Bypassing advanced device profiling with DHCP packet manipulation

Network Access Control is a mechanism that checks the security posture of a device before it is allowed access to a network. One of the oldest inspection techniques is MAC address inspection; however, this is a trivial defence mechanism to bypass.

More advanced device profiling deploys various techniques such as nmap scans, DNS inspection, DHCP inspection, SNMP checks, and OSI layer two protocols such as Cisco Discovery Protocol or Link Layer Discovery Protocol to identify the connecting device's features. The mechanism explained in this paper is the manipulation or spoofing of DHCP packets to trick advanced device profiling into treating the attacking device as a legitimate one. Essentially, the attacking device is masqueraded with crafted DHCP packets so that it appears to the inspection engine as a legitimate device. A proof of concept has been developed that allows an attacker to define the DHCP payload to mimic the fingerprint of an arbitrary device. To the best of the author's knowledge, no such or similar tool is publicly available. This is also the first paper to describe in depth a client-based DHCP attack that is neither a denial of service (server starvation) nor a rogue server.
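As an added example (not code from the talk or its proof of concept), the following shows how a profiler derives a fingerprint from the DHCP options the abstract refers to, and why a defender should not trust that fingerprint on its own: it parses the option 55 parameter request list and option 60 vendor class from a DISCOVER message and flags a disagreement with the vendor of the client's MAC OUI. The OUI table, vendor names and sample packet are constructed for illustration.

```python
# Added example, not code from the talk: parse the options of a DHCP DISCOVER,
# derive the fingerprint a profiler would use (option 55 parameter request list,
# option 60 vendor class), and cross-check it against the client MAC's OUI vendor.
# The OUI table and the sample packet are constructed for illustration.
OUI_VENDORS = {"00:11:22": "ExampleCam", "aa:bb:cc": "ExamplePC"}  # constructed
DHCP_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_options(msg: bytes) -> dict:
    """Return {code: value} from a BOOTP/DHCP message (236-byte fixed header,
    then the magic cookie, then TLV options terminated by 255)."""
    if len(msg) < 240 or msg[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:      # 255 = END
        if msg[i] == 0:                        # 0 = PAD, has no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_fingerprint(opts: dict) -> str:
    """Fingerprint string built from option 55, e.g. '1,3,6,15'."""
    return ",".join(str(b) for b in opts.get(55, b""))

def check_consistency(chaddr: bytes, msg: bytes) -> dict:
    """Compare the vendor claimed in option 60 with the vendor of the MAC OUI.
    A mismatch is a hint, not proof: both fields are set by the client, which
    is exactly why DHCP fingerprints must be correlated with other signals."""
    opts = parse_dhcp_options(msg)
    oui = ":".join(f"{b:02x}" for b in chaddr[:3])
    oui_vendor = OUI_VENDORS.get(oui, "unknown")
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    consistent = oui_vendor == "unknown" or oui_vendor.lower() in vendor_class.lower()
    return {"oui_vendor": oui_vendor, "vendor_class": vendor_class,
            "fingerprint": dhcp_fingerprint(opts), "consistent": consistent}

def build_discover(chaddr: bytes, prl: bytes, vendor_class: bytes) -> bytes:
    """Constructed DISCOVER used as sample input (op=1, htype=1, hlen=6)."""
    header = b"\x01\x01\x06\x00" + b"\0" * 24 + chaddr.ljust(16, b"\0") + b"\0" * 192
    opts = (bytes([53, 1, 1]) + bytes([55, len(prl)]) + prl
            + bytes([60, len(vendor_class)]) + vendor_class + b"\xff")
    return header + DHCP_COOKIE + opts

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # OUI 00:11:22 -> ExampleCam
    pkt = build_discover(mac, bytes([1, 3, 6, 15]), b"ExamplePC Setup")
    print(check_consistency(mac, pkt))           # consistent: False
```

In a real deployment the OUI table would come from the IEEE registry and the fingerprint would be matched against a profiling database; the point the check illustrates is that every DHCP field is client-supplied, so a profiler that relies on DHCP alone is trusting the device to describe itself.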