Bypassing advanced device profiling with DHCP packet manipulation


Network Access Control is a mechanism that checks the security posture of a device before it is allowed onto a network. One of the oldest inspection techniques is MAC address inspection; however, this is a trivial defence mechanism to bypass.

More advanced device profiling uses techniques such as nmap scans, DNS inspection, DHCP inspection, SNMP checks, and OSI layer-two protocols such as Cisco Discovery Protocol or Link Layer Discovery Protocol to identify the connecting device's features. The mechanism explained in this paper is the manipulation or spoofing of DHCP packets to trick advanced device profiling into treating the attacking device as a legitimate one. Essentially, the attacking device is masqueraded with crafted DHCP packets so that it appears to the inspection engine as a legitimate device. A proof of concept has been developed that allows an attacker to define the DHCP payload so as to mimic the fingerprint of an arbitrary device. To the best of the author's knowledge, no such or similar tool is publicly available. This is also the first paper to describe in depth a client-based DHCP attack that is neither a denial of service (server starvation) nor a rogue server.
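To make the defender's side of this concrete, here is an added example (not the author's proof of concept or any tool from the talk) that extracts the client-written DHCP fields a profiler typically fingerprints on (hardware address, option 55 parameter request list, option 60 vendor class, option 12 host name) and cross-checks the DHCP-claimed OS family against an independent signal such as a scan result. The DHCPDISCOVER bytes and the vendor-class-to-OS map are constructed for the example.

```python
# Added example, not the talk's code: parse the DHCP fields a profiler keys on.
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, offset 236 of the BOOTP frame
def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a raw BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:       # END
            break
        if code == 0:         # PAD has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_fingerprint(packet: bytes) -> dict:
    """Fields a DHCP profiler keys on; every one of them is chosen by the client."""
    opts = parse_dhcp_options(packet)
    return {
        "chaddr": packet[28:34].hex(":"),
        "param_request_list": list(opts.get(55, b"")),  # option 55, order matters
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }

# Constructed, hypothetical map from vendor-class prefix to OS family.
VENDOR_CLASS_OS = {"MSFT": "windows", "android-dhcp": "android", "udhcp": "linux"}
def cross_check(fp: dict, scanned_os_family: str):
    """Return a finding when the DHCP-claimed OS family disagrees with an
    independent signal such as an active scan's OS guess, else None."""
    claimed = next((os_ for prefix, os_ in VENDOR_CLASS_OS.items()
                    if fp["vendor_class"].startswith(prefix)), None)
    if claimed and claimed != scanned_os_family:
        return f"vendor class says {claimed}, scan says {scanned_os_family}"
    return None
# Constructed sample DHCPDISCOVER (not a capture): 236-byte header + options
SAMPLE_MAC = bytes.fromhex("001122aabbcc")
SAMPLE_DISCOVER = (
    b"\x01\x01\x06\x00" + b"\x12\x34\x56\x78" + b"\x00\x00\x80\x00"
    + bytes(16) + SAMPLE_MAC + bytes(10) + bytes(64) + bytes(128) + MAGIC
    + b"\x35\x01\x01"                  # 53: DHCPDISCOVER
    + b"\x37\x05\x01\x03\x06\x0f\x2a"  # 55: requests options 1,3,6,15,42
    + b"\x3c\x08MSFT 5.0"              # 60: vendor class identifier
    + b"\x0c\x06lab-pc"                # 12: host name
    + b"\xff"                          # END
)
```

Because every field in the fingerprint is client-supplied, a profiler that relies on DHCP alone has nothing to anchor on; the cross-check shows the kind of independent signal that makes a spoofed profile visible.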

Ivica Stipovic, Information Security Consultant, Ward Solutions

Ivica works as an Information Security Consultant. He tries to understand the intricacies of security processes and find ways to undermine them. A network and system administrator in a previous life, he recently moved towards security research. Currently, he is a proud employee of Ward Solutions. His formal education encompasses a BSc in Computing and Telecom, an MSc in Computer Forensics and a Master's in Business Administration.