Lab 10.2.6 Perform a Man-in-the-Middle DHCP Attack [WLOs: 1, 2, 3, 4, 5] [CLOs: 1, 2, 3]

Required Actions & Questions

On IT-Laptop, launch a DHCP MITM attack using Ettercap

On Support:Hide Details

View the DHCP traffic in Wireshark with the bootp filter

Refresh the network interface to get a new IP address from DHCP

Q1How many DHCP packets were captured in Wireshark?

Your answer: 5

Correct answer: 5

Q2Which gateway addresses are provided in the ACK packets?

Your answer: 192.168.0.5, 192.168.0.46

Correct answer: 192.168.0.5, 192.168.0.46

On Office1:Hide Details

Use tracert to view the path to rmksupplies.com

Use ipconfig to release and renew the assigned IP address

Login to the rmksupplies.com Employee Portal

Complete this lab as follows:

1. On IT-Laptop, start unified sniffing on the enp2s0 interface as follows:
   1. From the Favorites bar, select Ettercap.
   2. Select Sniff > Unified sniffing.
   3. From the Network Interface drop-down list, select enp2s0.
   4. Click OK.
   5. Select Mitm > DHCP spoofing.
   6. In the Netmask field, enter 255.255.255.0.
   7. In the DNS Server IP field, enter 192.168.0.11.
   8. Click OK.
2. On Support, start a capture that filters for bootp packets as follows:
   1. From top navigation tabs, select Floor 1 Overview.
   2. Under Support Office, select Support.
   3. From the Favorites bar, open Wireshark.
   4. Under Capture, select enp2s0.
   5. Select the blue fin to begin a Wireshark capture.
   6. In the Apply a display filter field, type bootp and press Enter.
3. Request a new IP address as follows:
   1. From the Favorites bar, open Terminal.
   2. At the prompt, type ip addr show and press Enter.
      The IP address for enp2s0 is 192.168.0.45.
   3. Type route and press Enter.
      The gateway is 192.168.0.5.
   4. Type ip link set enp2s0 down and press Enter.
   5. Type ip link set enp2s0 up and press Enter to bring the interface back up.
   6. Maximize Wireshark for easier viewing.
      In Wireshark, under the Info column, notice that there are two DHCP ACK packets. One is the real acknowledgment (ACK) packet from the DHCP server, and the other is the spoofed ACK packet.
   7. Select the first DHCP ACK packet received.
   8. In the middle panel, expand Bootstrap Protocol (ACK).
   9. Expand Option: (3) Router.
      Notice the IP address for the router.
   10. Repeat steps 3g-3i for the second ACK packet.
   11. In the top right, select Answer Questions.
   12. Answer the questions.
   13. Minimize Wireshark.
4. View the current IP addresses as follows:
   1. In Terminal at the prompt, type ip addr show and press Enter.
      The IP address is 192.168.0.45.
   2. Type route and press Enter.
      The current gateway is 192.168.0.46. This is the address of the computer performing the man-in-the-middle attack.
5. On Office1, view the current route and IP address as follows:
   1. From top navigation tabs, select Floor 1 Overview.
   2. Under Office 1, select Office1.
   3. Right-click Start and select Windows PowerShell (Admin).
   4. Type tracert rmksupplies.com and press Enter.
      Notice that the first hop is 192.168.0.5.
   5. Type ipconfig /all and press Enter to view the IP address configuration for the computer.
      The configuration for Office1 is as follows:
      • IP address: 192.168.0.33
      • Gateway: 192.168.0.5
      • DHCP server: 192.168.0.14
   6. At the prompt, type ipconfig /release and press Enter to release the currently assigned addresses.
   7. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server.
      Notice that the default gateway has changed to the attacker's computer which has an IP address of 192.168.0.46.
   8. Type tracert rmksupplies.com and press Enter.
      Notice that the first hop is now 192.168.0.46 (the address of the attacker's computer).
6. In Google Chrome, log into the rmksupplies.com employee portal as follows:
   1. From the taskbar, open Google Chrome.
   2. Maximize the window for easier viewing.
   3. In the URL field, enter rmksupplies.com and press Enter.
   4. At the bottom of the page, select Employee Portal.
   5. In the Username field, enter bjackson.
   6. In the Password field, enter $uper$ecret1.
   7. Select Login. You are logged in as Blake Jackson.
7. From IT-Laptop, find the captured username and password in Ettercap as follows:
   1. From top navigation tabs, select Floor 1 Overview.
   2. Under IT Administration, select IT-Laptop.
   3. Maximize Ettercap.
   4. In Ettercap's bottom pane, find the username and password used to log in to the employee portal.
8. In the top right, select Answer Questions to end the lab.
9. Select Score Lab.