For an Intro to Networking and Computer I/O class, I worked on a project to explore penetration testing. Rather than setting up our own network in the real world, we decided to make this more repeatable by creating a virtual network with Mininet. My portion of the project focused on DHCP spoofing.
Senario: An evil host near the client in the network triest to respond to DHCP requests faster than the real DHCP server and point hosts to its own DNS server allowing it to point people to phishing sites.
Goal: prevent such an attack. Methods experimented with:
Block all but the correct DHCP packets on switches with ebtables
On the client use dhclient's anycast-mac option to only send the DHCP packets only to the real DHCP server
Setup the network manually (not really a solution)
On Arch Linux, install needed packages:
sudo pacman -S busybox dhclient dnsmasq ettercap iptables ebtables python2-dnslib python2-ipy bridge-utils packer -S mininet
Make sure Mininet is functioning properly by verifying 0% packets dropped:
sudo mn --switch lxbr --controller none --test pingall
Run DHCP Spoof:
sudo python2 dhcp_spoof.py wlp2s0 0
If it ever exits without cleaning everything up, just run:
sudo mn -c
Note: If you use this on anything other than Arch Linux, you'll likely have to tweak the code.
Code based upon this example
NAT code, modified to make it work on my system
DNSChef used as the evil DNS server
Provides insight into creating per-process mounts
Relation between iptables and ebtables
Where I first learned everything about networking and iptables
How to use ebtables for MAC anti-spoofing rules
Potential tool for alternate DHCP starving for a counter-attack
Information about preventing MITM attacks