On 2014-09-30 13:33, Nicholas Weaver wrote:
> Although, to be honest, the DHCP vector is trivial to exploit
> [1], if the attacker can give you a bogus DHCP reply you've lost
> already.

> At this point, the attacker already has a full man-in-the-middle of
> all network traffic, and can easily launch invisible attacks on
> clients (e.g. cause a hidden iframe to appear to their metasploit
> server instance, insert cached scripts into the browser context,
> etc...).

http://tools.ietf.org/html/rfc3118
Although this does rely on you trusting the DHCP server, and I admit it's a non-trivial setup, as not many servers or clients actually support it.

> [1] the DHCP server on my test network has: option domain-name "() {
> ignored;}; /bin/touch pwnage ; (/bin/sleep 10; /bin/ping -c 10
> 10.128.0.2) & "; in its config

I have similar in my server config, but as the server id :)

Roy

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
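An added example, not from the thread or from dnsmasq: a small Python filter a DHCP client hook could run over received option values before exporting them into a shell's environment. It uses the test payload quoted above as a constructed sample, mirrors the "() {" prefix that pre-fix bash used to recognise a function export, and recovers the trailing text that the Shellshock bug would have executed. Option variable names follow the dhclient-script `new_*` convention; the sanitize function is hypothetical.

```python
# Constructed sample of DHCP option values as a client hook script would
# see them before exporting them into a shell's environment.  The
# domain-name value is the test payload quoted in the thread above.
SAMPLE_OPTIONS = {
    "new_domain_name": "() { ignored;}; /bin/touch pwnage ; "
                       "(/bin/sleep 10; /bin/ping -c 10 10.128.0.2) & ",
    "new_routers": "10.128.0.1",
    "new_host_name": "lab-client",
}


def trailing_commands(value):
    """Return the text a pre-fix bash (CVE-2014-6271) would have run after
    importing `value` from the environment as a function definition.

    bash only treated a variable as a function export when its value began
    with the literal "() {"; the bug was that parsing did not stop at the
    closing brace.  Returns None when the value is not a function export or
    nothing follows the body.  Brace matching is a simplification: braces
    inside quoted strings are not special-cased."""
    if not value.startswith("() {"):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].strip().lstrip(";").strip()
                return rest or None
    return None  # unbalanced braces: bash rejected the definition


def sanitize_dhcp_env(options):
    """Split option values into those safe to export and those that look
    like a function export (name -> trailing commands, '' if none).
    Hypothetical hook-side filter; any function-looking value is refused."""
    clean, rejected = {}, {}
    for name, value in options.items():
        if value.startswith("() {"):
            rejected[name] = trailing_commands(value) or ""
        else:
            clean[name] = value
    return clean, rejected


if __name__ == "__main__":
    clean, rejected = sanitize_dhcp_env(SAMPLE_OPTIONS)
    for name, cmds in rejected.items():
        print(f"rejected {name}: would have run {cmds!r}")
    print("exporting:", sorted(clean))
```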
