1
00:00:00,290 --> 00:00:03,740
Dynamic Host Configuration Protocol, DHCP.

2
00:00:04,310 --> 00:00:10,100
It's a protocol used to provide automatic and central management for the distribution of IP addresses

3
00:00:10,100 --> 00:00:11,240
within a network.

4
00:00:12,350 --> 00:00:19,550
It's also used to configure the proper subnet mask, default gateway and DNS server information on the

5
00:00:19,550 --> 00:00:20,330
device.

6
00:00:21,060 --> 00:00:26,700
In most homes and small businesses, the router acts as the DHCP server.

7
00:00:27,000 --> 00:00:31,770
In large networks, a single computer might act as a DHCP server.

8
00:00:32,600 --> 00:00:35,600
In short, the process goes like this.

9
00:00:35,900 --> 00:00:36,680
The device,

10
00:00:36,680 --> 00:00:40,100
the client, requests an IP address from a router,

11
00:00:40,130 --> 00:00:41,000
the host.

12
00:00:41,540 --> 00:00:48,080
After which the host assigns an available IP address to allow the client to communicate on the network.

13
00:00:49,010 --> 00:00:52,370
So let's look at some of the advantages of using DHCP.

14
00:00:53,530 --> 00:00:58,060
A computer or any other device that connects to a network, local or internet,

15
00:00:58,360 --> 00:01:02,070
must be properly configured to communicate on that network.

16
00:01:02,080 --> 00:01:03,040
Makes sense.

17
00:01:03,340 --> 00:01:09,520
Since DHCP allows that configuration to happen automatically, it's used in almost every device that

18
00:01:09,520 --> 00:01:13,720
connects to a network, including computers, switches, smartphones, gaming consoles, you name it.

19
00:01:14,880 --> 00:01:17,760
And because of this dynamic IP address assignment,

20
00:01:18,370 --> 00:01:24,940
there's less of a chance that two devices will have the same IP address, which is very easy to run

21
00:01:24,940 --> 00:01:28,660
into when using manually assigned static IP addresses.
22
00:01:30,140 --> 00:01:37,280
Using DHCP also makes a network much easier to manage from an administrative point of view.

23
00:01:37,310 --> 00:01:42,980
Every device on the network can get an IP address with nothing more than their default network settings,

24
00:01:42,980 --> 00:01:45,950
which are set up to obtain an address automatically.

25
00:01:45,950 --> 00:01:47,030
So that's easy.

26
00:01:47,030 --> 00:01:50,030
Gives them nothing to call the helpdesk about.

27
00:01:50,630 --> 00:01:56,990
The only other alternative is to manually assign addresses to each and every device on the network.

28
00:01:58,090 --> 00:01:59,890
You're not getting paid enough to do that.

29
00:02:01,300 --> 00:02:07,750
So because these devices can get an IP address automatically, they can move freely from one network

30
00:02:07,750 --> 00:02:08,620
to another,

31
00:02:08,830 --> 00:02:15,700
given that they're all set up with DHCP and receive an IP address automatically, which is super helpful

32
00:02:15,700 --> 00:02:16,900
with mobile devices.

33
00:02:17,760 --> 00:02:25,050
Now, as a cyber security expert, you should know one more thing about the DHCP mechanism.

34
00:02:25,820 --> 00:02:28,910
The first device which replies to a DHCP

35
00:02:28,910 --> 00:02:32,600
Discover request decides the configuration of the client.

36
00:02:33,730 --> 00:02:38,380
There is not any mechanism to authenticate the DHCP server.

37
00:02:40,290 --> 00:02:49,440
Similarly, a DHCP server tries to reply to all the DHCP requests, and again there is no authentication

38
00:02:49,440 --> 00:02:52,920
mechanism for the clients who request an IP.

39
00:02:53,310 --> 00:02:54,120
You get it.

40
00:02:54,690 --> 00:02:55,710
I think you do.

41
00:02:55,740 --> 00:02:58,800
What if a hacker replies before the real DHCP?

42
00:02:59,130 --> 00:03:06,240
Or what if a client sends a lot of DHCP discovery requests by changing the MAC address each time?
43
00:03:08,350 --> 00:03:13,300
So let's have a look to see how a DHCP mechanism works in detail.

44
00:03:14,980 --> 00:03:21,220
Once a device is turned on and connected to a network that has a DHCP server, it will send a request

45
00:03:21,220 --> 00:03:24,700
to the server called a DHCP Discover request.

46
00:03:25,750 --> 00:03:32,290
After the Discover packet reaches the DHCP server, the server attempts to hold on to an IP address

47
00:03:32,290 --> 00:03:38,740
that the device can use and then offers the client the address with a DHCP Offer packet.

48
00:03:39,760 --> 00:03:45,940
Once the offer has been made for the chosen IP address, the device responds to the DHCP server with

49
00:03:45,940 --> 00:03:48,670
a DHCP Request packet to accept it.

50
00:03:49,360 --> 00:03:56,200
After which the server sends an ACK packet that's used to confirm that the device has that specific

51
00:03:56,200 --> 00:04:02,680
IP address and to define the amount of time that the device can use the address before getting a new

52
00:04:02,680 --> 00:04:03,070
one.

53
00:04:03,740 --> 00:04:09,320
If the server decides a device cannot have the IP address, it will send a NAK.

54
00:04:10,900 --> 00:04:14,230
Let's see the DHCP server mechanism in Wireshark.

55
00:04:16,190 --> 00:04:20,660
So Wireshark is already embedded into Kali and it's ready to use.

56
00:04:20,690 --> 00:04:25,790
In addition, I'd also like to show you how to download and install it on a Windows system.

57
00:04:26,000 --> 00:04:29,210
So right now I'm in a Windows 8 system.

58
00:04:29,690 --> 00:04:36,290
Open the internet browser and search for "Wireshark for Windows", using those as the keywords.

59
00:04:36,560 --> 00:04:40,430
The first link is the download page of wireshark.org.

60
00:04:40,700 --> 00:04:41,780
So let's click it.

61
00:04:42,740 --> 00:04:48,740
My Windows is 64-bit, so I'll download the 64-bit, which is the latest stable version.
62
00:04:48,890 --> 00:04:51,410
Click it and save the installer.

63
00:04:51,770 --> 00:04:55,470
Now it takes less than a minute, unless your connection is a mess.

64
00:04:55,490 --> 00:04:57,080
You might want to look into that.

65
00:04:57,740 --> 00:04:58,520
Just kidding.

66
00:05:01,480 --> 00:05:02,830
Click to run it.

67
00:05:06,880 --> 00:05:08,380
The setup wizard opens.

68
00:05:08,950 --> 00:05:09,640
Okay.

69
00:05:09,640 --> 00:05:11,290
So simply it's a Next,

70
00:05:11,320 --> 00:05:11,620
Next,

71
00:05:11,650 --> 00:05:11,950
Next,

72
00:05:11,950 --> 00:05:13,450
Finish installation.

73
00:05:13,450 --> 00:05:15,070
No need to change anything.

74
00:05:15,100 --> 00:05:17,320
Wait until the installation finishes.

75
00:05:27,450 --> 00:05:31,890
Okay, so check this to run Wireshark now and click Finish.

76
00:05:32,430 --> 00:05:35,730
And welcome to the Wireshark on Windows interface.

77
00:05:38,790 --> 00:05:44,010
So now I will show you the DHCP mechanism in Wireshark.

78
00:05:46,590 --> 00:05:52,920
So let's run Wireshark, and you can see that it's listing the packets received by eth0.

79
00:05:54,140 --> 00:05:57,980
So to demonstrate the DHCP mechanism,

80
00:05:58,580 --> 00:06:03,200
we need to ask for an IP address over at the DHCP server.

81
00:06:04,810 --> 00:06:11,920
From the bottom right corner, right-click the network icon and select Open Network and Sharing Center.

82
00:06:12,700 --> 00:06:15,730
Click Ethernet 0 and then Properties.

83
00:06:16,120 --> 00:06:20,830
You'll have to scroll down a little bit and double-click IP version 4.

84
00:06:21,460 --> 00:06:26,080
And as you see here, the IP address is manually set for my Windows 8.

85
00:06:26,350 --> 00:06:33,700
So to start a DHCP request, I'll choose obtain an IP address and DNS server address automatically.

86
00:06:33,910 --> 00:06:35,560
Those are my options.
87
00:06:36,100 --> 00:06:41,920
Now, before I click OK, I'll go to Wireshark and restart capturing by clicking the green button

88
00:06:41,950 --> 00:06:42,880
on the toolbar.

89
00:06:43,690 --> 00:06:46,870
So now the Wireshark window will be cleaned.

90
00:06:47,320 --> 00:06:48,820
Continue without saving.

91
00:06:49,120 --> 00:06:52,510
So now go to the network status window and click OK.

92
00:06:52,600 --> 00:06:55,270
And we can close all the networking windows.

93
00:06:56,340 --> 00:07:00,030
So Wireshark captured the packets while it's still capturing.

94
00:07:00,030 --> 00:07:04,650
But let's go to the top of the list to find the DHCP packets.

95
00:07:05,430 --> 00:07:06,930
So here, the DHCP

96
00:07:06,930 --> 00:07:09,810
Discover packet is right here at the top of the list.

97
00:07:10,110 --> 00:07:17,730
When we look at the ports in the UDP header, we see that port 68 is used to send DHCP Discover

98
00:07:17,730 --> 00:07:18,510
packets.

99
00:07:18,630 --> 00:07:28,080
So let's go back to the filter box and type udp.port == 68, and now we have the DHCP packets

100
00:07:28,080 --> 00:07:28,740
only.

101
00:07:29,860 --> 00:07:38,140
So the first packet is DHCP Discover and, as I mentioned before, it's broadcast. Source IP is all zeros

102
00:07:38,140 --> 00:07:40,390
because we don't have an IP address at the moment.

103
00:07:40,510 --> 00:07:43,210
Destination IP is all ones,

104
00:07:43,780 --> 00:07:47,260
255.255.255.255,

105
00:07:47,290 --> 00:07:49,120
because it's a broadcast packet.

106
00:07:50,800 --> 00:07:57,940
And right here is Bootstrap Protocol, which is an application layer protocol used by DHCP mechanisms.

107
00:07:59,160 --> 00:08:04,620
The second packet is a DHCP Offer packet sent by the DHCP server,

108
00:08:04,650 --> 00:08:09,360
172.16.99.254, to the Windows system.

109
00:08:09,800 --> 00:08:17,460
Destination IP is 172.16.99.233, which is offered to the DHCP server.
110
00:08:17,700 --> 00:08:21,510
So in here the destination MAC address is important.

111
00:08:21,900 --> 00:08:24,810
That's what's going to be targeted according to the MAC address.

112
00:08:24,840 --> 00:08:32,190
So as you see, the destination MAC address of the DHCP Offer packet is the same as the source MAC address

113
00:08:32,220 --> 00:08:34,830
of the DHCP Discover packet.

114
00:08:35,840 --> 00:08:41,090
Now, the third packet is the DHCP Request sent by the Windows system.

115
00:08:41,730 --> 00:08:46,830
It's still a broadcast packet and the source IP is still all zeros.

116
00:08:47,540 --> 00:08:53,750
The message is Request, and the requested IP address is in option 50.

117
00:08:53,780 --> 00:09:00,920
So if you expand it, you see the requested IP address, and it's the same as the offered IP address,

118
00:09:00,920 --> 00:09:04,940
172.16.99.223.

119
00:09:05,240 --> 00:09:11,180
The last packet is DHCP sent by the DHCP server to the Windows system.

120
00:09:11,800 --> 00:09:15,580
This packet completes the DHCP mechanism successfully.

121
00:09:16,930 --> 00:09:20,500
So from now on, the IP address of our Windows system is

122
00:09:20,500 --> 00:09:23,530
172.16.99.223.