DHCP欺骗劫持与防御策略
一、任务目的
掌握DHCP的欺骗原理与DHCP监听配置。
二、任务设备、设施
win10、华为eNSP、vmvare、win7、typora
三、任务拓扑结构图
四、基本配置
1.接口IP与默认路由配置
R1
<Huawei>sys [Huawei]sys [Huawei]sysname R1 [R1]undo info-center enable [R1]int g0/0/0 [R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24 [R1-GigabitEthernet0/0/0]q [R1]int g0/0/1 [R1-GigabitEthernet0/0/1]ip add 192.168.2.1 24 [R1-GigabitEthernet0/0/1]q [R1]rip 1 [R1-rip-1]version 2 [R1-rip-1]netwo [R1-rip-1]network 192.168.1.0 [R1-rip-1]network 192.168.2.0 [R1-rip-1]q [R1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2 [R1]dhcp enable Info: The operation may take a few seconds. Please wait for a moment.done. [R1]int g0/0/0 [R1-GigabitEthernet0/0/0]dhcp select relay [R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.2.2 [R1-GigabitEthernet0/0/0]q
R2
<Huawei>sys [Huawei]sys R2 [R2]undo info enable [R2]int g0/0/0 [R2-GigabitEthernet0/0/0]ip add 192.168.2.2 24 [R2-GigabitEthernet0/0/0]q [R2]int g0/0/1 [R2-GigabitEthernet0/0/1]ip add 172.16.1.1 24 [R2-GigabitEthernet0/0/1]q [R2]int s2/0/0 [R2-Serial2/0/0]ip add 202.116.64.1 24 [R2-Serial2/0/0]q [R2]rip 1 [R2-rip-1]version 2 [R2-rip-1]network 192.168.2.0 [R2-rip-1]network 172.16.0.0 [R2-rip-1]q [R2]ip route-static 0.0.0.0 0.0.0.0 serial 2/0/0
R3
<Huawei>sys [Huawei]sys R3 [R3]int g0/0/0 [R3-GigabitEthernet0/0/0]ip add 203.203.100.1 24 [R3]int s2/0/0 [R3-Serial2/0/0]ip add 202.116.64.2 24 [R3-Serial2/0/0]q
2.路由器R2 Easy-IP配置
[R2]acl 2000 [R2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255 [R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255 [R2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255 [R2-acl-basic-2000]q [R2]int s2/0/0 [R2-Serial2/0/0]nat outbound 2000 [R2-Serial2/0/0]q
3.配置R2路由器DHCP服务 给技术部和工程部主机分配IP地址
[R2]dhcp enable [R2]ip pool jishu [R2-ip-pool-jishu]network 192.168.1.0 mask 24 [R2-ip-pool-jishu]gateway-list 192.168.1.1 [R2-ip-pool-jishu]dns-list 192.168.2.254 [R2-ip-pool-jishu]excluded-ip-address 192.168.1.2 192.168.1.9 [R2-ip-pool-jishu]q [R2]ip pool gongcheng [R2-ip-pool-gongcheng]network 172.16.1.0 mask 24 [R2-ip-pool-gongcheng]gateway-list 172.16.1.1 [R2-ip-pool-gongcheng]dns-list 192.168.2.254 [R2-ip-pool-gongcheng]excluded-ip-address 172.16.1.2 172.16.1.9 [R2-ip-pool-gongcheng]q [R2]int g0/0/0 [R2-GigabitEthernet0/0/0]dhcp select global [R2-GigabitEthernet0/0/0]int g0/0/1 [R2-GigabitEthernet0/0/1]dhcp select global [R2-GigabitEthernet0/0/1]q
4.配置百度服务器HttpServer
5.配置DNS Server
6.基本配置验证
五、基本配置
拓扑图
1.伪造DHCP服务器R4
<Huawei>sys [Huawei]sys R4 [R4]undo info enable [R4]int g0/0/0 [R4-GigabitEthernet0/0/0]ip add 192.168.1.9 24 [R4-GigabitEthernet0/0/0]q [R4]dhcp enable [R4]ip pool forged [R4-ip-pool-forged]network 192.168.1.0 mask 24 [R4-ip-pool-forged]gateway-list 192.168.1.1 [R4-ip-pool-forged]dns-list 192.168.1.8 [R4-ip-pool-forged]q [R4]int g0/0/0 [R4-GigabitEthernet0/0/0]dhcp select global [R4-GigabitEthernet0/0/0]q
2.伪造DNS服务器配置
3.验证入侵结果
六、防御机制
在交换机SW1启用DHCP监听 添加信任端口
<Huawei>sys [Huawei]sys R1 [R1]sys SW1 [SW1]undo info en [SW1]dhcp enable [SW1]dhcp snooping enable [SW1]dhcp snooping enable vlan 1 [SW1]int g0/0/3 [SW1-GigabitEthernet0/0/3]dhcp snooping trusted [SW1-GigabitEthernet0/0/3]q
七、任务总结
1启用DHCP监听功能的前提是开启DHCP服务
2在路由器上可以开启DHCP服务,但是无法启用DHCP监听功能,只有在交换机上才可以启用DHCP监听功能
3如果在DHCP监听区域含多个vlan,命令如dhcp snooping enable vlan 10 20 30.如果vlan连续,命令如dhcp snooping enable vlan 1 to 5.
4计算机DNS缓存不会立刻刷新需等待一段时长,如需手动刷新,可运行命令为ipconfig/flushdns
5DHCP欺骗劫持不属于病毒木马,不能通过安装反病毒软件达到防范效果