https://github.com/akamai/ddspoof

DDSpoof is a tool that enables DHCP DNS Dynamic Update attacks against Microsoft DHCP servers in AD environments.

For additional information, please refer to our blog posts:

• DDSpoof – Spoofing DNS Records By Abusing DHCP DNS Dynamic Updates
• Weaponizing DHCP DNS Spoofing – a Hands-On Guide

For information on how to mitigate DDSpoofing attacks in your networks, please refer to Invoke-DHCPCheckup.ps1

Setup

• Install the requirements by running:

pip install -r requirements.txt

• Run DDSpoof while specifying the network interface to use:

ddspoof.py --iface "eth0"

Usage

Commandline arguments:

Usage: ddspoof.py [OPTIONS] COMMAND [ARGS]...

Options:
  -i, --iface TEXT             Name of the interface to use  [required]
  -r, --retry INTEGER          Set the max retry amount for the various
                               functions used by the tool
  --config-file TEXT           Path to a DDSpoof config file to load
                               configuration from
  -v, --verbose                Display verbose output
  -np, --enum-name-protection  Test server name protection status. Note: This
                               option will cause DDSpoof to create DNS records
                               on the server
  --help                       Show this message and exit.

At startup, DDSpoof will perform the following:

1. Identify all DHCP servers in the LAN by sending DHCP Discover messages
2. Extract server associated domain and DNS server from the DHCP Offer messages
3. Test Name Protection status on the server
4. Determine the IP address to be used when spoofing, attempt to request the current interface IP from the DHCP server

After the initial setup, DDSpoof runs as an interactive console app, available commands are detailed in the next sections.