DDSpoof – DHCP DNS Dynamic Update Attacks Toolkit

January 14, 20242 min read


DDSpoof is a tool that enables DHCP DNS Dynamic Update attacks against Microsoft DHCP servers in AD environments.

For additional information, please refer to our blog posts:

For information on how to mitigate DDSpoofing attacks in your networks, please refer to Invoke-DHCPCheckup.ps1


  • Install the requirements by running:
pip install -r requirements.txt
  • Run DDSpoof while specifying the network interface to use:
ddspoof.py --iface "eth0"


Commandline arguments:

Usage: ddspoof.py [OPTIONS] COMMAND [ARGS]...

  -i, --iface TEXT             Name of the interface to use  [required]
  -r, --retry INTEGER          Set the max retry amount for the various
                               functions used by the tool
  --config-file TEXT           Path to a DDSpoof config file to load
                               configuration from
  -v, --verbose                Display verbose output
  -np, --enum-name-protection  Test server name protection status. Note: This
                               option will cause DDSpoof to create DNS records
                               on the server
  --help                       Show this message and exit.

At startup, DDSpoof will perform the following:

  1. Identify all DHCP servers in the LAN by sending DHCP Discover messages
  2. Extract server associated domain and DNS server from the DHCP Offer messages
  3. Test Name Protection status on the server
  4. Determine the IP address to be used when spoofing, attempt to request the current interface IP from the DHCP server

After the initial setup, DDSpoof runs as an interactive console app, available commands are detailed in the next sections.

How do you vote?

0 People voted this article. 0 Upvotes - 0 Downvotes.

What do you think?

Show comments / Leave a comment

Leave a reply