Pentera Labs demonstrated how DHCP spoofing can be exploited to harvest credentials through forced authentication. By combining DHCP starvation and rogue DHCP attacks, an attacker can impersonate the DHCP server, set itself as the victim’s DNS and gateway, and redirect DNS requests. This allows attackers to capture NetNTLM hashes or enable NetBIOS, exposing ports 137–139. Since SMB runs over port 139 as well as 445, this enables exploits like EternalBlue. Mitigation includes enabling DHCP snooping on switches, enforcing firewall rules for SMB and NetBIOS ports, disabling NetBIOS via scripts or registry, and continuously validating network defenses.

Join for free to read