Metasploit New Modules: DHCP Exhaustion + DNS MITM for Internal Network Takeover
The article explains how Metasploit’s new auxiliary modules—dhcp_exhaustion/exhaust and dns_mitm/dns_mitm—can be combined to exhaust a DHCP server’s address pool, impersonate it, and redirect DNS queries to a malicious server, enabling attackers to gain network control while outlining defensive measures such as DHCP snooping and ARP inspection.
Attack scenario
In a normal internal network, clients obtain IP addresses from a legitimate DHCP server and resolve domain names via a trusted DNS server. After a compromise, the attacker runs a rogue DHCP server that hands out IP configuration and points clients to a malicious DNS server, allowing traffic to be redirected to phishing sites or monitored.
Attack chain
Run auxiliary/digininja/dhcp_exhaustion/exhaust which continuously sends DHCP REQUEST packets until the legitimate DHCP server stops responding, indicating its address pool is depleted. The attacker’s NIC must be in promiscuous mode to capture all DHCP OFFER and ACK messages.
Launch auxiliary/digininja/dns_mitm/dns_mitm with a hosts file. Domains listed in the hosts file are answered with forged IP addresses; all other queries are forwarded to the real DNS server.
Hot‑reloading hosts file
The DNS MITM module supports hot‑reloading. Adding the special entry digininja.reload to the hosts file and then querying that domain causes the module to reload the hosts configuration without restarting.
Operational considerations
Full DHCP exhaustion causes noticeable network disruption, so red‑team operators typically avoid exhausting the entire pool at once. They may maintain a “slow‑oxygen‑deprivation” state, limit the attack to off‑hours, or target only selected domains to reduce business impact and detection risk.
Defensive measures
Enable DHCP Snooping on switches to ignore unauthorized DHCP responses.
Apply port‑security limits on the number of IPs per port.
Activate Dynamic ARP Inspection (DAI).
Monitor DHCP request frequency for anomalies.
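A worked detection example added here (not code from the article or from the Metasploit modules): a sliding-window check over constructed dhcpd-style syslog lines that flags a burst of distinct client MACs asking for leases, which is what the exhaustion step above looks like from the server side, and the "no free leases" message ISC dhcpd logs once its pool is drained. The log format, the thresholds and the sample MACs are assumptions; tune the thresholds to the segment's real baseline.

```python
import re
from collections import deque
# Constructed sample in ISC dhcpd syslog style (the format is an assumption, not from the article).
SAMPLE_LOG = """\
Mar  3 09:12:07 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth0
Mar  3 09:12:08 gw dhcpd: DHCPREQUEST for 10.0.0.21 from 00:11:22:33:44:01 via eth0
Mar  3 09:40:15 gw dhcpd: DHCPREQUEST for 10.0.0.22 from 00:11:22:33:44:02 via eth0
Mar  3 10:00:01 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar  3 10:00:01 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Mar  3 10:00:02 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:03 via eth0
Mar  3 10:00:02 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:04 via eth0
Mar  3 10:00:03 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:05 via eth0
Mar  3 10:00:09 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:06 via eth0: network 10.0.0.0/24: no free leases
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ dhcpd: "
    r"(?:DHCPDISCOVER|DHCPREQUEST) (?:for \S+ )?from ([0-9A-Fa-f:]{17})"
)
POOL_EMPTY = "no free leases"  # what dhcpd logs once the pool is drained

def parse(line):
    """Return (seconds since midnight, client MAC) for DISCOVER/REQUEST lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return h * 3600 + mi * 60 + s, m.group(4).lower()

def detect_exhaustion(log_text, window=60, max_macs=4):
    """Alert when more than max_macs distinct clients request leases within `window` seconds."""
    alerts = []
    recent = deque()  # (timestamp, mac) events still inside the sliding window
    for line in log_text.splitlines():
        if POOL_EMPTY in line:
            alerts.append(("pool_exhausted", line.strip()))
            continue
        ev = parse(line)
        if ev is None:
            continue
        ts, _ = ev
        recent.append(ev)
        while ts - recent[0][0] > window:
            recent.popleft()
        distinct = {mac for _, mac in recent}
        if len(distinct) > max_macs:
            alerts.append(("mac_burst", ts, len(distinct)))
            recent.clear()  # one alert per burst rather than one per packet
    return alerts
```

On the constructed sample the two morning lines stay quiet, the 10:00:03 packet trips the MAC-burst alert with five distinct clients inside the window, and the final line is reported as pool exhaustion.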
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.