Skip to content
attack.paths
Connexion
← RegistryDossier · 5 steps · 4 edges

Rogue DHCP → DNS poisoning → MITM

Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads.

Filed by AD Knowledge Base
§ Kill-chainDrag · zoom · scroll

§ Context

Assumed environment: attacker is on the same broadcast domain as victims. No DHCP snooping enabled on the switch. Clients honour short lease times.

§ Steps

  1. 01
    Foothold on LANInitial Access
    T1078Valid Accounts
  2. 02
    Crack captured NetNTLMv2Credential Access
    T1110Brute Force
  3. 03
    Strip + log HTTPS / capture NTLMCredential Access
    T1557.001LLMNR/NBT-NS Poisoning and SMB Relay
  4. 04
    Start rogue DHCP (Responder / Yersinia)Credential Access
    N-DHCP-ROGUERogue DHCP Server
  5. 05
    Become DNS for new clientsCredential Access
    N-MDNS-POISONmDNS / SSDP Poisoning

§ References

§ Frequently asked

What is the "Rogue DHCP → DNS poisoning → MITM" attack path?
Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
The first step is Foothold on LAN (T1078) — a initial access primitive. Assumed environment: attacker is on the same broadcast domain as victims.
What is the final impact of this kill-chain?
The final step lands on Become DNS for new clients (N-MDNS-POISON), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?
Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers