DHCP Spoofing

What is DHCP

DHCP stands for Dynamic Host Configuration Protocol and is used to hand an IP address, plus the settings that go with it (subnet mask, default gateway, DNS servers), to a host that joins the network.

When a new machine connects to a network, it broadcasts a DHCP DISCOVER stating that it needs an IP address and giving its own MAC address. Every DHCP server that hears the broadcast answers with a DHCP OFFER proposing an address and a set of network settings.

💡
Note that the client's DISCOVER and REQUEST are broadcast: the client has no IP address yet, and there may be more than one DHCP server on the network. The REQUEST is broadcast on purpose, so that the servers whose offer was not chosen know to withdraw it.

The new machine then broadcasts a DHCP REQUEST naming the offer it accepts (the server identifier, option 54, and the requested address, option 50). RFC 2131 leaves the choice between several offers to the client; in practice almost every client simply takes the first OFFER that arrives. The lease time (option 51, how long the address may be used before it must be renewed) is carried in the offer but is rarely a deciding factor.

Finally, the chosen DHCP server replies with a DHCP ACK confirming the lease. The ACK carries the settings the client will apply: subnet mask (option 1), default gateway (the router option, 3) and DNS servers (option 6).

The DHCP server does not become the client's default gateway by itself: the gateway is whatever address the chosen server puts in the router option. The client has no way to verify that value, so it trusts its DHCP server for both its gateway and its DNS configuration.

DHCP Spoofing

To abuse DHCP, we run a rogue DHCP server on the segment and answer DISCOVERs before the legitimate server does, handing out a valid address but with the router option (and, optionally, the DNS option) set to our own IP. Offering a longer lease time does not by itself win the race, since the client normally accepts the first offer; what matters is answering first. Exhausting the legitimate server's address pool beforehand (DHCP starvation) makes the race reliable, because the real server then has nothing left to offer.

This way, the new machine uses us as its default gateway, so every packet it sends to a destination outside its own subnet is routed through us and can be captured or modified (man-in-the-middle). Traffic to hosts on the same subnet goes directly to them and is not affected. On switched networks the usual defence is DHCP snooping, which makes the switch drop DHCP server messages arriving on ports that are not marked as trusted.
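The following is an added example, not code from these notes, that simulates the DISCOVER / OFFER / REQUEST / ACK exchange above with two servers on the same segment: a legitimate one and a rogue one. The addresses, MAC, lease times and the server/client classes are all constructed for the example. The client behaves like most real ones and takes the first OFFER it receives, so whichever server is listed first wins; the rogue server deliberately offers a shorter lease than the legitimate one to show that lease time is not what decides the race, and its OFFER and ACK set the router (option 3) and DNS (option 6) to the attacker's own address. Packets are built and parsed on the wire format of RFC 2131/2132 but are passed between the parties in memory rather than over a socket, so it runs offline.

```python
"""Simulated DHCP exchange with a rogue server (added example, not from the page).

Constructed scenario: legitimate server 192.168.1.1 and an attacker-run rogue
server 192.168.1.66 both hear the client's broadcast DISCOVER. If the rogue
answers first, the victim's lease carries the attacker's address as router and
DNS, so all off-subnet traffic is routed through the attacker's box.
"""
import struct
from ipaddress import IPv4Address

# RFC 2132 option 53 message types used below
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHHIIII16s64s128s"   # RFC 2131 fixed header, 236 bytes


def ip4(addr):
    return IPv4Address(addr).packed


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a BOOTP/DHCP message: fixed header, magic cookie, TLV options, 0xff end."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,      # htype=Ethernet, flags: broadcast bit
                      0, int(IPv4Address(yiaddr)), 0, 0,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


def parse_dhcp(pkt):
    """Inverse of build_dhcp; returns header fields plus a {code: raw_value} option map."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:6].hex(":"), "options": opts}


class DHCPServer:
    """Minimal server: one address pool, OFFER on DISCOVER, ACK only on REQUESTs that name it."""

    def __init__(self, name, server_ip, first_lease_ip, router, dns, lease_secs):
        self.name, self.server_ip = name, server_ip
        self.next_ip, self.router, self.dns, self.lease = IPv4Address(first_lease_ip), router, dns, lease_secs

    def _options(self, mtype):
        return [(53, bytes([mtype])), (54, ip4(self.server_ip)), (51, struct.pack("!I", self.lease)),
                (1, ip4("255.255.255.0")), (3, ip4(self.router)), (6, ip4(self.dns))]

    def handle(self, pkt):
        msg = parse_dhcp(pkt)
        mtype = msg["options"][53][0]
        if mtype == DISCOVER:
            return build_dhcp(BOOTREPLY, msg["xid"], msg["chaddr"], str(self.next_ip), self._options(OFFER))
        if mtype == REQUEST and msg["options"].get(54) == ip4(self.server_ip):
            ip = str(IPv4Address(msg["options"][50]))
            self.next_ip += 1
            return build_dhcp(BOOTREPLY, msg["xid"], msg["chaddr"], ip, self._options(ACK))
        return None   # REQUEST names another server id: our offer was declined, stay silent


def run_handshake(client_mac, servers, xid=0x3903F326):
    """Client side of the exchange. `servers` is ordered by who answers the broadcast first."""
    discover = build_dhcp(BOOTREQUEST, xid, client_mac, options=[(53, bytes([DISCOVER]))])
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    chosen = parse_dhcp(offers[0])          # like most real clients: first OFFER wins
    request = build_dhcp(BOOTREQUEST, xid, client_mac, options=[
        (53, bytes([REQUEST])), (54, chosen["options"][54]), (50, ip4(chosen["yiaddr"]))])
    acks = [a for a in (s.handle(request) for s in servers) if a]
    o = parse_dhcp(acks[0])["options"]
    return {"ip": parse_dhcp(acks[0])["yiaddr"], "server": str(IPv4Address(o[54])),
            "router": str(IPv4Address(o[3])), "dns": str(IPv4Address(o[6])),
            "lease": struct.unpack("!I", o[51])[0]}


def demo():
    """Constructed topology: rogue offers a shorter lease but still wins when it answers first."""
    legit = DHCPServer("legit", "192.168.1.1", "192.168.1.100", "192.168.1.1", "192.168.1.1", 86400)
    rogue = DHCPServer("rogue", "192.168.1.66", "192.168.1.200", "192.168.1.66", "192.168.1.66", 3600)
    victim = "de:ad:be:ef:00:01"
    return {"rogue_first": run_handshake(victim, [rogue, legit]),
            "legit_first": run_handshake(victim, [legit, rogue])}


if __name__ == "__main__":
    for order, lease in demo().items():
        print(order, lease)
```

In the `rogue_first` run the victim ends up with router and DNS 192.168.1.66 despite the rogue's 3600 s lease being far shorter than the legitimate 86400 s; in `legit_first` it gets the real gateway. Swapping the order is the whole attack: on a real segment the rogue wins by being faster, or by starving the legitimate pool so there is no competing OFFER at all.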