dhcpwn
Exploit DHCP server vulnerabilities
TLDR
Flood the network with IP requests
Sniff local DHCP traffic
SYNOPSIS
dhcpwn [-h] [-i <INTERFACE>] [-l <LIMIT>] [--range <START END>] [--hwaddr-prefix <PREFIX>] [--ip-src <IP>] ... see parameters
PARAMETERS
-h
Show help message and exit
-i, --interface <IFACE>
Network interface to bind to (required)
-l, --limit <COUNT>
Maximum number of fake clients to spawn (default: 256)
--range <STARTIP ENDIP>
IP range to claim during starvation
--hwaddr-prefix <PREFIX>
MAC address prefix for generated clients (e.g., 00:11:22)
--ip-src <IP>
Source IP for outgoing packets
--ip-dst <IP>
Destination IP (broadcast by default)
--giaddr <IP>
Gateway IP address for relay scenarios
--siaddr <IP>
Next server IP in BOOTP/DHCP options
--chaddr <MAC>
Client hardware address to spoof
--file <FILE>
Load discoveries from file
--server-ip <IP>
IP to spoof as DHCP server
--server-port <PORT>
DHCP server UDP port (default: 67)
--client-port <PORT>
DHCP client UDP port (default: 68)
--delay <MS>
Delay between packets in milliseconds
--count <N>
Number of packets per client
--spoofmac <MAC>
MAC address to spoof as server
--no-color
Disable colored output
-v
Increase verbosity
-d
Enable debug mode
DESCRIPTION
dhcpwn is a specialized Linux command-line tool designed for DHCP attacks, primarily used in penetration testing and network security assessments. It excels at two main attack vectors: DHCP starvation, which floods a DHCP server with forged DISCOVER packets using generated MAC addresses to exhaust the IP address pool, and DHCP spoofing, where it impersonates a legitimate server to deliver malicious OFFER/ACK responses, enabling traffic redirection or man-in-the-middle setups.
The tool generates client MACs with customizable prefixes, targets specific IP ranges, and supports relay agent scenarios via GIADDR manipulation. It provides real-time feedback on claimed leases, discovered clients, and packet statistics. Written in Python, it leverages raw sockets for low-level control, requiring root privileges.
dhcpwn is lightweight, evades basic detection with configurable delays, and outputs verbose logs for analysis. It's invaluable for auditing DHCP resilience on wired/wireless networks but demands ethical use to avoid service disruptions.
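Added example (not dhcpwn's own code): a defender-side Python detector for the two behaviours described above. It parses raw BOOTP/DHCP payloads per RFC 2131 and flags a starvation burst (many DISCOVERs from fresh client MACs sharing one OUI, the pattern a fixed --hwaddr-prefix leaves behind) and an OFFER whose server identifier (option 54) is not on an allow-list. The threshold, the allow-list and the sample packets built by build_dhcp are constructed assumptions.

```python
import struct
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"                # RFC 2131 option cookie
DISCOVER, OFFER = 1, 2                     # option 53 message types

def build_dhcp(op, msg_type, chaddr, server_id=None):
    # Minimal BOOTP/DHCP payload, used only to construct sample input.
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0,
                      0x8000, b"", b"", b"", b"", chaddr, b"", b"")
    opts = bytes([53, 1, msg_type])
    if server_id is not None:
        opts += bytes([54, 4]) + server_id  # server identifier
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Return (msg_type, chaddr, server_id), or None if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    chaddr = pkt[28:28 + pkt[2]]           # hlen selects the used bytes
    msg_type = server_id = None
    i = 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                    # 0 = pad, carries no length
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            return None                    # truncated option
        code, ln = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + ln]
        if code == 53 and ln == 1:
            msg_type = val[0]
        elif code == 54 and ln == 4:
            server_id = val
        i += 2 + ln
    return msg_type, chaddr, server_id

def analyse(pkts, allowed_servers, threshold=8):
    """Alerts: ('starvation', oui, n) when >= threshold distinct DISCOVER MACs
    share one OUI; ('rogue_offer', ip) when an OFFER's server id is not allowed."""
    alerts, seen, per_oui = [], set(), Counter()
    for msg_type, chaddr, server_id in filter(None, map(parse_dhcp, pkts)):
        if msg_type == DISCOVER and chaddr not in seen:
            seen.add(chaddr)               # count each client MAC once
            per_oui[chaddr[:3]] += 1
        elif msg_type == OFFER and server_id not in allowed_servers:
            alerts.append(("rogue_offer", server_id))
    alerts += [("starvation", oui.hex(":"), n)
               for oui, n in per_oui.items() if n >= threshold]
    return alerts
```

In practice the packets would come from a UDP/67-68 capture on the segment being audited; the allow-list is the set of servers the network is supposed to have.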
CAVEATS
Requires root privileges for raw sockets. Can cause network outages by exhausting DHCP pools. Strictly for authorized testing; illegal on unauthorized networks. May trigger IDS/IPS. Not for production use.
INSTALLATION
git clone https://github.com/mogwai-physics/dhcpwn.git
cd dhcpwn && sudo python setup.py install
Or: sudo apt install dhcpwn (Kali/Debian)
BASIC EXAMPLE
Starvation: sudo dhcpwn -i eth0 -l 200 --range 192.168.1.100 192.168.1.250
Spoofing: sudo dhcpwn -i wlan0 --server-ip 192.168.1.10 --giaddr 192.168.1.1
HISTORY
Developed by Patrik Fehrenbach (mx0w) around 2015. Open-sourced on GitHub (mogwai-physics/dhcpwn). Evolved for pentesting suites, with updates for modern DHCPv6 support and evasion techniques. Popular in Kali Linux repos.