16

How would we detect and locate a rogue DHCP server on our local area network?

Satoshi
  • 161
  • 1
  • 1
  • 3
  • 3
    In order to get a good answer I would suggest you add some more information. How big a network is it? What type of network equipment do you have? What have you already tried? – GdD Feb 09 '14 at 17:18
  • 4
    Hi.No, the question should be abstract and should not be limited to a single scenario on a particular network, so it can be discussed in broad terms.It is ment like this. – Satoshi Feb 10 '14 at 21:52

4 Answers4

17

You can use an nmap script for locating a server that will send DHCPOFFER (so long as it's in your broadcast domain):

nmap --script broadcast-dhcp-discover

This will give DNS domain name, your IP, who offered it, lease info..all of the fun stuff.

You can also include a list of hosts that have anything to do with port 67:

nmap --script broadcast-dhcp-discover -p67 [your network CIDR]
Community
  • 1
Jay
  • 171
  • 3
  • 2
    I have tested this and I believe it is incorrect. First, the script exits after the *first* DNS server responds. If you're looking for a rogue DNS, then your normal server may sometimes respond more quickly and you'd get a false negative. Second, the nmap script broadcast-dhcp-discover uses a fixed MAC address (0xDE:AD:CO:DE:CA:FE), and a rogue DNS server would simply ignore requests from that address. Third, doing an nmap scan of your network CIDR will only work if the rogue server happens to chose the same IP network as you (and why would they?) – hackerb9 Dec 13 '17 at 01:40
  • 1
    I agree with @hackerb9 . This isn't really going to do what has been asked as it doesn't keep sending responses to find as many DHCP servers as possible, only waiting until the first one replies. – Ashley Nov 30 '18 at 15:15
  • You can see all replies if you open another terminal and run there tcpdump, for example sudo tcpdump -nelt udp port 68 | grep -i "boot.*reply" – ajaaskel Oct 16 '19 at 22:03
8

The answer to this will largely depend on how good the management software on your network is.

Assuming that it's reasonable, I'd say that this wold be done by looking at the MAC address of the packets from the rogue server and then reviewing the management interface for your switches to see which port that MAC address is connected to. Then trace from the port to the physical port and see what's connected...

If you have no way to map from MAC address --> switch port --> physical port this could be a bit tricky, especially if the person running the server doesn't want to be found.

You could do a quick ping sweep of your network using nmap (nmap -sP -v -n -oA ping_sweep [your network here]) that'd give you a map of IP addresses to MAC addresses, then (assuming your rogue is on there) you could port scan the IP address and see if it tells you anything about it (e.g. machine name from SMB ports)...

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
  • This answer how to locate, not how to detect. You can use snort \ any other IDS \ custom script to detect and alert – Yehuda Feb 15 '17 at 15:41
1

Just found the rogue dhcp server on my home lan by the classic method of trial and error. Looking at the network properties I found that some dhcp clients got an ip address in the rogue 192.168.1.x range instead of the 192.168.3.x range that I configured in my dhcp server.

First I suspected a dev pc that hosts some virtual machines; the configuration is complex and who knows there might be some dhcp server in one of those vm's. Just pull the network cable and see if that dhcp client now gets a valid ip address. No improvement, too bad.

Now I suspected the "smart" tv, its a samsung and that brand is known for spying on viewers. Pulled its network cable. No luck, though.

Then, after some looking around I thought of that little old adsl modem with 4 ethernet ports I got some months ago from a friend to replace a broken ethernet switch. Pulled the 12 volt adapter cable. Bingo! The problem dhcp client now gets a valid ip address! I also realized that the dhcp trouble in our house started a while ago.

Agreed, I was not smart enough to fiddle with tools like nmap and/or wiresnark. But did Sherlock Holmes not succeed with Deduction and Induction?

PS

With a straightened paper clip I did a factory reset on the old adsl modem to make the default linksys password work, and disabled the dhcp server on it.

Roland
  • 137
  • 3
0

You can use wireshark to listen for dhcp replies to requests then go to your switch's arp table to find the address and location. You can do this with most configurable switches.

Waitkus
  • 146
  • 3