
Possible Duplicate:
How do I find if there is a rogue DHCP server on my Network?

I know this is a serious long shot, but here we go.

In the past week or so, users connected to a particular switch in our network (there are four dumb switches all connected, and it only affects SOME, not all, users on the one switch) have been getting DHCP addresses from a rogue DHCP server.

I have physically checked every cable plugged into the switch in question to make sure that none of them have a router or wifi point attached to it. I know the IP of the DHCP server, but I cannot ping it, and it does not have a web interface.

Does anyone have any suggestions on what I can do to locate it or shut it down? Unfortunately all the switches are unmanaged, and as mentioned, there's no physical device (that I can find) plugged in to anything.

It's getting critical, because it's screwing up the PXE boot of a whole bunch of thin clients.

Mark Henderson
    As a side note, DHCP Explorer purports to be able to find rogue DHCP servers: http://www.networksecurityhome.com/network_tools/dhcp_discovery/dhcp_discovery.html – joeqwerty Jan 12 '10 at 04:38
  • 1
    Interesting. I wish I had known about all these tools days ago! I should have come here first! – Mark Henderson Jan 12 '10 at 06:30
  • 2
    Love the tag. :) – Peter Eisentraut Jan 12 '10 at 10:17
  • There are very affordable switches around that have a built in rogue DHCP server filter configurable per port. The less than 250 Euro that eg a GS-1224 (The Lancom one, not D-Link) will cost you are probably less than the cost you in the end summed up chasing that rogue down... – rackandboneman May 09 '12 at 21:31
  • On a different note: There are also some models of LAN print servers that can function as a rogue DHCP, in case somebody finds that question with the same problem in the future... – rackandboneman May 09 '12 at 21:33

5 Answers

19

Try to nmap it using -O to detect the operating system; that may give you a better idea of what server it is. Also, running a standard port scan might help figure out what it is.

Nick Kavadias
11

The fact that you can't ping it isn't a problem.

(This procedure is mostly for managed switches, in the case of your dumb switches, it isn't as helpful, since you can't inspect the cam table... but anyway.)

  1. Run ipconfig /all (or look at syslog) and note the IP address listed for "DHCP Server". Generally this is the same as the default gateway.
  2. Attempt to ping this IP address; ignore the result.
  3. Run arp -a. The MAC address listed for the IP is your rogue DHCP server.

So, in your case, you can't follow this up with locating the switch port and disabling it, but you could have at least looked up the MAC address vendor and would have found that the vendor was something like VMware or VirtualBox.

If you have a box lying around, you can install https://roguedetect.bountysource.com/ on it, which will notify you if a problem like this occurs in the future.

Justin
  • Interesting tool. We've got a VMWare ESXi blade centre so I can deploy it on there with little system cost, which would certainly catch this in future. Thanks. (p.s. that site's certificate is expired) – Mark Henderson Jan 12 '10 at 02:12
9

Well, you can always try to ping the crap out of it and check the blinky lights on the routers. =P

Does traceroute show you anything?

Satanicpuppy
  • Hey, there's another idea I hadn't thought of. This is why I love ServerFault. Nothing in traceroute as it's all on the one switched network. – Mark Henderson Jan 12 '10 at 02:05
7

I know this has already been solved but another means, when you really can't find the machine (knowing it's a VM doesn't tell you what host it's on) is to keep sending it DHCP requests and unplug each cable in turn till it shuts up. Sometimes you just have to get back to crude basics.

John Gardeniers
4

Run Wireshark to get the MAC address of the server. It should at least tell you the manufacturer (MAC addresses are centrally allocated and each manufacturer is allocated a set of addresses).

niXar
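The ipconfig/arp procedure in Justin's answer and the Wireshark suggestion above are both after the same three facts: the DHCP server's IP, its MAC address, and the vendor behind that MAC. As an added example (not code from this thread, from roguedetect, or from any tool mentioned here), the Python script below pulls those facts out of a raw Ethernet frame carrying a DHCP OFFER and flags any server that is not on an allowlist of the DHCP servers you actually run. The frame it inspects is constructed inline; the OUI table holds a few real allocations (VMware, VirtualBox, Intel) but is a stand-in for the full IEEE list; the allowlist address 10.0.0.1 is made up.

```python
"""Flag DHCP OFFERs from servers that are not on an allowlist (added example)."""
import struct
from dataclasses import dataclass

# A handful of real OUI allocations; a production check would load the full IEEE list.
OUI_VENDORS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox (Oracle)",
    "00:1b:21": "Intel",
}
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpServerSighting:
    server_ip: str      # what ipconfig /all reports as "DHCP Server" (option 54)
    server_mac: str     # what arp -a / Wireshark would show for that IP
    vendor: str
    msg_type: str
    offered_ip: str
    authorized: bool


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def vendor_for(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown OUI")


def parse_dhcp_options(data):
    """Return {code: value} from the DHCP options area (after the magic cookie)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def inspect_frame(frame, authorized_servers):
    """Parse Ethernet/IPv4/UDP/BOOTP; return a sighting for server->client DHCP, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    src_mac = mac_str(frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                       # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != 67 or dport != 68:                        # only server -> client traffic
        return None
    bootp = udp[8:]
    if bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:     # op=2 means BOOTREPLY
        return None
    opts = parse_dhcp_options(bootp[240:])
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "unknown")
    # Option 54 (server identifier) is the authoritative server IP; fall back to the IP header.
    server_ip = ip_str(opts[54]) if 54 in opts else ip_str(ip[12:16])
    return DhcpServerSighting(server_ip, src_mac, vendor_for(src_mac), msg_type,
                              ip_str(bootp[16:20]), server_ip in authorized_servers)


def build_offer(server_mac, server_ip, client_mac, offered_ip):
    """Constructed sample OFFER frame (fixed xid, zero checksums) for offline testing."""
    ipb = lambda s: bytes(int(x) for x in s.split("."))
    macb = lambda s: bytes.fromhex(s.replace(":", ""))
    options = (b"\x35\x01\x02" + b"\x36\x04" + ipb(server_ip)
               + b"\x33\x04" + struct.pack("!I", 3600) + b"\xff")
    bootp = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", 2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                        b"\0" * 4, ipb(offered_ip), ipb(server_ip), b"\0" * 4,
                        macb(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         ipb(server_ip), ipb(offered_ip))
    return macb(client_mac) + macb(server_mac) + b"\x08\x00" + ip_hdr + udp


AUTHORIZED = {"10.0.0.1"}   # constructed: the DHCP server(s) you actually operate

if __name__ == "__main__":
    frames = [build_offer("00:0c:29:aa:bb:cc", "10.0.0.200", "00:1b:21:11:22:33", "10.0.0.57"),
              build_offer("00:1b:21:44:55:66", "10.0.0.1", "00:1b:21:11:22:33", "10.0.0.58")]
    for s in (inspect_frame(f, AUTHORIZED) for f in frames):
        tag = "OK   " if s.authorized else "ROGUE"
        print(f"{tag} {s.msg_type} from {s.server_ip} ({s.server_mac}, {s.vendor}) offering {s.offered_ip}")
```

Fed frames captured on the affected segment (any pcap reader that yields raw Ethernet bytes will do), it reports every server handing out leases; the OUI prefix on the rogue entry is what tells you to start looking at the VM hosts rather than walking the cables again.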