Tool for Finding Rogue DHCP
-
@Obsolesce said in Tool for Finding Rogue DHCP:
@scottalanmiller said in Tool for Finding Rogue DHCP:
Anyone have or know of a good tool for this? Software, obviously. Just something that triggers and traps DHCP requests. I know WireShark will do this, but something more concise would be nice and convenient.
More concise how? You can filter and get the ip of the rogue server.
I'm guessing he really meant lighter weight app for the job.
-
@black3dynamite said in Tool for Finding Rogue DHCP:
Microsoft Rogue Check Tool
https://www.tachytelic.net/2019/05/detect-rogue-dhcp-server/Ugh, I hate .NET. Components required that we don't have in the environment.
-
Capture with tcpdump, analyze with wireshark on whatever machine you want.
-
Would nmap work for this?
sudo nmap --script broadcast-dhcp-discover -e eth0
-
@Pete-S said in Tool for Finding Rogue DHCP:
Capture with tcpdump, analyze with wireshark on whatever machine you want.
BTW, you can filter with tcpdump directly if you want and not use wireshark at all.
I think this will do the job:
tcpdump -n -i any port 67 or port 68 or port 69
-
@DustinB3403 said in Tool for Finding Rogue DHCP:
Would nmap work for this?
sudo nmap --script broadcast-dhcp-discover -e eth0
That thread - seems like tcpdump would be better, because it will capture all DHCP replies.
-
https://www.question-defense.com/2012/10/02/sniff-all-broadcast-traffic-using-tcpdump
sudo tcpdump -i eth0 ether broadcast and ether multicast
-
I took a library someone wrote and made a small program to print out DHCP message info. Let me know what platform you want it for and I'll build it for that.
-
@Pete-S said in Tool for Finding Rogue DHCP:
Capture with tcpdump, analyze with wireshark on whatever machine you want.
Turn on DHCP snooping on your switches and have it suppress DHCP servers on access ports.
-
This is what it looks like with tcpdump when you have two dhcp servers:
Captured on the DHCP client when the interface goes up.
DHCP server 1 is x.x.x.251
DHCP server 2 is x.x.x.252
Client IP becomes x.x.x.150If you add the option
-v
for verbose you can see all the info inside the DHCP offer/ack.
For instance mac-address, lease-time, domain, ntp server etc.When you have only one DHCP server and everything is working you will just see the IP from the one DHCP server. If you look closer at the communication you'll see that the first line will be the offer from the DHCP server and the second will be the acknowledge.
-
@Pete-S tcpdump is what I was thinking of too.
-
@jmoore said in Tool for Finding Rogue DHCP:
@Pete-S tcpdump is what I was thinking of too.
I think it's a good tool. Prior to this I've only used it to capture and then run wireshark to analyze but this thread showed up at the right time.
The dual DHCP servers in my post above was a real scenario. Two DHCP servers in a failover configuration that I suspected didn't work as it should. And it didn't because both DHCP servers would send out an IP address but since they where synced the addresses didn't collide. I could verify and correct it with the help of tcpdump.
-
Ran into this about 12 years ago. A guy on the dev team decided to setup his own DHCP server. Screwed up all sorts of stuff. Can't remember for sure what we did, but I think after we realized that it wasn't actually an issue with our known DHCP servers, we decided to talk to the dev team and found out that is what he had done.
-
@wrx7m What happened with the dev?
-
@DustinB3403 said in Tool for Finding Rogue DHCP:
@wrx7m What happened with the dev?
He was reprimanded but not fired.
-
@wrx7m said in Tool for Finding Rogue DHCP:
Ran into this about 12 years ago. A guy on the dev team decided to setup his own DHCP server. Screwed up all sorts of stuff. Can't remember for sure what we did, but I think after we realized that it wasn't actually an issue with our known DHCP servers, we decided to talk to the dev team and found out that is what he had done.
It amazes me how many people just don't think about it - they have a problem, they think they know how to solve it, and just slap something onto the network.