detecting dhcp server

Stoly

It seems that there's a device that has a DHCP server enabled on my work's network.

The main DHCP server has the 192.168.1.5 IP, the gateway is the 192.168.1.12 TMG firewall and the DNS is 192.168.1.5.

But since yesterday I've found a few PCs with the 192.168.137.1 gateway and 255.255.255.255 DHCP server. Suffice to say, no internet on those.

I need to find the name of that DHCP server device; it could be a WiFi access point or a router.

Any ideas?
 
Wireshark.... will tell you everything going on in plain English.

It will tell you what IP/MAC is answering ARP call-outs etc....
 
I believe Spiceworks used to have a free tool called DHCP rogue detector or something like that. Or Wireshark should be able to tell you as well; just look under the bootp protocol for the offers and see what IP they are coming from.

If you have managed switches and they support DHCP snooping, definitely look into it to prevent this in the future.
 
Is this on a domain?

Use psexec and connect to 192.168.137.1 using a domain admin account.

psexec \\192.168.137.1 cmd.exe

that will tell you if it's a windows box on your domain :D
 
It seems that there's a device that has a DHCP server enabled on my work's network.

The main DHCP server has the 192.168.1.5 IP, the gateway is the 192.168.1.12 TMG firewall and the DNS is 192.168.1.5.

But since yesterday I've found a few PCs with the 192.168.137.1 gateway and 255.255.255.255 DHCP server. Suffice to say, no internet on those.

I need to find the name of that DHCP server device; it could be a WiFi access point or a router.

Any ideas?

Also... do a physical audit of your network. Find out the MAC ID of that rogue IP address/DHCP server. Use the web to find the manufacturer of the MAC ID and you'd be surprised at what it might be. It will tell you what brand it is so you can find it easier.
 
Also... do a physical audit of your network. Find out the MAC ID of that rogue IP address/DHCP server. Use the web to find the manufacturer of the MAC ID and you'd be surprised at what it might be. It will tell you what brand it is so you can find it easier.

That's what I want to do. I want to get the MAC so I can see if it's a PC, router or so.
 
That's what I want to do. I want to get the MAC so I can see if it's a PC, router or so.

As someone already mentioned, just load up Wireshark and filter for DHCP.

If you have switch access and it supports port mirroring or SPAN, just load Wireshark on the host connected to the SPAN port and capture there.

Or .... just find a machine with the wrong IP info on it and run ipconfig /all. Look for the line that says "DHCP Server".

Then arp it.
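The Wireshark approach above boils down to one check: in every DHCP OFFER/ACK on the wire, read the server identifier (option 54) and the frame's source MAC, and compare the server against the one you expect. The script below is an added example (mine, not from any poster in this thread) that does exactly that on raw Ethernet frames, so it works on bytes pulled from a pcap as well as on the two constructed sample frames it builds itself. It assumes, as the thread states, that 192.168.1.5 is the only legitimate server; the MAC addresses and the 192.168.1.50/192.168.137.20 lease addresses are made up. When an offer carries no option 54 (one way a client ends up reporting "255.255.255.255" as its DHCP server), it falls back to the IP source address, and the source MAC it reports is the value to look up on the switch's MAC table or in an OUI database.

```python
"""Flag rogue DHCP offers in captured Ethernet frames (constructed example)."""
import struct
import ipaddress

# Only server allowed to hand out leases (assumption from the thread: 192.168.1.5).
ALLOWED_DHCP_SERVERS = {"192.168.1.5"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_frame(src_mac, src_ip, dst_ip, msg_type, server_id, router, yiaddr, client_mac):
    """Build an Ethernet/IPv4/UDP/DHCP reply frame. Used only to construct sample data."""
    options = (bytes([53, 1, msg_type])                                   # DHCP message type
               + bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed  # server identifier
               + bytes([3, 4]) + ipaddress.IPv4Address(router).packed      # router (gateway)
               + bytes([255]))                                             # end
    bootp = struct.pack("!BBBBIHH4s4s4s4s",
                        2, 1, 6, 0,              # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                        0x3903F326, 0, 0x8000,   # xid, secs, flags (broadcast bit set)
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    bootp += bytes.fromhex(client_mac.replace(":", "")) + b"\0" * 10      # chaddr (16 bytes)
    bootp += b"\0" * 64 + b"\0" * 128                                      # sname, file
    payload = bootp + DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload      # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + udp
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


def parse_dhcp_frame(frame):
    """Return a dict describing the DHCP message in an Ethernet frame, or None if it is not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":   # too short / not IPv4
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                                                # not UDP
        return None
    src_ip = str(ipaddress.IPv4Address(frame[14 + 12:14 + 16]))
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if 67 not in (sport, dport):                                           # not bootps traffic
        return None
    bootp = udp + 8
    yiaddr = str(ipaddress.IPv4Address(frame[bootp + 16:bootp + 20]))
    opts = bootp + 236
    if frame[opts:opts + 4] != DHCP_MAGIC:
        return None
    options, i = {}, opts + 4
    while i < len(frame):                    # walk the TLV option list
        code = frame[i]
        if code == 255:
            break
        if code == 0:                        # pad
            i += 1
            continue
        length = frame[i + 1]
        options[code] = frame[i + 2:i + 2 + length]
        i += 2 + length

    def ip_opt(code):
        raw = options.get(code)
        return str(ipaddress.IPv4Address(raw[:4])) if raw and len(raw) >= 4 else None

    msg_type = options.get(53, b"\0")[0]
    return {"src_mac": src_mac, "src_ip": src_ip, "yiaddr": yiaddr,
            "msg_type": MSG_TYPE_NAMES.get(msg_type, str(msg_type)),
            "server_id": ip_opt(54), "router": ip_opt(3)}


def find_rogue_offers(frames, allowed=ALLOWED_DHCP_SERVERS):
    """Return (src_mac, src_ip, server, router) for every OFFER/ACK not sent by an allowed server."""
    rogues = []
    for frame in frames:
        msg = parse_dhcp_frame(frame)
        if msg is None or msg["msg_type"] not in ("OFFER", "ACK"):
            continue
        server = msg["server_id"] or msg["src_ip"]   # no option 54: fall back to IP source
        if server not in allowed:
            rogues.append((msg["src_mac"], msg["src_ip"], server, msg["router"]))
    return rogues


# Constructed sample capture: one legitimate offer, one rogue offer, one non-IP (ARP-sized) frame.
SAMPLE_FRAMES = [
    build_dhcp_frame("00:11:22:33:44:55", "192.168.1.5", "255.255.255.255", 2,
                     "192.168.1.5", "192.168.1.12", "192.168.1.50", "aa:bb:cc:dd:ee:01"),
    build_dhcp_frame("66:77:88:99:aa:bb", "192.168.137.1", "255.255.255.255", 2,
                     "192.168.137.1", "192.168.137.1", "192.168.137.20", "aa:bb:cc:dd:ee:02"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\0" * 28,
]

if __name__ == "__main__":
    for mac, ip, server, router in find_rogue_offers(SAMPLE_FRAMES):
        print(f"rogue DHCP server {server} (src {ip}, MAC {mac}) advertising router {router}")
```

On a real capture, replace `SAMPLE_FRAMES` with the frames read from a pcap taken on the SPAN port; the rogue's source MAC is what you then match against the switch's MAC address table to find the physical port.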
 
And lookup the OUI of the MAC to get a possible determination of the manufacturer of the device yer looking for.
 
And lookup the OUI of the MAC to get a possible determination of the manufacturer of the device yer looking for.

Or, you could use NMAP with the dhcp-discover script to find the rogue DHCP server...

The following page talks about Linux, but the dhcp-discover script should come bundled with the Windows install version of nmap too. If you're not familiar with nmap, then Google Zenmap to get a slightly more user-friendly GUI version for Windows...

http://nmap.org/nsedoc/scripts/dhcp-discover.html
 
Or, you could use NMAP with the dhcp-discover script to find the rogue DHCP server...

The following page talks about Linux, but the dhcp-discover script should come bundled with the Windows install version of nmap too. If you're not familiar with nmap, then Google Zenmap to get a slightly more user-friendly GUI version for Windows...

http://nmap.org/nsedoc/scripts/dhcp-discover.html

That's assuming that the server is in the same subnet. It could be a different subnet that is unknown.
 
That's assuming that the server is in the same subnet. It could be a different subnet that is unknown.

Not necessarily true. DHCP works within a broadcast domain, not within a subnet. If you use nmap's broadcast-dhcp-discover, then the DHCP request will be broadcast on the entire broadcast domain (255.255.255.255).... Any DHCP server in the broadcast domain (or any DHCP forwarder address configured on the routers for that specific broadcast domain) will reply and will be shown in the output. This will cover any devices which can send a DHCP offer to the host.
 
I'd recommend enabling DHCP Snooping on your network if the switch contains such a capability.
 
Find the MAC address of the dhcp server, find the MAC on the switch's table, shut that switchport down, see who comes complaining.
 
Once you're done, enable Dynamic ARP Inspection and DHCP Snooping so you don't have this problem again.
 
DHCP Snooping (injecting Option 82 information and defining which physical interfaces are trusted to have a DHCP server available), Dynamic ARP Inspection, IP Source Guard and, if you are one or more L3 hops away, also DHCP relay would fix this.

Also, most switches (that are somewhat up to date) today have "DHCP server detection", which will give you a log entry if some client is trying to act as a DHCP server.
 