detecting dhcp server

Stoly

Supreme [H]ardness
Joined
Jul 26, 2005
Messages
6,714
It seems that there's a device that has a DHCP server enabled on my work's network.

The main DHCP server has the 192.168.1.5 IP, the gateway is 192.168.1.12 (TMG firewall) and the DNS is 192.168.1.5.

But since yesterday I've found a few PCs with the 192.168.137.1 gateway and 255.255.255.255 DHCP server. Suffice to say, no internet on those.

I need to find the name of that DHCP server device, could be a wifi access point or a router.

any ideas?
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,311
Wireshark.... will tell you everything going on in plain english.

It will tell you what IP/MAC is answering ARP call outs etc....
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
I believe Spiceworks used to have a free tool called DHCP rogue detector or something like that. Or Wireshark should be able to tell you as well, just look under the bootp protocol for the offers and see what IP they are coming from.

If you have managed switches and they support dhcp snooping definitely look into it to prevent this in the future.
 
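The check described in the post above (look at the DHCP offers in a capture and see which address and MAC they actually come from), combined with the OUI lookup suggested further down the thread, can be scripted. The following is an added Python example, not code from any poster: it parses raw Ethernet/IPv4/UDP frames carrying DHCP OFFER or ACK messages, pulls the server identifier (option 54), the router (option 3) and the answering MAC, and flags any offer that does not come from the authorised server 192.168.1.5 named in the thread. The frames, MAC addresses and the two-entry OUI table are constructed for this example; a real run would read frames from a pcap and use the IEEE OUI registry.

```python
"""Offline rogue-DHCP-offer detector (added example, not from the thread).

Parses Ethernet/IPv4/UDP frames carrying DHCP messages, extracts what the
server *claims* (option 54 / siaddr) and where the frame *actually* came
from (L2 source MAC, L3 source IP), and flags offers that were not sent by
an authorised server. Sample frames below are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

AUTHORISED_SERVERS = {"192.168.1.5"}          # the real DHCP server in the thread
DHCP_MAGIC = b"\x63\x82\x53\x63"              # BOOTP vendor-extension magic cookie
OFFER, ACK = 2, 5                             # DHCP message types of interest

# Tiny OUI table for the demo. Both prefixes are real IEEE assignments;
# a production tool would load the full registry instead.
OUI_TABLE = {"00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation"}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def lookup_oui(mac: str) -> str:
    return OUI_TABLE.get(mac[:8].lower(), "unknown OUI")


def parse_options(data: bytes) -> dict:
    """Decode DHCP TLV options up to the 0xFF end marker (0x00 is padding)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_frame(frame: bytes):
    """Return a dict for a DHCP message in an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                          # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 67 not in (sport, dport):                             # not DHCP server traffic
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_options(bootp[240:])
    ip4 = lambda b: str(IPv4Address(bytes(b)))
    return {
        "src_mac": mac_str(src_mac),
        "src_ip": ip4(ip[12:16]),
        "msg_type": opts.get(53, b"\x00")[0],
        "yiaddr": ip4(bootp[16:20]),                         # address being offered
        "siaddr": ip4(bootp[20:24]),                         # next-server field
        "giaddr": ip4(bootp[24:28]),                         # relay agent, 0.0.0.0 if none
        "server_id": ip4(opts[54]) if len(opts.get(54, b"")) == 4 else None,
        "router": ip4(opts[3][:4]) if len(opts.get(3, b"")) >= 4 else None,
    }


def audit_frames(frames, authorised=AUTHORISED_SERVERS):
    """Flag every OFFER/ACK whose claimed server, or (when not relayed) whose
    actual L3 source, is not an authorised server. Checking the real source
    catches a rogue that forges option 54 to look like the legitimate server."""
    findings = []
    for frame in frames:
        msg = parse_dhcp_frame(frame)
        if msg is None or msg["msg_type"] not in (OFFER, ACK):
            continue
        claimed = msg["server_id"] or msg["siaddr"]
        relayed = msg["giaddr"] != "0.0.0.0"
        rogue = claimed not in authorised or (not relayed and msg["src_ip"] not in authorised)
        findings.append({"rogue": rogue, "claimed_server": claimed,
                         "actual_src_ip": msg["src_ip"], "src_mac": msg["src_mac"],
                         "vendor": lookup_oui(msg["src_mac"]),
                         "router_offered": msg["router"], "offered_ip": msg["yiaddr"]})
    return findings


def build_offer(src_mac, src_ip, yiaddr, router, server_id) -> bytes:
    """Construct a broadcast DHCP OFFER frame (sample data; checksums left zero)."""
    p = lambda a: IPv4Address(a).packed
    options = (bytes([53, 1, OFFER]) + bytes([54, 4]) + p(server_id)
               + bytes([3, 4]) + p(router) + bytes([1, 4]) + p("255.255.255.0") + bytes([255]))
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op=BOOTREPLY
    bootp += p("0.0.0.0") + p(yiaddr) + p(server_id) + p("0.0.0.0")      # ciaddr..giaddr
    bootp += bytes(16) + bytes(64) + bytes(128) + DHCP_MAGIC + options   # chaddr, sname, file
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     p(src_ip), p("255.255.255.255")) + udp
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + ip


# Constructed sample frames matching the thread's addressing.
SAMPLE_FRAMES = [
    # legitimate offer from the real server, gateway = the TMG box
    build_offer("00:50:56:aa:bb:01", "192.168.1.5", "192.168.1.50", "192.168.1.12", "192.168.1.5"),
    # rogue: leases 192.168.137.x with 192.168.137.1 as gateway, as seen on the broken PCs
    build_offer("b8:27:eb:12:34:56", "192.168.137.1", "192.168.137.20", "192.168.137.1", "192.168.137.1"),
    # rogue that forges the server identifier; only the real L2/L3 source gives it away
    build_offer("02:00:5e:00:00:01", "192.168.1.200", "192.168.1.77", "192.168.1.200", "192.168.1.5"),
]

if __name__ == "__main__":
    for f in audit_frames(SAMPLE_FRAMES):
        print(f"{'ROGUE' if f['rogue'] else 'ok   '} claimed={f['claimed_server']:<15} "
              f"from={f['actual_src_ip']:<15} mac={f['src_mac']} ({f['vendor']}) "
              f"router={f['router_offered']}")
```

The point of recording both the claimed server identifier and the frame's real source is that `ipconfig /all` only shows what the server put in option 54, which a misconfigured or malicious device need not fill in truthfully; the MAC in the capture is what you then look up in the switch's address table to find the port. Two caveats for Wireshark users: since Wireshark 3.0 the display filter is `dhcp` rather than `bootp`, and a capture taken on an ordinary client port only sees the broadcast offers, so a mirror/SPAN port as suggested below gives a fuller picture.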

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,236
Is this on a domain?

Use psexec and connect to 192.168.137.1 using a domain admin account.

psexec \\192.168.137.1 cmd.exe

that will tell you if it's a windows box on your domain :D
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,311
It seems that there's a device that has a DHCP server enabled on my work's network.

The main DHCP server has the 192.168.1.5 IP, the gateway is 192.168.1.12 (TMG firewall) and the DNS is 192.168.1.5.

But since yesterday I've found a few PCs with the 192.168.137.1 gateway and 255.255.255.255 DHCP server. Suffice to say, no internet on those.

I need to find the name of that DHCP server device, could be a wifi access point or a router.

any ideas?

Also... do a physical audit of your network. Find out the MAC ID of that rogue IP address/DHCP server. Use the web to find the manufacturer of the MAC ID and you'd be surprised at what it might be. It will tell you what brand it is so you can find it easier.
 

Stoly

Supreme [H]ardness
Joined
Jul 26, 2005
Messages
6,714
Also... do a physical audit of your network. Find out the MAC ID of that rogue IP address/DHCP server. Use the web to find the manufacturer of the MAC ID and you'd be surprised at what it might be. It will tell you what brand it is so you can find it easier.

That's what I want to do. I want to get the MAC so I can see if it's a PC, router or so.
 

MekoSuka

n00b
Joined
Aug 20, 2012
Messages
63
That's what I want to do. I want to get the MAC so I can see if its a PC, router or so.

As someone already mentioned, just load up Wireshark and filter for DHCP.

If you have switch access and it supports port mirroring or SPAN, just load Wireshark on the host connected to the SPAN port and capture there.

Or .... just find a machine with wrong IP info on it and run ipconfig /all. Look for the line that says "DHCP Server".

Then arp it
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
And lookup the OUI of the MAC to get a possible determination of the manufacturer of the device yer looking for.
 

jpochedl

Limp Gawd
Joined
Jun 7, 2004
Messages
345
And lookup the OUI of the MAC to get a possible determination of the manufacturer of the device yer looking for.

Or, you could use NMAP with the dhcp-discover script to find the rogue DHCP server...

The following page talks about Linux, but the dhcp-discover script should come bundled with the Windows install version of nmap too. If you're not familiar with nmap, then Google Zenmap to get a slightly more user-friendly GUI version for Windows...

http://nmap.org/nsedoc/scripts/dhcp-discover.html
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Or, you could use NMAP with the dhcp-discover script to find the rogue DHCP server...

The following page talks about Linux, but the dhcp-discover script should come bundled with the Windows install version of nmap too. If you're not familiar with nmap, then Google Zenmap to get a slightly more user-friendly GUI version for Windows...

http://nmap.org/nsedoc/scripts/dhcp-discover.html

That's assuming that the server is in the same subnet. It could be a different subnet that is unknown.
 

jpochedl

Limp Gawd
Joined
Jun 7, 2004
Messages
345
That's assuming that the server is in the same subnet. It could be a different subnet that is unknown.

Not necessarily true. DHCP works within a broadcast domain, not within a subnet. If you use nmap's broadcast-dhcp-discover, then the DHCP request will be broadcast on the entire broadcast domain (255.255.255.255) .... Any DHCP server in the broadcast domain (or any DHCP forwarder address configured on the routers for that specific broadcast domain) will reply and will be shown in the output. This will cover any devices which can send a DHCP offer to the host.
 

shade91

Guest
I'd recommend enabling DHCP Snooping on your network if the switch contains such a capability.
 

Jake

Supreme [H]ardness
Joined
Mar 17, 2000
Messages
4,573
Find the MAC address of the dhcp server, find the MAC on the switch's table, shut that switchport down, see who comes complaining.
 

aaronearles

[H]ard|Gawd
Joined
Aug 31, 2006
Messages
2,016
Once you're done, enable Dynamic ARP Inspection and DHCP Snooping so you don't have this problem again.
 

Apachez

Weaksauce
Joined
Aug 20, 2012
Messages
118
DHCP Snooping (injecting Option 82 information and defining which physical interfaces are trusted to have a DHCP server behind them), Dynamic ARP Inspection, IP Source Guard and, if you are one or more L3 hops away, also DHCP relay would fix this.

Also most switches (that are somewhat up to date) today have "DHCP server detection", which will give you a log entry if some client is trying to act as a DHCP server.
 