
How do I find if there is a rogue DHCP server on my Network? [Resolved]

What's the best approach towards determining if I have a rogue DHCP server inside my network?

I'm wondering how most admins approach these kinds of problems. I found DHCP Probe through searching, and thought about trying it out. Has anyone had experience with it? (I would like to know before taking the time to compile it and install).

Do you know any useful tools or best-practices towards finding rogue DHCP servers?

Question Credit: l0c0b0x
Question Reference
Asked June 14, 2019
Posted Under: Network
13 Answers

One simple method is to simply run a sniffer like tcpdump/wireshark on a computer and send out a DHCP request. If you see any offers other than from your real DHCP server then you know you have a problem.

credit: Zoredache
Answered June 14, 2019

dhcpdump, which takes input from tcpdump and shows only DHCP related packets. Helped me find a rootkited Windows box posing as a fake DHCP server in our LAN.

credit: vartec
Answered June 14, 2019

The Wireshark / DHCP explorer / DHCP Probe approaches are good for a one time or periodic check. However, I'd recommend looking into DHCP Snooping support on your network. This feature will provide constant protection from rogue DHCP servers on the network, and is supported by many different hardware vendors.

Here's the feature set as indicated in the Cisco docs.

• Validates DHCP messages received from untrusted sources and filters out invalid messages.

• Rate-limits DHCP traffic from trusted and untrusted sources.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

credit: Dave K
Answered June 14, 2019
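To make the DHCP snooping recommendation concrete, here is an added Cisco IOS configuration fragment; it is not from the answer or from Cisco's documentation, and the interface names and VLAN IDs are assumed. The point that catches people out: the port facing your real DHCP server (or relay) must be marked trusted, otherwise snooping drops the legitimate offers along with the rogue ones.

```text
! Enable snooping globally and on the access VLANs (assumed VLAN IDs)
ip dhcp snooping
ip dhcp snooping vlan 10,20

! Uplink toward the real DHCP server or relay: the only port on which
! server replies (OFFER/ACK/NAK) are accepted
interface GigabitEthernet1/0/48
 description uplink to core / DHCP server
 ip dhcp snooping trust

! Access ports stay untrusted (the default): server replies arriving on
! them are dropped, and client DISCOVER/REQUEST traffic is rate-limited
! (packets per second) so a flooding host err-disables its own port
interface range GigabitEthernet1/0/1 - 47
 ip dhcp snooping limit rate 15

! Verify: trusted ports and per-VLAN state, then the learned bindings
show ip dhcp snooping
show ip dhcp snooping binding
```

The binding table built this way (MAC, IP, lease, VLAN, port) is also what Dynamic ARP Inspection and IP Source Guard consume on the same platforms, so enabling snooping is the prerequisite for those as well.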

dhcploc.exe is the quickest and handiest way on Windows systems. It is available in the XP Support Tools. The Support Tools are on every OEM/retail XP disk, but may or may not be on "recovery disks" provided by some OEMs. You can also download them from MS.

It's a simple commandline tool. You run dhcploc {yourIPaddress} and then press the 'd' key to do a fake discovery. If you leave it running without pressing any keys, it will display every DHCP request and answer it hears. Press 'q' to quit.

credit: quux
Answered June 14, 2019

Scapy is a python based packet crafting tool that is good for this sort of task. There is an example of how to do exactly this here.

credit: Huygens
Answered June 14, 2019

To expand on l0c0b0x's comment about using bootp.type == 2 as a filter. The bootp.type filter is only available in Wireshark/tshark. It is not available in tcpdump, which the contextual location of his comment inclined me to believe it was.

Tshark works perfectly for this.

We have our network divided up into numerous broadcast domains, each with their own Linux-based probe with a point of presence on the "local" broadcast domain and on an administrative subnet in one fashion or another. Tshark combined with ClusterSSH allows me to easily look for DHCP traffic (or anything else, for that matter) on the further flung corners of the network.

This will find DHCP replies using Linux:

# ifconfig ethX promisc
# tshark -i ethX -n port 68 -R 'bootp.type == 2'

credit: Community
Answered June 14, 2019

once you've established that there's a rogue dhcp server on the network I found the quickest way to resolve it was...

Send an email round to the whole company saying:

"which one of you has added a wireless router into the LAN, you've killed the internet for everyone else"

expect a sheepish response, or the conflicting device to disappear, quickly :)

credit: Shh now
Answered June 14, 2019

Disable the main DHCP server and (re)configure a connection.

If you get an IP address, you've got a rogue.

If you have a Linux handy, the standard dhclient tells you the IP address of the DHCP server (else you can sniff the traffic to see where the DHCP response came from).

credit: Vinko Vrsalovic
Answered June 14, 2019

There are several ways. If you're running a small network, the simplest way is to turn off / disable / unplug your DHCP server and then run ipconfig /renew or similar on a client; if you obtain an IP you have something rogue on your network.

Another way would be to use the Wireshark packet capturer/analyser to look at your network traffic and find DHCP connections; there is a lab worksheet on how to do this available from here.

There are also a number of utilities available which purport to do this; one is DHCP explorer, another is DHCP probe, which you mentioned in your original post.

credit: Jona
Answered June 14, 2019

You could do a ping sweep of your networks and then compare that to the number of DHCP leases handed out by your DHCP server.

You need to have a general idea of the number of static devices (router interfaces and printers perhaps) which will skew this number slightly, but this should be a quick and accurate way of identifying them across multiple networks.

credit: Peter
Answered June 14, 2019
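An added example of the reconciliation described in the answer above (it is not code from the answer): parse an ISC dhcpd.leases file, keep only leases whose most recently written binding state is active, and list the hosts that answered a ping sweep but hold no lease and are not in the static inventory. The lease text, the sweep result and the static inventory are constructed sample data; the addresses and hostnames are assumed.

```python
import ipaddress
import re

# Constructed sample dhcpd.leases content (ISC format); not from a real server.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 4 2019/06/13 10:00:00;
  ends 4 2019/06/13 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop1";
}
lease 192.168.1.51 {
  starts 4 2019/06/13 09:00:00;
  ends 4 2019/06/13 21:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.51 {
  starts 4 2019/06/13 09:00:00;
  ends 4 2019/06/13 21:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.52 {
  starts 4 2019/06/13 11:00:00;
  ends 4 2019/06/13 23:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# Constructed sweep result: hosts that answered e.g. "nmap -sn 192.168.1.0/24"
SAMPLE_SWEEP = ["192.168.1.200", "192.168.1.1", "192.168.1.9",
                "192.168.1.50", "192.168.1.52"]

# Assumed static inventory (router interface and a printer, as the answer suggests)
STATIC = {"192.168.1.1": "gateway", "192.168.1.9": "printer-2f"}

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9A-Fa-f:]+);", re.M)


def active_leases(text):
    """Return {ip: mac} for leases whose latest record is active. dhcpd appends
    a new block on every state change instead of rewriting the file, so the
    last block for a given IP wins (192.168.1.51 above was released)."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if state and state.group(1) == "active":
            leases[ip] = mac.group(1).lower() if mac else None
        else:
            leases.pop(ip, None)
    return leases


def reconcile(sweep_ips, leases, static):
    """Compare sweep responders with active leases plus the static inventory.
    Anything left over is live on the wire without a lease from your server:
    a static device you forgot, a client served by a rogue DHCP server, or
    the rogue itself (which usually has a static address)."""
    live = set(sweep_ips)
    unaccounted = sorted(live - set(leases) - set(static),
                         key=ipaddress.IPv4Address)
    return {"live": len(live), "leased": len(leases), "static": len(static),
            "unaccounted": unaccounted}


if __name__ == "__main__":
    print(reconcile(SAMPLE_SWEEP, active_leases(SAMPLE_LEASES), STATIC))
```

Comparing the raw counts, as the answer suggests, tells you that something is off; keeping the per-address difference tells you which hosts to go and look at, and a rogue server's clients will usually sit in an address range your server never hands out.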

On Debian/Ubuntu one also has the option to use dhcpdump and/or tcpdump with the help of e.g. dhclient

Use dhcpdump:

  • 1.a) run dhcpdump -i eth0 in one shell/window (eth0 or the name of your interface)
  • 1.b) start dhclient in another shell (it doesn't have to run successfully)
  • 1.c) look into the output of dhcpdump for information (it should be a nice formatted, informative list of the most details)

Option 2 if you dont like to use dhcpdump:

  • 2.a) run tcpdump -i eth0 -t -n > /tmp/my_file.txt in one shell/window
    (optional: -t = disable timestamp // -n = disable name-resolution, just IP-address, no servernames (for RHEL/centos use -nn) )
  • 2.b) start dhclient in another shell (it doesn't have to run successfully)
  • 2.c) stop the running tcpdump ()
  • 2.d) examine the file /tmp/my_file.txt with your favorite editor and search for things like: ".53 " (the default DNS port) / "NX" / "CNAME" / "A?" / "AAAA" -

*sidenote: tcpdump and dhcpdump probably have to be installed (e.g.: sudo apt-get install tcpdump dhcpdump); dhcpdump depends on tcpdump

credit: eli
Answered June 14, 2019
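The sniffer-based answers above (tcpdump/Wireshark, dhcpdump, tshark with bootp.type == 2, and the dhcpdump/tcpdump procedure just described) all reduce to the same check: look at the DHCP replies seen on UDP port 68 and flag any that do not come from your real server. As an added example, not code from any of the answers, here is a small pure-Python DHCP parser that performs that check on a constructed sample capture. The addresses, the client MAC and the trusted-server list are assumptions; against real traffic you would feed it the UDP payloads from a tcpdump -w capture or a raw socket.

```python
import ipaddress
import struct

# DHCP option codes from RFC 2132 used below
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, yiaddr, siaddr, chaddr, options):
    """Build a BOOTP/DHCP payload (the bytes after the UDP header); op=2 is
    BOOTREPLY. Used here only to construct the sample capture."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
        ipaddress.IPv4Address(yiaddr).packed,
        ipaddress.IPv4Address(siaddr).packed,
        b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Parse one DHCP payload into header fields plus a {code: bytes} option map."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    pkt = {"op": op, "xid": xid,
           "yiaddr": str(ipaddress.IPv4Address(data[16:20])),
           "siaddr": str(ipaddress.IPv4Address(data[20:24])),
           "chaddr": data[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        pkt["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return pkt


def _ip(val):
    return str(ipaddress.IPv4Address(val[:4]))


def find_rogue_offers(payloads, trusted_servers):
    """Flag every OFFER/ACK/NAK whose server identifier (option 54, falling
    back to siaddr) is not a trusted server, with the gateway and DNS it pushed."""
    findings = []
    for data in payloads:
        pkt = parse_dhcp(data)
        opts = pkt["options"]
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if pkt["op"] != 2 or mtype not in (2, 5, 6):  # only server replies matter
            continue
        server = _ip(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else pkt["siaddr"]
        if server in trusted_servers:
            continue
        findings.append({
            "msg": MSG_TYPES.get(mtype, str(mtype)), "server": server,
            "client_mac": pkt["chaddr"], "offered_ip": pkt["yiaddr"],
            "router": _ip(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None,
            "dns": _ip(opts[OPT_DNS]) if OPT_DNS in opts else None})
    return findings


def _p(s):
    return ipaddress.IPv4Address(s).packed


CLIENT_MAC = bytes.fromhex("001122334455")   # assumed client MAC
TRUSTED = {"192.168.1.1"}                    # assumed legitimate DHCP server

# Constructed sample capture (not real traffic): the legitimate server and a
# rogue box both answer the same DISCOVER (same xid), as a sniffer on UDP 68 sees it.
SAMPLE_CAPTURE = [
    build_dhcp(2, 0x3903F326, "192.168.1.50", "192.168.1.1", CLIENT_MAC, [
        (OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, _p("192.168.1.1")),
        (OPT_SUBNET, _p("255.255.255.0")), (OPT_ROUTER, _p("192.168.1.1")),
        (OPT_DNS, _p("192.168.1.1"))]),
    build_dhcp(2, 0x3903F326, "192.168.1.77", "0.0.0.0", CLIENT_MAC, [
        (OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, _p("192.168.1.254")),
        (OPT_SUBNET, _p("255.255.255.0")), (OPT_ROUTER, _p("192.168.1.254")),
        (OPT_DNS, _p("192.168.1.254"))]),
]

if __name__ == "__main__":
    for f in find_rogue_offers(SAMPLE_CAPTURE, TRUSTED):
        print("rogue %(msg)s from %(server)s: offered %(offered_ip)s to "
              "%(client_mac)s (router=%(router)s dns=%(dns)s)" % f)
```

The check keys on the server identifier (option 54) rather than on the IP source address because a reply that crossed a relay carries the relay's address, and a deliberate attacker can forge the IP header anyway. Recording the router and DNS options the rogue handed out is what tells you whether you are looking at a misplugged home router or at someone steering clients through their own box.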