How to find a rogue DHCP server

If your company has a large corporate network shared by many employees, you may have encountered the case where your host machine is assigned an IP address by some unknown DHCP server that is not under the administrative control of the corporate network, which in turn causes various connectivity issues for your host. When a host machine is trying to obtain an IP address via DHCP, it accepts whichever DHCP offer message arrives first. Hence, if a rogue DHCP server interferes with a legitimate DHCP server by sending out DHCP offers of its own, it can cause various networking problems for connected hosts by supplying them with an unreachable default gateway, unexpected private IP addresses, a bogus DNS resolver, and so on.
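The fields a host acts on when it accepts an offer (server identifier, default gateway, DNS servers) sit in the DHCP payload itself, so a captured offer can be checked against the list of servers that are supposed to answer. The following is an added Python example, not code from the original post: it parses a constructed DHCPOFFER and flags a server identifier that is not on a hypothetical allowlist (192.168.10.254 as the assumed corporate server, the client MAC and DNS address are made up; 192.168.10.1 is the rogue server address used later in the post).

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that precedes the DHCP options


def parse_dhcp(payload: bytes) -> dict:
    """Pull the server-identifying fields out of a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                               # hardware address length (6 for Ethernet)
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, single byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: str(IPv4Address(bytes(b)))
    return {
        "msg_type": options.get(53, b"\x00")[0],                    # 2 = OFFER, 5 = ACK
        "server_id": ip(options[54]) if 54 in options else ip(payload[20:24]),  # option 54, else siaddr
        "yiaddr": ip(payload[16:20]),                                # address being handed to the client
        "router": ip(options[3][:4]) if 3 in options else None,      # default gateway pushed to the host
        "dns": [ip(options[6][k:k + 4]) for k in range(0, len(options.get(6, b"")), 4)],
        # chaddr is the *client* MAC; the server's MAC (for the switch MAC-table lookup) is the
        # Ethernet source address of the frame that carried the offer, not part of this payload.
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
    }


def is_rogue(info: dict, authorized: set) -> bool:
    """True when an OFFER/ACK names a server identifier that is not on the allowlist."""
    return info["msg_type"] in (2, 5) and info["server_id"] not in authorized


def build_offer(server_ip, yiaddr, router, dns, client_mac, xid=0x3903F326) -> bytes:
    """Constructed DHCPOFFER payload used as offline test input (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0x8000,  # BOOTREPLY, Ethernet, broadcast flag
                        b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(server_ip).packed, b"\0" * 4)
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    opts = (b"\x35\x01\x02"                                   # 53: message type OFFER
            + b"\x36\x04" + IPv4Address(server_ip).packed      # 54: server identifier
            + b"\x03\x04" + IPv4Address(router).packed         # 3: default gateway
            + b"\x06\x04" + IPv4Address(dns).packed            # 6: DNS server
            + b"\xff")                                         # end of options
    return fixed + chaddr + b"\0" * 192 + MAGIC_COOKIE + opts   # sname (64) + file (128) left empty


if __name__ == "__main__":
    offer = build_offer("192.168.10.1", "192.168.10.50", "192.168.10.1", "10.0.0.53", "00:11:22:33:44:55")
    print(parse_dhcp(offer), "ROGUE" if is_rogue(parse_dhcp(offer), {"192.168.10.254"}) else "authorized")
```

Feeding the same parser the UDP payloads of real captured offers (destination port 68) turns this into a simple check for offers from unlisted servers.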

An unauthorized DHCP server gets added to the network under various circumstances, mostly inadvertently. Someone could be playing with a DHCP-enabled router/switch in their office, which then starts sending DHCP offer messages to the connected network. A DHCP-enabled network printer may be plugged into the network and start causing problems. The built-in NAT of standard hypervisors such as VMware vSphere could also act as a rogue DHCP server by accident when the underlying host machine is connected to the network.

If you suspect that a misbehaving DHCP server is running for any reason, follow the guidelines below to locate the rogue DHCP server on the network.

The first step is to identify the operating system of the DHCP server host. Knowing the OS of the rogue DHCP server may give you a better idea of where the server is running. A Linux tool called nmap performs comprehensive active TCP/IP stack fingerprinting, and thus can be used to identify the OS of an arbitrary remote host. So first find the IP address of the rogue DHCP server, and then run nmap against that address. Example nmap output is shown below.

$ sudo apt-get install nmap
$ sudo nmap -O 192.168.10.1
Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-16 23:25 EDT
Interesting ports on 192.168.10.1:
Not shown: 987 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
....
MAC Address: 00:19:D1:54:5B:6E (Intel)
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008, or Windows 7 Ultimate (build 7000)
Network Distance: 1 hop 

As you can see above, the output of nmap contains the OS details of the remote IP address, as well as the vendor associated with the MAC address of the DHCP server's network interface. These pieces of information may give you some hints about the identity of the rogue DHCP server.

Besides OS fingerprinting, you can also try to infer the physical location of the rogue DHCP server by looking up its MAC address in the MAC address tables of the local network switches. This will tell you the switch port where the DHCP server is physically connected.

If the rogue DHCP server is running inside someone's router or wireless access point (WAP), chances are that the router/WAP has a web-based administration interface built in. Try going to http://[IP-address-DHCP-server], and see whether the login page of the web-based administration interface gives you any clue.

Finding and disconnecting a rogue DHCP server is not straightforward, given the way DHCP works. If you would like to prevent unauthorized DHCP servers from being active in the first place, you can try various vendor-specific mechanisms to do so (e.g., enabling DHCP snooping on managed switches).

Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

One thought on “How to find a rogue DHCP server”

  1. Ok, this guide is pointless. The whole point is to try to identify the IP address of a rogue DNS, which is normally the issue, by looking at ARP packets for the DHCP request. If you already know the IP address, then what's the point? The guide should be entitled how to find "A" server on your network. The fact that he's trying to find a DHCP server is completely inconsequential.
