Last updated on July 6, 2020 by Dan Nanni
If your company has a large corporate network shared by many employees, you may have encountered the case where your host machine gets an IP address assigned by some unknown DHCP server not under the administrative control of the corporate network, which in turn causes various connectivity issues for your host. When a host machine is trying to obtain an IP address via DHCP, it accepts whichever DHCP offer message arrives first. Hence, if a rogue DHCP server is interfering with a legitimate DHCP server by sending out DHCP offers of its own, it can cause various networking-related problems for connected hosts by supplying them with an unreachable default gateway, private IP addresses, a bogus DNS resolver, etc.
An unauthorized DHCP server can be added to the network in various circumstances, mostly inadvertently. Someone could be playing with a DHCP-enabled router/switch in his office, which then starts to send out DHCP offer messages to the connected network. A DHCP-enabled network printer may be hooked up to the network and start causing problems. The built-in NAT of standard hypervisors such as VMware vSphere could also act as a rogue DHCP server by accident when the underlying host machine is connected to the network.
If you suspect that there is a misbehaving DHCP server running for any reason, follow the guidelines below to find a rogue DHCP server in the network.
The first step is to identify the operating system of the DHCP server host. Knowing the OS of the rogue DHCP server may give you a better idea of where the server is running. A Linux tool called nmap performs comprehensive active TCP/IP stack fingerprinting, and thus can be used to identify the OS of an arbitrary remote host. So you first find the IP address of the rogue DHCP server, and then run nmap against that IP address. An example output of nmap is shown below.
$ sudo apt-get install nmap
$ sudo nmap -O 192.168.10.1
Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-16 23:25 EDT
Interesting ports on 192.168.10.1:
Not shown: 987 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
....
MAC Address: 00:19:D1:54:5B:6E (Intel)
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008, or Windows 7 Ultimate (build 7000)
Network Distance: 1 hop
As you can see above, the output of nmap contains the OS details of the remote IP address, as well as the vendor associated with the MAC address of the DHCP server's network interface. These pieces of information may give you some hints about the identity of the rogue DHCP server.
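The nmap step assumes you already know the rogue server's IP address. As an added example (not part of the original article), the Python code below parses captured DHCP reply payloads, reads the server identifier (option 54), router (option 3) and DNS servers (option 6) from each offer, and flags offers from servers outside an allowlist. The allowlist address 192.168.10.254, the helper names and the two sample packets are constructed assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
AUTHORIZED = {"192.168.10.254"}  # assumption: your legitimate DHCP server(s)

def parse_offer(payload):
    """Parse one DHCP payload (UDP data); return a dict for a DHCPOFFER, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None              # too short, not a BOOTREPLY, or not DHCP
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                             # truncated option
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if opts.get(53) != b"\x02":                     # option 53 value 2 = DHCPOFFER
        return None
    def ips(code):
        raw = opts.get(code, b"")
        return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]
    server = ips(54)
    return {"server": server[0] if server else None, "router": ips(3), "dns": ips(6),
            "offered_ip": str(ipaddress.IPv4Address(payload[16:20]))}  # yiaddr field

def find_rogue(payloads, authorized=AUTHORIZED):
    """Return parsed offers whose server identifier is missing or not in the allowlist."""
    offers = [o for o in map(parse_offer, payloads) if o]
    return [o for o in offers if o["server"] not in authorized]

def build_offer(server, offered, router, dns):
    """Build a constructed sample DHCPOFFER payload for the demonstration."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), ip(offered), ip(server), bytes(4),
                      bytes(16), bytes(64), bytes(128))
    opts = b"\x35\x01\x02\x36\x04" + ip(server) + b"\x03\x04" + ip(router) + b"\x06\x04" + ip(dns)
    return hdr + MAGIC + opts + b"\xff"

SAMPLES = [  # constructed sample packets, not real captures
    build_offer("192.168.10.254", "192.168.10.50", "192.168.10.254", "192.168.10.254"),
    build_offer("192.168.10.1", "192.168.1.23", "192.168.1.1", "192.168.1.1"),
]

if __name__ == "__main__":
    for offer in find_rogue(SAMPLES):
        print("unauthorized DHCP offer:", offer)
```

In practice the payloads would come from DHCP replies captured on a client segment; the server address reported for an unauthorized offer is the one to fingerprint and trace.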
Besides OS fingerprinting, you can also try to infer the physical location of a rogue DHCP server by looking up the MAC address of the DHCP server in the MAC tables of local network switches. This will tell you the port where the DHCP server is physically hooked up.
If the rogue DHCP server is running inside someone's router or wireless access point (WAP), chances are that the router/WAP has a web-based administration interface built in. Try going to http://<IP-address-DHCP-server> or https://<IP-address-DHCP-server>, and see if the front-end login page of the web-based administration interface gives you any clue.
Finding and disconnecting any rogue DHCP server is not straightforward due to the way DHCP works. If you would like to prevent any unauthorized DHCP servers from being active, you can try various vendor-specific mechanisms to do so (e.g., enabling DHCP snooping on managed switches).
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.