How to find a rogue DHCP server

Last updated on July 6, 2020 by Dan Nanni

If your company has a large corporate network shared by many employees, you may have encountered the case where your host machine is assigned an IP address by some unknown DHCP server that is not under the administrative control of the corporate network, which in turn causes various connectivity issues for your host. When a host machine is trying to obtain an IP address via DHCP, it accepts whichever DHCP offer message arrives first. Hence, if a rogue DHCP server interferes with a legitimate DHCP server by sending out DHCP offers of its own, it can cause various networking problems for connected hosts by supplying them with an unreachable default gateway, private IP addresses, a bogus DNS resolver, etc.
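The following is an added example, not part of the original article: it parses captured DHCPOFFER messages and flags any whose server identifier (option 54) is not on the list of authorized DHCP servers, reporting the gateway and DNS resolver the unknown server tried to hand out. Capturing the raw UDP payloads (for example with tcpdump on the DHCP client port) is assumed to happen separately; the packets below are constructed samples, and all addresses and MACs are made up.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OFFER = 2                            # value of option 53 for a DHCPOFFER

def parse_dhcp(packet: bytes) -> dict:
    """Parse a raw BOOTP/DHCP message into its header fields and an options dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, hlen = packet[0], packet[2]                   # op=2 means server-to-client
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:       # 255 ends the option list
        if packet[i] == 0:                            # 0 is a pad byte with no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": str(IPv4Address(packet[16:20])),
            "chaddr": packet[28:28 + hlen].hex(":"), "options": options}

def find_rogue_offers(packets, authorized_servers):
    """One finding per DHCPOFFER whose server identifier (option 54) is not authorized."""
    findings = []
    for msg in map(parse_dhcp, packets):
        opts = msg["options"]
        if msg["op"] != 2 or opts.get(53) != bytes([OFFER]) or 54 not in opts:
            continue
        server = str(IPv4Address(opts[54]))
        if server not in authorized_servers:
            addr = lambda code: str(IPv4Address(opts[code])) if code in opts else None
            findings.append({"rogue_server": server, "victim_mac": msg["chaddr"],
                             "offered_ip": msg["yiaddr"], "router": addr(3), "dns": addr(6)})
    return findings

def build_offer(server, client_mac, yiaddr, router, dns):
    """Build a minimal DHCPOFFER for the constructed sample below (not a real capture)."""
    mac = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = (bytes([2, 1, 6, 0]) + b"\x39\x03\xf3\x26" + b"\0" * 8 +      # op..flags, ciaddr
              IPv4Address(yiaddr).packed + b"\0" * 8 + mac + b"\0" * 192)  # yiaddr..file
    options = (bytes([53, 1, OFFER, 54, 4]) + IPv4Address(server).packed + bytes([3, 4]) +
               IPv4Address(router).packed + bytes([6, 4]) + IPv4Address(dns).packed + b"\xff")
    return header + MAGIC_COOKIE + options

# Constructed sample: one offer from the corporate server, one from an unknown box.
SAMPLE_OFFERS = [
    build_offer("10.0.0.2", "de:ad:be:ef:00:01", "10.0.0.50", "10.0.0.1", "10.0.0.2"),
    build_offer("192.168.10.1", "de:ad:be:ef:00:01", "192.168.10.100", "192.168.10.1", "192.168.10.1"),
]
ROGUE = find_rogue_offers(SAMPLE_OFFERS, {"10.0.0.2"})   # one finding, from 192.168.10.1
```

The server identifier in each finding is the address to feed into the nmap and switch MAC-table steps that follow.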

An unauthorized DHCP server gets added to the network in various circumstances, mostly inadvertently. Someone could be playing with a DHCP-enabled router or switch in their office, which then starts sending DHCP offer messages onto the connected network. A DHCP-enabled network printer may be hooked up to the network and start causing problems. The built-in NAT of standard hypervisors such as VMware vSphere can also act as a rogue DHCP server by accident when the underlying host machine is connected to the network.

If you suspect that there is a misbehaving DHCP server running for any reason, follow the guideline below to find a rogue DHCP server in the network.

The first step is to identify the operating system of the DHCP server host. Knowing the OS of the rogue DHCP server may give you a better idea of where the server is running. A Linux tool called nmap performs comprehensive active TCP/IP stack fingerprinting, and thus can be used to identify the OS of an arbitrary remote host. First, find the IP address of the rogue DHCP server, then run nmap against that IP address. An example output of nmap is shown below.

$ sudo apt-get install nmap
$ sudo nmap -O 192.168.10.1
Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-16 23:25 EDT
Interesting ports on 192.168.10.1:
Not shown: 987 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
....
MAC Address: 00:19:D1:54:5B:6E (Intel)
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008, or Windows 7 Ultimate (build 7000)
Network Distance: 1 hop

As you can see above, the output of nmap contains the OS details of the remote IP address, as well as the vendor associated with the MAC address of the DHCP server's network interface. These pieces of information may give you some hint at the identity of the rogue DHCP server.

Besides OS fingerprinting, you can also try to infer the physical location of a rogue DHCP server by looking up the MAC address of the DHCP server in the MAC address tables of the local network switches. This will tell you the switch port where the DHCP server is physically connected.

If the rogue DHCP server is running inside someone's router or wireless access point (WAP), chances are that the router/WAP has a web-based administration interface built in. Try going to http://<IP-address-DHCP-server> or https://<IP-address-DHCP-server>, and see if the front-end login page of the web-based administration interface gives you any clue.

Finding and disconnecting any rogue DHCP server is not straightforward due to the way DHCP works. If you would like to prevent any unauthorized DHCP servers from being active, you can try various vendor-specific mechanisms to do so (e.g., enabling DHCP snooping on managed switches).

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.