Detect, Spot & Prevent Rogue DHCP server in your network

Detect Rogue DHCP server using MS Rogue DHCP Server detection tool

The tool below is provided by Microsoft's DHCP team:
http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

Spot Rogue DHCP server using Wireshark

DHCP process (DORA)
1. discover
2. offer
3. request
4. acknowledge

  1. Install Wireshark and restart the machine
  2. Start Wireshark with no capture filter
  3. Go to the command prompt and type ipconfig /release and then ipconfig /renew
  4. Save the trace file as roguedhcp.pcap
  5. Open the capture file and add the display filter: bootp
  6. Target a DHCP Offer packet; it will be the template for the display filter
    Select the line with "DHCP Offer - Transaction ID xxx"
    View -> Packet Details
    Expand "Bootstrap Protocol"
    Move down, find and expand "Option: (53) DHCP Message Type"
    Right-click on "DHCP: Offer (2)" -> Apply as Filter -> Selected
  7. On the menu bar, Statistics -> Endpoints
    The filter will now read: bootp.option.dhcp == 2
    Select the "IPv4" tab and tick "Limit to display filter"; the IPv4 addresses displayed are now limited to the packets matching the filter selected earlier
  8. There may be multiple unicast IPs and a single broadcast IP (i.e. 255.255.255.255); the unicast IPs are the addresses of the DHCP servers trying to allocate IPs to end hosts in the subnet. Any unicast address that is not one of your known DHCP servers is a rogue server.
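The same check scripted in Python, as an added example that is not part of the original post or of Microsoft's tool: it parses raw BOOTP/DHCP payloads, keeps only Offers (option 53 == 2, what the bootp.option.dhcp == 2 filter above selects), and reports every source address that is not on an approved-server list. The packets, addresses and the approved list are constructed sample data.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that starts the option field
DHCP_OFFER = 2                       # option 53 value for a DHCP Offer

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP UDP payload.
    Fixed BOOTP header is 236 bytes, then the cookie, then TLV options
    (PAD = 0 has no length byte, END = 255 terminates the list)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def offer_servers(packets) -> set:
    """Source IPs of every DHCP Offer: the same set Wireshark lists under
    Statistics -> Endpoints once the Offer filter is applied."""
    return {src for src, payload in packets
            if parse_dhcp_options(payload).get(53) == bytes([DHCP_OFFER])}

def rogue_servers(packets, authorized) -> set:
    """Offer senders that are not on the list of approved DHCP servers."""
    return offer_servers(packets) - set(authorized)

def build_dhcp(msg_type: int, server_id=None, xid: int = 0x1234) -> bytes:
    """Constructed sample packet: minimal BOOTP message with option 53 (and 54)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    if server_id:  # option 54, DHCP Server Identifier, present in Offers
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    return header + MAGIC_COOKIE + options + b"\xff"

# Constructed capture as (source IP, UDP payload): a client Discover, an Offer
# from the approved server and an Offer from an unapproved host on the subnet.
SAMPLE_PACKETS = [
    ("0.0.0.0", build_dhcp(1)),                            # Discover (type 1)
    ("192.0.2.10", build_dhcp(DHCP_OFFER, "192.0.2.10")),  # approved server
    ("192.0.2.77", build_dhcp(DHCP_OFFER, "192.0.2.77")),  # unexpected server
]
AUTHORIZED = ["192.0.2.10"]  # sample allow-list of known DHCP servers
```

Wireshark releases from 3.0 onward name the dissector dhcp, so the equivalent display filter there is dhcp.option.dhcp == 2; bootp.option.dhcp is the pre-3.0 name.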

Prevent Rogue DHCP server by DHCP snooping
