DEL HTML anchors from posts as they are going to be added automatically with new ssg

This commit is contained in:
Caffeine Fueled 2025-10-27 20:20:04 +01:00
parent 3484b45045
commit 3d28d5eee9
Signed by: cf7
GPG key ID: CA295D643074C68C
26 changed files with 263 additions and 263 deletions


@ -1,6 +1,6 @@
# Detecting Rogue DHCP Server
# What is a rogue DHCP server <a href="#what-is-a-rogue-dhcp-server" id="what-is-a-rogue-dhcp-server">#</a>
# What is a rogue DHCP server
A rogue DHCP server is an unauthorized DHCP server that **distributes knowingly or unknowingly wrong or malicious information** to clients that send DHCP discover packets within a network. The following section lists some examples of rogue DHCP servers.
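Review bot: this is the one heading in the set whose hand-written id (`what-is-a-rogue-dhcp-server`) equals the slug a generator would derive from the heading text, so the commit message's assumption holds here but cannot be taken for granted elsewhere; please state in the commit description which slug rule the new SSG applies (lowercasing, punctuation stripping, treatment of the trailing `#` link text) so the remaining hunks can be checked against it.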
@ -18,7 +18,7 @@ Misconfiguration:
![dhcp-rogue-server](/images/blog/dhcp-rogue-server.png)
# Signs of a Rogue DHCP server <a href="#signs" id="signs">#</a>
# Signs of a Rogue DHCP server
Some signs of having a rogue DHCP server on your network are listed below:
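Review bot: the removed id `signs` does not match the heading text `Signs of a Rogue DHCP server`, so an auto-generated anchor will almost certainly be `signs-of-a-rogue-dhcp-server` and any existing inbound link to `#signs` will silently stop resolving. The same mismatch applies to `dhcp`, `detecting`, `nmap`, `nmap-scripts`, `windows-event-logs`, `microsoft-roguechecker`, `ids` and `prevention` in the later hunks. Either keep explicit ids where the SSG supports them, or add a fragment alias/redirect map for the old short ids before merging.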
@ -29,7 +29,7 @@ Some signs of having a rogue DHCP server on your network are listed below:
- more than usual DHCP traffic
- DHCP traffic from new/unknown IPs
# What is DHCP <a href="#dhcp" id="dhcp">#</a>
# What is DHCP
I won't go into too much detail on how DHCP is. In a nutshell, DHCP stands for Dynamic Host Configuration Protocol and allows automatic assigning of IP addresses to devices and provides more information about the network, like the default gateway, subnet mask, DNS server, NTP server, and more.
@ -62,7 +62,7 @@ The following screenshots show a rough overview of the DORA process. Since this
So, enough theory; let us detect the rouge DHCP server.
# Detecting a rogue DHCP server <a href="#detecting" id="detecting">#</a>
# Detecting a rogue DHCP server
There are various ways to detect a rogue DHCP server. Some work on the client or network level, or both.
@ -70,7 +70,7 @@ In the following sections, we assume that we only have **one legitimate DHCP ser
**Side note**: You can **release the old and request a new IP** on **Windows** via command line `ipconfig /release` and `ipconfig /renew` and on **Linux** with `sudo dhclient -v -r` and `sudo dhclient -v`. Don't forget to specify the interface if you use multiple.
## Packet capture <a href="#packet-capture" id="packet-capture">#</a>
## Packet capture
![DHCP-discover](/images/blog/dhcp-d.png)
@ -80,7 +80,7 @@ You should look for **UDP traffic on ports 67 and 68**. It makes it easier to de
You can find more DHCP display filters for Wireshark in this [post](https://ittavern.com/guide-to-wireshark-display-filters/#dhcp).
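Review bot: the context line keeps a cross-post link, `https://ittavern.com/guide-to-wireshark-display-filters/#dhcp`, which targets exactly the kind of short hand-written id this commit removes. If the Wireshark post is migrated the same way, `#dhcp` will no longer exist there. Since 26 files are touched, the migration should grep all posts for internal links containing `#` fragments and rewrite them to the generated slugs in the same change.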
## Using nmap <a href="#nmap" id="nmap">#</a>
## Using nmap
Scan for IPs that listen on the UDP port 67 in your network:
: `sudo nmap -sU -p 67 -d 10.10.20.0/24`
@ -106,7 +106,7 @@ Final times for host: srtt: 406 rttvar: 3765 to: 100000
This gives you a quick overview of your network.
#### nmap Scripts <a href="#nmap-scripts" id="nmap-scripts">#</a>
#### nmap Scripts
The required NSE script `broadcast-dhcp-discover` should be installed by default together with nmap. More information to the script can be found in the [official documentation](https://nmap.org/nsedoc/scripts/broadcast-dhcp-discover.html).
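Review bot: `#### nmap Scripts` sits directly under the `## Using nmap` parent, so the heading hierarchy skips `###`. With anchors and any table of contents now derived from heading text and level, this is the right moment to change it to `###`; the generated id (`nmap-scripts`) would be unaffected.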
@ -159,7 +159,7 @@ Nmap done: 0 IP addresses (0 hosts up) scanned in 1.23 seconds
For more information about `nmap` visit the [nmap guide](https://ittavern.com/getting-started-with-nmap/) or other `nmap` [posts](https://ittavern.com/tags/nmap/).
## Windows DHCP server event logs <a href="#windows-event-logs" id="windows-event-logs">#</a>
## Windows DHCP server event logs
The following event logs on the authorized Windows DHCP server can indicate a rogue DHCP server on a network.
@ -180,7 +180,7 @@ The source can be found on [microsoft.com](https://learn.microsoft.com/en-us/pre
You can check the logs regularly or add those events to your monitoring solution.
## Microsoft Rogue DHCP Checker <a href="#microsoft-roguechecker" id="microsoft-roguechecker">#</a>
## Microsoft Rogue DHCP Checker
Microsoft provided a tool to detect rogue DHCP servers, but this blog post from 2009 is no longer available. But thanks to archive.org we can find the [blog post](https://web.archive.org/web/20140812200404/http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx) and download the 'RogueChecker' there.
@ -188,17 +188,17 @@ Microsoft provided a tool to detect rogue DHCP servers, but this blog post from
Installed it on Windows 10 and it seems to work.
## Turn off your own DHCP server <a href="#turn-of-legitimate-dhcp-server" id="turn-of-legitimate-dhcp-server">#</a>
## Turn off your own DHCP server
Especially in larger networks, this often enough is not a solution, but I thought it would still be noteworthy. Disable the legitimate DHCP server in some way, release the IP on the client and ask for another IP. You shouldn't get a new legitimate IP address! - In case you receive a new IP address, the chances are high that there is a rogue DHCP server.
You can now check the DHCP server on the client and use other methods to find the rogue DHCP server on your network.
## Intrusion Detection Systems <a href="#ids" id="ids">#</a>
## Intrusion Detection Systems
There are many solutions that cover the detection of rogue DHCP servers, but not all companies have the capacities to maintain such a system. Therefore, we do not need to go into detail, but it is still worth mentioning.
# Preventing actions of a rogue DHCP server <a href="#prevention" id="prevention">#</a>
# Preventing actions of a rogue DHCP server
Detecting is one thing; preventing any damage from a rouge DHCP server is another. This post focuses on detection, but I thought it won't hurt to list some prevention measurements.
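Review bot: the removed id `turn-of-legitimate-dhcp-server` carries a typo (`turn-of`), which is a reason in itself to drop it, but it also means any external link that copied the typo'd fragment cannot be recovered by a generated slug; this hunk changes three headings at once (`turn-of-legitimate-dhcp-server`, `ids`, `prevention`), and `ids` and `prevention` are the shortest ids in the post and the most likely to have been linked from elsewhere, so they deserve the alias treatment most.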