How to find a rogue DHCP server

MJonkers
Level 1

Hi,

Does anyone know how to find such a server? We cannot find any MAC address that's associated with the DHCP server. We tried sniffing, nothing.

We cannot yet use DHCP snooping because of an issue with BOOTP, which we still use besides DHCP.

thx,

Marc

9 Replies

Edison Ortiz
Hall of Fame

If you have Windows XP and obtain an IP address from that rogue DHCP server, the IP address of the DHCP server will be displayed in ipconfig /all at the workstation.

Once you have the IP address, you can go to your Layer3 device and find its MAC Address in the ARP table.

With the MAC Address, you can find what switchport this device is connected to in the switch.

HTH,

__

Edison.
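The IP-to-MAC-to-switchport trail Edison describes can be automated against the output of the two show commands. The script below is an added example, not code from the thread or from Cisco; it assumes Cisco IOS-style `show arp` and `show mac-address-table address <mac>` text (the sample output is constructed), uses 192.168.2.1 as the rogue address from the thread, and also converts the dash-separated MAC format that Windows `arp -a` prints into the dotted form IOS expects.

```python
"""Trace a rogue DHCP server's IP to a switch port from show-command output.

Added example, not part of the forum thread. It assumes Cisco IOS-style
text for `show arp` and `show mac-address-table address <mac>`; the sample
output below is constructed, and 192.168.2.1 is the rogue IP from the thread.
"""
import re
from typing import Optional, Tuple

# Constructed `show arp` output from the Layer 3 switch (not a real capture).
# The 192.168.2.77 entry shows what an unresolved ("Incomplete") host looks like.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.2.1             3   0011.2233.4455  ARPA   Vlan2
Internet  192.168.2.77            0   Incomplete      ARPA
Internet  192.168.2.254           -   0019.aabb.ccdd  ARPA   Vlan2
"""

# Constructed `show mac-address-table address 0011.2233.4455` output.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0011.2233.4455    DYNAMIC     Fa0/7
Total Mac Addresses for this criterion: 1
"""

SP = r"[ \t]+"                                   # never let whitespace span a line break
CISCO_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet" + SP + r"(\S+)" + SP + r"\S+" + SP + CISCO_MAC + SP + "ARPA", re.M | re.I)
MAC_RE = re.compile(r"^[ \t]*(\d+)" + SP + CISCO_MAC + SP + r"\S+" + SP + r"(\S+)", re.M | re.I)


def normalize_mac(mac: str) -> str:
    """Convert 00-11-22-33-44-55 / 00:11:22:33:44:55 (Windows `arp -a`) to Cisco 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_for_ip(arp_output: str, ip: str) -> Optional[str]:
    """Return the Cisco-format MAC for ip, or None if the entry is missing or Incomplete."""
    for addr, mac in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac.lower()
    return None


def port_for_mac(mac_table_output: str, mac: str) -> Optional[Tuple[int, str]]:
    """Return (vlan, port) where the switch learned mac, or None if it is not in the table."""
    wanted = normalize_mac(mac)
    for vlan, learned, port in MAC_RE.findall(mac_table_output):
        if learned.lower() == wanted:
            return int(vlan), port
    return None


def locate_rogue(ip: str, arp_output: str, mac_table_output: str) -> Optional[Tuple[str, int, str]]:
    """Chain the two lookups: IP -> MAC via ARP, then MAC -> (vlan, port) via the MAC table.

    Returns (mac, vlan, port), or None when the trail breaks. It breaks when the
    Layer 3 device is not on that subnet or the host never answered ARP, which is
    the situation the thread describes; then the ARP lookup has to come from a
    host sitting on the same VLAN.
    """
    mac = mac_for_ip(arp_output, ip)
    if mac is None or mac == "0000.0000.0000":
        return None                                  # nothing usable to search the CAM table for
    hit = port_for_mac(mac_table_output, mac)
    if hit is None:
        return None
    vlan, port = hit
    return mac, vlan, port


if __name__ == "__main__":
    print(locate_rogue("192.168.2.1", SHOW_ARP, SHOW_MAC_TABLE))   # ('0011.2233.4455', 2, 'Fa0/7')
    print(locate_rogue("192.168.2.77", SHOW_ARP, SHOW_MAC_TABLE))  # None: ARP entry is Incomplete
```

In practice, paste the real command output into the two strings (or read it from files collected by a script) and call `locate_rogue` with the server address shown by `ipconfig /all`.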

That we tried, using our own laptop in the VLAN. We got an IP address 192.168.2.x with DHCP server 192.168.2.1. This machine is not pingable and the ARP table says nothing about it. No MAC address. That's the strange thing.

The reason could be due to the Layer3 device not being part of that subnet.

And if you have the sniffing software running on the laptop getting the initial IP address, you can't see the MAC address?

Can you ping the DHCP server from the laptop that obtained this IP address? If so, the MAC will be in the laptop's ARP table.

__

Edison.

Sniffing tells us the MAC address is 00:00:00:00:00:00.

Try using IPScan (aka Angry IP). It's a free scanning tool that scans the network using various ways to get equipment to respond. The response should include the MAC address. You can enter just the IP address of the DHCP server or you can do a full range of addresses... Note: This utility is often detected as spyware or a virus on the PC it is installed on because it scans the network. It is not spyware, it is a utility for LAN administrators!

http://www.angryziber.com/w/Home

Hi,

Try telnetting, SSH, HTTP or HTTPS to the rogue device IP from the same VLAN in which you got the IP. Sometimes that can help to find which device is the culprit.

Ullas

Hi Ullas,

Tried that also. It's so strange.

One more solution. Try a continuous ping to the rogue IP from your laptop that got the DHCP IP. Log into the switch to which the laptop is connected and give "show arp | in 192.x.x.x" (the rogue DHCP IP). That will give you the MAC address of the rogue device. Take that MAC, use "show mac-address-table address {mac address}" and try to find the switch port where the device is connected.

Hope that helps

Ullas

We found the machines (2) with a new sniffer action. These machines are running a trojan horse.

http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/

Marc
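The thread's sniffer findings (an offer from 192.168.2.1 carried in frames with an all-zero source MAC) are exactly what an offline DHCP offer checker should flag, since DHCP snooping was not an option here. The script below is an added example, not code from the thread or from Cisco: it parses raw Ethernet/IPv4/UDP/DHCP bytes, extracts the server identifier (option 54) and source MAC from every DHCP OFFER/ACK, and reports anything not in an authorized-server set. The authorized set and both sample frames are constructed for the demo; in practice the frames would come from a packet capture taken on the affected VLAN.

```python
"""Flag DHCP offers from unauthorized servers in captured frames.

Added example, not part of the forum thread. It parses raw Ethernet/IPv4/UDP/
DHCP bytes so it runs offline on constructed frames (in practice, feed it the
frames from a pcap). AUTHORIZED_SERVERS and both sample frames are assumptions
built for the demo; 192.168.2.1 is the rogue address from the thread.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
DHCPOFFER, DHCPACK = 2, 5
AUTHORIZED_SERVERS = {"192.168.2.254"}      # assumption: the site's real DHCP server


def build_offer(src_mac: bytes, server_ip: str, offered_ip: str) -> bytes:
    """Construct an Ethernet+IPv4+UDP+DHCP OFFER frame for the demo (not a real capture)."""
    srv = IPv4Address(server_ip).packed
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,          # BOOTREPLY, Ethernet, hlen 6, xid
                        b"\0" * 4, IPv4Address(offered_ip).packed, srv, b"\0" * 4,
                        bytes.fromhex("aabbccddeeff") + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + srv
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600) + b"\xff")
    dhcp = bootp + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp          # UDP checksum left zero
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         srv, b"\xff" * 4)                               # IP checksum not computed
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip_hdr + udp


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk the DHCP TLV option list: skip PAD (0), stop at END (255)."""
    opts, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        if tag == 255:
            break
        if tag == 0:
            i += 1
            continue
        length = buf[i + 1]
        opts[tag] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


@dataclass
class OfferReport:
    src_mac: str
    src_ip: str
    server_id: Optional[str]
    offered_ip: str
    findings: List[str] = field(default_factory=list)

    @property
    def rogue(self) -> bool:
        return bool(self.findings)


def inspect_frame(frame: bytes, authorized=AUTHORIZED_SERVERS) -> Optional[OfferReport]:
    """Return a report for a DHCP OFFER/ACK sent from server port 67, or None for other traffic."""
    if frame[12:14] != b"\x08\x00":
        return None                                           # not IPv4
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        return None                                           # not UDP
    src_ip = str(IPv4Address(ip[12:16]))
    udp = ip[ihl:]
    sport, _dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    dhcp = udp[8:ulen]
    if sport != 67 or len(dhcp) < 240 or dhcp[236:240] != MAGIC_COOKIE or dhcp[0] != 2:
        return None                                           # not a BOOTREPLY from a DHCP server
    opts = parse_options(dhcp[240:])
    if opts.get(OPT_MSG_TYPE, b"\0")[0] not in (DHCPOFFER, DHCPACK):
        return None
    sid = opts.get(OPT_SERVER_ID)
    server_id = str(IPv4Address(sid)) if sid and len(sid) == 4 else None
    rep = OfferReport(src_mac, src_ip, server_id, str(IPv4Address(dhcp[16:20])))
    if server_id not in authorized:
        rep.findings.append(f"server identifier {server_id} is not an authorized DHCP server")
    if src_mac == "00:00:00:00:00:00":
        rep.findings.append("all-zero source MAC: ARP and MAC-table lookups will not locate this host")
    if server_id and src_ip != server_id:
        rep.findings.append(f"IP source {src_ip} differs from server identifier {server_id}")
    return rep


# Constructed frames: the rogue with a zeroed source MAC (as in the thread) and a normal offer.
ROGUE_FRAME = build_offer(b"\0" * 6, "192.168.2.1", "192.168.2.50")
GOOD_FRAME = build_offer(bytes.fromhex("0019aabbccdd"), "192.168.2.254", "192.168.2.51")

if __name__ == "__main__":
    for f in (ROGUE_FRAME, GOOD_FRAME):
        print(inspect_frame(f))
```

The all-zero MAC check matters because it is the case where the ARP and MAC-table method above stops working: once the capture shows that, the way to the offending host is the sniffer's own capture point and the switch port it is on, not an address lookup.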
