Problems Detecting Rogue DHCP Servers on Linux, not on Windows
Filed Under Computers & Tech on December 20, 2006 at 4:17 pm
I am by no means shy about pointing out problems with Windows on this blog, but I do try to be objective in my criticism. Today I have the rare pleasure of sharing a Windows command-line tool that I haven't been able to find an equal to on Red Hat Enterprise Linux (RHEL) 4. A few weeks ago a rogue DHCP server caused us some serious problems at work, so I was asked to find a simple tool for detecting rogue servers. In theory there are loads of tools for this on Linux, but after having tried everything Google was able to find for me (an entire day's work) I'd still drawn a blank. Everything I tried insisted that our main DHCP server did not exist. What's more, tcpdump showed responses from the DHCP server arriving at the machine, but all the tools insisted they got no reply regardless. In my search I did come across dhcploc.exe, a small Microsoft command-line tool that ships on the install CD of Windows 2000, XP and Server 2003 as part of the Support Tools. Granted, it's not part of the default install, but it is on the CD nonetheless and, more importantly, it works!
To install dhcploc.exe you have to install the Support Tools, which you have to look for on your Windows CD (the SUPPORT\TOOLS folder). Once you have this installed you can set it looking for rogue servers with the following command, giving it the IP address of the machine it is running on and, optionally, the addresses of the DHCP servers you know to be legitimate:

dhcploc <your IP address> [authorised DHCP server IP addresses]

dhcploc.exe will then run continually and display every DHCP response it sees, beeping each time a response arrives from a server that is not in the authorised list. You can also get it to show you only rogue traffic with the -p flag.
It's rare that Windows has more powerful command-line tools than Linux, but when it comes to detecting rogue DHCP servers Windows has it nailed with this simple tool that just works! I just hope this tool still exists in Vista!
Update 21 December 2006
I have finally found a tool that works on RHEL and Debian (and probably every other Linux distribution). It's a Perl module and accompanying script which can optionally be run as a daemon and be set up to email you each time it finds a rogue server. It's called RogueDetect and is GPL. I have tested version 0.4Alpha2. I've also used this code as the basis for a Nagios plugin, the code for which I'll be releasing over the next few days on this blog.
Good post, Bart. Nice to see that Windows has some decent commands relating to standard internet protocols. In the longer term, you could have a permanent method of spotting rogue DHCP servers. I found a rule for Snort:
#
# DHCP Servers
#
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "possible rogue DHCP Server"; sid:1000001;)
I know you use Nagios; I don't know if there's a plugin for that yet.
Thanks for that, Phil. I gave your suggestion a go and it would definitely work, except that it returns quite a few false positives. However, it gave me the inspiration to try again and I finally found a Perl script that actually works, and then spent the afternoon moulding it into a Nagios plugin that I just got working a few minutes ago. I'll do up a blog post about it tomorrow with the code for my Nagios plugin, since it's a hacked version of a GPL script.
Hi.
Reading this: http://www.windowsecurity.com/articles/DHCP-Security-Part2.html
I found DHCP Probe:
http://www.net.princeton.edu/software/dhcp_probe/
Regards.
I recently experienced a rogue dhcp problem started by a virus. The problem I think I would have with DHCPLOC.EXE is that it identifies good or bad servers based on IP number. This malware spoofed the IP number of our valid DHCP server. I was hoping there would be a tool (Windows) that would identify a valid server using the mac address of the dhcp helper in each segment.
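The check that dhcploc performs (compare the answering server's IP address against an allow list) and the weakness the comment above describes (a rogue that spoofs the legitimate server's IP), as an added Python example that is not the post's code, dhcploc, RogueDetect or the author's Nagios plugin: it parses captured DHCP replies from raw Ethernet frames and flags both replies from unknown server addresses and replies that carry a known address but arrive from the wrong MAC. The authorised server address, its MAC and the sample frames are all constructed for the example; on a real network the frames would come from a pcap or a raw socket on the segment.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCP_SERVER_PORT, DHCP_MAGIC = 67, b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass(frozen=True)
class DhcpReply:
    src_mac: str              # Ethernet source; an IP-spoofing rogue still gets this wrong
    src_ip: str               # IP source; what dhcploc and the Snort rule compare
    server_id: Optional[str]  # option 54, the address the server claims to be
    msg_type: Optional[int]   # option 53: 2 = OFFER, 5 = ACK, 6 = NAK
    yiaddr: str               # the address being handed out


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area after the magic cookie; stop at END or truncation."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            break
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts


def parse_dhcp_reply(frame: bytes) -> Optional[DhcpReply]:
    """Return a DhcpReply for an Ethernet/IPv4/UDP BOOTREPLY sent from port 67, else None."""
    if len(frame) < 14 + 20 + 8 + 240:
        return None
    _, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    if ethertype != 0x0800 or ip[9] != 17:          # IPv4 carrying UDP only
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]                   # skip the IP header (IHL in 32-bit words)
    dhcp = udp[8:]
    if struct.unpack("!H", udp[:2])[0] != DHCP_SERVER_PORT or len(dhcp) < 240:
        return None
    if dhcp[0] != BOOTREPLY or dhcp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_options(dhcp[240:])
    sid, mtype = opts.get(OPT_SERVER_ID), opts.get(OPT_MSG_TYPE)
    return DhcpReply(
        src_mac=":".join(f"{b:02x}" for b in src_mac),
        src_ip=socket.inet_ntoa(ip[12:16]),
        server_id=socket.inet_ntoa(sid) if sid and len(sid) == 4 else None,
        msg_type=mtype[0] if mtype else None,
        yiaddr=socket.inet_ntoa(dhcp[16:20]),
    )


def find_rogues(frames: List[bytes], authorized: Dict[str, str]) -> List[Tuple[DhcpReply, str]]:
    """authorized maps each legitimate server IP to the MAC it answers from.
    A reply is rogue if its source IP or claimed server identifier is not an
    authorized server, or if it is but the frame came from a different MAC."""
    rogues = []
    for reply in filter(None, map(parse_dhcp_reply, frames)):
        claims = [reply.src_ip] + ([reply.server_id] if reply.server_id not in (None, reply.src_ip) else [])
        for claimed in claims:
            expected = authorized.get(claimed)
            if expected is None:
                rogues.append((reply, f"unknown DHCP server {claimed}"))
                break
            if expected.lower() != reply.src_mac:
                rogues.append((reply, f"{claimed} spoofed from MAC {reply.src_mac}"))
                break
    return rogues


def build_dhcp_frame(src_mac: str, src_ip: str, yiaddr: str, server_id: str,
                     msg_type: int = 2, op: int = BOOTREPLY, sport: int = DHCP_SERVER_PORT) -> bytes:
    """Construct a broadcast Ethernet/IPv4/UDP/DHCP frame for the sample (checksums left zero)."""
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + socket.inet_aton(server_id) + bytes([OPT_END])
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", op, 1, 6, 0, 0x3903F326, 0, 0x8000, b"\0" * 4,
                       socket.inet_aton(yiaddr), socket.inet_aton(server_id), b"\0" * 4,
                       b"\0" * 16, b"\0" * 64, b"\0" * 128, DHCP_MAGIC) + opts
    udp = struct.pack("!HHHH", sport, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("255.255.255.255")) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


# Assumed legitimate server and the MAC it answers from (made-up values for the example).
AUTHORIZED = {"192.0.2.1": "00:00:5e:00:53:01"}

# Constructed traffic: a good OFFER, a client DISCOVER (must be ignored), an OFFER
# from an unknown server, and an OFFER that spoofs the real server's IP address.
SAMPLE_FRAMES = [
    build_dhcp_frame("00:00:5e:00:53:01", "192.0.2.1", "192.0.2.50", "192.0.2.1"),
    build_dhcp_frame("00:00:5e:00:53:10", "0.0.0.0", "0.0.0.0", "192.0.2.1", 1, BOOTREQUEST, 68),
    build_dhcp_frame("00:00:5e:00:53:aa", "192.0.2.200", "10.0.0.9", "192.0.2.200"),
    build_dhcp_frame("00:00:5e:00:53:bb", "192.0.2.1", "10.0.0.9", "192.0.2.1"),
]

if __name__ == "__main__":
    for reply, reason in find_rogues(SAMPLE_FRAMES, AUTHORIZED):
        print(f"ROGUE: {reason}; offered {reply.yiaddr}, DHCP message type {reply.msg_type}")
```

Run as a script it reports the two rogue OFFERs and stays silent about the legitimate one and the client DISCOVER. One caveat when deploying a passive listener like this: a server may unicast its OFFER to the requesting client's MAC instead of broadcasting it, so a sniffer on a different host will not see every reply. Run the check on the host that sent the DISCOVER, or on a mirror port, and treat a MAC mismatch as a strong signal only where no DHCP relay sits between the server and the listener, since a relay rewrites the Ethernet source.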
After searching the web for days I found nothing satisfying. But now I have got an easy solution:
dhcping -s 255.255.255.255 -r -v
Hi,
Are you still supporting this?
I cannot find DHCPDetect.pm and OUI.pm,
and this link does not work:
https://roguedetect.bountysource.com/
Cheers!
Anthony – I can’t “still” support something I never actually supported. All I did was link to a tool, why assume I am somehow responsible for it?
Anyhow – two seconds of googling found a copy of RogueDetect: http://freecode.com/projects/roguedetect