[unisog] Rogue DHCP and nmap
nelson at clunix.cl.msu.edu
Tue Apr 23 21:36:19 GMT 2002
> We had some fun tracking a rogue DHCP server down and did a nmap
> on our subnet for UDP port 67. We ended up 2-3 computers but only 1 of
> them was actually the culprit. Does anyone have experience with this?
> Aside from the false positives, we believe that this is a pretty effective
> way of remotely looking for a rogue DHCP server and will probably use it
> in the future since it beats plugging something into the subnet and
> logging. Comments?
My usual approach with rogue DHCP is to enlist the help of the victims.
From an affected computer, you can easily get the DHCP server's IP
address, and from that you can normally obtain the Ethernet address. In
most cases, I can then consult my Ethernet/IP database and find a match.
Failing that, it's a matter of tracing the Ethernet address to a switch
Our Student Network Support staff is pretty adept at walking users
through these steps and communicating back with my group.
Doug Nelson nelson at msu.edu
Network Manager Ph: (517) 353-2980
Computer Laboratory http://www.msu.edu/~nelson/
Michigan State University
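
Added example, not part of the original post or of any MSU tooling: a Python sketch of the victim-side lookup described in the reply above. It reads the server identifier (option 54) from a DHCP reply, checks it against the sanctioned servers, and resolves the server's Ethernet address against an inventory. The addresses, the ARP cache, the inventory record and the helper names are all constructed assumptions.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
# Constructed sample data (assumptions, not from the original post):
AUTHORIZED = {"10.0.0.2"}                             # sanctioned DHCP servers
ARP_CACHE = {"10.0.0.77": "00:11:22:33:44:55"}        # victim's IP -> Ethernet address view
INVENTORY = {"00:11:22:33:44:55": "dorm-3 room 214"}  # Ethernet/IP database

def parse_options(payload):
    """Return {option code: value bytes} from a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def triage(payload):
    """Return a finding for a reply from an unsanctioned server, else None."""
    opts = parse_options(payload)
    server_id = opts.get(54)                          # option 54 = server identifier
    if payload[0] != 2 or server_id is None or len(server_id) != 4:
        return None                                   # not a BOOTREPLY naming its server
    ip = socket.inet_ntoa(server_id)
    if ip in AUTHORIZED:
        return None
    mac = ARP_CACHE.get(ip)
    owner = INVENTORY.get(mac, "no match: trace the Ethernet address to a switch")
    return {"server_ip": ip, "mac": mac, "owner": owner}

def build_reply(server_ip):
    """Constructed DHCPOFFER payload: zeroed BOOTP header plus options 53 and 54."""
    header = bytes([2, 1, 6, 0]) + bytes(232)         # op=BOOTREPLY, htype=Ethernet, hlen=6
    return header + MAGIC + b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server_ip) + b"\xff"

if __name__ == "__main__":
    for ip in ("10.0.0.2", "10.0.0.77"):
        print(ip, triage(build_reply(ip)))
```
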