[unisog] Rogue DHCP and nmap

Doug Nelson nelson at clunix.cl.msu.edu
Tue Apr 23 21:36:19 GMT 2002


> Hi,
>         We had some fun tracking a rogue DHCP server down and did an nmap
> on our subnet for UDP port 67. We ended up with 2-3 computers but only 1 of
> them was actually the culprit. Does anyone have experience with this?
> 
> Aside from the false positives, we believe that this is a pretty effective
> way of remotely looking for a rogue DHCP server and will probably use it
> in the future since it beats plugging something into the subnet and
> logging. Comments?

My usual approach with rogue DHCP is to enlist the help of the victims.
From an affected computer, you can easily get the DHCP server's IP
address, and from that you can normally obtain the Ethernet address.  In
most cases, I can then consult my Ethernet/IP database and find a match.
Failing that, it's a matter of tracing the Ethernet address to a switch
and port.

Our Student Network Support staff is pretty adept at walking users
through these steps and communicating back with my group.

Doug Nelson			nelson at msu.edu
Network Manager			Ph: (517) 353-2980
Computer Laboratory		http://www.msu.edu/~nelson/
Michigan State University
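The victim-side triage the reply describes (read the DHCP server identifier from the client's lease, resolve it to an Ethernet address from the client's ARP cache, then match that address against the Ethernet/IP inventory), as an added example that is not part of the original post. The lease excerpt, `ip neigh` output and inventory below are constructed sample data, and the set of authorized DHCP servers is an assumption.

```python
"""Correlate a victim's DHCP lease with its ARP cache and a host inventory
to locate a rogue DHCP server. Sample inputs are constructed; the formats
mimic ISC dhclient.leases and the output of `ip neigh` on Linux."""
import re

# Constructed dhclient.leases excerpt from an affected client
LEASES = """lease {
  interface "eth0";
  fixed-address 10.10.5.77;
  option subnet-mask 255.255.255.0;
  option routers 10.10.5.1;
  option dhcp-server-identifier 10.10.5.240;
  renew 1 2002/04/23 22:10:00;
}
"""

# Constructed `ip neigh` output captured on the same client
NEIGH = """10.10.5.1 dev eth0 lladdr 00:a0:c9:12:34:56 REACHABLE
10.10.5.240 dev eth0 lladdr 00:50:56:ab:cd:ef STALE
10.10.5.9 dev eth0 FAILED
"""

# Assumption: the site's legitimate DHCP server(s)
AUTHORIZED_SERVERS = {"10.10.5.1"}

# Constructed Ethernet/IP inventory, as a network group would keep it
INVENTORY = {
    "00:a0:c9:12:34:56": "core-router-1 / switch sw-5 port 1",
    "00:50:56:ab:cd:ef": "dorm lab pc-17 / switch sw-5 port 23",
}

def server_identifiers(leases_text):
    """Return the set of DHCP server IPs recorded in a dhclient.leases file."""
    return set(re.findall(r"option dhcp-server-identifier (\S+);", leases_text))

def mac_for_ip(neigh_text, ip):
    """Look up an IP in `ip neigh` output; None if the entry never resolved."""
    for line in neigh_text.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and "lladdr" in fields:
            return fields[fields.index("lladdr") + 1]
    return None

def find_rogue_servers(leases_text, neigh_text, authorized, inventory):
    """Flag lease servers outside the authorized set, with MAC and location."""
    findings = []
    for ip in sorted(server_identifiers(leases_text) - authorized):
        mac = mac_for_ip(neigh_text, ip)
        location = inventory.get(mac, "not in inventory: trace MAC to a switch port")
        findings.append({"ip": ip, "mac": mac, "location": location})
    return findings

if __name__ == "__main__":
    for f in find_rogue_servers(LEASES, NEIGH, AUTHORIZED_SERVERS, INVENTORY):
        print(f"rogue DHCP server {f['ip']} mac={f['mac']} -> {f['location']}")
```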
