[unisog] Rogue DHCP and nmap

Daxter Gulje dgulje at housing.ucsb.edu
Wed Apr 24 15:18:50 GMT 2002


	I checked this out as a way of trolling for dhcp servers, and my results were somewhat similar to yours, except that I had more like a 70% accuracy rate.  I found switches and printers giving false positives frequently, and most common was 98/ME machines that were running Windows ICS.
	If someone is actively taking down part of your network, however, the 'arp -a' command from the prompt is by far the easiest method to identify the offending server.

/Dax
__________________________________________
Daxter Gulje
Assistant ResNet Coordinator
University of California, Santa Barbara
805.893.4747

-----Original Message-----
From: Allen Chang [mailto:allen at rescomp.berkeley.edu]
Sent: Tuesday, April 23, 2002 2:20 PM
To: unisog at sans.org
Subject: [unisog] Rogue DHCP and nmap


Hi,
        We had some fun tracking a rogue DHCP server down and did an nmap
on our subnet for UDP port 67. We ended up with 2-3 computers but only 1 of
them was actually the culprit. Does anyone have experience with this?

Aside from the false positives, we believe that this is a pretty effective
way of remotely looking for a rogue DHCP server and will probably use it
in the future since it beats plugging something into the subnet and
logging. Comments?

@llen
Network Security
Office of Residential Computing
UC Berkeley
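Both posts are really after the same thing: a way to confirm, from the network rather than from a port list, which hosts are actually handing out leases. A UDP scan of port 67 cannot do that on its own, since nmap reports a UDP port as open|filtered whenever nothing comes back, which is why switches, printers and anything that silently drops the probe show up alongside the real server. The check below is an added example, not code from either poster: it broadcasts a DHCPDISCOVER, parses every DHCPOFFER that comes back, and reports each responding server's identifier (option 54) so the unknown ones can be chased down in the ARP table. The addresses, MAC, allowlist and the two embedded offers are constructed for the example; `probe()` is the live version and needs root and a foothold on the subnet being checked.

```python
"""Active rogue-DHCP check: broadcast a DHCPDISCOVER and record every DHCPOFFER.
Hypothetical example; the addresses, MAC and allowlist below are made up."""
import os
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                       # RFC 2131 options cookie
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 53, 54, 55, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)               # 236 bytes; cookie follows
ZERO4 = b"\0" * 4

def build_message(op, xid, mac, options, yiaddr=ZERO4, siaddr=ZERO4):
    """Fixed BOOTP header + cookie + options + END. Flags=0x8000 (broadcast) so a
    server replies to 255.255.255.255 rather than to an address we do not hold."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         ZERO4, yiaddr, siaddr, ZERO4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + options + bytes([OPT_END])

def build_discover(mac, xid):
    """BOOTREQUEST carrying option 53=DISCOVER and a parameter request list."""
    return build_message(1, xid, mac,
                         bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_PARAM_REQ, 3, 1, 3, 6]))

def build_offer(xid, server_ip, offered_ip, mac):
    """BOOTREPLY carrying 53=OFFER and 54=server identifier; only used for the sample."""
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    return build_message(2, xid, mac, opts, yiaddr=socket.inet_aton(offered_ip),
                         siaddr=socket.inet_aton(server_ip))

def parse_options(data):
    """Decode the TLV option area into {code: raw value}; stop at END or truncation."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                               # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            break
        length, value = data[i + 1], data[i + 2:i + 2 + data[i + 1]]
        if len(value) != length:                       # option runs past the packet
            break
        opts[data[i]] = value
        i += 2 + length
    return opts

def parse_offer(packet, xid):
    """Return (server_id, offered_ip) if packet is a DHCPOFFER answering our xid, else None.
    The server identifier (option 54) is the address to look up in ARP/MAC tables."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        return None
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    op, pkt_xid, yiaddr = fields[0], fields[4], fields[8]
    if op != 2 or pkt_xid != xid:                      # not a reply, or not to our probe
        return None
    opts = parse_options(packet[HEADER_LEN + 4:])
    server_id = opts.get(OPT_SERVER_ID)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or server_id is None or len(server_id) != 4:
        return None
    return socket.inet_ntoa(server_id), socket.inet_ntoa(yiaddr)

def classify_offers(offers, known_servers):
    """Split (server_id, offered_ip) pairs into (known, rogue) by server identifier."""
    known = set(known_servers)
    return [o for o in offers if o[0] in known], [o for o in offers if o[0] not in known]

def probe(known_servers, timeout=3.0, bind_ip="0.0.0.0"):
    """Live check: one DISCOVER, collect offers until timeout. Root and a host on the subnet required."""
    xid = struct.unpack("!I", os.urandom(4))[0]
    mac = b"\x02" + os.urandom(5)                      # random locally administered MAC
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind((bind_ip, 68))
    sock.settimeout(timeout)
    sock.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers = []
    try:
        while True:                                    # keep reading: a rogue answers beside the real server
            parsed = parse_offer(sock.recvfrom(2048)[0], xid)
            if parsed and parsed not in offers:
                offers.append(parsed)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return classify_offers(offers, known_servers)

# Constructed sample, not captured traffic: the real server 10.0.0.1 and a rogue box
# 10.0.0.250 both answer one DISCOVER, which is the situation the thread describes.
SAMPLE_XID = 0x3903F326
SAMPLE_MAC = b"\x02\x00\x00\x00\x00\x01"
SAMPLE_OFFERS = [build_offer(SAMPLE_XID, "10.0.0.1", "10.0.0.42", SAMPLE_MAC),
                 build_offer(SAMPLE_XID, "10.0.0.250", "10.0.0.77", SAMPLE_MAC)]
KNOWN, ROGUE = classify_offers([parse_offer(p, SAMPLE_XID) for p in SAMPLE_OFFERS], ["10.0.0.1"])
```

The point of keeping the socket open until the timeout rather than stopping at the first offer is that a rogue server answers in parallel with the real one; whichever answers first wins the client, but the check wants the full list. The server identifier it returns is what to feed to `arp -a` or the switch's MAC table to find the port. Newer nmap releases ship a `broadcast-dhcp-discover` NSE script that performs the same exchange, which is a better fit for this job than `-sU -p 67` on its own.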


