[unisog] Rogue DHCP and nmap

Daxter Gulje dgulje at housing.ucsb.edu
Wed Apr 24 15:18:50 GMT 2002

I checked this out as a way of trolling for dhcp servers, and my results were somewhat similar to yours, except that I had more like a 70% accuracy rate.  I found switches and printers giving false positives frequently, and most common was 98/ME machines that were running Windows ICS.
If someone is actively taking down part of your network, however, the 'arp -a' command from the prompt is by far the easiest method to identify the offending server.

Daxter Gulje
Assistant ResNet Coordinator
University of California, Santa Barbara

-----Original Message-----
From: Allen Chang [mailto:allen at rescomp.berkeley.edu]
Sent: Tuesday, April 23, 2002 2:20 PM
To: unisog at sans.org
Subject: [unisog] Rogue DHCP and nmap

We had some fun tracking a rogue DHCP server down and did an nmap
on our subnet for UDP port 67. We ended up with 2-3 computers but only 1 of
them was actually the culprit. Does anyone have experience with this?

Aside from the false positives, we believe that this is a pretty effective
way of remotely looking for a rogue DHCP server and will probably use it
in the future since it beats plugging something into the subnet and
logging. Comments?

Network Security
Office of Residential Computing
UC Berkeley
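As an added example, not code from either poster: a small Python check that parses a DHCPOFFER and flags it when the server identifier (option 54) is not one of the known DHCP servers on the subnet. The authorized address, the sample packet builder, and the helper names are all constructed for this illustration.

```python
import ipaddress
from typing import Optional

# Known-good DHCP servers on this subnet (constructed example value).
AUTHORIZED_SERVERS = {"10.0.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # marks the start of DHCP options in BOOTP


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from the options field of a BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad option, single byte
            i += 1
            continue
        if code == 255:      # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option body")
        opts[code] = value
        i += 2 + length
    return opts


def offer_server(payload: bytes) -> Optional[str]:
    """Return the server identifier of a DHCPOFFER, or None if it is not an offer."""
    opts = parse_dhcp_options(payload)
    if opts.get(53) != b"\x02":   # option 53 message type: 2 = DHCPOFFER
        return None
    sid = opts.get(54)
    if sid is None or len(sid) != 4:
        return None
    return str(ipaddress.IPv4Address(sid))


def is_rogue_offer(payload: bytes, authorized=AUTHORIZED_SERVERS) -> bool:
    """True when an offer comes from a server outside the allowlist."""
    server = offer_server(payload)
    return server is not None and server not in authorized


def build_reply(server_ip: str, msg_type: int = 2) -> bytes:
    """Constructed minimal BOOTREPLY used as sample input; not a captured packet."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY, rest zeroed
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return header + DHCP_MAGIC + opts
```

Fed with offers captured on the subnet, this flags exactly the offers whose server identifier is not on the allowlist, which cuts out the printers and switches that answer a bare port scan.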
