[unisog] Rogue DHCP and nmap
dgulje at housing.ucsb.edu
Wed Apr 24 15:18:50 GMT 2002
I checked this out as a way of trolling for dhcp servers, and my results were somewhat similar to yours, except that I had more like a 70% accuracy rate. I found switches and printers giving false positives frequently, and most common was 98/ME machines that were running Windows ICS.
If someone is actively taking down part of your network, however, the 'arp -a' command from the prompt is by far the easiest method to identify the offending server.
Assistant ResNet Coordinator
University of California, Santa Barbara
From: Allen Chang [mailto:allen at rescomp.berkeley.edu]
Sent: Tuesday, April 23, 2002 2:20 PM
To: unisog at sans.org
Subject: [unisog] Rogue DHCP and nmap
We had some fun tracking a rogue DHCP server down and did an nmap
on our subnet for UDP port 67. We ended up with 2-3 computers but only 1 of
them was actually the culprit. Does anyone have experience with this?
Aside from the false positives, we believe that this is a pretty effective
way of remotely looking for a rogue DHCP server and will probably use it
in the future since it beats plugging something into the subnet and
Office of Residential Computing
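Added example, not code from either message in this thread. Rather than inferring DHCP servers from nmap's open|filtered verdict on UDP 67, it broadcasts a real DHCPDISCOVER and lists only hosts that actually answer with a DHCPOFFER, so a switch or printer that merely holds port 67 open drops out and whatever is handing out leases is left, with the server identifier to look up in 'arp -a'. It assumes only the Python 3 standard library and enough privilege to bind UDP port 68 on the segment being checked.

```python
# Added example (not code from the unisog thread): rather than infer DHCP servers from an
# nmap UDP/67 scan, broadcast a real DHCPDISCOVER and record who answers with a DHCPOFFER.
# Hosts that merely keep port 67 open never send an OFFER; every responder hands out leases.
import os, socket, struct

DHCPDISCOVER, DHCPOFFER, MAGIC = 1, 2, b"\x63\x82\x53\x63"  # RFC 2131 message types, options cookie

def build_discover(xid: int, mac: bytes) -> bytes:
    """RFC 2131 BOOTREQUEST (236-byte header) + cookie + DHCPDISCOVER option."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,  # op, htype, hlen, hops, xid, secs, broadcast flag
                      b"", b"", b"", b"", mac, b"", b"")  # ciaddr..giaddr, chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, DHCPDISCOVER, 255])  # message type, end

def parse_offer(data: bytes, xid: int):
    """Return (offered_ip, server_id) if data is a DHCPOFFER for our xid, else None."""
    if (len(data) < 240 or data[0] != 2 or data[236:240] != MAGIC  # BOOTREPLY with cookie
            or struct.unpack("!I", data[4:8])[0] != xid):
        return None
    yiaddr, opts, i, msg_type, server_id = socket.inet_ntoa(data[16:20]), data[240:], 0, None, None
    while i + 1 < len(opts) and opts[i] != 255:  # 255 = end option
        if opts[i] == 0:  # pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and value:
            msg_type = value[0]
        elif code == 54 and len(value) == 4:
            server_id = socket.inet_ntoa(value)  # server identifier
        i += 2 + length
    return (yiaddr, server_id) if msg_type == DHCPOFFER else None

def discover_servers(timeout: float = 3.0) -> dict:
    """Map server-id -> offered IP for every DHCPOFFER heard on the local segment."""
    xid, mac, found = struct.unpack("!I", os.urandom(4))[0], os.urandom(6), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.bind(("", 68))  # replies come to client port 68; binding it needs root/admin
        s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
        try:
            while True:  # keep listening until timeout so every server on the wire shows up
                data, (src, _) = s.recvfrom(1500)
                offer = parse_offer(data, xid)
                if offer:
                    found[offer[1] or src] = offer[0]
        except socket.timeout: pass
    return found
```

Run discover_servers() on the affected segment; any server-id other than your own DHCP server is the one to chase down via 'arp -a'.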