Microsoft Windows DHCP Team Blog

The world's most deployed DHCP Server! Deploy and discuss about your fav. server, here!

Rogue DHCP Server detection

Rogue DHCP Server detection

  • Comments 20
  • Likes

Overview

Rogue DHCP servers are those DHCP servers that are misconfigured or unauthorized unknowingly or those that are configured with a malicious intent for network attacks. Either be the case the impact on clients that are serviced by the rogue DHCP servers are critical. That is the clients would experience network access problems due to rogue DHCP server leasing incorrect IP addresses & incorrect options to the client. Security threats are caused when malicious user with rogue DHCP server can spread bad network parameters and thereby sniff the traffic sent by the clients. There are also certain Trojans like DNS-changing that uses a compromised machine in the network to pollute the network by installing rogue DHCP servers on the machine.

Rogue detection tool is a GUI tool that checks if there are any rogue DHCP servers in the local subnet.

Following are the features with this tool:

1.     The tool can be run one time or can be scheduled to run at specified interval.

2.     Can be run on a specified interface by selecting one of the discovered interfaces.

3.     Retrieves all the authorized DHCP servers in the forest and displays them.

4.     Ability to validate (not Authorize in AD) a DHCP server which is not rogue and persist this information

5.     Minimize the tool, which makes it invisible. A tray icon will be present which would display the status.

Thanks,

Subhash Badri

DHCP Server Team

Attachment: RogueChecker.zip
Comments
  • Usage:

    Double click on the tool or launch the excutable from the command prompt.

    The tool on startup will query the AD and populates the authorized DHCP server.

    Thanks,

    Subhash Badri

  • Thanks for this, it looks useful. Are there any plans to add IPv6 support?

  • Yes, there are plans to add IPv6 support as well, but not immediately.

    Thanks,

    Subhash Badri

  • So does this tool have the basic functionality of the "DHCP" snap in that comes in the "Adminpak" for Active Directory, or

    The tool can also find non-AD dchp servers?

  • Yes, this tool finds DHCP servers in the subnet which are not authorized by the AD (I hope this is what you meant by non-AD dhcp servers).

    Thanks,

    Subhash Badri

  • I got a number of rogue servers detected 1 message, what do I do now.

  • It would have filled the "Discovered DHCP servers in the subnet" grid box with the DHCP server details. If the tool poped up a dialog for access permission for opening a port (First time), then there are chances that grid is not populated, please re-run the tool in that case.

    Once you get some details about the rogue dhcp server, find out if the discovered DHCP server is really a rogue in which case find out the server machine which is running the DHCP service and stop the DHCP service on that server.

    If this DHCP server for some reason is not a rogue (in test purposes) then click on the checkbox, which will tell the tool not to report this server as rogue in future discovers.

    Thanks,

    Subhash Badri

  • I am trying to run this on one of our servers, and we keep getting "Interface: 10.10.1.1:68 is used by DHCP client for DHCP operation and cannot be used by Rogue detection tool Configure the static IPv4 address for this interface, stop DHCP client and restart the application."

    The server I am trying to run this on has a static IP, and the DHCP client turned off.

  • Matt,

    Please run netstat -aon to see which process is having an exclusive lock on port 68. Generally it would be dhcp client.

    Dhcp client has a dependency on "WinHTTP Web Proxy Auto-Discovery Service". If you just stop the dhcp client it is restarted becuase of the dependency. First you have to disable "WinHTTP Web Proxy Auto-Discovery Service" and then stop the dhcp client.

    steps:

    1. Open services.msc

    2. Right click on "WinHTTP Web Proxy Auto-Discovery Service"

    3. click on the properties, select the statu type as disabled and click OK.

    4. stop the dhcp service by right clicking on "DHCP client" and click stop in services.msc, else use "net stop dhcp"

    5. Run the tool and it should work fine.

    Thanks,

    Subhash Badri

  • Nice tool, it's even useful if you are not using Windows Server for DHCP, which is my case.

  • Love this tool! As a feature request for future ones, it would be great to see the MAC of the rogue DHCP server. When we get one on our network it's usually an invalid network IP and it becomes difficult to find so we run it in conjunction with a network capture to find the MAC and then search our switches to find the intruding port.

  • Thank you,

    Excelent tool !!

    However i would like to save settings that i choose.

    For example i would like to save my interval time.

    It would be very nice if tool could be launched automatically and automatically listen for Rogue DHCP servers of specific time interval that user saved not that user has to click on the "Detect Rogue Servers" button and set frequency interval every time program starts.

    Matt: You must disable DHCP server on that machine, as it runs on ports 68,67.

  • Excellent indeed!

  • Thanks for this, I work at a Helpdesk and users are all the time plugging in non-approved routers into the network - and this helps pin point that it is a DHCP Issue!

    Thanks Subhash, and the DHCP Team!  :-)

  • Thank you! This is an excellent tool just looking to see the MAC address of the rogue DHCP server as a future feature if at all possible.  Hope to hearing from you in this regards.

    Thank you again!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment