
Microsoft Windows DHCP Team Blog

The world's most deployed DHCP Server! Deploy and discuss about your fav. server, here!
Rogue DHCP Server detection

Overview

Rogue DHCP servers are DHCP servers that are misconfigured or running without authorization, whether unknowingly or with malicious intent to attack the network. In either case the impact on the clients serviced by the rogue DHCP server is critical: those clients experience network access problems because the rogue server leases them incorrect IP addresses and incorrect options. The security threat arises when a malicious user operating a rogue DHCP server spreads bad network parameters and thereby sniffs the traffic sent by the clients. There are also Trojans, such as DNS-changing malware, that use a compromised machine in the network to pollute the network by installing a rogue DHCP server on that machine.

The rogue detection tool is a GUI tool that checks whether any rogue DHCP servers are present in the local subnet.

The tool has the following features:

1. The tool can be run once or scheduled to run at a specified interval.

2. It can be run on a specified interface, selected from the discovered interfaces.

3. It retrieves all the authorized DHCP servers in the forest and displays them.

4. It can validate (without authorizing it in AD) a DHCP server that is not rogue and persist this information.

5. The tool can be minimized, which makes it invisible; a tray icon remains and displays the status.
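As an added illustration of the detection logic the tool automates (example code, not the RogueChecker tool's own source): parse the DHCPOFFER replies that come back after a broadcast DHCPDISCOVER and flag any whose server identifier (option 54) is absent from the authorized list. The authorized set and the sample offers are constructed values, not anything from the original post.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that starts the option area
AUTHORIZED_SERVERS = {"10.10.1.5"}    # constructed stand-in for the AD-authorized server list


def parse_dhcp(payload):
    """Split a DHCP message into its fixed BOOTP header fields and a {code: value} option map."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    header = {"op": op, "xid": xid,
              "yiaddr": socket.inet_ntoa(payload[16:20]),   # address being offered
              "siaddr": socket.inet_ntoa(payload[20:24])}   # next-server, fallback identity
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")   # never trust a length that overruns the buffer
        opts[code] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return header, opts


def classify_offer(payload, authorized):
    """Return the offer's key parameters plus a rogue verdict, or None if it is not a DHCPOFFER."""
    header, opts = parse_dhcp(payload)
    if header["op"] != 2 or opts.get(53) != b"\x02":   # op=BOOTREPLY and message type OFFER
        return None
    server = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else header["siaddr"]
    dns = opts.get(6, b"")
    return {"server": server, "offered_ip": header["yiaddr"],
            "router": socket.inet_ntoa(opts[3][:4]) if len(opts.get(3, b"")) >= 4 else None,
            "dns": [socket.inet_ntoa(dns[k:k + 4]) for k in range(0, len(dns) - 3, 4)],
            "rogue": server not in authorized}   # unknown server identifier => rogue


def build_offer(xid, server, yiaddr, router, dns):
    """Construct a sample DHCPOFFER for testing; a real run would capture these off the wire."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 4      # op=2, ethernet, ciaddr=0
    hdr += socket.inet_aton(yiaddr) + socket.inet_aton(server) + b"\x00" * 212  # giaddr/chaddr/sname/file
    dns_b = b"".join(socket.inet_aton(d) for d in dns)
    opts = (b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server) + b"\x03\x04" + socket.inet_aton(router)
            + b"\x06" + bytes([len(dns_b)]) + dns_b + b"\xff")
    return hdr + MAGIC_COOKIE + opts
```

The server identifier is only the address the server claims for itself; the sender's MAC lives in the Ethernet frame, not the DHCP payload, so a detector built on the UDP socket alone cannot report it without a frame-level capture.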

Thanks,

Subhash Badri

DHCP Server Team

Posted: Friday, July 03, 2009 12:58 PM by teamdhcp

Attachment(s): RogueChecker.zip

Comments

teamdhcp said:

Usage:

Double click on the tool or launch the executable from the command prompt.

The tool on startup will query the AD and populate the authorized DHCP servers.

Thanks,

Subhash Badri

# July 3, 2009 3:15 AM

Derek Morr said:

Thanks for this, it looks useful. Are there any plans to add IPv6 support?

# July 3, 2009 11:27 AM

teamdhcp said:

Yes, there are plans to add IPv6 support as well, but not immediately.

Thanks,

Subhash Badri

# July 3, 2009 9:55 PM

bhagirathrajabhai said:

So does this tool have the basic functionality of the "DHCP" snap-in that comes in the "Adminpak" for Active Directory, or can the tool also find non-AD DHCP servers?

# July 6, 2009 9:45 AM

teamdhcp said:

Yes, this tool finds DHCP servers in the subnet which are not authorized by the AD (I hope this is what you meant by non-AD dhcp servers).

Thanks,

Subhash Badri

# July 6, 2009 10:53 AM

zep73 said:

I got a "number of rogue servers detected 1" message, what do I do now?

# July 6, 2009 3:53 PM

teamdhcp said:

It would have filled the "Discovered DHCP servers in the subnet" grid box with the DHCP server details. If the tool popped up a dialog for access permission for opening a port (first time), then there is a chance that the grid is not populated; please re-run the tool in that case.

Once you get some details about the rogue DHCP server, find out if the discovered DHCP server is really a rogue, in which case find the server machine which is running the DHCP service and stop the DHCP service on that server.

If this DHCP server for some reason is not a rogue (for test purposes), then click on the checkbox, which will tell the tool not to report this server as rogue in future discoveries.

Thanks,

Subhash Badri

# July 6, 2009 9:21 PM

Matt said:

I am trying to run this on one of our servers, and we keep getting "Interface: 10.10.1.1:68 is used by DHCP client for DHCP operation and cannot be used by Rogue detection tool Configure the static IPv4 address for this interface, stop DHCP client and restart the application."

The server I am trying to run this on has a static IP, and the DHCP client turned off.

# July 10, 2009 4:41 PM

teamdhcp said:

Matt,

Please run netstat -aon to see which process has an exclusive lock on port 68. Generally it would be the DHCP client.

The DHCP client has a dependency on "WinHTTP Web Proxy Auto-Discovery Service". If you just stop the DHCP client it is restarted because of the dependency. First you have to disable "WinHTTP Web Proxy Auto-Discovery Service" and then stop the DHCP client.

Steps:

1. Open services.msc

2. Right click on "WinHTTP Web Proxy Auto-Discovery Service"

3. Click on Properties, select the startup type as Disabled and click OK.

4. Stop the DHCP service by right clicking on "DHCP Client" and clicking Stop in services.msc, or else use "net stop dhcp"

5. Run the tool and it should work fine.

Thanks,

Subhash Badri

# July 10, 2009 10:18 PM

Steven said:

Nice tool, it's even useful if you are not using Windows Server for DHCP, which is my case.

# October 12, 2009 1:47 PM

Scott said:

Love this tool! As a feature request for future ones, it would be great to see the MAC of the rogue DHCP server. When we get one on our network it's usually an invalid network IP and it becomes difficult to find, so we run it in conjunction with a network capture to find the MAC and then search our switches to find the intruding port.

# October 20, 2009 8:23 AM