Rogue DHCP Server detection

re: Rogue DHCP Server detection

teamdhcp — Fri, 03 Jul 2009 10:15:32 GMT

Usage:

Double click on the tool or launch the excutable from the command prompt.

The tool on startup will query the AD and populates the authorized DHCP server.

Thanks,

Subhash Badri

re: Rogue DHCP Server detection

Derek Morr — Fri, 03 Jul 2009 18:27:27 GMT

Thanks for this, it looks useful. Are there any plans to add IPv6 support?

re: Rogue DHCP Server detection

teamdhcp — Sat, 04 Jul 2009 04:55:52 GMT

Yes, there are plans to add IPv6 support as well, but not immediately.

Thanks,

Subhash Badri

re: Rogue DHCP Server detection

bhagirathrajabhai — Mon, 06 Jul 2009 16:45:41 GMT

So does this tool have the basic functionality of the "DHCP" snap in that comes in the "Adminpak" for Active Directory, or

The tool can also find non-AD dchp servers?

re: Rogue DHCP Server detection

teamdhcp — Mon, 06 Jul 2009 17:53:34 GMT

Yes, this tool finds DHCP servers in the subnet which are not authorized by the AD (I hope this is what you meant by non-AD dhcp servers).

Thanks,

Subhash Badri

re: Rogue DHCP Server detection

zep73 — Mon, 06 Jul 2009 22:53:56 GMT

I got a number of rogue servers detected 1 message, what do I do now.

re: Rogue DHCP Server detection

teamdhcp — Tue, 07 Jul 2009 04:21:10 GMT

It would have filled the "Discovered DHCP servers in the subnet" grid box with the DHCP server details. If the tool poped up a dialog for access permission for opening a port (First time), then there are chances that grid is not populated, please re-run the tool in that case.

Once you get some details about the rogue dhcp server, find out if the discovered DHCP server is really a rogue in which case find out the server machine which is running the DHCP service and stop the DHCP service on that server.

If this DHCP server for some reason is not a rogue (in test purposes) then click on the checkbox, which will tell the tool not to report this server as rogue in future discovers.

Thanks,

Subhash Badri

re: Rogue DHCP Server detection

Matt — Fri, 10 Jul 2009 23:41:27 GMT

I am trying to run this on one of our servers, and we keep getting "Interface: 10.10.1.1:68 is used by DHCP client for DHCP operation and cannot be used by Rogue detection tool Configure the static IPv4 address for this interface, stop DHCP client and restart the application."

The server I am trying to run this on has a static IP, and the DHCP client turned off.

re: Rogue DHCP Server detection

teamdhcp — Sat, 11 Jul 2009 05:18:57 GMT

Matt,

Please run netstat -aon to see which process is having an exclusive lock on port 68. Generally it would be dhcp client.

Dhcp client has a dependency on "WinHTTP Web Proxy Auto-Discovery Service". If you just stop the dhcp client it is restarted becuase of the dependency. First you have to disable "WinHTTP Web Proxy Auto-Discovery Service" and then stop the dhcp client.

steps:

1. Open services.msc

2. Right click on "WinHTTP Web Proxy Auto-Discovery Service"

3. click on the properties, select the statu type as disabled and click OK.

4. stop the dhcp service by right clicking on "DHCP client" and click stop in services.msc, else use "net stop dhcp"

5. Run the tool and it should work fine.

Thanks,

Subhash Badri

re: Rogue DHCP Server detection

Steven — Mon, 12 Oct 2009 20:47:14 GMT

Nice tool, it's even useful if you are not using Windows Server for DHCP, which is my case.

re: Rogue DHCP Server detection

Scott — Tue, 20 Oct 2009 15:23:29 GMT

Love this tool! As a feature request for future ones, it would be great to see the MAC of the rogue DHCP server. When we get one on our network it's usually an invalid network IP and it becomes difficult to find so we run it in conjunction with a network capture to find the MAC and then search our switches to find the intruding port.