
May 6, 2009

DHCPLOC.exe

DHCPLOC.EXE is the scanner we used to detect a rogue DHCP server on the 72 VLAN. It only sees the DHCP traffic on its own broadcast domain, so the computer running the scan has to be on the same VLAN as the rogue DHCP server; a rogue on another VLAN will not show up.

Install the Windows Support Tools on a computer that is on the VLAN you wish to scan.
Open a Command prompt window and type the command:
dhcploc.exe /p /a /i 192.168.x.x (192.168.x.x is the IP of the computer running the scanner; dhcploc needs it as its first non-switch argument)

This will output the DHCP OFFER/ACK packets it sees into the window. If you want to put the output into a file, redirect it: "dhcploc.exe /p /a /i 192.168.x.x > dhcp.txt"

Note that the command above does not name any authorized DHCP servers, so every packet is marked with "***" (dhcploc's flag for a server not on its valid list) and you have to compare the (S) and (S1) addresses against your known server by hand, as done below. dhcploc also accepts the addresses of your authorized DHCP servers after your own address, in which case only packets from other servers are flagged.

The general output will look like this (no rogue DHCP server present):
16:49:33 OFFER (IP)192.168.75.232 (S)192.168.1.23 (S1)192.168.72.1 ***
16:49:37 OFFER (IP)192.168.75.23 (S)192.168.1.23 (S1)192.168.72.1 ***
16:49:43 OFFER (IP)192.168.75.252 (S)192.168.1.23 (S1)192.168.72.1 ***


The (S) is the DHCP server identifier, the address a client reports as its DHCP Server when you run IPCONFIG /ALL from a command prompt.
The (S1) is the source address the packet arrived from on this VLAN. For our real server, which sits on another subnet and answers through the router's DHCP relay, (S1) is the VLAN gateway 192.168.72.1; for a rogue server plugged into the VLAN itself, (S1) is in general the IP of the rogue box.

Here is output with a rogue DHCP server running:
23:05:03 ACK (IP)192.168.72.248 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:24 ACK (IP)192.168.74.214 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:50 OFFER (IP)192.168.72.183 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:50 ACK (IP)192.168.72.183 (S)192.168.1.23 (S1)192.168.72.1 ***
23:07:26 ACK (IP)192.168.72.248 (S)192.168.1.23 (S1)192.168.72.1 ***
23:08:59 OFFER (IP)192.168.75.176 (S)192.168.1.23 (S1)192.168.72.1 ***
23:08:59 ACK (IP)192.168.75.176 (S)192.168.1.23 (S1)192.168.72.1 ***
23:09:36 ACK (IP)192.168.72.194 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 OFFER (IP)192.168.72.31 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 ACK (IP)192.168.72.31 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 ACK (IP)192.168.72.31 (S)192.168.1.23 (S1)192.168.72.1 ***
23:09:37 OFFER (IP)192.168.73.23 (S)192.168.1.23 (S1)192.168.72.1 ***
23:10:37 ACK (IP)192.168.75.164 (S)192.168.72.1 (S1)192.168.75.176 ***
23:10:48 ACK (IP)192.168.75.164 (S)192.168.72.1 (S1)192.168.75.176 ***
23:11:16 ACK (IP)192.168.75.197 (S)192.168.72.1 (S1)192.168.75.176 ***
23:11:36 ACK (IP)192.168.72.194 (S)192.168.72.1 (S1)192.168.75.176 ***

From this output we can see two distinct (S)/(S1) pairs, i.e. two DHCP servers answering on the VLAN. Knowing that 192.168.1.23 (relayed via 192.168.72.1) is our DHCP server, we can deduce that the rogue server is 192.168.75.176. Two other things in the log are worth noting: 192.168.75.176 itself took a lease from our server at 23:08:59, seconds before it began answering clients, and 192.168.72.31 was ACKed by both servers at 23:09:36. The clients listed against the rogue pair (192.168.72.194, 192.168.72.31, 192.168.75.164, 192.168.75.197) are the ones holding leases from it and should be checked once the rogue is off the wire.
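The comparison above can be automated. The following Python script is an added example, not code from the original post or part of dhcploc: it parses dhcploc output (the lines above are embedded as the sample input), groups packets by (S)/(S1) pair, flags every pair that is not on an authorized list, and reports clients that were ACKed by more than one server. The AUTHORIZED pair, the function names and the regular expression are assumptions made for this example; the authorized pair is taken from the post's own description of the 72 VLAN.

```python
import re
from collections import defaultdict

# Constructed sample input: the dhcploc.exe lines from the post above, verbatim.
SAMPLE = """\
23:05:03 ACK (IP)192.168.72.248 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:24 ACK (IP)192.168.74.214 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:50 OFFER (IP)192.168.72.183 (S)192.168.1.23 (S1)192.168.72.1 ***
23:05:50 ACK (IP)192.168.72.183 (S)192.168.1.23 (S1)192.168.72.1 ***
23:07:26 ACK (IP)192.168.72.248 (S)192.168.1.23 (S1)192.168.72.1 ***
23:08:59 OFFER (IP)192.168.75.176 (S)192.168.1.23 (S1)192.168.72.1 ***
23:08:59 ACK (IP)192.168.75.176 (S)192.168.1.23 (S1)192.168.72.1 ***
23:09:36 ACK (IP)192.168.72.194 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 OFFER (IP)192.168.72.31 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 ACK (IP)192.168.72.31 (S)192.168.72.1 (S1)192.168.75.176 ***
23:09:36 ACK (IP)192.168.72.31 (S)192.168.1.23 (S1)192.168.72.1 ***
23:09:37 OFFER (IP)192.168.73.23 (S)192.168.1.23 (S1)192.168.72.1 ***
23:10:37 ACK (IP)192.168.75.164 (S)192.168.72.1 (S1)192.168.75.176 ***
23:10:48 ACK (IP)192.168.75.164 (S)192.168.72.1 (S1)192.168.75.176 ***
23:11:16 ACK (IP)192.168.75.197 (S)192.168.72.1 (S1)192.168.75.176 ***
23:11:36 ACK (IP)192.168.72.194 (S)192.168.72.1 (S1)192.168.75.176 ***
"""

# Assumption for this example: our authorized server identifier (S) together
# with the address (S1) its replies arrive from on the 72 VLAN (the relay/gateway).
AUTHORIZED = {("192.168.1.23", "192.168.72.1")}

# One dhcploc output line: "HH:MM:SS TYPE (IP)client (S)server-id (S1)source [***]"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msg>[A-Z]+)\s+"
    r"\(IP\)(?P<client>[\d.]+)\s+\(S\)(?P<server>[\d.]+)\s+\(S1\)(?P<source>[\d.]+)"
)


def parse_dhcploc(text):
    """Parse dhcploc output into one dict per packet; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_servers(records):
    """Group packets by (S, S1) pair: packet count, time span and the clients each pair ACKed."""
    servers = {}
    for r in records:
        key = (r["server"], r["source"])
        entry = servers.setdefault(
            key, {"msgs": 0, "first": r["time"], "last": r["time"], "acked": set()}
        )
        entry["msgs"] += 1
        entry["last"] = r["time"]
        if r["msg"] == "ACK":
            entry["acked"].add(r["client"])
    return servers


def find_rogues(records, authorized):
    """Every (S, S1) pair not in the authorized set. Matching on the pair rather
    than on (S) alone also catches a rogue that copies our server identifier
    but answers from its own interface."""
    return {k: v for k, v in summarize_servers(records).items() if k not in authorized}


def contested_clients(records):
    """Clients ACKed by more than one (S, S1) pair: their lease is in dispute."""
    acks = defaultdict(set)
    for r in records:
        if r["msg"] == "ACK":
            acks[r["client"]].add((r["server"], r["source"]))
    return {c: pairs for c, pairs in acks.items() if len(pairs) > 1}


def report(text, authorized):
    """Human-readable findings as a list of lines (empty if nothing unexpected was seen)."""
    records = parse_dhcploc(text)
    lines = []
    for (server, source), info in find_rogues(records, authorized).items():
        lines.append(
            f"ROGUE: server-id {server} answering from {source}: "
            f"{info['msgs']} packets {info['first']}-{info['last']}, "
            f"ACKed clients {sorted(info['acked'])}"
        )
    for client, pairs in contested_clients(records).items():
        lines.append(f"CONTESTED: {client} ACKed by {sorted(pairs)}")
    return lines


if __name__ == "__main__":
    # Usage: dhcploc.exe ... > dhcp.txt, then: python this_script.py dhcp.txt
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(data, AUTHORIZED)) or "no unauthorized DHCP servers seen")
```

Run against the post's capture it reports one rogue pair, server-id 192.168.72.1 answering from 192.168.75.176 with four ACKed clients, and one contested client, 192.168.72.31. Keying the authorized list on the (S, S1) pair is deliberate: a rogue that sets its server identifier to the real server's address would still be caught by its (S1) source, which is exactly the field the post singles out as the rogue's own IP.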

Posted by rushingj at May 6, 2009 8:40 AM