Detect Rogue DHCP Server with Wireshark [Step-by-Step]

Recently, I came across a question on “serverfault.com” about how to detect a rogue Install and Configure DHCP server in your network. There are some tools out there that can help, but the simplest method for me is to use Wireshark to detect the rogue DHCP server. Before a deep investigation, I would like to refresh your memory regarding how Dynamic Host Configuration Protocol (DHCP) works.

 

What is DHCP? and How does it work?

DHCP is a network management protocol that is enable us to dynamically configure a client. Assigning IP addresses dynamically through DHCP is just only one function of the protocol. A DHCP server uses DHCP options to provides information to its clients. Following screenshot shows the steps how to assign an IP address to the client.

Advertisement

How to Detect Rogue DHCP Server with Wireshark

 

Step-1: The client sends a broadcast DHCPDISCOVER packet to the network, which contains an identifier unique to the client (typically the MAC address). The packet might also contain other requests, such as requested options (for example, subnet mask, domain name server, domain name, or static route).

Step-2:  When the server receives a DHCPDISCOVER packet from the client, the server chooses a network address for the requesting client and responses back to the client with a DHCPOFFER packet.

Step-3: The client broadcasts a DHCPREQUEST packet that contains the offered IP address in Step-2, and shows acceptance of the offered IP address.

Step-4: The DHCP server acknowledges the client DHCPREQUEST for the IP address by sending a DHCPACK packet.

 

DHCP Message (Packet) Types

1. DHCP Discover

With this packet, a DHCP client broadcasts to locate available DHCP servers. As seen below, the packet includes the client Media Access Control (MAC) address, Host Name, Parameter Request List which is used by the DHCP client to request values for specified configuration parameters.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

2. DHCP Offer

It is a DHCP server’s response to DHCPDISCOVER packet with offer of configuration parameters.

Advertisement

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

3. DHCP Request

DHCP client sends a broadcast packet to DHCP server requesting offered parameters from the server.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

4. DHCP Ack

DHCP server sends this packet to DHCP client with configuration parameters, including committed network address.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

5. DHCP Nak (DHCP Negative Acknowledgement)

DHCP server sends this packet to client refusing request for configuration parameters (e.g., requested network address already allocated). Following screenshot shows the DHCPNAK packet coming from the DHCP server after attaching the client to a different network.  Before joining this new network, the client was assigned an IP address from 192.168.1.0/24 subnet. When the client was connected to the new network, it desired to keep its old IP address so it requested its old IP address from 192.168.1.0/24 subnet. Since the server was not configured for that scope (subnet), it did not handover the requested IP address and sent a DHCPNAK packet to the client.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

6. DHCP Decline

DHCP client sends it to server indicating configuration parameters (e.g., network address) invalid. It is mostly used when there is a conflict, which can be detected by either DHCP servers or clients to determine whether an IP address is already in use on the network before leasing or using the address. DHCP client computers running Windows that obtain an IP address use a gratuitous ARP request to perform client-based conflict detection before completing configuration and use of a server offered IP address. If the DHCP client detects a conflict, it will send a DHCP decline packet (DHCPDECLINE) to the server, and this will be evident in a network trace. The conflict is also can be detected by the server pinging the IP address before handing it over to a client. Following screenshot shows that the client found there was a conflict and notified the server with the  DHCP decline packet.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

7. DHCP Release

DHCP client sends this packet to DHCP server relinquishing network address and cancelling remaining lease. When you shut down your pc, you may release your IP address depending on your operating system.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

8. DHCP Inform

A DHCP Inform message is sent by a DHCP client to obtain other network configuration parameters such as the gateway address and DNS server address after the DHCP client has obtained an IP address. Assume that you have configured your IP address manually but you do not know information like domain name, dns suffix, TFTP server IP address etc. DHCP Inform can be used in the situations like that. Following figures shows that the client asked DHCP server for more information.

Advertisement

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Finding a Rogue DHCP Server (Step-by-Step)

A rogue DHCP server is one that is not authorized to provide IP addresses to devices on your network. A rogue DHCP server is usually introduced to the network accidentally. When a rogue DHCP server exists in the network, some of the clients may unable to browse the web or access other network resources. This happens when it introduces to the network accidentally, but when it is introduced to the network by malicious intent, the story changes. The attacker can pose a great treat to your network.

Assuming we have the topology below and we would like to find the rogue DHCP server and shut it down.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-1: Connect your computer to the network and launch Wireshark. We need to capture DHCP packets coming from the rogue DHCP server (attacker). If you have already an IP address, then open a command prompt/shell and perform “release” and “renew” command. After that your computer will send a DHCP discover packet like below.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-2: In this step both of the DHCP server will send an offer. Our aim is to obtain the rogue DHCP server’s MAC address, which can be seen from its DHCPOFFER packet (ca:03:46:64:00:00).

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

The authentic DHCP server also sends its DHCPOFFER, but it seems to be late.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-3: The client accepts the rogue DHCP server offer and sends back a DHCPREQUEST packet.

Advertisement

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-4: The rogue DHCP acknowledges the client request.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-5: Since the client DHCPREQUEST packet also reached the authentic DHCP server, it checks its configuration and see no relevant   IP pool, then it responses back with a DHCPNAK packet. MAC address is the only piece of the information we need to locate the rogue DHCP server and we found it in Step-2.

Detect Rogue DHCP Server with Wireshark [Step-by-Step]

 

Step-5: Once obtaining the MAC address, we need to find the port that has that MAC address entry, so we will connect to our switch and apply the command below.

CoreSW#sh mac address-table add ca03.4664.00.00
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    ca03.4664.00.00    DYNAMIC     Gi1/0/28
Total Mac Addresses for this criterion: 1
CoreSW#

 

Step-6: After finding the port (Gi1/0/28 ), we can disconnect it or shutdown it from remote.

 

Final Thoughts

Introducing a rogue DHCP server to the network can block the clients from reaching network resources. It mostly happens accidentally when a careless client plugs his/her modem into the office network. There are also cases when an attacker uses a rogue DHCP server to harm the network or clients, including performing a man-in-the-middle (MiTM) attack. Even though, finding the rogue DHCP server is easy, considering how much harm it may do to your network and clients, methods like DHCP Snooping should be implemented in your network.

 

References

RFC1531: Dynamic Host Configuration Protocol
DHCP client/server interaction
DHCP Messages

Advertisement

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment

X