Rogue DHCP Server Can't be found
Over the last 3-4 weeks I have been trying to find a rogue DHCP server on my network but have been stumped! It is offering IP Addresses that do not work with my network, so any device that needs a Dynamic Address is getting one from the Rogue DHCP and then that device stops working. I need help to find and destroy this thing! I think it might be a Trojan of some sort.
My Main Router is the only valid DHCP Server and is 192.168.0.1 which offers a range of 192.160.0.150-199, and I have this configured in my AD as Authorized. This ROGUE DHCP claims to be coming from 192.168.0.20 and offering an IP Address in the range of 10.255.255.* which is messing up EVERYTHING on my network unless I assign a static IP Address to it. 192.168.0.20 does not exist on my network.
My network is a single AD Server on Windows 2008R2, 3 other physical servers (1-2008R2 and 2 2012R2) about 4 Hypervisor VM's, 3 laptops and a Windows 7 box.
I can't ping the rogue 192.160.0.20 IP, and I can't see it in the ARP -A output, so I can't get its MAC address. I'm hoping that someone reading this post has come across this before.
On one of the affected Windows clients start a packet capture (Wireshark, Microsoft Network Monitor, Microsoft Message Analyzer, etc.), then from an elevated command prompt run ipconfig /release. The DHCP client will send a DHCPRELEASE message to the DHCP server that it obtained its IP address from. This should allow you to obtain the MAC address of the rogue DHCP server, which you can then track down in your switch MAC address table to find out which switch port it's connected to, then trace that switch port to the network jack and the device plugged into it.
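The capture approach above works because the rogue's Ethernet source address is in every DHCPOFFER/DHCPACK it sends, even when the DHCP server identifier it advertises (option 54) is an address that does not answer pings or show up in arp -a. The following Python script is an added example, not code from this thread or from any of the products mentioned: it parses raw Ethernet/IPv4/UDP/DHCP frames, keeps only server-to-client replies (UDP 67 to 68, BOOTREPLY), and reports any whose server identifier or IP source is not on an authorized list, together with the MAC address you would look up in the switch table. The sample frames, MAC addresses, the 192.168.0.153 source address and the authorized-server set are all constructed for the demonstration; in practice the frames would come from a pcap reader.

```python
import struct

# Constructed sample values (not from any real capture): the authorized DHCP
# server is 192.168.0.1; the second frame mimics a misconfigured device that
# announces itself as 192.168.0.20 (option 54) while actually transmitting
# from 192.168.0.153, and hands out 10.255.255.x leases.
AUTHORIZED_SERVERS = {"192.168.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
MSG_NAMES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_options(data):
    """Parse the TLV option area after the DHCP magic cookie into {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                                   # pad option
            i += 1
            continue
        if code == 255 or i + 1 >= len(data):           # end option / truncated
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_server_reply(frame):
    """Return details of a DHCP server->client reply in an Ethernet frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":    # IPv4 only
        return None
    src_mac = mac_str(frame[6:12])                          # what the switch CAM table knows
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 17:                    # UDP only
        return None
    src_ip = ip_str(ip[12:16])                              # real sender, may differ from option 54
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != 67 or dport != 68:                          # bootps -> bootpc direction
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:
        return None                                         # not a BOOTREPLY with DHCP cookie
    opts = parse_options(bootp[240:])
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "src_mac": src_mac,
        "src_ip": src_ip,
        "msg_type": MSG_NAMES.get(msg_type, str(msg_type)),
        "server_id": ip_str(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
        "offered_ip": ip_str(bootp[16:20]),                 # yiaddr
        "router": ip_str(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None,
    }


def find_rogue_servers(frames, authorized=AUTHORIZED_SERVERS):
    """Flag replies whose server identifier or IP source is not an authorized server.
    (A DHCP relay would need its own address added to the authorized set.)"""
    rogues = []
    for frame in frames:
        reply = parse_server_reply(frame)
        if reply is None:
            continue
        if reply["server_id"] not in authorized or reply["src_ip"] not in authorized:
            rogues.append(reply)
    return rogues


def build_reply(src_mac, src_ip, server_id, yiaddr, router, msg_type=2):
    """Build a constructed Ethernet/IPv4/UDP/DHCP reply for testing; checksums left zero."""
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
               + bytes([OPT_ROUTER, 4]) + ip_bytes(router) + b"\xff")
    bootp = (bytes([2, 1, 6, 0]) + b"\x00" * 12 + ip_bytes(yiaddr)   # op..ciaddr, yiaddr
             + b"\x00" * 216 + DHCP_MAGIC + options)                   # siaddr..file
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip_bytes(src_ip), ip_bytes("255.255.255.255")) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ipv4


# Constructed frames: a legitimate offer, then one from the misbehaving device.
SAMPLE_FRAMES = [
    build_reply("02:00:00:00:00:01", "192.168.0.1", "192.168.0.1", "192.168.0.150", "192.168.0.1"),
    build_reply("02:00:00:00:00:02", "192.168.0.153", "192.168.0.20", "10.255.255.150", "10.255.255.1"),
]

if __name__ == "__main__":
    for r in find_rogue_servers(SAMPLE_FRAMES):
        print(f"rogue {r['msg_type']} from MAC {r['src_mac']} (IP {r['src_ip']}, claims "
              f"server-id {r['server_id']}): offers {r['offered_ip']} via {r['router']}")
```

The check deliberately compares both the advertised server identifier and the IP header source against the authorized list, because the two can disagree exactly as they did in this thread: a device may still advertise an old static address in option 54 while sending from whatever lease it currently holds. The MAC address in the report is the value to search for in the switch MAC address table.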
Found it!! It was my DCS-5030L D-Link Network Camera! I have NO idea why this happened. This is how I found it.
- I changed my laptop IP Address to 10.255.255.150/255.255.255.0/10.255.255.1 and the DNS Server 8.8.8.8 so that it would be in the range of what the rogue dhcp was dishing out.
- I then did an ipconfig /all to populate the ARP table.
- Did an arp -a to get a list of the IPs in the table and there was the MAC Address for 10.255.255.1 which is the gateway of the rogue DHCP Server!
- I then used Wireless Network Watcher from Nirsoft.net so I could find the REAL IP Address of the device from the MAC Address I found. The actual IP of the Rogue DHCP was 192.168.0.153, which was dynamically picked up by the Camera.
- I then logged onto the Camera web page and saw that it was previously set to 192.168.0.20 which was the IP Address of the rogue DHCP Server.
- Then I switched it to a static IP and kept it as 192.160.0.20.
Now I can get on with my life!! Thanks to everyone for support.
Do a binary search.
- Disconnect half the cables
- Using '/ipconfig release' test if it's still there
- If so, disconnect another half of the remaining and goto 2
- If not, reconnect the half of the previously disconnected first half, disconnect the second half and goto 2
This will divide the network into two each successive test, so if you have 1,000 machines it may take you up to 10 tests to find the individual port the DHCP server is running on.
You'll spend a lot of time plugging and unplugging devices, but it will narrow it down to the dhcp server without a lot of additional tools and techniques, so it'll work in any environment.