Differences

This shows you the differences between two versions of the page.

--- networking:dhcp_find_rogue [2018/07/20 11:22]
gcooper created
+++ networking:dhcp_find_rogue [2018/07/20 12:46] (current)
gcooper
@@ Line 3: / Line 3: @@
 ===== DHCP Process =====
-DORA:
+**DORA**
-  - Discover
+  - **Discover**
-  - Offer
+    * Client
-  - Request
+  - **Offer**
-  - Acknowledge
+    * Server
+  - **Request**
+    * Client
+  - **Acknowledge**
+    * Server
+===== Capture the Process =====
+  - Note the IP address of valid DHCP server
+    * See DHCP Release packet from working client
+  - Start Wireshark
+  - ''ipconfig /release''
+  - ''ipconfig /renew''
+  - Save the capture
+    * ''find_rogue.pcap''
+===== Analyze the Capture =====
+In Wireshark:
+  - **Open** the ''.pcap'' file
+  - **Filter** on ''bootp'' packets
+    * Shows DORA
+  - **Filter** on ''bootp.option.dhcp == 2'' packets
+    * Shows DHCP Offer packets
+===== Track It Down =====
+From a CMD prompt, you can check for:
+  * Reverse DNS info
+  * Find the MAC address
+  * Check for NETBIOS name
+<file>
+nslookup <IP of rogue DHCP server>
+</file>
+<file>
+ping <IP of rogue DHCP server>
+arp -a
+</file>
+<file>
+nbtstat -A <IP of rogue DHCP server>
+</file>
+Knowing the manufacturer of the rogue device might help, once you know the MAC address.  Try a lookup here:
+https://macvendors.com/
+Finally, use '**Divide and Conquer**' to find the culprit.

Virtual Architects Support Wiki