networking:dhcp_find_rogue [2018/07/20 11:30] gcooper
networking:dhcp_find_rogue [2018/07/20 12:46] (current) gcooper
Line 5: | Line 5: | ||
**DORA** | **DORA** | ||
- | - Discover | + | - **Discover** |
- | - Offer | + | * Client |
- | - Request | + | - **Offer** |
- | - Acknowledge | + | * Server |
+ | - **Request** | ||
+ | * Client | ||
+ | - **Acknowledge** | ||
+ | * Server | ||
===== Capture the Process ===== | ===== Capture the Process ===== | ||
- Note the IP address of valid DHCP server | - Note the IP address of valid DHCP server | ||
+ | * See DHCP Release packet from working client | ||
- Start Wireshark | - Start Wireshark | ||
- '' | - '' | ||
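Review bot: the new sub-bullet under "Note the IP address of valid DHCP server" ("See DHCP Release packet from working client") points at the wrong packet: a client only sends a Release when it explicitly gives up its lease (for example via ipconfig /release), so a passive capture will usually not contain one. The Offer and Acknowledge steps added to the DORA list just above are the server's own packets, and the Server Identifier option (option 54) in either of them names the server's IP, so suggest "See the Server Identifier in the Offer or ACK to a working client" instead, or state that the Release has to be triggered on the client. Separately, the '' item under "Start Wireshark" has lost its command text in this rendering; check that the stored revision still carries it.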
Line 18: | Line 23: | ||
- Save the capture | - Save the capture | ||
* '' | * '' | ||
- | - | ||
+ | ===== Analyze the Capture ===== | ||
+ | |||
+ | In Wireshark: | ||
+ | |||
+ | - **Open** the '' | ||
+ | - **Filter** on '' | ||
+ | * Shows DORA | ||
+ | - **Filter** on '' | ||
+ | * Shows DHCP Offer packets | ||
+ | |||
+ | ===== Track It Down ===== | ||
+ | |||
+ | From a CMD prompt, you can check for: | ||
+ | |||
+ | * Reverse DNS info | ||
+ | * Find the MAC address | ||
+ | * Check for NETBIOS name | ||
+ | |||
+ | < | ||
+ | nslookup <IP of rogue DHCP server> | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ping <IP of rogue DHCP server> | ||
+ | arp -a | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | nbtstat -A <IP of rogue DHCP server> | ||
+ | </ | ||
+ | |||
+ | Knowing the manufacturer of the rogue device might help, once you know the MAC address. | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Finally, use ' |
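Review bot: the "Track It Down" section sends the reader to ping plus arp -a to learn the rogue's MAC, but the DHCP Offer packets already isolated in the "Analyze the Capture" step carry it directly as the Ethernet source address of the Offer frame, and the Server Identifier field of the same packet carries the rogue's IP; suggest adding "note the source MAC and Server Identifier of the Offer in Wireshark" as the first bullet and keeping ping/arp -a as a confirmation. Note also that arp -a only returns the rogue's own MAC when the querying host sits in the same broadcast domain; if the Offer reached the client through a DHCP relay, both the frame's source MAC and the ARP entry will be the relay router's, which is worth a caveat. Two smaller points: nbtstat -A only answers when the target runs NetBIOS over TCP/IP (typically a Windows host), so a rogue router or Linux box will simply time out, and the line should say so; and both the manufacturer-lookup URL ("https://") and the closing sentence ("Finally, use '") are cut off in this revision and need their text restored.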