Differences

This shows you the differences between two versions of the page.

--- networking:dhcp_find_rogue [2018/07/20 11:30]
gcooper
+++ networking:dhcp_find_rogue [2018/07/20 12:46] (current)
gcooper
@@ Line 5: / Line 5: @@
 **DORA**
-  - Discover
+  - **Discover**
-  - Offer
+    * Client
-  - Request
+  - **Offer**
-  - Acknowledge
+    * Server
+  - **Request**
+    * Client
+  - **Acknowledge**
+    * Server
 ===== Capture the Process =====
   - Note the IP address of valid DHCP server
+    * See DHCP Release packet from working client
   - Start Wireshark
   - ''ipconfig /release''
@@ Line 18: / Line 23: @@
   - Save the capture
     * ''find_rogue.pcap''
-  -
+===== Analyze the Capture =====
+In Wireshark:
+  - **Open** the ''.pcap'' file
+  - **Filter** on ''bootp'' packets
+    * Shows DORA
+  - **Filter** on ''bootp.option.dhcp == 2'' packets
+    * Shows DHCP Offer packets
+===== Track It Down =====
+From a CMD prompt, you can check for:
+  * Reverse DNS info
+  * Find the MAC address
+  * Check for NETBIOS name
+<file>
+nslookup <IP of rogue DHCP server>
+</file>
+<file>
+ping <IP of rogue DHCP server>
+arp -a
+</file>
+<file>
+nbtstat -A <IP of rogue DHCP server>
+</file>
+Knowing the manufacturer of the rogue device might help, once you know the MAC address.  Try a lookup here:
+https://macvendors.com/
+Finally, use '**Divide and Conquer**' to find the culprit.

Virtual Architects Support Wiki