====== Find a Rogue DHCP Server ======
===== DHCP Process =====
**DORA**
- **Discover**
* Client
- **Offer**
* Server
- **Request**
* Client
- **Acknowledge**
* Server
===== Capture the Process =====
- Note the IP address of valid DHCP server
* See DHCP Release packet from working client
- Start Wireshark
- ''ipconfig /release''
- ''ipconfig /renew''
- Save the capture
* ''find_rogue.pcap''
===== Analyze the Capture =====
In Wireshark:
- **Open** the ''.pcap'' file
- **Filter** on ''bootp'' packets (the dissector is named ''dhcp'' in Wireshark 3.0 and later)
* Shows DORA
- **Filter** on ''bootp.option.dhcp == 2'' packets (''dhcp.option.dhcp == 2'' in Wireshark 3.0 and later)
* Shows DHCP Offer packets; any Offer whose server identifier is not the valid server noted earlier comes from the rogue
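The same check done in code, as an added example that is not part of the original page: parse the BOOTP/DHCP payloads (assumed already extracted from the UDP packets in ''find_rogue.pcap''), keep only Offers (option 53 == 2), and flag those whose Server Identifier (option 54) is not the known valid server. The sample packets and the ''192.0.2.x'' addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
VALID_DHCP_SERVERS = {"192.0.2.1"}           # constructed: the server noted in step 1

def build_dhcp_offer(server_ip, offered_ip, client_mac):
    """Constructed sample: a minimal BOOTP/DHCP Offer payload (UDP payload only)."""
    # op=2 (reply), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags,
    # ciaddr, yiaddr (offered address), siaddr, giaddr
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                      b"\0" * 4, IPv4Address(offered_ip).packed, b"\0" * 4, b"\0" * 4)
    hdr += client_mac + b"\0" * 10 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = bytes([53, 1, 2])                                    # option 53: message type Offer
    opts += bytes([54, 4]) + IPv4Address(server_ip).packed      # option 54: server identifier
    return hdr + MAGIC_COOKIE + opts + bytes([255])             # option 255: end

def parse_dhcp(payload):
    """Return (message_type, server_id, offered_ip, client_mac) from a BOOTP/DHCP payload."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    yiaddr = str(IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:               # walk the TLV options
        if payload[i] == 0:                                     # pad option has no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    server_id = str(IPv4Address(options[54])) if 54 in options else None
    return msg_type, server_id, yiaddr, chaddr

def find_rogue_offers(payloads, valid_servers):
    """Offers (message type 2) whose server identifier is not in the valid set."""
    rogues = []
    for p in payloads:
        msg_type, server_id, yiaddr, chaddr = parse_dhcp(p)
        if msg_type == 2 and server_id not in valid_servers:
            rogues.append((server_id, yiaddr, chaddr))
    return rogues
```

The server identifier is what ''bootp.option.dhcp == 2'' shows per Offer in Wireshark; the client MAC in the result is the one to take into ''arp -a'' and the vendor lookup.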
===== Track It Down =====
From a CMD prompt, you can check the rogue server's IP address for:
* Reverse DNS info: ''nslookup''
* The MAC address: ''ping'' the address, then ''arp -a''
* The NETBIOS name: ''nbtstat -A''
Once you know the MAC address, its OUI tells you the manufacturer of the rogue device, which might help identify it. Try a lookup here:
https://macvendors.com/
Finally, use **Divide and Conquer** to find the culprit.