====== Find a Rogue DHCP Server ======

===== DHCP Process =====

**DORA**:

  - **Discover**
    * Client
  - **Offer**
    * Server
  - **Request**
    * Client
  - **Acknowledge**
    * Server

===== Capture the Process =====

  - Note the IP address of the valid DHCP server
    * It appears in the DHCP Release packet sent by a working client
  - Start Wireshark
  - ''ipconfig /release''
  - ''ipconfig /renew''
  - Save the capture
    * ''find_rogue.pcap''

===== Analyze the Capture =====

In Wireshark:

  - **Open** the ''.pcap'' file
  - **Filter** on ''bootp'' packets
    * Shows the DORA exchange
  - **Filter** on ''bootp.option.dhcp == 2'' packets
    * Shows only DHCP Offer packets; any Offer whose sender is not the valid DHCP server noted above is the rogue
    * In Wireshark 3.0 and later the dissector was renamed, so the filters are ''dhcp'' and ''dhcp.option.dhcp == 2''

===== Track It Down =====

From a CMD prompt, using the rogue server's IP address, you can check for:

  * Reverse DNS info
  * The MAC address
  * The NetBIOS name

<code>
nslookup <rogue-ip>
ping <rogue-ip>
arp -a
nbtstat -A <rogue-ip>
</code>

(''<rogue-ip>'' is a placeholder for the address seen in the Offer; ''ping'' first so the address is in the ARP cache before ''arp -a''.)

Knowing the manufacturer of the rogue device might help, once you know the MAC address. Try a lookup here: https://macvendors.com/

Finally, use '**Divide and Conquer**' to find the culprit: unplug half the switch ports or uplinks at a time, repeat the release/renew, and see which half the rogue Offers disappear with.
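The Wireshark filter above matches DHCP option 53 (message type) with the value 2. The following is an added example, not code from this page or from Wireshark, showing what that filter does at the byte level: it decodes raw DHCP payloads (the UDP payload Wireshark dissects as ''bootp''/''dhcp''), reads the valid server's address from the client's Release (option 54, server identifier), and then reports every Offer whose server identifier is not that address. It uses only the Python standard library; the packets in ''SAMPLE_PAYLOADS'' are constructed for the demo, not taken from a capture, and the addresses in them are made up.

```python
"""Decode DHCP (BOOTP) messages and flag Offers from an unexpected server.
Added example; packets below are constructed, not captured."""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 7: "Release"}


@dataclass
class DhcpMessage:
    op: int            # 1 = request from client, 2 = reply from server
    xid: int           # transaction id shared by one DORA exchange
    client_mac: str
    yiaddr: str        # "your" address: the IP being offered or assigned
    msg_type: int      # option 53; Wireshark's dhcp.option.dhcp / bootp.option.dhcp
    server_id: str     # option 54: the server that produced the message


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def parse_options(data: bytes) -> dict:
    """Walk the TLV option list that follows the magic cookie (RFC 2132)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:              # pad byte, carries no length
            i += 1
            continue
        if code == 255:            # end marker
            break
        length = data[i + 1]
        opts[code] = data[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the fixed 236-byte BOOTP header plus the DHCP options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]              # client hardware address
    opts = parse_options(payload[240:])
    msg_type = opts[53][0] if 53 in opts else 0
    sid = opts.get(54, b"")
    return DhcpMessage(op, xid, chaddr.hex(":"), ip_str(payload[16:20]),
                       msg_type, ip_str(sid) if len(sid) == 4 else "")


def build_dhcp(op: int, msg_type: int, xid: int, client_mac: bytes,
               yiaddr: str = "0.0.0.0", server_id: str = "") -> bytes:
    """Construct a minimal DHCP message; only used to fabricate demo traffic."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op..flags, 12 bytes
    hdr += bytes(4) + ip_bytes(yiaddr) + bytes(8)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac.ljust(16, b"\x00")                    # chaddr, padded to 16
    hdr += bytes(192)                                       # sname (64) + file (128)
    opts = bytes([53, 1, msg_type])                         # option 53: message type
    if server_id:
        opts += bytes([54, 4]) + ip_bytes(server_id)        # option 54: server identifier
    return hdr + DHCP_MAGIC + opts + b"\xff"


def valid_server_from_release(payloads) -> str:
    """Step 1 of the page: read the real server's IP from the client's Release."""
    for p in payloads:
        m = parse_dhcp(p)
        if m.msg_type == 7 and m.server_id:
            return m.server_id
    return ""


def find_rogue_offers(payloads, valid_servers):
    """Same as filtering on option 53 == 2, then dropping the known-good server."""
    rogue = []
    for p in payloads:
        m = parse_dhcp(p)
        if m.msg_type == 2 and m.server_id not in valid_servers:
            rogue.append((m.server_id, m.yiaddr, m.client_mac))
    return rogue


# Constructed demo traffic: a Release to the real server, a Discover, then two
# Offers for the same transaction, one from the real server and one from a rogue.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_PAYLOADS = [
    build_dhcp(1, 7, 0x1111, CLIENT_MAC, server_id="192.168.1.1"),
    build_dhcp(1, 1, 0x2222, CLIENT_MAC),
    build_dhcp(2, 2, 0x2222, CLIENT_MAC, "192.168.1.50", "192.168.1.1"),
    build_dhcp(2, 2, 0x2222, CLIENT_MAC, "10.0.0.7", "192.168.1.200"),
]

if __name__ == "__main__":
    good = valid_server_from_release(SAMPLE_PAYLOADS)
    for server, offered, mac in find_rogue_offers(SAMPLE_PAYLOADS, {good}):
        print(f"rogue DHCP server {server} offered {offered} to {mac}")
```

To run this against a real ''find_rogue.pcap'', feed ''find_rogue_offers'' the UDP payloads of the port 67/68 packets from any pcap reader; the server identifier it reports is the address to take into the ''Track It Down'' steps.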