I needed something to detect rogue DHCP servers on our network so I created a small perl script that listens to DHCP broadcasts and prints the IP address of the DHCP server along with the originating MAC address. This is useful in an information gathering situation where you need to confirm that there is in fact a rogue DHCP server present on your LAN.
You can download the dhcp-server-sniffer perl script here.
This perl script uses libpcap to sniff the local subnet for DHCP broadcast packets that contain a DHCP server IP address. In particular we want to capture REQUEST packets sent by the client.
A typical DHCP session looks like the following:Client does a DISCOVER (broadcast)
Server sends and OFFER (can be broadcast or unicast)
Client sends a REQUEST (this is a broadcast)
Server sends an ACK
When a client sends one of these REQUEST packets, they also include the IP address of a DHCP server they are sending to. These are ethernet broadcast packets and so are ideal for our packet sniffer. Once captured, these packets are then processed and the IP address of the DHCP server is printed to the screen. If the packet being processed happens to be a reply from the server, the originating MAC address is also printed. This way we can easily see the IP addresses of any hosts that are acting as DHCP servers, be them legitimate or rogue.
You will need to run the script as root, and can optionally pass the interface name to listen on to the script at the command line.
This script was developed and tested on Debian GNU/Linux using Perl 5 and should run on any Linux based system without much problem.Some output from a sample run.
root@p1155-awdeb:~# ./dhcp-server-sniffer.pl DHCP Offer detected | DHCP Server IP: 10.100.32.5 | src MAC: 0004964145c0 DHCP Request detected | DHCP Server IP: 10.100.32.5 DHCP Ack detected | DHCP Server IP: 10.100.32.5 | src MAC: 0004964145c0 DHCP Release detected | DHCP Server IP: 10.100.32.5 DHCP Offer detected | DHCP Server IP: 10.100.32.5 | src MAC: 000496439f40 DHCP Request detected | DHCP Server IP: 10.100.32.5 DHCP Ack detected | DHCP Server IP: 10.100.32.5 | src MAC: 0004964145c0 DHCP Ack detected | DHCP Server IP: 10.100.32.5 | src MAC: 000496439f40
The CPAN Libaries needed to run this script:http://search.cpan.org/dist/Net-Pcap/
To install these CPAN libraries on debian based systems:
apt-get install libnetpacket-perl libnet-pcap-perl libnet-dhcp-perl