Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

How can I fiind a rouge DHCP server?

Posted on 2009-04-16
6
Medium Priority
?
2,162 Views
Last Modified: 2013-11-22
I have figured out that it is the trojanflush.m virus/malware that is causing this.  It gives the machines a 1 hour lease time and gives your bogus dns addresses.  The site that is affected has around 400 computers so it's like finding a needle in a haystack.  Any help would be greatly appreciated.
0
Comment
Question by:HCSB
6 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24158651

Are your switches Managed? Can you tie a MAC address to a Port?

Or if it's a windows network, and you have the MAC it is possible to remotely check the MAC address on each client remotely (using WMI and a bit of scripting).

Chris
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 24162109
Where is your DNS normally pointed to?  If your Server is controlling DNS I would have thought you could setup the perimeter firewall to block all access to DNS requests from all pc's except for the server.  All pc's that have been zombied would try to connect to the rogue DNS address but would be barred by the perimeter firewall, so it is immediately obvious which pc's are affected.
0
 
LVL 7

Expert Comment

by:hau_it
ID: 24178305
You can always use the ethereal to capture data packets and make analysis after.
You can also be sure that rogue DHCP are not operating in your network if you enable DHCP snooping in your switches.
Cisco supports the feature. It is possible that other vendors will also have dhcp snooping support

Dimitris
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:HCSB
ID: 24187419
All switches expect for one building are managed cisco switches.  The only problem is there all out of date so in order to use dhcp snooping we would need to update all the switches we checked and our current version doesn't support it.

The dns addresses it uses were already blocked by our firewall so we know which ones are getting the bogus address the problem is finding the machine that is handing them out.
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 24195228
Hi

try using dhcploc.exe

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/DHCPandDNS/UsingtheDHCPLOCUtility.html

this will give you the Ip address of the server, NBTSTAT -A [IPADDRESS]

if you dont recognize the name do the following


On your switches  

check which port that MAC is on
via
show ip arp [ip-address]
or
show ip arp

Happy hunting


0
 
LVL 15

Accepted Solution

by:
xmachine earned 2000 total points
ID: 24264279
Hi,

Here's my checklist for detecting a rouge dhcp servers in your network:

1) If you are a Cisco shop, you are lucky enough because they have implemented a built-in security mechanism called "DHCP Snooping", is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. Read more about it.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf

This is an example of enabling DHCP Snooping on a Cisco Switch:

switch(config)# ip dhcp snooping
!Enables DHCP Snooping globally!
switch(config)# ip dhcp snooping vlan {,}
!Enables DHCP Snooping for Specific VLANs!
switch(config-if)# ip dhcp snooping trust
!Sets the interface to trusted state; can then pass DHCP replies!
switch(config-if)# ip dhcp snooping limit rate
!Sets rate limit for DHCP Snooping!


2) Use " DHCPLOC Utility" to detect rogue DHCP servers on your network, Get it from here

(http://technet2.microsoft.com/windowsserver/en/library/8fa42e83-ec08-4a9b-9057-8909f7ed433e1033.mspx?mfr=true)

With this tool, you can determine which DHCP servers are available to a DHCP client and to detect unauthorized DHCP servers on a subnet.


3) Use " DhcpExplorer" , its a tool that allows you to discover DHCP servers on your local subnet or LAN. This is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as checking the expected output of known servers. The tool is designed with a user-friendly interface and is easy to use. Download it form here:

http://www.filesland.com/companies/Nsasoft-LLC/download/DhcpExplorer.exe

4) Use " DHCPing", it is a simple utility, like ping, except it tests for running DHCP servers. The results of a dhcping scan can be matched against a list of known DHCP servers on your network. Anything showing up in the scan, and not on your server inventory, should be suspect. Get it from

here: http://www.securiteam.com/tools/5TP0G0KDFG.html

5) If you are a Microsoft shop, make sure that you have configured authorized DHCP server correctly, read here for more details:

http://technet.microsoft.com/en-us/library/cc781697.aspx

6) If you use Nmap, and you should by the way. You can scan your network for hosts that listen to port 67. See this example:

nmap -sU -P0 -p 67-68 -oN dhcp-scan-results > 192.168.0-3.*

Replace 192.168.0-3.* with your network's IP range.


7) Snort, is your watch dog while you are busy. Modify your snort.conf file to add a new servers list, like this:

var Authorized_DHCP [1.1.1.1,2.2.2.2]

replace 1.1.1.1, 2.2.2.2 with your production servers

And use this rule to detect rogue dhcp servers:

alert udp !$AUTHORIZED_DHCP 67 -> 255.255.255.255 any (msg: "Rogue DHCP Server OnNetwork"; sid:1000001;)


8)If you have tcpdump around, you can run and use this Bpf filter to detect rogue dhcp servers:

tcpdump -i eth0 -nn 'udp port 67 and !(host x.x.xx or host x.x.xx)'

9) And last, double check with your host-based firewall vendor that their product dose support NDIS-level firewalling. This means the FW will protect against unauthorized NDIS protocol registration by hooking NdisRegisterProtocol()/NdisOpenAdapter(). So, the FW will be notified when a NDIS protocol is trying to be registered or when its binding to some adapter.

A Symantec Certified Specialist @ your service
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question