Scanning network for DHCP servers

pgb205 · 08-07-2008, 06:23 PM

we apparently have more than one dhcp server on our network which is causing issues. I tried using nmap -sU 192.168.0.1-254 -p 67
to find all the dhcp servers but doesn't look like this worked. Tried using wireshark and looking for boot.dhcp packet but this again doesn't seem to give consistent results. What utilities are there for linux (or methods available) to find out ip's for all the dhcp servers on a given subnet.

thanks

grepmasterd · 08-07-2008, 06:46 PM

if your clients are linux boxes you can examine the dhclient.leases to see what server the lease came from.

~$ locate dhclient*leases
/var/lib/dhcp3/dhclient.leases
/var/lib/dhcp3/dhclient.eth2.leases
/var/lib/dhcp3/dhclient.eth0.leases
/var/lib/dhcp3/dhclient.eth1.leases
/var/lib/dhcp3/dhclient.wlan0.leases

since I know that eth2 is connected to my LAN currently, I can search for the server string in this way

~$ grep dhcp-server-identifier /var/lib/dhcp3/dhclient.eth2.leases
option dhcp-server-identifier 192.168.99.254;
option dhcp-server-identifier 10.5.5.1;

there are my two servers.

pgb205 · 08-07-2008, 07:52 PM

If i understood you correctly there is a problem with you method. There is a good chance that you will get information about all DHCP servers in the lan. So linclientA may have information about DHCPServer1 and linclientB may have info from DHCPServer2. But it's also possible that all the linux clients got their information from the same DHCP server. So even I check a few clients there is no guarantee that i have information about ALL the DHCP servers.

grepmasterd · 08-07-2008, 08:02 PM

True, it's not an active scan, it's just a good place to look if your intent is to just fix the current problem.

if you want to run scans on a routine basis, there are allegedly tools that will do this. Search google for 'rogue dhcp servers'.

Also, have you seen this?

http://lists.sans.org/pipermail/unis...il/020295.html