Comments on: Problems Detecting Rogue DHCP Servers on Linux, not on Windows http://www.bartbusschots.ie/blog/?p=352 An Irish Voice in the Blogsphere Thu, 02 Sep 2010 09:53:46 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: reloc4 http://www.bartbusschots.ie/blog/?p=352&cpage=1#comment-46783 reloc4 Sat, 27 Mar 2010 19:26:50 +0000 http://www.bartbusschots.ie/blog/?p=352#comment-46783 After seaching the web for Days I found nothing satisfying. But now I hav got a easy solution: dhcping -s 255.255.255.255 -r -v After seaching the web for Days I found nothing satisfying. But now I hav got a easy solution:

dhcping -s 255.255.255.255 -r -v

]]> By: L Petrey http://www.bartbusschots.ie/blog/?p=352&cpage=1#comment-44346 L Petrey Tue, 09 Dec 2008 21:27:31 +0000 http://www.bartbusschots.ie/blog/?p=352#comment-44346 I recently experienced a rogue dhcp problem started by a virus. The problem I think I would have with DHCPLOC.EXE is that it identifies good or bad servers based on IP number. This malware spoofed the IP number of our valid DHCP server. I was hoping there would be a tool (Windows) that would identify a valid server using the mac address of the dhcp helper in each segment. I recently experienced a rogue dhcp problem started by a virus. The problem I think I would have with DHCPLOC.EXE is that it identifies good or bad servers based on IP number. This malware spoofed the IP number of our valid DHCP server. I was hoping there would be a tool (Windows) that would identify a valid server using the mac address of the dhcp helper in each segment.

]]> By: Gonzalo Balladares R. http://www.bartbusschots.ie/blog/?p=352&cpage=1#comment-44028 Gonzalo Balladares R. Wed, 24 Sep 2008 15:13:55 +0000 http://www.bartbusschots.ie/blog/?p=352#comment-44028 Hi. reading this:http://www.windowsecurity.com/articles/DHCP-Security-Part2.html i've found DHCP Probe http://www.net.princeton.edu/software/dhcp_probe/ Regards. Hi.
reading this:http://www.windowsecurity.com/articles/DHCP-Security-Part2.html

i’ve found DHCP Probe
http://www.net.princeton.edu/software/dhcp_probe/

Regards.

]]> By: Bart B http://www.bartbusschots.ie/blog/?p=352&cpage=1#comment-6996 Bart B Thu, 21 Dec 2006 20:09:34 +0000 http://www.bartbusschots.ie/blog/?p=352#comment-6996 Thanks for that Phil. I gave your suggestion a go and it would definitely work except that it is returns quite a few false-positives. However, it gave me the inspiration to try again and I finally found a Perl script that actually works and then spent the afternoon molding it into a Nagios plugin that I just got working a few minutes ago. I'll do up a blog post about it tomorrow with the code for my nagios plugin since it's a hacked version of a GPL script. Thanks for that Phil. I gave your suggestion a go and it would definitely work except that it is returns quite a few false-positives. However, it gave me the inspiration to try again and I finally found a Perl script that actually works and then spent the afternoon molding it into a Nagios plugin that I just got working a few minutes ago. I’ll do up a blog post about it tomorrow with the code for my nagios plugin since it’s a hacked version of a GPL script.

]]> By: phil http://www.bartbusschots.ie/blog/?p=352&cpage=1#comment-6978 phil Thu, 21 Dec 2006 10:58:55 +0000 http://www.bartbusschots.ie/blog/?p=352#comment-6978 Good post bart, nice to see that windows has some decent commands relating to standard internet protocols. In the longer term, you could have a permanent method of spotting rogue dhcp servers. I found a rule for snort: # # DHCP Servers # alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "possible rogue DHCP Server"; sid:1000001;) I know you use nagios, I dunno if theres a plugin for that yet. Good post bart, nice to see that windows has some decent commands relating to standard internet protocols. In the longer term, you could have a permanent method of spotting rogue dhcp servers. I found a rule for snort:

#
# DHCP Servers
#
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: “possible rogue DHCP Server”; sid:1000001;)

I know you use nagios, I dunno if theres a plugin for that yet.

]]>