Categories: Windows 11 & Windows 10Windows Server

SOLVED: 5 Ways To Find a Rogue DHCP Server

There are two common scenarios in which IT administrators find themselves trying to find “unknown” DHCP server on their network:

A – Your Network Has Been Hacked

Aa hacker may install a DHCP server on your network to allow them to specify their own DNS server.  DNS (Domain Name Service) is a phone book for the internet; people use names but computers only use numbers, so if you control DNS, you can redirect users to any site you want.  For example, a ‘real’ DNS server will associate URTech.ca to 74.124.219.234 but what if the DNS tells your computer URTech.ca is actually at 104.215.148.63, you be sent to Microsoft.com.

B  – You Accidentally Have Authorized DHCP Servers On Your Network

You might think this is impossible but it is not.  It is quite easy to setup DHCP on your firewall, switches, Linux servers and Windows Servers.  That is a very bad thing and will cause you no end of grief.

How To Find DHCP Servers On Your Network?

1 – Free Program To Find DHCP Servers

There are a few free tools to locate DHCP servers on your network, including:

  1. download NetworkSecurity’s DHCP Explorer directly from us HERE or from them HERE
    .
  2. download Microsoft Subnet Based Rogue DHCP Server Detection Tool directly from us HERE or from TechyTelic HERE
    .
  3. download RoadKil.net’s DHCP FIND directly from us HERE or from them HERE.
2 – Boot Up a Windows PC

Next to using one of the free utlities above, the easiest way to find DHCP server on your network is:

  1. temporarily disable the DHCP service on the DHCP server you know about
    • this should not cause problems on your network as long as it is only disabled for a few minutes/hours
  2. power up (or reboot) a PC that is configured to receive DHCP
  3. Open a CMD prompt, PowerShell or Windows Terminal
  4. Type ipconfig /allpress the ENTER key:

If you find DHCP ENABLED (as it is on 99% of computers) and you see something other than AUTOCONFIGURATION IPV4 ADDRESS you should then find the DHCP Server IP.

If you see something like this screen shot, your computer was unable to locate a DHCP server on your network.
In case you are wondering Microsoft brought out Automatic Private IP Addressing (APIPA) with Windows Vista because Windows now requires an IP address to function.  Prior to Vista & APIPA, Windows computers would wait 180 seconds trying to find a DHCP server before they failed.  Now Windows machines give up on DHCP and assign themselves an address after just 6 seconds which show up in IPCONFIG as an Autoconfiguration IPv4 Address.

3 – Windows Authorized DHCP Servers

If you are only worried about Windows based DHCP servers you can easily determine what servers are authorized to provide DHCP by opening a PowerShell and typing Get-DhcpServerInDC

4 – Use a Packet Sniffer to Find DHCP Server

During boot a computer broadcasts packets on the network asking for DHCP server information.  If that computer receives a response, it will then ask for an address from the DHCP server.

Free utilities like Wireshark, WinDump and many others will easily collect all of the packets floating through your network and allow you to search for the DHCP server responses which use UDP on port 67.

5 – Paid Software to Find DHCP Server

There are many many professional tools from reliable name brands like Solar Winds to help you find authorized and unauthorized rogue DHCP servers on the network.

 

 

Leave a Comment
Published by
Ian Matthews
3 years ago

This website uses cookies.