Difference between revisions of "Detect rouge DHPC server"
Jump to navigation
Jump to search
(Created page with " *Billion router scanned with NMAP when DHCP was ON: Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:24 BST Nmap scan report for home.gateway.home.gateway (192.168.1...") |
|||
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
I could not get connected to my Billion 7800GZ router but I have found following entries in syslog: | |||
Jul 25 09:51:18 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.126 | |||
Jul 25 09:51:19 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.111 | |||
Jul 25 09:52:51 192.168.1.254 DHCP SERVER: DHCPDISCOVER from 8c:70:5a:11:22:33 via br0 | |||
Jul 25 09:52:52 192.168.1.254 DHCP SERVER: DHCP offer to 8c:70:5a:11:22:33 | |||
'''Jul 25 09:52:52 192.168.1.254 DHCP SERVER: Exiting as another DHCP server is found''' | |||
Jul 25 09:57:48 192.168.1.254 syslog: web: logout (timeout) | |||
Jul 25 09:57:51 192.168.1.254 syslog: web: 192.168.1.250 login | |||
Jul 25 10:18:53 192.168.1.254 home -- MARK -- | |||
Jul 25 11:18:53 192.168.1.254 home -- MARK -- | |||
Jul 25 11:48:17 192.168.1.254 syslog: web: logout (timeout) | |||
Jul 25 11:48:19 192.168.1.254 syslog: web: 192.168.1.250 login | |||
Then I have rebooted the router to restart dhpc server. It start working as it should. The router was up for 9 days. Therefore I have started looking for a way to detect rouge DHCP server. | |||
== Step 1. Nmap scanning == | |||
*Billion router scanned with NMAP when DHCP was ON: | *Billion router scanned with NMAP when DHCP was ON: | ||
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:24 BST | Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:24 BST | ||
Nmap scan report for home.gateway.home.gateway (192.168.1.254) | Nmap scan report for home.gateway.home.gateway (192.168.1.254) | ||
Host is up (0.00042s latency). | Host is up (0.00042s latency). | ||
PORT STATE SERVICE | PORT STATE SERVICE | ||
67/udp open|filtered dhcps | 67/udp open|filtered dhcps | ||
68/udp closed dhcpc | 68/udp closed dhcpc | ||
MAC Address: 00:04:ED: | MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.) | ||
*Then DHCP server disabled with command | *Then DHCP server possibly can be disabled with when ssh'd to the router with its busybox command (see below Busybox section) | ||
> lan config --dhcpserver disable | > lan config --dhcpserver disable | ||
*The router has been rescanned | *The router has been rescanned | ||
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds | Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds | ||
$ sudo nmap -sU 192.168.1.254 -p 67-68 | $ sudo nmap -sU 192.168.1.254 -p 67-68 | ||
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST | |||
Nmap scan report for home.gateway.home.gateway (192.168.1.254) | |||
Host is up (0.00036s latency). | |||
PORT STATE SERVICE | |||
67/udp open|filtered dhcps | |||
68/udp closed dhcpc | |||
MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.) | |||
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST | Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds | ||
Nmap scan report for home.gateway.home.gateway (192.168.1.254) | $ sudo nmap -sU 192.168.1.254 -p 67-68 | ||
Host is up (0. | Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST | ||
PORT STATE SERVICE | Nmap scan report for home.gateway.home.gateway (192.168.1.254) | ||
67/udp open|filtered dhcps | Host is up (0.00040s latency). | ||
68/udp closed dhcpc | PORT STATE SERVICE | ||
MAC Address: 00:04:ED: | 67/udp open|filtered dhcps | ||
68/udp closed dhcpc | |||
MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.) | |||
So, looking at nmap report we cannot definitely say that dhpc server has been disabled. Let's dig further. | |||
* Billion router busybox interface | * Billion router busybox interface | ||
| Line 48: | Line 64: | ||
lan --help | lan --help | ||
> lan config --dhcpserver enable | > lan config --dhcpserver enable | ||
== Step 2. Wireshark == | |||
*Install Wireshark | |||
sudo apt-get install wireshark | |||
*To be able to configure capturing on interfaces run as root. It is not recommended and alternative way to run the application is included in its manual. | |||
*We are only interested with the DHCP traffic, so on the display filter type: '''bootp.option.type == 53''' and click apply. | |||
[[File:Bootp.option.type53.png|none|600px|thumb|left|Bootp.option.type53]] | |||
For more reference please visit Wireshark Wiki http://wiki.wireshark.org/DHCP | |||
[[Category:Linux]][[Category:Nmap]] | |||
Latest revision as of 00:28, 13 August 2019
I could not get connected to my Billion 7800GZ router but I have found following entries in syslog:
Jul 25 09:51:18 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.126 Jul 25 09:51:19 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.111 Jul 25 09:52:51 192.168.1.254 DHCP SERVER: DHCPDISCOVER from 8c:70:5a:11:22:33 via br0 Jul 25 09:52:52 192.168.1.254 DHCP SERVER: DHCP offer to 8c:70:5a:11:22:33 Jul 25 09:52:52 192.168.1.254 DHCP SERVER: Exiting as another DHCP server is found Jul 25 09:57:48 192.168.1.254 syslog: web: logout (timeout) Jul 25 09:57:51 192.168.1.254 syslog: web: 192.168.1.250 login Jul 25 10:18:53 192.168.1.254 home -- MARK -- Jul 25 11:18:53 192.168.1.254 home -- MARK -- Jul 25 11:48:17 192.168.1.254 syslog: web: logout (timeout) Jul 25 11:48:19 192.168.1.254 syslog: web: 192.168.1.250 login
Then I have rebooted the router to restart dhpc server. It start working as it should. The router was up for 9 days. Therefore I have started looking for a way to detect rouge DHCP server.
Step 1. Nmap scanning
- Billion router scanned with NMAP when DHCP was ON:
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:24 BST Nmap scan report for home.gateway.home.gateway (192.168.1.254) Host is up (0.00042s latency). PORT STATE SERVICE 67/udp open|filtered dhcps 68/udp closed dhcpc MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)
- Then DHCP server possibly can be disabled with when ssh'd to the router with its busybox command (see below Busybox section)
> lan config --dhcpserver disable
- The router has been rescanned
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds $ sudo nmap -sU 192.168.1.254 -p 67-68 Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST Nmap scan report for home.gateway.home.gateway (192.168.1.254) Host is up (0.00036s latency). PORT STATE SERVICE 67/udp open|filtered dhcps 68/udp closed dhcpc MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds $ sudo nmap -sU 192.168.1.254 -p 67-68 Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST Nmap scan report for home.gateway.home.gateway (192.168.1.254) Host is up (0.00040s latency). PORT STATE SERVICE 67/udp open|filtered dhcps 68/udp closed dhcpc MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)
So, looking at nmap report we cannot definitely say that dhpc server has been disabled. Let's dig further.
- Billion router busybox interface
> lan
Usage: lan config [--ipaddr <primary|secondary> <IP address> <subnet mask>]
[--dhcpserver <enable|disable>]
lan delete --ipaddr <primary|secondary>
lan show [<primary|secondary>]
lan --help
> lan config --dhcpserver enable
Step 2. Wireshark
- Install Wireshark
sudo apt-get install wireshark
- To be able to configure capturing on interfaces run as root. It is not recommended and alternative way to run the application is included in its manual.
- We are only interested with the DHCP traffic, so on the display filter type: bootp.option.type == 53 and click apply.
For more reference please visit Wireshark Wiki http://wiki.wireshark.org/DHCP