Detect rogue DHCP server

From Ever changing code
Latest revision as of 00:28, 13 August 2019

I could not connect to my Billion 7800GZ router, but I found the following entries in syslog:

Jul 25 09:51:18 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.126
Jul 25 09:51:19 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.111
Jul 25 09:52:51 192.168.1.254 DHCP SERVER: DHCPDISCOVER from 8c:70:5a:11:22:33 via br0
Jul 25 09:52:52 192.168.1.254 DHCP SERVER: DHCP offer to 8c:70:5a:11:22:33
Jul 25 09:52:52 192.168.1.254 DHCP SERVER: Exiting as another DHCP server is found
Jul 25 09:57:48 192.168.1.254 syslog: web: logout (timeout)
Jul 25 09:57:51 192.168.1.254 syslog: web: 192.168.1.250 login
Jul 25 10:18:53 192.168.1.254 home -- MARK --
Jul 25 11:18:53 192.168.1.254 home -- MARK --
Jul 25 11:48:17 192.168.1.254 syslog: web: logout (timeout)
Jul 25 11:48:19 192.168.1.254 syslog: web: 192.168.1.250 login

Then I rebooted the router to restart the DHCP server. It started working as it should. The router had been up for 9 days. Therefore I started looking for a way to detect a rogue DHCP server.
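As an added example, not code from the original page, here is a small Python parser for syslog lines in the format shown above. It runs over a constructed copy of those entries, counts DHCPDISCOVER and offer activity per client MAC, and flags the router's "Exiting as another DHCP server is found" message, which on this network is the first sign that a second DHCP server is answering. The line layout and the field names are assumptions based on the entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the Billion router's syslog lines above
# (addresses and MACs are placeholders, as on the page).
SAMPLE_SYSLOG = """\
Jul 25 09:51:18 192.168.1.254 DHCP SERVER: DHCPINFORM from 192.168.1.126
Jul 25 09:52:51 192.168.1.254 DHCP SERVER: DHCPDISCOVER from 8c:70:5a:11:22:33 via br0
Jul 25 09:52:52 192.168.1.254 DHCP SERVER: DHCP offer to 8c:70:5a:11:22:33
Jul 25 09:52:52 192.168.1.254 DHCP SERVER: Exiting as another DHCP server is found
Jul 25 09:57:48 192.168.1.254 syslog: web: logout (timeout)
Jul 25 10:18:53 192.168.1.254 home -- MARK --
"""

# "<month day time> <host> <tag>: <message>"; assumed layout, matches the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Text the router's DHCP daemon logs when it shuts itself down after seeing a competitor.
CONFLICT_MARK = "another DHCP server is found"


def parse_syslog(text):
    """Return (timestamp, host, tag, message) tuples; lines without a tag (e.g. MARK) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["host"], m["tag"].strip(), m["msg"]))
    return events


def analyse_dhcp_log(text):
    """Summarise DHCP server activity and flag the self-shutdown that points at a rogue server."""
    discovers = defaultdict(int)   # client MAC -> number of DHCPDISCOVERs seen
    offers = defaultdict(int)      # client MAC -> number of offers the router made
    conflicts = []                 # (timestamp, host) of every "another DHCP server" event
    for ts, host, tag, msg in parse_syslog(text):
        if tag != "DHCP SERVER":
            continue
        if msg.startswith("DHCPDISCOVER from "):
            discovers[msg.split()[2]] += 1
        elif msg.startswith("DHCP offer to "):
            offers[msg.split()[3]] += 1
        elif CONFLICT_MARK in msg:
            conflicts.append((ts, host))
    return {
        "discovers": dict(discovers),
        "offers": dict(offers),
        "conflicts": conflicts,
        "rogue_suspected": bool(conflicts),
    }


if __name__ == "__main__":
    print(analyse_dhcp_log(SAMPLE_SYSLOG))
```

Feeding the router's real syslog export to analyse_dhcp_log gives the same summary; a non-empty conflicts list is the event to alert on, and clients with a DISCOVER but no matching offer are the ones that were probably served by the other server.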

Step 1. Nmap scanning

  • Billion router scanned with nmap when DHCP was ON:
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:24 BST
Nmap scan report for home.gateway.home.gateway (192.168.1.254)
Host is up (0.00042s latency).
PORT   STATE         SERVICE
67/udp open|filtered dhcps
68/udp closed        dhcpc
MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
  • Then the DHCP server can possibly be disabled, once SSH'd to the router, with its BusyBox command (see the BusyBox section below):
> lan config --dhcpserver disable
  • The router has been rescanned:
$ sudo nmap -sU 192.168.1.254 -p 67-68
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST
Nmap scan report for home.gateway.home.gateway (192.168.1.254)
Host is up (0.00036s latency).
PORT   STATE         SERVICE
67/udp open|filtered dhcps
68/udp closed        dhcpc
MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
$ sudo nmap -sU 192.168.1.254 -p 67-68
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-25 12:25 BST
Nmap scan report for home.gateway.home.gateway (192.168.1.254)
Host is up (0.00040s latency).
PORT   STATE         SERVICE
67/udp open|filtered dhcps
68/udp closed        dhcpc
MAC Address: 00:04:ED:BB:CC:DD (Billion Electric Co.)

So, looking at the nmap report we cannot say for certain that the DHCP server has been disabled: nmap reports a UDP port as open|filtered when the probe gets no reply at all, which is what both a listening DHCP server and a silently dropped packet look like. Let's dig further.

  • Billion router busybox interface
> lan

Usage: lan config [--ipaddr <primary|secondary> <IP address> <subnet mask>]
                  [--dhcpserver <enable|disable>]
       lan delete --ipaddr <primary|secondary>
       lan show [<primary|secondary>]
       lan --help
> lan config --dhcpserver enable

Step 2. Wireshark

  • Install Wireshark:
sudo apt-get install wireshark
  • To be able to configure capturing on interfaces, run it as root. This is not recommended; an alternative way to run the application is described in its manual.
  • We are only interested in the DHCP traffic, so in the display filter type bootp.option.type == 53 and click Apply.
[Screenshot: Wireshark display filter bootp.option.type == 53]
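The display filter above matches on DHCP option 53, the message type. What follows is an added Python example, not code from the page or from Wireshark, that applies the same test to raw DHCP UDP payloads and goes one step further than the filter: it reads the server identifier (option 54) from every OFFER and ACK and reports any server other than the router at 192.168.1.254, which is the actual signature of a rogue server. The packets are constructed inline by build_offer so the example runs offline; the expected server address comes from the page, the BOOTP layout follows RFC 2131/2132, and everything else (function names, the sample MAC, the offered address) is an assumption.

```python
import struct
from ipaddress import IPv4Address

# Fixed 236-byte BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128); then the magic cookie.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
OPT_MESSAGE_TYPE = 53   # what the Wireshark filter bootp.option.type == 53 matches on
OPT_SERVER_ID = 54

# Known-good DHCP server: the Billion router from the page.
EXPECTED_SERVER = IPv4Address("192.168.1.254")


def parse_options(data):
    """Walk the option area (RFC 2132 TLVs) into {code: value}; PAD is skipped, END stops."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:          # PAD
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Return (message type name, server identifier or None, client MAC) for one DHCP payload."""
    if len(payload) < BOOTP_HEADER.size + 4:
        raise ValueError("too short for BOOTP")
    fields = BOOTP_HEADER.unpack_from(payload)
    hlen, chaddr = fields[2], fields[11]
    cookie = payload[BOOTP_HEADER.size:BOOTP_HEADER.size + 4]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not DHCP: magic cookie missing")   # plain BOOTP carries no options
    opts = parse_options(payload[BOOTP_HEADER.size + 4:])
    if OPT_MESSAGE_TYPE not in opts:
        raise ValueError("no option 53")   # exactly what the display filter would drop
    mtype = MSG_TYPES.get(opts[OPT_MESSAGE_TYPE][0], "UNKNOWN")
    server = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    mac = chaddr[:hlen].hex(":")
    return mtype, server, mac


def rogue_offers(payloads, expected=EXPECTED_SERVER):
    """(server, client MAC) for every OFFER/ACK whose server identifier is not the expected one."""
    hits = []
    for p in payloads:
        mtype, server, mac = parse_dhcp(p)
        if mtype in ("OFFER", "ACK") and server is not None and server != expected:
            hits.append((str(server), mac))
    return hits


def build_offer(server_ip, client_mac, yiaddr="192.168.1.100"):
    """Constructed test data: a minimal DHCPOFFER so the example runs without a capture."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    header = BOOTP_HEADER.pack(2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                               b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                               mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, 2])                       # option 53 = OFFER
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + b"\xff")                                            # END
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    legit = build_offer("192.168.1.254", "8c:70:5a:11:22:33")
    other = build_offer("192.168.1.99", "8c:70:5a:11:22:33")   # constructed second server
    print(rogue_offers([legit, other]))
```

On a live network the payloads come from a capture of "udp port 67 or udp port 68" (the capture filter that corresponds to the display filter above); anything rogue_offers returns is a server the router does not know about. Since Wireshark 3.0 the BOOTP dissector has been renamed, so on a current install the same display filter is written dhcp.option.type == 53 (the old bootp.* fields are still accepted).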

For more reference please visit the Wireshark Wiki: http://wiki.wireshark.org/DHCP