
How to find a Rogue DHCP Server using Linux

You need to scan for active DHCP servers from a Linux machine that has a statically assigned IP address. For example, you suspect there is a rogue DHCP server on your network.

Solution

The dhclient command, which normally configures an interface with a DHCP address, can also be run so that it only queries for DHCP servers and does not configure the interface.

  1. As root, run dhclient -d -nw <interface> where <interface> is the name of an active interface connected to the network you want to scan.
    # dhclient -d -nw eth0
    Internet Systems Consortium DHCP Client 4.2.5

    Copyright 2004-2013 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    Listening on LPF/eth0/aa:bb:cc:dd:ee:ff
    Sending on LPF/eth0/aa:bb:cc:dd:ee:ff
    Sending on Socket/fallback
    DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6 (xid=0x76367945)
    DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x76367945)
    DHCPOFFER from 192.168.1.1
    DHCPACK from 192.168.1.1 (xid=0x76367945)
    <snip>
  2. Review the output for lines starting with DHCPOFFER; each distinct IP address is an active DHCP server.
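
One way to automate step 2, shown as an added example that is not part of the original article: it extracts the distinct DHCPOFFER senders from saved dhclient output and reports any that are not on a list of authorized servers. The function names, the allow-list, and the sample log (including the second server 192.168.1.77) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find DHCP servers in dhclient output that are not authorized.
# Function names, sample log and allow-list are constructed for illustration.

# Read dhclient output on stdin and print each distinct DHCPOFFER sender.
# The address is taken as the word after "from", so leading indentation or
# extra words before "from" do not break the match.
dhcp_offer_servers() {
    awk '$1 == "DHCPOFFER" {
             for (i = 2; i < NF; i++)
                 if ($i == "from") { print $(i + 1); break }
         }' | sort -u
}

# Read dhclient output on stdin and print the offering servers that are
# missing from the space-separated allow-list given as $1.
rogue_dhcp_servers() {
    allowed=" $1 "
    dhcp_offer_servers | while read -r ip; do
        case "$allowed" in
            *" $ip "*) ;;                  # authorized server, ignore
            *) printf '%s\n' "$ip" ;;      # unexpected server, report
        esac
    done
}

# Constructed sample: two servers answer the same DHCPDISCOVER.
SAMPLE_LOG='DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6 (xid=0x76367945)
DHCPOFFER from 192.168.1.1
DHCPOFFER from 192.168.1.77
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x76367945)
DHCPACK from 192.168.1.1 (xid=0x76367945)
DHCPOFFER from 192.168.1.1'

# Assumed allow-list: the one DHCP server you actually operate.
AUTHORIZED="192.168.1.1"

rogue=$(printf '%s\n' "$SAMPLE_LOG" | rogue_dhcp_servers "$AUTHORIZED")
if [ -n "$rogue" ]; then
    echo "Unauthorized DHCP server(s) answered: $rogue"
else
    echo "Only authorized DHCP servers answered."
fi
```

On a live run, dhclient -d logs to standard error, so redirect it with 2>&1 before piping the output into these functions.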
