rouge dhcp server

there's a rouge dhcp server running on our network and we need to disable it as it blocks our internal network from functioning properly, any suggestions on how i can find out who is running it, or at least find the external ip it has set
 
Hmmm if you have managed switches do a tracert and see which switches it goes to? You can at least narrow it down to one switch?

**edit**

Or an even better idea go to one of the machines that has been affected by this dhcp server get the ip address of the dhcp server and try and remote desktop to it and shut it down or at least find the name out of it? Or am I way off?
 
If you don't have that much wireless try installing netstumbler on a laptop and hunting for access points that shouldn't be there. It's probably some cretin who doesn't know the difference between a router and an access point.
 
it's on a netgear firewall/managed switch, considering the amount of customers we had finding one is not easy, i don't even get a model number of the switch
 
How many machines you got on this network? Tracert/managed switches will find the culprit.
 
if we're able to somehow track the ip/mac address we would be able to find out what's broadcasting it but i'm not sure how to do that
 
find a machine which has got a dhcp address via this router, then use your switches to track down the router to a port/device it is connected to, then disable the actual port on the switch.

if it's wireless then again you should be able to work out the router's ip addy from a wireless device that connects to it and take it from there.
 
Some simple make up remover should work for your rouge problem.

( sorry i play a rogue in warcraft and come out in a nervous twitch whenever someone yells for a "rouge" to open a lockbox. ) :cool:
 
find affected machine...

'ipconfig /all' tells you the ip address of the dhcp server...

go to a machine on the same subnet as the ip address, ping it, then 'arp -a' shows you the mac address of it...

get onto your switch, display the arp cache (rtfm) and trace the mac address to the port it is connected to. if it is on an uplink port then follow it along displaying the arp cache of the switches you pass through as you go. once you find it, disable the port...

then, trace the cable from the switch port to the patch panel...

find the other end at the wall socket, then kick the crap out of the person who installed it...

edit: someone mentioned wifi - if you have some wifi then a) blacklist the mac address on the ap/controller and then b) revise your wifi security quick smart!
 

This man talks sense!
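The first two steps of the procedure above (read the DHCP server address, then get its MAC) can also be done passively from captured DHCP replies. This is an added example, not code from any poster in the thread: the function names, the allowlist and the sample addresses are assumptions, and each frame is taken to be a (source MAC from the Ethernet header, UDP payload) pair pulled from a packet capture.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 values that only a server sends

def parse_reply(payload):
    """Return {option_code: bytes} for a DHCP server reply, or None if it is not one."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None           # truncated, not a BOOTREPLY, or plain BOOTP
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None       # option header or value runs past the packet
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def find_rogues(frames, authorized):
    """frames: (source MAC, UDP payload) pairs. Returns sorted (mac, server_ip, gateway)."""
    rogues = set()
    for mac, payload in frames:
        opts = parse_reply(payload)
        if not opts or (opts.get(53) or b"\0")[0] not in (OFFER, ACK):
            continue          # not a DHCP OFFER/ACK
        if len(opts.get(54, b"")) != 4:
            continue          # no usable server identifier (option 54)
        server = str(ipaddress.IPv4Address(opts[54]))
        router = opts.get(3, b"")[:4]                # option 3 = gateway handed to clients
        gateway = str(ipaddress.IPv4Address(router)) if len(router) == 4 else "unknown"
        if server not in authorized:
            rogues.add((mac.lower(), server, gateway))
    return sorted(rogues)

def build_reply(msg_type, server, router):
    """Constructed sample data: minimal DHCP reply carrying options 53, 54 and 3."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (b"\x02\x01\x06\x00" + bytes(232) + MAGIC + bytes([53, 1, msg_type])
            + b"\x36\x04" + ip(server) + b"\x03\x04" + ip(router) + b"\xff")

SAMPLE = [  # constructed capture: the real server plus an unexpected home router
    ("00:00:5E:00:53:01", build_reply(OFFER, "10.0.0.1", "10.0.0.1")),
    ("00:00:5E:00:53:99", build_reply(OFFER, "192.168.0.1", "192.168.0.1")),
    ("00:00:5E:00:53:99", build_reply(ACK, "192.168.0.1", "192.168.0.1")),
]
print(find_rogues(SAMPLE, {"10.0.0.1"}))
```

The MAC it reports is the value to look up on the switches to find the port, as described in the steps above.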
 