Security Basics mailing list archives

Re: unknown IP delivering DHCP


From: Kurt Buff <kurt.buff () gmail com>
Date: Sun, 15 Apr 2012 21:30:27 -0700

On Fri, Apr 13, 2012 at 02:48, Dirty Mortain <dirtymortain () gmail com> wrote:
> Hello.
>
> In my LAN I'm using the network 192.0.0.0/24 with a DHCP (192.0.0.14)
> delivering for the entire LAN through 3 smart switches.
> machine is it (a smart and humanized machine) and block it?

That depends on your switches and how smart they are.

Can you set them up with a monitor/mirror/span port? Can you print the
MAC table on each one and tell which MAC addresses are associated with
each port?

If you can do both, then your task will be relatively easy - set up
one port on each switch to monitor all of the other ports on that
switch (except the port that connects it to the production network),
using Wireshark, and issue a DHCP request. Filter out answers from
your production DHCP server. When the rogue DHCP server answers,
you'll get its MAC address, and be able to find which port it's on by
examining the MAC address table for each switch.

If the above facilities aren't available on your switches, you can do
the following, which will be *very* tedious, and intrusive, and should
be done outside of business hours:

1) Disconnect one of your switches from the production network
2) Put one of your machines on that switch and do an address release and renew.
3a) If you don't get an answer, put that switch back on the network,
and go to your next switch.
3b) If it gets an address, the rogue DHCP server is on that switch.
3b1) Disconnect one port from that switch, and try step 2) again.
Repeat until you've found the port that, when disconnected, prevents
the rogue DHCP server from answering.

Kurt
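
Added example, not part of the original message: a Python sketch of the capture-and-filter step described above. It parses raw Ethernet frames for DHCP OFFER/ACK replies, drops those from the production server (192.0.0.14, from the thread), and looks up each remaining source MAC in per-switch MAC tables. The function names, the table layout (access ports only, uplinks excluded), and the sample MACs, ports and rogue address are assumptions constructed for illustration.

```python
import socket
import struct

AUTHORIZED = {"192.0.0.14"}      # production DHCP server named in the thread
MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)

def parse_dhcp_reply(frame):
    """Return (source MAC, server IP) for a DHCP OFFER/ACK frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                  # not IPv4/UDP
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:
        return None                                  # not sent from the server port
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != MAGIC:
        return None                                  # not a BOOTREPLY with DHCP options
    opts, i, found = bootp[240:], 0, {}
    while i < len(opts) and opts[i] != 255:          # 255 = end option
        if opts[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                    # truncated option
        found[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    if found.get(53) not in (b"\x02", b"\x05"):      # 2 = OFFER, 5 = ACK
        return None
    sid = found.get(54, b"")                         # option 54 = server identifier
    server = socket.inet_ntoa(sid if len(sid) == 4 else ip[12:16])
    return ":".join(f"{b:02x}" for b in frame[6:12]), server

def find_rogues(frames, mac_tables):
    """Map each unauthorized DHCP server MAC to (server IP, switch, port)."""
    rogues = {}
    for mac, server in filter(None, map(parse_dhcp_reply, frames)):
        if server not in AUTHORIZED:
            port = [(sw, t[mac]) for sw, t in mac_tables.items() if mac in t]
            rogues[mac] = (server, *(port[0] if port else (None, None)))
    return rogues

def make_offer(mac, ip):
    """Build a constructed DHCP OFFER frame (sample input, not captured traffic)."""
    opts = b"\x35\x01\x02\x36\x04" + socket.inet_aton(ip) + b"\xff"
    bootp = b"\x02\x01\x06\x00" + bytes(232) + MAGIC + opts
    udp = struct.pack("!4H", 67, 68, 8 + len(bootp), 0) + bootp
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(ip), b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + iph + udp
```

The server identifier in option 54 is whatever the sender chose to put there, so the source MAC and the switch port it maps to are the values to act on.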
