Featured image of post Monitoring with PowerShell: Monitoring Rogue DHCP Servers
Series: PowerShell Monitoring

Monitoring with PowerShell: Monitoring Rogue DHCP Servers

So recently we’ve had an issue with a co-managed client where a network projector suddenly started running a DHCP server on the network. Normally speaking this would get picked up by DHCP guarding options we set up on our unifi stack. In this case the DHCP guarding options did not work. So this was the result of the client not wanting to have their network managed by us.

The issue was solved and the client is letting us do all of the network management now, but this did turn into a thought exercise for me; how could I detect a rogue DHCP server using PowerShell, and alert on it?

The answer was not as simple as I expected; a lot of people tried to simulate DHCP discover requests and capture them, or use DHCPLOC. DHCPLOC is no longer supported and tends to break DHCP servers. After a couple hours of looking around I found this blog by CyberShadow. CyberShadow’s blog is from 2013, but he still updates the utility that you can find on his Github. Using his utility we can perform DHCP Discovers and find out if a different server is serving clients.

The Script

The script will download CyberShadow’s DHCP test client for you, run 3 discoveries and compare the results with the server you’ve given as “Allowed”.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

$AllowedDHCPServer = "192.168.15.1"

#Replace the Download URL to where you've uploaded the DHCPTest file yourself. We will only download this file once.
$DownloadURL = "https://cyberdrain.com/wp-content/uploads/2020/04/dhcptest-0.7-win64.exe"
$DownloadLocation = "$($Env:ProgramData)\DHCPTest"
try {
$TestDownloadLocation = Test-Path $DownloadLocation
    if (!$TestDownloadLocation) { new-item $DownloadLocation -ItemType Directory -force }
    $TestDownloadLocationZip = Test-Path "$DownloadLocation\DHCPTest.exe"
if (!$TestDownloadLocationZip) { Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile "$($DownloadLocation)\DHCPTest.exe" }
}
catch {
    write-host "The download and extraction of DHCPTest failed. Error: $($\_.Exception.Message)"
exit 1
}
$Tests = 0
$ListedDHCPServers = do {
& "$DownloadLocation\DHCPTest.exe" --quiet --query --print-only 54 --wait --timeout 3
    $Tests ++
} while ($Tests -lt 2)

$DHCPHealth = foreach ($ListedServer in $ListedDHCPServers) {
    if ($ListedServer -ne $AllowedDHCPServer) { "Rogue DHCP Server found. IP of rogue server is $ListedServer" }
}

if (!$DHCPHealth) { $DHCPHealth = "Healthy. No Rogue DHCP servers found." }

So that’s it! Monitoring rogue DHCP servers becomes easy this way. As always, Happy PowerShelling!

All blogs are posted under AGPL3.0 unless stated otherwise
comments powered by Disqus
© 2012 - 2023 CyberDrain - Kelvin Tegelaar
Built with Hugo
Theme Stack designed by Jimmy