So recently we’ve had an issue with a co-managed client where a network projector suddenly started running a DHCP server on the network. Normally speaking this would get picked up by DHCP guarding options we set up on our unifi stack. In this case the DHCP guarding options did not work. So this was the result of the client not wanting to have their network managed by us.
The issue was solved and the client is letting us do all of the network management now, but this did turn into a thought exercise for me; how could I detect a rogue DHCP server using PowerShell, and alert on it?
The answer was not as simple as I expected; a lot of people tried to simulate DHCP discover requests and capture them, or use DHCPLOC. DHCPLOC is no longer supported and tends to break DHCP servers. After a couple hours of looking around I found this blog by CyberShadow. CyberShadow’s blog is from 2013, but he still updates the utility that you can find on his Github. Using his utility we can perform DHCP Discovers and find out if a different server is serving clients.
The script will download CyberShadow’s DHCP test client for you, run 3 discoveries and compare the results with the server you’ve given as “Allowed”.
So that’s it! Monitoring rogue DHCP servers becomes easy this way. As always, Happy PowerShelling!