So recently we’ve had an issue with a co-managed client where a network projector suddenly started running a DHCP server on the network. Normally speaking this would get picked up by DHCP guarding options we set up on our unifi stack. In this case the DHCP guarding options did not work. So this was the result of the client not wanting to have their network managed by us.
The issue was solved and the client is letting us do all of the network management now, but this did turn into a thought exercise for me; how could I detect a rogue DHCP server using PowerShell, and alert on it?
The answer was not as simple as I expected; a lot of people tried to simulate DHCP discover requests and capture them, or use DHCPLOC. DHCPLOC is no longer supported and tends to break DHCP servers. After a couple hours of looking around I found this blog by CyberShadow. CyberShadow’s blog is from 2013, but he still updates the utility that you can find on his Github. Using his utility we can perform DHCP Discovers and find out if a different server is serving clients.
The Script
The script will download CyberShadow’s DHCP test client for you, run 3 discoveries and compare the results with the server you’ve given as “Allowed”.
$AllowedDHCPServer = "192.168.15.1"
#Replace the Download URL to where you've uploaded the DHCPTest file yourself. We will only download this file once.
$DownloadURL = "https://cyberdrain.com/wp-content/uploads/2020/04/dhcptest-0.7-win64.exe"
$DownloadLocation = "$($Env:ProgramData)\DHCPTest"
try {
$TestDownloadLocation = Test-Path $DownloadLocation
if (!$TestDownloadLocation) { new-item $DownloadLocation -ItemType Directory -force }
$TestDownloadLocationZip = Test-Path "$DownloadLocation\DHCPTest.exe"
if (!$TestDownloadLocationZip) { Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile "$($DownloadLocation)\DHCPTest.exe" }
}
catch {
write-host "The download and extraction of DHCPTest failed. Error: $($_.Exception.Message)"
exit 1
}
$Tests = 0
$ListedDHCPServers = do {
& "$DownloadLocation\DHCPTest.exe" --quiet --query --print-only 54 --wait --timeout 3
$Tests ++
} while ($Tests -lt 2)
$DHCPHealth = foreach ($ListedServer in $ListedDHCPServers) {
if ($ListedServer -ne $AllowedDHCPServer) { "Rogue DHCP Server found. IP of rogue server is $ListedServer" }
}
if (!$DHCPHealth) { $DHCPHealth = "Healthy. No Rogue DHCP servers found." }
So that’s it! Monitoring rogue DHCP servers becomes easy this way. As always, Happy PowerShelling!
We have 6 DHCP servers. How do I define all 6 servers as “$AllowedDHCPServer”?
I tried putting commas between each IP but it did not work.
Thank you,
That is actually a pretty good question – The script only checks for a single one. I’ve made an edit for you, for multiple DHCP servers:
$AllowedDHCPServers = @("192.168.15.1","192.168.15.2","192.168.15.3") #Replace the Download URL to where you've uploaded the DHCPTest file yourself. We will only download this file once. $DownloadURL = "https://cyberdrain.com/wp-content/uploads/2020/04/dhcptest-0.7-win64.exe" $DownloadLocation = "$($Env:ProgramData)\DHCPTest" try { $TestDownloadLocation = Test-Path $DownloadLocation if (!$TestDownloadLocation) { new-item $DownloadLocation -ItemType Directory -force } $TestDownloadLocationZip = Test-Path "$DownloadLocation\DHCPTest.exe" if (!$TestDownloadLocationZip) { Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile "$($DownloadLocation)\DHCPTest.exe" } } catch { write-host "The download and extraction of DHCPTest failed. Error: $($_.Exception.Message)" exit 1 } $Tests = 0 $ListedDHCPServers = do { & "$DownloadLocation\DHCPTest.exe" --quiet --query --print-only 54 --wait --timeout 3 $Tests ++ } while ($Tests -lt 2) $DHCPHealth = foreach ($ListedServer in $ListedDHCPServers) { if ($ListedServer -notin $AllowedDHCPServer) { "Rogue DHCP Server found. IP of rogue server is $ListedServer" } } if (!$DHCPHealth) { $DHCPHealth = "Healthy. No Rogue DHCP servers found." }Thanks so much for all these great scripts. Do you happen to know if there is a way to use the Autotask AEM to input a variable into the $AllowedDHCPServers field so that it automatically has the correct one per client and location? I’m trying to figure out how to deploy this script en masse across dozens of client sites and running the script from “DattoRMM” as they call it now.
This script is published in the Comstore as “Rogue DHCP Monitor [win]” 🙂
Hey Johnathan,
Site Variables are probably the easiest way if you want to use a high-level place to specify the value. The component is setup with the variable to be set on the component instance itself.
If you were to instead tweak the component to not set $AllowedDHCPServer from $env (which is a component variable) and remove the component input variable, you can instead define a site variable called the same thing “AllowedDHCPServer” you’ll be able to run it generically and the variable will be set at runtime. Oh and you’d need to add a conditional check – if its not set, don’t continue.
Note also the component only expects a single server IP, as variables values are strings
If you wanted an example, check out the GravityZone deployment component which uses site variables.