Identifying rogue DHCP servers on your LAN
You suspect that someone has installed an additional, unauthorized DHCP server on your LAN -- either unintentiously or maliciously. Thus you want to check for any active DHCP servers and identify their IP and MAC addresses.
Use Scapy to send a DHCP discover request and analyze the replies:
>>> conf.checkIPaddr = False >>> fam,hw = get_if_raw_hwaddr(conf.iface) >>> dhcp_discover = Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=hw)/DHCP(options=[("message-type","discover"),"end"]) >>> ans, unans = srp(dhcp_discover, multi=True) # Press CTRL-C after several seconds Begin emission: Finished to send 1 packets. .*...*.. Received 8 packets, got 2 answers, remaining 0 packets
In this case we got 2 replies, so there were two active DHCP servers on my test network:
>>> ans.summary() Ether / IP / UDP 0.0.0.0:bootpc > 255.255.255.255:bootps / BOOTP / DHCP ==> Ether / IP / UDP 192.168.1.1:bootps > 255.255.255.255:bootpc / BOOTP / DHCP Ether / IP / UDP 0.0.0.0:bootpc > 255.255.255.255:bootps / BOOTP / DHCP ==> Ether / IP / UDP 192.168.1.11:bootps > 255.255.255.255:bootpc / BOOTP / DHCP
We are only interested in the MAC and IP addresses of the replies:
>>> for p in ans: print p[Ether].src, p[IP].src ... 00:de:ad:be:ef:00 192.168.1.1 00:11:11:22:22:33 192.168.1.11
multi=True to make Scapy wait for more answer packets after the first response is received.
This is also the reason why we can't use the more convenient
dhcp_request() function and have to construct the DCHP packet manually:
srp1() for sending and receiving and thus would immediately return after the first answer packet.
Moreover, Scapy normally makes sure that replies come from the same IP address the stimulus was sent to. But our DHCP packet is sent to the IP broadcast address (255.255.255.255) and any answer packet will have the IP address of the replying DHCP server as its source IP address (e.g. 192.168.1.1). Because these IP addresses don't match, we have to disable Scapy's check with
conf.checkIPaddr = False before sending the stimulus.
First version of this recipe by Dirk Loss (2008-03-05), based on an idea by Uwe Weissenbacher.