Windows Rogue DHCP Monitor

I wanted to monitor the networks of a couple dozen clients for rogue DHCP servers. I couldn’t find a suitable application for my needs, so I made one here. It is designed to be deployed to Windows Servers configured as DHCP servers.

It was only after I made the application and bragged about it on IRC that I was told that Windows already has rogue DHCP server detection, lol. Oh well. I’ll keep this up since it’s pretty neat to me.

How it works is pretty simple. For each IPv4 interface of a Windows computer, it sends a DHCP packet (the contents of which were just copied from Wireshark and put into a broadcast.bin file) and listens for DHCP responses. It then compares the system’s IP addresses to the DHCP servers it saw. If any of the seen DHCP servers aren’t on the local system, it returns those IP addresses.
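The comparison step described above, as an added Python sketch that is not the tool's own code. It assumes replies have already been captured as (source IP, UDP payload) pairs; the function names are hypothetical and the sample packets are constructed in place of a live capture.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

def parse_options(payload):
    """Return {code: value} for a DHCP server reply, or None if malformed."""
    # 236-byte fixed BOOTP header (op 2 = BOOTREPLY), cookie, then TLV options.
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # option code with no length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option runs past the end of the packet
        opts[code] = value
        i += 2 + length
    return opts

def rogue_servers(replies, local_addrs):
    """Return sorted DHCP server IPs seen in replies that are not local."""
    local = {ipaddress.IPv4Address(a) for a in local_addrs}
    seen = set()
    for src, payload in replies:
        opts = parse_options(payload)
        # Only DHCPOFFER (2) and DHCPACK (5) identify an answering server.
        if opts is None or opts.get(OPT_MSG_TYPE) not in (b"\x02", b"\x05"):
            continue
        sid = opts.get(OPT_SERVER_ID)
        # Prefer option 54 (server identifier); fall back to the source IP.
        seen.add(ipaddress.IPv4Address(sid if sid and len(sid) == 4 else src))
    return [str(s) for s in sorted(seen - local)]

def build_offer(server_ip, xid=0x1234):
    """Constructed sample DHCPOFFER carrying only options 53 and 54."""
    hdr = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228)
    sid = ipaddress.IPv4Address(server_ip).packed
    return hdr + MAGIC_COOKIE + bytes([53, 1, 2, 54, 4]) + sid + bytes([OPT_END])
```

Using option 54 rather than only the packet's source address matters when a relay forwards the reply, since the source IP is then the relay and not the server.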

It was released with the MIT license, so feel free to use it at work or whatever else.

Example usage in an administrative command prompt:

C:\Path\To\Executable\windows_rogue_dhcp.exe

It’s that simple at the moment. Be sure to run it in the same folder as the broadcast.bin file. Eventually there may be more features, but not yet.

Below is a compiled 64-bit executable, which isn’t guaranteed to be up-to-date. Please note that it must be run in the same folder as the broadcast.bin file.