DarrenWhite99

Find Rogue DHCP Servers, No DHCP, etc.


This post is largely just being moved from another thread into its own topic, BUT I have updated the monitor so that it is much simpler to implement.

This is how I test for DHCP Servers: I use the DHCP Test Utility from https://blog.thecybershadow.net/2013/01/10/dhcp-test-client/ along with a VBScript I wrote to manage the EXE. (By default the tool will use a random MAC, and each query will consume another DHCP lease.) This tool is testing DHCP Client operations, so it should NOT be run on the DHCP server. It should be run from agents that are in a position to act like DHCP clients. (Even if they have a static IP, it's OK.)

To install:

  • Extract the ZIP files.
  • Put the dhcptest.exe and dhcptest-wrapper.vbs into your LTShare\Transfer\Monitors folder. You can pull your own copy of dhcptest.exe from https://github.com/CyberShadow/dhcptest if desired. I have not had any problems with only using the 32 bit binary on 64 bit OS versions, but YMMV.
  • Edit "EXE - DHCPEnvironmentCheck.sql" and replace the current agent id (1183) with a valid agent ID for the monitor. Save and then import in Control Center -> Tools -> Import -> SQL File.

This monitor runs every 15 minutes. The VBS script will be automatically transferred to the agent by Automate. When it runs, it will check for dhcptest.exe and automatically download it from your server. Once the tool is in place, the script will perform a DHCP query on each active network interface and return the number of offers and the DHCP Server IPs that responded. The Monitor Result should match ".*;DHCPServersActive=1;.*", which should be set to the number of valid DHCP Servers. I find this effective for the group monitor, and when I need to tailor it I can just check "Override Settings" and change the result expected to match the environment. You could easily add the IP of the DHCP server as part of the match condition, so that not only must the number of servers be correct, but the server IP must match. (Probably not important.)

So a result with DHCPServersActive=0 is telling you that you failed to get any offers. This is clearly bad (unless there should be NO DHCP servers). Active=1 means you got an offer (typical state). Active=2 is saying that you got more than 1 offer. This is clearly bad if only 1 server is authorized.

There are some DHCP error conditions that will not be caught. All responses are specific to this agent; what you see may not match other agents because of:

1. DHCP Server Out of Leases - If it has an offer for you, it will treat it like a lease even if you don't respond. Additional queries will continue to return the IP the server has reserved for you, but the server would ignore other requests if there are no leases available.

2. DHCP Request Filtering errors - If the switch is configured for DHCP Snooping and is blocking other devices, again, success for you only gives confirmation that YOU can get a lease offer.

3. Malfunctioning DHCP Clusters - An issue I have seen that is a blend of #1 and #2. If there are two DHCP Servers in a cluster, your initial request MIGHT prompt a response from both, but once they reconcile and decide which server should respond to you, the other server will ignore you, so you won't see two responses. But even if YOU are getting an offer from an operating server, the other DHCP cluster host may be broken and ignoring other client requests.

So this has limited utility for testing that your DHCP server is working. But it is perfect for testing if unauthorized DHCP servers are running, or if your DHCP server is failing to offer any leases (even if the service is running, etc.)


DHCPMonitorCheck.zip

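An added example, not Darren's wrapper or the dhcptest code, of the same probe in Python: it builds a DHCPDISCOVER, parses the offers, reports the distinct server identifiers (option 54) in a DHCPServersActive field and applies the post's match condition. The Replies and Servers field names and the make_offer() sample packets are constructed here for offline testing; probe() needs rights to bind UDP/68 and, as the post says, must not run on the DHCP server itself.

```python
import random, re, socket, struct

MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 option magic cookie
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"   # BOOTP fixed header, 236 bytes

def build_discover(xid, mac):
    """DHCPDISCOVER with the broadcast flag set. A random chaddr, as dhcptest uses by
    default, makes the server hold a lease for every probe (see the post)."""
    hdr = struct.pack(FIXED, 1, 1, 6, 0, xid, 0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    # options: 53=DISCOVER, 55=request server id (54) and subnet mask (1), 255=END
    return hdr + MAGIC + b"\x35\x01\x01\x37\x02\x36\x01\xff"

def make_offer(xid, yiaddr, server_ip):   # constructed DHCPOFFER for offline tests only
    hdr = struct.pack(FIXED, 2, 1, 6, 0, xid, 0, 0, b"", socket.inet_aton(yiaddr), b"", b"", b"", b"", b"")
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + socket.inet_aton(server_ip) + b"\xff"

def parse_offer(pkt):
    """Return (xid, offered_ip, server_id) for a DHCPOFFER, else None."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:          # walk TLV options until END
        if pkt[i] == 0:                              # PAD is a single byte, no length
            i += 1
            continue
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    if opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None
    return struct.unpack("!I", pkt[4:8])[0], socket.inet_ntoa(pkt[16:20]), socket.inet_ntoa(opts[54])

def summarize(xid, replies):           # distinct server ids (option 54) that answered our xid
    servers = sorted({o[2] for o in map(parse_offer, replies) if o and o[0] == xid})
    return f"Replies={len(replies)};DHCPServersActive={len(servers)};Servers={','.join(servers)};"

def result_ok(result, authorized=1):   # the post's match condition, N = authorized servers
    return re.fullmatch(rf".*;DHCPServersActive={authorized};.*", result) is not None

def probe(local_ip, timeout=3.0):      # send from the interface owning local_ip; needs UDP/68
    xid, mac = random.getrandbits(32), bytes([2] + [random.randrange(256) for _ in range(5)])
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((local_ip, 68)); s.settimeout(timeout)
        s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
        try:
            while True:                              # collect every reply until timeout
                replies.append(s.recvfrom(1500)[0])
        except socket.timeout:
            pass
    return summarize(xid, replies)
```

Because the match condition requires the trailing semicolon, a result of DHCPServersActive=12 does not satisfy the =1 check, which is why the field order in the result string matters.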

@DarrenWhite99 - Quick note to update the .vbs file. I didn't roll through it line-by-line, but WinMerge pointed out a dozen or so lines that differed, mostly in the code that seems to download the binary if it's missing.

On 12/7/2017 at 8:20 PM, DarrenWhite99 said: (quoting the full first post above)

Would you please share some tips on how to monitor the remaining IP addresses in the DHCP scope that can be leased, and receive alerts when it is about 10?

4 hours ago, Dayrak said: (quoting the question above)

That would need to be a remote monitor ON the DHCP server. I believe the lease statistics are exposed as performance counters that can be monitored like any others. This monitor is specifically to test what servers respond to a DHCP request and can be performed from any agent in a subnet. But you only learn what servers responded, not how many leases are in use/available/etc. 

