🖧 Understanding DHCP Servers – & How to Track Down a Rogue One

Ronald Bartels

In most networks, devices like laptops and phones don’t come with pre-configured IP addresses. Instead, they ask the network to assign them one – and this is where the DHCP (Dynamic Host Configuration Protocol) server steps in. But what happens when there’s more than one DHCP server, and one of them isn’t supposed to be there? Enter: the rogue DHCP server.

Let’s break down what DHCP does, why rogue servers are dangerous, and how to hunt them down using just a Windows PC.


🧠 What Is a DHCP Server?

A DHCP server automatically assigns IP addresses, default gateways, DNS servers, and other networking details to client devices on a network. It ensures each device has a unique IP and doesn’t conflict with others.

  • A client (e.g., your laptop) sends a DHCPDISCOVER broadcast message.

  • Every DHCP server that hears the broadcast replies with a DHCPOFFER; the client normally takes the first one to arrive.

  • The client responds with a DHCPREQUEST to accept the offer.

  • The server finalises it with a DHCPACK.

This automatic dance allows users to connect easily without manual configuration.


🚨 What Is a Rogue DHCP Server?

A rogue DHCP server is an unauthorised device on the network that responds to DHCP requests. It can cause all sorts of mayhem:

  • Devices receive wrong IP addresses or gateway information.

  • Network traffic can be redirected or intercepted (man-in-the-middle attacks) when the rogue hands out its own address as the default gateway or DNS server.

  • Users may experience no Internet connectivity, slow speeds, or odd routing.

These rogue servers can be accidental (e.g., a misconfigured router or access point) or malicious (a deliberate attack to hijack traffic).


🕵️‍♂️ How to Detect Rogue DHCP Servers Using a Windows PC

You don’t need fancy tools to start your investigation — just a basic Windows machine.

✅ Step 1: View Your Current DHCP Server

Open Command Prompt and type:

ipconfig /all

Look for:

  • DHCP Server: This is the IP address of the server that gave you your IP.

  • Default Gateway: In a small network the router usually runs DHCP as well, so this is typically the same address as the DHCP server. In a larger network a separate DHCP server is normal, so compare both values against your network design rather than assuming.

⚠️ Red Flag: Unexpected IP?

If the DHCP server IP isn’t your actual router or known DHCP server (check your network design), that’s a red flag.

✅ Step 2: Use arp -a to Match IPs to MAC Addresses

Now we'll try to get the MAC address of the rogue device. The ARP cache only holds hosts your PC has recently exchanged frames with, so ping the suspect DHCP server IP first to make sure an entry exists, then list the cache:

ping <suspect DHCP server IP>
arp -a

Find the suspicious DHCP IP in the list. Next to it will be a MAC address. One caveat: ARP only resolves addresses on your own subnet. If the DHCP server IP is on another subnet (a server reached through a DHCP relay on your router), it will not appear here at all, and you will have to trace it from the relay side instead.

Example:

Interface: 192.168.1.100 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-22-01-23-45     dynamic
  192.168.1.50          00-25-9c-7e-3b-d1     dynamic

✅ Step 3: Identify the Vendor

Take the MAC address and look up the Organisationally Unique Identifier (OUI), which is the first three octets (the first six hex digits, e.g. 00-25-9c in the example above).

Use a public OUI lookup site.

This might tell you if it's a TP-Link, Mikrotik, Cisco, or perhaps a random USB dongle. Two caveats: the OUI identifies the maker of the network interface, not necessarily the device around it (a PC running a DHCP service on a Realtek NIC shows up as Realtek), and a locally administered or randomised MAC address has no vendor at all.

🔎 Knowing the vendor can help you locate the rogue device physically — especially in a server room or office environment.
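
The three steps above automated, as an added example that is not part of the original post. It parses the text that ipconfig /all and arp -a print, compares the DHCP server against an allowlist you supply, and resolves the OUI. The two command outputs embedded below are constructed to match the Windows layout, the OUI table holds a few illustrative entries only (verify against the IEEE registry), and the --live flag that runs the real commands is this example's own:

```python
"""Automate Steps 1-3 of the post: read the DHCP server from ``ipconfig /all``,
find its MAC in ``arp -a`` and look up the vendor prefix.

Added example, not code from the original post. The ipconfig/arp text below is
constructed to match the layout Windows prints; the OUI table holds a few
illustrative entries and is not a substitute for the IEEE registry."""
import re
import subprocess
import sys

IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.lan
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.50
   DNS Servers . . . . . . . . . . . : 192.168.1.50
"""

ARP_SAMPLE = """\
Interface: 192.168.1.100 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-22-01-23-45     dynamic
  192.168.1.50          00-25-9c-7e-3b-d1     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Illustrative OUI entries (first three octets -> vendor); verify against the IEEE list.
OUI_TABLE = {"00-14-22": "Dell Inc.", "00-25-9C": "Cisco-Linksys, LLC"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$")
ARP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+\w+")


def parse_ipconfig(text):
    """Return {adapter name: {field: first value}} from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current = m.group(1)
            adapters[current] = {}
        elif current and (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip().replace("(Preferred)", "")
            adapters[current].setdefault(key, value)   # keep the first of a multi-line list
    return adapters


def parse_arp(text):
    """Return {ip: MAC} from arp -a output, MACs upper-cased with dashes."""
    return {m.group(1): m.group(2).upper()
            for line in text.splitlines() if (m := ARP_RE.match(line))}


def vendor(mac):
    """OUI lookup; bit 1 of the first octet set marks a locally administered
    (often randomised) address, which has no vendor."""
    if int(mac[:2], 16) & 0x02:
        return "locally administered MAC (no vendor)"
    return OUI_TABLE.get(mac[:8], "unknown OUI: look it up in the IEEE registry")


def check_dhcp_servers(ipconfig_text, arp_text, authorised):
    """One finding per DHCP-enabled adapter; 'mac' is None when the server is
    not in the ARP cache yet (ping it first) or is off-link behind a relay."""
    arp = parse_arp(arp_text)
    findings = []
    for name, fields in parse_ipconfig(ipconfig_text).items():
        server = fields.get("DHCP Server")
        if not server:
            continue                                   # static address or no lease
        mac = arp.get(server)
        findings.append({"adapter": name, "dhcp_server": server,
                         "gateway": fields.get("Default Gateway"),
                         "authorised": server in authorised,
                         "mac": mac, "vendor": vendor(mac) if mac else None})
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:    # run the real commands on a Windows host
        ipc = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        arp = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        ipc, arp = IPCONFIG_SAMPLE, ARP_SAMPLE
    for f in check_dhcp_servers(ipc, arp, authorised={"192.168.1.1"}):
        flag = "OK" if f["authorised"] else "RED FLAG: unexpected DHCP server"
        print(f"{f['adapter']}: DHCP server {f['dhcp_server']} ({f['mac']}, {f['vendor']}) - {flag}")
```

Run it without arguments to see the constructed case (the lease came from 192.168.1.50, which is not the router, and the ARP cache ties that address to a Cisco-Linksys OUI), or with --live on the Windows PC you are investigating after pinging the suspect address so it is in the ARP cache.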


🛠️ Bonus | Using Wireshark to See DHCP Offers

If you want deeper insight, install Wireshark and apply this display filter:

udp.port == 67 or udp.port == 68

(That is display-filter syntax, applied to packets already captured; the equivalent capture filter is udp port 67 or udp port 68.) Then restart your Ethernet or Wi-Fi adapter, or run ipconfig /release followed by ipconfig /renew, to trigger a DHCP exchange. Look for:

  • Multiple DHCPOFFER packets from different IPs/MACs answering the same DHCPDISCOVER (match them on the Transaction ID).

  • The source MAC address of each offer, visible in the frame's Ethernet header. The server identifier inside the offer is whatever the sender chose to put there, so the frame's source MAC is the value to trace to a switch port.
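
The four-step exchange from the start of the post and the Wireshark check just described, in one added example that is not code from the original post. A client broadcasts DHCPDISCOVER, both a legitimate router and a second, unauthorised server answer with DHCPOFFER, the client REQUESTs one lease and gets its ACK, and a detector then picks out the OFFERs whose server identifier is not on an allowlist together with the MAC that sent them. Message layout follows RFC 2131; the LAN (addresses, MACs, and which box is the rogue) is constructed for the demo:

```python
"""DHCP at the packet level: the DISCOVER/OFFER/REQUEST/ACK exchange with a
second, unauthorised server answering, plus a detector that does what the
Wireshark filter above does by eye. Added example, not from the original post;
layout per RFC 2131, the LAN (addresses, MACs, which box is rogue) is constructed."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                 # cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # the 236-byte fixed header


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Serialise one DHCP message; options is a list of (code, value bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,  # htype=Ethernet, hlen=6, broadcast flag
                      ip4("0.0.0.0"), ip4(yiaddr), ip4("0.0.0.0"), ip4("0.0.0.0"),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"                  # 255 = end option


def parse(data):
    """Decode header fields and options; raises ValueError on malformed input."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, data[:236])
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                                 # pad option
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return {"op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "options": opts}


def server_reply(server_ip, client, lease_ip, gateway):
    """A server's half of the dance: OFFER to a DISCOVER, ACK to a REQUEST that names it."""
    lease = [(54, ip4(server_ip)), (1, ip4("255.255.255.0")), (3, ip4(gateway)),
             (6, ip4(gateway)), (51, struct.pack("!I", 86400))]
    kind = client["options"][53][0]
    if kind == DISCOVER:
        return build(BOOTREPLY, client["xid"], client["chaddr"], [(53, bytes([OFFER]))] + lease, lease_ip)
    if kind == REQUEST and client["options"].get(54) == ip4(server_ip):
        return build(BOOTREPLY, client["xid"], client["chaddr"], [(53, bytes([ACK]))] + lease, lease_ip)
    return None                                          # REQUEST named another server: stay quiet


# Constructed LAN: server IP -> (its MAC, gateway it hands out, address it offers).
SERVERS = {"192.168.1.1": ("00-14-22-01-23-45", "192.168.1.1", "192.168.1.100"),   # the real router
           "192.168.1.50": ("00-25-9c-7e-3b-d1", "192.168.1.50", "192.168.1.101")}  # rogue: gateway/DNS = itself
AUTHORISED = {"192.168.1.1"}


def run_exchange(client_mac="0a-1b-2c-3d-4e-5f", xid=0x1234ABCD):
    """Replay the four steps on the LAN above; returns (source MAC, raw bytes) frames a sniffer would see."""
    mac = bytes.fromhex(client_mac.replace("-", ""))
    wire = [(client_mac, build(BOOTREQUEST, xid, mac, [(53, bytes([DISCOVER]))]))]
    offers = []
    for ip, (smac, gw, lease_ip) in SERVERS.items():    # every server that hears the broadcast answers
        offer = server_reply(ip, parse(wire[0][1]), lease_ip, gw)
        wire.append((smac, offer))
        offers.append(parse(offer))
    chosen = offers[0]   # a real client takes the first OFFER to arrive; a fast rogue wins that race
    request = build(BOOTREQUEST, xid, mac, [(53, bytes([REQUEST])), (54, chosen["options"][54]),
                                            (50, ip4(chosen["yiaddr"]))])
    wire.append((client_mac, request))
    for ip, (smac, gw, lease_ip) in SERVERS.items():
        ack = server_reply(ip, parse(request), lease_ip, gw)
        if ack:
            wire.append((smac, ack))
    return wire


def rogue_offers(frames, authorised):
    """OFFERs whose server identifier (option 54) is not on the allowlist, with the source MAC
    that sent them. Option 54 is sender-controlled; the frame's source MAC is what you chase."""
    hits = []
    for src_mac, raw in frames:
        pkt = parse(raw)
        if pkt["op"] != BOOTREPLY or pkt["options"][53][0] != OFFER:
            continue
        server = str(ipaddress.IPv4Address(pkt["options"][54]))
        if server not in authorised:
            hits.append({"server": server, "mac": src_mac, "xid": pkt["xid"], "offered": pkt["yiaddr"],
                         "gateway": str(ipaddress.IPv4Address(pkt["options"][3]))})
    return hits


if __name__ == "__main__":
    for hit in rogue_offers(run_exchange(), AUTHORISED):
        print("ROGUE OFFER:", hit)
```

In the constructed run the client happens to take the router's offer, so the rogue only shows up as a stray DHCPOFFER carrying the same Transaction ID and a gateway of 192.168.1.50; on a real segment whichever server answers fastest wins the lease, which is why a single unexpected OFFER in a capture is worth chasing even when your own PC got the right address this time.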


🚫 How to Prevent Rogue DHCP Servers

  • Enable DHCP snooping (on managed switches).

  • Use VLANs to isolate devices.

  • Physically secure your LAN — don’t let users plug in random routers or APs.

  • Monitor your ARP table and audit regularly.


🧩 Real-World Example


💬 Wrap

DHCP is one of the unsung heroes of modern networking — but it’s also a point of vulnerability. The more you understand how it works, the faster you can identify and eliminate rogue players. With just a Windows PC and some detective work, you can take back control of your network.


Written by

Ronald Bartels

Driving SD-WAN Adoption in South Africa