# 🖧 Understanding DHCP Servers – & How to Track Down a Rogue One

In most networks, devices like laptops and phones don’t come with pre-configured IP addresses. Instead, they ask the network to assign them one – and this is where the **DHCP (Dynamic Host Configuration Protocol) server** steps in. But what happens when there’s more than one DHCP server, and one of them isn’t supposed to be there? Enter: the **rogue DHCP server**.

Let’s break down what DHCP does, why rogue servers are dangerous, and how to hunt them down using just a Windows PC.

---

### **🧠 What Is a DHCP Server?**

A **DHCP server** automatically assigns IP addresses, default gateways, DNS servers, and other networking details to client devices on a network. It ensures each device has a unique IP and doesn’t conflict with others.

* A client (e.g., your laptop) sends a **DHCPDISCOVER** broadcast message.
    
* The DHCP server replies with a **DHCPOFFER**.
    
* The client responds with a **DHCPREQUEST** to accept the offer.
    
* The server finalises it with a **DHCPACK**.
    

This automatic dance allows users to connect easily without manual configuration.

---

### **🚨 What Is a Rogue DHCP Server?**

A **rogue DHCP server** is an **unauthorised device** on the network that responds to DHCP requests. It can cause all sorts of mayhem:

* Devices receive **wrong IP addresses** or gateway information.
    
* Network traffic can be **redirected or intercepted** (man-in-the-middle attacks).
    
* Users may experience **no Internet connectivity**, slow speeds, or odd routing.
    

These rogue servers can be accidental (e.g., a misconfigured router or access point) or malicious (a deliberate attack to hijack traffic).

---

### **🕵️‍♂️ How to Detect Rogue DHCP Servers Using a Windows PC**

You don’t need fancy tools to start your investigation — just a basic Windows machine.

#### ✅ Step 1: View Your Current DHCP Server

Open **Command Prompt** and type:

```plaintext
config /all
```

Look for:

* **DHCP Server**: This is the IP address of the server that gave you your IP.
    
* **Default Gateway**: Should typically be the same as the DHCP server in small networks.
    

#### ⚠️ Red Flag: Unexpected IP?

If the DHCP server IP isn’t your actual router or known DHCP server (check your network design), that’s a red flag.

#### ✅ Step 2: Use `arp -a` to Match IPs to MAC Addresses

Now we’ll try to get the **MAC address** of the rogue device.

```plaintext
arp -a
```

Find the suspicious DHCP IP in the list. Next to it will be a **MAC address**.

Example:

```plaintext
Interface: 192.168.1.100 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-22-01-23-45     dynamic
  192.168.1.50          00-25-9c-7e-3b-d1     dynamic
```

#### ✅ Step 3: Identify the Vendor

Take the MAC address and look up the **Organisationally Unique Identifier (OUI)** — the first 6 characters.

Use a public lookup site like:

* [https://macvendors.com/](https://macvendors.com/)
    
* https://www.wireshark.org/tools/oui-lookup.html
    

This might tell you if it’s a **TP-Link**, **Mikrotik**, **Cisco**, or perhaps **a random USB dongle**.

> 🔎 *Knowing the vendor can help you locate the rogue device physically — especially in a server room or office environment.*

---

### **🛠️ Bonus | Using Wireshark to See DHCP Offers**

If you want deeper insight, install **Wireshark** and apply this capture filter:

```plaintext
udp.port == 67 or udp.port == 68
```

Then restart your Ethernet or Wi-Fi adapter to trigger a DHCP exchange. Look for:

* **Multiple DHCPOFFER** packets from different IPs/MACs.
    
* You’ll clearly see the **source MAC address** of each offer.
    

---

### **🚫 How to Prevent Rogue DHCP Servers**

* **Enable DHCP snooping** (on managed switches).
    
* **Use VLANs** to isolate devices.
    
* **Physically secure** your LAN — don’t let users plug in random routers or APs.
    
* **Monitor your ARP table** and audit regularly.
    

---

### **🧩 Real-World Example**

### A user plugs in a home router into the office LAN thinking it’s just “extending Wi-Fi.” Boom — it starts handing out 192.168.0.x addresses while your core network uses 10.0.0.x. Now, half the devices can't reach the Internet. With just `ipconfig`, `arp -a`, and a MAC lookup, you can trace it back to the culprit: a TP-Link router in meeting room B.

---

### **💬 Wrap**

DHCP is one of the unsung heroes of modern networking — but it’s also a point of vulnerability. The more you understand how it works, the faster you can identify and eliminate rogue players. With just a Windows PC and some detective work, you can take back control of your network.

%[https://bsky.app/profile/mastelek.bsky.social/post/3lqugkprmms22]
