detect rogue DHCP server

Chris Henderson

I want to write a program to detect rogue DHCP server on my (switched)
network. It would broadcast a "dummy" MAC address and see which DHCP
server responds. My idea is to send a DHCPDISCOVER packet and see
which DHCP server sends an ACK packet (but never acknowledge the ACK
and terminate the connection).

How do I go about writing this in Ruby?

Thanks for any suggestions.
 
Eleanor McHugh

> I want to write a program to detect rogue DHCP server on my (switched)
> network. It would broadcast a "dummy" MAC address and see which DHCP
> server responds. My idea is to send a DHCPDISCOVER packet and see
> which DHCP server sends an ACK packet (but never acknowledge the ACK
> and terminate the connection).
>
> How do I go about writing this in Ruby?
>
> Thanks for any suggestions.

First up grab a copy of RFC 2131 (assuming it's still current, this
isn't my area of expertise) and implement the protocol with Ruby's bit-
struct library (see the Camping presentation linked from my .sig for
some basic info on bit-struct). You'll want to use a raw socket for
sending the DHCPDISCOVER and there's some basic coverage of them in
the Pickaxe but if you're not familiar with network programming a copy
of Stevens' UNIX Networking Programming will come in handy.

In the presentation we also cover the use of libpcap for watching on-
the-wire traffic and that's probably the way to go for detecting the
ACK packet if you have the privileges to put your NIC in promiscuous
mode.

You'll also find a slew of network code of varying quality scattered
through the other linked presentations and some of that may give you
inspiration: the UDP client examples in the "Semantic DNS" and "Shoes"
presentations are particularly lightweight and should (with a big "I'm
guessing without writing the code myself" disclaimer) apply equally to
raw sockets.


Ellie

Eleanor McHugh
Games With Brains
http://slides.games-with-brains.net
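
The message handling described in the reply above, as an added example that is not part of the original thread: it builds the DHCPDISCOVER and parses replies with plain `pack`/`unpack` rather than bit-struct, and reports any server identifier (option 54) that is not on an allowlist. Per RFC 2131 a server answers a DHCPDISCOVER with a DHCPOFFER, so that is the reply type checked here; the function names, the allowlist parameter and the `sample_offer` helper (constructed data, not captured traffic) are assumptions made for illustration.

```ruby
# Added example: DHCP message handling with pack/unpack (RFC 2131 layout).
MAGIC = [0x63825363].pack('N')            # magic cookie preceding the options
DISCOVER, OFFER = 1, 2                    # values of option 53 (message type)

# Build a broadcast DHCPDISCOVER for a 6-byte probe MAC (binary string).
def build_discover(mac, xid)
  pkt = [1, 1, 6, 0, xid, 0, 0x8000].pack('CCCCNnn')  # BOOTREQUEST, Ethernet, broadcast flag
  pkt << "\0" * 16                                     # ciaddr, yiaddr, siaddr, giaddr
  pkt << mac.b.ljust(16, "\0") << "\0" * 192           # chaddr, sname, file
  pkt << MAGIC << [53, 1, DISCOVER, 255].pack('C4')    # message type, end option
end

# Parse a BOOTREPLY; returns nil for anything that is not a DHCP reply.
def parse_reply(raw)
  pkt = raw.b
  return nil unless pkt.bytesize >= 240 && pkt.getbyte(0) == 2 && pkt[236, 4] == MAGIC
  info = { xid: pkt[4, 4].unpack1('N'), yiaddr: pkt[16, 4].unpack('C4').join('.') }
  i = 240
  while i < pkt.bytesize
    code = pkt.getbyte(i)
    break if code == 255                    # end option
    if code == 0                            # pad option has no length byte
      i += 1
      next
    end
    len = pkt.getbyte(i + 1)
    val = len && pkt[i + 2, len]
    break if val.nil? || val.bytesize < len # truncated option: stop parsing
    info[:type] = val.getbyte(0) if code == 53 && len == 1
    info[:server_id] = val.unpack('C4').join('.') if code == 54 && len == 4
    i += 2 + len
  end
  info
end

# Server identifiers from OFFERs answering our xid that are not in `allowed`.
def rogue_servers(replies, xid, allowed)
  offers = replies.filter_map { |r| parse_reply(r) }
                  .select { |o| o[:type] == OFFER && o[:xid] == xid }
  offers.filter_map { |o| o[:server_id] }.uniq - allowed
end

# Constructed sample DHCPOFFER so the parser can be exercised offline.
def sample_offer(xid, server_ip, yiaddr)
  ip = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  [2, 1, 6, 0, xid, 0, 0].pack('CCCCNnn') + "\0" * 4 + ip[yiaddr] + "\0" * 216 +
    MAGIC + [53, 1, OFFER, 54, 4].pack('C5') + ip[server_ip] + [255].pack('C')
end
```

On the wire the DISCOVER travels as UDP from port 68 to 255.255.255.255 port 67 and the replies come back to port 68, which normally requires elevated privileges to bind.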
 
lists

> In the presentation we also cover the use of libpcap for watching on-
> the-wire traffic and that's probably the way to go for detecting the
> ACK packet if you have the privileges to put your NIC in promiscuous
> mode.
>
> You'll also find a slew of network code of varying quality scattered
> through the other linked presentations and some of that may give you
> inspiration: the UDP client examples in the "Semantic DNS" and
> "Shoes" presentations are particularly lightweight and should (with
> a big "I'm guessing without writing the code myself" disclaimer)
> apply equally to raw sockets.

Ellie, you generously reference your slides pretty frequently. Had
you ever given thought to fleshing out some of your ideas in a book or
downloadable pdf?
 
Joel VanderWerf

Eleanor said:
> First up grab a copy of RFC 2131 (assuming it's still current, this
> isn't my area of expertise) and implement the protocol with Ruby's
> bit-struct library (see the Camping presentation linked from my .sig for
> some basic info on bit-struct). You'll want to use a raw socket for
> sending the DHCPDISCOVER and there's some basic coverage of them in the
> Pickaxe but if you're not familiar with network programming a copy of
> Stevens' UNIX Networking Programming will come in handy.

FWIW, bit-struct includes a couple of raw socket examples.

http://redshift.sourceforge.net/bit-struct/
 
