comp.lang.ruby

detect rogue DHCP server

Chris Henderson

3/17/2009 11:16:00 AM

I want to write a program to detect rogue DHCP server on my (switched)
network. It would broadcast a "dummy" MAC address and see which DHCP
server responds. My idea is to send a DHCPDISCOVER packet and see
which DHCP server sends an ACK packet (but never acknowledge the ACK
and terminate the connection).

How do I go about writing this in Ruby?

Thanks for any suggestions.

4 Answers

Eleanor McHugh

3/17/2009 12:17:00 PM

0

On 17 Mar 2009, at 11:15, Chris Henderson wrote:
> I want to write a program to detect rogue DHCP server on my (switched)
> network. It would broadcast a "dummy" MAC address and see which DHCP
> server responds. My idea is to send a DHCPDISCOVER packet and see
> which DHCP server sends an ACK packet (but never acknowledge the ACK
> and terminate the connection).
>
> How do I go about writing this in Ruby?
>
> Thanks for any suggestions.

First up grab a copy of RFC 2131 (assuming it's still current, this
isn't my area of expertise) and implement the protocol with Ruby's bit-
struct library (see the Camping presentation linked from my .sig for
some basic info on bit-struct). You'll want to use a raw socket for
sending the DHCPDISCOVER and there's some basic coverage of them in
the Pickaxe but if you're not familiar with network programming a copy
of Stevens' UNIX Networking Programming will come in handy.

In the presentation we also cover the use of libpcap for watching on-
the-wire traffic and that's probably the way to go for detecting the
ACK packet if you have the privileges to put your NIC in promiscuous
mode.

You'll also find a slew of network code of varying quality scattered
through the other linked presentations and some of that may give you
inspiration: the UDP client examples in the "Semantic DNS" and "Shoes"
presentations are particularly lightweight and should (with a big "I'm
guessing without writing the code myself" disclaimer) apply equally to
raw sockets.


Ellie

Eleanor McHugh
Games With Brains
http://slides.games-with-...
----
raise ArgumentError unless @reality.responds_to? :reason
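
An added example, not code from any poster in this thread: the RFC 2131 message layout written with core `Array#pack` / `String#unpack` instead of bit-struct, plus a check of each reply's server identifier (option 54) against an allowlist. Under RFC 2131 a server answers a DHCPDISCOVER with a DHCPOFFER, so that is the reply parsed here; the function names, the documentation-range addresses and the sample offer are constructed for illustration, and the socket send/receive is left out so the code runs offline.

```ruby
# Added example: RFC 2131 message layout with Array#pack / String#unpack.
MAGIC_COOKIE = [99, 130, 83, 99].pack('C4')  # marks the start of DHCP options
MSG_TYPES = { 1 => :discover, 2 => :offer, 5 => :ack, 6 => :nak }.freeze
ZERO = "\0".b

# DHCPDISCOVER for a probe MAC (6 raw bytes); broadcast flag set so replies are broadcast.
def build_discover(xid, mac)
  [1, 1, 6, 0, xid, 0, 0x8000].pack('C4Nnn') +  # op, htype, hlen, hops, xid, secs, flags
    ZERO * 16 +                                  # ciaddr, yiaddr, siaddr, giaddr
    mac.b.ljust(16, ZERO) +                      # chaddr, padded to 16 bytes
    ZERO * 192 +                                 # sname (64) + file (128)
    MAGIC_COOKIE + [53, 1, 1, 255].pack('C4')    # option 53 = DISCOVER, then end
end

# Parse a BOOTREPLY; returns nil for anything that is not a well-formed DHCP reply.
def parse_reply(data)
  data = data.b
  return nil if data.bytesize < 240 || data.byteslice(236, 4) != MAGIC_COOKIE
  op, xid = data.unpack('Cx3N')
  return nil unless op == 2
  reply = { xid: xid, yiaddr: data.byteslice(16, 4).unpack('C4').join('.') }
  pos = 240
  while pos < data.bytesize
    code = data.getbyte(pos)
    break if code == 255                         # end option
    if code.zero? then pos += 1; next end        # pad option has no length byte
    len = data.getbyte(pos + 1)
    val = len && data.byteslice(pos + 2, len)
    break if val.nil? || val.bytesize < len      # truncated option: stop parsing
    reply[:type] = MSG_TYPES[val.getbyte(0)] if code == 53
    reply[:server_id] = val.unpack('C4').join('.') if code == 54 && len == 4
    pos += 2 + len
  end
  reply
end

# Replies to our transaction whose server identifier (option 54) is not authorized.
def rogue_replies(datagrams, xid, authorized)
  datagrams.map { |d| parse_reply(d) }.compact
           .select { |r| r[:xid] == xid && !authorized.include?(r[:server_id]) }
end

# Constructed sample DHCPOFFER (not captured traffic) for offline testing.
def sample_offer(xid, server_ip, offered_ip)
  ip = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  [2, 1, 6, 0, xid, 0, 0x8000].pack('C4Nnn') + ZERO * 4 + ip[offered_ip] +
    ZERO * 216 + MAGIC_COOKIE + [53, 1, 2, 54, 4].pack('C5') + ip[server_ip] + [255].pack('C')
end
```

On a live network the output of `build_discover` goes out as a UDP broadcast to server port 67, and the datagrams that arrive on client port 68 are what `rogue_replies` is given.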



lists

3/17/2009 1:50:00 PM

0


On Mar 17, 2009, at 7:16 AM, Eleanor McHugh wrote:

> In the presentation we also cover the use of libpcap for watching on-
> the-wire traffic and that's probably the way to go for detecting the
> ACK packet if you have the privileges to put your NIC in promiscuous
> mode.
>
> You'll also find a slew of network code of varying quality scattered
> through the other linked presentations and some of that may give you
> inspiration: the UDP client examples in the "Semantic DNS" and
> "Shoes" presentations are particularly lightweight and should (with
> a big "I'm guessing without writing the code myself" disclaimer)
> apply equally to raw sockets.

Ellie, you generously reference your slides pretty frequently. Had
you ever given thought to fleshing out some of your ideas in a book or
downloadable pdf?

Eleanor McHugh

3/17/2009 2:45:00 PM

0

On 17 Mar 2009, at 13:50, lists wrote:
> On Mar 17, 2009, at 7:16 AM, Eleanor McHugh wrote:
>> In the presentation we also cover the use of libpcap for watching
>> on-the-wire traffic and that's probably the way to go for detecting
>> the ACK packet if you have the privileges to put your NIC in
>> promiscuous mode.
>>
>> You'll also find a slew of network code of varying quality
>> scattered through the other linked presentations and some of that
>> may give you inspiration: the UDP client examples in the "Semantic
>> DNS" and "Shoes" presentations are particularly lightweight and
>> should (with a big "I'm guessing without writing the code myself"
>> disclaimer) apply equally to raw sockets.
>
> Ellie, you generously reference your slides pretty frequently. Had
> you ever given thought to fleshing out some of your ideas in a book
> or downloadable pdf?

I'd love to if I can find the time to do it justice :)


Ellie

Eleanor McHugh
Games With Brains
http://slides.games-with-...
----
raise ArgumentError unless @reality.responds_to? :reason



Joel VanderWerf

3/17/2009 9:11:00 PM

0

Eleanor McHugh wrote:
> On 17 Mar 2009, at 11:15, Chris Henderson wrote:
>> I want to write a program to detect rogue DHCP server on my (switched)
>> network. It would broadcast a "dummy" MAC address and see which DHCP
>> server responds. My idea is to send a DHCPDISCOVER packet and see
>> which DHCP server sends an ACK packet (but never acknowledge the ACK
>> and terminate the connection).
>>
>> How do I go about writing this in Ruby?
>>
>> Thanks for any suggestions.
>
> First up grab a copy of RFC 2131 (assuming it's still current, this
> isn't my area of expertise) and implement the protocol with Ruby's
> bit-struct library (see the Camping presentation linked from my .sig for
> some basic info on bit-struct). You'll want to use a raw socket for
> sending the DHCPDISCOVER and there's some basic coverage of them in the
> Pickaxe but if you're not familiar with network programming a copy of
> Stevens' UNIX Networking Programming will come in handy.

FWIW, bit-struct includes a couple of raw socket examples.

http://redshift.sourceforge.net/b...

--
vjoel : Joel VanderWerf : path berkeley edu : 510 665 3407