Feature request: detection of (roque) DHCP-Servers

Started by Tilo2300

Tilo2300

Feature request: detection of (roque) DHCP-Servers   08 August 2010, 13:19

Would it be possible to implement detection of (roque) DHCP-Servers in the network?
Or is this already possible to actualize this via a specific Port?
Jake

Feature request   09 August 2010, 16:05

Will there be a 64bit Version of the network scanner? I would really appreciate it smile
Tilo2300

Feature request   09 August 2010, 20:05

Hey Jake, this is my thread, open your own! smile
SoftPerfect Support forum - Andrew avatar image

Feature request   10 August 2010, 00:38

Quote

Would it be possible to implement detection of (roque) DHCP-Servers in the network?


Yes, it'll be added shortly. Stay tuned.

Quote

Will there be a 64bit Version of the network scanner?


Some day, in the future smile
Tilo2300

Feature request   10 August 2010, 02:04

Oh great!
Can't wait to get it!

By the way, you have a great peace of Software here and you're doing a great job keeping it up-to-date and putting requests into effect!

Thumbs up!
SoftPerfect Support forum - Andrew avatar image

Feature request   12 August 2010, 23:04

DHCP server discovery is now available in this build (see under Actions in the main menu) ok, yes, thumb up

Feature request   14 August 2010, 09:26

(netscan 4 4 9 prelim)

Error 10048.

Tried with different DHCP servers, all got 10048.
SoftPerfect Support forum - Andrew avatar image

Feature request   14 August 2010, 16:01

You mean you ran the application a DHCP server not on a client machine? If so, please provide a complete output of the netstat -na command launched at a command prompt at the server.

Feature request   14 August 2010, 23:55

Sorry for being imprecise.

I ran netscan 4_4_9 prelim on a client (Win7 64bit). In my home network of twelve machines I have five that could be DHCP servers plus an assortment of routers, etc that could be the active DHCP server on the network. What I meant was that the DHCP discovery on the net as is failed, so I switched different servers/etc into DHCP mode. (There can only be one, as we all know). So, no matter what platform the DHCP server was running on (FreeBSD, linuxes, proprietary router OSs) the client instance of netscan 4_4_9 prelim failed on the DHCP server discovery function.

Just re-ran a test.
DHCP server is IPCop 1.4.21 (linux 2.4.36)
client 1 Win7 64 bit
client 2 winXp SP3

DHCP server running with no DHCP clients.
Both Win7 & XP runs DHCP discovery without the 10048 error.
Neither XP nor Win7 reported any running instances of a DHCP server.

DHCP server running with one DHCP client.
XP runs the DHCP discovery without error, but still does not report any instances of a DHCP server on the net.
Win7 fails with the 10048 error.


When I ran the first test there were DHCP clients so the Win7 fail seems consistent. Why Win7 throws a 10048 when there is a DHCP client is a mystery to me. I isolated the local net from the world and reduced the firewall settings and other security measures on the DHCP server to nothing. Ran same clients with same results. I'll try other configurations during the day and if anything different shoews up I'll report it.
SoftPerfect Support forum - Andrew avatar image

Feature request   15 August 2010, 03:58

Also please try this build where error 10048 should be fixed.

Feature request   15 August 2010, 06:24

netscan2.exe 10048 error

This build did stop Win7 etc. from throwing 10048 from DHCP discovery function.

Still no DHCP servers detected though.
SoftPerfect Support forum - Andrew avatar image

Feature request   19 August 2010, 18:26

In this case I'd like to see what's happening on your system. If possible, please capture a flow of packets using any sniffer like Wireshark or our Protocol Analyzer. Basically, I just need to see the DHCP query sent out by the network scanner and replies received from DHCP servers (if any).

Feature request   20 August 2010, 02:40

OK

Will use Wireshark later today to try to capture DHCP discovery.

Feature request   20 August 2010, 06:04

Seems like a normal transaction but no data displayed by the 'actions' pop up screen.

The 192.168.1.12 Lite-On nic asks for any DHCP servers and 192.168.1.4 offers 192.168.1.203

192.168.1.4 is IpCop

Anything more?
Attachments:
open | download – screenshot.2.png (17.7 KB)
SoftPerfect Support forum - Andrew avatar image

Feature request   20 August 2010, 07:21

Please attach the actual capture file, so we can check the packet(s) against the network scanner's DHCP parser, perhaps it's buggy.

Feature request   20 August 2010, 12:32

OK

Can't attach a .pcap file so I'll have to zip it.


DONE
Attachments:
open | download – dhcp_discovery_netscan_449.zip (1.2 KB)
SoftPerfect Support forum - Andrew avatar image

Feature request   20 August 2010, 18:43

Thank you, I had checked it out, but was unable to determine what went wrong.

Could you please run this build and see what it prints (there will be a console log window)?

Feature request   21 August 2010, 03:09

Can't get past error 10048.

If it will help, I'll run a packet sniff on this later today.
SoftPerfect Support forum - Andrew avatar image

Feature request   21 August 2010, 06:00

Sorry, that's because the previous fix was not in this build. Please re-download the file here and try again.

Feature request   21 August 2010, 09:34

no error
no data displayed

zipped pcap attached
Attachments:
open | download – dhcp_discovery_netscan3_449.zip (1.2 KB)
SoftPerfect Support forum - Andrew avatar image

Feature request   21 August 2010, 17:38

Nothing displayed in the console window at all?

Feature request   21 August 2010, 18:12

No, I meant no results.
Your messages about sending query/ waiting/ finished appear, but nothing else. (see attached pngs)
Attachments:
open | download – screenshot.3.png (605 bytes)
open | download – screenshot.5.png (15.7 KB)
SoftPerfect Support forum - Andrew avatar image

Feature request   22 August 2010, 20:00

I think I have figured it out. Normally the DHCP server broadcasts a DHCP offer to the client. For some reason, your specific implementation sends it directly to the client. It falls flat as the network scanner uses a bogus MAC address in the query 0A:0B:0C:0D:0E:0F, so the offer is rejected by the network card as it assumes the packet is not destined to it. I will add a workaround shortly.

Feature request   23 August 2010, 00:33

That makes sense as I use a best practice standard of employing MAC based ACLs.

Spurious or spoofed MACs won't get anywhere on my systems.

(I even filter on MAC for DHCP)
SoftPerfect Support forum - Andrew avatar image

Feature request   23 August 2010, 02:01

Please try out this build. It should work normally smile

Feature request   23 August 2010, 03:54

1. winHTTP Proxy Auto discovery Service must be disabled
and, then
2. DHCP Client Service must be switched off.

With the above netscan4.exe picks up two out of four DHCP servers on the network. (Specifically it detects two old Linksys routers netscan4.exe fails to detect a PcLinuxOS and a IPCop DHCP server)

The MicroSoft DHCP Team published a Rouge DHCP Server Detector.. This tool found all four DHCP servers on the network.

[blogs.technet.com]

What's the difference between netscan and MS DHCP Team's RogueChecker ?
SoftPerfect Support forum - Andrew avatar image

Feature request   23 August 2010, 19:59

Well, we had been asked to add DHCP discovery in netscan, so we have implemented it. Technically these tools are similar, although I believe we can make ours more convenient.

We've made some further changes to the DHCP discovery feature to make it more standard-compliant. Please try the new build here. If it also fails to find all the 4 servers, please let me know whether you have more than one network interface on that machine, so that machine is multihomed.

Feature request   24 August 2010, 02:56

OK

Will download netscan5 and reply.

Yes, Three machines in the current configuration of the network are laptops with both ethernet and wireless interfaces. Usually they are all 'either/or' nics, but I've noticed that sometimes Win7 and WinXP "forget" to ignore the inactive interface. I.E., some apps (like netscan ??? ) don't differentiate between nics in use and 'inactivated' nics - so the apps will willy nilly think one or another is active without real world checking. (Even in the case where a wireless interface has it's radio switched off manually).

There must be a lookup table that enumerates potential interfaces that is being referenced without any reality checking.

Feature request   24 August 2010, 03:11

Success.
All DHCP servers found.
I switched the net config around a bit to try variations and netscan functioned for DHCP discovery in all I tried.

Now, UDP?
SoftPerfect Support forum - Andrew avatar image

Feature request   25 August 2010, 02:55

Glad to hear that it's working finally. Not sure what you mean by the 'Now, UDP?' question though.

Author:

Subject

A brief and informative title for your message, approximately 4–8 words:

     

Spam prevention: please enter the following code in the input field below.

 ********   **      **  **     **   ******    **     ** 
 **     **  **  **  **  **     **  **    **   ***   *** 
 **     **  **  **  **  **     **  **         **** **** 
 **     **  **  **  **  **     **  **   ****  ** *** ** 
 **     **  **  **  **  **     **  **    **   **     ** 
 **     **  **  **  **  **     **  **    **   **     ** 
 ********    ***  ***    *******    ******    **     ** 

Message: