1
00:00:00,000 --> 00:00:08,179

2
00:00:08,179 --> 00:00:09,816
Ok, welcome back.

3
00:00:09,816 --> 00:00:13,679
In this segment, we will talk about DHCP servers.

4
00:00:13,677 --> 00:00:19,915
Again however, we were going to talk about the concept of a rogue DHCP server.

5
00:00:19,923 --> 00:00:26,142
A rogue DHCP server is very common on networks today.

6
00:00:26,142 --> 00:00:34,520
Believe it or not, it's not necessarily a black hat hacker infiltrating your network

7
00:00:34,522 --> 00:00:38,658
and attempting to place a server on your network

8
00:00:38,658 --> 00:00:43,994
to corrupt your clients with data so that it can spoof and so on and so forth.

9
00:00:43,994 --> 00:00:48,426
A rogue DHCP server can be a router that you deploy,

10
00:00:48,426 --> 00:00:57,137
DHCP configured on the actual device as well as placing that on a segment with,

11
00:00:57,149 --> 00:01:01,801
where there is already a DHCP server. That's an example.

12
00:01:01,801 --> 00:01:06,755
Another example is a lot of Apple-based systems

13
00:01:06,760 --> 00:01:11,473
as they are being used and brought into networks more and more.

14
00:01:11,473 --> 00:01:16,498
Generally, sometimes it's a BYOB type of thing where people are bringing them in.

15
00:01:16,498 --> 00:01:23,020
It's not necessarily locked down by IT and they had DHCP servers configured on them.

16
00:01:23,030 --> 00:01:27,324
Another example, people want to set up their own wireless segment.

17
00:01:27,324 --> 00:01:32,210
So, they set this up on the network which you could lock down and take out.

18
00:01:32,210 --> 00:01:36,383
But if it was something that they were able to set up,

19
00:01:36,383 --> 00:01:42,407
they can configure this and they can also start doling out addresses

20
00:01:42,423 --> 00:01:45,108
and cause problems on your network.

21
00:01:45,109 --> 00:01:54,367
So as you could see, it's not necessarily this, this anomaly that's on your network.

22
00:01:54,367 --> 00:02:00,042
You know, you're taking security classes, the concept of a rogue DHCP server

23
00:02:00,042 --> 00:02:06,045
would be one where you would assume somebody was setting up for malicious reasons.

24
00:02:06,045 --> 00:02:07,856
Yes, that does happen.

25
00:02:07,856 --> 00:02:12,976
However, a rogue DHCP server can also be set up accidentally.

26
00:02:12,976 --> 00:02:17,635
And by doing so, clients may start responding

27
00:02:17,635 --> 00:02:23,782
with it and to it, and it may respond to those clients and give it information and

28
00:02:23,791 --> 00:02:27,684
therefore doesn't connect to or participate on your network.

29
00:02:27,684 --> 00:02:30,407
And why is this an issue?

30
00:02:30,407 --> 00:02:35,275
Well, if you want to have your clients participate on a network correctly

31
00:02:35,268 --> 00:02:39,174
and access their resources, essentially what you will do is

32
00:02:39,178 --> 00:02:42,727
you will give it an IP that works on that subnet.

33
00:02:42,727 --> 00:02:50,658
On that segment, give a DNS server so that it can resolve its web browsers and applications

34
00:02:50,657 --> 00:02:56,896
and file shares and so on. Send the email and if a rogue is deployed

35
00:02:56,896 --> 00:03:02,926
it will get information that may not have that, those assignments in it.

36
00:03:02,926 --> 00:03:08,329
And will create what's considered to be an outage on that segment.

37
00:03:08,327 --> 00:03:12,029
And depending on the size of the segment, it could be quite a large outage.

38
00:03:12,029 --> 00:03:16,170
So, just remember a rogue DHCP server

39
00:03:16,170 --> 00:03:22,428
is something that could possibly take down your network, your clients,

40
00:03:22,435 --> 00:03:26,435
disable them from being able to use resources.

41
00:03:26,435 --> 00:03:30,985
And it is definitely more common than you may think or know or

42
00:03:30,985 --> 00:03:34,191
you may already be seeing this pretty often.

43
00:03:34,191 --> 00:03:37,710
So, what is, why is it an issue?

44
00:03:37,710 --> 00:03:42,339
It breaks the appropriate logical addressing scheme on your subnet

45
00:03:42,333 --> 00:03:45,200
if it's not configured identically.

46
00:03:45,200 --> 00:03:51,217
If clients do not get, this is primarily for Windows clients,

47
00:03:51,217 --> 00:03:57,205
if they do not or are not able to get a DHCP server, they will flip to APIPA and be on that range.

48
00:03:57,192 --> 00:04:00,034
It's also something to look out for.

49
00:04:00,034 --> 00:04:04,373
But essentially, what that means is it's completely disconnected

50
00:04:04,376 --> 00:04:06,456
from your enterprise network.

51
00:04:06,474 --> 00:04:12,733
Your client may not be able to access resources, shares, email, so on and so forth.

52
00:04:12,733 --> 00:04:16,216
And it could also be, in my opinion, the least

53
00:04:16,216 --> 00:04:21,780
common security violation where somebody will actually set up a server on that segment

54
00:04:21,778 --> 00:04:25,564
to re-route that client to some spoof material.

55
00:04:25,564 --> 00:04:32,076
So just remember that it could be intentional and it could be accidental.

56
00:04:32,076 --> 00:04:37,162
So that being said, this is what it would look like on the network.

57
00:04:37,162 --> 00:04:43,415
I flagged it here in red. Essentially, I'd put it on the local segment.

58
00:04:43,415 --> 00:04:47,366
And what's happening here is it may be responding to that client

59
00:04:47,362 --> 00:04:51,127
before it can get its information from another client.

60
00:04:51,127 --> 00:04:53,113
Now, one of the key things here is you

61
00:04:53,113 --> 00:04:57,901
may have to have the client time out on its lease.

62
00:04:57,901 --> 00:05:04,202
A lot of times if it's for example, Windows, you can ipconfig /release, /renew,

63
00:05:04,202 --> 00:05:08,777
and clear the IP information, you will try to request another IP.

64
00:05:08,777 --> 00:05:11,813
It may pull it from the rogue and there you go.

65
00:05:11,813 --> 00:05:15,269
If it's not on a correct, if it does not have the correct settings,

66
00:05:15,269 --> 00:05:22,915
it could quite possibly cause you some disruption.

67
00:05:22,915 --> 00:05:29,583
So Wireshark analysis of a rogue DHCP, very, very easy to see.

68
00:05:29,583 --> 00:05:33,910
So when you actually run the capture and you collect it up,

69
00:05:33,910 --> 00:05:40,499
you will start seeing through the DORA process. You will see primarily that your source

70
00:05:40,507 --> 00:05:44,372
and destination information here, if you're looking at the capture,

71
00:05:44,366 --> 00:05:47,976
and you know that your DHCP server's on another segment,

72
00:05:47,976 --> 00:05:49,597
you know what the IP address is.

73
00:05:49,597 --> 00:05:52,879
If you're seeing it show up as a different IP address,

74
00:05:52,910 --> 00:05:54,847
it's likely that it's a rogue.

75
00:05:54,847 --> 00:05:58,544
And what's nice about that is you could start looking through the MAC table,

76
00:05:58,544 --> 00:06:02,014
looking through your ARP table and try to find which port

77
00:06:02,014 --> 00:06:05,694
this rogue is on and you could find it and disable it

78
00:06:05,694 --> 00:06:12,839
or take it off your network and stop it from responding to your clients.

79
00:06:12,835 --> 00:06:22,688
Another way you can stop this is or help prevent this

80
00:06:22,688 --> 00:06:27,459
is by configuring snooping on your Cisco devices.

81
00:06:27,459 --> 00:06:30,707
I've put the router or the device config

82
00:06:30,808 --> 00:06:34,878
in here so that you could see it's very simple, ip dhcp snooping.

83
00:06:34,877 --> 00:06:41,018
We'll look for and help to prevent rogue DHCP servers.

84
00:06:41,018 --> 00:06:43,840
However, if you do not have this configured

85
00:06:43,840 --> 00:06:47,872
and this does get through and you do have a rogue on your network,

86
00:06:47,872 --> 00:06:51,101
it's likely that you can use Wireshark

87
00:06:51,101 --> 00:06:54,894
to quickly look at the source and destination addresses

88
00:06:54,905 --> 00:06:57,896
and if it does not match your DHCP server

89
00:06:57,896 --> 00:07:00,126
it's likely that you have a rogue

90
00:07:00,126 --> 00:07:02,151
and you will be able to trace it down

91
00:07:02,151 --> 00:07:07,936
through looking at IP resolution, ARP cache, MAC address table

92
00:07:07,943 --> 00:07:12,110
down to port, find out the source and disconnect it from your network.

93
00:07:12,110 --> 00:07:17,937
And or you can prevent it completely by using port security

94
00:07:17,942 --> 00:07:22,229
and not allowing things to be connected to your network that you do not know about.

95
00:07:22,229 --> 00:07:24,483
That is an extremely helpful tool.

96
00:07:24,483 --> 00:07:27,478
It will allow you to provide a high level

97
00:07:27,478 --> 00:07:31,944
of security to your network so that on

98
00:07:31,944 --> 00:07:35,615
ports that have not been opened and authorized for use

99
00:07:35,614 --> 00:07:38,973
somebody may not be able to just simply stick

100
00:07:38,973 --> 00:07:43,330
a wireless router which has a DHCP router on it.

101
00:07:43,330 --> 00:07:46,685
It will not allow you to connect the hub

102
00:07:46,685 --> 00:07:52,877
which could create a loop and take down your network and so on and so forth.

103
00:07:52,877 --> 00:07:56,465
In here lastly is just the zoom in

104
00:07:56,465 --> 00:07:59,687
on the, where you see the source and destination.

105
00:07:59,687 --> 00:08:04,392
As we mentioned if you're seeing packets come from a DHCP server,

106
00:08:04,392 --> 00:08:09,410
that is not recognizable, that is likely your rogue.

107
00:08:09,410 --> 00:08:16,537
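Editor's added example (not part of the lecture or its slides): the Wireshark check the lecturer describes, done in code. It builds a few constructed DHCP payloads, walks the DORA message types, and flags any OFFER or ACK whose source IP, or whose Server Identifier (option 54), is not the one authorized DHCP server. The authorized address 10.1.1.5 and every frame in the sample capture are assumptions made up for the example; on a real network with a DHCP relay in the path, the relay agent's interface address must also be in the allow-list, since it is the source IP a client segment actually sees.

```python
"""Flag DHCP OFFER/ACK messages that do not come from the authorized server."""
import socket
import struct
from typing import List, Optional, Tuple

# DHCP message type (option 53) values from RFC 2132: the DORA exchange.
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed allow-list: the single known DHCP server (add relay-agent IPs if used).
AUTHORIZED_SERVERS = {"10.1.1.5"}


def ipv4_bytes(addr: str) -> bytes:
    return socket.inet_aton(addr)


def ipv4_str(raw: bytes) -> str:
    return socket.inet_ntoa(raw)


def build_dhcp(msg_type: int, server_id: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal BOOTP/DHCP payload. Constructed test data, not a real capture."""
    is_reply = msg_type in (DHCP_OFFER, DHCP_ACK)
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2 if is_reply else 1,      # op: BOOTREPLY for server messages, else BOOTREQUEST
        1, 6, 0,                   # htype (Ethernet), hlen, hops
        0x12345678,                # xid
        0, 0,                      # secs, flags
        b"\0" * 4,                 # ciaddr
        ipv4_bytes(yiaddr),        # yiaddr: address being offered
        ipv4_bytes(server_id),     # siaddr
        b"\0" * 4,                 # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    options = bytes([53, 1, msg_type])         # option 53: DHCP message type
    if is_reply:
        options += bytes([54, 4]) + ipv4_bytes(server_id)   # option 54: server identifier
    options += b"\xff"                         # end option
    return fixed + MAGIC_COOKIE + options


def parse_options(payload: bytes) -> dict:
    """Return DHCP options as {code: raw value}, honouring pad (0) and end (255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify(src_ip: str, payload: bytes) -> Optional[str]:
    """Return None for traffic that needs no attention, else the reason to alert."""
    opts = parse_options(payload)
    mtype = opts.get(53, b"\0")[0]
    if mtype not in (DHCP_OFFER, DHCP_ACK):
        return None   # DISCOVER/REQUEST come from clients; nothing to compare yet
    if src_ip not in AUTHORIZED_SERVERS:
        return f"OFFER/ACK from unknown source {src_ip}"
    server_id = ipv4_str(opts[54]) if 54 in opts else None
    if server_id and server_id not in AUTHORIZED_SERVERS:
        return f"server identifier {server_id} is not an authorized server"
    return None


# Constructed "capture": (source IP as Wireshark would show it, DHCP payload).
SAMPLE_CAPTURE: List[Tuple[str, bytes]] = [
    ("0.0.0.0", build_dhcp(DHCP_DISCOVER, "0.0.0.0")),
    ("10.1.1.5", build_dhcp(DHCP_OFFER, "10.1.1.5", "10.1.20.50")),
    ("192.168.1.1", build_dhcp(DHCP_OFFER, "192.168.1.1", "192.168.1.100")),  # home router plugged in
    ("10.1.1.5", build_dhcp(DHCP_ACK, "10.1.1.5", "10.1.20.50")),
]


def find_rogues(frames: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the check over a capture and return (source IP, reason) for each hit."""
    return [(src, reason) for src, payload in frames if (reason := classify(src, payload))]


if __name__ == "__main__":
    for src, reason in find_rogues(SAMPLE_CAPTURE):
        print(f"possible rogue DHCP server at {src}: {reason}")
```

Each flagged source IP is the value to chase through the ARP cache and the switch MAC address table down to a port, as the lecture describes; the same allow-list check is also what DHCP snooping enforces on trusted versus untrusted ports when it is configured.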