Annotation of embedaddon/dhcdrop/man/dhcdrop.8, revision 1.1
1.1 ! misho 1: .TH DHCDROP 8 "18/08/2009"
! 2: .SH NAME
! 3: dhcdrop \- program for finding and suppressing false DHCP servers on Ethernet networks.
! 4: .SH SYNOPSIS
! 5: .B dhcdrop
! 6: .RB [ " \-h "]
! 7: .RB [ " \-D "]
! 8: .RB [ " \-t "]
! 9: .RB [ " \-y "]
! 10: .RB [ " \-r "]
! 11: .RB [ " \-b "]
! 12: .RB [ " \-a "]
! 13: .RB [ " \-A "]
! 14: .RB [ " \-f "]
! 15: .RB [ " \-R "]
! 16: .RB [ " \-q "]
! 17: .LP
! 18: .RB [ " \-m "
! 19: .I count
! 20: ]
! 21: .RB [ " \-c "
! 22: .I count
! 23: ]
! 24: .RB [ " \-n "
! 25: .I hostname
! 26: ]
! 27: .RB [ " \-N "
! 28: .I clientname
! 29: ]
! 30: .RB [ " \-p "
! 31: .I port
! 32: ]
! 33: .RB [ " \-P "
! 34: .I port
! 35: ]
! 36: .RB [ " \-w "
! 37: .I seconds
! 38: ]
! 39: .LP
! 40: .RB [ " \-T "
! 41: .I timeout
! 42: ]
! 43: .RB [ " \-M "
! 44: .I max-hosts-scan
! 45: ]
! 46: .RB [ " \-l "
! 47: .I MAC-address
! 48: ]
! 49: .RB [ " \-L "
! 50: .I network
! 51: ]
! 52: .RB [ " \-S "
! 53: .I network/mask
! 54: ]
! 55: .RB [ " \-F "
! 56: .I from-IP
! 57: ]
! 58: .LP
! 59: .RB [ " \-s "
! 60: .I server-IP
! 61: ]
! 62: .RB [ " \-C "
! 63: .I children count (2 - 32)
! 64: ]
! 65: .LP
! 66: .RB [ " initial-MAC-address " ]
! 67: .RB < " \-i "
! 68: .I interface-name|interface-index
! 69: >
! 70: .LP
! 71: .SH DESCRIPTION
! 72: A DHCP server is suppressed with
! 73: .B dhcdrop
! 74: by means of a DHCP starvation attack
! 75: or by flooding it with DHCPDISCOVER messages.
! 76: See below for details. dhcdrop can also be used as a diagnostic
! 77: and stress-testing tool when configuring and developing DHCP servers.
! 78: .SH OPTIONS
! 79: .TP
! 80: .B "-h"
! 81: print the help message and the program's return codes.
! 82: .TP
! 83: .B "-D"
! 84: list available network interfaces. Format: index:name.
! 85: .TP
! 86: .B "-t"
! 87: test mode. In this mode
! 88: .B dhcdrop
! 89: does not suppress the server. A DHCPDISCOVER is sent.
! 90: If a reply to it comes from a non\-ignored server, the program
! 91: exits with return code 200 and prints a string such as:
! 92: .IP
! 93: DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether: 00:02:44:75:77:E4, YIP: 10.7.7.205
! 94: .IP
! 95: which contains the MAC address of the false DHCP server found.
! 96: .TP
! 97: .B "-y"
! 98: answer 'yes' to all questions.
! 99: .TP
! 100: .B "-r"
! 101: disable Ethernet address randomization. Each subsequent source MAC address differs from the previous one by 1.
! 102: .TP
! 103: .BI "-b"
! 104: set the
! 105: .B BROADCAST
! 106: flag in the DHCP packets sent.
! 107: .TP
! 108: .B "-a"
! 109: always wait for the server's response on the default DHCP client port (68), even if
! 110: the client port that was set differs from the default value.
! 111: .TP
! 112: .B "-A"
! 113: always wait for the server's response from the default DHCP server port (67),
! 114: even if the client port that was set differs from the default value.
! 115: .TP
! 116: .B "-f"
! 117: DHCPDISCOVER flood mode. USE WITH CARE.
! 118: It is convenient for stress-testing a server.
! 119: When used with option
! 120: .B "-r"
! 121: all the packets sent have the same MAC address.
! 122: .TP
! 123: .BI "-R"
! 124: send DHCPRELEASE from source MAC address specified by
! 125: .B "<initial MAC address>"
! 126: and IP address specified by option
! 127: .B "-F"
! 128: to server specified by option
! 129: .B "-s"
! 130: .
! 131: .TP
! 132: .B "-q"
! 133: quiet mode.
! 134: .TP
! 135: .BI "-m" " count"
! 136: maximum number of attempts to get an answer from the DHCP server (default: 5).
! 137: .TP
! 138: .BI "-c" " count"
! 139: maximum number of addresses to obtain from the DHCP server (default: 255).
! 140: .TP
! 141: .BI "-n" " hostname"
! 142: value of DHCP-option 'HostName' (default: 'DHCP-dropper').
! 143: .TP
! 144: .BI "-N" " clientname"
! 145: value of DHCP-option 'Vendor-Class' (default: 'DHCP-dropper').
! 146: .TP
! 147: .BI "-p" " port"
! 148: set client port value (default: 68).
! 149: .TP
! 150: .BI "-P" " port"
! 151: set server port value (default: 67).
! 152: .TP
! 153: .BI "-w" " seconds"
! 154: set the timeout after which the process is restarted when using
! 155: aggressive mode (see option
! 156: .B "-L"
! 157: ) (default: 60 secs).
! 158: .TP
! 159: .BI "-T" " timeout"
! 160: set the timeout for waiting for a server response, in seconds (default: 3).
! 161: .TP
! 162: .BI "-M" " maximum-hosts"
! 163: maximum number of hosts scanned when aggressive mode is used (option -L).
! 164: .TP
! 165: .BI "-l" " MAC-address"
! 166: Ethernet address of a DHCP server to ignore.
! 167: Several servers may be given. Repeat option
! 168: .B -l
! 169: for each server.
! 170: .TP
! 171: .BI "-L" " legal-network"
! 172: specify the legal network(s) on the interface. There may be
! 173: several networks. If this parameter is set, dhcdrop
! 174: uses aggressive mode: it scans the address range assigned
! 175: by the DHCP server to find hosts with incorrect addresses,
! 176: sends DHCPRELEASE to the server from every host found, and
! 177: then restarts the process of obtaining addresses. Repeat option
! 178: .B -L
! 179: for each network.
! 180: .TP
! 181: .BI "-S" " network/mask"
! 182: ARP-scan for network 'network' with network mask 'mask' (CIDR notation).
! 183: Source IP address for scanning specified by option
! 184: .B -F
! 185: .
! 186: If the source IP is not set, a random IP address from the network's address range is used.
! 187: .TP
! 188: .BI "-F" " source-ip"
! 189: source IP for scanning network or sending DHCPRELEASE (see option
! 190: .B -S
! 191: and
! 192: .B -R
! 193: ).
! 194: .TP
! 195: .BI "-s" " server-ip-address"
! 196: specify DHCP server IP address. Used with option
! 197: .B -R
! 198: .
! 199: .TP
! 200: .BI "-C" " count"
! 201: number of children (default: 0, minimum value: 2, maximum: 32). Compatible only with flag
! 202: .B -f
! 203: .
! 204: .TP
! 205: .B "initial-MAC-address"
! 206: specify the source MAC address for sending the first DHCP message.
! 207: If no address is set, a random value is used.
! 208: .TP
! 209: .BI "-i" " interface"
! 210: defines network interface, can be name or index (cannot be 'any').
! 211: For listing available interfaces use option
! 212: .B -D
! 213: .
! 214: .SH THEORETICAL BASICS
! 215: The DHCP protocol has an option that specifies the duration of an IP address lease
! 216: (Lease Time). For this period the DHCP server gives the IP address to the client for its use.
! 217: After this period the client has to try to renew the IP address
! 218: in order to extend the lease. For the server, leasing out an IP address
! 219: means that for the duration of the lease the address can be given only to the
! 220: lease holder and to nobody else. The server usually identifies clients
! 221: by MAC address. Usually every server has a pool of dynamic
! 222: IP addresses. These are addresses that are not assigned to particular MAC addresses
! 223: and are handed out dynamically on any client's request. The pool on SOHO routers with
! 224: default settings is not very big: from tens to about 200 addresses. When
! 225: software acting as a DHCP server is used, the size of the pool
! 226: is defined by whoever configures it. Once the address pool is exhausted, the DHCP server
! 227: ignores requests from new clients (probably recording this in its logs).
! 228: In effect it is out of action.
! 229:
! 230: Thus, when false DHCP servers appear, they can be suppressed rather easily.
! 231: It is necessary to obtain a lease for every IP address available on the server,
! 232: sending each request from a unique client. The longer the Lease Time in the server
! 233: settings, the longer the DHCP server stays suppressed once its
! 234: dynamic pool is exhausted. For most SOHO routers the lease time is a number of days
! 235: or even weeks. When WinGate, dhcpd or other similar software is used as the DHCP
! 236: server, the lease time depends on the imagination of whoever launched the false DHCP server.
! 237: .SH PRINCIPLE OF DHCDROP OPERATION
! 238: The program opens the interface specified on the command line in promiscuous
! 239: mode, then builds a DHCP message (DHCPDISCOVER) with a random source MAC address
! 240: (unless other behaviour is specified) and sends it out of the interface:
! 241:
! 242: .nf
! 243: 01:58:04.681600 00:70:de:3b:b9:05 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800),
! 244: length 342: (tos 0x10, ttl 64, id 33964, offset 0, flags [none],
! 245: proto UDP (17), length 328)
! 246: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:70:de:3b:b9:05,
! 247: length 300, xid 0xcc1cfc5c, Flags [none]
! 248: Client-Ethernet-Address 00:70:de:3b:b9:05
! 249: Vendor-rfc1048 Extensions
! 250: Magic Cookie 0x63825363
! 251: DHCP-Message Option 53, length 1: Discover
! 252: Parameter-Request Option 55, length 3:
! 253: Domain-Name-Server, Default-Gateway, Subnet-Mask
! 254: Hostname Option 12, length 12: "DHCP-dropper"
! 255: Vendor-Class Option 60, length 12: "DHCP-dropper"
! 256: Client-ID Option 61, length 7: ether 00:70:de:3b:b9:05
! 257: .fi
! 258:
! 259: It then waits for the server's answer (DHCPOFFER). If an answer
! 260: offering an IP address lease is received, the next DHCP message (DHCPREQUEST)
! 261: is sent out of the interface. The server answers this message with a DHCPACK packet,
! 262: which confirms that the client may use the IP address.
! 263: This completes the acquisition of the IP address offered by the server.
! 264: The program changes the source MAC address and sends DHCPDISCOVER again.
! 265: All of the above steps for obtaining the lease of a new
! 266: IP address are then repeated. Note that the program
! 267: changes not only the client's MAC address in the DHCP message but also the
! 268: MAC address in the Ethernet frame header. This brings the behaviour
! 269: of the program as close as possible to that of a real DHCP client (and also
! 270: makes it possible to avoid DHCP snooping).
! 271:
! 272: The cycle of obtaining IP addresses from the server ends when the maximum
! 273: number of IP addresses set by the option has been received or when the server's
! 274: dynamic pool is exhausted. In the second case you have won.
! 275: In the first case, if your aim is to suppress the DHCP server, it makes
! 276: sense to set a different value for the maximum number of leased addresses option.
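Seen from the defending side, the lease-acquisition cycle described above leaves a recognisable trace in a capture. The following added example (not part of dhcdrop or of the original page) reads `tcpdump -e -v` text in the layout shown above, counts distinct client MAC addresses sending DHCPDISCOVER per time window, and counts the default 'DHCP-dropper' Hostname/Vendor-Class strings. The window, the threshold, the function names and the captures are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not part of dhcdrop): flag the address-exhaustion pattern in
# `tcpdump -e -v` text output. Window and threshold defaults are assumptions.

detect_starvation() {
    # $1 = window in seconds, $2 = distinct-MAC threshold; capture on stdin
    awk -v win="${1:-10}" -v limit="${2:-5}" '
    function end_packet(   key) {
        if (is_discover && mac != "") {
            key = bucket SUBSEP mac
            if (!(key in seen)) {            # count each MAC once per window
                seen[key] = 1
                if (++per_bucket[bucket] > peak) peak = per_bucket[bucket]
            }
            if (vendor == "DHCP-dropper" || host == "DHCP-dropper") hits++
        }
        is_discover = 0; mac = ""; vendor = ""; host = ""
    }
    # A new packet starts with a timestamp line: HH:MM:SS.fraction
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {
        end_packet()
        split($1, t, "[:.]")
        bucket = int((t[1] * 3600 + t[2] * 60 + t[3]) / win)
        next
    }
    /Client-Ethernet-Address/  { mac = tolower($NF) }
    /DHCP-Message.*: Discover/ { is_discover = 1 }
    /Vendor-Class Option 60/   { vendor = $NF; gsub(/"/, "", vendor) }
    /Hostname Option 12/       { host = $NF; gsub(/"/, "", host) }
    END {
        end_packet()
        verdict = (peak >= limit || hits > 0) ? "ALERT" : "ok"
        printf "peak_macs=%d fingerprint_hits=%d verdict=%s\n", peak, hits, verdict
    }'
}

sample_capture() {
    # Constructed input: six Discovers within one second, each from a new MAC,
    # all carrying the default Vendor-Class string.
    for n in 1 2 3 4 5 6; do
        printf '01:58:04.%d00000 00:70:de:3b:b9:0%d > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:\n' "$n" "$n"
        printf '    Client-Ethernet-Address 00:70:de:3b:b9:0%d\n' "$n"
        printf '    DHCP-Message Option 53, length 1: Discover\n'
        printf '    Vendor-Class Option 60, length 12: "DHCP-dropper"\n'
    done
}

benign_capture() {
    # Constructed input: one ordinary client asking for a lease.
    printf '09:00:00.000001 00:16:09:d8:cf:60 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:\n'
    printf '    Client-Ethernet-Address 00:16:09:d8:cf:60\n'
    printf '    DHCP-Message Option 53, length 1: Discover\n'
    printf '    Vendor-Class Option 60, length 8: "MSFT 5.0"\n'
}

sample_capture | detect_starvation 10 5
```

Because the default strings can be changed with -n and -N, the distinct-MAC count per window is the signal to rely on; the string match only catches unmodified runs.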
! 277: .SH USAGE OF THE PROGRAM
! 278: \fIInterfaces listing\fP
! 279: .sp
! 280: First of all you need to find out the name of the network interface
! 281: on which the DHCP server is located. In UNIX-like OSes this is easy to see
! 282: from the output of the ifconfig command. In Windows it is not so obvious.
! 283: For this reason let's first launch the program with the
! 284: .B -D
! 285: option:
! 286:
! 287: .nf
! 288: C:\>dhcdrop -D
! 289: Available interfaces:
! 290: 1:\\Device\\NPF_GenericDialupAdapter
! 291: descr: Adapter for generic dialup and VPN capture
! 292: 2:\\Device\\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}
! 293: descr: ZyXEL GN650 1000Base-T Adapter (Microsoft's Packet Scheduler)
! 294: iaddr: 192.168.1.2/24 bcast: 255.255.255.255
! 295: iaddr: 10.7.7.7/24 bcast: 255.255.255.255
! 296: .fi
! 297:
! 298: From the output it is evident that we need the second interface.
! 299: As the argument of the program's
! 300: .B -i
! 301: option either the index of the second interface or its name
! 302: .B "\\\\Device\\\\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}"
! 303: can be given. In my opinion it is easier to launch the
! 304: program with the index instead of the name. For example:
! 305: .B dhcdrop -i 2
! 306:
! 307: \fIInteractive mode, by default\fP
! 308: .sp
! 309: The simplest way to use the program is to search for servers and choose
! 310: manually which one to suppress:
! 311:
! 312: .nf
! 313: $ sudo dhcdrop -i eth1
! 314: Using interface: 'eth1'
! 315: Got response from server 10.7.7.1 (IP-header 10.7.7.1), server ethernet address: 00:02:44:75:77:E4, lease time: 1.1h (3960s)
! 316: Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 10.7.7.201/24
! 317: Drop him? [y/n] n
! 318: Searching next server...
! 319: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
! 320: Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
! 321: Drop him? [y/n] y
! 322: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
! 323: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:A2:FA:12:41:F7 You IP: 192.168.1.3/24
! 324: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:56:EA:F8:1C:B0 You IP: 192.168.1.4/24
! 325: 4. Got BOOTREPLY (DHCPACK) for client ether: 00:EA:91:1A:C8:A8 You IP: 192.168.1.5/24
! 326: 5. Got BOOTREPLY (DHCPACK) for client ether: 00:83:8A:25:C7:1C You IP: 192.168.1.6/24
! 327: 6. Got BOOTREPLY (DHCPACK) for client ether: 00:CA:A7:FF:C1:70 You IP: 192.168.1.7/24
! 328: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 329: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 330: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 331: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 332: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 333: Finished.
! 334: .fi
! 335:
! 336: As the example shows, on receiving an answer from a DHCP server
! 337: .B dhcdrop
! 338: reports the server's information about the offered IP address and asks whether
! 339: this server should be suppressed. On a negative answer it goes on searching for
! 340: servers in the network, ignoring the server discovered before. On
! 341: a positive answer it starts suppressing the server using the
! 342: method described above.
! 343:
! 344: \fIAutomatic suppression of all servers except the legitimate one\fP
! 345: .sp
! 346: If we know (and usually we do) the MAC address of the legal DHCP server in our
! 347: network, suppressing illegal servers can be simplified:
! 348:
! 349: .nf
! 350: $ sudo dhcdrop -i eth1 -y -l 00:02:44:75:77:E4
! 351: Using interface: 'eth1'
! 352: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
! 353: Got BOOTREPLY (DHCPOFFER) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
! 354: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
! 355: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:94:26:88:33:BD You IP: 192.168.1.3/24
! 356: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:E5:AC:7B:79:BB You IP: 192.168.1.4/24
! 357: <skipped>
! 358: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 359: Finished.
! 360: .fi
! 361:
! 362: Used this way,
! 363: .B dhcdrop
! 364: suppresses every server except those given with the
! 365: .B -l
! 366: option, without asking any questions (because of option
! 367: .B -y
! 368: ).
! 369:
! 370: \fITest mode\fP
! 371: .sp
! 372: Test mode (
! 373: .B -t
! 374: ) is convenient for running the program from scripts in automated mode.
! 375: An example of the simplest script is below:
! 376:
! 377: .nf
! 378: 00 #!/bin/bash
! 379: 01 LEGAL_SERVER="00:11:22:33:44:55"
! 380: 02 DROPPER="/usr/sbin/dhcdrop"
! 381: 03 IFNAME="eth1"
! 382:
! 383: 04 "$DROPPER" -i "$IFNAME" -t -l "$LEGAL_SERVER" -m 3   # test mode: detect only
! 384:
! 385: 05 if [ $? -eq 200 ]   # 200 = a server other than LEGAL_SERVER answered
! 386: 06 then
! 387: 07 echo "Illegal server found! Dropping him!"
! 388: 08 "$DROPPER" -i "$IFNAME" -l "$LEGAL_SERVER" -y   # suppress all but the legal server
! 389: 09 else
! 390: 10 echo "Illegal server not found."
! 391: 11 fi
! 392: .fi
! 393:
! 394: In the fourth line (04)
! 395: .B dhcdrop
! 396: is launched in test mode with the option naming the legal DHCP server
! 397: of the network (
! 398: .B -l
! 399: ), the test option (
! 400: .B -t
! 401: ) and the option setting the maximum number of attempts to send DHCPDISCOVER
! 402: while searching for a server (
! 403: .BR -m ).
! 404: If none of the requests sent is answered, the program
! 405: exits with code 0. If an answer comes from a server not named with the
! 406: .B -l
! 407: option, the program exits with code 200, which leads to the program being
! 408: launched again with options that suppress every DHCP server
! 409: in the network except the legal one.
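An alert-only variant of the wrapper above, as an added example that is not part of the original page or of dhcdrop: it runs test mode, parses the "DHCP SRV:" line shown under option -t, and reports the unlisted server's addresses without suppressing anything. The function names, the report format and the treatment of exit codes other than 0 and 200 as errors are assumptions; the "Using interface" line in the demonstration input is constructed.

```shell
#!/bin/sh
# Added example (not part of dhcdrop): alert-only wrapper around test mode.
DROPPER="${DROPPER:-/usr/sbin/dhcdrop}"   # path taken from the page's script

parse_test_output() {
    # Extract the fields of the "DHCP SRV: ..." line from dhcdrop -t output.
    sed -n 's/^[[:space:]]*DHCP SRV: \([0-9.]*\) (IP-hdr: \([0-9.]*\)) SRV ether: \([0-9A-Fa-f:]*\), YIP: \([0-9.]*\).*$/server_ip=\1 ip_hdr=\2 server_mac=\3 offered_ip=\4/p'
}

triage() {
    # $1 = dhcdrop exit status, $2 = captured output
    case "$1" in
        200)
            fields=$(printf '%s\n' "$2" | parse_test_output)
            if [ -n "$fields" ]; then
                echo "ALERT rogue-dhcp $fields"
            else
                echo "ALERT rogue-dhcp unparsed-output"
            fi ;;
        0)  echo "OK no-unlisted-dhcp-server" ;;
        *)  echo "ERROR dhcdrop-exit=$1" ;;   # other codes: see dhcdrop -h
    esac
}

scan_segment() {
    # $1 = interface, $2 = MAC of the legitimate server. Test mode only:
    # nothing is suppressed, the result is just reported.
    out=$("$DROPPER" -i "$1" -t -l "$2" -m 3)
    rc=$?
    triage "$rc" "$out"
}

# Demonstration on the sample line from the -t description (no network access).
triage 200 "Using interface: 'eth1'
DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether: 00:02:44:75:77:E4, YIP: 10.7.7.205"
```

The reported server MAC address is what a switch's forwarding table is searched for to locate the port the unlisted server is attached to.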
! 410:
! 411: \fIUsage of aggressive mode for receiving addresses\fP
! 412: .sp
! 413: As you can guess from the description of the DHCP protocol, if a client has received
! 414: its configuration from an illegal DHCP server, the server will not give
! 415: that configuration to another client until the lease period expires.
! 416: So simply exhausting the IP address pool will not save clients that have already
! 417: received an incorrect configuration. The server will give these addresses only to
! 418: the clients that requested them initially and will ignore requests from
! 419: .BR dhcdrop .
! 420: When they try to renew the address, the clients will again receive
! 421: information from the illegal DHCP server, and this will continue until
! 422: the illegal DHCP server is switched off. To solve this problem
! 423: an aggressive mode of obtaining IP addresses was added to dhcdrop starting with version 0.5.
! 424: It is activated with the
! 425: .B -L
! 426: option, which gives the legitimate IP subnet for the given Ethernet segment of the network.
! 427: The algorithm of its operation is as follows:
! 428: .B dhcdrop
! 429: runs the ordinary suppression mode and exhausts the whole IP address
! 430: pool of the illegal DHCP server. It analyzes the first DHCPOFFER received from the illegal
! 431: DHCP server and, using the network mask and the client IP address handed out by the
! 432: server, derives the address of the IP network served by this server.
! 433: It launches an ARP scan of that subnet in order to find hosts
! 434: that received incorrect configuration information. By default the number of scanned
! 435: hosts is limited to 512 (this can be changed with the
! 436: .B -M
! 437: option); some servers hand out a configuration with a /8 mask, which
! 438: corresponds to approximately 16 million hosts, and scanning such an address range
! 439: would take a lot of time. It sends DHCPRELEASE messages to the DHCP server from every
! 440: host found (except the server itself). It waits 60 seconds
! 441: (the default value, which can be changed with the
! 442: .B -w
! 443: option) and then restarts the process of obtaining IP addresses.
! 444: As an example let's launch
! 445: .B dhcdrop
! 446: with the same options as in the previous example but
! 447: additionally specify the legal IP network 10.7.7.0:
! 448:
! 449: .nf
! 450: $ sudo dhcdrop -i eth1 -y -l 00:02:44:75:77:E4 -L 10.7.7.0
! 451: Using interface: 'eth1'
! 452: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
! 453: Got BOOTREPLY (DHCPOFFER) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
! 454: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
! 455: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:FB:E7:A4:19:EC You IP: 192.168.1.6/24
! 456: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:CB:44:F9:A8:6F You IP: 192.168.1.7/24
! 457: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 458: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 459: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 460: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 461: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 462: Trying to use agressive mode.
! 463: Starting ARP scanning network in range: 192.168.1.0 - 192.168.1.255...
! 464: Illegal DHCP server perhaps assigned IP adresses to the following hosts:
! 465: 1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1) - itself DHCP server.
! 466: 2. Received ARP-reply from: 00:03:ff:15:52:90 (192.168.1.3)
! 467: 3. Received ARP-reply from: 00:03:ff:14:52:90 (192.168.1.4)
! 468: 4. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200)
! 469: Sending DHCPRELEASE for invalid clients:
! 470: Send DHCPRELEASE for host 00:03:ff:15:52:90 (192.168.1.3).
! 471: Send DHCPRELEASE for host 00:03:ff:14:52:90 (192.168.1.4).
! 472: Send DHCPRELEASE for host 00:a0:c5:30:52:90 (192.168.1.200).
! 473: Restart dropping DHCP server after 60 seconds timeout...
! 474: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
! 475: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:F1:32:14:60:A3 You IP: 192.168.1.3/24
! 476: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:2D:1C:80:ED:12 You IP: 192.168.1.4/24
! 477: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 478: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 479: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 480: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 481: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
! 482:
! 483: WARNING: Failed to take away all the IP addresses assigned by DHCP server.
! 484: Perhaps DHCP server checks availability of IP addresses by sending ARP-request
! 485: before assigning them. Try to restart dhcpdrop later. If it doesn't help
! 486: try to disconnect problem hosts temporarily, then send manually DHCPRELEASE
! 487: from address of this hosts (use option -R) and restart dhcdrop.
! 488:
! 489: Finished.
! 490: .fi
! 491:
! 492: Explanation of the program's results.
! 493:
! 494: After the message "Trying to use aggressive mode" is printed, an ARP scan of the subnet
! 495: served by the illegal DHCP server starts over the stated range.
! 496: As a result 4 hosts are found, including the DHCP server itself (the first host).
! 497: Then dhcdrop sends a DHCPRELEASE message to the server 192.168.1.1 from the addresses
! 498: (Ethernet & IP) of all the hosts found in the subnet except the DHCP server itself, and pauses
! 499: for 60 seconds. The timeout is needed because some DHCP servers hold off giving out
! 500: an IP address to a new client for a short time after receiving DHCPRELEASE from
! 501: the previous client. If necessary the timeout value can be changed with the
! 502: .B -w
! 503: option. When the timeout expires dhcdrop starts obtaining the released IP addresses.
! 504: We succeeded in obtaining IP addresses 192.168.1.5 (it was received initially when
! 505: the program started), 192.168.1.3 and 192.168.1.4. The last two addresses were
! 506: successfully released by the server after it received the DHCPRELEASE messages generated by
! 507: dhcdrop. We failed to obtain the address 192.168.1.200, even though this host is present
! 508: in the network and a DHCPRELEASE message was sent from its address. One of
! 509: the reasons for such a failure is described in the warning at the end of the program's output:
! 510: before giving out an address, a DHCP server can check whether a host with the requested IP
! 511: address exists, and give out the address only if no such host is present
! 512: in the network. Otherwise no new lease for this address is given out. In this
! 513: situation it can help to disconnect the problem hosts from the network manually and send DHCPRELEASE
! 514: messages from these hosts' addresses to the server (see the example below).
! 515: After this the process of obtaining IP addresses has to be restarted.
! 516: In our case, however, that is not the problem. The host 192.168.1.200 has a statically set
! 517: IP address and has therefore never requested a configuration from the DHCP server.
! 518: The legal network has to be specified to launch aggressive mode so that
! 519: dhcdrop can check whether the address range given out by the illegal DHCP server overlaps the
! 520: address range of the subnet where it was discovered. If the address ranges overlap,
! 521: the ARP scan would also cover hosts that have the correct configuration
! 522: and would produce incorrect information. For this reason, if an overlap
! 523: of the address ranges is detected, aggressive mode is not launched.
! 524:
! 525: \fISending DHCPRELEASE message\fP
! 526: .sp
! 527: You may need to send a DHCPRELEASE message manually, for example
! 528: for the reason mentioned in the previous example. You can do this with the
! 529: .B -R
! 530: option:
! 531:
! 532: .nf
! 533: $ sudo dhcdrop -i eth1 -R -s 192.168.1.1 -F 192.168.1.4 00:2D:1C:80:ED:12
! 534: Using interface: 'eth1'
! 535: Send DHCPRELEASE from 00:2D:1C:80:ED:12 client IP 192.168.1.4 to DHCP server 192.168.1.1
! 536: Finished.
! 537: .fi
! 538:
! 539: Option
! 540: .B -s
! 541: sets the server's IP address,
! 542: .B -F
! 543: sets the DHCP client's IP address, and 00:2D:1C:80:ED:12 sets the client's Ethernet address.
! 544: As a result a packet of this kind will be sent to the network:
! 545: .nf
! 546:
! 547: 16:13:43.887735 00:2d:1c:80:ed:12 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
! 548: (tos 0x10, ttl 64, id 29807, offset 0, flags [none], proto UDP (17), length 328)
! 549: 0.0.0.0.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:2d:1c:80:ed:12,
! 550: length 300, xid 0xb2f04a28, Flags [none]
! 551: Client-IP 192.168.1.4
! 552: Client-Ethernet-Address 00:2d:1c:80:ed:12
! 553: Vendor-rfc1048 Extensions
! 554: Magic Cookie 0x63825363
! 555: DHCP-Message Option 53, length 1: Release
! 556: Server-ID Option 54, length 4: 192.168.1.1
! 557: Client-ID Option 61, length 7: ether 00:2d:1c:80:ed:12
! 558: .fi
! 559:
! 560: \fIScanning the network's segment\fP
! 561: .sp
! 562: You can use an ARP scan of the network to search for clients that received incorrect configuration information. This is done with the
! 563: .B -S
! 564: option:
! 565:
! 566: .nf
! 567: $ dhcdrop -i eth1 -S 192.168.1.0/24
! 568: Using interface: 'eth1'
! 569: Starting ARP-scanning for subnet 192.168.1.0/24.
! 570: IP address range 192.168.1.0 - 192.168.1.255.
! 571: WARNING: Source IP is not set (use option -F).
! 572: Using random value for source IP address: 192.168.1.195
! 573: 1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1).
! 574: 2. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200).
! 575: Finished.
! 576: .fi
! 577:
! 578: According to the warning printed by the program at launch, the source
! 579: IP address wasn't set. Because of this dhcdrop chooses a random IP address from the address
! 580: range of the stated subnet. If you need to set a source address, use the
! 581: .B -F
! 582: option. For this kind of scan the actual routing settings of your network are not
! 583: important. The interface set by option
! 584: .B -i
! 585: will always be used, on the assumption that the hosts of the
! 586: mentioned subnet are in the same Ethernet segment as the host where dhcdrop
! 587: is launched. This option also makes it possible to detect duplicate IP addresses in
! 588: the same segment of the network, even if the scan is run from the host
! 589: whose IP address is being duplicated by another host.
! 590: .SH AUTHOR
! 591: This program was written by Roman Chebotarev <roma@ultranet.ru>
! 592: .SH REPORTING BUGS
! 593: Please send any bugs, remarks, suggestions or wishes concerning this program to
! 594: <roma@ultranet.ru>
! 595: .SH MAN FILE
! 596: This manual page was prepared by Andrew Clark <andyc@altlinux.org>,
! 597: based on the articles of the author of the program,
! 598: web page http://www.netpatch.ru/en/dhcdrop.html
! 599: .SH TRANSLATION
! 600: The translation from Russian into English was made by Anna Makhtinger <mailmnoo@rambler.ru>