Home > Network Access, Policy Enforcement > Rogue Machine Discovery Using DHCP Hostname Analysis

Rogue Machine Discovery Using DHCP Hostname Analysis

October 23rd, 2009 Leave a comment Go to comments

An important aspect of defending one’s network is controlling what devices actually get on said network. In fact, several of the big name IT regulatory schemes – SoX specifically, though probably some of the others as well – have specific requirements to control access to network assets. Depending on the nature of a business, the financial resources available, and the prevailing culture of the workplace this can either be a relatively simple task or something approaching the Sisyphean level. There are also two levels of people we are trying to keep off: end-users who are either ignorant or dismissive of established policy concerning network access and the “determined individual”, be them malicious or just not wanting to follow the rules.

This process was developed at ThatPlaceIWorkâ„¢ as a stop-gap measure to help determine machines that were attached to the internal network but which were not maintained or managed by us. It is definitely aimed at the first group mentioned above – it is somewhat trivial to overcome by a knowledgeable person, but that is not the goal of the exercise. Our business, by the nature of our industry, is very free-flowing and the culture does not adapt well to overt controls – any controls that are leveraged have to walk a fine line between effectiveness and intrusiveness. The vast majority of machines that are being placed on the network that should not be there are either personal machines of employees or those of guests being brought into the agency. Some of these machines come in infected with malware, as determined by our IPS systems. They have no business being on the internal network and there is written policy against such a practice. Weak consequences of policy infringement keep these policies from being effective on their own. Therefore we developed this process to help control the use of undesired machines until such time as a better process could be put in place. Again, this is not a NAC solution, it is merely a way to quickly narrow down a list of machines that may be on the network in defiance of policy. If you really want to keep machines properly segmented, either implement something like wired 802.1X (which we are moving to) or full-body cavity searches at the door.

Okay, so here is the juicy stuff. As part of a DHCP address request process, each host is supposed to register their hostname with the issuing DHCP server. In a typical corporate environment, hosts are named in a predictable manner e.g joesmith-0fa3, marythom-aa43, samanderso-fff5, etc. In this environment, each host also has a fairly standard set of ports that are open on the host. For us, each host has a set of ports open for our AV management software. These are fairly unique and not typical of a standard user’s machine. By examining both a list of open ports and hostnames as reported to DHCP, it becomes manageable to watch a network for machines that are not supposed to be there. To facilitate this, I’ve written a PERL application that uses an older element (DHCPCMD) of the NT 4 resource kit (for some reason this was not brought into new versions of Windows). Obviously, this method assumes you are using a MS DHCP server. The methodology here should work for other systems, but you’ll have to figure out how to grab the information from DHCP.

For the script, you’ll need the following:

  • PERL plus the Mail::Sender module.
  • DHCPCMD
  • nmap

You’ll also need to define the following in the script itself:

  • The pattern for a ‘good’ host
  • The path to DHCPCMD
  • An array of your DHCP servers
  • An array of your DHCP Scopes
  • The path to an ignored hostnames file. This is helpful in the case that you have strangely named hosts that are acceptable on the network. One hostname per line.
  • The path to your nmap executable
  • An address to email the results to
#! c:\Perl\Perl.exe

# DHCP lease reader and rogue machine scanner

use Mail::Sender;

# Define variables

# 1. Good machine regex pattern
$goodHost = "";

# 2. Array of exception names
@knownExceptions = ();

# 3. DHCPCMD executable
$dhcpcmd = "";

# 4. DHCP servers
@dhcpServers = (  );

# 5. Scopes
@dhcpScopes = (  );

# 6. Ignore file location
$ignoreFile = "";

@ignoreThese = ();
# Open the ignore file and build the array
open(IGNORE, "< $ignoreFile");

while() {
chomp;
push(@ignoreThese, $_);
}

for $ignPatt  (@ignoreThese) {
$ignoreString .= "$ignPatt|";
}

chop $ignoreString;

# 7. Path to NMAP

$nmap = "";

# 8. Ports to scan

$ports = "";

# 9. Address to email results to

$address = "";

# Check each DHCP for current leases

foreach $server (@dhcpServers) {
foreach $scope (@dhcpScopes) {
$currentLeases = `"$dhcpcmd" $server enumclients $scope -h`;
@leaseArray = split(/\n/, $currentLeases);
foreach $lease (@leaseArray) {
next if $lease =~ m/DHCP\s+Server\s+version/;
next if $lease =~ m/Command\s+successfully\s+completed/;
chomp $lease;
@elems = split(/\s+/, $lease);
$ip = $elems[1];
$hostName = $elems[2];
$hostName =~ s/\..*//i;
$macAddress = $elems[3];
#if ( $hostName !~ m/\(null\)/i || $hostName !~ m/^(det1|jwt)/i ) {
if ( $hostName !~ m/^(det1|jwt|Netboot)/i && $hostName !~ m/($ignoreString)/i ){
$scan = `"$nmap" -sS --open -PN -p$ports $ip`;

@lines = split(/[\n\r]/, $scan);

$openPorts = "";
foreach $line (@lines) {
if ( $line =~ /^\d+\/tcp/ ) {
$openPorts .= "$line;";
}
}
if ( ! $openPorts ) {
$openPorts = "Host not online or no open ports";
}
$rogueMachines .= "

$ip
$hostName
$macAddress
$openPorts

";
}
}
}
}

if ( $rogueMachines ) {
$mailer = new Mail::Sender;
$mailer->Open({to => "$address", subject => "Rogue Machine Report", headers=> "MIME-Version: 1.0\r\nContent-type: text/html\r\nContent-Transfer-Encoding: 7bit"}) or die $Mail::Sender::Error,"\n";

$header = "

The following possible rogue machines have been found through scanning DHCP leases:

";
$footer = "
IP address Hostname MAC address Open Ports
"; chop $ipString; $msg = "$header" . "$rogueMachines" . "$footer"; $mailer->Send($msg); $mailer->Close(); }

The resulting email will contain a list of machines that did not match the defined hostname pattern, the MAC and IP of that machine, and the open ports that nmap found. This should allow you much faster analysis of the machines on your network that may not belong there. Is it perfect? Hell no! It is defeatable? Hell yes! Is it better than willful ignorance? Sure it is.

From the pentester’s perspective, what can we do with this same method? Well, if a domain account with sufficient level of permissions is gained, doing DHCP hostname analysis may allow us to discover the IP’s, MAC addresses, and hostnames of any device on the network that utilizes that server for DHCP. This is basically a way to do host enumeration without dropping a ton of packets on the wire or communicating with each host.

Now that you have a list of suspected rogue machines, what can you do to keep them off the network? Microsoft has an extension for Windows 2003 that allows for black or white listing machines via MAC address. I’ll detail this setup in another post. Happy hunting!

  1. No comments yet.
  1. No trackbacks yet.