I never knew about this one but we had a reason to use it yesterday. Computers at one of the stores were being given false DNS entries by a false DHCP server. Since others may see this malware on their systems, the DNS servers it used were: 64.86.133.51 and 63.243.173.162
One of the machines in the dealership was acting as a DHCP server, but how to find it? The DHCP entries didn't give any clues because they said the false DHCP server was our gateway router. Even though the gateway router could support DHCP, it was not configured to do so. My first thought was to turn off our valid DHCP server, use Wireshark on a PC, initiate some DHCP requests from a PC, and see where the replies were coming from. That probably would've worked, but this was even easier.
DHCPLOC is a utility included in the Windows Support Tools. Basically you run it from a computer connected to the network and it will monitor DHCP replies. Depending on the syntax you use, it can filter out responses from your valid DHCP servers or just show everything. The syntax I used was:
dhcploc /p ComputerIPAddress ValidDHCPServerIPAddress
/p – dhcploc will not show packets from valid DHCP servers
ComputerIPAddress – IP address of the computer you are running dhcploc from
ValidDHCPServerIPAddress – IP address of the valid DHCP server that /p will ignore
Anyway it worked like a charm. DHCP replies were coming from an IP that shouldn’t be responding to DHCP requests. I looked up the IP, called the store, and had them unplug it from the network till I could get out there. Problem solved.
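The Wireshark approach described above (watch DHCP replies and filter out the known-good server, as dhcploc /p does) can be scripted. The following is an added example, not part of the original post or of DHCPLOC: it parses a captured DHCP payload, ignores replies from the valid server, and flags a reply whose frame source, claimed server identifier (option 54) or offered DNS servers (option 6) don't match what is expected. The 192.168.1.x addresses and the build_offer helper are constructed for illustration; the two DNS addresses are the ones named in the post.

```python
import ipaddress

# DHCP option codes (RFC 2132); OFFER/ACK are the server-side message types.
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
OFFER, ACK = 2, 5
MAGIC = b"\x63\x82\x53\x63"

def ips(raw: bytes) -> list:
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP op field and the TLV option area of one DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "opts": opts}

def check_reply(src_ip: str, payload: bytes, valid_servers: set, valid_dns: set) -> list:
    """Return findings for one captured reply (empty list = looks legitimate). src_ip is
    the IP-layer source of the frame, which a rogue cannot hide even if it forges option 54."""
    p = parse_dhcp(payload)
    mtype = p["opts"].get(OPT_MSG_TYPE, b"\x00")[0]
    if p["op"] != 2 or mtype not in (OFFER, ACK):
        return []                    # only BOOTREPLY OFFER/ACK packets matter here
    findings = []
    if src_ip not in valid_servers:
        findings.append(f"DHCP reply sent from unexpected host {src_ip}")
    claimed = ips(p["opts"].get(OPT_SERVER_ID, b""))
    if claimed and claimed[0] != src_ip:
        findings.append(f"option 54 claims server {claimed[0]} but frame came from {src_ip}")
    bad_dns = [d for d in ips(p["opts"].get(OPT_DNS, b"")) if d not in valid_dns]
    if bad_dns:
        findings.append("unexpected DNS servers offered: " + ", ".join(bad_dns))
    return findings

def build_offer(claimed_server: str, dns: list) -> bytes:
    """Construct a minimal DHCPOFFER payload for testing (synthetic, not capture data)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6   # BOOTREPLY, Ethernet, 6-byte hwaddr
    body = bytes([OPT_MSG_TYPE, 1, OFFER, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(claimed_server).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return bytes(hdr) + MAGIC + body + bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
```

In practice the payload and src_ip would come from the UDP/68 packets of a capture; a rogue that claims to be the gateway in option 54, as in the post, shows up as a mismatch between the claimed server and the frame's real source.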
I'll refer you to WindowsNetworking.com for more information on using DHCPLOC since that's where I learned about it.
