I Googled rogue IP addresses and reviewed https://community.spiceworks.com/topic/1895432-how-to-detect-a-rogue-dhcp-server-in-a-lan, which gave the following; it helps for Windows.
Windows
Oct 28, 2016 at 12:46 AM
Hi,
If you want to find the rogue server, you need to find its IP address and its hardware address. The 2nd address will help you identify where the server is physically on the network. Do this from one of the affected PCs at the command prompt:
Type "ipconfig /all" (without the quotes) and press ENTER. Scroll up to where you can see these lines (about 15 lines down):
Lease Obtained. . . . . . . . . . : 24 October 2016 09:03:38
Lease Expires . . . . . . . . . . : 31 October 2016 08:59:46
Default Gateway . . . . . . . . . : 192.168.100.254
DHCP Server . . . . . . . . . . . : 192.168.100.10
The last 2 entries will probably be different for you. We need to focus on the address for "DHCP Server".
Then type "arp -a" in the command prompt.
Look down the list until you find the same IP address as the DHCP server. An example will look like this:
Interface: 192.168.100.46 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.5         00-08-9b-f2-5b-62     dynamic
  192.168.100.10        00-15-5d-64-3c-01     dynamic
  192.168.100.11        00-15-5d-64-3c-0b     dynamic
  192.168.100.254       b0-b2-dc-70-c9-70     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.1             01-00-5e-00-00-01     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
We are interested in the hardware address which is the number in the 2nd column:
192.168.100.10 00-15-5d-64-3c-01 dynamic
Now google the first part of this number, i.e. 00-15-5d.
This will give you the manufacturer of the "bad" DHCP server.
Try this on your own PC to get the hardware address just to confirm your theory of a rogue DHCP server.
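The correlation the post walks through (DHCP Server address from "ipconfig /all", then its hardware address from "arp -a", then the OUI prefix to look up), as an added Python example that is not from the post or the Spiceworks thread. The two sample outputs are the ones quoted above; identify() compares each DHCP server seen against a known_servers allow-list that you supply, and run_windows_checks() is assumed to be run on a Windows host where it calls the two real commands.

```python
"""Correlate 'ipconfig /all' and 'arp -a' output to find the DHCP server's MAC.

Added example, not from the post.  IPCONFIG_SAMPLE and ARP_SAMPLE are the
outputs quoted in the post; run_windows_checks() runs the real commands.
"""
import re
import subprocess

# "DHCP Server . . . . . . : 192.168.100.10"  (dots and spaces between label and colon)
DHCP_SERVER_RE = re.compile(r"^\s*DHCP Server[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", re.M)
# "192.168.100.10   00-15-5d-64-3c-01   dynamic"
ARP_ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.M | re.I)

IPCONFIG_SAMPLE = """\
   Lease Obtained. . . . . . . . . . : 24 October 2016 09:03:38
   Lease Expires . . . . . . . . . . : 31 October 2016 08:59:46
   Default Gateway . . . . . . . . . : 192.168.100.254
   DHCP Server . . . . . . . . . . . : 192.168.100.10
"""

ARP_SAMPLE = """\
Interface: 192.168.100.46 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.5         00-08-9b-f2-5b-62     dynamic
  192.168.100.10        00-15-5d-64-3c-01     dynamic
  192.168.100.11        00-15-5d-64-3c-0b     dynamic
  192.168.100.254       b0-b2-dc-70-c9-70     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.1             01-00-5e-00-00-01     static
"""


def dhcp_servers(ipconfig_text):
    """Every 'DHCP Server' address listed (one per DHCP-enabled adapter)."""
    return DHCP_SERVER_RE.findall(ipconfig_text)


def arp_table(arp_text):
    """Map IP -> MAC (lower-case, dash-separated) from every interface block."""
    return {ip: mac.lower() for ip, mac, _ in ARP_ROW_RE.findall(arp_text)}


def oui(mac):
    """First three octets: the IEEE OUI prefix the post says to google."""
    return mac.lower()[:8]


def identify(ipconfig_text, arp_text, known_servers):
    """For each DHCP server the client used: its MAC, OUI and whether it is expected.

    mac is None when the ARP cache has no entry yet (the client has not talked
    to that address recently); ping the address once and re-run 'arp -a'.
    """
    arp = arp_table(arp_text)
    results = []
    for ip in dhcp_servers(ipconfig_text):
        mac = arp.get(ip)
        results.append({"ip": ip, "mac": mac,
                        "oui": oui(mac) if mac else None,
                        "expected": ip in known_servers})
    return results


def run_windows_checks(known_servers):
    """Live version (Windows only): run the two commands the post describes."""
    ipc = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    arp = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return identify(ipc, arp, known_servers)


if __name__ == "__main__":
    # Offline demonstration on the quoted outputs; 192.168.100.1 is a placeholder
    # for the address of the DHCP server you actually run.
    for r in identify(IPCONFIG_SAMPLE, ARP_SAMPLE, known_servers={"192.168.100.1"}):
        flag = "OK" if r["expected"] else "UNEXPECTED"
        print(f"{flag}: DHCP server {r['ip']} mac={r['mac']} oui={r['oui']}")
```

Only the "expected" field needs site knowledge: put the addresses of the DHCP servers you actually operate in known_servers and anything else the clients report is a candidate rogue worth tracing by its MAC on the switch.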
Macintosh and Linux
BTW arp -a works on Linux, and ipconfig /all is possibly replaced by ifconfig -a on Linux (although I see nothing about leases in the man page). If you have sudo access then maybe the following will help:
[root@pinger cottrell]# dhclient -d -nw eth0
Internet Systems Consortium DHCP Client 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/00:50:56:be:ee:30
Sending on LPF/eth0/00:50:56:be:ee:30
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x4d00071d)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8 (xid=0x4d00071d)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11 (xid=0x4d00071d)
<snip>
The following works on some systems:
sudo nmap --script broadcast-dhcp-discover -e eth0
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:25 UTC
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.14.67
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.14.1
| IP Address Lease Time: 0 days, 0:05:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.14.1
| Domain Name Server: 193.190.127.150
| Domain Name: maas
| Broadcast Address: 192.168.14.255
|_ NTP Servers: 91.189.91.157, 91.189.89.199, 91.189.94.4, 91.189.89.198
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.27 sec
However at SLAC on pinger I got:
[root@pinger cottrell]# sudo nmap --script broadcast-dhcp-discover -e eth0
Starting Nmap 5.51 ( http://nmap.org ) at 2017-10-30 11:20 PDT
NSE: failed to initialize the script engine:
/usr/share/nmap/nse_main.lua:576: 'broadcast-dhcp-discover' did not match a category, filename, or directory
stack traceback:
[C]: in function 'error'
/usr/share/nmap/nse_main.lua:576: in function 'get_chosen_scripts'
/usr/share/nmap/nse_main.lua:1006: in main chunk
[C]: ?
QUITTING!
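When the nmap script is not available (as with Nmap 5.51 above), the same DHCPDISCOVER/DHCPOFFER exchange can be done directly. The following is an added example, not from this page or from nmap: it builds the DISCOVER the client sends, decodes every OFFER that comes back (the fields the nmap output above prints: offered IP, server identifier, lease time, router) and lists any server identifier not in an allow-list. build_offer() is only there to construct test input, i.e. the server side of the exchange. collect_offers() needs root to bind UDP port 68 and the host's own DHCP client must not be holding that port; the MAC, xid and addresses used in the demonstration are the ones quoted on this page, and the allow-list is a placeholder.

```python
"""Send one DHCPDISCOVER and record every DHCPOFFER that answers (RFC 2131).

Added example, not from the page.  The packet builders and the parser are
pure functions; only collect_offers() touches the network (needs root for
UDP port 68, and dhclient must not be bound to it at the same time).
"""
import random
import socket
import struct
import time

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2              # option 53 message types
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file


def _header(op, xid, mac, yiaddr="0.0.0.0"):
    zero4 = b"\0" * 4
    # flags=0x8000 asks the server to broadcast its reply, so we see it even
    # though our chaddr is not the NIC's real MAC.
    return struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                       zero4, socket.inet_aton(yiaddr), zero4, zero4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def _options(items):
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return MAGIC + body + b"\xff"            # 255 = end of options


def build_discover(xid, mac):
    """Client side: DISCOVER requesting subnet mask, router, DNS and server id."""
    return _header(BOOTREQUEST, xid, mac) + _options([
        (53, bytes([DHCPDISCOVER])),
        (55, bytes([1, 3, 6, 54])),
    ])


def build_offer(xid, mac, yiaddr, server_id, router, lease_secs):
    """Server side: a minimal OFFER, used here only to construct test input."""
    return _header(BOOTREPLY, xid, mac, yiaddr) + _options([
        (53, bytes([DHCPOFFER])),
        (54, socket.inet_aton(server_id)),
        (51, struct.pack("!I", lease_secs)),
        (1, socket.inet_aton("255.255.255.0")),
        (3, socket.inet_aton(router)),
    ])


def parse_dhcp(data):
    """Decode header and options; None if not DHCP.  Stops cleanly on truncation."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    op, _, _, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack_from(
        "!BBBBIHH4s4s4s4s16s", data)
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                     # pad byte
            i += 1
            continue
        if i + 1 >= len(data):               # code without a length byte
            break
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:              # option runs past end of packet
            break
        opts[code] = value
        i += 2 + length
    ip = lambda b: socket.inet_ntoa(b) if len(b) == 4 else None
    return {
        "op": op, "xid": xid, "yiaddr": ip(yiaddr), "chaddr": chaddr[:6].hex("-"),
        "message_type": opts[53][0] if 53 in opts else None,
        "server_id": ip(opts.get(54, b"")), "router": ip(opts.get(3, b"")),
        "lease_secs": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def unexpected_servers(offers, allowed):
    """Server identifiers in OFFERs that are not in the allow-list of known servers."""
    return sorted({o["server_id"] for o in offers
                   if o["message_type"] == DHCPOFFER and o["server_id"] not in allowed})


def collect_offers(timeout=3.0, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Broadcast one DISCOVER (locally administered MAC) and gather all OFFERs."""
    xid = random.getrandbits(32)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("", 68))                      # privileged port
    sock.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    offers, deadline = [], time.monotonic() + timeout
    while (left := deadline - time.monotonic()) > 0:
        sock.settimeout(left)
        try:
            data, (src, _) = sock.recvfrom(2048)
        except socket.timeout:
            break
        pkt = parse_dhcp(data)
        if pkt and pkt["op"] == BOOTREPLY and pkt["xid"] == xid:
            pkt["from"] = src                # UDP source; usually equals server_id
            offers.append(pkt)
    sock.close()
    return offers


if __name__ == "__main__":
    found = collect_offers()
    for o in found:
        print(f"offer {o['yiaddr']} from {o['server_id']} (udp src {o['from']}), lease {o['lease_secs']}s")
    print("unexpected servers:", unexpected_servers(found, allowed={"192.168.14.1"}))  # placeholder allow-list
```

Unlike the single offer nmap printed above, collect_offers() keeps listening until the timeout, so a second server answering the same xid shows up as a second entry; comparing the UDP source address with the server identifier option is a cheap extra consistency check.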