A Quick Reality Check
I’ve been working in security, and one of the things that genuinely bothers me is how many people think DHCP is just… boring background stuff. A protocol that assigns IP addresses. Nothing to worry about.
Wrong. Dead wrong.
Here’s the thing: every time someone plugs a laptop into your network, connects their phone to your Wi-Fi, or boots up a printer, your network is broadcasting identifying information about that device to literally anyone listening. And I mean anyone – they don’t need credentials, they don’t need to be clever, and they definitely don’t trigger any alarms.
This is how I’m going to walk you through it.
What Actually Happens When a Device Joins Your Network
Let me break down the simple version first. You’ve got a laptop. Employee walks in, connects to your network. What happens?
The laptop goes: “Hey, is there anyone out there who can give me an IP address?”
And it broadcasts this question on the network. I’m talking broadcasts to every single device on your VLAN. The DHCP server hears it and responds: “Sure, here’s an IP, here’s your DNS server, here’s your gateway.”
Sounds normal, right? Boring infrastructure stuff.
But here’s what nobody talks about: when that laptop asks the question, it’s not just asking for an IP. It’s also saying:
- “By the way, my name is ADMIN-LAPTOP-03”
- “I’m made by Dell (you can tell from my hardware address)”
- “I’m a Windows machine from this company (based on my network signature)”
- “I need DNS, a gateway, and a time server”
That last one might sound innocuous, but it tells an attacker: “This network has centralized DNS and NTP infrastructure.”
All of this information is broadcast. In plaintext. To everyone on the network.
Visual: What Happens During DHCP
Let me draw this out so it’s clearer:
┌─────────────────────────────────────────────────────────────────┐
│ YOUR NETWORK │
│ (VLAN 10) │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ PRINTER │ │ SERVER-DB │ │ FIREWALL │ │
│ │ (Listens) │ │ (Listens) │ │ (Listens) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌────────────────────────────────────┐ │
│ │ ATTACKER (on network) │ │
│ │ Running: tcpdump/Wireshark │ ◄─ Listening │
│ │ (Also Listens) │ │
│ └────────────────────────────────────┘ │
│ ▲ │
│ │ DHCP BROADCAST │
│ │ (to EVERYONE) │
│ │ │
│ ┌────┴──────┐ │
│ │ LAPTOP │ │
│ │ "Hi, I'm │ │
│ │ADMIN-LT-03"│ │
│ └────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
See the problem? The laptop is broadcasting. Everyone hears it. The DHCP server responds. But so could an attacker if they wanted to.
The Specific Intel Being Broadcast
Let me get into what an attacker actually learns from listening to these broadcasts:
1. Device Names (Hostnames)
When your laptop asks for an IP, it includes its hostname. You know, the name your IT department gave it.
I’ve seen:
ADMIN-LAPTOP-03FINANCE-WORKSTATION-7PROD-DB-SERVERDOMAIN-CONTROLLER-PRIMARYVPN-GATEWAY-01
An attacker sitting there hears these names and immediately thinks: “Okay, so the database servers are called PROD-DB-*, the domain controller is critical infrastructure, and there’s a VPN gateway I should target.”
They’ve built an organizational map without touching a damn thing.
2. Hardware Fingerprints (OUI)
Every network card has a MAC address. The first three bytes of that MAC address tell you the manufacturer. It’s literally registered with the IEEE (Institute of Electrical and Electronics Engineers).
Dell devices start with certain patterns. HP printers with others. Cisco gear with others. Oracle VirtualBox (virtual machines) with yet others.
So when an attacker sees MAC addresses, they immediately know:
00:1A:2B:xx:xx:xx → "This is Cisco networking equipment"
50:E5:49:xx:xx:xx → "This is HP (printers probably)"
08:00:27:xx:xx:xx → "This is a virtual machine (Oracle VirtualBox)"
DC:A6:32:xx:xx:xx → "This is a Raspberry Pi"
FC:AA:14:xx:xx:xx → "This is Apple hardware"
An attacker doesn’t need Shodan or fancy reconnaissance tools. They just look at the hardware addresses and think: “Okay, so they’ve got core networking gear from Cisco, probably 15 HP printers, and they’re running at least 3 virtualized systems.”
That tells them about your infrastructure.
3. Device Types (Vendor Class)
Devices also announce what they are. Your VoIP phone says “I’m a Yealink phone.” Your printer says “I’m an HP LaserJet.” Your network equipment says “I’m a Cisco device.”
This is in a field called the vendor class identifier. It’s there to help DHCP servers configure things correctly, but it also broadcasts what you own.
"yealink" → They have VoIP infrastructure
"HP-LaserJet" → They have HP printing infrastructure
"Cisco" → They have Cisco switches/routers
"Dell PowerEdge" → They have Dell servers
"Fortinet" → They have Fortinet firewalls
4. What Services Are Expected
When a device asks for an IP, it also says: “By the way, I’ll need DNS, a time server, a gateway, and maybe a TFTP server.”
That list of “I’ll need” tells an attacker what services your network probably has:
- Asking for DNS option? You’ve got centralized DNS.
- Asking for NTP (time server)? You’ve got time sync infrastructure.
- Asking for TFTP? You’ve got network boot infrastructure (probably for servers).
- Asking for WPAD (web proxy)? You’ve got a proxy gateway they need to know about.
An attacker builds a services map of your network just by listening.
Visual: What An Attacker Learns in One Day
Let me show you what a typical attacker sees if they sit on your network for 24 hours:
┌──────────────────────────────────────────────────────────────────┐
│ WHAT ATTACKER COLLECTS IN 24 HOURS (PASSIVE) │
├──────────────────────────────────────────────────────────────────┤
│ │
│ DEVICE INVENTORY: │
│ ├─ 47 Windows Workstations (Dell hardware mostly) │
│ ├─ 12 Servers (Mix of Dell and HP) │
│ ├─ 8 Printers (All HP) │
│ ├─ 3 Yealink VoIP Phones │
│ ├─ 2 Cisco Network Appliances │
│ └─ 15 Misc IoT devices (Raspberry Pis, smart devices) │
│ │
│ HOSTNAMES DISCOVERED: │
│ ├─ ADMIN-LAPTOP-01, ADMIN-LAPTOP-02 (High value) │
│ ├─ DB-PROD-01, DB-PROD-02 (Critical data) │
│ ├─ MAIL-SERVER-PRIMARY (Email infrastructure) │
│ ├─ DC-PRIMARY (Domain controller) │
│ ├─ BACKUP-SERVER-01 (Backup infrastructure) │
│ └─ FORTINET-FW (Firewall - worth compromising) │
│ │
│ INFRASTRUCTURE INTEL: │
│ ├─ They have NTP servers (time sync matters to them) │
│ ├─ They have centralized DNS (domain search: "company.local") │
│ ├─ They have TFTP infrastructure (network boot) │
│ └─ They use Fortinet for security (security tools to work around)│
│ │
│ OPERATIONAL PATTERNS: │
│ ├─ Workstations mostly offline on weekends │
│ ├─ Servers always on (stable uptime) │
│ ├─ Peak device connections 8am-5pm (normal business hours) │
│ └─ 3 devices boot at exactly 2am (automatic backup?) │
│ │
│ ORGANIZATIONAL STRUCTURE (from naming): │
│ ├─ Finance department (FINANCE-PRINTER-*, FINANCE-WS-*) │
│ ├─ HR department (HR-WORKSTATION-*) │
│ ├─ IT department (INFRA-*, ADMIN-*) │
│ └─ Research team (RESEARCH-LAB-SYSTEM-*) │
│ │
│ ZERO ALERTS TRIGGERED │
│ ZERO AUTHENTICATION NEEDED │
│ ZERO EVIDENCE THEY WERE LOOKING │
│ │
└──────────────────────────────────────────────────────────────────┘
All of that from just listening. No passwords needed. No fancy exploits. Just: connect to network, run tcpdump, wait.
Why This Works (The Technical Reality)
Here’s the boring but important part: DHCP was designed in 1993.
In 1993, the internet was different. Network access meant trust. If you were plugged into a network, you were probably authorized to be there. Attacks from inside the network? That wasn’t really a threat model.
So DHCP was built with these assumptions:
- Everyone on the network is (mostly) trusted
- Speed matters more than security
- We need broadcasts because clients don’t know the server’s address
The DHCP process works like this:
Client Server
│ │
├─ "DHCPDISCOVER" (broadcast to everyone) ──>│
│ (Contains: hostname, MAC, vendor, needs) │
│ │
│<─ "DHCPOFFER" (here's an IP) ──┤
│ │
├─ "DHCPREQUEST" (I'll take it) ──>│
│ (Broadcast again - everyone sees this) │
│ │
│<─ "DHCPACK" (IP is yours) ──┤
│ │
Notice something? The discover and request are broadcasts. That means every device on the VLAN hears them.
And here’s the kicker: there’s no encryption, no authentication, no “who are you?” None of that.
A legitimate DHCP server responds. But an attacker could respond too, and the client would just take the first offer it gets (in many cases).
Visual: DHCP Broadcast Path
┌──────────────────────────────────────────────────────────┐
│ DHCP DISCOVERY BROADCAST │
│ │
│ Step 1: Client broadcasts "I need an IP" │
│ │
│ ╔════════════════════════════════╗ │
│ ║ DHCPDISCOVER (Broadcast) ║ │
│ ║ ───────────────────────── ║ │
│ ║ Source IP: 0.0.0.0 ║ │
│ ║ Dest IP: 255.255.255.255 ║ │
│ ║ (Broadcast to ENTIRE VLAN) ║ │
│ ║ ║ │
│ ║ Contains: ║ │
│ ║ • Hostname: ADMIN-LAPTOP-03 ║ │
│ ║ • MAC: 00:1A:2B:A3:F4:D2 ║ │
│ ║ • Vendor: "Dell" ║ │
│ ║ • Needs: DNS, Gateway, NTP ║ │
│ ╚════════════════════════════════╝ │
│ │ │
│ ┌──────────────┼──────────────┐ │
│ ▼ ▼ ▼ ▼ │
│ [DHCP Srv] [Printer] [Switch] [Attacker] │
│ (hears it) (hears it) (hears it) (hears it) │
│ │ │ │
│ └─────────────────────────────────────────────┘ │
│ Everyone sees this! │
│ │
└──────────────────────────────────────────────────────────┘
This is the core problem. The broadcast reaches everyone.
Real Attack: How It Actually Plays Out
Let me walk you through what a real attacker does. I’ve seen this pattern repeated:
Day 1: Passive Reconnaissance
- Attacker gets on your network (physical port, Wi-Fi, compromised device, vendor connection)
- Runs
tcpdump -i eth0 'udp port 67 or 68' -w capture.pcapor opens Wireshark - Leaves it running for 24-48 hours
- No one notices anything. No alarms. No logs showing they did anything wrong.
What They Now Know
- Every device on the network and what it’s called
- The hardware each device uses (manufacturer intel)
- What type of device it is (server, printer, phone, workstation)
- Your organizational structure (HR, Finance, IT departments based on naming)
- Your critical infrastructure (database servers, domain controllers, backup systems)
- Your network services (DNS servers, time servers, proxy servers)
Day 2: Targeted Attack
- They now know exactly which systems matter
- They know which vendors you use (helpful for exploits)
- They know your naming convention (helps social engineering)
- They pick the highest-value targets: domain controller, database server, backup system
- They attack those specific systems instead of scanning randomly
The reconnaissance gives them a shopping list. Instead of attacking 87 random systems, they attack the 3 that actually matter.
Visual: Attacker’s Workflow
┌──────────────────────────────────────────────────────────────────┐
│ ATTACK WORKFLOW │
├──────────────────────────────────────────────────────────────────┤
│ │
│ PHASE 1: PASSIVE LISTENING (24-48 hours) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Attacker connects to network with monitoring interface │ │
│ │ Runs: tcpdump -i eth0 'udp port 67 or 68' │ │
│ │ Collects: All DHCP traffic (unencrypted, broadcast) │ │
│ │ Alert Level: ZERO ⬅ Nothing suspicious looking │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ PHASE 2: INTELLIGENCE GATHERING │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Parse DHCP packets: │ │
│ │ • Extract hostnames → identify critical systems │ │
│ │ • Extract MACs → determine manufacturers │ │
│ │ • Extract vendor class → identify device types │ │
│ │ • Map organizational structure from naming │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ INTELLIGENCE SUMMARY: │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Critical Systems Identified: │ │
│ │ ├─ DC-PRIMARY (Domain Controller) ← ATTACK FIRST │ │
│ │ ├─ DB-PROD-01 (Database with data) ← ATTACK SECOND │ │
│ │ ├─ BACKUP-SRV-01 (Backups) ← ATTACK THIRD │ │
│ │ ├─ MAIL-PRIMARY (Email) ← maybe later │ │
│ │ └─ All detected running Dell/Cisco/Fortinet │ │
│ │ │ │
│ │ Secondary Intel: │ │
│ │ ├─ Firewall is Fortinet → know how to bypass │ │
│ │ ├─ Using Cisco switches → DHCP option attacks possible │ │
│ │ ├─ NTP server present → timing attacks possible │ │
│ │ └─ Business hours show 8am-5pm peak activity │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ PHASE 3: TARGETED EXPLOITATION │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Instead of: Random port scanning 87 systems │ │
│ │ They do: Focused attack on 3 identified targets │ │
│ │ │ │
│ │ Search for Dell exploits → found! (CVE-XXXX-XXXXX) │ │
│ │ Search for Fortinet bypass → found! (technique ABC) │ │
│ │ Research NTP service vulnerabilities → found! │ │
│ │ │ │
│ │ Success rate: 10x higher than random scanning │ │
│ │ Detection risk: MUCH lower (fewer targets, quiet) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ PHASE 4: PERSISTENT ACCESS │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Compromise domain controller │ │
│ │ Extract credentials / install backdoor │ │
│ │ Now they own the entire network │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────┘Notice the key part: they learned all of this without being detected.
Why Your Current Defenses Don’t Help Much
I want to be real with you here. A lot of the security measures companies have in place don’t actually stop DHCP reconnaissance.
DHCP Snooping
This is a feature on managed switches that says: “Only certain ports can send DHCP offers.”
Problem: It stops rogue servers from responding, but it doesn’t stop anyone from listening. If an attacker is on your network, they can still capture DHCP broadcasts.
It’s like putting a lock on your front door but leaving all the windows open.
Network Segmentation
This is splitting your network into separate VLANs so devices can’t talk to each other.
Problem: This helps, but not as much as you’d think. If an attacker is in the guest network, they can’t see internal systems… but they can see everything else on the guest VLAN. And if they compromise a system on one VLAN, they can often move to another.
Plus, not everything is segmented. Management networks, vendor networks, contractor Wi-Fi often aren’t properly isolated.
Encryption
You can’t really encrypt DHCP. The whole point of DHCP is that it’s a broadcast protocol working at the network layer before encryption is even possible.
It’s like trying to send an encrypted postcard. Doesn’t work.
Monitoring/IDS Systems
These look for suspicious patterns – scanning, exploits, failed logins.
Problem: Just listening to DHCP looks completely normal. A legitimate device requesting an IP and getting one. The IDS has no idea someone is capturing these broadcasts.
What Actually Works (The Real Defense)
So if normal defenses don’t really stop this, what does?
1. Aggressive Network Access Control
Don’t let random devices on your network in the first place.
- Lock down physical ports (disable unused ones)
- Require 802.1X certificate authentication before anything connects
- Implement NAC (Network Access Control) that verifies device health
- Monitor for unknown devices and isolate them immediately
This is the real barrier. If an attacker can’t get on your network, they can’t listen.
2. Proper Segmentation (Actually Enforced)
Not just creating VLANs, but actually separating critical infrastructure:
- Your database servers should not be on the same VLAN as guest Wi-Fi
- Contractors should not see internal DHCP traffic
- IoT devices should be completely isolated
- Management networks should have their own broadcast domain
An attacker on the guest network might learn about printers and general infrastructure, but not about your critical systems.
3. Hostname Obfuscation
This is simple but effective: don’t use meaningful hostnames.
Instead of:
ADMIN-LAPTOP-03PROD-DB-SERVERDOMAIN-CONTROLLER-PRIMARY
Use:
WS-R7X2K9SRV-F4M1P3INFRA-8Q9L2W
If an attacker hears these broadcasts, they don’t immediately know what each device is. They have to do more work.
4. Monitor for Capture Activity
You can actually detect someone capturing network packets:
- Sustained tcpdump/Wireshark processes on non-admin machines
- Network interfaces in promiscuous mode
- Unusual packet capture patterns
- Multiple MAC addresses claiming the same source on a single port
It’s not foolproof, but it can catch someone who’s been listening for hours.
5. DHCP Snooping + Additional Controls
Even though snooping doesn’t stop listening, it does prevent rogue servers. Combine it with:
- Port security (limit MAC addresses per port)
- DAI (Dynamic ARP Inspection) to prevent spoofing
- Control which ports can respond with DHCP
- Actually monitor DHCP for anomalies
6. Clean Up Your Infrastructure
A lot of places have legacy devices still sending DHCP requests:
- Old test servers still on the network
- Demo systems that were never decommissioned
- Printers no one remembers owning
- VMs from projects that ended
Attacker sees all of this and thinks: “What is this? Is this a target? Is it forgotten and unpatched?”
Clean it up. Remove the noise. Make your network smaller and more identifiable.
Visual: Defense Layers
┌──────────────────────────────────────────────────────────────────┐
│ DEFENSE-IN-DEPTH STRATEGY │
├──────────────────────────────────────────────────────────────────┤
│ │
│ LAYER 1: PHYSICAL ACCESS CONTROL │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ ✓ Lock down ethernet ports │ │
│ │ ✓ Disable unused ports │ │
│ │ ✓ Require badge swipe for network room access │ │
│ │ ✓ Monitor for rogue ethernet cables │ │
│ │ │ │
│ │ Attacker barrier: Can't get on network physically │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ LAYER 2: AUTHENTICATION (802.1X / NAC) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ ✓ Require certificate to authenticate │ │
│ │ ✓ Verify device health before allowing access │ │
│ │ ✓ Check for unauthorized device types │ │
│ │ ✓ Implement Network Access Control │ │
│ │ │ │
│ │ Attacker barrier: Can't authenticate without cert │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ LAYER 3: SEGMENTATION (VLAN ISOLATION) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ ✓ Separate critical infrastructure (different VLAN) │ │
│ │ ✓ Isolate guest Wi-Fi completely │ │
│ │ ✓ Separate IoT/vendor networks │ │
│ │ ✓ Enforce VLAN boundaries at switch level │ │
│ │ │ │
│ │ Attacker barrier: Limited to one VLAN even if in │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ LAYER 4: OBFUSCATION (HOSTNAME HARDENING) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ ✓ Use generic/random hostnames │ │
│ │ ✓ Don't advertise critical systems │ │
│ │ ✓ Disable unnecessary DHCP options │ │
│ │ ✓ Don't broadcast vendor info │ │
│ │ │ │
│ │ Attacker barrier: Can't identify what they're seeing │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ LAYER 5: DETECTION (MONITORING) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ ✓ Monitor for packet capture tools │ │
│ │ ✓ Alert on promiscuous mode interfaces │ │
│ │ ✓ Track DHCP anomalies │ │
│ │ ✓ Detect unknown devices │ │
│ │ │ │
│ │ Attacker barrier: Get caught if they try anyway │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
│ Result: Attacker has to overcome EVERY layer, not just one │
│ │
└──────────────────────────────────────────────────────────────────┘The idea is: one layer failing doesn’t doom you. You’ve got backups.
What To Do Right Now
If you’re responsible for network security and this concerns you (and it should), here’s what I’d do:
Immediate (This Week)
- Run a DHCP audit: Capture 24 hours of DHCP traffic on your network. Parse it. See what information is being broadcast.
tcpdump -i eth0 'udp port 67 or udp port 68' -w dhcp_capture.pcapThen analyze it:
# See all hostnames
tcpdump -r dhcp_capture.pcap -l | grep -i "dhcp" | grep -i "hostname"
# See all vendor classes
tcpdump -r dhcp_capture.pcap | grep -i "vendor"- Check your physical security: Walk around your facility. Are there accessible ethernet ports? Are they labeled? Can a contractor physically plug in?
- Document your VLAN structure: Draw a diagram. What’s segmented? What’s not? Where would an attacker have access if they got on your guest Wi-Fi?
Short Term (This Month)
- Enable DHCP Snooping on all managed switches:
ip dhcp snooping
ip dhcp snooping vlan 1-100
- Implement port security to limit MAC addresses per port
- Audit device hostnames: Find anything that screams “I’m critical infrastructure” and plan renaming
- Identify forgotten devices: Do you have test servers, old VMs, decommissioned systems still on the network?
Medium Term (This Quarter)
- Implement 802.1X: Require authentication before network access
- Deploy Network Access Control: Verify devices are healthy before allowing access
- Redesign VLANs: Properly segment your network so attackers are confined
- Implement hostname masking: Stop broadcasting meaningful names
- Set up monitoring for suspicious network activity – especially packet capture tools
Long Term (This Year)
- Plan for DHCPv6 hardening (if using IPv6)
- Evaluate enterprise-grade solutions that provide better DHCP security
- Create incident response playbook for “someone is capturing network traffic”
- Regular testing: Run your own DHCP reconnaissance exercise quarterly
A Real-World Example
Let me give you a specific example from a company I worked with (anonymized, obviously).
They had pretty good perimeter security – firewalls, endpoint protection, the works. But internally, they figured people on the network were okay.
A contractor was onboarded and given access to the guest Wi-Fi while they set up some systems. What did they do?
Literally nothing malicious initially. They just ran Wireshark for 2 days while doing their actual job.
From DHCP traffic alone, they discovered:
- 3 domain controllers
- 2 backup servers
- 4 database servers
- A virtual machine host they didn’t know existed
- A Fortinet firewall they could target
- Organizational structure showing HR, Finance, IT, and R&D departments
- All the names, MAC addresses, vendor info
They told the client in a report: “Your internal network is completely broadcast-visible. I learned more from listening to DHCP than from any active scanning.”
The client hadn’t even realized this was a thing.
They implemented:
- Better vetting of contractor Wi-Fi
- Hostname masking (renamed everything)
- VLAN segmentation (separated guest network)
- Network monitoring (to detect future packet captures)
It cost maybe $15k in tools and staff time.
If an actual attacker had gotten that same intelligence? Could’ve cost millions in data theft or ransomware.
Final Takeaway
DHCP reconnaissance is not exotic. It’s not fancy. It’s default behavior of any network with devices connecting to it.
An attacker doesn’t need:
- Advanced exploits
- Credentials
- Special tools (tcpdump comes with Linux)
- Lots of time (24 hours is plenty)
- Permission (they just sit and listen)
They get:
- Your complete device inventory
- Hostnames of all systems
- Manufacturer intel (vulnerability targeting)
- Organizational structure
- Infrastructure details
- Zero detection
It’s why reconnaissance is the first step of every attack. And why DHCP is such a goldmine for attackers.
The good news? It’s preventable. Not with one magic solution, but with layered defenses that make it hard to get on your network, hard to see what you’ve got, and hard to not get caught trying.
Do it. Your future self will thank you.
Quick Reference: What To Protect
Here’s a simple checklist of what you’re actually protecting by stopping DHCP reconnaissance:
☐ Device Inventory
└─ If attacked knows all your devices, attacks become targeted
☐ Hostnames
└─ Critical infrastructure identified immediately
☐ Manufacturer Info (OUI)
└─ Enables device-specific exploits
☐ Vendor Class
└─ Shows what software/hardware you're running
☐ Organizational Structure
└─ Reveals departments, teams, hierarchy
☐ Service Infrastructure
└─ Shows DNS, NTP, proxy, TFTP, other services
☐ Device Behavior Patterns
└─ Shows what's always on, what's periodic
☐ All of This = Complete Reconnaissance Map
└─ Without which, attackers have to work much harder
Make an attacker work for their intelligence. Don’t hand it to them on a broadcast.
