The MS-DHCP whisperer – MACkerer2

Some may recall that in 2003 I wrote a tool which provides a useful extension to the DHCP server of Windows 2000 – MACkerer (no support!!!), written in Delphi. Meanwhile years have gone by, but I wasn’t lazy. In 2004 I ported the extension to C and extended it by an installation program. Furthermore the syntax and the logging functions have been really enhanced during this process. I called the new version MACkerer2.

Sadly I have never made this version available to the public – mea culpa :mrgreen: . This is done by this article now. Furthermore I have to announce that I am working on a C++ version of MACkerer2. This version will still be called MACkerer2 but will have an internal version number 2.x, while the C-version internally was a 1.x version (named MACkerer2). The 2 in the name has nothing to do with the actual version number, it shows that it was a complete rewrite. The version offered for download above has been tested on Windows 2003 Server meanwhile and worked without any problems.

But let us come back to the use of the extension. The MS-DHCP server offers to create reservations inside a scope, where you can assign the same IP to a certain machine identified by its MAC. That is quite useful but has its limits. Where, you ask? Well, that is easy to explain. As some readers may know, I was administrator of a PC pool at my university for some years. Somewhen users came with their laptops and asked whether they could connect to our network. The main university admins had no objections, but we did not want to loose control over the network. Sadly there was this significant problem – the limits of the MS-DHCP server. While you can create reservations, there is no solution if you want to allow a user base that is larger than the number of simultaneously available IP addresses to be limited in access to the DHCP server. Of course the case that all users would be online at once can be ruled out, so that we were stuck. No IPs could be assigned twice – an unsovable problem. But what for am I a software developer? I just created a solution for the problem!

The solution was – from its very beginning – an extension DLL for the MS-DHCP server. This DLL allowed to manipulate the output to the clients. The most important function is to read allowed MACs from a list. MACkerer2 can be configured to reject unknown MAC addresses (i.e. don’t assign IPs to them). Furthermore every MAC record can optionally contain a name, email address and status. This makes it possible to identify a specific user. Since the logging functionality has been enhanced significantly, one can track who requested an IP address from the server – or better, who plugged in the network cable at what time. Et voila you got what you wanted: a limited number of IP addresses can be shared by a bigger number of users while maintaining access restrictions.

Currently there is no GUI or other comfortable way to edit the configuration files – you have to do this manually. The syntax has been derived from the Apache configuration files. Here is an example:

# This is a comment
<MAC 11-22-33-DD-EE-FF>
  Name       = "Full Name"
  Status     = 1
  Email      = "me@server.tld"
  Registered = "2003-01-01@00-00-00"
</MAC>

In the above example you can easily see the identification of the record by the MAC, while the record can contain optional attributes. In the current version of MACkerer2 all attributes are optional. The name is a simple text string. The Status can take a value of 0 or 1. While 0 means that the user account is “active”. This means that if AllowOnlyRegistered = 1 in the main configuration (see below) an IP will be assigned to the machine identified by this MAC address. If the value is 1 or otherwise not equal 0, the machine will be rejected and does not receive an IP from the DHCP server. Attention: currently only the values 0 and 1 are defined. Another value bigger than 1 has currently the same meaning as 1, which may change in future versions, though. Therefore it is recommended to stick to 0 and 1. If not explicit value was given, the default is 0 (i.e. “active”).

Despite the records for the MAC addresses, which – while optional – should be filled with useful values to provide for good log file output, there is the main configuration block of the configuration file. It controls for example which actions will be logged by MACkerer2 and where the log file is to be stored. Here is the main configuration block from the template configuration file which is located in %SystemRoot%\System32\dhcp right after the installation:

<MAIN>

# Log any events connected with start/restart/stop-ing the service
# DEFAULT = 1 (On)
  LogDaemonEvents     = 1
# Log all events when a packet has been dropped or denied
# because of some reason
# DEFAULT = 1 (On)
  LogDrop             = 1
# Log events when a new packet was allowed to pass.
# DEFAULT = 1 (On)
  LogPass             = 1
# Log IP offers from the DHCP server
# DEFAULT = 1 (On)
  LogOffer            = 1
# Log IP released by client
# DEFAULT = 1 (On)
  LogRelease          = 1
# Log if a user has been added using the DLL functions
# DEFAULT = 1 (On)
  LogAddUsr           = 1
# Log if a user has been deleted using the DLL functions
# DEFAULT = 1 (On)
  LogDelUsr           = 1
# Log if a user has been updated using the DLL functions
# (does not include deletetion!)
# DEFAULT = 1 (On)
  LogUpdUsr           = 1

# Note: This is highly technical and may only be interesting
# for admins resolving DHCP server problems. This includes
# events from DhcpPktDropHook()
# DEFAULT = 0 (Off)
  LogDebugEvents      = 0

  # This defines wether any MAC is allowed to pass or only
  # registered ones
  AllowOnlyRegistered = 0

  # Defines the path to the logfile(s) (without trailing backslash!)
  # It may contain environment variables, but the expanded
  # path must not exceed 255 characters!
  LogfilePath         = "%SystemRoot%\System32\dhcp"

</MAIN>

The new version on which I am working will also support UTF-8 and UCS-2 for configuration files which will aid in better internationalization. Furthermore features will be added which allow to manipulate the parameters for a client identified by its MAC individually without having to create a reservation (e.e. lease duration).

Have a lot of fun meanwhile ;)

// Oliver

This entry was posted in EN, Programming. Bookmark the permalink.

31 Responses to The MS-DHCP whisperer – MACkerer2

  1. Oliver says:

    The same in German.
    The Ganze nochmal auf Deutsch.

  2. Oliver says:

    Just found a blog on MSDN about the DHCP server. And in particular an article about the callout APIs that are also used by MACkerer2:
    http://blogs.msdn.com/anto_rocks/archive/2005/02/25/380510.aspx

  3. shareef says:

    pls sent me step by step procedure to install MACkerer2
    in which directory to oput script

    Thanks Regards
    shareef

  4. Oliver says:

    Hi Shareef,

    actually the archive in which MACkerer2 comes already contains the documentation. However, if the DHCP server is installed you just call “install.exe” which is enclosed in the archive.

    This will copy the DLL in place and extract a template configuration file into the place that MACkerer2 uses to parse the file.

    The configuration file has to be in the following directory: %SystemRoot%\System32\dhcp (usually this would be C:\Windows\System32\dhcp).

    Feel free to contact me again with any questions.

    // Oliver

  5. Khirs says:

    HI,
    not is posible, ¿allow only get ip at pc that have create reservation?
    What api use this list (reserver mac) and not have do a list of the mac in the archive of configuration.

    P.D.:Sorry for my english..

  6. Oliver says:

    I am not sure what you mean. Could you please rephrase your question in Spanish? I’d ask one of my colleagues to translate it then.

    // Oliver

  7. Khirs says:

    Hi Oliver,
    Thanks for all.
    My question in spanish:

    Mi pregunta es si hay alguna forma de que el servidor dhcp, de solo ips a los pcs que tienen hecha una reserva en el servidor dhcp sin necesidad de tener que escribir las mac en el archivo mackerer2.conf de esos pcs que ya tienen reserva reserva.
    Ya sea con tu programa, o con alguna modificación de tu programa, si pudieras indicame como realizar dicha modificación.

    I Try in english:

    My question is there is any form what dhcp server, only get ips pcs that have do reserved in dhcp server haven’t write in the archive mackerer2.conf the mac of the pcs with reserved.
    With you program or with any modification the with program. If you can said how modified your program.

    Very thanks,
    Khirs

  8. Colin says:

    Thanks for creating MACkerer2! I’m not a programmer, so trying to work-out Microsoft’s “CalloutDlls”, APIs etcetera, was too much for me.

    I hope that you continue your work on MACkerer. If you do future versions, it would be great if the MACkerer2.conf file could be located in a common location, like SYSVOL, so that multiple DHCP servers could share it.

    Thanks.

    Colin

  9. FridayChild says:

    I quote Colin word by word.
    I’m about to install MS’s DHCP server on Windows 2003 to manage a bunch of teacher’s laptops, and I came across the same issue; I hoped that someone had already solved the problem and with a bit of Googling I came here.
    What more can I say? Thanks!

  10. Oliver says:

    Thanks for the kind words.

    At the moment I have no time to continue it, but in fact I intend to streamline the whole thing a bit.

    Colin, if you want to put it into SYSVOL and SYSVOL is located on the same partition, hardlinks may be the way to go. However, the change required for this is relatively minor, so if it is urgent, I can try to do the change ASAP, which would then still be based on the current code, not the one already on my hard drive.

    // Oliver

  11. Colin says:

    It’s not urgent, but would be a time/error saver, since a variety of IT staff will be updating the MACkerer2.conf file.

    We have DHCP running on one each of Windows 2000 and Windows 2003 servers. The SYSVOL share is in the default location (same partition), on each (C:\WinNT\SysVol on W2K and C:\Windows\SysVol on W2K3).

    Colin

  12. Justin says:

    Hi

    have been looking for a program like this for a while so congrats.

    However I manage 30+ dhcp scopes and was wondering if using you software I can migrate 1 scope at a time without moving to a temp server?

    any help would be cool

  13. Oliver says:

    Hi Justin,

    I am afraid I cannot really help in that respect. However, what do the scopes have to do with MACkerer2? My tool does not take scopes into account whatsoever. The only thing needed would be to install it and restart the DHCP server service. For any configuration you have to change afterwards, you only have to pause and resume the DHCP server service and MACkerer2 will re-read its configuration.

    The only thing you can achieve with MACkerer2 is to drop DHCP offers if the MAC address is not allowed through the configuration. If you don’t limit this part (AllowOnlyRegistered = 0), then the only thing you achieve is more detailed logging compared to the default logging facility. So since scopes are not considered, only the MACs have to be known to MACkerer2 (if: AllowOnlyRegistered = 1) to the tool to allow a client to receive a lease.

    So either I completely missed a way you could use MACkerer2 as well (in which case I’d ask you to tell me what it is), or I misunderstood you.

    Oliver

  14. Justin says:

    Oliver

    I want to use your software as it will be a solution to rouge machines plugging in at around 30 depots around the uk.

    I did’nt necessary want to turn it on for all users but migrate it slowly,

    my only concern is populating it, buts thats my problem,

    do you know if anyone out there has developed a web or gui front end?

    we are going to write a kix script to populate it for now.

  15. Justin says:

    Oliver

    sorry should have added this in the previous one,

    I guess I wanted to know if I can use Mackerer at a subnet level, ie

    control scope 192.168.75.x but not control 192.168.74.x

    Justin

  16. Oliver says:

    Hi Justin,

    it cannot be used for different subnets at the moment. I’d have to check whether this is possible at all, but I guess so.

    We have written our own front-end for MACkerer2 which runs on the DHCP server itself – don’t remember whether it was PHP or Perl. It also allowed us to see the log entries and filter them. I can give you the contact to the person in charge of the machines running the web-frontend at the moment. But I also guess I’m gonna do you and Colin a favor and make the path to the config file configurable through the registry, so at least deploying a new config will be easier if it is part of the Sysvol folder.

    Oliver

  17. Justin says:

    Oliver

    if you could give me your contact who is using the front end server then that would be great, it would save me a bundle of time

    cheers

    Justin

  18. Justin says:

    Oliver

    when creating the config file do we need to use the MAC address in the 00-19-b9-2d-51-e1 format or can we use 0019b92d51e1 format?

    ps any news on the GUI front end

  19. Oliver says:

    The former is the correct format.

    GUI frontend?

    // Oliver

  20. Francis Swipes says:

    Oliver

    Very nice job with this. I set it up and was able to use it in only a few minutes. Very detailed logging even if there were no other uses.
    Is there a way to create a blacklist of MAC addresses that I want to deny access to as opposed to registering all MAC addresses that I want to grant access to? The network I work with has 15K+ computers and it would be next to impossible to keep a current list of MACs. I could update a list of known bad MACs that I want to keep out.

  21. Oliver says:

    Hey Francis,

    no this, is currently not possible, but after the interest in MACkerer2 increased, I decided to pick up development again and would include this option. However, this is going to take a while.

    I just converted the project on Monday for my current compiler.

    // Oliver

  22. Colin says:

    Francis,

    I run a smaller system, but found I had two sources of legatimate MAC address. We use KixTart for logon batches. I’ve had it setup to log some basic information, including MAC addresses, for years. We also use PC-Duo (Vector Networks) to inventory our hardware. Current MAC addresses can be extracted from it’s database and probabily from other similar tools.

    Colin

    Oliver,

    I’m glad to hear you’re going back to work on MACkerer2. Windows 2007 and it’s DHCP server will be with us soon. Thanks for your efforts.

    Colin

  23. Oliver says:

    Although I have to admit that I really dislike Vista, I should be eligible to get Windows 2007 Server (largely the same codebase) with my MSDN subscription, so you can expect the next version to be compatible with it as well. However, I do not expect too many changes in the API … although I haven’t checked, yet.

    // Oliver

  24. Francis Swipes says:

    Oliver
    Sorry to hear that a ‘blacklist’ approach isn’t yet possible. Still a great utility if only for the logging. I’m looking forward to any new releases.

    Colin
    Sounds like your setup is much more streamlined than mine.
    I do capture login data (although not with Kixtart) but my problem is twofold: 50% of the network are Apple OSX machines. This means that I need two of most everything for network management. The OSX buildings also were not under any sort of centralized management until recently (separate passwords, etc.)
    The second problem is that this network is for a K-12 school district. Very poliiticized. Their motto seems to be that it’s better to let 100 bad guys onto the network than cause grief to one school administrator. So I need to err on the side of caution with this.
    We do have an excellent firewall which logs all activity inbound and outbound. If someone is hogging network bandwidth, I can find out who they are and stop them. Usually it’s a computer that doesn’t belong to the school district. Being able to deny that computer an ip address would make my life much simpler.
    I agree that a MAC address whitelist would be the way to go if I had administration support. That isn’t the case here.

  25. ChupaChu says:

    Hi to all, thanks for a good tool.

    I have a specific problme i need helo with.

    On my network somebody activates second dhcp server (unknowingly i suppose) on random times. When it happens all my PC’s with automatic settings get bad tcp/ip settings and wont be avaiable on the newtork.

    I cannot add any new hardvare (e.g. make private network inside existing one) so i need a way to “convinse” XP SP2 machines *not* to accept settings from any other DHCP but mine.

    Is there a way to do this!?

    TIA, ChupaChu!

  26. Oliver says:

    Hi,

    no, as far as I know there is no way of doing this on the client side. There are some configuration APIs on the client side, but nothing similar to the callout APIs on server side.

    // Oliver

  27. Sajith says:

    Hi Thanks for writing execlant tool and make it avalable for free.

    I’m not very good in c, know little bit only. If I want to change the coding to give ipaddress base on the Computer name (not base on MAC) which palce do I have to change?

    Thanks,

    Sajith

  28. Oliver says:

    Sorry Sajith, I must have completely missed your question. What I don’t get is, how do you want to retrieve the computer name without having an IP address?

    // Oliver

  29. gjpmp3 says:

    This tool has been fantastic. It was just what I have looking for to restrict unknown devices from getting an IP address via DHCP.
    Thanks.

  30. slash says:

    Hi,
    a whitelist function is available in Windows 2008 R2, but you where years ahead.. awesome..
    Great tool, that works wonders for us.. still in 2010!
    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.