  1. #1

    dhcp - using Allow & Deny - Check who is trying to use my dhcp at work

    I thought I would share a little PowerShell I wrote to see who is trying to connect to our DHCP and is not in our allow list. Maybe it will be of help to someone who is looking for something like this.
    Code:
    # by orangehat
    # check for somebody trying to use our DHCP and they are not in the allow list
    # Run as a task/cron every 2 hours
    $date1 = get-date                            # get date and time
    $date = $date1.addhours(-2)                    # We run as a task every 2 hours so back off 2 hours
    $outfile = "c:\ken\dhcpchk.csv"
    $outfile2 = "c:\ken\dhcpchk2.txt"
    # Okay, let's ask Windows if anybody has tried and failed to get a DHCP address within our time frame
    Get-WinEvent -LogName "Microsoft-Windows-Dhcp-Server/FilterNotifications" | Where-Object { $_.TimeCreated -gt $date } | Export-Csv $outfile
    # See if we got anything
    if((Get-Content $outfile) -eq $Null) {        # Null file?
        exit                                    # Okay, everybody out of the pool
    }
    # okay, since I don't really want all the duplicate attempts or all the other crap that I get, let's only get the message
    # I don't include the timestamp as I know it was within the time slot that I set above.
    # Also, drop the annoying "in the Deny List" while we're at it. If we already denied it I don't want to hear about it again.
    import-csv $outfile | sort message -Unique | select message | select-string -pattern "in the Deny List" -notmatch | out-file $outfile2 -width 300
    # Check again to see if we got anything after we added the nomatch to drop the annoying 'in the Deny list' stuff
    if((Get-Content $outfile2) -eq $Null) {        # Null file?
        exit                                    # Okay, everybody out of the pool
    }
    $subject = "DHCP Violation Detected"
    $body ="
        <p> It appears somebody is trying to use our DHCP<br>
        Attached is the list<br>
        <p>Thank you, <br> 
        <p> mydomain IT Department <br>    
        </P>"
    $smtpServer="YourEmailServer"
    $emailaddress="alert@mydomain.com"                                   # who gets it.            
    $SMTPMessage = New-Object System.Net.Mail.MailMessage            # create new mail
    $from = "mydomain IT Department <alert@mydomain.com>"            # who it's from
    $SMTPMessage.From = $from                                        # put in our from
    $SMTPMessage.To.Add($emailaddress)                                # put in who gets this
    #$SMTPMessage.Bcc.Add($emailaddress1)                            # We get a free copy
    #$SMTPMessage.Bcc.Add($emailaddress2)                            # We get a free copy
    $SMTPMessage.Subject = $subject                                    # add the subject
    $SMTPMessage.IsBodyHtml = $true                                 # yes, we're using HTML
    $SMTPMessage.Body = $body                                        # pull in the body of the message
    $attachment = new-object System.Net.Mail.Attachment $outfile2    # create our attachment
    $SMTPMessage.Attachments.Add($attachment)                        # attach it
    $SMTPwork = New-Object Net.Mail.SmtpClient($smtpServer,587)        # Ok, create client stuff and point to the Exchange server
    $myuser = "alert"                                                # my user I'm sending from (MUST MATCH the $from address)
    $mypass = "mypassword"                                            # my password
    $mydom = "mydomain"                                                # I need the domain also.
    $SMTPwork.Credentials = New-Object System.Net.NetworkCredential($myuser,$mypass,$mydom); # build my credentials as Exchange requires it
    $SMTPwork.EnableSsl = $false                                    # Disable SSL/TLS (the session to the mail server, login included, is not encrypted)
    $SMTPwork.Send($SMTPMessage)                                    # Okay, finally we can send the message
    # okay, everybody out of the pool.
    Last edited by RetiredGeek; 2015-12-11 at 15:33. Reason: Added Code Tags
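
A hardened variant of the script above, as an added example that is not the original poster's code: the event log does the time filtering, the SMTP password lives in a DPAPI-protected credential file instead of the script, and TLS is required before the login is sent. The credential file path is an assumption; the server name, addresses and other paths are the post's own placeholders.

```powershell
# Added example, not the original poster's code. C:\ken\smtp-cred.xml is an assumed path.
# One-time setup, run interactively as the account the scheduled task runs under:
#   Get-Credential | Export-Clixml -Path 'C:\ken\smtp-cred.xml'
# Export-Clixml encrypts the password with DPAPI for that user on that machine.
$credPath = 'C:\ken\smtp-cred.xml'
$report   = 'C:\ken\dhcpchk2.txt'
$since    = (Get-Date).AddHours(-2)      # task runs every 2 hours

# Let the event log service filter by time instead of reading the whole log,
# then drop "in the Deny List" entries and duplicate messages as the original does.
$messages = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Dhcp-Server/FilterNotifications'
        StartTime = $since
    } -ErrorAction SilentlyContinue |          # "no events found" is not an error here
    Where-Object { $_.Message -notmatch 'in the Deny List' } |
    Select-Object -ExpandProperty Message |
    Sort-Object -Unique
if (-not $messages) { return }                 # nothing to report

$messages | Out-File -FilePath $report -Width 300

$cred = Import-Clixml -Path $credPath          # only readable by the user who exported it
$mail = New-Object System.Net.Mail.MailMessage
$smtp = New-Object System.Net.Mail.SmtpClient('YourEmailServer', 587)
try {
    $mail.From    = 'mydomain IT Department <alert@mydomain.com>'
    $mail.To.Add('alert@mydomain.com')
    $mail.Subject = 'DHCP Violation Detected'
    $mail.Body    = "Clients outside the DHCP allow list since $since are listed in the attachment."
    $mail.Attachments.Add((New-Object System.Net.Mail.Attachment $report))

    $smtp.EnableSsl   = $true                  # STARTTLS; Send() throws if the server does not offer it
    $smtp.Credentials = $cred.GetNetworkCredential()
    $smtp.Send($mail)
}
finally {
    $mail.Dispose()                            # also releases the attachment's file handle
    $smtp.Dispose()
}
```

Restrict the NTFS permissions on the credential file and the script folder to the task account, since anyone who can edit the script can also make it run as that account.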

  2. #2
    I see you bother to authenticate to the SMTP server. I have never bothered with SMTP authentication, just turn off relaying for non-auth users.

    cheers, Paul

  3. #3
    I've always done authentication out of habit.

    Ken
