{
	"id": "5d9cf31d-2a52-4a20-82b9-dfe484268f1f",
	"created_at": "2026-04-06T00:08:19.968274Z",
	"updated_at": "2026-04-10T03:21:38.348646Z",
	"deleted_at": null,
	"sha1_hash": "18cdc7f090830818953cfa2a6bfd08f82d83c32f",
	"title": "Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 177419,
	"plain_text": "Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with\r\nPRTG and PowerShell\r\nBy Lockstep Group\r\nPublished: 2015-12-31 · Archived: 2026-04-05 21:39:01 UTC\r\nDHCP is one of those services that many systems administrators set and forget. Often, the reasoning is that they\r\nhave plenty of addresses (perhaps even 3 or 4 times the number of devices), and it should never fill up. Any\r\nadministrator who has ever dealt with a sudden deficiency of available addresses knows that this can make for a\r\nvery bad day. After the crisis is dealt with (perhaps by lowering the lease time for addresses), he may ask himself:\r\n“How can I monitor my DHCP scopes so this never happens again?”\r\nAdditionally, the administrator may not be aware that full DHCP scopes can allow Man-In-The-Middle attacks on\r\nhis network. An attacker can create enough DHCP requests to fill the DHCP scope. He can then put a rogue DHCP\r\nserver on the network and any new DHCP requests will get fulfilled by his rogue DHCP server. The attacker will\r\nchange the default gateway and DNS address to point to his machine, which causes traffic to route through his\r\nmachine, allowing him to sniff unencrypted traffic.\r\nThe prudent administrator will look for ways to decrease downtime and detect security risks. There are a number\r\nof options available for detecting when your DHCP scopes are running out of addresses; however, monitoring\r\nDHCP scopes isn’t as straightforward as one might imagine. Most administrators have the following options at\r\ntheir disposal:\r\n1. Manually track available addresses. Perhaps he makes this a daily check for the operations team.\r\nWhile this option is the easiest to implement since he only has to write some procedures for less\r\nsenior staff to follow, he is now relying on a manual process prone to human error. This doesn’t\r\ndetect MITM attacks in real time.\r\n2. 
Write a PowerShell script (or the language of your choice) to run periodically and search the event logs for\r\nevent IDs 1020 (Low Address Warning) and 1063 (Scope Full). It may email him when it finds these\r\nevents.\r\nIf the administrator is already comfortable with PowerShell and the nuances of building scheduled\r\ntasks that run PowerShell scripts, this can be implemented fairly quickly. Additionally, it provides a\r\nform of real-time alerting. It does require the administrator to build a script that gathers and parses\r\nWindows event logs, though. This can detect MITM attacks, but doesn’t provide a single pane of\r\nglass for all scopes.\r\n3. Use monitoring software such as PRTG along with a custom PowerShell script to not only alert on low\r\naddresses, but also build usage statistics over time.\r\nThe administrator gets real-time alerts when the scope reaches a pre-defined threshold. Additionally,\r\nhe gets ongoing scope statistics so he can track peak usage, daily averages, and trending data. If\r\nan attacker fills his DHCP scopes, he can detect this and mitigate any potential MITM attack\r\nquickly.\r\nhttps://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/\r\nPage 1 of 5\n\nThis blog post will focus on using PRTG Network Monitor, which has a free tier that can be used if your company\r\nhas no network monitoring software. If your company already uses PRTG, then this will be very easy to\r\nimplement.\r\nMonitoring DHCP Scopes using PRTG and PowerShell\r\n*Note* — The following process has only been tested with both the PRTG server and the DHCP server running\r\nWindows Server 2012 R2. I would like to thank Brian Addicks and Josh Sanders for their help in making this\r\nscript ready for public consumption. I also recommend you look at this Lockstep Solutions Blog post if you don’t\r\nhave experience creating custom sensors in PRTG. 
The Extreme Basics of PRTG custom sensors with PowerShell\r\nThe overall process includes the following basic steps:\r\n1. Install the DHCP Role Management Tools on the PRTG server\r\n2. Add the custom script to the PRTG Server for use as a custom script sensor\r\n3. Create the custom script sensor in PRTG\r\nInstall the DHCP Role Management Tools on the PRTG Server\r\n1. Open PowerShell with Administrative Privileges and enter the following command.\r\n1. Install-WindowsFeature RSAT-DHCP   (This installs only the DHCP management tools)\r\nAdd the custom script to the PRTG Server for use as a custom script sensor\r\n1. Download the sensor script by filling out the form at the bottom of this post.\r\n2. Copy the Get-DHCPScopeStatistics.ps1 script to “C:\\Program Files (x86)\\PRTG Network\r\nMonitor\\Custom Sensors\\EXEXML” on the PRTG server\r\nCreate the custom script sensor in PRTG\r\n1. In PRTG, Right-Click the Windows DHCP server being monitored\r\n2. Click Add Sensor\r\n3. Choose EXE/Script Advanced\r\n4. Insert the correct options as follows\r\n1. Sensor Name:  DHCP Scope Statistics\r\n2. EXE/Script:  Get-DHCPScopeStatistics.ps1\r\n3. Parameters:  -ScopeID \u003cScope ID\u003e, \u003cScope ID\u003e\r\nIMPORTANT – PRTG will support up to 50 channels per sensor. This sensor will create 2\r\nchannels per DHCP scope, so if you need to monitor more than 25 DHCP scopes on a server,\r\nyou will need to create multiple sensors and specify the Scope IDs separated by commas. If\r\nyou have fewer than 25 scopes, you can leave this field blank to monitor all scopes.\r\n4. Environment: Set placeholders as environment values (This allows the device name to be passed\r\nto the script automatically)\r\n5. Security Context:  Use Windows credentials of parent device\r\n6. Scanning Interval: 5 minutes or more\r\n7. 
When a Sensor Reports an Error: Set sensor to “down” immediately\r\n5. Click Continue\r\nFinal Result\r\nNotice that each scope has two channels that can be tuned individually. You may need to tune the Percentage Used\r\nchannel to alert earlier. The default is when 95% of all addresses in the scope are used.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/"
	],
	"report_names": [
		"monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18cdc7f090830818953cfa2a6bfd08f82d83c32f.pdf",
		"text": "https://archive.orkl.eu/18cdc7f090830818953cfa2a6bfd08f82d83c32f.txt",
		"img": "https://archive.orkl.eu/18cdc7f090830818953cfa2a6bfd08f82d83c32f.jpg"
	}
}