Nmap Development mailing list archives
Re: dhcp script!
From: Ron <ron () skullsecurity net>
Date: Tue, 08 Sep 2009 21:17:11 -0500
On 09/08/2009 06:32 PM, Walt Scrivens wrote:
> Ron, I ran the scan with Wireshark. There were only 5 packets exchanged: 2 malformed packets from me, followed by a DHCP DISCOVER, then a DHCP OFFER from the router, and then "destination unreachable" when I tried to reply to the router. The capture file is attached, and here is the nmap output:
>
> ****************
> sh-3.2# nmap --send-ip -d -sU -p67 -PN --script=dhcp-inform --script-args=dhcptype=DHCPDISCOVER 192.168.1.1
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-08 19:23 EDT
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> NSE: Loaded 1 scripts for scanning.
> Warning: Unable to open interface vmnet8 -- skipping it.
> Warning: Unable to open interface vmnet1 -- skipping it.
> mass_rdns: Using DNS server 208.67.222.222
> mass_rdns: Using DNS server 208.67.220.220
> Initiating Parallel DNS resolution of 1 host. at 19:23
> mass_rdns: 0.11s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
> Completed Parallel DNS resolution of 1 host. at 19:23, 0.07s elapsed
> DNS resolution of 1 IPs took 0.11s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
> Initiating UDP Scan at 19:23
> Scanning 192.168.1.1 [1 port]
> Packet capture filter (device en1): dst host 192.168.1.144 and (icmp or ((tcp or udp or sctp) and (src host 192.168.1.1)))
> Completed UDP Scan at 19:23, 2.01s elapsed (1 total ports)
> Overall sending rates: 0.99 packets / s, 27.81 bytes / s.
> NSE: Script scanning 192.168.1.1.
> NSE: Starting runlevel 1 scan
> Initiating NSE at 19:23
> NSE: NSE Script Threads (1) running:
> NSE: Starting dhcp-inform against 192.168.1.1:67.
> NSE: Finished dhcp-inform against 192.168.1.1:67.
> Completed NSE at 19:23, 3.00s elapsed
> NSE: Script Scanning completed.
> Host 192.168.1.1 is up, received user-set.
> Scanned at 2009-09-08 19:23:22 EDT for 5s
> Interesting ports on 192.168.1.1:
> PORT   STATE         SERVICE REASON
> 67/udp open|filtered dhcps   no-response
> Final times for host: srtt: -1 rttvar: -1 to: 1000000
>
> Read from /usr/local/share/nmap: nmap-services.
> Nmap done: 1 IP address (1 host up) scanned in 5.26 seconds
>            Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
> sh-3.2#
> ****************
>
> Walt
I just had a look at this one, and the Pcap actually looks fine. While I managed to reproduce this, and put in place a temporary fix, I'm hoping David can shed some light onto why this happens.
This is what I get for 10 runs without --send-ip:

(10x) sudo ./nmap --script=dhcp-discover -sU -p67 -PN 192.168.1.1 | grep 'seconds'

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds

And here's the same thing with --send-ip:

(10x) sudo ./nmap --send-ip --script=dhcp-discover -sU -p67 -PN 192.168.1.1 | grep 'seconds'

Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds

Due to the extra delay, the socket was timing out and giving up before the packet was received. I upped the timeout on the socket to 5 seconds, which is what I use in my other scripts, and it now works fine whether or not --send-ip was given.
When you have a chance, could you take a look at the new version of my script (I'll post it shortly) and let me know if it's fixed?
Thanks!

-- 
Ron Bowes
http://www.skullsecurity.org/
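An added example, not code from this thread or from Nmap's dhcp-discover script: Python that builds the DHCPDISCOVER and DHCPOFFER datagrams seen in Walt's capture, parses an OFFER, and re-creates the timeout bug Ron describes on loopback with a fake router whose reply is delayed past a short socket timeout. The transaction id, MAC and addresses are constructed sample values.

```python
import socket, struct, threading, time

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # BOOTP fixed header, 236 bytes; magic cookie and options follow
ZERO4 = b"\0" * 4

def build_discover(xid, mac):
    """Minimal DHCPDISCOVER: op 1 (BOOTREQUEST), Ethernet htype/hlen, broadcast flag, option 53 = 1."""
    fixed = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])

def build_sample_offer(xid, yiaddr="192.168.1.144", server="192.168.1.1"):
    """Constructed DHCPOFFER (op 2, option 53 = 2, option 54 = server identifier) for offline use."""
    fixed = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0, ZERO4, socket.inet_aton(yiaddr),
                        socket.inet_aton(server), ZERO4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 2, 54, 4]) + socket.inet_aton(server) + b"\xff"

def parse_reply(data, xid):
    """Return (message type, offered IP, {option: value}) or None if this is not a reply to our xid."""
    if len(data) < 240 or data[0] != 2 or data[236:240] != MAGIC_COOKIE:  # op 2 = BOOTREPLY
        return None
    if struct.unpack("!I", data[4:8])[0] != xid:  # reply must carry the xid of our DISCOVER
        return None
    opts, i = {}, 240
    while i + 1 < len(data) and data[i] != 255:  # 255 = end option
        if data[i] == 0:  # 0 = pad, a single byte with no length field
            i += 1; continue
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return {1: "DHCPDISCOVER", 2: "DHCPOFFER"}.get(opts.get(53, b"\0")[0], "other"), socket.inet_ntoa(data[16:20]), opts

def wait_for_reply(sock, xid, timeout):
    """Block up to `timeout` seconds for one datagram and parse it; None if nothing matching arrived."""
    sock.settimeout(timeout)
    try:
        return parse_reply(sock.recvfrom(1500)[0], xid)
    except socket.timeout:
        return None

def simulate(reply_delay, timeout, xid=0x1234ABCD):
    """Loopback re-creation of the bug: a fake router answers after reply_delay seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as router:
        client.bind(("127.0.0.1", 0))
        timer = threading.Timer(reply_delay, router.sendto, (build_sample_offer(xid), client.getsockname()))
        timer.start()
        try:
            return wait_for_reply(client, xid, timeout)
        finally:
            timer.cancel()  # a reply arriving after we gave up is dropped, as in the real scan
```

simulate(0.3, 0.1) returns None (the client gave up first) while simulate(0.3, 1.0) returns the parsed offer, which is the difference a longer socket timeout makes when --send-ip adds delay.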