Nmap Development mailing list archives

Fwd: nmap dhcp library


From: Mike Rykowski <mrykowski () gmail com>
Date: Thu, 8 Oct 2015 09:47:55 -0700

Hi nmap dev team,

I'm looking into having nmap gather PXE boot-related information from a
DHCP server, if it exists. From my research, it looks like the DHCP query
needs to ask for options 66 and 67, TFTP Server Name and Bootfile name,
respectively (I found that info here
<http://www.intel.com/support/network/sb/CS-028533.htm> and it is
corroborated here
<https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml>).
One of the problems is that the DHCP library (found at
https://svn.nmap.org/nmap/nselib/dhcp.lua) does not include these options.

Another issue I noticed is that, while the WPAD action was added, I don't
think the runtime ever gets there because the for loop just goes to 61
("for i = 1, 61, 1 do"). Additionally, in my testing, all actions are
requested regardless of verbosity, contrary (at least in my reading) to
what is commented in lines 394-396 of the original code. I believe this is
because of an off-by-one error: a default nmap run has nmap.verbosity() = 1
and an nmap -v run has nmap.verbosity() = 2. Thus if you used
if(nmap.verbosity() > 1) then you only query the non-default fields if the
user adds -v to their nmap command.

I have attached my suggestions in the updated dhcp.lua file. In my testing
with udhcpd, it does gather the additional PXE boot info. However, my
instance of udhcpd seems to respond with all options even when they aren't
requested, but I'm pretty sure the verbosity setting works now based on
Wireshark captures. It may be valuable to add the rest of the options IANA
lists (in the link above); let me know if you agree that this would be
valuable and I can do it. Please review them and let me know what you
think.

Thanks,
Mike

Attachment: dhcp.lua

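For readers following the option numbers in this message, the following is an added standalone example (not the attached dhcp.lua and not nmap's own code) showing what a DHCPDISCOVER that asks for options 66 and 67 looks like on the wire, and how to pull the TFTP server name and bootfile name back out of a reply. The parameter_request_list() helper mirrors the verbosity behaviour described above only in spirit; the option list, the sample MAC address and the constructed DHCPOFFER are assumptions made up for the example, and the fallback to the fixed sname/file header fields is an addition of this example, since a BOOTP-style server may put the same information there instead of in options 66/67.

```python
import struct

# DHCP option codes from the IANA bootp-dhcp-parameters registry
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS = 6
OPT_MSG_TYPE = 53
OPT_PARAM_REQ_LIST = 55
OPT_TFTP_SERVER_NAME = 66   # "TFTP Server Name"
OPT_BOOTFILE_NAME = 67      # "Bootfile Name"
OPT_END = 255

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131, start of the options field
HDR = "!BBBBIHH4s4s4s4s"             # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr

# Assumed option sets for the example: the "always" list and the PXE extras
DEFAULT_REQUESTS = [OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS]
PXE_REQUESTS = [OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME]


def parameter_request_list(verbose):
    """Option 55 contents: PXE options only when the caller asks for the extra set."""
    return DEFAULT_REQUESTS + (PXE_REQUESTS if verbose else [])


def build_discover(mac, xid, requested):
    """BOOTREQUEST / DHCPDISCOVER with a parameter request list (option 55)."""
    header = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,       # broadcast flag set
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")
    sname, bfile = b"\0" * 64, b"\0" * 128
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MSG_TYPE, 1, 1])                         # 1 = DHCPDISCOVER
    opts += bytes([OPT_PARAM_REQ_LIST, len(requested)]) + bytes(requested)
    opts += bytes([OPT_END])
    return header + chaddr + sname + bfile + opts


def build_offer(xid, mac, tftp, bootfile, use_fixed_fields=False):
    """Constructed DHCPOFFER for testing; PXE data goes into options 66/67 or,
    when use_fixed_fields is set, into the fixed sname/file header fields."""
    header = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1]), b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")
    sname = (tftp if use_fixed_fields else b"").ljust(64, b"\0")
    bfile = (bootfile if use_fixed_fields else b"").ljust(128, b"\0")
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 2])           # 2 = DHCPOFFER
    opts += bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])
    if not use_fixed_fields:
        opts += bytes([OPT_TFTP_SERVER_NAME, len(tftp)]) + tftp
        opts += bytes([OPT_BOOTFILE_NAME, len(bootfile)]) + bootfile
    opts += bytes([OPT_END])
    return header + chaddr + sname + bfile + opts


def parse_options(packet):
    """Walk the TLV option area; returns {code: value}. Pads are skipped,
    repeated codes are concatenated (RFC 3396), truncation raises ValueError."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def pxe_info(packet):
    """(tftp_server, bootfile) from options 66/67, falling back to the
    fixed sname (offset 44) and file (offset 108) fields; None when absent."""
    opts = parse_options(packet)
    tftp = opts.get(OPT_TFTP_SERVER_NAME) or packet[44:108].split(b"\0", 1)[0]
    boot = opts.get(OPT_BOOTFILE_NAME) or packet[108:236].split(b"\0", 1)[0]
    return (tftp.decode("ascii", "replace") if tftp else None,
            boot.decode("ascii", "replace") if boot else None)


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"                           # constructed sample MAC
    d = build_discover(mac, 0x1234ABCD, parameter_request_list(True))
    print("requested options:", list(parse_options(d)[OPT_PARAM_REQ_LIST]))
    print(pxe_info(build_offer(0x1234ABCD, mac, b"192.168.1.5", b"pxelinux.0")))
```

To use this against a live server you would send the bytes from build_discover() as a UDP broadcast from port 68 to port 67 and feed the reply to pxe_info(); the example deliberately stays offline. As the message above notes, some servers (udhcpd in the author's test) answer with every option they have regardless of the parameter request list, so the parser does not assume the reply contains only what was asked for.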
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/