Nmap Development mailing list archives

Re: dhcp script!


From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Tue, 8 Sep 2009 09:21:30 -0400

From windows, against a netgear router... Nothing happens, but this
router is rather cheap.

Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll
version 4.0.0.1040), based on libpcap version 0.9.5

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-08 09:19
Eastern Daylight Time
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
Initiating ARP Ping Scan at 09:19
Scanning 10.0.0.1 [1 port]
Packet capture filter (device eth6): arp and arp[18:4] = 0x00112222
and arp[22:2] = 0x1100
Completed ARP Ping Scan at 09:19, 0.20s elapsed (1 total hosts)
Overall sending rates: 4.93 packets / s, 206.90 bytes / s.
mass_rdns: Using DNS server 10.100.200.61
mass_rdns: Using DNS server 10.100.200.62
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 205.211.180.196
mass_rdns: Using DNS server 205.211.181.196
Initiating Parallel DNS resolution of 1 host. at 09:19
mass_rdns: 0.01s 0/1 [#: 5, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 09:19, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 5, OK: 0, NX: 1,
DR: 0, SF: 0, TR: 1, CN: 0]
Initiating UDP Scan at 09:19
Scanning 10.0.0.1 [1 port]
Packet capture filter (device eth6): dst host 10.0.0.4 and (icmp or
((tcp or udp or sctp) and (src host 10.0.0.1)))
Completed UDP Scan at 09:19, 0.21s elapsed (1 total ports)
Overall sending rates: 9.52 packets / s, 266.67 bytes / s.
NSE: Script scanning 10.0.0.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 09:19
NSE: NSE Script Threads (1) running:
NSE: Starting dhcp-inform against 10.0.0.1:67.
NSE: Finished dhcp-inform against 10.0.0.1:67.
Completed NSE at 09:20, 2.79s elapsed
NSE: Script Scanning completed.
Host 10.0.0.1 is up, received arp-response (0.0020s latency).
Scanned at 2009-09-08 09:19:59 Eastern Daylight Time for 3s
Interesting ports on 10.0.0.1:
PORT   STATE         SERVICE REASON
67/udp open|filtered dhcps   no-response
MAC Address: 00:0F:B5:13:E8:BE (Netgear)
Final times for host: srtt: 2000 rttvar: 5000  to: 100000

Read from c:\nmap\mswin32\Release: nmap-mac-prefixes nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.72 seconds
           Raw packets sent: 3 (98B) | Rcvd: 1 (42B)



On Tue, Sep 8, 2009 at 8:40 AM, Ron<ron () skullsecurity net> wrote:
I put together a script to probe DHCP servers this weekend. Unfortunately, I
only have my Linksys WRT54g with stock firmware to test against, so I'd
appreciate others giving it a shot!

Basically, do a UDP scan against port 67 on your gateway device, as root,
and see what the response is.

nmap -d -sU -p67 --script=dhcp-inform <target>

I've attached it as a .patch because it requires an extra function added to
ipOps.lua.

The functions for building/parsing DHCP packets are generic enough that they
can handle building/parsing *any* DHCP packet. So, if there are other ideas
for things we can do with DHCP, let me know and I'll throw them into a
NSELib and write extra DHCP scripts.

Thanks!

Ron


--
Ron Bowes
http://www.skullsecurity.org/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
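Ron's message above describes build/parse functions generic enough for any DHCP message; the patch itself is an attachment and is not reproduced on this page. The following is an added stand-alone Python illustration of the same idea, not the patch's Lua code and not part of either message: it serialises a DHCPINFORM like the one the script sends and parses the DHCPACK a server would return, with the option walk bounds-checked so a malformed reply raises instead of being read past its end. The gateway, scanner and DNS addresses in the constructed sample (10.0.0.1, 10.0.0.4, 208.67.222.222) come from the scan output in this thread; the MAC address and transaction id are made up.

```python
"""Build and parse DHCP messages (RFC 2131 / RFC 2132) with only the standard library.
Illustrative stand-alone code, not the nselib functions from the patch."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the fixed BOOTP header from the options
BOOTREQUEST, BOOTREPLY = 1, 2

# Option codes used below (RFC 2132)
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 53, 54, 55, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, xid, ciaddr, chaddr, msg_type, options=()):
    """Serialise a DHCP message. options is a sequence of (code, bytes) pairs;
    the message-type option (53) is emitted first and END (255) last."""
    if len(chaddr) != 6:
        raise ValueError("only 6-byte Ethernet addresses are handled here")
    # Fixed header: op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += socket.inet_aton(ciaddr) + b"\x00" * 12   # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + b"\x00" * 10                     # chaddr is a 16-byte field
    hdr += b"\x00" * (64 + 128)                      # sname, file (unused here)
    assert len(hdr) == 236
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError("option %d: length must fit in one byte" % code)
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def _ips(value):
    """Decode an option value holding one or more IPv4 addresses."""
    return [socket.inet_ntoa(value[i:i + 4])
            for i in range(0, len(value) - len(value) % 4, 4)]


def parse_dhcp(data):
    """Parse a DHCP message into a dict; malformed input raises ValueError."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("too short or no DHCP magic cookie")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(data[i:i + 4])
                                      for i in range(12, 28, 4))
    if hlen > 16:
        raise ValueError("hlen %d exceeds the 16-byte chaddr field" % hlen)
    raw = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                  # single byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of message" % code)
        raw[code] = value                    # RFC 3396 concatenation not handled here
        i += 2 + length
    else:
        raise ValueError("missing END option")
    mtype = raw.get(OPT_MSG_TYPE, b"")
    return {
        "op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
        "siaddr": siaddr, "giaddr": giaddr, "chaddr": data[28:28 + hlen].hex(),
        "msg_type": MSG_TYPES.get(mtype[0], "unknown") if len(mtype) == 1 else "unknown",
        "server_id": _ips(raw.get(OPT_SERVER_ID, b"")),
        "subnet_mask": _ips(raw.get(OPT_SUBNET_MASK, b"")),
        "routers": _ips(raw.get(OPT_ROUTER, b"")),
        "dns": _ips(raw.get(OPT_DNS, b"")),
        "raw_options": raw,
    }


def build_inform(xid, client_ip, mac):
    """DHCPINFORM: a host that already has an address asks only for parameters."""
    wanted = bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS])
    return build_dhcp(BOOTREQUEST, xid, client_ip, mac, 8, [(OPT_PARAM_REQ, wanted)])


# Constructed sample, not a capture: the DHCPACK a gateway at 10.0.0.1 might
# send back to an INFORM from 10.0.0.4 (addresses from the thread's scan output;
# MAC and xid are invented).
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_ACK = build_dhcp(
    BOOTREPLY, 0x1234ABCD, "10.0.0.4", CLIENT_MAC, 5,
    [(OPT_SERVER_ID, socket.inet_aton("10.0.0.1")),
     (OPT_SUBNET_MASK, socket.inet_aton("255.255.255.0")),
     (OPT_ROUTER, socket.inet_aton("10.0.0.1")),
     (OPT_DNS, socket.inet_aton("10.0.0.1") + socket.inet_aton("208.67.222.222"))])
# Splice a PAD byte in front of the options to exercise the parser's pad handling.
SAMPLE_ACK = SAMPLE_ACK[:240] + bytes([OPT_PAD]) + SAMPLE_ACK[240:]

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_ACK))
```

Two points worth keeping in mind when reading results like the `open|filtered ... no-response` line earlier in the thread: RFC 2131 has the server answer a DHCPINFORM with a DHCPACK unicast to the address in `ciaddr` on the DHCP client port (68), so a probe sent from an arbitrary source port only sees the reply if it is captured at the packet level, and "no response" by itself does not say whether the server ignored the INFORM or the reply was simply not observed. On the parsing side, every length byte in the options comes from the remote end, which is why the walk above checks each option against the buffer end before copying it.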

