Nmap Development mailing list archives

Re: dhcp script!


From: Walt Scrivens <walts () gate net>
Date: Tue, 8 Sep 2009 14:52:30 -0400

Ron - thanks for the help with the patch!

Here's a scan run against a Linksys WRT-54G running DD-WRT V.23.
DHCP is up and running on this router.

******************
sh-3.2# nmap -d -sU -p67 --script=dhcp-inform 192.168.1.1
Warning: File ./nmap.xsl exists, but Nmap is using /usr/local/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-08 14:39 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Initiating ARP Ping Scan at 14:39
Scanning 192.168.1.1 [1 port]
Packet capture filter (device en1): arp and ether dst host 00:23:6C:99:EB:B1
Completed ARP Ping Scan at 14:39, 0.21s elapsed (1 total hosts)
Overall sending rates: 9.36 packets / s, 392.98 bytes / s.
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 208.67.220.220
Read from /usr/local/share/nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.30 seconds
           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
******************
Here's the same scan with --script-args dhcptype=DHCPDISCOVER
******************
sh-3.2# nmap -d -sU -p67 --script=dhcp-inform --script-args dhcptype=DHCPDISCOVER 192.168.1.1
Warning: File ./nmap.xsl exists, but Nmap is using /usr/local/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-08 14:35 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Initiating ARP Ping Scan at 14:35
Scanning 192.168.1.1 [1 port]
Packet capture filter (device en1): arp and ether dst host 00:23:6C:99:EB:B1
Completed ARP Ping Scan at 14:35, 0.21s elapsed (1 total hosts)
Overall sending rates: 9.36 packets / s, 393.17 bytes / s.
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 208.67.220.220
Read from /usr/local/share/nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.30 seconds
           Raw packets sent: 2 (84B) | Rcvd: 0 (0B)

************************
I don't know what effect -PN would have on a UDP scan, but I tried it anyway - no difference.

Walt

On Sep 8, 2009, at 8:40 AM, Ron wrote:

I put together a script to probe DHCP servers this weekend. Unfortunately, I only have my Linksys WRT54g with stock firmware to test against, so I'd appreciate others giving it a shot!

Basically, do a UDP scan against port 67 on your gateway device, as root, and see what the response is.

nmap -d -sU -p67 --script=dhcp-inform <target>

I've attached it as a .patch because it requires an extra function added to ipOps.lua.

The functions for building/parsing DHCP packets are generic enough that they can handle building/parsing *any* DHCP packet. So, if there are other ideas for things we can do with DHCP, let me know and I'll throw them into an NSELib and write extra DHCP scripts.

Thanks!

Ron


--
Ron Bowes
http://www.skullsecurity.org/
<dhcp.patch>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


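The DHCPINFORM / DHCPDISCOVER probes the thread is testing, and the kind of generic build/parse routines Ron describes, as an added Python example. This is not Ron's NSE script, not the attached patch, and not output from any device in the thread: the function names (build_dhcp, parse_dhcp, probe_exchange, is_dhcp), the client MAC and all addresses in the constructed DHCPOFFER are illustrative assumptions. It does no network I/O; it only shows what goes on the wire to UDP/67 and how a reply would be decoded.

```python
"""Build and parse DHCP packets (RFC 2131/2132) the way a DHCPINFORM or
DHCPDISCOVER probe to UDP/67 would.  Added example, not the thread's NSE
script: pure Python, no network I/O, sample packets constructed inline."""
import random
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHER, HLEN_ETHER = 1, 6
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_END = 0, 53, 55, 255
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # the 236-byte BOOTP header
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK", 8: "DHCPINFORM"}
TYPE_CODES = {name: code for code, name in MSG_TYPES.items()}
IP_OPTS = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 54: "server_id"}
SECS_OPTS = {51: "lease_time", 58: "renewal_time", 59: "rebinding_time"}


def build_dhcp(msg_type, chaddr, op=BOOTREQUEST, ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", siaddr="0.0.0.0", xid=None, options=()):
    """Return the wire bytes of a DHCP message of the named type.
    A DHCPINFORM carries the client's configured IP in ciaddr (RFC 2131 4.4.3);
    a DHCPDISCOVER leaves ciaddr zero and sets the BROADCAST flag so a server
    answering to 255.255.255.255 still reaches a host with no address yet."""
    if msg_type not in TYPE_CODES:
        raise ValueError("unknown DHCP message type %r" % msg_type)
    xid = random.getrandbits(32) if xid is None else xid
    flags = 0x8000 if msg_type == "DHCPDISCOVER" else 0x0000
    header = struct.pack(FIXED_FMT, op, HTYPE_ETHER, HLEN_ETHER, 0, xid, 0, flags,
                         socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                         socket.inet_aton(siaddr), b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = [(OPT_MSG_TYPE, bytes([TYPE_CODES[msg_type]]))] + list(options)
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Parse any DHCP message (request or reply) into a dict.  Bounds-checked:
    a truncated or cookie-less datagram raises instead of being mis-read."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or bad magic cookie")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(FIXED_FMT, data[:236])
    raw = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        val = data[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option %d claims %d bytes past end of packet" % (code, length))
        raw[code] = raw.get(code, b"") + val   # RFC 3396: repeated options concatenate
        i += 2 + length
    mt = raw.get(OPT_MSG_TYPE, b"")
    msg = {"op": "BOOTREPLY" if op == BOOTREPLY else "BOOTREQUEST",
           "xid": xid, "flags": flags,
           "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
           "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
           "chaddr": chaddr[:hlen].hex(":"), "options": raw,
           "msg_type": MSG_TYPES.get(mt[0], "unknown") if mt else "BOOTP"}
    for code, val in raw.items():
        if code in IP_OPTS and len(val) % 4 == 0:
            msg[IP_OPTS[code]] = [socket.inet_ntoa(val[k:k + 4]) for k in range(0, len(val), 4)]
        elif code in SECS_OPTS and len(val) == 4:
            msg[SECS_OPTS[code]] = struct.unpack("!I", val)[0]
    return msg


def is_dhcp(data):
    """True if data parses as a DHCP message; use it to discard junk on UDP/67."""
    try:
        parse_dhcp(data)
        return True
    except ValueError:
        return False


def probe_exchange(client_mac, client_ip, server_ip="192.168.1.1", xid=0x5A5A0001):
    """Model the two probes from the thread plus a constructed server reply.
    Returns (parsed DHCPINFORM, parsed DHCPDISCOVER, parsed DHCPOFFER)."""
    want = [(OPT_PARAM_REQ, bytes([1, 3, 6, 15]))]   # mask, router, DNS, domain
    inform = build_dhcp("DHCPINFORM", client_mac, ciaddr=client_ip, xid=xid, options=want)
    discover = build_dhcp("DHCPDISCOVER", client_mac, xid=xid, options=want)
    # Constructed reply (assumed values, not captured from any real router).
    offer = build_dhcp("DHCPOFFER", client_mac, op=BOOTREPLY, xid=xid,
                       yiaddr="192.168.1.100", siaddr=server_ip,
                       options=[(54, socket.inet_aton(server_ip)),
                                (51, struct.pack("!I", 86400)),
                                (1, socket.inet_aton("255.255.255.0")),
                                (3, socket.inet_aton(server_ip)),
                                (6, socket.inet_aton(server_ip) + socket.inet_aton("208.67.222.222"))])
    return parse_dhcp(inform), parse_dhcp(discover), parse_dhcp(offer)


if __name__ == "__main__":
    for m in probe_exchange(bytes.fromhex("0023aabbccdd"), "192.168.1.50"):
        print(m["msg_type"], hex(m["xid"]), m["ciaddr"], m["yiaddr"],
              m.get("routers"), m.get("dns_servers"), m.get("lease_time"))
```

The parser rejects anything shorter than 240 bytes or lacking the magic cookie and refuses options that run past the datagram, which is the check worth having on a port that anyone on the segment can write to. Note that the DISCOVER sets the BROADCAST flag while the INFORM does not; a server's choice of unicast versus broadcast reply is one reason the two probes can behave differently against the same device.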