Nmap Development mailing list archives

Re: dhcp script (version 3)


From: Ron <ron () skullsecurity net>
Date: Wed, 09 Sep 2009 22:27:40 -0500

All right, I fixed a couple small bugs and implemented Fyodor's suggestions. Then one thing led to another, and I implemented a bunch more cool (and optional) stuff. I checked it in (r15411), since it's pretty much done. I'm happy to make more changes, of course. I made the following changes since last version:

* Added the category 'default' (not written in stone, of course -- Fyodor suggested it, and I did it for now)

* Fixed a comment about available types (thanks to Fyodor!)

* Fixed a bug where it occasionally got the wrong results when running in parallel to another script, which happens because I'm using the Pcap interface to receive the return packet on udp/68. I now check for the transaction ID before I trust a packet

* Changed 'time' values to display in days/hours/minutes/seconds instead of one big number. For example, my WRT54g returns:
|   IP Address Lease Time: 1 day, 0:00:00

* Set the 'lease time' to 1 second. My router doesn't honour it, but hopefully some will. The reserved time with DHCPDISCOVER requests appears to be 60 seconds on my router, so it isn't a huge period.

* Display the IP that's being offered by the server. This stays static for me as long as I'm sending from the same MAC address. Which brings me to...

* Added a 'randomize_mac' script-arg, which tricks the DHCP server into generating a new IP address, at least for me. Note that this changes the MAC at layer 7, not layer 2, but routers are supposed to honour it when selecting an IP address due to the fact that the request may have been redirected outside the subnet. If you want to try exhausting your IPs, you'll be happy to hear that I......

* Added a 'requests' script-arg. It sends that many requests, waiting for a proper response after each one. If there's a timeout during the requests, and at least one request had already succeeded, the successful requests are displayed. Of course, if you want to just fire a bunch of requests up front without waiting for responses, I.....

* Added a 'fake_requests' script-arg. It is an integer value, and the script sends that many fake requests before the real one. They're just fired out and ignored (they're never received). Unfortunately, my router rate limits the responses to 1/second, so it isn't all that useful. Even so, I.....

* Added a 'timeout' script-arg. Generally, you should set it to 5000 + (fake_requests * 1000), assuming other routers rate limit like mine. Really, though, I'd just go with the 'requests' arg.


For what it's worth, if you exhaust all the IPs on my router (192.168.1.100 - 192.168.1.149), it just stops responding to requests altogether until the 60-second timeout expires and the addresses are returned to the pool.



--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
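The transaction-ID check and the days/hours/minutes/seconds lease display described in the message above, as an added Python example that is not the NSE script's own Lua code. The packet builder, the function names and the sample xid/address values are constructed for illustration; the parser drops any BOOTREPLY whose xid is not the one we sent, which is the fix for the "wrong results when running in parallel" bug.

```python
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # BOOTP vendor "magic cookie" that starts the DHCP options
OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_END = 53, 51, 255

def parse_dhcp_reply(packet: bytes, expected_xid: int) -> Optional[dict]:
    """Return the reply's fields, or None if it is not a well-formed BOOTREPLY for our xid."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return None
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    if op != 2 or xid != expected_xid:    # only trust replies to the request we sent
        return None
    yiaddr = ".".join(str(b) for b in packet[16:20])
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            return None                   # tag without a length byte
        tag, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                   # truncated option
        options[tag] = value
        i += 2 + length
    return {"xid": xid, "yiaddr": yiaddr, "options": options}

def format_lease(seconds: int) -> str:
    """Render a lease time the way the script does, e.g. 86400 -> '1 day, 0:00:00'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} day{'' if days == 1 else 's'}, {hours}:{minutes:02d}:{secs:02d}"

def lease_summary(packet: bytes, expected_xid: int) -> Optional[str]:
    """Offered address plus formatted lease time, or None if the packet is not ours."""
    reply = parse_dhcp_reply(packet, expected_xid)
    if reply is None or OPT_LEASE_TIME not in reply["options"]:
        return None
    lease = struct.unpack("!I", reply["options"][OPT_LEASE_TIME])[0]
    return f"{reply['yiaddr']}: {format_lease(lease)}"

def build_reply(xid: int, yiaddr: str, lease_seconds: int) -> bytes:
    """Constructed DHCPOFFER-style BOOTREPLY used as sample input (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(4)       # header + ciaddr
    fixed += bytes(int(o) for o in yiaddr.split(".")) + bytes(8 + 16 + 64 + 128)  # yiaddr..file
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])
```

Feeding `lease_summary` a reply built with a different xid returns None, which is exactly the case where a concurrently running script's DHCP reply would otherwise be mistaken for ours.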