Nmap Development mailing list archives

Re: DHCP payload probe?


From: Ron <ron () skullsecurity net>
Date: Thu, 10 Sep 2009 07:41:06 -0500

On 09/09/2009 11:09 PM, David Fifield wrote:
> On Tue, Sep 08, 2009 at 07:40:42AM -0500, Ron wrote:
>> I put together a script to probe DHCP servers this weekend.
>> Unfortunately, I only have my Linksys WRT54g with stock firmware to test
>> against, so I'd appreciate others giving it a shot!
>>
>> Basically, do a UDP scan against port 67 on your gateway device, as
>> root, and see what the response is.
>>
>> nmap -d -sU -p67 --script=dhcp-inform <target>
>>
>> I've attached it as a .patch because it requires an extra function added
>> to ipOps.lua.
>
> With your knowledge of DHCP, can you recommend a safe response-provoking
> payload that could be sent with all UDP probes to port 67 during port
> scanning?
>
> David Fifield

Yes and no.

There are three options:
a) Sending DHCPINFORM, which not everybody responds to
b) Sending DHCPDISCOVER, which has the side effect of reserving an IP address for a short period
c) Sending an invalid request, which results in a DHCPNAK error

(c) is probably the best one, I'm thinking. I'll have to investigate how to evoke an error reliably, though.

Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org