Re: DHCP payload probe?

[David Fifield <david () bamsoftware com>]

On Thu, Sep 10, 2009 at 07:41:06AM -0500, Ron wrote:
> On 09/09/2009 11:09 PM, David Fifield wrote:
> > On Tue, Sep 08, 2009 at 07:40:42AM -0500, Ron wrote:
> > > I put together a script to probe DHCP servers this weekend.
> > > Unfortunately, I only have my Linksys WRT54g with stock firmware to test
> > > against, so I'd appreciate others giving it a shot!
> > >
> > > Basically, do a UDP scan against port 67 on your gateway device, as
> > > root, and see what the response is.
> > >
> > > nmap -d -sU -p67 --script=dhcp-inform<target>
> > >
> > > I've attached it as a .patch because it requires an extra function added
> > > to ipOps.lua.
> >
> > With your knowledge of DHCP, can you recommend a safe response-provoking
> > payload that could be sent with all UDP probes to port 67 during port
> > scanning?
>
> Yes and no.
>
> There are three options:
> a) Sending DHCPINFORM, which not everybody responds to
> b) Sending DHCPDISCOVER, which has the side effect of reserving an ip  
> address for a short period
> c) Sending an invalid request, which results in a DHCPNAK error
>
> (c) is probably the best one, I'm thinking. I'll have to investigate how  
> to evoke an error reliably, though.

(c) sounds the best to me, too, if it's invalid in a way that won't mess
up a DHCP server. The response doesn't have to contain much information,
because for this purpose we only care if the port is open or the host is
up. We don't want side effects here.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org