Nmap Development mailing list archives

Re: dhcp script (version 2)


From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Sep 2009 16:54:56 -0700

On Wed, Sep 09, 2009 at 06:48:25PM -0500, Ron wrote:
> On 09/09/2009 06:33 PM, Fyodor wrote:
>
>> o This is very valuable information and making this script run by
>>   default is worth consideration, IMHO.
>
> Agreed. It's pretty rare somebody would be scanning udp/67, though --

Not that rare.  As long as they specify UDP scan, Nmap scans 67 by
default.  Even a -F scan includes it.  Now that we have port
frequencies, maybe someday Nmap will by default scan both
protocols--maybe the top 1,000 TCP and the top 50 UDP or something.

I do agree that skipping UDP scans is very common, currently.  But
Nmap has improved so much in that department that I'm hoping we'll see
more usage of UDP scans in the future, and possibly make it default.

> should we consider running it when OS discovery indicates a router? Or
> when port 80 is open (possibly with a specific service)? Are either of
> those possible from inside a script? (I'm not sure if we have access to
> that type of data, though I assume we do)

I'm thinking encouraging the user to scan UDP (and maybe even doing it
by default at some point) may be a more direct and reliable method.

> At work, the 'Server Identifier' is the core of the network, and the
> routers at .1 just forward the request back and forth. So while I may be
> scanning 10.100.100.1 (on a /24 network), the 'Server Identifier' would
> point to 10.0.0.1. So for that reason, I'd keep it.

Makes sense.

> There are roughly 55 - 60 different fields that we're requesting. I'll
> go through the list and mark any of them that contain valuable
> information. I can probably clean up the 'time' values more, too, making
> them minutes/hours/days/etc

Great!

>> o Perhaps the script could have an option for using raw packets to
>>   send a broadcast request on the network?
>
> That can be done, but it doesn't really fit with Nmap's paradigm of
> scanning one server at a time. If we do a broadcast every time the
> script is run, we're going to get 256 responses. If we only do it once,
> we're going to end up with a result for one random host and no others.

I agree that it doesn't exactly match Nmap's normal paradigm, but if
we already have the script it might be nice to offer that option for
those cases where you are on an unknown network and want to learn more
but don't know the exact DHCP server IP.  Also, I wonder if all DHCP
servers respond to directed requests?

> Conceptually, it's like an "aux" module in Metasploit. Has anybody
> considered having a new type of script that runs once/scan without a
> specific host/port? I think that'd be something useful, and I can think
> of other ideas for broadcast scripts, too (nbscan comes to mind).

It is an interesting idea.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
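The thread touches two concrete pieces of the DHCP script's output: the 'Server Identifier' option, which can point at a host other than the one being scanned (10.100.100.1 answering, 10.0.0.1 identified as the server), and the lease/renewal/rebinding timers that Ron wants rendered as minutes/hours/days. The following is an added example, not Ron's NSE script nor any code from Nmap: a small Python parser for the options field of a DHCP message (RFC 2132 option codes; the option names and the `summarize` helper are this example's own) run over a constructed DHCPACK option block that reproduces the scenario from the thread.

```python
import struct

# RFC 2132 option codes referenced in the thread (Server Identifier and the
# lease/renewal/rebinding timers). The names are this example's own labels.
OPTION_NAMES = {
    1: "Subnet Mask",
    3: "Router",
    6: "Domain Name Server",
    51: "IP Address Lease Time",
    53: "DHCP Message Type",
    54: "Server Identifier",
    58: "Renewal Time Value",
    59: "Rebinding Time Value",
}
TIME_OPTIONS = {51, 58, 59}       # 4-byte unsigned seconds
IP_LIST_OPTIONS = {1, 3, 6, 54}   # one or more IPv4 addresses
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def format_seconds(secs: int) -> str:
    """Render a DHCP timer as days/hours/minutes/seconds, e.g. 275400 -> '3d 4h 30m'."""
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        count, secs = divmod(secs, size)
        if count:
            parts.append(f"{count}{unit}")
    if secs or not parts:
        parts.append(f"{secs}s")
    return " ".join(parts)


def decode_option(code: int, data: bytes):
    """Turn one option's raw bytes into a readable value (hex for anything unknown)."""
    if code in TIME_OPTIONS and len(data) == 4:
        return format_seconds(struct.unpack("!I", data)[0])
    if code in IP_LIST_OPTIONS and data and len(data) % 4 == 0:
        return ", ".join(".".join(str(b) for b in data[i:i + 4])
                         for i in range(0, len(data), 4))
    if code == 53 and len(data) == 1:
        return MESSAGE_TYPES.get(data[0], f"unknown type {data[0]}")
    return data.hex()


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the variable options field (magic cookie onward) of a DHCP message.

    Returns {option_code: decoded_value}. Pad (0) is skipped, End (255) stops
    parsing, and a truncated option raises ValueError rather than being guessed.
    """
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    result = {}
    i = 4
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        result[code] = decode_option(code, data)
        i += 2 + length
    return result


def summarize(options: bytes) -> dict:
    """Map parsed options to their names; unknown codes are kept as 'Option N'."""
    return {OPTION_NAMES.get(c, f"Option {c}"): v
            for c, v in parse_dhcp_options(options).items()}


# Constructed DHCPACK option block mirroring the thread's scenario: the scanned
# router is 10.100.100.1, but the Server Identifier points to 10.0.0.1.
SAMPLE_ACK_OPTIONS = (
    MAGIC_COOKIE
    + bytes([53, 1, 5])                                               # DHCPACK
    + bytes([54, 4, 10, 0, 0, 1])                                     # Server Identifier
    + bytes([1, 4, 255, 255, 255, 0])                                 # Subnet Mask
    + bytes([3, 4, 10, 100, 100, 1])                                  # Router
    + bytes([51, 4]) + struct.pack("!I", 3 * 86400 + 4 * 3600 + 30 * 60)  # lease
    + bytes([58, 4]) + struct.pack("!I", 86400)                       # renewal (T1)
    + bytes([59, 4]) + struct.pack("!I", 90000)                       # rebinding (T2)
    + bytes([6, 8, 10, 0, 0, 53, 10, 0, 1, 53])                       # two DNS servers
    + bytes([0, 0, 255])                                              # pad, pad, End
)

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_ACK_OPTIONS).items():
        print(f"{name}: {value}")
```

Running the block prints one line per option; the Server Identifier line shows 10.0.0.1 while the Router line shows 10.100.100.1, which is exactly the distinction Ron gives for keeping the field in the output. The parser stops at End, skips Pad, and refuses truncated options instead of silently reading past them, which matters when the reply comes from an untrusted network.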

