Nmap Development mailing list archives
Re: dhcp script (version 2)
From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Sep 2009 16:54:56 -0700
On Wed, Sep 09, 2009 at 06:48:25PM -0500, Ron wrote:
> On 09/09/2009 06:33 PM, Fyodor wrote:
>> o This is very valuable information and making this script run by
>> default is worth consideration, IMHO.
>
> Agreed. It's pretty rare somebody would be scanning udp/67, though --

Not that rare. As long as they specify UDP scan, Nmap scans 67 by default. Even a -F scan includes it. Now that we have port frequencies, maybe someday Nmap will by default scan both protocols--maybe the top 1,000 TCP and the top 50 UDP or something. I do agree that skipping UDP scans is very common, currently. But Nmap has improved so much in that department that I'm hoping we'll see more usage of UDP scans in the future, and possibly make it default.

> should we consider running it when OS discovery indicates a router? Or
> when port 80 is open (possibly with a specific service)? Are either of
> those possible from inside a script? (I'm not sure if we have access to
> that type of data, though I assume we do)

I'm thinking encouraging the user to scan UDP (and maybe even doing it by default at some point) may be a more direct and reliable method.

> At work, the 'Server Identifier' is the core of the network, and the
> routers at .1 just forward the request back and forth. So while I may be
> scanning 10.100.100.1 (on a /24 network), the 'Server Identifier' would
> point to 10.0.0.1. So for that reason, I'd keep it.

Makes sense.

> There are roughly 55 - 60 different fields that we're requesting. I'll
> go through the list and mark any of them that contain valuable
> information. I can probably clean up the 'time' values more, too, making
> them minutes/hours/days/etc

Great!

>> o Perhaps the script could have an option for using raw packets to send
>> a broadcast request on the network?
>
> That can be done, but it doesn't really fit with Nmap's paradigm of
> scanning one server at a time. If we do a broadcast every time the
> script is run, we're going to get 256 responses. If we only do it once,
> we're going to end up with a result for one random host and no others.

I agree that it doesn't exactly match Nmap's normal paradigm, but if we already have the script it might be nice to offer that option for those cases where you are on an unknown network and want to learn more but don't know the exact DHCP server IP. Also, I wonder if all DHCP servers respond to directed requests?

> Conceptually, it's like an "aux" module in Metasploit. Has anybody
> considered having a new type of script that runs once/scan without a
> specific host/port? I think that'd be something useful, and I can think
> of other ideas for broadcast scripts, too (nbscan comes to mind).

It is an interesting idea.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
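As an added example (not code from this thread or from Nmap's own dhcp script), a small Python parser for the options block of a DHCP OFFER/ACK: it pulls out the Server Identifier (option 54), renders the lease, renewal and rebinding times as days/hours/minutes/seconds, and flags the case Ron describes where the Server Identifier points somewhere other than the host that was probed. The option codes are RFC 2132's; the sample OFFER bytes, the function names and the server_is_target flag are constructed here for illustration.

```python
import ipaddress
import struct

OPT_PAD, OPT_END, OPT_SERVER_ID = 0, 255, 54   # RFC 2132 option codes
TIME_OPTIONS = {51: "lease", 58: "renewal", 59: "rebinding"}

def parse_options(raw):
    """Walk a DHCP option block (code, length, value) into {code: bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:                # one-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:                # end marker; ignore trailing bytes
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:           # refuse short values rather than guess
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def humanize_seconds(sec):
    # Render a seconds count as e.g. '1d 2h 3m 4s' (the cleaned-up time form).
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        n, sec = divmod(sec, size)
        if n:
            parts.append("%d%s" % (n, unit))
    if sec or not parts:
        parts.append("%ds" % sec)
    return " ".join(parts)

def summarize(raw, target):
    """Pick out the fields the thread discusses; 'target' is the scanned host."""
    opts, out = parse_options(raw), {}
    if OPT_SERVER_ID in opts and len(opts[OPT_SERVER_ID]) == 4:
        out["server_id"] = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
        # Server Identifier differing from the probed host: that host relayed.
        out["server_is_target"] = out["server_id"] == target
    for code, name in TIME_OPTIONS.items():
        if code in opts and len(opts[code]) == 4:
            out[name] = humanize_seconds(struct.unpack("!I", opts[code])[0])
    return out
# Constructed OFFER options: offer, server id 10.0.0.1, lease 1d, renewal 12h, rebinding 21h, router 10.100.100.1, END.
SAMPLE = (bytes([53, 1, 2, 54, 4, 10, 0, 0, 1]) + struct.pack("!BBI", 51, 4, 86400)
          + struct.pack("!BBI", 58, 4, 43200) + struct.pack("!BBI", 59, 4, 75600)
          + bytes([3, 4, 10, 100, 100, 1, OPT_END]))
```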