Nmap Development mailing list archives

UDP payload for DHCP


From: Ron <ron () skullsecurity net>
Date: Fri, 19 Feb 2010 14:00:37 -0600

Hey,

This has been on my TODO list for quite a while now, and I finally decided to do it. It's a DHCP request for the address 
0.0.0.0 that is sent to UDP/67. A DHCP server that conforms to the standards will send back a NAK, which means "no way!". 
A broken DHCP server might send 'OK' back and allocate the address 0.0.0.0 to you, but that isn't really harmful. DHCP 
servers aren't supposed to ignore requests, though. 

That's the good news. The bad news is this: the response will come back to the broadcast address (255.255.255.255), and 
the broadcast MAC address (FF:FF:FF:FF:FF:FF) and UDP/68. This is because, due to the nature of the protocol, it's 
thinking "you idiot, your address is way off and you'll never see a response unless I broadcast it!"

The only way to get the response to come to your actual address is to renew that address with the DHCP server, which 
would mean a non-static probe and will also change the state of the DHCP server, which is bad. 

Any thoughts? Will this be possible? I realize this is a bad corner case. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

Attachment: dhcp-payload.txt
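The probe and the two possible replies described in the message above, as an added example that is not from the original post or from the attached dhcp-payload.txt: it builds a DHCPREQUEST asking for 0.0.0.0 with the BROADCAST flag set (so the packet layout matches why a server answers to 255.255.255.255:68), then decodes a server reply and classifies a DHCPNAK as a conforming server and a DHCPACK as a broken one. Field offsets and option codes follow RFC 2131; the client MAC and transaction id are constructed values, and nothing is put on the wire.

```python
"""Build the DHCPREQUEST-for-0.0.0.0 probe and decode the server's reply
(DHCPNAK from a conforming server, DHCPACK from a broken one).
Layout per RFC 2131; everything is built and parsed in memory.
Added example, not the Nmap payload file itself."""
import socket
import struct
from enum import IntEnum

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options marker at offset 236
BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000              # bit 15 of 'flags': "reply by broadcast"


class MsgType(IntEnum):              # DHCP option 53 values
    DISCOVER = 1
    OFFER = 2
    REQUEST = 3
    DECLINE = 4
    ACK = 5
    NAK = 6
    RELEASE = 7


def _fixed_header(op, xid, flags, chaddr, yiaddr="0.0.0.0"):
    # 236-byte fixed part: op, htype(1=Ethernet), hlen(6), hops, xid, secs,
    # flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    zero = socket.inet_aton("0.0.0.0")
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, flags,
                       zero, socket.inet_aton(yiaddr), zero, zero,
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)


def build_dhcp_request(xid: int, chaddr: bytes, requested_ip: str = "0.0.0.0") -> bytes:
    """The probe: a DHCPREQUEST asking for `requested_ip` (0.0.0.0 by default)."""
    options = (bytes([53, 1, MsgType.REQUEST])                   # message type
               + bytes([50, 4]) + socket.inet_aton(requested_ip)  # requested IP
               + bytes([255]))                                    # end option
    return _fixed_header(BOOTREQUEST, xid, FLAG_BROADCAST, chaddr) + MAGIC_COOKIE + options


def build_dhcp_reply(xid: int, chaddr: bytes, msg_type: MsgType, yiaddr="0.0.0.0") -> bytes:
    """Constructed server reply, used here only to exercise the parser."""
    options = bytes([53, 1, msg_type, 255])
    return _fixed_header(BOOTREPLY, xid, FLAG_BROADCAST, chaddr, yiaddr) + MAGIC_COOKIE + options


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed header and the TLV options; reject truncated input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", data[:12])
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 255:                       # end option
            break
        if code == 0:                         # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    mt = options.get(53)
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "yiaddr": socket.inet_ntoa(data[16:20]),
        "chaddr": data[28:28 + min(hlen, 16)],
        "msg_type": mt[0] if mt else None,
        "options": options,
    }


def classify_response(request: bytes, response: bytes) -> str:
    """Interpret a reply to the probe the way a scanner would."""
    req, rsp = parse_dhcp(request), parse_dhcp(response)
    if rsp["op"] != BOOTREPLY:
        return "not a server reply"
    if rsp["xid"] != req["xid"]:
        return "xid mismatch: reply belongs to another transaction"
    if rsp["msg_type"] == MsgType.NAK:
        return "conforming server: DHCPNAK"
    if rsp["msg_type"] == MsgType.ACK:
        return "non-conforming server: DHCPACK, allocated " + rsp["yiaddr"]
    return "unexpected message type %r" % (rsp["msg_type"],)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")            # constructed client MAC
    probe = build_dhcp_request(0x1A2B3C4D, mac)
    print(len(probe), "byte probe:", probe.hex())
    print(classify_response(probe, build_dhcp_reply(0x1A2B3C4D, mac, MsgType.NAK)))
```

Because the reply arrives at 255.255.255.255:68 rather than the prober's own address, a receiver for it would have to bind UDP/68 and accept broadcasts, and the xid check above is what ties a broadcast reply back to the probe that caused it.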

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/