Nmap Development mailing list archives

Re: Updated DHCP scripts


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 27 Aug 2010 23:40:10 +0200


On 27 aug 2010, at 22.47, Ron wrote:


On Mon, 16 Aug 2010 10:20:05 -0600 David Fifield <david () bamsoftware com> wrote:
You need to make dhcp.lua into a proper module so it doesn't just
store everything globally. I think you just have to add the line

     module(... or "dhcp", package.seeall)

at the top. Then in the script you need to change everything like

     dhcp_make_request(host.ip, host.interface, request_type, "0.0.0.0", mac_addr)

to

     dhcp.dhcp_make_request(host.ip, host.interface, request_type, "0.0.0.0", mac_addr)

In fact, I would get rid of the "dhcp_" prefix on exported names,
because they will already be qualified by "dhcp.".

David Fifield
Thanks, that was a pretty boneheaded mistake. :)

Attached is the new patch. 

I also resolved a conflict that was introduced by a change to the connect() function. 

I have the 'prerule' mode prepared for whenever we figure out how to do broadcasts (I don't believe the issues that Patrik was investigating were resolved?)

I've made a few changes to the patches I submitted earlier in order to be able to do some more testing.
Broadcasting is interesting from more than the prerule perspective, I think. There are a lot of scripts that could benefit from it.
While testing the patch I've adapted a few of the scripts so that they can be used when using broadcast.
The patch allows the scripts to send a single packet to the broadcast/multicast address and receive responses from multiple hosts.

As the approach is a little different, I've moved some chunks of code around in some of the scripts to accomplish my tasks.
The patches are quick-n-dirty and meant to get stuff running, so please see them that way for now and not as a suggestion for permanent change.
When doing broadcast, one packet is sent to the broadcast address and one or more packets are then received as response.
This means that we need to loop over the socket:receive call and also resolve the IP from which the response was received.
I've changed my previous patch that broke sending on the same socket after the first response was received.
Each script supporting broadcast basically needs to do this:

local result = {}

socket:send( nifty_packet )

-- keep reading until the socket times out; each datagram is one host's reply
while(true) do
  local status, response = socket:receive_bytes(1)
  if ( not(status) ) then break end

  -- get_info reports the peer of the datagram just received
  local status, _, _, peer_ip, peer_port = socket:get_info()
  local result_part = parse_response(response)
  result_part.name = peer_ip

  table.insert( result, result_part )
end

return stdnse.format_output( true, result )

As we can receive multiple responses, most of the changes I've made stuff the response in a table and add the IP as "name".
The response from each host is then stuffed into another table and returned using stdnse.format_output at the end.

I've attached the patches if someone wants to try them out. Here are a few examples on how to run them:
sudo ./nmap -n -p 1900 -sU 239.255.255.250 --script upnp-info -d
sudo ./nmap -n -p 5353 -sU 255.255.255.255 --script dns-service-discovery -d

The same principle applies for the rest of the scripts. Oh, and yes, the dhcp-discover script also seemed to work.
In addition to the patches I'm also attaching a new script, db2-discover, that detects DB2 servers using broadcast.

Attachment: dns-broadcast.patch
Attachment: db2-discover.nse
Attachment: nmap-broadcast.patch
Attachment: dns-service-discovery-bcast.patch
Attachment: upnp-info-bcast.patch
Attachment: ms-sql-info-bcast.patch



//Patrik
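As an added example (not one of the attached patches or scripts), here is a prerule NSE script that applies the send-once, receive-many loop above to SSDP, the protocol behind the upnp-info run shown: one M-SEARCH to 239.255.255.250:1900, then one result table per responding host. It assumes the broadcast-capable socket behaviour from the patch and the NSE socket API (nmap.new_socket, connect, receive_bytes, get_info); the parse_response helper and its header pattern are mine.

```lua
-- Added example, not from the thread's patches: SSDP discovery using the
-- send-once / receive-many loop described above. Assumes the patched socket
-- keeps delivering datagrams from different peers after one connect().
local nmap = require "nmap"
local stdnse = require "stdnse"

description = "Lists every host answering one SSDP M-SEARCH (added example)."
categories = {"discovery", "safe"}

local SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

-- Runs once before host scanning (the 'prerule' mode mentioned in the thread).
prerule = function() return true end

-- Turns one SSDP reply (an HTTP-style header block) into a list of
-- "name: value" strings; hypothetical helper standing in for parse_response.
local function parse_response(data)
  local part = {}
  for name, value in data:gmatch("([%w%-]+):%s*([^\r\n]*)") do
    part[#part + 1] = ("%s: %s"):format(name:lower(), value)
  end
  return part
end

action = function()
  local msearch = "M-SEARCH * HTTP/1.1\r\n" ..
    "HOST: " .. SSDP_GROUP .. ":" .. SSDP_PORT .. "\r\n" ..
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"

  local socket = nmap.new_socket("udp")
  socket:set_timeout(3000)
  if not socket:connect(SSDP_GROUP, SSDP_PORT, "udp") then return end
  socket:send(msearch)          -- one packet to the multicast group

  local result = {}
  while true do
    local status, response = socket:receive_bytes(1)
    if not status then break end  -- timeout: no more responders
    -- get_info reports the peer of the datagram just received
    local _, _, _, peer_ip = socket:get_info()
    local result_part = parse_response(response)
    result_part.name = peer_ip
    table.insert(result, result_part)
  end
  socket:close()

  if #result == 0 then return end
  return stdnse.format_output(true, result)
end
```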


-- 
Ron Bowes

Blog: http://www.skullsecurity.org
Twitter: https://twitter.com/iagox86

Attachment: dhcp_library_v2.patch

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77