Nmap Development mailing list archives
Re: attn RON re: DHCP script
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 15 Dec 2015 22:39:24 -0600
Mike, This is what I thought: the initial packets you are seeing are from the port scan phase, and have nothing to do with the NSE script. They are in the debug output where it says "SENT". Since UDP is connectionless, we often can't tell the difference between an open and a filtered port because both will result in a missing response. That's why the port is listed as "open|filtered" and the probe is sent twice to be sure there wasn't a response that we missed. To help speed up UDP port scans, we try to include a data payload [1] in the scan packets. This is usually a well-formed payload that is designed to elicit a response from otherwise-silent services. We have one for NTP, which is why you see that behavior there. DHCP doesn't have one, mostly because of the danger of DHCP exhaustion and the fact that requests result in long-term state changes on the server. You can't completely skip the port scan phase if you want to run NSE scripts because the way that NSE decides which scripts to run on which services involves checking the state (open, filtered, open|filtered, closed). Dan [1] https://nmap.org/book/nmap-payloads.html On Tue, Dec 15, 2015 at 9:09 PM, Mike . <dmciscobgp () hotmail com> wrote:
thanks for replying back. this is windump traffic, and , as you can see, 2 packets. actually, i see 3 now. first 2 go out empty/malformed, then the proper one. here is the dump you wanted: C:\Users\McKittrick\Tools>nmap -v -n -Pn -reason -T4 -p 67 -sU max-retries 1 -sc ript=dhcp-discover 192.168.0.10 -script-trace -packet-trace -d Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-15 20:59 Central Standard Tim e Winpcap present, dynamic linked to: WinPcap version 4.1.3 (packet.dll version 4. 1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008) --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 500, min 100, max 1250 max-scan-delay: TCP 10, UDP 1000, SCTP 10 parallelism: min 0, max 0 max-retries: 6, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- NSE: Using Lua 5.2. NSE: Arguments from CLI: NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 20:59 Completed NSE at 20:59, 0.00s elapsed Failed to resolve "max-retries". Failed to resolve "1". Initiating ARP Ping Scan at 20:59 Scanning 192.168.0.10 [1 port] Packet capture filter (device eth0): arp and arp[18:4] = 0x001C2574 and arp[22:2 ] = 0xABE1 SENT (1.6540s) ARP who-has 192.168.0.10 tell 192.168.0.16 RCVD (1.6550s) ARP reply 192.168.0.10 is-at 00:11:D9:61:3A:A6 Completed ARP Ping Scan at 20:59, 0.07s elapsed (1 total hosts) Overall sending rates: 15.15 packets / s, 636.36 bytes / s. Initiating UDP Scan at 20:59 Scanning 192.168.0.10 [1 port] Packet capture filter (device eth0): dst host 192.168.0.16 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.0.10))) SENT (1.6590s) UDP 192.168.0.16:34681 > 192.168.0.10:67 ttl=50 id=378 iplen=28 SENT (1.7600s) UDP 192.168.0.16:34682 > 192.168.0.10:67 ttl=40 id=59032 iplen=28 Completed UDP Scan at 20:59, 0.21s elapsed (1 total ports) Overall sending rates: 9.57 packets / s, 267.94 bytes / s. NSE: Script scanning 192.168.0.10. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 20:59 NSE: Starting dhcp-discover against 192.168.0.10:67. NSOCK INFO [1.5380s] nsock_iod_new2(): nsock_iod_new (IOD #1) NSOCK INFO [1.5380s] nsock_setup_udp(): UDP unconnected socket (IOD #1) NSOCK INFO [1.5380s] mksock_bind_addr(): Binding to 0.0.0.0:68 (IOD #1) NSOCK INFO [1.8700s] nsock_sendto(): Sendto request for 313 bytes to IOD #1 EID 11 [192.168.0.10:67] NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | 00000000: 01 01 06 00 40 07 a0 03 00 00 00 00 c0 a8 00 10 @ 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 25 74 %t 00000020: ab e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 c Sc 000000f0: 35 01 08 37 3d 01 02 03 04 05 06 07 08 09 0a 0b 5 7= 00000100: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 00000110: 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b !"#$%&'()*+ 00000120: 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b ,-./0123456789:; 00000130: 3c 3d 33 04 00 00 00 01 ff <=3 NSOCK INFO [1.8750s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 11 [192.168.0.10:67] NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | SEND NSOCK INFO [1.8760s] nsock_read(): Read request from IOD #1 [ 192.168.0.10:67] (t imeout: 5000ms) EID 18 NSOCK INFO [6.8760s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.0.10:67] NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | CLOSE NSOCK INFO [6.8790s] nsock_iod_delete(): nsock_iod_delete (IOD #1) NSE: [dhcp-discover 192.168.0.10:67] dhcp: Couldn't receive packet: TIMEOUT NSE: [dhcp-discover 192.168.0.10:67] Couldn't send DHCP request: Couldn't receiv e packet: TIMEOUT NSE: Finished dhcp-discover against 192.168.0.10:67. Completed NSE at 20:59, 5.01s elapsed Nmap scan report for 192.168.0.10 Host is up, received arp-response (0.0010s latency). Scanned at 2015-12-15 20:59:44 Central Standard Time for 6s PORT STATE SERVICE REASON 67/udp open|filtered dhcps no-response | dhcp-discover: |_ ERROR: Couldn't receive packet: TIMEOUT MAC Address: 00:11:D9:61:3A:A6 (TiVo) Final times for host: srtt: 1000 rttvar: 5000 to: 100000 Nmap scan report for 192.168.0.10 Host is up, received arp-response (0.0010s latency). Scanned at 2015-12-15 20:59:44 Central Standard Time for 6s PORT STATE SERVICE REASON 67/udp open|filtered dhcps no-response | dhcp-discover: |_ ERROR: Couldn't receive packet: TIMEOUT MAC Address: 00:11:D9:61:3A:A6 (TiVo) Final times for host: srtt: 1000 rttvar: 5000 to: 100000 inal times for host: srtt: 1000 rttvar: 5000 to: 100000 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 20:59 Completed NSE at 20:59, 0.00s elapsed Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds Raw packets sent: 3 (84B) | Rcvd: 1 (28B) what i am seeing is, in that dump, you can still see the 2 bothersome packets. i tested this with other scripts. not all of them act this way. NTP -INFO sends out just 1 proper payload packet, nothing else. i have looked at this about 10 times now with windump, ngrep, tshark , and now nmap. it's funny because, it looks like NMAP first sends out those 2 packets for a "pre-scan/ping". but even with with -Pn set and even "max-retries 1" , it still sends out 2. why can we not have nmap supress it's scan when we KNOW a service is there, and just fire off the 1 proper packet? hopefully all this makes sense! Mike ------------------------------ *From:* Daniel Miller <bonsaiviking () gmail com> *Sent:* Tuesday, December 15, 2015 7:33 PM *To:* Mike . *Cc:* nmap-group *Subject:* Re: attn RON re: DHCP script Mike, I don't see in the code where 2 packets would be sent. Try your command with --script-trace --packet-trace -d and see if the packet shows up in the debug output. A full hex dump of the offending packet would also be helpful, since NSE and the UDP scan engine can build packets differently. Dan On Tue, Dec 15, 2015 at 9:05 AM, Mike . <dmciscobgp () hotmail com> wrote:group/Ron Bowes i tried to locate a direct email for you to no avail. simple question here. when i fire off your DHCP discovery script, i notice it sends not only your legit packet with all the proper params, but before that, it fires off either an empty or MALFORMED payload first. i am guessing this is just to see if you'll get an ICMP unreachable back (test purposes)? 2 questions here: why the need for the extra overhead involving 2 packets? would you not get the same effect with just 1 VALID payload packet being sent? and that would also have me say for part 2, if it is malformed in the beginning, would it not be dropped by said target anyway? examples below and thank you Mike 1st pkt sent=empty/malformed: [Malformed Packet: BOOTP/DHCP] [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)] [Malformed Packet (Exception occurred)] [Severity level: Error] [Group: Malformed] proper one after: Client IP address: 192.168.0.16 (192.168.0.16) Your (client) IP address: 0.0.0.0 (0.0.0.0) Next server IP address: 0.0.0.0 (0.0.0.0) Relay agent IP address: 0.0.0.0 (0.0.0.0) Client MAC address: 00:1c:25:74:ab:e1 (00:1c:25:74:ab:e1) Client hardware address padding: 00000000000000000000 Server host name not given Boot file name not given Magic cookie: DHCP Option: (53) DHCP Message Type (Inform) Length: 1 DHCP: Inform (8) Option: (55) Parameter Request List Length: 61 Parameter Request List Item: (1) Subnet Mask Parameter Request List Item: (2) Time Offset .........................(snipped) and the cmd i am using : nmap -v -n -Pn -reason -T4 -p 67 -sU max-retries 1 -script=dhcp-discover 192.168.0.10 _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- attn RON re: DHCP script Mike . (Dec 15)
- Re: attn RON re: DHCP script Daniel Miller (Dec 15)
- Message not available
- Re: attn RON re: DHCP script Daniel Miller (Dec 15)
- Message not available
- Re: attn RON re: DHCP script Daniel Miller (Dec 15)