Re: attn RON re: DHCP script

[Daniel Miller <bonsaiviking () gmail com>]

Mike,

This is what I thought: the initial packets you are seeing are from the
port scan phase, and have nothing to do with the NSE script. They are in
the debug output where it says "SENT". Since UDP is connectionless, we
often can't tell the difference between an open and a filtered port because
both will result in a missing response. That's why the port is listed as
"open|filtered" and the probe is sent twice to be sure there wasn't a
response that we missed.

To help speed up UDP port scans, we try to include a data payload [1] in
the scan packets. This is usually a well-formed payload that is designed to
elicit a response from otherwise-silent services. We have one for NTP,
which is why you see that behavior there. DHCP doesn't have one, mostly
because of the danger of DHCP exhaustion and the fact that requests result
in long-term state changes on the server.

You can't completely skip the port scan phase if you want to run NSE
scripts because the way that NSE decides which scripts to run on which
services involves checking the state (open, filtered, open|filtered,
closed).

Dan

[1] https://nmap.org/book/nmap-payloads.html

On Tue, Dec 15, 2015 at 9:09 PM, Mike . <dmciscobgp () hotmail com> wrote:

> thanks for replying back. this is windump traffic, and , as you can see, 2
> packets. actually, i see 3 now. first 2 go out empty/malformed, then the
> proper one. here is the dump you wanted:
>
>
>
> C:\Users\McKittrick\Tools>nmap -v -n -Pn -reason -T4 -p 67 -sU max-retries
> 1 -sc
> ript=dhcp-discover 192.168.0.10 -script-trace -packet-trace  -d
>
> Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-15 20:59 Central
> Standard Tim
> e
> Winpcap present, dynamic linked to: WinPcap version 4.1.3 (packet.dll
> version 4.
> 1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 500, min 100, max 1250
>   max-scan-delay: TCP 10, UDP 1000, SCTP 10
>   parallelism: min 0, max 0
>   max-retries: 6, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> NSE: Using Lua 5.2.
> NSE: Arguments from CLI:
> NSE: Loaded 1 scripts for scanning.
> NSE: Script Pre-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating NSE at 20:59
> Completed NSE at 20:59, 0.00s elapsed
> Failed to resolve "max-retries".
> Failed to resolve "1".
> Initiating ARP Ping Scan at 20:59
> Scanning 192.168.0.10 [1 port]
> Packet capture filter (device eth0): arp and arp[18:4] = 0x001C2574 and
> arp[22:2
> ] = 0xABE1
> SENT (1.6540s) ARP who-has 192.168.0.10 tell 192.168.0.16
> RCVD (1.6550s) ARP reply 192.168.0.10 is-at 00:11:D9:61:3A:A6
> Completed ARP Ping Scan at 20:59, 0.07s elapsed (1 total hosts)
> Overall sending rates: 15.15 packets / s, 636.36 bytes / s.
> Initiating UDP Scan at 20:59
> Scanning 192.168.0.10 [1 port]
> Packet capture filter (device eth0): dst host 192.168.0.16 and (icmp or
> icmp6 or
>  ((tcp or udp or sctp) and (src host 192.168.0.10)))
> SENT (1.6590s) UDP 192.168.0.16:34681 > 192.168.0.10:67 ttl=50 id=378
> iplen=28
> SENT (1.7600s) UDP 192.168.0.16:34682 > 192.168.0.10:67 ttl=40 id=59032
> iplen=28
> Completed UDP Scan at 20:59, 0.21s elapsed (1 total ports)
> Overall sending rates: 9.57 packets / s, 267.94 bytes / s.
> NSE: Script scanning 192.168.0.10.
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating NSE at 20:59
> NSE: Starting dhcp-discover against 192.168.0.10:67.
> NSOCK INFO [1.5380s] nsock_iod_new2(): nsock_iod_new (IOD #1)
> NSOCK INFO [1.5380s] nsock_setup_udp(): UDP unconnected socket (IOD #1)
> NSOCK INFO [1.5380s] mksock_bind_addr(): Binding to 0.0.0.0:68 (IOD #1)
> NSOCK INFO [1.8700s] nsock_sendto(): Sendto request for 313 bytes to IOD
> #1 EID
> 11 [192.168.0.10:67]
> NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | 00000000: 01 01 06 00 40 07 a0 03
> 00 00
> 00 00 c0 a8 00 10     @
> 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 25 74               %t
> 00000020: ab e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63             c Sc
> 000000f0: 35 01 08 37 3d 01 02 03 04 05 06 07 08 09 0a 0b 5  7=
> 00000100: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b
> 00000110: 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b      !"#$%&'()*+
> 00000120: 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b ,-./0123456789:;
> 00000130: 3c 3d 33 04 00 00 00 01 ff                      <=3
>
> NSOCK INFO [1.8750s] nsock_trace_handler_callback(): Callback: WRITE
> SUCCESS for
>  EID 11 [192.168.0.10:67]
> NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | SEND
> NSOCK INFO [1.8760s] nsock_read(): Read request from IOD #1 [
> 192.168.0.10:67] (t
> imeout: 5000ms) EID 18
> NSOCK INFO [6.8760s] nsock_trace_handler_callback(): Callback: READ
> TIMEOUT for
> EID 18 [192.168.0.10:67]
> NSE: UDP 0.0.0.0:68 > 192.168.0.10:67 | CLOSE
> NSOCK INFO [6.8790s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
> NSE: [dhcp-discover 192.168.0.10:67] dhcp: Couldn't receive packet:
> TIMEOUT
> NSE: [dhcp-discover 192.168.0.10:67] Couldn't send DHCP request: Couldn't
> receiv
> e packet: TIMEOUT
> NSE: Finished dhcp-discover against 192.168.0.10:67.
> Completed NSE at 20:59, 5.01s elapsed
> Nmap scan report for 192.168.0.10
> Host is up, received arp-response (0.0010s latency).
> Scanned at 2015-12-15 20:59:44 Central Standard Time for 6s
> PORT   STATE         SERVICE REASON
> 67/udp open|filtered dhcps   no-response
> | dhcp-discover:
> |_  ERROR: Couldn't receive packet: TIMEOUT
> MAC Address: 00:11:D9:61:3A:A6 (TiVo)
> Final times for host: srtt: 1000 rttvar: 5000  to: 100000
>
>
> Nmap scan report for 192.168.0.10
> Host is up, received arp-response (0.0010s latency).
> Scanned at 2015-12-15 20:59:44 Central Standard Time for 6s
> PORT   STATE         SERVICE REASON
> 67/udp open|filtered dhcps   no-response
> | dhcp-discover:
> |_  ERROR: Couldn't receive packet: TIMEOUT
> MAC Address: 00:11:D9:61:3A:A6 (TiVo)
> Final times for host: srtt: 1000 rttvar: 5000  to: 100000
> inal times for host: srtt: 1000 rttvar: 5000  to: 100000
>
> NSE: Script Post-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating NSE at 20:59
> Completed NSE at 20:59, 0.00s elapsed
> Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-payloads
> nmap-services.
> Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds
>            Raw packets sent: 3 (84B) | Rcvd: 1 (28B)
>
>
> what i am seeing is, in that dump, you can still see the 2 bothersome
> packets. i tested this with other scripts. not all of them act this way.
> NTP -INFO sends out just 1 proper payload packet, nothing else. i have
> looked at this about 10 times now with windump, ngrep, tshark , and now
> nmap. it's funny because, it looks like NMAP first sends out those 2
> packets for a "pre-scan/ping". but even with with -Pn set and even
> "max-retries 1" , it still sends out 2. why can we not have nmap supress
> it's scan when we KNOW a service is there, and just fire off the 1 proper
> packet? hopefully all this makes sense!
>
> Mike
>
>
>
>
>
>
>
> ------------------------------
> *From:* Daniel Miller <bonsaiviking () gmail com>
> *Sent:* Tuesday, December 15, 2015 7:33 PM
> *To:* Mike .
> *Cc:* nmap-group
> *Subject:* Re: attn RON re: DHCP script
>
> Mike,
>
> I don't see in the code where 2 packets would be sent. Try your command
> with --script-trace --packet-trace -d and see if the packet shows up in the
> debug output. A full hex dump of the offending packet would also be
> helpful, since NSE and the UDP scan engine can build packets differently.
>
> Dan
>
> On Tue, Dec 15, 2015 at 9:05 AM, Mike . <dmciscobgp () hotmail com> wrote:
>
> > group/Ron Bowes
> >
> >
> > i tried to locate a direct email for you to no avail. simple question
> > here. when i fire off your DHCP discovery script, i notice it sends not
> > only your legit packet with all the proper params, but before that, it
> > fires off either an empty or MALFORMED payload first. i am guessing this is
> > just to see if you'll get an ICMP unreachable back (test purposes)? 2
> > questions here: why the need for the extra overhead involving 2 packets?
> > would you not get the same effect with just 1 VALID payload packet being
> > sent? and that would also have me say for part 2, if it is malformed in the
> > beginning, would it not be dropped by said target anyway? examples below
> > and thank you
> >
> >
> > Mike
> >
> >
> >
> > 1st pkt sent=empty/malformed:
> >
> >
> > [Malformed Packet: BOOTP/DHCP]
> >     [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
> >         [Malformed Packet (Exception occurred)]
> >         [Severity level: Error]
> >         [Group: Malformed]
> >
> >
> > proper one after:
> >
> > Client IP address: 192.168.0.16 (192.168.0.16)
> > Your (client) IP address: 0.0.0.0 (0.0.0.0)
> > Next server IP address: 0.0.0.0 (0.0.0.0)
> > Relay agent IP address: 0.0.0.0 (0.0.0.0)
> > Client MAC address: 00:1c:25:74:ab:e1 (00:1c:25:74:ab:e1)
> > Client hardware address padding: 00000000000000000000
> > Server host name not given
> > Boot file name not given
> > Magic cookie: DHCP
> > Option: (53) DHCP Message Type (Inform)
> >     Length: 1
> >     DHCP: Inform (8)
> > Option: (55) Parameter Request List
> >     Length: 61
> >     Parameter Request List Item: (1) Subnet Mask
> >     Parameter Request List Item: (2) Time Offset
> > .........................(snipped)
> >
> >
> > and the cmd i am using :
> > nmap -v -n -Pn -reason -T4 -p 67 -sU max-retries 1 -script=dhcp-discover
> > 192.168.0.10
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/