Nmap Development mailing list archives
Re: dhcp script!
From: Ron <ron () skullsecurity net>
Date: Tue, 08 Sep 2009 13:55:43 -0500
Hi Walt,

It looks like it's reading the router as 'down' -- -PN should fix that. Is the output with -PN different? If so, can you send that?

Thanks!
Ron

On 09/08/2009 01:52 PM, Walt Scrivens wrote:

Ron - thanks for the help with the patch! Here's a scan run against a Linksys WRT-54G running DD-WRT V.23. DHCP is up and running on this router.

******************
sh-3.2# nmap -d -sU -p67 --script=dhcp-inform 192.168.1.1
Warning: File ./nmap.xsl exists, but Nmap is using /usr/local/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-08 14:39 EDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Initiating ARP Ping Scan at 14:39
Scanning 192.168.1.1 [1 port]
Packet capture filter (device en1): arp and ether dst host 00:23:6C:99:EB:B1
Completed ARP Ping Scan at 14:39, 0.21s elapsed (1 total hosts)
Overall sending rates: 9.36 packets / s, 392.98 bytes / s.
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 208.67.220.220
Read from /usr/local/share/nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.30 seconds
Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
******************

Here's the same scan with --script-args dhcptype=DHCPDISCOVER

******************
sh-3.2# nmap -d -sU -p67 --script=dhcp-inform --script-args dhcptype=DHCPDISCOVER 192.168.1.1
Warning: File ./nmap.xsl exists, but Nmap is using /usr/local/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-08 14:35 EDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Initiating ARP Ping Scan at 14:35
Scanning 192.168.1.1 [1 port]
Packet capture filter (device en1): arp and ether dst host 00:23:6C:99:EB:B1
Completed ARP Ping Scan at 14:35, 0.21s elapsed (1 total hosts)
Overall sending rates: 9.36 packets / s, 393.17 bytes / s.
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 208.67.220.220
Read from /usr/local/share/nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.30 seconds
Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
************************

I don't know what effect -PN would have on a UDP scan, but I tried it anyway - no difference.

Walt

On Sep 8, 2009, at 8:40 AM, Ron wrote:

I put together a script to probe DHCP servers this weekend. Unfortunately, I only have my Linksys WRT54g with stock firmware to test against, so I'd appreciate others giving it a shot!

Basically, do a UDP scan against port 67 on your gateway device, as root, and see what the response is.

nmap -d -sU -p67 --script=dhcp-inform <target>

I've attached it as a .patch because it requires an extra function added to ipOps.lua. The functions for building/parsing DHCP packets are generic enough that they can handle building/parsing *any* DHCP packet. So, if there are other ideas for things we can do with DHCP, let me know and I'll throw them into an NSELib and write extra DHCP scripts.

Thanks!
Ron

--
Ron Bowes
http://www.skullsecurity.org/

<dhcp.patch>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
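Ron's original message says the patch's DHCP routines can build and parse any DHCP packet. What follows is an added example written for this archive page, not code from the thread, from the dhcp.patch attachment, or from Nmap's NSE library: a small Python builder/parser for the RFC 2131 fixed header and RFC 2132 option list. It assembles a DHCPINFORM like the one the script sends on UDP port 67, parses a constructed DHCPACK of the kind a home gateway answers with, and checks that the reply echoes the request's transaction id and hardware address before it is trusted. The MAC address, transaction id and every value in the sample reply are constructed; they are not taken from the scans above.

```python
"""Build and parse raw DHCP packets (RFC 2131 header, RFC 2132 options)."""
import struct
import ipaddress

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_END = 0, 255

# Option 53 message types (RFC 2132 section 9.6).
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
TYPE_CODES = {name: code for code, name in MSG_TYPES.items()}


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def _encode_options(options):
    """Encode a list of (code, bytes) as TLVs and append the mandatory end option."""
    out = bytearray()
    for code, data in options:
        if not 0 < len(data) < 256:
            raise ValueError("option %d length %d out of range" % (code, len(data)))
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def build_dhcp_request(msg_type, mac, xid, ciaddr="0.0.0.0", extra_options=()):
    """Build a BOOTREQUEST of the given type, e.g. "DHCPINFORM" or "DHCPDISCOVER"."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                         _ip(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = [(53, bytes([TYPE_CODES[msg_type]]))] + list(extra_options)
    return header + MAGIC_COOKIE + _encode_options(options)


def _decode_option(code, data):
    """Decode the options a gateway probe cares about; anything else stays hex."""
    if code in (1, 3, 6, 54) and data and len(data) % 4 == 0:
        addrs = [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
        return addrs[0] if code in (1, 54) else addrs   # mask and server id are single
    if code == 51 and len(data) == 4:
        return struct.unpack("!I", data)[0]               # lease time in seconds
    if code == 53 and len(data) == 1:
        return MSG_TYPES.get(data[0], "unknown(%d)" % data[0])
    return data.hex()


def parse_dhcp(pkt):
    """Parse a DHCP packet; raise ValueError on anything malformed rather than guess."""
    if len(pkt) < HEADER_LEN + 4 or pkt[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or missing magic cookie)")
    (op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi,
     chaddr, sname, file) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if hlen > 16:
        raise ValueError("hlen %d exceeds the chaddr field" % hlen)
    options, i = {}, HEADER_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)
        length = pkt[i + 1]
        options[code] = _decode_option(code, pkt[i + 2:i + 2 + length])
        i += 2 + length
    else:
        raise ValueError("option list not terminated by end option")
    return {"op": op, "xid": xid, "flags": flags, "chaddr": chaddr[:hlen].hex(":"),
            "ciaddr": str(ipaddress.IPv4Address(ci)), "yiaddr": str(ipaddress.IPv4Address(yi)),
            "siaddr": str(ipaddress.IPv4Address(si)),
            "msg_type": options.get(53, "BOOTP (no option 53)"), "options": options}


def reply_matches_request(request, reply):
    """Accept a reply only if it is a BOOTREPLY echoing our xid and hardware address."""
    return (reply["op"] == BOOTREPLY and reply["xid"] == request["xid"]
            and reply["chaddr"] == request["chaddr"])


def constructed_ack(xid, mac):
    """Constructed sample: a gateway's DHCPACK to an INFORM (no yiaddr, no lease time)."""
    header = struct.pack(HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         _ip("192.168.1.100"), b"\0" * 4, _ip("192.168.1.1"), b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = [(53, bytes([TYPE_CODES["DHCPACK"]])), (54, _ip("192.168.1.1")),
               (1, _ip("255.255.255.0")), (3, _ip("192.168.1.1")),
               (6, _ip("208.67.222.222") + _ip("208.67.220.220"))]
    return header + MAGIC_COOKIE + b"\x00" + _encode_options(options)  # leading pad is legal


def demo():
    mac = bytes.fromhex("020000000001")  # constructed, locally administered address
    xid = 0x5EC0DE01                     # constructed transaction id
    request = parse_dhcp(build_dhcp_request("DHCPINFORM", mac, xid, ciaddr="192.168.1.100"))
    reply = parse_dhcp(constructed_ack(xid, mac))
    return request, reply, reply_matches_request(request, reply)


if __name__ == "__main__":
    req, ack, ok = demo()
    print(req["msg_type"], "->", ack["msg_type"], "matches request:", ok)
    for code, value in sorted(ack["options"].items()):
        print("  option %3d: %s" % (code, value))
```

The parser refuses packets that are short, lack the magic cookie, or carry an option whose length runs past the end of the buffer, and it treats a list that never reaches the end option as an error; those are the cases a script exercising unfamiliar gateway firmware most often trips over. Matching on xid and chaddr is what keeps a probe from mistaking a broadcast reply meant for another host for its own answer.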