Nmap Development mailing list archives

Re: UDP payload for DHCP


From: David Fifield <david () bamsoftware com>
Date: Fri, 19 Feb 2010 14:24:13 -0700

On Fri, Feb 19, 2010 at 02:00:37PM -0600, Ron wrote:
> This has been on my TODO list for quite a while now, and I finally
> decided to do it. It's a DHCP request for the address 0.0.0.0 that is
> sent to UDP/67. A DHCP server that conforms to the standards will send
> back a NAK, which means "no way!". A broken DHCP server might send 'OK'
> back and allocate the address 0.0.0.0 to you, but that isn't really
> harmful. DHCP servers aren't supposed to ignore requests, though.
>
> That's the good news. The bad news is this: the response will come
> back to the broadcast address (255.255.255.255), and the broadcast MAC
> address (FF:FF:FF:FF:FF:FF) and UDP/68. This is because, due to the
> nature of the protocol, it's thinking "you idiot, your address is way
> off and you'll never see a response unless I broadcast it!"
>
> The only way to get the response to come to your actual address is to
> renew that address with the DHCP server, which would mean a non-static
> probe and will also change the state of the DHCP server, which is bad.
>
> Any thoughts? Will this be possible? I realize this is a bad corner case.

This is a good idea. I don't think that broadcasting the reply is a
major impediment to this being a payload. But does it work if you plug
it into payload.cc? I have a feeling that ultra_scan won't see the
broadcast replies.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
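The probe Ron describes (a DHCPREQUEST for 0.0.0.0 from a client that has no address) and the NAK a conforming server broadcasts back, as an added example that is not part of this thread or of Nmap's payload.cc. Field layout and option codes follow RFC 2131; the transaction id, client MAC and server address are constructed sample values, and the "NAK = conforming, ACK = broken" reading is the one from the message above.

```python
"""Encode the DHCP probe from the thread and decode a server's reply."""
import socket
import struct

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
FLAG_BROADCAST = 0x8000                 # ask the server to answer via 255.255.255.255

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr, sname, file: the 236-byte fixed part of every DHCP message.
_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def _encode_options(options):
    """TLV-encode (code, value) pairs and terminate the list with END."""
    out = bytearray()
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_dhcp_request(xid, chaddr, requested_ip="0.0.0.0"):
    """DHCPREQUEST for `requested_ip` from a client whose ciaddr is 0.0.0.0.

    With ciaddr zero and the broadcast flag set, a conforming server sends
    its reply to 255.255.255.255:68, which is the catch the thread discusses.
    """
    header = _HEADER.pack(
        1, 1, 6, 0,                     # BOOTREQUEST, Ethernet, 6-byte hw addr, 0 hops
        xid, 0, FLAG_BROADCAST,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = _encode_options([
        (OPT_MESSAGE_TYPE, bytes([3])),                 # 3 = DHCPREQUEST
        (OPT_REQUESTED_IP, socket.inet_aton(requested_ip)),
    ])
    return header + MAGIC_COOKIE + options


def parse_dhcp(data):
    """Decode the fixed header and the options of a DHCP message."""
    end = _HEADER.size + 4
    if len(data) < end or data[_HEADER.size:end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = _HEADER.unpack_from(data)
    options, pos = {}, end
    while pos < len(data) and data[pos] != OPT_END:
        code = data[pos]
        if code == 0:                   # PAD option has no length byte
            pos += 1
            continue
        length = data[pos + 1]
        options[code] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    msg_type = options.get(OPT_MESSAGE_TYPE, b"\0")[0]
    return {"op": fields[0], "xid": fields[4],
            "broadcast": bool(fields[6] & FLAG_BROADCAST),
            "yiaddr": socket.inet_ntoa(fields[8]),
            "message_type": MESSAGE_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
            "options": options}


def classify_reply(probe_xid, data):
    """Match a reply to our probe and apply the thread's NAK/ACK reading."""
    reply = parse_dhcp(data)
    if reply["op"] != 2 or reply["xid"] != probe_xid:   # 2 = BOOTREPLY
        return "unrelated"
    if reply["message_type"] == "NAK":
        return "NAK: server refused 0.0.0.0 as a conforming server should"
    if reply["message_type"] == "ACK":
        return "ACK: server handed out %s (non-conforming)" % reply["yiaddr"]
    return reply["message_type"]


def constructed_nak(xid, server_ip="192.0.2.1"):
    """A constructed DHCPNAK, shaped as a conforming server would broadcast it."""
    header = _HEADER.pack(2, 1, 6, 0, xid, 0, FLAG_BROADCAST,
                          b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                          b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + _encode_options([
        (OPT_MESSAGE_TYPE, bytes([6])),                 # 6 = DHCPNAK
        (OPT_SERVER_ID, socket.inet_aton(server_ip))])


if __name__ == "__main__":
    xid = 0x3903F326                                    # constructed transaction id
    probe = build_dhcp_request(xid, b"\x02\x00\x00\x00\x00\x01")
    print(len(probe), "byte probe,", parse_dhcp(probe)["message_type"])
    print(classify_reply(xid, constructed_nak(xid)))   # uses the constructed reply
```

A fixed-payload scanner that sends this from an address other than 0.0.0.0 will only observe the reply if something on the host is listening for broadcast UDP/68 and matches on the transaction id, which is exactly David's concern about ultra_scan; the parser above is the piece that would do that matching.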