Nmap NSE net: dhcp-discover

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap_dhcp_discover_net.nasl 5505 2017-03-07 10:00:18Z teissa $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: Ron Bowes
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Sends a DHCPDISCOVER request to a host on UDP port 67. The response comes back to UDP port 68, and
is read using pcap (due to the inability for a script to choose its source port at the moment).

DHCPDISCOVER is a DHCP request that returns useful information from a DHCP server. The request sends
a list of which fields it wants to know (a handful by default, every field if verbosity is turned
on), and the server responds with the fields that were requested. It should be noted that the server
doesn't have to return every field, nor does it have to return them in the same order, or honour the
request at all. A Linksys WRT54g, for example, completely ignores the list of requested fields and
returns a few  standard ones. This script displays every field it receives.

With script arguments, the type of DHCP request can be changed, which can lead to interesting
results.  Additionally, the MAC address can be randomized, which should override the cache on the
DHCP server and assign a new IP address. Extra requests can also be sent to exhaust the IP address
range more quickly.

DHCPINFORM is another type of DHCP request that requests the same information, but doesn't reserve
an address. Unfortunately, because many home routers simply ignore DHCPINFORM requests, we opted to
use DHCPDISCOVER instead.

Some of the more useful fields: * DHCP Server (the address of the server that responded) * Subnet
Mask * Router * DNS Servers * Hostname


SYNTAX:

fake_requests:  Set to an integer to make that many fake requests  before the real one(s).
This could be useful, for example, if you  also use 'randomize_mac'
and you want to try exhausting  all addresses. 


requests:  Set to an integer to make up to  that many requests (and display the results). 


randomize_mac:  Set to 'true' or '1' to  send a random MAC address with
the request (keep in mind that you may  not see the response). This should 
cause the router to reserve a new  IP address each time.


dhcptype:  The type of DHCP request to make. By default,  DHCPDISCOVER is sent, but this
argument can change it to DHCPOFFER,  DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, 
DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers,
and many require different fields to contain specific values.";

if(description)
{
    script_id(104065);
    script_version("$Revision: 5505 $");
    script_tag(name:"last_modification", value:"$Date: 2017-03-07 11:00:18 +0100 (Tue, 07 Mar 2017) $");
    script_tag(name:"creation_date", value:"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)");
    script_tag(name:"cvss_base", value:"0.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
    script_name("Nmap NSE net: dhcp-discover");


    script_category(ACT_INIT);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE net");
    script_dependencies("nmap_nse_net.nasl");
    script_mandatory_keys("Tools/Launch/nmap_nse_net");

    script_add_preference(name:"fake_requests", value:"", type:"entry");
    script_add_preference(name:"requests", value:"", type:"entry");
    script_add_preference(name:"randomize_mac", value:"", type:"entry");
    script_add_preference(name:"dhcptype", value:"", type:"entry");

    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}


include("nmap.inc");

# The corresponding NSE script does't belong to the 'safe' category
if (safe_checks()) exit(0);

phase = 0;
if (defined_func("scan_phase")) {
    phase = scan_phase();
}

if (phase == 1) {
    # Get the preferences
    argv = make_array();

    pref = script_get_preference("fake_requests");
    if (!isnull(pref) && pref != "") {
        argv["fake_requests"] = string('"', pref, '"');
    }
    pref = script_get_preference("requests");
    if (!isnull(pref) && pref != "") {
        argv["requests"] = string('"', pref, '"');
    }
    pref = script_get_preference("randomize_mac");
    if (!isnull(pref) && pref != "") {
        argv["randomize_mac"] = string('"', pref, '"');
    }
    pref = script_get_preference("dhcptype");
    if (!isnull(pref) && pref != "") {
        argv["dhcptype"] = string('"', pref, '"');
    }
    nmap_nse_register(script:"dhcp-discover", args:argv);
} else if (phase == 2) {
    res = nmap_nse_get_results(script:"dhcp-discover");
    foreach portspec (keys(res)) {
        output_banner = 'Result found by Nmap Security Scanner (dhcp-discover.nse) http://nmap.org:\n\n';
        if (portspec == "0") {
            log_message(data:output_banner + res[portspec], port:0);
        } else {
            v = split(portspec, sep:"/", keep:0);
            proto = v[0];
            port = v[1];
            log_message(data:output_banner + res[portspec], port:port, protocol:proto);
        }
    }
}