Nmap NSE 6.01: dhcp-discover

2013-02-28T00:00:00
ID OPENVAS:803568
Type openvas
Reporter NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH
Modified 2017-08-24T00:00:00

Description

Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters without allocating a new address.

DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP address. The request sends a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and the server responds with the fields that were requested. It should be noted that the server doesn't have to return every field, nor does it have to return them in the same order, or honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few standard ones. This script displays every field it receives.

With script arguments, the type of DHCP request can be changed, which can lead to interesting results. Additionally, the MAC address can be randomized, which in should override the cache on the DHCP server and assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.

Some of the more useful fields: * DHCP Server (the address of the server that responded) * Subnet Mask * Router * DNS Servers * Hostname

SYNTAX:

requests: Set to an integer to make up to that many requests (and display the results).

randomize_mac: Set to 'true' or '1' to send a random MAC address with the request (keep in mind that you may not see the response). This should cause the router to reserve a new IP address each time.

dhcptype: The type of DHCP request to make. By default, DHCPINFORM is sent, but this argument can change it to DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers, and many require different fields to contain specific values.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap6_dhcp_discover.nasl 7000 2017-08-24 11:51:46Z teissa $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: Ron Bowes
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration
parameters without allocating a new address.

DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating
an IP address. The request sends a list of which fields it wants to know (a handful by default,
every field if verbosity is turned on), and the server responds with the fields that were requested.
It should be noted that the server doesn't have to return every field, nor does it have to return
them in the same order, or honour the request at all. A Linksys WRT54g, for example, completely
ignores the list of requested fields and returns a few standard ones. This script displays every
field it receives.

With script arguments, the type of DHCP request can be changed, which can lead to interesting
results.  Additionally, the MAC address can be randomized, which in should override the cache on the
DHCP server and assign a new IP address. Extra requests can also be sent to exhaust the IP address
range more quickly.

Some of the more useful fields: * DHCP Server (the address of the server that responded) * Subnet
Mask * Router * DNS Servers * Hostname


SYNTAX:

requests:  Set to an integer to make up to  that many requests (and display the results). 



randomize_mac:  Set to 'true' or '1' to  send a random MAC address with
the request (keep in mind that you may  not see the response). This should 
cause the router to reserve a new  IP address each time.


dhcptype:  The type of DHCP request to make. By default,  DHCPINFORM is sent, but this
argument can change it to DHCPOFFER,  DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, 
DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers,
and many require different fields to contain specific values.";

if(description)
{
    script_id(803568);
    script_version("$Revision: 7000 $");
    script_tag(name:"cvss_base", value:"0.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
    script_tag(name:"last_modification", value:"$Date: 2017-08-24 13:51:46 +0200 (Thu, 24 Aug 2017) $");
    script_tag(name:"creation_date", value:"2013-02-28 19:00:57 +0530 (Thu, 28 Feb 2013)");
    script_name("Nmap NSE 6.01: dhcp-discover");


    script_category(ACT_ATTACK);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE");

    script_add_preference(name:"requests", value:"", type:"entry");
    script_add_preference(name:"randomize_mac", value:"", type:"entry");
    script_add_preference(name:"dhcptype", value:"", type:"entry");

    script_dependencies("toolcheck.nasl");
    script_mandatory_keys("Tools/Present/nmap6.01");
    script_mandatory_keys("Tools/Launch/nmap_nse");

    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}



# Get the preferences
i = 0;
## DHCP Port
port = 67;

pref = script_get_preference("requests");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'requests', '=', pref, '"');
}
pref = script_get_preference("randomize_mac");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'randomize_mac', '=', pref, '"');
}
pref = script_get_preference("dhcptype");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'dhcptype', '=', pref, '"');
}

argv = make_list("nmap", "-sU", "--script=dhcp-discover.nse", "-p", port,
                  get_host_ip());

if(i > 0)
{
  scriptArgs= "--script-args=";
  foreach arg(args) {
    scriptArgs += arg + ",";
  }
  argv = make_list(argv,scriptArgs);
}

## Run nmap and Get the Result
res = pread(cmd: "nmap", argv: argv);

if(res)
{
  foreach line (split(res))
  {
    if(ereg(pattern:"^\|",string:line)) {
      result +=  substr(chomp(line),2) + '\n';
    }

    error = eregmatch(string:line, pattern:"^nmap: (.*)$");
    if (error) {
      msg = string('Nmap command failed with following error message:\n', line);
      log_message(data : msg, port:port);
    }
  }

  if("dhcp-discover" >< result) {
    msg = string('Result found by Nmap Security Scanner (dhcp-discover.nse) ',
                'http://nmap.org:\n\n', result);
    log_message(data : msg, port:port);
  }
}
else
{
  msg = string('Nmap command failed entirely:\n', 'nmap ', argv);
  log_message(data: msg, port:port);
}