Nmap NSE 6.01: dhcp-discover

🗓️ 28 Feb 2013 00:00:00Reported by NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbHType
Nmap NSE 6.01: dhcp-discover Sends DHCPINFORM request to obtain local configuration parameters without new address allocation
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap6_dhcp_discover.nasl 7000 2017-08-24 11:51:46Z teissa $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: Ron Bowes
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration
parameters without allocating a new address.

DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating
an IP address. The request sends a list of which fields it wants to know (a handful by default,
every field if verbosity is turned on), and the server responds with the fields that were requested.
It should be noted that the server doesn't have to return every field, nor does it have to return
them in the same order, or honour the request at all. A Linksys WRT54g, for example, completely
ignores the list of requested fields and returns a few standard ones. This script displays every
field it receives.

With script arguments, the type of DHCP request can be changed, which can lead to interesting
results.  Additionally, the MAC address can be randomized, which in should override the cache on the
DHCP server and assign a new IP address. Extra requests can also be sent to exhaust the IP address
range more quickly.

Some of the more useful fields: * DHCP Server (the address of the server that responded) * Subnet
Mask * Router * DNS Servers * Hostname


SYNTAX:

requests:  Set to an integer to make up to  that many requests (and display the results). 



randomize_mac:  Set to 'true' or '1' to  send a random MAC address with
the request (keep in mind that you may  not see the response). This should 
cause the router to reserve a new  IP address each time.


dhcptype:  The type of DHCP request to make. By default,  DHCPINFORM is sent, but this
argument can change it to DHCPOFFER,  DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, 
DHCPRELEASE or DHCPINFORM. Not all types will evoke a response from all servers,
and many require different fields to contain specific values.";

if(description)
{
    script_id(803568);
    script_version("$Revision: 7000 $");
    script_tag(name:"cvss_base", value:"0.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
    script_tag(name:"last_modification", value:"$Date: 2017-08-24 13:51:46 +0200 (Thu, 24 Aug 2017) $");
    script_tag(name:"creation_date", value:"2013-02-28 19:00:57 +0530 (Thu, 28 Feb 2013)");
    script_name("Nmap NSE 6.01: dhcp-discover");


    script_category(ACT_ATTACK);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE");

    script_add_preference(name:"requests", value:"", type:"entry");
    script_add_preference(name:"randomize_mac", value:"", type:"entry");
    script_add_preference(name:"dhcptype", value:"", type:"entry");

    script_dependencies("toolcheck.nasl");
    script_mandatory_keys("Tools/Present/nmap6.01");
    script_mandatory_keys("Tools/Launch/nmap_nse");

    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}



# Get the preferences
i = 0;
## DHCP Port
port = 67;

pref = script_get_preference("requests");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'requests', '=', pref, '"');
}
pref = script_get_preference("randomize_mac");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'randomize_mac', '=', pref, '"');
}
pref = script_get_preference("dhcptype");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'dhcptype', '=', pref, '"');
}

argv = make_list("nmap", "-sU", "--script=dhcp-discover.nse", "-p", port,
                  get_host_ip());

if(i > 0)
{
  scriptArgs= "--script-args=";
  foreach arg(args) {
    scriptArgs += arg + ",";
  }
  argv = make_list(argv,scriptArgs);
}

## Run nmap and Get the Result
res = pread(cmd: "nmap", argv: argv);

if(res)
{
  foreach line (split(res))
  {
    if(ereg(pattern:"^\|",string:line)) {
      result +=  substr(chomp(line),2) + '\n';
    }

    error = eregmatch(string:line, pattern:"^nmap: (.*)$");
    if (error) {
      msg = string('Nmap command failed with following error message:\n', line);
      log_message(data : msg, port:port);
    }
  }

  if("dhcp-discover" >< result) {
    msg = string('Result found by Nmap Security Scanner (dhcp-discover.nse) ',
                'http://nmap.org:\n\n', result);
    log_message(data : msg, port:port);
  }
}
else
{
  msg = string('Nmap command failed entirely:\n', 'nmap ', argv);
  log_message(data: msg, port:port);
}
24 Aug 2017 00:00Current
0.4Low risk
Vulners AI Score0.4