Re: [NSE] Changes to dhcp-discover and dhcp.lua
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 29 Dec 2011 09:19:12 +0100
I absolutely agree with separating the DoS function into another script.
Running anything that mentions DoS in my environment brings the wrath of
management down on me. I would also like to throw in my vote for
re-supporting as many variations as possible. I think that getting
information of all kinds from a network is one of Nmap's strengths.
I spent way too much time on this yesterday and failed to successfully
implement the new DoS script.
I can't even get it to work with the old script, the reason being that
according to RFC 2131 the IP address is not allocated until the server
accepts the DHCPREQUEST request. In the old script this request is never
being sent, but I guess poorly implemented DHCP servers could be exhausted
just by running DHCPDISCOVER. In my case what happens is that the IPs
simply get recycled and not allocated. The next problem is that my two DHCP
servers (one running on Ubuntu dnsmasq and another running in my
TimeCapsule) fail to accept my DHCPREQUEST as it's not coming from 0.0.0.0
as stated in section 4.1 of the RFC:
"DHCP messages broadcast by a client prior to that client obtaining its IP
address must have the source address field in the IP header set to 0."
I tried to get this working by using the raw ip_send code but as soon as I
put source address 0.0.0.0 in it falls back to my current address. Using
0.0.0.1 works though, so I'm not sure what's wrong.
Anyway, I removed the DoS code from dhcp-discover and changed it to be in
the safe and discover categories and pretty much gave up on the dhcp-dos
script. If anyone can figure out how to send packets from 0.0.0.0 please
let me know, otherwise I'm adding this to the bottom of my todo list.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
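The two protocol points in the message above (an offer is not an allocation until the server acknowledges a DHCPREQUEST, and a client without an address must send from 0.0.0.0 per RFC 2131 section 4.1) are modelled below as an added Python example. It is not part of the original post and not Nmap's dhcp.lua or dhcp-discover code; the message objects, the `DhcpServer` class and the helper functions are a hypothetical simplification that uses plain Python values instead of the real BOOTP wire format, and it only covers the initial exchange of a client that has no address yet (lease renewal, where a client legitimately sends from its own address, is out of scope).

```python
"""Toy model of the RFC 2131 DISCOVER/OFFER/REQUEST/ACK exchange.

Added illustration, not Nmap/NSE code. Messages are plain Python objects
(a hypothetical simplification), not real BOOTP/DHCP packets.
"""
from dataclasses import dataclass


@dataclass
class DhcpMessage:
    msg_type: str               # "DHCPDISCOVER" or "DHCPREQUEST"
    chaddr: str                 # client hardware (MAC) address
    src_ip: str                 # source address in the IP header
    requested_ip: str = ""      # option 50, only meaningful in DHCPREQUEST


class DhcpServer:
    """Commits an address only on DHCPREQUEST, as RFC 2131 section 3.1 describes."""

    def __init__(self, pool):
        self.pool = list(pool)      # all addresses this server may hand out
        self.offered = {}           # chaddr -> ip, tentative, may be recycled
        self.leased = {}            # chaddr -> ip, committed by DHCPACK

    def free_addresses(self):
        """Addresses not bound to a lease; outstanding offers do not count."""
        return [ip for ip in self.pool if ip not in self.leased.values()]

    def handle(self, msg):
        # RFC 2131 section 4.1: a client that has no address yet must broadcast
        # with IP source 0.0.0.0. This toy server, like the ones in the post,
        # drops anything else during the initial exchange.
        if msg.src_ip != "0.0.0.0":
            return ("DROPPED", None)
        if msg.msg_type == "DHCPDISCOVER":
            return self._discover(msg)
        if msg.msg_type == "DHCPREQUEST":
            return self._request(msg)
        return ("DROPPED", None)

    def _discover(self, msg):
        if msg.chaddr in self.leased:                   # known client: re-offer its lease
            return ("DHCPOFFER", self.leased[msg.chaddr])
        busy = set(self.leased.values()) | set(self.offered.values())
        candidates = [ip for ip in self.pool if ip not in busy]
        if candidates:
            ip = candidates[0]
        else:
            # No untouched address left: recycle the oldest outstanding offer.
            # An offer is not an allocation, so DISCOVER alone never drains the pool.
            oldest = next(iter(self.offered))
            ip = self.offered.pop(oldest)
        self.offered[msg.chaddr] = ip
        return ("DHCPOFFER", ip)

    def _request(self, msg):
        ip = self.offered.get(msg.chaddr)
        # The lease is committed only if the client asks for what it was offered.
        if ip is None or msg.requested_ip != ip:
            return ("DHCPNAK", None)
        del self.offered[msg.chaddr]
        self.leased[msg.chaddr] = ip
        return ("DHCPACK", ip)


def discover_only(server, clients):
    """Send DHCPDISCOVER from each client and never follow up with DHCPREQUEST."""
    return [server.handle(DhcpMessage("DHCPDISCOVER", c, "0.0.0.0")) for c in clients]


def full_exchange(server, chaddr):
    """Complete DISCOVER -> OFFER -> REQUEST -> ACK for one client."""
    kind, ip = server.handle(DhcpMessage("DHCPDISCOVER", chaddr, "0.0.0.0"))
    if kind != "DHCPOFFER":
        return (kind, None)
    return server.handle(DhcpMessage("DHCPREQUEST", chaddr, "0.0.0.0", requested_ip=ip))


if __name__ == "__main__":
    # Constructed sample: a two-address pool and three clients that only DISCOVER.
    srv = DhcpServer(["10.0.0.10", "10.0.0.11"])
    print(discover_only(srv, ["aa:1", "aa:2", "aa:3"]))   # offers recycle, nothing leased
    print(srv.free_addresses())                           # both addresses still free
    print(full_exchange(srv, "bb:1"))                     # REQUEST is what commits a lease
    print(srv.handle(DhcpMessage("DHCPDISCOVER", "cc:1", "10.0.0.5")))  # dropped: wrong source
```

Running the module shows the behaviour Patrik saw on dnsmasq: any number of DISCOVERs from distinct hardware addresses only rotate offers, `free_addresses()` never shrinks until a matching DHCPREQUEST arrives, and a message that does not come from 0.0.0.0 is discarded before the state machine even looks at it.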