
o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request to query
DHCP servers instead of DHCPDISCOVER. Cleaned up some code in the DHCP
library. [Patrik]
This commit is contained in:
patrik
2011-12-27 18:48:34 +00:00
parent b085ba0283
commit 07e0426629
3 changed files with 41 additions and 58 deletions


@@ -1,23 +1,18 @@
description = [[
Sends a DHCPDISCOVER request to a host on UDP port 67. The response
comes back to UDP port 68, and
is read using pcap (due to the inability for a script to choose its source port at the moment).
Sends a DHCPINFORM request to a host on UDP port 67 to obtain all the local configuration parameters
without allocating a new address.
DHCPDISCOVER is a DHCP request that returns useful information from a DHCP server. The request sends
a list of which fields it wants to know (a handful by default, every field if verbosity is turned on), and
the server responds with the fields that were requested. It should be noted that the server doesn't have
to return every field, nor does it have to return them in the same order, or honour the request at
all. A Linksys WRT54g, for example, completely ignores the list of requested fields and returns a few
standard ones. This script displays every field it receives.
DHCPINFORM is a DHCP request that returns useful information from a DHCP server, without allocating an IP
address. The request sends a list of which fields it wants to know (a handful by default, every field if
verbosity is turned on), and the server responds with the fields that were requested. It should be noted
that the server doesn't have to return every field, nor does it have to return them in the same order,
or honour the request at all. A Linksys WRT54g, for example, completely ignores the list of requested
fields and returns a few standard ones. This script displays every field it receives.
With script arguments, the type of DHCP request can be changed, which can lead to interesting results.
Additionally, the MAC address can be randomized, which should override the cache on the DHCP server and
Additionally, the MAC address can be randomized, which in should override the cache on the DHCP server and
assign a new IP address. Extra requests can also be sent to exhaust the IP address range more quickly.
DHCPINFORM is another type of DHCP request that requests the same information, but doesn't reserve
an address. Unfortunately, because many home routers simply ignore DHCPINFORM requests, we opted
to use DHCPDISCOVER instead.
Some of the more useful fields:
* DHCP Server (the address of the server that responded)
* Subnet Mask
@@ -76,19 +71,7 @@ function portrule(host, port)
return shortport.portnumber(67, "udp")(host, port)
end
-- We will want to run as a prerule any time
--prerule = function()
-- return true
--end
local function go(host, port)
-- Set up a fake host for prerule
if(not(host)) then
host = {}
host.mac_addr_src = string.char(0xFF) .. string.char(0xFF) .. string.char(0xFF) .. string.char(0xFF) .. string.char(0xFF) .. string.char(0xFF)
host.ip = "255.255.255.255"
host.interface = "eth0" -- TODO: I'd like to have a better way of doing this
end
-- Create fake requests if the user asked to. These are fired and forgotten, we ignore the responses.
if(nmap.registry.args.fake_requests) then
@@ -122,7 +105,7 @@ local function go(host, port)
local results = {}
for i = 1, requests, 1 do
-- Decide which type of request to make
local request_type = dhcp.request_types[nmap.registry.args.dhcptype or "DHCPDISCOVER"]
local request_type = dhcp.request_types[nmap.registry.args.dhcptype or "DHCPINFORM"]
if(request_type == nil) then
return false, "Valid request types: " .. stdnse.strjoin(", ", dhcp.request_types_str)
end
@@ -136,12 +119,16 @@ local function go(host, port)
mac_addr = mac_addr .. string.char(math.random(1, 255))
end
end
-- Receive the result
local status, result = dhcp.make_request(host.ip, host.interface, request_type, "0.0.0.0", mac_addr)
if(status == false) then
local iface, err = nmap.get_interface_info(host.interface)
if ( not(iface) or not(iface.address) ) then
return false, "Couldn't determine local ip for interface: " .. host.interface
end
local status, result = dhcp.make_request(host.ip, host.interface, request_type, iface.address, mac_addr)
if( not(status) ) then
stdnse.print_debug(1, "dhcp-discover: Couldn't send DHCP request: %s", result)
return false, "Couldn't send DHCP request: " .. result
return false, result
end
table.insert(results, result)
@@ -174,7 +161,10 @@ action = function(host, port)
for i, result in ipairs(results) do
local result_table = {}
table.insert(result_table, string.format("IP Offered: %s", result.yiaddr_str))
if ( nmap.registry.args.dhcptype and
"DHCPINFORM" ~= nmap.registry.args.dhcptype ) then
table.insert(result_table, string.format("IP Offered: %s", result.yiaddr_str))
end
for _, v in ipairs(result.options) do
if(type(v['value']) == 'table') then
table.insert(result_table, string.format("%s: %s", v['name'], stdnse.strjoin(", ", v['value'])))