Allow broadcast-dhcp-discover to receive more than 1 response. Fixes #1908

2025-12-06 04:31:29 +00:00 · 2020-02-05 18:32:14 +00:00
parent 688f8b6f76
commit f15fc6bb78
1 changed files with 29 additions and 29 deletions
--- a/scripts/broadcast-dhcp-discover.nse
+++ b/scripts/broadcast-dhcp-discover.nse
@@ -32,6 +32,8 @@ The script needs to be run as a privileged user, typically root.
 --
 -- @output
 -- | broadcast-dhcp-discover:
+-- |   Response 1 of 1:
+-- |     Interface: wlp1s0
 -- |     IP Offered: 192.168.1.114
 -- |     DHCP Message Type: DHCPOFFER
 -- |     Server Identifier: 192.168.1.1
@@ -42,6 +44,8 @@ The script needs to be run as a privileged user, typically root.
 -- |_    Domain Name: localdomain
 --
 -- @xmloutput
+-- <table key="Response 1 of 1:">
+--   <elem key="Interface">wlp1s0</elem>
 --   <elem key="IP Offered">192.168.1.114</elem>
 --   <elem key="DHCP Message Type">DHCPOFFER</elem>
 --   <elem key="Server Identifier">192.168.1.1</elem>
@@ -50,6 +54,7 @@ The script needs to be run as a privileged user, typically root.
 --   <elem key="Router">192.168.1.1</elem>
 --   <elem key="Domain Name Server">192.168.1.1</elem>
 --   <elem key="Domain Name">localdomain</elem>
+-- </table>
 --
 -- @args broadcast-dhcp-discover.mac  Set to <code>random</code> or a specific
 --                client MAC address in the DHCP request. "DE:AD:C0:DE:CA:FE"
@@ -110,20 +115,15 @@ end
 -- @param timeout number of ms to wait for a response
 -- @param xid the DHCP transaction id
 -- @param result a table to which the result is written
-local function dhcp_listener(sock, timeout, xid, result)
+local function dhcp_listener(sock, iface, timeout, xid, result)
  local condvar = nmap.condvar(result)

-  sock:set_timeout(100)

  local start_time = nmap.clock_ms()
-  while( nmap.clock_ms() - start_time < timeout ) do
+  local now = start_time
+  while( now - start_time < timeout ) do
+    sock:set_timeout(timeout - (now - start_time))
    local status, _, _, data = sock:pcap_receive()
-    -- abort, once another thread has picked up our response
-    if ( #result > 0 ) then
-      sock:close()
-      condvar "signal"
-      return
-    end

    if ( status ) then
      local p = packet.Packet:new( data, #data )
@@ -131,13 +131,12 @@ local function dhcp_listener(sock, timeout, xid, result)
        local data = data:sub(p.udp_offset + 9)
        local status, response = dhcp.dhcp_parse(data, xid)
        if ( status ) then
+          response.iface = iface
          table.insert( result, response )
-          sock:close()
-          condvar "signal"
-          return
        end
      end
    end
+    now = nmap.clock_ms()
  end
  sock:close()
  condvar "signal"
@@ -195,7 +194,7 @@ action = function()
    local sock, co
    sock = nmap.new_socket()
    sock:pcap_open(iface, 1500, false, "ip && udp && port 68")
-    co = stdnse.new_thread( dhcp_listener, sock, timeout, transaction_id, result )
+    co = stdnse.new_thread( dhcp_listener, sock, iface, timeout, transaction_id, result )
    threads[co] = true
  end

@@ -223,6 +222,7 @@ action = function()
  for i, r in ipairs(result) do
    local result_table = stdnse.output_table()

+    result_table["Interface"] = r.iface
    result_table["IP Offered"] = r.yiaddr_str
    for _, v in ipairs(r.options) do
      if(type(v.value) == 'table') then