Nmap broadcast-dhcp-discover NSE Script


This page contains detailed information about how to use the broadcast-dhcp-discover NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/broadcast-dhcp-discover.nse
Script categories: broadcast, safe
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Script Description


The broadcast-dhcp-discover.nse script sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. By default, the script uses a static MAC address (DE:AD:C0:DE:CA:FE) in order to prevent IP pool exhaustion.

The script reads the response using pcap by opening a listening pcap socket on all available ethernet interfaces that are reported up. If no response has been received before the timeout has been reached (default 10 seconds) the script will abort execution.

The script needs to be run as a privileged user, typically root.

Broadcast-dhcp-discover NSE Script Arguments


This is a full list of arguments supported by the broadcast-dhcp-discover.nse script:

broadcast-dhcp-discover.mac

Set to "random" or to a specific client MAC address to use in the DHCP request. "DE:AD:C0:DE:CA:FE" is used by default. Setting it to random may cause the DHCP server to reserve a new IP address each time.

broadcast-dhcp-discover.timeout

Time in seconds to wait for a response (default: 10s)

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=broadcast-dhcp-discover --script-args broadcast-dhcp-discover.mac=value,broadcast-dhcp-discover.timeout=value <target>

Broadcast-dhcp-discover NSE Script Example Usage


Here's an example of how to use the broadcast-dhcp-discover.nse script:

sudo nmap --script broadcast-dhcp-discover

Broadcast-dhcp-discover NSE Script Example Output


Here's a sample output from the broadcast-dhcp-discover.nse script:

| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: wlp1s0
|     IP Offered: 192.168.1.114
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1 day, 0:00:00
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: localdomain

Broadcast-dhcp-discover NSE Script Example XML Output


Here's a sample XML output from the broadcast-dhcp-discover.nse script produced by providing the -oX <file> Nmap option:

 <table key="Response 1 of 1:">
   <elem key="Interface">wlp1s0</elem>
   <elem key="IP Offered">192.168.1.114</elem>
   <elem key="DHCP Message Type">DHCPOFFER</elem>
   <elem key="Server Identifier">192.168.1.1</elem>
   <elem key="IP Address Lease Time">1 day, 0:00:00</elem>
   <elem key="Subnet Mask">255.255.255.0</elem>
   <elem key="Router">192.168.1.1</elem>
   <elem key="Domain Name Server">192.168.1.1</elem>
   <elem key="Domain Name">localdomain</elem>
 </table>
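
The following is an added example, not part of the original page or the Nmap project: it parses the script's XML output and flags DHCP offers whose Server Identifier is not on a list of authorized servers, which is a common way to check a segment for unexpected DHCP servers. The wrapping `<prescript>`/`<script>` elements, the second response and the allowlist are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <table> from the page's XML output wrapped in the
# <prescript>/<script> elements assumed for pre-rule script output, plus a
# second, made-up response from a server that is not on the allowlist.
SAMPLE_XML = """<nmaprun>
<prescript><script id="broadcast-dhcp-discover" output="">
 <table key="Response 1 of 2:">
   <elem key="Interface">wlp1s0</elem>
   <elem key="IP Offered">192.168.1.114</elem>
   <elem key="DHCP Message Type">DHCPOFFER</elem>
   <elem key="Server Identifier">192.168.1.1</elem>
   <elem key="Router">192.168.1.1</elem>
   <elem key="Domain Name Server">192.168.1.1</elem>
 </table>
 <table key="Response 2 of 2:">
   <elem key="Interface">wlp1s0</elem>
   <elem key="IP Offered">192.168.1.201</elem>
   <elem key="DHCP Message Type">DHCPOFFER</elem>
   <elem key="Server Identifier">192.168.1.66</elem>
   <elem key="Router">192.168.1.66</elem>
   <elem key="Domain Name Server">192.168.1.66</elem>
 </table>
</script></prescript>
</nmaprun>"""

def parse_offers(xml_text):
    """Return one dict per DHCP response table in the script output."""
    offers = []
    for script in ET.fromstring(xml_text).iter("script"):
        if script.get("id") != "broadcast-dhcp-discover":
            continue
        for table in script.findall("table"):
            offers.append({e.get("key"): (e.text or "").strip()
                           for e in table.findall("elem")})
    return offers

def unexpected_servers(offers, authorized):
    """Offers whose Server Identifier is missing or not on the allowlist."""
    return [o for o in offers if o.get("Server Identifier") not in authorized]

if __name__ == "__main__":
    AUTHORIZED = {"192.168.1.1"}  # assumption: site-specific allowlist
    for o in unexpected_servers(parse_offers(SAMPLE_XML), AUTHORIZED):
        print("unauthorized DHCP offer:", o.get("Server Identifier"),
              "router", o.get("Router"), "dns", o.get("Domain Name Server"))
```
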

Author


  • Patrik Karlsson


Error Messages


The broadcast-dhcp-discover.nse script may fail with the following error messages. To find the possible causes, check the code snippets below, which are taken from the script source code. This often helps in identifying the root cause of the problem.

Invalid MAC address


Here is a relevant code snippet related to the "Invalid MAC address" error message:

  if macaddr:find("^ra?nd") then
    macaddr = rand.random_string(6)
  else
    macaddr = macaddr:gsub(":", "")
    if not (#macaddr == 12 and macaddr:find("^%x+$")) then
      return stdnse.format_output(false, "Invalid MAC address")
    end
    macaddr = stdnse.fromhex(macaddr)
  end

  local interfaces

Failed to retrieve interfaces (try setting one explicitly using -e)


Here is a relevant code snippet related to the "Failed to retrieve interfaces (try setting one explicitly using -e)" error message:

    -- our packet went out on, so lets get a list of all interfaces and
    -- run pcap on all of them, if they're a) up and b) ethernet.
    interfaces = getInterfaces("ethernet", "up")
  end

  if( not(interfaces) ) then return fail("Failed to retrieve interfaces (try setting one explicitly using -e)") end

  local transaction_id = string.pack("<I4", math.random(0, 0x7FFFFFFF))
  local request_type = dhcp.request_types["DHCPDISCOVER"]
  local ip_address = ipOps.ip_to_str("0.0.0.0")

Failed to build packet


Here is a relevant code snippet related to the "Failed to build packet" error message:

  local ip_address = ipOps.ip_to_str("0.0.0.0")

  -- we need to set the flags to broadcast
  local request_options, overrides, lease_time = nil, { flags = 0x8000 }, nil
  local status, packet = dhcp.dhcp_build(request_type, ip_address, macaddr, nil, request_options, overrides, lease_time, transaction_id)
  if (not(status)) then return fail("Failed to build packet") end

  local threads = {}
  local result = {}
  local condvar = nmap.condvar(result)

Version


This page has been created based on Nmap version 7.92.
