nmap dhcp-discover script broken

Bug #1470343 reported by SBroker
This bug affects 2 people
Affects: nmap (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

Steps to reproduce:

Log in as root.

# nmap -sU -p 67 -v -d -PN --script=dhcp-discover <a dhcp server>

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-01 07:21 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
mass_rdns: Using DNS server 192.168.0.1
Initiating Parallel DNS resolution of 1 host. at 07:21
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 07:21, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating UDP Scan at 07:21
Scanning 192.168.166.2 [1 port]
Packet capture filter (device lo): dst host 192.168.166.2 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.166.2)))
Completed UDP Scan at 07:21, 2.03s elapsed (1 total ports)
Overall sending rates: 0.98 packets / s, 27.56 bytes / s.
NSE: Script scanning 192.168.166.2.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting dhcp-discover against 192.168.166.2:67.
Initiating NSE at 07:21
NSE: dhcp-discover against 192.168.166.2:67 threw an error!
/usr/bin/../share/nmap/nselib/dhcp.lua:449: attempt to get length of local 'mac_address' (a nil value)
stack traceback:
 /usr/bin/../share/nmap/nselib/dhcp.lua:449: in function 'dhcp_build'
 /usr/bin/../share/nmap/nselib/dhcp.lua:623: in function 'make_request'
 /usr/bin/../share/nmap/scripts/dhcp-discover.nse:108: in function 'go'
 /usr/bin/../share/nmap/scripts/dhcp-discover.nse:122: in function </usr/bin/../share/nmap/scripts/dhcp-discover.nse:121>
 (...tail calls...)

Completed NSE at 07:21, 0.00s elapsed
Nmap scan report for 192.168.166.2
Host is up, received user-set.
Scanned at 2015-07-01 07:21:45 CEST for 2s
PORT STATE SERVICE REASON
67/udp open|filtered dhcps no-response

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
           Raw packets sent: 2 (56B) | Rcvd: 2 (56B)

Expected behaviour: nmap should report some details regarding the scanned DHCP server.

4b1d (4b1d) wrote :

+1

Robie Basak (racb)
Changed in nmap (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nmap (Ubuntu):
status: New → Confirmed
Gordon Mckeown (thefluffyone) wrote :

A workaround, provided you don't require the source MAC address to be correct for the executing machine:

nmap -sU -p 67 --script=dhcp-discover --script-args=randomize_mac=true <target-server>

Depending on your use case, an alternative could be to use the broadcast DHCP script:

nmap --script=broadcast-dhcp-discover

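An added example, written here in Python rather than Lua so it runs stand-alone; it is not code from nmap's dhcp.lua or dhcp-discover.nse. It builds the same kind of DHCPDISCOVER the script sends, fails with a clear error when no client MAC address is available (the nil `mac_address` behind the traceback in the report), and falls back to a random locally administered MAC when asked, which is what the `randomize_mac` workaround does. It also parses the DHCPOFFER fields a discovery script reports. The offer it parses is constructed sample data, and the 192.0.2.0/24 addresses, option choices and function names are assumptions, not taken from nmap.

```python
# Added example (not nmap's dhcp.lua / dhcp-discover.nse): DHCPDISCOVER
# builder with an explicit MAC check, and a parser for the DHCPOFFER reply.
import os
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_PARAM_REQUEST_LIST = 55
OPT_LEASE_TIME = 51
OPT_END = 255
DHCPDISCOVER = 1
DHCPOFFER = 2
# BOOTP fixed header (RFC 2131): op htype hlen hops xid secs flags
# ciaddr yiaddr siaddr giaddr chaddr(16) sname(64) file(128) = 236 bytes
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def random_mac():
    """Random unicast, locally administered MAC: set the local bit (0x02)
    and clear the multicast bit (0x01) of the first octet."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return bytes(octets)


def build_dhcp_discover(mac_address, xid=0x3903F326, randomize_mac=False):
    """Build a DHCPDISCOVER. mac_address is the 6-byte client hardware
    address, or None when the sending interface has none (loopback, say).
    The original bug took len() of the MAC before checking it existed;
    here the None case is handled before any length is taken."""
    if mac_address is None:
        if not randomize_mac:
            raise ValueError("no client MAC address available; "
                             "pass randomize_mac=True to use a random one")
        mac_address = random_mac()
    if len(mac_address) != 6:
        raise ValueError("chaddr must be 6 bytes for htype=1 (Ethernet)")
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,        # transaction id, secs, flags: broadcast reply
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac_address.ljust(16, b"\0"),                 # chaddr, padded to 16
        b"\0" * 64, b"\0" * 128,                      # sname, file
    )
    options = DHCP_MAGIC_COOKIE
    options += bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
    # ask for subnet mask, router, DNS servers, domain name (assumed list)
    options += bytes([OPT_PARAM_REQUEST_LIST, 4, 1, 3, 6, 15])
    options += bytes([OPT_END])
    return header + options


def parse_dhcp(packet):
    """Parse the header fields a discovery script reports plus the option
    TLVs. Pad (0) has no length byte; end (255) stops parsing."""
    op, htype, hlen = struct.unpack_from("!BBB", packet, 0)
    (xid,) = struct.unpack_from("!I", packet, 4)
    yiaddr = ".".join(str(b) for b in packet[16:20])
    chaddr = packet[28:28 + hlen]
    if packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "xid": xid, "yiaddr": yiaddr,
            "chaddr": chaddr, "options": options}


def sample_offer(xid, mac_address):
    """Constructed DHCPOFFER (sample data, not a capture): server 192.0.2.1
    offers 192.0.2.50 for one day, with a pad byte to exercise the parser."""
    header = struct.pack(
        BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, bytes([192, 0, 2, 50]), bytes([192, 0, 2, 1]), b"\0" * 4,
        mac_address.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC_COOKIE
    options += bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4, 192, 0, 2, 1])
    options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
    options += bytes([0, OPT_END])
    return header + options


if __name__ == "__main__":
    discover = build_dhcp_discover(None, randomize_mac=True)
    req = parse_dhcp(discover)
    offer = parse_dhcp(sample_offer(req["xid"], req["chaddr"]))
    print("chaddr", req["chaddr"].hex(), "offered", offer["yiaddr"],
          "server", ".".join(str(b) for b in offer["options"][OPT_SERVER_ID]))
```

Calling `build_dhcp_discover(None)` without `randomize_mac=True` raises a ValueError naming the missing MAC instead of a length error deep inside the packet builder, which is the check dhcp.lua lacked at line 449 when this was filed.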
Gordon Mckeown (thefluffyone) wrote :

Btw, I actually see this issue on Raspbian Jessie, so not entirely relevant to this Ubuntu package. Nmap info:

Nmap version 6.47 ( http://nmap.org )
Platform: arm-unknown-linux-gnueabihf
Compiled with: liblua-5.2.3 openssl-1.0.1j libpcre-8.35 libpcap-1.6.2 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

I have a Trusty machine on which this works:

Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.2.3 openssl-1.0.1f libpcre-8.31 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Unable to test on Xenial at the moment as the nmap 7.01 package is currently compiled without liblua:

Nmap version 7.01 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: openssl-1.0.2f libpcre-8.38 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without: liblua
Available nsock engines: epoll poll select
