The NMAP man page for the script is here - broadcast-dhcp-discover. In these examples I am running the script on a Linux box but NMAP works on Windows/Linux/Mac.
Does the Switch have the DHCP service running?
I gave a client a static IP address and could ping the DHCP server. Wireshark showed that the client was sending a DHCP Discover but not getting an answer. So I ran nmap in broadcast discover mode:
C:\Windows\System32>nmap -sU -p67 --script broadcast-dhcp-discover
Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-15 22:26 Pacific Daylight Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 11.20 seconds
C:\Windows\System32>nmap -sU -p67 --script dhcp-discover 10.46.1.53
Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-15 22:27 Pacific Daylight Time
Nmap scan report for 10.46.1.53
Host is up (0.00s latency).
PORT STATE SERVICE
67/udp open dhcps
| dhcp-discover:
| DHCP Message Type: DHCPACK
| Server Identifier: 10.46.1.53
| Subnet Mask: 255.255.255.0
| Vendor Specific Information: \xDC\x03NAP
| Router: 10.40.109.1
| Domain Name Server: 192.168.10.221
|_ Domain Name: pu.pri
So the Layer 3 networking was correct, it looked like relay wasn't working. I wasn't able to put Wireshark on the customer's server so I couldn't verify that the DHCP Discover was getting to the server. I double checked the ip helper-address again to make sure that I hadn't fat fingered it and it was correct.
Next I ran:
sh run all | i service dhc
no service dhcp
Turns out the switch had the DHCP service disabled since it wasn't needed in the last deployment and Cisco best practice says to disable unused services.
Decommissioning a DHCP server
I was moving DHCP from a Cisco Router to a windows server recently. The customer set up the Windows server and I shut down the DHCP server on the router. But when we rebooted a couple clients got an address from another site!
I assigned the switch port that I was connected to the correct vlan, assigned a static IP and ran the script. It found the server and the scope options were wrong. It turned out to be a problem with the server that required a reboot. But the script was useful because it quickly showed that the correct server was replying with incorrect scope options.
Is there a Rogue DHCP sever on the network?
Then I opened a second terminal session, hit Enter on the first one then immediately hit Enter on the second. That seemed pretty reliable for finding both DHCP servers.
Is the DHCP Scope out of Addresses to Assign?
I typically don't have a log in to the customer's Windows Server but I do have access to the switches. To use the script in this situation you will need to connect to a port with an Ethernet cable and set the port to the correct vlan.
In this example I ran the script with a Windows Server that had an available IP address in the scope:
root@kali:~# nmap -sU -p67 --script broadcast-dhcp-discover
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 17:25 PDT
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.10.200
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 0 days, 0:30:00
| Rebinding Time Value: 0 days, 0:52:30
| IP Address Lease Time: 0 days, 1:00:00
| Server Identifier: 192.168.10.221
| Router: 192.168.10.254
| Domain Name Server: 127.0.0.1, 8.8.8.8, 208.67.222.222, 208.67.220.220
|_ Domain Name: pu.pri
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.22 seconds
root@kali:~# nmap -sU -p67 --script broadcast-dhcp-discover
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 20:35 PDT
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.27 seconds
No IP address was offered. But is it a wireless or a DHCP issue? Next we will run the NMAP DHCP-Discover script. This script doesn't use a DHCP Discover in a broadcast, it sends a DHCPINFORM in a unicast. Here are the results right after the broadcast script failed:
root@kali:~# nmap -sU -p67 --script dhcp-discover 192.168.10.221
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 21:40 PDT
Nmap scan report for 192.168.10.221
Host is up (0.00048s latency).
PORT STATE SERVICE
67/udp open dhcps
| dhcp-discover:
| DHCP Message Type: DHCPACK
| Server Identifier: 192.168.10.221
| Subnet Mask: 255.255.255.0
| Vendor Specific Information: \xDC\x03NAP
| Router: 192.168.10.254
| Domain Name Server: 127.0.0.1, 8.8.8.8, 208.67.222.222
|_ Domain Name: pu.pri
MAC Address: 00:0C:29:2C:23:E0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
So the DHCP server is up but no addresses are being offered. The NMAP man page for the script is here - dhcp-discover
ReplyDeleteIP scan 2.2.1
fastest and good scanner for ever just put IP range which thing u want its scan and give u result
http://bicombusiness.blogspot.com/2016/01/ip-scan-221.html
Hubbard On Networking: Troubleshooting Dhcp With The Nmap Broadcast-Dhcp-Discover Script >>>>> Download Now
ReplyDelete>>>>> Download Full
Hubbard On Networking: Troubleshooting Dhcp With The Nmap Broadcast-Dhcp-Discover Script >>>>> Download LINK
>>>>> Download Now
Hubbard On Networking: Troubleshooting Dhcp With The Nmap Broadcast-Dhcp-Discover Script >>>>> Download Full
>>>>> Download LINK