
Discover DHCP servers with Nmap

 ·  🎃 kr0m

Nmap is a great port scanner. It has many scanning options that let us adapt to different network scenarios, but it also incorporates a scripting engine with which plugins can be developed. Nmap already ships with a number of these scripts by default, including one for discovering DHCP servers.

We just have to install Nmap:

pkg install nmap

Then run the script, specifying the network interface:

nmap --script broadcast-dhcp-discover -e em0

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 22:41 CEST  
Pre-scan script results:  
| broadcast-dhcp-discover:   
|   Response 1 of 1:   
|     Interface: em0  
|     IP Offered: 192.168.69.205  
|     DHCP Message Type: DHCPOFFER  
|     Server Identifier: 192.168.69.200  
|     IP Address Lease Time: 49710d06h28m15s  
|     Subnet Mask: 255.255.255.0  
|     Router: 192.168.69.200  
|     Domain Name: alfaexploit.com
|_    Domain Name Server: 192.168.69.200  
WARNING: No targets were specified, so 0 hosts scanned.  
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.13 seconds

Another really useful command is one that shows the requests arriving at our DHCP server. In this example we filter by the client MAC 00cafe00cafe, which lives in the chaddr field of the DHCP message: chaddr starts at payload offset 28, so counting the 8-byte UDP header it is udp[36], and since BPF can only compare up to 4 bytes at a time the 6-byte address is matched in two pieces:

tcpdump -i em0 -vvv -s 1500 '((port 67 or port 68) and (udp[36:4] = 0x00cafe00 and udp[40:2] = 0xcafe))'
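As an added example (not code from the original post), the following Python parses a DHCP message and pulls out the same fields the Nmap script printed above (message type, server identifier, lease time, subnet mask, router, domain name, DNS), flags an offer whose Server Identifier is not on an allow-list (a simple rogue-DHCP check), and uses the same chaddr offset the tcpdump filter relies on. The DHCPOFFER it parses is constructed inline with the values shown above; the field names and the allow-list are my own choices.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
def ip(b): return str(IPv4Address(bytes(b[:4])))
OPTIONS = {  # option code -> (field name, decoder); the fields nmap printed above
    53: ("message_type", lambda v: MSG_TYPES.get(v[0], v[0])),
    54: ("server_id", ip), 1: ("subnet_mask", ip), 3: ("router", ip),
    51: ("lease_time", lambda v: struct.unpack("!I", v)[0]),
    15: ("domain_name", lambda v: v.decode()),
    6: ("dns", lambda v: [ip(v[i:i + 4]) for i in range(0, len(v), 4)]),
}

def parse_dhcp(payload: bytes) -> dict:
    """Parse one DHCP message given as the UDP payload (what BPF's udp[8] starts at)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    # chaddr sits at payload offset 28, i.e. udp[36] once the 8-byte UDP header is counted
    info = {"op": op, "xid": xid, "chaddr": payload[28:28 + hlen].hex(":"),
            "yiaddr": ip(payload[16:20])}
    i = 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options until END (255)
        code = payload[i]
        if code == 0:                                 # PAD has no length byte
            i += 1
            continue
        length, value = payload[i + 1], payload[i + 2:i + 2 + payload[i + 1]]
        if code in OPTIONS:
            name, decode = OPTIONS[code]
            info[name] = decode(value)
        i += 2 + length
    return info

def unexpected_server(info: dict, allowed: set) -> bool:
    """True for a DHCPOFFER whose Server Identifier is not on the allow-list (rogue-server check)."""
    return info.get("message_type") == "DHCPOFFER" and info.get("server_id") not in allowed

def build_offer(client_mac: bytes, server: str, offered: str) -> bytes:
    """Constructed DHCPOFFER carrying the same values as the nmap output above (test input)."""
    srv = IPv4Address(server).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)      # op=BOOTREPLY, hlen=6
    hdr += bytes(4) + IPv4Address(offered).packed + bytes(8)               # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac.ljust(16, b"\0") + bytes(192)                        # chaddr(16), sname(64), file(128)
    opts = (b"\x35\x01\x02" + b"\x36\x04" + srv + b"\x33\x04\xff\xff\xff\xff"  # type, server id, lease
            + b"\x01\x04\xff\xff\xff\x00" + b"\x03\x04" + srv                   # mask, router
            + b"\x0f\x0falfaexploit.com" + b"\x06\x04" + srv + b"\xff")        # domain, dns, END
    return hdr + DHCP_MAGIC + opts
```

The lease value 0xffffffff is the 49710d06h28m15s shown in the Nmap output, i.e. an infinite lease.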
