This page looks best with JavaScript enabled

Discover DHCP servers with Nmap

 ·  🎃 kr0m

Nmap is a great port scanner, it has many scanning options that allow us to adapt to different network scenarios but it also incorporates a scripting system with which it is possible to develop plugins, Nmap already brings some of these scripts by default, including the DHCP server scanning one.

We just have to install Nmap:

pkg install nmap

And finally execute the script indicating the network interface:

nmap –script broadcast-dhcp-discover -e em0

Starting Nmap 7.91 ( ) at 2021-04-07 22:41 CEST  
Pre-scan script results:  
| broadcast-dhcp-discover:   
|   Response 1 of 1:   
|     Interface: em0  
|     IP Offered:  
|     DHCP Message Type: DHCPOFFER  
|     Server Identifier:  
|     IP Address Lease Time: 49710d06h28m15s  
|     Subnet Mask:  
|     Router:  
|     Domain Name:
|_    Domain Name Server:  
WARNING: No targets were specified, so 0 hosts scanned.  
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.13 seconds

A really useful command is to detect the requests that arrive at our DHCP server, in this example we are going to filter by the MAC 00cafe00cafe.

tcpdump -i em0 -vvv -s 1500 ‘((port 67 or port 68) and (udp[38:4] = 0x00cafe00cafe))’

If you liked the article, you can treat me to a RedBull here