DHCP Discover

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

DHCP Discover

Post by nebloof » Wed Jul 18, 2012 10:55 pm

Has anyone had success writing a DHCP discovery program?

I've been fiddling with a program in C# for a few months now with the goal of discovering dhcp servers.
I'm using Winpcap/SharpPcap as the methods.

I THINK the program code is fine.
I'm able to capture DHCP packets and disassemble them to study the individual DHCP fields.

My problem is that I can't seemingly create a DHCP discover/request packet that a dhcp server would respond to (in this case my router). I'm thinking the problem is with DHCP options. The length of the packet is correct (when compared to a packet captured from ipconfig /renew). And when I look at MY custom request packet, I can disassemble it properly and see all the DHCP packet fields, and can even get correct Ethernet, IP, and UDP header lengths.

I'll post code if requested, but I'm just looking to see if anyone has had success doing this, and how did you generate a custom discover/request packet?

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Wed Jul 18, 2012 11:42 pm

Ok, well after looking at my code again, the source and destination ports were flipped.
And I was using the wrong source MAC address >_<.

I can now get a reply from my dhcp server, but I'm using DHCP options captured from a request packet issued by ipconfig /renew.

If anyone could shed some light on DHCP options, and what the bare minimum is, that would be awesome.

In the meantime, I guess I'll tinker with the options until I can figure out something that works without the data captured off of my particular network.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: DHCP Discover

Post by Cool_Fire » Thu Jul 19, 2012 5:50 pm

I've never fiddled with DHCP on such an intricate level myself, but if I were to, this is the place I'd look for my info on the protocol: http://www.ietf.org/rfc/rfc2131.txt

It should tell you everything you need to know about DHCP.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Thu Jul 19, 2012 7:11 pm

Yeah, I've studied the protocol so much now that I could tell you everything you wanted to know about DHCP lol (other than DHCP Options).

But I have a working program now, and now I just have to break down the data in DHCP options. This is in the DHCP Options section of the DHCP ACK packet I get back from the DHCP server:

35010236040A0ADC013304FFFFFFFF0104FFFFFF0003040A0ADC0106040A0ADC010F09476F6C64656E657965FF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000

In here, I see 0A0ADC01 which is 10.10.220.1.
That comes up a couple of times, so one of them is the actual IP of the server, and I think maybe the other indicates it's the gateway, but I just don't know. There's so much fluff in-between that I can't decipher because I don't know what the bytes refer to.

And FFFFFF00 which is 255.255.255.0 which should be the subnet mask.

Then a whole bunch of garbly-gook that I can't figure out yet.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: DHCP Discover

Post by Cool_Fire » Fri Jul 20, 2012 5:38 am

I'm not sure I understand what you're looking at in that case?

Page 8 and 9 (and p. 27, 28, 36 & 37) should tell you in detail what every bit in a DHCP message is used for and what values to expect. But since you mentioned you studied it at length, I can only assume I'm misunderstanding what you're trying to do. Can you rephrase maybe?

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: DHCP Discover

Post by psilocybin » Fri Jul 20, 2012 9:10 am

let me start by saying that I don't know much about the nitty-gritty of DHCP so you probably know more about this than me, but I've broken up that string according to some uneducated guesses about what each field might be, hopefully my explanation will provide some insight (and hopefully correct insight):

Code:

350102                          //preamble?
3604                            //command delimiter (indicates default gateway?)
0A0ADC01                        //gateway IP
3304                            //command delimiter
FFFFFFFF                        //mask
0104                            //command delimiter (indicates subnet mask?)
FFFFFF00                        //subnet mask
0304                            //command delimiter (indicates default gateway?)
0A0ADC01
0604                            //command delimiter (indicates DNS?)
0A0ADC01
0F09476F6C64656E657965FF00000   //no idea, maybe options etc and EOF, possibly contains a MAC

I guessed that the "04" suffix was a delimiter, with the previous number being an indicator, because that seems to be a pattern. I think a MAC address would be needed at some point, but I assume the MAC is already known for this interaction.

I'm afraid that's all I can really see, unless you want me to comb through the documentation and try to help that way. this is interesting, so it wouldn't be an imposition, but I'm not sure I could do any better than you have.

you could always fiddle around with the fields in each interaction and see what each change affects. might take a while though.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 10:47 am

Hey Cool_Fire,

First, thank you for the responses!!!
I was looking for what psilocybin printed out here, and looking for more help breaking the data down in DHCP Options.

I can break down the entire DHCP packet, and my program prints these results:

Code:

OP Code: 02 (DHCP server reply)
HTYPE: 01
HLEN: 06
HOPS: 00
XID: 3903F326
SECS: 0000
FLAGS: 0000
Client IP Address: 0.0.0.0
Your IP Address: 10.10.220.7
Server IP Address: 0.0.0.0
Gateway IP Address: 0.0.0.0
Client Hardware Address: (Prints my laptop's wifi MAC)
Magic Cookie: 63825363
DHCP Options: 35010236040A0ADC013304AFF684E70104FFFFFF0003040A0ADC0106040A0ADC010F09476F6C64656E657965FF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000

So here, you can see I CAN break down the entire DHCP packet.
Then it's at DHCP Options which is where things get hairy because it can be a variable-length field depending on what the DHCP server sends back.

I've been toying with the values in DHCP Options (of my custom DHCP request packet), so it'll be trial and error.

I know the 35 at the beginning HAS to be there. It's 53 in decimal which is:
53 DHCP Message Type 1 octet

I know there are different message types, and I thought 01, 02, 03, or 04 would go after it. If I put anything after 35 other than 37 (which requests parameters), I either don't get a response from the server, or I get a response with no data back in DHCP Options.
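The "bare minimum" question from earlier in the thread, worked through as an added example (Python, not nebloof's C# program): this builds the UDP payload of a DHCPDISCOVER, i.e. the fixed 236-byte BOOTP header, the magic cookie, then options in code -> length -> value form. Option 53 (message type) is the one a server needs; option 55 asks for mask, router, DNS and domain name. The client MAC is a constructed sample; the payload still has to be sent as a broadcast UDP datagram from port 68 to port 67, the port pairing nebloof had flipped at first.

```python
import os
import struct

BOOTREQUEST, HTYPE_ETHERNET, HLEN_ETHERNET = 1, 1, 6
MAGIC_COOKIE = bytes.fromhex("63825363")       # fixed value that precedes the options
DHCPDISCOVER = 1                               # option 53 value for a discover
BROADCAST_FLAG = 0x8000                        # ask the server to reply by broadcast

def build_dhcp_discover(client_mac, xid=None, param_request=(1, 3, 6, 15)):
    """Return the UDP payload of a DHCPDISCOVER: 236-byte BOOTP header, cookie, options."""
    mac = bytes.fromhex(client_mac.replace(":", "").replace("-", ""))
    if len(mac) != HLEN_ETHERNET:
        raise ValueError(f"client_mac must be 6 bytes, got {len(mac)}")
    xid = os.urandom(4) if xid is None else xid  # transaction id, echoed back by the server
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, HTYPE_ETHERNET, HLEN_ETHERNET, 0,   # op, htype, hlen, hops
                         xid, 0, BROADCAST_FLAG,                           # xid, secs, flags
                         zero4, zero4, zero4, zero4,                       # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)  # chaddr, sname, file
    # Options: code -> length -> value. 53 (message type) is what the server keys on;
    # 55 (parameter request list) is how the client asks for mask/router/DNS/domain.
    options = bytes([53, 1, DHCPDISCOVER])
    if param_request:
        if len(param_request) > 255:
            raise ValueError("parameter request list too long for one option")
        options += bytes([55, len(param_request), *param_request])
    options += bytes([255])                        # end option
    return header + MAGIC_COOKIE + options
```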

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 10:51 am

I should mention that I simply pull the MAC Address of the DHCP Server from the Ethernet Header.

This was no easy program (for me) to write lol. I know I can get a chunk of this information from commands and such, but I thought it would be more interesting to capture a DHCP packet, pull it apart, then examine the contents. I've never done anything like this before in programming, and this is more of a "just to see if I can do it" thing.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 11:04 am

Also, this is what I use to send out a DHCP request. I built the program with the intention of finding DHCP servers on the network. So I broadcast a request to MAC FFFFFFFFFFFF and 255.255.255.255.

Code:

using PacketDotNet; // EthernetPacket, IPv4Packet, EthernetPacketType (ships with SharpPcap)

// define the source MAC address
var srcHwAddr = System.Net.NetworkInformation.PhysicalAddress.Parse(CURRENT_MAC_ADDR);

// define the destination MAC address (Ethernet broadcast)
var destHwAddr = System.Net.NetworkInformation.PhysicalAddress.Parse("FFFFFFFFFFFF");

// create a new Ethernet packet
EthernetPacket ethPacket = new EthernetPacket(srcHwAddr, destHwAddr, EthernetPacketType.IpV4);

// set the source ip address (client has no address yet)
var ipSourceAddress = System.Net.IPAddress.Parse("0.0.0.0");

// set the destination ip address (limited broadcast)
var ipDestinationAddress = System.Net.IPAddress.Parse("255.255.255.255");

// create a new IPv4 packet
var ipPacket = new IPv4Packet(ipSourceAddress, ipDestinationAddress);

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 11:19 am

It seems today is my lucky day to find information.

http://myweb.cableone.net/xnih/download ... r-dhcp.pdf

The section - DHCP Options - The Easy Way has a crap-ton of info.
If I could get the OS running, that would be one of the best things ever.
I knew there was detailed information in DHCP Options, but not this much o_O.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 11:47 am

Well isn't that funtastic.

The last bit in the DHCP Options:
0F09476F6C64656E657965FF

I don't know if 0F and 09 should be literally translated to ASCII, but those would be a SHIFT and TAB

But the best part is the bytes after translate to my Wifi Access Point >_<. And the FF I guess is just EOF or something maybe.

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: DHCP Discover

Post by psilocybin » Fri Jul 20, 2012 9:18 pm

Goldeneye eh?

okay, so the 0F09... 9 is the length of the string, 0F might be just a delimiter for the beginning of a string. the trailing FF00000 then indicates the end of either the string or the entire DHCP options. probably the latter since that seems to be a pascal-style string.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Fri Jul 20, 2012 10:56 pm

Yeah, Goldeneye >_<. I love that movie.

Thank you so much for the help psilocybin.
It would've taken me ages to research and think all of this through.
Though now I need to figure out how I can write code to properly pull the info from DHCP Options, but this is a huge jump-start to that.

This is a program I've literally worked on for months... though off and on. I don't have much time for coding because of my job and this sort of thing mentally drains me when I don't know what I'm doing.

We have a D-Link router, and what I would like to do now, is set up my own Windows server with DHCP and what not, and see what information that returns. I think that'll be the only way to really test things, because I'm curious to see if I really can pull the OS and other information.

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: DHCP Discover

Post by psilocybin » Sat Jul 21, 2012 4:53 am

anytime mang, the problem was interesting and you seemed to have actually done your research and were willing to put in the hours. it's unfortunate how that is true for so few of the people that ask questions here.

nebloof
n00b
Posts: 17
Joined: Wed Jul 11, 2007 2:12 am

Re: DHCP Discover

Post by nebloof » Thu Jul 26, 2012 2:44 pm

So I actually understand DHCP Options now.

It goes DHCP Code -> Length -> Value

This is in the DHCP Options from a test server I set up, running Windows 2008 R2.

3501020104FFFFFF003A04000546003B0400093A803304000A8C003604C0A801010F12636F72702E6E616E6F746563682E636F6D000304C0A8010106087F000001C0A80102FF

35 = The DHCP Code
01 = length (1 octet)
02 = Value
THEN
01 = The DHCP Code
04 = octets
FF FF FF 00 = 4
3A = The DHCP Code
04 = 4 octets
00 05 46 00 = 4
3B = The DHCP Code
04 = 4 octets
...

And so on. So now I can break this down, and I understand how I can customize the DHCP options in the packet I send!
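A parser for that code -> length -> value layout, written as an added example for this thread (Python, not nebloof's program): it walks both option blobs quoted above (the D-Link reply with its trailing zero padding, and the Windows 2008 R2 reply), treats 0 as a one-byte pad and 255 as the end marker, and refuses a length byte that runs past the buffer, which is the check a parser needs before trusting anything a server sends. Option numbers and names are the RFC 2132 ones; the sample bytes are exactly the hex strings posted in the thread.

```python
import struct
from ipaddress import IPv4Address

# Option codes seen in the thread's captures (numbers from RFC 2132).
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_servers", 15: "domain_name",
                51: "lease_time", 53: "message_type", 54: "server_id",
                58: "renewal_t1", 59: "rebinding_t2"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# The two option blobs quoted in the thread: D-Link reply, then Windows 2008 R2 reply.
DLINK_OPTIONS = bytes.fromhex("35010236040A0ADC013304FFFFFFFF0104FFFFFF0003040A0ADC01"
                              "06040A0ADC010F09476F6C64656E657965FF" + "00" * 20)
WIN2008_OPTIONS = bytes.fromhex("3501020104FFFFFF003A04000546003B0400093A803304000A8C00"
                                "3604C0A801010F12636F72702E6E616E6F746563682E636F6D00"
                                "0304C0A8010106087F000001C0A80102FF")

def decode_value(code, value):
    """Decode a raw option value by its code; codes we don't know stay as hex."""
    if code in (1, 3, 6, 54):                   # one or more IPv4 addresses
        if not value or len(value) % 4:
            raise ValueError(f"option {code}: bad address length {len(value)}")
        addrs = [str(IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
        return addrs[0] if code in (1, 54) else addrs
    if code in (51, 58, 59):                    # seconds, 32-bit big-endian
        return struct.unpack("!I", value)[0]    # struct.error if length != 4
    if code == 53:
        return MESSAGE_TYPES.get(value[0], value[0]) if value else None
    if code == 15:                              # some servers NUL-terminate it
        return value.rstrip(b"\x00").decode("ascii", errors="replace")
    return value.hex()

def parse_dhcp_options(data):
    """Walk the code -> length -> value stream; 0 is a 1-byte pad, 255 ends it."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                         # end option: the rest is padding
            return options
        if code == 0:                           # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} at offset {i}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:                # guard against a lying length byte
            raise ValueError(f"option {code} at offset {i}: value truncated")
        options[OPTION_NAMES.get(code, code)] = decode_value(code, value)
        i += 2 + length
    raise ValueError("options field ended without an end (255) option")
```

Note that both captures carry message type 2, and the lease time in the D-Link reply is 0xFFFFFFFF, which is how an "infinite" lease is encoded.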

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: DHCP Discover

Post by psilocybin » Thu Jul 26, 2012 4:53 pm

makes sense.
