When a computer is connected to most enterprise networks with the Dynamic Host Configuration Protocol (DHCP) enabled, DHCP assigns the computer an IP address and sends a large amount of information along with it. The name server (DNS) and the domain name are usually set through the DHCP Offer packet.
On Unix-like systems, the /etc/resolv.conf file stores the information used for name-resolution operations once the DHCP Offer has been received.
These packets can be parsed easily with the nmap tool and its broadcast-dhcp-discover.nse script:
nmap --script broadcast-dhcp-discover
┌──(root㉿kali)-[~]
└─# nmap --script broadcast-dhcp-discover
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-09 12:00 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
| Response 1 of 1:
| Interface: eth0
| IP Offered: 192.168.8.25
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.8.254
| IP Address Lease Time: 30m00s
| Subnet Mask: 255.255.255.0
| Router: 192.168.8.2
| Domain Name Server: 192.168.8.2
| Domain Name: localdomain
| Broadcast Address: 192.168.8.255
| NetBIOS Name Server: 192.168.8.2
| Renewal Time Value: 15m00s
|_ Rebinding Time Value: 26m15s
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.54 seconds
┌──(root㉿kali)-[~]
└─# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.8.2
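As an added example (not code from the original page, from nmap or from its NSE script), the following Python parses a raw DHCP message the way broadcast-dhcp-discover does: it reads the BOOTP header and then the option TLVs that carry the DNS server, domain name and lease timers shown in the output above. So that it runs offline, it also builds a constructed DHCPOFFER carrying the same values as that output; the option table and helper names are assumptions of this example, and a real capture would supply the UDP payload of a packet from port 67 instead.

```python
import socket
import struct
# DHCP option codes (RFC 2132) matching the fields nmap printed above
OPTIONS = {1: ("Subnet Mask", "ip"), 3: ("Router", "ip"), 6: ("Domain Name Server", "ip"),
           15: ("Domain Name", "str"), 28: ("Broadcast Address", "ip"),
           44: ("NetBIOS Name Server", "ip"), 51: ("IP Address Lease Time", "secs"),
           53: ("DHCP Message Type", "msgtype"), 54: ("Server Identifier", "ip"),
           58: ("Renewal Time Value", "secs"), 59: ("Rebinding Time Value", "secs")}
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # fixed value that precedes the options field

def _decode(kind, data):
    if kind == "ip":  # address options may carry several addresses back to back
        return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]
    if kind == "secs":
        return struct.unpack("!I", data)[0]
    if kind == "msgtype":
        return MSG_TYPES.get(data[0], "unknown(%d)" % data[0])
    return data.decode("ascii", "replace")

def parse_dhcp(packet):
    """Parse the BOOTP header and option TLVs of a raw DHCP message (the UDP payload)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    fields = {"IP Offered": socket.inet_ntoa(packet[16:20])}  # yiaddr field
    i = 240
    while i < len(packet) and packet[i] != 255:  # option 255 ends the list
        if packet[i] == 0:  # option 0 is a pad byte with no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        if code in OPTIONS:
            name, kind = OPTIONS[code]
            fields[name] = _decode(kind, data)
        i += 2 + length
    return fields

def build_sample_offer():
    """Constructed DHCPOFFER carrying the same values as the nmap output above (not a capture)."""
    hdr = bytearray(236)
    hdr[0:3] = b"\x02\x01\x06"  # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[16:20] = socket.inet_aton("192.168.8.25")  # yiaddr: the address being offered
    opt, ip = (lambda code, data: bytes([code, len(data)]) + data), socket.inet_aton
    opts = (opt(53, b"\x02") + opt(54, ip("192.168.8.254")) + opt(51, struct.pack("!I", 1800))
            + opt(1, ip("255.255.255.0")) + opt(3, ip("192.168.8.2")) + opt(6, ip("192.168.8.2"))
            + opt(15, b"localdomain") + opt(28, ip("192.168.8.255")) + opt(44, ip("192.168.8.2"))
            + opt(58, struct.pack("!I", 900)) + opt(59, struct.pack("!I", 1575)))
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"
```

Comparing the parsed "Domain Name Server" and "Domain Name" against the contents of /etc/resolv.conf is a quick way to confirm that a host's resolver settings really came from the expected DHCP server.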
In many cases the network deploys MAC address filtering, static IP assignment, VLANs, other network access control (NAC) mechanisms, or 802.1x authentication, and these measures may prevent the tester from obtaining the information above. In that scenario, Wireshark can be used to manually inspect the broadcast and multicast packets traversing the network and find valuable information that helps to bypass these defences.