Wednesday, April 25, 2007

Discovering DHCP Discovery in SMTP25 Shell

Some of my reading, combined with my own experience, led me to put these notes together to walk through the DHCP process. To be honest, the process is explained below in some depth and should clear up a lot of questions. Over the years I have found that understanding how DHCP works is important. I have also included the order in which Windows TCP/IP name resolution happens, so those of you who are familiar with hosts files and WINS may want to read the notes below.

DHCP Discovery

The DHCP lease process on Windows Server 2003 is straightforward and involves four primary steps:

DHCP discover

DHCP lease offer

DHCP lease request (selection)

DHCP lease acknowledgment

Because an IP address is required to communicate with other devices on a TCP/IP network, the DHCP negotiation happens very early in the Windows boot cycle. A device without an IP address cannot talk to any other device on the network. At the time of the lease request the client does not know its own IP address, nor does it know the IP address of the server. The simple steps below describe how a client that has no IP address yet is still able to talk to a DHCP server.

Because the client has no IP address yet, it uses 0.0.0.0 (all bits turned off) as its own source address and 255.255.255.255 (all bits turned on, the limited broadcast address) as the server's address, and sends its request out as a broadcast.

!!! Commercial Break!!!!

Special thanks to Zack Payton, who will always be remembered by me, a man, a good friend who is truly a master of TCP/IP subnetting, and who made me understand the concept. Thanks ZACK (-: I still owe you a cold beer.

The DHCP discover message is sent over UDP from source port 68 (the client port) to destination port 67 (the server port).

UDP (User Datagram Protocol): a connectionless protocol; small, fast and efficient, but with no delivery guarantee, so it is not suited to communication that must be reliable.

TCP (Transmission Control Protocol): a connection-oriented protocol; slower, but reliable. It makes sure every packet eventually gets there by resending any packet that is not acknowledged.

The discover message contains the client's hardware (MAC) address and its NetBIOS name.

Once the first discover message is sent, the client waits 1 second for an offer. If no DHCP server responds within that time, the client repeats its request four more times, at 2-, 4-, 8- and 16-second intervals (plus a random delay of 0 to 1000 milliseconds each time). If the client still gets no response, it falls back to Automatic Private IP Addressing (APIPA) and continues to broadcast discover messages every 5 minutes until it gets an answer. With APIPA, the Windows client automatically picks what it thinks is an unused address from the 169.254.x.y block instead of waiting indefinitely for an answer (keep in mind that the client will still keep trying to locate a DHCP server and lease an address).

DHCP Lease Offer

The offer message is a proposal from the server to the client, and it contains:

  • an IP address,

  • a subnet mask,

  • a lease period (carried on the wire in seconds; the Windows console shows it in days), and

  • the IP address of the DHCP server making the offer.

    The IP address being offered is temporarily reserved so that the server doesn't offer the same address to multiple clients. All offers are sent directly to the requesting client's hardware (MAC) address.

DHCP Lease Selection

Once the client has received at least one offer, the third phase of the DHCP lease process begins. In this phase the client selects one offer from those it received. Windows 2000, XP and Server 2003 typically accept the first offer that arrives (FCFS, first come, first served).

To signal acceptance, the client broadcasts an acceptance message containing the IP address of the server it selected. It has to be a broadcast so that the servers whose offers weren't selected can un-reserve (pull back) the addresses they offered.

DHCP Lease Acknowledgment

Once the chosen DHCP server receives the acceptance message from the client, it marks the selected IP address as leased and sends an acknowledgment message, called a DHCPACK, back to the client. It's also possible that the server sends a negative acknowledgment, or DHCPNACK (DHCPNAK in RFC 2131), to the client.

DHCPNACKs are most often generated when the client is attempting to renew a lease for its old IP address after that address has been reassigned elsewhere. Negative acknowledgment messages can also mean that the requesting client has an IP address that is no longer valid because it physically moved to a different subnet.

The DHCPACK message includes any DHCP options specified by the server along with the IP address and subnet mask. When the client receives this message, it integrates the parameters into the TCP/IP stack, which can then proceed just as though the user had manually given it new configuration parameters.

This four-step process may seem overly complicated, but each step is necessary. The aggregate result of these steps is that one server assigns one address to one client. For example, if each server offering a lease immediately assigned an IP address to a requesting workstation, there would soon be no addresses left to assign. Likewise, if the DHCP client controlled whether it accepted or rejected the lease (instead of waiting for a DHCPACK or DHCPNACK message), a slow client could cause the server to mark an assigned address as free and assign it somewhere else, leaving two clients with the same address.
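As an added example (not code from the original post), here is the four-step exchange in Python: it builds the DHCPDISCOVER and DHCPREQUEST the client sends, parses the DHCPOFFER and DHCPACK/DHCPNAK the server sends back, and applies the rules described above (the first valid offer wins, the REQUEST names the chosen server, a NAK forces a restart). The MAC address, transaction id and 192.0.2.x addresses are constructed test values, and the packets are built in memory rather than put on the wire.

```python
"""DHCP (RFC 2131) message encoder/decoder plus the four-step client exchange
described above. Added example; the packets it handles are constructed in
code, so it runs offline without touching a real network."""
import socket
import struct

MAGIC = bytes([99, 130, 83, 99])         # "magic cookie" that opens the options field
BOOTREQUEST, BOOTREPLY = 1, 2            # op field: client -> server, server -> client
CLIENT_PORT, SERVER_PORT = 68, 67        # client sends 68 -> 67; server replies 67 -> 68
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
OPT_MASK, OPT_HOSTNAME, OPT_REQ_IP, OPT_LEASE = 1, 12, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAMS, OPT_END = 53, 54, 55, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"       # the fixed 236-byte header


def encode(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Serialize one DHCP message. ciaddr stays 0.0.0.0 because the client has
    no address yet; flags=0x8000 asks the server to broadcast its reply."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,
                      socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                      socket.inet_aton(siaddr), socket.inet_aton("0.0.0.0"),
                      chaddr, b"", b"")
    body = bytearray(MAGIC)
    for code, value in options.items():       # options are code, length, value
        if len(value) > 255:
            raise ValueError(f"option {code} too long")
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return hdr + bytes(body)


def decode(pkt):
    """Parse a DHCP message, refusing anything truncated or cookie-less."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                        # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    if OPT_MSG_TYPE not in opts:
        raise ValueError("option 53 (message type) missing")
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "type": opts[OPT_MSG_TYPE][0], "options": opts}


def build_discover(xid, mac, hostname):
    """Step 1: DHCPDISCOVER, broadcast from 0.0.0.0:68 to 255.255.255.255:67,
    carrying the MAC address (chaddr) and the host name (option 12)."""
    return encode(BOOTREQUEST, xid, mac, {
        OPT_MSG_TYPE: bytes([DISCOVER]),
        OPT_HOSTNAME: hostname.encode(),
        OPT_PARAMS: bytes([OPT_MASK, 3, 6]),   # ask for mask, router (3), DNS (6)
    })


def select_offer(xid, mac, offers):
    """Steps 2-3: take the first offer that answers our transaction id and is
    addressed to our MAC (first come, first served, as Windows does)."""
    for raw in offers:
        m = decode(raw)
        if (m["op"] == BOOTREPLY and m["type"] == OFFER and m["xid"] == xid
                and m["chaddr"] == mac and m["yiaddr"] != "0.0.0.0"
                and OPT_SERVER_ID in m["options"]):
            return m
    return None


def build_request(xid, mac, offer):
    """Step 3: DHCPREQUEST, still broadcast, naming the chosen server (option 54)
    so the servers that were not selected can release their reserved addresses."""
    return encode(BOOTREQUEST, xid, mac, {
        OPT_MSG_TYPE: bytes([REQUEST]),
        OPT_REQ_IP: socket.inet_aton(offer["yiaddr"]),
        OPT_SERVER_ID: offer["options"][OPT_SERVER_ID],
    })


def handle_reply(xid, raw):
    """Step 4: DHCPACK binds the address; DHCPNAK means drop it and start over
    with a fresh DHCPDISCOVER. Replies for another transaction are ignored."""
    m = decode(raw)
    if m["xid"] != xid or m["op"] != BOOTREPLY:
        return ("ignore", None, 0)
    if m["type"] == NAK:
        return ("restart", None, 0)
    if m["type"] == ACK and OPT_LEASE in m["options"]:
        lease = struct.unpack("!I", m["options"][OPT_LEASE])[0]
        return ("bound", m["yiaddr"], lease)
    return ("ignore", None, 0)
```

To drive a real exchange, `build_discover` would be sent from a UDP socket bound to port 68 with `SO_BROADCAST` set, to 255.255.255.255:67, and the raw datagrams received would be fed to `select_offer` and `handle_reply`; the transaction id check in both is what stops a stray or stale reply from another client's exchange being accepted.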

DHCP Lease Renewal

What happens when the lease expires or needs to be renewed? No matter how long the lease period is, the client sends a new lease request message to the DHCP server when the lease period is half over. If the server hears the request and there's no reason to reject it, it sends a DHCPACK to the client. This resets the lease period, just as signing a renewal rider on a car lease does.

If the DHCP server isn't available, the client realizes that the lease can't be renewed. The client can then keep using the address for the rest of the lease period; once 87.5 percent of the lease period has elapsed, the client sends out another renewal request, this time as a broadcast, so that any DHCP server that hears it can respond with a DHCPACK and renew the lease. Any time the client gets a DHCPNACK message, it must stop using its IP address immediately and start the leasing process over from the beginning by requesting a brand-new lease.

When a client initializes TCP/IP, it always attempts to renew its old address. Just as with any other renewal, if the client has time left on the lease, it continues to use the lease until the end. If the client is unable to get a new lease by then, all TCP/IP functions stop until a new, valid address can be obtained.
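The renewal rules above as a small decision function, added here as an example (not Windows' implementation): at half the lease the client unicasts its renewal to the server that granted the lease, at 87.5 percent it broadcasts so any server can answer (RFC 2131 calls these points T1 and T2), an ACK restarts the clock, and a NAK or expiry drops the address at once. The addresses and the 8-day lease are constructed values.

```python
"""Lease timer rules from the renewal section above. Added example; times are
seconds on an arbitrary clock, addresses are constructed."""
from dataclasses import dataclass

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Lease:
    address: str      # address we were given (yiaddr)
    server: str       # server identifier (option 54) from the DHCPACK
    start: float      # when the DHCPACK arrived, in seconds
    duration: float   # lease length in seconds (option 51)

    @property
    def t1(self):     # renewal time: half of the lease
        return self.start + 0.5 * self.duration

    @property
    def t2(self):     # rebinding time: 87.5 percent of the lease
        return self.start + 0.875 * self.duration

    @property
    def expiry(self):
        return self.start + self.duration


def next_action(lease, now, nak_received=False):
    """Return (state, action, destination) for time `now`.

    A DHCPNAK overrides every timer: the address must be dropped immediately
    and the client starts over with a DHCPDISCOVER."""
    if nak_received:
        return ("INIT", "stop using address, send DHCPDISCOVER", BROADCAST)
    if now >= lease.expiry:
        return ("INIT", "lease expired: stop TCP/IP, send DHCPDISCOVER", BROADCAST)
    if now >= lease.t2:
        return ("REBINDING", "broadcast DHCPREQUEST to any server", BROADCAST)
    if now >= lease.t1:
        return ("RENEWING", "unicast DHCPREQUEST to leasing server", lease.server)
    return ("BOUND", "keep using address", None)


def apply_ack(lease, now, duration=None):
    """A DHCPACK resets the clock: the lease starts over from `now`, with the
    same length unless the server handed out a new one."""
    return Lease(lease.address, lease.server, now,
                 lease.duration if duration is None else duration)
```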

Best Regards



Miguel said...

Thanks again for the info Oz, it's always good to learn from you. All the information on this blog is very helpful. Thanks again. Miguel, MCP

Anonymous said...

Yo, my man!
Thanks for the shoutout ;)
Much appreciated.
I think this would be a good spot to add some other tips and tricks.
Since the title is telnet25, let's talk about what you can do if you telnet to an SMTP server and how to send emails by hand. Back in the day, when there were open relays everywhere, you could spoof emails from anyone, but this doesn't work these days as most SMTP servers implement reverse lookups on source IP addresses to ensure that you are a DNS-registered MX record IP address. This works if the MX record doesn't have reverse DNS set up.

On with the show.

Lets say we wanted to send someone who had a gmail address an email from an email address we didn't own.

We could telnet to on port 25, and as long as you know how to speak the SMTP language you can send email through telnet.

bash$ telnet 25
220 ESMTP Symantec Mail Security

First, the gmail SMTP server has introduced itself to us as . There is also a little banner to give us a bit more information about what type of mail server it is... in this case we can see that gmail is using a Symantec Mail Security proxy. This will prevent us from doing mean things, but we can still do normal things like send email.

So, since the server was so polite, let's say hi back.



It should respond back with:

Ok, now we have to say where we want to send email from.
The smtp command is as follows:
mail from: < insert email here >

mail from:

You should get another 250 response indicating it took your command.
Not just any email will work, however, as a lot of domains have reverse DNS configured on the MX record, and many servers will reject connections from IP addresses that don't match the IP address of the MX record of the domain they are sending an email from.

Next we tell the server where we want to send email to. Note that unless it is an open relay (which would be very good for spammers), we can only send email to addresses that belong to the domain for which the mail server is configured... in this case gmail or google.

So the command to specify the email recipient is:
rcpt to: < insert gmail address here >

so we type:
rcpt to:

Next it's time to send the message.
and hit enter
If you want a subject type:
subject: whaddup suckas!

and hit enter twice
Then you can start to type your message.

Note that the email server even supports the backspace key, so if you mess up... just fix your message.

When you are done and the message is to your liking, just hit enter
and then put a period on a line by itself...
This will queue the message for transmission if you did everything right.

This is nice for testing mail servers without having to go through the hassle of configuring sendmail/pine/mutt/outlook/whatever...

As I was writing this I found a nice writeup that is a lot more detailed at

A complete session would look something like this:

220 ESMTP Symantec Mail Security
mail from:
250 Ok
rcpt to:
250 Ok
354 End data with <CR><LF>.<CR><LF>
subject: just a spoofed email test

I'm hot cuz your not!
Hack non stop!
250 Ok: queued as 6A8F34DC011

Mind you though, your IP address will be included in the mail header so don't try to do some fraudulent shit here... ;)

Holla back atcha!
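The same SMTP dialogue as the comment above, driven from Python instead of typed into telnet. This is an added example, not part of the original post or the commenter's session: the server side is a constructed stand-in that answers the way a mail server which only accepts mail for its own domain would, so the whole exchange (both sides' messages) replays offline. The host and address names are made up. Beyond what the comment shows, it checks every reply code, stops on a 554 relay refusal, and dot-stuffs the body so that a line containing only "." cannot end DATA early.

```python
"""Hand-driven SMTP session (HELO, MAIL FROM, RCPT TO, DATA, QUIT) against a
constructed server transcript. Added example; no real mail server is used."""
import socket


class SmtpError(Exception):
    pass


class ScriptedServer:
    """Constructed stand-in for an SMTP server: records what the client sent,
    queues the replies a real server would give, and refuses to relay."""

    def __init__(self, local_domain):
        self.local_domain = local_domain.lower()
        self.sent = []                 # everything the client transmitted
        self.in_data = False
        self.replies = [b"220 mx.example.test ESMTP constructed\r\n"]

    def sendall(self, data):
        text = data.decode()
        self.sent.append(text)
        if self.in_data:               # message body, ends with CRLF.CRLF
            if text.endswith("\r\n.\r\n"):
                self.in_data = False
                self.replies.append(b"250 Ok: queued as CONSTRUCTED01\r\n")
            return
        verb = text.split(":")[0].split(" ")[0].upper().rstrip()
        if verb in ("HELO", "EHLO"):
            self.replies.append(b"250 mx.example.test\r\n")
        elif verb == "MAIL":
            self.replies.append(b"250 Ok\r\n")
        elif verb == "RCPT":
            rcpt = text.split(":", 1)[1].strip().strip("<>").lower()
            if rcpt.endswith("@" + self.local_domain):
                self.replies.append(b"250 Ok\r\n")
            else:                      # not an open relay
                self.replies.append(b"554 5.7.1 Relay access denied\r\n")
        elif verb == "DATA":
            self.in_data = True
            self.replies.append(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif verb == "QUIT":
            self.replies.append(b"221 Bye\r\n")
        else:
            self.replies.append(b"500 Syntax error, command unrecognized\r\n")

    def readline(self):
        return self.replies.pop(0)


class SocketConn:
    """Adapter giving a real TCP socket the same readline/sendall surface."""
    def __init__(self, sock):
        self.sock, self.reader = sock, sock.makefile("rb")
    def readline(self):
        return self.reader.readline()
    def sendall(self, data):
        self.sock.sendall(data)


def expect(conn, *codes):
    """Read one reply (skipping '250-...' continuation lines) and check its
    three-digit code against the codes the client is willing to accept."""
    while True:
        line = conn.readline().decode(errors="replace").rstrip("\r\n")
        if not line[:3].isdigit():
            raise SmtpError(f"garbled reply: {line!r}")
        if line[3:4] != "-":
            break
    if line[:3] not in codes:
        raise SmtpError(f"expected {'/'.join(codes)}, got {line!r}")
    return line


def dot_stuff(body):
    """A body line that is just '.' would end DATA early, so every line that
    starts with '.' gets a second '.' in front (the server strips it again)."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def send_by_hand(conn, helo_name, mail_from, rcpt_to, subject, body):
    """Run the sequence typed into telnet above and return the server's queue
    line. Any unexpected code (e.g. 554 relay denied) raises SmtpError."""
    expect(conn, "220")
    conn.sendall(f"HELO {helo_name}\r\n".encode())
    expect(conn, "250")
    conn.sendall(f"MAIL FROM:<{mail_from}>\r\n".encode())
    expect(conn, "250")
    conn.sendall(f"RCPT TO:<{rcpt_to}>\r\n".encode())
    expect(conn, "250")
    conn.sendall(b"DATA\r\n")
    expect(conn, "354")
    message = (f"From: <{mail_from}>\r\nTo: <{rcpt_to}>\r\n"
               f"Subject: {subject}\r\n\r\n{dot_stuff(body)}")
    conn.sendall(message.encode() + b"\r\n.\r\n")   # CRLF.CRLF ends DATA
    queued = expect(conn, "250")
    conn.sendall(b"QUIT\r\n")
    expect(conn, "221")
    return queued
```

Against the constructed server: `send_by_hand(ScriptedServer("example.test"), "client.test", "someone@spoofed.test", "user@example.test", "test", "hello")`. Against a real host you would pass `SocketConn(socket.create_connection((host, 25)))` instead; `expect` then raises on the first reply the server refuses, which is exactly where a hand-typed session would show you the error code.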

Anonymous said...

BTW, in regard to my last comment: you can use these same tricks on almost any text-based service, such as SMTP, IMAP, POP3 and many others.


Oz Ozugurlu said...

Thanks a lot for coming and sharing your knowledge with us
Wishing you the best