Script broadcast-dhcp-discover

Script types: prerule
Categories: broadcast, safe

Script Summary

Sends a DHCP request to the broadcast address ( and reports the results. By default, the script uses a static MAC address (DE:AD:CO:DE:CA:FE) in order to prevent IP pool exhaustion.

The script reads the response using pcap by opening a listening pcap socket on all available ethernet interfaces that are reported up. If no response has been received before the timeout has been reached (default 10 seconds) the script will abort execution.

The script needs to be run as a privileged user, typically root.

See also:

Script Arguments


Set to random or a specific client MAC address in the DHCP request. "DE:AD:C0:DE:CA:FE" is used by default. Setting it to random will possibly cause the DHCP server to reserve a new IP address each time.


time in seconds to wait for a response (default: 10s)


Client identifier to use in DHCP option 61. The value is a string, while hardware type 0, appropriate for FQDNs, is assumed. Example: clientid=kurtz is equivalent to specifying clientid-hex=00:6b:75:72:74:7a (see below).


Client identifier to use in DHCP option 61. The value is a hexadecimal string, where the first octet is the hardware type.

Example Usage

sudo nmap --script broadcast-dhcp-discover

Script Output

| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: wlp1s0
|     IP Offered:
|     DHCP Message Type: DHCPOFFER
|     Server Identifier:
|     IP Address Lease Time: 1 day, 0:00:00
|     Subnet Mask:
|     Router:
|     Domain Name Server:
|_    Domain Name: localdomain



  • Patrik Karlsson

License: Same as Nmap--See