node-dhcp is an RFC-compliant DHCP client and server implementation on top of node.js.
A DHCP server can be used to configure the entire local network. Typical parameters that can be organized with a DHCP server are IP addresses, gateways / routers, DNS servers and a lot more. DHCP is quite old and well-established solutions are on the market, both commercial and open source, so why a new implementation?
I was searching for a minimalistic DHCP server, which is robust and highly configurable. The first problem I had was: I wanted to deliver an IP address to a Raspberry PI without static configuration right out of my Macbook. However, Apple made it almost impossible to configure the onboard DHCP-server with newer versions of OSX.
In times of home automation and IoT, I was thinking of a solution which can trigger something when I come home. DHCP is a good idea here, since any device will broadcast to the network as soon as it connects. So why not play the Imperial March when you come back home?
Another problem I had was that I wanted to query DHCP servers without actually changing the local configuration.
These problems were the trigger to start reading the RFCs, and the protocol is really not that complicated. As such, this project was born.
Remark: By nature, network services are quite complex, so please test, test, test!
When installed globally, node-dhcp provides two executables, a client dhcp and a server dhcpd. The client simply retrieves network configuration from a DHCP server and prints the configuration after a complete handshake. All additional fields (defined in lib/options.js) can be specified as a list of arguments:
# sudo dhcp hostname [--mac 12:23:34:45:56:67]
output:
netmask : 255.255.255.0
router : 192.168.1.1
dns : 8.8.8.8, 8.8.4.4
server : 192.168.1.1
hostname : web392
On the other hand, the server can be used to provide the data:
sudo dhcpd --range 192.168.1.2-192.168.1.99 --hostname web392 --server 192.168.1.1 --router 192.168.1.1
All available options can be found in lib/options.js. The more powerful interface, however, is the JavaScript API.
var dhcp = require('dhcp');

var s = dhcp.createServer({
  // System settings
  range: [
    "192.168.3.10", "192.168.3.99"
  ],
  // Fixed MAC -> IP bindings
  static: {
    "11:22:33:44:55:66": "192.168.3.100"
  },

  // Option settings (there are MUCH more)
  netmask: '255.255.255.0',
  router: [
    '192.168.0.1'
  ],
  // A directive can be a function that is evaluated per request
  bootFile: function (req) {
    if (req.clientId === 'foo bar') {
      return 'x86linux.0';
    } else {
      return 'x64linux.0';
    }
  }
});

s.listen();
Any config directive can be a function, as illustrated with the bootFile directive for PXE boot. This way you get a fully programmable DHCP server.
var dhcp = require('dhcp');

var s = dhcp.createClient();

s.on('bound', function (state) {
  console.log("State: ", state);

  // Configure your host system, based on the current state:
  // `ip address add IP/MASK dev eth0`
  // `echo HOSTNAME > /etc/hostname && hostname HOSTNAME`
  // `ip route add default via 192.168.1.254`
  // `sysctl -w net.inet.ip.forwarding=1`
});

s.listen();

s.sendDiscover();
For research purposes it's also possible to just get triggered when broadcast events occur. This way you can implement your own DHCP server. It's also possible to just listen to the traffic on the network without answering. This can be used to automate something when a device enters the network (you come back home from work and your mobile phone joins the Wi-Fi) or to spot malicious DHCP servers on the network:
var dhcp = require('dhcp');

var s = dhcp.createBroadcastHandler();

s.on('message', function (data) {
  // Option 53 carries the DHCP message type
  if (data.options[53] === dhcp.DHCPDISCOVER) {
    if (data.chaddr === '12-34-56-78-90-AB') {
      console.log('Welcome home!');
    }
  }
});

s.listen();
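Spotting an unexpected DHCP server, as mentioned above, comes down to checking who answers. The following is an added example, not part of node-dhcp: it assumes parsed messages expose the server identifier as options[54] (a dotted-quad string) and that 192.168.1.1 is the only authorized server; checkMessage, scan and the sample messages are hypothetical.

```javascript
'use strict';

// DHCP message types (option 53) that only a server sends (RFC 2132).
const SERVER_REPLIES = { 2: 'DHCPOFFER', 5: 'DHCPACK', 6: 'DHCPNAK' };

// Assumption: server identifiers (option 54) of the DHCP servers you run.
const AUTHORIZED_SERVERS = new Set(['192.168.1.1']);

// Returns an alert object for a server reply that does not come from an
// authorized server, or null for everything else. `msg` uses the shape shown
// on this page (msg.options[53], msg.chaddr); option 54 as a dotted-quad
// string is an assumption about the parsed message.
function checkMessage(msg, authorized = AUTHORIZED_SERVERS) {
  const options = msg.options || {};
  const type = SERVER_REPLIES[options[53]];
  if (!type) return null; // client traffic (DISCOVER, REQUEST, ...)

  const server = options[54];
  if (server !== undefined && authorized.has(server)) return null;

  return {
    reason: server === undefined ? 'reply without server identifier'
                                 : 'unauthorized DHCP server',
    type: type,
    server: server,
    client: msg.chaddr,
    // What the unknown server handed out: gateway (3) and DNS (6).
    router: options[3],
    dns: options[6]
  };
}

// Constructed sample messages, not captured traffic.
const SAMPLE_MESSAGES = [
  { chaddr: '12-34-56-78-90-AB', options: { 53: 1 } },
  { chaddr: '12-34-56-78-90-AB',
    options: { 53: 2, 54: '192.168.1.1', 3: ['192.168.1.1'] } },
  { chaddr: '12-34-56-78-90-AB',
    options: { 53: 2, 54: '192.168.1.66', 3: ['192.168.1.66'], 6: ['192.168.1.66'] } }
];

// Runs checkMessage over a list of messages and keeps only the alerts.
function scan(messages, authorized) {
  return messages.map(function (m) { return checkMessage(m, authorized); })
                 .filter(Boolean);
}

// With the broadcast handler above: s.on('message', function (data) {
//   var alert = checkMessage(data); if (alert) console.warn(alert); });
console.log(scan(SAMPLE_MESSAGES));
```

A passive listener only sees replies sent to the broadcast address, so offers that a server unicasts to a client are not visible from another host.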
Installing node-dhcp is as easy as cloning this repo or using npmjs:
npm install dhcp
If the command line tools dhcp and dhcpd shall be installed, npmjs can be used as well:
npm install dhcp -g
Besides options listed in the lib/options.js file (with the config key), a few global options can be used:
range: Two element array, representing the IP range the server operates on
forceOptions: Array of options that are forced to be sent
static: A static IP binding object of the form mac -> ip
node-dhcp does not yet set timers on the client to periodically send RENEW or REBIND messages. If you need this feature, please file a bug ticket.
Since the programs need to bind to ports 67 and 68, root privileges are required. If you want to use dhcp and dhcpd without root privileges, change the port to something above 1024.
A broadcast is typically not spread across all interfaces. In order to route the broadcast to a specific interface, you can reroute 255.255.255.255.
route add -host 255.255.255.255 dev eth0
sudo route add -host 255.255.255.255 -interface en4
If you plan to enhance the library, make sure you add test cases and all the previous tests are passing. You can test the library with
npm test
Copyright (c) 2017, Robert Eisele. Dual licensed under the MIT or GPL Version 2 licenses.
FAQs
A DHCP server written in JavaScript
The npm package dhcp receives a total of 131 weekly downloads. As such, dhcp popularity was classified as not popular.
We found that dhcp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.