When you want to discover a LAN's metadata (network address range, gateway, DNS IPs, DHCP server IPs, etc.) without being part of that network, this simple nmap parameter helps a great deal.
```
# nmap --script broadcast-dhcp-discover
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-19 15:07 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.127
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Renewal Time Value: 4d00h00m00s
|     Rebinding Time Value: 7d00h00m00s
|     IP Address Lease Time: 8d00h00m00s
|     Server Identifier: 192.168.1.1
|     Router: 192.168.1.1
|_    Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 seconds
```
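The same script output can be checked on a schedule to spot a rogue DHCP server on your own segment. The following is an added example, not part of the original post: it parses the `broadcast-dhcp-discover` response blocks and flags offers whose server or DNS entries are not on an allowlist. The second response in the sample and the allowlist values are constructed assumptions.

```python
import re

# Constructed sample: the response shown above plus a made-up second offer.
SAMPLE = """\
| broadcast-dhcp-discover:
|   Response 1 of 2:
|     IP Offered: 192.168.1.127
|     Server Identifier: 192.168.1.1
|     Router: 192.168.1.1
|     Domain Name Server: 8.8.8.8, 8.8.4.4
|   Response 2 of 2:
|     IP Offered: 192.168.1.201
|     Server Identifier: 192.168.1.66
|     Router: 192.168.1.66
|_    Domain Name Server: 192.168.1.66
"""

def parse_offers(text):
    """Return one dict per 'Response N of M' block in the script output."""
    offers = []
    for line in text.splitlines():
        m = re.match(r"^\|_?\s*(.+?):\s*(.*)$", line)
        if not m:
            continue  # banner, warning and summary lines carry no fields
        key, value = m.group(1), m.group(2).strip()
        if key.startswith("Response "):
            offers.append({})
        elif offers and value:
            offers[-1][key] = value
    return offers

def audit(offers, allowed_servers, allowed_dns):
    """Return (server, reason) pairs for offers that deviate from the allowlists."""
    findings = []
    for offer in offers:
        server = offer.get("Server Identifier", "unknown")
        if server not in allowed_servers:
            findings.append((server, "unauthorised DHCP server"))
        dns = {d.strip() for d in offer.get("Domain Name Server", "").split(",")}
        extra = sorted(dns - allowed_dns - {""})
        if extra:
            findings.append((server, "unexpected DNS: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    # Assumed policy: the server and resolvers from the page's own output.
    for server, reason in audit(parse_offers(SAMPLE), {"192.168.1.1"}, {"8.8.8.8", "8.8.4.4"}):
        print(f"{server}: {reason}")
```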