# 5353/UDP Multicast DNS (mDNS) and DNS-SD
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
## **Basic Information**
**Multicast DNS (mDNS)** enables **DNS-like operations** within local networks without needing a traditional DNS server. It operates on **UDP port 5353** and allows devices to discover each other and their services, commonly seen in various IoT devices. **DNS Service Discovery (DNS-SD)**, often used alongside mDNS, aids in identifying services available on the network through standard DNS queries.
```
PORT STATE SERVICE
5353/udp open zeroconf
```
### **Operation of mDNS**
In environments without a standard DNS server, mDNS allows devices to resolve domain names ending in **.local** by querying the multicast address **224.0.0.251** (IPv4) or **FF02::FB** (IPv6). Important aspects of mDNS include a **Time-to-Live (TTL)** value indicating how long a record stays valid and a **QU bit** in queries that asks responders to reply by unicast instead of multicast. Security-wise, it's crucial for mDNS implementations to verify that the packet's source address belongs to the local subnet and to discard packets that arrive from off-link addresses.
### **Functioning of DNS-SD**
DNS-SD facilitates the discovery of network services by querying for pointer records (PTR) that map service types to their instances. Services are identified using a **_\<Service>.\_tcp or \_\<Service>.\_udp** pattern within the **.local** domain, leading to the discovery of corresponding **SRV** and **TXT records** which provide detailed service information.
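As an added example (not part of the HackTricks page or of any tool it mentions) covering both the QU bit, TTL and source-address points above and the PTR to SRV/TXT chain just described: a small parser for an mDNS response that applies the on-link source check and walks the DNS-SD records. The packet, the 192.168.1.0/24 subnet and the printer names are constructed values.

```python
import ipaddress, struct
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed local link (constructed value)

def enc(name):  # dotted name -> DNS wire labels (no compression)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(pkt, off):  # decode a name at off, following RFC 1035 compression pointers
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # 2-byte pointer: jump, remember where we ended
            end, off = end or off + 2, ((ln & 0x3F) << 8) | pkt[off + 1]
        elif ln == 0:
            return ".".join(labels), end or off + 1
        else:
            labels.append(pkt[off + 1:off + 1 + ln].decode()); off += 1 + ln

def parse_mdns(pkt, src_ip, subnet=LOCAL_SUBNET):
    if ipaddress.ip_address(src_ip) not in subnet:   # source-address check (RFC 6762 s.11): drop off-link packets
        return None
    _, flags, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    off, qs, ans = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4]); off += 4
        qs.append({"name": name, "type": qtype, "qu": bool(qclass & 0x8000)})  # QU = top bit of class
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        rd = data = pkt[off:off + rdlen]
        if rtype == 12:                              # PTR: service type -> instance name
            data = read_name(pkt, off)[0]
        elif rtype == 33:                            # SRV: (port, target host)
            data = (struct.unpack("!H", rd[4:6])[0], read_name(pkt, off + 6)[0])
        elif rtype == 16:                            # TXT: length-prefixed key=value strings
            data, i = [], 0
            while i < rdlen:
                data.append(rd[i + 1:i + 1 + rd[i]].decode()); i += 1 + rd[i]
        ans.append({"name": name, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & 0x8000), "data": data})
        off += rdlen
    return {"response": bool(flags & 0x8000), "questions": qs, "answers": ans}

def rr(name, rtype, ttl, rdata, flush=False):  # build one record; cache-flush is the top bit of class
    return enc(name) + struct.pack("!HHIH", rtype, 0x8001 if flush else 1, ttl, len(rdata)) + rdata
# Constructed sample (not a real capture): a printer answering a QU query for _ipp._tcp.local
SAMPLE = (struct.pack("!6H", 0, 0x8400, 1, 3, 0, 0) + enc("_ipp._tcp.local") + struct.pack("!HH", 12, 0x8001)
          + rr("_ipp._tcp.local", 12, 4500, enc("Printer._ipp._tcp.local"))
          + rr("Printer._ipp._tcp.local", 33, 120, struct.pack("!HHH", 0, 0, 631) + enc("printer.local"), True)
          + rr("Printer._ipp._tcp.local", 16, 4500, b"\x09txtvers=1\x0crp=ipp/print", True))
```

Calling `parse_mdns(SAMPLE, "192.168.1.20")` yields the QU question, the PTR pointing at the instance, the SRV with port 631 and host, and the TXT key/value list; the same packet from `10.0.0.5` is discarded.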
### **Network Exploration**
#### **nmap Usage**
A useful command for scanning the local network for mDNS services is:

```bash
nmap -Pn -sUC -p5353 [target IP address]
```

This command helps identify open mDNS ports and the services advertised over them: `-sU` runs a UDP scan and `-C` runs the default NSE scripts, which include `dns-service-discovery` to list the DNS-SD service instances a responder announces.
#### **Network Enumeration with Pholus**
To actively send mDNS requests and capture traffic, the **Pholus** tool can be utilized as follows:

```bash
sudo python3 pholus3.py [network interface] -rq -stimeout 10
```

## Attacks
### **Exploiting mDNS Probing**
An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using:

```bash
sudo python pholus.py [network interface] -afre -stimeout 1000
```

This technique effectively blocks new devices from registering their services on the network.

**In summary**, understanding the workings of mDNS and DNS-SD is crucial for network management and security. Tools like **nmap** and **Pholus** offer valuable insights into local network services, while awareness of potential vulnerabilities helps in safeguarding against attacks.
### Spoofing/MitM
The most interesting attack you can perform over this service is a **MitM** of the **communication between the client and the real server**. You might be able to obtain sensitive files (by intercepting the communication with a printer) or even credentials (Windows authentication).\
For more information check:
{% content-ref url="../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}