5353/UDP Multicast DNS (mDNS) and DNS-SD
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Multicast DNS (mDNS) enables DNS-like operations within local networks without needing a traditional DNS server. It operates on UDP port 5353 and allows devices to discover each other and their services, commonly seen in various IoT devices. DNS Service Discovery (DNS-SD), often used alongside mDNS, aids in identifying services available on the network through standard DNS queries.
PORT STATE SERVICE
5353/udp open zeroconf
Operation of mDNS
On a network without a DNS server, mDNS lets devices resolve names in the .local domain by querying the multicast address 224.0.0.251 (IPv4) or FF02::FB (IPv6). mDNS records carry a Time-to-Live (TTL) value, and the QU bit in a query distinguishes between unicast and multicast queries. mDNS implementations should verify that a packet's source address is on the local subnet.
Operation of DNS-SD
DNS-SD discovers network services by querying for pointer (PTR) records. Service types follow the pattern _<Service>._tcp or _<Service>._udp within the .local domain, and the corresponding SRV and TXT records provide the service information.
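A receiver-side check for the two points above, as an added example (not code from HackTricks or Pholus): it drops packets whose source address is off the local subnet, then decodes the DNS-SD question and its QU bit. The function names, addresses and sample packet are constructed for illustration, and DNS name compression is not handled.

```python
import ipaddress
import struct

QU_BIT = 0x8000  # top bit of the question class: unicast response requested

# Constructed sample: one PTR question for _ipp._tcp.local with the QU bit set.
SAMPLE_QUERY = (
    b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT=1
    b"\x04_ipp\x04_tcp\x05local\x00"                      # QNAME
    b"\x00\x0c\x80\x01"                                  # QTYPE=PTR (12), QU|IN
)

def read_name(msg, off):
    """Decode an uncompressed DNS name, returning (name, next_offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0 or off + length > len(msg):
            raise ValueError("compressed or truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_questions(msg):
    """Return [(qname, qtype, qclass, wants_unicast)] for each question."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass & 0x7FFF, bool(qclass & QU_BIT)))
    return questions

def inspect_query(src_ip, local_net, msg):
    """Reject packets sourced outside the local subnet, else parse them."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_net):
        return {"accept": False, "questions": []}
    return {"accept": True, "questions": parse_questions(msg)}

if __name__ == "__main__":
    print(inspect_query("192.168.1.23", "192.168.1.0/24", SAMPLE_QUERY))
    print(inspect_query("203.0.113.9", "192.168.1.0/24", SAMPLE_QUERY))
```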
Network Exploration
nmap Usage
The following nmap command scans the local network for mDNS services:
nmap -Pn -sUC -p5353 [target IP address]
Network Enumeration with Pholus
To actively send mDNS requests and capture traffic, the Pholus tool can be utilized as follows:
sudo python3 pholus3.py [network interface] -rq -stimeout 10
Attacks
Exploiting mDNS Probing
An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using:
sudo python pholus.py [network interface] -afre -stimeout 1000
In summary, understanding how mDNS and DNS-SD work matters for network management and security. Tools such as nmap and Pholus give visibility into local network services and the vulnerabilities they may expose.
Spoofing/MitM
Over mDNS it is possible to perform a MitM on the communication between the client and the real server. This can expose sensitive files (MitM the communication with the printer) and credentials (Windows authentication).
For more information, see:
{% content-ref url="../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {% endcontent-ref %}