hacktricks/network-services-pentesting/5353-udp-multicast-dns-mdns.md
Carlos Polop dc1a2bea04 b
2024-07-19 01:16:27 +02:00

5.6 KiB

5353/UDP Multicast DNS (mDNS) and DNS-SD

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

Multicast DNS (mDNS) enables DNS-like operations within local networks without needing a traditional DNS server. It operates on UDP port 5353 and allows devices to discover each other and their services, commonly seen in various IoT devices. DNS Service Discovery (DNS-SD), often used alongside mDNS, aids in identifying services available on the network through standard DNS queries.

PORT     STATE SERVICE
5353/udp open  zeroconf

Operation of mDNS

In environments without a standard DNS server, mDNS allows devices to resolve domain names ending in .local by querying the multicast address 224.0.0.251 (IPv4) or FF02::FB (IPv6). Important aspects of mDNS include a Time-to-Live (TTL) value indicating record validity and a QU bit distinguishing between unicast and multicast queries. Security-wise, it's crucial for mDNS implementations to verify that the packet's source address aligns with the local subnet.

Functioning of DNS-SD

DNS-SD facilitates the discovery of network services by querying for pointer records (PTR) that map service types to their instances. Services are identified using a _<Service>._tcp or _<Service>._udp pattern within the .local domain, leading to the discovery of corresponding SRV and TXT records which provide detailed service information.

Network Exploration

nmap Usage

A useful command for scanning the local network for mDNS services is:

nmap -Pn -sUC -p5353 [target IP address]

This command helps identify open mDNS ports and the services advertised over them.

Network Enumeration with Pholus

To actively send mDNS requests and capture traffic, the Pholus tool can be utilized as follows:

sudo python3 pholus3.py [network interface] -rq -stimeout 10

Attacks

Exploiting mDNS Probing

An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using:

sudo python pholus.py [network interface] -afre -stimeout 1000

This technique effectively blocks new devices from registering their services on the network.

In summary, understanding the workings of mDNS and DNS-SD is crucial for network management and security. Tools like nmap and Pholus offer valuable insights into local network services, while awareness of potential vulnerabilities helps in safeguarding against attacks.

Spoofing/MitM

The most interesting attack you can perform over this service is to perform a MitM in the communication between the client and the real server. You might be able to obtain sensitive files (MitM the communication with the printer) of even credentials (Windows authentication).
For more information check:

{% content-ref url="../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {% endcontent-ref %}

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}