Nmap Development mailing list archives

Re: [PATCH] DNS-based Service Discovery service probe


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 14 Aug 2009 21:00:38 +0000

David, I think this looks great. I think you'd be surprised how much mDNS is out there. Many P2P apps such as Limewire use it. I know in some circumstances the iPhone sends it, etc.

Although I see it mostly used with multicast addresses, I suspect unicast will work most of the time.

Brandon

Sent from my phone. If you would like a digital signature for this email let me know and I will sign it later.


On Aug 14, 2009, at 20:43, David Fifield <david () bamsoftware com> wrote:

Hi,

I'm working on UDP payloads today and one of them so far would make a
good version probe.
Index: nmap-service-probes

##############################NEXT PROBE##############################
# DNS-based service discovery (DNS-SD). Asks for all services on the host.
# http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt, section 9.
Probe UDP DNS-SD q|\0\0\0\0\0\x01\0\0\0\0\0\0\x09_services\x07_dns-sd \x04_udp\x05local\0\0\x0c\0\x01|
rarity 4
ports 5353
# mDNSResponder-176.3
match mdns m|^\0\0\x84\0\0\x01..\0\0\0\0\x09_services\x07_dns-sd \x04_udp\x05local\0\0\x0c\0\x01| p/Apple mDNSResponder/
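Review bot: in the match line, the two `.` standing in for ANCOUNT will not match a 0x0a byte unless the pattern carries the `s` option, so a reply whose answer count contains that byte (exactly 10 services gives `\0\x0a`) would go unmatched; closing the pattern with `|s` before `p/Apple mDNSResponder/` avoids that. Separately, the space shown between `_dns-sd` and `\x04_udp` in both the Probe and match lines would be a literal 0x20 byte in the middle of the name if it is really in the file rather than a wrapping artifact of the mail, so it is worth checking that the labels are contiguous.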

It's a DNS Service Discovery (DNS-SD) request. DNS-SD is combined with
multicast DNS in Apple's Zeroconf and other similar implementations. The response is a DNS reply that contains a list of services offered by the
host.

http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

The port name in nmap-services is "zeroconf" but I think it should be
"mdns". Zeroconf is a collection of protocols of which multicast DNS and
DNS-SD are a part. Even though the probe we send is unicast, port 5353
is the one reserved for multicast DNS.

The format of the reply is fairly rigid so I don't know if this probe
will allow distinguishing different DNS-SD implementations. The only one
other than mDNSResponder I'm aware of is Avahi.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
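Added example (not part of the original thread and not Nmap code): Python that rebuilds the probe payload field by field and decodes the service types from a DNS-SD reply, as described in the message above. It assumes the labels in the probe are contiguous (no space between `_dns-sd` and `\x04_udp`); the reply is constructed for illustration, not captured from a real responder, and all function names are hypothetical.

```python
import struct

PROBE = b"\0\0\0\0\0\x01\0\0\0\0\0\0\x09_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01"
PTR, IN = 12, 1

def encode_name(name):
    """Encode a dotted name as length-prefixed labels with a root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def build_query(name="_services._dns-sd._udp.local"):
    """Header (ID 0, flags 0, QDCOUNT 1) plus one PTR/IN question."""
    return struct.pack(">6H", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", PTR, IN)

def read_name(msg, off, depth=0):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels = []
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                      # pointer: rest of the name lives elsewhere
            if depth > 8:
                raise ValueError("compression pointer loop")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            labels.append(read_name(msg, ptr, depth + 1)[0])
            return ".".join(filter(None, labels)), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_reply(msg):
    """Return (flags, service types) from the PTR answers of a DNS-SD reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    services = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == PTR:
            services.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return flags, services

def sample_reply(types):
    """Constructed reply (not a capture): QR+AA set, one PTR answer per service type."""
    msg = struct.pack(">6H", 0, 0x8400, 1, len(types), 0, 0) + PROBE[12:]
    for t in types:
        rdata = encode_name(t)
        msg += b"\xc0\x0c" + struct.pack(">HHIH", PTR, IN, 10, len(rdata)) + rdata
    return msg
```
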
