Re: [NSE] broadcast-igmp-discovery

[Daniel Miller <bonsaiviking () gmail com>]

On 07/26/2012 08:59 AM, Hani Benhabiles wrote:
> Hi list,
>
> description = [[
> Discovers targets listening for multicast queries and their groups 
> through IGMP.
>
> The scripts works by sending IGMP Membership Query packets to the 
> 224.0.0.1 All
> multicast address and listening for IGMP Membership Report packets. It 
> extracts
> after that all the interesting information such as the version, group, 
> the
> mode, source addresses (depending on the version).
>
> The script defaults to sending an IGMPv2 Query but this could be 
> changed to
> another version or queries of all three version. If no interface was 
> specified
> as a script argument or with the -e option, the script will proceed to 
> sending
> queries through all the valid ethernet interfaces.
>
> ]]
>
> ---
> -- @args broadcast-igmp-discovery.timeout Time to wait for responses 
> in seconds.
> -- Defaults to <code>10</code> seconds.
> --
> -- @args broadcast-igmp-discovery.version IGMP version to use. Could be
> -- <code>1</code>, <code>2</code>, <code>3</code> or <code>all</code>. 
> Defaults to <code>2</code>
> --
> --@usage
> -- nmap --script broadcast-igmp-discovery
> -- nmap --script broadcast-igmp-discovery -e wlan0
> -- nmap --script broadcast-igmp-discovery
> -- --script-args 'broadcast-igmp-discovery.version=all, 
> broadcast-igmp-discovery.timeout=5'
> --
> --@output
> --Pre-scan script results:
> -- | broadcast-igmp-discovery:
> -- |   192.168.2.2
> -- |     Interface: tap0
> -- |     Version: 3
> -- |     Group: 239.1.1.1
> -- |       Mode: EXCLUDE
> -- |     Group: 239.1.1.2
> -- |       Mode: EXCLUDE
> -- |     Group: 239.1.1.44
> -- |       Mode: INCLUDE
> -- |       Sources:
> -- |           192.168.31.1
> -- |   192.168.1.3
> -- |     Interface: wlan0
> -- |     Version: 2
> -- |     Group: 239.255.255.250
> -- |   192.168.1.3
> -- |     Interface: wlan0
> -- |     Version: 2
> -- |     Group: 239.255.255.253
> -- |_  Use the newtargets script-arg to add the results as targets
> --
>
> This discovery method is amazing, I am getting very good information 
> even in small/home networks with no prior or fancy setups. Tests and 
> feedback are very welcome.
>
> Cheers,
> Hani.
>
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hani,

This works on my local network, getting consistent responses from a 
Windows Vista machine on my network. A few observations, though:

1. The output is not sorted, so ndiff would show a difference between 
runs even when there was no difference.

2. The first time I ran the script, I got responses for version 2. Next, 
I ran with script-args version=all, and I saw only version 1 responses. 
Now, no matter what I put in the script-args, I only get version 1 
responses. I haven't done a packet capture to see if it's a parsing 
issue or what is going on.

3. Linux systems on my network reply inconsistently. I have seen replies 
from 3 different machines for 2 different groups, but never more than 1 
machine per run (Windows responds the same way every time). I don't know 
if this is expected behavior.

Overall, it looks good, and I look forward to seeing the final version 
in Nmap.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/