Re: [NSE] broadcast-igmp-discovery

[Hani Benhabiles <kroosec () gmail com>]

On 07/26/2012 03:20 PM, David Fifield wrote:
> On Thu, Jul 26, 2012 at 02:59:59PM +0100, Hani Benhabiles wrote:
> > This discovery method is amazing, I am getting very good information
> > even in small/home networks with no prior or fancy setups. Tests and
> > feedback are very welcome.
> I tested and it worked for me. It found my router (twice)

This is expected as a host running version 2 or 1 would send a distinct 
membership reply for each group. On version 3, would send one membership 
reply with a stacked group records (+ the mode they are running and 
source addresses).

> but missed a GNU/Linux laptop (the firewall of which might be too
> restrictive for this test).


This could simply be due to the laptop not being on any relevant groups 
(You could compare their /proc/sys/igmp and netstat -gn outputs)


On 07/26/2012 03:34 PM, Daniel Miller wrote:
> On 07/26/2012 08:59 AM, Hani Benhabiles wrote:
> > Hi list,
> >
> > description = [[
> > Discovers targets listening for multicast queries and their groups 
> > through IGMP.
> >
> > The scripts works by sending IGMP Membership Query packets to the 
> > 224.0.0.1 All
> > multicast address and listening for IGMP Membership Report packets. 
> > It extracts
> > after that all the interesting information such as the version, 
> > group, the
> > mode, source addresses (depending on the version).
> >
> > The script defaults to sending an IGMPv2 Query but this could be 
> > changed to
> > another version or queries of all three version. If no interface was 
> > specified
> > as a script argument or with the -e option, the script will proceed 
> > to sending
> > queries through all the valid ethernet interfaces.
> >
> > ]]
> >
> > ---
> > -- @args broadcast-igmp-discovery.timeout Time to wait for responses 
> > in seconds.
> > -- Defaults to <code>10</code> seconds.
> > --
> > -- @args broadcast-igmp-discovery.version IGMP version to use. Could be
> > -- <code>1</code>, <code>2</code>, <code>3</code> or 
> > <code>all</code>. Defaults to <code>2</code>
> > --
> > --@usage
> > -- nmap --script broadcast-igmp-discovery
> > -- nmap --script broadcast-igmp-discovery -e wlan0
> > -- nmap --script broadcast-igmp-discovery
> > -- --script-args 'broadcast-igmp-discovery.version=all, 
> > broadcast-igmp-discovery.timeout=5'
> > --
> > --@output
> > --Pre-scan script results:
> > -- | broadcast-igmp-discovery:
> > -- |   192.168.2.2
> > -- |     Interface: tap0
> > -- |     Version: 3
> > -- |     Group: 239.1.1.1
> > -- |       Mode: EXCLUDE
> > -- |     Group: 239.1.1.2
> > -- |       Mode: EXCLUDE
> > -- |     Group: 239.1.1.44
> > -- |       Mode: INCLUDE
> > -- |       Sources:
> > -- |           192.168.31.1
> > -- |   192.168.1.3
> > -- |     Interface: wlan0
> > -- |     Version: 2
> > -- |     Group: 239.255.255.250
> > -- |   192.168.1.3
> > -- |     Interface: wlan0
> > -- |     Version: 2
> > -- |     Group: 239.255.255.253
> > -- |_  Use the newtargets script-arg to add the results as targets
> > --
> >
> > This discovery method is amazing, I am getting very good information 
> > even in small/home networks with no prior or fancy setups. Tests and 
> > feedback are very welcome.
> >
> > Cheers,
> > Hani.
> >
> >
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived athttp://seclists.org/nmap-dev/
> Hani,
>
> This works on my local network, getting consistent responses from a 
> Windows Vista machine on my network. A few observations, though:
>
> 1. The output is not sorted, so ndiff would show a difference between 
> runs even when there was no difference.


Very good point. I will look into it.


> 2. The first time I ran the script, I got responses for version 2. 
> Next, I ran with script-args version=all, and I saw only version 1 
> responses. Now, no matter what I put in the script-args, I only get 
> version 1 responses. I haven't done a packet capture to see if it's a 
> parsing issue or what is going on.

This is expected behavior due to the target hosts downgrading to the 
lowest version they see on the network for backward compatibility.

> 3. Linux systems on my network reply inconsistently. I have seen 
> replies from 3 different machines for 2 different groups, but never 
> more than 1 machine per run (Windows responds the same way every 
> time). I don't know if this is expected behavior.

I believe this is due to the interval time between reports (some 
hosts/firewall may have a minimal one to prevent causing a DoS). A 
packet capture would give more insight.

> Overall, it looks good, and I look forward to seeing the final version 
> in Nmap.
>
> Dan

Thanks.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/