Nmap Development mailing list archives
Re: [NSE] broadcast-igmp-discovery
From: Hani Benhabiles <kroosec () gmail com>
Date: Thu, 26 Jul 2012 16:30:01 +0100
On 07/26/2012 03:20 PM, David Fifield wrote:
On Thu, Jul 26, 2012 at 02:59:59PM +0100, Hani Benhabiles wrote:This discovery method is amazing, I am getting very good information even in small/home networks with no prior or fancy setups. Tests and feedback are very welcome.I tested and it worked for me. It found my router (twice)
This is expected as a host running version 2 or 1 would send a distinct membership reply for each group. On version 3, would send one membership reply with a stacked group records (+ the mode they are running and source addresses).
but missed a GNU/Linux laptop (the firewall of which might be too restrictive for this test).
This could simply be due to the laptop not being on any relevant groups (You could compare their /proc/sys/igmp and netstat -gn outputs)
On 07/26/2012 03:34 PM, Daniel Miller wrote:
On 07/26/2012 08:59 AM, Hani Benhabiles wrote:Hi list, description = [[Discovers targets listening for multicast queries and their groups through IGMP.The scripts works by sending IGMP Membership Query packets to the 224.0.0.1 All multicast address and listening for IGMP Membership Report packets. It extracts after that all the interesting information such as the version, group, themode, source addresses (depending on the version).The script defaults to sending an IGMPv2 Query but this could be changed to another version or queries of all three version. If no interface was specified as a script argument or with the -e option, the script will proceed to sendingqueries through all the valid ethernet interfaces. ]] ----- @args broadcast-igmp-discovery.timeout Time to wait for responses in seconds.-- Defaults to <code>10</code> seconds. -- -- @args broadcast-igmp-discovery.version IGMP version to use. Could be-- <code>1</code>, <code>2</code>, <code>3</code> or <code>all</code>. Defaults to <code>2</code>-- --@usage -- nmap --script broadcast-igmp-discovery -- nmap --script broadcast-igmp-discovery -e wlan0 -- nmap --script broadcast-igmp-discovery-- --script-args 'broadcast-igmp-discovery.version=all, broadcast-igmp-discovery.timeout=5'-- --@output --Pre-scan script results: -- | broadcast-igmp-discovery: -- | 192.168.2.2 -- | Interface: tap0 -- | Version: 3 -- | Group: 239.1.1.1 -- | Mode: EXCLUDE -- | Group: 239.1.1.2 -- | Mode: EXCLUDE -- | Group: 239.1.1.44 -- | Mode: INCLUDE -- | Sources: -- | 192.168.31.1 -- | 192.168.1.3 -- | Interface: wlan0 -- | Version: 2 -- | Group: 239.255.255.250 -- | 192.168.1.3 -- | Interface: wlan0 -- | Version: 2 -- | Group: 239.255.255.253 -- |_ Use the newtargets script-arg to add the results as targets --This discovery method is amazing, I am getting very good information even in small/home networks with no prior or fancy setups. Tests and feedback are very welcome.Cheers, Hani. _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived athttp://seclists.org/nmap-dev/Hani,This works on my local network, getting consistent responses from a Windows Vista machine on my network. A few observations, though:1. The output is not sorted, so ndiff would show a difference between runs even when there was no difference.
Very good point. I will look into it.
2. The first time I ran the script, I got responses for version 2. Next, I ran with script-args version=all, and I saw only version 1 responses. Now, no matter what I put in the script-args, I only get version 1 responses. I haven't done a packet capture to see if it's a parsing issue or what is going on.
This is expected behavior due to the target hosts downgrading to the lowest version they see on the network for backward compatibility.
3. Linux systems on my network reply inconsistently. I have seen replies from 3 different machines for 2 different groups, but never more than 1 machine per run (Windows responds the same way every time). I don't know if this is expected behavior.
I believe this is due to the interval time between reports (some hosts/firewall may have a minimal one to prevent causing a DoS). A packet capture would give more insight.
Overall, it looks good, and I look forward to seeing the final version in Nmap.Dan
Thanks. Cheers, Hani. -- Hani Benhabiles Twitter: https://twitter.com/#!/kroosec Blog: http://kroosec.blogspot.com _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] broadcast-igmp-discovery Hani Benhabiles (Jul 26)
- Re: [NSE] broadcast-igmp-discovery David Fifield (Jul 26)
- Re: [NSE] broadcast-igmp-discovery Daniel Miller (Jul 26)
- Re: [NSE] broadcast-igmp-discovery Hani Benhabiles (Jul 26)
- Re: [NSE] broadcast-igmp-discovery Hani Benhabiles (Jul 27)
- Re: [NSE] broadcast-igmp-discovery Hani Benhabiles (Jul 26)