Nmap Development mailing list archives

[PATCH] DNS-based Service Discovery service probe


From: David Fifield <david () bamsoftware com>
Date: Fri, 14 Aug 2009 14:43:44 -0600

Hi,

I'm working on UDP payloads today and one of them so far would make a
good version probe.
Index: nmap-service-probes

##############################NEXT PROBE##############################
# DNS-based service discovery (DNS-SD). Asks for all services on the host.
# http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt, section 9.
Probe UDP DNS-SD q|\0\0\0\0\0\x01\0\0\0\0\0\0\x09_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01|
rarity 4
ports 5353
# mDNSResponder-176.3
match mdns m|^\0\0\x84\0\0\x01..\0\0\0\0\x09_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01| p/Apple mDNSResponder/
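Review bot: In the match line, the two `.` wildcards that cover the answer count (`\0\x01..\0\0\0\0`) will not match a 0x0a byte unless the `s` option is set on the pattern, so a reply that advertises exactly 10 services would go unmatched; appending `s` after the closing `|` avoids that. Separately, the pattern checks only the header flags and the echoed question, so nothing in it is specific to mDNSResponder, and `p/Apple mDNSResponder/` would be reported for any responder that answers with the same header, Avahi included. A comment saying so, or a more generic product string, would be safer until a second implementation's reply has been compared.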

It's a DNS Service Discovery (DNS-SD) request. DNS-SD is combined with
multicast DNS in Apple's Zeroconf and other similar implementations. The
response is a DNS reply that contains a list of services offered by the
host.

http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

The port name in nmap-services is "zeroconf" but I think it should be
"mdns". Zeroconf is a collection of protocols of which multicast DNS and
DNS-SD are a part. Even though the probe we send is unicast, port 5353
is the one reserved for multicast DNS.

The format of the reply is fairly rigid so I don't know if this probe
will allow distinguishing different DNS-SD implementations. The only one
other than mDNSResponder I'm aware of is Avahi.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
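The request and reply described in this message, decoded as an added example (not part of the original post and not Nmap code). The probe bytes are copied from the patch; the reply is constructed for illustration, and `read_name`, `parse` and `ptr` are names chosen here.

```python
import struct

# Probe payload copied from the nmap-service-probes entry in the post.
PROBE = (b"\0\0\0\0\0\x01\0\0\0\0\0\0"
         b"\x09_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01")

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset after the name)."""
    labels, after, hops = [], None, 0
    while True:
        n = msg[off]                      # IndexError on truncated input
        if (n & 0xC0) == 0xC0:            # compression pointer (RFC 1035, 4.1.4)
            if after is None:
                after = off + 2           # parsing resumes after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                 # replies are untrusted: stop pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if after is None else after)
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def parse(msg):
    """Return header fields, questions, and PTR targets from the answer section."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, questions, services = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        if rtype == 12:                   # PTR: rdata is a (possibly compressed) name
            services.append(read_name(msg, off)[0])
        off += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "services": services}

def ptr(rdata):  # constructed PTR record; owner name is a pointer to offset 12
    return b"\xc0\x0c" + struct.pack("!2HIH", 12, 1, 10, len(rdata)) + rdata

# Constructed reply (not captured traffic); \xc0\x23 points at the "local" label.
REPLY = (b"\0\0\x84\0\0\x01\0\x02\0\0\0\0" + PROBE[12:]
         + ptr(b"\x04_ssh\x04_tcp\xc0\x23") + ptr(b"\x05_http\x04_tcp\xc0\x23"))
```

`parse(PROBE)` shows a single PTR question for `_services._dns-sd._udp.local`, and `parse(REPLY)` returns the advertised service types from the answer section.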

