Nmap Development mailing list archives

Script idea: DNS-based service discovery


From: David Fifield <david () bamsoftware com>
Date: Thu, 27 Aug 2009 15:37:52 -0600

Hi,

I had an idea for an NSE script that I'm going to share in case someone
wants to take it on. The idea is to discover services by querying the
DNS-SD (DNS-based Service Discovery) service on UDP port 5353.

The script will send the special service enumeration probe
(_services._dns-sd._udp.local) described in section 9 of this document.
It's the same probe as DNS-SD in nmap-service-probes.

http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

The DNS-SD response is, not surprisingly, DNS, so the dns.lua library
should be able to parse it. UDP port 5353 is commonly open on Mac OS X
machines, and probably Windows machines that have installed Apple
software like iTunes.

The response can tell you a lot. When I run the above query against OS
X, I get answers for _ssh._tcp.local, _sftp-ssh._tcp.local, and
_rfb._tcp.local. A complete list of the registered services is at
http://www.dns-sd.org/ServiceTypes.html.

For experimenting with the protocol, use the dns-sd program that comes
with OS X. Here is a command that generates the above-mentioned probe.
        dns-sd -B _services._dns-sd._udp .

You can get even more information with follow-up probes. If, after you
run the above command, you want more information about the ssh service,
you run
        dns-sd -B _ssh._tcp .

That returns a PTR record for mac-mini._ssh._tcp.local (mac-mini is a
host name). You can finally look that up:
        dns-sd -L mac-mini _ssh._tcp .

That returns a SRV record saying the service is on port 22, A and AAAA
records with the IPv4 and IPv6 addresses of the host, and a TXT record
identifying the hardware: "model=Macmini2,1". There are a lot of
possibilities here.

David Fifield
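The enumeration and follow-up exchange described in the post, as an added Python example (not Nmap's dns.lua, not Apple's dns-sd tool, and not part of the original message): it builds the PTR probe for _services._dns-sd._udp.local exactly as nmap-service-probes sends it, parses a DNS reply including RFC 1035 name compression, and decodes the PTR, SRV, TXT, A and AAAA records that the follow-up step returns. The two replies ENUM_REPLY and INSTANCE_REPLY are constructed to mirror the OS X answers quoted above; the host name mac-mini, the addresses 192.0.2.10 and fe80::1, and the TTLs are made up. probe() is the only function that touches the network and is an assumption about how a script would talk to a live host.

```python
"""DNS-SD over mDNS (UDP 5353): build the _services._dns-sd._udp.local PTR
probe, parse the DNS reply, and follow the PTR -> SRV/TXT/A/AAAA chain.
Added example, not Nmap or dns-sd code; the sample packets are constructed."""
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_AAAA, TYPE_SRV = 1, 12, 16, 28, 33
CLASS_IN = 1
SD_ENUM = "_services._dns-sd._udp.local"  # enumeration name, DNS-SD draft sec. 9

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels, no compression."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype):
    """mDNS query: ID 0, flags 0, one question, class IN (what nmap's probe sends)."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(data, off):
    """Read a name at `off`, following compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                  # 2-byte pointer to an earlier name
            end = end or off + 2               # caller resumes after the pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                      # refuse looping pointers from a hostile responder
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_response(data):
    """Return [(name, type, rdata)] for every RR; PTR/SRV/TXT/A/AAAA decoded, others raw."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = decode_name(data, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rd = data[off:off + rdlen]
        if rtype == TYPE_PTR:
            val, _ = decode_name(data, off)    # target may itself be compressed
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", rd[:6])
            val = (port, decode_name(data, off + 6)[0])
        elif rtype == TYPE_TXT:
            val, i = [], 0
            while i < len(rd):                 # sequence of <len><key=value>
                val.append(rd[i + 1:i + 1 + rd[i]].decode("ascii", "replace"))
                i += 1 + rd[i]
        elif rtype in (TYPE_A, TYPE_AAAA):
            val = socket.inet_ntop(socket.AF_INET if rtype == TYPE_A else socket.AF_INET6, rd)
        else:
            val = rd
        records.append((name, rtype, val))
        off += rdlen
    return records

def service_types(records):
    """Service types named by PTR answers to the enumeration probe."""
    return [v for n, t, v in records if t == TYPE_PTR and n == SD_ENUM]

def probe(host, name=SD_ENUM, qtype=TYPE_PTR, timeout=2.0):
    """Unicast the query straight to host:5353, as a script would; [] on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (host, 5353))
        return parse_response(sock.recvfrom(4096)[0])
    except socket.timeout:
        return []
    finally:
        sock.close()

# Constructed replies modelled on the OS X answers described in the post.
def _rr(rtype, rdata, name=b"\xc0\x0c"):
    # default name is a compression pointer to the question name at offset 12
    return name + struct.pack("!HHIH", rtype, CLASS_IN, 4500, len(rdata)) + rdata

def _reply(qname, qtype, answers, additional=b"", ar=0):
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, len(answers), 0, ar)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + b"".join(answers) + additional

ENUM_REPLY = _reply(SD_ENUM, TYPE_PTR, [_rr(TYPE_PTR, encode_name(s)) for s in
                    ("_ssh._tcp.local", "_sftp-ssh._tcp.local", "_rfb._tcp.local")])

TXT, HOST = b"model=Macmini2,1", encode_name("mac-mini.local")
ADDITIONAL = (_rr(TYPE_A, socket.inet_aton("192.0.2.10"), HOST)          # made-up addresses
              + _rr(TYPE_AAAA, socket.inet_pton(socket.AF_INET6, "fe80::1"), HOST))
INSTANCE_REPLY = _reply("mac-mini._ssh._tcp.local", TYPE_SRV,
                        [_rr(TYPE_SRV, struct.pack("!HHH", 0, 0, 22) + HOST),
                         _rr(TYPE_TXT, bytes([len(TXT)]) + TXT)], ADDITIONAL, ar=2)
```

Against a live host the same walk is `service_types(probe("10.0.0.5"))`, then `probe("10.0.0.5", "_ssh._tcp.local")` for the instance PTR, then `probe("10.0.0.5", "mac-mini._ssh._tcp.local", TYPE_SRV)` for the port, host name and TXT (the address and instance name are illustrative). Two points worth carrying into an NSE version: mDNS answers are unauthenticated input, so the name decoder bounds pointer hops and slices rather than trusting lengths, and the TXT "model=" key is exactly the kind of hardware fingerprint the post points at, so it belongs in the script output next to the SRV port.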

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org