Re: NSE script targets-ipv6-multicast-mld.nse patched to include OS detection

[Daniel Miller <bonsaiviking () gmail com>]

Alex,

Thanks for your work on these scripts! I applied your changes to
targets-ipv6-multicast-mld as well as the new multicast.lua library which
handles sending MLD requests, caching, and parsing responses. The
fingerprint-ipv6-multicast-mld script was interesting, but as I dug into
what is behind the fingerprint idea, I decided to take it in a different
direction. Instead of a database of common addresses listened to by various
OSs, I retrieved the multicast address registry from IANA [1] and chose to
represent the description for each address. There is still room to do that
kind of categorization later, but this was interesting to me for a couple
of reasons:

1. Applications can be responsible for some of these addresses. I was
getting lower scores for a Windows 7 machine on my network because it was
listening for mDNS multicasts because iTunes and the Apple Bonjour service
were installed.
2. Using IANA's registry is easy to keep up-to-date, whereas an ongoing OS
database would quickly grow stale.

Because it no longer does "fingerprinting" I changed the name to
ipv6-multicast-mld-list [2].

Dan

[1]
https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
[2] https://nmap.org/nsedoc/scripts/ipv6-multicast-mld-list.html

On Wed, Jun 10, 2015 at 9:18 AM, Alexandru Geana <alex () alegen net> wrote:

> Hello devs,
>
> I finished a new version of these patches. The fingerprint-* script does
> not depend on the target-* script anymore, but instead there is a
> library called multicast.lua which contains the code for sending the MLD
> queries. The function which sends the packets is thread safe and may be
> called by multiple scripts at the same time.
>
> The responses are cached such that subsequent calls do not generate extra
> traffic. Furthermore, I also added the function which extract IPs from
> the MLD reports.
>
> I am open to further suggestions for improvements!
>
> Best regards,
> Alexandru Geana
> alegen.net
>
> On 05/18, Alexandru Geana wrote:
> > Hello devs,
> >
> > After some discussions, it was decided that some changes were needed for
> > this patch. Below is a description of this version of the patch against
> > the current codebase:
> >
> > 1) The bug in targets-ipv6-multicast-mld.nse script has been fixed and
> > now the script sends the mld query to the correct address. Furthermore,
> > it contains additional code which can parse MLD v1 and v2 reports and
> > extract multicast addresses. These addresses are place in the nmap
> > registry for other scripts to use.
> >
> > 2) A new script called fingerprint-ipv6-multicast-mld.nse was created
> > which attempts to guess what operating system a host is running based on
> > the multicast addresses it listens to. The multicast addresses are taken
> > from the registry and this script is supposed to be used together with
> > the targets-ipv6-multicast-mld.nse script.
> >
> > 3) I added a new generic utility function to ipOps.lua which takes one
> > unicast link-local ip address and returns the solicited node multicast
> > address.
> >
> > Let me know what you think!
> >
> > Best regards,
> > Alexandru Geana
> > alegen.net
> >
> > On 04/29, Alexandru Geana wrote:
> > > Hello devs,
> > >
> > > Attached to this email I am sending a patch which modifies the
> > > targets-ipv6-multicast-mld.nse script to guess the operating systems of
> > > detected hosts based on the multicast addresses present in the MLD
> > > reports. It is able to distinguish between different versions of
> > > Windows and specific Linux distros. The reason is that by default
> > > different OSes are listening on different IPv6 multicast addresses.
> > >
> > > I also managed to fix a bug where the script would send MLD queries
> with
> > > multiple addresses (including global unicast IPv6 and IPv4).
> > > Furthermore, I changed the maximum response delay from 0 to 1
> > > millisecond, since the former resulted in a crash of the TCP/IP stack
> of
> > > virtualbox when executing the script inside the guest.
> > >
> > > For convenience I am also attaching a new version of the script next to
> > > the diff so that it is easier to read.
> > >
> > > Let me know what you think and if anyone knows any other multicast
> > > addresses for other OSes, they are more than welcome.
> > >
> > > Sample output tested on a Windows 10 host:
> > >  Pre-scan script results:
> > >  | targets-ipv6-multicast-mld:
> > >  |
> > >  |   IP: fe80::8904:847b:f736:760d           MAC: 08:00:27:be:80:d0
> IFACE: eth0
> > >  |   Host reported the following addresses:
> > >  |       ff02::1:ff36:760d
> > >  |       ff02::fb
> > >  |       ff02::1:3
> > >  |       ff02::c
> > >  |   OS scores (max. 100):
> > >  |       Microsoft Windows 10      100
> > >  |       Microsoft Windows 7       50
> > >  |       Microsoft Windows 8.1     50
> > >  |       Ubuntu                    25
> > >  |
> > >  |_  Use --script-args=newtargets to add the results as targets
> > >
> > > Best regards,
> > > Alexandru Geana
> > > alegen.net
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/