Nmap Development mailing list archives
Re: NSE script targets-ipv6-multicast-mld.nse patched to include OS detection
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 19 Dec 2015 13:08:11 -0600
Alex,

Thanks for your work on these scripts! I applied your changes to targets-ipv6-multicast-mld as well as the new multicast.lua library which handles sending MLD requests, caching, and parsing responses.

The fingerprint-ipv6-multicast-mld script was interesting, but as I dug into what is behind the fingerprint idea, I decided to take it in a different direction. Instead of a database of common addresses listened to by various OSs, I retrieved the multicast address registry from IANA [1] and chose to represent the description for each address. There is still room to do that kind of categorization later, but this was interesting to me for a couple of reasons:

1. Applications can be responsible for some of these addresses. I was getting lower scores for a Windows 7 machine on my network because it was listening for mDNS multicasts because iTunes and the Apple Bonjour service were installed.

2. Using IANA's registry is easy to keep up-to-date, whereas an ongoing OS database would quickly grow stale.

Because it no longer does "fingerprinting" I changed the name to ipv6-multicast-mld-list [2].

Dan

[1] https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
[2] https://nmap.org/nsedoc/scripts/ipv6-multicast-mld-list.html

On Wed, Jun 10, 2015 at 9:18 AM, Alexandru Geana <alex () alegen net> wrote:
Hello devs,

I finished a new version of these patches. The fingerprint-* script does not depend on the target-* script anymore, but instead there is a library called multicast.lua which contains the code for sending the MLD queries. The function which sends the packets is thread safe and may be called by multiple scripts at the same time. The responses are cached such that subsequent calls do not generate extra traffic. Furthermore, I also added the function which extracts IPs from the MLD reports.

I am open to further suggestions for improvements!

Best regards,
Alexandru Geana
alegen.net

On 05/18, Alexandru Geana wrote:
Hello devs,

After some discussions, it was decided that some changes were needed for this patch. Below is a description of this version of the patch against the current codebase:

1) The bug in the targets-ipv6-multicast-mld.nse script has been fixed and now the script sends the MLD query to the correct address. Furthermore, it contains additional code which can parse MLD v1 and v2 reports and extract multicast addresses. These addresses are placed in the nmap registry for other scripts to use.

2) A new script called fingerprint-ipv6-multicast-mld.nse was created which attempts to guess what operating system a host is running based on the multicast addresses it listens to. The multicast addresses are taken from the registry and this script is supposed to be used together with the targets-ipv6-multicast-mld.nse script.

3) I added a new generic utility function to ipOps.lua which takes one unicast link-local IP address and returns the solicited-node multicast address.

Let me know what you think!

Best regards,
Alexandru Geana
alegen.net

On 04/29, Alexandru Geana wrote:
Hello devs,

Attached to this email I am sending a patch which modifies the targets-ipv6-multicast-mld.nse script to guess the operating systems of detected hosts based on the multicast addresses present in the MLD reports. It is able to distinguish between different versions of Windows and specific Linux distros. The reason is that by default different OSes are listening on different IPv6 multicast addresses.

I also managed to fix a bug where the script would send MLD queries with multiple addresses (including global unicast IPv6 and IPv4). Furthermore, I changed the maximum response delay from 0 to 1 millisecond, since the former resulted in a crash of the TCP/IP stack of VirtualBox when executing the script inside the guest.

For convenience I am also attaching a new version of the script next to the diff so that it is easier to read. Let me know what you think and if anyone knows any other multicast addresses for other OSes, they are more than welcome.

Sample output tested on a Windows 10 host:

Pre-scan script results:
| targets-ipv6-multicast-mld:
|
|   IP: fe80::8904:847b:f736:760d  MAC: 08:00:27:be:80:d0  IFACE: eth0
|   Host reported the following addresses:
|     ff02::1:ff36:760d
|     ff02::fb
|     ff02::1:3
|     ff02::c
|   OS scores (max. 100):
|     Microsoft Windows 10    100
|     Microsoft Windows 7      50
|     Microsoft Windows 8.1    50
|     Ubuntu                   25
|
|_ Use --script-args=newtargets to add the results as targets

Best regards,
Alexandru Geana
alegen.net

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
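The two pieces of protocol logic this thread keeps coming back to are parsing MLDv1/MLDv2 listener reports to get the groups a host listens to, and deriving the solicited-node multicast address from a link-local unicast address. The following is an added Python illustration of both, written for this archive page; it is not the NSE/Lua code from the patches, from multicast.lua or from ipOps.lua. Field layouts follow RFC 2710 (MLDv1) and RFC 3810 (MLDv2). The sample report is constructed in the code from the four addresses in the Windows 10 output above (the ICMPv6 checksum is left at zero because nothing verifies it here), the extra ff02::114 "leave" record is a made-up edge case, and the description table is a hand-picked handful of IANA registry entries, not the full registry the final script uses.

```python
"""Parse MLD listener reports and derive solicited-node addresses (illustration only)."""
import ipaddress
import struct

MLDV1_REPORT = 131   # ICMPv6 Multicast Listener Report, RFC 2710
MLDV2_REPORT = 143   # ICMPv6 Version 2 Multicast Listener Report, RFC 3810

# MLDv2 record types (RFC 3810 section 5.2.12)
MODE_IS_INCLUDE, MODE_IS_EXCLUDE = 1, 2
CHANGE_TO_INCLUDE_MODE, CHANGE_TO_EXCLUDE_MODE = 3, 4

SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")

# A small subset of the IANA IPv6 multicast registry, hand-picked for this example.
IANA_DESCRIPTIONS = {
    "ff02::1": "All Nodes Address",
    "ff02::fb": "mDNSv6",
    "ff02::1:3": "Link-local Multicast Name Resolution",
    "ff02::c": "SSDP",
}


def solicited_node_address(unicast):
    """ff02::1:ffXX:XXXX built from the low 24 bits of a unicast address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def describe(group):
    """Map a group to its registry description; the solicited-node block is a prefix, not an entry."""
    addr = ipaddress.IPv6Address(group)
    if addr in SOLICITED_NODE_NET:
        return "Solicited-Node Address"
    return IANA_DESCRIPTIONS.get(str(addr), "not in registry subset")


def parse_mld_report(icmpv6):
    """Return the multicast groups listed in an ICMPv6 MLD report (IPv6 header already stripped).

    MLDv1 carries exactly one group. MLDv2 carries a list of records; a record of type
    MODE_IS_INCLUDE or CHANGE_TO_INCLUDE_MODE with zero sources means the host is *not*
    listening (INCLUDE {}), so those are skipped rather than reported as listened-to groups.
    """
    if len(icmpv6) < 8:
        raise ValueError("truncated ICMPv6 message")
    mtype = icmpv6[0]
    if mtype == MLDV1_REPORT:
        # type(1) code(1) checksum(2) max response delay(2) reserved(2) multicast address(16)
        if len(icmpv6) < 24:
            raise ValueError("truncated MLDv1 report")
        return [str(ipaddress.IPv6Address(icmpv6[8:24]))]
    if mtype == MLDV2_REPORT:
        # type(1) code(1) checksum(2) reserved(2) number of records(2), then records
        (nrecords,) = struct.unpack_from("!H", icmpv6, 6)
        off, groups = 8, []
        for _ in range(nrecords):
            if off + 20 > len(icmpv6):
                raise ValueError("truncated MLDv2 record")
            # record type(1) aux data len(1, 32-bit words) number of sources(2) group(16)
            rtype, aux_len, nsrc = struct.unpack_from("!BBH", icmpv6, off)
            group = ipaddress.IPv6Address(icmpv6[off + 4:off + 20])
            off += 20 + 16 * nsrc + 4 * aux_len
            if off > len(icmpv6):
                raise ValueError("truncated MLDv2 record")
            if rtype in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE_MODE) and nsrc == 0:
                continue  # INCLUDE {} == leave / not listening
            if group.is_multicast:
                groups.append(str(group))
        return groups
    raise ValueError("not an MLD report: ICMPv6 type %d" % mtype)


def build_mldv2_report(records):
    """Constructed MLDv2 report from (record_type, group, [sources]); checksum left zero."""
    body = b"".join(
        struct.pack("!BBH", rtype, 0, len(srcs)) + ipaddress.IPv6Address(group).packed
        + b"".join(ipaddress.IPv6Address(s).packed for s in srcs)
        for rtype, group, srcs in records)
    return struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(records)) + body


def build_mldv1_report(group, max_resp_delay_ms=1):
    """Constructed MLDv1 report for one group; checksum left zero."""
    return struct.pack("!BBHHH", MLDV1_REPORT, 0, 0, max_resp_delay_ms, 0) \
        + ipaddress.IPv6Address(group).packed


# Sample report mirroring the Windows 10 host in the thread, plus one constructed leave record.
SAMPLE_REPORT = build_mldv2_report([
    (MODE_IS_EXCLUDE, "ff02::1:ff36:760d", []),
    (MODE_IS_EXCLUDE, "ff02::fb", []),
    (MODE_IS_EXCLUDE, "ff02::1:3", []),
    (MODE_IS_EXCLUDE, "ff02::c", []),
    (CHANGE_TO_INCLUDE_MODE, "ff02::114", []),   # constructed: host stopped listening
])

if __name__ == "__main__":
    print("solicited-node for fe80::8904:847b:f736:760d:",
          solicited_node_address("fe80::8904:847b:f736:760d"))
    for g in parse_mld_report(SAMPLE_REPORT):
        print(g, "->", describe(g))
```

Two points the prose above only implies: the solicited-node group (ff02::1:ff36:760d here) is derived from the host's own address and so says nothing about the OS, which is why the lookup treats the whole ff02::1:ff00:0/104 block as one description; and a report record can also mean "no longer listening", so a parser that blindly collects every group address in an MLDv2 report will over-report.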
Current thread:
- Re: NSE script targets-ipv6-multicast-mld.nse patched to include OS detection Daniel Miller (Dec 19)