nmap | Patrik Karlsson | NMAP:DNS-SERVICE-DISCOVERY.NSE
Jan 21, 2010 - 1:53 a.m.

dns-service-discovery NSE Script

2010-01-21 01:53:46
Patrik Karlsson
nmap.org
CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Attempts to discover target hosts’ services using the DNS Service Discovery protocol.

The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more information.
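
The service-list query described above is easy to recognise on the wire, which helps when monitoring which hosts enumerate responders on UDP 5353. The following Python sketch is an added example, not part of the Nmap script or the dnssd library; the function names are hypothetical and the sample packet produced by build_query is constructed test input.

```python
import struct
META_QUERY = "_services._dns-sd._udp.local"  # name taken from the script description
PTR = 12                                     # DNS record type PTR

def read_name(pkt, off):
    """Decode the DNS name at off; return (name, offset just past the name)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            if off + 1 >= len(pkt) or hops > 16:
                raise ValueError("bad or looping compression pointer")
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | pkt[off + 1], hops + 1
        elif n == 0:                         # root label ends the name
            return ".".join(labels), (end if end is not None else off + 1)
        elif n > 63 or off + 1 + n > len(pkt):
            raise ValueError("bad label length")
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def questions(pkt):
    """Return [(qname, qtype, unicast_response_bit)] for a DNS/mDNS message."""
    if len(pkt) < 12:
        raise ValueError("short header")
    off, out = 12, []
    for _ in range(struct.unpack("!H", pkt[4:6])[0]):   # QDCOUNT
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        out.append((name.lower(), qtype, bool(qclass & 0x8000)))
    return out

def is_service_enumeration(pkt):
    """True if pkt is a query (QR=0) asking PTR for the DNS-SD service list."""
    try:
        qs = questions(pkt)
    except ValueError:
        return False                         # malformed input is never a match
    return not pkt[2] & 0x80 and any(n == META_QUERY and t == PTR for n, t, _ in qs)

def build_query(name, qtype=PTR):            # constructed sample input only
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
```

Feed it the UDP payload of packets destined to port 5353; a match arriving by unicast from outside the local link is the pattern worth alerting on.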

Script Arguments

max-newtargets, newtargets

See the documentation for the target library.

dnssd.services

See the documentation for the dnssd library.

Example Usage

nmap --script=dns-service-discovery -p 5353 <target>

Script Output

PORT     STATE SERVICE  REASON
5353/udp open  zeroconf udp-response
| dns-service-discovery:
|   548/tcp afpovertcp
|     model=MacBook5,1
|     Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678
|   3689/tcp daap
|     txtvers=1
|     iTSh Version=196609
|     MID=0xFB5338C04123456
|     Database ID=6FA9761FE123456
|     dmv=131078
|     Version=196616
|     OSsi=0x1F6
|     Machine Name=Patrik Karlsson\xE2\x80\x99s Library
|     Media Kinds Shared=1
|     Machine ID=8945A7123456
|     Password=0
|_    Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678

Requires


local dnssd = require "dnssd"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description=[[
Attempts to discover target hosts' services using the DNS Service Discovery protocol.

The script first sends a query for _services._dns-sd._udp.local to get a
list of services. It then sends a followup query for each one to try to
get more information.
]]


---
-- @usage
-- nmap --script=dns-service-discovery -p 5353 <target>
--
-- @output
-- PORT     STATE SERVICE  REASON
-- 5353/udp open  zeroconf udp-response
-- | dns-service-discovery:
-- |   548/tcp afpovertcp
-- |     model=MacBook5,1
-- |     Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678
-- |   3689/tcp daap
-- |     txtvers=1
-- |     iTSh Version=196609
-- |     MID=0xFB5338C04123456
-- |     Database ID=6FA9761FE123456
-- |     dmv=131078
-- |     Version=196616
-- |     OSsi=0x1F6
-- |     Machine Name=Patrik Karlsson\xE2\x80\x99s Library
-- |     Media Kinds Shared=1
-- |     Machine ID=8945A7123456
-- |     Password=0
-- |_    Address=192.168.0.2 fe80:0:0:0:223:6cff:1234:5678


-- Version 0.7
-- Created 01/06/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 01/13/2010 - v0.2 - modified to use existing dns library instead of mdns, changed output to be less DNS like
-- Revised 02/01/2010 - v0.3 - removed incorrect try/catch statements
-- Revised 10/04/2010 - v0.4 - added prerule and add target support <[email protected]>
-- Revised 10/05/2010 - v0.5 - added ip sort function and
-- Revised 10/10/2010 - v0.6 - multicast queries are now used in parallel to collect service information <[email protected]>
-- Revised 10/29/2010 - v0.7 - factored out most of the code to dnssd library

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}


portrule = shortport.portnumber(5353, "udp")

action = function(host, port)
  local helper = dnssd.Helper:new( host, port )
  local status, result = helper:queryServices()

  if ( status ) then
    -- set port to open
    nmap.set_port_state(host, port, "open")
    return stdnse.format_output(true, result)
  end
end
