Security Weekly
Vulnerability Management

MDNSRecon

Recently I was chatting with my good friend Elliot Cutright also known in twitter as @nullthreat about the recent changes I have been doing to DNSRecon and several of the improvements. He commented that he would miss the MDNS enumeration feature I had on it originally. Do to my move of supporting Python 3.x and supporting Python 2.x and above for the tool I had to drop that feature in addition that library I used for it was abandoned by the author for quite some time. MDNS is a great way to find all sorts of information about hosts in your same subnet specially since the MDSN records act as regular DNS SRV records where we get Service name that most times include the protocol and name, Target for the service, Port and a text field with additional information. In addition to this one can resolve the hosts to their IPv4 and IPv6 addresses.

Based on the request I wrote a Ruby script that leveraged the tool avahi-browser and set as my goals for the script:

  • Detect most of the supported MDNS Records in the local subnet the attacker is connected on.
  • Do not resolve those services running on the attackers machine.
  • Make sure that the out put was useful and easy to parse and manipulate for a tester.

The resulting script I called MDNSRecon and can be downloaded from my GitHub account at https://github.com/darkoperator/MDNSRecon 

[email protected]:~# ./mdnsrecon.rb -h
MDNSRecon Script by Carlos Perez (carlos_perez[at]darkoperator.com)
Version 0.1
Usage: mdnsrecon.rb [OPTION]
--help, -h:
show help
--csv <file>, -c <file>:
CSV File to save records found.
--grep, -g:
Output grepable Output with a delimiter of
<service>domainhostIPporttxt
If no option is given it will print records found to standard output.

If ran with no option we get output similar to this one if machines are available:

[email protected]:~# ./mdnsrecon.rb 
[-] Records found:
[*] Host: bt.local
[*] IP: 192.168.192.128
[*] Port: 9
[*] Service:Workstation
[*] Text:''
[*]
[*] Host: ubuntu.local
[*] IP: 192.168.192.129
[*] Port: 9
[*] Service:Workstation
[*] Text:''
[*]
[*] Host: ubuntu.local
[*] IP: 192.168.192.129
[*] Port: 22
[*] Service:_udisks-ssh._tcp
[*] Text:''
[*]

If We want the output in a grepable format we use the -g options so the cut command and grep can be used to better find targets, in this example we will look for SSH services:

[email protected]:~# ./mdnsrecon.rb -g | grep ssh |cut -d '' -f4,5 --output-delimiter=" " -n
192.168.192.129 22

Now in the case we want to save the results in a format we can email someone or parse a larger set of results like those you can find on a conference floor ( or so I was told) you can select to save to a CSV file and later user a spreadsheet program or PowerShell on Windows to parse and slice:

[email protected]:~# ./mdnsrecon.rb -c lab.csv
[-] Saving found records to lab.csv
[*] 3 Records saved
[email protected]:~# cat lab.csv 
service,domain,host,ip,port,txt
Workstation,local,bt.local,192.168.192.128,9,''
_udisks-ssh._tcp,local,ubuntu.local,192.168.192.129,22,''
Workstation,local,ubuntu.local,192.168.192.129,9,''

So far I’m only supporting Debian, Ubuntu and Backtrack 5 as the platforms to run the script on, recommending Backtrack 5 as the preferred one. I will add other distributions of Linux depending on the amount of requests I get. I do hope you find the script useful and as with any of my projects feedback and feature request are always welcomed.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.