Comments on: Name (mDNS) Poisoning Attacks inside the LAN

By: WiFi Infestations – Viral Wardriving | GNUCITIZEN

WiFi Infestations – Viral Wardriving | GNUCITIZEN — Fri, 13 May 2011 21:22:18 +0000

[...] mDNS is also a good technology to make use of when wardriving in order to propagate malicious code. mDNS is incredibly useful for locating devices but also to install such for further reference. For example, many video management interfaces rely on mDNS. If the attacker registers a new mDNS server and points it to an external resource, she will be able to effectively hijack the video stream. This injection often stays present until it is overwritten – something that rarely happens. [...]

By: plumber hertfordshire

plumber hertfordshire — Thu, 02 Dec 2010 07:49:59 +0000

Interesting article for a newbie, A mDNS enabled client will perform a mDNS query on a multicast address. All clients that listen on that address will respond back with their names.

By: 11x17 priinter

11x17 priinter — Mon, 07 Dec 2009 14:04:18 +0000

I think Pyhon 2.5 is fine

By: Floss Your Mind » Blog Archive » Apple’s iPhone Enterprise Application Delivery- REVISTED

Mon, 14 Jul 2008 12:04:36 +0000

[...] http://www.gnucitizen.org/blog.....e-the-lan/ [...]

By: pdp

pdp — Tue, 29 Jan 2008 09:38:09 +0000

hackathology, what do u mean… all you need is Python, byBonjour and Bonjour.

By: hackathology

hackathology — Tue, 29 Jan 2008 08:43:25 +0000

i am interested in playing with mDNS, however too bad, i am quite restricted in terms of using tools

By: pdp

pdp — Sun, 27 Jan 2008 08:37:42 +0000

darcy, I think that you need Python 2.5

By: darcy

darcy — Sat, 26 Jan 2008 22:51:06 +0000

i install pyBonjour and ctypes. i'm running python 2.4 on a mac (leopard). i get this error:

$ python mDNS.py 
  File "mDNS.py", line 86
    yield result
SyntaxError: 'yield' not allowed in a 'try' block with a 'finally' clause

any suggestions?

By: Mark

Mark — Fri, 25 Jan 2008 22:42:31 +0000

For additional fun and games grab a copy of unicornscan (http://unicornscan.org/) and have a play around with various payloads on port 5353. Strange things often happen ;)

By: BMFO » Blog Archive » mDNS:0 PDP: 1

BMFO » Blog Archive » mDNS:0 PDP: 1 — Fri, 25 Jan 2008 22:38:02 +0000

[...] address. Therefore, successfully hijacking/poisoning the local name for a duration of time.” http://www.gnucitizen.org/blog.....de-the-lan A quick look at the code and it defiantly looks like it will do the job. The other thing that [...]

By: Inking’s Blog » Name (mDNS) Poisoning Attacks inside the LAN

Inking’s Blog » Name (mDNS) Poisoning Attacks inside the LAN — Thu, 24 Jan 2008 04:07:51 +0000

[...] http://www.gnucitizen.org/blog.....de-the-lan Â It is all due to mDNS. From Wikipediaâ€™s article: Multicast DNS (mDNS) is a protocol that uses similar APIs to the unicast DNS system but implemented differently. Each computer on the LAN stores its own list of DNS records (e.g. A, MX, PTR, SRV, etc) and when an mDNS client wants to know the IP address of a PC given its name, the PC with the corresponding A record replies with its IP address. Wikipedia The problem with mDNS is that it is spoof-able. Here is how it works. mDNS enabled client will perform a mDNS query on a multicast address. All clients that listen on that address will respond back with their names. Who ever is the first, wins the race. So for example, if your word processing application decides to print a document by looking for printer.local, attackers can easily send a respond to that DNS query with a forged answer which instructs to look for the printer on a different IP address. Therefore, successfully hijacking/poisoning the local name for a duration of time. On WiFi networks this type of attack might not be as useful as just picking up the DNS packets from the air and injecting forged DNS responses, but there are many cases where it does prove to be very, very useful. One such case is enumeration. Due to the fact that most devices support mDNS to one degree or another, with a single multicast packet, attackers can learn plethora of useful things such as the available devicesâ€™ versions and types, administrative URLs, email addresses of the owners, support information, etc, etc, etc. In a situation where the attack is taken over a network where DNS requests cannot be sniffed and subsequently forged by the attackers, a mDNS spoofing attack is most likely to occur due to the fact that it works no matter the type of the transport medium. Many products are affected by mDNS spoofing attacks, including but not only iTunes, Safari, XBox 360, various Routers, most available Printers, etc. I found out that not that many people know about mDNS or even if they have heard of it they have never played with it to realize how insecure it really is. Therefore, Iâ€™ve developed a simple mDNS testing tool written in Python. In order to run the tool, you need to install pyBonjour and Bonjour. The tool has a discovery mode which can locate devices in a matter of seconds and also very good spoofing capabilities which can be used for testing how mDNS spoofing attacks work. This tool can also be used for debugging and administrating mDNS. Enjoy! http://www.gnucitizen.org/blog.....pydownload: mDNS.py Â [...]