Luiz Eduardo (@effffn) and Rodrigo Montoro (@spookerlabs) have presented "Mobile Snitch - Devices telling the world about you" at conferences around the world. Today we share a bit about the mDNS protocol and how it impacts the security landscape.
From the talk abstract:
"In the past few years, we have not only seen a significant growth in use of mobile devices, but also it is not uncommon to see people using more than one mobile device at the same time. The combination of the nature of mobile WiFi device operations along with the lack of user awareness, could lead someone to know things about your life, where've you been, where you work, and even who you are."
One protocol heavily investigated during testing was Multicast DNS (mDNS). This protocol works by creating a device-unique identifier to register as a hostname via a multicast service on local networks. Although Apple is not the only vendor using mDNS, by default all Apple devices (iPad, iPod, iPhone, MacBook) have the protocol enabled for their applications.
A read through the IETF draft for mDNS reveals some protocol features that also act as attractive targets from a security perspective:
"The primary benefits of mDNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures."
mDNS makes network configuration easier for home and small business users. Access to devices is intuitive, their hostnames based on identifiable information such as the user's or computer's name, device type, or some combination. While this ease of use is a competitive advantage in the marketplace, the result is identifiable information being broadcast on any network to which an mDNS-enabled device attaches.
Ease of use is also popular in the corporate setting, as the rising interest in Bring Your Own Device (BYOD) policies demonstrates. It is also not uncommon to find consumer-grade devices in use in personal offices or branch locations, devices that may also be equipped with mDNS abilities. As users move from the internal corporate network into the wider wireless world, they continue to broadcast this identifiable information, at coffee shops, airports, malls, or any other place they jump on a hotspot.
The use of identifiable information is not a strict part of the mDNS protocol, but is the consequence of generating easy-to-use hostnames; remembering random names would be no better than IP addresses. As can be seen in a packet capture of mDNS traffic, Apple devices are particularly open in their default hostname choice of the user's first and last names.
Basic tshark (Wireshark text version) command line:
$ tshark -n -T fields -e dns.qry.name -r file.pcap udp.srcport == 5353
Alex Shuker’s MacBook._afpovertcp._tcp.local,Alex Shuker’s MacBook._smb._tcp.local,Alex Shuker’s MacBook._ssh._tcp.local,Alex Shuker’s MacBook._sftp-ssh._tcp.local,Bluetooth DUN @ Alex Shuker’s MacBook._ipp._tcp.local,Alex-Shukers-MacBook.local,Alex-Shukers-MacBook.local
Using users' first and last names as the hostnames simplifies discovery of more information on them through basic Internet searches. Plenty can be discovered from information posted at LinkedIn, Twitter, and Facebook. This cannot be overlooked as a valuable source of intelligence for penetration testers, especially for social engineering. Exposure is not limited to the corporate network, but extends to the coffee shop down the block, on to buses and trains, and into the users' homes.
Also notice, in the above packet capture, the inclusion of service and protocol information, sent in the clear. That's right; mDNS even provides passive port-scanning!
Perl script reading a pcap file:
Hostname: Rodrigo.Lab.local with Port Listening: 22
Hostname: Rodrigo.Lab.local with Port Listening: 5900
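The Perl script whose output appears above is not reproduced on the page. As an added example (not the authors' script), the Python below parses the wire format of an mDNS response directly, following RFC 6762/6763 (mDNS and DNS-SD) and the SRV record layout of RFC 2782, and reports the same two facts a defender cares about: which hostnames are advertising which listening ports (the "passive port-scan"), and which service-instance names embed a possessive such as "X’s MacBook" and therefore likely leak a person's name. The packet is constructed inline rather than read from a pcap; to run it against a capture, feed each UDP/5353 payload to `advertised_ports()`. All names in the sample are made up.

```python
"""Added example: parse an mDNS (UDP/5353) response and list the hostnames,
services and listening ports it advertises. Wire format per RFC 6762/6763,
SRV rdata per RFC 2782. The packet below is constructed, not captured."""
import struct

TYPE_PTR, TYPE_SRV = 12, 33


def encode_name(labels):
    """Encode a list of labels as uncompressed DNS wire format (UTF-8, as mDNS allows)."""
    out = b"".join(bytes([len(l.encode())]) + l.encode() for l in labels)
    return out + b"\x00"


def rr(labels, rtype, rdata, ttl=120):
    """One resource record: NAME, TYPE, CLASS IN | cache-flush bit (mDNS), TTL, RDLENGTH, RDATA."""
    return encode_name(labels) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


# Constructed sample: one laptop advertising SSH and VNC (_rfb) with a possessive
# instance name of the kind the tshark output above shows. Not a real device.
INSTANCE = "Sample User’s Laptop"
HOST = ["Sample-Users-Laptop", "local"]
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0)   # header: response + AA, 4 answers
    + rr(["_ssh", "_tcp", "local"], TYPE_PTR, encode_name([INSTANCE, "_ssh", "_tcp", "local"]))
    + rr([INSTANCE, "_ssh", "_tcp", "local"], TYPE_SRV,
         struct.pack("!HHH", 0, 0, 22) + encode_name(HOST))      # priority, weight, port
    + rr(["_rfb", "_tcp", "local"], TYPE_PTR, encode_name([INSTANCE, "_rfb", "_tcp", "local"]))
    + rr([INSTANCE, "_rfb", "_tcp", "local"], TYPE_SRV,
         struct.pack("!HHH", 0, 0, 5900) + encode_name(HOST))
)


def read_labels(pkt, off):
    """Decode a (possibly compressed) name; return (labels, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                        # name ends after the first pointer
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                            # defensive: refuse pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            return labels, end if jumped else off
        labels.append(pkt[off:off + ln].decode("utf-8", "replace"))
        off += ln


def records(pkt):
    """Yield (labels, rtype, rdata_offset, rdlength) for every RR; questions are skipped."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        _, off = read_labels(pkt, off)
        off += 4                                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        labels, off = read_labels(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield labels, rtype, off, rdlen
        off += rdlen


def advertised_ports(pkt):
    """[(target hostname, port, service)] from each SRV record: the passive 'port scan'."""
    out = []
    for labels, rtype, rdoff, _ in records(pkt):
        if rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack_from("!HHH", pkt, rdoff)
            target, _ = read_labels(pkt, rdoff + 6)
            # instance name is <Instance>._svc._proto.local; keep the _svc._proto part
            out.append((".".join(target), port, ".".join(labels[-3:-1])))
    return out


def personal_instance_names(pkt):
    """Service-instance labels containing a possessive ('X’s MacBook'), i.e. a likely person's name."""
    seen = []
    for labels, rtype, rdoff, _ in records(pkt):
        names = [labels]
        if rtype == TYPE_PTR:                        # PTR rdata is the instance name too
            names.append(read_labels(pkt, rdoff)[0])
        for n in names:
            if len(n) == 4 and ("’s " in n[0] or "'s " in n[0]) and n[0] not in seen:
                seen.append(n[0])
    return seen


if __name__ == "__main__":
    for host, port, svc in advertised_ports(SAMPLE_RESPONSE):
        print(f"Hostname: {host} with Port Listening: {port} ({svc})")
    print("Instance names that look personal:", personal_instance_names(SAMPLE_RESPONSE))
```

The parser walks the answer, authority and additional sections alike, because real mDNS responders commonly place the SRV and TXT records for a service in the additional section alongside the PTR answer. The possessive heuristic is deliberately narrow; a network baseline that alerts on any new instance label of that shape is a cheap way to spot BYOD devices that still advertise their owner's name.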
Care must always be taken to maintain security when using mobile devices in public spaces. The NSA Security Configurations Guide for OS X recommends disabling the mDNS protocol, and offers a command line method to do so. Apple offers an alternative method in their Knowledge Base. At a minimum, no matter the operating system, mDNS advertisement should be disabled.
Penetration testers may be interested in mDNS Tools, an open source set of tools for exploring Multicast DNS.
Research for Mobile Snitch continues, with a new focus on using mDNS to impersonate different types of information, services, and servers. Look forward to future updates, and provide your feedback on the security implications of mDNS.
Rodrigo "Sp0oKeR" Montoro & Luiz Eduardo