Nmap Development mailing list archives

Re: How do I chase down who is doing a multicast?


From: Yuri Slobodyanyuk <yuri () yurisk info>
Date: Thu, 19 Apr 2018 08:58:31 +0300

Thanks for sharing, funny how MS decided to implement this in their own way
- in multicast as a protocol no packets are supposed to be sent with the
source IP set to the multicast one. Even in this ( LLMNR ) case the Name
resolution response is sent back as unicast to the querying host by a very
specific host, why set src IP to the destination IP of the original query?
Go figure.
As to the scan I guess it depends on whether both sender and responder are
enabled on a host or just sender. In the first case you may try this NSE
script to solicit answers:
https://nmap.org/nsedoc/scripts/llmnr-resolve.html
https://tools.ietf.org/html/rfc4795

On Sat, Apr 7, 2018 at 4:00 AM, ToddAndMargo <ToddAndMargo () zoho com> wrote:

On 04/06/2018 04:25 PM, ToddAndMargo wrote:

On 04/06/2018 04:23 PM, ToddAndMargo wrote:

Hi All,

How do I use nmap to chase down who is doing a multicast
(224.0.0.252) on my local network.

My Windows Security log is gobsmacked with the following:

Network Information:
     Direction:        Inbound
     Source Address:        224.0.0.252
     Source Port:        5355
     Destination Address:    192.168.202.215
     Destination Port:        52860
     Protocol:        17

This gets me nowhere:

# nmap -A -T4 -Pn 224.0.0.252

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds


Many thanks,
-T


My firewall shows no traffic outbound to 224.0.0.252


Follow up:

It transpires that this was being caused by Windows
clients running the default Link-Local Multicast Name
Resolution (LLMNR).  The clue was port 5355.

So basically, EVERYONE was running it.  Fortunately,
LLMNR is not routable.

I turned LLMNR off on all the clients.  Let me know if
you want my notes on how to do this.

I would still love to know if there is a way to trace
back a particular offender.

-T


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




-- 
Taking challenges one by one.
http://yurisk.info
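The question left open in the thread is how to trace a particular LLMNR sender. Since LLMNR (RFC 4795) queries are multicast to 224.0.0.252 on UDP 5355 from the querying host's own unicast address, a machine that joins that group and records the source address of each query it receives can attribute the traffic without any scanning. The following Python script is an added example, not code from the thread or from Nmap: it decodes the DNS-style LLMNR header and question section, tallies queries per source host, and includes an optional `listen()` helper that joins the multicast group on a live interface. The hostnames, IP addresses and packets in `SAMPLE_PACKETS` are constructed for illustration.

```python
"""Attribute LLMNR queries on the local link to the hosts sending them.

Added example, not part of the mailing-list thread.  LLMNR clients
multicast queries to 224.0.0.252 UDP/5355 from their own unicast
address, so recording the source of each received query identifies the
querying host.  Parsing follows the RFC 4795 header/question layout.
"""
import socket
import struct
from collections import Counter

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_NAMES = {1: "A", 28: "AAAA", 12: "PTR", 255: "ANY"}


def _read_name(data, offset):
    """Decode a label sequence at offset; returns (name, offset after it).
    Compression pointers (0xC0xx) are followed but do not advance 'end'."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(data):
    """Parse the LLMNR header and first question (RFC 4795 section 2.1)."""
    if len(data) < 12:
        raise ValueError("too short for an LLMNR header")
    msg_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount < 1:
        raise ValueError("LLMNR message carries no question")
    name, offset = _read_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),  # QR bit
        "conflict": bool(flags & 0x0400),     # C bit
        "tentative": bool(flags & 0x0100),    # T bit
        "name": name,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "answers": ancount,
    }


def build_query(name, qtype=1, msg_id=0x1234):
    """Build a plain LLMNR query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def attribute_queries(packets):
    """Given (source_ip, payload) pairs, count queries per querying host and
    record the names each host asked for.  Responses and junk are skipped."""
    per_host = Counter()
    names = {}
    for src, payload in packets:
        try:
            msg = parse_llmnr(payload)
        except (ValueError, IndexError, struct.error):
            continue  # malformed datagram; not an LLMNR query
        if msg["is_response"]:
            continue
        per_host[src] += 1
        names.setdefault(src, set()).add(msg["name"])
    return per_host, names


def listen(iface_ip="0.0.0.0", count=50):
    """Join the LLMNR group on a real interface, collect 'count' datagrams
    and return the attribution tables.  Requires a live network (not run
    in the offline demonstration below)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    captured = []
    while len(captured) < count:
        payload, (src, _port) = sock.recvfrom(4096)
        captured.append((src, payload))
    sock.close()
    return attribute_queries(captured)


# Constructed sample traffic: two querying workstations plus one response
# (hostnames and addresses are made up for this example).
SAMPLE_PACKETS = [
    ("192.168.202.20", build_query("fileserver")),
    ("192.168.202.20", build_query("printer01", qtype=28)),
    ("192.168.202.31", build_query("fileserver")),
    ("192.168.202.215", struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
     + b"\x0afileserver\x00" + struct.pack("!HH", 1, 1)),
]

if __name__ == "__main__":
    hosts, asked = attribute_queries(SAMPLE_PACKETS)
    for host, n in hosts.most_common():
        print(f"{host}: {n} LLMNR queries for {sorted(asked[host])}")
```

Run as-is it reports the constructed sample; replace `SAMPLE_PACKETS` with the result of `listen("<your interface IP>")` to tally real senders on the link, where the querying host's unicast address is exactly what the Windows log in the thread does not show.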
