Notes
| Port |
|---|
| 5353/UDP |
Service Description
mDNS (Multicast DNS) is a zero-configuration networking protocol that allows devices on a local network to discover each other and resolve hostnames without a central DNS server. It operates on the .local top-level domain. It is part of the Bonjour (Apple) and Avahi (Linux) service discovery suites.
Warning
mDNS is unauthenticated and operates on a “trust on first answer” basis. Any device on the local network segment can respond to queries, making it highly susceptible to spoofing and Man-in-the-Middle (MitM) attacks. It should not be allowed on enterprise networks.
Attacks
Hostname/Service Spoofing
An attacker can listen for mDNS queries (e.g., for a file share or web server) and send a malicious response that points the victim to an attacker-controlled machine. This is the primary attack vector.
Information Disclosure
By passively listening to mDNS traffic, an attacker can map out devices, services, and hostnames on the network without sending a single packet. Queries often reveal what services users are trying to access (e.g., _smb._tcp.local, _http._tcp.local).
Denial of Service (Name Collision Attack)
An attacker can listen for mDNS “probe” messages, where a new device checks if a name is available. By immediately sending a spoofed response claiming the name is already in use, the attacker can force the legitimate device into a loop of trying to register new names (e.g., host-2.local, host-3.local), effectively preventing it from joining the network.
LLMNR/NBT-NS Poisoning (Related Attack)
mDNS poisoning is almost always performed in conjunction with LLMNR and NBT-NS poisoning. When a standard DNS lookup fails, Windows clients fall back to LLMNR and then NBT-NS. Tools like Responder target all three protocols simultaneously to maximize the chances of capturing credentials.
Credential Grabbing
By spoofing a service like an SMB share (_smb._tcp.local), an attacker can prompt the victim client to automatically attempt authentication. This allows the attacker to capture the victim’s NTLMv1/v2 hash for offline cracking.
Tools & Exploits
Enumeration
nmap
Use the mdns-discover script to find services advertised via mDNS.
```
nmap -p 5353 --script mdns-discover <target>
# Note: mDNS is multicast, so you can often discover hosts without a direct target.
```
Avahi / dns-sd (Legitimate Clients)
Use system tools to browse for mDNS services on the network.
```
# On Linux with avahi-utils installed:
avahi-browse -a -t -r
# On macOS or systems with Bonjour's dns-sd:
dns-sd -B _services._dns-sd._udp
```
Responder (Passive Discovery)
Simply running Responder in analyze mode will show mDNS queries on the network.
```
responder -I <interface> -A
```
Exploitation or Post-Enum
Responder (Active Poisoning)
This is the primary tool for mDNS exploitation. It listens for mDNS, LLMNR, and NBT-NS queries and sends spoofed responses to capture credentials or perform other MitM attacks.
```
# Start listening servers (SMB, HTTP, etc.) & poison responses
responder -I <interface> -v
# See traffic without poisoning:
responder -I <interface> -A -v
```
**Spoofing Specific Services**
Responder's configuration file (`Responder.conf`) can be edited to control which services are spoofed and how challenges are handled.
Wireshark Analysis Tips
Filters
```
# General mDNS traffic
mdns
# Filter for queries specifically
mdns.flags.response == 0
# Filter for responses specifically
mdns.flags.response == 1
```
What to look for:
- Queries for `.local` hostnames.
- High-value service queries like `_smb._tcp.local`, `_ftp._tcp.local`, `_http._tcp.local`.
- Multiple different responses to the same query (indicates potential spoofing).
- The contents of `TXT` records in responses, which can sometimes contain version numbers or other metadata.
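The third check above, conflicting answers for one name, as an added example that is not part of these notes: a minimal parser for the mDNS wire format (DNS header, questions, A records, including compression pointers) and a function that flags any `.local` name answered with more than one IP across a capture. The sample packets, host names and addresses are constructed here; a real capture would supply (source IP, UDP payload) pairs from port 5353.

```python
import struct
from collections import defaultdict

def read_name(pkt, off):
    """Decode a DNS name at pkt[off:], following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def parse_mdns(pkt):
    """Return (is_response, [(owner name, IPv4)]) for the A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", pkt, 0)
    off, answers = 12, []
    for _ in range(qd):                            # skip questions: name + QTYPE + QCLASS
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((name, ".".join(map(str, rdata))))
    return bool(flags & 0x8000), answers

def find_conflicts(capture):
    """capture: [(src_ip, udp_payload)]. Return {name: [(src_ip, answer_ip), ...]} where answers disagree."""
    seen = defaultdict(set)
    for src, pkt in capture:
        for name, ip in parse_mdns(pkt)[1]:
            seen[name].add((src, ip))
    return {n: sorted(v) for n, v in seen.items() if len({ip for _, ip in v}) > 1}

def wire_name(name):  # uncompressed wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_query(name):  # constructed PTR query: flags 0, one question
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + wire_name(name) + struct.pack("!HH", 12, 1)
def build_a_response(name, ip):  # constructed authoritative response: one A record, cache-flush class, TTL 120
    return (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + wire_name(name)
            + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes(int(o) for o in ip.split(".")))

# Constructed sample capture (source IP, UDP payload): two different hosts answer for fileserver.local.
SAMPLE_CAPTURE = [("192.168.1.20", build_query("fileserver.local")),
                  ("192.168.1.10", build_a_response("fileserver.local", "192.168.1.10")),
                  ("192.168.1.66", build_a_response("fileserver.local", "192.168.1.66"))]
```

`find_conflicts(SAMPLE_CAPTURE)` reports `fileserver.local` with both answering hosts; a legitimate network normally shows one responder per name, so each reported name is a candidate for the spoofing described above.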