local ipOps = require "ipOps"
local coroutine = require "coroutine"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local multicast = require "multicast"
local math = require "math"
description = [[
Uses Multicast Listener Discovery to list the multicast addresses subscribed to
by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6
Multicast Address Space Registry have their descriptions listed.
]]
---
-- @usage
-- nmap --script=ipv6-multicast-mld-list
--
-- @output
-- Pre-scan script results:
-- | ipv6-multicast-mld-list:
-- | fe80::9fb:25b7:1b7c:e53:
-- | device: wlan0
-- | mac: 38:60:77:3d:b1:ec
-- | multicast_ips:
-- | ff02::1:ff7c:e53 (NDP Solicited-node)
-- | ff02::fb (mDNSv6)
-- | ff02::c (SSDP)
-- |_ ff02::1:3 (Link-local Multicast Name Resolution)
--
-- @args ipv6-multicast-mld-list.timeout timeout to wait for
-- responses (default: 10s)
-- @args ipv6-multicast-mld-list.interface Interface to send on (default:
-- the interface specified with -e or every available Ethernet interface
-- with an IPv6 address.)
--
-- @xmloutput
--
-- wlan0
-- 38:60:77:3d:b1:ec
--
--
-- NDP Solicited-node
-- ff02::1:ff7c:e53
--
--
--
--
-- Link-local Multicast Name Resolution
-- ff02::1:3
--
--
--
author = {"alegen", "Daniel Miller"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Technically multicast, not broadcast
categories = {"broadcast", "discovery"}
-- https://www.iana.org/assignments/ipv6-multicast-addresses/link-local.csv
-- Removed "variable scope" and "Unassigned"
-- Address(s),Description,Reference,Date Registered,Last Reviewed
local link_scope = [==[
FF02:0:0:0:0:0:0:1,All Nodes Address,[RFC4291],,
FF02:0:0:0:0:0:0:2,All Routers Address,[RFC4291],,
FF02:0:0:0:0:0:0:4,DVMRP Routers,[RFC1075][Jon_Postel],,
FF02:0:0:0:0:0:0:5,OSPFIGP,[RFC2328][John_Moy],,
FF02:0:0:0:0:0:0:6,OSPFIGP Designated Routers,[RFC2328][John_Moy],,
FF02:0:0:0:0:0:0:7,ST Routers,[RFC1190][],,
FF02:0:0:0:0:0:0:8,ST Hosts,[RFC1190][],,
FF02:0:0:0:0:0:0:9,RIP Routers,[RFC2080],,
FF02:0:0:0:0:0:0:A,EIGRP Routers,[draft-savage-eigrp],,
FF02:0:0:0:0:0:0:B,Mobile-Agents,[Bill_Simpson],1994-11-01,
FF02:0:0:0:0:0:0:C,SSDP,[UPnP_Forum],2006-09-21,
FF02:0:0:0:0:0:0:D,All PIM Routers,[Dino_Farinacci],,
FF02:0:0:0:0:0:0:E,RSVP-ENCAPSULATION,[Bob_Braden],1996-04-01,
FF02:0:0:0:0:0:0:F,UPnP,[UPnP_Forum],2006-09-21,
FF02:0:0:0:0:0:0:10,All-BBF-Access-Nodes,[RFC6788],,
FF02:0:0:0:0:0:0:12,VRRP,[RFC5798],,
FF02:0:0:0:0:0:0:16,All MLDv2-capable routers,[RFC3810],,
FF02:0:0:0:0:0:0:1A,all-RPL-nodes,[RFC6550],,
FF02:0:0:0:0:0:0:6A,All-Snoopers,[RFC4286],,
FF02:0:0:0:0:0:0:6B,PTP-pdelay,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,
FF02:0:0:0:0:0:0:6C,Saratoga,[Lloyd_Wood],2007-08-30,
FF02:0:0:0:0:0:0:6D,LL-MANET-Routers,[RFC5498],,
FF02:0:0:0:0:0:0:6E,IGRS,[Xiaoyu_Zhou],2009-01-20,
FF02:0:0:0:0:0:0:6F,iADT Discovery,[Paul_Suhler],2009-05-12,
FF02:0:0:0:0:0:0:FB,mDNSv6,[RFC6762],2005-10-05,
FF02:0:0:0:0:0:1:1,Link Name,[Dan_Harrington],1996-07-01,
FF02:0:0:0:0:0:1:2,All-dhcp-agents,[RFC3315],,
FF02:0:0:0:0:0:1:3,Link-local Multicast Name Resolution,[RFC4795],,
FF02:0:0:0:0:0:1:4,DTCP Announcement,[Moritz_Vieth][Hanno_Tersteegen],2004-05-01,
FF02:0:0:0:0:0:1:5,afore_vdp,[Michael_Richardson],2010-11-30,
FF02:0:0:0:0:0:1:6,Babel,[RFC6126],,
FF02::1:FF00:0000/104,Solicited-Node Address,[RFC4291],,
FF02:0:0:0:0:2:FF00::/104,Node Information Queries,[RFC4620],,
]==]
-- https://www.iana.org/assignments/ipv6-multicast-addresses/variable.csv
-- Removed "Unassigned"
local var_scope = [==[
FF0X:0:0:0:0:0:0:0,Reserved Multicast Address,[RFC4291],,
FF0X:0:0:0:0:0:0:C,SSDP,[UPnP_Forum],2006-09-21,
FF0X:0:0:0:0:0:0:FB,mDNSv6,[RFC6762],2005-10-05,
FF0X:0:0:0:0:0:0:FC,ALL_MPL_FORWARDERS,[RFC-ietf-roll-trickle-mcast-12],2013-04-10,
FF0X:0:0:0:0:0:0:FD,All CoAP Nodes,[RFC7252],2013-07-25,
FF0X:0:0:0:0:0:0:100,VMTP Managers Group,[RFC1045][Dave_Cheriton],,
FF0X:0:0:0:0:0:0:101,Network Time Protocol (NTP),[RFC1119][RFC5905][David_Mills],,
FF0X:0:0:0:0:0:0:102,SGI-Dogfight,[Andrew_Cherenson],,
FF0X:0:0:0:0:0:0:103,Rwhod,[Steve_Deering],,
FF0X:0:0:0:0:0:0:104,VNP,[Dave_Cheriton],,
FF0X:0:0:0:0:0:0:105,Artificial Horizons - Aviator,[Bruce_Factor],,
FF0X:0:0:0:0:0:0:106,NSS - Name Service Server,[Bill_Schilit],,
FF0X:0:0:0:0:0:0:107,AUDIONEWS - Audio News Multicast,[Martin_Forssen],,
FF0X:0:0:0:0:0:0:108,SUN NIS+ Information Service,[Chuck_McManis],,
FF0X:0:0:0:0:0:0:109,MTP Multicast Transport Protocol,[Susie_Armstrong],,
FF0X:0:0:0:0:0:0:10A,IETF-1-LOW-AUDIO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:10B,IETF-1-AUDIO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:10C,IETF-1-VIDEO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:10D,IETF-2-LOW-AUDIO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:10E,IETF-2-AUDIO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:10F,IETF-2-VIDEO,[Steve_Casner],,
FF0X:0:0:0:0:0:0:110,MUSIC-SERVICE,[[Guido van Rossum]],,
FF0X:0:0:0:0:0:0:111,SEANET-TELEMETRY,[[Andrew Maffei]],,
FF0X:0:0:0:0:0:0:112,SEANET-IMAGE,[[Andrew Maffei]],,
FF0X:0:0:0:0:0:0:113,MLOADD,[Bob_Braden],1996-04-01,
FF0X:0:0:0:0:0:0:114,any private experiment,[Jon_Postel],,
FF0X:0:0:0:0:0:0:115,DVMRP on MOSPF,[John_Moy],,
FF0X:0:0:0:0:0:0:116,SVRLOC,[Erik_Guttman],2001-05-01,
FF0X:0:0:0:0:0:0:117,XINGTV,[],,
FF0X:0:0:0:0:0:0:118,microsoft-ds,[Arnold_M],,
FF0X:0:0:0:0:0:0:119,nbc-pro,[Bloomer],,
FF0X:0:0:0:0:0:0:11A,nbc-pfn,[Bloomer],,
FF0X:0:0:0:0:0:0:11B,lmsc-calren-1,[Yea_Uang],1994-11-01,
FF0X:0:0:0:0:0:0:11C,lmsc-calren-2,[Yea_Uang],1994-11-01,
FF0X:0:0:0:0:0:0:11D,lmsc-calren-3,[Yea_Uang],1994-11-01,
FF0X:0:0:0:0:0:0:11E,lmsc-calren-4,[Yea_Uang],1994-11-01,
FF0X:0:0:0:0:0:0:11F,ampr-info,[Rob_Janssen],1995-01-01,
FF0X:0:0:0:0:0:0:120,mtrace,[Steve_Casner],1995-01-01,
FF0X:0:0:0:0:0:0:121,RSVP-encap-1,[Bob_Braden],1996-04-01,
FF0X:0:0:0:0:0:0:122,RSVP-encap-2,[Bob_Braden],1996-04-01,
FF0X:0:0:0:0:0:0:123,SVRLOC-DA,[Erik_Guttman],2001-05-01,
FF0X:0:0:0:0:0:0:124,rln-server,[Brian_Kean],1995-08-01,
FF0X:0:0:0:0:0:0:125,proshare-mc,[Mark_Lewis],1995-10-01,
FF0X:0:0:0:0:0:0:126,dantz,[Dotty_Yackle],1996-02-01,
FF0X:0:0:0:0:0:0:127,cisco-rp-announce,[Dino_Farinacci],,
FF0X:0:0:0:0:0:0:128,cisco-rp-discovery,[Dino_Farinacci],,
FF0X:0:0:0:0:0:0:129,gatekeeper,[Jim_Toga],1996-05-01,
FF0X:0:0:0:0:0:0:12A,iberiagames,[Jose_Luis_Marocho],1996-07-01,
FF0X:0:0:0:0:0:0:12B,X Display,[John_McKernan],2003-05-01,
FF0X:0:0:0:0:0:0:12C,dof-multicast,[Bryant_Eastham],2005-04-01,2015-04-23
FF0X:0:0:0:0:0:0:12D,DvbServDisc,[Bert_van_Willigen],2005-09-16,
FF0X:0:0:0:0:0:0:12E,Ricoh-device-ctrl,[Kohki_Ohhira],2006-06-20,
FF0X:0:0:0:0:0:0:12F,Ricoh-device-ctrl,[Kohki_Ohhira],2006-06-20,
FF0X:0:0:0:0:0:0:130,UPnP,[UPnP_Forum],2006-09-21,
FF0X:0:0:0:0:0:0:131,Systech Mcast,[Dan_Jakubiec],2006-09-21,
FF0X:0:0:0:0:0:0:132,omasg,[Mark_Lipford],2006-09-21,
FF0X:0:0:0:0:0:0:133,ASAP,[RFC5352],,
FF0X:0:0:0:0:0:0:134,unserding,[Sebastian_Freundt],2009-11-30,
FF0X:0:0:0:0:0:0:135,PHILIPS-HEALTH,[Anthony_Kandaya],2010-02-26,
FF0X:0:0:0:0:0:0:136,PHILIPS-HEALTH,[Anthony_Kandaya],2010-02-26,
FF0X:0:0:0:0:0:0:137,Niagara,[Owen_Michael_James],2010-09-13,
FF0X:0:0:0:0:0:0:138,LXI-EVENT,[Tom_Fay],2011-01-31,
FF0X:0:0:0:0:0:0:139,LANCOM Discover,[Martin_Krebs],2011-05-09,
FF0X:0:0:0:0:0:0:13A,AllJoyn,[Craig_Dowell],2011-11-18,
FF0X:0:0:0:0:0:0:13B,GNUnet,[Christian_Grothoff],2011-11-22,
FF0X:0:0:0:0:0:0:13C,fos4Xdevices,[Rolf_Wojtech],2011-12-07,
FF0X:0:0:0:0:0:0:13D,USNAMES-NET-MC,[Christopher_Mettin],2013-01-24,
FF0X:0:0:0:0:0:0:13E,hp-msm-discover,[John_Flick],2013-02-28,
FF0X:0:0:0:0:0:0:13F,"SANYO DENKI CO., LTD.",[Yuuki_Hara],2014-03-20,
FF0X:0:0:0:0:0:0:140-FF0X:0:0:0:0:0:0:14F,EPSON-disc-set,[Seiko_Epson_Corp],2010-02-26,
FF0X:0:0:0:0:0:0:150,an-adj-disc,[Toerless_Eckert],2014-06-04,
FF0X:0:0:0:0:0:0:151,Canon-Device-control,[Hiroshi_Okubo],2014-08-01,
FF0X:0:0:0:0:0:0:152,TinyMessage,[Josip_Medved],2014-12-09,
FF0X:0:0:0:0:0:0:153,ZigBee NAN DS,[Yusuke_Doi],2015-08-21,
FF0X:0:0:0:0:0:0:154,ZigBee NAN DI,[Yusuke_Doi],2015-08-21,
FF0X:0:0:0:0:0:0:155,jini-announcement,[Jini Discovery and Join Specification][Peter_Grahame_Firmstone],2015-08-27,
FF0X:0:0:0:0:0:0:156,jini-request,[Jini Discovery and Join Specification][Peter_Grahame_Firmstone],2015-08-27,
FF0X:0:0:0:0:0:0:157,hbmdevices,[Stephan_Gatzka],2015-10-26,
FF0X:0:0:0:0:0:0:160-FF0X:0:0:0:0:0:0:16F,NMEA OneNet,[Steve_Spitzer],2015-06-29,
FF0X:0:0:0:0:0:0:175,all SIP servers,[Rick_van_Rein],2015-07-21,
FF0X:0:0:0:0:0:0:181,PTP-primary,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,
FF0X:0:0:0:0:0:0:182,PTP-alternate1,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,
FF0X:0:0:0:0:0:0:183,PTP-alternate2,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,
FF0X:0:0:0:0:0:0:184,PTP-alternate3,[http://ieee1588.nist.gov/][Kang_Lee],2007-02-02,
FF0X:0:0:0:0:0:0:18C,All ACs multicast address,[RFC5415],,
FF0X:0:0:0:0:0:0:201,"""rwho"" Group (BSD) (unofficial)",[Jon_Postel],,
FF0X:0:0:0:0:0:0:202,SUN RPC PMAPPROC_CALLIT,[Brendan_Eic],,
FF0X:0:0:0:0:0:0:204,All C1222 Nodes,[RFC6142],2009-08-28,
FF0X:0:0:0:0:0:0:205,Hexabus,[Mathias_Dalheimer],2013-08-09,
FF0X:0:0:0:0:0:0:206,multicast chat,[Patrik_Lahti],2013-08-13,
FF0X:0:0:0:0:0:0:2C0-FF0X:0:0:0:0:0:0:2FF,Garmin Marine,[Nathan_Karstens],2015-02-19,
FF0X:0:0:0:0:0:0:300,Mbus/Ipv6,[RFC3259],,
FF0X:0:0:0:0:0:0:3486,IFSF Heartbeat,[John_Carrier],2015-06-15,
FF0X:0:0:0:0:0:0:BAC0,BACnet,[Coleman_Brumley],2010-11-22,
FF0X::1:1000/118,"Service Location, Version 2",[RFC3111],,
FF0X:0:0:0:0:0:2:0000-FF0X:0:0:0:0:0:2:7FFD,Multimedia Conference Calls,[Steve_Casner],,
FF0X:0:0:0:0:0:2:7FFE,SAPv1 Announcements,[Steve_Casner],,
FF0X:0:0:0:0:0:2:7FFF,SAPv0 Announcements (deprecated),[Steve_Casner],,
FF0X:0:0:0:0:0:2:8000-FF0X:0:0:0:0:0:2:FFFF,SAP Dynamic Assignments,[Steve_Casner],,
FF0X::DB8:0:0/96,Documentation Addresses,[RFC6676],,
]==]
local function sort_ip_ascending(a, b)
return ipOps.compare_ip(a[0], "lt", b[0])
end
local multicast_addresses = {}
local multicast_ranges = {}
do
local starts, ends, addr, name = string.find(link_scope, "^([^,]+),([^,]+),.-\n")
while starts do
if string.match(addr, "[/-]") then
local low, high, err = ipOps.get_ips_from_range(addr)
if not low then
stdnse.debug1("Error parsing IP range %s: %s", addr, err)
else
table.insert(multicast_ranges, {low, high, name})
end
else
multicast_addresses[string.lower(ipOps.expand_ip(addr))] = name
end
starts, ends, addr, name = string.find(link_scope, "^([^,]+),([^,]+),.-\n", ends + 1)
end
starts, ends, addr, name = string.find(var_scope, "^([^,]+),([^,]+),.-\n")
while starts do
addr = string.gsub(addr, "FF0X", "FF02")
if string.match(addr, "[/-]") then
local low, high, err = ipOps.get_ips_from_range(addr)
if not low then
stdnse.debug1("Error parsing IP range %s: %s", addr, err)
else
table.insert(multicast_ranges, {low, high, name})
end
else
multicast_addresses[string.lower(ipOps.expand_ip(addr))] = name
end
starts, ends, addr, name = string.find(link_scope, "^([^,]+),([^,]+),.-\n", ends + 1)
end
table.sort(multicast_ranges, sort_ip_ascending)
end
local function get_interfaces()
local if_list = nmap.list_interfaces()
local if_ret = {}
local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") or nmap.get_interface()
for _, if_nfo in pairs(if_list) do
if (arg_interface == nil or if_nfo.device == arg_interface) -- check for correct interface
and ipOps.ip_in_range(if_nfo.address, "fe80::/10") -- link local address
and if_nfo.link == "ethernet" then -- not the loopback interface
table.insert(if_ret, if_nfo)
end
end
return if_ret
end
local function single_interface_broadcast(if_nfo, results)
stdnse.debug2("Starting " .. SCRIPT_NAME .. " on " .. if_nfo.device)
local condvar = nmap.condvar(results)
local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. '.timeout')) or 10
local reports = multicast.mld_query(if_nfo, timeout)
for addr, info in pairs(multicast.mld_report_addresses(reports)) do
if results[addr] then
stdnse.debug1("Duplicate address found: %s, interface %s", addr, info.device)
end
results[addr] = info
end
condvar("signal")
end
---
-- Calculates the solicited-node multicast address used by NDP from a unicast
-- link-local IPv6 address.
--
-- @param ll_ip String representation of a link-local IPv6 unicast address
-- @usage
-- mcast_ip = get_sol_mcast(ll_ip)
-- @return The calculated solicited-node multicast address or nil
-- if the given parameter is not a valid link-local address.
--
local function get_sol_mcast (ll_ip)
-- check if address is link-local
local is_ll, err = ipOps.ip_in_range(ll_ip, "FE80::/10")
if not(is_ll) then
return nil
end
-- calculate multicast address
local three_bytes = string.sub(ipOps.ip_to_str(ll_ip), 14, 16)
local thirteen_bytes = "\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\00\x01\xff"
return ipOps.str_to_ip(thirteen_bytes .. three_bytes)
end
local function sorted_keys(t)
local ret = {}
local k, v
-- deliberately avoiding pairs() because of __pairs metamethod in action
repeat
k, v = next(t, k)
ret[#ret+1] = k
until k == nil
table.sort(ret, sort_ip_ascending)
return ret
end
prerule = function()
if not(nmap.is_privileged()) then
stdnse.verbose1("not running for lack of privileges.")
return false
end
return true
end
action = function()
local results = {}
local threads = {}
local condvar = nmap.condvar(results)
for _, if_nfo in ipairs(get_interfaces()) do
-- create a thread for each interface
local co = stdnse.new_thread(single_interface_broadcast, if_nfo, results)
threads[co] = true
end
repeat
for thread in pairs(threads) do
if coroutine.status(thread) == "dead" then threads[thread] = nil end
end
if ( next(threads) ) then
condvar "wait"
end
until next(threads) == nil
local guesses = {}
local mip_metatable = {
__tostring = function(t)
return ("%-25s (%s)"):format(t.ip, t.description)
end
}
for target_ip, info in pairs(results) do
table.sort(info.multicast_ips, sort_ip_ascending)
for i=1, #info.multicast_ips do
local ip = info.multicast_ips[i]
local t = {ip=ip}
local tmp = string.lower(ipOps.expand_ip(ip))
local desc = multicast_addresses[tmp]
if not desc then
if ipOps.compare_ip(ip, "eq", get_sol_mcast(target_ip)) then
desc = "NDP Solicited-node"
else
stdnse.debug1("Addr: %s", ip)
for j=1, #multicast_ranges do
if ipOps.compare_ip(ip, "le", multicast_ranges[j][2]) then
stdnse.debug1("<= %s", multicast_ranges[j][2])
if ipOps.compare_ip(ip, "ge", multicast_ranges[j][1]) then
stdnse.debug1(">= %s", multicast_ranges[j][1])
desc = multicast_ranges[j][3]
else
stdnse.debug1("> %s", multicast_ranges[j][2])
end
stdnse.debug1("done %s", multicast_ranges[j][3])
break
end
stdnse.debug1("> %s", multicast_ranges[j][2])
end
end
end
t.description = desc or "unknown"
setmetatable(t, mip_metatable)
info.multicast_ips[i] = t
end
end
setmetatable(results, {
__pairs = function(t)
local order = sorted_keys(t)
return coroutine.wrap(function()
for i,k in ipairs(order) do
coroutine.yield(k, t[k])
end
end)
end
})
if next(results) then
return results
end
end