Script broadcast-listener

Script types: prerule
Categories: broadcast, safe
Download: https://svn.nmap.org/nmap/scripts/broadcast-listener.nse

Script Summary

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

The script attempts to sniff all Ethernet-based interfaces with an IPv4 address unless a specific interface is given using the -e argument to Nmap.

Script Arguments

broadcast-listener.timeout

Specifies the number of seconds to sniff the network interface (default 30s).

The script attempts to discover all available IPv4 network interfaces, unless the Nmap -e argument has been supplied, and then starts sniffing packets on all of the discovered interfaces. To capture broadcast traffic, it sets a BPF filter that excludes all packets that have the interface address as source or destination.

Incoming packets can be either layer 3 (usually UDP) or layer 2. Depending on the layer, the packet is matched against a packet decoder loaded from the external nselib/data/packetdecoders.lua file. A more detailed description of how the decoders work can be found in that file. In short, there are two different types of decoders: udp and ether. The udp decoders are triggered by the destination port number, while the ether decoders are triggered by a pattern match. The port or pattern is used as an index into a table containing functions to process packets and fetch the decoded results.
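The dispatch described above, modelled as an added Python example; it is not the script's Lua code or the contents of packetdecoders.lua. All function and table names are hypothetical, the HSRP layout follows RFC 2281 (UDP port 1985), and the sample packets are constructed from the values shown under Script Output, with the HSRP hello and hold times chosen arbitrarily.

```python
import re
import socket
import struct

HSRP_OPS = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def decode_hsrp(src_ip, payload):
    # HSRP version 0 (RFC 2281): eight 1-byte fields, 8-byte auth data, virtual IP
    if len(payload) < 20:
        return None  # truncated datagram: ignore rather than raise
    ver, op, state, _hello, _hold, prio, group, _rsv = struct.unpack("8B", payload[:8])
    secret = payload[8:16].rstrip(b"\x00").decode("ascii", "replace")
    return {"ip": src_ip, "version": ver, "op": HSRP_OPS.get(op, op),
            "state": HSRP_STATES.get(state, state), "prio": prio, "group": group,
            "secret": secret, "virtual ip": socket.inet_ntoa(payload[16:20])}

def decode_arp_request(frame):
    if len(frame) < 42:
        return None  # shorter than Ethernet header plus IPv4 ARP body
    mac = ":".join("%02X" % b for b in frame[22:28])
    return {"sender ip": socket.inet_ntoa(frame[28:32]), "sender mac": mac,
            "target ip": socket.inet_ntoa(frame[38:42])}

# udp decoders are indexed by destination port, ether decoders by a pattern
UDP_DECODERS = {1985: ("HSRP", decode_hsrp)}
ETHER_DECODERS = {
    # EtherType 0x0806 at offset 12, ARP opcode 1 (request) at offset 20
    re.compile(rb"^.{12}\x08\x06.{6}\x00\x01", re.DOTALL): ("ARP Request", decode_arp_request),
}

def dispatch_udp(src_ip, dst_port, payload):
    entry = UDP_DECODERS.get(dst_port)
    if entry is None:
        return None  # no decoder registered for this port
    name, fn = entry
    return name, fn(src_ip, payload)

def dispatch_ether(frame):
    for pattern, (name, fn) in ETHER_DECODERS.items():
        if pattern.match(frame):
            return name, fn(frame)
    return None  # no pattern matched this frame

# Constructed sample input rebuilt from the values in the Script Output section
HSRP_HELLO = bytes([0, 0, 16, 3, 10, 110, 1, 0]) + b"cisco\x00\x00\x00" + socket.inet_aton("192.168.0.253")
ARP_FRAME = (b"\xff" * 6 + bytes.fromhex("00043026DAC8") + b"\x08\x06"
             + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes.fromhex("00043026DAC8")
             + socket.inet_aton("192.168.0.101") + b"\x00" * 6 + socket.inet_aton("192.168.0.60"))
```

The secret column is populated because HSRP version 0 carries its authentication data as clear text in every hello, so any host on the segment that listens passively can read it.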

Example Usage

nmap --script broadcast-listener
nmap --script broadcast-listener -e eth0

Script Output

| broadcast-listener:
|   udp
|       Netbios
|         ip           query
|         192.168.0.60 \x01\x02__MSBROWSE__\x02\x01
|       DHCP
|         srv ip       cli ip       mask             gw           dns
|         192.168.0.1  192.168.0.5  255.255.255.0    192.168.0.1  192.168.0.18, 192.168.0.19
|       DropBox
|         displayname  ip            port   version  host_int  namespaces
|         39000860     192.168.0.107 17500  1.8      39000860  28814673, 29981099
|       HSRP
|         ip             version  op     state   prio  group  secret  virtual ip
|         192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
|   ether
|       CDP
|         ip  id      platform       version
|         ?   Router  cisco 7206VXR  12.3(23)
|       ARP Request
|         sender ip     sender mac         target ip
|         192.168.0.101 00:04:30:26:DA:C8  192.168.0.60
|_        192.168.0.1   90:24:1D:C8:B9:AE  192.168.0.60

Requires


Author:

  • Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html