Wednesday, 18 May 2011

Nmap nse broadcast scanning in Backtrack 5

One of the more recent developments in nmap over the past couple of years is the addition of nmap nse scripts, which make nmap a much more flexible and expandable network-mapper and vulnerability-scanner (it seems like many more scripts are being contributed with every release).

There are now over 170 different scripts included by default in nmap. (I've been playing with nmap version 5.51, which comes with Backtrack 5)

Among the more interesting new types of nse scripts are the broadcast discovery scripts. To me, it looks like these new scanning techniques will become much more important in the future, as more IPv6 is deployed and used and IPv4 gradually wanes (though I do think some IPv4 could be around for another 15-20 years, these protocols will gradually decrease in importance).

IPv6-only networks mean a lot of changes in the way hosts can be discovered: scanning entire net-blocks will become much more difficult due to the vast size of the address-space, but broadcast scanning and passive sniffing can help identify IPv6 systems.

I've seen it reported that "nse broadcast-scans, are stealthy because they are passive". This is not true: they are still active scans. However, they are very low-traffic scans, which attempt to discover network services using inbuilt ease-of-use functionality in the target network. (This type of scanning is perhaps something that could be done early in reconnaissance or discovery as a first network scan.)

What are broadcast scans?

Compared with UDP or TCP port-scans, or network scans using ICMP or ARP, broadcast scans are a lot less intrusive. Think of broadcast scans as nmap saying:

"Hi there. I'm new on the network. Do any computers out there have any services I might want to use?"

Whilst this sounds a bit dumb from a security perspective, there are lots of computers and various protocols that could respond; even systems that have firewalls enabled with all ports blocked will respond in some cases.

From a network visibility perspective, we are also talking about only a very few packets per protocol, rather than the thousands required for a port-scan, and these "conversations" should be normal on the network, so this is much less likely to be detected by network security software.

I set up a couple of systems in my test network. Broadcast scans don't need an IP address range. They are simply run like this:

nmap -P0 --script=broadcast

..and here is one of my initial results

This shows Universal Plug and Play running on a couple of systems which lets us know of their existence. As you can see from a wireshark capture, this is not a passive scan, but is low bandwidth:

Here is another example with Web Services Dynamic Discovery responding (this is another Windows 7 system on my test network).

nmap -P0 --script=broadcast

Starting Nmap 5.51 ( ) at 2011-05-18 05:23 EDT
Pre-scan script results:
| broadcast-wsdd-discover:
|   Devices
|         Message id: c6cf6b9b-834d-4320-85e1-e1a65299ee2f
|         Address:
|_        Type: Device pub:Computer
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 40.08 seconds

The responses

So these responses from the target systems are basically telling us their IP address (in this case an IPv4 address), the fact that the system has an HTTP service, and a service it might be running. Basically, following the broadcast, these systems are contacting the attacker to tell him their addresses.

In both these cases Windows 7 has the firewall enabled (with default "secure" settings, so you be the judge of whether this is a good default behavior or not).
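Because the probes and the answers are ordinary UDP datagrams, they can be spotted from the defender's side. The following is an added example, not part of the original post: it flags a host that sends both SSDP (UPnP) and WS-Discovery multicast probes in quick succession and lists the systems that answered it. The function name, thresholds and sample datagrams are assumptions constructed for illustration.

```python
from collections import defaultdict

# Multicast endpoints and probe markers for the two protocols seen in the post.
PROBES = {
    ("239.255.255.250", 1900): ("ssdp", b"M-SEARCH * HTTP/1.1"),  # UPnP search
    ("239.255.255.250", 3702): ("wsdd", b"discovery/Probe<"),     # WS-Discovery Probe
}
REPLY_PORTS = {1900: "ssdp", 3702: "wsdd"}

def find_discovery_sweeps(datagrams, window=60.0, min_protocols=2):
    """datagrams: (ts, src, sport, dst, dport, payload) tuples sorted by ts.
    Returns {prober: {"protocols": set, "responders": set}} for each source that
    probed min_protocols or more discovery protocols within window seconds.
    Both thresholds are assumptions to tune per network."""
    probes = defaultdict(list)   # prober -> [(ts, protocol)]
    replies = defaultdict(set)   # prober -> {(responder, protocol)}
    for ts, src, sport, dst, dport, payload in datagrams:
        rule = PROBES.get((dst, dport))
        if rule and rule[1] in payload:
            probes[src].append((ts, rule[0]))
        elif REPLY_PORTS.get(sport) in {p for _, p in probes.get(dst, [])}:
            # Unicast answer from a discovery port to a host that probed it.
            replies[dst].add((src, REPLY_PORTS[sport]))
    sweeps = {}
    for prober, sent in probes.items():
        for start, _ in sent:
            protos = {p for ts, p in sent if start <= ts <= start + window}
            if len(protos) >= min_protocols:
                sweeps[prober] = {"protocols": protos,
                                  "responders": replies[prober]}
                break
    return sweeps

# Constructed sample traffic (not taken from the post's capture).
ACTION = b"<a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/%s</a:Action>"
SAMPLE = [
    (0.0, "192.168.1.50", 40001, "239.255.255.250", 1900,
     b'M-SEARCH * HTTP/1.1\r\nMAN: "ssdp:discover"\r\nST: upnp:rootdevice\r\n\r\n'),
    (0.4, "192.168.1.10", 1900, "192.168.1.50", 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    (1.5, "192.168.1.50", 40002, "239.255.255.250", 3702, ACTION % b"Probe"),
    (1.9, "192.168.1.20", 3702, "192.168.1.50", 40002, ACTION % b"ProbeMatches"),
    (300.0, "192.168.1.30", 40003, "239.255.255.250", 1900,
     b"M-SEARCH * HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for prober, info in find_discovery_sweeps(SAMPLE).items():
        print(prober, sorted(info["protocols"]), sorted(info["responders"]))
```

Ordinary clients also send these probes from time to time, so in practice the output is best compared against an inventory of hosts expected to perform discovery.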

So, in short, I think we will be hearing a lot more about broadcast-based service scans (and also passive data collection) as IPv6 rolls out in corporate infrastructure.


  1. Would be pretty cool if you showed an example of how this could be used to compromise the machine/network with this method of scanning. How is this a danger?

  2. Hi anonymous,
    This (in itself) is not a direct danger that leads to compromise. It's a way of identifying active systems on a network.

    These systems are giving away free information about themselves (information that you would not want to give in a secure environment).

    Using this technique, an attacker can gain information on live systems; often the system version information and some of the services that the system is running.

    This would be part of the reconnaissance and mapping phase of an attack (pre-exploitation).

  3. thank you Ben

    your comment is helpful