Merge pull request #1827 from HackTricks-wiki/research_update_src_network-services-pentesting_5353-udp-multicast-dns-mdns_20260129_162240

Research Update Enhanced src/network-services-pentesting/535...

Author: carlospolop

src/linux-hardening/linux-basics.md

@@ -0,0 +1,4 @@
+# Linux Basics
+
+{{#include ../banners/hacktricks-training.md}}
+

src/network-services-pentesting/5353-udp-multicast-dns-mdns.md

@@ -83,6 +83,8 @@ sudo bettercap -iface <iface> -eval "zerogod.discovery on"
 
 # Show all services seen from a host
 > zerogod.show 192.168.1.42
+# Show full DNS records for a host (newer bettercap)
+> zerogod.show-full 192.168.1.42
 
 # Impersonate all services of a target host automatically
 > zerogod.impersonate 192.168.1.42
@@ -105,7 +107,15 @@ Also see generic LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay work
 ### Notes on recent implementation issues (useful for DoS/persistence during engagements)
 
 - Avahi reachable-assertion and D-Bus crash bugs (2023) can terminate avahi-daemon on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), disrupting service discovery on target hosts until restart.
-- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (2024, CVE-2024-20303) allows adjacent attackers to drive high CPU and disconnect APs. If you encounter an mDNS gateway between VLANs, be aware of its stability under malformed or high-rate mDNS.
+- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (CVE-2024-20303) lets adjacent WLAN clients flood crafted mDNS, spiking WLC CPU and dropping AP tunnels—handy if you need to force client roaming or controller resets during an engagement.
+- Apple mDNSResponder logic error DoS (CVE-2024-44183) lets a sandboxed local process crash Bonjour to briefly suppress service publication/lookup on Apple endpoints; patched in current iOS/macOS releases.
+- Apple mDNSResponder correctness issue (CVE-2025-31222) allowed local privilege escalation via mDNSResponder; useful for persistence on unmanaged Macs/iPhones, fixed in recent iOS/macOS updates.
+
+### Browser/WebRTC mDNS considerations
+
+Modern Chromium/Firefox obfuscate host candidates with random mDNS names. You can re-expose LAN IPs on managed endpoints by pushing the Chrome policy `WebRtcLocalIpsAllowedUrls` (or toggling `chrome://flags/#enable-webrtc-hide-local-ips-with-mdns`/Edge equivalent) so ICE exposes host candidates instead of mDNS; set via `HKLM\Software\Policies\Google\Chrome`.
+
+When users disable the protection manually (common in WebRTC troubleshooting guides), their browsers start advertising plain host candidates again, which you can capture via mDNS or ICE signaling to speed up host discovery.
 
 ## Defensive considerations and OPSEC
 
@@ -154,6 +164,8 @@ For more information check:
 - [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical_IoT_Hacking.html?id=GbYEEAAAQBAJ&redir_esc=y)
 - [Nmap NSE: broadcast-dns-service-discovery](https://nmap.org/nsedoc/scripts/broadcast-dns-service-discovery.html)
 - [bettercap zerogod (mDNS/DNS-SD discovery, spoofing, impersonation)](https://www.bettercap.org/modules/ethernet/zerogod/)
+- [Cisco IOS XE WLC mDNS gateway DoS (CVE-2024-20303) advisory](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-wlc-mdns-dos-4hv6pBGf.html)
+- [Rapid7 advisory for Apple mDNSResponder CVE-2024-44183](https://www.rapid7.com/db/vulnerabilities/apple-mdnsresponder-cve-2024-44183/)
+- [Rapid7 writeup of Apple mDNSResponder CVE-2025-31222](https://www.rapid7.com/db/vulnerabilities/apple-osx-mdnsresponder-cve-2025-31222/)
 
 {{#include ../banners/hacktricks-training.md}}
-