
EasyShare probing computers to obtain hostnames

August 07, 2018 — BarryK

EasyShare has automatic discovery of shared folders and printers on the local network. To achieve this, it has to discover the hostnames of the computers, and in the case of Windows computers, the netbios-name.

EasyShare has two ways of doing this: by probing for SMB servers and then using the 'nbtscan' utility to retrieve the hostname or netbios-name, or by probing a modified dnsmasq server and using the 'nmap' utility to retrieve the hostname.

In the latter case, EasyOS (and Quirky) runs the dnsmasq server in a special configuration such that it returns the hostname upon receiving a query from nmap. The problem is that this is a corruption of how dnsmasq is normally used, so anyone who wants to use dnsmasq in the normal way can't.

What I want is a lightweight server that upon receiving a request, will return an arbitrary string. It would be nice if I could write such a server, but I don't know how. Instead, looking for something ready-made...

After googling, I discovered the 'identd' server. Busybox has a very cut-down version, named 'fakeidentd'. On one of the computers, run it with any arbitrary string:

# fakeidentd HITHERE

fakeidentd listens on port 113, so we need some way to query this port from another computer on the network. I could not see how to use 'nmap'; however, I found a perl script:

http://pentestmonkey.net/tools/user-enumeration/ident-user-enum

EasyOS and Quirky have a cut-down perl named "perl_tiny", and with the devx sfs, the full perl. I tried this script first with the devx loaded, so I had the full perl, and it required just one more module, Net::Ident. This was easy to install:

# perl -MCPAN -e shell
> install Net::Ident
> quit

...which I made into a PET package. I then tested without the devx, and Net::Ident was missing some dependencies. Those missing deps are now included in perl_tiny.

Now, on another computer on my network, with Net::Ident and ident-user-enum installed, where 192.168.1.4 is the computer running fakeidentd:

# ident-user-enum.pl 192.168.1.4 113
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.1.4:113    HITHERE

...yay!

So, we have a simple mechanism to broadcast the hostname. My intention is to use this instead of dnsmasq. 'perl-net-ident' will be a PET package in the noarch repo, and 'ident-user-enum.pl' will be built in at /usr/sbin in woofQ.
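To make the exchange above concrete, here is an added example (not Barry's code, nor the code of busybox or ident-user-enum.pl) of both sides of the RFC 1413 ident conversation that fakeidentd and ident-user-enum.pl perform: a one-shot responder that answers every query with a fixed string, and a client that sends a port-pair query and extracts the string from the reply. The reply format "<ports> : USERID : UNIX : <string>" is assumed to match what fakeidentd emits; the port pair "113, 4242" sent by the client is a constructed value, and the demo binds an ephemeral loopback port instead of 113 so it runs without root.

```python
import socket
import threading

# Constructed demonstration of the ident (RFC 1413) exchange used for
# hostname discovery. The reply format below is assumed to match
# busybox fakeidentd; it is not that program's source.

IDENT_PORT = 113  # the real service port; demo() binds an ephemeral port instead


def ident_reply(request_line: str, name: str) -> str:
    """Server side: build the reply for one request line.

    A request is "<server-port>, <client-port>". A well-formed pair gets
    "<ports> : USERID : UNIX : <name>" regardless of the ports (the server is
    a beacon, it checks nothing); anything else gets "<ports> : ERROR : INVALID-PORT".
    """
    ports = request_line.strip()
    try:
        server_port, client_port = (int(p) for p in ports.split(","))
        valid = 0 < server_port < 65536 and 0 < client_port < 65536
    except ValueError:
        valid = False
    if not valid:
        return f"{ports} : ERROR : INVALID-PORT\r\n"
    return f"{server_port}, {client_port} : USERID : UNIX : {name}\r\n"


def parse_ident_reply(reply: str):
    """Client side: return the advertised string from a USERID reply, None on ERROR or garbage."""
    fields = [f.strip() for f in reply.strip().split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return fields[3]
    return None


def serve_once(name: str, port: int = 0) -> int:
    """Start a fakeidentd-style responder on 127.0.0.1 that answers one connection.

    Returns the port it is listening on (an ephemeral one when port=0).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            request = conn.makefile("r").readline()  # one CRLF-terminated request
            conn.sendall(ident_reply(request, name).encode("ascii"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def query_ident(host: str, port: int, timeout: float = 2.0):
    """Client side: send one RFC 1413 query and return the advertised string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Constructed port pair; a fake responder ignores the values anyway.
        sock.sendall(b"113, 4242\r\n")
        reply = sock.makefile("r").readline()
    return parse_ident_reply(reply)


def demo(name: str = "HITHERE"):
    """Run responder and client against each other on loopback; returns the string."""
    port = serve_once(name)
    return query_ident("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())  # HITHERE
```

The design point the exchange makes plain: the string in the reply is whatever the responder was started with, so a LAN discovery client treats it purely as an advertised hostname, never as evidence of who is on the other end. The client also has to tolerate an ERROR reply (or a non-ident service on port 113), which is why parse_ident_reply returns None rather than raising.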

Of course, this discovery mechanism applies only to computers running EasyOS and Quirky. Other computers must be running an SMB server (the 'smbd' daemon in the case of Samba). EasyShare probes for both.

Tags: easy, quirky