[NSE] matter-identify: identify Matter smart-home devices via mDNS

Mon, 11 May 2026 07:01:17 -0700 

 Hi,

  Attached is matter-identify.nse, a new discovery script for identifying
  Matter (formerly Project CHIP) smart-home devices.

  It sends DNS PTR queries to 5353/udp for the three Matter service types
  defined in the Matter Core Spec section 4:

    _matter._tcp.local   commissioned / operational nodes
    _matterc._udp.local  nodes in commissioning mode
    _meshcop._udp.local  Thread border routers

  TXT records are decoded into VID, PID, device type, fabric/node IDs,
  discriminator, commissioning mode, TCP support, session intervals and
  pairing-hint flags. Vendor and device-type lookup tables are sourced
  from connectedhomeip (CHIPVendorIdentifiers.hpp and matter-devices.xml).
  The portrule also fires on 5540 (Matter operational) and flags the
  open port.

  Built on the existing dns and shortport libraries; no new dependencies.

  Categories: discovery, safe.

  Sample output against a Matter test device behind a Thread Border Router:

sudo nmap -sU -p 5353 --open --script matter-identify 192.168.124.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-11 13:09 UTC
Nmap scan report for 192.168.124.245
Host is up (0.00037s latency).
PORT     STATE SERVICE
5353/udp open  zeroconf
| matter-identify:
|   Commissioned Matter device (_matter._tcp) #1:
|     Instance: 92E5DE45A4357164-0000000000000019
|     Fabric ID: 0x92E5DE45A4357164
|     Node ID: 0x0000000000000019
|     Session Idle Interval: 2000 ms
|     Session Active Interval: 2000 ms
|     Session Active Threshold: 4000 ms
|     Port: 5540
|     Host: DAA69B29F9D12EEE.local
....
|   Commissioning Matter device (_matterc._udp):
|     Instance: 9BB722E74A9CAEBB
|     Vendor ID: 0x130A
|     Product ID: 0x0050
|     *Device type: 0x010A (On/Off Plug-in Unit)*
|     *Device name: Eve Energy*
|     Discriminator: 408
|     Commissioning mode: 2 (enhanced commissioning mode)
|     Rotating device ID: 0C00A65A406F5F8689445667357195EA6FB7
|     Pairing hint: 36 (Administrator; Device manual)
|     Session Idle Interval: 2000 ms
|     Session Active Interval: 2000 ms
|     Session Active Threshold: 4000 ms
|     Port: 5540
|     Host: DAA69B29F9D12EEE.local
|   Thread border router (_meshcop._udp):
|     Instance: New Apple TV
|     Network name: MyHome1004112387
|     Extended PAN ID: \x04\x8E\x89\xF2\xC4+D\x11
|     Thread version: 1.3.0
|     Extended address: \x8A\xD9\x9E,\xDA45\xBC
|     Border agent port: \xB3\xD2\x91I
|     Sequence number:
|     BBR seq number: \xF0\xBF
|     State bitmap: \x00\x00\x0F\xB1
|     Port: 49153
|_    Host: New-Apple-TV.local

Comments welcome.

  Thanks,
  Zoltan Balazs

Attachment: matter-identify.nse
Description: Binary data

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Reply via email to