what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NTP Monitor List Scanner

NTP Monitor List Scanner
Posted Aug 31, 2024
Authored by H D Moore | Site metasploit.com

This Metasploit module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests. The more clients there are in the list, the greater the amplification.

tags | exploit, remote, denial of service, spoof
advisories | CVE-2013-5211
SHA-256 | a5bd2be6d6639dad2ac8a8c5aadde7826dba8b96423872299961fe6135ef827c

NTP Monitor List Scanner

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::NTP
include Msf::Auxiliary::DRDoS

def initialize
super(
'Name' => 'NTP Monitor List Scanner',
'Description' => %q{
This module identifies NTP servers which permit "monlist" queries and
obtains the recent clients list. The monlist feature allows remote
attackers to cause a denial of service (traffic amplification)
via spoofed requests. The more clients there are in the list, the
greater the amplification.
},
'References' =>
[
['CVE', '2013-5211'],
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-013A'],
['URL', 'https://support.ntp.org/bin/view/Main/SecurityNotice'],
['URL', 'https://nmap.org/nsedoc/scripts/ntp-monlist.html'],
],
'Author' => 'hdm',
'License' => MSF_LICENSE
)

register_options(
[
OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', false])
])

register_advanced_options(
[
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', false])
])
end

# Called for each response packet
def scanner_process(data, shost, sport)
@results[shost] ||= { messages: [], peers: [] }
@results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new.read(data).to_binary_s
@results[shost][:peers] << extract_peer_tuples(data)
end

# Called before the scan block
def scanner_prescan(batch)
@results = {}
@aliases = {}
@probe = Rex::Proto::NTP.ntp_private(datastore['VERSION'], datastore['IMPLEMENTATION'], 42, "\0" * 40).to_binary_s
end

# Called after the scan block
def scanner_postscan(batch)
@results.keys.each do |k|
response_map = { @probe => @results[k][:messages] }
peer = "#{k}:#{rport}"

# TODO: check to see if any of the responses are actually NTP before reporting
report_service(
:host => k,
:proto => 'udp',
:port => rport,
:name => 'ntp'
)

peers = @results[k][:peers].flatten(1)
unless peers.empty?
print_good("#{peer} NTP monlist request permitted (#{peers.length} entries)")
# store the peers found from the monlist
report_note(
:host => k,
:proto => 'udp',
:port => rport,
:type => 'ntp.monlist',
:data => {:monlist => peers}
)
# print out peers if desired
if datastore['SHOW_LIST']
peers.each do |ntp_peer|
print_status("#{peer} #{ntp_peer}")
end
end
# store any aliases for our target
report_note(
:host => k,
:proto => 'udp',
:port => rport,
:type => 'ntp.addresses',
:data => {:addresses => peers.map { |p| p.last }.sort.uniq }
)

if (datastore['StoreNTPClients'])
print_status("#{peer} Storing #{peers.length} NTP client hosts in the database...")
peers.each do |r|
maddr,mport,mserv = r
next if maddr == '127.0.0.1' # some NTP servers peer with themselves..., but we can't store loopback
report_note(
:host => maddr,
:type => 'ntp.client.history',
:data => {
:address => maddr,
:port => mport,
:server => mserv
}
)
end
end
end

vulnerable, proof = prove_amplification(response_map)
what = 'NTP Mode 7 monlist DRDoS (CVE-2013-5211)'
if vulnerable
print_good("#{peer} - Vulnerable to #{what}: #{proof}")
report_vuln({
:host => k,
:port => rport,
:proto => 'udp',
:name => what,
:refs => self.references
})
else
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
end
end

end

# Examine the monlist response +data+ and extract all peer tuples (saddd, dport, daddr)
def extract_peer_tuples(data)
return [] if data.length < 76

# NTP headers 8 bytes
ntp_flags, ntp_auth, ntp_vers, ntp_code = data.slice!(0,4).unpack('C*')
pcnt, plen = data.slice!(0,4).unpack('nn')
return [] if plen != 72

idx = 0
peer_tuples = []
1.upto(pcnt) do
# u_int32 firsttime; /* first time we received a packet */
# u_int32 lasttime; /* last packet from this host */
# u_int32 restr; /* restrict bits (was named lastdrop) */
# u_int32 count; /* count of packets received */
# u_int32 addr; /* host address V4 style */
# u_int32 daddr; /* destination host address */
# u_int32 flags; /* flags about destination */
# u_short port; /* port number of last reception */

_,_,_,_,saddr,daddr,_,dport = data[idx, 30].unpack("NNNNNNNn")

peer_tuples << [ Rex::Socket.addr_itoa(saddr), dport, Rex::Socket.addr_itoa(daddr) ]
idx += plen
end
peer_tuples
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close