##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
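# Auxiliary scanner that sends an NTP mode 7 (private) request to each target
# and records which servers answer with their monitor ("monlist") client list.
#
# For every host that responded, the module reports the NTP service, stores
# the returned peer list as notes and, when prove_amplification (not defined
# in this file; presumably supplied by the DRDoS mixin) says so, reports the
# host as affected by CVE-2013-5211.
#
# Everything parsed from a response is supplied by the remote server and is
# treated as untrusted input. Servers flagged here are normally remediated by
# disabling the monitor facility (`disable monitor`) or by refusing mode 7
# queries (`restrict ... noquery`); see the US-CERT alert in References.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP
  include Msf::Auxiliary::DRDoS

  # Registers the module metadata and its options.
  #
  # RETRY, SHOW_LIST and StoreNTPClients are declared here; VERSION and
  # IMPLEMENTATION, which scanner_prescan reads, are not declared in this file
  # (presumably they come from the NTP mixin).
  def initialize
    super(
      'Name'        => 'NTP Monitor List Scanner',
      'Description' => %q{
        This module identifies NTP servers which permit "monlist" queries and
        obtains the recent clients list. The monlist feature allows remote
        attackers to cause a denial of service (traffic amplification)
        via spoofed requests. The more clients there are in the list, the
        greater the amplification.
      },
      'References'  =>
        [
          ['CVE', '2013-5211'],
          ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-013A'],
          ['URL', 'http://support.ntp.org/bin/view/Main/SecurityNotice'],
          ['URL', 'http://nmap.org/nsedoc/scripts/ntp-monlist.html'],
        ],
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
        OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', false])
      ])

    register_advanced_options(
      [
        OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', false])
      ])
  end

  # Called for each response packet
  #
  # Keeps the re-serialised response and the peer tuples parsed from it,
  # grouped by the source host of the datagram.
  #
  # @param data [String] raw response datagram (untrusted)
  # @param shost [String] source host of the response
  # @param sport [Integer] source port of the response (unused here)
  def scanner_process(data, shost, sport)
    @results[shost] ||= { messages: [], peers: [] }
    # NOTE(review): NTPPrivate#read may raise on a truncated or non-NTP
    # datagram -- confirm how UDPScanner handles exceptions raised here.
    @results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new.read(data).to_binary_s
    @results[shost][:peers] << extract_peer_tuples(data)
  end

  # Called before the scan block
  #
  # Resets the per-batch state and builds the probe once: a private-mode
  # request with request code 42 and a 40-byte zeroed payload.
  #
  # @param batch [Array] hosts in the current batch (unused here)
  def scanner_prescan(batch)
    @results = {}
    @aliases = {}
    @probe = Rex::Proto::NTP.ntp_private(datastore['VERSION'], datastore['IMPLEMENTATION'], 42, "\0" * 40).to_binary_s
  end

  # Called after the scan block
  #
  # Reports the service, the monlist notes and the vulnerability verdict for
  # each host that sent at least one response.
  #
  # @param batch [Array] hosts in the current batch (unused here)
  def scanner_postscan(batch)
    @results.keys.each do |k|
      response_map = { @probe => @results[k][:messages] }
      peer = "#{k}:#{rport}"

      # TODO: check to see if any of the responses are actually NTP before reporting
      report_service(
        :host  => k,
        :proto => 'udp',
        :port  => rport,
        :name  => 'ntp'
      )

      # Each response contributed one array of tuples; merge them one level.
      peers = @results[k][:peers].flatten(1)
      unless peers.empty?
        print_good("#{peer} NTP monlist request permitted (#{peers.length} entries)")
        # store the peers found from the monlist
        report_note(
          :host  => k,
          :proto => 'udp',
          :port  => rport,
          :type  => 'ntp.monlist',
          :data  => {:monlist => peers}
        )
        # print out peers if desired
        if datastore['SHOW_LIST']
          peers.each do |ntp_peer|
            print_status("#{peer} #{ntp_peer}")
          end
        end
        # store any aliases for our target
        # (the last tuple element is daddr, the destination address the
        # server recorded for that client's packet)
        report_note(
          :host  => k,
          :proto => 'udp',
          :port  => rport,
          :type  => 'ntp.addresses',
          :data  => {:addresses => peers.map(&:last).sort.uniq }
        )

        if datastore['StoreNTPClients']
          print_status("#{peer} Storing #{peers.length} NTP client hosts in the database...")
          # These addresses are whatever the remote server listed; they were
          # not probed by this module, so the stored notes are unverified.
          peers.each do |r|
            maddr, mport, mserv = r
            next if maddr == '127.0.0.1' # some NTP servers peer with themselves..., but we can't store loopback
            report_note(
              :host => maddr,
              :type => 'ntp.client.history',
              :data => {
                :address => maddr,
                :port    => mport,
                :server  => mserv
              }
            )
          end
        end
      end

      vulnerable, proof = prove_amplification(response_map)
      what = 'NTP Mode 7 monlist DRDoS (CVE-2013-5211)'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
        report_vuln({
          :host  => k,
          :port  => rport,
          :proto => 'udp',
          :name  => what,
          :refs  => self.references
        })
      else
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
      end
    end
  end

  # Examine the monlist response +data+ and extract all peer tuples (saddr, dport, daddr)
  #
  # The datagram is read without being modified. The entry count in the
  # header is supplied by the remote server, so parsing stops at the first
  # entry that is not fully contained in the datagram instead of reading past
  # the end of the buffer.
  #
  # @param data [String] raw response datagram (untrusted)
  # @return [Array<Array>] one [source address, port, destination address]
  #   triple per complete entry; empty when the datagram is too short or the
  #   advertised entry size is not 72
  def extract_peer_tuples(data)
    return [] if data.length < 76

    header_len = 8  # NTP headers 8 bytes
    wanted_len = 30 # bytes of each entry consumed by the unpack template below

    # The first four header bytes are not needed here; the entry count and
    # the per-entry size are the two 16-bit fields that follow them.
    pcnt, plen = data[4, 4].unpack('nn')
    return [] if plen != 72

    idx = header_len
    peer_tuples = []
    pcnt.times do
      entry = data[idx, wanted_len]
      # A count larger than the datagram actually holds must not lead to
      # unpacking a missing or short slice.
      break if entry.nil? || entry.length < wanted_len

      # u_int32 firsttime; /* first time we received a packet */
      # u_int32 lasttime;  /* last packet from this host */
      # u_int32 restr;     /* restrict bits (was named lastdrop) */
      # u_int32 count;     /* count of packets received */
      # u_int32 addr;      /* host address V4 style */
      # u_int32 daddr;     /* destination host address */
      # u_int32 flags;     /* flags about destination */
      # u_short port;      /* port number of last reception */
      _, _, _, _, saddr, daddr, _, dport = entry.unpack("NNNNNNNn")

      peer_tuples << [ Rex::Socket.addr_itoa(saddr), dport, Rex::Socket.addr_itoa(daddr) ]
      idx += plen
    end
    peer_tuples
  end
end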