2010-01-27 06:53:24 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-01-27 06:53:24 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'NTP Monitor List Scanner',
|
2014-03-21 15:39:53 +00:00
|
|
|
'Description' => %q{
|
2014-03-25 19:03:25 +00:00
|
|
|
This module identifies NTP servers which permit "monlist" queries and
|
|
|
|
obtains the recent clients list. The monlist feature allows remote
|
|
|
|
attackers to cause a denial of service (traffic amplification)
|
|
|
|
via spoofed requests. The more clients there are in the list, the
|
|
|
|
greater the amplification.
|
2014-03-21 15:39:53 +00:00
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2013-5211'],
|
|
|
|
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-013A'],
|
|
|
|
['URL', 'http://support.ntp.org/bin/view/Main/SecurityNotice'],
|
|
|
|
['URL', 'http://nmap.org/nsedoc/scripts/ntp-monlist.html'],
|
|
|
|
],
|
2013-08-30 21:28:54 +00:00
|
|
|
'Author' => 'hdm',
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(123),
|
|
|
|
Opt::CHOST,
|
2014-03-25 19:03:25 +00:00
|
|
|
OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
|
2014-03-21 15:39:53 +00:00
|
|
|
OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
|
2014-03-25 19:03:25 +00:00
|
|
|
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false'])
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', 'false'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Define our batch size
|
|
|
|
def run_batch_size
|
|
|
|
datastore['BATCHSIZE'].to_i
|
|
|
|
end
|
|
|
|
|
|
|
|
# Fingerprint a single host
|
|
|
|
def run_batch(batch)
|
|
|
|
|
|
|
|
@results = {}
|
|
|
|
@aliases = {}
|
|
|
|
|
2014-03-21 15:39:53 +00:00
|
|
|
vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
begin
|
|
|
|
udp_sock = nil
|
|
|
|
idx = 0
|
|
|
|
|
|
|
|
# Create an unbound UDP socket if no CHOST is specified, otherwise
|
|
|
|
# create a UDP socket bound to CHOST (in order to avail of pivoting)
|
2014-03-21 15:39:53 +00:00
|
|
|
udp_sock = Rex::Socket::Udp.create({
|
|
|
|
'LocalHost' => datastore['CHOST'] || nil,
|
|
|
|
'Context' => {'Msf' => framework, 'MsfExploit' => self}
|
|
|
|
})
|
2013-08-30 21:28:54 +00:00
|
|
|
add_socket(udp_sock)
|
|
|
|
|
2014-03-21 15:39:53 +00:00
|
|
|
# Try more times since NTP servers can be a bit busy
|
|
|
|
1.upto(datastore['RETRY'].to_i) do
|
|
|
|
batch.each do |ip|
|
|
|
|
next if @results[ip]
|
|
|
|
|
|
|
|
begin
|
2014-03-25 19:03:25 +00:00
|
|
|
data = probe_pkt_ntp
|
2014-03-21 15:39:53 +00:00
|
|
|
udp_sock.sendto(data, ip, datastore['RPORT'].to_i, 0)
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
|
|
|
|
nil
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2014-03-21 15:39:53 +00:00
|
|
|
if (idx % 30 == 0)
|
|
|
|
while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
|
|
|
|
parse_reply(r)
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
2014-03-21 15:39:53 +00:00
|
|
|
idx += 1
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
while (r = udp_sock.recvfrom(65535, 10) and r[1])
|
|
|
|
parse_reply(r)
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error("Unknown error: #{e.class} #{e}")
|
|
|
|
end
|
|
|
|
|
|
|
|
@results.keys.each do |k|
|
|
|
|
|
|
|
|
report_service(
|
|
|
|
:host => k,
|
|
|
|
:proto => 'udp',
|
|
|
|
:port => datastore['RPORT'].to_i,
|
|
|
|
:name => 'ntp'
|
|
|
|
)
|
|
|
|
|
|
|
|
report_note(
|
|
|
|
:host => k,
|
|
|
|
:proto => 'udp',
|
|
|
|
:port => datastore['RPORT'].to_i,
|
|
|
|
:type => 'ntp.monlist',
|
|
|
|
:data => {:monlist => @results[k]}
|
|
|
|
)
|
|
|
|
|
|
|
|
if (@aliases[k] and @aliases[k].keys[0] != k)
|
2014-03-21 15:39:53 +00:00
|
|
|
print_good("#{k}:#{datastore['RPORT'].to_i} NTP monlist request permitted (#{@results[k].length} entries)")
|
2013-08-30 21:28:54 +00:00
|
|
|
report_note(
|
|
|
|
:host => k,
|
|
|
|
:proto => 'udp',
|
|
|
|
:port => datastore['RPORT'].to_i,
|
|
|
|
:type => 'ntp.addresses',
|
|
|
|
:data => {:addresses => @aliases[k].keys}
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
if (datastore['StoreNTPClients'])
|
|
|
|
print_status("#{k} Storing #{@results[k].length} NTP client hosts in the database...")
|
|
|
|
@results[k].each do |r|
|
|
|
|
maddr,mport,mserv = r
|
2014-03-21 15:39:53 +00:00
|
|
|
report_note(
|
|
|
|
:host => maddr,
|
|
|
|
:type => 'ntp.client.history',
|
|
|
|
:data => {
|
|
|
|
:address => maddr,
|
|
|
|
:port => mport,
|
|
|
|
:server => mserv
|
|
|
|
}
|
|
|
|
)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_reply(pkt)
|
|
|
|
|
|
|
|
# Ignore "empty" packets
|
|
|
|
return if not pkt[1]
|
|
|
|
|
|
|
|
if(pkt[1] =~ /^::ffff:/)
|
|
|
|
pkt[1] = pkt[1].sub(/^::ffff:/, '')
|
|
|
|
end
|
|
|
|
|
|
|
|
data = pkt[0]
|
|
|
|
host = pkt[1]
|
|
|
|
port = pkt[2]
|
|
|
|
|
|
|
|
return if pkt[0].length < (72 + 16)
|
2014-03-21 15:39:53 +00:00
|
|
|
|
|
|
|
# NTP headers 8 bytes
|
2013-08-30 21:28:54 +00:00
|
|
|
ntp_flags, ntp_auth, ntp_vers, ntp_code = data.slice!(0,4).unpack('C*')
|
2014-03-21 15:39:53 +00:00
|
|
|
vprint_status("#{host}:#{port} - ntp_auth: #{ntp_auth}, ntp_vers: #{ntp_vers}")
|
|
|
|
pcnt, plen = data.slice!(0,4).unpack('nn')
|
2013-08-30 21:28:54 +00:00
|
|
|
return if plen != 72
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
1.upto(pcnt) do
|
2014-03-21 15:39:53 +00:00
|
|
|
#u_int32 firsttime; /* first time we received a packet */
|
|
|
|
#u_int32 lasttime; /* last packet from this host */
|
|
|
|
#u_int32 restr; /* restrict bits (was named lastdrop) */
|
|
|
|
#u_int32 count; /* count of packets received */
|
|
|
|
#u_int32 addr; /* host address V4 style */
|
|
|
|
#u_int32 daddr; /* destination host address */
|
|
|
|
#u_int32 flags; /* flags about destination */
|
|
|
|
#u_short port; /* port number of last reception */
|
|
|
|
|
|
|
|
firsttime,lasttime,restr,count,saddr,daddr,flags,dport = data[idx, 30].unpack("NNNNNNNn")
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
@results[host] ||= []
|
|
|
|
@aliases[host] ||= {}
|
2014-03-21 15:39:53 +00:00
|
|
|
@results[host] << [ Rex::Socket.addr_itoa(daddr), dport, Rex::Socket.addr_itoa(saddr) ]
|
|
|
|
@aliases[host][Rex::Socket.addr_itoa(saddr)] = true
|
|
|
|
if datastore['SHOW_LIST']
|
2014-03-25 19:03:25 +00:00
|
|
|
print_status("#{host}:#{port} #{Rex::Socket.addr_itoa(saddr)} (lst: #{lasttime}sec., cnt: #{count})")
|
2014-03-21 15:39:53 +00:00
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
idx += plen
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-03-25 19:03:25 +00:00
|
|
|
def probe_pkt_ntp
|
|
|
|
"\x17\x00\x03\x2a" + "\x00" * 188
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2010-01-27 06:53:24 +00:00
|
|
|
|
|
|
|
end
|