metasploit-framework/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP

  def initialize
    super(
      'Name'        => 'NTP Mode 6 REQ_NONCE DRDoS Scanner',
      'Description' => %q{
        This module identifies NTP servers which permit mode 6 REQ_NONCE requests that
        can be used to conduct DRDoS attacks.  In some configurations, NTP servers will
        respond to REQ_NONCE requests with a response larger than the request,
        allowing remote attackers to cause a denial of services (traffic
        amplification) via spoofed requests.
      },
      'References'  =>
        [
        ],
      'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',
      'License'     => MSF_LICENSE
    )
  end

  # Called for each IP in the batch
  def scan_host(ip)
    scanner_send(@probe, ip, datastore['RPORT'])
  end

  # Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= []
    @results[shost] << Rex::Proto::NTP::NTPControl.new(data)
  end

  # Called before the scan block
  def scanner_prescan(batch)
    @results = {}
    @probe = Rex::Proto::NTP::NTPControl.new
    @probe.version = 2
    @probe.operation = 12
    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
  end

  # Called after the scan block
  def scanner_postscan(batch)
    @results.keys.each do |k|
      packets = @results[k]
      report_service(
        :host  => k,
        :proto => 'udp',
        :port  => rport,
        :name  => 'ntp'
      )

      total_size = packets.map(&:size).reduce(:+)
      if packets.size > 1 || total_size > @probe.size
        print_good("#{k}:#{rport} NTP req_nonce request permitted with amplified response (#{packets.size} packets, #{total_size} bytes)")
      end
    end
  end
end
Initial commit of modules for NTP vulns described in R7-2014-12 Not entirely functional or polished, but mostly working 2014-08-09 04:00:43 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Report`
			`include Msf::Exploit::Remote::Udp`
			`include Msf::Auxiliary::UDPScanner`
			`include Msf::Auxiliary::NTP`

			`def initialize`
			`super(`
			`'Name' => 'NTP Mode 6 REQ_NONCE DRDoS Scanner',`
			`'Description' => %q{`
			`This module identifies NTP servers which permit mode 6 REQ_NONCE requests that`
			`can be used to conduct DRDoS attacks. In some configurations, NTP servers will`
			`respond to REQ_NONCE requests with a response larger than the request,`
			`allowing remote attackers to cause a denial of services (traffic`
			`amplification) via spoofed requests.`
			`},`
			`'References' =>`
			`[`
			`],`
			`'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',`
			`'License' => MSF_LICENSE`
			`)`
			`end`

			`# Called for each IP in the batch`
			`def scan_host(ip)`
			`scanner_send(@probe, ip, datastore['RPORT'])`
			`end`

			`# Called for each response packet`
			`def scanner_process(data, shost, sport)`
Gut admin functions from R7-2014-12 NTP modules None of these are admin modules. All of that stuff should eventually go in auxiliary/admin 2014-08-09 04:22:11 +00:00			`@results[shost] \|\|= []`
			`@results[shost] << Rex::Proto::NTP::NTPControl.new(data)`
Initial commit of modules for NTP vulns described in R7-2014-12 Not entirely functional or polished, but mostly working 2014-08-09 04:00:43 +00:00			`end`

			`# Called before the scan block`
			`def scanner_prescan(batch)`
			`@results = {}`
			`@probe = Rex::Proto::NTP::NTPControl.new`
			`@probe.version = 2`
			`@probe.operation = 12`
			`vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")`
			`end`

			`# Called after the scan block`
			`def scanner_postscan(batch)`
			`@results.keys.each do \|k\|`
			`packets = @results[k]`
			`report_service(`
			`:host => k,`
			`:proto => 'udp',`
			`:port => rport,`
			`:name => 'ntp'`
			`)`
Gut admin functions from R7-2014-12 NTP modules None of these are admin modules. All of that stuff should eventually go in auxiliary/admin 2014-08-09 04:22:11 +00:00
Initial commit of modules for NTP vulns described in R7-2014-12 Not entirely functional or polished, but mostly working 2014-08-09 04:00:43 +00:00			`total_size = packets.map(&:size).reduce(:+)`
			`if packets.size > 1 \|\| total_size > @probe.size`
			`print_good("#{k}:#{rport} NTP req_nonce request permitted with amplified response (#{packets.size} packets, #{total_size} bytes)")`
			`end`
			`end`
			`end`
			`end`