diff --git a/modules/auxiliary/scanner/ntp/ntp_readvar.rb b/modules/auxiliary/scanner/ntp/ntp_readvar.rb new file mode 100644 index 0000000000..34cbd132f9 --- /dev/null +++ b/modules/auxiliary/scanner/ntp/ntp_readvar.rb @@ -0,0 +1,67 @@ +##### + + +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + + include Msf::Exploit::Remote::Udp + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'NTP Clock Variables Disclosure', + 'Description' => %q{ + This module reads the system internal NTP variables. These variables contain potentially sensitive + information, such as the NTP software version, operating system version, peers, and more.. + }, + 'Author' => 'Ewerson Guimaraes(Crash) ', + 'License' => MSF_LICENSE, + 'Version' => '', + 'References' => + [ + ['URL','http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ], + ] + ) + ) + register_options( + [ + Opt::RPORT(123) + ], self.class) + end + + def run_host(ip) + + connect_udp + + readvar = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" #readvar command + print_status("Connecting target #{rhost}:#{rport}...") + + print_status("Sending command") + udp_sock.put(readvar) + reply = udp_sock.recvfrom(65535, 0.1) + p_reply =( reply[0].split(",")) + arr_count = 0 + while ( arr_count < p_reply.size) + if arr_count == 0 + print_good (p_reply[arr_count].slice(12,p_reply[arr_count].size)) #12 is the adjustment of packet garbage + arr_count = arr_count + 1 + else + print_good (p_reply[arr_count].strip) + arr_count = arr_count + 1 + end + end + disconnect_udp + + end + +end \ No newline at end of file