Land #3132, ntp_monlist improvements

bug/bundler_fix
William Vu 2014-03-25 15:19:45 -05:00
commit cd448ba46c
No known key found for this signature in database
GPG Key ID: E761DCB4C1629024
1 changed files with 73 additions and 51 deletions

View File

@ -3,10 +3,8 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
@ -15,7 +13,20 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'NTP Monitor List Scanner',
'Description' => 'Obtain the list of recent clients from an NTP server',
'Description' => %q{
This module identifies NTP servers which permit "monlist" queries and
obtains the recent clients list. The monlist feature allows remote
attackers to cause a denial of service (traffic amplification)
via spoofed requests. The more clients there are in the list, the
greater the amplification.
},
'References' =>
[
['CVE', '2013-5211'],
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-013A'],
['URL', 'http://support.ntp.org/bin/view/Main/SecurityNotice'],
['URL', 'http://nmap.org/nsedoc/scripts/ntp-monlist.html'],
],
'Author' => 'hdm',
'License' => MSF_LICENSE
)
@ -24,17 +35,17 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(123),
Opt::CHOST,
OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256])
OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false'])
], self.class)
register_advanced_options(
[
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', 'false'])
], self.class)
end
# Define our batch size
def run_batch_size
datastore['BATCHSIZE'].to_i
@ -46,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
@results = {}
@aliases = {}
print_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
begin
udp_sock = nil
@ -54,16 +65,19 @@ class Metasploit3 < Msf::Auxiliary
# Create an unbound UDP socket if no CHOST is specified, otherwise
# create a UDP socket bound to CHOST (in order to avail of pivoting)
udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
})
add_socket(udp_sock)
# Try three times since NTP servers can be a bit busy
1.upto(3) do
# Try more times since NTP servers can be a bit busy
1.upto(datastore['RETRY'].to_i) do
batch.each do |ip|
next if @results[ip]
begin
data = probe_pkt_ntp(ip)
data = probe_pkt_ntp
udp_sock.sendto(data, ip, datastore['RPORT'].to_i, 0)
rescue ::Interrupt
raise $!
@ -109,6 +123,7 @@ class Metasploit3 < Msf::Auxiliary
)
if (@aliases[k] and @aliases[k].keys[0] != k)
print_good("#{k}:#{datastore['RPORT'].to_i} NTP monlist request permitted (#{@results[k].length} entries)")
report_note(
:host => k,
:proto => 'udp',
@ -122,7 +137,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{k} Storing #{@results[k].length} NTP client hosts in the database...")
@results[k].each do |r|
maddr,mport,mserv = r
report_note(:host => maddr, :type => 'ntp.client.history', :data => {:address => maddr, :port => mport, :server => mserv})
report_note(
:host => maddr,
:type => 'ntp.client.history',
:data => {
:address => maddr,
:port => mport,
:server => mserv
}
)
end
end
end
@ -143,40 +166,39 @@ class Metasploit3 < Msf::Auxiliary
port = pkt[2]
return if pkt[0].length < (72 + 16)
# NTP headers 8 bytes
ntp_flags, ntp_auth, ntp_vers, ntp_code = data.slice!(0,4).unpack('C*')
pcnt, plen, hlen, tmp = data.slice!(0,12).unpack('nnNN')
vprint_status("#{host}:#{port} - ntp_auth: #{ntp_auth}, ntp_vers: #{ntp_vers}")
pcnt, plen = data.slice!(0,4).unpack('nn')
return if plen != 72
idx = 0
1.upto(pcnt) do
tmp1,mcnt,madd,sadd,tmp3,tmp4,mport = data[idx, plen].unpack("NNNNn3")
#u_int32 firsttime; /* first time we received a packet */
#u_int32 lasttime; /* last packet from this host */
#u_int32 restr; /* restrict bits (was named lastdrop) */
#u_int32 count; /* count of packets received */
#u_int32 addr; /* host address V4 style */
#u_int32 daddr; /* destination host address */
#u_int32 flags; /* flags about destination */
#u_short port; /* port number of last reception */
firsttime,lasttime,restr,count,saddr,daddr,flags,dport = data[idx, 30].unpack("NNNNNNNn")
@results[host] ||= []
@aliases[host] ||= {}
@results[host] << [ Rex::Socket.addr_itoa(madd), mport, Rex::Socket.addr_itoa(sadd) ]
@aliases[host][Rex::Socket.addr_itoa(sadd)] = true
print_status("#{host}:#{port} #{Rex::Socket.addr_itoa(madd)}:#{mport} (#{Rex::Socket.addr_itoa(sadd)})")
@results[host] << [ Rex::Socket.addr_itoa(daddr), dport, Rex::Socket.addr_itoa(saddr) ]
@aliases[host][Rex::Socket.addr_itoa(saddr)] = true
if datastore['SHOW_LIST']
print_status("#{host}:#{port} #{Rex::Socket.addr_itoa(saddr)} (lst: #{lasttime}sec., cnt: #{count})")
end
idx += plen
end
end
def probe_pkt_ntp(ip)
data =
"\x17\x00\x03\x2a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
return data
def probe_pkt_ntp
"\x17\x00\x03\x2a" + "\x00" * 188
end
end