## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Udp include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize(info = {}) super(update_info(info, 'Name' => 'NTP Clock Variables Disclosure', 'Description' => %q{ This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more. }, 'Author' => [ 'Ewerson Guimaraes(Crash) ' ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL','http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ], ] ) ) register_options( [ Opt::RPORT(123) ], self.class) end def run_host(ip) connect_udp readvar = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" #readvar command print_status("Connecting target #{rhost}:#{rport}...") print_status("Sending command") udp_sock.put(readvar) reply = udp_sock.recvfrom(65535, 0.1) if not reply or reply[0].empty? print_error("#{rhost}:#{rport} - Couldn't read NTP variables") return end p_reply = reply[0].split(",") arr_count = 0 while ( arr_count < p_reply.size) if arr_count == 0 print_good("#{rhost}:#{rport} - #{p_reply[arr_count].slice(12,p_reply[arr_count].size)}") #12 is the adjustment of packet garbage arr_count = arr_count + 1 else print_good("#{rhost}:#{rport} - #{p_reply[arr_count].strip}") arr_count = arr_count + 1 end end disconnect_udp end end