CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ntp/ntp_readvar.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::Udp

9
  include Msf::Auxiliary::UDPScanner

10
  include Msf::Auxiliary::NTP

11
  include Msf::Auxiliary::DRDoS

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'NTP Clock Variables Disclosure',

16
      'Description'    => %q(

17
        This module reads the system internal NTP variables. These variables contain

18
        potentially sensitive information, such as the NTP software version, operating

19
        system version, peers, and more.

20
      ),

21
      'Author'         =>

22
        [

23
          'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', # original Metasploit module

24
          'Jon Hart <jon_hart[at]rapid7.com>' # UDPScanner version for faster scans

25
        ],

26
      'License'        => MSF_LICENSE,

27
      'References'     =>

28
        [

29
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb

30
          [ 'URL', 'https://www.rapid7.com/db/vulnerabilities/ntp-clock-variables-disclosure/' ]

31
        ]

32
      )

33
    )

34
  end

35


36
  def scanner_process(data, shost, _sport)

37
    @results[shost] ||= []

38
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)

39
  end

40


41
  def scan_host(ip)

42
    if spoofed?

43
      datastore['ScannerRecvWindow'] = 0

44
      scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])

45
    else

46
      scanner_send(@probe, ip, datastore['RPORT'])

47
    end

48
  end

49


50
  def scanner_prescan(batch)

51
    @results = {}

52
    print_status("Sending NTP v2 READVAR probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")

53
    @probe = Rex::Proto::NTP::NTPControl.new

54
    @probe.version = datastore['VERSION']

55
    @probe.operation = 2

56
  end

57


58
  def scanner_postscan(_batch)

59
    @results.keys.each do |k|

60
      # TODO: check to see if any of the responses are actually NTP before reporting

61
      report_service(

62
        host: k,

63
        proto: 'udp',

64
        port: rport,

65
        name: 'ntp',

66
        info: @results[k].map { |r| r.payload.slice(0,r.payload_size) }.join.inspect

67
      )

68


69
      peer = "#{k}:#{rport}"

70
      response_map = { @probe => @results[k] }

71
      vulnerable, proof = prove_amplification(response_map)

72
      what = 'NTP Mode 6 READVAR DRDoS'

73
      if vulnerable

74
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")

75
        report_vuln(

76
          host: k,

77
          port: rport,

78
          proto: 'udp',

79
          name: what,

80
          refs: references

81
        )

82
      else

83
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")

84
      end

85
    end

86
  end

87
end

88


89