Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::Udp
9
  include Msf::Auxiliary::UDPScanner
10
  include Msf::Auxiliary::NTP
11
  include Msf::Auxiliary::DRDoS
12

13
  def initialize
14
    super(
15
      'Name'           => 'NTP Mode 6 REQ_NONCE DRDoS Scanner',
16
      'Description'    => %q{
17
        This module identifies NTP servers which permit mode 6 REQ_NONCE requests that
18
        can be used to conduct DRDoS attacks. In some configurations, NTP servers will
19
        respond to REQ_NONCE requests with a response larger than the request,
20
        allowing remote attackers to cause a distributed, reflected
21
        denial of service (aka, "DRDoS" or traffic amplification) via spoofed
22
        requests.
23
      },
24
      'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
25
      'References'     =>
26
        [
27
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
28
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
29
          ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']
30
        ],
31
      'DisclosureDate' => 'Aug 25 2014',
32
      'License'        => MSF_LICENSE
33
    )
34
  end
35

36
  # Called for each response packet
37
  def scanner_process(data, shost, sport)
38
    @results[shost] ||= []
39
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)
40
  end
41

42
  # Called before the scan block
43
  def scanner_prescan(batch)
44
    @results = {}
45
    @probe = Rex::Proto::NTP::NTPControl.new
46
    @probe.version = datastore['VERSION']
47
    @probe.operation = 12
48
  end
49

50
  # Called after the scan block
51
  def scanner_postscan(batch)
52
    @results.keys.each do |k|
53
      response_map = { @probe => @results[k] }
54
      # TODO: check to see if any of the responses are actually NTP before reporting
55
      report_service(
56
        :host  => k,
57
        :proto => 'udp',
58
        :port  => rport,
59
        :name  => 'ntp'
60
      )
61

62
      peer = "#{k}:#{rport}"
63
      vulnerable, proof = prove_amplification(response_map)
64
      what = 'R7-2014-12 NTP Mode 6 REQ_NONCE DRDoS'
65
      if vulnerable
66
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
67
        report_vuln({
68
          :host  => k,
69
          :port  => rport,
70
          :proto => 'udp',
71
          :name  => what,
72
          :refs  => self.references
73
        })
74
      else
75
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
76
      end
77
    end
78
  end
79
end
80

81