CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::Udp

9
  include Msf::Auxiliary::UDPScanner

10
  include Msf::Auxiliary::NTP

11
  include Msf::Auxiliary::DRDoS

12


13
  def initialize

14
    super(

15
      'Name'           => 'NTP Mode 6 REQ_NONCE DRDoS Scanner',

16
      'Description'    => %q{

17
        This module identifies NTP servers which permit mode 6 REQ_NONCE requests that

18
        can be used to conduct DRDoS attacks. In some configurations, NTP servers will

19
        respond to REQ_NONCE requests with a response larger than the request,

20
        allowing remote attackers to cause a distributed, reflected

21
        denial of service (aka, "DRDoS" or traffic amplification) via spoofed

22
        requests.

23
      },

24
      'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',

25
      'References'     =>

26
        [

27
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb

28
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],

29
          ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']

30
        ],

31
      'DisclosureDate' => 'Aug 25 2014',

32
      'License'        => MSF_LICENSE

33
    )

34
  end

35


36
  # Called for each response packet

37
  def scanner_process(data, shost, sport)

38
    @results[shost] ||= []

39
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)

40
  end

41


42
  # Called before the scan block

43
  def scanner_prescan(batch)

44
    @results = {}

45
    @probe = Rex::Proto::NTP::NTPControl.new

46
    @probe.version = datastore['VERSION']

47
    @probe.operation = 12

48
  end

49


50
  # Called after the scan block

51
  def scanner_postscan(batch)

52
    @results.keys.each do |k|

53
      response_map = { @probe => @results[k] }

54
      # TODO: check to see if any of the responses are actually NTP before reporting

55
      report_service(

56
        :host  => k,

57
        :proto => 'udp',

58
        :port  => rport,

59
        :name  => 'ntp'

60
      )

61


62
      peer = "#{k}:#{rport}"

63
      vulnerable, proof = prove_amplification(response_map)

64
      what = 'R7-2014-12 NTP Mode 6 REQ_NONCE DRDoS'

65
      if vulnerable

66
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")

67
        report_vuln({

68
          :host  => k,

69
          :port  => rport,

70
          :proto => 'udp',

71
          :name  => what,

72
          :refs  => self.references

73
        })

74
      else

75
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")

76
      end

77
    end

78
  end

79
end

80


81