Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::Udp

9
  include Msf::Auxiliary::UDPScanner

10
  include Msf::Auxiliary::NTP

11
  include Msf::Auxiliary::DRDoS

12


13
  def initialize

14
    super(

15
      'Name' => 'NTP Mode 6 REQ_NONCE DRDoS Scanner',

16
      'Description' => %q{

17
        This module identifies NTP servers which permit mode 6 REQ_NONCE requests that

18
        can be used to conduct DRDoS attacks. In some configurations, NTP servers will

19
        respond to REQ_NONCE requests with a response larger than the request,

20
        allowing remote attackers to cause a distributed, reflected

21
        denial of service (aka, "DRDoS" or traffic amplification) via spoofed

22
        requests.

23
      },

24
      'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',

25
      'References' => [

26
        ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb

27
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],

28
        ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']

29
      ],

30
      'DisclosureDate' => 'Aug 25 2014',

31
      'License' => MSF_LICENSE

32
    )

33
  end

34


35
  # Called for each response packet

36
  def scanner_process(data, shost, sport)

37
    @results[shost] ||= []

38
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)

39
  end

40


41
  # Called before the scan block

42
  def scanner_prescan(batch)

43
    @results = {}

44
    @probe = Rex::Proto::NTP::NTPControl.new

45
    @probe.version = datastore['VERSION']

46
    @probe.operation = 12

47
  end

48


49
  # Called after the scan block

50
  def scanner_postscan(batch)

51
    @results.keys.each do |k|

52
      response_map = { @probe => @results[k] }

53
      # TODO: check to see if any of the responses are actually NTP before reporting

54
      report_service(

55
        :host => k,

56
        :proto => 'udp',

57
        :port => rport,

58
        :name => 'ntp'

59
      )

60


61
      peer = "#{k}:#{rport}"

62
      vulnerable, proof = prove_amplification(response_map)

63
      what = 'R7-2014-12 NTP Mode 6 REQ_NONCE DRDoS'

64
      if vulnerable

65
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")

66
        report_vuln({

67
          :host => k,

68
          :port => rport,

69
          :proto => 'udp',

70
          :name => what,

71
          :refs => self.references

72
        })

73
      else

74
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")

75
      end

76
    end

77
  end

78
end

79


80