
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner that identifies NTP servers answering mode 6 (control)
# UNSETTRAP requests in a way that amplifies traffic, i.e. servers that could
# be abused as reflectors in a DRDoS attack (R7-2014-12).
#
# The class only builds the probe, collects the parsed responses per host and
# reports the outcome; the amplification verdict comes from prove_amplification
# (not defined in this class, presumably supplied by an included mixin).
#
# Operators of a flagged server usually mitigate by denying mode 6/7 queries
# from untrusted sources (ntpd `restrict ... noquery`).
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP
  include Msf::Auxiliary::DRDoS

  # Registers the module metadata (name, description, author, references,
  # disclosure date, license) with the framework.
  def initialize
    module_info = {
      'Name' => 'NTP Mode 6 UNSETTRAP DRDoS Scanner',
      'Description' => %q{
        This module identifies NTP servers which permit mode 6 UNSETTRAP requests that
        can be used to conduct DRDoS attacks. In some configurations, NTP servers will
        respond to UNSETTRAP requests with multiple packets, allowing remote attackers
        to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic
        amplification) via spoofed requests.
      },
      'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
      'References' => [
        ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
        ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']
      ],
      'DisclosureDate' => 'Aug 25 2014',
      'License' => MSF_LICENSE
    }
    super(module_info)
  end

  # Called for each response packet.
  #
  # Parses the payload as an NTP control message and appends it to the list
  # kept for the sending host. `sport` is accepted but not used.
  #
  # NOTE(review): `data` comes straight off the network; confirm that
  # NTPControl#read tolerates short or non-NTP payloads.
  def scanner_process(data, shost, sport)
    responses = (@results[shost] ||= [])
    responses << Rex::Proto::NTP::NTPControl.new.read(data)
  end

  # Called before the scan block.
  #
  # Resets the per-host response table and builds the probe that the
  # responses are later measured against.
  def scanner_prescan(batch)
    @results = {}
    @probe = Rex::Proto::NTP::NTPControl.new
    # NTP version for the probe is taken from the VERSION datastore option
    @probe.version = datastore['VERSION']
    # 31 is the mode 6 UNSETTRAP opcode
    @probe.operation = 31
  end

  # Called after the scan block.
  #
  # For every host that sent at least one response: records an 'ntp' UDP
  # service on rport, asks prove_amplification whether the responses amplify
  # the probe, and files a vulnerability when they do.
  def scanner_postscan(batch)
    @results.keys.each do |host|
      responses_by_probe = { @probe => @results[host] }

      # TODO: check to see if any of the responses are actually NTP before reporting
      # Until then, any responder on rport is recorded as an 'ntp' service,
      # so the service table can contain false entries.
      report_service(host: host, proto: 'udp', port: rport, name: 'ntp')

      peer = "#{host}:#{rport}"
      vulnerable, proof = prove_amplification(responses_by_probe)
      what = 'R7-2014-12 NTP Mode 6 UNSETTRAP DRDoS'

      unless vulnerable
        # Only shown in verbose mode; nothing is reported for this host
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
        next
      end

      print_good("#{peer} - Vulnerable to #{what}: #{proof}")
      report_vuln({
        host: host,
        port: rport,
        proto: 'udp',
        name: what,
        refs: references
      })
    end
  end
end