Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::Udp
9
  include Msf::Auxiliary::UDPScanner
10
  include Msf::Auxiliary::NTP
11
  include Msf::Auxiliary::DRDoS
12

13
  def initialize
14
    super(
15
      'Name'           => 'NTP Mode 6 UNSETTRAP DRDoS Scanner',
16
      'Description'    => %q{
17
        This module identifies NTP servers which permit mode 6 UNSETTRAP requests that
18
        can be used to conduct DRDoS attacks.  In some configurations, NTP servers will
19
        respond to UNSETTRAP requests with multiple packets, allowing remote attackers
20
        to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic
21
        amplification) via spoofed requests.
22
      },
23
      'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
24
      'References'     =>
25
        [
26
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
27
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
28
          ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']
29
        ],
30
      'DisclosureDate' => 'Aug 25 2014',
31
      'License'        => MSF_LICENSE
32
    )
33
  end
34

35
  # Called for each response packet
36
  def scanner_process(data, shost, sport)
37
    @results[shost] ||= []
38
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)
39
  end
40

41
  # Called before the scan block
42
  def scanner_prescan(batch)
43
    @results = {}
44
    @probe = Rex::Proto::NTP::NTPControl.new
45
    @probe.version = datastore['VERSION']
46
    @probe.operation = 31
47
  end
48

49
  # Called after the scan block
50
  def scanner_postscan(batch)
51
    @results.keys.each do |k|
52
      response_map = { @probe => @results[k] }
53
      # TODO: check to see if any of the responses are actually NTP before reporting
54
      report_service(
55
        :host  => k,
56
        :proto => 'udp',
57
        :port  => rport,
58
        :name  => 'ntp'
59
      )
60

61
      peer = "#{k}:#{rport}"
62
      vulnerable, proof = prove_amplification(response_map)
63
      what = 'R7-2014-12 NTP Mode 6 UNSETTRAP DRDoS'
64
      if vulnerable
65
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
66
        report_vuln({
67
          :host  => k,
68
          :port  => rport,
69
          :proto => 'udp',
70
          :name  => what,
71
          :refs  => self.references
72
        })
73
      else
74
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
75
      end
76
    end
77
  end
78
end
79

80