GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
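# Auxiliary scanner that sends one NTP mode 6 (control) UNSETTRAP request per
# target and records what comes back, so that servers answering with more
# traffic than they received can be identified and reported.
#
# The result is a finding for the owner of the scanned server: a host flagged
# here can be used as a reflector unless mode 6 queries are restricted.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP
  include Msf::Auxiliary::DRDoS

  def initialize
    super(
      'Name' => 'NTP Mode 6 UNSETTRAP DRDoS Scanner',
      'Description' => %q{
        This module identifies NTP servers which permit mode 6 UNSETTRAP requests that
        can be used to conduct DRDoS attacks.  In some configurations, NTP servers will
        respond to UNSETTRAP requests with multiple packets, allowing remote attackers
        to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic
        amplification) via spoofed requests.
      },
      'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
      'References' => [
        ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
        ['URL', 'https://www.rapid7.com/blog/post/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/']
      ],
      'DisclosureDate' => 'Aug 25 2014',
      'License' => MSF_LICENSE
    )
  end

  # Called for each response packet.
  #
  # The payload is whatever arrived on the scan socket, so it is untrusted and
  # may be truncated or not NTP at all. It is parsed before the host is added
  # to @results, which means a host only appears there with at least one
  # successfully parsed response. A parse failure is logged and skipped rather
  # than allowed to raise out of this callback.
  # NOTE(review): the calling mixin is not on this page; presumably an exception
  # raised here would interrupt processing for the rest of the batch. Confirm.
  #
  # @param data  the raw response payload
  # @param shost the source address of the response
  # @param sport the source port of the response
  def scanner_process(data, shost, sport)
    response = Rex::Proto::NTP::NTPControl.new.read(data)
    (@results[shost] ||= []) << response
  rescue ::StandardError => e
    vprint_error("#{shost}:#{sport} - Ignoring unparseable response: #{e.class}")
  end

  # Called before the scan block.
  #
  # Clears the per-batch results and builds the control request that the
  # responses are later compared against. The code that transmits @probe is
  # not on this page.
  #
  # @param batch the hosts in this batch (unused here)
  def scanner_prescan(batch)
    @results = {}
    @probe = Rex::Proto::NTP::NTPControl.new
    @probe.version = datastore['VERSION']
    # 31 is the mode 6 opcode for UNSETTRAP, the request named in this module's title.
    @probe.operation = 31
  end

  # Called after the scan block.
  #
  # Reports an 'ntp' UDP service for every host that produced a parsed response,
  # then asks prove_amplification whether those responses amount to
  # amplification of the single probe, and records a vulnerability if so.
  #
  # @param batch the hosts in this batch (unused here)
  def scanner_postscan(batch)
    what = 'R7-2014-12 NTP Mode 6 UNSETTRAP DRDoS'

    @results.each do |host, responses|
      # TODO: check to see if any of the responses are actually NTP before reporting
      # Until that check exists, any datagram that parses is enough for the
      # service to be recorded as 'ntp', so treat the service entry as a hint.
      report_service(
        host: host,
        proto: 'udp',
        port: rport,
        name: 'ntp'
      )

      peer = "#{host}:#{rport}"
      vulnerable, proof = prove_amplification({ @probe => responses })
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
        report_vuln({
          host: host,
          port: rport,
          proto: 'udp',
          name: what,
          refs: references
        })
      else
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
      end
    end
  end
end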