I recently needed to check an NTP Reserved Mode Denial of Service vulnerability, CVE-2009-3563, but without causing the DoS condition on the production server. The issue comes up when one NTP daemon queries another with the
If the target NTP server provides a response, it's vulnerable:
A denial of service condition could happen if an attacker spoofs the IP address of a vulnerable NTP server, then sends an NTP query with the MODE_PRIVATE flag set. The two NTP servers enter a continuous loop, sending MODE_PRIVATE queries back and forth. Metasploit's auxiliary module auxiliary/dos/ntp/ntpd_reserved_dos demonstrates this issue; however, it also executes the vulnerability, so I wrote my own Ruby script to assess the remote server.
```ruby
# Author: Gursev Singh Kalra
require 'socket'

TIMEOUT = 5

if ARGV.count != 1
  puts "[-] Target host not provided. Usage: ntp.rb <target_host>"
  exit
end

target_server = ARGV[0]
target_port = 123
socket = nil
response = nil

begin
  # Mode 7 (MODE_PRIVATE) packet: first byte 0x97 = response bit set, version 2, mode 7.
  # .b forces binary encoding so the byte comparison below works on Ruby 1.9+.
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.open
  socket.send(test_string, 0, target_server, target_port)
  # Wait up to TIMEOUT seconds for a reply; recvfrom returns [data, sender_info]
  if select([socket], nil, nil, TIMEOUT)
    response, _sender = socket.recvfrom(10)
  end
rescue IOError, SocketError, SystemCallError => ex
  puts ex.to_s
ensure
  socket.close if socket
end

# A vulnerable ntpd answers the mode 7 packet with a mode 7 reply carrying the same header
if response && response.index("\x97\x00\x00\x00".b)
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end
```
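As an added example (not part of the original post or its script), here is a Ruby decoder for the mode 7 header that judges a reply by its fields (response bit, version, mode, error code) instead of matching the literal four-byte string; the field layout follows ntpd's request/response header, and the sample packets fed to it are constructed for illustration.

```ruby
MODE_PRIVATE = 7

# Decode the mode 7 (MODE_PRIVATE) header used by ntpd's private request protocol:
#   byte 0: R (bit 7) | M (bit 6) | version (bits 5-3) | mode (bits 2-0)
#   byte 1: auth (bit 7) | sequence (bits 6-0)
#   byte 2: implementation number
#   byte 3: request code
#   bytes 4-5: err_nitems, error code in the top 4 bits, item count in the low 12
# Returns nil for anything shorter than four bytes (not a mode 7 header at all).
def parse_mode7_header(pkt)
  return nil if pkt.nil? || pkt.bytesize < 4
  b = pkt.unpack('C4')
  h = {
    response:       (b[0] & 0x80) != 0,
    more:           (b[0] & 0x40) != 0,
    version:        (b[0] >> 3) & 0x07,
    mode:           b[0] & 0x07,
    auth:           (b[1] & 0x80) != 0,
    sequence:       b[1] & 0x7f,
    implementation: b[2],
    request_code:   b[3],
  }
  if pkt.bytesize >= 6
    err_nitems = pkt.byteslice(4, 2).unpack1('n')
    h[:error]  = (err_nitems >> 12) & 0x0f
    h[:nitems] = err_nitems & 0x0fff
  end
  h
end

# True only when the packet is a mode 7 packet with the response bit set, i.e. the
# kind of reply the probe above is waiting for. A normal client/server packet
# (mode 3/4) or a mode 7 request with the response bit clear is not counted.
def mode7_reply?(pkt)
  h = parse_mode7_header(pkt)
  !h.nil? && h[:mode] == MODE_PRIVATE && h[:response]
end
```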
Here's what the tool's output looks like:
Great minds... After I wrote this script I passed it on to a co-worker, Brad Antoniewicz, and to my surprise I discovered that he had actually written the same script, but in Python! So we decided to throw all of our scripts up on GitHub to help avoid any future duplication.
Here are a bunch of pentest scripts that help speed up manual validation of vulnerabilities, and whose outputs you can potentially leverage for further attacks.