Metasploit has a few scanners for NTP vulnerabilities under auxiliary/scanner/ntp/ntp_*, and they will report hosts as being vulnerable to amplification attacks.
msf auxiliary(ntp_readvar) > run
[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)
[+] 1.1.1.1:123 - Vulnerable to NTP Mode 6 READVAR DRDoS: No packet amplification and a 34x, 396-byte bandwidth amplification
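To make the scanner's "bandwidth amplification" figure concrete, here is an added example (my own code, not Metasploit's module): a small parser for NTP Mode 6 control packets that computes the reply-to-probe byte ratio and flags oversized READVAR replies, the kind of check you could run over UDP/123 traffic leaving a server you operate. The sample reply and its variable values are constructed for the example.

```python
import struct

# NTP control message (mode 6) header as specified in RFC 1305, Appendix B:
# LI/VN/Mode | R/E/M/OpCode | Sequence | Status | AssocID | Offset | Count (12 bytes)
CTRL_HDR = struct.Struct("!BBHHHHH")
OP_READVAR = 2  # opcode 2 = read variables, the probe the scanner sends

def build_readvar_request(version=2):
    """The 12-byte Mode 6 READVAR probe; used here only as the size baseline."""
    return CTRL_HDR.pack((version << 3) | 6, OP_READVAR, 0, 0, 0, 0, 0)

def parse_control(pkt):
    """Decode a Mode 6 header and payload; raise ValueError if pkt is not mode 6."""
    if len(pkt) < CTRL_HDR.size:
        raise ValueError("too short for an NTP control header")
    li_vn_mode, rem_op, seq, status, assoc, offset, count = CTRL_HDR.unpack_from(pkt)
    if li_vn_mode & 0x07 != 6:
        raise ValueError("not an NTP control (mode 6) packet")
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "response": bool(rem_op & 0x80),   # R bit: set on replies
        "error": bool(rem_op & 0x40),      # E bit: error response
        "more": bool(rem_op & 0x20),       # M bit: more fragments follow
        "opcode": rem_op & 0x1F,
        "sequence": seq, "status": status, "assoc_id": assoc,
        "offset": offset, "count": count,
        "payload": pkt[CTRL_HDR.size:CTRL_HDR.size + count],
    }

def amplification_factor(request, response):
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return len(response) / len(request)

def is_readvar_reflection(pkt, request_len=CTRL_HDR.size, threshold=10.0):
    """True if pkt is a READVAR reply large enough to be attractive as a reflector.
    A hit on traffic leaving your own server means it still answers mode 6
    queries from arbitrary sources (ntpd's 'noquery' restriction turns that off)."""
    try:
        hdr = parse_control(pkt)
    except ValueError:
        return False
    if not hdr["response"] or hdr["opcode"] != OP_READVAR:
        return False
    return len(pkt) / request_len >= threshold

# Constructed sample reply (values made up) of the kind ntpd returns to READVAR.
SAMPLE_VARS = (b'version="ntpd 4.2.6p5@1.2349-o Mon Jan  1 00:00:00 UTC 2000 (1)", '
               b'processor="x86_64", system="Linux/3.10.0", leap=0, stratum=3, '
               b'precision=-23, rootdelay=12.345, rootdisp=45.678, refid=10.0.0.1, '
               b'reftime=0xd9a1b2c3.12345678, clock=0xd9a1b2c4.87654321, peer=1234, '
               b'tc=6, mintc=3, offset=0.123, frequency=-1.234, sys_jitter=0.456, '
               b'clk_jitter=0.789, clk_wander=0.012')
SAMPLE_REPLY = CTRL_HDR.pack((2 << 3) | 6, 0x80 | OP_READVAR, 1, 0, 0, 0,
                             len(SAMPLE_VARS)) + SAMPLE_VARS
```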
I've largely not paid attention to these types of attacks in the past, but in this case I needed to validate that I could get the vulnerable host to send traffic to a target/spoofed IP.
I set up two boxes to run the attack: an attack box and a target box that I used as the spoofed source IP address. I ran tcpdump on the target/spoofed server (yes...listening for UDP packets) and it was receiving no UDP packets when I ran the attack. If I didn't spoof the source IP, the vulnerable server would send data back to the attacker IP, but nothing ever arrived at the spoofed IP.
Metasploit (running as root) can spoof the IP for you:
msf auxiliary(ntp_readvar) > set SRCIP 2.2.2.2
SRCIP => 2.2.2.2
msf auxiliary(ntp_readvar) > run
[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)
[*] Sending 1 packet(s) to 1.1.1.1 from 2.2.2.2
To rule out it being a Metasploit thing, I also worked through the attack with scapy, following the examples here: http://www.nothink.org/misc/snmp_reflected.php
So I asked on Twitter...fucking mistake...after getting past the trolls and well-intentioned people who didn't think I understood basic networking/spoofing at all (heart u), link #1 and link #2 were offered as the likely reason I couldn't spoof the IP, as well as a hint that the last time someone got it to work they had to rent a physical server in a dodgy colo.
A bit of reading later I found https://spoofer.caida.org/recent_tests.php, which lets you check whether a particular ASN allows spoofing, along with the statistic that only 20% of the Internet allows spoofing.
source: https://spoofer.caida.org/summary.php
Checking common ISP and cloud provider ASNs showed that most weren't vulnerable to spoofing.
So, mystery solved, and another aux module/vuln scanner result that can be quickly triaged and/or ignored.
If someone has had different results please let me know.
P.S.
Someone asked if the vulnerable host was receiving the traffic. I couldn't answer for the initial host, but to satisfy my curiosity I built a vulnerable NTP server, and it did NOT receive the traffic even with hosts from the same VPS provider in the same data center (different subnets).