Lucene search
K

UDP Amplification Scanner

🗓️ 25 Oct 2016 20:58:46Reported by Jon Hart <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 56 Views

UDP Amplification Scanner module to detect UDP endpoints with amplification vulnerabilitie

Related
Code
ReporterTitlePublishedViews
Family
0day.today
NTP ntpd monlist Query Reflection - Denial of Service
29 Apr 201400:00
zdt
IBM Security Bulletins
Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-5211)
14 Apr 202314:32
ibm
IBM Security Bulletins
Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb
11 Sep 201917:35
ibm
IBM Security Bulletins
Security Bulletin: Three potential vulnerabilities in IBM GCM16/GCM32 Global Console Managers (CVE-2014-3085, CVE-2014-3081, CVE-2014-3080)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: IBM Flex System Manager (FSM) is affected by security vulnerabilities. (CVE-2013-5772, CVE-2013-5803, CVE-2013-5372, CVE-2013-5780, CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: IBM Flex System Manager (FSM) is affected by vulnerability (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: Libxml2 vulnerabilities in Network Intrusion Prevention System (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660, CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins
Security Bulletin: The IBM Chassis Management Module (CMM) is affected by a vulnerability in NTP server (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: NTP vulnerability in Network Intrusion Prevention System (CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins
Security Bulletin: IBM Virtualization Engine TS7700 - The NTP monlist command is enabled (CVE-2013-5211)
18 Jun 201800:09
ibm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::DRDoS
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  def initialize
    super(
      'Name'        => 'UDP Amplification Scanner',
      'Description' => 'Detect UDP endpoints with UDP amplification vulnerabilities',
      'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A']
        ]
    )

    register_options(
      [
        OptString.new('PORTS', [true, 'Ports to probe']),
        OptString.new('PROBE', [false, 'UDP payload/probe to send.  Unset for an empty UDP datagram, or the `file://` resource to get content from a local file'])
      ]
    )

    # RPORT is unused in this scanner module because it supports multiple ports
    deregister_options('RPORT')
  end

  def setup
    super

    unless (@ports = Rex::Socket.portspec_crack(datastore['PORTS']))
      fail_with(Failure::BadConfig, "Unable to extract list of ports from #{datastore['PORTS']}")
    end

    @probe = datastore['PROBE'] ? datastore['PROBE'] : ''
  end

  def scanner_prescan(batch)
    print_status("Sending #{@probe.length}-byte probes to #{@ports.length} port(s) on #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
    @results ||= {}
  end

  def scan_host(ip)
    @ports.each do |port|
      scanner_send(@probe, ip, port)
    end
  end

  # Called for each response packet, overriding UDPScanner's so that we can
  # store all responses on a per-host, per-port basis
  def scanner_process(data, shost, sport)
    @results[shost] ||= {}
    @results[shost][sport] ||= []
    @results[shost][sport] << data
  end

  def scanner_postscan(batch)
    batch.each do |shost|
      next unless @results.key?(shost)
      @results[shost].each_pair do |sport, responses|
        report_service(host: shost, port: sport, proto: 'udp', info: responses.inspect, state: 'open')
        vulnerable, proof = prove_amplification(@probe => responses)
        next unless vulnerable
        print_good("#{shost}:#{sport} - susceptible to UDP amplification: #{proof}")
        report_vuln(
          host: shost,
          port: sport,
          proto: 'udp',
          name: 'UDP amplification',
          refs: references
        )
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
7.1High risk
Vulners AI Score7.1
CVSS 25
EPSS0.97549
56