Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

UDP Amplification Scanner

🗓️ 31 Aug 2024 00:00:00Reported by Jon Hart, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 198 Views

Detect UDP endpoints with UDP amplification vulnerabilities. Send probes to multiple ports

Related
Code
ReporterTitlePublishedViews
Family
0day.today		NTP ntpd monlist Query Reflection - Denial of Service
29 Apr 201400:00
zdt
IBM Security Bulletins		Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-5211)
14 Apr 202314:32
ibm
IBM Security Bulletins		Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb
11 Sep 201917:35
ibm
IBM Security Bulletins		Security Bulletin: Three potential vulnerabilities in IBM GCM16/GCM32 Global Console Managers (CVE-2014-3085, CVE-2014-3081, CVE-2014-3080)
31 Jan 201901:25
ibm
IBM Security Bulletins		Security Bulletin: IBM Flex System Manager (FSM) is affected by security vulnerabilities. (CVE-2013-5772, CVE-2013-5803, CVE-2013-5372, CVE-2013-5780, CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins		Security Bulletin: IBM Flex System Manager (FSM) is affected by vulnerability (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins		Security Bulletin: Libxml2 vulnerabilities in Network Intrusion Prevention System (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660, CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins		Security Bulletin: The IBM Chassis Management Module (CMM) is affected by a vulnerability in NTP server (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins		Security Bulletin: NTP vulnerability in Network Intrusion Prevention System (CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins		Security Bulletin: IBM Virtualization Engine TS7700 - The NTP monlist command is enabled (CVE-2013-5211)
18 Jun 201800:09
ibm
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::DRDoS  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::UDPScanner  
  
def initialize  
super(  
'Name' => 'UDP Amplification Scanner',  
'Description' => 'Detect UDP endpoints with UDP amplification vulnerabilities',  
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb  
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A']  
]  
)  
  
register_options(  
[  
OptString.new('PORTS', [true, 'Ports to probe']),  
OptString.new('PROBE', [false, 'UDP payload/probe to send. Unset for an empty UDP datagram, or the `file://` resource to get content from a local file'])  
]  
)  
  
# RPORT is unused in this scanner module because it supports multiple ports  
deregister_options('RPORT')  
end  
  
def setup  
super  
  
unless (@ports = Rex::Socket.portspec_crack(datastore['PORTS']))  
fail_with(Failure::BadConfig, "Unable to extract list of ports from #{datastore['PORTS']}")  
end  
  
@probe = datastore['PROBE'] ? datastore['PROBE'] : ''  
end  
  
def scanner_prescan(batch)  
print_status("Sending #{@probe.length}-byte probes to #{@ports.length} port(s) on #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")  
@results ||= {}  
end  
  
def scan_host(ip)  
@ports.each do |port|  
scanner_send(@probe, ip, port)  
end  
end  
  
# Called for each response packet, overriding UDPScanner's so that we can  
# store all responses on a per-host, per-port basis  
def scanner_process(data, shost, sport)  
@results[shost] ||= {}  
@results[shost][sport] ||= []  
@results[shost][sport] << data  
end  
  
def scanner_postscan(batch)  
batch.each do |shost|  
next unless @results.key?(shost)  
@results[shost].each_pair do |sport, responses|  
report_service(host: shost, port: sport, proto: 'udp', info: responses.inspect, state: 'open')  
vulnerable, proof = prove_amplification(@probe => responses)  
next unless vulnerable  
print_good("#{shost}:#{sport} - susceptible to UDP amplification: #{proof}")  
report_vuln(  
host: shost,  
port: sport,  
proto: 'udp',  
name: 'UDP amplification',  
refs: references  
)  
end  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 25
EPSS0.92136
metasploitudpscannervulnerabilitiesprobingcventpcisaamplification
198