KekSec

NTP monlist Scanner

Oct 31st, 2016
  1. #!/usr/bin/perl
  2.  
  3. ############################
  4. #
  5. # |]uck 7ape 5cripts 29-01-2014
  6. # Rev: 0.00000000000000001
  7. # Added in Forking
  8. # Rev: 0.00000000000000002
  9. # Added CIDR blocks
  10. #
  11. ############################
  12.  
  13. use Getopt::Long;
  14. use Socket;
  15. use Parallel::ForkManager;
  16. use Net::DNS;
  17. use Data::Dumper;
  18. use NetAddr::IP;
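  # Run-wide state. $date stamps every result line and the log file name.
  # It is built from localtime() instead of shelling out to date(1), so
  # start-up neither spawns a shell nor depends on what "date" resolves to
  # on PATH. The format is unchanged: YYYY-MM-DD in local time.
  my @now  = localtime;
  my $date = sprintf( "%04d-%02d-%02d", $now[5] + 1900, $now[4] + 1, $now[3] );
  print "\nDate:$date\n";

  # Option targets filled in by GetOptions.
  my $hfile;    # --hfile: path of a file listing one address per line
  my $log;      # --log: set when findings should also go to a log file
  my $help;     # --help
  my @cidr;     # --cidr: one or more CIDR blocks to expand

  my @HFILE;                            # every address queued for probing
  my $res = Net::DNS::Resolver->new;    # resolver used for the PTR lookups

  # Declared by the script but never read anywhere in this listing.
  my $loa   = "0";
  my @LOA   = ();
  my $debug = "0";
  my $host  = "0";
  my $abuseemail;
  my $child;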
  32.  
  33.  
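  # Parse the command line. Usage is printed and the run stops when no
  # arguments are given, when GetOptions rejects the input, or when --help is
  # requested. Previously usage was printed and execution carried on with
  # whatever had been parsed, and --help was accepted but never acted on.
  my $options_ok = @ARGV >= 1 && GetOptions(
      "hfile=s" => \$hfile,
      "help"    => \$help,
      "log"     => \$log,
      "cidr=s"  => \@cidr,
  );
  if ( !$options_ok or $help ) {
      help();
      # Non-zero status only for a usage error, not for an explicit --help.
      exit( $options_ok ? 0 : 2 );
  }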
  40.  
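  # Optional result log. The file name is built from the run date and the
  # first --cidr argument with "/" turned into "-" and "." into "_", so the
  # argument cannot add a "/" path separator to the name. The name ends in
  # -HIGH, but the scan loop writes MEDIUM findings to the same handle.
  if ($log) {
      # $cidr[0] is undefined when the targets came from --hfile; the name
      # then has an empty middle part, as it did before.
      my $fname = defined $cidr[0] ? $cidr[0] : '';
      print("\nfname=$fname\n");
      $fname =~ tr{/.}{-_};
      my $hlog = "$date-$fname-HIGH";

      # HLOG stays a package-level handle because the scan loop prints to it.
      # $! is included so a permissions or path problem is visible.
      open( HLOG, ">", $hlog ) or die "\nERROR:Cannot open file $hlog: $!";
  }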
  # Print the banner and the option summary to STDOUT.
  # Takes no arguments; returns the result of the print call.
  sub help () {
      my @usage = (
          "\n\t\|\]uck 7ape script's presents:\n\t NTP monlist scanner\n",
          "\nThis script finds NTP servers on a network and tries to run the monlist\n"
            . "command against it to see if CVE-2013-5211 applies\n\n",
          "Options:\n",
          "-hfile <file> : A file that contains a list of vaild /32 IP-addresses one per line\n",
          "-cidr <x.x.x.x/yy> : CIDR block\n",
          "-log : Eable log file in the log directory",
          "\n",
      );

      # A single print emits the pieces in their original order.
      return print @usage;
  }
  61.  
  # The two target sources are mutually exclusive: when a host file and at
  # least one CIDR block are both given, report it, show usage and stop.
  my $both_sources = defined($hfile) && scalar(@cidr);
  if ($both_sources) {
      print "Error: Can not use both --hfile and --cider at the same time\n";
      help();
      exit;
  }
  67.  
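  # Load targets from --hfile, one address per line. Every queued entry is
  # later placed on an ntpdc command line, so only strings made of IP-literal
  # characters are accepted here; comment lines, blank lines and anything
  # else are skipped instead of being queued.
  if ( defined $hfile ) {
      open( my $host_fh, "<", $hfile )
          or die "\nERROR:Cannot open file $hfile: $!\n";
      print("Reading in the host file\n");
      while ( my $entry = <$host_fh> ) {
          $entry =~ s/\s+\z//;    # newline plus any trailing CR or blanks
          $entry =~ s/\A\s+//;
          next if $entry eq '' or $entry =~ /^#/;
          unless ( _is_ip_literal($entry) ) {
              warn "Skipping line $. of $hfile: not an IP address literal\n";
              next;
          }
          push( @HFILE, $entry );
      }
      close($host_fh);
  }

  # True when $text consists only of characters that occur in IPv4/IPv6
  # literals (hex digits, "." and ":"), does not start with ".", and is at
  # most 45 characters long. This is an allow-list that keeps shell
  # metacharacters and option-like strings out of the queue, not a full
  # address parser.
  sub _is_ip_literal {
      my ($text) = @_;
      return 0 unless defined $text;
      return $text =~ /\A[0-9A-Fa-f:][0-9A-Fa-f:.]{0,44}\z/ ? 1 : 0;
  }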
  78.  
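  # Expand every --cidr block into its host addresses and queue them in
  # @HFILE.
  # NOTE(review): the whole range is held in memory at once, so a very large
  # block produces a very large list.
  if (@cidr) {
      for my $cidr (@cidr) {
          # The progress line used to interpolate a misspelled variable and
          # so printed an empty block name.
          print("Converting $cidr into IP's\n");

          my $block = NetAddr::IP->new($cidr);
          unless ( defined $block ) {
              # new() yields undef for input it cannot parse; calling
              # hostenumref on that would abort the whole run.
              warn "Skipping $cidr: not a valid CIDR block\n";
              next;
          }
          push( @HFILE, map { $_->addr } @{ $block->hostenumref } );
      }
  }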
  90.  
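  # Probe every queued address with `ntpdc -n -c monlist`, up to 50 at a time,
  # and print one CSV line per host: date,address,severity,finding,PTR name.
  # MEDIUM and HIGH lines are also written to HLOG when --log is set.
  #
  # Reading a HIGH line: the host answered an unauthenticated monlist query
  # (CVE-2013-5211). The usual remediation is to move ntpd to a release that
  # no longer offers monlist, or to set "disable monitor" or a "restrict"
  # line with "noquery" in ntp.conf.
  my $pm = Parallel::ForkManager->new(50);

  # Checked in this order; the first pattern found in the ntpdc output
  # decides the verdict. Columns: pattern, severity, finding, also-log flag.
  my @verdicts = (
      [ qr/timed out/, 'NO RISK', 'NTP service timed out', 0 ],
      [ qr/implement this request/, 'MEDIUM', 'NTP does not implement the monlist command', 1 ],

      # Any dotted quad in the output is taken as a returned monlist entry.
      # NOTE(review): an ntpdc message that merely echoes an address would
      # also match here - confirm against the ntpdc build in use.
      [ qr/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/, 'HIGH', 'Vulnerable to CVE-2013-5211', 1 ],
      [ qr/Server reports data not found/, 'MEDIUM', 'NTP server accepted monlist but no data returned', 1 ],
      [ qr/Connection refused/, 'LOW', 'Connection refused', 0 ],
  );

  for my $target (@HFILE) {
      # $target is interpolated into a shell command line below, so it is
      # restricted to IP-literal characters first (hex digits, "." and ":",
      # no leading "."), whatever the source of the queue was.
      unless ( defined $target
          and $target =~ /\A[0-9A-Fa-f:][0-9A-Fa-f:.]{0,44}\z/ )
      {
          warn "Skipping queued entry: not an IP address literal\n";
          next;
      }

      $pm->start and next;    # parent moves on; the child falls through

      # Reverse lookup, used only to label the result line.
      my $ptr_name = "No PTR";
      if ( my $reply = $res->query( $target, "PTR" ) ) {
          for my $rr ( $reply->answer ) {
              # Other record types in the answer section are not expected
              # to offer ptrdname, so only PTR records are read.
              next unless $rr->type eq 'PTR';
              $ptr_name = $rr->ptrdname;    # last PTR wins, as before
          }
      }

      # The PTR name is set by whoever controls the reverse zone of the
      # probed address and ends up in a CSV line, so anything outside a
      # plain hostname alphabet (commas, quotes, control bytes) is replaced.
      $ptr_name =~ s/[^A-Za-z0-9._\- ]/_/g;

      my $CMD = `ntpdc -n -c monlist $target 2>&1`;

      #print ("Debug\n$CMD\nEnd Debug\n");
      my ($hit) = grep { $CMD =~ $_->[0] } @verdicts;
      if ($hit) {
          my ( undef, $severity, $finding, $also_log ) = @{$hit};
          my $line = "$date,$target,$severity,$finding,$ptr_name\n";
          print($line);
          print HLOG $line if $also_log and $log;
      }
      else {
          # Unrecognised output is shown verbatim for manual review; it is
          # text produced in response to a remote host.
          print("NTP out put, IP:$target\n$CMD\n");
      }

      $pm->finish;    # ends the child process
  }
  $pm->wait_all_children;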