Nmap Development mailing list archives

Re: [NSE] NTP Peer Listing

From: David Fifield <david () bamsoftware com>
Date: Fri, 14 May 2010 20:50:28 -0600

On Sun, Apr 11, 2010 at 06:54:52PM +0100, jah wrote:

On 11/04/2010 02:14, Mak Kolybabi wrote:

Attached is an el-cheapo straight-up rip-off of the Metasploit
plugin that lists the most recent hosts that have connected to an
NTP server.

Some additional features that I'm considering are:
- Sorting the list of addresses.
- Separating the list between RFC1918 addresses and non-RFC1918 addresses.

Suggestions and testing would be appreciated.

Hi Mak, All,

Maybe we should join forces on this script - I've written a similar
script which is not quite finished.  The current version is in an
experimental svn branch at:
nmap-exp/jah/scripts/ntp-monlist.nse


I found some time to test these. I really like the idea; we have to
decide which parts of which scripts will be included. Here's a test
against localhost.

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response
| ntp-monlist: discovered internal addresses:
| 127/8 (1)
| and discovered 1 alternative address for the target:
| 192.168.0.21
| and collected 4 IPv4 addresses:
|_66.79.152.35    69.36.241.112   169.229.70.64   208.77.19.5
| ntp-peers:
|   Private Peers (1)
|     127.0.0.1:56189
|   Public Peers (4)
|     66.79.152.35:123
|     69.36.241.112:123
|     169.229.70.64:123
|_    208.77.19.5:123

I like how both scripts separate out the private and public addresses. I
really like the bit "discovered 1 alternative address for the target" in
ntp-monlist. Do you get the netmask back from the NTP server in "127/8"
or is that inferred?

Here's the result from running against the first of the public peers
above (the only one that produced any output). I also included the
output of the Metasploit script.

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response
| ntp-monlist: collected 600 IPv4 addresses:
| 4.78.155.130    66.151.63.26    72.184.160.70   140.182.214.208
| 12.21.127.78    66.152.137.15   72.203.133.69   141.156.191.175
... 146 lines ...
| 66.151.63.14    72.159.219.194  137.113.118.26  217.114.222.89
|_66.151.63.17    72.169.122.140  137.113.118.28  222.66.126.163
| ntp-peers:
|   Private Peers (0)
|   Public Peers (474)
|     4.78.155.130:11308
|     12.21.127.78:123
... 470 lines ...
|     217.114.222.89:123
|_    222.66.126.163:60514

msf auxiliary(ntp_monlist) > set RHOSTS 66.79.152.35
RHOSTS => 66.79.152.35
msf auxiliary(ntp_monlist) > run
[*] Sending probes to 66.79.152.35->66.79.152.35 (1 hosts)
[*] 66.79.152.35:123 96.245.144.224:123 (66.79.152.35)
[*] 66.79.152.35:123 66.83.13.6:123 (66.79.152.35)
... 596 lines ...
[*] 66.79.152.35:123 206.169.68.114:62582 (66.79.152.35)
[*] 66.79.152.35:123 69.7.96.116:6634 (66.79.152.35)
[*] Scanned 1 of 1 hosts (100% complete)

The first thing I see is that ntp-peers gets less than 600 records. This
is reproducible. But when I run it by itself, it gets the maximum of 600.

About the source port numbers: is it possible that these distinguish
between downstream (port 123) and upstream servers (not 123)?

In terms of payload, ntp-monlist's is much shorter than ntp-peer's or
Metasploit's.

ntp-monlist:
17 00 03 2a 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ntp-peers, ntp_monlist.rb:
17 00 03 2a 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

I prefer that the first commit of this script not write to a file. With
four addresses per row, we're looking at about 150 lines of output max,
which is big not but not that big.

jah, you mentioned that you had trouble with Nsock and decided to use
raw sockets and pcap to do the sending and receiving. Can you tell more
about that? Were you getting Nsock TIMEOUT errors? It should not be
necessary to use raw sockets for this script. It might be a bug in Nsock
that has to be fixed.

Overall I prefer the clarity of ntp-peers over ntp-monlist, but I much
appreciate the protocol documentation in ntp-monlist.

This is what I would like to see: A combination of these two scripts,
with the name ntp-monlist, using plain Nsock if possible, with the
shorter payload, not writing to a file, with columnar output.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] NTP Peer Listing Mak Kolybabi (Apr 10)
- Re: [NSE] NTP Peer Listing Ron (Apr 10)
  - Re: [NSE] NTP Peer Listing Mak Kolybabi (Apr 10)
- Re: [NSE] NTP Peer Listing jah (Apr 11)
  - Re: [NSE] NTP Peer Listing Fyodor (Apr 11)
    - Re: [NSE] NTP Peer Listing jah (Apr 11)
  - Re: [NSE] NTP Peer Listing David Fifield (May 14)
    - Re: [NSE] NTP Peer Listing jah (May 19)
    - Re: [NSE] NTP Peer Listing David Fifield (May 20)
    - Re: [NSE] NTP Peer Listing jah (May 20)
    - Re: [NSE] NTP Peer Listing jah (May 20)