04.10
I was browsing the carnal0wnage blog this week and read about a new auxiliary module that HD Moore had released… ntp_monlist
is neat because it queries NTP servers and lists the last client IPs. The blog also references a post on the SensePost blog… They ran other tests, using the Maltego tool for example, and made some interesting comments:
Have data, what now?
The most immediate application of this method will probably be more revealing footprinting exercises. For example:
- Certain devices are pre-configured to use a certain NTP server, which one can query to find all those devices
- Certain products are pre-configured in a similar fashion, e.g. Ubuntu
- NTP servers could leak internal network details and possibly one of their other addresses (IPv6 or another network if multihomed)
- IPs that will never show up in customary rDNS and fDNS queries may now suddenly pop up
Bandwidth implications: So we know that a busy server’s ‘client cache’ will have 600 entries and wireshark tells us that each result packet is 468 bytes (IP+UDP+NTP). Each result packet only contains 6 results so one is looking at +- 45kbytes of data for each request packet of 220 bytes (IP+UDP+NTP). The NTP server will just dump the data so you will need a sizeable down-link to catch all 100 UDP packets. Moore mentioned that he has developed a technique to create a 30 gigabit/sec DDOS which is not easy to defend against. Our bet is that spoofing the source address of the monlist request may be a way for creating a DDOS attack.
Testing the module, and then doing it by hand:
Metasploit:
msf > use auxiliary/scanner/ntp/ntp_monlist
msf auxiliary(ntp_monlist) > set RHOSTS a.ntp.br
RHOSTS => a.ntp.br
msf auxiliary(ntp_monlist) > run
[*] Sending probes to 200.160.0.8->200.160.0.8 (1 hosts)
[*] 200.160.0.8:123 201.48.104.130:12559 (200.160.0.8)
[*] 200.160.0.8:123 201.28.104.202:247 (200.160.0.8)
[*] 200.160.0.8:123 201.72.252.178:40 (200.160.0.8)
[*] 200.160.0.8:123 201.16.68.16:1025 (200.160.0.8)
[*] 200.160.0.8:123 189.86.112.61:123 (200.160.0.8)
…
[*] 200.160.0.8:123 187.12.217.250:57265 (200.160.0.8)
[*] 200.160.0.8:123 187.16.138.10:123 (200.160.0.8)
[*] 200.160.0.8:123 187.16.241.3:55101 (200.160.0.8)
[*] 200.160.0.8:123 189.115.138.116:1626 (200.160.0.8)
[*] 200.160.0.8:123 201.70.200.170:123 (200.160.0.8)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
ntpdc:
root@bt:~# ntpdc -c monlist a.ntp.br
remote address port local address count m ver code avgint lstint
===============================================================================
187.59.59.152.static.h 59959 200.160.0.8 12 7 2 1b0 0 0 (oh, that's me, lol)
200.99.150.227 100 200.160.0.8 11267899 1 3 1b0 0 0
201-28-104-202.custome 337 200.160.0.8 31789 1 3 1b0 0 0
200-140-168-34.pvoce20 62834 200.160.0.8 2688898 3 3 1b0 0 0
189-108-236-228.custom 1100 200.160.0.8 1199 3 4 190 31 0
router.compel.topnet.c 2049 200.160.0.8 1209 3 3 190 10 0
c9526933.virtua.com.br 35899 200.160.0.8 1605526 1 3 1b0 0 0
nataddr.pbh.gov.br 40401 200.160.0.8 21902 3 1 1b0 0 0
189-47-237-9.dsl.teles 123 200.160.0.8 1250 1 3 190 16 0
201.72.252.178 494 200.160.0.8 16435604 1 3 1b0 0 0
201-0-210-224.dial-up. 1323 200.160.0.8 14062 3 3 190 4 0
189.2.161.130 2487 200.160.0.8 13125 6 2 1b0 0 0
firewall.magal.ind.br 25667 200.160.0.8 5866570 1 3 1b0 0 0
autopistalitoralsul36. 354 200.160.0.8 11774 1 3 1b0 0 0
189.38.69.70 30710 200.160.0.8 2 3 3 190 27 0
….
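To make concrete what the ntpdc query above puts on the wire, how the replies decode into the per-client lines shown, and where the SensePost bandwidth figures come from, here is an added Python example (my code, not from the post, Metasploit or SensePost). It builds the mode 7 REQ_MON_GETLIST_1 probe as ntpdc sends it, parses replies, and reproduces the amplification arithmetic; the sample reply is constructed from the addresses in the Metasploit run. A server restricted with `noquery` answers nothing or with an error reply, which the parser raises on.

```python
import struct
from ipaddress import IPv4Address

# Mode 7 ("private", what ntpdc speaks) REQ_MON_GETLIST_1 probe as ntpdc sends it:
# byte0 = R:0 M:0 VN:2 mode:7 (0x17), seq 0, IMPL_XNTPD=3, request 42, padded to REQ_LEN_NOMAC (192 bytes).
IMPL_XNTPD, REQ_MON_GETLIST_1, ITEM_SIZE = 3, 42, 72   # ITEM_SIZE = sizeof(struct info_monitor_1)
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(188)

def parse_monlist_reply(pkt):
    """Decode one reply; returns (more_follows, [entry dicts]). Raises on error replies."""
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if rm_vn_mode & 0x87 != 0x87:                      # response bit set and mode 7
        raise ValueError("not a mode 7 response")
    if (impl, req) != (IMPL_XNTPD, REQ_MON_GETLIST_1):
        raise ValueError("reply to a different request")
    err, nitems, itemsize = err_nitems >> 12, err_nitems & 0xFFF, mbz_itemsize & 0xFFF
    if err:                                            # non-zero: request refused, unsupported or no data
        raise ValueError(f"server returned error code {err}")
    entries = []
    for i in range(nitems):
        item = pkt[8 + i * itemsize: 8 + (i + 1) * itemsize]
        # info_monitor_1 prefix: lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version
        _, _, _, count, addr, daddr, _, port, mode, ver = struct.unpack("!7IHBB", item[:32])
        entries.append({"client": f"{IPv4Address(addr)}:{port}", "local": str(IPv4Address(daddr)),
                        "mode": mode, "version": ver, "count": count})
    return bool(rm_vn_mode & 0x40), entries           # M bit: more reply packets follow

def amplification(cached=600, per_reply=6, reply_bytes=468, request_bytes=220):
    """Reply packets and bytes returned per byte sent, using the figures quoted from SensePost."""
    packets = -(-cached // per_reply)                  # ceil(600 / 6) = 100 packets
    return packets, packets * reply_bytes / request_bytes

def build_reply(entries, more=False):
    """Constructed reply (to exercise the parser offline); entries = (client_ip, port, local_ip, count)."""
    hdr = struct.pack("!BBBBHH", 0x97 | (0x40 if more else 0), 0, IMPL_XNTPD, REQ_MON_GETLIST_1, len(entries), ITEM_SIZE)
    body = b"".join(struct.pack("!7IHBB", 0, 0, 0, n, int(IPv4Address(c)), int(IPv4Address(l)), 0, p, 3, 3)
                    + bytes(ITEM_SIZE - 32) for c, p, l, n in entries)
    return hdr + body

# Constructed sample: six entries (one full reply packet) using addresses from the Metasploit run; counts are made up.
SAMPLE = build_reply([("201.48.104.130", 12559, "200.160.0.8", 12), ("201.28.104.202", 247, "200.160.0.8", 31789),
                      ("201.72.252.178", 40, "200.160.0.8", 16435604), ("201.16.68.16", 1025, "200.160.0.8", 7),
                      ("189.86.112.61", 123, "200.160.0.8", 3), ("187.12.217.250", 57265, "200.160.0.8", 1)], more=True)

if __name__ == "__main__":
    more, ents = parse_monlist_reply(SAMPLE)
    print(f"{len(SAMPLE)} NTP bytes (+28 IP/UDP = {len(SAMPLE) + 28}), more={more}", *ents, sep="\n")
    print("reply packets, amplification factor:", amplification())
```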
Maltego:
Cheers!
Refs:
http://carnal0wnage.attackresearch.com/node/410
http://www.sensepost.com/blog/4552.html
http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html