Gut admin functions from R7-2014-12 NTP modules

None of these are admin modules.  All of that stuff should eventually go
in auxiliary/admin

Author: jhart-r7

modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb

@@ -27,11 +27,6 @@ def initialize
       'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',
       'License'     => MSF_LICENSE
     )
-
-    register_options(
-    [
-      OptBool.new('SHOW_PEERS', [false, 'Show peers', 'false'])
-    ], self.class)
   end
 
   # Called for each IP in the batch
@@ -63,90 +58,21 @@ def scanner_prescan(batch)
 
   # Called for each response packet
   def scanner_process(data, shost, sport)
-    this_peer = "#{shost}:#{sport}"
-    # sanity check that the reply is not overly large/small
-    if data.length < 8
-      print_error("#{this_peer} -- suspiciously small (#{data.length} bytes) NTP PEER_LIST response")
-      return
-    elsif data.length > 500
-      print_error("#{this_peer} -- suspiciously large (#{data.length} bytes) NTP PEER_LIST response")
-      return
-    end
-
-    # try to parse this response, alerting and aborting if it is invalid
-    response = Rex::Proto::NTP::NTPPrivate.new(data)
-    unless contains_relevant_message?(response, @probes)
-      print_error("#{this_peer} -- unexpected NTP PEER_LIST response: #{response.inspect}")
-      return
-    end
-
-    if response.error != 0
-      vprint_status("#{this_peer} -- error #{response.error} response to NTP PEER_LIST request")
-      return
-    end
-
-    if response.record_size != 32 || response.record_count == 0 || response.record_count > 15
-      print_error("#{this_peer} -- suspicious NTP PEER_LIST response with #{response.record_count} #{response.record_size}-byte entries: #{response.inspect}")
-      return
-    end
-
-    these_results = []
-    response.records.each do |record|
-      # TODO: Rex this
-      # u_int32 addr;           /* address of peer */
-      # u_short port;           /* port number of peer */
-      # u_char hmode;           /* mode for this peer */
-      # u_char flags;           /* flags (from above) */
-      # u_int v6_flag;          /* is this v6 or not */
-      # u_int unused1;          /* (unused) padding for addr6 */
-      # struct in6_addr addr6;  /* v6 address of peer */
-
-      src_addr4, src_port = record[0,6].unpack('Nn')
-      is_v6 = record[8,4].unpack('N').first
-
-      if is_v6 == 0
-        src_addr = Rex::Socket.addr_itoa(src_addr4)
-      else
-        # XXX: according to the struct, this should be record[16,16], but that doesn't work.  Why?
-        src_addr6_parts = record[12, 16].unpack("N*")
-        src_addr6 = 0
-        0.upto(3) do |off|
-          src_addr6 = src_addr6 | src_addr6_parts[off]
-          src_addr6 <<= 32
-        end
-        src_addr = Rex::Socket.addr_itoa(src_addr6, true)
-      end
-      these_results << [ src_addr, src_port ]
-      if datastore['SHOW_LIST']
-        print_status("#{this_peer} peers with #{src_addr}:#{src_port}")
-      end
-    end
-
     @results[shost] ||= []
-    @results[shost] << these_results
-
+    @results[shost] << Rex::Proto::NTP::NTPPrivate.new(data)
   end
 
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
       packets = @results[k]
-      peers = packets.flatten(1)
-      print_good("#{k}:#{rport} NTP PEER_LIST request permitted (#{packets.size} packets with #{peers.size} peers total)")
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
-
-      report_note(
-        :host  => k,
-        :proto => 'udp',
-        :port  => rport,
-        :type  => 'ntp.peer_list',
-        :data  => {:peer_list => @results[k]}
-      )
     end
   end
 end

modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb

@@ -27,11 +27,6 @@ def initialize
       'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',
       'License'     => MSF_LICENSE
     )
-
-    register_options(
-    [
-      OptBool.new('SHOW_PEERS', [false, 'Show peers', 'false'])
-    ], self.class)
   end
 
   # Called for each IP in the batch
@@ -41,77 +36,8 @@ def scan_host(ip)
 
   # Called for each response packet
   def scanner_process(data, shost, sport)
-    this_peer = "#{shost}:#{sport}"
-    # sanity check that the reply is not overly large/small
-    if data.length < 8
-      print_error("#{this_peer} -- suspiciously small (#{data.length} bytes) NTP PEER_LIST_SUM response")
-      return
-    elsif data.length > 500
-      print_error("#{this_peer} -- suspiciously large (#{data.length} bytes) NTP PEER_LIST_SUM response")
-      return
-    end
-
-    # try to parse this response, alerting and aborting if it is invalid
-    response = Rex::Proto::NTP::NTPPrivate.new(data)
-    unless [ @version, @implementation, @request_code ] == [ response.version, response.implementation, response.request_code ]
-      print_error("#{this_peer} -- unexpected NTP PEER_LIST_SUM response: #{response.inspect}")
-      return
-    end
-
-    if response.error != 0
-      vprint_status("#{this_peer} -- error #{response.error} response to NTP PEER_LIST request")
-      return
-    end
-
-    if response.record_size != 72 || response.record_count == 0 || response.record_count > 9
-      print_error("#{this_peer} -- suspicious NTP PEER_LIST_SUM response with #{response.record_count} #{response.record_size}-byte entries: #{response.inspect}")
-      return
-    end
-
-    these_results = []
-    response.records.each do |record|
-      # TODO: Rex this
-      # u_int32 dstadr;         /* local address (zero for undetermined) */
-      # u_int32 srcadr;         /* source address */
-      # u_short srcport;        /* source port */
-      # u_char stratum;         /* stratum of peer */
-      # s_char hpoll;           /* host polling interval */
-      # s_char ppoll;           /* peer polling interval */
-      # u_char reach;           /* reachability register */
-      # u_char flags;           /* flags, from above */
-      # u_char hmode;           /* peer mode */
-      # s_fp delay;             /* peer.estdelay */ (int32)
-      # l_fp offset;            /* peer.estoffset */ (2x int32)
-      # u_fp dispersion;        /* peer.estdisp */ (u_int32)
-      # u_int v6_flag;                  /* is this v6 or not */
-      # u_int unused1;                  /* (unused) padding for dstadr6 */
-      # struct in6_addr dstadr6;        /* local address (v6) */
-      # struct in6_addr srcadr6;        /* source address (v6) */
-
-      dst_addr4, src_addr4, src_port, stratum = record[0,12].unpack('NNnC')
-      is_v6 = record[32,4].unpack('N').first
-
-      if is_v6 == 0
-        src_addr = Rex::Socket.addr_itoa(src_addr4)
-      else
-        # XXX: is there a better way to do this?
-        src_addr6_parts = record[52, 16].unpack("N*")
-        src_addr6 = 0
-        0.upto(3) do |off|
-          src_addr6 = src_addr6 | src_addr6_parts[off]
-          src_addr6 <<= 32
-        end
-        src_addr = Rex::Socket.addr_itoa(src_addr6, true)
-      end
-      these_results << [ src_addr, src_port, stratum]
-      if datastore['SHOW_LIST']
-        print_status("#{this_peer} peers with #{src_addr}:#{src_port} (stratum #{stratum})")
-      end
-    end
-
     @results[shost] ||= []
-    @results[shost] << these_results
-
+    @results[shost] << Rex::Proto::NTP::NTPPrivate.new(data)
   end
 
   # Called before the scan block
@@ -128,22 +54,13 @@ def scanner_prescan(batch)
   def scanner_postscan(batch)
     @results.keys.each do |k|
       packets = @results[k]
-      peers = packets.flatten(1)
-      print_good("#{k}:#{rport} NTP PEER_LIST_SUM request permitted (#{packets.size} packets with #{peers.size} peers total)")
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
-
-      report_note(
-        :host  => k,
-        :proto => 'udp',
-        :port  => rport,
-        :type  => 'ntp.peer_list_sum',
-        :data  => {:peer_list_sum => @results[k]}
-      )
     end
   end
 end

modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb

@@ -37,24 +37,8 @@ def scan_host(ip)
 
   # Called for each response packet
   def scanner_process(data, shost, sport)
-    this_peer = "#{shost}:#{sport}"
-    # sanity check that the reply is not overly large/small
-    if data.length < 12
-      print_error("#{this_peer} -- suspiciously small (#{data.length} bytes) NTP req_nonce response")
-      return
-    elsif data.length > 500
-      print_error("#{this_peer} -- suspiciously large (#{data.length} bytes) NTP req_nonce response")
-      return
-    end
-
-    # try to parse this response, alerting and aborting if it is invalid
-    response = Rex::Proto::NTP::NTPControl.new(data)
-    if [ @probe.version, @probe.operation ] == [ response.version, response.operation ]
-      @results[shost] ||= []
-      @results[shost] << response
-    else
-      print_error("#{this_peer} -- unexpected NTP req_nonce response: #{response.inspect}")
-    end
+    @results[shost] ||= []
+    @results[shost] << Rex::Proto::NTP::NTPControl.new(data)
   end
 
   # Called before the scan block
@@ -76,13 +60,7 @@ def scanner_postscan(batch)
         :port  => rport,
         :name  => 'ntp'
       )
-      report_note(
-        :host  => k,
-        :proto => 'udp',
-        :port  => rport,
-        :type  => 'ntp.req_nonce',
-        :data  => {:req_nonce => @results[k]}
-      )
+
       total_size = packets.map(&:size).reduce(:+)
       if packets.size > 1 || total_size > @probe.size
         print_good("#{k}:#{rport} NTP req_nonce request permitted with amplified response (#{packets.size} packets, #{total_size} bytes)")

modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb

@@ -29,12 +29,6 @@ def initialize
       'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',
       'License'     => MSF_LICENSE
     )
-
-    register_options(
-    [
-      OptBool.new('SHOW_LIST', [false, 'Show the restrictions list', 'false'])
-    ], self.class)
-
   end
 
   # Called for each IP in the batch
@@ -44,69 +38,8 @@ def scan_host(ip)
 
   # Called for each response packet
   def scanner_process(data, shost, sport)
-    this_peer = "#{shost}:#{sport}"
-    # sanity check that the reply is not overly large/small
-    if data.length < 12
-      print_error("#{this_peer} -- suspiciously small (#{data.length} bytes) NTP reslist response")
-      return
-    elsif data.length > 500
-      print_error("#{this_peer} -- suspiciously large (#{data.length} bytes) NTP reslist response")
-      return
-    end
-
-    # try to parse this response, alerting and aborting if it is invalid
-    response = Rex::Proto::NTP::NTPPrivate.new(data)
-    unless [ @version, @implementation, @request_code ] == [ response.version, response.implementation, response.request_code ]
-      print_error("#{this_peer} -- unexpected NTP reslist response: #{response.inspect}")
-      return
-    end
-
-    if response.record_size != 56 || response.record_count == 0 || response.record_count > 9
-      print_error("#{this_peer} -- suspicious NTP reslist response with #{response.record_count} #{response.record_size}-byte entries: #{response.inspect}")
-      return
-    end
-
-    these_results = []
-    response.records.each do |record|
-      # TODO: Rex this
-      # u_int32 addr;           /* match address */
-      # u_int32 mask;           /* match mask */
-      # u_int32 count;          /* number of packets matched */
-      # u_short flags;          /* restrict flags */
-      # u_short mflags;         /* match flags */
-      # u_int v6_flag;          /* is this v6 or not */
-      # u_int unused1;          /* unused, padding for addr6 */
-      # struct in6_addr addr6;  /* match address (v6) */
-      # struct in6_addr mask6;  /* match mask (v6) */
-
-      addr4, mask4, count, rflags, mflags, is_v6 = record[0,20].unpack("NNNnnnn")
-
-      if is_v6 == 0
-        addr = Rex::Socket.addr_itoa(addr4)
-        mask = Rex::Socket.addr_itoa(mask4)
-      else
-        # XXX: is there a better way to do this?
-        addr6_parts = record[20, 16].unpack("N*")
-        mask6_parts = record[36, 16].unpack("N*")
-        addr6 = 0
-        mask6 = 0
-        0.upto(3) do |off|
-          addr6 = addr6 | addr6_parts[off]
-          addr6 <<= 32
-          mask6 = mask6 | mask6_parts[off]
-          mask6 <<= 32
-        end
-        addr = Rex::Socket.addr_itoa(addr6, true)
-        mask = Rex::Socket.addr_itoa(mask6, true)
-      end
-      these_results << [ addr, mask, rflags, mflags]
-      if datastore['SHOW_LIST']
-        print_status("#{this_peer} #{addr}/#{mask} (count: #{count}, restrict flags: #{rflags}, match flags: #{mflags})")
-      end
-    end
-
     @results[shost] ||= []
-    @results[shost] << these_results
+    @results[shost] << Rex::Proto::NTP::NTPPrivate.new(data)
   end
 
   # Called before the scan block
@@ -123,22 +56,12 @@ def scanner_prescan(batch)
   def scanner_postscan(batch)
     @results.keys.each do |k|
       packets = @results[k]
-      entries = packets.flatten(1)
-      print_good("#{k}:#{rport} NTP reslist request permitted (#{packets.size} packets with #{entries.size} total entries)")
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
-
-      report_note(
-        :host  => k,
-        :proto => 'udp',
-        :port  => rport,
-        :type  => 'ntp.reslist',
-        :data  => {:reslist => @results[k]}
-      )
     end
   end
 end