Update R7-2014-12 NTP modules to use new DRDoS mixin

Author: jhart-r7

modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb

@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
-      'Name'        => 'NTP PEER_LIST DoS Scanner',
+      'Name'        => 'NTP Mode 7 PEER_LIST DoS Scanner',
       'Description' => %q{
         This module identifies NTP servers which permit "PEER_LIST" queries and
         return responses that are larger in size or greater in quantity than
@@ -31,29 +32,13 @@ def initialize
 
   # Called for each IP in the batch
   def scan_host(ip)
-    @probes.each do |probe|
-      scanner_send(probe, ip, datastore['RPORT'])
-    end
+    scanner_send(@probe, ip, datastore['RPORT'])
   end
 
   # Called before the scan block
   def scanner_prescan(batch)
-    # build a probe for all possible variations of the PEER_LIST request, which
-    # means using all combinations of NTP version, mode 7 implementations and
-    # with and without payloads.
-    @probes = []
-    versions = datastore['VERSIONS'].split(/,/).map { |v| v.strip.to_i }
-    implementations = datastore['IMPLEMENTATIONS'].split(/,/).map { |i| i.strip.to_i }
-    payloads = ['', "\x00"*40]
-    versions.each do |v|
-      implementations.each do |i|
-        payloads.each do |p|
-          @probes << Rex::Proto::NTP.ntp_private(v, i, 0, p)
-        end
-      end
-    end
     @results = {}
-    vprint_status("Sending #{@probes.size} NTP PEER_LIST probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
+    @probe = Rex::Proto::NTP.ntp_private(2, 3, 0)
   end
 
   # Called for each response packet
@@ -65,14 +50,30 @@ def scanner_process(data, shost, sport)
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
-      packets = @results[k]
+      response_map = { @probe => @results[k] }
       # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
+
+      peer = "#{k}:#{rport}"
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'R7-2014-12 NTP Mode 7 PEER_LIST DRDoS'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
+      end
     end
   end
 end

modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb

@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
-      'Name'        => 'NTP PEER_LIST_SUM DoS Scanner',
+      'Name'        => 'NTP Mode 7 PEER_LIST_SUM DoS Scanner',
       'Description' => %q{
         This module identifies NTP servers which permit "PEER_LIST_SUM" queries and
         return responses that are larger in size or greater in quantity than
@@ -43,24 +44,36 @@ def scanner_process(data, shost, sport)
   # Called before the scan block
   def scanner_prescan(batch)
     @results = {}
-    @version = 2
-    @implementation = 3
-    @request_code = 1
-    @probe = Rex::Proto::NTP.ntp_private(@version, @implementation, @request_code)
-    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
+    @probe = Rex::Proto::NTP.ntp_private(2, 3, 1)
   end
 
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
-      packets = @results[k]
+      response_map = { @probe => @results[k] }
       # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
+
+      peer = "#{k}:#{rport}"
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'R7-2014-12 NTP Mode 7 PEER_LIST_SUM DRDoS'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
+      end
     end
   end
 end

modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb

@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
@@ -47,23 +48,34 @@ def scanner_prescan(batch)
     @probe = Rex::Proto::NTP::NTPControl.new
     @probe.version = 2
     @probe.operation = 12
-    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
   end
 
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
-      packets = @results[k]
+      response_map = { @probe => @results[k] }
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
 
-      total_size = packets.map(&:size).reduce(:+)
-      if packets.size > 1 || total_size > @probe.size
-        print_good("#{k}:#{rport} NTP req_nonce request permitted with amplified response (#{packets.size} packets, #{total_size} bytes)")
+      peer = "#{k}:#{rport}"
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'R7-2014-12 NTP Mode 6 REQ_NONCE DRDoS'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
       end
     end
   end

modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb

@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
-      'Name'        => 'NTP GET_RESTRICT DoS Scanner',
+      'Name'        => 'NTP Mode 7 GET_RESTRICT DRDoS Scanner',
       'Description' => %q{
         This module identifies NTP servers which permit "reslist" queries and
         obtains the list of restrictions placed on various network interfaces,
@@ -45,23 +46,36 @@ def scanner_process(data, shost, sport)
   # Called before the scan block
   def scanner_prescan(batch)
     @results = {}
-    @version = 2
-    @implementation = 3
-    @request_code = 16
-    @probe = Rex::Proto::NTP.ntp_private(@version, @implementation, @request_code)
-    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
+    @probe = Rex::Proto::NTP.ntp_private(2, 3, 16)
   end
 
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
-      packets = @results[k]
+      response_map = { @probe => @results[k] }
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
+
+      peer = "#{k}:#{rport}"
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'R7-2014-12 NTP Mode 7 GET_RESTRICT DRDoS'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
+      end
     end
   end
 end

modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb

@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
@@ -46,22 +47,34 @@ def scanner_prescan(batch)
     @probe = Rex::Proto::NTP::NTPControl.new
     @probe.version = 2
     @probe.operation = 31
-    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
   end
 
   # Called after the scan block
   def scanner_postscan(batch)
     @results.keys.each do |k|
-      packets = @results[k]
+      response_map = { @probe => @results[k] }
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
         :port  => rport,
         :name  => 'ntp'
       )
-      total_size = packets.map(&:size).reduce(:+)
-      if packets.size > 1 || total_size > @probe.size
-        print_good("#{k}:#{rport} NTP unsettrap request permitted with amplified response (#{packets.size} packets, #{total_size} bytes)")
+
+      peer = "#{k}:#{rport}"
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'R7-2014-12 NTP Mode 6 UNSETTRAP DRDoS'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
       end
     end
   end