|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Any reachable UDP endpoint is a potential target. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | + Example steps in this format: |
| 8 | + |
| 9 | + 1. Start `msfconsole` |
| 10 | + 2. Do: ```use auxiliary/scanner/udp/udp_amplification``` |
| 11 | + 3. Do ```set RHOSTS <targets>```, replacing `<targets>` with the hosts you wish to assess. |
| 12 | + 4. Do ```set PORTS <ports>```, replacing `<ports>` with the list of UDP ports you wish to assess on each asset. |
| 13 | + 5. Optionally, ```set PROBE <probe>```, replacing `<probe>` with a string or `file://` resource to serve as the UDP payload |
| 14 | + 6. Do: ```run``` |
| 15 | + 7. If any of the endpoints were discovered to be vulnerable to UDP amplification with the probe you specified, status will be printed indicating as such. |
| 16 | + |
| 17 | +## Options |
| 18 | + |
| 19 | + **PORTS** |
| 20 | + |
| 21 | + This is the list of ports to test for UDP amplification on each host. |
| 22 | + Formats like `1,2,3`, `1-3`, `1,2-3`, etc, are all supported. You'll |
| 23 | + generally only want to specify a small, targeted set of ports with an |
| 24 | + appropriately tailored `PROBE` value, described below |
| 25 | + |
| 26 | + **PROBE** |
| 27 | + |
| 28 | + This is the payload to send in each UDP datagram. Unset or set to the empty |
| 29 | + string `''` or `""` to send empty UDP datagrams, or use the `file://` |
| 30 | + resource to specify a local file to serve as the UDP payload. |
| 31 | + |
| 32 | +## Scenarios |
| 33 | + |
| 34 | + ``` |
| 35 | + resource (amp.rc)> use auxiliary/scanner/udp/udp_amplification |
| 36 | + resource (amp.rc)> set RHOSTS 10.10.16.0/20 192.168.3.0/23 |
| 37 | + RHOSTS => 10.10.16.0/20 192.168.3.0/23 |
| 38 | + resource (amp.rc)> set PORTS 17,19,12345 |
| 39 | + PORTS => 17,19,12345 |
| 40 | + resource (amp.rc)> set THREADS 100 |
| 41 | + THREADS => 100 |
| 42 | + resource (amp.rc)> set PROBE 'test' |
| 43 | + PROBE => test |
| 44 | + resource (amp.rc)> run |
| 45 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts) |
| 46 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts) |
| 47 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts) |
| 48 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts) |
| 49 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts) |
| 50 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts) |
| 51 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts) |
| 52 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts) |
| 53 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts) |
| 54 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts) |
| 55 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts) |
| 56 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts) |
| 57 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts) |
| 58 | + [*] Sending 4-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts) |
| 59 | + [*] Sending 4-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts) |
| 60 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts) |
| 61 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts) |
| 62 | + [*] Sending 4-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts) |
| 63 | + [*] Scanned 512 of 4608 hosts (11% complete) |
| 64 | + [+] 10.10.17.153:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 65 | + [+] 10.10.20.47:17 - susceptible to UDP amplification: No packet amplification and a 40x, 159-byte bandwidth amplification |
| 66 | + [*] Scanned 2560 of 4608 hosts (55% complete) |
| 67 | + [+] 10.10.23.199:19 - susceptible to UDP amplification: No packet amplification and a 256x, 1020-byte bandwidth amplification |
| 68 | + [+] 10.10.23.248:17 - susceptible to UDP amplification: No packet amplification and a 26x, 103-byte bandwidth amplification |
| 69 | + [*] Scanned 3584 of 4608 hosts (77% complete) |
| 70 | + [*] Scanned 3840 of 4608 hosts (83% complete) |
| 71 | + [+] 10.10.30.202:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 72 | + [*] Scanned 4096 of 4608 hosts (88% complete) |
| 73 | + [+] 192.168.3.64:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 74 | + [+] 192.168.3.71:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 75 | + [+] 192.168.3.73:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 76 | + [+] 192.168.3.77:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 77 | + [+] 192.168.3.100:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 78 | + [+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 79 | + [+] 192.168.3.118:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 80 | + [+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification |
| 81 | + [+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification |
| 82 | + [*] Scanned 4352 of 4608 hosts (94% complete) |
| 83 | + [+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification |
| 84 | + [*] Scanned 4608 of 4608 hosts (100% complete) |
| 85 | + [*] Auxiliary module execution completed |
| 86 | + ``` |
| 87 | + |
| 88 | + Similarly, but with empty UDP datagrams instead: |
| 89 | + |
| 90 | + ``` |
| 91 | + resource (amp.rc)> unset PROBE |
| 92 | + Unsetting PROBE... |
| 93 | + resource (amp.rc)> run |
| 94 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts) |
| 95 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts) |
| 96 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts) |
| 97 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts) |
| 98 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts) |
| 99 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts) |
| 100 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts) |
| 101 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts) |
| 102 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts) |
| 103 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts) |
| 104 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts) |
| 105 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts) |
| 106 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts) |
| 107 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts) |
| 108 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts) |
| 109 | + [*] Sending 0-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts) |
| 110 | + [*] Sending 0-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts) |
| 111 | + [*] Sending 0-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts) |
| 112 | + [+] 10.10.17.229:17 - susceptible to UDP amplification: No packet amplification and a 107x, 107-byte bandwidth amplification |
| 113 | + [+] 10.10.26.252:19 - susceptible to UDP amplification: No packet amplification and a 3892x, 3892-byte bandwidth amplification |
| 114 | + [*] Scanned 4096 of 4608 hosts (88% complete) |
| 115 | + [+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification |
| 116 | + [+] 192.168.3.114:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification |
| 117 | + [+] 192.168.3.115:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification |
| 118 | + [+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification |
| 119 | + [+] 192.168.3.184:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification |
| 120 | + [*] Scanned 4352 of 4608 hosts (94% complete) |
| 121 | + [+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification |
| 122 | + [+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification |
| 123 | + [*] Scanned 4608 of 4608 hosts (100% complete) |
| 124 | + [*] Auxiliary module execution completed |
| 125 | + ``` |
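Review bot: The Scenarios output never explains how the two figures in each `[+]` line are derived, and the empty-probe run makes the gap obvious: after `unset PROBE` the results read `107x, 107-byte` and `3892x, 3892-byte`, a multiplier against a 0-byte request that a reader cannot interpret without knowing what denominator the module uses. Add a short paragraph under Options, or ahead of the first scenario, stating how packet amplification and bandwidth amplification are calculated, including the 0-byte case, so that results from the `'test'` run (for example `18x, 70-byte`) and the empty-probe run can be compared. Smaller points: `Example steps in this format:` in Verification Steps reads like leftover template text and should be dropped, and step 5 and the `PORTS` description (ending `described below`) are missing their final periods.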