By Gursev Singh Kalra.
I recently needed to check an NTP Reserved Mode Denial of Service vulnerability, CVE-2009-3563, but without causing the DoS condition on the production server. The issue comes up when one NTP daemon queries another with the MODE_PRIVATE flag set:

If the target NTP server provides a response, it's vulnerable:

A denial of service condition could happen if an attacker spoofs the IP of a vulnerable NTP server, then sends an NTP query with the MODE_PRIVATE flag set. The two NTP servers enter a continuous loop, sending MODE_PRIVATE queries back and forth. Metasploit's auxiliary module auxiliary/dos/ntp/ntpd_reserved_dos demonstrates this issue, however it also executes the vulnerability, so I wrote my own Ruby script to assess the remote server. Download:
#Author: Gursev Singh Kalra
require 'socket'

TIMEOUT = 5

if(ARGV.count != 1)
  puts "[-] Target host not provided. Usage: ntp.rb <target_host>"
  exit
end

target_server = ARGV[0]
target_port = 123
socket = nil
response = nil

begin
  # Mode 7 (MODE_PRIVATE) packet with the response bit set; a vulnerable ntpd
  # answers it with a mode 7 error response of its own. Force a binary string
  # so it can be compared with the bytes UDPSocket#recvfrom returns.
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.open
  socket.send(test_string, 0, target_server, target_port)
  # Wait at most TIMEOUT seconds for a reply; a patched server stays silent.
  if select([socket], nil, nil, TIMEOUT)
    response = socket.recvfrom(10)   # [data, sender address info]
  end
rescue IOError, SocketError, SystemCallError => ex
  puts ex.to_s
ensure
  socket.close if(socket)
end

if(response && response[0].index("\x97\x00\x00\x00".b))
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end
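Why those eight probe bytes trigger the bug becomes clear once the mode 7 header is decoded. The decoder below is an added example written for this post, not code from the original script, from the NTP project or from Metasploit. It assumes the private-mode header layout from ntpd's ntp_request.h (R, M, VN and MODE bits in the first byte), and the "normal request" packet it compares against is constructed for illustration.

```ruby
# Added example: decode ntpd's private-mode (mode 7) header so the bug trigger
# is visible. Not part of the original script. Layout assumed from ntpd's
# ntp_request.h:
#   byte 0    : R(1) M(1) VN(3) MODE(3)
#   byte 1    : AUTH(1) SEQ(7)
#   byte 2    : implementation number
#   byte 3    : request code
#   bytes 4-5 : ERR(4) NITEMS(12)
#   bytes 6-7 : MBZ(4) ITEMSIZE(12)

# The same eight bytes the script above sends.
PROBE = "\x97\x00\x00\x00\xAA\x00\x00\x00".b

# Constructed for comparison: an ordinary ntpdc-style request
# (R bit clear, version 2, mode 7, implementation 3, request code 0).
NORMAL_REQUEST = "\x17\x00\x03\x00\x00\x00\x00\x00".b

def decode_mode7_header(data)
  bytes = data.b.bytes
  raise ArgumentError, "mode 7 header needs 8 bytes" if bytes.length < 8
  err_nitems = (bytes[4] << 8) | bytes[5]
  mbz_size   = (bytes[6] << 8) | bytes[7]
  {
    response:       (bytes[0] & 0x80) != 0,   # R: this packet claims to be a reply
    more:           (bytes[0] & 0x40) != 0,   # M: more packets follow
    version:        (bytes[0] >> 3) & 0x07,
    mode:           bytes[0] & 0x07,          # 7 == MODE_PRIVATE
    authenticated:  (bytes[1] & 0x80) != 0,
    sequence:       bytes[1] & 0x7f,
    implementation: bytes[2],
    request_code:   bytes[3],
    error:          err_nitems >> 12,
    nitems:         err_nitems & 0x0fff,
    item_size:      mbz_size & 0x0fff
  }
end

# True when the bytes are a mode 7 packet that claims to be a reply. An
# unpatched ntpd treats such a packet as an unsolicited error response and
# answers it, which is the loop CVE-2009-3563 describes; a patched one stays
# silent, so nothing satisfying this predicate comes back from the probe.
def mode7_response?(data)
  return false if data.nil? || data.bytesize < 8
  h = decode_mode7_header(data)
  h[:mode] == 7 && h[:response]
end

# Human-readable one-line summary of a packet, e.g. for a pcap walk-through.
def describe_mode7(data)
  h = decode_mode7_header(data)
  kind = h[:response] ? "response" : "request"
  format("NTPv%d mode %d %s impl=%d req=%d err=%d nitems=%d",
         h[:version], h[:mode], kind, h[:implementation],
         h[:request_code], h[:error], h[:nitems])
end

if __FILE__ == $0
  puts describe_mode7(PROBE)
  puts describe_mode7(NORMAL_REQUEST)
end
```

Run against the probe, the decoder reports an NTPv2 mode 7 packet with the response bit set: the probe presents itself as a reply, and that is what an unpatched ntpd answers with a further error reply. From the defending side, a mode 7 packet carrying the response bit from a host the server never queried is the signature worth alerting on, and the standard configuration mitigation is `restrict default noquery` in ntp.conf, which refuses mode 6 and mode 7 queries (ntpq and ntpdc traffic) while leaving time service unaffected.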
Here's what the tool's output looks like:
Great minds...
After I wrote this script I passed it on to a co-worker, Brad Antoniewicz, and to my surprise, I discovered that he had actually written the same script, but in Python! So we decided to throw up all of our scripts on GitHub to help avoid any future duplication.

Here are a bunch of pentest scripts that help speed up manual validation of vulnerabilities and whose outputs you can potentially leverage for further attack.