Tuesday, June 20, 2017

NTP/SNMP amplification attacks


I needed to verify a SNMP and NTP amplification vulnerability was actually working.

Metasploit  has a few scanners for ntp vulns in the auxiliary/scanner/ntp/ntp_* and it will report hosts as being vulnerable to amplification attacks.

msf auxiliary(ntp_readvar) > run

[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)

[+] 1.1.1.1:123 - Vulnerable to NTP Mode 6 READVAR DRDoS: No packet amplification and a 34x, 396-byte bandwidth amplification


I've largely not paid attention to these types of attacks in the past but in this case needed to validate I could get the vulnerable host to send traffic to a target/spoofed IP.

I set up 2 boxes to run the attack; an attack box and a target box that I used as the spoofed source IP address.  I  ran tcpdump on the target/spoofed server (yes...listening for UDP packets) it was receiving no UDP packets when I ran the attack.  If I didn't spoof the source IP,  the vulnerable server would send data back to the attacker IP but not the spoofed IP.

Metasploit (running as root) can spoof the IP for you:

msf auxiliary(ntp_readvar) > set SRCIP 2.2.2.2
SRCIP => 2.2.2.2
msf auxiliary(ntp_readvar) > run

[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)

[*] Sending 1 packet(s) to 1.1.1.1 from 2.2.2.2

To rule out it wasn't a Metasploit thing I also worked thru the attack with scapy following the examples here:
http://www.nothink.org/misc/snmp_reflected.php

So I asked on Twitter...fucking mistake...after getting past the trolls and well intentioned people that didn't think I understood basic networking/spoofing at all (heart u) link #1,  link #2 as the likely reason I couldn't spoof the IP. As well as a hint that the last time someone got it to work they had to rent a physical server in a dodgy colo.

A bit of reading later I found https://spoofer.caida.org/recent_tests.php which allows you to check and see if a particular ASN supports spoofing along with the stats that only 20% of the Internet allows spoofing.




source: https://spoofer.caida.org/summary.php

Checking common ISP and cloud provider ASNs showed that most weren't vulnerable to spoofing.

So mystery solved and another aux module/vuln scanner result that can be quickly triaged and/or ignored.

If someone has had different results please let me know.


P.S.
Someone asked if the vuln host was receiving the traffic. I couldn't answer for the initial host but to satisfy my curiosity on the issue  I built a vulnerable NTP server and it did NOT receive the traffic even with hosts from the same VPS provider in the same data center (different subnets).







CG

No comments: