Archive for April, 2010

 

Using NTP to Enumerate Client IPs

Apr 29, 2010 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

THE NTP ISSUE [PDF Version Here]

The buzz around the internets lately has been about NTP.  Security researchers, such as HD Moore, have been doing extensive investigation on the “features” of NTP.  HD Moore discovered that, by default, NTP servers allow you to query them for additional information.  Some of the basic queries were listpeers, show peers, peers, sysstat, and most important monlist.

Monlist is used as a diagnostic tool to provide the user the last 600 IP addresses of clients who queried that NTP server.  What does this mean?  This means with a single request, you can get a good feel of all the IPs in a network.  Also, if there is an NTP server in the DMZ, an external attacker could potentially get the internal IPs.

FYI: I haven’t been successful with attacking Windows version of NTP.

SO WHAT’S THE TRICK:

You can install the NTP client on your favorite nix and run:
ntpdc -n -c monlist <ip address>

But this seems to only work half of the time.  It seems as sometimes the sequence numbers get messed up and it crashes.  You can use the new auxiliary tool from metasploit (ntp_monlist) or sensepost’s python tool, but both those have issues due to payloads that do not support version 3 of ntp.  They only support version 2.  The best tool is included called ntp_ip_enum.txt (click to view) which is a version of the sensepost script that I had modified the payloads allowing both NTP version 2 and version 3.

COMMAND: NTP_IP_ENUM.TXT

./ntp_ip_enum.py <ip_address of a NTP server> <optional another ip_address of a different NTP server>

When this is complete, an output file is created in the directory where the ntp_ip_enum script was run labeled NTP.txt.  This will include the clients that have connected to that NTP server within the last 5 minutes or last 600 requests.

Give it a try:
./ntp_ip_enum.py time.euro.apple.com

This will give you a list of clients that have recently contacted Apple’s Europe timeserver.  Wowzers!

SCRAPING THE INTERNETS NTP
MAPPING TIME.EURO.APPLE.COM

So I took the entire client IP’s listed from time.euro.apple.com and plotted them against Google earth.  This gave us some interesting views on which countries use Apple laptops and which do not.

Apple's EURO NTP Server

THE FIX
This could have all been averted by not allowing external users to query these types of commands.  Monlist is usually used for debugging but should only be allowed locally.

ADDITIONAL ATTACKS
HD Moore also discussed that he had figured out a way to DDoS a system using NTP with very minimal requests.  Although he has not released data on this type of DDoS, we put our heads together here on what the attack could be.  When you make a monlist request, you send 1 udp packet to the NTP server and 600+ responses are returned.  We think that using this request against all the NTP servers and peers, you could send hundreds of thousands of UDP packets to a victim with minimal request packets.  By spoofing the source address and requesting monlists repetitively, all responses from those NTP servers will be forwarded to the victim.

-Cheetz