I needed to verify a SNMP and NTP amplification vulnerability was actually working.
Metasploit has a few scanners for ntp vulns in the auxiliary/scanner/ntp/ntp_* and it will report hosts as being vulnerable to amplification attacks.
I’ve largely not paid attention to these types of attacks in the past but in this case needed to validate I could get the vulnerable host to send traffic to a target/spoofed IP.
I set up 2 boxes to run the attack; an attack box and a target box that I used as the spoofed source IP address. I ran tcpdump on the target/spoofed server (yes…listening for UDP packets) it was receiving no UDP packets when I ran the attack. If I didn’t spoof the source IP, the vulnerable server would send data back to the attacker IP but not the spoofed IP.
Metasploit (running as root) can spoof the IP for you:
To rule out it wasn’t a Metasploit thing I also worked thru the attack with scapy following the examples here:
So I asked on Twitter…fucking mistake…after getting past the trolls and well intentioned people that didn’t think I understood basic networking/spoofing at all (heart u) link #1, link #2 as the likely reason I couldn’t spoof the IP. As well as a hint that the last time someone got it to work they had to rent a physical server in a dodgy colo.
A bit of reading later I found https://spoofer.caida.org/recent_tests.php which allows you to check and see if a particular ASN supports spoofing along with the stats that only 20% of the Internet allows spoofing.
Checking common ISP and cloud provider ASNs showed that most weren’t vulnerable to spoofing.
So mystery solved and another aux module/vuln scanner result that can be quickly triaged and/or ignored.
If someone has had different results please let me know.
Someone asked if the vuln host was receiving the traffic. I couldn’t answer for the initial host but to satisfy my curiosity on the issue I built a vulnerable NTP server and it did NOT receive the traffic even with hosts from the same VPS provider in the same data center (different subnets).
This is a Security Bloggers Network syndicated blog post authored by CG. Read the original post at: Carnal0wnage & Attack Research Blog