
Commit 3f19d88

committed
WIP: Fix the ntp_nak_to_the_future module
Needs pending changes that add the NTPHeader class
1 parent 2355ab5 commit 3f19d88


1 file changed

+9
-14
lines changed


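--- a/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb
@@ -47,18 +47,13 @@ def initialize(info = {})
 end
 
 def build_crypto_nak(time)
-probe = Rex::Proto::NTP::NTPSymmetric.new
+probe = NTPHeader.new
+probe.version_number = 3
 probe.stratum = 1
 probe.poll = 10
 probe.mode = 1
 unless time
-now = Time.now
-# compute the timestamp. NTP stores a timestamp as 64-bit unsigned
-# integer, the high 32-bits representing the number of seconds since era
-# epoch and the low 32-bits representing the fraction of a second. The era
-# epoch in this case is Jan 1 1900, so we must add the number of seconds
-# between then and the ruby era epoch, Jan 1 1970, which is 2208988800
-time = ((now.to_i + 2208988800 + datastore['OFFSET']) << 32) + now.nsec
+time = Time.now
 end
 
 # TODO: use different values for each?
@@ -67,24 +62,24 @@ def build_crypto_nak(time)
 probe.receive_timestamp = time
 probe.transmit_timestamp = time
 # key-id 0
-probe.payload = "\x00\x00\x00\x00"
+probe.key_identifier = 0
 probe
 end
 
 def check
 connect_udp
 
 # pick a random 64-bit timestamp
-canary_timestamp = rand((2**32)..((2**64) - 1))
+canary_timestamp = Time.now.utc - (60 * 5)
 probe = build_crypto_nak(canary_timestamp)
-udp_sock.put(probe)
+udp_sock.put(probe.to_binary_s)
 
-expected_length = probe.to_binary_s.length - probe.payload.length
+expected_length = probe.offset_of(probe.key_identifier)
 response = udp_sock.timed_read(expected_length)
 disconnect_udp
 if response.length == expected_length
-ntp_symmetric = Rex::Proto::NTP::NTPSymmetric.new.read(response)
-if ntp_symmetric.mode == 2 && ntp_symmetric.origin_timestamp == canary_timestamp
+ntp_symmetric = NTPHeader.read(response)
+if ntp_symmetric.mode == 2 && ntp_symmetric.origin_timestamp == nil
 vprint_good("#{rhost}:#{rport} - NTP - VULNERABLE: Accepted a NTP symmetric active association")
 report_vuln(
 host: rhost,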
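Review bot: The vulnerability test on the new side of the second hunk, `if ntp_symmetric.mode == 2 && ntp_symmetric.origin_timestamp == nil`, no longer ties the reply to the probe: `canary_timestamp` is still generated and placed in the probe's timestamps, but the reply's origin_timestamp is now compared with nil instead of with the canary, so any mode-2 reply of the expected length would be reported as vulnerable (and, depending on how NTPHeader decodes the field, the nil comparison may never be true at all). Restore the echo check in whatever representation NTPHeader gives the field, e.g. `ntp_symmetric.origin_timestamp == canary_timestamp`, converting one side if the field is not a Time; if a nil check really is intended, `.nil?` is the idiomatic form. The comment `# pick a random 64-bit timestamp` above `canary_timestamp = Time.now.utc - (60 * 5)` is now stale, since the value is a predictable time five minutes in the past rather than random; replace it with `# canary: an origin timestamp a few minutes in the past that a genuine reply must echo back`. The `check` method continues past the end of the hunk.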
