NTP reflection DDoS attacks

At the end of 2013 there were several NTP reflection DDoS attacks. Let's see what are these, and how they work. A reflection DDoS attack in general looks like the following:

1. Attacker spoofs victim IP address, and generates lots of small request to a service (in this case NTP, but there are similar methods for DNS)

2. The server receives the request, and will generate a much larger answer (because of the request type)

This allows the attacker to have low bandwidth only, and can easily overload a much larger pipe, because of a much larger answer. If we add that multiple attackers can generate this traffic (e.g.: botnet) then we have a DDoS. How it looks in the NTP case:

1. Attacker spoofs the IP and sends a MON_GETLIST_1 command to the server. (In the screenshots below I just query my own NTP server to show the packets, and don't do any spoofing)

 

2. The server responds with the last 600(!!!) IP address who have connected to the server.

 
The specific NTP vulnerability is documented under: CVE-2013-5211

To show it, and get the above capture I started a NTP server on my Kali Linux:

root@kali:~# service ntp start
[ ok ] Starting NTP server: ntpd.

We can then query the list either with a single command:

root@kali:~# ntpdc -c monlist 127.0.0.1
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
bolha.lvs.iif.hu         123 192.168.1.10           3 4 4    1d0      1       0
login-vlan87.budapest.   123 192.168.1.10           4 4 4    1d0      1       0
bart.nexellent.net       123 192.168.1.10           3 4 4    1d0      1       1
194.38.104.240           123 192.168.1.10           4 4 4    1d0      1       1

or with using NMAP's ntp-monlist NSE script:

root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:07 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Target is synchronised with 193.224.65.146
|   Alternative Target Interfaces:
|       192.168.1.10   
|   Public Servers (4)
|       193.224.65.146  193.225.14.181  194.38.104.240  217.147.223.78 
|   Private Clients (1)
|_      127.0.0.1      

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

I uploaded the packet captures to the blog's "Packet Capture" page.

How we can secure our NTP server?

1. Update NTP server version to 4.2.7.p26 or later
2. Add "disable monitor" to the /etc/ntp.conf file

Once it's done, we will see the following responses:

root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:45 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
PORT    STATE SERVICE
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
root@kali:~# ntpdc -c monlist 127.0.0.1
***Server reports data not found
root@kali:~#

Kali Forensics: rahash2

Menu: Forensics -> Hashing Tools
Directory: N/A
Official website: https://github.com/radare/radare2
License: GPL 2/3

rahash2 is another hashing tool in the distribution, it's part of the radare2 malware reverse engineering toolkit. The unique thing about this application, is that it's capable hash only part of a file, or blocks of a file. It supports the following hashes: md4, md5, sha1, sha256, sha384, sha512, crc16, crc32, xor, xorpair, parity, mod255, hamdist, entropy, pcprint

Let's see it in action:

We can do regular hashes with specifying the algorithm (by default it's SHA-1), as with any other hashing tool:

root@kali:~# rahash2 -a sha1 radare2-master.zip
0x00000000-0x0036e170 sha1: 980fd175cc48b18707c92b9fbb05b4c33f88282c
 
root@kali:~# rahash2 -a md5 radare2-master.zip
0x00000000-0x0036e170 md5: 43cef41da5239d0a24d7d8497810c1d6

To calculate hashes of smaller blocks, we need to specify the blocksize (-b) and need to instruct to show per-block hashes (-B); if we forget this it will show only the full file hash, regardless of the block size.

root@kali:~# rahash2 -b 0x100000 -B radare2-master.zip
0x00000000-0x00100000 md5: 0409937fa5b8b4a9f86699ec690c91e9
0x00100000-0x00200000 md5: 05415f5dc59d38838db5bba658c4f695
0x00200000-0x00300000 md5: 81086380efabe5889e5fb9f2ca47c605
0x00300000-0x00400000 md5: 1b15a320dc9721aa5955300a434b8778
0x00000000-0x00100000 sha1: 1a50ae2df3f64f3b8c9a7669cbdafd308dc2b586
0x00100000-0x00200000 sha1: 2b7a3a1b63ed09feaf65197cef44397276463e80
0x00200000-0x00300000 sha1: 774f15a66c8b507e737818fa2cbe1110f71b4cf4
0x00300000-0x00400000 sha1: dfa5632239204ee50982ab870d2a7e0d4f058a1f

If we want we can calculate hashes only of a sub-portion of the file, with specifying the from (-f) and to (-t) options.

root@kali:~# rahash2 -b 0x100000 -B -f 0x100000 -t 0x200000 radare2-master.zip
0x00100000-0x00200000 md5: 05415f5dc59d38838db5bba658c4f695
0x00100000-0x00200000 sha1: 2b7a3a1b63ed09feaf65197cef44397276463e80

Kali Forensics: chntpw

Menu: Forensics -> Password Forensics Tools
Directory: N/A
Official website: http://pogostick.net/~pnh/ntpasswd/
License: GPL 2

As Kali Linux is out, I will continue to explore the available forensics tools coming with the distribution, which was not available in Backtrack. I will use the application menu as a basis.

The first tool is "chntpw", which is not strictly a forensic tool. This is basically a password reset utility for Windows. you need to shut down the Windows machine, boot in from a CD which has chntpw installed (e.g.: Kali) and use this on the SAM / system hives. The tool also offers setting a new password or editing the registry.

Here is in example:

The help is available via the usual "-h" option:

I have a sample SAM and system file from a Hungarian Windows XP. We can list the users with:

chntpw -l SAM system

As we can see it will list the available users and some other options, like lock status and if the actual account is administrator or not.

If we know which to reset, we can run:

chntpw -u Csabi

and it will offer us various options (reset password, set new, etc...) as you can see on the screenshot below.

We can also run the tool in full interactive mode with the "-i" option.