【安全牛 Study Notes】NTP Amplification Attack
NTP Amplification Attack
Network Time Protocol (NTP)
- Keeps the clocks of network devices synchronized
- Interference between electronic components makes clocks drift further and further apart
- Clock drift affects normal operation of applications and makes audit logs untrustworthy
- Service port: UDP 123
Attack principle
- The NTP service provides a monlist (MON_GETLIST) query for monitoring the state of the NTP server
- When a client queries it, the NTP server returns the IPs of the last 600 clients that synchronized with it: 6 IPs per packet, at most 100 packets (an amplification factor of roughly 100x)
NTP Amplification Attack
Discovering the NTP service
- nmap -sU -p123 1.1.1.1 / 127.0.0.1
Discovering the vulnerability
- ntpdc -n -c monlist 1.1.1.1
- ntpq -c rv 1.1.1.1
- ntpdc -c sysinfo 192.168.20.5
Configuration file
- /etc/ntp.conf
  restrict -4 default kod nomodify notrap nopeer noquery
  restrict -6 default kod nomodify notrap nopeer noquery
yuanfh@Bodhi:~$ ifconfig
192.168.1.125
yuanfh@Bodhi:~$ sudo apt-get update
yuanfh@Bodhi:~$ sudo apt-get install ntp
yuanfh@Bodhi:~$ netstat -pantu | grep 123
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 192.168.1.125:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp6 0 0 fe00::a00:27ff:fe78:123 :::* -
udp6 0 0 ::1:123 :::* -
udp6 0 0 :::123 :::* -
root@K:~# nmap -sU -p123 192.168.1.0/24 --open
Starting Nmap 7.12 (https://nmap.org) at 2016-06-28 06:38 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
MAC Address: 14:75:90:21:4F:56 (Tp-link Technologies)
Nmap scan report for 192.168.1.115
Host is up (0.0018s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
MAC Address: 78:920:9C:03:6F:18 (Intel Corporate)
Nmap scan report for 192.168.1.125
Host is up (0.0018s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
MAC Address: 08:00:27:78:23:0D (Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.79 seconds
root@K:~# nmap -sU -p123 -sV 192.168.1.125
Starting Nmap 7.12 (https://nmap.org) at 2016-06-28 06:38 EDT
Nmap scan report for 192.168.1.125
Host is up (0.0018s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
MAC Address: 08:00:27:78:23:0D (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect result at https://nmap.org/submit/ .
Nmap done: 1 IP addresses (4 hosts up) scanned in 1.36 seconds
root@K:~# ntpdc -n -c monlist 192.168.1.125 // monlist refused: amplification attack not supported
192.168.1.125: time out, nothing received
***Request timed out
yuanfh@Bodhi:~$ sudo vi /etc/ntp.conf
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Comment out these two lines with # to disable them!
yuanfh@Bodhi:~$ sudo service ntp
force-reload restart start status stop try-restart
yuanfh@Bodhi:~$ sudo service ntp stop
* Stopping NTP server ntpd [ OK ]
yuanfh@Bodhi:~$ sudo service ntp start
* Starting NTP server ntpd [ OK ]
root@K:~# ntpdc -n -c monlist 192.168.1.125
remote address port local address count m ver rstr avgint lstint
===============================================================================
91.189.89.199 123 192.168.1.125 1 4 4 0 4 4
202.118.1.130 123 192.168.1.125 1 4 3 0 5 5
root@K:~# ntpdc -n -c monlist 192.168.1.125
remote address port local address count m ver rstr avgint lstint
===============================================================================
91.189.89.199 123 192.168.1.125 1 4 4 0 29 29
202.118.1.130 123 192.168.1.125 1 4 3 0 30 30
root@K:~# ntpdc -n -c monlist 192.168.1.125
remote address port local address count m ver rstr avgint lstint
===============================================================================
91.189.89.199 123 192.168.1.125 1 4 4 0 31 31
202.118.1.130 123 192.168.1.125 1 4 3 0 32 32
root@K:~# ntpq -c rv 192.168.1.125 // query the server-side configuration
associd=0 status=c011 leap_alarm, sync_unspec, 1 event, freq_not_set,
version="ntpd [email protected] Thu Feb 11 18:30:40 UTC 2016 (1)",
processor="x86_64", system="Linux/4.2.0-30-generic", leap=11, stratum=16,
precision=-23, rootdelay=0.000, rootdisp=1.560, refid=INIT,
reftime=00000000.00000000 Thu, Feb 7 2036 1:28:16.00
clock-db1cd43a.f78cda79 Thu, Jun 28 2016 6:47:22.966, peer=0, tc=3,
minc=3, offset=0.000, frequency=0.00., sys_jitter=0.000
clk_jitter=0.000, clk_wander=0.000
root@K:~# ntpdc -c sysinfo 192.168.1.125 // query other system information
system peer: 0.0.0.0
system peer mode: unspec
leap indicator: 11
stratum: 16
precision: -23
root distance: 0.00000 s
root dispersion: 0.00247 s
reference ID: [73.78.73.84]
reference time: 00000000.00000000 Thu, Feb 7 2036 1:28:16.00
system flags: auth monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
NTP Amplification Attack
Countermeasures against NTP attacks
- Upgrade to ntpd 4.2.7p26 or later (monlist queries are disabled by default)
- Manually disable the monlist query function
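As an added example (not part of the original notes), a small audit of /etc/ntp.conf that checks whether the default restriction of each address family carries the noquery flag that the notes commented out; it also generalizes to the restrict default ignore and disable monitor directives of ntpd, which block monlist as well. The two configuration samples are constructed.

```python
# Constructed samples: the weak configuration (restrict lines commented out,
# as the notes do to reproduce the issue) and the hardened one.
WEAK_CONF = """\
server 0.ubuntu.pool.ntp.org
#restrict -4 default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.ubuntu.pool.ntp.org
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def audit_ntp_conf(text):
    """Return findings (an empty list means mode 7 queries such as monlist
    are refused from arbitrary sources).

    Queries are blocked by 'noquery' or 'ignore' on the default restriction
    of each address family, or globally by 'disable monitor'.
    """
    protected = {"-4": False, "-6": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            return []                                # monitor off: nothing to list
        if tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        families = ("-4", "-6")                      # bare 'default' covers both
        if rest and rest[0] in families:
            families, rest = (rest[0],), rest[1:]
        if not rest or rest[0] != "default":
            continue                                 # per-host rule, not default
        if {"noquery", "ignore"} & set(rest[1:]):
            for fam in families:
                protected[fam] = True
    return ["restrict %s default lacks noquery: monlist reachable over IPv%s"
            % (fam, fam[1]) for fam, ok in protected.items() if not ok]
```

Run it over the live file with `audit_ntp_conf(open("/etc/ntp.conf").read())`; an empty result matches the state in which ntpdc above reported "Request timed out".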