Skip to content

Commit

Permalink
Add documentation to the module with testing steps
Browse files Browse the repository at this point in the history
  • Loading branch information
zeroSteiner committed Dec 20, 2024
1 parent a68b9dc commit 5385b3d
Showing 1 changed file with 94 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
## Vulnerable Application

## Verification Steps

1. Use the supplied Dockerfile to start a vulnerable instance of the application
1. Build it with: `docker build -t ntpd:4.2.8p3 .`
1. Run it with: `docker run --rm -it --name ntp-server -p 123:123/udp ntpd:4.2.8p3`
1. Start `msfconsole` and use the module
1. Set the `RHOSTS` value as necessary
1. Run the module and see that the target is vulnerable

### Dockerfile
Use this as `ntp.conf`:
```
# Basic NTP configuration
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
# Enable authentication for secure associations
enable auth
# Define trusted keys
trustedkey 1
# Open restrictions for all clients on the local network (example: 192.168.0.0/16)
restrict default kod nomodify notrap
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.0.0 autokey
# Uncomment to allow all clients (use cautiously)
# restrict default kod nomodify notrap
```

Use this as `Dockerfile`:
```
ARG version=4.2.8p3
FROM ubuntu:16.04
ARG version
# Install dependencies
RUN apt-get update && apt-get install -y \
wget \
build-essential \
libcap-dev \
libssl-dev && \
apt-get clean
# Download and build NTPD
WORKDIR /tmp
RUN wget https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-$version.tar.gz && \
tar -xzf ntp-$version.tar.gz && \
cd ntp-$version && \
./configure --prefix=/usr/local --enable-linuxcaps && \
make && \
make install && \
cd .. && \
rm -rf ntp-$version*
# Add configuration file
COPY ntp.conf /etc/ntp.conf
# Expose NTP port (123)
EXPOSE 123/udp
# Run ntpd
ENTRYPOINT ["/usr/local/bin/ntpd"]
CMD ["-g", "-d", "-d"]
```

## Options

## Scenarios

### Ubuntu 16.04 NTPd 4.2.8p3

```
metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > set RHOSTS 192.168.159.128, 192.168.159.10
RHOSTS => 192.168.159.128, 192.168.159.10
metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
[+] 192.168.159.128:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) >
```

0 comments on commit 5385b3d

Please sign in to comment.