{"id":59335,"date":"2024-09-01T04:10:32","date_gmt":"2024-09-01T01:10:32","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180934\/udp_amplification.rb.txt"},"modified":"2024-09-01T04:10:32","modified_gmt":"2024-09-01T01:10:32","slug":"udp-amplification-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/udp-amplification-scanner\/","title":{"rendered":"UDP Amplification Scanner"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Auxiliary::DRDoS<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Auxiliary::UDPScanner<\/p>\n<p>def initialize<br \/>super(<br \/>&#8216;Name&#8217; =&gt; &#8216;UDP Amplification Scanner&#8217;,<br \/>&#8216;Description&#8217; =&gt; &#8216;Detect UDP endpoints with UDP amplification vulnerabilities&#8217;,<br \/>&#8216;Author&#8217; =&gt; &#8216;Jon Hart &lt;jon_hart[at]rapid7.com&gt;&#8217;,<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[&#8216;CVE&#8217;, &#8216;2013-5211&#8217;], # see also scanner\/ntp\/ntp_monlist.rb<br \/>[&#8216;URL&#8217;, &#8216;https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/TA14-017A&#8217;]])<\/p>\n<p>register_options(<br \/>[<br \/>OptString.new(&#8216;PORTS&#8217;, [true, &#8216;Ports to probe&#8217;]),<br \/>OptString.new(&#8216;PROBE&#8217;, [false, &#8216;UDP payload\/probe to send. Unset for an empty UDP datagram, or the `file:\/\/` resource to get content from a local file&#8217;])<br \/>])<\/p>\n<p># RPORT is unused in this scanner module because it supports multiple ports<br \/>deregister_options(&#8216;RPORT&#8217;)<br \/>end<\/p>\n<p>def setup<br \/>super<\/p>\n<p>unless (@ports = Rex::Socket.portspec_crack(datastore[&#8216;PORTS&#8217;]))<br \/>fail_with(Failure::BadConfig, &#8220;Unable to extract list of ports from #{datastore[&#8216;PORTS&#8217;]}&#8221;)<br \/>end<\/p>\n<p>@probe = datastore[&#8216;PROBE&#8217;] ? datastore[&#8216;PROBE&#8217;] : &#8221;<br \/>end<\/p>\n<p>def scanner_prescan(batch)<br \/>print_status(&#8220;Sending #{@probe.length}-byte probes to #{@ports.length} port(s) on #{batch[0]}-&gt;#{batch[-1]} (#{batch.length} hosts)&#8221;)<br \/>@results ||= {}<br \/>end<\/p>\n<p>def scan_host(ip)<br \/>@ports.each do |port|<br \/>scanner_send(@probe, ip, port)<br \/>end<br \/>end<\/p>\n<p># Called for each response packet, overriding UDPScanner&#8217;s so that we can<br \/># store all responses on a per-host, per-port basis<br \/>def scanner_process(data, shost, sport)<br \/>@results[shost] ||= {}<br \/>@results[shost][sport] ||= []@results[shost][sport] &lt;&lt; data<br \/>end<\/p>\n<p>def scanner_postscan(batch)<br \/>batch.each do |shost|<br \/>next unless @results.key?(shost)<br \/>@results[shost].each_pair do |sport, responses|<br \/>report_service(host: shost, port: sport, proto: &#8216;udp&#8217;, info: responses.inspect, state: &#8216;open&#8217;)<br \/>vulnerable, proof = prove_amplification(@probe =&gt; responses)<br \/>next unless vulnerable<br \/>print_good(&#8220;#{shost}:#{sport} &#8211; susceptible to UDP amplification: #{proof}&#8221;)<br \/>report_vuln(<br \/>host: shost,<br \/>port: sport,<br \/>proto: &#8216;udp&#8217;,<br \/>name: &#8216;UDP amplification&#8217;,<br \/>refs: references<br \/>)<br \/>end<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Auxiliary::DRDoSinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::UDPScanner def initializesuper(&#8216;Name&#8217; =&gt; &#8216;UDP Amplification Scanner&#8217;,&#8216;Description&#8217; =&gt; &#8216;Detect UDP endpoints with UDP amplification vulnerabilities&#8217;,&#8216;Author&#8217; =&gt; &#8216;Jon Hart &lt;jon_hart[at]rapid7.com&gt;&#8217;,&#8216;License&#8217; =&gt; MSF_LICENSE,&#8216;References&#8217; =&gt;[[&#8216;CVE&#8217;, &#8216;2013-5211&#8217;], # see also scanner\/ntp\/ntp_monlist.rb[&#8216;URL&#8217;, &#8216;https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/TA14-017A&#8217;]]) register_options([OptString.new(&#8216;PORTS&#8217;, [true, &#8216;Ports to probe&#8217;]),OptString.new(&#8216;PROBE&#8217;, [false, &#8216;UDP payload\/probe to send. Unset for &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59335","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59335"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59335\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}