{"id":59379,"date":"2024-09-01T22:40:06","date_gmt":"2024-09-01T19:40:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181210\/portmap_amp.rb.txt"},"modified":"2024-09-01T22:40:06","modified_gmt":"2024-09-01T19:40:06","slug":"portmapper-amplification-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/portmapper-amplification-scanner\/","title":{"rendered":"Portmapper Amplification Scanner"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Auxiliary::UDPScanner<br \/>include Msf::Auxiliary::DRDoS<\/p>\n<p>def initialize<br \/>super(<br \/>&#8216;Name&#8217; =&gt; &#8216;Portmapper Amplification Scanner&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module can be used to discover Portmapper services which can be used in an<br \/>amplification DDoS attack against a third party.<br \/>},<br \/>&#8216;Author&#8217; =&gt; [&#8216;xistence &lt;xistence[at]0x90.nl&gt;&#8217;],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[&#8216;CVE&#8217;, &#8216;2013-5211&#8217;], # see also scanner\/ntp\/ntp_monlist.rb<br \/>[&#8216;URL&#8217;, &#8216;https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/TA14-017A&#8217;],<br \/>[&#8216;URL&#8217;, &#8216;http:\/\/blog.level3.com\/security\/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry\/&#8217;]],<br \/>)<\/p>\n<p>register_options( [<br \/>Opt::RPORT(111),<br \/>])<br \/>end<\/p>\n<p>def rport<br \/>datastore[&#8216;RPORT&#8217;]end<\/p>\n<p>def xid_summary<br \/>@xid_summary ||= [Rex::Text::rand_text_numeric(8).to_i].pack(&#8216;N&#8217;)<br \/>end<\/p>\n<p>def xid_dump<br \/>@xid_dump ||= [Rex::Text::rand_text_numeric(8).to_i].pack(&#8216;N&#8217;)<br \/>end<\/p>\n<p>def xid_metrics<br \/>@xid_metrics ||= [Rex::Text::rand_text_numeric(8).to_i].pack(&#8216;N&#8217;)<br \/>end<\/p>\n<p>def setup<br \/>super<\/p>\n<p># RPC DUMP (Program version: 3) request: rpcinfo -T udp -s &lt;IP&gt;<br \/>@portmap_summary = &#8221;<br \/>@portmap_summary &lt;&lt; xid_summary # Random ID<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Message Type: 0 (Call)<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x02&#8221; # RPC Version: 2<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x01\\x86\\xa0&#8221; # Program: Portmap (10000)<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x03&#8221; # Program version: 3<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x04&#8221; # Procedure: DUMP (4)<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Flavor: AUTH_NULL (0)<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Length: 0<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Flavor: AUTH_NULL (0)<br \/>@portmap_summary &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Length: 0<\/p>\n<p># RPC DUMP (Program version: 2) request: rpcinfo -T udp -p &lt;IP&gt;<br \/>@portmap_dump = &#8221;<br \/>@portmap_dump &lt;&lt; xid_dump # Random ID<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Message Type: 0 (Call)<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x02&#8221; # RPC Version: 2<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x01\\x86\\xa0&#8221; # Program: Portmap (10000)<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x02&#8221; # Program version: 2<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x04&#8221; # Procedure: DUMP (4)<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Flavor: AUTH_NULL (0)<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Length: 0<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Flavor: AUTH_NULL (0)<br \/>@portmap_dump &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Length: 0<\/p>\n<p># RPC GETSTAT request: rpcinfo -T udp -m &lt;IP&gt;<br \/>@portmap_metrics = &#8221;<br \/>@portmap_metrics &lt;&lt; xid_metrics # Random ID<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Message Type: 0 (Call)<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x02&#8221; # RPC Version: 2<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x01\\x86\\xa0&#8221; # Program: Portmap (10000)<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x04&#8221; # Program version: 4<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x0c&#8221; # Procedure: GETSTAT (12)<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Flavor: AUTH_NULL (0)<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Credentials Length: 0<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Flavor: AUTH_NULL (0)<br \/>@portmap_metrics &lt;&lt; &#8220;\\x00\\x00\\x00\\x00&#8221; # Verifier Length: 0<br \/>end<\/p>\n<p>def scanner_prescan(batch)<br \/>print_status(&#8220;Sending Portmap RPC probes to #{batch[0]}-&gt;#{batch[-1]} (#{batch.length} hosts)&#8221;)<br \/>@results_summary = {}<br \/>@results_dump = {}<br \/>@results_metrics = {}<br \/>end<\/p>\n<p>def scan_host(ip)<br \/>if spoofed?<br \/>datastore[&#8216;ScannerRecvWindow&#8217;] = 0<br \/>scanner_spoof_send(@portmap_summary, ip, rport, datastore[&#8216;SRCIP&#8217;], datastore[&#8216;NUM_REQUESTS&#8217;])<br \/>scanner_spoof_send(@portmap_dump, ip, rport, datastore[&#8216;SRCIP&#8217;], datastore[&#8216;NUM_REQUESTS&#8217;])<br \/>scanner_spoof_send(@portmap_metrics, ip, rport, datastore[&#8216;SRCIP&#8217;], datastore[&#8216;NUM_REQUESTS&#8217;])<br \/>else<br \/>scanner_send(@portmap_summary, ip, rport)<br \/>scanner_send(@portmap_dump, ip, rport)<br \/>scanner_send(@portmap_metrics, ip, rport)<br \/>end<br \/>end<\/p>\n<p>def scanner_process(data, shost, sport)<br \/>if data =~ \/#{@xid_summary}\\x00\\x00\\x00\\x01\/<br \/>@results_summary[shost] ||= []@results_summary[shost] &lt;&lt; data<br \/>elsif data =~ \/#{@xid_metrics}\\x00\\x00\\x00\\x01\/<br \/>@results_metrics[shost] ||= []@results_metrics[shost] &lt;&lt; data<br \/>elsif data =~ \/#{@xid_dump}\\x00\\x00\\x00\\x01\/<br \/>@results_dump[shost] ||= []@results_dump[shost] &lt;&lt; data<br \/>else<br \/>vprint_error(&#8220;Skipping #{data.size}-byte non-Portmap response from #{shost}:#{sport}&#8221;)<br \/>end<br \/>end<\/p>\n<p># Called after the scan block<br \/>def scanner_postscan(batch)<br \/>@results_summary.keys.each do |k|<br \/>response_map_summary = { @portmap_summary =&gt; @results_summary[k] }<br \/>what = &#8216;Portmap RPC DUMP (Program version: 3) amplification&#8217;<br \/>report_result(k, what, response_map_summary)<br \/>end<\/p>\n<p>@results_dump.keys.each do |k|<br \/>response_map_dump = { @portmap_dump =&gt; @results_dump[k] }<br \/>what = &#8216;Portmap RPC DUMP (Program version: 2) amplification&#8217;<br \/>report_result(k, what, response_map_dump)<br \/>end<\/p>\n<p>@results_metrics.keys.each do |k|<br \/>response_map_metrics = { @portmap_summary =&gt; @results_metrics[k] }<br \/>what = &#8216;Portmap RPC GETSTAT amplification&#8217;<br \/>report_result(k, what, response_map_metrics)<br \/>end<br \/>end<\/p>\n<p>def report_result(host, attack, map)<br \/>report_service(<br \/>host: host,<br \/>proto: &#8216;udp&#8217;,<br \/>port: rport,<br \/>name: &#8216;portmap&#8217;<br \/>)<\/p>\n<p>peer = &#8220;#{host}:#{rport}&#8221;<br \/>vulnerable, proof = prove_amplification(map)<br \/>if vulnerable<br \/>print_good(&#8220;#{peer} &#8211; Vulnerable to #{attack}: #{proof}&#8221;)<br \/>report_vuln(<br \/>host: host,<br \/>port: rport,<br \/>proto: &#8216;udp&#8217;,<br \/>name: attack,<br \/>refs: references<br \/>)<br \/>else<br \/>vprint_status(&#8220;#{peer} &#8211; Not vulnerable to #{attack}: #{proof}&#8221;)<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::UDPScannerinclude Msf::Auxiliary::DRDoS def initializesuper(&#8216;Name&#8217; =&gt; &#8216;Portmapper Amplification Scanner&#8217;,&#8216;Description&#8217; =&gt; %q{This module can be used to discover Portmapper services which can be used in anamplification DDoS attack against a third party.},&#8216;Author&#8217; =&gt; [&#8216;xistence &lt;xistence[at]0x90.nl&gt;&#8217;],&#8216;License&#8217; =&gt; MSF_LICENSE,&#8216;References&#8217; =&gt;[[&#8216;CVE&#8217;, &#8216;2013-5211&#8217;], # see also scanner\/ntp\/ntp_monlist.rb[&#8216;URL&#8217;, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59379","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59379"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59379\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}