获取NTP服务器最后活动的IP地址、monlist 命令

来源:岁月联盟 编辑:exp 时间:2012-03-13
测试NTP 时间服务器用的,ntp_ip_enum.py,源码如下:
 
#!/usr/bin/env python
"""
Basic script to pull addresses from a NTP server using the monlist command. Can also output Maltego resultset.
 
Gert Burger <gert A@T sensepost.com>
SensePost (Pty) Ltd
www.sensepost.com
 
This work is licensed under the Creative Commons Attribution 2.5 South Africa License available at http://creativecommons.org/licenses/by/2.5/za/ www.2cto.com
 
Edited by SECUREPLA.NET
"""
from struct import unpack, pack
import socket
import select
import sys
import string
 
OUTPUT_FORMAT='normal'  #'maltego' for maltego xml or any other string for normal output
DEBUG=False             #Enables basic debug info
TIMEOUT=2               #Read timeout in seconds
TRIES=3                 #Number of times to do the monlist request
filename="NTP.txt"
 
 
def int_ip_to_str(ip_num):
    return socket.inet_ntoa(pack('!L', ip_num))
 
def str_ip_to_int(ip):
    return unpack('!L',socket.inet_aton(ip))
 
def get_payload():
    return """/x17/x00/x02/x2a/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"""
 
def parse_monlist_packet(data):
    result = dict(response=False, more=False, error=None, records=[])
 
    if len(data) < 8:
        result['error'] = 'NO_HEADER'
        return result
 
    ntp_flags, ntp_auth, ntp_vers, ntp_req_code, num_items, item_size  = unpack('!BBBBHH', data[0:8])
    data = data[8:]
 
    result['response'] = ntp_flags & (1 << 7) > 0
    result['more'] = ntp_flags & (1 << 6) > 0
 
    if not result['response']: #Return if its a request
        result['error'] = "REQUEST_PACKET"
    elif ntp_req_code == 42: #Check if its a monlist packet
        if DEBUG: print "item_size[%s] /tnum_items[%s] /tlen(data)[%s]" % (item_size, num_items, len(data))
 
        if item_size != 32:
            result['error'] = "WRONG_ITEM_SIZE"
        elif num_items < 1:
            result['error'] = "WRONG_ITEM_COUNT"
        elif len(data) < num_items*item_size:
            result['error'] = "SHORT_PACKET"
        else:
            for offset in range(0, num_items*item_size, item_size):
                parts = unpack('!IIIIIIII', data[offset:offset+item_size])
                ip = int_ip_to_str(parts[4])
                port = parts[7]
                result['records'].append((ip, port))
    else:
        result['error'] = "WRONG_REQUEST_CODE"
 
    return result
 
def fetch(ntp_server, timeout=5):
    def send_payload(sock, target):
        data = get_payload()
        bytes_sent = sock.sendto(data, (target, 123))
        if bytes_sent != len(data) and DEBUG:
            print "Failed to send payload"
 
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(('0.0.0.0', 0))
 
    send_payload(sock, ntp_server)
 
    results = set()
    count = 0
    while True:
        rlist, wlist, xlist = select.select([sock], [], [], TIMEOUT)
        if sock in rlist:
            data, addr = sock.recvfrom(1024)
            ret = parse_monlist_packet(data)
            if ret['error']:
                if DEBUG: print "Error parsing packet[%s]" % ret['error']
            else:
                results.update([x[0] for x in ret['records']])
        else:
            count += 1
            if count >= TRIES:
                break
            send_payload(sock, ntp_server)
 
    return list(results)
 
 
def print_maltego(results):
    from xml.dom.minidom import Document
    doc = Document()
    mm = doc.createElement('MaltegoMessage')
    doc.appendChild(mm)
    mtrm = doc.createElement('MaltegoTransformResponseMessage')
    mm.appendChild(mtrm)
    entities = doc.createElement('Entities')
    mtrm.appendChild(entities)
 
    for result in results:
        entity = doc.createElement('Entity')
        entity.setAttribute('Type', 'IPAddress')
 
        value = doc.createElement('Value')
        value_node = doc.createTextNode(result)
 
        value.appendChild(value_node)
        entity.appendChild(value)
        entities.appendChild(entity)
 
    output = doc.toxml()
    print output[output.index("<Maltego"):] # Hack to rip out <? xml ?> so that maltego can function
 
 
if __name__ == '__main__':
    if len(sys.argv) > 1:
        targets = sys.argv[1:]     
    else:
        print "Usage: %s target ntp servers/n/nThis script will return a unique set of IP's obtained from the list of ntp servers via the monlist command" % sys.argv[0]
        sys.exit(-1)
 
    results = set()
    for target in targets:
        results.update(fetch(target))
        results = sorted(results, key=str_ip_to_int)
 
    if str(OUTPUT_FORMAT).lower() == 'maltego':
        print_maltego(results)
    else:
        delimiter = '/n'
        print "Target host: %s" % targets
        print "------------------------------- MonList ------------------------------"
        print delimiter.join(results)
        print "------------------------------- MonList ------------------------------"
        print "Number of results %s" % len(results)
        #FILE = open(filename,"a")
        #FILE.writelines("-------------------------------NTP List------------------------------")
        #FILE.writelines("/n")
        #FILE.writelines("Target host: ")
        #FILE.writelines(targets)
        #FILE.writelines("/n")
        #FILE.writelines("/n".join(results))
        #FILE.writelines("/n")
        #FILE.writelines("Number of results %s" % len(results))
        #print "Completed.  Check NTP.txt"
 
#spidermark sensepostdata ntp_monlist.py
 
 
摘自 :Nuclear'Atk 网络安全研究中心,本文地址:http://lcx.cc/?FoxNews=2307.html

图片内容