Closed robertdavidgraham closed 10 years ago
kicdu
commented
10 years ago I have most of it already coded, need to test it and do some clean up.
Later I'll push a pull request so you can look at it and test it. If it's ok with you merge it in mainline.
robertdavidgraham
commented
10 years ago Lol, I, too, am nearly complete on a solution. Mine is to send a simple packet, then decode the first packet in response.
kicdu
commented
10 years ago Yep, I was doing the same thing. :) Btw. Have you thought about implementing some kind of reception loop to resolve situations where one request gives multiple response packets?
So, never mind, push your NTP solution and I'll add something if I have.
robertdavidgraham
commented
10 years ago I'm thinking of a solution. If you look at my changes I'm adding "script"/"plugin" logic, whereby the responses are handled by a connection-tracking logic similar to TCP.
For right now, though, I'm just doing just the bare minimum to do the basic detection.
robertdavidgraham
commented
10 years ago Right now, it looks like: C:\dev\masscan>bin\masscan 78.46.52.39 -pU:123 --banners
Starting masscan 1.0.2 (http://bit.ly/14GZzcT) at 2014-01-23 00:01:42 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [1 port/host] Banner on port 123/udp on 78.46.52.39: [ntp] XNTPD MON_GETLIST_1 response-size=432-bytes more=true Discovered open port 123/udp on 78.46.52.39 Banner on port 123/udp on 78.46.52.39: [ntp] XNTPD MON_GETLIST_1 response-size=432-bytes more=true Discovered open port 123/udp on 78.46.52.39 Banner on port 123/udp on 78.46.52.39: [ntp] XNTPD MON_GETLIST_1 response-size=216-bytes more=false Discovered open port 123/udp on 78.46.52.39
I'm going to do an entire Internet scan with this and see the results.
Need to add NTP logic to check for the DDoS capable servers