Changes

290 bytes added ,  19:14, 9 July 2022
Line 2: Line 2:     
IPscan includes the following tests to identify known weak protocols or poorly configured services, which may be exploited.
 
IPscan includes the following tests to identify known weak protocols or poorly configured services, which may be exploited.
      
It is important to note that the same exploits may well apply to IPv4 hosts running the same protocols.
 
It is important to note that the same exploits may well apply to IPv4 hosts running the same protocols.
    +
===Links to other material===
   −
Links to other areas of the wiki:
+
* [[IPv6]] - an overview of IPscan (IPv6 Port Scanner)
 
+
* [[IPv6_Firewalls]] - some observations on IPv6 firewalls and address selections
* [[IPv6 IPscan Firewall tester]] - an overview of IPscan (IPv6 Port Scanner)
+
* [[IPv6_Ports]] - a list of the default TCP/IP and UDP/IP ports which IPscan will test
* [[IPv6_Firewalls IPv6 Firewalls]] - some observations on IPv6 firewalls and address selections
+
* [[ScanStatus]] - a description of the reportable states for each tested TCP/IP or UDP/IP port
* [[IPv6_Ports IPscan default ports]] - a list of the default TCP/IP and UDP/IP ports which IPscan will test
+
* [[ScanAutomation]] - a quick overview of IPv6 TCP/UDP port scan automation using wget
* [[ScanStatus IPscan reporting]] - a description of the reportable states for each tested TCP/IP or UDP/IP port
+
* [[IPv6_DEBUG]] - some steps for debugging IPv6 access to the IPscan IPv6 Port Scanner
* [[ScanAutomation IPscan test automation]] - a quick overview of IPv6 TCP/UDP port scan automation using wget
+
* [[IPv6_Windows7]] - some useful Win7 IPv6-related commands
* [[IPv6_DEBUG IPscan Debug]] - some steps for debugging IPv6 access to my IPv6 Port Scanner
+
* [[Raspberry_Pi_IPv6_firewall_tester]] - a quick HowTo describing the steps to make your own RasPi-powered IPv6 firewall tester.
* [[IPv6_Windows7 Windows 7 IPv6]] - some useful Win7 IPv6-related commands
  −
* [[Raspberry_Pi_IPv6_firewall_tester RasPi IPv6 Firewall tester]] - a quick HowTo describing the steps to make your own RasPi-powered IPv6 firewall tester.  
  −
 
     −
===NTP Monitor List Query '''UDP/161[1]'''===
+
===NTP Monitor List Query '''UDP/123[1]'''===
    
The NTP protocol daemon, in versions prior to 4.2.7, supported a feature which reported a list of up to 600 clients which had used the queried NTP server as their time reference.  
 
The NTP protocol daemon, in versions prior to 4.2.7, supported a feature which reported a list of up to 600 clients which had used the queried NTP server as their time reference.  
    
If an attacker uses a spoofed source address then a victim can be flooded with considerable NTP traffic. The size of the response is typically considerably larger than the request and consequently the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.
 
If an attacker uses a spoofed source address then a victim can be flooded with considerable NTP traffic. The size of the response is typically considerably larger than the request and consequently the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.
  −
As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.
      
To prevent your NTP daemon being used in DDoS attacks it is necessary to disable “monlist” functionality. On a public-facing NTP server that cannot be updated to version 4.2.7 or later, add the “noquery” directive to the “restrict default” line in the system’s ntpd.conf, as shown below:
 
To prevent your NTP daemon being used in DDoS attacks it is necessary to disable “monlist” functionality. On a public-facing NTP server that cannot be updated to version 4.2.7 or later, add the “noquery” directive to the “restrict default” line in the system’s ntpd.conf, as shown below:
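Review bot: the removed paragraph beginning "As all versions of ntpd prior to 4.2.7 are vulnerable by default" was the only place that said the monitor list feature is on by default in those versions, and the retained paragraphs do not carry that over; consider folding "by default" into the retained "in versions prior to 4.2.7, supported a feature" sentence so operators of older daemons know they are exposed without having changed anything. While this section is being touched, the retained text still calls 4.2.7 "the latest version of NTP" and points at "ntpd.conf", whereas the daemon's configuration file is normally named ntp.conf. The heading correction from UDP/161[1] to UDP/123[1] matches the NTP port, but the "[1]" suffix is not explained in this section.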
Line 36: Line 31:  
See [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 CVE-2013-5211] for further details.
 
See [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 CVE-2013-5211] for further details.
    +
===SNMP Queries '''UDP/161'''===
    +
IPscan performs three SNMP queries. SNMP supports a variety of versions and authentication methods and since IPscan cannot know the credentials to use to test your system it defaults to using commonly-used, and therefore '''''insecure''''', community strings.
    +
<TABLE border="1" style="width:300px">
 +
<TR><TH>Port/Special Case</TH><TH>SNMP version</TH><TH>Test performed, credentials used</TH></TR>
 +
<TR><TD>UDP/161</TD><TD>v1</TD><TD>GET with 'public' community string</TD></TR>
 +
<TR><TD>UDP/161[1]</TD><TD>v2c</TD><TD>GET with 'private' community string</TD></TR>
 +
<TR><TD>UDP/161[2]</TD><TD>v3</TD><TD>EngineID Discovery, credentials not required</TD></TR>
 +
</TABLE>
   −
 
+
This website publishes a Privacy Policy. Continued use of this website implies your consent to the use of data outlined in the policy.
 
----
 
----
  −
  −
<adsense>1</adsense>
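Review bot: the new SNMP Queries section lists the three probes but, unlike the NTP section above it, gives no guidance on what a response means or how to fix it; add a sentence after the table saying that a reply to the 'public' or 'private' GET shows the agent accepts a default community string over IPv6, and that the remedy is to change or remove those strings or filter UDP/161 at the firewall. The intro sentence says the tests default to commonly-used community strings, while the v3 row states "credentials not required", so word it to cover both cases. On style, the raw HTML table with border="1" and style="width:300px" is narrow for three columns of text; wiki table markup without a fixed pixel width would render better.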
 
