UDP Amplification Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/udp/udp_amplification metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Table Of Contents
hide
Module Overview
Name: UDP Amplification Scanner
Module: auxiliary/scanner/udp/udp_amplification
Source code: modules/auxiliary/scanner/udp/udp_amplification.rb
Disclosure date: -
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2013-5211
Detect UDP endpoints with UDP amplification vulnerabilities
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/udp/udp_amplification
msf auxiliary(udp_amplification) > show options
... show and set options ...
msf auxiliary(udp_amplification) > set RHOSTS ip-range
msf auxiliary(udp_amplification) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(udp_amplification) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(udp_amplification) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(udp_amplification) > set RHOSTS file:/tmp/ip_list.txt
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
PORTS: Ports to probe
Knowledge Base
Vulnerable Application
Any reachable UDP endpoint is a potential target.
Verification Steps
Example steps in this format:
- Start
msfconsole - Do:
use auxiliary/scanner/udp/udp_amplification - Do
set RHOSTS [targets], replacing[targets]with the hosts you wish to assess. - Do
set PORTS [ports], replacing[ports]with the list of UDP ports you wish to assess on each asset. - Optionally,
set PROBE [probe], replacing[probe]with a string orfile://resource to serve as the UDP payload - Do:
run - If any of the endpoints were discovered to be vulnerable to UDP amplification with the probe you specified, status will be printed indicating as such.
Options
PORTS
This is the list of ports to test for UDP amplification on each host.
Formats like 1,2,3, 1-3, 1,2-3, etc, are all supported. You'll
generally only want to specify a small, targeted set of ports with an
appropriately tailored PROBE value, described below
PROBE
This is the payload to send in each UDP datagram. Unset or set to the empty
string '' or "" to send empty UDP datagrams, or use the file://
resource to specify a local file to serve as the UDP payload.
Scenarios
resource (amp.rc)> use auxiliary/scanner/udp/udp_amplification
resource (amp.rc)> set RHOSTS 10.10.16.0/20 192.168.3.0/23
RHOSTS => 10.10.16.0/20 192.168.3.0/23
resource (amp.rc)> set PORTS 17,19,12345
PORTS => 17,19,12345
resource (amp.rc)> set THREADS 100
THREADS => 100
resource (amp.rc)> set PROBE 'test'
PROBE => test
resource (amp.rc)> run
[*] Sending 4-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
[*] Sending 4-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
[*] Scanned 512 of 4608 hosts (11% complete)
[+] 10.10.17.153:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 10.10.20.47:17 - susceptible to UDP amplification: No packet amplification and a 40x, 159-byte bandwidth amplification
[*] Scanned 2560 of 4608 hosts (55% complete)
[+] 10.10.23.199:19 - susceptible to UDP amplification: No packet amplification and a 256x, 1020-byte bandwidth amplification
[+] 10.10.23.248:17 - susceptible to UDP amplification: No packet amplification and a 26x, 103-byte bandwidth amplification
[*] Scanned 3584 of 4608 hosts (77% complete)
[*] Scanned 3840 of 4608 hosts (83% complete)
[+] 10.10.30.202:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[*] Scanned 4096 of 4608 hosts (88% complete)
[+] 192.168.3.64:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.71:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.73:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.77:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.100:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.3.118:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
[+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
[*] Scanned 4352 of 4608 hosts (94% complete)
[+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
[*] Scanned 4608 of 4608 hosts (100% complete)
[*] Auxiliary module execution completed
Similarly, but with empty UDP datagrams instead:
resource (amp.rc)> unset PROBE
Unsetting PROBE...
resource (amp.rc)> run
[*] Sending 0-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
[*] Sending 0-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
[+] 10.10.17.229:17 - susceptible to UDP amplification: No packet amplification and a 107x, 107-byte bandwidth amplification
[+] 10.10.26.252:19 - susceptible to UDP amplification: No packet amplification and a 3892x, 3892-byte bandwidth amplification
[*] Scanned 4096 of 4608 hosts (88% complete)
[+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
[+] 192.168.3.114:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
[+] 192.168.3.115:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
[+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
[+] 192.168.3.184:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
[*] Scanned 4352 of 4608 hosts (94% complete)
[+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
[+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
[*] Scanned 4608 of 4608 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/udp/udp_amplification auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/udp/udp_amplification
msf6 auxiliary(scanner/udp/udp_amplification) > show info
Name: UDP Amplification Scanner
Module: auxiliary/scanner/udp/udp_amplification
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Jon Hart <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
PORTS yes Ports to probe
PROBE no UDP payload/probe to send. Unset for an empty UDP datagram, or the `file://` resource to get content from a local file
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 10 yes The number of concurrent threads
Description:
Detect UDP endpoints with UDP amplification vulnerabilities
References:
https://nvd.nist.gov/vuln/detail/CVE-2013-5211
https://www.us-cert.gov/ncas/alerts/TA14-017A
Module Options
This is a complete list of options available in the scanner/udp/udp_amplification auxiliary module:
msf6 auxiliary(scanner/udp/udp_amplification) > show options
Module options (auxiliary/scanner/udp/udp_amplification):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
PORTS yes Ports to probe
PROBE no UDP payload/probe to send. Unset for an empty UDP datagram, or the `file://` resource to get content from a local file
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 10 yes The number of concurrent threads
Advanced Options
Here is a complete list of advanced options supported by the scanner/udp/udp_amplification auxiliary module:
msf6 auxiliary(scanner/udp/udp_amplification) > show advanced
Module advanced options (auxiliary/scanner/udp/udp_amplification):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
NUM_REQUESTS 1 no Number of requests to send
SRCIP no Use this source IP
ScannerMaxResends 10 yes The maximum times to resend a packet when out of buffers
ScannerRecvInterval 30 yes The maximum numbers of sends before entering the processing loop
ScannerRecvQueueLimit 100 yes The maximum queue size before breaking out of the processing loop
ScannerRecvWindow 15 yes The number of seconds to wait post-scan to catch leftover replies
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/udp/udp_amplification module can do:
msf6 auxiliary(scanner/udp/udp_amplification) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/udp/udp_amplification auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/udp/udp_amplification) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Error Messages
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Unable to extract list of ports from <PORTS>
Here is a relevant code snippet related to the "Unable to extract list of ports from <PORTS>" error message:
34:
35: def setup
36: super
37:
38: unless (@ports = Rex::Socket.portspec_crack(datastore['PORTS']))
39: fail_with(Failure::BadConfig, "Unable to extract list of ports from #{datastore['PORTS']}")
40: end
41:
42: @probe = datastore['PROBE'] ? datastore['PROBE'] : ''
43: end
44:
Go back to menu.
Related Pull Requests
- #8518 Merged Pull Request: update CVE reference in where modules report_vuln
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
References
See Also
Check also the following modules related to this module:
- auxiliary/scanner/ntp/ntp_monlist
- auxiliary/scanner/ntp/ntp_peer_list_dos
- auxiliary/scanner/ntp/ntp_peer_list_sum_dos
- auxiliary/scanner/ntp/ntp_readvar
- auxiliary/scanner/ntp/ntp_req_nonce_dos
- auxiliary/scanner/ntp/ntp_reslist_dos
- auxiliary/scanner/ntp/ntp_unsettrap_dos
- auxiliary/scanner/portmap/portmap_amp
- auxiliary/scanner/upnp/ssdp_amp
- auxiliary/scanner/discovery/udp_probe
- auxiliary/scanner/discovery/udp_sweep
- auxiliary/scanner/discovery/empty_udp
- auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum
- auxiliary/scanner/memcached/memcached_udp_version
- auxiliary/scanner/motorola/timbuktu_udp
- auxiliary/scanner/pcanywhere/pcanywhere_udp
- exploit/linux/misc/netcore_udp_53413_backdoor
- exploit/windows/brightstor/discovery_udp
- exploit/windows/license/sentinel_lm7_udp
- payload/cmd/unix/bind_socat_udp
- payload/cmd/unix/python/shell_reverse_udp
- payload/cmd/unix/reverse_bash_udp
- payload/cmd/unix/reverse_socat_udp
- payload/cmd/windows/powershell/custom/reverse_udp
- payload/cmd/windows/powershell/shell/reverse_udp
- payload/cmd/windows/powershell/upexec/reverse_udp
- payload/python/shell_reverse_udp
- payload/windows/custom/reverse_udp
- payload/windows/shell/reverse_udp
- payload/windows/upexec/reverse_udp
Authors
Jon Hart <jon_hart[at]rapid7.com>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
