For NTP, masscan (1.3.1) sends "monlist" packets by default. We only get responses from IPs that have this feature enabled (which is great for NTP amplification DDoS attacks). Since the others send no response, we miss open NTP servers that don't have this feature.
$ masscan -pU:123 <ip>
# tcpdump capture for IP with no monlist
x → <ip> NTP 92 NTP Version 2, private, Request, MON_GETLIST_1
# no response
We need to send a payload to which the target IP will respond. You can specify UDP payloads using --pcap-payloads or --nmap-payloads. Using the latter, we can check the payloads available in /usr/share/nmap/nmap-payloads. Currently there are two there, and this one works:
# NTPRequest
udp 123
"\xE3\x00\x04\xFA\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xC5\x4F\x23\x4B\x71\xB1\x52\xF3"
Store it in a file named nmap-payloads-ntpv4-mode3 and use it:
$ masscan -pU:123 --nmap-payloads nmap-payloads-ntpv4-mode3 -oG results.txt <ip>
# tcpdump capture
x → <ip> NTP 92 NTP Version 4, client
<ip> → x NTP 92 NTP Version 4, server
$ cat results.txt
# Masscan 1.3.1 scan initiated Sat Jan 30 23:04:20 2021
# Ports scanned: TCP(0;) UDP(1;65659-65659) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1612047860 Host: <ip> () Ports: 123/open/udp//ntp//
# Masscan done at Sat Jan 30 23:04:30 2021
We may also steal nmap's ntp-info script payload, which is basically the same but uses NTPv2.
-- /usr/share/nmap/scripts/ntp-info.nse
-- This is a ntp v2 mode3 (client) date/time request.
local treq = string.char(
0xd3, 0x00, 0x04, 0xfa, 0x00, 0x01, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00)
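As an added example (not from the original post, nor from masscan or nmap), the following Python decodes the first NTP header byte, which is what tcpdump reports above as "Version 4, client" and "Version 2, private", rebuilds the same mode-3 request for a chosen version, and flags the mode-7 probes that an NTP operator would want to filter at the edge. The two payload byte strings are copied from this page; the helper names and the sample server reply are constructed.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}

# The two 48-byte requests quoted on the page: the nmap-payloads NTPRequest
# (NTPv4 mode 3) and the ntp-info.nse request (NTPv2 mode 3).
NMAP_NTPV4_MODE3 = bytes.fromhex(
    "e30004fa000100000001000000000000"
    "00000000000000000000000000000000"
    "0000000000000000c54f234b71b152f3")
NTP_INFO_V2_MODE3 = bytes([0xd3, 0x00, 0x04, 0xfa, 0x00, 0x01, 0x00, 0x00,
                           0x00, 0x01] + [0x00] * 30 + [0xff] * 7 + [0x00])


def parse_ntp_header(pkt):
    """Decode the fixed 48-byte header: byte 0 is LI (2 bits), version (3 bits),
    mode (3 bits); bytes 40-47 hold the transmit timestamp."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    li, vn, mode = pkt[0] >> 6, (pkt[0] >> 3) & 0x7, pkt[0] & 0x7
    secs, frac = struct.unpack("!II", pkt[40:48])
    return {
        "li": li, "version": vn, "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "reserved"),
        "stratum": pkt[1], "poll": pkt[2],
        "precision": struct.unpack("!b", pkt[3:4])[0],
        "transmit_unix": secs - NTP_UNIX_OFFSET + frac / 2**32,
    }


def build_client_request(version=4):
    """Build a mode-3 (client) request shaped like the ones above: LI=3
    (unsynchronised), the given version, poll=4, precision=-6, root delay
    and root dispersion 1.0 s, all timestamps zero."""
    first = (3 << 6) | (version << 3) | 3
    return bytes([first, 0, 4, 0xfa, 0, 1, 0, 0, 0, 1, 0, 0]) + b"\x00" * 36


def looks_like_monlist_probe(pkt):
    """True for mode-7 "private" requests, the class masscan sends by default
    (MON_GETLIST_1 in the first capture) and the one abused for amplification."""
    return len(pkt) >= 1 and (pkt[0] & 0x7) == 7
```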
Note: the current masscan version seems to be buggy in that even when open NTP ports are found it still says found=0.
For SNMP (UDP 161), the default payload seems to work fine.
$ masscan -pU:161 -oG results.txt <ip>
x → <ip> SNMP 103 get-request 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.5.0
<ip> → x SNMP 319 get-response 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.5.0
$ cat results.txt
# Masscan 1.3.1 scan initiated Sat Jan 30 23:33:09 2021
# Ports scanned: TCP(0;) UDP(1;65697-65697) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1612049589 Host: <ip> () Ports: 161/open/udp//snmp//
# Masscan done at Sat Jan 30 23:33:20 2021