biontdv/CVE-1999-0524-POC

GitHub: biontdv/CVE-1999-0524-POC

一个纯 Python 实现的多线程 ICMP 时间戳扫描器,用于检测目标主机是否存在 CVE-1999-0524 信息泄露漏洞。

Stars: 1 | Forks: 0

# ICMP 时间戳扫描器 — CVE-1999-0524
``` ╔══════════════════════════════════════════════════════════════════╗ ║ ██╗ ██████╗███╗ ███╗██████╗ ████████╗███████╗ ║ ║ ██║██╔════╝████╗ ████║██╔══██╗ ██╔══╝██╔════╝ ║ ║ ██║██║ ██╔████╔██║██████╔╝ ██║ ███████╗ ║ ║ ██║██║ ██║╚██╔╝██║██╔═══╝ ██║ ╚════██║ ║ ║ ██║╚██████╗██║ ╚═╝ ██║██║ ██║ ███████║ ║ ║ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══════╝ ║ ╠══════════════════════════════════════════════════════════════════╣ ║ CVE-1999-0524 · ICMP Timestamp Request/Reply Scanner ║ ║ Author : Muhamad Bion Tadavi — VPSI ║ ║ Org : Vantage Point Security — Authorized Use Only ║ ╚══════════════════════════════════════════════════════════════════╝ ``` ![Python](https://img.shields.io/badge/Python-3.8%2B-blue?logo=python) ![License](https://img.shields.io/badge/License-MIT-green) ![Root Required](https://img.shields.io/badge/Requires-Root%2FSudo-red) ![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS-lightgrey) ![Authorized Use](https://img.shields.io/badge/Use-Authorized%20Testing%20Only-orange) **快速、多线程的 ICMP 时间戳扫描器,提供带颜色标识的十六进制输出和详细的时间戳分析。**
## 概述 通过发送 **ICMP Type 13 (Timestamp Request)** 数据包,检测易受 **CVE-1999-0524** (ICMP 时间戳信息泄露) 攻击的主机。回复 **ICMP Type 14 (Timestamp Reply)** 的主机会被标记为**存在漏洞** —— 它们会泄露内部系统时钟,这有助于设备指纹识别和基于时间的攻击链构建。 零外部依赖构建 —— 纯 Python 标准库实现。 ## 漏洞详情 | 字段 | 值 | |---|---| | **CVE ID** | CVE-1999-0524 | | **CWE** | CWE-200 — 信息泄露 | | **CVSS v3** | 0.0 (低) | | **类型** | 信息泄露 | | **协议** | ICMP Type 13 / Type 14 | | **受影响范围** | Cisco IOS, Cisco ASA, Linux, Windows (取决于配置) | ### 工作原理 ``` Attacker Target │ │ │──── ICMP Type 13 (Timestamp Request) ──▶│ │ │ [host processes request] │◀─── ICMP Type 14 (Timestamp Reply) ─────│ │ │ Reply contains three 32-bit timestamp fields (ms since midnight UTC): ├── Originate Timestamp (set by requester — often 0) ├── Receive Timestamp ◀── server clock leaked here └── Transmit Timestamp ◀── server clock leaked here ``` ### 影响 - **系统时间泄露** — 泄露内部时钟 (自 UTC 午夜以来的毫秒数) - **设备指纹识别** — TTL + 响应行为揭示供应商 (Cisco ASA, IOS 等) - **攻击链构建** — 准确的服务器时间有助于伪造基于时间的 token、TOTP 分析或日志关联 ## 功能 | 功能 | 详情 | |---|---| | 多线程扫描 | 可配置的并行探测 (默认:30 个线程) | | 灵活的输入方式 | 单个 IP · 逗号分隔 · CIDR 范围 · 文件 (`-t` / `-f`) | | 彩色十六进制输出 | IP header · ICMP header · Type byte · Timestamps — 每个部分都有独特的颜色标识 | | 时间戳解码 | 将原始毫秒数解码为 `HH:MM:SS.mmm UTC` | | 摘要中的十六进制证据 | 最终摘要中为每个存在漏洞的主机打印彩色十六进制数据及图例 | | 完整十六进制转储 (`-v`) | 为每个响应提供 Offset + hex + ASCII 列 | | 进度条 (`-v`) | 仅在详细模式下显示实时进度条 | | 汇总表 | 排序后的易受攻击主机表格,包含 TTL、RTT 和服务器时间 | | 零依赖 | 纯 Python 标准库 — 无需 pip install | ## 环境要求 - Python **3.8+** - **Root / sudo** 权限 (原始 ICMP socket 需要) - 无需外部库 ``` python3 --version # must be 3.8+ ``` ## 安装说明 ``` git clone https://github.com//CVE-1999-0524-ICMP-Timestamp-Scanner.git cd CVE-1999-0524-ICMP-Timestamp-Scanner chmod +x icmp_timestamp_scan.py ``` ## 使用说明 ``` sudo python3 icmp_timestamp_scan.py [OPTIONS] Options: -t, --target IP, comma-separated IPs, or CIDR (terminal input) -f, --file Path to file with one IP/CIDR per line --timeout SECS Seconds to wait per host (default: 2.0) --threads N Concurrent threads (default: 30) -v, --verbose Show progress bar + full hex dump per host -h, --help Show help ``` ### 显示模式 | 模式 | 行为 | |---|---| | 默认 (无 `-v`) | 每个主机响应后立即打印结果 — 每个主机的彩色十六进制数据 + 时间戳,随后是摘要 | | 详细模式 (`-v`) | 扫描期间显示实时进度条,随后是每个主机的完整十六进制转储,最后是摘要 | ### 示例 ``` # 单一主机 sudo python3 icmp_timestamp_scan.py -t 192.168.1.1 # 多个主机 sudo python3 icmp_timestamp_scan.py -t 192.168.1.1,192.168.1.2,192.168.1.3 # CIDR 子网扫描 sudo python3 icmp_timestamp_scan.py -t 192.168.1.0/24 # 从文件 sudo python3 icmp_timestamp_scan.py -f hosts.txt # Verbose — 进度条 + 完整 hex dump sudo python3 icmp_timestamp_scan.py -f hosts.txt -v # 快速宽扫描 sudo python3 icmp_timestamp_scan.py -t 10.0.0.0/16 --threads 100 --timeout 1 ``` ### `hosts.txt` 格式 ``` # 每行一个 IP 或 CIDR。以 # 开头的行将被忽略。 192.168.1.1 192.168.1.2 192.168.1.3 10.0.0.1 10.0.0.2 10.0.0.0/24 ``` ## 示例输出 ### 默认模式 (无 `-v`) ``` [*] Targets : 4 hosts [*] Timeout : 2.0s | Threads: 30 [*] Started : 2026-07-14 06:37:25 UTC [*] Probe : ICMP Type 13 (Timestamp Request) [*] Expect : ICMP Type 14 (Timestamp Reply) from vulnerable hosts ╔══ VULNERABLE ══════════════════════════════════════════╗ ║ Host : 192.168.1.1 ║ ICMP Type : 14 — Timestamp Reply (sent Type 13) ║ TTL : 59 ║ RTT : 1.84 ms ║ ── Timestamps (ms since midnight UTC) ────────────── ║ Originate : 0 ms → 00:00:00.000 (not set) ║ Receive : 22,974,518 ms → 06:22:54.518 UTC ║ Transmit : 22,974,518 ms → 06:22:54.518 UTC ← server time ║ ── Raw Response (hex) ────────────────────────────── ║ 45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ... ║ Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps ╚════════════════════════════════════════════════════════╝ [-] 192.168.1.2 no response (filtered or not vulnerable) ╔══ VULNERABLE ══════════════════════════════════════════╗ ║ Host : 192.168.1.3 ║ TTL : 59 | RTT : 2.11 ms ║ Transmit : 22,977,926 ms → 06:22:57.926 UTC ← server time ╚════════════════════════════════════════════════════════╝ ══════════════════════════════════════════════════════════════════ SCAN SUMMARY ══════════════════════════════════════════════════════════════════ Scanner time : 2026-07-14 13:37:25 WIB (06:37:25 UTC) Total probed : 4 Vulnerable : 2 No response : 2 Errors : 0 ┌─ VULNERABLE HOSTS ────────────────────────────────────────────┐ │ Host TTL RTT Server Time (UTC) Transmit ms │ ├───────────────────────────────────────────────────────────────┤ │ 192.168.1.1 59 1.8ms 06:22:54.518 UTC 22,974,518 │ │ 192.168.1.3 59 2.1ms 06:22:57.926 UTC 22,977,926 │ └───────────────────────────────────────────────────────────────┘ ── Hex Evidence ───────────────────────────────────────────── [192.168.1.1] TTL=59 RTT=1.84ms Server→ 06:22:54.518 UTC 45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ... Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps [192.168.1.3] TTL=59 RTT=2.11ms Server→ 06:22:57.926 UTC 45 48 00 28 1a c3 00 00 3b 01 27 46 c0 a8 01 03 c0 a8 01 64 0e 00 f3 7e ... Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps Impact : Information Disclosure — server time exposed CWE : CWE-200 Exposure of Sensitive Information CVSS v3 : 0.0 (Low) — network access required Fix : Block ICMP type 13 at perimeter ACL/firewall Cisco : access-list deny icmp any any 13 ``` ## 十六进制响应解析 ``` Byte Field Example Description ───── ───────────────── ─────────── ────────────────────────────────────── 0 IP Version/IHL 45 IPv4, header length = 20 bytes 1 DSCP/ECN 48 2-3 Total Length 0028 40 bytes 4-5 Identification 1476 6-7 Flags/Fragment 0000 8 TTL 3b 59 hops 9 Protocol 01 ICMP 10-11 IP Checksum 2d93 12-15 Source IP c0a80101 192.168.1.1 ← responding host 16-19 Destination IP c0a80164 192.168.1.100 ← scanner ──── ICMP header starts at byte 20 ──────────────────────────────────────── 20 ICMP Type 0e 14 = Timestamp Reply ← VULNERABLE 21 ICMP Code 00 22-23 ICMP Checksum f915 24-25 Identifier d5bf 26-27 Sequence Number 0001 28-31 Originate TS 00000000 0 ms (requester field, not filled) 32-35 Receive TS 015e9036 22,974,518 ms = 06:22:54 UTC ← leaked 36-39 Transmit TS 015e9036 22,974,518 ms = 06:22:54 UTC ← leaked ``` ## 修复建议 ### Cisco IOS / IOS XE ``` ip access-list extended BLOCK-ICMP-TS deny icmp any any 13 deny icmp any any 17 permit ip any any ! interface GigabitEthernet0/0 ip access-group BLOCK-ICMP-TS in ``` ### Cisco ASA ``` access-list OUTSIDE_IN deny icmp any any 13 access-list OUTSIDE_IN deny icmp any any 17 access-group OUTSIDE_IN in interface outside ``` ### Linux — iptables ``` iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP ``` ### Linux — nftables ``` nft add rule inet filter input icmp type timestamp-request drop nft add rule inet filter output icmp type timestamp-reply drop ``` ### Windows 防火墙 ``` netsh advfirewall firewall add rule ` name="Block ICMP Timestamp Request" ` protocol=icmpv4:13,any action=block dir=in ``` ## 参考文献 - [CVE-1999-0524 — NVD](https://nvd.nist.gov/vuln/detail/CVE-1999-0524) - [RFC 792 — ICMP (Type 13/14 规范)](https://datatracker.ietf.org/doc/html/rfc792) - [CWE-200 — 信息泄露](https://cwe.mitre.org/data/definitions/200.html) - [Nessus Plugin 10114 — ICMP 时间戳请求远程日期泄露](https://www.tenable.com/plugins/nessus/10114) ## 免责声明
*由 **Muhamad Bion Tadavi** — Vantage Point Security (VPSI) 用 ♥ 制作*
标签:ICMP协议, Maven, Python, 云存储安全, 插件系统, 无后门, 漏洞验证, 网络扫描, 逆向工具