biontdv/CVE-1999-0524-POC
GitHub: biontdv/CVE-1999-0524-POC
一个纯 Python 实现的多线程 ICMP 时间戳扫描器,用于检测目标主机是否存在 CVE-1999-0524 信息泄露漏洞。
Stars: 1 | Forks: 0
# ICMP 时间戳扫描器 — CVE-1999-0524
/CVE-1999-0524-ICMP-Timestamp-Scanner.git
cd CVE-1999-0524-ICMP-Timestamp-Scanner
chmod +x icmp_timestamp_scan.py
```
## 使用说明
```
sudo python3 icmp_timestamp_scan.py [OPTIONS]
Options:
-t, --target IP, comma-separated IPs, or CIDR (terminal input)
-f, --file Path to file with one IP/CIDR per line
--timeout SECS Seconds to wait per host (default: 2.0)
--threads N Concurrent threads (default: 30)
-v, --verbose Show progress bar + full hex dump per host
-h, --help Show help
```
### 显示模式
| 模式 | 行为 |
|---|---|
| 默认 (无 `-v`) | 每个主机响应后立即打印结果 — 每个主机的彩色十六进制数据 + 时间戳,随后是摘要 |
| 详细模式 (`-v`) | 扫描期间显示实时进度条,随后是每个主机的完整十六进制转储,最后是摘要 |
### 示例
```
# 单一主机
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1
# 多个主机
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1,192.168.1.2,192.168.1.3
# CIDR 子网扫描
sudo python3 icmp_timestamp_scan.py -t 192.168.1.0/24
# 从文件
sudo python3 icmp_timestamp_scan.py -f hosts.txt
# Verbose — 进度条 + 完整 hex dump
sudo python3 icmp_timestamp_scan.py -f hosts.txt -v
# 快速宽扫描
sudo python3 icmp_timestamp_scan.py -t 10.0.0.0/16 --threads 100 --timeout 1
```
### `hosts.txt` 格式
```
# 每行一个 IP 或 CIDR。以 # 开头的行将被忽略。
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1
10.0.0.2
10.0.0.0/24
```
## 示例输出
### 默认模式 (无 `-v`)
```
[*] Targets : 4 hosts
[*] Timeout : 2.0s | Threads: 30
[*] Started : 2026-07-14 06:37:25 UTC
[*] Probe : ICMP Type 13 (Timestamp Request)
[*] Expect : ICMP Type 14 (Timestamp Reply) from vulnerable hosts
╔══ VULNERABLE ══════════════════════════════════════════╗
║ Host : 192.168.1.1
║ ICMP Type : 14 — Timestamp Reply (sent Type 13)
║ TTL : 59
║ RTT : 1.84 ms
║ ── Timestamps (ms since midnight UTC) ──────────────
║ Originate : 0 ms → 00:00:00.000 (not set)
║ Receive : 22,974,518 ms → 06:22:54.518 UTC
║ Transmit : 22,974,518 ms → 06:22:54.518 UTC ← server time
║ ── Raw Response (hex) ──────────────────────────────
║ 45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
║ Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps
╚════════════════════════════════════════════════════════╝
[-] 192.168.1.2 no response (filtered or not vulnerable)
╔══ VULNERABLE ══════════════════════════════════════════╗
║ Host : 192.168.1.3
║ TTL : 59 | RTT : 2.11 ms
║ Transmit : 22,977,926 ms → 06:22:57.926 UTC ← server time
╚════════════════════════════════════════════════════════╝
══════════════════════════════════════════════════════════════════
SCAN SUMMARY
══════════════════════════════════════════════════════════════════
Scanner time : 2026-07-14 13:37:25 WIB (06:37:25 UTC)
Total probed : 4
Vulnerable : 2
No response : 2
Errors : 0
┌─ VULNERABLE HOSTS ────────────────────────────────────────────┐
│ Host TTL RTT Server Time (UTC) Transmit ms │
├───────────────────────────────────────────────────────────────┤
│ 192.168.1.1 59 1.8ms 06:22:54.518 UTC 22,974,518 │
│ 192.168.1.3 59 2.1ms 06:22:57.926 UTC 22,977,926 │
└───────────────────────────────────────────────────────────────┘
── Hex Evidence ─────────────────────────────────────────────
[192.168.1.1] TTL=59 RTT=1.84ms Server→ 06:22:54.518 UTC
45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps
[192.168.1.3] TTL=59 RTT=2.11ms Server→ 06:22:57.926 UTC
45 48 00 28 1a c3 00 00 3b 01 27 46 c0 a8 01 03 c0 a8 01 64 0e 00 f3 7e ...
Legend: ██=IP header ██=ICMP header ██=ICMP type14 ██=timestamps
Impact : Information Disclosure — server time exposed
CWE : CWE-200 Exposure of Sensitive Information
CVSS v3 : 0.0 (Low) — network access required
Fix : Block ICMP type 13 at perimeter ACL/firewall
Cisco : access-list deny icmp any any 13
```
## 十六进制响应解析
```
Byte Field Example Description
───── ───────────────── ─────────── ──────────────────────────────────────
0 IP Version/IHL 45 IPv4, header length = 20 bytes
1 DSCP/ECN 48
2-3 Total Length 0028 40 bytes
4-5 Identification 1476
6-7 Flags/Fragment 0000
8 TTL 3b 59 hops
9 Protocol 01 ICMP
10-11 IP Checksum 2d93
12-15 Source IP c0a80101 192.168.1.1 ← responding host
16-19 Destination IP c0a80164 192.168.1.100 ← scanner
──── ICMP header starts at byte 20 ────────────────────────────────────────
20 ICMP Type 0e 14 = Timestamp Reply ← VULNERABLE
21 ICMP Code 00
22-23 ICMP Checksum f915
24-25 Identifier d5bf
26-27 Sequence Number 0001
28-31 Originate TS 00000000 0 ms (requester field, not filled)
32-35 Receive TS 015e9036 22,974,518 ms = 06:22:54 UTC ← leaked
36-39 Transmit TS 015e9036 22,974,518 ms = 06:22:54 UTC ← leaked
```
## 修复建议
### Cisco IOS / IOS XE
```
ip access-list extended BLOCK-ICMP-TS
deny icmp any any 13
deny icmp any any 17
permit ip any any
!
interface GigabitEthernet0/0
ip access-group BLOCK-ICMP-TS in
```
### Cisco ASA
```
access-list OUTSIDE_IN deny icmp any any 13
access-list OUTSIDE_IN deny icmp any any 17
access-group OUTSIDE_IN in interface outside
```
### Linux — iptables
```
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
```
### Linux — nftables
```
nft add rule inet filter input icmp type timestamp-request drop
nft add rule inet filter output icmp type timestamp-reply drop
```
### Windows 防火墙
```
netsh advfirewall firewall add rule `
name="Block ICMP Timestamp Request" `
protocol=icmpv4:13,any action=block dir=in
```
## 参考文献
- [CVE-1999-0524 — NVD](https://nvd.nist.gov/vuln/detail/CVE-1999-0524)
- [RFC 792 — ICMP (Type 13/14 规范)](https://datatracker.ietf.org/doc/html/rfc792)
- [CWE-200 — 信息泄露](https://cwe.mitre.org/data/definitions/200.html)
- [Nessus Plugin 10114 — ICMP 时间戳请求远程日期泄露](https://www.tenable.com/plugins/nessus/10114)
## 免责声明
```
╔══════════════════════════════════════════════════════════════════╗
║ ██╗ ██████╗███╗ ███╗██████╗ ████████╗███████╗ ║
║ ██║██╔════╝████╗ ████║██╔══██╗ ██╔══╝██╔════╝ ║
║ ██║██║ ██╔████╔██║██████╔╝ ██║ ███████╗ ║
║ ██║██║ ██║╚██╔╝██║██╔═══╝ ██║ ╚════██║ ║
║ ██║╚██████╗██║ ╚═╝ ██║██║ ██║ ███████║ ║
║ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══════╝ ║
╠══════════════════════════════════════════════════════════════════╣
║ CVE-1999-0524 · ICMP Timestamp Request/Reply Scanner ║
║ Author : Muhamad Bion Tadavi — VPSI ║
║ Org : Vantage Point Security — Authorized Use Only ║
╚══════════════════════════════════════════════════════════════════╝
```





**快速、多线程的 ICMP 时间戳扫描器,提供带颜色标识的十六进制输出和详细的时间戳分析。**
## 概述
通过发送 **ICMP Type 13 (Timestamp Request)** 数据包,检测易受 **CVE-1999-0524** (ICMP 时间戳信息泄露) 攻击的主机。回复 **ICMP Type 14 (Timestamp Reply)** 的主机会被标记为**存在漏洞** —— 它们会泄露内部系统时钟,这有助于设备指纹识别和基于时间的攻击链构建。
零外部依赖构建 —— 纯 Python 标准库实现。
## 漏洞详情
| 字段 | 值 |
|---|---|
| **CVE ID** | CVE-1999-0524 |
| **CWE** | CWE-200 — 信息泄露 |
| **CVSS v3** | 0.0 (低) |
| **类型** | 信息泄露 |
| **协议** | ICMP Type 13 / Type 14 |
| **受影响范围** | Cisco IOS, Cisco ASA, Linux, Windows (取决于配置) |
### 工作原理
```
Attacker Target
│ │
│──── ICMP Type 13 (Timestamp Request) ──▶│
│ │ [host processes request]
│◀─── ICMP Type 14 (Timestamp Reply) ─────│
│ │
Reply contains three 32-bit timestamp fields (ms since midnight UTC):
├── Originate Timestamp (set by requester — often 0)
├── Receive Timestamp ◀── server clock leaked here
└── Transmit Timestamp ◀── server clock leaked here
```
### 影响
- **系统时间泄露** — 泄露内部时钟 (自 UTC 午夜以来的毫秒数)
- **设备指纹识别** — TTL + 响应行为揭示供应商 (Cisco ASA, IOS 等)
- **攻击链构建** — 准确的服务器时间有助于伪造基于时间的 token、TOTP 分析或日志关联
## 功能
| 功能 | 详情 |
|---|---|
| 多线程扫描 | 可配置的并行探测 (默认:30 个线程) |
| 灵活的输入方式 | 单个 IP · 逗号分隔 · CIDR 范围 · 文件 (`-t` / `-f`) |
| 彩色十六进制输出 | IP header · ICMP header · Type byte · Timestamps — 每个部分都有独特的颜色标识 |
| 时间戳解码 | 将原始毫秒数解码为 `HH:MM:SS.mmm UTC` |
| 摘要中的十六进制证据 | 最终摘要中为每个存在漏洞的主机打印彩色十六进制数据及图例 |
| 完整十六进制转储 (`-v`) | 为每个响应提供 Offset + hex + ASCII 列 |
| 进度条 (`-v`) | 仅在详细模式下显示实时进度条 |
| 汇总表 | 排序后的易受攻击主机表格,包含 TTL、RTT 和服务器时间 |
| 零依赖 | 纯 Python 标准库 — 无需 pip install |
## 环境要求
- Python **3.8+**
- **Root / sudo** 权限 (原始 ICMP socket 需要)
- 无需外部库
```
python3 --version # must be 3.8+
```
## 安装说明
```
git clone https://github.com/
*由 **Muhamad Bion Tadavi** — Vantage Point Security (VPSI) 用 ♥ 制作*
标签:ICMP协议, Maven, Python, 云存储安全, 插件系统, 无后门, 漏洞验证, 网络扫描, 逆向工具