CVE-2013-5211

EXPLOITED IN THE WILD

NTP Monitor List Scanner

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2013-5211 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 16 public exploits from researchers including Danilo PC, dani87, sepehrdaddev, including a Metasploit module auxiliary/scanner/ntp/ntp_reslist_dos.

AI-analyzed exploit summary This PoC demonstrates NTP DDoS amplification (CVE-2013-5211) by crafting a spoofed UDP packet with a MON_GETLIST request to an NTP server, which can be abused to reflect traffic to a target. The code constructs raw IP/UDP/NTP packets and sends a single packet for educational purposes.

Description

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

Exploits (16)

exploitdb WORKING POC
by Danilo PC · cdoslinux
https://www.exploit-db.com/exploits/33073

This PoC demonstrates NTP DDoS amplification (CVE-2013-5211) by crafting a spoofed UDP packet with a MON_GETLIST request to an NTP server, which can be abused to reflect traffic to a target. The code constructs raw IP/UDP/NTP packets and sends a single packet for educational purposes.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: NTP servers (pre-2013 versions with monlist enabled)
No auth needed
Prerequisites: Access to a vulnerable NTP server with monlist enabled · Ability to spoof source IP addresses
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 15 stars
by dani87 · poc
https://github.com/dani87/ntpscanner

This repository contains a Python-based scanner for detecting NTP servers vulnerable to CVE-2013-5211, an NTP amplification DDoS vulnerability. It sends a crafted NTP packet and checks the response for signs of vulnerability.

Classification
Scanner 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP servers (unspecified version)
No auth needed
Prerequisites: Network access to target NTP server · UDP port 123 accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 10 stars
by sepehrdaddev · dos
https://github.com/sepehrdaddev/ntpdos

This repository contains a functional proof-of-concept for CVE-2013-5211, an NTP reflection DoS vulnerability. The tool crafts and sends spoofed NTP packets to amplify traffic towards a target, leveraging vulnerable NTP servers.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: NTP servers (versions vulnerable to monlist amplification)
No auth needed
Prerequisites: List of vulnerable NTP servers · Network access to send spoofed UDP packets
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by 0xhav0c · infoleak
https://github.com/0xhav0c/CVE-2013-5211

This PoC exploits CVE-2013-5211, a DoS vulnerability in NTP servers by sending a crafted UDP packet to trigger the monlist command, which can exhaust server resources. The script checks for vulnerability by analyzing the server's response.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP (Network Time Protocol) <= 4.2.7-p26
No auth needed
Prerequisites: Network access to the target NTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 2 stars
by suedadam · poc
https://github.com/suedadam/ntpscanner

This repository contains a scanner for CVE-2013-5211, which targets the NTP monlist feature. The code sends crafted UDP packets to a range of IP addresses and listens for responses to identify vulnerable NTP servers.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: NTP (Network Time Protocol) servers with monlist enabled
No auth needed
Prerequisites: Network access to target IP range · NTP servers with monlist feature enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by requiempentest · poc
https://github.com/requiempentest/NTP_CVE-2013-5211

This repository contains a C# scanner for CVE-2013-5211, which checks if an NTP server is vulnerable to a DoS attack by sending a crafted NTP packet and analyzing the response. It does not exploit the vulnerability but only detects its presence.

Classification
Scanner 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP Daemon (ntpd) with monlist command enabled
No auth needed
Prerequisites: Network access to the target NTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb

This Metasploit module scans for NTP servers vulnerable to DRDoS amplification via the GET_RESTRICT query (CVE-2013-5211). It sends a crafted UDP packet and checks responses to identify vulnerable hosts.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP (Network Time Protocol) servers with reslist enabled
No auth needed
Prerequisites: Network access to UDP port 123 (NTP)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb

This Metasploit module scans for NTP servers vulnerable to DRDoS attacks via mode 6 REQ_NONCE requests, checking for amplification vulnerabilities. It sends UDP probes and analyzes responses to determine if the server can be exploited for traffic amplification.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP servers (various versions)
No auth needed
Prerequisites: Network access to target NTP servers · Ability to send UDP packets
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_monlist.rb

This Metasploit module scans for NTP servers vulnerable to CVE-2013-5211 by querying the 'monlist' feature, which can be exploited for DRDoS attacks. It identifies vulnerable servers and extracts recent client lists for analysis.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: NTP servers with monlist enabled
No auth needed
Prerequisites: Network access to the target NTP server · UDP port 123 open
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_readvar.rb

This Metasploit module scans NTP servers for clock variable disclosure via NTP Mode 6 READVAR requests, potentially exposing sensitive system information. It also checks for DRDoS amplification vulnerabilities.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: NTP (Network Time Protocol) servers
No auth needed
Prerequisites: Network access to NTP servers · UDP port 123 accessibility
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb

This Metasploit module scans for NTP servers vulnerable to a DRDoS amplification attack via the PEER_LIST query. It sends a crafted UDP packet and checks if the response is larger than the request, indicating potential for abuse in denial-of-service attacks.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP (Network Time Protocol) servers with Mode 7 PEER_LIST enabled
No auth needed
Prerequisites: Network access to UDP port 123 on target NTP servers
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb

This Metasploit module scans for NTP servers vulnerable to DRDoS attacks via mode 6 UNSETTRAP requests, which can amplify traffic in response to spoofed packets. It checks for amplification potential by analyzing server responses.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP servers (various versions)
No auth needed
Prerequisites: Network access to target NTP server · UDP connectivity
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb

This Metasploit module scans for NTP servers vulnerable to a DRDoS amplification attack via the PEER_LIST_SUM query. It sends a crafted UDP packet and checks if the response is larger than the request, indicating potential for abuse in amplification attacks.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: NTP servers (versions permitting PEER_LIST_SUM queries)
No auth needed
Prerequisites: Network access to the target NTP server · UDP port 123 accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/udp/udp_amplification.rb

This Metasploit module scans for UDP endpoints vulnerable to amplification attacks by sending probes and analyzing responses. It does not exploit a specific CVE but checks for a general UDP amplification vulnerability.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: UDP services (various)
No auth needed
Prerequisites: Network access to target UDP ports
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/upnp/ssdp_amp.rb

This Metasploit module scans for SSDP amplification vulnerabilities by sending M-SEARCH probes to discover devices vulnerable to amplification attacks. It checks for responses indicating potential amplification and reports vulnerable hosts.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Devices with SSDP (Simple Service Discovery Protocol) enabled
No auth needed
Prerequisites: Network access to UDP port 1900 · Devices with SSDP enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/portmap/portmap_amp.rb

This Metasploit module scans for Portmapper services vulnerable to amplification DDoS attacks by sending RPC DUMP and GETSTAT requests. It identifies hosts that can be exploited for DRDoS by analyzing responses to crafted UDP packets.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Portmapper (RPC services)
No auth needed
Prerequisites: Network access to UDP port 111 · Spoofed IP for DRDoS testing
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21
Core References
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59288
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-09/msg00031.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=138971294629419&w=2
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/ncas/alerts/TA14-013A
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/64692
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/348126
Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=144182594518755&w=2
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/12/30/6
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59726
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1030433
Third Party Advisory, US Government Resource x_refsource_misc
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
Third Party Advisory x_refsource_confirm
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc
Broken Link mailing-list x_refsource_mlist
http://lists.ntp.org/pipermail/pool/2011-December/005616.html
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/12/30/7
Issue Tracking x_refsource_confirm
http://bugs.ntp.org/show_bug.cgi?id=1532

Scores

EPSS 0.9214
EPSS Percentile 99.7%

Details

VulnCheck KEV 2014-01-02
InTheWild.io 2018-10-30
CWE
CWE-20
Status published
Products (5)
ntp/ntp 4.2.7 (27 CPE variants)
ntp/ntp < 4.2.7
opensuse/opensuse 11.4
oracle/linux 6
oracle/linux 7
Published Jan 02, 2014
Tracked Since Feb 18, 2026