FValkyrie_17's Infosec Notes
  • 1nf05EC N0TE5
  • Networking and Network Security
    • Security Models
    • Host Discovery
    • Port Scanning - Service and OS Discovery
    • Port Scanning - Common Firewall and IDS Evasion
    • Naming/Name Service and Directory Service
    • DNS
      • DNS Basics
      • DNS Pentest
    • NetBIOS
      • NetBIOS Basics
      • NetBIOS Pentest
    • BGP(Border Gateway Protocol) and AS Numbers (Autonomous System Numbers)
    • MS-RPC (Remote Procedure Call)
    • SMB (Server Message Block)
      • Basics of SMB
      • SMB Pentesting
    • LDAP (Lightweight Directory Access Protocol)
      • LDAP Working
      • LDAP Exploitation
    • RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing)
    • Telnet (Teletype Network Protocol)
    • FTP (File Transfer Protocol)
    • NFS (Network File System)
    • SSH (Secure Socket Shell)
      • Port Forwarding Primer
    • SQL servers
      • MS-SQL (Microsoft SQL Service)
      • MySQL
    • Hydra Cheat Sheet
    • SMTP
    • SLP (Service Location Protocol)
    • SNMP
      • SNMP Basics
      • SNMP Pentest
    • NTP
    • File Transfer Primers
    • Regex 101
  • Make your dumb netcat shell interactive and awesome
  • Metasploit Primer
    • Important Terminologies
    • Working with Metasploit Database
  • Reverse Engineering 101
    • x86-64 assembly tutorial
      • Introduction to x86-64
  • Web Application Security
    • Security Policies
      • Same Origin Policy
      • Security Headers
        • CSP (Content Security Policy)
        • HSTS (Strict-Transport-Security Header)
        • X-Content-Type-Options
        • X-Frame-Options
        • Referrer-Policy
    • Authentication Bypass
  • Linux Privilege Escalation
    • Permissions in Linux
    • Enumeration
    • Using files with SUID/SGID permission set
    • Using Kernel Exploits
    • Using Service Exploits
    • Exploiting Weak File Permissions
    • Exploiting Sudo
    • Cron Jobs
  • windows privilege escalation
    • Windows Basics
    • PsTools Primer
    • Persistence Techniques
  • Android application security testing
    • Setting it Up
      • Installing Android SDK and emulator
      • Setting up Frida-Server on Android Device
  • HTB writeups
    • Archetype (HTB Starting Point 2x1)
    • Oopsie (HTB Starting Point 2x2)
    • Lame
    • Jerry
  • THM writeups
    • Vulnuniversity
  • Preparation Notes
    • CEH Practical Prep Notes
Powered by GitBook
On this page
  • Enumeration
  • Using ntpdate
  • Using ntptrace
  • Using ntpq
  • Using ntpdc
  • Using nmap

Was this helpful?

  1. Networking and Network Security

NTP

A primer on NTP enumeration and exploitation

Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers.

It uses UDP port 123 as its primary means of communication.

The following are some pieces of information an attacker can obtain by querying an NTP server:

▪ List of hosts connected to the NTP server.

▪ Clients IP addresses in the network, their system names, and OSs.

▪ Internal IPs, if the NTP server is in the demilitarized zone (DMZ).

Enumeration

NTP enumeration commands such as ntpdate, ntptrace, ntpdc, and ntpq are used to query an NTP server for valuable information.

  • ntpdate: This command collects the number of time samples from a number of time sources

  • ntptrace: This command determines from where the NTP server gets time and follows the chain of NTP servers back to its prime time source

  • ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state

  • ntpq: This command monitors NTP daemon ntpd operations and determine performance

Using ntpdate

The ntpdate command collects the number of time samples from several time sources. Its syntax is as follows:

ntpdate [-46bBdqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [ -U user_name] server

More Options:

Flag
Function

-4

Force DNS resolution of given host names to the IPv4 namespace

-6

Force DNS resolution of given host names to the IPv6 namespace

-a key

Enable the authentication function/specify the key identifier to be used for authentication

-B

Force the time to always be slewed

-b

Force the time to be stepped

-d

Enable debugging mode

-e authdelay

Specify the processing delay to perform an authentication function

-k keyfile

Specify the path for the authentication key file as the string "keyfile"; the default is /etc/ntp/keys

-O version

Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4.

-p samples

Specify the number of samples to be acquired from each server, with values ranging from 1-8; the default is 4

-q

Query only; do not set the clock

-s

Divert logging output from the standard output (default) to the system syslog facility

-t timeout

Specify the maximum wait time for a server response; the default is 1 S

-u

Use an unprivileged port for outgoing packets

-V

Be verbose; logs ntpdate's version identification string

Using ntptrace

The ntptrace command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network.

Its syntax is as follows:

ntptrace [-n] [-m maxhosts] [servername/IP_address]

More options

Flag
Function

-n

Do not print host names and show only IP addresses; may be useful if a name server is down.

-m maxhosts

Set the maximum number of levels up the chain to be followed.

ntptrace


localhost: stratum 4, offset 0.0019529, synch distance 0.143235 
10.10.0.1: stratum 2, offset 0.01142 73, synch distance 0.115554 
10.10.1.1: stratum 1, offset 0.0017698, synch distance 0.011193

Using ntpq

The ntpq command monitors the operations of the NTP daemon ntpd and determines its performance.

Its syntax is as follows:

ntpq [-46dinp] [-c command] [host/IP_address]

More options:

Example commands:

ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpq> version 
ntpq 4.2.8p15@1.3728-o 

ntpq> host

current host is localhost

Using ntpdc

The ntpdc command queries the ntpd daemon regarding its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network.

Its syntax is as follows: 

ntpdc [ -46dilnps ] [ -c command] [hostname/IP_address]

More Options:

Flag
Function

-4

Force DNS resolution of the given hostname to the IPv4 namespace

-6

Force DNS resolution of the given hostname to the IPv6 namespace

-d

Set the debugging mode to on

-c

The following argument is interpreted as an interactive format command; multiple -c options may be given

-i

Force ntpdc to operate in the interactive mode

-l

Obtain a list of peers known to the server(s); this switch is equivalent to -c listpeers

-n

Output all host addresses in the dotted-quad numeric format, rather than host names

-p

Print a list of the peers as well as a summary of their states; this is equivalent to -c peers

-s F

Print a list of the peers as well as a summary of their states, but in a slightly different format from that for the -p switch; this is equivalent to -c dmpeers.

Usage examples:

ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>

Using nmap

nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>
PreviousSNMP PentestNextFile Transfer Primers

Last updated 1 year ago

Was this helpful?