NTP
A primer on NTP enumeration and exploitation
Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers.
It uses UDP port 123 as its primary means of communication.
The following are some pieces of information an attacker can obtain by querying an NTP server:
▪ List of hosts connected to the NTP server.
▪ Clients IP addresses in the network, their system names, and OSs.
▪ Internal IPs, if the NTP server is in the demilitarized zone (DMZ).
Enumeration
NTP enumeration commands such as ntpdate, ntptrace, ntpdc, and ntpq are used to query an NTP server for valuable information.
ntpdate: This command collects the number of time samples from a number of time sources
ntptrace: This command determines from where the NTP server gets time and follows the chain of NTP servers back to its prime time source
ntpdc: This command queries the ntpd daemon about its current state and requests changes in that state
ntpq: This command monitors NTP daemon ntpd operations and determine performance
Using ntpdate
The ntpdate command collects the number of time samples from several time sources. Its syntax is as follows:
More Options:
| Flag | Function |
|---|---|
| Force DNS resolution of given host names to the IPv4 namespace |
| Force DNS resolution of given host names to the IPv6 namespace |
| Enable the authentication function/specify the key identifier to be used for authentication |
| Force the time to always be slewed |
| Force the time to be stepped |
| Enable debugging mode |
| Specify the processing delay to perform an authentication function |
| Specify the path for the authentication key file as the string "keyfile"; the default is /etc/ntp/keys |
| Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4. |
| Specify the number of samples to be acquired from each server, with values ranging from 1-8; the default is 4 |
| Query only; do not set the clock |
| Divert logging output from the standard output (default) to the system syslog facility |
| Specify the maximum wait time for a server response; the default is 1 S |
| Use an unprivileged port for outgoing packets |
| Be verbose; logs ntpdate's version identification string |
Using ntptrace
The ntptrace command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network.
Its syntax is as follows:
More options
| Flag | Function |
|---|---|
| Do not print host names and show only IP addresses; may be useful if a name server is down. |
| Set the maximum number of levels up the chain to be followed. |
Using ntpq
The ntpq command monitors the operations of the NTP daemon ntpd and determines its performance.
Its syntax is as follows:
More options:
Example commands:
Using ntpdc
The ntpdc command queries the ntpd daemon regarding its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network.
Its syntax is as follows:
More Options:
| Flag | Function |
|---|---|
| Force DNS resolution of the given hostname to the IPv4 namespace |
| Force DNS resolution of the given hostname to the IPv6 namespace |
| Set the debugging mode to on |
| The following argument is interpreted as an interactive format command; multiple |
| Force ntpdc to operate in the interactive mode |
| Obtain a list of peers known to the server(s); this switch is equivalent to |
| Output all host addresses in the dotted-quad numeric format, rather than host names |
| Print a list of the peers as well as a summary of their states; this is equivalent to |
| Print a list of the peers as well as a summary of their states, but in a slightly different format from that for the |
Usage examples:
Using nmap
Last updated