hacktricks/network-services-pentesting/pentesting-ntp.md
2024-02-10 17:52:19 +00:00

123/udp - Pentesting NTP

Basic Information

The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed.

Summary & Security Tips:

  • Purpose: Syncs device clocks over networks.
  • Importance: Critical for security, logging, and operations.
  • Security Measures:
      • Use trusted NTP sources with authentication.
      • Limit NTP server network access.
      • Monitor synchronization for signs of tampering.

Default port: 123/udp

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response

Enumeration

NTP Enumeration

NTP (Network Time Protocol) is a protocol used to synchronize the time of computer systems over a network. It is commonly used to ensure accurate timekeeping on devices.

NTP Version Detection

To determine the version of NTP running on a target system, you can use the ntpdate command with the -q option:

ntpdate -q <target_ip>

NTP Server Enumeration

To enumerate NTP servers, you can use the ntpdc command with the -c monlist option:

ntpdc -c monlist <target_ip>

This command will retrieve a list of the last 600 clients that have connected to the NTP server, including their IP addresses.

NTP Mode Enumeration

To determine the mode of operation of an NTP server, you can use the ntpdc command with the -c sysinfo option:

ntpdc -c sysinfo <target_ip>

This command will provide information about the server's mode, version, and other details.

NTP Vulnerability Scanning

There are several vulnerabilities that can affect NTP servers, such as NTP amplification attacks and remote code execution vulnerabilities. To scan for these vulnerabilities, you can use tools like Nmap or Nessus.

SNMP Enumeration

SNMP (Simple Network Management Protocol) is a protocol used for network management and monitoring. It allows devices to be monitored and controlled remotely.

SNMP Version Detection

To determine the version of SNMP running on a target system, you can use the snmpwalk command with the -v option:

snmpwalk -v<version> -c <community_string> <target_ip>

Replace <version> with the desired SNMP version (1, 2c, or 3) and <community_string> with the community string used for authentication.

SNMP Community String Enumeration

To enumerate SNMP community strings, you can use the onesixtyone tool:

onesixtyone -c <community_file> <target_ip>

Replace <community_file> with the path to a file containing a list of community strings.

SNMP MIB Enumeration

To enumerate SNMP Management Information Base (MIB) objects, you can use the snmpwalk command with the -m option:

snmpwalk -v<version> -c <community_string> -m <mib_file> <target_ip>

Replace <mib_file> with the path to a MIB file containing the desired objects.

SNMP Vulnerability Scanning

There are several vulnerabilities that can affect SNMP, such as default community strings and insecure SNMP configurations. To scan for these vulnerabilities, you can use tools like Nmap or Nessus.

ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

Examine configuration files

  • ntp.conf
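When reviewing ntp.conf, the lines that decide whether the ntpq/ntpdc queries above get an answer are `disable monitor` and the `restrict default` entries. The following auditor is an added example, not part of the original page; the finding names and both sample configs are constructed, and it assumes a later `enable`/`disable` directive overrides an earlier one.

```python
def audit_ntp_conf(text):
    """Return a sorted list of finding IDs for the ntp.conf content in `text`."""
    monitor_disabled = False
    default_rules = []                         # flag set of each `restrict default` line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_disabled = (keyword == "disable")  # assumption: last one wins
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):       # optional address-family switch
                args = args[1:]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))
    findings = set()
    if not monitor_disabled:
        findings.add("monitor-enabled")        # client history (monlist data) is kept
    if not default_rules:
        findings.add("no-default-restrict")    # no baseline restriction for unknown hosts
    for flags in default_rules:
        if "ignore" in flags:                  # ignore drops every packet from the match
            continue
        if "noquery" not in flags:
            findings.add("default-allows-query")   # ntpq/ntpdc queries are answered
        if "nomodify" not in flags:
            findings.add("default-allows-modify")  # runtime reconfiguration is allowed
    return sorted(findings)

# Constructed sample configs, not taken from any real host.
WEAK = """server 0.pool.ntp.org iburst
restrict default nomodify notrap   # queries still allowed
restrict 127.0.0.1
"""
HARDENED = """disable monitor
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    print("weak:", audit_ntp_conf(WEAK))
    print("hardened:", audit_ntp_conf(HARDENED))
```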

NTP Amplification Attack

How NTP DDoS Attack Works

The NTP protocol, using UDP, allows for operation without the need for handshake procedures, unlike TCP. This characteristic is exploited in NTP DDoS amplification attacks. Here, attackers create packets with a fake source IP, making it seem as if the attack requests come from the victim. These packets, initially small, prompt the NTP server to respond with much larger data volumes, amplifying the attack.

The MONLIST command, despite its rare use, can report the last 600 clients connected to the NTP service. While the command itself is simple, its misuse in such attacks highlights critical security vulnerabilities.

ntpdc -n -c monlist <IP>
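On the detection side, this traffic is easy to tell apart from ordinary time sync: clients use NTP mode 3, while ntpq uses mode 6 and ntpdc uses mode 7. The following classifier is an added example, not part of the original page; it labels UDP/123 payloads and reports the reply-to-request byte ratio per server/target pair. The addresses and payloads are constructed, and the monlist request codes (20 and 42) are those defined in ntpd's ntp_request.h.

```python
from collections import defaultdict

MODES = {3: "client", 4: "server", 6: "control (ntpq)", 7: "private (ntpdc)"}
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST / REQ_MON_GETLIST_1 in ntpd's ntp_request.h

def classify(payload):
    """Label one UDP/123 payload from its first header bytes."""
    if len(payload) < 4:
        return "truncated"
    mode = payload[0] & 0x07                 # low 3 bits of byte 0 = NTP mode
    if mode == 7 and payload[3] in MONLIST_CODES:
        # mode 7 layout: byte 0 = R|M|VN|Mode, byte 3 = request code
        return "monlist response" if payload[0] & 0x80 else "monlist request"
    return MODES.get(mode, "other mode %d" % mode)

def amplification_report(packets, min_ratio=10.0):
    """packets: iterable of (src, dst, payload).
    Returns {(server, target): ratio} where monlist reply bytes divided by
    request bytes is at least min_ratio."""
    req, rsp = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        label = classify(payload)
        if label == "monlist request":
            req[(dst, src)] += len(payload)  # src may be spoofed: it is the target
        elif label == "monlist response":
            rsp[(src, dst)] += len(payload)
    ratios = {k: rsp[k] / req[k] for k in rsp if req.get(k)}
    return {k: round(v, 1) for k, v in ratios.items() if v >= min_ratio}

# Constructed capture: documentation addresses, synthetic payloads and sizes.
REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)    # v2, mode 7, request code 42
RSP = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(436)   # response and more bits set
SYNC = bytes([0x23]) + bytes(47)                     # v4, mode 3 client query
SAMPLE = ([("203.0.113.9", "192.0.2.10", SYNC),
           ("198.51.100.7", "192.0.2.10", REQ)]
          + [("192.0.2.10", "198.51.100.7", RSP)] * 20)

if __name__ == "__main__":
    for pair, ratio in amplification_report(SAMPLE).items():
        print("server %s -> target %s: %.1fx" % (pair[0], pair[1], ratio))
```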

Shodan

  • ntp

HackTricks Automatic Commands

Protocol_Name: NTP    #Protocol Abbreviation if there is one.
Port_Number:  123     #Comma separated if there is more than one.
Protocol_Description: Network Time Protocol         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NTP
  Note: |
    The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed.

    https://book.hacktricks.xyz/pentesting/pentesting-ntp

Entry_2:
  Name: Nmap
  Description: Enumerate NTP
  Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP}
