pentesting-ntp

```
$ npx mdskill add xalgord/xalgorix/pentesting-ntp
```
---
name: pentesting-ntp
description: Testing NTP services (default 123/UDP for time data and legacy control, 4460/TCP for NTS-KE/TLS) for monlist/Mode-7 amplification exposure, remote query/control leakage, time-shift MITM, weak NTS-KE TLS, and known ntpd/chrony/ntpd-rs CVEs during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - ntp
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting NTP (port 123)

## When to Use

- Default port `123/udp` (data + legacy Mode-6/7 control); `4460/tcp` for NTS-KE (RFC 8915, TLS 1.3 key establishment).
- When `nmap` shows `123/udp open ntp udp-response`.
- NTP syncs clocks for auth, crypto and logging — an attacker who influences NTP can bypass time-based controls or hinder forensics.
- Internet-facing NTP is a prime DDoS reflection/amplification source (the legacy `monlist` query).

## Quick Enumeration

```bash
# Safe discovery + vuln scripts (excludes dos/brute)
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

# Explicit monlist amplification check
nmap -sU -p123 --script ntp-monlist <IP>

# Read server variables / peers / associations
ntpq -c rv <IP>
ntpq -c readvar <IP>
ntpq -c peers <IP>
ntpq -c associations <IP>

# Legacy Mode-7 control (often disabled >= 4.2.8p9)
ntpdc -c monlist <IP>
ntpdc -c listpeers <IP>
ntpdc -c sysinfo <IP>

# chrony remote monitoring (only when cmdallow is enabled)
chronyc -a -n tracking -h <IP>
chronyc -a -n sources -v -h <IP>
chronyc -a -n sourcestats -h <IP>

# Mass scan for the monlist flag (zgrab2)
zgrab2 ntp --monlist --timeout 3 --output-file monlist.json -f zmap_results.csv
```

## Critical: Checks Most Often Missed

- **Mode-7 `monlist` amplification** — returns up to **600 host addresses**; the reply (428-468 bytes/entry) is ~200x the 8-byte request, giving triple-digit amplification. Still present on thousands of hosts.
- **Remote `ntpq`/`ntpdc` query leakage** — peers, associations and system variables disclose upstream servers and topology when `noquery` is not set.
- **NTS-KE TLS weakness (4460/tcp)** — self-signed/expired certs, non-AEAD cipher suites; CVE-2023-33192 (ntpd-rs) crashes on malformed NTS cookies even when NTS is disabled.
- **Time-shift MITM** — an on-path attacker can silently shift a client clock by dropping/delaying packets, even with authentication.
- **Unpatched ntpd OOB-writes** — CVE-2023-26551..26555 (libntp `mstolfp`/`praecis_parse`) reachable via `ntpq` responses; fixed in 4.2.8p16.

### How to CONFIRM

- monlist enabled: `ntpdc -c monlist <IP>` returns a populated host list (not an empty reply or a timeout), or `nmap ntp-monlist` reports entries; `zgrab2 --monlist` flags `monlist:true`.
- Query leakage: `ntpq -c peers <IP>` / `-c rv <IP>` returns data from a remote (non-local) source.
- Weak NTS-KE: `openssl s_client` on 4460 shows a self-signed/expired cert or weak (non-AEAD) ciphers.
- Amplification: measured response-size to request-size ratio >> 1 (monlist ~200x).

## Workflow

### Step 1: Enumerate

Confirm `123/udp` is open and version it: `nmap -sU -sV --script "ntp* and discovery" -p 123 <IP>`. Note the daemon (ntpd vs chrony vs ntpd-rs) and version for CVE mapping.

### Step 2: Query / control access

Pull variables and peers with `ntpq -c rv`, `-c peers`, `-c associations`. Try legacy Mode-7 with `ntpdc -c monlist`/`sysinfo`. For chrony, test `chronyc -a -n tracking -h <IP>`.

### Step 3: Exploit / Extract

- Confirm and document `monlist` amplification (DoS/reflection surface — do not weaponize against third parties).
- Probe NTS-KE TLS on 4460:

```bash
nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>
openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof
```

- Map the version to known CVEs (ntpd OOB-write series, ntpd-rs NTS DoS).

### Step 4: Post-access / pivot

Use disclosed upstream/peer servers and internal topology for further recon.

In a lab/authorized MITM scenario, demonstrate clock-shift impact on time-based auth (Kerberos, TOTP, cert validity) — e.g. BetterCap `set ntp.time.delta`.

## Key Concepts

| Concept | Description |
|---------|-------------|
| **Mode-6 / Mode-7** | Legacy control/query modes (`ntpq`/`ntpdc`); `monlist` is the abused Mode-7 query |
| **monlist** | Returns recent clients (up to 600) -> reflection/amplification vector |
| **NTS / NTS-KE** | Network Time Security; TLS 1.3 key establishment on `4460/tcp` (RFC 8915) |
| **Kiss-o'-Death (kod)** | Rate-limit response; `restrict ... kod limited` mitigates abuse |
| **Time-shift attack** | Drop/delay packets to move a client's clock and defeat time-based controls |
| **Stratum** | Distance from an authoritative reference clock |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap ntp-* NSE** | Discovery, monlist, version, vuln detection |
| **ntpq** | Query variables/peers/associations (Mode-6) |
| **ntpdc** | Legacy Mode-7 control incl. monlist |
| **chronyc** | Remote monitoring of chrony (tracking/sources) |
| **zgrab2 ntp** | Mass scanning with JSON output incl. monlist flag |
| **openssl s_client** | NTS-KE TLS inspection on 4460 |
| **BetterCap** | NTP packet injection / time-shift MITM (lab) |

## Common Scenarios

### Scenario 1: Internet-facing monlist amplifier

An edge NTP server answers `ntpdc -c monlist` with 600 entries; it is usable as a high-ratio UDP reflection source and must have `disable monitor` set.

### Scenario 2: Topology disclosure

`ntpq -c peers <IP>` from an external host returns upstream servers and internal peers, leaking infrastructure detail (no `restrict ... noquery`).

### Scenario 3: NTS-KE DoS

A `4460/tcp` listener runs an unpatched ntpd-rs (< 0.3.3); a malformed NTS cookie crashes the daemon (CVE-2023-33192).

## Output Format

```
## NTP Finding
**Service**: NTP (123/udp) / NTS-KE (4460/tcp)
**Severity**: <High|Medium|Low>
**Target**: <IP>:123
Daemon/Version: <ntpd 4.2.8pX | chrony 4.x | ntpd-rs>

### Evidence
- monlist enabled: ntpdc -c monlist returned <N> hosts (amplification ~200x)
- Query leakage: ntpq -c peers disclosed upstream/internal peers
- NTS-KE: self-signed cert / non-AEAD ciphers on 4460
- Version maps to CVE-2023-26551..55 / CVE-2023-33192

### Reproduction
nmap -sU -p123 --script ntp-monlist <IP>
ntpq -c peers <IP>

### Recommendation
1. Add `disable monitor` (ntpd 4.2.8p15+) to kill monlist
2. Restrict with `restrict default noquery nomodify`, enable `kod`/`limited`
3. Enable BCP 38 egress filtering to stop source spoofing
4. Patch to ntpd 4.2.8p16 / current chrony; validate NTS-KE certs and ciphers
5. Use >= 4 diverse time sources to resist single-source poisoning
```
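As an added defender-side check tied to the Recommendation list above (example code written for this page, not part of the skill or of the ntp project): a small Python audit of an `ntp.conf` that reports a missing `disable monitor`, missing `noquery`/`nomodify`/`kod`/`limited` on `restrict default` (the `-4`/`-6` forms are intersected so a weak line for one address family is still caught, and `ignore` is treated as covering everything), and fewer than four `server`/`pool`/`peer` sources. Both sample configs are constructed for the demonstration.

```python
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "kod", "limited"}  # on `restrict default`
MIN_SOURCES = 4  # ">= 4 diverse time sources"


def parse_ntp_conf(text):
    """Yield (keyword, args) per statement; `#` comments and blank lines dropped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def audit_ntp_conf(text):
    """Return findings for one config; True values / non-empty lists are gaps."""
    stmts = list(parse_ntp_conf(text))
    # `disable monitor` switches off the MRU list that monlist reads.
    monitor_disabled = any(kw == "disable" and "monitor" in args for kw, args in stmts)
    # Intersect the flags of every `restrict default` line (-4/-6 forms included)
    # so a weak line for one address family is still reported.
    default_lines = []
    for kw, args in stmts:
        a = [x for x in args if x not in ("-4", "-6")]
        if kw == "restrict" and a and a[0] == "default":
            default_lines.append(set(a[1:]))
    effective = set.intersection(*default_lines) if default_lines else set()
    # `ignore` drops every packet and therefore subsumes the individual flags.
    missing = [] if "ignore" in effective else sorted(REQUIRED_DEFAULT_FLAGS - effective)
    sources = sum(1 for kw, _ in stmts if kw in ("server", "pool", "peer"))
    return {
        "monlist_enabled": not monitor_disabled,
        "missing_restrict_flags": missing,
        "source_count": sources,
        "too_few_sources": sources < MIN_SOURCES,
    }


# Constructed sample configs for demonstration (not taken from any real host).
WEAK_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default nomodify notrap   # monitor left on, no noquery/kod/limited
"""
HARDENED_CONF = """\
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
server time.example.net iburst
server ntp.example.net iburst
"""
```

Run `audit_ntp_conf(open("/etc/ntp.conf").read())` on a host under review; the weak sample reports `monlist_enabled: True`, the three missing flags and only two sources, while the hardened sample reports no gaps.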