HackTricks
HackTricks
Ask or search…
⌃K
Links

123/udp - Pentesting NTP

HackenProof is home to all crypto bug bounties.
Get rewarded without delays HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
Get experience in web3 pentesting Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
Become the web3 hacker legend Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
​Sign up on HackenProof start earning from your hacks!

Basic Information

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Default port: 123/udp
PORT STATE SERVICE REASON
123/udp open ntp udp-response

Enumeration

ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

Examine configuration files

  • ntp.conf

NTP Amplification Attack

NTP protocol by design uses UDP to operate, which does not require any handshake like TCP, thus no record of the request. So, NTP DDoS amplification attack begins when an attacker crafts packets with a spoofed source IP to make the packets appear to be coming from the intended target and sends them to NTP server. Attacker initially crafts the packet of few bytes, but NTP responds with a large amount of data thus adding to amplification of this attack.
MONLIST command: It is a NTP protocol command which has very little use, but it is this command which is the main culprit for this attack. However, the use of MONLIST command is to give details of the last 600 clients that have connected to the NTP time service. Below is the command syntax:
ntpdc -n -c monlist <IP>

Shodan

  • ntp

HackTricks Automatic Commands

Protocol_Name: NTP #Protocol Abbreviation if there is one.
Port_Number: 123 #Comma separated if there is more than one.
Protocol_Description: Network Time Protocol #Protocol Abbreviation Spelled out
​
Entry_1:
Name: Notes
Description: Notes for NTP
Note: |
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
​
https://book.hacktricks.xyz/pentesting/pentesting-ntp
​
Entry_2:
Name: Nmap
Description: Enumerate NTP
Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP}
​
HackenProof is home to all crypto bug bounties.
Get rewarded without delays HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
Get experience in web3 pentesting Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
Become the web3 hacker legend Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
​Sign up on HackenProof start earning from your hacks!