NTP (Network Time Protocol)
Default Port: 123
Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source. Even though it's a simple and often overlooked protocol, it can be a valuable attack vector if not properly secured.
Connect
Connect Using ntpq
To connect to an NTP server, you can manually query it using the ntpq command-line utility.
ntpq -p X.X.X.X
Enumeration
Nmap
Nmap has a script for NTP information enumeration:
nmap -sU -p 123 --script ntp-info X.X.X.X
Attack Vectors
NTP Amplification Attacks
In this type of Distributed Denial of Service (DDoS) attack, an attacker exploits a vulnerable NTP server's monlist feature (which sends data about the last 600 hosts connecting to the server). The attacker spoofs their target's IP and sends a small query to the server, which responds by sending a large amount of data to the spoofed IP. This saturates the target's network with excessive traffic, disrupting its normal function.
Even though it's a simple protocol, NTP can be exploited if not properly secured. Keeping NTP servers updated and properly configured is essential for preventing such attacks.
# A simple ntpdc command to demonstrate interaction with monlist feature
# Note: Most modern NTP servers have this feature disabled due to its potential for misuse
ntpdc -n -c monlist [Target IP]
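On the defensive side, monlist traffic is identifiable from the first four bytes of a UDP/123 payload (mode 7, request code 20 or 42), and the request/response byte ratio shows whether a server is being used as an amplifier. The following is an added example, not code from the original page; the function names, sample addresses, zero-filled packet bodies and the 10x threshold are assumptions made for illustration.

```python
import struct

MODE_PRIVATE = 7  # NTP mode 7: ntpdc "private" requests, which carry monlist
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}  # ntpd request codes

def classify_ntp(payload: bytes) -> dict:
    """Decode the first four bytes of a UDP/123 payload and flag monlist."""
    if len(payload) < 4:
        return {"valid": False, "monlist": False}
    b0, _seq, _impl, code = struct.unpack("!BBBB", payload[:4])
    mode = b0 & 0x07
    return {
        "valid": True,
        "mode": mode,
        "version": (b0 >> 3) & 0x07,
        "response": bool(b0 & 0x80),  # R bit; only meaningful in mode 7
        "monlist": mode == MODE_PRIVATE and code in MONLIST_CODES,
    }

def amplification_alerts(packets, min_ratio=10.0):
    """packets: (src, dst, payload) tuples. Report client/server pairs where
    monlist response bytes exceed request bytes by at least min_ratio."""
    flows = {}
    for src, dst, payload in packets:
        info = classify_ntp(payload)
        if not info["monlist"]:
            continue
        key = (dst, src) if info["response"] else (src, dst)  # (client, server)
        totals = flows.setdefault(key, {"req": 0, "resp": 0})
        totals["resp" if info["response"] else "req"] += len(payload)
    return [
        {"claimed_client": c, "server": s, "ratio": round(t["resp"] / t["req"], 1)}
        for (c, s), t in flows.items()
        if t["req"] and t["resp"] / t["req"] >= min_ratio
    ]

# Constructed sample traffic (documentation addresses, zero-filled bodies).
REQUEST = bytes([0x17, 0x00, 0x03, 42]) + bytes(4)     # mode 7 request, 8 bytes
RESPONSE = bytes([0x97, 0x00, 0x03, 42]) + bytes(436)  # mode 7 response, 440 bytes
CLIENT_SYNC = bytes([0x23]) + bytes(47)                # ordinary mode 3 query
SAMPLE = [("198.51.100.5", "192.0.2.10", REQUEST)]
SAMPLE += [("192.0.2.10", "198.51.100.5", RESPONSE)] * 10
SAMPLE += [("203.0.113.7", "192.0.2.10", CLIENT_SYNC)]

if __name__ == "__main__":
    for alert in amplification_alerts(SAMPLE):
        print(alert)
```

The source address of the request is reported as `claimed_client` because in a reflection attack it is the spoofed victim, not the sender.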
Post-Exploitation
Changing Server Time
You could potentially adjust the time on the server and cause havoc for any processes that are dependent on the system time.
To change the server time manually, use the following command:
date -s "14 Oct 2020 18:00:00"