NTP Mode 6 Vulnerabilities

Basic Information

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Default port: 123/udp

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response

Enumeration

ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>

nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

Examine configuration files

• ntp.conf

Option 2

The vulnerability can confirmed with the following nmap command:

An example response should be received:

REMEDIATION OF MODE 6 VULNERABILITIES

The easiest and most common way to remediate this issue is by firewalling NTP. Unless you require external clients to use the NTP service from the public internet, it is best to restrict the attack surface completely and firewall or disable the service completely.

NTP ON IOS

When enabling NTP on IOS, by default the NTP server is also enabled on all interfaces.

SOLUTION 1: DISABLE NTP COMPLETELY

To disable NTP completely, the following command can be used:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp1510820932

SOLUTION 2: RESTRICT NTP VIA ACCESS CONTROLS

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810

REFERENCES

The full NTP Mode 6 specification can be found here: https://docs.ntpsec.org/latest/mode6.html