NTP Mode 6 Vulnerabilities
Basic Information
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Default port: 123/udp
PORT STATE SERVICE REASON
123/udp open ntp udp-response
Enumeration
ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>
Examine configuration files
ntp.conf
Option 2
The vulnerability can be confirmed with the following nmap command:
$ sudo nmap -Pn -sU -p123 --script ntp-info -n {host}
An example response should be received:
PORT STATE SERVICE
123/udp open ntp
| ntp-info:
| receive time stamp: 2021-06-10T16:34:52
| version: ntpd [email protected] Mon Jun 24 12:37:15 UTC 2013 (79)
| processor: x86_64
| system: Linux/2.6.99.99
| leap: 3
| stratum: 16
| precision: -21
| rootdelay: 0.000
| rootdispersion: 3286057.565
| peer: 0
| refid: INIT
| reftime: 0x00000000.00000000
| poll: 3
| clock: 0xe3c51e85.3c189ffa
| offset: 0.000
| frequency: 0.000
| noise: 0.000
| jitter: 0.000
|_ stability: 0.000\x0D
Service Info: OS: Linux/2.6.99.99
REMEDIATION OF MODE 6 VULNERABILITIES
The easiest and most common way to remediate this issue is by firewalling NTP. Unless external clients on the public internet need to use the NTP service, it is best to remove the attack surface entirely by firewalling or disabling the service.
NTP ON IOS
When enabling NTP on IOS, by default the NTP server is also enabled on all interfaces.
SOLUTION 1: DISABLE NTP COMPLETELY
To disable NTP completely, the following command can be used:
disable ntp
SOLUTION 2: RESTRICT NTP VIA ACCESS CONTROLS
ntp access-group { access-list-number | access-list-number-expanded | access-list-name }
REFERENCES
The full NTP Mode 6 specification can be found here: https://docs.ntpsec.org/latest/mode6.html
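To check whether mode 6 queries are still reaching a server after the controls above are applied, UDP/123 payloads from a packet capture can be decoded against the header layout in that specification. The following is an added example, not code from the original page; the function names, the trusted range 192.0.2.0/24 and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Opcode numbers per RFC 9327; an ntpq readvar query sends opcode 2.
OPCODES = {1: "read status", 2: "read variables", 3: "write variables",
           4: "read clock variables", 5: "write clock variables",
           6: "set trap", 7: "trap response", 8: "configure",
           9: "save config", 10: "read MRU", 11: "read ordered list",
           12: "request nonce", 31: "unset trap"}
HEADER = struct.Struct("!BBHHHHH")  # 12-byte mode 6 header, network byte order


def parse_mode6(payload):
    """Decode a UDP/123 payload; return None unless it is a mode 6 packet."""
    if len(payload) < HEADER.size:
        return None
    b0, b1, seq, status, assoc, offset, count = HEADER.unpack_from(payload)
    if b0 & 0x07 != 6:  # low three bits of the first byte carry the NTP mode
        return None
    data = payload[HEADER.size:HEADER.size + count]
    return {"version": (b0 >> 3) & 0x07,
            "response": bool(b1 & 0x80),  # R bit: 0 = request, 1 = response
            "error": bool(b1 & 0x40), "more": bool(b1 & 0x20),
            "opcode": OPCODES.get(b1 & 0x1F, "unknown(%d)" % (b1 & 0x1F)),
            "sequence": seq, "status": status, "association": assoc,
            "offset": offset, "count": count,
            "truncated": len(data) < count,  # header claims more than captured
            "data": data}


def external_queries(packets, trusted=("192.0.2.0/24",)):
    """Return (source, opcode) for mode 6 requests from outside `trusted`."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for src, payload in packets:
        info = parse_mode6(payload)
        if info is None or info["response"]:
            continue
        if not any(ipaddress.ip_address(src) in n for n in nets):
            hits.append((src, info["opcode"]))
    return hits

# Constructed payloads for illustration (not captured traffic).
BODY = b"stratum=16, refid=INIT"
READVAR_REQ = bytes([0x16, 0x02]) + struct.pack("!5H", 1, 0, 0, 0, 0)
READVAR_RSP = bytes([0x16, 0x82]) + struct.pack("!5H", 1, 0, 0, 0, len(BODY)) + BODY
CLIENT_MODE3 = bytes([0x23]) + bytes(47)  # ordinary time request, not mode 6
SAMPLE = [("192.0.2.10", READVAR_REQ), ("203.0.113.7", READVAR_REQ),
          ("203.0.113.7", CLIENT_MODE3), ("198.51.100.5", READVAR_RSP)]
```

Calling external_queries(SAMPLE) lists only the request from 203.0.113.7, since ordinary mode 3 time requests and mode 6 responses are ignored.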