NTP Mode 6 Vulnerabilities

Basic Information

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Default port: 123/udp

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response

Enumeration

ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

Examine configuration files

  • ntp.conf

Option 2

The vulnerability can confirmed with the following nmap command:

$ sudo nmap -Pn -sU -p123 --script ntp-info –n {host}

An example response should be received:

PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2021-06-10T16:34:52
|   version: ntpd [email protected] Mon Jun 24 12:37:15 UTC 2013 (79)
|   processor: x86_64
|   system: Linux/2.6.99.99
|   leap: 3
|   stratum: 16
|   precision: -21
|   rootdelay: 0.000
|   rootdispersion: 3286057.565
|   peer: 0
|   refid: INIT
|   reftime: 0x00000000.00000000
|   poll: 3
|   clock: 0xe3c51e85.3c189ffa
|   offset: 0.000
|   frequency: 0.000
|   noise: 0.000
|   jitter: 0.000
|_  stability: 0.000\x0D
Service Info: OS: Linux/2.6.99.99

REMEDIATION OF MODE 6 VULNERABILITIES

The easiest and most common way to remediate this issue is by firewalling NTP. Unless you require external clients to use the NTP service from the public internet, it is best to restrict the attack surface completely and firewall or disable the service completely.

NTP ON IOS

When enabling NTP on IOS, by default the NTP server is also enabled on all interfaces.

SOLUTION 1: DISABLE NTP COMPLETELY

To disable NTP completely, the following command can be used:

disable ntp

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp1510820932

SOLUTION 2: RESTRICT NTP VIA ACCESS CONTROLS

ntp access-group { access-list-number | access-list-number-expanded | access-list-name }

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810

REFERENCES

The full NTP Mode 6 specification can be found here: https://docs.ntpsec.org/latest/mode6.html

PreviousMicrosoft SQL Server (MSSQL)NextBloodHound

Last updated

Was this helpful?