# NTP Mode 6 Vulnerabilities

## Basic Information

The Network Time Protocol (**NTP**) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

**Default port:** 123/udp

```
PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response
```

## Enumeration

```bash
ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
```

```bash
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>
```

## Examine configuration files

* ntp.conf

## Option 2

The vulnerability can confirmed with the following [nmap](https://nmap.org/) command:

```
$ sudo nmap -Pn -sU -p123 --script ntp-info –n {host}
```

An example response should be received:

```
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2021-06-10T16:34:52
|   version: ntpd 4.2.6p2@1.2194 Mon Jun 24 12:37:15 UTC 2013 (79)
|   processor: x86_64
|   system: Linux/2.6.99.99
|   leap: 3
|   stratum: 16
|   precision: -21
|   rootdelay: 0.000
|   rootdispersion: 3286057.565
|   peer: 0
|   refid: INIT
|   reftime: 0x00000000.00000000
|   poll: 3
|   clock: 0xe3c51e85.3c189ffa
|   offset: 0.000
|   frequency: 0.000
|   noise: 0.000
|   jitter: 0.000
|_  stability: 0.000\x0D
Service Info: OS: Linux/2.6.99.99
```

### REMEDIATION OF MODE 6 VULNERABILITIES

The easiest and most common way to remediate this issue is by firewalling NTP. Unless you require external clients to use the NTP service from the public internet, it is best to restrict the attack surface completely and firewall or disable the service completely.

#### NTP ON IOS

When enabling NTP on IOS, by default the NTP server is also enabled on all interfaces.

**SOLUTION 1: DISABLE NTP COMPLETELY**

To disable NTP completely, the following command can be used:

```
disable ntp
```

<https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp1510820932>

**SOLUTION 2: RESTRICT NTP VIA ACCESS CONTROLS**

```
ntp access-group { access-list-number | access-list-number-expanded | access-list-name }
```

<https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810>

#### REFERENCES

The full NTP Mode 6 specification can be found here: <https://docs.ntpsec.org/latest/mode6.html>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://wiki.smhuda.com/pentesting/infrastructure-security/network-infrastructure/ntp-mode-6-vulnerabilities.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.