ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524)

The ICMP Timestamp Request Remote Date Disclosure vulnerability occurs when an attacker is able to send an ICMP (Internet Control Message Protocol) timestamp request to a target system, which then responds with the system's timestamp information. This can expose the exact time of the target system.

ICMP is a protocol used for network error messages and diagnostics (e.g., "ping" commands). The vulnerability specifically affects ICMP timestamp requests (type 13) and responses (type 14), which can inadvertently reveal sensitive system information like the current date and time.

Severity Rating: Low


Verifying If a System is Vulnerable

You can use tools like Nessus, hping3, or nping to check if a device is vulnerable to this issue.

Using Nessus

Scan the device using Nessus Plugin ID 10114 to check if it is susceptible to this vulnerability.

Using hping3

To check for the vulnerability with hping3, run the following command to send an ICMP timestamp request (type 13):

hping3 -1 --icmp-ts <target_ip>

Here's what each part of the command means:

  • "-1" sets ICMP mode

  • "--icmp-ts" specifies ICMP timestamp request (type 13)

Then interpret the result:

  • Check for Replies: If the target system responds with an ICMP timestamp reply (type 14), this indicates that the system is vulnerable.

  • Analyze the Response: Review the timestamp in the reply. If it reveals the system’s current time or uptime, the target is vulnerable.

Using nping

You can also use nping to perform a similar test:

nping --icmp --icmp-type timestamp-request <target_ip>

If you receive an ICMP timestamp reply (type 14), the target system is vulnerable to the ICMP Timestamp Request Remote Date Disclosure.
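
To make the "Analyze the Response" step concrete, the following added example (not part of the original page) decodes the 20-byte ICMP timestamp reply defined in RFC 792 and reports what it discloses. The function names and the sample packet are constructed for illustration; the input is the ICMP message without its IP header.

```python
import struct
from datetime import timedelta

ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 86_400_000


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_timestamp_reply(icmp: bytes) -> dict:
    """Decode an ICMP timestamp reply and return the disclosed clock values."""
    if len(icmp) < 20:
        raise ValueError("ICMP timestamp messages are 20 bytes long")
    mtype, code, _ck, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if mtype != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError(f"not a timestamp reply (type={mtype}, code={code})")
    if inet_checksum(icmp[:20]) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    # RFC 792: milliseconds since midnight UT; high bit set marks a non-standard value
    standard = not (xmit & 0x80000000) and xmit < MS_PER_DAY
    return {
        "id": ident, "seq": seq,
        "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit,
        "standard": standard,
        "remote_time_utc": str(timedelta(milliseconds=xmit)) if standard else None,
        # Remote clock minus sender clock; includes one-way network delay
        "offset_ms": (recv - orig) if standard else None,
    }


def build_sample_reply() -> bytes:
    """Constructed sample: remote clock reads 14:30:05.250 UTC, sender sent at 14:30:03.750."""
    orig = ((14 * 60 + 30) * 60 + 3) * 1000 + 750
    recv = xmit = ((14 * 60 + 30) * 60 + 5) * 1000 + 250
    body = struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REPLY, 0, 0, 0x1234, 1, orig, recv, xmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


if __name__ == "__main__":
    print(parse_timestamp_reply(build_sample_reply()))
```

A reply that parses with "standard" set to True confirms the host is disclosing its time of day; after the fix is applied, no reply should arrive to parse at all.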


Fixing the Vulnerability

To mitigate this vulnerability, block ICMP timestamp requests (type 13) and responses (type 14) from external sources. Below are instructions for applying fixes on various platforms.

HP-UX

Run the following command to disable timestamp responses:

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Cisco IOS

Use Access Control Lists (ACLs) to block timestamp requests and replies:

deny icmp any any 13
deny icmp any any 14

Linux

Use iptables to block ICMP timestamp requests and replies:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Windows NT

Block ICMP timestamp requests through the firewall.

OpenBSD

Disable timestamp responses by setting the sysctl variable:

sysctl -w net.inet.icmp.tstamprepl=0

Cisco PIX

To block timestamp requests and replies, run:

icmp deny any 13
icmp deny any 14

Sun Solaris

Disable timestamp responses with the following commands:

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Windows 2000

Block ICMP types 13 and 14 with an IPSec filter.

Windows XP / Server 2003

Disable incoming timestamp requests through the Windows Firewall settings.

Windows Vista / Server 2008

Use the netsh command to disable timestamp requests:

netsh firewall set icmpsetting 13 disable

General Solution

For all platforms, the most effective fix is to configure your firewall to block ICMP types 13 (timestamp request) and 14 (timestamp reply).


Rolling Back the Fixes

If you need to undo the changes, follow the commands specific to your platform:

HP-UX

Re-enable timestamp responses with:

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1

Cisco IOS

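Remove the ACL entries from within the ACL's configuration mode. On a numbered ACL, the global "no access-list <ACL_ID> ..." form deletes the entire list rather than a single entry:

ip access-list extended <ACL_ID>
 no deny icmp any any 13
 no deny icmp any any 14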

Linux

Remove the iptables rules:

iptables -D INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -D OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Windows NT

Adjust firewall settings to allow ICMP requests.

OpenBSD

Re-enable timestamp responses with:

sysctl -w net.inet.icmp.tstamprepl=1

Cisco PIX

To enable ICMP timestamp responses again, run:

icmp permit any 13
icmp permit any 14

Sun Solaris

Re-enable timestamp responses with:

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 1
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1

Windows 2000

Remove the IPSec filter that blocks ICMP types 13 and 14.

Windows XP / Server 2003

Adjust Windows Firewall settings to allow incoming timestamp requests.

Windows Vista / Server 2008

Re-enable timestamp requests using the following command:

netsh firewall set icmpsetting 13 enable

Verifying the Fix

After applying the fix, you can verify that the vulnerability has been addressed:

  1. Rescan the system with Nessus Plugin ID 10114 to ensure that the vulnerability is no longer present.

  2. Use hping3 or nping to send a timestamp request and verify that no reply is received. If no reply is received, the fix has been successfully applied.


Last updated 5 months ago

Note on the test commands: <target_ip> is the IP address of your target. The hping3 command sends an ICMP timestamp request to the specified target, which can potentially disclose the remote date of the target system.
