123 - Ntp

💡 Learning tip: this document describes penetration-testing methods for Ntp and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: this document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.



Advanced Attacks

1. NTP Amplification / Reflection

The legacy Mode-7 monlist query returns up to 600 host addresses and is still present on thousands of Internet hosts. Because the reply (428-468 bytes/entry) is roughly 200× larger than the 8-byte request, an attacker can reach triple-digit amplification factors. Mitigations:

  • Upgrade to ntp 4.2.8p15+ and add the disable monitor directive to ntp.conf.
  • Rate-limit UDP/123 at the edge or enable sessions-required on DDoS appliances.
  • Enable BCP 38 egress filtering to block source-address spoofing.

See Cloudflare’s learning-center article for a step-by-step breakdown.

2. Time-Shift / Delay attacks (Khronos / Chronos research)

Even with authentication, an on-path attacker can silently shift the client clock by dropping or delaying packets. The IETF Khronos (formerly Chronos) draft proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > x ms. Modern chrony (4.4+) already implements a similar sanity filter (maxdistance / maxjitter).
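As an added example (not code from the original page or from the Khronos draft), the Python below parses a mode-4 NTP reply, computes the RFC 5905 offset, and applies a simplified Khronos-style consensus check: the trimmed-third rule, the omega_ms / quorum values and the constructed SAMPLE_REPLY are assumptions, not the draft's exact algorithm. query_offset needs network access; everything else runs offline.

```python
import socket, struct, time
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed 48-byte mode-4 reply (stratum 2): T1 = 1700000000.0 Unix, T2 = T1 + 0.5 s, T3 = T1 + 0.75 s
SAMPLE_REPLY = bytes([0x24, 2, 6, 0xEC]) + b"\x00" * 12 + struct.pack(
    "!8I", 3908988800, 0, 3908988800, 0, 3908988800, 0x80000000, 3908988800, 0xC0000000)

def ntp_ts(secs, frac):
    """64-bit NTP timestamp (seconds, 32-bit fraction) -> Unix float seconds."""
    return secs - NTP_UNIX_DELTA + frac / 2**32

def parse_reply(data):
    """Parse a mode-4 server reply into (stratum, T1 origin, T2 receive, T3 transmit)."""
    if len(data) < 48 or data[0] & 0x07 != 4:
        raise ValueError("not a 48-byte NTP server reply")
    ts = struct.unpack("!8I", data[16:48])  # ref, org, rec, xmt as (secs, frac) pairs
    t1, t2, t3 = (ntp_ts(ts[i], ts[i + 1]) for i in (2, 4, 6))
    return data[1], t1, t2, t3

def clock_offset(t1, t2, t3, t4):
    """RFC 5905 offset ((T2 - T1) + (T3 - T4)) / 2; positive = local clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=2.0):
    """Send one mode-3 request to host:123 and return the measured offset in ms."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x23" + b"\x00" * 47, (host, 123))  # LI=0, VN=4, mode=3
        data, _ = s.recvfrom(48)
        t4 = time.time()
    _, _, t2, t3 = parse_reply(data)  # echoed origin is zero, so use local t1
    return clock_offset(t1, t2, t3, t4) * 1000.0

def khronos_check(offsets_ms, omega_ms=100.0, quorum=3):
    """Simplified Khronos-style filter (an assumption, not the draft's exact algorithm):
    drop the lowest/highest third of the samples, require the rest to agree within omega."""
    s = sorted(offsets_ms)
    k = len(s) // 3
    core = s[k:len(s) - k] if k else s
    if len(core) < quorum or core[-1] - core[0] > omega_ms:
        return False, None
    return True, sum(core) / len(core)  # (ok, consensus offset in ms)

def shift_detected(primary_offset_ms, background_offsets_ms, omega_ms=100.0):
    """True when the primary server disagrees with the diverse-server consensus by
    more than omega_ms, or when those servers cannot reach a consensus at all."""
    ok, consensus = khronos_check(background_offsets_ms, omega_ms)
    return (not ok) or abs(primary_offset_ms - consensus) > omega_ms
```

A primary server whose offset lands far outside the background consensus is the shift signal the draft is looking for; no consensus at all among diverse servers is itself worth alerting on.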

3. NTS abuse & 4460/tcp exposure

NTS moves the heavy crypto to a separate TLS 1.3 channel on 4460/tcp (ALPN ntske/1). Poor implementations (see CVE-2023-33192) crash when parsing cookies or allow weak ciphers. Pentesters should:

# TLS reconnaissance
nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>

# Grab banner & ALPN
openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof

Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4.


Hardening / Best-Current-Practice (BCP-233 / RFC 8633)

Operators SHOULD:

  1. Use ≥ 4 independent, diverse time sources (public pools, GPS, PTP-bridges) to avoid single-source poisoning.
  2. Enable the kod and limited/nomodify restrict flags so abusive clients receive Kiss-o'-Death rate-limit packets instead of full responses.
  3. Monitor daemon logs for panic events or step adjustments > 1000 s; RFC 8633 §5.3 lists these as attack signatures.
  4. Consider leap-smear to avoid leap-second outages, but ensure all downstream clients use the same smear window.
  5. Keep polling ≤24 h so leap-second flags are not missed.

See RFC 8633 for a comprehensive checklist.


Shodan / Censys Dorks

port:123 "ntpd"          # Version banner
udp port:123 monlist:true # Censys tag for vulnerable servers
port:4460 "ntske"         # NTS-KE

Useful Tools

| Tool | Purpose | Example |
|------|---------|---------|
| ntpwn | Script-kiddie wrapper to spray monlist & peers queries | python ntpwn.py --monlist targets.txt |
| zgrab2 ntp | Mass scanning / JSON output including monlist flag | See command above |
| chronyd with allow | Run rogue NTP server in pentest lab | chronyd -q 'server 127.127.1.0 iburst' |
| BetterCap | Inject NTP packets for time-shift MITM on Wi-Fi | set arp.spoof.targets <victim>; set ntp.time.delta 30s; arp.spoof on |

HackTricks Automatic Commands

Protocol_Name: NTP
Port_Number: 123
Protocol_Description: Network Time Protocol

Entry_1:
  Name: Notes
  Description: Notes for NTP
  Note: |
    The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed.

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ntp.html

Entry_2:
  Name: Nmap
  Description: Enumerate NTP
  Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP}


Search Engine Syntax

FOFA

# FOFA search syntax
port="123"

Shodan

# Shodan search syntax
port:123

ZoomEye

# ZoomEye search syntax
port:123

📖 References