Monday, April 5, 2010

Network Time Protocol (NTP) Fun


@hdmoore released a new auxiliary module a few days ago that goes along with the NTP research he has been doing.

msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com

RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info

Name: NTP Monitor List Scanner
Version: 8432
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
RHOSTS time.euro.apple.com yes The target address range or CIDR identifier
RPORT 123 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
Obtain the list of recent clients from an NTP server

msf auxiliary(ntp_monlist) >

And when you run the module, it looks a bit like this:

msf auxiliary(ntp_monlist) > run

[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) >

Other neat shiz...

Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.

http://www.sensepost.com/blog/4552.html

Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program, e.g. 'ntpdc target.ntp.server'. Some of these commands include:

  • listpeers - List the peers (NTP servers) for the time server
  • showpeer - Give time keeping info about a specific peer time server
  • peers - List peers and some basic time keeping info
  • sysstats - Info regarding the ntp daemon itself


$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126,
refid=17.72.133.54, reftime=cf648929.538400d4 Mon, Apr 5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c Mon, Apr 5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0

$ ntpdc -c peers time.euro.apple.com
remote local st poll reach delay offset disp
=======================================================================
*time1.euro.appl 17.72.255.11 1 128 377 0.00069 0.000155 0.07887
=time2.euro.appl 17.72.255.11 1 128 377 0.00061 0.000177 0.08919
=17.254.0.49 17.72.255.11 1 128 377 0.14996 0.000237 0.06696
=TrueTime.asia.a 17.72.255.11 1 128 377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11 2 128 0 0.17369 0.007904 3.99217
+time4.euro.appl 17.72.255.11 2 32 376 0.00015 -0.000151 0.04303

$ ntpdc -c listpeers time.euro.apple.com
client time1.euro.apple.com
client time2.euro.apple.com
client 17.254.0.49
client TrueTime.asia.apple.com
client A17-106-100-13.apple.com
sym_active time4.euro.apple.com

Of course if you just want to do the monlist yourself you can...

$ ntpdc -c monlist time.euro.apple.com
remote address port local address count m ver code avgint lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12 5 3 4 0 0 0
static-86-51-114-108.m 316 17.72.255.12 25 3 4 0 0 0
207-38-154-68.c3-0.ave 40311 17.72.255.12 7 3 4 0 0 0
62-177-171-130.dsl.bbe 501 17.72.255.12 1 3 4 0 0 0
bb6a37ee.virtua.com.br 123 17.72.255.12 1 3 4 0 0 0
p4FC7545E.dip.t-dialin 123 17.72.255.12 1 3 4 0 0 0
--SNIP--


Still Interested?
http://www.ntp.org/documentation.html
CG
