Network Time Protocol (NTP) Fun

@hdmoore released a new auxiliary module a few days ago that goes along with the NTP research he has been doing.

msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com
RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info

    Name: NTP Monitor List Scanner
 Version: 8432
 License: Metasploit Framework License (BSD)
    Rank: Normal

Provided by:
hdm 

Basic options:
Name       Current Setting      Required  Description
----       ---------------      --------  -----------
BATCHSIZE    256                  yes       The number of hosts to probe in each set
CHOST                             no        The local client address
RHOSTS       time.euro.apple.com  yes       The target address range or CIDR identifier
RPORT        123                  yes       The target port
THREADS      1                    yes       The number of concurrent threads

Description:
Obtain the list of recent clients from an NTP server

msf auxiliary(ntp_monlist) >

And when you run the module, it looks a bit like this:

msf auxiliary(ntp_monlist) > run

[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) > 

Other neat shiz...

Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.

http://www.sensepost.com/blog/4552.html

Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program e.g. 'ntpdc target.ntp.server'. Some of these commands include:

  • listpeers - List the peers (NTP servers) for the time server
  • showpeer - Give time keeping info about a specific peer time server
  • peers - List peers and some basic time keeping info
  • sysstats - Info regarding ntp daemon itself

$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24 
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126, 
refid=17.72.133.54, reftime=cf648929.538400d4  Mon, Apr  5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c  Mon, Apr  5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0 
$ ntpdc -c peers time.euro.apple.com
remote           local      st poll reach  delay   offset    disp
=======================================================================
*time1.euro.appl 17.72.255.11     1  128  377 0.00069  0.000155 0.07887
=time2.euro.appl 17.72.255.11     1  128  377 0.00061  0.000177 0.08919
=17.254.0.49     17.72.255.11     1  128  377 0.14996  0.000237 0.06696
=TrueTime.asia.a 17.72.255.11     1  128  377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11     2  128    0 0.17369  0.007904 3.99217
+time4.euro.appl 17.72.255.11     2   32  376 0.00015 -0.000151 0.04303
$ ntpdc -c listpeers time.euro.apple.com
client    time1.euro.apple.com
client    time2.euro.apple.com
client    17.254.0.49
client    TrueTime.asia.apple.com
client    A17-106-100-13.apple.com
sym_active time4.euro.apple.com

Of course if you just want to do the monlist yourself you can...

$ ntpdc -c monlist time.euro.apple.com
remote address          port local address      count m ver code avgint  lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12           5 3 4      0      0       0
static-86-51-114-108.m   316 17.72.255.12          25 3 4      0      0       0
207-38-154-68.c3-0.ave 40311 17.72.255.12           7 3 4      0      0       0
62-177-171-130.dsl.bbe   501 17.72.255.12           1 3 4      0      0       0
bb6a37ee.virtua.com.br   123 17.72.255.12           1 3 4      0      0       0
p4FC7545E.dip.t-dialin   123 17.72.255.12           1 3 4      0      0       0
--SNIP--
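
Seen from the server side, the ntpq and ntpdc queries above are easy to tell apart from ordinary time requests. The following is an added example, not from the original post or from Metasploit: it classifies UDP/123 payloads by NTP mode and names the mode 6/7 request being made. The function names and sample packets are constructed for illustration; the request codes are the ones defined in ntpd's ntp_request.h and ntp_control.h.

```python
# Added example: classify UDP/123 payloads seen at an NTP server.
# Codes are from ntpd's ntp_request.h (mode 7) and ntp_control.h (mode 6).
from collections import defaultdict

MODE7_REQUESTS = {0: "listpeers", 1: "peers", 2: "showpeer",
                  5: "sysstats", 20: "monlist", 42: "monlist"}
MODE6_OPCODES = {1: "readstat", 2: "readvar"}

def classify(payload: bytes):
    """Return (kind, detail) for a single UDP/123 payload."""
    if len(payload) < 4:
        return ("malformed", "shorter than any NTP header")
    mode = payload[0] & 0x07            # low 3 bits of byte 0 in every NTP mode
    if mode == 7:                       # ntpdc "private" protocol
        if payload[0] & 0x80:           # response bit set: not a query
            return ("private-response", "")
        code = payload[3]               # request code (byte 2 is the implementation)
        return ("private-query", MODE7_REQUESTS.get(code, f"code {code}"))
    if mode == 6:                       # ntpq control protocol
        if payload[1] & 0x80:           # response bit set: not a query
            return ("control-response", "")
        op = payload[1] & 0x1F          # opcode is the low 5 bits of byte 1
        return ("control-query", MODE6_OPCODES.get(op, f"opcode {op}"))
    return ("time", f"mode {mode}")     # ordinary timekeeping traffic

def query_sources(packets):
    """Map source address -> sorted list of ntpq/ntpdc requests it sent."""
    seen = defaultdict(set)
    for src, payload in packets:
        kind, detail = classify(payload)
        if kind in ("private-query", "control-query"):
            seen[src].add(detail)
    return {src: sorted(reqs) for src, reqs in seen.items()}

# Constructed sample traffic: documentation addresses, zero-padded headers.
SAMPLE = [
    ("192.0.2.10", bytes([0x23]) + bytes(47)),                     # client time request
    ("198.51.100.7", bytes([0x16, 0x02]) + bytes(10)),             # ntpq -c readvar
    ("198.51.100.7", bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)),  # ntpdc -c monlist
    ("198.51.100.7", bytes([0x17, 0x00, 0x03, 0x01]) + bytes(4)),  # ntpdc -c peers
    ("203.0.113.5", bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(4)),   # a mode 7 response
]

if __name__ == "__main__":
    for src, reqs in query_sources(SAMPLE).items():
        print(src, "sent:", ", ".join(reqs))
```

A source that shows up here with several different requests in a short window is enumerating the server rather than syncing time from it.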

Still Interested?
http://www.ntp.org/documentation.html
