Understanding and Exploiting Network Time Protocol

NTP is one of the longest-running, continuously operating distributed applications on the Internet. Its objective is simple: to allow a client to synchronize its clock with UTC (Coordinated Universal Time, the standard time scale used by most nations), and to do so with a high degree of accuracy and a high degree of stability.

NTP (currently version 4) is a combination of three things: first, a software program (daemon) that runs in the background on Windows and UNIX systems; second, a protocol that exchanges time values between servers and clients; and finally, a suite of algorithms that process those time values to advance or retard the system clock.

The term NTP applies both to the protocol and to the client-server programs that run on computers. NTP runs within the TCP/IP suite over User Datagram Protocol (UDP) port 123. NTP servers are ordinarily dedicated NTP devices that use a single time reference to which they synchronize a network.

How NTP works

NTP timestamps are 64-bit values counting seconds since January 1, 1900: 32 bits for the whole seconds and 32 bits for the fraction of a second.

Let's try to understand how the synchronization works. Four timestamps are involved: the client sends its request at time A (by its own clock); the server receives it at time X and sends its reply at time Y (both by the server's clock); the client receives the reply at time B (by its own clock).

Note: NTP assumes that the time spent on the network is the same for sending and receiving.

The total round-trip time from sending the request to receiving the reply is B-A seconds. Subtracting the time the server spent processing the request (Y-X) leaves only the network traversal time, B-A-(Y-X). Since the network traversal time is assumed to be symmetric, the reply took [B-A-(Y-X)]/2 seconds to travel from the server to the client. The server sent its reply at time Y, so when the reply arrives the server's clock reads Y + [B-A-(Y-X)]/2 while the client's clock reads B; the difference between the two is the offset the client must apply to its clock, which simplifies to [(X-A)+(Y-B)]/2.

And that, in essence, is how NTP works.


In a proper deployment, the client runs as a daemon, continuously. Over a long period with many samples, NTP can determine whether the computer's clock runs slow or fast and adjust its rate accordingly, allowing it to keep reasonably good time even if it is later disconnected from the network.
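As an added example (not part of the original post), the following Python encodes the 64-bit timestamp format described above, builds a mode 3 client request and a mode 4 server reply, and applies the four-timestamp calculation. The server reply and all clock readings in demo() are constructed for the demonstration (the 2.0 s skew, 0.05 s one-way delay and 0.01 s server processing time are made up); the offset line is the algebraic simplification of the "Y plus half the network time, minus B" reasoning above.

```python
import struct

# Seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then the reference, originate, receive and transmit timestamps (64 bits each).
NTP_PACKET = struct.Struct("!BBbbII4sQQQQ")
ORIGINATE, RECEIVE, TRANSMIT = 8, 9, 10      # field indexes of the three timestamps that matter


def to_ntp(unix_seconds):
    """Unix time -> 64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time as a float."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(send_time):
    """Mode 3 (client) request: first byte 0x23 = LI 0, version 4, mode 3. Only the transmit stamp is set."""
    return NTP_PACKET.pack(0x23, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp(send_time))


def build_server_reply(request, recv_time, send_time):
    """Constructed mode 4 (server) reply for the demo: echoes the client's transmit stamp as
    'originate' and stamps receive/transmit from the server clock (stratum and refid made up)."""
    client_xmit = NTP_PACKET.unpack(request)[TRANSMIT]
    return NTP_PACKET.pack(0x24, 2, 6, -20, 0, 0, b"GPS\0",
                           to_ntp(recv_time - 60), client_xmit, to_ntp(recv_time), to_ntp(send_time))


def clock_offset_and_delay(request, reply, arrival_time):
    """A = client send, X = server receive, Y = server send, B = client receive (client clock)."""
    req, rep = NTP_PACKET.unpack(request), NTP_PACKET.unpack(reply)
    if (rep[0] & 0x07) != 4:
        raise ValueError("not a mode 4 (server) reply")
    if rep[ORIGINATE] != req[TRANSMIT]:
        # Real clients discard replies whose originate stamp does not echo their own transmit
        # stamp: it is the only thing tying a reply to a request and defeats blind spoofed replies.
        raise ValueError("originate timestamp does not match our request")
    A, B = from_ntp(req[TRANSMIT]), arrival_time
    X, Y = from_ntp(rep[RECEIVE]), from_ntp(rep[TRANSMIT])
    delay = (B - A) - (Y - X)                 # time on the wire, both directions
    # Server clock at arrival is Y + delay/2; subtracting the client's reading B gives the
    # offset, which simplifies to the symmetric form below.
    offset = ((X - A) + (Y - B)) / 2
    return offset, delay


def demo():
    # Constructed scenario (not a capture): the client clock runs 2.0 s slow, the network takes
    # 0.05 s each way and the server spends 0.01 s on the request.
    request = build_client_request(1000.00)                                   # A, client clock
    reply = build_server_reply(request, recv_time=1002.05, send_time=1002.06)  # X, Y, server clock
    return clock_offset_and_delay(request, reply, arrival_time=1000.11)        # B, client clock
```

The originate-stamp check is the one piece of this that matters for security: without it, anyone who can guess the client's request cadence can inject a reply that steps the clock.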

Enumeration

Through NTP enumeration you can gather information such as the list of hosts connected to the NTP server, their IP addresses, system names, and the OS running on the client systems in a network. All of this information can be obtained by querying the NTP server.

NMAP Scripts
  • ntp-info.nse
           Gets the time and configuration variables from an NTP server.

Example:
nmap -sU -p 123 --script ntp-info <target>


Against the first host, ntp-info returned only the remote system's timestamp; against the second it returned a great deal more, including the kernel version and the ntpd version.
As expected, a misconfigured NTP server reveals version and system details, among other information, which can be used to search for exploits against the vulnerable host.
  • ntp-monlist
          It obtains and prints an NTP Server's monitor data. 

Example:
nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
The same check is available as a Metasploit auxiliary module, covered in the next section.
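What ntp-info actually does on the wire, as an added example that is not the nmap script's own code: it sends a mode 6 READVAR control request for the system variables (association ID 0) and parses the "name=value" list in the reply, where the version, system and processor variables give away the ntpd build, the kernel and the architecture. The reply fragments in demo() are constructed (the version string is the one disclosed on this page; the kernel, processor and remaining values are made up); query_system_variables() is the equivalent live probe and is not exercised offline.

```python
import socket
import struct

# 12-byte NTP mode 6 control header (RFC 1305 Appendix B): LI/VN/mode, R|E|M|opcode,
# sequence, status, association ID, data offset, data count. Data follows, padded to 4 bytes.
CTL_HEADER = struct.Struct("!BBHHHHH")
CTL_OP_READVAR = 2                       # "read variables"; association ID 0 = system variables
RESP, ERR, MORE = 0x80, 0x40, 0x20       # response, error and more-fragments bits of byte 1


def build_readvar_request(seq=1):
    """The probe ntp-info sends: LI 0, version 2, mode 6 (0x16), opcode READVAR, no data."""
    return CTL_HEADER.pack(0x16, CTL_OP_READVAR, seq, 0, 0, 0, 0)


def build_readvar_reply(payload, seq=1, offset=0, more=False):
    """Constructed server reply fragment for the demo (not a capture)."""
    flags = RESP | CTL_OP_READVAR | (MORE if more else 0)
    body = payload + b"\0" * (-len(payload) % 4)       # ntpd pads data to a 4-byte boundary
    return CTL_HEADER.pack(0x16, flags, seq, 0, 0, offset, len(payload)) + body


def parse_reply_fragment(pkt, expect_seq):
    """Validate one reply fragment and return (more_follows, offset, data)."""
    if len(pkt) < CTL_HEADER.size:
        raise ValueError("short packet")
    b0, b1, seq, _status, _assoc, offset, count = CTL_HEADER.unpack_from(pkt)
    if (b0 & 0x07) != 6 or not (b1 & RESP) or (b1 & 0x1F) != CTL_OP_READVAR:
        raise ValueError("not a mode 6 READVAR response")
    if seq != expect_seq:
        raise ValueError("sequence mismatch: reply does not belong to our request")
    if b1 & ERR:
        raise ValueError("server returned an error (mode 6 queries may be restricted)")
    data = pkt[CTL_HEADER.size:CTL_HEADER.size + count]
    if len(data) != count:
        raise ValueError("truncated fragment")
    return bool(b1 & MORE), offset, data


def parse_variable_list(text):
    """Parse ntpd's 'name=value, name="value, with comma"' list into a dict (quotes stripped)."""
    result, key, buf, quoted = {}, None, [], False
    for ch in text + ",":                              # trailing comma flushes the last item
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf).strip(), []
        elif ch == "," and not quoted:
            value = "".join(buf).strip()
            if key is not None:
                result[key] = value
            elif value:
                result[value] = ""                     # bare name with no value
            key, buf = None, []
        else:
            buf.append(ch)
    return result


def system_variables(fragments, seq=1):
    """Reassemble the fragments of one READVAR reply (ordered by offset) and parse the variables."""
    pieces = {}
    for pkt in fragments:
        _more, offset, data = parse_reply_fragment(pkt, seq)
        pieces[offset] = data
    text = b"".join(pieces[o] for o in sorted(pieces)).decode("ascii", "replace")
    return parse_variable_list(text)


def query_system_variables(host, timeout=2.0):
    """Live probe of a real server (not run by the demo): collect fragments until MORE clears."""
    frags = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readvar_request(seq=1), (host, 123))
        while True:
            pkt, _ = s.recvfrom(1024)
            frags.append(pkt)
            if not parse_reply_fragment(pkt, 1)[0]:
                break
    return system_variables(frags)


def demo():
    # Constructed reply split into two fragments, as a long ntpd answer would be. The version
    # string is the one disclosed on this page; every other value is made up for the example.
    payload = (b'version="ntpd 4.2.4p4@1.1520-o Fri Mar  7 20:24:07 UTC 2008 (1)", '
               b'processor="i686", system="Linux/2.6.24-16-server", leap=0, stratum=2, '
               b'precision=-20, rootdelay=12.345, refid=10.0.0.1')
    cut = 70
    frags = [build_readvar_reply(payload[:cut], offset=0, more=True),
             build_readvar_reply(payload[cut:], offset=cut)]
    v = system_variables(frags)
    return {k: v.get(k) for k in ("version", "system", "processor", "stratum")}
```

The sequence-number check matters because mode 6 replies are unauthenticated UDP: a scanner that accepts any response with the R bit set can be fed fake "version" strings. The fix on the server side is the usual one, `restrict default noquery` (or `kod nomodify notrap nopeer noquery`) in ntp.conf, which makes the probe time out instead of answering.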

Metasploit Auxiliary Module
  • NTP Monitor List Scanner
This module identifies NTP servers that permit the above-mentioned "monlist" queries and retrieves the list of recent clients. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests; the more clients in the list, the higher the amplification.

auxiliary/scanner/ntp/ntp_monlist



Running the module against the test server showed it to be vulnerable to a DoS (amplification) attack through its handling of mode 7 requests. Besides this, there are various other Metasploit modules worth exploring for a thorough information-gathering process.
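The monlist probe itself, as an added example (not code from nmap or Metasploit): the 8-byte mode 7 MON_GETLIST_1 request both tools send, a parser for the 72-byte monitor entries that come back six per packet, and the bytes-out/bytes-in ratio that makes "the more clients, the higher the amplification" concrete. The replies in demo() are constructed (eight made-up clients in 10.0.0.0/24); monlist() is the equivalent live probe and is not run by the demo.

```python
import socket
import struct

# Mode 7 "private" header (ntpd's ntp_request.h): R|M|VN|mode, auth|seq, implementation,
# request code, err|nitems, mbz|itemsize. The classic monlist probe is this header alone.
PRIV_HEADER = struct.Struct("!BBBBHH")
IMPL_XNTPD, REQ_MON_GETLIST_1 = 3, 42
MONLIST_PROBE = PRIV_HEADER.pack(0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)  # 0x17: VN 2, mode 7
# One info_monitor_1 entry: lasttime, firsttime, restr, count, addr, daddr, flags, port, mode,
# version, v6_flag, unused, addr6, daddr6 -> 72 bytes, six entries per 440-byte reply packet.
MON_ENTRY = struct.Struct("!IIIIIIIHBBII16s16s")


def parse_monlist_reply(pkt):
    """Parse one reply packet into (more_follows, [(client_ip, packet_count, mode, version), ...])."""
    if len(pkt) < PRIV_HEADER.size:
        raise ValueError("short packet")
    rm_vn_mode, _auth_seq, impl, req, err_nitems, mbz_size = PRIV_HEADER.unpack_from(pkt)
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80):
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("reply is for a different request")
    err, nitems, size = err_nitems >> 12, err_nitems & 0x0FFF, mbz_size & 0x0FFF
    if err:
        # A non-zero error code means the server refused or has no data: no amplification here.
        raise ValueError(f"server returned error code {err}")
    if size != MON_ENTRY.size or len(pkt) < PRIV_HEADER.size + nitems * size:
        raise ValueError("unexpected item size or truncated packet")
    entries = []
    for i in range(nitems):
        f = MON_ENTRY.unpack_from(pkt, PRIV_HEADER.size + i * size)
        _last, _first, _restr, count, addr, _daddr, _flags, _port, mode, version, v6, _u, addr6, _d6 = f
        ip = socket.inet_ntop(socket.AF_INET6, addr6) if v6 else socket.inet_ntoa(struct.pack("!I", addr))
        entries.append((ip, count, mode, version))
    return bool(rm_vn_mode & 0x40), entries


def build_monlist_reply(clients, more=False):
    """Constructed reply for the demo (not a capture): one entry per (ip, packet_count) client."""
    body = b"".join(
        MON_ENTRY.pack(5, 3600, 0, count, struct.unpack("!I", socket.inet_aton(ip))[0],
                       0, 0, 123, 3, 4, 0, 0, b"\0" * 16, b"\0" * 16)
        for ip, count in clients)
    flags = 0x97 | (0x40 if more else 0)               # R=1, VN 2, mode 7 (+ M when more follow)
    return PRIV_HEADER.pack(flags, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, len(clients), MON_ENTRY.size) + body


def monlist(host, timeout=2.0):
    """Live probe of a real server (not run by the demo): send the probe, collect every reply packet."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_PROBE, (host, 123))
        while True:
            try:
                pkt, _ = s.recvfrom(2048)
            except socket.timeout:
                break
            replies.append(pkt)
            if not parse_monlist_reply(pkt)[0]:
                break
    return replies


def summarize(replies):
    """Client list plus the bytes-out / bytes-in amplification factor of the probe."""
    clients = []
    for pkt in replies:
        clients.extend(ip for ip, _count, _mode, _ver in parse_monlist_reply(pkt)[1])
    return clients, sum(len(p) for p in replies) / len(MONLIST_PROBE)


def demo():
    # Constructed scenario: a server whose monitor list holds eight recent clients (six per packet).
    clients = [(f"10.0.0.{i}", 100 * i) for i in range(1, 9)]
    replies = [build_monlist_reply(clients[:6], more=True), build_monlist_reply(clients[6:])]
    return summarize(replies)
```

Eight clients already give a 74x byte amplification from an 8-byte spoofed request; a busy server with a full 600-entry list answers in 100 packets. Because the request is UDP with no handshake, the server cannot tell that the source address is the victim's, which is why the only real fix is `disable monitor` (or `restrict default noquery`) on the server, or upgrading to an ntpd that no longer answers MON_GETLIST_1.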

Network Time Protocol Daemon (ntpd)

The ntpd program is an operating system daemon which sets and maintains the system time of day in synchronism with Internet standard time servers. It is a complete implementation of the Network Time Protocol (NTP) version 4 but also retains compatibility with version 3. Its companion utility ntpdc queries the daemon using mode 7 (private) requests, the same mode that carries monlist; it is deprecated in current ntpd releases in favour of ntpq.
Syntax: ntpdc [-ilnps] [-c command] [hostname/IP_address]



Available commands (abridged)

listpeers: Obtains and prints a brief list of the peers.
peers: Obtains a list of peers for which the server is maintaining state.
sysinfo: Prints a variety of system state variables.
reslist: Obtains and prints the server's restriction list.
monlist [version]: Obtains and prints traffic counts collected and maintained by the monitor facility.
Other tools that can be used:

ntpq

The ntpq utility program is used to query NTP servers which implement the recommended NTP mode 6 control message format about the current state and to request changes in that state.

Syntax
ntpq [-inp] [-c command] [host] [...]

ntptrace

ntptrace is a Perl script that uses the ntpq utility program to follow the chain of NTP servers from a given host back to the primary time source. For ntptrace to work correctly, each of these servers must implement the NTP Control and Monitoring Protocol specified in RFC 1305 and accept NTP mode 6 packets.
Synopsis
ntptrace [ -n ] [ -m maxhosts ] [ server ]

Exploitation

Once the enumeration phase is complete, it’s time to gather up all the information and exploit the vulnerable components.

  • In the vulnerable machine considered in the above examples, the NTP version disclosed was: ntpd 4.2.4p4@1.1520-o Fri Mar  7 20:24:07 UTC 2008 (1)

  • Also, the NTP Monlist Scanner Metasploit module showed the given machine to be vulnerable to a particular DOS attack (CVE-2013-5211).

Searching on this information, I chose the following two exploits that could be used to compromise the machine, among many relevant ones.
https://www.exploit-db.com/exploits/44909/
https://www.exploit-db.com/exploits/33073/  

The exploitation itself is not covered in this post, but the information-gathering methods discussed are an excellent start for enumerating a misconfigured NTP service and exploring how to exploit it.
