NTP - Port 123/UDP

Basic info

The Network Time Protocol (NTP) is a critical component of modern computing, ensuring accurate time synchronization across networked devices. Accurate timekeeping is essential for various IT functions, including system logs, security mechanisms, scheduling, and distributed systems.

How NTP Works

NTP operates on a client-server model:

1. Time Sources (Stratum Levels):

   • Stratum 0: High-precision timekeeping devices (e.g., atomic clocks, GPS receivers).

   • Stratum 1: Servers directly connected to Stratum 0 devices.

   • Stratum 2+: Clients synchronized to higher strata.

2. Time Synchronization Process:

   • Devices communicate with NTP servers using UDP on port 123.

   • NTP calculates time offsets and round-trip delays to adjust the local clock.

3. Clock Hierarchy:

   • Stratum levels prevent looping dependencies and ensure reliability.

Why Accurate Timekeeping Matters

1. Event Correlation: Logs from different systems must have consistent timestamps for effective troubleshooting and forensic analysis.

2. Security Mechanisms:

   • Authentication protocols like Kerberos require synchronized clocks to prevent replay attacks.

   • Digital certificates rely on valid timeframes for their operation.

3. Distributed Systems: Coordinated tasks and transactions depend on precise timekeeping to avoid conflicts.

Default port: 123/udp

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response

Enumeration Techniques

Querying NTP Servers

NTP servers support various commands that provide detailed information. Tools like ntpq and ntpdc allow querying the server.

ntpq -p <target-ip>

Retrieves a list of clients connected to the server:

ntpdc -c monlist <target-ip>

Nmap:

nmap -sU -p 123 --script=ntp-info <target-ip>
nmap -sU -p 123 --script=ntp-monlist <target-ip>

Exploiting the monlist Command

The monlist command, available on older NTP servers, lists up to 600 recent clients.

ntpq -c rv <target-ip>

Chrony:

For environments using Chrony as an NTP daemon, enumeration requires specific tools or commands:

chronyc sources

Metasploit Framework:

use auxiliary/scanner/ntp/ntp_monlist

Files

he ntp.conf file is the primary configuration file for NTP (Network Time Protocol) servers and clients. It governs how an NTP service operates, defines server associations, and sets access restrictions. Misconfigured ntp.conf files can expose systems to risks such as unauthorized access, information leakage, or exploitation in DDoS amplification attacks.

Default Locations for ntp.conf

1. Linux (Most Distributions)

   • Common path:

     Copy

     /etc/ntp.conf
     /etc/inet/ntp.conf
     /etc/xntp.conf

2. Windows

   • For NTP services like w32time, configuration is done via the registry:

     Copy

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

3. macOS

   • Usually found at:

     Copy

     /etc/ntp.conf

Finding the Configuration File

1. Linux:

   Copy

   find /etc -name ntp.conf

2. macOS or Unix:

   Copy

   locate ntp.conf

3. Verify Running NTP Process (Linux):

   Copy

   ps -ef | grep ntpd