# NTP - Port 123/UDP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
  {% endtab %}
  {% endtabs %}

## Basic info

The **Network Time Protocol (NTP)** is a critical component of modern computing, ensuring accurate time synchronization across networked devices. Accurate timekeeping is essential for various IT functions, including system logs, security mechanisms, scheduling, and distributed systems.

### **How NTP Works**

NTP operates on a client-server model:

1. **Time Sources (Stratum Levels):**
   * **Stratum 0:** High-precision timekeeping devices (e.g., atomic clocks, GPS receivers).
   * **Stratum 1:** Servers directly connected to Stratum 0 devices.
   * **Stratum 2+:** Clients synchronized to higher strata.
2. **Time Synchronization Process:**
   * Devices communicate with NTP servers using UDP on port 123.
   * NTP calculates time offsets and round-trip delays to adjust the local clock.
3. **Clock Hierarchy:**
   * Stratum levels prevent looping dependencies and ensure reliability.

### **Why Accurate Timekeeping Matters**

1. **Event Correlation:** Logs from different systems must have consistent timestamps for effective troubleshooting and forensic analysis.
2. **Security Mechanisms:**
   * Authentication protocols like Kerberos require synchronized clocks to prevent replay attacks.
   * Digital certificates rely on valid timeframes for their operation.
3. **Distributed Systems:** Coordinated tasks and transactions depend on precise timekeeping to avoid conflicts.

**Default port:** 123/udp

```
PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response
```

## **Enumeration Techniques**

**Querying NTP Servers**

NTP servers support various commands that provide detailed information. Tools like `ntpq` and `ntpdc` allow querying the server.

```bash
ntpq -p <target-ip>
```

Retrieves a list of clients connected to the server:

```bash
ntpdc -c monlist <target-ip>
```

**`Nmap:`**

```bash
nmap -sU -p 123 --script=ntp-info <target-ip>
nmap -sU -p 123 --script=ntp-monlist <target-ip>
```

**Exploiting the `monlist` Command**

The `monlist` command, available on older NTP servers, lists up to 600 recent clients.&#x20;

```bash
ntpq -c rv <target-ip>
```

**`Chrony:`**

For environments using Chrony as an NTP daemon, enumeration requires specific tools or commands:

```bash
chronyc sources
```

**Metasploit Framework:**

```
use auxiliary/scanner/ntp/ntp_monlist
```

## **Files**

he `ntp.conf` file is the primary configuration file for NTP (Network Time Protocol) servers and clients. It governs how an NTP service operates, defines server associations, and sets access restrictions. Misconfigured `ntp.conf` files can expose systems to risks such as unauthorized access, information leakage, or exploitation in DDoS amplification attacks.

#### **Default Locations for `ntp.conf`**

1. **Linux (Most Distributions)**
   * Common path:

     ```bash
     /etc/ntp.conf
     /etc/inet/ntp.conf
     /etc/xntp.conf
     ```
2. **Windows**
   * For NTP services like `w32time`, configuration is done via the registry:

     ```sql
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
     ```
3. **macOS**
   * Usually found at:

     ```bash
     /etc/ntp.conf
     ```

#### **Finding the Configuration File**

1. **Linux:**

   ```bash
   find /etc -name ntp.conf
   ```
2. **macOS or Unix:**

   ```bash
   locate ntp.conf
   ```
3. **Verify Running NTP Process (Linux):**

   ```bash
   ps -ef | grep ntpd
   ```

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com/)

<details>

<summary>Support VeryLazyTech 🎉</summary>

Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚

</details>
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.verylazytech.com/network-pentesting/ntp-port-123-udp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.