How can I enumerate NTP servers and their configurations using command-line tools?

0 votes
I want to gather information on Network Time Protocol (NTP) servers within a network and check their configurations for security purposes. Are there specific command-line tools or methods to enumerate NTP servers and assess their settings?

If there are standard commands or utilities that work well for this type of analysis, I’d like some guidance on how to use them effectively.
Nov 6 in Cyber Security & Ethical Hacking by Anupam
• 6,890 points
50 views

1 answer to this question.

0 votes

Improperly configured NTP servers can be used for a variety of attacks, such as time-based attacks or NTP amplification. Counting NTP servers and evaluating their configurations is a crucial element in network security audits. Thankfully, there are a number of tools and techniques available for learning about NTP servers and their configurations.

Tools and Commands for Enumerating NTP Servers

1. Nmap

Nmap is one of the most widely used tools for network enumeration and can be used to discover NTP servers and extract configuration details.

Nmap NTP-related Scripts:

Nmap has several NTP NSE scripts that can be used to gather detailed information from NTP servers.

Discover NTP servers: To scan a range of IP addresses and find NTP servers (default NTP port is 123), run:

nmap -sU -p 123 --open <target-IP-range>

NTP Version and Configuration Info: You can use the ntp-info script to query for NTP configuration details like the NTP version, peer information, and more.

nmap -sU -p 123 --script=ntp-info <target-IP>

Example output includes:

  • NTP version
  • Reference time
  • Poll interval
  • Number of peers
  • Offset/Delay information

NTP Monlist Query: This script checks for the monlist command, which, if enabled on the server, can provide a list of recent clients that queried the server.

nmap -sU -p 123 --script=ntp-monlist <target-IP>

Warning: Enabling monlist on NTP servers is a security vulnerability and can be used for amplification attacks.

2. ntpq (NTP Query Tool)

The ntpq command is a standard utility for querying NTP servers for configuration and status information. It provides a lot of detailed information regarding NTP server operations.

Query NTP Server Status:

ntpq -p <target-IP>

This will provide information about the NTP peers, including:

  • Hostname or IP of peers
  • Offset (time difference)
  • Jitter
  • Reachability
  • Stratum level

Get Detailed NTP Server Configuration:

ntpq -c "rv 0" <target-IP>

This command retrieves detailed internal information about the NTP server configuration, such as:

  • Reference clock
  • Polling intervals
  • Synchronization status
  • Stratum and offset details

3. ntpdc (NTP Control Utility)

ntpdc is a tool similar to ntpq but more focused on querying the NTP daemon's status and configuration directly.

ntpdc -c "sysinfo" <target-IP>

This command provides basic server status information like:

  • Version number
  • Stratum
  • Reachability
  • Precision
  • Time reference

4. chrony (for Chrony NTP Servers)

If the NTP server is running Chrony instead of the traditional NTP daemon (ntpd), you can use the chronyc tool to query its status.

Query the status of Chrony NTP server:

chronyc -h <target-IP> tracking

This shows synchronization status, including time offset, stratum, and more.

Query Chrony server sources:

chronyc -h <target-IP> sources

This command shows the list of NTP servers that Chrony is using as time sources.

5. sntp (Simple NTP)

For basic time synchronization and querying, sntp can be used to check the time from an NTP server.

sntp <target-IP>

This will return the current time from the specified NTP server.

answered Nov 19 by CaLLmeDaDDY
• 9,600 points
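
An added example, not part of the original answer: a small Python parser that turns the output of the `ntpq -c "rv 0" <target-IP>` command above into audit findings for a server you administer. The function names, the `MAX_OFFSET_MS` threshold and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed sample of `ntpq -c "rv 0" <host>` output, not from a real server.
SAMPLE_RV = '''associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart,
version="ntpd 4.2.6p5@1.2349-o (constructed)", processor="x86_64",
system="Linux/3.10.0", leap=11, stratum=16, precision=-23,
rootdelay=0.000, rootdisp=0.000, refid=INIT, offset=0.000
'''

MAX_OFFSET_MS = 100.0  # assumed audit threshold; ntpq reports offset in ms

# name=value pairs: the value is either "quoted" (may hold spaces) or bare.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_rv(text):
    """Return the variables in ntpq 'rv' output as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(text)}


def audit_rv(text):
    """Return a list of findings for one server's 'rv 0' output."""
    v = parse_rv(text)
    if not v:
        return ["no variables returned: query refused, timed out, or not ntpd"]
    findings = []
    # A populated reply means the server answers remote control queries.
    disclosed = [k for k in ("version", "system", "processor") if k in v]
    if disclosed:
        findings.append("remote query discloses: " + ", ".join(disclosed))
    if v.get("stratum") == "16":
        findings.append("stratum 16: server is not synchronized")
    if v.get("leap") == "11":
        findings.append("leap=11: alarm condition, clock not synchronized")
    try:
        offset = float(v.get("offset", "0"))
    except ValueError:
        offset = 0.0
    if abs(offset) > MAX_OFFSET_MS:
        findings.append("offset %.1f ms exceeds %.0f ms" % (offset, MAX_OFFSET_MS))
    return findings


if __name__ == "__main__":
    for line in audit_rv(SAMPLE_RV):
        print(line)
```

On ntpd, a `restrict default noquery` line in ntp.conf stops remote hosts from reading these variables, which clears the disclosure finding.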
