Hacktricks-skills ntp-pentest

Pentest NTP (Network Time Protocol) services on port 123/UDP and 4460/TCP. Use this skill whenever you need to enumerate NTP servers, check for monlist vulnerabilities, assess NTS security, or harden NTP configurations. Trigger this for any NTP assessment, time-sync security review, or when you see port 123/UDP open in a scan.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-ntp/SKILL.MD

Source content

NTP Pentesting Skill

This skill guides you through assessing Network Time Protocol (NTP) services for security vulnerabilities. NTP is critical infrastructure: compromised time sync can bypass authentication, break cryptographic protocols, and obscure forensic trails.

When to Use This Skill

  • Port 123/UDP is open in your scan results
  • You need to enumerate NTP or chrony services
  • You're assessing time synchronization security
  • You found NTS-KE on port 4460/tcp
  • You need hardening recommendations for NTP infrastructure

Quick Start

# Basic NTP discovery
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <TARGET_IP>

# Check for dangerous monlist
nmap -sU -p123 --script ntp-monlist <TARGET_IP>

Phase 1: Service Enumeration

Identify the NTP Implementation

First, determine which NTP daemon is running:

# ntpd (classic)
ntpq -c rv <IP>
ntpq -c readvar <IP>
ntpq -c peers <IP>
ntpq -c associations <IP>

# chrony (modern Linux)
chronyc -a -n tracking -h <IP>
chronyc -a -n sources -v -h <IP>
chronyc -a -n sourcestats -h <IP>

# Legacy mode-7 (often disabled in ntpd >=4.2.8p9)
ntpdc -c monlist <IP>
ntpdc -c listpeers <IP>
ntpdc -c sysinfo <IP>

What to look for:

  • Stratum level (1 = authoritative, higher = downstream)
  • Number of peers configured
  • Whether remote queries are allowed
  • Version string (check against CVE list below)

Nmap Reconnaissance

# Safe discovery and vulnerability detection
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>

# Explicit monlist check (amplification risk)
nmap -sU -p123 --script ntp-monlist <IP>

# NTS-KE TLS channel (port 4460)
nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>

Mass Scanning (if you have many targets)

# zgrab2 for large-scale monlist detection
zgrab2 ntp --monlist --timeout 3 --output-file monlist.json -f "zmap_results.csv"

Phase 2: Vulnerability Assessment

Check for CVE-2023-26551 to 26555 (ntpd 4.2.8p15)

These are out-of-bounds write vulnerabilities in libntp reachable via ntpq responses.

Affected: ntp 4.2.8p15 and earlier
Fix: Upgrade to 4.2.8p16 or later

# Check version
ntpq -c rv <IP> | grep -i version

# If version is 4.2.8p15 or earlier, flag as vulnerable

Check for CVE-2023-33192 (ntpd-rs NTS DoS)

Malformed NTS cookies cause remote DoS even when NTS is disabled.

Affected: ntpd-rs versions before 0.3.3
Impact: Port 123 DoS even with NTS disabled

Check for monlist Amplification Risk

The monlist command returns up to 600 host addresses (~200x amplification factor).

# Test if monlist is enabled
ntpdc -c monlist <IP>

# Or with nmap
nmap -sU -p123 --script ntp-monlist <IP>

If monlist returns data:

  • This is a DDoS amplification risk
  • Recommend immediate disable via disable monitor in ntp.conf
  • Rate-limit UDP/123 at the network edge

NTS-KE Security Assessment (Port 4460/tcp)

# TLS reconnaissance
nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>

# Manual TLS inspection
openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof

Check for:

  • Self-signed or expired certificates
  • Weak cipher suites (non-AEAD)
  • TLS version < 1.3
  • Certificate validity and chain

Phase 3: Configuration Review

If you have access to configuration files, review these:

ntpd Configuration (/etc/ntp.conf)

cat /etc/ntp.conf

Look for:

  • restrict lines - should limit query access
  • kod (Kiss-o'-Death) - should be enabled for rate limiting
  • disable monitor - should be present to disable monlist
  • nts enable - check if NTS is properly configured
  • includefile entries - check for crypto configuration

Good restrict example:

restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

chrony Configuration (/etc/chrony/chrony.conf)

cat /etc/chrony/chrony.conf

Look for:

  • cmdallow - should be restricted to localhost or specific IPs
  • maxdistance / maxjitter - sanity filters for time-shift attacks
  • nts directives - NTS configuration

systemd-timesyncd (/etc/systemd/timesyncd.conf)

cat /etc/systemd/timesyncd.conf

Note: systemd-timesyncd is a client only; it has no server functionality.
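A small audit script for the ntp.conf and chrony.conf directives listed above, added here as an example (it is not code from the hacktricks-skills repo). It writes constructed sample config fragments to a temp dir and prints one FINDING line per missing hardening item; the checked flag set and the loopback-only cmdallow rule are taken from this page.

```shell
#!/bin/sh
# Constructed sample configs (not from any real host), written to a temp dir.
tmp=$(mktemp -d)
cat > "$tmp/ntp-weak.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap   # no kod/noquery/nopeer, monlist still answerable
EOF
cat > "$tmp/ntp-hardened.conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
EOF
cat > "$tmp/chrony-weak.conf" <<'EOF'
pool pool.ntp.org iburst
cmdallow all
EOF

# Strip comments and blank lines so directives can be matched line by line.
conf_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# audit_ntpd_conf FILE: one FINDING line per missing ntp.conf hardening item.
audit_ntpd_conf() {
  def=$(conf_lines "$1" | grep -E '^[[:space:]]*restrict[[:space:]]+default' || true)
  if [ -z "$def" ]; then
    echo "FINDING: no 'restrict default' line - remote queries are unrestricted"
  else
    for flag in kod noquery nomodify notrap nopeer; do
      echo "$def" | grep -qw "$flag" || echo "FINDING: restrict default lacks '$flag'"
    done
  fi
  conf_lines "$1" | grep -qE '^[[:space:]]*disable[[:space:]]+monitor' \
    || echo "FINDING: 'disable monitor' absent - monlist may be answerable"
  return 0
}

# audit_chrony_conf FILE: cmdallow must be absent or loopback-only.
audit_chrony_conf() {
  conf_lines "$1" | grep -E '^[[:space:]]*cmdallow' | while read -r _kw arg; do
    case "$arg" in
      ""|all) echo "FINDING: cmdallow without an address exposes chronyc control to everyone" ;;
      127.0.0.1|::1|localhost) ;;
      *) echo "FINDING: cmdallow '$arg' allows remote chronyc control" ;;
    esac
  done
  return 0
}

audit_ntpd_conf "$tmp/ntp-weak.conf"
audit_chrony_conf "$tmp/chrony-weak.conf"
```

Point the two functions at the real /etc/ntp.conf or /etc/chrony/chrony.conf when you have file access.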


Phase 4: Attack Testing (Authorized Only)

Time-Shift Attack Detection

On-path attackers can silently shift client clocks by dropping/delaying packets.

Detection:

  • Monitor for step adjustments > 1000 seconds in daemon logs
  • Check for panic events in NTP logs
  • Use Khronos-style sanity checking (query diverse servers)

Modern chrony (4.4+) already implements:

  • maxdistance - maximum acceptable time difference
  • maxjitter - maximum acceptable jitter

NTP Amplification Testing

DO NOT perform amplification attacks against unauthorized targets. This is illegal and harmful.

Instead, document the risk:

Risk: NTP amplification attack vector
Impact: DDoS amplification factor up to 200x
Mitigation: Disable monlist, rate-limit UDP/123, enable BCP 38

Phase 5: Hardening Recommendations

Immediate Actions

  1. Disable monlist (if ntpd):
     disable monitor
  2. Enable rate limiting:
     restrict default kod nomodify notrap nopeer noquery
  3. Upgrade ntpd to 4.2.8p16+ if running a vulnerable version
  4. Restrict chrony cmdallow to localhost only:
     cmdallow 127.0.0.1

Best Practices (BCP-233 / RFC 8633)

  1. Use ≥4 independent time sources (public pools, GPS, PTP-bridges)
  2. Enable NTS (Network Time Security) for authenticated time sync
  3. Monitor logs for panic events or step adjustments > 1000s
  4. Consider leap-smear to avoid leap-second outages
  5. Keep polling ≤24 hours so leap-second flags aren't missed
  6. Enable BCP 38 egress filtering to block source spoofing

NTS Configuration

# Check NTS status
chronyc -a -n tracking -h <IP>

# NTS-KE port should be 4460/tcp
nmap -sV -p 4460 <IP>

Reporting Template

## NTP Security Assessment

### Service Details
- Port: 123/UDP (NTP), 4460/TCP (NTS-KE if enabled)
- Daemon: [ntpd/chrony/timesyncd]
- Version: [version string]
- Stratum: [stratum level]

### Vulnerabilities Found
- [ ] CVE-2023-26551-26555 (ntpd OOB write) - [Status]
- [ ] CVE-2023-33192 (ntpd-rs NTS DoS) - [Status]
- [ ] monlist enabled (amplification risk) - [Status]
- [ ] Weak NTS TLS configuration - [Status]

### Configuration Issues
- [ ] Missing restrict directives
- [ ] cmdallow too permissive
- [ ] No NTS enabled
- [ ] Single time source

### Recommendations
1. [Priority 1 item]
2. [Priority 2 item]
3. [Priority 3 item]

Useful Tools Reference

Tool      Purpose                  Command
ntpq      ntpd query tool          ntpq -c rv <IP>
ntpdc     ntpd control (legacy)    ntpdc -c monlist <IP>
chronyc   chrony query tool        chronyc -a -n sources -h <IP>
nmap      Service discovery        See Phase 1
zgrab2    Mass scanning            zgrab2 ntp --monlist
openssl   TLS inspection           openssl s_client -connect <IP>:4460

Shodan/Censys Dorks (for reconnaissance)

port:123 "ntpd"          # Version banner
udp port:123 monlist:true # Censys tag for vulnerable servers
port:4460 "ntske"         # NTS-KE exposure

References

  • RFC 8915 – Network Time Security for NTP (port 4460)
  • RFC 8633 – NTP Best Current Practice
  • CVE-2023-26551 to 26555 – ntpd OOB write vulnerabilities
  • CVE-2023-33192 – ntpd-rs NTS DoS
  • Cloudflare DDoS Report 2024 Q4 (5.6 Tbps NTP amplification)
  • Khronos/Chronos draft – Time-shift mitigation

Safety Notes

  • Only test NTP services you have authorization to assess
  • Do not perform amplification attacks - they are illegal and harmful
  • monlist queries can trigger rate limiting - use responsibly
  • Time-shift attacks can break systems - only test in controlled environments
  • Document all findings - NTP is critical infrastructure