0) What is NTP?
NTP (Network Time Protocol) synchronizes clocks of computers over packet-switched, variable-latency networks. It normally uses UDP port 123. Accurate time is essential for logging, authentication (Kerberos), certificates, and event correlation. Misconfigured or outdated NTP servers can be abused for amplification DDoS, information disclosure (monlist/peer lists), or time-based attacks.
1) Recon Phase
- Discover UDP/123 on hosts: nmap -sU -p 123 <target> (UDP scanning is slow and "open|filtered" is the usual verdict; a reply to a mode 3 client request is the reliable signal)
- Grab server responses and version: ntpq -c rv <target> returns the version=, system= and processor= variables when the server answers mode 6 control queries
- Use nmap NSE for NTP: nmap -sU -p 123 --script ntp-info,ntp-monlist <target>
- Passive recon: look for hostnames such as ntp, time or clock in DNS A/AAAA records (NTP does not use MX records)
Start with an Nmap UDP scan and the NTP-aware scripts to see whether the server answers control queries (mode 6, used by ntpq) and private-mode queries (mode 7, used by ntpdc). Many modern servers refuse both for non-local clients by default, so a silent target is not necessarily a closed port.
2) Enumeration Phase
- Query NTP peers and status (mode 6 control queries):
ntpq -p <target> # peers, stratum, reach, offset and jitter
ntpq -c rv <target> # runtime variables: version, system, stratum, refid, rootdelay
- Test for legacy monlist (mode 7; disabled by default in current ntpd, never implemented by chrony):
ntpdc -n -c monlist <target>
- Check for open NTP amplifiers (reflection test) and rate-limiting: compare bytes received to bytes sent, and watch for a stratum-0 reply whose refid reads RATE (kiss-o'-death), which means the server is throttling you
- Inspect server stratum, reference ID, and offsets for misconfigurations (stratum 16 = unsynchronized; on stratum >= 2 the refid is the upstream server's IPv4 address)
- Use ntpstat and chronyc on hosts you have a shell on to check their local sync state (neither tool queries a remote server)
Look for large peer lists, control or private-mode queries answered for arbitrary source addresses, or internet-exposed servers advertising a stratum that does not match a real reference clock.
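The values ntpq -p prints (stratum, refid, offset, delay) all come from a single mode 3/mode 4 exchange, so it is worth seeing how they are derived. The following is an added example written for this page, not code from the original, from ntpd or from Nmap: it builds a mode 3 client request, parses the 48-byte mode 4 reply per RFC 5905, decodes the refid and computes offset and delay with the RFC's on-wire formulas. The reply it parses is constructed locally by build_sample_reply() (stratum 2, upstream refid 192.168.1.1, a made-up private address, server clock 2 s ahead, 50 ms one-way latency); query_server() is the only function that touches the network and is never called by default.

```python
"""Added example: craft an NTP mode 3 request, parse the mode 4 reply (RFC 5905 layout)
and derive what ntpq -p reports: stratum, refid, offset and delay.
The reply parsed below is constructed by build_sample_reply(); nothing is sent on the
wire unless query_server() is called explicitly."""
import socket
import struct
import time
from dataclasses import dataclass

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)
FRAC = 2 ** 32                   # NTP timestamps are 32.32 fixed point, handled here as 64-bit ints
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, refid,
# reference / origin / receive / transmit timestamps: 48 bytes
PACKET_FMT = "!BBbbIIIQQQQ"


def now_ntp() -> int:
    """Current wall clock as a 64-bit NTP timestamp."""
    return int((time.time() + NTP_EPOCH_OFFSET) * FRAC)


def build_client_request(version: int = 4, transmit_ts: int = 0) -> bytes:
    """Mode 3 request: LI=0, VN=version, mode=3; only the transmit timestamp is populated."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


@dataclass
class NtpReply:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    root_delay: float
    root_dispersion: float
    refid: str
    t1: int   # origin timestamp: our request's transmit time, echoed back by the server
    t2: int   # server receive timestamp
    t3: int   # server transmit timestamp


def decode_refid(stratum: int, refid: int) -> str:
    """Stratum 0/1: four ASCII chars (kiss code such as RATE, or clock source such as GPS).
    Stratum >= 2: the upstream IPv4 address (an IPv6 upstream shows as a hash, printed dotted anyway)."""
    raw = refid.to_bytes(4, "big")
    if stratum <= 1:
        return raw.decode("ascii", "replace").rstrip("\x00")
    return ".".join(str(b) for b in raw)


def parse_reply(data: bytes) -> NtpReply:
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (lvm, stratum, poll, precision, root_delay, root_disp, refid,
     _ref_ts, origin, receive, transmit) = struct.unpack(PACKET_FMT, data[:48])
    return NtpReply(
        leap=lvm >> 6, version=(lvm >> 3) & 0x7, mode=lvm & 0x7,
        stratum=stratum, poll=poll, precision=precision,
        root_delay=root_delay / 65536.0, root_dispersion=root_disp / 65536.0,  # 16.16 fixed point
        refid=decode_refid(stratum, refid), t1=origin, t2=receive, t3=transmit)


def offset_and_delay(t1: int, t2: int, t3: int, t4: int) -> tuple:
    """RFC 5905 on-wire protocol: theta = ((T2-T1)+(T3-T4))/2, delta = (T4-T1)-(T3-T2), in seconds."""
    offset = ((t2 - t1) + (t3 - t4)) / 2 / FRAC
    delay = ((t4 - t1) - (t3 - t2)) / FRAC
    return offset, delay


def build_sample_reply(t1: int, server_skew_s: float, one_way_s: float, proc_s: float) -> tuple:
    """Constructed mode 4 reply from a stratum 2 server whose clock is server_skew_s ahead of ours,
    with symmetric one-way latency and proc_s of server processing. Returns (packet, T4 on our clock).
    The upstream refid 192.168.1.1 is a made-up private address."""
    t2 = t1 + int((one_way_s + server_skew_s) * FRAC)
    t3 = t2 + int(proc_s * FRAC)
    t4 = t1 + int((2 * one_way_s + proc_s) * FRAC)
    lvm = (0 << 6) | (4 << 3) | 4
    refid = int.from_bytes(bytes([192, 168, 1, 1]), "big")
    pkt = struct.pack(PACKET_FMT, lvm, 2, 6, -20, int(0.01 * 65536), int(0.002 * 65536),
                      refid, t2 - 64 * FRAC, t1, t2, t3)
    return pkt, t4


def query_server(host: str, timeout: float = 2.0) -> tuple:
    """Live probe (authorized targets only): one mode 3 request, returns (reply, offset_s, delay_s)."""
    t1 = now_ntp()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(transmit_ts=t1), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
    t4 = now_ntp()
    reply = parse_reply(data)
    if reply.t1 != t1:   # origin check: a reply that does not echo our T1 is not for this request
        raise ValueError("origin timestamp mismatch")
    return (reply,) + offset_and_delay(reply.t1, reply.t2, reply.t3, t4)


if __name__ == "__main__":
    t1 = 3900000000 * FRAC
    pkt, t4 = build_sample_reply(t1, server_skew_s=2.0, one_way_s=0.05, proc_s=0.01)
    r = parse_reply(pkt)
    off, dly = offset_and_delay(r.t1, r.t2, r.t3, t4)
    print(f"stratum={r.stratum} refid={r.refid} offset={off:+.3f}s delay={dly:.3f}s")
```

The origin-timestamp check in query_server() is the same protection ntpd applies to its own exchanges: a spoofed reply that cannot echo the unpredictable T1 is discarded, which is why a time-shifting attacker normally needs to be on-path rather than merely able to send packets.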
3) Exploitation / Abuse
- Amplification / reflection DDoS:
# a mode 7 monlist reply lists up to 600 recent clients in 440-byte packets, so an 8-byte request with a spoofed source can send tens of kilobytes to the victim; mode 6 readvar replies also exceed the request size, by a smaller factor; modern servers should refuse both for remote sources
- Time spoofing / manipulation (authorized labs only):
# if an attacker controls the upstream time source or can MITM the unauthenticated UDP exchange, they can shift client clocks far enough to break log ordering, Kerberos ticket validation and certificate validity windows
- Information gathering:
# harvest configuration hints from ntpq/ntpdc replies: peers and their addresses, refid, version string, OS/processor, drift, and (monlist) the addresses of recent clients
- Misconfiguration impact:
# Kerberos and certificate-based authentication fail once clocks drift past the allowed skew (Kerberos defaults to 5 minutes); audit logs from skewed hosts cannot be correlated reliably
Primary risks are DDoS amplification (when the server answers mode 6/7 queries for any source address) and operational impact from incorrect time (authentication, logging). Active exploitation must be authorized.
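To make the amplification and information-disclosure points concrete, the following added example (written for this page, not code from the original, from ntpd or from Nmap) contains the exact mode 7 monlist probe and mode 6 readvar probe, a parser for mode 7 replies that recovers the client addresses they leak, the resulting payload-level amplification factor, and a check for the RATE kiss-o'-death reply a rate-limiting server returns. The monlist entry layout follows ntpd's info_monitor_1 structure in ntp_request.h; the reply packets are constructed locally with made-up RFC 5737 addresses, and probe() is the only function that touches the network.

```python
"""Added example: monlist (mode 7) and readvar (mode 6) probes, a mode 7 reply parser,
amplification measurement and kiss-o'-death detection. All replies below are constructed;
only probe() sends traffic."""
import ipaddress
import socket
import struct
from typing import Optional

# Mode 7 "private" request: VN=2, mode=7, implementation 3 (XNTPD), request 42 (MON_GETLIST_1); 8 bytes
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
# Mode 6 control request: VN=2, mode=6, opcode 2 (READVAR), sequence 1, association id 0; 12 bytes
READVAR_REQUEST = bytes([0x16, 0x02, 0x00, 0x01]) + bytes(8)
# Error codes carried in the mode 7 reply header (ntp_request.h)
MODE7_ERRORS = {0: "ok", 1: "wrong implementation", 2: "unknown request", 3: "format error",
                4: "no data", 7: "authentication required"}
# info_monitor_1 entry: avg_int, last_int, restr, count, addr, daddr, flags, port, mode,
# version, v6_flag, unused1, addr6, daddr6 (72 bytes)
ENTRY_FMT = "!IIIIIIIHBBII16s16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)


def parse_monlist_reply(pkt: bytes) -> tuple:
    """One mode 7 reply packet -> (error code, 'more' flag, client addresses in this packet)."""
    if len(pkt) < 8:
        raise ValueError("short mode 7 packet")
    b0, _seq, _impl, _req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if (b0 & 0x07) != 7 or not (b0 & 0x80):       # mode 7 with the Response bit set
        raise ValueError("not a mode 7 response")
    more = bool(b0 & 0x40)                         # More bit: further packets follow
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    size = mbz_size & 0x0FFF
    clients = []
    if err == 0 and size == ENTRY_SIZE:
        for i in range(nitems):
            f = struct.unpack_from(ENTRY_FMT, pkt, 8 + i * ENTRY_SIZE)
            addr = ipaddress.IPv6Address(f[12]) if f[10] else ipaddress.IPv4Address(f[4])
            clients.append(str(addr))
    return err, more, clients


def build_monlist_reply(clients: list, more: bool, err: int = 0) -> bytes:
    """Constructed server reply (what a vulnerable ntpd would send), used for offline testing."""
    b0 = 0x80 | (0x40 if more else 0x00) | (2 << 3) | 7
    body = b""
    if err == 0:
        for c in clients:
            ip = ipaddress.ip_address(c)
            v6 = ip.version == 6
            body += struct.pack(ENTRY_FMT, 64, 3, 0, 1000, 0 if v6 else int(ip), 0, 0, 123, 3, 4,
                                1 if v6 else 0, 0, ip.packed if v6 else bytes(16), bytes(16))
    nitems = len(clients) if err == 0 else 0
    hdr = struct.pack("!BBBBHH", b0, 0, 3, 0x2A, (err << 12) | nitems, ENTRY_SIZE if err == 0 else 0)
    return hdr + body


def assess_monlist(request: bytes, replies: list) -> dict:
    """Aggregate a whole exchange: amplification at NTP payload level (add 28 bytes of IPv4+UDP
    header per packet for the on-wire figure), the leaked client list, and a verdict."""
    clients, err = [], 0
    for r in replies:
        err, _more, chunk = parse_monlist_reply(r)
        clients.extend(chunk)
    bytes_out = sum(len(r) for r in replies)
    return {
        "error": MODE7_ERRORS.get(err, "unknown error %d" % err),
        "packets": len(replies),
        "amplification": bytes_out / len(request),
        "clients": clients,
        "vulnerable": err == 0 and len(clients) > 0,
    }


def kiss_code(reply: bytes) -> Optional[str]:
    """A mode 4 reply with stratum 0 carries a kiss code in the refid field; RATE means the
    server is rate-limiting this source and further probes will simply be dropped."""
    if len(reply) < 48 or (reply[0] & 0x07) != 4 or reply[1] != 0:
        return None
    return reply[12:16].decode("ascii", "replace").rstrip("\x00")


def probe(host: str, request: bytes = MONLIST_REQUEST, timeout: float = 2.0) -> list:
    """Live check (authorized targets only): send one probe, collect every reply until timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        try:
            while True:
                replies.append(s.recvfrom(1024)[0])
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # Constructed exchange: two 440-byte packets listing twelve made-up RFC 5737 client addresses
    leaked = ["198.51.100.%d" % i for i in range(1, 13)]
    replies = [build_monlist_reply(leaked[:6], more=True), build_monlist_reply(leaked[6:], more=False)]
    print(assess_monlist(MONLIST_REQUEST, replies))
```

Two packets already give a 110x payload ratio here; a full 600-entry table is 100 packets, which is why an exposed monlist server is worth reporting even when its peer list is otherwise unremarkable. On the ntpd side the fix is restrict default kod nomodify notrap nopeer noquery plus disable monitor, which turns the same probe into silence or a RATE reply.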
NTP Info — What to Look For
- Server answers mode 6 (ntpq) or mode 7 (ntpdc, monlist) queries from arbitrary source addresses
- Stratum misreporting (e.g., stratum 1 claimed without a reference clock) or large peer lists exposed
- No rate-limiting (kiss-o'-death) on control responses (amplification risk)
- Use of old/unsupported NTP implementations (vulnerabilities/bugs; check the version= string from ntpq -c rv)
- Servers used as public time sources inside private networks (cross-boundary risk)
Tools Required
sudo apt install nmap ntpdate ntpstat
# plus ONE of the daemon packages below; ntp, ntpsec and chrony conflict with each other, so install the one whose client utilities you need:
# sudo apt install ntp        # ntpq, ntpdc
# sudo apt install ntpsec     # ntpq only (NTPsec dropped ntpdc and mode 7)
# sudo apt install chrony     # chronyc
# Useful utilities:
# - ntpq (mode 6 control queries: peers/status/variables)
# - ntpdc (legacy mode 7 control utility; monlist may be supported on old servers)
# - chronyc (for chrony-managed systems; talks to the local daemon)
# - nmap NSE: ntp-info, ntp-monlist
Quick copy-paste command cheatsheet
# discovery
nmap -sU -p 123 --script=ntp-info,ntp-monlist <target>
# list peers & status
ntpq -p <target>
ntpq -c rv <target>
# legacy monlist (mode 7; may be disabled; use only in authorized testing)
ntpdc -n -c monlist <target>
# check time sync (local)
ntpstat
# test querying via ntpdate (read-only)
ntpdate -q <target>
# chrony client check (local host; -n skips DNS lookups, -m runs each argument as a separate command)
chronyc -n -m sources sourcestats tracking
Citations
- RFC 5905 — Network Time Protocol Version 4
- Nmap NSE — ntp-info / ntp-monlist
- US-CERT Advisory — NTP amplification (historical)
Disclaimer: Use these techniques only on systems you own or are explicitly authorized to test. Abuse of NTP (reflection/amplification, spoofing, or unauthorized queries) is illegal and unethical.