NTP enumeration is the process by which an attacker discovers NTP servers on a network (normally by probing UDP port 123) and then asks them for whatever they are willing to reveal: the software version, system variables, the peers they synchronise from and, on older or misconfigured ntpd builds, the list of clients that recently queried them. That information is used to find vulnerable NTP servers or simply to map the network further. Servers reachable from the Internet are far more likely to be abused, because anyone can query them. An attacker will typically combine DNS lookups (the pool and vendor time hostnames an organisation uses), brute-force UDP scanning of address ranges, and search engines such as Shodan.io or Censys that index unprotected devices.
Exploit Vulnerability:
An NTP server does not have to sit on the same network segment as the attacker to be useful. For example, an attacker who can reach a server's UDP port 123 can ask it, with the mode 7 monlist query that ntpdc uses, for the list of hosts that have recently synchronised with it, and then feed that list to scanners looking for vulnerable hosts; the client list also leaks internal addressing that would otherwise have to be guessed. The same query is what made ntpd an attractive DDoS amplifier, because a small request returns a response many times larger, sent to whatever source address the attacker spoofed (ntpd has shipped with monlist disabled since 4.2.7p26). Compared with other kinds of vulnerability, the effort here is in research and in sifting the results rather than in exploitation: the attacker collects addresses, versions and topology, not code execution. There are also less obvious uses, such as telling which hosts are clients and which are servers, and exposing hosts behind NAT or on wireless segments that are otherwise invisible but still synchronise time with a reachable server.
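The client-list query described above, as an added example that is not part of the original article: a small Python 3 client that builds the mode 7 MON_GETLIST_1 request ntpdc sends, parses the reply into client records, and reports the payload amplification. The packet layout follows ntpd's private request format (8-byte header followed by 72-byte info_monitor_1 items). The response used when no host is given on the command line is constructed here for illustration, and the addresses in it are private and documentation ranges, not real servers; query a live host only with permission.

```python
import socket
import struct

# Mode 7 "private" request that ntpdc sends for MON_GETLIST_1: first byte is
# response=0, more=0, version=2, mode=7 (0x17); then sequence 0, implementation
# 3 (IMPL_XNTPD), request code 42 (MON_GETLIST_1), and two zero words for
# err/nitems and mbz/itemsize.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MONLIST_ITEM_SIZE = 72          # sizeof(struct info_monitor_1) in ntpd
NTP_PORT = 123


def build_monlist_request() -> bytes:
    return MONLIST_REQUEST


def ipv4(word: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", word))


def parse_monlist_response(data: bytes):
    """Parse one mode 7 MON_GETLIST_1 response packet.

    Returns (records, more): the client records carried in this packet and
    whether the server flagged that further packets follow.
    """
    if len(data) < 8:
        raise ValueError("packet shorter than the 8-byte mode 7 header")
    first, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if (first & 0x07) != 7 or not (first & 0x80):
        raise ValueError("not a mode 7 response packet")
    if impl != 3 or req != 42:
        raise ValueError(f"unexpected implementation/request code {impl}/{req}")
    err = err_nitems >> 12
    if err:
        # Non-zero means the server refused (monitoring disabled, query
        # restricted, ...); the value is ntpd's INFO_ERR_* code.
        raise ValueError(f"server returned error code {err}")
    nitems = err_nitems & 0x0FFF
    item_size = mbz_size & 0x0FFF
    if item_size != MONLIST_ITEM_SIZE:
        raise ValueError(f"unexpected item size {item_size}")
    more = bool(first & 0x40)
    records = []
    for i in range(nitems):
        item = data[8 + i * item_size: 8 + (i + 1) * item_size]
        if len(item) < item_size:
            raise ValueError("truncated item")
        # Fixed part of info_monitor_1; the trailing 36 bytes hold the IPv6 addresses.
        (avg_int, last_int, _restr, count, addr, daddr, _flags,
         port, mode, version, v6_flag) = struct.unpack("!IIIIIIIHBBI", item[:36])
        if v6_flag:
            client = socket.inet_ntop(socket.AF_INET6, item[40:56])
            server = socket.inet_ntop(socket.AF_INET6, item[56:72])
        else:
            client, server = ipv4(addr), ipv4(daddr)
        records.append({
            "client": client, "server": server, "port": port, "count": count,
            "mode": mode, "version": version,
            "avg_interval": avg_int, "last_interval": last_int,
        })
    return records, more


def amplification_ratio(request: bytes, responses) -> float:
    """Bytes returned per byte sent, at the NTP payload level."""
    return sum(len(r) for r in responses) / len(request)


def query_monlist(host: str, timeout: float = 2.0) -> list:
    """Send the probe to a live host and collect every response packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    clients = []
    try:
        sock.sendto(build_monlist_request(), (host, NTP_PORT))
        while True:
            data, _ = sock.recvfrom(4096)
            records, more = parse_monlist_response(data)
            clients.extend(records)
            if not more:
                break
    except socket.timeout:
        pass                      # filtered, disabled, or nothing left to read
    finally:
        sock.close()
    return clients


def make_sample_response() -> bytes:
    """Constructed sample reply (not a capture): one packet listing two IPv4 clients."""
    def item(client, server, count, avg, last):
        fixed = struct.pack("!IIIIIIIHBBI", avg, last, 0, count,
                            struct.unpack("!I", socket.inet_aton(client))[0],
                            struct.unpack("!I", socket.inet_aton(server))[0],
                            0, NTP_PORT, 3, 4, 0)
        return fixed + bytes(MONLIST_ITEM_SIZE - len(fixed))
    header = struct.pack("!BBBBHH", 0x97, 0, 3, 42, 2, MONLIST_ITEM_SIZE)
    return (header + item("10.0.0.5", "192.0.2.1", 1234, 64, 3)
            + item("10.0.0.77", "192.0.2.1", 9, 1024, 800))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        records = query_monlist(sys.argv[1])
    else:
        records, _ = parse_monlist_response(make_sample_response())
        print("amplification:", amplification_ratio(MONLIST_REQUEST, [make_sample_response()]))
    for r in records:
        print(f"{r['client']:>16} -> {r['server']:<16} pkts={r['count']:<6} mode={r['mode']} v{r['version']}")
```

Run it with a hostname to probe a server you are allowed to test, or without arguments to parse the constructed sample. The amplification figure is the reason monlist is worth checking even on a server that holds no interesting clients: the 8-byte request already produces a reply an order of magnitude larger with only two entries, and a busy server returns up to several hundred.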
Properties:
- Since an NTP server can reveal many hosts on a network, a few basic checks should be done before relying on it as an enumeration route: confirm that UDP port 123 is reachable and that the daemon answers management queries at all.
- The easiest checks are the daemon's own management queries. ntpq -c rv <host> (mode 6 readvar) returns the version, operating system and stratum; ntpq -c pe <host> lists the peers it synchronises from; ntpdc -n -c monlist <host> (mode 7) returns the recent-client list if monitoring is enabled. A server that answers any of these from an untrusted address is misconfigured.
- A UDP sweep of port 123 across a range is the NTP equivalent of a ping sweep, for example nmap -sU -p 123 --script ntp-info,ntp-monlist <range>; it reveals which hosts run NTP and which of them answer version or monlist queries. An unanswered UDP probe can mean filtered rather than closed, so silence is not proof that the service is absent.
- These probes are easy to script (a small UDP sender, with tcpdump capturing the replies), and both Nessus and OpenVAS ship plugins that check NTP configuration, including exposure of mode 6 and mode 7 queries and monlist.
- Nessus is a commercial network vulnerability scanner available for most operating systems. It runs checks against a range of services, and NTP findings are reported by the relevant plugins. Scanning is non-intrusive and needs no downtime; fixing a finding (upgrading ntpd or changing its restrict lines) does mean restarting the daemon, so schedule that like any other maintenance.
- OpenVAS is an open-source vulnerability scanner whose tests cover common known vulnerabilities, including NTP information disclosure and monlist amplification.
- Many third-party scripts wrap OpenVAS or nmap to automate NTP scanning; prefer the maintained nmap NSE scripts (ntp-info, ntp-monlist) and the daemon's own tools over unmaintained wrappers, and verify any tool's output against a manual ntpq query before trusting it.
NTP Security Model:
- NTP runs over UDP port 123 (NTPv4 is specified in RFC 5905); there is no TCP transport, and no raw Ethernet transport either (that is PTP, a different protocol). Besides unicast client/server exchanges it supports symmetric peer, broadcast and multicast modes. The control (mode 6) and private (mode 7) packet types used by ntpq and ntpdc travel on the same port and are what enumeration tools query.
- NTP does not encrypt anything. Its symmetric-key authentication is a message authentication code appended to the packet: a 4-byte key identifier followed by an MD5 (16-byte) or SHA-1 (20-byte) digest computed over the shared key concatenated with the 48-byte header. Client and server must share the key in advance, typically through the ntp.keys file.
- Two authentication schemes have existed: symmetric keys and Autokey (RFC 5906), a public-key scheme intended for broadcast and large deployments. Autokey is deprecated and should not be used; symmetric keys remain supported, and Network Time Security (NTS, RFC 8915) is the modern replacement for Internet-facing servers. Stratum numbers describe distance from a reference clock (a stratum 1 server has one attached directly) and have nothing to do with the authentication scheme.
- All time exchanges use the same 48-byte packet format, with the first byte carrying the leap indicator, version and mode. The only difference between an authenticated and an unauthenticated packet is the optional MAC at the end.
- When a symmetric key is configured, every packet from the client carries the MAC, including broadcast and multicast packets. The cost is one digest computation per packet, and with broadcast the same key must be shared with every listener, which weakens it.
- A server identifies a client only by the source address and port of the request. Without authentication nothing stops a forged source address, which is exactly what amplification attacks rely on.
- The port numbers and checksum belong to the UDP header, not to NTP; NTP has no connection setup, and every request is a standalone datagram.
- Firewalls need to allow UDP 123 for the servers that are meant to synchronise with the outside, and should block inbound NTP to everything else; mode 6 and mode 7 queries from untrusted networks should be dropped.
- NTP can operate in unauthenticated or authenticated mode. Without authentication a client has no way to verify that a response came from the server it queried, so an attacker able to forge responses can feed it false time.
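To make the packet-format and authentication points above concrete, an added example that is not from the article: Python 3 code that packs and parses the 48-byte NTPv4 header and implements ntpd's symmetric-key MAC, a 4-byte key identifier followed by MD5 or SHA-1 over the shared key concatenated with the header. The key values and key ids are invented for the demonstration; in ntpd they would come from ntp.keys.

```python
import hashlib
import hmac
import struct

# LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit 64-bit timestamps.
NTP_HEADER = "!BBbbIIIQQQQ"
NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
MAC_LEN_TO_ALGO = {20: "MD5", 24: "SHA1"}   # 4-byte key id + digest length


def to_ntp_timestamp(unix_seconds: float) -> int:
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_timestamp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_packet(transmit_unix: float, version: int = 4) -> bytes:
    """Minimal mode 3 (client) request: only the transmit timestamp is filled in."""
    first = (0 << 6) | (version << 3) | 3          # LI=0, VN, mode 3
    return struct.pack(NTP_HEADER, first, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp_timestamp(transmit_unix))


def parse_header(data: bytes) -> dict:
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmt_ts) = struct.unpack(NTP_HEADER, data[:NTP_HEADER_LEN])
    mode = first & 0x07
    return {
        "leap": first >> 6, "version": (first >> 3) & 0x07, "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "reserved"), "stratum": stratum,
        "poll": poll, "precision": precision, "root_delay": root_delay,
        "root_dispersion": root_disp, "refid": refid,
        "reference": ref_ts, "origin": orig_ts, "receive": recv_ts, "transmit": xmt_ts,
        "mac_len": len(data) - NTP_HEADER_LEN,
    }


def _digest(algo: str, key: bytes, header: bytes) -> bytes:
    # ntpd's symmetric-key MAC is digest(key || header), a keyed hash, not an HMAC.
    return DIGESTS[algo](key + header).digest()


def append_mac(packet: bytes, key_id: int, key: bytes, algo: str = "MD5") -> bytes:
    header = packet[:NTP_HEADER_LEN]
    return header + struct.pack("!I", key_id) + _digest(algo, key, header)


def verify_mac(packet: bytes, keys: dict) -> bool:
    """keys maps key id -> (algo, key). Returns False for anything that is not
    correctly authenticated, including a packet with no MAC at all."""
    algo = MAC_LEN_TO_ALGO.get(len(packet) - NTP_HEADER_LEN)
    if algo is None:
        return False
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    entry = keys.get(key_id)
    if entry is None or entry[0] != algo:
        return False
    expected = _digest(algo, entry[1], packet[:NTP_HEADER_LEN])
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


if __name__ == "__main__":
    keys = {1: ("MD5", b"example-shared-key")}     # invented; ntpd reads these from ntp.keys
    pkt = build_client_packet(1700000000.5)
    signed = append_mac(pkt, 1, keys[1][1], "MD5")
    print(parse_header(signed)["mode_name"], "packet,", len(signed), "bytes with MAC")
    print("valid MAC:", verify_mac(signed, keys))
    tampered = bytearray(signed)
    tampered[1] ^= 1                                 # flip a bit in the stratum field
    print("tampered MAC:", verify_mac(bytes(tampered), keys))
    print("no MAC at all:", verify_mac(pkt, keys))
```

Two things the code makes visible that the prose only states: the MAC covers the 48-byte header only, so any change to a timestamp or the stratum invalidates it, and an unauthenticated packet is simply a 48-byte datagram that a receiver in authenticated mode must reject rather than accept with a warning.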
Important Points:
- In practice, not every host needs to be an NTP server: a small set of internal servers synchronise with external sources and everything else synchronises from them. Only that first tier should talk to the Internet, and only outbound to its configured sources.
- NTP and DNS depend on each other: time sources are usually named in ntp.conf by hostname, while DNSSEC validation needs a roughly correct clock, so a validating resolver and an NTP client that relies on it can deadlock at boot. Configure at least one source by IP address, or make sure the bootstrap path does not require validated DNS.
- Time synchronisation is often disabled on misconfigured devices, or overridden locally on clients and servers. A host with a wrong clock breaks certificate validation, Kerberos and log correlation, so audit it rather than assume it.
- Servers should use several independent time sources so that a single faulty or malicious source is outvoted, and clients should be configured explicitly with their sources rather than accepting broadcast or unsolicited packets; otherwise the client is vulnerable to anyone who can inject time.
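An added configuration example (not from the article) contrasting an open ntp.conf with one that applies the points above. The server addresses are documentation ranges and the key file path and key id are assumptions.

```text
# --- Weak: no restrict lines, so ntpd answers mode 6/7 queries from anyone,
# a single time source named only by hostname, and monitoring (monlist) enabled.
server time.example.org
enable monitor

# --- Hardened equivalent.
# Deny everything by default: no runtime reconfiguration (nomodify), no trap
# service (notrap), no unsolicited peering (nopeer), no mode 6/7 queries
# (noquery); rate-limit clients and answer abusers with a kiss-o'-death (limited, kod).
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Full access for local administration only.
restrict 127.0.0.1
restrict ::1

# Several independent sources so one bad source is outvoted; iburst speeds up
# the initial synchronisation.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
# In-house source by IP address: works even before DNS is usable, and
# authenticated with a symmetric key (key id 1 in /etc/ntp.keys, an assumption).
keys /etc/ntp.keys
trustedkey 1
server 203.0.113.5 key 1 iburst

# Turn the monlist client list off outright rather than relying on noquery alone.
disable monitor
```

After changing the file and restarting ntpd, confirm the effect from an untrusted address: ntpq -c rv and ntpdc -c monlist should time out rather than answer, while an ordinary client request still gets time.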
Conclusion:
NTP is an old protocol, and a carelessly configured server reveals more about a network than most administrators expect: software versions, peers, and recent clients. The vulnerabilities in NTP servers range from information disclosure to amplification and time manipulation, and even where a finding looks minor it is always better to patch the server and restrict its query interfaces before exposing it. Security expert Bruce Schneier says this about NTP: “NTP has been used for years as a legitimate way to share clock timing between devices so that they know what time it is and can be synchronized. However, serious vulnerabilities have always been there and remain today. Since they’re easy to exploit, NTP should be kept off the corporate network.”