The Hive
GitHubLinkedInEmail
  • 🏠Home
  • 🌐RECON
    • πŸ“‘Passive (OSINT)
      • ⏩Metadata
      • ⏩Social Platforms
        • Email
        • Tumbler
        • Redit
        • Github
        • Tinder
        • TikTok
        • Snapchat
        • Instagram
        • Facebook
        • Twitter
        • Google
        • LinkedIn
    • πŸ“‘Active
      • ⏩Host Discovery / Network Mapping
      • ⏩nmap cheat sheet
      • ⏩masscan cheat sheet
    • πŸ“‘Web Recon
      • ⏩Web Server Discovery
      • ⏩Hidden Hosts
      • ⏩Directories & Subdomains
      • ⏩SSL Certs
      • ⏩CMS
      • ⏩WAF Detection
    • πŸ“‘Firewall Evasion
  • πŸ“—Web Attacks
    • 🟒Server Side
      • 🟩Authentication Mechanisms
      • 🟩Access Control (Authorization)
      • 🟩Directory Traversal
      • 🟩OS Command Injection
      • 🟩Server-Side Request Forgery (SSRF)
      • 🟩XML External Entity (XXE) Injection
      • 🟩File Upload
      • πŸ”§SQL Injection
      • 🟩Information Disclosure
      • 🟩Business Logic
    • 🟒Client Side
      • 🟩Cross-site request forgery (CSRF)
      • πŸ”§Cross-site scripting (XSS)
  • πŸ“’Network attacks
    • 🟑Network Services
      • 🟨Brute Force
      • 🟨DNS
      • 🟨IPv6
      • 🟨FTP
      • 🟨SSH
      • 🟨SMB
      • 🟨SNMP
      • 🟨SMTP
      • 🟨POP3
      • 🟨IMAP
      • 🟨MSSQL
      • 🟨MySQL
      • 🟨MSRPC / RPCbind
      • 🟨LDAP
      • 🟨NTP
      • 🟨NFS
      • 🟨Telnet
      • 🟨WebDAV
      • 🟨RDP
      • 🟨RSIP
      • 🟨Rlogin
      • 🟨VPNs
      • 🟨Echo
      • πŸ”§RTP
      • πŸ”§VOIP
        • SIP
    • 🟑Network Devices
      • 🟨IPv6 Attacks
        • Neighbor Impersonation
        • Router Advertisement Flooding
      • 🟨Switch Attacks
        • Cisco Exploitation
        • STP Spoofing
        • VLAN Hopping
        • MAC Flood
      • 🟨Router Attacks
        • Router Exploitation
        • HSRP Hijacking
        • πŸ”§RIP Spoofing
        • πŸ”§OSPF Attacks
        • πŸ”§VRRP MitM
      • 🟨NAC Bypass
        • Captive Portal
        • 802.1X / EAP Bypass
      • 🟨Printer Exploitation
    • 🟑MITM & Poisoning
      • 🟨Bettercap
      • 🟨HTTPS Downgrade / HSTS Bypass
      • 🟨Session Hijackings
      • 🟨Malicious Update
      • 🟨RDP Downgrade
      • 🟨DNS Spoofing
      • 🟨NTP Spoofing
      • 🟨ARP Spoofing
      • 🟨DHCP Poisoning
      • 🟨DHCPv6 Spoofing
      • 🟨SSDP Spoofing
      • 🟨WSUS Spoofing
      • 🟨ADIDNS Poisoning
      • 🟨WPAD Abuse
    • 🟑Wireless Attacks
      • 🟨Protocol Concepts
      • 🟨Basics
      • 🟨Attacks
    • 🟑Sniffing
      • 🟨Wireshark
      • 🟨tcpdump
    • 🟑Denial of Service
  • πŸ“•Red Team
    • πŸ”΄Windows
      • β­•Security Concepts
        • Windows Security Components
        • Active Directory Components
        • Kerberos
        • Loggon Sessions and Access Tokens
        • Permissions and Access Control
        • Windows Registry
        • Object Management
      • β­•Physical Attack
      • β­•Enumeration
      • β­•Privilege Escalation
        • DLL Hijacking
          • Phantom DLL Hijacking / Replacement
          • Search Order Hijacking ( Preloading )
          • DLL Side-Loading
        • Service Misconfigurations
          • Weak Registry Permissions
          • Insecure Service Executables
          • Insecure Permission
          • Unquoted Service Path
        • Creating a New Service (admin to system)
        • Registry
          • AlwaysInstallElevated
          • AutoRuns
        • Scheduled Tasks
        • Mass Roll-outs
        • Startup Apps
        • Installed Applications
        • Loopback Services
        • Insecure GUI APPs
        • Potatos
        • Printspoofer / SEImpersonate
        • PSEXEC (admin to system)
      • β­•Credential Dumping
      • β­•Persistence
        • Invisible Account Forger
        • Add User
        • Scheduled Tasks
        • Run Registry Keys
        • Logon Scripts
        • Screensavers Hijack
        • Powershell Profiles & Modules
        • Service Creation/Modification
        • Shortcut Modification
        • Startup Folder
        • RDP backdoors
        • COM Hijacking
    • πŸ”΄Active Directory
      • β­•Domain Enumeration
      • β­•Tools & Frameworks
        • Evil-WinRM
        • CME cheat sheet
        • SharpSploit
        • impacket cheat sheet
        • DeathStar
      • β­•Exploitation
        • LLMNR Poisoning
        • SMB/NTLM Relay
        • DNS Takeover + LDAP Relay
        • Cracking Hashes
        • Password spraying
        • ADCS + PetitPotam NTLM Relay
        • EternalBlue
        • ZeroLogon
        • MS Exchange ProxyShell
        • MS Exchange ProxyLogon
        • Java JBOSS
      • β­•Privilege Escalation
        • Token Impersonation
        • DNS Admins
        • AD CS Abuse
        • ACL Abuse
          • GenericAll
          • Write Property
          • Self-membership
          • ForceChangePassword
          • Managed Security Groups
          • Exchange Windows Permissions
        • Group Policy Objects (GPOs)
        • Custom SSPs
        • PrintNightmare
      • β­•Lateral Movement
        • RDP Password Decryption
        • RDP Session Hijacking
        • headless RDP with SharpRDP
        • Domain Shares
        • SCF File Attacks
        • Pass the Hash / Password
        • Overpass the Hash / Pass the Key
        • Pass The Ticket
        • Kerberosting / AS-REP Rosting
        • Kerberos Delegation
      • β­•Credential Dumping
        • CredSSP / TSPKG
        • Wdigest Clear Text
        • DPAPI secrets
        • SAM & Registry
        • NTDS.dit & vshadow
        • comsvcs.dll
        • Meterpreter
        • Procdump & LSASS
        • AD User Comments
        • SYSVOL & Group Policy Preferences
        • LAPS Passwords
        • GSMA Passwords
        • HiveNightmare
        • Mimikatz Cheat sheet
        • Other Tools / Techniques
      • β­•Persistence
        • Certificates
        • DCSync
        • DCShadow
        • Silver Ticket
        • Golden Ticket
        • Skeleton Key
        • WMI
        • PowerShell Remoting
        • Remote Registry
        • Rights Abuse
        • AdminSDHolder
        • DSRM
        • Kerberos Checksum Validation ( MS14-068 )
    • πŸ”΄Linux
      • β­•Physical Attacks
      • β­•Enumeration
      • β­•Privilege Escalation
        • SUID / SGID abuse
        • /etc/shadow & /etc/passwd
        • cron/crontab abuse
        • Sudo Abuse
        • Capabilities Abuse
        • Environment Variables
          • LD_LIBRARY_PATH
          • LD_PRELOAD
        • Shared Object Injection
        • NFS
        • man CE Pager Argument
        • MySQL UDF
        • UDEVD
        • STDIN/STDOUT
        • Unix Socket Exploitation
        • Dirty Pipe
        • Docker
          • SUID Docker
      • β­•Lateral Movement
        • Infecting Running Processes
        • VIM Config File Keylogger
        • SSH Hijacking
        • Samba Secrets to Domain Admin
        • Hiding Processes
        • Simple User-mode Rootkits
        • Vino VNC Server
      • β­•Credential Dumping
        • Swap Dump
        • mimipinguin
        • unshadow
        • 3snake
      • β­•Persistence
        • Startup User File Backdoor
        • PHP Backdoor
        • Apache mod_rootme
        • Startup Service Backdoor
        • xdg Backdoor
        • rootbash SUID
        • apt Backdoor
        • Driver Backdoor
        • Core Pattern
        • dash Backdoor
        • Creating an SUID Binary
        • Systemd netcat bind shell
        • Xinetd UDP portnock
        • openSSL reverse shell
        • motd Backdoor
        • Auth Log Backdoor
        • RSYSLOG Backdoor
        • sshd Backdoor
        • VIM Config Backdoor
        • .bashrc Backdoor
        • Adding a Root user
        • Crontab Reverse Shell
        • SSH persistence password-less
      • β­•Covering Tracks
    • πŸ”΄Command & Control (C2)
      • β­•Cobalt Strike
      • β­•Metasploit
      • β­•Empire & Starkiller
      • β­•Covenant
    • πŸ”΄Shells and Payloads
      • β­•Shell Escape / Interactive Shell
      • β­•LOL Binaries
      • β­•msfvenom
      • β­•SharpShooter & Ivy
      • β­•Other Payloads
    • πŸ”΄Payload Delivery
      • β­•Powershell Reflective DLL Load
      • β­•HTML Smuggling
      • β­•Office Macros
      • β­•DDE Auto - Word/Excel
      • β­•.SLK Excel
      • β­•XLM Macro 4.0
      • β­•LNK
      • β­•embedded OLE + LNK objects
      • β­•JScript
      • β­•HTA
      • β­•VBS
      • β­•VBA
      • β­•RTF
      • β­•REG
      • β­•MSI / MSIEXEC
      • β­•IQY
      • β­•CHM / HHC
      • β­•SCR
    • πŸ”΄Pivoting
      • β­•SSH Forwarding
      • β­•Socat Stealth Port Forward
      • β­•Socat Reverse Shell Relay
      • β­•HTTP Tunneling
      • β­•ICMP Tunneling
      • β­•DNS Tunneling
      • β­•Metasploit Pivoting
      • β­•Cobalt Strike Pivoteing
      • β­•VPN Tunneling
      • β­•Other Tools
    • πŸ”΄Exfiltration / File Transfer
      • β­•Encode / Decode Files
      • β­•TCP / UDP
      • β­•DNS
      • β­•SSH
      • β­•ICMP
      • β­•SMB
      • β­•FTP
      • β­•HTTP
      • β­•Other Methods
    • πŸ”΄Password Attacks
      • β­•Online Attacks
      • β­•Offline Attack
      • β­•Word List
      • β­•Cheat Sheet
    • πŸ”΄Defense Evasion
      • β­•Basic Tricks
      • πŸ”§Powershell Tricks
      • β­•Disabling Defenses
      • β­•UAC Bypass
      • β­•Process Migration
      • β­•Dechaining Macros
      • β­•VBA Sandbox Evasion
      • β­•AMSI Bypass
      • β­•SRP & AppLocker Bypass
      • β­•GPO Bypass
  • πŸ“˜Blue Team
    • πŸ”΅Threat Modeling / Hunting / Intelligence
    • πŸ”΅Linux Hardening
      • πŸ”ΉOS Security
        • Update Strategy
        • Service Management
        • Physical Security
        • Grub Hardening
        • Kernel Parameters
        • Process Isolation
      • πŸ”ΉAccounts & Passwords
        • Users & Groups
        • Password Security & Sudoers
      • πŸ”ΉAccess Control & Ownership
      • πŸ”ΉFile System Security
      • πŸ”ΉIntegrity Check
      • πŸ”ΉSandboxing
      • πŸ”ΉNetwork
      • πŸ”Ήiptables
        • Rule Sets
      • πŸ”ΉService Hardening
        • BIND9
        • vsftpd
        • Nginx
        • Apache
        • SSH
      • πŸ”ΉSystem Audit
      • πŸ”ΉLogging
        • auditd
      • πŸ”ΉEncryption
    • πŸ”΅Security Architecture
      • πŸ”ΉLayered Security
  • πŸŸͺPurple Teaming
    • 🟣Adversary Emulation
  • 🟧programming
    • 🟠C Programming
      • πŸ”ΈBasic Structure
      • πŸ”ΈGCC Compiler
      • πŸ”ΈPreprocessors
      • πŸ”ΈData Types
      • πŸ”ΈType Qualifiers
      • πŸ”ΈPointers
      • πŸ”ΈDynamic Memory Allocation
      • πŸ”ΈLoops
      • πŸ”ΈConditional Statements
      • πŸ”ΈFunctions
      • πŸ”ΈInput / Output
      • πŸ”ΈMacros
      • πŸ”ΈFiles
      • πŸ”ΈStrings Manipulation
      • πŸ”ΈBit Manipulation
      • πŸ”ΈData Structures
        • Arrays
        • Structures
        • Unions
      • πŸ”ΈAbstract Data Types
        • Stack
        • Queue
        • Linked List
          • Singly Linked List
          • Doubly Linked List
      • πŸ”ΈLibraries & Linking
      • πŸ”ΈError Recovery
    • πŸ”§Assembly ( NASM )
      • Intel IA-32 Environment
      • Basic Structure
      • Variables and Data Types
      • Most-used Instructions
      • input / output
  • 🟫Miscellaneous
    • 🟀GNU Screen / tmux
    • 🟀SSH Tricks
    • 🟀Cats
      • netcat
      • ncat
      • pwncat
      • socat
      • πŸ”§powercat
    • 🟀Curl
    • 🟀Cross-compiling Binaries
Powered by GitBook
On this page
  1. Network attacks
  2. MITM & Poisoning

NTP Spoofing

PreviousDNS SpoofingNextARP Spoofing

Last updated 2 years ago

Distributing accurate time is a vital part of sustaining network infrastructure. It’s also a critical element of network security, both when it comes to the expiry dates on certificates and timestamped system logs used for troubleshooting.

NTP Spoofing is hard to detect and the only mitigation is NTP encryption or synchronizing network time with GPS, so this type of attack is not as obvious as ARP spoofing or other types of spoofing for that matter.

NTP Spoofing is done after ARP spoofing and becoming the man in the middle

This attack can trick the victim systems to think that the web certificates or HSTS records are expired and thus they wont trust the old records anymore, in this case the attacker can run MitM attacks such as HTTPS downgrade and HSTS bypass more successfully.

A scapy script for spoofing NTP responses with an MITM attack

  1. ARP-Cache-Poisons the target and the gateway

  2. Positions your machine between target and gateway in MITM attack

  3. Listens for NTP-responses from gateway to target

  4. Modifies the NTP-timestamps

Run ARP Spoof

ettercap [options] [target1] [target2]

example:

ettercap -T -q -M arp::remote /172.16.0.1-254//   /172.16.0.1-254//

Run the script:

sudo ./ntp-spoof.py -i [interface] -t [target ip] -g [gateway ip] -d [date-time to spoof]

# example:
sudo ./ntp-spoof.py -i enp0s25 -t 192.168.1.42 -g 192.168.1.1 -d 13:37-31.12.1983
πŸ“’
🟑
🟨
GitHub - crazyarashi/ntp-spoof: A scapy script for spoofing NTP responses with a MITM attackGitHub
Logo