The Hive
GitHubLinkedInEmail
  • 🏠Home
  • 🌐RECON
    • 📡Passive (OSINT)
      • ⏩Metadata
      • ⏩Social Platforms
        • Email
        • Tumbler
        • Redit
        • Github
        • Tinder
        • TikTok
        • Snapchat
        • Instagram
        • Facebook
        • Twitter
        • Google
        • LinkedIn
    • 📡Active
      • ⏩Host Discovery / Network Mapping
      • ⏩nmap cheat sheet
      • ⏩masscan cheat sheet
    • 📡Web Recon
      • ⏩Web Server Discovery
      • ⏩Hidden Hosts
      • ⏩Directories & Subdomains
      • ⏩SSL Certs
      • ⏩CMS
      • ⏩WAF Detection
    • 📡Firewall Evasion
  • 📗Web Attacks
    • 🟢Server Side
      • 🟩Authentication Mechanisms
      • 🟩Access Control (Authorization)
      • 🟩Directory Traversal
      • 🟩OS Command Injection
      • 🟩Server-Side Request Forgery (SSRF)
      • 🟩XML External Entity (XXE) Injection
      • 🟩File Upload
      • 🔧SQL Injection
      • 🟩Information Disclosure
      • 🟩Business Logic
    • 🟢Client Side
      • 🟩Cross-site request forgery (CSRF)
      • 🔧Cross-site scripting (XSS)
  • 📒Network attacks
    • 🟡Network Services
      • 🟨Brute Force
      • 🟨DNS
      • 🟨IPv6
      • 🟨FTP
      • 🟨SSH
      • 🟨SMB
      • 🟨SNMP
      • 🟨SMTP
      • 🟨POP3
      • 🟨IMAP
      • 🟨MSSQL
      • 🟨MySQL
      • 🟨MSRPC / RPCbind
      • 🟨LDAP
      • 🟨NTP
      • 🟨NFS
      • 🟨Telnet
      • 🟨WebDAV
      • 🟨RDP
      • 🟨RSIP
      • 🟨Rlogin
      • 🟨VPNs
      • 🟨Echo
      • 🔧RTP
      • 🔧VOIP
        • SIP
    • 🟡Network Devices
      • 🟨IPv6 Attacks
        • Neighbor Impersonation
        • Router Advertisement Flooding
      • 🟨Switch Attacks
        • Cisco Exploitation
        • STP Spoofing
        • VLAN Hopping
        • MAC Flood
      • 🟨Router Attacks
        • Router Exploitation
        • HSRP Hijacking
        • 🔧RIP Spoofing
        • 🔧OSPF Attacks
        • 🔧VRRP MitM
      • 🟨NAC Bypass
        • Captive Portal
        • 802.1X / EAP Bypass
      • 🟨Printer Exploitation
    • 🟡MITM & Poisoning
      • 🟨Bettercap
      • 🟨HTTPS Downgrade / HSTS Bypass
      • 🟨Session Hijackings
      • 🟨Malicious Update
      • 🟨RDP Downgrade
      • 🟨DNS Spoofing
      • 🟨NTP Spoofing
      • 🟨ARP Spoofing
      • 🟨DHCP Poisoning
      • 🟨DHCPv6 Spoofing
      • 🟨SSDP Spoofing
      • 🟨WSUS Spoofing
      • 🟨ADIDNS Poisoning
      • 🟨WPAD Abuse
    • 🟡Wireless Attacks
      • 🟨Protocol Concepts
      • 🟨Basics
      • 🟨Attacks
    • 🟡Sniffing
      • 🟨Wireshark
      • 🟨tcpdump
    • 🟡Denial of Service
  • 📕Red Team
    • 🔴Windows
      • ⭕Security Concepts
        • Windows Security Components
        • Active Directory Components
        • Kerberos
        • Loggon Sessions and Access Tokens
        • Permissions and Access Control
        • Windows Registry
        • Object Management
      • ⭕Physical Attack
      • ⭕Enumeration
      • ⭕Privilege Escalation
        • DLL Hijacking
          • Phantom DLL Hijacking / Replacement
          • Search Order Hijacking ( Preloading )
          • DLL Side-Loading
        • Service Misconfigurations
          • Weak Registry Permissions
          • Insecure Service Executables
          • Insecure Permission
          • Unquoted Service Path
        • Creating a New Service (admin to system)
        • Registry
          • AlwaysInstallElevated
          • AutoRuns
        • Scheduled Tasks
        • Mass Roll-outs
        • Startup Apps
        • Installed Applications
        • Loopback Services
        • Insecure GUI APPs
        • Potatos
        • Printspoofer / SEImpersonate
        • PSEXEC (admin to system)
      • ⭕Credential Dumping
      • ⭕Persistence
        • Invisible Account Forger
        • Add User
        • Scheduled Tasks
        • Run Registry Keys
        • Logon Scripts
        • Screensavers Hijack
        • Powershell Profiles & Modules
        • Service Creation/Modification
        • Shortcut Modification
        • Startup Folder
        • RDP backdoors
        • COM Hijacking
    • 🔴Active Directory
      • ⭕Domain Enumeration
      • ⭕Tools & Frameworks
        • Evil-WinRM
        • CME cheat sheet
        • SharpSploit
        • impacket cheat sheet
        • DeathStar
      • ⭕Exploitation
        • LLMNR Poisoning
        • SMB/NTLM Relay
        • DNS Takeover + LDAP Relay
        • Cracking Hashes
        • Password spraying
        • ADCS + PetitPotam NTLM Relay
        • EternalBlue
        • ZeroLogon
        • MS Exchange ProxyShell
        • MS Exchange ProxyLogon
        • Java JBOSS
      • ⭕Privilege Escalation
        • Token Impersonation
        • DNS Admins
        • AD CS Abuse
        • ACL Abuse
          • GenericAll
          • Write Property
          • Self-membership
          • ForceChangePassword
          • Managed Security Groups
          • Exchange Windows Permissions
        • Group Policy Objects (GPOs)
        • Custom SSPs
        • PrintNightmare
      • ⭕Lateral Movement
        • RDP Password Decryption
        • RDP Session Hijacking
        • headless RDP with SharpRDP
        • Domain Shares
        • SCF File Attacks
        • Pass the Hash / Password
        • Overpass the Hash / Pass the Key
        • Pass The Ticket
        • Kerberosting / AS-REP Rosting
        • Kerberos Delegation
      • ⭕Credential Dumping
        • CredSSP / TSPKG
        • Wdigest Clear Text
        • DPAPI secrets
        • SAM & Registry
        • NTDS.dit & vshadow
        • comsvcs.dll
        • Meterpreter
        • Procdump & LSASS
        • AD User Comments
        • SYSVOL & Group Policy Preferences
        • LAPS Passwords
        • GSMA Passwords
        • HiveNightmare
        • Mimikatz Cheat sheet
        • Other Tools / Techniques
      • ⭕Persistence
        • Certificates
        • DCSync
        • DCShadow
        • Silver Ticket
        • Golden Ticket
        • Skeleton Key
        • WMI
        • PowerShell Remoting
        • Remote Registry
        • Rights Abuse
        • AdminSDHolder
        • DSRM
        • Kerberos Checksum Validation ( MS14-068 )
    • 🔴Linux
      • ⭕Physical Attacks
      • ⭕Enumeration
      • ⭕Privilege Escalation
        • SUID / SGID abuse
        • /etc/shadow & /etc/passwd
        • cron/crontab abuse
        • Sudo Abuse
        • Capabilities Abuse
        • Environment Variables
          • LD_LIBRARY_PATH
          • LD_PRELOAD
        • Shared Object Injection
        • NFS
        • man CE Pager Argument
        • MySQL UDF
        • UDEVD
        • STDIN/STDOUT
        • Unix Socket Exploitation
        • Dirty Pipe
        • Docker
          • SUID Docker
      • ⭕Lateral Movement
        • Infecting Running Processes
        • VIM Config File Keylogger
        • SSH Hijacking
        • Samba Secrets to Domain Admin
        • Hiding Processes
        • Simple User-mode Rootkits
        • Vino VNC Server
      • ⭕Credential Dumping
        • Swap Dump
        • mimipinguin
        • unshadow
        • 3snake
      • ⭕Persistence
        • Startup User File Backdoor
        • PHP Backdoor
        • Apache mod_rootme
        • Startup Service Backdoor
        • xdg Backdoor
        • rootbash SUID
        • apt Backdoor
        • Driver Backdoor
        • Core Pattern
        • dash Backdoor
        • Creating an SUID Binary
        • Systemd netcat bind shell
        • Xinetd UDP portnock
        • openSSL reverse shell
        • motd Backdoor
        • Auth Log Backdoor
        • RSYSLOG Backdoor
        • sshd Backdoor
        • VIM Config Backdoor
        • .bashrc Backdoor
        • Adding a Root user
        • Crontab Reverse Shell
        • SSH persistence password-less
      • ⭕Covering Tracks
    • 🔴Command & Control (C2)
      • ⭕Cobalt Strike
      • ⭕Metasploit
      • ⭕Empire & Starkiller
      • ⭕Covenant
    • 🔴Shells and Payloads
      • ⭕Shell Escape / Interactive Shell
      • ⭕LOL Binaries
      • ⭕msfvenom
      • ⭕SharpShooter & Ivy
      • ⭕Other Payloads
    • 🔴Payload Delivery
      • ⭕Powershell Reflective DLL Load
      • ⭕HTML Smuggling
      • ⭕Office Macros
      • ⭕DDE Auto - Word/Excel
      • ⭕.SLK Excel
      • ⭕XLM Macro 4.0
      • ⭕LNK
      • ⭕embedded OLE + LNK objects
      • ⭕JScript
      • ⭕HTA
      • ⭕VBS
      • ⭕VBA
      • ⭕RTF
      • ⭕REG
      • ⭕MSI / MSIEXEC
      • ⭕IQY
      • ⭕CHM / HHC
      • ⭕SCR
    • 🔴Pivoting
      • ⭕SSH Forwarding
      • ⭕Socat Stealth Port Forward
      • ⭕Socat Reverse Shell Relay
      • ⭕HTTP Tunneling
      • ⭕ICMP Tunneling
      • ⭕DNS Tunneling
      • ⭕Metasploit Pivoting
      • ⭕Cobalt Strike Pivoteing
      • ⭕VPN Tunneling
      • ⭕Other Tools
    • 🔴Exfiltration / File Transfer
      • ⭕Encode / Decode Files
      • ⭕TCP / UDP
      • ⭕DNS
      • ⭕SSH
      • ⭕ICMP
      • ⭕SMB
      • ⭕FTP
      • ⭕HTTP
      • ⭕Other Methods
    • 🔴Password Attacks
      • ⭕Online Attacks
      • ⭕Offline Attack
      • ⭕Word List
      • ⭕Cheat Sheet
    • 🔴Defense Evasion
      • ⭕Basic Tricks
      • 🔧Powershell Tricks
      • ⭕Disabling Defenses
      • ⭕UAC Bypass
      • ⭕Process Migration
      • ⭕Dechaining Macros
      • ⭕VBA Sandbox Evasion
      • ⭕AMSI Bypass
      • ⭕SRP & AppLocker Bypass
      • ⭕GPO Bypass
  • 📘Blue Team
    • 🔵Threat Modeling / Hunting / Intelligence
    • 🔵Linux Hardening
      • 🔹OS Security
        • Update Strategy
        • Service Management
        • Physical Security
        • Grub Hardening
        • Kernel Parameters
        • Process Isolation
      • 🔹Accounts & Passwords
        • Users & Groups
        • Password Security & Sudoers
      • 🔹Access Control & Ownership
      • 🔹File System Security
      • 🔹Integrity Check
      • 🔹Sandboxing
      • 🔹Network
      • 🔹iptables
        • Rule Sets
      • 🔹Service Hardening
        • BIND9
        • vsftpd
        • Nginx
        • Apache
        • SSH
      • 🔹System Audit
      • 🔹Logging
        • auditd
      • 🔹Encryption
    • 🔵Security Architecture
      • 🔹Layered Security
  • 🟪Purple Teaming
    • 🟣Adversary Emulation
  • 🟧programming
    • 🟠C Programming
      • 🔸Basic Structure
      • 🔸GCC Compiler
      • 🔸Preprocessors
      • 🔸Data Types
      • 🔸Type Qualifiers
      • 🔸Pointers
      • 🔸Dynamic Memory Allocation
      • 🔸Loops
      • 🔸Conditional Statements
      • 🔸Functions
      • 🔸Input / Output
      • 🔸Macros
      • 🔸Files
      • 🔸Strings Manipulation
      • 🔸Bit Manipulation
      • 🔸Data Structures
        • Arrays
        • Structures
        • Unions
      • 🔸Abstract Data Types
        • Stack
        • Queue
        • Linked List
          • Singly Linked List
          • Doubly Linked List
      • 🔸Libraries & Linking
      • 🔸Error Recovery
    • 🔧Assembly ( NASM )
      • Intel IA-32 Environment
      • Basic Structure
      • Variables and Data Types
      • Most-used Instructions
      • input / output
  • 🟫Miscellaneous
    • 🟤GNU Screen / tmux
    • 🟤SSH Tricks
    • 🟤Cats
      • netcat
      • ncat
      • pwncat
      • socat
      • 🔧powercat
    • 🟤Curl
    • 🟤Cross-compiling Binaries
Powered by GitBook
On this page
  • Introduction
  • How NTP works?
  • Checklist
  • Enumeration
  • nmap
  • metasploit modules
  1. Network attacks
  2. Network Services

NTP

PreviousLDAPNextNFS

Last updated 1 year ago

Introduction

NTP is the longest running, continuously operating, and a distributed application on the Internet. The objective of NTP is simple: to allow a client to synchronize its clock with UTC (Coordinated Universal Time, standard time scale used by most nations), and to do so with a high degree of accuracy and a high degree of stability.

NTP (currently version 4) is a combination of thr ee things; first it is a software program that runs in t he background of Windows/UNIX secondly it is a protocol th at exchanges time that is been valued between servers and cl ients and finally it is a suite of algorithms that process the time values to advance or retreat the system clock. The term NTP applies to both the protocols and the client-server programs that keep running on PCs. NTP time servers work inside the TCP/IP suite and depend on User Datagram Protocol (UDP) port 123. NTP servers are ordinarily committed NTP devices that utilize a single time reference to which they can synchronize a system.

How NTP works?

NTP timestamps are stored as seconds since January 1, 1900. 32 bits for the number of seconds, and 32 bits for the fractions of a second.

NTP assumes that the time spent on the network is the same for sending and receiving.

Enumeration

Through NTP enumeration you can gather information such as lists of hosts connected to NTP server, IP addresses, system names, and OS running on the client system in a network. All this information can be enumerated by querying NTP server.

nmap

nmap -sU -p 123 --script ntp-info [target]

The ntp-info script can extract the remote system's timestamp against the first host and a great deal of information about the second host including kernel version and ntpd version.

As expected, a misconfigured NTP server reveals version and system details among other information which can be used to search for exploits against the vulnerable host.

nmap -sU -pU:123 -Pn -n --script=ntp-monlist [target]

This can be automated by using a Metasploit auxiliary module

metasploit modules

auxiliary/scanner/ntp/ntp_monlist

This module identifies NTP servers which permit the above mentioned "monlist" queries and obtains the recent client's list. The monlist feature allows remote attackers to cause a denial of service (traf fic amplification) via spoofed requests. The more clients there ar e in the record, the higher the amplification

Checklist

📒
🟡
🟨
☑️
ℹ️
Network Time Protocol