Network Penetration Testing

NTP Mode 6 Vulnerabilities


NTP services which respond to “Mode 6” queries are inherently vulnerable to amplification attacks. Amplification attacks occur when an attacker can use a small amount of network resources to consume a disproportionately larger amount of resources on the victim network. Two common Mode 6 vulnerabilities exist:

  1. Mode 6 Amplification Attacks
  2. Mode 6 Information Disclosure

Mode 6 Amplification Attacks

Mode 6 allows a client to use a small query to cause the server to respond with a large response. On its own this behaviour is not abnormal; web clients cause the same thing all the time. But NTP communicates over UDP, not TCP.

Since UDP is a stateless protocol, the source address of a packet can easily be forged. The behaviour above becomes considerably more impactful if multiple hosts send Mode 6 queries with the source IP spoofed to that of a victim: every small query causes the NTP server to send its much larger reply to the victim, so an attacker needs little bandwidth of their own to direct a substantial volume of traffic at the victim IP.

Mode 6 Information Disclosure

Mode 6 queries (for example a readvar request) can often be used to obtain system information such as the NTP daemon version, the processor architecture and the operating system and kernel version.
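To make both Mode 6 issues concrete, here is an added example (not part of the original article, written in Python for illustration) that decodes the NTP control-message header from captured UDP/123 traffic and flags queries the server answered with far more bytes than it received. The packet builder, the IP addresses and the variable text are constructed sample data modelled on the nmap output shown later on the page.

```python
import struct
from dataclasses import dataclass
NTP_MODE_CONTROL = 6                      # value of the 3-bit mode field for NTP control ("Mode 6") messages
OPCODE_NAMES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK"}

@dataclass
class ControlHeader:
    version: int
    opcode: int
    is_response: bool                     # R bit: set on replies, clear on queries
    count: int                            # bytes of variable data that follow the 12-byte header

def parse_control_header(pkt: bytes):
    """Decode the fixed 12-byte NTP control header; return None if pkt is not a Mode 6 packet."""
    if len(pkt) < 12:
        return None
    first, second, _seq, _status, _assoc, _offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    if first & 0x07 != NTP_MODE_CONTROL:  # low 3 bits of byte 0 carry the mode
        return None
    return ControlHeader(version=(first >> 3) & 0x07, opcode=second & 0x1F,
                         is_response=bool(second & 0x80), count=count)

def amplification_factor(request: bytes, responses) -> float:
    # bytes the server emits per byte it receives, for one query and all of its reply packets
    return sum(len(r) for r in responses) / len(request)

def flag_mode6_amplifiers(flows, threshold=5.0):
    """flows: iterable of (client_ip, server_ip, request_bytes, [response_bytes, ...]).
    Returns (server_ip, client_ip, opcode, factor) for Mode 6 queries answered with >= threshold x the bytes."""
    alerts = []
    for client, server, req, resps in flows:
        hdr = parse_control_header(req)
        if hdr is None or hdr.is_response:
            continue
        factor = amplification_factor(req, resps)
        if factor >= threshold:
            alerts.append((server, client, OPCODE_NAMES.get(hdr.opcode, hdr.opcode), round(factor, 1)))
    return alerts

def build_control_packet(opcode, response, seq, payload=b""):
    """Constructed helper for the sample data below: frame an NTPv2 Mode 6 packet the way ntpq does."""
    second = (0x80 if response else 0) | (opcode & 0x1F)
    return struct.pack("!BBHHHHH", (2 << 3) | NTP_MODE_CONTROL, second, seq, 0, 0, 0, len(payload)) + payload

# Constructed sample flow: a 12-byte READVAR query and a reply carrying variables like those in the nmap output.
SAMPLE_REQUEST = build_control_packet(2, False, 1)
SAMPLE_RESPONSE = build_control_packet(2, True, 1, (
    b'version="ntpd 4.2.6p2@1.2194 Mon Jun 24 12:37:15 UTC 2013 (79)", processor="x86_64",\r\n'
    b'system="Linux/2.6.99.99", leap=3, stratum=16, precision=-21, rootdispersion=3286057.565, refid=INIT\r\n'))
SAMPLE_FLOWS = [("203.0.113.5", "192.0.2.10", SAMPLE_REQUEST, [SAMPLE_RESPONSE])]
```

Run over real captures, the same query classification also tells you which hosts are leaking version and kernel strings, since those travel in the READVAR reply payload.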

Network Time Protocol (NTP) Mode 6 Scanner

Vulnerability scanners will often raise this issue as medium risk. We agree with this assessment, with the exception of internal networks. Since the likelihood of exploitation on an internal network is significantly lower, we rate this issue as low risk there.

The vulnerability can be confirmed with the following nmap command:

$ sudo nmap -Pn -sU -p123 --script ntp-info -n {host}

A response similar to the following shows that the server answers Mode 6 queries:

PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2021-06-10T16:34:52
|   version: ntpd 4.2.6p2@1.2194 Mon Jun 24 12:37:15 UTC 2013 (79)
|   processor: x86_64
|   system: Linux/2.6.99.99
|   leap: 3
|   stratum: 16
|   precision: -21
|   rootdelay: 0.000
|   rootdispersion: 3286057.565
|   peer: 0
|   refid: INIT
|   reftime: 0x00000000.00000000
|   poll: 3
|   clock: 0xe3c51e85.3c189ffa
|   offset: 0.000
|   frequency: 0.000
|   noise: 0.000
|   jitter: 0.000
|_  stability: 0.000\x0D
Service Info: OS: Linux/2.6.99.99

Remediation of Mode 6 Vulnerabilities

The easiest and most common way to remediate this issue is by firewalling NTP. Unless external clients genuinely need to reach the NTP service from the public internet, it is best to remove the attack surface entirely by firewalling the service or disabling it.

NTP on IOS

When NTP is configured on IOS, the device answers NTP requests on all interfaces by default.

Solution 1: Disable NTP Completely

To disable NTP completely, apply the following command in interface configuration mode on each interface:

ntp disable

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp1510820932

Solution 2: Restrict NTP via Access Controls

ntp access-group { peer | query-only | serve | serve-only } { access-list-number | access-list-number-expanded | access-list-name }

The serve-only form permits time requests but not control queries, so it allows the device to keep serving time to the hosts in the access list while Mode 6 queries are denied.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810

References

The full NTP Mode 6 specification can be found here: https://docs.ntpsec.org/latest/mode6.html
