NTP enumeration

An attacker can enumerate the following information by querying an NTP server.

  • List of hosts connected to the NTP server

  • Internal client IP addresses, hostnames and operating system used

Tools

  • ntptrace is a python script that uses the ntpq utility program to follow the chain of NTP servers from a given host back to the primary time source.

  • ntpdc queries the NTP daemon about its current state and to request changes in the state.

  • ntpq monitors NTP daemon NTPD operations and determines performance.

Remediation

  • Restrict the usage of NTP and enable the use of NTPSec, where possible.

  • Filter the traffic with IPTables.

  • Enable logging for the messages and events.


Last update: 2025-05-19 17:27