maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-ntp.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-07-10 09:32:39 +00:00
parent c9bdbf5131
commit 6680d6e43d
1 changed files with 143 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
src/network-services-pentesting/pentesting-ntp.md
View File

@ -4,59 +4,154 @@
## Basic Information
**Network Time Protocol (NTP)** inahakikisha kwamba kompyuta na vifaa vya mtandao katika mitandao yenye latensi tofauti zinaweza kusawazisha saa zao kwa usahihi. Ni muhimu kwa kudumisha usahihi wa wakati katika operesheni za IT, usalama, na uandishi wa kumbukumbu. Usahihi wa NTP ni muhimu, lakini pia unatoa hatari za usalama ikiwa hautasimamiwa vizuri.
**Network Time Protocol (NTP)** inahakikisha kwamba kompyuta na vifaa vya mtandao katika mitandao yenye latensi tofauti zinaweza kusawazisha saa zao kwa usahihi. Ni muhimu kwa kudumisha usahihi wa wakati katika operesheni za IT, usalama, na uandishi wa kumbukumbu. Kwa sababu wakati unatumika katika karibu kila uthibitisho, crypto-protocol na mchakato wa uchunguzi, **mshambuliaji ambaye anaweza kuathiri NTP mara nyingi anaweza kupita udhibiti wa usalama au kufanya mashambulizi kuwa magumu kuchunguza.**
### Summary & Security Tips:
### Summary & Security Tips
- **Purpose**: Inasawazisha saa za vifaa kupitia mitandao.
- **Importance**: Muhimu kwa usalama, uandishi wa kumbukumbu, na operesheni.
- **Importance**: Muhimu kwa usalama, uandishi wa kumbukumbu, crypto-protocols na mifumo iliyosambazwa.
- **Security Measures**:
- Tumia vyanzo vya NTP vilivyoaminika na uthibitisho.
- Punguza upatikanaji wa mtandao wa seva za NTP.
- Fuatilia usawazishaji kwa dalili za kuingilia kati.
- Tumia vyanzo vya NTP au NTS (Network Time Security) vilivyoaminika na uthibitisho.
- Punguza nani anaweza kuuliza/kutoa amri kwa daemon (``restrict default noquery``, ``kod`` n.k.).
- Zima maswali ya udhibiti ya Mode-6/7 ya zamani (``monlist``, ``ntpdc``) au punguza kiwango chao.
- Fuata mabadiliko ya usawazishaji/halisi ya sekunde za kuruka kwa udanganyifu.
- Hifadhi daemon ikisasishwa (angalia CVEs za hivi karibuni hapa chini).
**Default ports**
```
123/udp NTP (data + legacy control)
4460/tcp NTS-KE (RFC 8915) TLS key-establishment for NTP
```
**Default port:** 123/udp
```
PORT STATE SERVICE REASON
123/udp open ntp udp-response
```
---
## Uhesabu
```bash
ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS>
ntpdc -c listpeers <IP_ADDRESS>
ntpdc -c sysinfo <IP_ADDRESS>
```
### Klasiki ntpd / ntpq / ntpdc
```bash
# Information & variables
ntpq -c rv <IP>
ntpq -c readvar <IP>
ntpq -c peers <IP>
ntpq -c associations <IP>
# Legacy mode-7 (often disabled >=4.2.8p9)
ntpdc -c monlist <IP>
ntpdc -c listpeers <IP>
ntpdc -c sysinfo <IP>
```
### chrony / chronyc (katika usambazaji wa kisasa wa Linux)
Ni amri chache tu za ufuatiliaji zinazokubaliwa kutoka kwa IP za mbali wakati ``cmdallow`` imewezeshwa:
```bash
chronyc -a -n tracking -h <IP>
chronyc -a -n sources -v -h <IP>
chronyc -a -n sourcestats -h <IP>
```
Tazama ukurasa wa mtu wa chronyc kwa maana ya bendera za **M/S** na maeneo mengine (stratum, reach, jitter, nk.).
### Nmap
```bash
# Safe discovery & vuln detection
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>
# Explicit monlist check
nmap -sU -p123 --script ntp-monlist <IP>
```
## Examine configuration files
- ntp.conf
## NTP Amplification Attack
[**How NTP DDoS Attack Works**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref)
The **NTP protocol**, using UDP, allows for operation without the need for handshake procedures, unlike TCP. This characteristic is exploited in **NTP DDoS amplification attacks**. Here, attackers create packets with a fake source IP, making it seem as if the attack requests come from the victim. These packets, initially small, prompt the NTP server to respond with much larger data volumes, amplifying the attack.
The _**MONLIST**_ command, despite its rare use, can report the last 600 clients connected to the NTP service. While the command itself is simple, its misuse in such attacks highlights critical security vulnerabilities.
### Skanningi kwa Wingi/Intaneti
```bash
ntpdc -n -c monlist <IP>
# Check if MONLIST is enabled (zgrab2 module)
zgrab2 ntp --monlist --timeout 3 --output-file monlist.json -f "zmap_results.csv"
```
## Shodan
---
## Kagua faili za usanidi
- `ntp`
- ``/etc/ntp.conf`` (ntpd)
- ``/etc/chrony/chrony.conf`` (chrony)
- ``/etc/systemd/timesyncd.conf`` (timesyncd mteja pekee)
## HackTricks Automatic Commands
Zingatia kwa makini mistari ya ``restrict``, mipangilio ya ``kod`` (Kiss-o'-Death), ``disable monitor``/``includefile /etc/ntp/crypto`` na ikiwa *NTS* imewezeshwa (``nts enable``).
---
## Uthibitisho wa Hivi Karibuni (2023-2025)
| Mwaka | CVE | Kipengele | Athari |
|------|-----|-----------|--------|
| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Maandishi mengi ya nje ya mipaka yanayoweza kufikiwa kupitia majibu ya **ntpq**. Patch katika **4.2.8p16** 🡒 sasisha au rudisha marekebisho. citeturn1search1turn1search2turn1search0|
| 2023 | **CVE-2023-33192** | **ntpd-rs** (uteuzi wa Rust) | Keki ya **NTS** isiyo sahihi husababisha **DoS** ya mbali kabla ya v0.3.3 inahusisha bandari 123 hata wakati NTS **imezimwa**. citeturn4view0|
| 2024 | sasisho za distro | **chrony 4.4 / 4.5** uimarishaji wa usalama kadhaa & marekebisho ya NTS-KE (mfano SUSE-RU-2024:2022) citeturn2search2|
| 2024 | Rekodi ya DDoS | Cloudflare inaripoti shambulio la **5.6 Tbps UDP reflection** (NTP miongoni mwa protokali zinazotumika). Hifadhi *monitor* & *monlist* zimezimwa kwenye mwenyeji wanaokabiliwa na Mtandao. citeturn5search0|
> **Vifaa vya kuendeleza**: Mifano ya uthibitisho wa dhana kwa mfululizo wa 2023 ntpq OOB-write iko kwenye GitHub (ona andiko la Meinberg) na inaweza kutumika kama silaha kwa uvuvi wa upande wa mteja wa wasimamizi wa mifumo. citeturn1search4
---
## Mashambulizi ya Juu
### 1. NTP Amplification / Reflection
Swali la zamani la Mode-7 ``monlist`` linarejesha hadi **600 anwani za mwenyeji** na bado lipo kwenye maelfu ya mwenyeji wa Mtandao. Kwa sababu ya jibu (428-468 bytes/entry) ni *~ 200×* kubwa kuliko ombi la byte 8, mshambuliaji anaweza kufikia viwango vya kuimarisha vya tarakimu tatu. Mipango ya kupunguza:
- Sasisha hadi ntp 4.2.8p15+ na **ongeza** ``disable monitor``.
- Punguza kiwango cha UDP/123 kwenye ukingo au wezesha *sessions-required* kwenye vifaa vya DDoS.
- Wezesha *BCP 38* uchujaji wa kutoka kuzuia udanganyifu wa chanzo.
Tazama makala ya kituo cha kujifunza cha Cloudflare kwa muhtasari wa hatua kwa hatua. citeturn5search1
### 2. Mashambulizi ya Muda-Kuhamishwa / Kuchelewesha (utafiti wa Khronos / Chronos)
Hata na uthibitisho, mshambuliaji aliye kwenye njia anaweza kimya kimya **kuhamasisha saa ya mteja** kwa kuangusha/kuchelewesha pakiti. Rasimu ya IETF **Khronos (zamani Chronos)** inapendekeza kuuliza seti tofauti ya seva kwa nyuma na kuangalia matokeo ili kugundua mabadiliko > 𝚡 ms. Chrony ya kisasa (4.4+) tayari inatekeleza chujio kama hicho cha akili (``maxdistance`` / ``maxjitter``). citeturn9search1
### 3. Unyanyasaji wa NTS & 4460/tcp kufichuliwa
NTS inahamisha crypto nzito kwenye **kanali ya TLS 1.3 kwenye 4460/tcp** (``ntske/1``). Utekelezaji mbaya (ona CVE-2023-33192) unakufa wakati wa kuchambua keki au kuruhusu cipher dhaifu. Wapimaji wa usalama wanapaswa:
```bash
# TLS reconnaissance
nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>
# Grab banner & ALPN
openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof
```
Protocol_Name: NTP #Protocol Abbreviation if there is one.
Port_Number: 123 #Comma separated if there is more than one.
Protocol_Description: Network Time Protocol #Protocol Abbreviation Spelled out
Tafuta vyeti vilivyojitegemea au vilivyokwisha muda na cipher-suites dhaifu (non-AEAD). Kumbukumbu: RFC 8915 §4. citeturn11search0
---
## Kuimarisha / Mbinu Bora za Sasa (BCP-233 / RFC 8633)
*Opereta WANAPASWA:*
1. Tumia **≥ 4** vyanzo huru, tofauti vya muda (mabwawa ya umma, GPS, PTP-bridges) ili kuepuka sumu ya chanzo kimoja.
2. Washa ``kod`` na ``limited``/``nomodify`` vizuizi ili wateja wanaotumia vibaya wapokee pakiti za **Kiss-o'-Death** za mipaka ya kiwango badala ya majibu kamili.
3. Fuata kumbukumbu za daemon kwa matukio ya **panic** au marekebisho ya hatua > 1000 s. (Saini za shambulio kwa mujibu wa RFC 8633 §5.3.)
4. Fikiria **leap-smear** ili kuepuka kukosekana kwa sekunde za leap, lakini hakikisha *wateja wote* wa chini wanatumia dirisha sawa la smear.
5. Hifadhi polling ≤24 h ili bendera za sekunde za leap zisikosewe.
Tazama RFC 8633 kwa orodha kamili. citeturn8search0turn8search1
---
## Shodan / Censys Dorks
```
port:123 "ntpd" # Version banner
udp port:123 monlist:true # Censys tag for vulnerable servers
port:4460 "ntske" # NTS-KE
```
---
## Vyombo vya Kazi
| Chombo | Kusudi | Mfano |
|--------|--------|-------|
| ``ntpwn`` | Wrapper ya script-kiddie kutekeleza maswali ya monlist & peers | ``python ntpwn.py --monlist targets.txt`` |
| **zgrab2 ntp** | Skanning ya wingi / Matokeo ya JSON ikiwa na bendera ya monlist | Tazama amri hapo juu |
| ``chronyd`` na ``allow`` | Endesha seva ya NTP isiyo halali katika maabara ya pentest | ``chronyd -q 'server 127.127.1.0 iburst'`` |
| ``BetterCap`` | Ingiza pakiti za NTP kwa ajili ya MITM ya mabadiliko ya wakati kwenye Wi-Fi | ``set arp.spoof.targets <victim>; set ntp.time.delta 30s; arp.spoof on`` |
---
## Amri za Kiotomatiki za HackTricks
```
Protocol_Name: NTP
Port_Number: 123
Protocol_Description: Network Time Protocol
Entry_1:
Name: Notes
@ -71,4 +166,17 @@ Name: Nmap
Description: Enumerate NTP
Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP}
```
{{#include ../banners/hacktricks-training.md}}
---
## Marejeleo
- RFC 8915 *Usalama wa Wakati wa Mtandao kwa Protokali ya Wakati wa Mtandao* (bandari 4460) citeturn11search0
- RFC 8633 *Protokali ya Wakati wa Mtandao BCP* citeturn8search0
- Ripoti ya DDoS ya Cloudflare 2024 Q4 (5.6 Tbps) citeturn5search0
- Makala ya Cloudflare *Shambulio la Kuongeza NTP* citeturn5search1
- NTP 4.2.8p15 mfululizo wa CVE 2023-04 citeturn1search4
- Kuingia kwa NVD **CVE-2023-2655155**, **CVE-2023-33192** citeturn1search1turn1search2turn1search0turn4view0
- Sasisho la usalama la SUSE chrony 2024 (chrony 4.5) citeturn2search2
- Rasimu ya Khronos/Chronos (kupunguza mabadiliko ya wakati) citeturn9search1
- Mwongozo wa chronyc/mifano kwa ufuatiliaji wa mbali citeturn3search0turn10search1
- Nyaraka za moduli ya ntp ya zgrab2 citeturn7search0
{{#include /banners/hacktricks-training.md}}