NTP
Network Time Protocol on 123/udp. Leaks system and peer info; misconfigured daemons answer monlist queries, which enables traffic amplification. In AD, correct time is a hard requirement for Kerberos.
Ports
| Port | Proto | Notes |
|---|---|---|
| 123 | udp | NTP |
Fingerprint
- nmap ntp-info / ntp-monlist scripts get a response
- ntpq returns peer and system variables
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2013-5211 | monlist amplification DoS |
Exploitation primitives
- ntpq/ntpdc leak OS, peers and internal hostnames (recon)
- monlist returns the last 600 clients — amplification and internal host discovery
- Sync your clock to the DC's NTP before Kerberos attacks (KRB_AP_ERR_SKEW)
Overview
NTP on 123/udp keeps clocks in sync. For us it’s a recon source (system/peer info, internal hosts) and — crucially in AD — the reason Kerberos fails when your clock skews more than 5 minutes.
Enumeration
Read system + peer variables:
ntpq -c readlist <TARGET>
List peers:
ntpq -p <TARGET>
nmap info + monlist:
nmap -sU -p123 --script ntp-info,ntp-monlist <TARGET>
Query monlist (internal host discovery / amplification check):
ntpdc -n -c monlist <TARGET>
Sync time for Kerberos
sudo ntpdate <DC_IP>
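Worked example of the skew check behind that step, added here and not part of the original page: it parses an NTPv4 server reply in the RFC 5905 layout, derives the clock offset and round-trip delay from the four timestamps, and reports whether the offset sits inside the 5-minute Kerberos tolerance that produces KRB_AP_ERR_SKEW when exceeded. The reply packet, its timestamps and the `GPS` reference id are constructed so the code runs offline; a real client would send a 48-byte mode 3 request to 123/udp and hand the bytes it receives to `parse_reply` together with its own send and receive times.

```python
"""Compute NTP clock offset from a server reply and compare it with the
Kerberos clock-skew tolerance. Added example with a constructed packet."""
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
KERBEROS_MAX_SKEW = 300       # default clockskew (seconds) in MIT Kerberos and AD


def to_ntp_ts(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    ntp = unix_time + NTP_UNIX_DELTA
    secs = int(ntp)
    frac = int(round((ntp - secs) * (1 << 32)))
    if frac == 1 << 32:          # rounding carried into the seconds field
        secs, frac = secs + 1, 0
    return struct.pack("!II", secs, frac)


def from_ntp_ts(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp to Unix time (float seconds)."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Construct a 48-byte NTPv4 mode-4 (server) reply for offline testing.

    t1: origin timestamp echoed from the client request (client clock)
    t2: receive timestamp and t3: transmit timestamp (server clock)
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4             # LI=0, VN=4, Mode=4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    root_delay = root_dispersion = b"\x00\x00\x00\x00"
    ref_id = b"GPS\x00"                                # constructed reference identifier
    reference_ts = to_ntp_ts(t2 - 1.0)                 # time of last sync, constructed
    return (header + root_delay + root_dispersion + ref_id
            + reference_ts + to_ntp_ts(t1) + to_ntp_ts(t2) + to_ntp_ts(t3))


def parse_reply(packet: bytes, t1: float, t4: float) -> dict:
    """Validate a server reply and derive offset/delay per RFC 5905.

    t1 is the client clock when the request left, t4 the client clock when
    the reply arrived; t2 and t3 are read from the packet.
    """
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum = packet[0], packet[1]
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 0x7, li_vn_mode & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        # Kiss-o'-Death: the server refused (e.g. RATE); the ref id carries the code.
        raise ValueError(f"kiss-o'-death reply: {packet[12:16]!r}")
    if packet[24:32] != to_ntp_ts(t1):
        # A genuine reply echoes our transmit timestamp; a mismatch means a
        # stale or off-path spoofed packet, which must not move the clock.
        raise ValueError("origin timestamp does not match our request")
    t2 = from_ntp_ts(packet[32:40])
    t3 = from_ntp_ts(packet[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2      # our clock is behind (+) or ahead (-) by this much
    delay = (t4 - t1) - (t3 - t2)             # network round trip with server processing removed
    return {
        "version": version,
        "stratum": stratum,
        "synchronized": leap != 3,            # LI=3: the server's own clock is unsynchronized
        "offset": offset,
        "delay": delay,
        "kerberos_ok": abs(offset) <= KERBEROS_MAX_SKEW,
    }


if __name__ == "__main__":
    # Constructed exchange: the server clock is 7 minutes ahead of ours and
    # the network adds about 10 ms each way.
    T1 = 1700000000.0
    reply = build_server_reply(T1, T1 + 420.010, T1 + 420.011)
    result = parse_reply(reply, T1, T1 + 0.021)
    print(f"offset {result['offset']:+.3f}s delay {result['delay']:.3f}s "
          f"kerberos_ok={result['kerberos_ok']}")
```

The origin-timestamp comparison is the check that keeps a stale or spoofed reply from moving the clock, and the 300 s threshold is the default tolerance; a realm that has lowered it needs the constant adjusted.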
Hardening
Restrict queries (restrict default noquery), disable monlist (disable monitor), and patch the daemon.
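An added audit of those settings, not code from the original page: it embeds a constructed pre-hardening ntp.conf beside its hardened counterpart and checks the `restrict default` flags and the `disable monitor` directive. `noquery` refuses mode 6/7 control queries (ntpq, ntpdc and therefore monlist) while still serving time; `disable monitor` stops ntpd keeping the recent-client list that monlist would return (ntpd 4.2.7p26 and later ship with it disabled). `nomodify` is checked as well since it is the flag that refuses remote runtime reconfiguration. Paths and server names in both configs are constructed placeholders.

```python
"""Audit ntp.conf for the query-exposure settings behind monlist abuse.
Added example; both configs below are constructed, not from any real host."""
from __future__ import annotations

# Typical pre-hardening config: any host may query, and the monitor facility
# is left at the older ntpd default of enabled.
WEAK_NTP_CONF = """\
# /etc/ntp.conf (constructed example)
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap
restrict 127.0.0.1
"""

# The same config with the hardening from the page applied.
HARDENED_NTP_CONF = """\
# /etc/ntp.conf (constructed example)
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""


def parse_ntp_conf(text: str) -> list[list[str]]:
    """Split ntp.conf into token lists, dropping comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def default_restrict_flags(directives: list[list[str]]) -> set[str] | None:
    """Union of flags on 'restrict default' lines (plain, -4 and -6 forms); None if absent."""
    flags = None
    for d in directives:
        if d[0] != "restrict":
            continue
        args = [a for a in d[1:] if a not in ("-4", "-6")]
        if args and args[0] == "default":
            flags = (flags or set()) | set(args[1:])
    return flags


def monitor_disabled(directives: list[list[str]]) -> bool:
    """True if some 'disable ...' directive names monitor (disable accepts several flags)."""
    return any(d[0] == "disable" and "monitor" in d[1:] for d in directives)


def audit_ntp_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    directives = parse_ntp_conf(text)
    findings = []
    flags = default_restrict_flags(directives)
    if flags is None:
        findings.append("no 'restrict default' line: any host may send mode 6/7 queries (ntpq, ntpdc, monlist)")
    else:
        if "noquery" not in flags:
            findings.append("'restrict default' lacks noquery: ntpq/ntpdc queries (incl. monlist) answered for everyone")
        if "nomodify" not in flags:
            findings.append("'restrict default' lacks nomodify: remote runtime configuration changes accepted")
    if not monitor_disabled(directives):
        findings.append("'disable monitor' missing: ntpd keeps the recent-client list that monlist returns")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(f"[{name}]")
        for finding in audit_ntp_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a host's own `/etc/ntp.conf` by passing the file contents to `audit_ntp_conf`; the constructed weak config yields two findings (missing `noquery`, monitor not disabled) and the hardened one none. Patching the daemon, the third item above, is not visible in the config and still needs a version check.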