Summary

  • Network Time Protocol (NTP) is used to synchronise time on servers and networking devices, but misconfigured instances can provide information that can be used in a cyber attack.
  • Attackers can obtain IP addresses, system uptime, hostnames and network topology by using commands including ntpq, ntpdc and monlist, the latter of which can provide the last 600 IP addresses that have queried the server.
  • The NTP monlist amplification attack was discovered in 2013, but many instances are still unsecured, which leaves enterprises open to cyber attacks.
  • NTP abuse is a method of cyber attack that allows the attacker to stealthily conduct network reconnaissance.
  • Security experts have warned that cyber criminals could use NTP to map network infrastructures and help them understand what systems and devices they could target.
  • It could also help them determine what vulnerabilities exist, which could then be used in an attack.
  • Red teamers and pentesters should understand the potential of NTP abuse, while defenders should concentrate on putting protective measures in place.
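
For defenders, the exposure described above comes down to whether an ntpd instance answers ntpq/ntpdc queries from arbitrary hosts and whether its monitoring facility (the source of monlist data) is left on. The following is an added example, not code from the original article: a small audit of an ntp.conf file for those two settings. The sample configurations and finding names are constructed for illustration.

```python
def audit_ntp_conf(text):
    """Return finding codes for an ntpd configuration supplied as text."""
    monitor_enabled = True      # ntpd's monitoring facility defaults to enabled
    default_lines = []          # flag sets of each 'restrict default' line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(tokens) < 2:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            if args[0] in ("-4", "-6"):         # optional address-family flag
                args = args[1:]
            if args and args[0] == "default":
                default_lines.append(set(args[1:]))
    findings = []
    if monitor_enabled:
        findings.append("monitor-enabled")       # monlist data is being collected
    if not default_lines:
        findings.append("no-default-restrict")   # no access restrictions at all
    elif any(not ({"noquery", "ignore"} & flags) for flags in default_lines):
        findings.append("default-allows-query")  # ntpq/ntpdc answered for any host
    return findings

# Constructed sample: time service works, but queries are open to everyone.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap   # still answers ntpq/ntpdc
restrict 127.0.0.1
"""

# Constructed sample: same service with monitoring off and queries refused
# by default; only localhost keeps query access.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

The audit reads the configuration file only; it does not confirm what a running daemon actually answers on the network.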

By Aenosh Rajora
