The intertubes have been humming lately around a certain NTP feature to gather lists of NTP servers' clients and it naturally grabbed our attention. The humming was started by HD Moore recently where he revealed that it is possible to query NTP servers to get lists of addresses and using the information for fun and profit. He also mentioned that he will be releasing a paper describing all this and how he can create a sizable DDOS using NTP, without giving too much detail about it.
Some quick research into NTP(from ww.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program eg. 'ntpdc target.ntp.server'. Some of these commands include:
Playing around: So, this command allows you to get the last 600 IPs that make requests to a NTP server (well, sortof). The ntpdc program is limited to 400 IPs and because of that limitation we whipped up a util for everyone to play with and modify which is attached. The information gathered using this method (as far as we can see) is not worth much except for being interesting. And very interesting in deed as we have noted towards the end of this post. We proceeded to examine the South African time servers since we depend on them and since we are always interested in the South African Internet and security landscape. One can get a list of (some) South African NTP servers at time.org.za which we used for this post. All except 3 or so allow the monlist command. Using Maltego we added all the servers from time.org.za and ran the script as a local transform on them which produced these:
These two images are different views of the NTP servers and their clients from one run. In the first image you can clearly see each NTP server(centers of those circles) with its unique clients forming a circle around it. The clients that query from more than one of the servers you can see as the mush in the center of the image. The second image shows which clients use more than one ntp server in a slightly more visible manner. The larger the sphere the more servers the clients get their time from. One can also see which NTP servers are more secluded. As Moore mentioned, NTP servers will divulge even their internal network clients. This is also the case with some major NTP servers in South Africa. Some are showing tens of private IPs which for some individuals/companies may be a serious information leak.
Have data, what now? The most immediate application of this method will probably be more revealing footprinting exercises. For example:
Have tool, will play nicely Attached are the monlist query script written in Python and the Maltego graph used in the example above. Just run ‘python ntp_monlist.py target_server' and wait 7-10 seconds(With default timeout and tries). If you dont receive close to 600 addresses then either your connection is too slow or the target server is not busy/popular enough. The script can act as a local transform for Maltego by changing the OUTPUT_FORMAT variable close to the top. You will need to set the speed/accuracy <---> #results slider to the far right for all results. If anyone has an idea on how to use this info better please drop a comment below.
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now Footprinting is obviously dear to our hearts, with 3 Blackhat talks on it (or applications of it) ("Automation - Deus ex Machina or Rube Goldberg Machine?", "Putting The Tea Back Into CyberTerrorism", "The Role of Non Obvious Relationships in the Foot Printing Process"), a commercial tool almost dedicated to it, and a full blown chapter on it in Open Source Penetration Testing by charl and gareth. Footprinting is a genuinely important part of a companies security assessment, cause it doesn't matter if they have multi-layer firewalls and WAF's protecting the web app on their www.company.com, and an old barely used sql-injectable form on their community.company.com site that lets you grab SA on their SQL server anyway.. (Now that the shameless self promotion is over..) i wanted to touch on an interesting aspect of webserver discovery that is often skipped, and thats the issue of multiple websites running as name based virtual hosts on the same web-server. There was a time (not so long ago) when all of the popular scanning tools, failed to take into account that scanning 126.96.36.199 was not the same as scanning www.sensepost.com (or hackrack.sensepost.com which happens to be on the same ip address).
Quick Virtual Host Refresher:
An HTTP/1.1 compliant browser (you will struggle to find one that is not) sends along an additional required field when requesting a website, the Host: header.
So.. while a GET on our website looked like this using HTTP/1.0:
haroon$ telnet www.sensepost.com 80 Trying 188.8.131.52... Connected to www.sensepost.com. Escape character is '^]'. GET / HTTP/1.0This allows the web-server to correctly route the request to the name based virtual host running on it.What should be obviously apparent is that in the above example, attacking 184.108.40.206 != attacking www.sensepost.com != attacking hackrack.sensepost.com
HTTP/1.1 200 OK With HTTP/1.1 you also have to specify a host-header:
haroon$ telnet www.sensepost.com 80 Trying 220.127.116.11... Connected to www.sensepost.com. Escape character is '^]'. GET / HTTP/1.1 Host: www.sensepost.com
HTTP/1.1 200 OK
There is every possibility that a highly vulnerable CGI exists on www.sensepost.com/scripts/vuln.cgi which will not exist under 18.104.22.168/scripts/vuln.cgi or hackrack.sensepost.com/scripts/vuln.cgi
So.. 3 quick tips on this..