The intertubes have been humming lately around a certain NTP feature to gather lists of NTP servers' clients and it naturally grabbed our attention. The humming was started by HD Moore recently where he revealed that it is possible to query NTP servers to get lists of addresses and using the information for fun and profit. He also mentioned that he will be releasing a paper describing all this and how he can create a sizable DDOS using NTP, without giving too much detail about it.

Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program e.g. ntpdc target.ntp.server. Some of these commands include:

A lesser known command, that we will be focusing on, is called monlist which, via the ntpdc program's help, is described as display data the server's monitor routines have collected. Not what one might expect from a diagnostic function which will provide you with the last 600 addresses of clients who accessed the NTP server. Finding this function was relatively quick to do after we started analysing the source code available from www.ntp.org.

You can download the monlist query script written in Python here. Just run python ntp_monlist.py target_server and wait 7-10 seconds (with default timeout and retries). If you don't receive close to 600 addresses then either your connection is too slow or the target server is not busy/popular enough. The script can act as a local transform for Maltego by changing the OUTPUT_FORMAT variable close to the top. You will need to set the speed/accuracy <---> #results slider to the far right for all results.

You can learn more from our original blog post.

Source code available at GitHub.