Nmap NSE net: ntp-monlist

OPENVAS:104153
Published: Jun 01, 2011
NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH
Source: plugins.openvas.org

Obtains and prints an NTP server’s monitor data.

Monitor data is a list of the most recently used (MRU) hosts having NTP associations with the target. Each
record contains information about the most recent NTP packet sent by a host to the target, including
the source and destination addresses and the NTP version and mode of the packet. With this
information it is possible to classify associated hosts as Servers, Peers, and Clients.

A Peers command is also sent to the target and the peers list in the response allows differentiation
between configured Mode 1 Peers and clients which act like Peers (such as the Windows W32Time
service).

Associated hosts are further classified as either public or private. Private hosts are those having
IP addresses which are not routable on the public Internet and thus can help to form a picture about
the topology of the private network on which the target resides.

Other information revealed by the monlist and peers commands includes the host with which the target
clock is synchronized, and the hosts which send Control Mode (6) and Private Mode (7) commands to the
target and which may therefore be used by admins to manage the NTP service.

It should be noted that the very nature of the NTP monitor data means that the Mode 7 commands sent
by this script are themselves recorded by the target (and will often appear in these results). Since the
monitor data is an MRU list, it is probable that you can overwrite the record of the Mode 7 command
by sending an innocuous-looking Client Mode request. This can be achieved easily using Nmap:
'nmap -sU -pU:123 -Pn -n --max-retries=0 <target>'

Notes:

* The monitor list in response to the monlist command is limited to 600 associations.
* The monitor capability may not be enabled on the target, in which case you may receive an error number 4
  (No Data Available).
* There may be a restriction on who can perform Mode 7 commands (e.g. 'restrict noquery' in 'ntp.conf'),
  in which case you may not receive a reply.
* This script does not handle authentication, and targets expecting auth info may respond with error
  number 3 (Format Error).
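To make the classification the description performs concrete, here is an added Python example (not Nmap's ntp-monlist.nse and not the OpenVAS wrapper) that decodes NTP Mode 7 packets and classifies the hosts a monlist response reveals by role (Server, Peer, Client, Control Mode sender, Mode 7 sender) and by public/private address. It also recognises a Mode 7 monlist query, which is what a network monitoring rule would look for on UDP/123, and handles the error replies 3 and 4 the notes mention. Assumptions: the field layout follows ntpd's `ntp_request.h` (8-byte request header, 72-byte `info_monitor_1` items for request code 42, MON_GETLIST_1); "private" is taken to mean RFC 1918 plus loopback, link-local and ULA ranges; the Peers command that separates configured Mode 1 peers from W32Time-style clients is not implemented; all sample packets are constructed, not captured.

```python
"""Decode NTP Mode 7 (private) packets and classify the hosts a MON_GETLIST_1
response exposes.  Added example; not Nmap's ntp-monlist.nse nor the OpenVAS
wrapper.  Layout assumed from ntpd's ntp_request.h; sample packets constructed."""
import ipaddress
import struct

MON_GETLIST_1 = 42                            # request code nmap's monlist uses
ITEM_SIZE = 72                                # sizeof(struct info_monitor_1)
HDR = struct.Struct("!BBBBHH")                # rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize
ITEM_FIXED = struct.Struct("!IIIIIIIHBBII")   # first 40 bytes of an item; two in6_addr follow
ERR_NAMES = {0: "OK", 3: "Format Error", 4: "No Data Available"}
ROLES = {1: "Peer", 3: "Client", 4: "Server",
         6: "Control Mode (6) sender", 7: "Private Mode (7) sender"}
# "Private" as the description uses it: not routable on the public Internet (assumed set)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_header(pkt):
    """Decode the 8-byte header shared by Mode 7 requests and responses."""
    if len(pkt) < HDR.size:
        raise ValueError("packet shorter than the Mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack(pkt[:HDR.size])
    if rm_vn_mode & 0x07 != 7:
        raise ValueError("not a Mode 7 packet")
    return {"response": bool(rm_vn_mode & 0x80),   # R bit: reply from the server
            "more": bool(rm_vn_mode & 0x40),       # M bit: further fragments follow
            "version": (rm_vn_mode >> 3) & 0x07,
            "authenticated": bool(auth_seq & 0x80),
            "sequence": auth_seq & 0x7F,
            "implementation": impl, "request": req,
            "err": err_nitems >> 12,               # error code lives in the top 4 bits
            "nitems": err_nitems & 0x0FFF,
            "itemsize": mbz_itemsize & 0x0FFF}


def is_monlist_query(pkt):
    """Detector: True for a Mode 7 MON_GETLIST_1 request (what a monitoring rule flags)."""
    try:
        h = parse_header(pkt)
    except ValueError:
        return False
    return not h["response"] and h["request"] == MON_GETLIST_1


def is_private_addr(addr):
    return any(addr in net for net in PRIVATE_NETS)


def parse_monlist_response(pkt):
    """Decode one MON_GETLIST_1 response; error replies (e.g. 3 or 4) yield no hosts."""
    h = parse_header(pkt)
    if not h["response"] or h["request"] != MON_GETLIST_1:
        raise ValueError("not a MON_GETLIST_1 response")
    result = {"error": h["err"], "error_name": ERR_NAMES.get(h["err"], "Unknown"),
              "more": h["more"], "hosts": []}
    if h["err"]:
        return result
    if h["itemsize"] != ITEM_SIZE:
        raise ValueError("unexpected item size %d" % h["itemsize"])
    body = pkt[HDR.size:]
    for i in range(h["nitems"]):
        item = body[i * ITEM_SIZE:(i + 1) * ITEM_SIZE]
        if len(item) < ITEM_SIZE:
            raise ValueError("truncated item %d" % i)
        (_last, _first, _restr, count, addr4, daddr4, _flags, port, mode,
         version, v6_flag, _unused) = ITEM_FIXED.unpack(item[:ITEM_FIXED.size])
        if v6_flag:   # v6 entries carry their addresses in the trailing in6_addr fields
            src, dst = ipaddress.ip_address(item[40:56]), ipaddress.ip_address(item[56:72])
        else:
            src, dst = ipaddress.ip_address(addr4), ipaddress.ip_address(daddr4)
        result["hosts"].append({
            "src": str(src), "dst": str(dst), "port": port, "mode": mode, "version": version,
            "count": count, "role": ROLES.get(mode, "Other (mode %d)" % mode),
            "scope": "private" if is_private_addr(src) else "public"})
    return result


# --- constructed sample packets ---------------------------------------------
def build_item(src, dst, mode, version=4, count=1, port=123):
    """Encode one info_monitor_1 record (sample data, not a capture)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    v6 = 1 if s.version == 6 else 0
    fixed = ITEM_FIXED.pack(1000, 0, 0, count, 0 if v6 else int(s), 0 if v6 else int(d),
                            0, port, mode, version, v6, 0)
    return fixed + (s.packed if v6 else bytes(16)) + (d.packed if v6 else bytes(16))


def build_response(items, err=0):
    """0x97 = R bit set, version 2, mode 7; implementation 3; request 42."""
    return HDR.pack(0x97, 0, 3, MON_GETLIST_1, (err << 12) | len(items), ITEM_SIZE) + b"".join(items)


SAMPLE_QUERY = HDR.pack(0x17, 0, 3, MON_GETLIST_1, 0, 0) + bytes(40)   # 0x17 = version 2, mode 7
SAMPLE_RESPONSE = build_response([
    build_item("192.168.1.5", "192.168.1.1", mode=3),     # LAN client
    build_item("203.0.113.10", "192.168.1.1", mode=4),    # server the target syncs from
    build_item("198.51.100.7", "192.168.1.1", mode=7),    # the Mode 7 query itself, as the text warns
    build_item("2001:db8::5", "2001:db8::1", mode=1),     # a symmetric-active peer over IPv6
])
SAMPLE_NODATA = build_response([], err=4)                 # monitor facility disabled

if __name__ == "__main__":
    print("monlist query detected:", is_monlist_query(SAMPLE_QUERY))
    for host in parse_monlist_response(SAMPLE_RESPONSE)["hosts"]:
        print("%-15s %-8s %s" % (host["src"], host["scope"], host["role"]))
    print("error reply:", parse_monlist_response(SAMPLE_NODATA)["error_name"])
```

Run against real traffic, `is_monlist_query` is the check to put on captured UDP/123 payloads from outside the management network, and `parse_monlist_response` shows exactly what an exposed server hands out: every client address, the upstream server, and which hosts have been issuing Mode 6/7 commands. If a server you run answers with an item list rather than error 4, the monitor facility is enabled and `restrict ... noquery` (or disabling monitor) in `ntp.conf` is the fix the notes point to.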

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap_ntp_monlist_net.nasl 5505 2017-03-07 10:00:18Z teissa $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: jah
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Obtains and prints an NTP server's monitor data.

Monitor data is a list of the most recently used (MRU) having NTP associations with the target. Each
record contains information about the most recent NTP packet sent by a host to the target including
the source and destination addresses and the NTP version and mode of the packet. With this
information it is possible to classify associated hosts as Servers, Peers, and Clients.

A Peers command is also sent to the target and the peers list in the response allows differentiation
between configured Mode 1 Peers and clients which act like Peers (such as the Windows W32Time
service).

Associated hosts are further classified as either public or private. Private hosts are those having
IP addresses which are not routable on the public Internet and thus can help to form a picture about
the topology of the private network on which the target resides.

Other information revealed by the monlist and peers commands are the host with which the target
clock is synchronized and hosts which send Control Mode (6) and Private Mode (7) commands to the
target and which may be used by admins for the NTP service.

It should be noted that the very nature of the NTP monitor data means that the Mode 7 commands sent
by this script are recorded by the target (and will often appear in these results). Since the
monitor data is an MRU list, it is probable that you can overwrite the record of the Mode 7 command
by sending an innocuous looking Client Mode request. This can be achieved easily using Nmap:
'nmap -sU -pU:123 -Pn -n --max-retries=0 <target>'

Notes: * The monitor list in response to the monlist command is limited to 600 associations. * The
monitor capability may not be enabled on the target in which case you may receive an error number 4
(No Data Available). * There may be a restriction on who can perform Mode 7 commands (e.g. 'restrict
noquery' in 'ntp.conf') in which case you may not receive a reply. * This script does not
handle authenticating and targets expecting auth info may respond with error number 3 (Format
Error).";

if(description)
{
    script_id(104153);
    script_version("$Revision: 5505 $");
    script_tag(name:"last_modification", value:"$Date: 2017-03-07 11:00:18 +0100 (Tue, 07 Mar 2017) $");
    script_tag(name:"creation_date", value:"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)");
    script_tag(name:"cvss_base", value:"5.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
    script_name("Nmap NSE net: ntp-monlist");


    script_category(ACT_INIT);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE net");
    script_dependencies("nmap_nse_net.nasl");
    script_mandatory_keys("Tools/Launch/nmap_nse_net");


    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}


include("nmap.inc");

# The corresponding NSE script doesn't belong to the 'safe' category
if (safe_checks()) exit(0);

phase = 0;
if (defined_func("scan_phase")) {
    phase = scan_phase();
}

if (phase == 1) {
    # Get the preferences
    argv = make_array();


    nmap_nse_register(script:"ntp-monlist", args:argv);
} else if (phase == 2) {
    res = nmap_nse_get_results(script:"ntp-monlist");
    foreach portspec (keys(res)) {
        output_banner = 'Result found by Nmap Security Scanner (ntp-monlist.nse) http://nmap.org:\n\n';
        if (portspec == "0") {
            security_message(data:output_banner + res[portspec], port:0);
        } else {
            v = split(portspec, sep:"/", keep:0);
            proto = v[0];
            port = v[1];
            security_message(data:output_banner + res[portspec], port:port, protocol:proto);
        }
    }
}