Port 123 – NTP (Network Time Protocol)

  • Service: ntpd, chronyd
  • Protocol: UDP
  • Port: 123
  • Used for: Time synchronization across devices on a network

Why It’s Open

NTP is one of those services you often find open on infrastructure devices, especially servers, routers, and domain controllers. Accurate timekeeping is essential for log correlation, authentication protocols (e.g., Kerberos), scheduled tasks, and even certificate validation.

Common Risks

Although NTP might seem harmless, leaving it exposed - especially to the public internet - can lead to:

  • **NTP Amplification Attacks:** Used in DDoS attacks. A small request from an attacker leads to a large response from the NTP server, overwhelming a target.
  • **Information Disclosure:** Misconfigured NTP servers can leak version info, system uptime, and internal IPs.
  • **Spoofing/Time Shifting:** Manipulating NTP responses can desynchronize systems, breaking logs or authentication.

Enumeration & Testing

Check if it’s open

```
nmap -sU -p 123 <target>
nmap -sU -p 123 --script=ntp-info <target>
```

Use ntpdate to query

```
ntpdate -q <target>
```

NTP monlist abuse check

Some legacy servers still support the vulnerable monlist command.

```
ntpdc -n -c monlist <target>
```

If the server responds with a list of recent clients, it’s vulnerable to abuse.

What to Look For

| Checkpoint | What it means |
| --- | --- |
| monlist available | Vulnerable to amplification |
| Public NTP exposed | Should not be internet-facing |
| Outdated ntpd | May be vulnerable to CVEs |
| Leaking version info | Enables fingerprinting & targeting |

Known Exploits

  1. CVE-2013-5211

The monlist feature in ntpd allows remote attackers to cause a denial of service (traffic amplification) via forged requests, exploited in the wild in December 2013.

🔗 NVD Entry

🔗 CISA Advisory

Mitigation

  • Block UDP/123 from external networks using firewall rules.
  • Use authenticated NTP (e.g., with symmetric keys or Autokey) for sensitive systems.
  • Regularly update ntpd or replace it with more secure alternatives like chrony.
  • Limit commands via NTP configuration:

```
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
```
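One way to check an existing ntp.conf against the restrict lines above, as an added example (not code from the original page or from the ntpd project). The function names and sample configs are constructed for illustration, and the check assumes the page's two-line form with a separate `-6` default entry.

```python
# Flags taken from the page's mitigation lines.
REQUIRED = ("kod", "nomodify", "notrap", "nopeer", "noquery")

def default_restricts(conf_text):
    """Yield (family, flags) for every `restrict ... default ...` line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"  # assumption: an unqualified `default` is audited as IPv4
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if args and args[0] == "default":
            yield family, set(args[1:])

def audit(conf_text):
    """Return a sorted list of findings; an empty list means the check passed."""
    findings = []
    seen = set()
    for family, flags in default_restricts(conf_text):
        seen.add(family)
        if "ignore" in flags:  # `ignore` denies all packets, queries included
            continue
        missing = [f for f in REQUIRED if f not in flags]
        if missing:
            findings.append(f"{family}: default restrict missing {' '.join(missing)}")
    for family in ("ipv4", "ipv6"):
        if family not in seen:
            findings.append(f"{family}: no default restrict line")
    return sorted(findings)

# Constructed sample configs, not taken from any real host.
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
WEAK = """\
# legacy config
restrict default nomodify notrap   # noquery absent: queries still answered
server ntp.example.internal iburst
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(conf) or "OK")
```

A finding that lists `noquery` as missing is the one that matters for monlist, since that flag is what denies ntpq and ntpdc queries.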

Real-World Example

In 2020, many outdated public NTP servers were still vulnerable to monlist, which was heavily exploited in DDoS attacks, peaking over **400 Gbps** in traffic. Even large hosting providers were affected because of default configurations left unchecked.

TL;DR

  • Service: NTP (Time Synchronization)
  • Default Port: 123/UDP
  • Risks: Denial of service, amplification attacks
  • Mitigation: Apply patches, disable monlist, restrict access