SKYCUBE.net

Solutions for Go, MySQL, PHP, Linux and more

Find NTP Time Servers in your network

Posted — Mar 10, 2014

Finding NTP servers should not be too hard; as a network or server admin you should know your neighbourhood. Unfortunately, some packages (Debian/Ubuntu) push you into installing an NTP server even when you don't need one, or, like Ubuntu Server, ship with one. This is not a problem as long as you know about it and your network does not let those servers talk to the public (hopefully your Cisco or local firewall, e.g. iptables, blocks it).

These days people/hackers/crackers are getting more and more creative, even using Linux NTP servers for DDoS attacks. So you may receive a message like this from your provider:

A public NTP server on your network, running on IP address xxx.xxx.xxx.xxx, participated in a very large-scale attack against a customer of ours today, generating UDP responses to spoofed “monlist” requests that claimed to be from the attack target…

How do you find NTP servers in your network? I couldn't figure out how to get something like a report with nmap or similar tools, nor could I find an existing script by someone. Therefore here is my solution:

If you have any recommendations please comment.

Copy and paste the content below into a file, e.g. ntp-check.sh, and make the file executable. Please note that you have to adjust the IP range!

Create a new file in your user space:

touch ntp-check.sh

Make the file executable:

chmod u+x ntp-check.sh

Open the file:

nano ntp-check.sh

Copy the content below, change the IP range and save it!

#!/bin/bash
################################################
#
# Simple script to check for NTP servers in a network
# @author: Per Lasse Baasch (https://skycube.net)
# @Version: 2014-03-10
# NOTE: you need ntpdate installed (should be present)
# you will need write permissions in the directory where you are executing this script
#
################################################
# CLASS C NETWORK TO SCAN
# Syntax 'xxx.xxx.xxx' NO TRAILING DOT
BASEIP='192.168.0'
# Start with an empty result file
/bin/rm -f ntpfound.log
/bin/touch ntpfound.log
for (( c=1; c<=254; c++ ))
do
   echo "Checking $BASEIP.$c"
   # Query only (-q does not set the local clock) and keep the lines that report a responding server.
   # ntpdate prints "adjust time server" for small offsets and "step time server" for large ones.
   /usr/sbin/ntpdate -q "$BASEIP.$c" > ntpcheck.log 2>&1
   grep -E '(adjust|step) time server' ntpcheck.log >> ntpfound.log
done
# Remove temporary log file
/bin/rm -f ntpcheck.log
# Display results
cat ntpfound.log
### Possible output, which indicates that an NTP server is present
#10 Mar 13:16:01 ntpdate[25552]: adjust time server 192.168.0.23 offset 0.013292 sec
#10 Mar 13:16:09 ntpdate[25555]: adjust time server 192.168.0.66 offset 0.013306 sec
#10 Mar 13:16:39 ntpdate[30586]: adjust time server 192.168.0.102 offset -0.037400 sec
exit

Execute the script:

./ntp-check.sh
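
To turn ntpfound.log into a short list of hosts to follow up on (disable the service or firewall it), the helper below lists each responding address once, sorted numerically, and also recognises the "step time server" line that ntpdate prints when the offset is large. It is an added example, not part of the original script; the function names ntp_hosts_from_log and sample_log and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original script.
# Summarise ntpdate -q log lines: one line per responding host,
# "<ip> <offset-seconds> <adjust|step>", sorted numerically by address.

ntp_hosts_from_log() {
    awk '
        # "adjust time server" and "step time server" both mean the host
        # answered an NTP query; "no server suitable" lines are ignored.
        / (adjust|step) time server / {
            for (i = 3; i <= NF - 3; i++) {
                if ($i == "server" && $(i + 2) == "offset") {
                    ip = $(i + 1)
                    # Keep only the first result for each address
                    if (!(ip in seen)) seen[ip] = $(i + 3) " " $(i - 2)
                }
            }
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample input (not real scan output)
sample_log() {
    cat <<'EOF'
10 Mar 13:16:01 ntpdate[25552]: adjust time server 192.168.0.23 offset 0.013292 sec
10 Mar 13:16:05 ntpdate[25553]: no server suitable for synchronization found
10 Mar 13:16:09 ntpdate[25555]: step time server 192.168.0.102 offset 37.512000 sec
10 Mar 13:16:12 ntpdate[25556]: adjust time server 192.168.0.9 offset -0.004100 sec
10 Mar 13:17:40 ntpdate[25601]: adjust time server 192.168.0.23 offset 0.013301 sec
EOF
}

# Demonstration on the constructed sample
sample_log | ntp_hosts_from_log
```

For a real scan, feed it the result file: ntp_hosts_from_log < ntpfound.log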