NTP

From Noisebridge

Network Time Protocol

Port: 123


https://tools.ietf.org/pdf/rfc5905.pdf

https://en.wikipedia.org/wiki/Network_Time_Protocol


Generate NTP Query/Response with netcat

echo -ne '\xE3\x00\x06\xEC\x31\x4E\x31\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc -xu time.nist.gov 123

Sent 48 bytes to the socket
00000000 E3 00 06 EC 31 4E 31 34 00 00 00 00 00 00 00 00 ....1N14........
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Received 48 bytes from the socket
00000000 24 01 06 E3 00 00 00 00 00 00 00 00 41 43 54 53 $...........ACTS
00000010 DB 7C 1C DC 4B E0 57 2D 00 00 00 00 00 00 00 00 .|..K.W-........
00000020 DB 7C 1C E4 49 93 89 E4 DB 7C 1C E4 49 94 47 B5 .|..I....|..I.G.

The 4 bytes DB 7C 1C E4 (underlined in the original page) are the actual time stamp data. They start at index 40 of the response and form a 32-bit value representing the number of seconds since January 1st 1900.

Hex to Decimal:
0xDB = 219
0x7C = 124
0x1C = 28
0xE4 = 228

Binary equivalent:
11011011011111000001110011100100

Combine the 4 bytes into one 32-bit value (the shifts need parentheses, since + binds tighter than <<):
(219 << 24) + (124 << 16) + (28 << 8) + 228 = 3682344164

Convert to Unix epoch by subtracting 70 years' worth of seconds (1900 to 1970):
epoch = 3682344164 - 2208988800 = 1473355364

Extract the time (integer division):
hours = (epoch % (24 * 60 * 60)) / (60 * 60)
mins = (epoch % (60 * 60)) / 60
secs = epoch % 60

The full time and date of the time stamp:
Thu, 08 Sep 2016 17:22:44 GMT
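
The same decoding applied to the whole 48-byte response, as an added example (not part of the original page). It parses the header fields defined in RFC 5905 from the bytes in the hex dump above and runs the basic sanity checks a client should make before trusting the time; the function names are this example's own.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# The 48 response bytes from the hex dump above.
RESPONSE = bytes.fromhex(
    "240106E3000000000000000041435453"
    "DB7C1CDC4BE0572D0000000000000000"
    "DB7C1CE4499389E4DB7C1CE4499447B5")

def parse_ntp(packet):
    """Decode the fixed 48-byte NTP header (network byte order)."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(packet))
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_s, ref_f, org_s, org_f, rx_s, rx_f, tx_s, tx_f) = struct.unpack(
        "!BBbbII4s8I", packet[:48])
    return {
        "leap": flags >> 6,            # top 2 bits
        "version": (flags >> 3) & 7,   # next 3 bits
        "mode": flags & 7,             # low 3 bits: 3 = client, 4 = server
        "stratum": stratum,
        "precision": precision,        # signed log2 seconds
        "ref_id": ref_id,
        "origin": (org_s, org_f),      # echo of the request's transmit field
        "transmit": (tx_s, tx_f),      # bytes 40-47: seconds, fraction
    }

def check_reply(fields, sent_transmit=(0, 0)):
    """Return a list of reasons not to trust this reply (empty = OK).
    The page's request leaves its transmit timestamp zero, so the origin
    check below is weak here; a client that sends its own timestamp can
    use it to reject replies that do not answer its request."""
    problems = []
    if fields["mode"] != 4:
        problems.append("not a server-mode reply")
    if fields["stratum"] == 0:
        problems.append("stratum 0: kiss-o'-death, ref_id is a kiss code")
    if fields["leap"] == 3:
        problems.append("server reports its clock is unsynchronized")
    if fields["origin"] != sent_transmit:
        problems.append("origin timestamp does not echo our request")
    return problems

def transmit_time(fields):
    """Convert the transmit timestamp to a UTC datetime."""
    secs, frac = fields["transmit"]
    return datetime.fromtimestamp(secs - NTP_UNIX_DELTA + frac / 2**32,
                                  timezone.utc)
```
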