Spectracom - Essential Ingenuity

List NTP Clients Receiving Time from SecureSync/NetClock 9400 Using Monlist

Tutorial Steps

Note: The function described in this article, monlist, has been associated with Common Vulnerabilities and Exposures entry CVE-2013-5211 (see: DDoS / Amplification Attack using ntpdc monlist command). This article describes using 'ntpdc monlist' internally, which does not require a query from an external source; the external query is the source of the vulnerability.

In the SecureSync or 9400 series products there is a CLI command that reports the NTP clients receiving time from the SecureSync. This is an ntpdc monlist command that can be run from a Telnet or SSH connection.
 
From the command prompt, open a Telnet or SSH session (from PuTTY or similar) and log in as spadmin. The default password is admin123; otherwise use the password you have set.
 
The command ntpdc -n -c monlist gives a list of all clients receiving time from this SecureSync. This includes all NTP clients, peers and internal NTP.
The 127.X.X.X addresses are internal to the SecureSync. You can disregard these.
 
In this case there is a single NTP client, 10.2.100.42, receiving time from the SecureSync at 10.2.100.62:
 
[Image: ntpdc monlist output]
To further separate and identify the NTP peers, use the ntpdc -n -c listpeers command. NTP peers are other SecureSync units that may be linked to this unit at the same stratum level.
 
This list is limited to 600 clients, which is normally sufficient to list all devices. If you have more than 600 clients, a packet capture of the network NTP traffic to the device should help identify the NTP clients.
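
The following is an added example, not part of the original article or of Spectracom's tooling: a shell helper that post-processes saved monlist output as the steps above describe, dropping the 127.X.X.X entries and any peer addresses you pass in, and reporting when the list has reached the 600-entry limit. The sample output is constructed, its column layout is assumed to match the usual ntpdc table, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-process saved `ntpdc -n -c monlist` output.
MONLIST_CAP=600   # list limit stated in the article

# Constructed sample (not captured from a real unit); the column layout is
# assumed to match the usual ntpdc monlist table.
sample_monlist() {
cat <<'EOF'
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
10.2.100.42              123 10.2.100.62          118 3 4      0     64      12
127.0.0.1              45871 127.0.0.1             40 7 2      0     10       3
10.2.100.63              123 10.2.100.62           22 1 4      0     64      30
EOF
}

# list_clients [PEER_ADDR ...] < monlist_output
# Prints each remote address once, skipping the header, the internal
# 127.X.X.X entries, and any peer addresses given as arguments
# (taken by the operator from the listpeers output).
list_clients() {
  awk -v peers="$*" '
    BEGIN { n = split(peers, a, " "); for (i = 1; i <= n; i++) peer[a[i]] = 1 }
    NF == 0 || $1 == "remote" || $1 ~ /^=/ { next }   # blank, header, rule
    $1 ~ /^127\./ { next }                             # internal to the unit
    ($1 in peer)  { next }                             # known NTP peer
    !seen[$1]++   { print $1 }
  '
}

# monlist_at_cap < monlist_output
# Succeeds when the number of entries has reached MONLIST_CAP, meaning the
# list may be incomplete and a packet capture is the fallback the article names.
monlist_at_cap() {
  n=$(awk 'NF && $1 != "remote" && $1 !~ /^=/ { c++ } END { print c + 0 }')
  [ "$n" -ge "$MONLIST_CAP" ]
}

# Demo on the constructed sample, treating 10.2.100.63 as a peer.
sample_monlist | list_clients 10.2.100.63        # prints 10.2.100.42
if sample_monlist | monlist_at_cap; then
  echo "monlist is at its ${MONLIST_CAP}-entry limit; verify with a packet capture"
fi
```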
