It's about time: OS Fingerprinting using NTP
By Dr. J on 2023-01-03 07:23:34
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and, in most use cases, accurate enough to synchronize time across the internet to within milliseconds [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a simplified variant of NTP. One of the most obvious and best-documented ways to identify an operating system based on NTP is the hostname of the NTP server it queries. For example:
  • time.apple.com for Apple
  • time.windows.com for Microsoft
Others use subdomains of pool.ntp.org. Pool.ntp.org offers free time servers provided by the community. They are currently claiming around 4,000 participating servers. In the past, vendors have, in a few cases, abused this system and caused a DoS against some public NTP servers. To better control traffic, vendors are offered subdomains, and you may see them used. For example:
  • android.pool.ntp.org - Android
  • amazon.pool.ntp.org - Amazon devices (Kindle, Echo)
  • askozia.pool.ntp.org
  • centos.pool.ntp.org
  • debian.pool.ntp.org
  • dragonfly.pool.ntp.org
  • freebsd.pool.ntp.org
  • irobot.pool.ntp.org
  • opnsense.pool.ntp.org
  • rhel.pool.ntp.org
  • smartos.pool.ntp.org
And many more.
But the opportunities for fingerprinting do not end with DNS. Different operating systems, or versions of operating systems, use different NTP implementations. There are, for example:
  • timed - used by Apple
  • chrony - used by newer Linux versions
  • ntpd - the old "default" and probably the most widely deployed NTP server
  • Windows Time Service w32time - Windows
I collected the first NTP packet emitted by different operating systems after reboot. I picked the first one because it has not yet been shaped by any response from the time server. All systems were reasonably in sync before the reboot. tcpdump does a decent job analyzing NTP if the verbose options are selected, and below you will see the tcpdump output. Servers participating in pool.ntp.org could use the same differences to fingerprint the clients that query them. Shodan once proposed joining pool.ntp.org to find more IPv6 hosts, as scanning for them is not feasible [3]. Here is a quick summary table outlining some of the differences:
Field            Windows 10     Linux chrony   Linux ntpd     iOS            macOS
Source Port      123            > 1024         123            > 1024         123
NTP Version      3              4              4              3              4
Leap Indicator   192            0              192            0              0
Poll Interval    17             6              6              0              0
Root Dispersion  1              0              0              0              0
Reference TS     current time   0              0              0              0
Transmit TS      current time   random         random?        current time   random?
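As an added example (not code from the diary), here is a small Python decoder that pulls the fields compared in the table out of a 48-byte NTP header and scores a packet against the five profiles above. The profile table, the scoring and the build_client_packet helper used for the self-test are my own constructions; the "192" leap indicator in the table is the LI bits left in place in the first header byte, i.e. LI=3 (clock unsynchronized).

```python
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Expected values for the first client packet after reboot, taken from the table
# above (assumed profile set). "port123": UDP source port is 123; "leap": the 2-bit
# LI field (table value 192 == LI 3). Fields marked "random?" are not matched on.
PROFILES = {
    "Windows 10":   {"port123": True,  "version": 3, "leap": 3, "poll": 17, "root_disp": 1.0, "ref_ts_set": True},
    "Linux chrony": {"port123": False, "version": 4, "leap": 0, "poll": 6,  "root_disp": 0.0, "ref_ts_set": False},
    "Linux ntpd":   {"port123": True,  "version": 4, "leap": 3, "poll": 6,  "root_disp": 0.0, "ref_ts_set": False},
    "iOS":          {"port123": False, "version": 3, "leap": 0, "poll": 0,  "root_disp": 0.0, "ref_ts_set": False},
    "macOS":        {"port123": True,  "version": 4, "leap": 0, "poll": 0,  "root_disp": 0.0, "ref_ts_set": False},
}

def parse_ntp_header(data, src_port):
    """Decode the 48-byte NTP header (RFC 5905 layout, identical for v3 and v4)."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes")
    first, stratum, poll, precision = struct.unpack("!BBbb", data[:4])
    root_delay, root_disp = struct.unpack("!II", data[4:12])
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", data[16:48])
    return {
        "port123": src_port == 123,
        "leap": first >> 6,                 # LI: top two bits of the first byte
        "version": (first >> 3) & 0x7,      # VN: next three bits
        "mode": first & 0x7,                # 3 == client request
        "poll": poll,                       # log2 seconds between requests
        "root_disp": root_disp / 65536.0,   # 16.16 fixed-point seconds
        "ref_ts_set": ref_ts != 0,          # reference timestamp present?
        "xmit_ts": xmit_ts,
    }

def fingerprint(fields):
    """Heuristic: return (best profile, matching fields, fields checked)."""
    score = lambda profile: sum(fields[k] == v for k, v in profile.items())
    name, profile = max(PROFILES.items(), key=lambda kv: score(kv[1]))
    return name, score(profile), len(profile)

def unix_to_ntp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return (int(unix_seconds) + NTP_UNIX_OFFSET) << 32

def build_client_packet(version, leap, poll, root_disp, ref_ts, xmit_ts):
    """Constructed mode-3 client request for the self-test; not a captured packet."""
    first = (leap << 6) | (version << 3) | 3
    head = struct.pack("!BBbbIII", first, 0, poll, -6, 0, int(root_disp * 65536), 0)
    return head + struct.pack("!QQQQ", ref_ts, 0, 0, xmit_ts)

if __name__ == "__main__":
    now = unix_to_ntp(time.time())
    pkt = build_client_packet(3, 3, 17, 1.0, now, now)   # Windows-10-like first packet
    print(fingerprint(parse_ntp_header(pkt, 123)))       # ('Windows 10', 6, 6)
```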
For more details, see https://isc.sans.edu/diary//29394 .

[1] https://ntp.org
[2] https://www.nist.gov/system/files/documents/el/isd/ieee/tutorial-basic.pdf
[3] https://isc.sans.edu/diary/Targeted+IPv6+Scans+Using+pool.ntp.org+./20681