
I'm trying to send a spoofed time to a Windows machine when it requests time from the NTP server.

My server so far will display packets and send back data; however, I can't seem to figure out exactly what I need to send to give Windows a fake time. I've tried capturing legitimate packets to send but failed.

In this example I'm just sending white space; I'm trying to figure out what data to send to tell the computer, for example, that the time is 10:00 AM when it's actually 12 PM.

I intend to spoof DNS queries on a LAN to redirect them to this server which will respond with an incorrect time.

I've heard it can be done but have never seen a tool to do it, so that's what I'm trying to do now.

require 'socket'

class UDPServer
  def initialize(port)
    @port = port
  end

  def start
    @socket = UDPSocket.new
    @socket.bind('', @port)
    data = " "                              # payload sent back (currently just white space)
    while true
      packet = @socket.recvfrom(1024)       # [message, [family, port, hostname, ip]]
      puts packet
      # Ruby interpolation is "#{...}"; "${data}" sent the literal text ${data}.
      # The port is passed as an Integer rather than a String.
      @socket.send(data, 0, '10.0.0.16', @port)
    end
  end
end

server = UDPServer.new(123)
server.start
John Hascall

Corrosive
    Fascinating question led me down a rabbit hole for the last two hours reading up on the SNTP protocol and Datagrams etc. The short answer is I don't think you can because the whole Network Time Server network is self-correcting. Spoofed packets, unless the time-server is orphaned completely, just get filtered out. – Dave Sag Nov 29 '14 at 01:44
  • I can see this being used in a malicious attempt to disrupt or corrupt service for a system, but can't see a good reason to try to do it. If you need to alter the time seen by a server, setting its LOCALE or timezone information would seem to be a better path. – the Tin Man Jul 01 '15 at 20:01
  • @the Tin Man It would be hard to spoof in the Internet since you would need to spoof the source addr and ISPs use uRPF (see https://www.rfc-editor.org/rfc/rfc3704.html) (among other reasons). The reason to spoof in a lab would be to test leap seconds and other issues, for example testing the fix to the ~34 year issue (new clock chips are @ 1970, so "raw"/old ntp could not normally set it after ~2004). – Andrew Sep 15 '22 at 20:02

1 Answer

It can be done. You need to reply to the client's requests. In that reply, you will need to use the following (your code does not do that):

T1 = client timestamp at time of departure of request packet from client
and
T2 = server timestamp at time of ARRIVAL of request packet at server
and
T3 = server timestamp at time of departure of REPLY packet from server (can be the same as T2).

I don't see that done in your code. Also, the rest of the packet needs to be "OK" -- not sure if yours is (seems like no).

Andrew
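The answer above says a reply has to carry T1 as its origin timestamp plus T2 and T3, and the rest of the packet has to be well-formed. The example below, added here and not code from the question or the answer, shows the other side of that statement: it decodes a 48-byte SNTP/NTP header (RFC 4330 / RFC 5905 field layout) and applies the sanity checks an NTP client runs before it trusts a reply, which is why a one-byte white-space reply, or a reply whose origin timestamp does not echo the client's transmit timestamp, is discarded instead of changing the clock. The request and reply packets are constructed samples, not captured traffic, and the field names and the helper functions are this example's own.

```ruby
# Added example, not code from the question or the answer. Decodes an NTP header
# and applies the checks an NTP client performs before accepting a reply.
# Timestamps are 64-bit fixed point: 32 bits of seconds since 1900-01-01 and
# 32 bits of fraction.

NTP_UNIX_OFFSET = 2_208_988_800 # seconds from 1900-01-01 to 1970-01-01
HEADER_FORMAT   = "CCccN11"     # LI/VN/mode, stratum, poll, precision, 11 x uint32

# 64-bit NTP timestamp (seconds since 1900, fraction) -> Float Unix time.
def ntp_to_unix(secs, frac)
  secs - NTP_UNIX_OFFSET + frac / 2.0**32
end

# Parse a raw packet into a Hash of named fields. Raises on short packets,
# which is what a client does with a reply consisting of a single space.
def parse_ntp(bytes)
  if bytes.bytesize < 48
    raise ArgumentError, "NTP packet too short: #{bytes.bytesize} bytes, need 48"
  end
  flags, stratum, poll, precision, root_delay, root_disp, ref_id, *ts =
    bytes.unpack(HEADER_FORMAT)
  {
    leap: flags >> 6, version: (flags >> 3) & 0x7, mode: flags & 0x7,
    stratum: stratum, poll: poll, precision: precision,
    root_delay: root_delay, root_dispersion: root_disp, ref_id: ref_id,
    reference: ts[0, 2], origin: ts[2, 2], receive: ts[4, 2], transmit: ts[6, 2]
  }
end

# Checks a client applies before trusting a reply (RFC 5905, section 8).
# Returns the list of reasons for rejection; an empty list means "accept".
def reply_problems(request, reply)
  problems = []
  problems << "mode #{reply[:mode]} is not server mode (4)" unless reply[:mode] == 4
  problems << "leap indicator 3: server clock unsynchronized" if reply[:leap] == 3
  unless (1..15).cover?(reply[:stratum])
    problems << "stratum #{reply[:stratum]} is kiss-o'-death or unsynchronized"
  end
  if reply[:origin] != request[:transmit]
    problems << "origin timestamp does not echo our transmit timestamp (bogus/replay)"
  end
  problems << "transmit timestamp is zero" if reply[:transmit] == [0, 0]
  problems
end

# Clock offset the client would compute: ((T2 - T1) + (T3 - T4)) / 2, in seconds.
def clock_offset(request, reply, t4_unix)
  t1 = ntp_to_unix(*request[:transmit])
  t2 = ntp_to_unix(*reply[:receive])
  t3 = ntp_to_unix(*reply[:transmit])
  ((t2 - t1) + (t3 - t4_unix)) / 2.0
end

# Constructed sample packets for the demonstration (not captured traffic).
# Client request: LI=0, VN=4, mode=3 (0x23), transmit timestamp T1.
T1 = [3_600_000_000, 0]                                   # NTP seconds, fraction
SAMPLE_REQUEST = ([0x23, 0, 6, -20, 0, 0, 0] + [0, 0] * 3 + T1).pack(HEADER_FORMAT)
# Well-formed stratum-2 reply (mode 4) echoing T1 as origin, with T2 = T3 = T1 + 7200 s.
T2 = [3_600_007_200, 0]
SAMPLE_GOOD_REPLY = ([0x24, 2, 6, -20, 0, 0, 0] + T2 + T1 + T2 + T2).pack(HEADER_FORMAT)
# Same reply with a zeroed origin timestamp: fails the bogus check.
SAMPLE_BAD_ORIGIN = ([0x24, 2, 6, -20, 0, 0, 0] + T2 + [0, 0] + T2 + T2).pack(HEADER_FORMAT)

# Runs the checks over the samples; T4 is taken as T1 plus 10 ms of round trip.
def demo
  req  = parse_ntp(SAMPLE_REQUEST)
  good = parse_ntp(SAMPLE_GOOD_REPLY)
  bad  = parse_ntp(SAMPLE_BAD_ORIGIN)
  {
    good:   reply_problems(req, good),                       # []
    bad:    reply_problems(req, bad),                        # one "origin timestamp" problem
    offset: clock_offset(req, good, ntp_to_unix(*T1) + 0.01) # about 7199.995
  }
end

if __FILE__ == $0
  p demo
  begin
    parse_ntp(" ")
  rescue ArgumentError => e
    puts "single-space reply: #{e.message}"
  end
end
```

The origin-timestamp test is the one that matters most here: a client only accepts a reply whose origin field equals the transmit timestamp of the request it just sent, so any reply that is not built from the incoming request's T1 is dropped as bogus before the offset is even computed.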