ChronoLeak


ICMP Timestamp Remote Time Leaker

Leaks time on a remote machine by using ICMP timestamp requests (13) and replies (14).

Context: why does this tool exist?

Knowing the time of a remote machine is important to perform time-sensitive attacks.

For example, a Time-based One-Time Password (TOTP) code is valid for only 30 seconds, but if the remote machine's clock has drifted because it is not using NTP, has a timezone issue (sync with hardware clock), or for any other reason, the attack will fail because you are not targeting the right time range.

Other examples are network protocols: some have a handshake that is sensitive to time. The same goes for the validity of a token or certificate, where you could be denied because it is not yet or no longer valid. So you could have authentication issues just because you are not synchronized with the time of the remote machine.

Fortunately, incoming ICMP timestamp requests (13) and outgoing ICMP timestamp replies (14) are rarely filtered, which allows the remote machine's time to be disclosed (CVE-1999-0524) remotely and without authentication.

However, it should be noted that timestamps returned from machines running some versions of Windows are deliberately incorrect within 1000 seconds of the actual system time as a protection to defeat such attacks.
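To see what a timestamp reply (14) actually discloses, for instance when auditing your own hosts, the sketch below decodes one and derives the clock offset. It is an added example, not ChronoLeak's code: the helper names and the sample bytes are constructed for illustration, and the field layout follows RFC 792.

```ruby
# Added example, not ChronoLeak's code: decode an ICMP Timestamp Reply (RFC 792).
MS_PER_DAY = 86_400_000
HALF_DAY = MS_PER_DAY / 2

# RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid.
def inet_checksum(bytes)
  bytes += "\x00".b if bytes.bytesize.odd?
  sum = bytes.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  ~sum & 0xffff
end

# Parse the 20-byte ICMP message (IP header already stripped).
def parse_timestamp_reply(bytes)
  raise ArgumentError, 'expected 20 bytes' unless bytes.bytesize == 20
  type, code, _sum, id, seq, orig, recv, xmit = bytes.unpack('CCnnnNNN')
  raise ArgumentError, "not a timestamp reply (type #{type})" unless type == 14 && code.zero?
  raise ArgumentError, 'bad checksum' unless inet_checksum(bytes).zero?
  # RFC 792: a set high-order bit marks a value that is not ms since midnight UT.
  standard = [recv, xmit].all? { |t| (t & 0x8000_0000).zero? && t < MS_PER_DAY }
  { id: id, seq: seq, originate: orig, receive: recv, transmit: xmit, standard: standard }
end

# Fold a difference of two "ms since midnight" values into -12h...+12h.
def wrap_ms(diff)
  ((diff + HALF_DAY) % MS_PER_DAY) - HALF_DAY
end

# Remote-minus-local clock offset in ms, averaged over both directions to
# cancel network delay; nil when the host sent non-standard timestamps.
def clock_offset_ms(reply, local_receive_ms)
  return nil unless reply[:standard]
  (wrap_ms(reply[:receive] - reply[:originate]) +
   wrap_ms(reply[:transmit] - local_receive_ms)) / 2
end

# Constructed sample builder (hypothetical helper for this example only).
def build_reply(id, seq, orig, recv, xmit)
  msg = [14, 0, 0, id, seq, orig, recv, xmit].pack('CCnnnNNN')
  msg[2, 2] = [inet_checksum(msg)].pack('n')
  msg
end

# Constructed capture: request sent 12:00:00.000 UT, reply seen 40 ms later,
# remote clock 45 s ahead.
SAMPLE = build_reply(0x1234, 1, 43_200_000, 43_245_020, 43_245_020)
offset = clock_offset_ms(parse_timestamp_reply(SAMPLE), 43_200_040)
puts "remote clock offset: #{offset} ms"
```

A host that answers like this sample is 45 seconds off, more than one 30-second TOTP step; filtering ICMP types 13 and 14 at the perimeter removes the disclosure.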

Installation

gem install chronoleak

Check the installation page in the documentation to discover more methods.

Documentation

Homepage / Documentation: https://noraj.github.io/ChronoLeak/

Author

Made by Alexandre ZANNI (@noraj).