Hello and welcome to the Wednesday, January 4th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, in Diaries today, I wrote up a little bit about profiling hosts or fingerprinting them using NTPD network

time protocol.

There are some well-known artifacts, like for example, the different host names that different

operating systems use in order to synchronize their time.

Like for example, time.microsoft.com or time.com,

but also within the pool.nTP.org domain, you have a couple of subdomains that are used by

specific vendors. What's not so well documented, something that I sort of took a quick step on here is

artifacts within the NPP payload itself. In order to make this more reproducible, what I did is I

basically collected the first NPP packet that comes from an operating system after it's being booted.

And there were a number of different artifacts, like for example, some of the older

NTP clients send packets from port 123 to 123.

The newer ones tend to use high ports.

Also, what polling interval is being used, changes a little bit

between different clients, and then also the client as part of its request is sending its own

timestamp. Well, some of the clients actually are randomizing this timestamp sort of as an

additional security feature.

If you're interested, well, take a look at the diary and if you have any input to this,

if you observe anything different here, then please let me know.

But note that some of these things, like, for example, whether or not the clock is synchronized

or not, or some of these flags, or things like the polling interval, they may change as the

...