Share
## https://sploitus.com/exploit?id=379FFFB3-48FB-5D0C-92C2-23B434647F8D
# ICMP Timestamp Scanner β€” CVE-1999-0524



```
╔══════════════════════════════════════════════════════════════════╗
β•‘  β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—     β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—           β•‘
β•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—       β–ˆβ–ˆβ•”β•β•β•β–ˆβ–ˆβ•”β•β•β•β•β•           β•‘
β•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•       β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—           β•‘
β•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•        β–ˆβ–ˆβ•‘   β•šβ•β•β•β•β–ˆβ–ˆβ•‘           β•‘
β•‘  β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘ β•šβ•β• β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘            β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘           β•‘
β•‘  β•šβ•β• β•šβ•β•β•β•β•β•β•šβ•β•     β•šβ•β•β•šβ•β•            β•šβ•β•   β•šβ•β•β•β•β•β•β•           β•‘
╠══════════════════════════════════════════════════════════════════╣
β•‘   CVE-1999-0524 Β· ICMP Timestamp Request/Reply Scanner          β•‘
β•‘   Author  : Muhamad Bion Tadavi β€” VPSI                          β•‘
β•‘   Org     : Vantage Point Security β€” Authorized Use Only        β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
```

![Python](https://img.shields.io/badge/Python-3.8%2B-blue?logo=python)
![License](https://img.shields.io/badge/License-MIT-green)
![Root Required](https://img.shields.io/badge/Requires-Root%2FSudo-red)
![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS-lightgrey)
![Authorized Use](https://img.shields.io/badge/Use-Authorized%20Testing%20Only-orange)

**Fast, multi-threaded ICMP Timestamp scanner with color-coded hex output and detailed timestamp analysis.**



---

## Overview

Detects hosts vulnerable to **CVE-1999-0524** (ICMP Timestamp Information Disclosure) by sending **ICMP Type 13 (Timestamp Request)** packets. Hosts that reply with **ICMP Type 14 (Timestamp Reply)** are flagged as **vulnerable** β€” they leak their internal system clock, which aids device fingerprinting and time-based attack chaining.

Built with zero external dependencies β€” pure Python stdlib.

---

## Vulnerability Details

| Field | Value |
|---|---|
| **CVE ID** | CVE-1999-0524 |
| **CWE** | CWE-200 β€” Exposure of Sensitive Information |
| **CVSS v3** | 0.0 (Low) |
| **Type** | Information Disclosure |
| **Protocol** | ICMP Type 13 / Type 14 |
| **Affected** | Cisco IOS, Cisco ASA, Linux, Windows (config-dependent) |

### How It Works

```
Attacker                                  Target
   β”‚                                         β”‚
   │──── ICMP Type 13 (Timestamp Request) ──▢│
   β”‚                                         β”‚  [host processes request]
   │◀─── ICMP Type 14 (Timestamp Reply) ─────│
   β”‚                                         β”‚
   Reply contains three 32-bit timestamp fields (ms since midnight UTC):
      β”œβ”€β”€ Originate Timestamp  (set by requester β€” often 0)
      β”œβ”€β”€ Receive Timestamp    ◀── server clock leaked here
      └── Transmit Timestamp   ◀── server clock leaked here
```

### Impact

- **System time disclosure** β€” leaks internal clock (ms since midnight UTC)
- **Device fingerprinting** β€” TTL + response behavior reveals vendor (Cisco ASA, IOS, etc.)
- **Attack chaining** β€” accurate server time assists in forging time-based tokens, TOTP analysis, or log correlation

---

## Features

| Feature | Detail |
|---|---|
| Multi-threaded scanning | Configurable parallel probes (default: 30 threads) |
| Flexible input | Single IP Β· Comma-separated Β· CIDR range Β· File (`-t` / `-f`) |
| Color-coded hex | IP header Β· ICMP header Β· Type byte Β· Timestamps β€” each uniquely colored |
| Timestamp decode | Raw milliseconds decoded to `HH:MM:SS.mmm UTC` |
| Hex evidence in summary | Colored hex + legend printed per vuln host in final summary |
| Full hex dump (`-v`) | Offset + hex + ASCII columns for each response |
| Progress bar (`-v`) | Live progress bar displayed only in verbose mode |
| Summary table | Sorted vulnerable host table with TTL, RTT, and server time |
| Zero dependencies | Pure Python stdlib β€” no pip install required |

---

## Requirements

- Python **3.8+**
- **Root / sudo** privileges (required for raw ICMP socket)
- No external libraries

```bash
python3 --version   # must be 3.8+
```

---

## Installation

```bash
git clone https://github.com//CVE-1999-0524-ICMP-Timestamp-Scanner.git
cd CVE-1999-0524-ICMP-Timestamp-Scanner
chmod +x icmp_timestamp_scan.py
```

---

## Usage

```
sudo python3 icmp_timestamp_scan.py [OPTIONS]

Options:
  -t, --target    IP, comma-separated IPs, or CIDR  (terminal input)
  -f, --file      Path to file with one IP/CIDR per line
  --timeout SECS  Seconds to wait per host  (default: 2.0)
  --threads N     Concurrent threads        (default: 30)
  -v, --verbose   Show progress bar + full hex dump per host
  -h, --help      Show help
```

### Display Modes

| Mode | Behavior |
|---|---|
| Default (no `-v`) | Results printed immediately as each host responds β€” colored hex + timestamps per host, then summary |
| Verbose (`-v`) | Live progress bar during scan, then full hex dump per host, then summary |

### Examples

```bash
# Single host
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1

# Multiple hosts
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1,192.168.1.2,192.168.1.3

# CIDR subnet sweep
sudo python3 icmp_timestamp_scan.py -t 192.168.1.0/24

# From file
sudo python3 icmp_timestamp_scan.py -f hosts.txt

# Verbose β€” progress bar + full hex dump
sudo python3 icmp_timestamp_scan.py -f hosts.txt -v

# Fast wide scan
sudo python3 icmp_timestamp_scan.py -t 10.0.0.0/16 --threads 100 --timeout 1
```

### `hosts.txt` Format

```
# One IP or CIDR per line. Lines starting with # are ignored.
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1
10.0.0.2
10.0.0.0/24
```

---

## Sample Output

### Default Mode (no `-v`)

```
  [*] Targets  : 4 hosts
  [*] Timeout  : 2.0s  |  Threads: 30
  [*] Started  : 2026-07-14 06:37:25 UTC
  [*] Probe    : ICMP Type 13 (Timestamp Request)
  [*] Expect   : ICMP Type 14 (Timestamp Reply) from vulnerable hosts

╔══ VULNERABLE ══════════════════════════════════════════╗
β•‘  Host       : 192.168.1.1
β•‘  ICMP Type  : 14 β€” Timestamp Reply  (sent Type 13)
β•‘  TTL        : 59
β•‘  RTT        : 1.84 ms
β•‘  ── Timestamps (ms since midnight UTC) ──────────────
β•‘  Originate  :            0 ms  β†’  00:00:00.000 (not set)
β•‘  Receive    :   22,974,518 ms  β†’  06:22:54.518 UTC
β•‘  Transmit   :   22,974,518 ms  β†’  06:22:54.518 UTC  ← server time
β•‘  ── Raw Response (hex) ──────────────────────────────
β•‘  45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
β•‘  Legend: β–ˆβ–ˆ=IP header  β–ˆβ–ˆ=ICMP header  β–ˆβ–ˆ=ICMP type14  β–ˆβ–ˆ=timestamps
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

  [-] 192.168.1.2        no response (filtered or not vulnerable)

╔══ VULNERABLE ══════════════════════════════════════════╗
β•‘  Host       : 192.168.1.3
β•‘  TTL        : 59  |  RTT : 2.11 ms
β•‘  Transmit   :   22,977,926 ms  β†’  06:22:57.926 UTC  ← server time
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

══════════════════════════════════════════════════════════════════
  SCAN SUMMARY
══════════════════════════════════════════════════════════════════
  Scanner time  : 2026-07-14 13:37:25 WIB  (06:37:25 UTC)
  Total probed  : 4
  Vulnerable    : 2
  No response   : 2
  Errors        : 0

  β”Œβ”€ VULNERABLE HOSTS ────────────────────────────────────────────┐
  β”‚  Host               TTL      RTT      Server Time (UTC)   Transmit ms β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚  192.168.1.1         59    1.8ms   06:22:54.518 UTC    22,974,518  β”‚
  β”‚  192.168.1.3         59    2.1ms   06:22:57.926 UTC    22,977,926  β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

  ── Hex Evidence ─────────────────────────────────────────────

  [192.168.1.1]  TTL=59  RTT=1.84ms  Server→ 06:22:54.518 UTC
  45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
  Legend: β–ˆβ–ˆ=IP header  β–ˆβ–ˆ=ICMP header  β–ˆβ–ˆ=ICMP type14  β–ˆβ–ˆ=timestamps

  [192.168.1.3]  TTL=59  RTT=2.11ms  Server→ 06:22:57.926 UTC
  45 48 00 28 1a c3 00 00 3b 01 27 46 c0 a8 01 03 c0 a8 01 64 0e 00 f3 7e ...
  Legend: β–ˆβ–ˆ=IP header  β–ˆβ–ˆ=ICMP header  β–ˆβ–ˆ=ICMP type14  β–ˆβ–ˆ=timestamps

  Impact   : Information Disclosure β€” server time exposed
  CWE      : CWE-200 Exposure of Sensitive Information
  CVSS v3  : 0.0 (Low) β€” network access required
  Fix      : Block ICMP type 13 at perimeter ACL/firewall
  Cisco    : access-list  deny icmp any any 13
```

---

## Hex Response Anatomy

```
Byte   Field              Example      Description
─────  ─────────────────  ───────────  ──────────────────────────────────────
 0     IP Version/IHL     45           IPv4, header length = 20 bytes
 1     DSCP/ECN           48
 2-3   Total Length       0028         40 bytes
 4-5   Identification     1476
 6-7   Flags/Fragment     0000
 8     TTL                3b           59 hops
 9     Protocol           01           ICMP
10-11  IP Checksum        2d93
12-15  Source IP          c0a80101     192.168.1.1  ← responding host
16-19  Destination IP     c0a80164     192.168.1.100  ← scanner
──── ICMP header starts at byte 20 ────────────────────────────────────────
20     ICMP Type          0e           14 = Timestamp Reply  ← VULNERABLE
21     ICMP Code          00
22-23  ICMP Checksum      f915
24-25  Identifier         d5bf
26-27  Sequence Number    0001
28-31  Originate TS       00000000     0 ms (requester field, not filled)
32-35  Receive TS         015e9036     22,974,518 ms = 06:22:54 UTC  ← leaked
36-39  Transmit TS        015e9036     22,974,518 ms = 06:22:54 UTC  ← leaked
```

---

## Remediation

### Cisco IOS / IOS XE

```
ip access-list extended BLOCK-ICMP-TS
 deny icmp any any 13
 deny icmp any any 17
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-ICMP-TS in
```

### Cisco ASA

```
access-list OUTSIDE_IN deny icmp any any 13
access-list OUTSIDE_IN deny icmp any any 17
access-group OUTSIDE_IN in interface outside
```

### Linux β€” iptables

```bash
iptables -A INPUT  -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply   -j DROP
```

### Linux β€” nftables

```bash
nft add rule inet filter input  icmp type timestamp-request drop
nft add rule inet filter output icmp type timestamp-reply   drop
```

### Windows Firewall

```powershell
netsh advfirewall firewall add rule `
  name="Block ICMP Timestamp Request" `
  protocol=icmpv4:13,any action=block dir=in
```

---

## References

- [CVE-1999-0524 β€” NVD](https://nvd.nist.gov/vuln/detail/CVE-1999-0524)
- [RFC 792 β€” ICMP (Type 13/14 specification)](https://datatracker.ietf.org/doc/html/rfc792)
- [CWE-200 β€” Exposure of Sensitive Information](https://cwe.mitre.org/data/definitions/200.html)
- [Nessus Plugin 10114 β€” ICMP Timestamp Request Remote Date Disclosure](https://www.tenable.com/plugins/nessus/10114)

---

## Legal Disclaimer

> This tool is intended **solely** for authorized penetration testing engagements, security research, and educational purposes.  
> Running this tool against any system without **explicit written permission** from the system owner is illegal and may violate computer crime laws in your jurisdiction.  
> The author and Vantage Point Security assume no liability for any misuse of this tool.

---



*Made with β™₯ by **Muhamad Bion Tadavi** β€” Vantage Point Security (VPSI)*