Share
## https://sploitus.com/exploit?id=379FFFB3-48FB-5D0C-92C2-23B434647F8D
# ICMP Timestamp Scanner β CVE-1999-0524
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β βββ βββββββββββ βββββββββββ βββββββββββββββββ β
β ββββββββββββββββ βββββββββββββ ββββββββββββββ β
β ββββββ βββββββββββββββββββ βββ ββββββββ β
β ββββββ ββββββββββββββββββ βββ ββββββββ β
β ββββββββββββββ βββ ββββββ βββ ββββββββ β
β βββ ββββββββββ ββββββ βββ ββββββββ β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β CVE-1999-0524 Β· ICMP Timestamp Request/Reply Scanner β
β Author : Muhamad Bion Tadavi β VPSI β
β Org : Vantage Point Security β Authorized Use Only β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```





**Fast, multi-threaded ICMP Timestamp scanner with color-coded hex output and detailed timestamp analysis.**
---
## Overview
Detects hosts vulnerable to **CVE-1999-0524** (ICMP Timestamp Information Disclosure) by sending **ICMP Type 13 (Timestamp Request)** packets. Hosts that reply with **ICMP Type 14 (Timestamp Reply)** are flagged as **vulnerable** β they leak their internal system clock, which aids device fingerprinting and time-based attack chaining.
Built with zero external dependencies β pure Python stdlib.
---
## Vulnerability Details
| Field | Value |
|---|---|
| **CVE ID** | CVE-1999-0524 |
| **CWE** | CWE-200 β Exposure of Sensitive Information |
| **CVSS v3** | 0.0 (Low) |
| **Type** | Information Disclosure |
| **Protocol** | ICMP Type 13 / Type 14 |
| **Affected** | Cisco IOS, Cisco ASA, Linux, Windows (config-dependent) |
### How It Works
```
Attacker Target
β β
βββββ ICMP Type 13 (Timestamp Request) βββΆβ
β β [host processes request]
βββββ ICMP Type 14 (Timestamp Reply) ββββββ
β β
Reply contains three 32-bit timestamp fields (ms since midnight UTC):
βββ Originate Timestamp (set by requester β often 0)
βββ Receive Timestamp βββ server clock leaked here
βββ Transmit Timestamp βββ server clock leaked here
```
### Impact
- **System time disclosure** β leaks internal clock (ms since midnight UTC)
- **Device fingerprinting** β TTL + response behavior reveals vendor (Cisco ASA, IOS, etc.)
- **Attack chaining** β accurate server time assists in forging time-based tokens, TOTP analysis, or log correlation
---
## Features
| Feature | Detail |
|---|---|
| Multi-threaded scanning | Configurable parallel probes (default: 30 threads) |
| Flexible input | Single IP Β· Comma-separated Β· CIDR range Β· File (`-t` / `-f`) |
| Color-coded hex | IP header Β· ICMP header Β· Type byte Β· Timestamps β each uniquely colored |
| Timestamp decode | Raw milliseconds decoded to `HH:MM:SS.mmm UTC` |
| Hex evidence in summary | Colored hex + legend printed per vuln host in final summary |
| Full hex dump (`-v`) | Offset + hex + ASCII columns for each response |
| Progress bar (`-v`) | Live progress bar displayed only in verbose mode |
| Summary table | Sorted vulnerable host table with TTL, RTT, and server time |
| Zero dependencies | Pure Python stdlib β no pip install required |
---
## Requirements
- Python **3.8+**
- **Root / sudo** privileges (required for raw ICMP socket)
- No external libraries
```bash
python3 --version # must be 3.8+
```
---
## Installation
```bash
git clone https://github.com//CVE-1999-0524-ICMP-Timestamp-Scanner.git
cd CVE-1999-0524-ICMP-Timestamp-Scanner
chmod +x icmp_timestamp_scan.py
```
---
## Usage
```
sudo python3 icmp_timestamp_scan.py [OPTIONS]
Options:
-t, --target IP, comma-separated IPs, or CIDR (terminal input)
-f, --file Path to file with one IP/CIDR per line
--timeout SECS Seconds to wait per host (default: 2.0)
--threads N Concurrent threads (default: 30)
-v, --verbose Show progress bar + full hex dump per host
-h, --help Show help
```
### Display Modes
| Mode | Behavior |
|---|---|
| Default (no `-v`) | Results printed immediately as each host responds β colored hex + timestamps per host, then summary |
| Verbose (`-v`) | Live progress bar during scan, then full hex dump per host, then summary |
### Examples
```bash
# Single host
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1
# Multiple hosts
sudo python3 icmp_timestamp_scan.py -t 192.168.1.1,192.168.1.2,192.168.1.3
# CIDR subnet sweep
sudo python3 icmp_timestamp_scan.py -t 192.168.1.0/24
# From file
sudo python3 icmp_timestamp_scan.py -f hosts.txt
# Verbose β progress bar + full hex dump
sudo python3 icmp_timestamp_scan.py -f hosts.txt -v
# Fast wide scan
sudo python3 icmp_timestamp_scan.py -t 10.0.0.0/16 --threads 100 --timeout 1
```
### `hosts.txt` Format
```
# One IP or CIDR per line. Lines starting with # are ignored.
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1
10.0.0.2
10.0.0.0/24
```
---
## Sample Output
### Default Mode (no `-v`)
```
[*] Targets : 4 hosts
[*] Timeout : 2.0s | Threads: 30
[*] Started : 2026-07-14 06:37:25 UTC
[*] Probe : ICMP Type 13 (Timestamp Request)
[*] Expect : ICMP Type 14 (Timestamp Reply) from vulnerable hosts
βββ VULNERABLE βββββββββββββββββββββββββββββββββββββββββββ
β Host : 192.168.1.1
β ICMP Type : 14 β Timestamp Reply (sent Type 13)
β TTL : 59
β RTT : 1.84 ms
β ββ Timestamps (ms since midnight UTC) ββββββββββββββ
β Originate : 0 ms β 00:00:00.000 (not set)
β Receive : 22,974,518 ms β 06:22:54.518 UTC
β Transmit : 22,974,518 ms β 06:22:54.518 UTC β server time
β ββ Raw Response (hex) ββββββββββββββββββββββββββββββ
β 45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
β Legend: ββ=IP header ββ=ICMP header ββ=ICMP type14 ββ=timestamps
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[-] 192.168.1.2 no response (filtered or not vulnerable)
βββ VULNERABLE βββββββββββββββββββββββββββββββββββββββββββ
β Host : 192.168.1.3
β TTL : 59 | RTT : 2.11 ms
β Transmit : 22,977,926 ms β 06:22:57.926 UTC β server time
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SCAN SUMMARY
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Scanner time : 2026-07-14 13:37:25 WIB (06:37:25 UTC)
Total probed : 4
Vulnerable : 2
No response : 2
Errors : 0
ββ VULNERABLE HOSTS βββββββββββββββββββββββββββββββββββββββββββββ
β Host TTL RTT Server Time (UTC) Transmit ms β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β 192.168.1.1 59 1.8ms 06:22:54.518 UTC 22,974,518 β
β 192.168.1.3 59 2.1ms 06:22:57.926 UTC 22,977,926 β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββ Hex Evidence βββββββββββββββββββββββββββββββββββββββββββββ
[192.168.1.1] TTL=59 RTT=1.84ms Serverβ 06:22:54.518 UTC
45 48 00 28 14 76 00 00 3b 01 2d 93 c0 a8 01 01 c0 a8 01 64 0e 00 f9 15 ...
Legend: ββ=IP header ββ=ICMP header ββ=ICMP type14 ββ=timestamps
[192.168.1.3] TTL=59 RTT=2.11ms Serverβ 06:22:57.926 UTC
45 48 00 28 1a c3 00 00 3b 01 27 46 c0 a8 01 03 c0 a8 01 64 0e 00 f3 7e ...
Legend: ββ=IP header ββ=ICMP header ββ=ICMP type14 ββ=timestamps
Impact : Information Disclosure β server time exposed
CWE : CWE-200 Exposure of Sensitive Information
CVSS v3 : 0.0 (Low) β network access required
Fix : Block ICMP type 13 at perimeter ACL/firewall
Cisco : access-list deny icmp any any 13
```
---
## Hex Response Anatomy
```
Byte Field Example Description
βββββ βββββββββββββββββ βββββββββββ ββββββββββββββββββββββββββββββββββββββ
0 IP Version/IHL 45 IPv4, header length = 20 bytes
1 DSCP/ECN 48
2-3 Total Length 0028 40 bytes
4-5 Identification 1476
6-7 Flags/Fragment 0000
8 TTL 3b 59 hops
9 Protocol 01 ICMP
10-11 IP Checksum 2d93
12-15 Source IP c0a80101 192.168.1.1 β responding host
16-19 Destination IP c0a80164 192.168.1.100 β scanner
ββββ ICMP header starts at byte 20 ββββββββββββββββββββββββββββββββββββββββ
20 ICMP Type 0e 14 = Timestamp Reply β VULNERABLE
21 ICMP Code 00
22-23 ICMP Checksum f915
24-25 Identifier d5bf
26-27 Sequence Number 0001
28-31 Originate TS 00000000 0 ms (requester field, not filled)
32-35 Receive TS 015e9036 22,974,518 ms = 06:22:54 UTC β leaked
36-39 Transmit TS 015e9036 22,974,518 ms = 06:22:54 UTC β leaked
```
---
## Remediation
### Cisco IOS / IOS XE
```
ip access-list extended BLOCK-ICMP-TS
deny icmp any any 13
deny icmp any any 17
permit ip any any
!
interface GigabitEthernet0/0
ip access-group BLOCK-ICMP-TS in
```
### Cisco ASA
```
access-list OUTSIDE_IN deny icmp any any 13
access-list OUTSIDE_IN deny icmp any any 17
access-group OUTSIDE_IN in interface outside
```
### Linux β iptables
```bash
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
```
### Linux β nftables
```bash
nft add rule inet filter input icmp type timestamp-request drop
nft add rule inet filter output icmp type timestamp-reply drop
```
### Windows Firewall
```powershell
netsh advfirewall firewall add rule `
name="Block ICMP Timestamp Request" `
protocol=icmpv4:13,any action=block dir=in
```
---
## References
- [CVE-1999-0524 β NVD](https://nvd.nist.gov/vuln/detail/CVE-1999-0524)
- [RFC 792 β ICMP (Type 13/14 specification)](https://datatracker.ietf.org/doc/html/rfc792)
- [CWE-200 β Exposure of Sensitive Information](https://cwe.mitre.org/data/definitions/200.html)
- [Nessus Plugin 10114 β ICMP Timestamp Request Remote Date Disclosure](https://www.tenable.com/plugins/nessus/10114)
---
## Legal Disclaimer
> This tool is intended **solely** for authorized penetration testing engagements, security research, and educational purposes.
> Running this tool against any system without **explicit written permission** from the system owner is illegal and may violate computer crime laws in your jurisdiction.
> The author and Vantage Point Security assume no liability for any misuse of this tool.
---
*Made with β₯ by **Muhamad Bion Tadavi** β Vantage Point Security (VPSI)*