The covert channel based on network protocol has been widely used for network attack. Mastering the mechanism of covert channel is important to the formulating of corresponding network defense strategy. Due to the widely use of network time protocol, a kind of covert channel technology based on NTP protocol is proposed in this paper. This paper analyzes features of query/response mechanisms in the NTP protocol, utilizes the message field as hidden payload and then designs separated downstream and upstream NTP covert channels, in which secret information is disguised and transmitted as normal NTP messages. The popularity and irreplaceability of NTP message make NTP covert channel endowed with the advantages of great ability of penetration and high quality of concealment. Test results show that the technology could carry relatively considerable information and easily penetrate the network monitoring device. The future work will focus on authentication, encryption and other security mechanisms in NTP covert channel.