TimeRoast

In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!

https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

Timeroast

GitHub - SecuraBV/Timeroast: Timeroasting scripts by Tom TervoortGitHub

NXC

nxc smb IP -M timeroast

Cracking

Use extra-scripts/timecrack.py from SecuraBV Timeroast tool

Or: Hashcat will add support for Timeroast hashes as hash type 31300. Currently, it's already available in the beta release.