In AD environments, the DC hashes its NTP responses with the computer account's NT hash. That means you can request and brute force the hashes for all computer accounts in a domain from an UNAUTHENTICATED perspective!
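The request pattern described above is visible on the DC side. The following is an added example, not code from this page or from the tools it names: it flags any source that sends authenticated NTP requests for many different RIDs. It assumes the MS-SNTP request layout (48-byte NTP header, 4-byte little-endian key identifier carrying the RID, 16-byte checksum); the function names, threshold and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48        # standard NTP header
AUTH_REQUEST_LEN = 68      # header + 4-byte key identifier + 16-byte checksum (assumed layout)
RID_MASK = 0x7FFFFFFF      # top bit of the key identifier selects current/previous password


def extract_rid(payload: bytes):
    """Return the RID carried by an authenticated client request, else None."""
    if len(payload) != AUTH_REQUEST_LEN:
        return None                      # plain NTP (48 bytes) or something else
    if payload[0] & 0x07 != 3:           # NTP mode 3 = client
        return None
    (key_id,) = struct.unpack_from("<I", payload, NTP_HEADER_LEN)
    return key_id & RID_MASK


def find_rid_sweeps(packets, threshold=5):
    """packets: iterable of (src_ip, udp_payload) captured on a DC's UDP/123.

    A domain member authenticates time sync with its own RID only, so a
    source presenting many distinct RIDs is enumerating computer accounts.
    Raise the threshold if several members share one address (NAT).
    """
    rids_by_src = defaultdict(set)
    for src, payload in packets:
        rid = extract_rid(payload)
        if rid is not None:
            rids_by_src[src].add(rid)
    return {s: sorted(r) for s, r in rids_by_src.items() if len(r) >= threshold}


def sample_request(rid, old_key=False):
    """Constructed test packet: client-mode header, key identifier, zeroed checksum."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode=3
    key_id = rid | (0x80000000 if old_key else 0)
    return header + struct.pack("<I", key_id) + bytes(16)


# Constructed capture, not real traffic.
SAMPLE_CAPTURE = (
    [("10.0.0.21", sample_request(1104))] * 4                        # member using its own RID
    + [("10.0.0.66", sample_request(r)) for r in range(1000, 1010)]  # one source, ten RIDs
    + [("10.0.0.30", bytes([0x23]) + bytes(47))]                     # unauthenticated NTP
)

if __name__ == "__main__":
    for src, rids in find_rid_sweeps(SAMPLE_CAPTURE).items():
        print(f"possible RID sweep from {src}: {len(rids)} distinct RIDs")
```
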
Timeroast
NXC
nxc smb IP -M timeroast
Cracking
Use extra-scripts/timecrack.py from the SecuraBV Timeroast tool
TargetedTimeroast
Or use Hashcat with hash type 31300. Currently, it's already available in the .