TimeRoast

In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!

https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

On the Applicability of the Timeroasting Attacksnovvcrash@gh-pages:~$ _

Timeroast

GitHub - SecuraBV/Timeroast: Timeroasting scripts by Tom TervoortGitHub

NXC

nxc smb IP -M timeroast

Cracking

Use extra-scripts/timecrack.py from SecuraBV Timeroast tool

Or: Hashcat will add support for Timeroast hashes as hash type 31300. Currently, it's already available in the beta release.

TargetedTimeroast

GitHub - OffsecDeer/TargetedTimeroast: Tamper Active Directory user attributes to collect their hashes with MS-SNTPGitHub

Targeted Timeroasting: Stealing User Hashes With NTPMedium

PreviousADIDNS Spoofing NextUsers Identification

Last updated 5 months ago