SecuraBV / Timeroast

Timeroasting scripts by Tom Tervoort
MIT License

Timeroast scripts

Python and PowerShell scripts accompanying the whitepaper Timeroasting, trustroasting and computer spraying: taking advantage of weak computer and trust account passwords in Active Directory. These support the timeroasting attack technique, which abuses the NTP protocol in order to extract password hashes for computer and trust accounts from a domain controller; cracking of those hashes can then be attempted offline. It turns out it is not uncommon for such accounts to have bad (default) passwords instead of the frequently rotated random passwords that are normally used, making password cracking possible in those cases.

How to run

Both the Python (timeroast.py) and PowerShell (timeroast.ps1) scripts should run standalone with no need to install any dependencies. The Python script requires Python 3.6.

The extra-scripts/kirbi_to_hashcat.py script solely depends on Impacket.

Execute python timeroast.py -h or powershell timeroast.ps1 -? for usage instructions.

Timeroasting

Timeroasting takes advantage of Windows' NTP authentication mechanism, which allows unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request carrying that account's RID. This is not a problem when computer account passwords are properly generated, but if a non-standard or legacy default password is set, this tool allows you to brute-force those hashes offline.
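From the defender's side, the traffic pattern described above is distinctive: one source sends authenticated NTP client requests whose key identifier field cycles through many different RIDs, while a legitimate domain member only ever asks about its own account. The following Python script is an added example for this page, not code from the Timeroast project: it parses the NTP header plus the MS-SNTP trailer (a 4-byte key identifier, optionally followed by a 16-byte MAC) and flags any source that requests more than a handful of distinct RIDs. The little-endian byte order of the key identifier and the use of its top bit as the "old password" flag are assumptions taken from the MS-SNTP layout; verify them against your own captures. The sample packets are constructed inline, not a real capture.

```python
"""Detection helper for timeroasting-style NTP traffic (added example).

Parses NTP datagrams (RFC 5905 48-byte header) and the MS-SNTP authenticator
trailer that follows it, then reports sources that sweep many distinct RIDs.
"""
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48
MODE_CLIENT = 3
MSSNTP_KEYID_LEN = 4
MSSNTP_MAC_LEN = 16
# Assumption (per MS-SNTP): the key identifier holds the account RID in
# little-endian order, and the top bit selects the previous ("old") password.
RID_FLAG_OLD_PASSWORD = 1 << 31


def parse_ntp_packet(data: bytes):
    """Return a dict describing one NTP datagram, or None if it is too short."""
    if len(data) < NTP_HEADER_LEN:
        return None
    li_vn_mode = data[0]
    info = {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "authenticated": False,
        "key_id": None,
        "rid": None,
        "old_password": False,
        "has_mac": False,
    }
    trailer = data[NTP_HEADER_LEN:]
    if len(trailer) >= MSSNTP_KEYID_LEN:
        key_id = struct.unpack("<I", trailer[:MSSNTP_KEYID_LEN])[0]
        info["authenticated"] = True
        info["key_id"] = key_id
        info["rid"] = key_id & 0x7FFFFFFF          # strip the flag bit
        info["old_password"] = bool(key_id & RID_FLAG_OLD_PASSWORD)
        info["has_mac"] = len(trailer) >= MSSNTP_KEYID_LEN + MSSNTP_MAC_LEN
    return info


def find_rid_sweeps(packets, threshold=5):
    """Given (src_ip, raw_bytes) pairs, return {src: sorted RIDs} for every
    source that sent authenticated client requests for >= threshold distinct RIDs."""
    rids_by_src = defaultdict(set)
    for src, raw in packets:
        pkt = parse_ntp_packet(raw)
        if pkt and pkt["mode"] == MODE_CLIENT and pkt["authenticated"]:
            rids_by_src[src].add(pkt["rid"])
    return {src: sorted(r) for src, r in rids_by_src.items() if len(r) >= threshold}


# ---- constructed sample traffic (not a real capture) ----
def _sample_client_request(key_id=None) -> bytes:
    """Minimal NTPv3 client-mode datagram (all timestamps zero); when key_id
    is given, append a 4-byte MS-SNTP key identifier without a MAC."""
    pkt = bytes([(3 << 3) | MODE_CLIENT]) + bytes(NTP_HEADER_LEN - 1)
    if key_id is not None:
        pkt += struct.pack("<I", key_id)
    return pkt


SAMPLE_PACKETS = (
    # an ordinary unauthenticated time query
    [("10.0.0.5", _sample_client_request())]
    # one domain member syncing with its own RID (single key id, benign)
    + [("10.0.0.7", _sample_client_request(1105))]
    # one source sweeping consecutive RIDs, some with the old-password flag set
    + [("10.0.0.99", _sample_client_request(rid)) for rid in range(1000, 1010)]
    + [("10.0.0.99", _sample_client_request(rid | RID_FLAG_OLD_PASSWORD))
       for rid in range(1000, 1003)]
)

if __name__ == "__main__":
    for src, rids in find_rid_sweeps(SAMPLE_PACKETS).items():
        print(f"possible timeroasting sweep from {src}: "
              f"{len(rids)} distinct RIDs, first {rids[:5]}")
```

The threshold is what separates normal domain members (one RID each, repeated over time) from an enumeration; tune it to your environment and run the detector over the UDP/123 traffic arriving at your domain controllers rather than over the constructed samples.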

Three scripts are included:

  1. timeroast.py: the Python timeroasting script.
  2. timeroast.ps1: the PowerShell port.
  3. extra-scripts/kirbi_to_hashcat.py: converts Rubeus' output format into something you can slot into Hashcat.

Hashcat is adding support for Timeroast hashes as hash type 31300; at the time of writing it is already available in the beta release.

Alternative ways to abuse weak 'dollar account' passwords

If Timeroasting is not possible or desirable, there are some alternative attacks that can be used to identify and compromise computer or trust accounts with weak passwords. These are described in detail in the whitepaper. To summarize, these attacks work as follows:

  1. computer spraying: perform a password spray for computer accounts, where you try a legacy NT password (up to first 14 characters of the computer name, lowercased, without the dollar sign) for each computer account.
  2. extended kerberoasting: adjust a Kerberoasting tool to also fetch computer and trust tickets. Requires an AD account.
  3. trustroasting: obtain a trust ticket through a regular Kerberos referral, and brute-force the password used to encrypt it. Requires an AD account.

Computer spraying and Kerberoasting can easily be carried out with existing tools. I currently have not implemented a convenient trustroast.py script that automatically enumerates trusts and fetches tickets; this can, however, easily be achieved with Rubeus in the way described in the whitepaper. I did add a simple script which converts Rubeus' output format into something you can slot into Hashcat: extra-scripts/kirbi_to_hashcat.py.

Credits

The attack and original script were developed by Tom Tervoort of Secura BV.

The PowerShell port was contributed by Jacopo Scannella.

Special thanks to Garret Foster for pointing out that Timeroasting can also be used to obtain trust account hashes.