Timeroast scripts
Python and Powershell scripts accompanying the whitepaper Timeroasting, trustroasting and computer spraying: taking advantage of weak computer and trust account passwords in Active Directory. These support the timeroasting attack technique, which abuses the NTP protocol in order to extract password hashes for computer and trust accounts from a domain controller, which can then be attempted to be cracked offline. It turns out it is not uncommon for such accounts to have bad (default) passwords instead of the frequently rotated random passwords that are normally used, making password cracking possible in those cases.
How to run
Both the Python (timeroast.py
) and Powershell (timeroast.ps1
) scripts should run standalone with no need to install
any dependencies. The Python script requires Python 3.6.
The extra-scripts/kirbi_to_hashcat.py
script solely depends on Impacket.
Execute python timeroast.py -h
or powershell timeroast.ps1 -?
for usage instructions.
Timeroasting
Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.
Three scripts are included:
timeroast.py
: given a DC domain name or IP, will attempt to get 'NTP hashes' of the computer/trust accounts in the domain by enumerating RID's.timeroast.ps1
: Powershell port of the same script.extra-scripts/timecrack.py
: performs a simple, unoptimized, dictionary attack on the results oftimeroast.py
ortimeroast.ps1
.
Hashcat will add support for Timeroast hashes as hash type 31300. Currently, it's already available in the beta release.
Alternative ways to abuse weak 'dollar account' passwords
If Timeroasting is not possible or desirable, there are some alternative attacks that can be used to identity and compromise computer or trust accounts with weak passwords. These are described in detail in the whitepaper. To summarize, these attacks work as follows:
- computer spraying: perform a password spray for computer accounts, where you try a legacy NT password (up to first 14 characters of the computer name, lowercased, without the dollar sign) for each computer account.
- extended kerberoasting: adjust a Kerberoasting tool to also fetch computer and trust tickets. Requires an AD account.
- trustroasting: obtain a trust ticket through a regular Kerberos referal, and brute-force the password used to encrypt it. Requires an AD account.
Computer spraying and Kerberoasting can easily be carried out with existing tools. I currently have not implemented a convenient trustroast.py
script that will automatically enumerate trusts and fetch tickets. However, this can easily be achieved with Rubeus in the way described in the whitepaper. However, I did add a simple script which converts Rubeus' output format into something you can slot into Hashcat:
extra-scripts/kirbi_to_hashcat.py
: converts a Kerberos ticket (referal/trust, service, ticket-granting, etc.) that is encoded as a base64 KRB_CRED structure into Hashcat format. Hash types 13100, 19600, 19700 (i.e. RC-4 and AES tickets) are supported.
Credits
The attack and original script were developed by Tom Tervoort of Secura BV.
The Powershell port was contributed by Jacopo Scannella.
Special thanks to Garret Foster for pointing out that Timeroasting can also be used to obtain trust account hashes.