Description
I want to add the timeroast attack based on the research from SecuraBV as a module for NXC. This attack operates without requiring authentication and exploits the Microsoft NTP protocol to request password hashes for any computer or trust account from a Domain Controller/NTP Server.
These can be cracked offline with hashcat beta (-m 31300) https://hashcat.net/beta/ + hashcat/hashcat#3629
or the timecrack.py provided by SecuraBV https://github.com/SecuraBV/Timeroast/blob/main/extra-scripts/timecrack.py
More information: https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf
The current problem is that the protocol “NTP” is missing as an option in NXC, or is there an alternative way to use it without a protocol? Therefore it uses smb.
Type of change
How Has This Been Tested?
Tested it in my Active Directory Lab with a Kali 2024.1 as Client and Windows Server 2022 as DC
Client with python3.11.8
Add the computer account with e.g.:
impacket-addcomputer domain/user:pw -computer-name "timeroast" -computer-pass "timeroast" -dc-ip ip
or
GUI, Computers -> New -> Computer -> name -> "timeroast" -> Click "Assign this computer account as a pre-Windows 2000 computer" -> OK (password will be the first 14 characters of your computer name without the $)
poetry run nxc smb ip -M timeroast
Screenshots (if appropriate):
Checklist:
poetry run python -m ruff check . --preview (use --fix to automatically fix what it can)