Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timeroast module #311

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Timeroast module #311

wants to merge 5 commits into from

Conversation

Disgame
Copy link

@Disgame Disgame commented May 17, 2024
edited
Loading

Description

I want to add the timeroast attack based on the research from SecuraBV as a module for NXC. This attack operates without requiring authentication and exploits the Microsoft NTP protocol to request password hashes for any computer or trust account from a Domain Controller/NTP Server.
These can be cracked offline with hashcat beta (-m 31300) https://hashcat.net/beta/ + hashcat/hashcat#3629
or the timercrack.py provided by SecuraBV https://github.com/SecuraBV/Timeroast/blob/main/extra-scripts/timecrack.py

More information: https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

Current problem is that the protocol “NTP” is missing as an option in NXC or an alternative to use it without a protocol? Therefore it uses smb

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Tested it in my Active Directory Lab with a Kali 2024.1 as Client and Windows Server 2022 as DC
Client with python3.11.8

Add the computer account with e.g.:
impacket-addcomputer domain/user:pw -computer-name "timeroast" -computer-pass "timeroast" -dc-ip ip
or
GUI, Computers -> New -> Computer -> name -> "timeroast" -> Click "Assign this computer account as a pre-Windows 2000 computer" -> OK (password will be the first 14 characters of your computer name without the $)

poetry run nxc smb ip -M timeroast

Screenshots (if appropriate):

grafik
grafik

Checklist:

  • I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary
  • New and existing e2e tests pass locally with my changes
  • My code follows the style guidelines of this project (should be covered by Ruff above)
  • If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

@Disgame Disgame marked this pull request as draft May 17, 2024 23:56
@Marshall-Hallenbeck
Copy link
Collaborator

I'm working with @Disgame on this, we'll convert it to a full PR when it's ready

@Marshall-Hallenbeck Marshall-Hallenbeck added this to the v1.3.0 milestone May 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

@NeffIsBack NeffIsBack Awaiting requested review from NeffIsBack NeffIsBack is a code owner

@mpgn mpgn Awaiting requested review from mpgn mpgn is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
new module
Projects
None yet
Milestone
v1.3.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Disgame @Marshall-Hallenbeck