
Timeroast module

Open Disgame opened this issue 1 year ago • 5 comments

Description

I want to add the timeroast attack, based on the research from SecuraBV, as a module for NXC. This attack operates without requiring authentication and exploits the Microsoft NTP protocol to request password hashes for any computer or trust account from a Domain Controller/NTP server. These can be cracked offline with the hashcat beta (-m 31300), https://hashcat.net/beta/ + https://github.com/hashcat/hashcat/issues/3629, or with the timecrack.py provided by SecuraBV: https://github.com/SecuraBV/Timeroast/blob/main/extra-scripts/timecrack.py

More information: https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf

The current problem is that the protocol “NTP” is missing as an option in NXC (or an alternative to use it without a protocol?). Therefore it uses SMB.

Type of change

  • [x] New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Tested it in my Active Directory lab with Kali 2024.1 as the client and Windows Server 2022 as the DC, with python3.11.8.

Add the computer account, e.g. with: impacket-addcomputer domain/user:pw -computer-name "timeroast" -computer-pass "timeroast" -dc-ip ip, or via the GUI: Computers -> New -> Computer -> name -> "timeroast" -> tick "Assign this computer account as a pre-Windows 2000 computer" -> OK (the password will be the first 14 characters of your computer name without the $).

poetry run nxc smb ip -M timeroast

Screenshots (if appropriate):


Checklist:

  • [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [ ] I have added or updated the tests/e2e_commands.txt file if necessary
  • [ ] New and existing e2e tests pass locally with my changes
  • [x] My code follows the style guidelines of this project (should be covered by Ruff above)
  • [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

Disgame, May 17 '24 23:05
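For defenders reading this thread: the request the module sends is an ordinary 48-byte SNTP client packet followed by a 4-byte key identifier carrying the account RID and a 16-byte MD5 field (the MS-SNTP authenticator), so a Timeroast run looks on the wire like one source asking the DC for authenticators across many RIDs. The detector below is an added example, not part of the PR or of SecuraBV's tooling; it assumes the key identifier is little-endian and that its top bit is a flag to mask off, and all packets are constructed inline.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48
MS_SNTP_LEN = 68          # 48-byte NTP header + 4-byte key identifier + 16-byte MD5
KEY_FLAG = 0x80000000     # assumption: top bit of the key id is a flag, not part of the RID


def parse_ms_sntp_request(payload):
    """Return the RID carried by an MS-SNTP client request (mode 3, 68 bytes,
    non-zero key identifier), or None for anything else (plain SNTP, replies)."""
    if len(payload) != MS_SNTP_LEN:
        return None
    if payload[0] & 0x07 != 3:            # low 3 bits of the first byte = NTP mode
        return None
    key_id = struct.unpack('<I', payload[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    if key_id == 0:
        return None
    return key_id & ~KEY_FLAG


def find_rid_sweeps(datagrams, threshold=5):
    """datagrams: iterable of (src_ip, udp_payload) seen on port 123 at the DC.
    Returns {src_ip: sorted distinct RIDs} for sources requesting authenticators
    for more than `threshold` distinct RIDs; a domain member only asks for its own."""
    seen = defaultdict(set)
    for src, payload in datagrams:
        rid = parse_ms_sntp_request(payload)
        if rid is not None:
            seen[src].add(rid)
    return {src: sorted(rids) for src, rids in seen.items() if len(rids) > threshold}


def build_request(rid, old_password=False):
    # Constructed sample packet: LI=0, VN=3, mode=3, zeroed timestamps, little-endian
    # key id, and a zeroed MD5 field (the detector never inspects the digest).
    header = bytes([0x1b]) + b'\x00' * 47
    key_id = rid | (KEY_FLAG if old_password else 0)
    return header + struct.pack('<I', key_id) + b'\x00' * 16


# Constructed traffic: one benign member, one RID sweep, one plain SNTP client.
SAMPLE = (
    [('10.0.0.5', build_request(1105))] * 3
    + [('10.0.0.99', build_request(r)) for r in range(1000, 1040)]
    + [('10.0.0.99', build_request(1000, old_password=True))]
    + [('10.0.0.7', bytes([0x1b]) + b'\x00' * 47)]
)

if __name__ == '__main__':
    for src, rids in find_rid_sweeps(SAMPLE).items():
        print(f"{src}: {len(rids)} distinct RIDs requested ({rids[0]}..{rids[-1]})")
```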

I'm working with @Disgame on this, we'll convert it to a full PR when it's ready

Marshall-Hallenbeck, May 17 '24 23:05

Hi, this is a really cool PR! Any update on this? Is this ready for review?

NeffIsBack, Aug 27 '24 22:08

I like this attack and the work you have done, but shouldn't we add an NTP protocol instead of joining an NTP attack to the SMB protocol? Even if the NTP protocol isn't used that much?

Dfte, Sep 30 '24 11:09

> I like this attack and the work you have done, but shouldn't we add an NTP protocol instead of joining an NTP attack to the SMB protocol? Even if the NTP protocol isn't used that much?

We discussed this and there isn't really any point in an NTP protocol, since the point of NetExec is ultimately to authenticate to services.

Marshall-Hallenbeck, Sep 30 '24 12:09

@Disgame hey, this is still a really cool technique. Any update on this? Is this ready to be reviewed?

NeffIsBack, Nov 26 '24 18:11

> @Disgame hey, this is still a really cool technique. Any update on this? Is this ready to be reviewed?

If we’re not planning to include NTP as a protocol option, then yes, it’s ready for review! 😄

Disgame, Nov 26 '24 22:11

@NeffIsBack this uses a non-standard protocol (i.e. not one of the ones we have), so we can't really fit it into our architecture. We could create something weird like an "other" protocol, but that doesn't seem right.

@mpgn @Dfte @zblurx thoughts?

Marshall-Hallenbeck, Nov 26 '24 23:11

> @Disgame hey, this is still a really cool technique. Any update on this? Is this ready to be reviewed?
>
> If we’re not planning to include NTP as a protocol option, then yes, it’s ready for review! 😄

Ah damn, thought it was still WIP, as this is marked as a "Draft" PR; gonna convert it so we know it's ready for review and review it soon tm

EDIT: ah saw you already did it :)

NeffIsBack, Nov 26 '24 23:11

> @NeffIsBack this uses a non-standard protocol (i.e. not one of the ones we have), so we can't really fit it into our architecture. We could create something weird like an "other" protocol, but that doesn't seem right.
>
> @mpgn @Dfte @zblurx thoughts?

Let's just use SMB, right.... :D

~~Honestly, imo we should combine it with the methods from the new pre2k module https://github.com/Pennyw0rth/NetExec/pull/328. So we query NTP responses, try to "crack" the hash using the computer account name as the password, and if we are successful we request a TGT to immediately own the computer account (see https://github.com/Pennyw0rth/NetExec/pull/328 and the research from TrustedSec). That would be a super cool technique to gain initial access to a domain. Though, an option would probably be appropriate to turn off this step (might be a bit computationally expensive).~~

~~That would then also be a good excuse to use the SMB protocol lol~~

EDIT: Never mind, if that pre-created account is used to domain-join a machine, the password gets reset...

NeffIsBack, Nov 26 '24 23:11

@Disgame do you have a Twitter handle I could mention in a post?

NeffIsBack, Dec 01 '24 13:12