The Hidden Risks of Computer Account Passwords in Active Directory
Introduction
In a previous internal penetration test, I was stuck trying to get an account to authenticate to my target's Active Directory. After some googling, I came across a technique I had never heard of before: the timeroasting attack, discovered by Secura.
At a high level, this attack extracts computer account password hashes by abusing the NTP protocol. It may be useful as a last resort to obtain authenticated access, because of legacy behaviors in computer account password management.
This blog post aims to raise awareness of legacy computer passwords, explain the attack, and help defenders identify vulnerable computers in their own environment.
Computer password expectations
If, like me, you thought and expected that computer accounts have a long random password, generated automatically and rotated every thirty days, you may be wrong.
There are several cases where this is not true. First, one may create a computer account and check the following box:
Figure 1 - Creating a computer as a pre-Windows 2000 computer
Most of the time, administrators are not aware of the consequences. Joe described the impact of checking this box in an old blog post from 2012. Checking the box applies the "NT4 default computer password".
Back in the days of Windows NT4, computer accounts were initialized with a default password that matched the first 14 characters of the computer name, in lowercase and without the trailing dollar sign.
For example, the password of MyLongComputerAccount$ will be mylongcomputer.
This practice was standard prior to Windows 2000 and carries security risks that can still impact modern environments, since computer accounts are just a subclass of the user class and can carry out the same enumerations and attacks as a standard user.
The same behavior applies when using command-line tools or scripts to create computers, because most of the time the old legacy API is used. For example, this is the case when using net computer.
Figure 2 – Creating a computer account with net computer
It is also the case if you reset the computer account.
Figure 3 – Resetting account of a computer
Computer name enumeration
Knowing that computer accounts may have a password almost identical to their name, the next question is how to gather the computer names.
From an unauthenticated point of view, the most likely ways to get them, in my opinion, are:
- Scanning SMB, for example using netexec smb ip_ranges.txt
- Reverse DNS zone if any, for example using dnsrecon -d domain.local -r 192.168.0.0/16
- Passive monitoring or man-in-the-middle using tools such as Wireshark or responder
- OSINT may help as well
If you have only gathered a few computer names, it may still be enough to guess and build a computer list, since most companies rely on a naming convention for their machines.
Computer spraying
Armed with a computer list, one may carry out a password spraying attack, with Kerbrute for example, and hopefully obtain valid computer credentials.
Figure 4 – Spraying computer accounts
The timeroasting attack
The timeroasting attack serves the same goal but differs in the technique used. Instead of spraying passwords, which is usually detected in mature environments, the timeroasting technique abuses the NTP protocol to obtain computer account hashes, and it works by default in modern Active Directory environments.
Indeed, domain-joined computers use an authenticated version of NTP developed by Microsoft to prevent time spoofing attacks. This version adds a cryptographic Message Authentication Code (MAC) to NTP responses, using the NTLM hash of the computer account password.
However, any RID can be used to request a response, potentially allowing unauthenticated parties to obtain salted password hashes of all computer accounts. If passwords are not strong and random, these hashes can be cracked offline.
Details and scripts in Python and PowerShell to gather the hashes are provided in the Secura GitHub repository.
Figure 5 – Gathering computer accounts hashes using Timeroasting technique
From there, an attacker could brute-force these hashes offline using the hashcat beta version, with a password list based on computer names, but also with well-known wordlists and rules. If a password was set manually by an administrator, the latter may be interesting.
./hashcat -m 31300 timeroast.hashes --username computers_pass.txt
Figure 6 - Cracking computer hashes using hashcat
Detecting potential vulnerable computers
One way of detecting them is to enumerate and review the computers whose password was last set more than 30 days ago, because nowadays computer account passwords are rotated automatically unless administrators have created an exception to this rule.
In addition, make sure to detect failed login attempts made with computer accounts.
The following script may help defenders identify potentially vulnerable legacy computers. It requires an authenticated session and the Active Directory module.
Code Block 1 - Finding computers with password last set older than 30 days
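As an added example (not the author's script), the following PowerShell performs the two checks described above: it lists enabled computer accounts whose password has not been set in the last 30 days, and it summarizes failed logons targeting computer accounts from a domain controller's Security log. It assumes the ActiveDirectory module, an authenticated domain session, and read access to the DC's Security log; the function names are my own.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module
# and an authenticated domain session; the event query assumes it is run on
# (or with read access to) a domain controller's Security log.
Import-Module ActiveDirectory

# 1. Computer accounts whose password has not rotated in the last N days.
#    Normal domain members rotate every 30 days, so anything older deserves a
#    look: pre-Windows 2000 creation, manual resets, or an admin exception.
function Get-StaleComputerPassword {
    param([int]$MaxAgeDays = 30)
    $threshold = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter { Enabled -eq $true } `
                   -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $threshold } |
        Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem, DistinguishedName |
        Sort-Object PasswordLastSet
}

# 2. Failed logons whose target is a computer account (name ends with '$').
#    4625 covers NTLM/logon failures; 4771 covers Kerberos pre-authentication
#    failures, which is what a Kerberos-based spray produces.
function Get-FailedComputerLogon {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -like '*$') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Account = $data['TargetUserName']
                    Source  = $data['IpAddress']
                    Status  = $data['Status']
                }
            }
        } |
        Group-Object Account | Sort-Object Count -Descending |
        Select-Object Name, Count, @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ',' } }
}

Get-StaleComputerPassword -MaxAgeDays 30 | Format-Table -AutoSize
Get-FailedComputerLogon -Hours 24 | Format-Table -AutoSize
```

Many distinct computer accounts failing from the same source address in a short window is the spraying pattern worth alerting on; the stale-password list is the set to review and reset.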
Conclusion
To conclude, the timeroasting attack presents a real threat by exploiting legacy behaviors in computer account password management.
By abusing the NTP protocol, attackers can extract computer password hashes and potentially gain unauthorized access to Active Directory environments. It is crucial for defenders to recognize the risks posed by legacy computer accounts and implement measures to mitigate them.
Regularly reviewing and resetting computer account passwords, especially those set manually or older than 30 days, is essential. By using detection scripts and staying informed about attack techniques like timeroasting, organizations can better protect their environments.