You ask a server for the time. It replies. And without realizing it, it just gave you a chance to crack its password.

That is Timeroasting.


A bit of context

In a Windows network with Active Directory, machines need to synchronize to the same time. For that, they use NTP (Network Time Protocol) - nothing exotic, it is the same protocol any internet-connected device uses.

But in AD, the domain controller (DC) does not just return the time. It signs its reply to prove it is legitimate. And that signature? It is computed from the NTLM hash of the machine account that made the request.

That is where it gets interesting.


How it works in practice

When a domain machine asks for the time, here is what happens behind the scenes:

Client  ---[What time is it?]---->  DC
Client  <---[14:30 + signature]----  DC

The signature is a MAC (Message Authentication Code), computed like this:

MAC = HMAC(NTLM_hash_of_machine_account, message)

As an attacker, you do not need to be authenticated to send this request. You can do it from any machine that has network access to the DC. And the reply you receive contains that signature.

Once you have it, you can try to crack it offline, at your own pace, without alerting anyone.


Why it works (sometimes)

Normally, machine accounts have auto-generated passwords: 128 random characters, rotated every 30 days. In other words, brute-forcing is not realistic.

But sometimes an admin sets a machine account password manually. Maybe for compatibility, maybe out of habit, maybe out of laziness. And then, if the password is weak - like Rusty88! - it is game over.

There is an easy clue to spot in BloodHound: the account creation date versus the last password change date.

# Normal account (auto password at creation)
Created:           31/12/2024 13:19
Password Last Set: 31/12/2024 13:19  <- same time

# Suspicious account (password manually changed later)
Created:           31/12/2024 13:19
Password Last Set: 31/12/2024 19:45  <- 6 hours later

Commands

Step 1 - Collect hashes with NetExec:

nxc smb dc.domain.htb -M timeroast

You get something like:

TIMEROAST 10.10.11.75  1125:$sntp-ms$e29310adfef7175837324b2c7df35bd7$1c0111e9...

1125 is the RID of the machine account. The rest is the hash to crack.

Step 2 - Crack with hashcat:

hashcat -m 31300 timeroast.hashes rockyou.txt --user

If the password is in the wordlist:

$sntp-ms$e29310...:Rusty88!

Step 3 - Validate credentials:

nxc smb dc.domain.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k

What you can do with a machine account

A compromised machine account is not the end of the world by itself - but it provides a foothold in the domain. Depending on the account privileges, it can allow you to:

  • Enumerate other domain resources
  • Attempt privilege escalation (Kerberos delegation, etc.)
  • Pivot to other machines

How to defend against it

Two simple rules:

1. Never manually set a machine account password. Let Windows manage it automatically.

2. Automatic rotation every 30 days. This is the default behavior - do not disable it.

If you want to go further, monitor accounts where Password Last Set differs from Created: it is an anomaly indicator to investigate.
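The two indicators above (Password Last Set later than Created, and a password that has not rotated in 30 days) can be checked with a short audit script. This is an added example, not part of the original post; the account records are constructed here in the dd/mm/yyyy HH:MM form BloodHound displays, and the 5-minute tolerance is an assumption. In practice the records would come from an AD export of whenCreated and pwdLastSet.

```python
# Added example: audit computer accounts for the two Timeroasting indicators.
from datetime import datetime, timedelta

DATE_FMT = "%d/%m/%Y %H:%M"
# A password set at creation lands within the same minute; allow a small
# tolerance for clock granularity and replication lag (assumption: 5 minutes).
MANUAL_SET_TOLERANCE = timedelta(minutes=5)
# Default machine account rotation interval is 30 days (from the post).
MAX_PASSWORD_AGE = timedelta(days=30)
# Constructed reference time used to measure password age.
NOW = datetime(2025, 1, 15, 12, 0)


def audit_machine_accounts(records, now):
    """Return {account: [finding, ...]} for accounts worth investigating.

    records: iterable of (name, created, password_last_set) display strings.
    now: datetime against which password age is measured.
    """
    findings = {}
    for name, created_s, pwd_set_s in records:
        created = datetime.strptime(created_s, DATE_FMT)
        pwd_set = datetime.strptime(pwd_set_s, DATE_FMT)
        issues = []
        # Indicator 1: password set well after creation -> likely set by hand.
        if pwd_set - created > MANUAL_SET_TOLERANCE:
            issues.append("password set %s after creation" % (pwd_set - created))
        # Indicator 2: no rotation in 30 days -> automatic change disabled?
        if now - pwd_set > MAX_PASSWORD_AGE:
            issues.append("password not rotated for %d days" % (now - pwd_set).days)
        if issues:
            findings[name] = issues
    return findings


# Constructed sample data: the two accounts from the post plus a stale one.
SAMPLE = [
    ("WS01$", "31/12/2024 13:19", "31/12/2024 13:19"),
    ("IT-COMPUTER3$", "31/12/2024 13:19", "31/12/2024 19:45"),
    ("OLD-SRV$", "01/06/2024 09:00", "01/06/2024 09:00"),
]

if __name__ == "__main__":
    for name, issues in audit_machine_accounts(SAMPLE, NOW).items():
        print(name, "->", "; ".join(issues))
```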


Timeroasting is a good example of how a security mechanism (NTP authentication) can become an attack vector when it is misconfigured. The flaw is not in the protocol itself - it is in the human practices around it.