Description
Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first 48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes that can be cracked offline for machine and trust accounts. The attacker must know the accounts RID, but because RIDs are sequential, they can easily be enumerated.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/scanner/ntp/timeroastmsf undefined(timeroast) > show actions ...actions...msf undefined(timeroast) > set ACTION < action-name >msf undefined(timeroast) > show options ...show and set options...msf undefined(timeroast) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub