Timeroasting: Attacking Trust Accounts in Active Directory
Your "strong and unhackable" computer account password might not be as unguessable as you think...
The supposedly highly secure passwords that Windows computers within corporate networks use to authenticate to each other appear to have an unexpected weakness. Passwords that are considered "unhackable" turn out to be easy to crack in some cases.
KERBEROASTING OR PASSWORD SPRAYING
Many common AD attack techniques, such as Kerberoasting or password spraying, take advantage of the predictability of passwords chosen by humans, either for themselves or for a service account they manage. So far, these types of attacks have been considered useless against the passwords of computer accounts, because those accounts tend to have very strong passwords.
FALSE ASSUMPTION
In practice, however, the assumption that such passwords are always unguessable turns out to be false: there are several situations in which computer or trust accounts can have highly predictable passwords, and we encountered this in a number of organizational domains. This has all kinds of interesting implications, and we have come up with four novel AD pentesting techniques that take advantage of it.
In domains where weak computer or trust accounts are present, these techniques can provide new (stealthy) methods of initial access and additional avenues for lateral movement and privilege escalation within AD environments.
TIMEROASTING WHITE PAPER AND CUSTOM TOOLING
For an in-depth explanation of this weakness in company networks, please read our white paper "Timeroasting, Trustroasting and Computer Spraying".
And if you want to explore this further in your own network, the custom tooling is available in the GitHub repository.
Why choose Bureau Veritas Cybersecurity
Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.
We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.