On the Applicability of the Timeroasting Attack
Timeroasting is a relatively new attack vector in Active Directory environments that lets an unauthenticated attacker query a DC, by RID, for an NTP response encrypted with the NT hash of the machine account of every computer in the domain. This is possible by abusing the [MS-SNTP] extension, which was designed to prevent AitM attacks on computers’ clock synchronization procedure.
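Seen from the defender's side, the by-RID querying described above means a single source names many different RIDs in its time requests to a DC. The following detection sketch is an added example, not code from the original article or from any Timeroasting tool. It assumes, from a reading of [MS-SNTP], that an authenticated request is a 48-byte NTP header followed by a 4-byte little-endian Key Identifier (RID in the low 31 bits) and a 16-byte checksum; the function names, the threshold and the sample addresses are hypothetical.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48          # plain NTP header
AUTH_REQUEST_LEN = 68        # header + 4-byte Key Identifier + 16-byte checksum
KEY_SELECTOR_BIT = 1 << 31   # assumed: high bit selects current/previous password

def parse_rid(payload):
    """Return the RID named in an authenticated request, or None for other NTP."""
    if len(payload) != AUTH_REQUEST_LEN:
        return None
    (key_id,) = struct.unpack_from("<I", payload, NTP_HEADER_LEN)
    return key_id & (KEY_SELECTOR_BIT - 1)

def find_rid_sweeps(packets, threshold=5):
    """Map each source that asked for >= threshold distinct RIDs to those RIDs.

    packets: iterable of (source_ip, udp_payload) for traffic to a DC on UDP/123.
    A domain member only ever asks for its own RID, so several RIDs from one
    source is the anomaly worth alerting on.
    """
    rids_by_source = defaultdict(set)
    for source, payload in packets:
        rid = parse_rid(payload)
        if rid is not None:
            rids_by_source[source].add(rid)
    return {src: sorted(rids) for src, rids in rids_by_source.items()
            if len(rids) >= threshold}

def sample_request(rid, previous_key=False):
    """Constructed test input: placeholder header and checksum bytes."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode 3
    key_id = rid | (KEY_SELECTOR_BIT if previous_key else 0)
    return header + struct.pack("<I", key_id) + bytes(range(16))

# Constructed capture: a workstation syncing normally, one host walking RIDs,
# and an unauthenticated 48-byte NTP query.
SAMPLE_CAPTURE = (
    [("10.0.0.5", sample_request(1105))] * 3
    + [("10.0.0.66", sample_request(rid)) for rid in range(1000, 1010)]
    + [("10.0.0.7", bytes(NTP_HEADER_LEN))]
)

if __name__ == "__main__":
    for source, rids in find_rid_sweeps(SAMPLE_CAPTURE).items():
        print(f"possible Timeroasting sweep from {source}: {len(rids)} RIDs {rids}")
```

Clients that reach the DC through a shared NAT address can legitimately present a few RIDs from one source, so the threshold should be tuned to the network before alerting on it.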
So how can an attacker make use of NTP response blobs encrypted with the NT hashes of machine accounts, which are meant to be derived from random passwords?