Clock Skew Synchronization

(Thank you @NukingDragons)

Overview


Timestamps are a fundamental part of Kerberos authentication, with a 5-minute variation between clocks being the default tolerance. The purpose of this check is to reduce the viability of "replay" attacks. Because of this, many Active Directory attacks require the attacker's clock to be synchronized with the Domain Controller's.

sync-clockskew.sh


This script synchronizes the attacker's clock with a target Domain Controller by applying the measured clock skew.

#!/bin/bash

if [[ $# != 1 ]]
then
    echo "Usage: sync-clockskew <dc_ip>"
    exit 1
fi

echo "[+] Fetching clock skew (this can take a minute)..."
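# Take the first "clock-skew" value reported by nmap's default scripts on port 445
# and rewrite it (e.g. 7h00m00s) as a relative offset that date(1) understands.
CLOCK_SKEW=$(sudo nmap -sC -sV -p445 "$1" 2>&1 | grep "clock-skew" | head -n1 | sed 's/mean: //g; s/,//g' | cut -d' ' -f2 | sed 's/d/ days /g; s/h/ hours /g; s/m/ minutes /g; s/s$/ seconds/g')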

if [[ ! -z $CLOCK_SKEW ]]
then
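    # date applies a leading minus sign only to the first unit, so for a
    # negative skew every following unit needs its own minus sign.
    if [[ ! -z "$(echo "$CLOCK_SKEW" | grep '^-')" ]]
    then
        CLOCK_SKEW=$(echo "$CLOCK_SKEW" | sed 's/ \([0-9]\)/ -\1/g')
    fi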
    echo " o  Clock Skew: $CLOCK_SKEW"

    # Disable NTP first so it does not revert the manual clock change.
    sudo timedatectl set-ntp false
    echo " o  NTP disabled."

    echo " o  Updating your local clock (this might cause any VPN/remote application to restart or crash)."
    sudo date --set="$CLOCK_SKEW"
else
    echo "[!] Failed to fetch clock skew! Try \"rdate -n $1\" for NTP."
fi

To undo the synchronization, run the following command:

timedatectl set-ntp true
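
A pre-check that could run before the clock is changed, as an added example that is not part of the original page or script: it converts a skew value in the `7h00m00s` form the script parses into signed seconds and compares it with the default 5-minute tolerance from the overview. The function names, the `KERBEROS_TOLERANCE` variable and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of sync-clockskew.sh. Sample skew strings are constructed.

KERBEROS_TOLERANCE=300   # the default 5-minute tolerance, in seconds

# Convert a skew value such as "-1d02h03m04s" into signed seconds.
# Prints the result; returns 1 if the value is malformed.
skew_to_seconds() (
    s=$1 sign=1 total=0
    case $s in -*) sign=-1; s=${s#-} ;; esac
    [ -n "$s" ] || return 1
    for unit in d:86400 h:3600 m:60 s:1; do
        u=${unit%%:*} mult=${unit##*:}
        case $s in *"$u"*)
            n=${s%%"$u"*}              # digits in front of the unit letter
            s=${s#*"$u"}               # remainder still to be parsed
            case $n in ''|*[!0-9]*) return 1 ;; esac
            n=${n#"${n%%[!0]*}"}       # drop leading zeros ("08" is invalid octal)
            total=$(( total + ${n:-0} * mult ))
        ;; esac
    done
    [ -z "$s" ] || return 1            # leftover characters mean a malformed value
    echo $(( sign * total ))
)

# Return 0 if the absolute skew fits inside the tolerance, 1 if it does not,
# and 2 if the value could not be parsed.
within_tolerance() (
    secs=$(skew_to_seconds "$1") || return 2
    [ "$secs" -lt 0 ] && secs=$(( -secs ))
    [ "$secs" -le "$KERBEROS_TOLERANCE" ]
)

# Constructed sample values: one inside the tolerance, two outside it.
for sample in "4m59s" "-7h00m00s" "1d00h08m09s"; do
    if within_tolerance "$sample"; then
        verdict="within tolerance, no clock change needed"
    else
        verdict="outside tolerance, synchronization required"
    fi
    echo "$sample = $(skew_to_seconds "$sample") seconds: $verdict"
done
```

When the skew is already within tolerance, NTP can stay enabled and the local clock does not need to be touched.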