This is a Python implementation of the man-in-the-middle attack described by Charlie Clark (@exploitph) in his post, New Attack Paths? AS Requested Service Tickets, and demonstrated in his proof-of-concept, Roast in the Middle.
In short, this tool:
- Performs ARP spoofing between your target(s) and the gateway to obtain a man-in-the-middle position
- Sniffs traffic for an AS-REQ containing
PA-ENC-TIMESTAMPdata (yes, this will miss a valid AS-REQ where pre-auth is not required) - Replays the sniffed AS-REQ to a DC after changing the SPN to usernames/SPNs provided via a file
- Outputs any roasted account hashes
For a greater level of technical detail I recommend reading Charlie's blog.
Attempting to man-in-the-middle too many targets may cause latency issues for the victim machines. RITM has only been tested on <5 targets at a time.
RITM will restore the ARP caches of target machines upon complention or Ctrl-C. If un uncaught error is thrown and RITM errors out, you can restart RITM and quickly Ctrl-C to restore ARP caches.
RITM can be installed by cloning this repository and running pip3 install . and subsequently executed from PATH with either ritm or roastinthemiddle
- I highly recommend specifying a domain controller to roast with
--dc-ip - If target(s) and DC are on same subnet, set the DC's IP with
--gateway/-g
RITM uses Poetry to manage dependencies. Install from source and setup for development with:
git clone https://github.com/tw1sm/ritm
cd ritm
poetry install
poetry run ritm --help- Charlie Clark (@exploitph) - This tool is completely based off his research and proof-of-concept code
- Impacket - for Kerberos structures and code to send/parse AS-REQs, AS-REPs