This is a Python implementation of the man-in-the-middle attack described by Charlie Clark (@exploitph) in his post, New Attack Paths? AS Requested Service Tickets, and demonstrated in his proof-of-concept, Roast in the Middle.
In short, this tool:
- Performs ARP spoofing between your target(s) and the gateway to obtain a man-in-the-middle position
- Sniffs traffic for an AS-REQ containing
PA-ENC-TIMESTAMP
data (yes, this will miss a valid AS-REQ where pre-auth is not required) - Replays the sniffed AS-REQ to a DC after changing the SPN to usernames/SPNs provided via a file
- Outputs any roasted account hashes
Post about RITM. For a greater level of technical detail I recommend reading Charlie's blog.
WARNING: Attempting to man-in-the-middle too many targets may cause latency issues for the victim's machines. RITM has only been tested on <5 targets at a time. Specifying network equipment as targets with -t/--targets
and subsequently ARP spoofing against them will likely have a negative effect on the network.
RITM will restore the ARP caches of target machines upon completion or Ctrl-C
. If an uncaught error is thrown and RITM errors out, you can restart RITM and quickly Ctrl-C
to restore ARP caches.
RITM can be installed by cloning this repository and running pip3 install .
and subsequently executed from PATH with either ritm
or roastinthemiddle
- I highly recommend specifying a domain controller to roast with
--dc-ip
- If target(s) and DC are on same subnet, set the DC's IP with
--gateway
/-g
RITM uses Poetry to manage dependencies. Install from source and setup for development with:
git clone https://github.com/tw1sm/ritm
cd ritm
poetry install
poetry run ritm --help
Thank you to the following people for contributions to the code base!
- Charlie Clark (@exploitph) - This tool is completely based off his research and proof-of-concept code
- Impacket - for Kerberos structures and code to send/parse AS-REQs, AS-REPs