PCAP Kerberos AS-REP roast and WinRM command reconstruction
Advanced DFIR engagement: Wireshark capture of an AD compromise — open-port SYN/ACK map, AS-REP etype 23 for larry.doe cracked to Password1!, WinRM traffic decrypted to recover SAM/SYSTEM dump commands and the planted artifact.
- Case files
- PCAP Kerberos AS-REP roast and WinRM command reconstruction
traffic.pcap reconstructed the intrusion: Kerberos username spray → AS-REP roast of DIRECTORY.THM\larry.doe → WinRM with Password1! → reg save SAM/SYSTEM and a planted flag.
SYN/ACK map and kerberos.CNameString extraction identified larry.doe.
hashcat mode 18200 recovered Password1! from etype 23 AS-REP.
Decrypted WinRM Arguments showed SAM/SYSTEM dumps and the planted flag.
Engagement summary
traffic.pcap reconstructed the intrusion: Kerberos username spray → AS-REP roast of DIRECTORY.THM\larry.doe → WinRM with Password1! → reg save SAM/SYSTEM and a planted flag.
DIRECTORY was a music-company IR case with only a Wireshark capture (md5 23393189b3cb22f7ac01ce10427886de). TShark SYN/ACK enumeration showed AD-typical ports (53,80,88,135,139,389,445,…). Kerberos AS traffic identified DIRECTORY.THM\larry.doe as the foothold account. AS-REP etype 23 cipher material was formatted for hashcat -m 18200 and cracked to Password1!. Encrypted WinRM on 5985 was decrypted with that password; base64 rsp:Arguments recovered whoami, reg save HKLM\SYSTEM / SAM, and the operator artifact THM{Ya_G0t_R0aSt3d!}.
Business impact
Accounts without Kerberos pre-auth are offline AS-REP roast targets. Weak passwords plus WinRM exposure turn a single hash into interactive admin. Enforce pre-auth, long unique secrets, and monitor for AS-REP roasting and unusual WinRM command sequences.
Open ports and Kerberos foothold user
SYN/ACK map and kerberos.CNameString extraction identified larry.doe.
OPERATOR · TSHARK
savvy@lab:~$ tshark -r traffic.pcap -c 3000 -T fields -e tcp.srcport -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" | sort -n | uniq | paste -sd ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5357
savvy@lab:~$ tshark -r traffic.pcap -Y kerberos -T fields -e kerberos.CNameString -e kerberos.crealm | awk 'NF==2 {print $2 "\\" $1}' | sort -u
DIRECTORY.THM\larry.doe
AS-REP extract and crack
hashcat mode 18200 recovered Password1! from etype 23 AS-REP.
HASH FORMAT
directory.hash
$krb5asrep$23$larry.doe@DIRECTORY.THM:<cipher>$<checksum>OPERATOR · HASHCAT
savvy@lab:~$ tshark -r traffic.pcap -Y "frame.number==4817" -T fields -e kerberos.cipher -e kerberos.CNameString -e kerberos.crealm
savvy@lab:~$ hashcat -a 0 -m 18200 directory.hash /usr/share/wordlists/rockyou.txt
Password1! (larry.doe@DIRECTORY.THM)
WinRM decrypt and command timeline
Decrypted WinRM Arguments showed SAM/SYSTEM dumps and the planted flag.
OPERATOR · WINRM
savvy@lab:~$ python3 decrypt.py -p 'Password1!' ./traffic.pcap > decrypted_traffic.txt
savvy@lab:~$ grep -oP '(?<=<rsp:Arguments>).*?(?=</rsp:Arguments>)' decrypted_traffic.txt | while read l; do echo "$l" | base64 -d; echo; done
whoami
reg save HKLM\SYSTEM C:\SYSTEM
reg save HKLM\SAM C:\SAM
THM{Ya_G0t_R0aSt3d!}
Remediation
Disable AS-REP roastable accounts; enforce strong passwords and Protected Users where appropriate. Restrict WinRM, alert on reg save of SAM/SYSTEM, and retain full packet capture for IR.