Case file

PCAP Kerberos AS-REP roast and WinRM command reconstruction

Advanced DFIR engagement: Wireshark capture of an AD compromise — open-port SYN/ACK map, AS-REP etype 23 for larry.doe cracked to Password1!, WinRM traffic decrypted to recover SAM/SYSTEM dump commands and the planted artifact.

Advanced35 minDFIR · Kerberos · WinRM · Active Directory
01

Engagement summary

traffic.pcap reconstructed the intrusion: Kerberos username spray → AS-REP roast of DIRECTORY.THM\larry.doe → WinRM with Password1! → reg save SAM/SYSTEM and a planted flag.

DIRECTORY was a music-company IR case with only a Wireshark capture (md5 23393189b3cb22f7ac01ce10427886de). TShark SYN/ACK enumeration showed AD-typical ports (53,80,88,135,139,389,445,…). Kerberos AS traffic identified DIRECTORY.THM\larry.doe as the foothold account. AS-REP etype 23 cipher material was formatted for hashcat -m 18200 and cracked to Password1!. Encrypted WinRM on 5985 was decrypted with that password; base64 rsp:Arguments recovered whoami, reg save HKLM\SYSTEM / SAM, and the operator artifact THM{Ya_G0t_R0aSt3d!}.

Business impact

Accounts without Kerberos pre-auth are offline AS-REP roast targets. Weak passwords plus WinRM exposure turn a single hash into interactive admin. Enforce pre-auth, long unique secrets, and monitor for AS-REP roasting and unusual WinRM command sequences.

02

Open ports and Kerberos foothold user

SYN/ACK map and kerberos.CNameString extraction identified larry.doe.

OPERATOR · TSHARK

savvy@lab:~$ tshark -r traffic.pcap -c 3000 -T fields -e tcp.srcport -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" | sort -n | uniq | paste -sd ','

53,80,88,135,139,389,445,464,593,636,3268,3269,5357

savvy@lab:~$ tshark -r traffic.pcap -Y kerberos -T fields -e kerberos.CNameString -e kerberos.crealm | awk 'NF==2 {print $2 "\\" $1}' | sort -u

DIRECTORY.THM\larry.doe

03

AS-REP extract and crack

hashcat mode 18200 recovered Password1! from etype 23 AS-REP.

HASH FORMAT

directory.hash

$krb5asrep$23$larry.doe@DIRECTORY.THM:<cipher>$<checksum>

OPERATOR · HASHCAT

savvy@lab:~$ tshark -r traffic.pcap -Y "frame.number==4817" -T fields -e kerberos.cipher -e kerberos.CNameString -e kerberos.crealm

savvy@lab:~$ hashcat -a 0 -m 18200 directory.hash /usr/share/wordlists/rockyou.txt

Password1! (larry.doe@DIRECTORY.THM)

04

WinRM decrypt and command timeline

Decrypted WinRM Arguments showed SAM/SYSTEM dumps and the planted flag.

OPERATOR · WINRM

savvy@lab:~$ python3 decrypt.py -p 'Password1!' ./traffic.pcap > decrypted_traffic.txt

savvy@lab:~$ grep -oP '(?<=<rsp:Arguments>).*?(?=</rsp:Arguments>)' decrypted_traffic.txt | while read l; do echo "$l" | base64 -d; echo; done

whoami

reg save HKLM\SYSTEM C:\SYSTEM

reg save HKLM\SAM C:\SAM

THM{Ya_G0t_R0aSt3d!}

Remediation

Disable AS-REP roastable accounts; enforce strong passwords and Protected Users where appropriate. Restrict WinRM, alert on reg save of SAM/SYSTEM, and retain full packet capture for IR.