# tl;dr
This post illustrates an unusual use of [Roast-in-the-Middle](https://github.com/Tw1sm/RITM) for initial access to a desktop ERP application that relied on Windows-based authentication. I'm going to share odd cases like this once in a while; something similar may turn up for other people.
# backstory
Initial network access was obtained by successfully cracking the cryptographic material I got from a simple deauth/WPA2 handshake capture. After exploring the broadcast spoofing approach (with tools like `pretender` and LDAP/ADCS relaying) and getting domain access that way, I came back for another round of initial domain access testing.
# roast-in-the-middle
The [Roast-in-the-Middle](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/) attack sets up a MITM using ARP spoofing and positions the attacker between a target and a domain controller.
After that, it leverages the fact that the `sname` field of an AS-REQ is not integrity-protected (pre-authentication only proves knowledge of the client key over an encrypted timestamp), so it can be changed without invalidating the request. A single intercepted packet is enough, because AS-REQs can be replayed.
After changing the `sname` field to point to a Kerberoastable account, the resulting ticket can be cracked offline to obtain initial domain access. The tool is intuitive to use, needing only a handful of parameters that are usually available from DHCP or network scanning:
```bash
$ sudo poetry run ritm -i wlan0 --target <target> --gateway <gateway> --users-file userfile.txt --output-file o.txt
```
To conduct the attack, the attacker needs a list of accounts to brute-force. Usually this is built via RID cycling, but in this particular case there was another way.
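From the defender's side, the rewritten `sname` leaves a trace: a Kerberos authentication ticket request (Windows Security Event ID 4768) normally names the `krbtgt` service, so a 4768 whose Service Name is any other account is a strong indicator of AS-REQ roasting. The following is an added example, not code from the post or from the RITM project; it runs that check over constructed, simplified key=value event records (the `EventID=... ServiceName=...` export format and the sample values are assumptions).

```python
"""Flag RitM-style AS-REQ roasting: Event ID 4768 whose Service Name is not krbtgt."""
import re

# Constructed, simplified 4768/4769 records in a key=value export format.
# These are sample values, not real log data.
SAMPLE_EVENTS = [
    "EventID=4768 Account=jdoe ServiceName=krbtgt ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x12",
    "EventID=4768 Account=jdoe ServiceName=appname-svc ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x17",
    "EventID=4769 Account=jdoe ServiceName=appname-svc ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x12",
    "EventID=4768 Account=asmith ServiceName=KRBTGT ClientAddress=::ffff:10.0.0.40 TicketEncryptionType=0x12",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_as_req(event):
    """A 4768 (AS-REQ) should always ask for krbtgt. Any other service name
    means the sname was rewritten, which is exactly what RitM does.
    4769 (TGS-REQ) for a service account is normal and is ignored here."""
    if event.get("EventID") != "4768":
        return False
    return event.get("ServiceName", "").lower() != "krbtgt"


def find_roasted_as_reqs(lines):
    """Return (account, service, client, etype) for every suspicious 4768.
    The encryption type is kept for triage: 0x17 (RC4) makes cracking cheaper."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_as_req(ev):
            hits.append((ev.get("Account"), ev.get("ServiceName"),
                         ev.get("ClientAddress"), ev.get("TicketEncryptionType")))
    return hits


if __name__ == "__main__":
    for hit in find_roasted_as_reqs(SAMPLE_EVENTS):
        print("suspicious AS-REQ:", hit)
```

The same rule applies to a real export once the field names are mapped; the account named in the hit is the one whose key the attacker is trying to crack, which is what the service-account hardening mentioned later (gMSA, long random password) protects.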
# the application
The ERP application was developed in C# in-house and relied on Windows-based authentication as one of the possible methods. It was also available to download on several public FTP and SMB shares, which made it accessible to an unauthenticated attacker.
To authenticate, it presented a service ticket for `appname/appname-svc.domain.local`. This meant that successfully cracking the `appname-svc` account hash would allow an attacker to forge service tickets and fully impersonate another user to the application.
This vector was chosen for further investigation as the ERP system was one of the main objectives of the engagement. Also, surprisingly, `appname-svc` was not a gMSA.
# the attack chain
Thus, the full attack chain looked something like this:
```text
handshake/PMKID bruteforce ->
ERP download/analysis ->
RitM for appname-svc and more bruteforce ->
ERP admin impersonation via Silver Tickets ->
data exfil
```
The only issue with the silver ticket approach for impersonation (with `Rubeus` on a Windows laptop) was that the application determined the user context separately from the authentication process.
Instead of dealing with this by patching the application or setting up a matching environment, the user context could be rewritten on the fly with `Burp Suite`, which significantly simplified exploitation.