No Hash? No Problem! - ASRepCatcher


Intro: Credentials Are Currency

In penetration testing, credentials are like currency. It doesn't matter where they come from, whether dark web dumps or captured network traffic; we are always chasing that initial foothold. When valid credentials land in our hands, they open the door to further attacks. And when those credentials belong to a domain user, the whole environment starts to look much better.

Enter ASRepCatcher, my go-to tool when testing an internal network without any credentialed access to Active Directory. Traditional AS-REP Roasting requires accounts with Kerberos pre-authentication disabled, a misconfiguration we cannot count on finding. ASRepCatcher removes that dependency: instead of requesting hashes directly from the domain controller (DC), it uses ARP spoofing to intercept Kerberos authentication traffic on the local network, capturing AS-REP responses in transit before they reach the workstation. The advantage is clear: no account misconfiguration is required, so any domain user authenticating against the DC from that same segment becomes a target. But capturing the hash is only half the battle.
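Because the whole technique rests on a station answering ARP for an address that is not its own, the defender-side signal is an IP-to-MAC mapping that changes, or one MAC that starts answering for several IPs. The following is an added example (not code from this post or from the ASRepCatcher project) that runs that check over constructed ARP reply lines in the shape of `tcpdump -n arp` output; the addresses, the MACs and the pinned DC baseline are all assumptions made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` reply lines (not a real capture).
# 192.168.56.10 plays the DC; aa:aa:aa:aa:aa:99 is a second station that starts
# answering for the DC's address and then for a workstation's address as well.
SAMPLE_LINES = """\
12:00:01.000000 ARP, Reply 192.168.56.10 is-at aa:aa:aa:aa:aa:01, length 28
12:00:02.000000 ARP, Reply 192.168.56.20 is-at aa:aa:aa:aa:aa:02, length 28
12:00:31.000000 ARP, Reply 192.168.56.10 is-at aa:aa:aa:aa:aa:99, length 28
12:00:31.500000 ARP, Reply 192.168.56.20 is-at aa:aa:aa:aa:aa:99, length 28
12:00:32.000000 ARP, Reply 192.168.56.10 is-at aa:aa:aa:aa:aa:99, length 28
"""

# Assumed (hypothetical) baseline of addresses whose MAC is known in advance,
# e.g. from a DHCP reservation or switch port inventory; only the DC is pinned here.
BASELINE = {"192.168.56.10": "aa:aa:aa:aa:aa:01"}

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_replies(text):
    """Extract (timestamp, sender_ip, sender_mac) from ARP reply lines; other lines are skipped."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_conflicts(replies, baseline):
    """Alert whenever an IP is answered for by a MAC other than its baseline or first-seen MAC.

    The known mapping is deliberately not updated after a conflict, so a persistent
    spoof keeps alerting instead of silently becoming the new "normal".
    """
    known = dict(baseline)
    alerts = []
    for ts, ip, mac in replies:
        expected = known.get(ip)
        if expected is None:
            known[ip] = mac
        elif expected != mac:
            alerts.append({"ts": ts, "ip": ip, "expected": expected, "seen": mac})
    return alerts


def macs_claiming_multiple_ips(replies, threshold=2):
    """Return MACs that answer for at least `threshold` distinct IPs, the signature of a
    single station inserting itself between several hosts."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= threshold}


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_LINES)
    for a in detect_conflicts(replies, BASELINE):
        print(f"{a['ts']} {a['ip']} expected {a['expected']} but saw {a['seen']}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(replies))
```

A legitimate NIC replacement or a first-hop redundancy failover will also trip the conflict check, so in practice the alert is correlated against change records before it is treated as a spoof; the second check (one MAC, many IPs) is the stronger signal because ordinary hosts rarely answer for more than their own address.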

First, We Build

Before running the tool, you will need the domain controller's IP address to intercept Kerberos traffic. So, whether you are in your lab or on a live network assessment, grabbing that while you get ASRepCatcher installed keeps things moving. Give the README a review before running and installing; it covers environment requirements and any dependencies. You can find this tool at the following GitHub repository: https://github.com/Yaxxine7/ASRepCatcher.git

Create a folder on your VM, clone the repository from GitHub, and read the install instructions:

git clone https://github.com/Yaxxine7/ASRepCatcher.git
cd ASRepCatcher
sudo python3 setup.py install

Once you are set up, the attack is pretty straightforward and breaks into two phases: capturing the hash and cracking it offline. Let's break down each one and what a successful hash capture looks like.

Part 1: Capturing a Hash

ASRepCatcher gives you two modes to work with, RELAY and LISTEN, both covered in the README. RELAY actively intercepts and forwards Kerberos exchanges via ARP spoofing, while LISTEN passively sniffs traffic on the segment waiting for authentication exchanges to capture. My go-to is RELAY. In my experience, it's more reliable in most assessment environments.

One thing to set expectations on: don't panic if nothing comes through immediately. Authentication traffic is opportunistic, and you are waiting on users to authenticate. Don't count the tool out just because things are quiet at first. Sometimes a hash comes through in 2 minutes, sometimes you are sitting there for 20 minutes before hashes are captured. Patience is part of the process.

Below is the relay command along with a successful AS-REP hash captured from the GOAD lab environment for reference.

Relay Command:

ASRepCatcher relay -dc <DC-IP> --stop-spoofing

Given a little time, you should capture a hash or two that look like the example below.

[Screenshot: ASRepCatcher capturing an AS-REP hash in the GOAD lab]

Part 2: Password Cracking

Once you have the hash, you will need to move it offline for cracking. For this example, we will be using Hashcat as our cracking tool, with mode 18200 (its mode for etype 23 AS-REP hashes, the ones that begin with $krb5asrep$23$). You can use it in conjunction with your preferred word list and rule. If you're looking for a place to start, I recommend the rockyou word list paired with the One Rule to Rule Them All; this combination gives you a large candidate space to crack against. An example of the command is listed below for reference.

hashcat -m 18200 <hashfile> <wordlist> -r <rule>

Go Forth and Conquer: Creds in Hand

Crack the hash and you are off to the races. A domain user's credential opens up a wide range of next steps, and you can start digging deeper into the environment. This is not a guaranteed win every time, and occasionally you will run into environments where ARP spoofing is restricted. But, at the end of the day, it all comes down to password policy. If common words, predictable patterns, or weak complexity requirements are in play, there is a strong chance that hash is getting cracked.

From a mitigation standpoint, Dynamic ARP Inspection is the control that stops this attack at the network level, but most organizations are not running it consistently across every segment. That means this attack path is not going anywhere. Your most reliable defense is enforcing a strong password policy that is long, complex, and free of common patterns. When it comes to attacks like this one, that single control makes all the difference.
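The cracking step above succeeds precisely when a password is a dictionary word that one rule-file transformation (case toggle, leetspeak, an appended year or digits) turns into the real value. A policy check that rejects those candidates at set time is therefore the control the text is pointing at. The following is an added example (not code from this post or from any product) of such a check; the 14-character minimum, the small deny list and the keyboard-walk list are assumptions chosen for the demo, and a real deployment would load a breached-password list and the organization's own names instead.

```python
import re

# Leetspeak substitutions are undone before dictionary matching ('P@ssw0rd' -> 'password'),
# because cracking rules apply exactly these substitutions to a word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed deny list (assumption): a real deployment would load a breached-password
# list plus company, product and site names.
DENYLIST = {"password", "welcome", "summer", "winter", "spring", "autumn", "letmein", "acmecorp"}
KEYBOARD_WALKS = ("qwerty", "asdfg", "zxcvb", "12345", "abcdef")


def normalize(pw):
    """Lower-case and undo common leetspeak so dictionary matching sees the base word."""
    return pw.lower().translate(LEET)


def check_password(pw, min_length=14, denylist=DENYLIST):
    """Return the list of policy violations for pw; an empty list means it passes.

    min_length=14 is an assumed value. The pattern rules mirror what rule-based
    cracking does to a word list, so a candidate that is one rule away from a
    dictionary word is rejected even if it satisfies length and character classes.
    """
    problems = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if any(word in norm for word in denylist):
        problems.append("contains a deny-listed word")
    if any(walk in low for walk in KEYBOARD_WALKS):
        problems.append("contains a keyboard walk")
    if re.search(r"(?:19|20)\d\d", pw):
        problems.append("contains a year")
    if re.search(r"(.)\1\1", pw):
        problems.append("contains a run of 3+ identical characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two that satisfy naive complexity rules yet crack
    # quickly under a rule-based attack, and one that passes.
    for candidate in ("Summer2024!", "P@ssw0rd123!", "correct-horse-Battery-9-staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The point of the demo is that `Summer2024!` and `P@ssw0rd123!` both contain four character classes and would pass a legacy "8 characters, 3 of 4 classes" policy, yet fail here on the dictionary and year rules; the length-and-classes check alone is not the control that stops the cracking step.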

Want to know if your network is vulnerable to credential interception?

Techniques like ASRepCatcher are part of our standard toolkit during internal penetration tests. Reach out to discuss how we can help assess your environment.
