
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled

It is possible to Kerberoast a user account that has an SPN even when the account supports Kerberos AES encryption, by requesting a TGS encrypted with RC4 (etype 23) instead of AES. RC4 tickets are much cheaper to crack: the RC4-HMAC key is the account's unsalted NT hash, whereas the AES keys are derived from the password with salted PBKDF2 (4096 iterations), so every candidate password costs far more to test against an AES ticket (compare hashcat modes 13100 for etype 23 and 19700 for etype 18).

Execution

1. Confirm there is a user with an SPN set

Note the account's msDS-SupportedEncryptionTypes value as well, since it determines which encryption types the KDC may use for that account's service tickets.

Run (PowerShell, PowerView's Get-NetUser):

Get-NetUser output
2. Request a TGS for a user that does not support AES (RC4 returned)

If the service account does not support Kerberos AES encryption (no AES bits in msDS-SupportedEncryptionTypes, which is the default for user accounts), the KDC can only issue an RC4-encrypted ticket, so a Kerberoasting TGS request (here made with Rubeus) returns RC4 (etype 23).

Run (Rubeus):

RC4 TGS returned
3. Request a TGS when the user supports AES (AES returned by default)

If the service account is configured to support AES, the KDC picks the ticket encryption type from the intersection of the etypes listed in the client's TGS-REQ and the etypes the service account supports, preferring the strongest. A request made through the normal Windows Kerberos client lists AES, so an AES-encrypted ticket (etype 17 or 18) comes back by default:

Run (Rubeus):

AES TGS returned
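The three steps above as one added PowerShell example (not code from the original page, which used PowerView and Rubeus): it enumerates SPN-bearing user accounts over LDAP, decodes msDS-SupportedEncryptionTypes so you can see which accounts are able to return AES, requests a service ticket for each SPN through the Windows Kerberos client (the path on which an AES-capable account returns AES, as in step 3), and reads the enctype of each cached ticket back from klist. It assumes a domain-joined host and a domain user session; the LDAP filter, function names and column names are my own.

```powershell
# Added example, not from the original page. Assumes a domain-joined Windows
# host, a domain user session, and .NET Framework (System.IdentityModel).

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
$EncTypeFlags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function Get-EncTypeNames {
    param([int]$Value)
    if ($Value -eq 0) { return 'not set (defaults to RC4 unless the domain changes the default)' }
    $names = foreach ($flag in $EncTypeFlags.Keys) {
        if ($Value -band $flag) { $EncTypeFlags[$flag] }
    }
    return (@($names) -join ', ')
}

function Get-SpnAccounts {
    # User objects with at least one SPN; krbtgt and computer accounts are excluded.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes'))
    foreach ($r in $searcher.FindAll()) {
        $p    = $r.Properties
        $vals = $p['msds-supportedencryptiontypes']
        $enc  = if ($vals -and $vals.Count -gt 0) { [int]$vals[0] } else { 0 }
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            SPNs           = @($p['serviceprincipalname'])
            EncTypesRaw    = ('0x{0:x}' -f $enc)
            EncTypes       = Get-EncTypeNames $enc
        }
    }
}

function Request-ServiceTicket {
    # Asks LSA for a TGS via SSPI. LSA lists every enctype the client supports in
    # the TGS-REQ, so an AES-capable service account comes back AES (step 3).
    param([string]$Spn)
    Add-Type -AssemblyName System.IdentityModel
    $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    [void]$token.GetRequest()      # AP-REQ bytes; the TGS is now in the LSA ticket cache
}

function Get-CachedTicketEncTypes {
    # Parses klist: each cached ticket has a 'Server:' line followed by a
    # 'KerbTicket Encryption Type:' line. Returns SPN -> enctype name.
    $map = @{}
    $server = $null
    foreach ($line in (klist 2>&1)) {
        if ($line -match '^\s*Server:\s*(\S+)') { $server = $Matches[1] }
        elseif ($server -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            $map[$server] = $Matches[1]
            $server = $null
        }
    }
    return $map
}

$accounts = @(Get-SpnAccounts)
foreach ($a in $accounts) {
    try   { Request-ServiceTicket $a.SPNs[0] }
    catch { Write-Warning "TGS request failed for $($a.SPNs[0]): $($_.Exception.Message)" }
}
$cached = Get-CachedTicketEncTypes
$accounts | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.SamAccountName
        SPN         = $_.SPNs[0]
        Supports    = $_.EncTypes
        TicketEtype = $cached[$_.SPNs[0]]   # e.g. 'RSADSI RC4-HMAC(NT)' or 'AES-256-CTS-HMAC-SHA1-96'
    }
} | Format-Table -AutoSize
```

Accounts whose Supports column lists an AES type are the ones for which this path returns an AES ticket; forcing RC4 for those accounts is the downgrade described in the following section, and it needs a tool that builds the TGS-REQ itself rather than the Windows Kerberos client.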

Requesting RC4 Encrypted Ticket

It is possible to request an RC4-encrypted TGS even when AES is supported by both parties, provided RC4 has not been disabled for the service account or for the domain. The downgrade is simply a TGS-REQ whose list of supported etypes contains only RC4-HMAC (23): because the service account still supports RC4, the KDC honours the request. Rubeus does this when it builds the TGS-REQ itself instead of going through the Windows Kerberos client (for example with the /tgtdeleg flag, or with a supplied TGT via /ticket).

Run (Rubeus):

Even though AES is supported, a TGS encrypted with RC4 (enctype 0x17 / 23) can be returned. That ticket is also what defenders look for: a Security event 4769 with Ticket Encryption Type 0x17 for a service account that has AES set in msDS-SupportedEncryptionTypes. The downgrade is blocked by clearing the RC4 bit (0x4) in the service account's msDS-SupportedEncryptionTypes, or by disabling RC4 domain-wide.

RC4 TGS observed
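As an added example on the defensive side, not from the original page: the detection logic for the downgrade just described, run over Security event 4769 records (A Kerberos service ticket was requested). It flags RC4 (0x17) tickets issued for service accounts that support AES, and bursts of RC4 service-ticket requests for many distinct services from one user and source address. The sample events, account names and the AES-support lookup are constructed for the example; in production the events would come from Get-WinEvent and the lookup from msDS-SupportedEncryptionTypes.

```powershell
# Added example, not from the original page. All events and lookups below are
# constructed; the field names match the EventData of event 4769.

# Which service accounts have an AES bit (0x8 or 0x10) in msDS-SupportedEncryptionTypes
$ServiceSupportsAes = @{
    'svc_sql'    = $true
    'svc_web'    = $true
    'svc_legacy' = $false   # attribute unset: an RC4 ticket is the expected type here
}

# Constructed 4769 records. ServiceName is the service account's sAMAccountName;
# TicketEncryptionType is the hex etype as logged (0x17 RC4-HMAC, 0x12 AES256,
# 0x11 AES128); Status 0x0 means the ticket was issued.
$Events = @(
    [pscustomobject]@{ Time='2024-01-10T09:00:01'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_sql';    TicketEncryptionType='0x12'; IpAddress='::ffff:10.0.0.25'; Status='0x0' },
    [pscustomobject]@{ Time='2024-01-10T09:14:07'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_sql';    TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' },
    [pscustomobject]@{ Time='2024-01-10T09:14:08'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_web';    TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' },
    [pscustomobject]@{ Time='2024-01-10T09:14:08'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_legacy'; TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' },
    [pscustomobject]@{ Time='2024-01-10T09:14:09'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='WEB01$';     TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' },
    [pscustomobject]@{ Time='2024-01-10T09:30:00'; TargetUserName='asmith@CORP.LOCAL'; ServiceName='svc_legacy'; TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.40'; Status='0x0' }
)

function Find-KerberoastIndicators {
    param($Events, [hashtable]$SupportsAes, [int]$WindowMinutes = 5, [int]$MinServices = 3)

    # Only successfully issued RC4 tickets for user service accounts: computer
    # accounts (trailing $) and krbtgt are excluded to cut the noise.
    $rc4 = @($Events | Where-Object {
        $_.Status -eq '0x0' -and $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt'
    })

    $hits = @()

    # Rule A: RC4 ticket for a service that supports AES (the downgrade itself)
    foreach ($e in $rc4) {
        if ($SupportsAes[$e.ServiceName]) {
            $hits += [pscustomobject]@{ Rule = 'RC4 ticket for AES-capable service'; User = $e.TargetUserName; Source = $e.IpAddress; Detail = $e.ServiceName; Time = $e.Time }
        }
    }

    # Rule B: many distinct services requested with RC4 by one user/IP in a short window
    foreach ($g in ($rc4 | Group-Object { "$($_.TargetUserName)|$($_.IpAddress)" })) {
        $sorted = @($g.Group | Sort-Object { [datetime]$_.Time })
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = [datetime]$sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $services = @($sorted |
                Where-Object { $t = [datetime]$_.Time; $t -ge $start -and $t -le $end } |
                Select-Object -ExpandProperty ServiceName -Unique)
            if ($services.Count -ge $MinServices) {
                $hits += [pscustomobject]@{ Rule = "$($services.Count) services roasted in $WindowMinutes min"; User = $sorted[$i].TargetUserName; Source = $sorted[$i].IpAddress; Detail = ($services -join ','); Time = $sorted[$i].Time }
                break
            }
        }
    }
    return $hits
}

Find-KerberoastIndicators -Events $Events -SupportsAes $ServiceSupportsAes | Format-Table -AutoSize
```

On the constructed data, rule A fires for svc_sql and svc_web (RC4 tickets for AES-capable accounts) and rule B fires once for jdoe (three distinct user service accounts within a minute); the lone RC4 ticket for svc_legacy by asmith is not flagged, since RC4 is the expected type for an account with no AES support. 4769 is the highest-volume event on a domain controller, so the Status, computer-account and krbtgt filters matter in practice; and because an attacker can avoid rule A by skipping AES-capable accounts (Rubeus's /rc4opsec exists for exactly that), rule B is needed alongside it.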
