Fix Kerberoasting against AES-only#1316
Conversation
|
CIA lvl reporting 🥷 |
|
My co-worker had what seems the same problem. I l |
Right, turns out this is literally MS's RC4 hardening rollout. When msDS-SupportedEncryptionTypes is unset/0 the KDC now defaults to AES-only that's exactly why the target refuses RC4 despite attr=0. Talked with Neff about that. Here is some explanation;
In impackets kerberosv5 file, AES not in etype
I think It's general, not roast-specific: any ST request from an RC4 TGT to an AES-only service fails the same way (incl. PtH-over-Kerberos). Normal password/AES login negotiates an AES TGT, so it works fine.
We last discussed that we would try to fix the issue on the Impacket side when Neff becomes available. |







Description
This PR adds an automatic fallback: on
KDC_ERR_ETYPE_NOSUPPfromgetKerberosTGS.On real life test, when kerberoasting over LDAP, nxc forces an RC4. Against AES-only service accounts / RC4-disabled domains the KDC rejects this with
KDC_ERR_ETYPE_NOSUPPand no hash is returned — mirroring Impacket GetUserSPNs.py, which only works there with-no-rc4flag.Type of change
Setup guide for the review
Against real life test (DC - Server 2022). nxc returns
Kerberos SessionError: KDC_ERR_ETYPE_NOSUPP(KDC has no support for encryption type). Target user'smsDS-SupportedEncryptionTypes 0Screenshots (if appropriate):
Before Fix:

Impacket GetUserSPNs.py results while not using

-no-rc4Impacket GetUserSPNs.py results while using
-no-rc4After Fix:

Checklist:
poetry run ruff check ., use--fixto automatically fix what it can)tests/e2e_commands.txtfile if necessary (new modules or features are required to be added to the e2e tests)