"Could not find the correct encryption key! Ticket is encrypted with keytype 18, but keytype(s) were supplied"

[jsdhasfedssad]

Hi,

I can successfully perform the ADCS attack that you describe here. However, once I try for example targeting LDAPS on a DC in order to add a computer account it always fails with the error "Could not find the correct encryption key! Ticket is encrypted with keytype 18, but keytype(s) were supplied".

This is how I configure mitm6:

After this I disable then reenable the NIC on the machine I MITM using mitm6 (client1.adlab.local/10.0.0.210) in order for the machine to be MITM.

This is how I trigger a Kerberos authentication on the machine I MITM using mitm6 (client1.adlab.local/10.0.0.210):

This is how I configure krbrelayx and the error I get:

The DC is running a fully patched Server 2019 and the client is running a fully patched Windows 10.

Is this a bug or am I doing something wrong?

[BlWasp]

Hi @jsdhasfedssad how have you solved this point ? Only RC4 is currently supported by the tool ?

[dirkjanm]

I think the problem is that only the DNS server supports actual relaying, the other services only support unconstrained delegation abuse, which requires encryption keys to be provided.

[BlWasp]

In my case I was trying to perform an ESC8 attack from a mitm6 poisoning to an ADCS web endpoint that only supports Kerberos authentication. The poisoning works well and the relay too, the error araised during the certificate request. But I guess the problem comes from an autoenrollment issue on the targeted template