The KrbOfferedEncryptionTypes setting isn't respected if there's already a "matching" ticket in the kerberos cache.
Steps to reproduce
Setup: clear the kerberos cache (klist -d)
Use a kerberos-supported module
Run the module with kerberos auth (should default to AES256)
Observe the communications in wireshark - will likely be AES256
Note that the kerberos cache now has tickets (klist)
Re-run the module, forcibly setting krbofferedencryptiontypes to RC4-HMAC
Observe the communications in wireshark - should be RC4-HMAC, but is actually AES256
Delete kerberos tickets: klist -d
Re-run the module, forcibly setting krbofferedencryptiontypes to RC4-HMAC
Observe the communications in wireshark - is now RC4-HMAC
Expected behaviour
If an encryption type is set that does not match tickets in the kerberos cache, it should re-request a Kerberos ticket OR warn the user about this edge case
Tested on metasploit commit: c9dfb7e34ffd91af392648966f0e069685736298
Neustradamus
commented
1 week ago
The KrbOfferedEncryptionTypes setting isn't respected if there's already a "matching" ticket in the kerberos cache.
Steps to reproduce
klist -d)klist)klist -dExpected behaviour
Tested on metasploit commit: c9dfb7e34ffd91af392648966f0e069685736298