You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The KrbOfferedEncryptionTypes setting isn't respected if there's already a "matching" ticket in the kerberos cache.
Steps to reproduce
Setup: clear the kerberos cache (klist -d)
Use a kerberos-supported module
Run the module with kerberos auth (should default to AES256)
Observe the communications in wireshark - will likely be AES256
Note that the kerberos cache now has tickets (klist)
Re-run the module, forcibly setting krbofferedencryptiontypes to RC4-HMAC
Observe the communications in wireshark - should be RC4-HMAC, but is actually AES256
Delete kerberos tickets: klist -d
Re-run the module, forcibly setting krbofferedencryptiontypes to RC4-HMAC
Observe the communications in wireshark - is now RC4-HMAC
Expected behaviour
If an encryption type is set that does not match tickets in the kerberos cache, it should re-request a Kerberos ticket OR warn the user about this edge case
The KrbOfferedEncryptionTypes setting isn't respected if there's already a "matching" ticket in the kerberos cache.
Steps to reproduce
klist -d
)klist
)klist -d
Expected behaviour
Tested on metasploit commit: c9dfb7e
The text was updated successfully, but these errors were encountered: