1

I'm trying to verify the encryption types allowed for Kerberos by viewing packet captures in order to prepare to remove support for RC4 with Kerberos. Does anyone know what I can do on Windows Server machines to generate some Kerberos traffic that will have this? More specifically, if possible I want to generate traffic that makes use of a domain trust. Windows Server 2012 R2 - 2019.

Roman
  • This seems like an X-Y question. You don't want to capture traffic; you want to detect if RC4 is in use, to know if it's safe to disable it. It's probably better to *ask* about that. – vidarlo Sep 19 '22 at 19:24

1 Answer

0

Accessing almost any resource should generate Kerberos authentication traffic, assuming you aren't already authenticated. This is one way:

klist purge  
dir \\hostfqdn\share

Where this could be problematic is if the trust is not enabled for AES encryption. There is a checkbox for that on the trust properties.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

Also note it is possible to enable/disable etypes on user and computer objects.

Greg Askew
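Added example, not part of the original answer: a PowerShell helper that reads the ticket cache produced by the commands above and reports the encryption type of each ticket, marking referral tickets issued across a trust. The function name `Get-KerberosTicketEtype` is hypothetical, the sample realms and user are constructed, and the parser assumes the field labels printed by `klist` on an English-language Windows system.

```powershell
function Get-KerberosTicketEtype {
    param(
        # Lines of `klist` output; defaults to the live cache of the current logon session.
        [string[]]$KlistOutput = (klist)
    )
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s+(.+?)\s*$') {
            # "#N>" starts a new cached ticket.
            $current = [pscustomobject]@{ Client = $Matches[1]; Server = ''; TicketEtype = ''; SessionKeyEtype = '' }
            $tickets += $current
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^\s*Server:\s+(.+?)\s*$') { $current.Server = $Matches[1] }
        elseif ($line -match '^\s*KerbTicket Encryption Type:\s+(.+?)\s*$') { $current.TicketEtype = $Matches[1] }
        elseif ($line -match '^\s*Session Key Type:\s+(.+?)\s*$') { $current.SessionKeyEtype = $Matches[1] }
    }
    foreach ($t in $tickets) {
        # A referral ticket across a trust is krbtgt/<target realm> @ <issuing realm> with two different realms.
        $isReferral = ($t.Server -match '^krbtgt/(\S+)\s*@\s*(\S+)$') -and ($Matches[1] -ne $Matches[2])
        [pscustomobject]@{
            Server          = $t.Server
            TicketEtype     = $t.TicketEtype
            SessionKeyEtype = $t.SessionKeyEtype
            TrustReferral   = $isReferral
            # Anything that is not AES (RC4, DES, or a field that failed to parse) needs a look.
            NonAes          = ($t.TicketEtype -notmatch '^AES') -or ($t.SessionKeyEtype -notmatch '^AES')
        }
    }
}

# Constructed, trimmed sample of klist output (realm and user names are made up).
$sample = @'
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/PARTNER.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
#1>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
'@ -split '\r?\n'

Get-KerberosTicketEtype -KlistOutput $sample | Format-Table -AutoSize
```

Called with no arguments after the `klist purge` and `dir` commands, the function reads the live ticket cache instead of the sample. A row with both `TrustReferral` and `NonAes` set is a referral ticket across the trust that was issued with something other than AES.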