Land rapid7#20264, adds processing of KERB-SUPERSEDED-BY-USER error message

Process and propagate KERB-SUPERSEDED-BY-USER error details

Author: msutovsky-r7

lib/metasploit/framework/login_scanner/kerberos.rb

@@ -87,8 +87,11 @@ def self.login_status_for_kerberos_error(krb_err)
             # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
             # of extra information in the e-data section
             begin
-              pa_data_entry = krb_err.res.e_data_as_pa_data_entry
-              if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
                 pw_salt = pa_data_entry.decoded_value
                 if pw_salt.nt_status
                   case pw_salt.nt_status.value
@@ -107,7 +110,7 @@ def self.login_status_for_kerberos_error(krb_err)
                   Metasploit::Model::Login::Status::DISABLED
                 end
               else
-                  Metasploit::Model::Login::Status::DISABLED
+                Metasploit::Model::Login::Status::DISABLED
               end
             rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
               # Could be a non-MS implementation?

lib/rex/proto/kerberos/model.rb

@@ -51,7 +51,9 @@ module NameType
           NT_UID = 5
         end
 
-        # From padata - https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
+        # See:
+        # * https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#pre-authentication
+        # * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/ae60c948-fda8-45c2-b1d1-a71b484dd1f7
 
         module PreAuthType
           PA_TGS_REQ = 1
@@ -65,6 +67,7 @@ module PreAuthType
           PA_FOR_USER = 129
           PA_SUPPORTED_ETYPES = 165
           PA_PAC_OPTIONS = 167
+          KERB_SUPERSEDED_BY_USER = 170
         end
 
         module AuthorizationDataType

lib/rex/proto/kerberos/model/error.rb

@@ -171,6 +171,19 @@ def message_for(error_code)
                 now = Time.now
                 skew = (res.stime - now).abs.to_i
                 return "#{error_code}. Local time: #{now}, Server time: #{res.stime}, off by #{skew} seconds"
+              elsif error_code == ErrorCodes::KDC_ERR_CLIENT_REVOKED && res&.respond_to?(:e_data) && res.e_data.present?
+                begin
+                  pa_datas = res.e_data_as_pa_data
+                rescue OpenSSL::ASN1::ASN1Error
+                else
+                  pa_data_entry = pa_datas.find do |pa_data|
+                    pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+                  end
+
+                  if pa_data_entry
+                    error_code = "#{error_code}. This account has been superseded by #{pa_data_entry.decoded_value}."
+                  end
+                end
               end
 
               "Kerberos Error - #{error_code}"

lib/rex/proto/kerberos/model/kerb_superseded_by_user.rb

@@ -0,0 +1,85 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        # This class provides a representation of a Kerberos KERB-SUPERSEDED-BY-USER
+        # message as defined in [MS-KILE 2.2.13](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/79170b21-ad15-4a1b-99c4-84b3992d9e70).
+        class KerbSupersededByUser < Element
+
+          attr_accessor :principal_name
+
+          attr_accessor :realm
+
+          def ==(other)
+            realm == other.realm && principal_name == other.principal_name
+          end
+
+          def to_s
+            "#{principal_name}@#{realm}"
+          end
+
+          def decode(input)
+            case input
+            when String
+              decode_string(input)
+            when OpenSSL::ASN1::Sequence
+              decode_asn1(input)
+            else
+              raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, 'Failed to decode KerbSupersededByUser, invalid input'
+            end
+
+            self
+          end
+
+          def encode
+            principal_name_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_principal_name], 1, :CONTEXT_SPECIFIC)
+            realm_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_realm], 2, :CONTEXT_SPECIFIC)
+            seq = OpenSSL::ASN1::Sequence.new([principal_name_asn1, realm_asn1])
+
+            seq.to_der
+          end
+
+          private
+
+          def decode_string(input)
+            asn1 = OpenSSL::ASN1.decode(input)
+
+            decode_asn1(asn1)
+          end
+
+          # Decodes a Rex::Proto::Kerberos::Model::KerbSupersededByUser from an
+          # OpenSSL::ASN1::Sequence
+          #
+          # @param input [OpenSSL::ASN1::Sequence] the input to decode from
+          def decode_asn1(input)
+            seq_values = input.value
+            self.principal_name = decode_principal_name(seq_values[0])
+            self.realm = decode_realm(seq_values[1])
+          end
+
+         def decode_principal_name(input)
+           PrincipalName.decode(input.value[0])
+          end
+
+          # Decodes the realm from an OpenSSL::ASN1::ASN1Data
+          #
+          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
+          # @return [Array<String>]
+          def decode_realm(input)
+            input.value[0].value
+          end
+
+          def encode_principal_name
+            self.principal_name.encode
+          end
+
+          def encode_realm
+            OpenSSL::ASN1::OctetString.new(self.realm)
+          end
+        end
+      end
+    end
+  end
+end

lib/rex/proto/kerberos/model/krb_error.rb

@@ -72,30 +72,24 @@ def encode
             raise ::NotImplementedError, 'KrbError encoding not supported'
           end
 
-          # Decodes the e_data field as an Array<PreAuthDataEntry>
+          # Decodes the e_data field as an Array<PreAuthDataEntry>.
           #
           # @return [Array<Rex::Proto::Kerberos::Model::PreAuthDataEntry>]
           def e_data_as_pa_data
+            return [] unless self.e_data
+
             pre_auth = []
             decoded = OpenSSL::ASN1.decode(self.e_data)
-            decoded.each do |pre_auth_data|
-              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
-            end
-
-            pre_auth
-          end
 
-          # Decodes the e_data field as a PreAuthData
-          #
-          # @return [Rex::Proto::Kerberos::Model::PreAuthData]
-          def e_data_as_pa_data_entry
-            if self.e_data
-              decoded = OpenSSL::ASN1.decode(self.e_data)
-              Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
+            if decoded.first.tag_class == :UNIVERSAL && decoded.first.tag == 16
+              decoded.each do |pre_auth_data|
+                pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
+              end
             else
-              # This is implementation-defined, so may be different in some cases
-              nil
+              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
             end
+
+            pre_auth
           end
 
           private

lib/rex/proto/kerberos/model/pre_auth_data_entry.rb

@@ -76,6 +76,9 @@ def decoded_value
             when Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER
               decoded = OpenSSL::ASN1.decode(self.value)
               PreAuthForUser.decode(decoded)
+            when Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+              decoded = OpenSSL::ASN1.decode(self.value)
+              KerbSupersededByUser.decode(decoded)
             else
               # Unknown type - just ignore for now
             end