Filter for an edge case in response codes

zeroSteiner · zeroSteiner · commit c27138a5bfc6 · 2025-09-12T16:49:49.000-04:00
diff --git a/lib/metasploit/framework/login_scanner/kerberos.rb b/lib/metasploit/framework/login_scanner/kerberos.rb
@@ -78,7 +78,30 @@ def self.login_status_for_kerberos_error(krb_err)
           case error_code
           when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_KEY_EXPIRED, Rex::Proto::Kerberos::Model::Error::ErrorCodes::KRB_AP_ERR_SKEW
             # Correct password, but either password needs resetting or clock is skewed
-            Metasploit::Model::Login::Status::SUCCESSFUL
+            begin
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
+                pw_salt = pa_data_entry.decoded_value
+                if pw_salt.nt_status
+                  case pw_salt.nt_status.value
+                  when ::WindowsError::NTStatus::STATUS_PASSWORD_EXPIRED
+                    # Windows Server 2019 Build 17763 (possibly others) replies with STATUS_PASSWORD_EXPIRED even when the password is incorrect
+                    Metasploit::Model::Login::Status::INCORRECT
+                  else
+                    Metasploit::Model::Login::Status::SUCCESSFUL
+                  end
+                else
+                  Metasploit::Model::Login::Status::SUCCESSFUL
+                end
+              else
+                Metasploit::Model::Login::Status::SUCCESSFUL
+              end
+            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
+              Metasploit::Model::Login::Status::SUCCESSFUL
+            end
           when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_C_PRINCIPAL_UNKNOWN
             # The username doesn't exist
             Metasploit::Model::Login::Status::INVALID_PUBLIC_PART
