Merge pull request #20542 from zeroSteiner/fix/smb-kerberos-login-exp

Fix a Kerberos Error Edge Case When Logging In

Author: jheysel-r7

lib/metasploit/framework/login_scanner/kerberos.rb

@@ -78,7 +78,30 @@ def self.login_status_for_kerberos_error(krb_err)
           case error_code
           when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_KEY_EXPIRED, Rex::Proto::Kerberos::Model::Error::ErrorCodes::KRB_AP_ERR_SKEW
             # Correct password, but either password needs resetting or clock is skewed
-            Metasploit::Model::Login::Status::SUCCESSFUL
+            begin
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
+                pw_salt = pa_data_entry.decoded_value
+                if pw_salt.nt_status
+                  case pw_salt.nt_status.value
+                  when ::WindowsError::NTStatus::STATUS_PASSWORD_EXPIRED
+                    # Windows Server 2019 Build 17763 (possibly others) replies with STATUS_PASSWORD_EXPIRED even when the password is incorrect
+                    Metasploit::Model::Login::Status::INCORRECT
+                  else
+                    Metasploit::Model::Login::Status::SUCCESSFUL
+                  end
+                else
+                  Metasploit::Model::Login::Status::SUCCESSFUL
+                end
+              else
+                Metasploit::Model::Login::Status::SUCCESSFUL
+              end
+            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
+              Metasploit::Model::Login::Status::SUCCESSFUL
+            end
           when Rex::Proto::Kerberos::Model::Error::ErrorCodes::KDC_ERR_C_PRINCIPAL_UNKNOWN
             # The username doesn't exist
             Metasploit::Model::Login::Status::INVALID_PUBLIC_PART

modules/auxiliary/scanner/smb/smb_login.rb

@@ -115,7 +115,7 @@ def run_host(ip)
       fail_with(Msf::Exploit::Failure::BadConfig, 'The SMBDomain option is required when using Kerberos authentication.') if datastore['SMBDomain'].blank?
       fail_with(Msf::Exploit::Failure::BadConfig, 'The DomainControllerRhost is required when using Kerberos authentication.') if datastore['DomainControllerRhost'].blank?
 
-      if !datastore['PASSWORD']
+      if datastore['SMBPass'].blank?
         # In case no password has been provided, we assume the user wants to use Kerberos tickets stored in cache
         # Write mode is still enable in case new TGS tickets are retrieved.
         ticket_storage = kerberos_ticket_storage({ read: true, write: true })
@@ -178,7 +178,7 @@ def run_host(ip)
       realm: domain,
       username: datastore['SMBUser'],
       password: datastore['SMBPass'],
-      nil_passwords: datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS && !datastore['PASSWORD']
+      nil_passwords: datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS && datastore['SMBPass'].blank?
     )
     cred_collection = prepend_db_hashes(cred_collection)