
Process and propagate KERB-SUPERSEDED-BY-USER error details #20264


Open
wants to merge 3 commits into
base: master

Conversation

zeroSteiner
Contributor

While starting to look into the BadSuccessor attack it became apparent that Metasploit could benefit from processing the KERB-SUPERSEDED-BY-USER structure included in Kerberos error messages. This would be the case after an account has completed the migration process. FWIW, the error details also appear to be included even if the password is invalid so an attacker can identify an account has been migrated without knowing its password.

Related to but does not complete #20217

Verification

  • Set up a Server 2025 DC (for the full attack, 2025 is required)
  • Use this PowerShell code to create a new key and set up accounts to do the migration; update msflab.local / DC=msflab,DC=local to the desired domain:

```powershell
# Create a KDS root key, backdated so it is usable immediately
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
# The legacy service account that will be superseded by the dMSA
New-ADUser -Name "svc_sql" -SamAccountName "svc_sql" -UserPrincipalName "svc_sql@msflab.local" -AccountPassword (ConvertTo-SecureString "Password1!" -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true

# Create the delegated managed service account (dMSA)
$params = @{
 Name = "dMSA"
 DNSHostName = "DMSA"
 CreateDelegatedServiceAccount = $true
 KerberosEncryptionType = "AES256"
}
New-ADServiceAccount @params

# Inspect the migration state attribute
$params = @{
 Identity = "dMSA"
 Properties = "msDS-DelegatedMSAState"
}
Get-ADServiceAccount @params

# Start the migration from svc_sql to the dMSA
$params = @{
 Identity = "dMSA"
 SupersededAccount = "CN=svc_sql,CN=Users,DC=msflab,DC=local"
}
Start-ADServiceAccountMigration @params -Verbose

# Complete the migration; afterwards the KDC reports svc_sql as superseded
$params = @{
 Identity = "dMSA"
 SupersededAccount = "CN=svc_sql,CN=Users,DC=msflab,DC=local"
}
Complete-ADServiceAccountMigration @params
```

  • Run the auxiliary/admin/kerberos/get_ticket module
    • Set the user to the svc_sql account and use the GET_TGT action
    • See that the account was superseded in the error response

Demo

```
msf6 auxiliary(admin/kerberos/get_ticket) > show options 

Module options (auxiliary/admin/kerberos/get_ticket):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   AES_KEY                         no        The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
   CERT_FILE                       no        The PKCS12 (.pfx) certificate file to authenticate with
   CERT_PASSWORD                   no        The certificate file's password
   DOMAIN         msflab.local     no        The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
   NTHASH                          no        The NT hash in hex string. Server must support RC4
   PASSWORD       Password1!       no        The domain user's password
   RHOSTS         192.168.159.10   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          88               yes       The target port
   Timeout        10               yes       The TCP timeout to establish Kerberos connection and read data
   USERNAME       svc_sql          no        The domain user


   When ACTION is GET_TGS:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   IMPERSONATE                   no        The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
   Krb5Ccname                    no        The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked
   SPN                           no        The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local


Auxiliary action:

   Name     Description
   ----     -----------
   GET_TGT  Request a Ticket-Granting-Ticket (TGT)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/kerberos/get_ticket) > run
[*] Running module against 192.168.159.10
[*] 192.168.159.10:88 - Getting TGT for [email protected]
[-] Auxiliary aborted due to failure: unknown: Kerberos Error - KDC_ERR_CLIENT_REVOKED (18) - Clients credentials have been revoked. This account has been superseded by [email protected].
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) > run PASSWORD=roofasd
[*] Running module against 192.168.159.10
[*] 192.168.159.10:88 - Getting TGT for [email protected]
[-] Auxiliary aborted due to failure: unknown: Kerberos Error - KDC_ERR_CLIENT_REVOKED (18) - Clients credentials have been revoked. This account has been superseded by [email protected].
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) >
```
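The following is an added example for this PR page, not the PR's own code and not Metasploit's: a small Ruby decoder for the KERB-ERROR-DATA wrapper carried in a KRB-ERROR e-data field and for the KERB-SUPERSEDED-BY-USER payload the description refers to. It assumes the ASN.1 shapes written in the comments (as this example reads them from MS-KILE). The page does not state the numeric data-type that marks a superseded-by-user payload, so the constructed sample uses a placeholder value (99) and the decoder does not dispatch on it. The module name, function names and the sample principal dMSA$ / MSFLAB.LOCAL are all constructed for the example. It also shows the defensive shape such a parser needs: e-data that decodes to something other than the expected SEQUENCE (for instance a bare INTEGER) yields nil instead of raising.

```ruby
require 'openssl'

# Assumed ASN.1 shapes (this example's reading of MS-KILE, not taken from the PR):
#   KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }
#   KERB-SUPERSEDED-BY-USER ::= SEQUENCE { name [0] PrincipalName, realm [1] Realm }
#   PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
module KerbErrorData
  NT_PRINCIPAL = 1 # RFC 4120 name-type for an ordinary principal

  # Return the element inside the explicitly tagged [tag] member of +seq+,
  # or nil when +seq+ is not a SEQUENCE or the member is absent.
  def self.untag(seq, tag)
    return nil unless seq.is_a?(OpenSSL::ASN1::Sequence)
    member = seq.value.find { |e| e.tag_class == :CONTEXT_SPECIFIC && e.tag == tag }
    return nil unless member && member.value.is_a?(Array)
    member.value.first
  end

  # Decode KERB-ERROR-DATA. Returns nil (never raises) when e-data is some
  # other shape, e.g. a bare INTEGER, as other KDC error types may carry.
  def self.parse_error_data(der)
    root = OpenSSL::ASN1.decode(der)
    data_type = untag(root, 1)
    return nil unless data_type.is_a?(OpenSSL::ASN1::Integer)
    data_value = untag(root, 2)
    {
      data_type: data_type.value.to_i,
      data_value: data_value.is_a?(OpenSSL::ASN1::OctetString) ? data_value.value : nil
    }
  rescue OpenSSL::ASN1::ASN1Error
    nil
  end

  # Decode KERB-SUPERSEDED-BY-USER; nil when the bytes are not that structure.
  def self.parse_superseded_by_user(der)
    root = OpenSSL::ASN1.decode(der)
    principal = untag(root, 0)
    realm = untag(root, 1)
    return nil unless principal.is_a?(OpenSSL::ASN1::Sequence) && realm.is_a?(OpenSSL::ASN1::GeneralString)
    name_type = untag(principal, 0)
    name_strings = untag(principal, 1)
    return nil unless name_type.is_a?(OpenSSL::ASN1::Integer) && name_strings.is_a?(OpenSSL::ASN1::Sequence)
    {
      name_type: name_type.value.to_i,
      name: name_strings.value.map(&:value).join('/'),
      realm: realm.value
    }
  rescue OpenSSL::ASN1::ASN1Error
    nil
  end

  # Produce the human-readable detail in the style of the demo output, or nil.
  def self.describe(edata_der)
    error_data = parse_error_data(edata_der)
    return nil if error_data.nil? || error_data[:data_value].nil?
    info = parse_superseded_by_user(error_data[:data_value])
    return nil if info.nil?
    "This account has been superseded by #{info[:name]}@#{info[:realm]}."
  end

  # --- Encoders, used only to construct sample input for this example ---

  def self.build_superseded_by_user(name, realm, name_type = NT_PRINCIPAL)
    principal_members = [
      OpenSSL::ASN1::Integer.new(name_type, 0, :EXPLICIT, :CONTEXT_SPECIFIC),
      OpenSSL::ASN1::Sequence.new(name.split('/').map { |c| OpenSSL::ASN1::GeneralString.new(c) },
                                  1, :EXPLICIT, :CONTEXT_SPECIFIC)
    ]
    OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Sequence.new(principal_members, 0, :EXPLICIT, :CONTEXT_SPECIFIC),
      OpenSSL::ASN1::GeneralString.new(realm, 1, :EXPLICIT, :CONTEXT_SPECIFIC)
    ]).to_der
  end

  def self.build_error_data(data_type, data_value)
    OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Integer.new(data_type, 1, :EXPLICIT, :CONTEXT_SPECIFIC),
      OpenSSL::ASN1::OctetString.new(data_value, 2, :EXPLICIT, :CONTEXT_SPECIFIC)
    ]).to_der
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: placeholder data-type 99, dMSA$ in realm MSFLAB.LOCAL
  sample = KerbErrorData.build_error_data(99, KerbErrorData.build_superseded_by_user('dMSA$', 'MSFLAB.LOCAL'))
  puts KerbErrorData.describe(sample)
  p KerbErrorData.parse_error_data(OpenSSL::ASN1::Integer.new(18).to_der) # nil, no exception
end
```

Run directly, the script prints the superseded-by message for the constructed sample and then nil for an e-data that is a bare INTEGER; the point of the `untag` helper is that every structural assumption (SEQUENCE, explicit context tag, inner type) is checked before the value is touched, so an unexpected e-data shape degrades to "no extra detail" rather than an exception in the login scanner.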

@adfoster-r7
Contributor

```
Started process with pid 6897
Metasploit::Framework::LoginScanner::Kerberos F

  1) Metasploit::Framework::LoginScanner::Kerberos#attempt_login when the account is locked returns the correct login status
     Failure/Error: input.value[0].value.to_i

     NoMethodError:
       undefined method `[]' for #<OpenSSL::BN:0x00007f8dea439b38>
```

Looks like the tests are failing 👀

@adfoster-r7
Contributor

Maybe one for the tester: verify the kerb enum user and kerberoasting modules work as expected in this scenario
