Propagate KERB-SUPERSEDED-BY-USER error details

zeroSteiner · zeroSteiner · commit 09c313003ba2 · 2025-05-28T17:57:01.000-04:00
diff --git a/lib/rex/proto/kerberos/model/error.rb b/lib/rex/proto/kerberos/model/error.rb
@@ -171,6 +171,16 @@ def message_for(error_code)
                 now = Time.now
                 skew = (res.stime - now).abs.to_i
                 return "#{error_code}. Local time: #{now}, Server time: #{res.stime}, off by #{skew} seconds"
+              elsif error_code == ErrorCodes::KDC_ERR_CLIENT_REVOKED && res&.respond_to?(:e_data) && res.e_data.present?
+                begin
+                  pa_datas = res.e_data_as_pa_data
+                rescue OpenSSL::ASN1::ASN1Error
+                else
+                  superseded_pa_data = pa_datas.find { |pa_data| pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER }
+                  if superseded_pa_data
+                    error_code = "#{error_code}. This account has been superseded by #{superseded_pa_data.decoded_value}."
+                  end
+                end
               end
 
               "Kerberos Error - #{error_code}"
diff --git a/lib/rex/proto/kerberos/model/kerb_superseded_by_user.rb b/lib/rex/proto/kerberos/model/kerb_superseded_by_user.rb
@@ -16,6 +16,10 @@ def ==(other)
             realm == other.realm && principal_name == other.principal_name
           end
 
+          def to_s
+            "#{principal_name}@#{realm}"
+          end
+
           def decode(input)
             case input
             when String
