errors.go
package session
import (
"fmt"
"strings"
)
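// HandleKerbError classifies an error from a Kerberos login attempt by
// matching substrings of err.Error(). It returns a flag and a short
// human-readable message.
//
// The flag is false for the conditions whose messages end in "Aborting..."
// (KDC unreachable, wrong realm, revoked account while k.SafeMode is set) and
// for any error that matches no pattern, in which case the raw error text is
// returned unchanged. It is true for the per-account outcomes.
// NOTE(review): presumably callers continue on true and stop on false;
// confirm against the call sites.
//
// err must be non-nil: err.Error() is called unconditionally.
//
// NOTE(review): classification relies on the exact message text of the
// underlying error. If that wording changes, the error reaches the final
// return and is reported as (false, raw text).
func (k KerbruteSession) HandleKerbError(err error) (bool, string) {
	eString := err.Error()
	has := func(sub string) bool { return strings.Contains(eString, sub) }

	// Cases are evaluated top to bottom; the first matching substring wins.
	switch {
	// Errors that are not KRB error codes.
	case has("client does not have a username"):
		return true, "Skipping blank username"
	case has("Networking_Error: AS Exchange Error"):
		return false, "NETWORK ERROR - Can't talk to KDC. Aborting..."
	case has(" AS_REP is not valid or client password/keytab incorrect"):
		// The original repeated this check after KDC_ERR_CLIENT_REVOKED; that
		// copy could never run because this one returns first, so it is gone.
		return true, "Got AS-REP (no pre-auth) but couldn't decrypt - bad password"

	// KRB error codes.
	case has("KDC_ERR_WRONG_REALM"):
		return false, "KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting..."
	case has("KDC_ERR_C_PRINCIPAL_UNKNOWN"):
		return true, "User does not exist"
	case has("KDC_ERR_PREAUTH_FAILED"):
		return true, "Invalid password"
	case has("KDC_ERR_CLIENT_REVOKED"):
		// NOTE(review): this code is reported as a lockout, but Active
		// Directory can also return it for disabled or expired accounts, so
		// the message may overstate what happened. With SafeMode set the flag
		// is false, like the other "Aborting..." cases.
		if k.SafeMode {
			return false, "USER LOCKED OUT and safe mode on! Aborting..."
		}
		return true, "USER LOCKED OUT"
	case has("KRB_AP_ERR_SKEW Clock skew too great"):
		return true, "Clock skew too great"
	}

	// Unrecognised error: flag false, raw text handed back.
	return false, eString
}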
// TestLoginError reports whether err is one of the KRB errors that, per the
// original author's reasoning, only occur when the supplied password was
// correct but no TGT could be retrieved.
//
// On a match it returns true and a new error with a fixed message. Otherwise
// it returns false and err unchanged. err must be non-nil: err.Error() is
// called unconditionally.
func (k KerbruteSession) TestLoginError(err error) (bool, error) {
	msg := err.Error()
	switch {
	case strings.Contains(msg, "Password has expired"):
		// The password is expired, but it was the right one.
		return true, fmt.Errorf("User's password has expired")
	case strings.Contains(msg, "Clock skew too great"):
		// The author treats skew as proof that pre-auth succeeded, i.e. the
		// password was accepted.
		return true, fmt.Errorf("Clock skew is too great")
	default:
		return false, err
	}
}