KerberosTicketTrace: Add centralized Kerberos tracing with metadata/full modes + module integration#21152
Open
Pushpenderrathore wants to merge 10 commits intorapid7:masterfrom
Open
KerberosTicketTrace: Add centralized Kerberos tracing with metadata/full modes + module integration#21152Pushpenderrathore wants to merge 10 commits intorapid7:masterfrom
Pushpenderrathore wants to merge 10 commits intorapid7:masterfrom
Conversation
|
Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected. We've added the |
Pushpenderrathore
force-pushed
the
master
branch
2 times, most recently
from
14f68f5 to
fb7a910
Compare
Author
|
The flagged content was part of an accidentally committed archive file (project_dump.zip), which has now been removed from the repository history. No secrets are present in the current codebase. |
Author
|
This PR introduces a centralized Kerberos tracing system with metadata and full verbosity modes. Certificate tracing will be submitted as a follow-up PR. |
…cate trace support
Pushpenderrathore
force-pushed
the
master
branch
from
fb7a910 to
8d8337a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces a centralized Kerberos tracing mechanism for the Metasploit Framework, allowing operators to inspect Kerberos ticket metadata inline during module execution.
The implementation follows the existing HttpTrace design pattern and introduces two verbosity levels:
metadata→ principal, realm, encryption typefull→ includes timestamps and flags (when decrypted)This improves visibility into Kerberos authentication flows without requiring external tools.
What This Change Does
Adds a new trace class:
lib/msf/core/trace/kerberos_ticket_trace.rbAdds centralized dispatcher in Kerberos client:
kerberos_trace_enabled?kerberos_trace()Registers new advanced option:
KerberosTrace(off,metadata,full)Integrates tracing into:
Adds module-level integration:
auxiliary/gather/kerberos_enumusersauxiliary/scanner/kerberos/kerberos_loginEnsures:
Verification
Steps to verify the feature works correctly:
msfconsoleuse auxiliary/gather/kerberos_enumusersset RHOSTS <target-ip>set DOMAIN <domain>set USER_FILE users.txtset PASSWORD testset KerberosTrace metadatarun[KerberosTrace] ----------------------------------------- Principal : DOMAIN / username Enc Type : <etype>KerberosTrace fullrunTesting
IRB validation completed
Basic RSpec test added for KerberosTicketTrace
Verified across:
Notes
Motivation
Modern Active Directory environments heavily rely on Kerberos authentication. Providing inline visibility into ticket metadata improves debugging, reduces reliance on external tooling, and aligns with Metasploit’s goal of maintaining a seamless exploitation workflow.