Add CertificateTrace support to LDAP Schannel authentication #21469
Draft
Pushpenderrathore wants to merge 2 commits into
Introduces an opt-in certificate trace facility for Kerberos PKINIT authentication. Operators enable it via the CertificateTrace advanced option (off / metadata / full / csr); when active, the client certificate submitted to the KDC during send_request_tgt_pkinit is rendered through CertificateTracePresenter and printed by the module instance. The presenter is a pure string builder. The dispatcher (certificate_trace in kerberos/client.rb) selects the verbosity, builds the string, and calls print_line on the including module. Tracing is nil-safe at every layer: bad PKCS12 input yields nil from the presenter and the dispatcher no-ops.
Extends the CertificateTrace facility (introduced in the cert presenter PR) to the LDAP Schannel auth path. Operators enable it via the CertificateTrace advanced option (off / metadata / full), gated on LDAP::Auth == SCHANNEL. When LDAP::CertFile loads a PKCS12 inside get_connect_opts, the certificate is rendered through CertificateTracePresenter and printed by the module instance before the LDAP bind. The nil-pfx guard is exercised by spec so the CertFile-not-set path is not dead code.
Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected. We've added the |
Summary

Follow-up to #21198. Extends the CertificateTrace facility (introduced there for PKINIT) to the LDAP Schannel authentication path so operators can inspect the client certificate used for an LDAPS bind.

When LDAP::Auth=SCHANNEL and LDAP::CertFile points at a PKCS12, the certificate is rendered through CertificateTracePresenter and printed by the module instance before the LDAP bind. Verbosity is controlled by the existing CertificateTrace advanced option (off / metadata / full).

Two files changed:

lib/msf/core/exploit/remote/ldap.rb wires the dispatcher into get_connect_opts, with a nil-pfx guard for the CertFile-not-set path.
spec/lib/msf/core/exploit/remote/ldap_spec.rb: 7 new examples covering both the cert-loaded and no-cert paths so the guard is not dead code in CI.

Dependency

Stacked on #21198. Draft until that lands; the CertificateTracePresenter commit shown in the diff here is the same one under review there and will collapse out once #21198 merges into master.

Verification

Run the LDAP spec (no DB required):

    BUNDLER_VERSION=4.0.9 SPEC_HELPER_LOAD_METASPLOIT=false bundle exec rspec \
      spec/lib/msf/core/exploit/remote/ldap_spec.rb \
      --format documentation

Expected: 16 examples, 0 failures (9 pre-existing + 7 new for the cert trace paths).

Rubocop on the changed lib file:

    bundle exec rubocop lib/msf/core/exploit/remote/ldap.rb

Expected: clean on lines I touched.

Test plan

ldap.rb
LDAP::Auth=SCHANNEL, LDAP::CertFile=<path to PKCS12>, CertificateTrace=full: observe the certificate dump in module output before the LDAP bind
LDAP::CertFile unset, confirm the trace path is skipped silently (nil-pfx guard)
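
The nil-safe, verbosity-gated rendering described in this PR can be sketched as follows. This is an added example, not code from the pull request or from Metasploit: `load_pkcs12`, `render_cert_trace` and `constructed_pkcs12` are hypothetical names, the certificate is a constructed throwaway, and the assumption is that `full` appends the PEM certificate while the private key is never printed.

```ruby
require 'openssl'

# Hypothetical helpers for illustration; not Metasploit's CertificateTracePresenter.

# Parse PKCS12 bytes; any unusable input becomes nil instead of an exception.
def load_pkcs12(bytes, password)
  return nil if bytes.nil? || bytes.empty?
  OpenSSL::PKCS12.new(bytes, password)
rescue OpenSSL::OpenSSLError, ArgumentError, TypeError
  nil
end

# Pure string builder: returns the trace text, or nil when there is nothing to print.
def render_cert_trace(pkcs12, level)
  cert = pkcs12&.certificate
  return nil if cert.nil?
  lines = [
    "Subject:    #{cert.subject}",
    "Issuer:     #{cert.issuer}",
    "Serial:     #{cert.serial}",
    "Not before: #{cert.not_before.utc}",
    "Not after:  #{cert.not_after.utc}",
    "SHA-256:    #{OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)}"
  ]
  case level.to_s.downcase
  when 'metadata' then lines.join("\n")
  # Assumption: "full" adds the PEM certificate. The private key is never rendered.
  when 'full' then (lines << cert.to_pem).join("\n")
  end # 'off' or an unknown level falls through to nil
end

# Constructed sample input: a throwaway self-signed certificate in a PKCS12.
def constructed_pkcs12(password)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 4096
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=trace-demo.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'demo', key, cert).to_der
end

if __FILE__ == $PROGRAM_NAME
  trace = render_cert_trace(load_pkcs12(constructed_pkcs12('constructed'), 'constructed'), 'metadata')
  puts trace unless trace.nil? # the caller no-ops on nil
end
```

Because the renderer returns a string or nil and does no I/O, a spec can assert on both the cert-loaded and no-cert paths without a live LDAP server.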