Add LDAP and RDP TLS peer cert tracing via CertificateTrace (Phase 2)#21607
Add LDAP and RDP TLS peer cert tracing via CertificateTrace (Phase 2)#21607Pushpenderrathore wants to merge 7 commits into
Conversation
Introduces Msf::Exploit::Remote::SslPeerCertTrace with an SSLPeerCertTrace enum datastore option (off/metadata/full). HttpClient includes the mixin and calls ssl_peer_cert_trace after each send_recv; the helper reads conn.peer_cert, deduplicates per host:port, and formats the server certificate through the existing CertificateTracePresenter.
Removes the standalone SSLPeerCertTrace mixin and SSLPeerCertTrace datastore option. Peer SSL certificate tracing now lives in CertificateTrace as #certificate_peer_cert_trace, reusing the existing CertificateTrace enum and CertificateTraceColors option so all cert output (issued, CSR, peer) is controlled by a single operator-facing option. Deduplication now uses the database when active (ssl.peer_cert_seen note per host:port, update: :unique) so the same server certificate is not reprinted across module runs. Falls back to in-memory dedup when no DB is connected. HttpClient is updated to include CertificateTrace instead of SslPeerCertTrace and calls certificate_peer_cert_trace after send_recv. The ssl_peer_cert_trace mixin file and its spec are removed; the 20 new peer cert examples are added to certificate_trace_spec.rb (46 examples, 0 failures).
Includes CertificateTrace in Exploit::Remote::LDAP so LDAP over TLS connections surface the server certificate through the same CertificateTrace option and CertificateTraceColors that HTTP uses. No new operator-facing option is introduced. ldap_open is updated for both paths: - keep_open: false (Rex::Proto::LDAP::Client.open) -- wraps the caller block and reads peer_cert from the @open_connection socket before yielding to the caller. - keep_open: true (Rex::Proto::LDAP::Client._open) -- reads peer_cert from ldap.socket after the connection is established and returned. A private _ldap_trace_peer_cert helper centralises the socket guard and the certificate_peer_cert_trace call so both paths share the same nil-safe check. Plain LDAP connections (no TLS, no peer_cert) are silently ignored. Dedup and DB recording are handled by certificate_peer_cert_trace in the CertificateTrace mixin. Spec: 14 examples (7 new for peer cert tracing), 0 failures.
Includes CertificateTrace in Exploit::Remote::RDP so the server TLS certificate is surfaced when an operator sets CertificateTrace to metadata or full. The hook is in swap_sock_plain_to_ssl, immediately after ssl.connect succeeds -- the OpenSSL socket has a valid peer_cert at that point and before it is wrapped into the Rex SslTcp layer. No new operator-facing option is introduced; RDP re-uses the same CertificateTrace enum as HTTP and LDAP. A nil peer_cert (e.g. when the server sends no certificate) is a silent no-op. Spec: 3 new examples covering TLS cert printed, off mode silent, and nil peer_cert silent.
|
Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected. We've added the |
Live lab validation against Windows Server 2022 AD CS DC (192.168.64.3)LDAPS port 636 -- metadata modeLDAPS port 636 -- full mode (shows AD CS template, SAN, EKU, extensions)RDP port 3389RDP produces a self-signed cert (Windows default) -- Subject equals Issuer, 6-month validity. Correctly identified as self-signed with no chain. Dedup (cross-run, DB-backed)Second run of the same module against the same host:port with NotesThe |
LoginScanner::LDAP includes Exploit::Remote::LDAP so it calls _ldap_trace_peer_cert via ldap_open. LoginScanner does not have datastore, so calling rhost (which calls datastore['RHOST']) raises NoMethodError, caught as UNABLE_TO_CONNECT in the scanner. Guard with certificate_trace_enabled? at the top so we return before evaluating rhost/rport when tracing is unavailable.
CI fix: LoginScanner::LDAP rspec failuresThe Root cause: Fix: Add |
certificate_trace already tested the invalid-cert no-raise case; add the same coverage for certificate_peer_cert_trace.
Summary
Extends
CertificateTracepeer cert tracing (introduced in #21599) to LDAP over TLS and RDP. No new operator-facing option -- operators use the existingCertificateTraceenum (off/metadata/full).LDAP (
Exploit::Remote::LDAP):CertificateTraceldap_openwraps both connection paths (keep_open: falseviaRex::Proto::LDAP::Client.open;keep_open: trueviaClient._open) to read the server cert from the socket after the TLS handshake_ldap_trace_peer_certhelper guards against non-TLS (plain LDAP) connections silentlyRDP (
Exploit::Remote::RDP):CertificateTraceswap_sock_plain_to_sslcallscertificate_peer_cert_traceimmediately afterssl.connectwhile the rawOpenSSL::SSL::SSLSocketis still in scopeDedup, color, and DB recording are delegated to
#certificate_peer_cert_traceinCertificateTrace(the same logic as HTTP).Test plan
bundle exec rspec spec/lib/msf/core/exploit/remote/ldap_spec.rb-- 21 examples, 0 failures (7 new peer cert examples)bundle exec rspec spec/lib/msf/core/exploit/remote/rdp_spec.rb-- 3 examples, 0 failuresset CertificateTrace metadataand confirm cert prints onceNotes
HttpClient)