Rpc creds reports domain#21285

Open
sjanusz-r7 wants to merge 1 commit into rapid7:master from sjanusz-r7:rpc-creds-reports-domain
Conversation

@sjanusz-r7 sjanusz-r7 commented Apr 13, 2026

Closes #21241
The rpc creds command now returns the credential's realm key and value.

Before

=> missing domain

>> rpc.call("db.creds", {})
=> {"creds"=>[{"user"=>"sandy", "pass"=>"vagrant", "updated_at"=>1775812690, "type"=>"Metasploit::Credential::Password", "host"=>"x", "port"=>389, "proto"=>"tcp", "sname"=>"ldap"}]}

After

{"creds"=>
  [{"user"=>"sandy",
    "pass"=>"vagrant",
    "updated_at"=>1775812690,
    "type"=>"Metasploit::Credential::Password",
    "host"=>"x",
    "port"=>389,
    "proto"=>"tcp",
    "sname"=>"ldap",
    "realm_key"=>"Active Directory Domain",
    "realm_value"=>"ad.pro.local"}]}

Verification

You can load the RPC plugin in msfconsole using load msgrpc.
Connect to RPC by calling bundle exec ./msfrpc -- -U msf -P PASSWORD_HERE -a 127.0.0.1 -S -p 55552

  • Start msfconsole
  • load msgrpc
  • add a credential over rpc, for example:
  opts = {
    origin_type: :service,
    address: '192.168.1.100',
    port: 445,
    service_name: 'smb',
    protocol: 'tcp',
    module_fullname: 'auxiliary/scanner/smb/smb_login',
    workspace_id: 1,
    private_data: 'password1',
    private_type: :password,
    username: 'Administrator',
    realm_key: 'Active Directory Domain',
    realm_value: 'ad.pro.local'
  }

  rpc.call('db.create_credential', opts)
  • Verify creds outputs the domain:
Credentials
===========

id  host           origin         service        public         private    realm         private_type  JtR Format  cracked_password
--  ----           ------         -------        ------         -------    -----         ------------  ----------  ----------------
81  192.168.1.100  192.168.1.100  445/tcp (smb)  Administrator  password1  ad.pro.local  Password
  • Verify the rpc creds command returns the realm key and value:
>> rpc.call("db.creds", {})
=> 
{"creds"=>
  [{"user"=>"Administrator",
    "pass"=>"password1",
    "updated_at"=>1777374262,
    "type"=>"Metasploit::Credential::Password",
    "host"=>"",
    "port"=>0,
    "proto"=>"",
    "sname"=>"",
    "realm_key"=>"Active Directory Domain",
    "realm_value"=>"ad.pro.local"}]}
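Client-side handling of the new response shape, as an added example that is not part of this PR or of metasploit-framework. The Realm/Core structs, the sample responses and the `DOMAIN\user` rendering are this example's own constructed stand-ins and choices; only the field names and the `Active Directory Domain` realm key come from the output above. It covers the three cases an RPC client will meet: a server that predates this change (no realm_* keys at all), a server with the change but a credential that has no realm (keys present, nil), and a credential with a realm.

```ruby
# Added example (not code from this PR or from metasploit-framework): models the
# db.creds response shape and shows how an RPC client should consume it.
# Realm, Core and the sample responses below are constructed stand-ins.

# Stand-ins for Metasploit::Credential::Realm / ::Core, reduced to the fields
# that matter here (assumption: nothing else is needed for this example).
Realm = Struct.new(:key, :value)
Core  = Struct.new(:public, :private, :realm)

# Realm key used for AD domains, as shown in the PR output.
AD_DOMAIN_KEY = 'Active Directory Domain'.freeze

# Server side: build one db.creds entry. Mirrors the `cred.realm.try(:key)`
# style used in the PR: the keys are always present and nil when no realm exists.
def creds_entry(core)
  {
    'user'        => core.public,
    'pass'        => core.private,
    'type'        => 'Metasploit::Credential::Password',
    'realm_key'   => core.realm&.key,
    'realm_value' => core.realm&.value
  }
end

# Client side: render one entry as a login principal. Handles three cases:
#   - server predates this change: no realm_* keys at all
#   - server has the change but the cred has no realm: keys present, nil
#   - cred has an AD realm: DOMAIN\user; any other realm key is shown verbatim
def principal_for(entry)
  user  = entry.fetch('user')
  key   = entry['realm_key']
  value = entry['realm_value']
  return user if value.nil? || value.to_s.strip.empty?

  key == AD_DOMAIN_KEY ? "#{value}\\#{user}" : "#{user} (#{key}: #{value})"
end

# Group a whole db.creds response by realm value so a tester can see which
# domain each credential belongs to; :none collects realm-less creds.
def creds_by_realm(response)
  response.fetch('creds', [])
          .group_by { |e| e['realm_value'] || :none }
          .transform_values { |entries| entries.map { |e| principal_for(e) } }
end

# Constructed sample: what a post-change server returns for three creds.
SAMPLE_RESPONSE = {
  'creds' => [
    creds_entry(Core.new('Administrator', 'password1', Realm.new(AD_DOMAIN_KEY, 'ad.pro.local'))),
    creds_entry(Core.new('sandy', 'vagrant', Realm.new(AD_DOMAIN_KEY, 'ad.pro.local'))),
    creds_entry(Core.new('root', 'toor', nil))
  ]
}.freeze

# Constructed sample: the same creds as a pre-change server would report them
# (no realm_key / realm_value keys at all).
LEGACY_RESPONSE = {
  'creds' => SAMPLE_RESPONSE['creds'].map { |e| e.reject { |k, _| k.start_with?('realm_') } }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p creds_by_realm(SAMPLE_RESPONSE)
  # {"ad.pro.local"=>["ad.pro.local\\Administrator", "ad.pro.local\\sandy"], :none=>["root"]}
  p creds_by_realm(LEGACY_RESPONSE)
  # {:none=>["Administrator", "sandy", "root"]}
end
```

The point of `principal_for` is that a consumer must not treat a missing key and a nil value differently by accident: both mean "no realm known", and only a non-empty `realm_value` should change how the credential is displayed or replayed.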

@github-actions

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.

@sjanusz-r7
Contributor Author

ICPR errors in tests:

      Failure/Error: host: icpr.tree.client.dispatcher.tcp_socket.peerhost,
        #<Double "icpr"> received unexpected message :tree with (no args)

I don't think they're related, but I might be wrong.

Contributor

Copilot AI left a comment

Pull request overview

This PR updates LDAP and SMB login scanners to persist the provided domain as a credential “realm”, and exposes that realm information via the db.creds RPC endpoint.

Changes:

  • SMB login credential reporting now includes realm_key/realm_value when a domain/realm is present.
  • LDAP login now uses LDAPDomain consistently for credential realm and sets the realm key when a domain is provided.
  • rpc.call('db.creds', ...) responses now include realm_key and realm_value fields.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
modules/auxiliary/scanner/smb/smb_login.rb Persist SMB credential realm (domain) into reported credentials.
modules/auxiliary/scanner/ldap/ldap_login.rb Use LDAPDomain as the credential realm and set realm key when present.
lib/msf/core/rpc/v10/rpc_db.rb Add realm fields to the db.creds RPC response.

Comment thread lib/msf/core/rpc/v10/rpc_db.rb Outdated
@sjanusz-r7 sjanusz-r7 force-pushed the rpc-creds-reports-domain branch 2 times, most recently from 15280ea to 495385f Compare April 15, 2026 14:21
:proto => proto,
:sname => sname
:sname => sname,
:realm_key => cred.realm.try(:key),
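Review bot: with `cred.realm.try(:key)` the new field is always present in each db.creds entry and is nil when the credential has no realm, rather than being omitted; state that where the db.creds response is documented, so RPC clients can tell "no realm" from an older server that never emits the key. Keeping the flat realm_key/realm_value pair is consistent with how rpc_create_credential already accepts realm_key and realm_value, so a nested realm hash would make the two endpoints asymmetric.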
Contributor

What are your thoughts on:

realm = cred.realm ? { key: cred.realm.key, value: cred.realm.value } : nil

...

ret[:creds] << {
  ...,
  :realm => realm
}

Contributor Author

This approach is consistent with the rpc_create_credential method here:

realm_value: core.realm.try(:value),

I can change it though if we'd prefer 👍

@smcintyre-r7 smcintyre-r7 linked an issue Apr 17, 2026 that may be closed by this pull request
}

realm_key = nil
realm_key = datastore['LDAPDomain'].present? ? Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN : nil
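Review bot: realm_key is now derived solely from whether the operator supplied LDAPDomain (`datastore['LDAPDomain'].present?`), not from what the target actually authenticated against, so a wrong or mistyped LDAPDomain is persisted as the credential's Active Directory realm. The removed `realm_key = nil` left the realm blank in that case, which is safer than recording an unverified domain; either keep it nil or set the key only when the login result confirms the domain.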
Contributor

I think we want this change reverted. This is a side by side comparison of the new behavior on the left and the old behavior on the right.

[Image: side-by-side comparison, new behavior on the left, old behavior on the right]

We can see that the Server 2019 domain controller authenticates with NTLM and AUTO (which is NTLM IIRC) but not plaintext. In both cases, it logs the incorrect domain, when it should be either MSFLAB or msflab.local. The old behavior leaves the domain blank, which is probably better than logging an incorrect value.

@sjanusz-r7 sjanusz-r7 force-pushed the rpc-creds-reports-domain branch from 495385f to b91d6a5 Compare April 28, 2026 10:31
Development

Successfully merging this pull request may close these issues.

Add real/domain support to the db.creds RPC enpoint

4 participants