
RPC vulns and services reports resources and parents (service only) #21305

Merged: adfoster-r7 merged 3 commits into rapid7:master from sjanusz-r7:db-vulns-and-services-rpc-new-report-approach on May 15, 2026

sjanusz-r7 commented Apr 15, 2026

Closes #21250

This PR adds the reporting of resource for both the db.vulns and db.services RPC calls. It also adds the parents field to the services only.

Tested in Pro, no changes/impact.

Before

db.vulns

no resources

>> rpc.call("db.vulns", {})
=> 
{"vulns"=>
  [{"port"=>389, "proto"=>"tcp", "time"=>1776246155, "host"=>"192.168.112.3", "name"=>"LDAP Login Scanner", "refs"=>""},
   {"port"=>445, "proto"=>"tcp", "time"=>1776246892, "host"=>"10.140.108.118", "name"=>"ESC15", "refs"=>"URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc"},
   {"port"=>389, "proto"=>"tcp", "time"=>1776246437, "host"=>"10.140.108.118", "name"=>"LDAP Login Scanner", "refs"=>""},
   {"port"=>445, "proto"=>"tcp", "time"=>1776246891, "host"=>"10.140.108.118", "name"=>"ESC16_2", "refs"=>""},

db.services

No resources and no parents

>> rpc.call("db.services", {})
=> 
{"services"=>
  [{"host"=>"192.168.112.3", "created_at"=>1776246154, "updated_at"=>1776246154, "port"=>389, "proto"=>"tcp", "state"=>"open", "name"=>"ldap", "info"=>""},
   {"host"=>"10.140.108.118", "created_at"=>1776246437, "updated_at"=>1776246437, "port"=>389, "proto"=>"tcp", "state"=>"open", "name"=>"ldap", "info"=>""},
   {"host"=>"10.140.108.118", "created_at"=>1776246677, "updated_at"=>1776246677, "port"=>445, "proto"=>"tcp", "state"=>"open", "name"=>"icertpassage", "info"=>""},

After

db.vulns

>> rpc.call("db.vulns", {})
=> 
{"vulns"=>
  [{"port"=>389, "proto"=>"tcp", "time"=>1776246155, "host"=>"192.168.112.3", "name"=>"LDAP Login Scanner", "refs"=>"", "resource"=>{}},
   {"port"=>445,
    "proto"=>"tcp",
    "time"=>1776246892,
    "host"=>"10.140.108.118",
    "name"=>"ESC15",
    "refs"=>"URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
    "resource"=>{"ldap_dn"=>"CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local", "template_name"=>"ESC15"}},
   {"port"=>389, "proto"=>"tcp", "time"=>1776246437, "host"=>"10.140.108.118", "name"=>"LDAP Login Scanner", "refs"=>"", "resource"=>{}},
   {"port"=>445,
    "proto"=>"tcp",
    "time"=>1776246891,
    "host"=>"10.140.108.118",
    "name"=>"ESC16_2",
    "refs"=>"",
    "resource"=>{"ldap_dn"=>"CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local", "template_name"=>"Administrator"}},
    ...
  ]
}

db.services

>> rpc.call("db.services", {})
=> 
{"services"=>
   {"host"=>"10.140.108.118",
    "created_at"=>1776246677,
    "updated_at"=>1776246677,
    "port"=>445,
    "proto"=>"tcp",
    "state"=>"open",
    "name"=>"icertpassage",
    "info"=>"",
    "resource"=>{"dcerpc"=>{"pipe"=>"cert"}},
    "parents"=>
     [{"host"=>"10.140.108.118",
       "created_at"=>1776246676,
       "updated_at"=>1776246677,
       "port"=>445,
       "proto"=>"tcp",
       "state"=>"open",
       "name"=>"dcerpc",
       "info"=>"",
       "resource"=>{"smb"=>{"share"=>"IPC$"}},
       "parents"=>[{"host"=>"10.140.108.118", "created_at"=>1776246676, "updated_at"=>1776246676, "port"=>445, "proto"=>"tcp", "state"=>"open", "name"=>"smb", "info"=>"", "resource"=>{}, "parents"=>[]}]}]},

JSON RPC

This also works for JSON RPC:
=> Vulns

      {
        "port": 445,
        "proto": "tcp",
        "time": 1776246892,
        "host": "x",
        "name": "ESC15",
        "refs": "URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
        "resource": {
          "ldap_dn": "CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local",
          "template_name": "ESC15"
        }
      },

=> services

      {
        "host": "x",
        "created_at": 1776246677,
        "updated_at": 1776246677,
        "port": 445,
        "proto": "tcp",
        "state": "open",
        "name": "icertpassage",
        "info": "",
        "resource": {
          "dcerpc": {
            "pipe": "cert"
          }
        },
        "parents": [
          {
            "host": "x",
            "created_at": 1776246676,
            "updated_at": 1776246677,
            "port": 445,
            "proto": "tcp",
            "state": "open",
            "name": "dcerpc",
            "info": "",
            "resource": {
              "smb": {
                "share": "IPC$"
              }
            },
            "parents": [
              {
                "host": "x",
                "created_at": 1776246676,
                "updated_at": 1776246676,
                "port": 445,
                "proto": "tcp",
                "state": "open",
                "name": "smb",
                "info": "",
                "resource": {},
                "parents": []
              }
            ]
          }
        ]
      },

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Use the ldap_login, smb_login, ldap_esc_vulnerable_cert_finder modules against the persistent Pro ADCS VM
  • Start RPC server using load msgrpc
  • Connect to RPC server
  • Call rpc.call("db.services", {})
  • Call rpc.call("db.vulns", {})
  • Confirm the resources field is present for vulns
  • Confirm the resources and parents fields are present for services
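
Added example, not part of the pull request or of Metasploit's code: a consumer-side walk of the recursive parents field that db.services now returns, turning each service into its root-to-leaf chain. SAMPLE is constructed from the output shown above; MAX_DEPTH, service_chains and describe are hypothetical names, and the handling of an entry without a "name" is an assumption about malformed or truncated data.

```ruby
# SAMPLE is constructed from the db.services output in the PR description.
SAMPLE = {
  "services" => [
    { "host" => "10.140.108.118", "port" => 445, "proto" => "tcp", "name" => "icertpassage",
      "resource" => { "dcerpc" => { "pipe" => "cert" } },
      "parents" => [
        { "host" => "10.140.108.118", "port" => 445, "proto" => "tcp", "name" => "dcerpc",
          "resource" => { "smb" => { "share" => "IPC$" } },
          "parents" => [
            { "host" => "10.140.108.118", "port" => 445, "proto" => "tcp", "name" => "smb",
              "resource" => {}, "parents" => [] }
          ] }
      ] }
  ]
}.freeze

MAX_DEPTH = 10 # hypothetical client-side cap, independent of any server-side limit

# Returns every root-to-leaf chain for one service as arrays of [name, resource]
# pairs. "parents" is an array, so a service may yield more than one chain.
def service_chains(service, depth = 0)
  raise ArgumentError, "parent chain deeper than #{MAX_DEPTH}" if depth >= MAX_DEPTH

  # Assumption: an entry without a "name" is malformed or truncated data;
  # keep it visible in the chain instead of crashing or silently dropping it.
  return [[["<unknown>", {}]]] unless service.is_a?(Hash) && service["name"]

  node = [service["name"], service["resource"] || {}]
  parents = service["parents"] || [] # field is absent on servers without this change
  return [[node]] if parents.empty?

  parents.flat_map { |p| service_chains(p, depth + 1).map { |chain| chain + [node] } }
end

# One line per chain, e.g. "host:port/proto smb > dcerpc > icertpassage".
def describe(service)
  service_chains(service).map do |chain|
    "#{service['host']}:#{service['port']}/#{service['proto']} " + chain.map(&:first).join(" > ")
  end
end

SAMPLE["services"].each { |svc| puts describe(svc) } if $PROGRAM_NAME == __FILE__
```

The client-side depth cap means a cyclic or unexpectedly deep parents structure fails loudly instead of recursing without bound.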


Copilot AI left a comment


Pull request overview

Adds richer reporting metadata to the RPC database endpoints to align with updated service/vulnerability reporting, specifically exposing resource data and service parent relationships to RPC consumers.

Changes:

  • db.services: refactors service serialization into a helper and adds resource + recursive parents.
  • db.vulns: adds resource to each returned vulnerability.

@sjanusz-r7 sjanusz-r7 force-pushed the db-vulns-and-services-rpc-new-report-approach branch from 73697ef to c07df96 Compare April 28, 2026 16:33
Comment thread lib/msf/core/rpc/v10/rpc_db.rb Outdated
# @param recursion_count [Integer] Current recursion iteration count
# @return [Hash] Serialized service data.
def process_service(mdm_service, recursion_count = 0)
return { error: :recursion_limit_reached } unless recursion_count >= 0 && recursion_count < 6
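Review bot: the depth limit in the guard of process_service is a bare literal ("recursion_count < 6"), and the @param and @return docs above it do not mention the limit or the { error: :recursion_limit_reached } value returned when it is hit. Suggest a named constant for the limit and a line in the @return doc covering the error case, so RPC consumers know a parents entry can be an error hash rather than a serialized service.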
Can we bump this to 10, and raise an exception here for the depth issue instead? 👀

Not a blocker, I believe we can avoid the n+1 query issues here with a native SQL query

@sjanusz-r7 sjanusz-r7 force-pushed the db-vulns-and-services-rpc-new-report-approach branch from fe848ad to b327f29 Compare May 15, 2026 10:35
@github-project-automation github-project-automation Bot moved this from Todo to In Progress in Metasploit Kanban May 15, 2026
@adfoster-r7 adfoster-r7 merged commit 2c07ad3 into rapid7:master May 15, 2026
46 of 47 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban May 15, 2026
@sjanusz-r7 sjanusz-r7 added the rn-enhancement release notes enhancement label May 15, 2026

sjanusz-r7 commented May 15, 2026

Release Notes

Updates the services RPC endpoint to additionally report the resource and parent services fields.


Linked issue: Update the db.vulns and db.services RPC endpoints to align with the new way to report vulnerabilities and services
