Add kerberos plugin #1933
ikelos
left a comment
Thanks very much for your submission, this looks like a really interesting plugin! In general there's a lot of good stuff in here and the style is pretty good. The main issues were:
- Mass exception catching
- Lots of singleton cases that won't work with a long lived framework
- Direct file open which won't work for a web interface, for example
And some suggestions for simple enhancements:
- Make dumping tickets a flag, rather than a separate plugin
- Output datetime.datetimes and then implement a small timeliner interface to get cheap timeliner support
- See if there's already existing code for finding the lsass process
| kerberos_symbol_table, proc_layer_name, offset=kerberos_base | ||
| ) | ||
|
|
||
| def _find_lsass_proc( |
There may already be code to locate the lsass plugin, it might be worth looking through lsadump or hashdump to see if they expose that functionality? If you can avoid duplicating code that may already exist, it makes it easier to only have to fix issues in a single place.
There was a problem hiding this comment.
I was not able to find the code in other plugins, so I keep it like that.
be1012c to
8a80739
Thank you very much for your review, we applied all the modifications you requested, which really improved the code!!! I will also try to implement the timeliner interface in the next commit.
We added the timeliner interface for the kerberos.Ticket plugin.
Hello Volatility team,
We are pleased to propose a plugin that is able to list Kerberos sessions and parse and dump Kerberos tickets from a Windows memory dump.
This plugin will facilitate tracking golden/silver ticket attempts and user tracking by listing service tickets in the cache.
Thanks for considering my contribution.
Have a nice day