Kerberos & Certificate Trace Presenters for Metasploit
GSoC 2026 · mentored by @jheysel-r7 & @zeroSteiner
Welcome to my Google Summer of Code 2026 build log. This page tracks my work on two new inline tracing capabilities for the Metasploit Framework - KerberosTicketTracePresenter and CertificateTracePresenter - that bring HttpTrace-style transparency to Kerberos tickets and X.509 certificates inside msfconsole, so operators no longer need to export .ccache or .pfx artefacts to disk to inspect them.
About the Program
Google Summer of Code
GSoC is a global, online program focused on bringing new contributors into open-source software development. Contributors work with a mentor organisation on a 12+ week programming project, gain real-world experience, and ship production-grade code that lands in tools used by millions.
Metasploit Framework
Metasploit is the leading open-source penetration testing platform, written primarily in Ruby and maintained by Rapid7 alongside hundreds of community contributors. It powers exploit development, post-exploitation, payload generation, and red-team operations worldwide.
My Goal
To contribute meaningful, well-tested code to a framework I use daily, deepen my Ruby and offensive-security skills, and build long-term relationships with the Rapid7 maintainers and the wider open-source security community.
The Project
Two new inline tracing presenters for the Metasploit Framework that bring HttpTrace-style transparency to Kerberos and X.509 authentication artefacts. Backward-compatible by default and modelled directly on the existing krb5_ccache_presenter.rb precedent.
Proposal Abstract
This project introduces two new inline tracing capabilities to the Metasploit Framework: CertificateTracePresenter and KerberosTicketTracePresenter. These features let penetration-testing operators inspect every Kerberos ticket and X.509 certificate artefact produced during module execution - principal names, encryption types, validity windows, serial numbers, SHA-256 fingerprints, ticket flags, and session keys - all without leaving the msfconsole session.
The work is modelled directly on Metasploit's existing HttpTrace capability in Exploit::Remote::HttpClient. Just as HttpTrace brought transparent HTTP request/response debugging inline, these two presenters extend the same design philosophy to the authentication layer. The implementation follows the established presenter pattern exemplified by krb5_ccache_presenter.rb - instantiating a presenter, calling to_s_* instance methods that return formatted strings, and letting the module call print_line().
Modern red-team engagements are increasingly centred on Active Directory abuse and certificate-based authentication (ADCS ESC1–ESC16). This project eliminates the need to export artefacts to disk or switch to auxiliary modules mid-exploitation - a workflow break that degrades both operator efficiency and OPSEC. The implementation is fully backward-compatible: when options are set to off (the default), no behaviour changes occur in any existing module.
Project Title
KerberosTicketTracePresenter & CertificateTracePresenter Support for the Metasploit Framework
Mentors
@jheysel-r7 (primary) · @zeroSteiner (co-mentor)
Size & Difficulty
175 hours · Medium
Working Fork
Tech Stack
Current Status: Week 5 · Midterm Evaluation today (10 Jul 2026) - significantly ahead of schedule
Both presenter cores merged in Week 1 (originally scoped for Weeks 3–10). Three CertificateTrace PRs are now merged upstream (#21198, #21469, #21580), and SSL peer-cert tracing across four protocols is live-lab-tested and under upstream review. Today is the midterm evaluation checkpoint; focus is now shifting to PKINIT certificate tracing (Phase 4) and documentation.
CertificateTracePresenter (Phase 3 work, done early): fully implemented with a 343-line presenter + 88-line shared CertificateTrace mixin. Integrated into 10+ Metasploit modules: icpr_cert, web_enrollment_cert, certifried, esc_update_ldap_object, bad_successor, rbcd, shadow_credentials, ldap_esc_vulnerable_cert_finder, relay modules, and more. RSpec: 403-line presenter suite + 184-line mixin suite. PR #21198 merged, with multiple review cycles addressed including MS Application Policies OID decoding, X.509 version display, SAN parsing, and non-ASCII sanitisation. Featured in the Rapid7 Metasploit Wrap-Up (June 13, 2026).
KerberosTicketTracePresenter (Phase 2, Mingqing/@eve0805): core presenter merged upstream via PR #21466; enum-modes follow-up merged via PR #21637 (superseding the closed #21568). My initial draft on kerberos-trace was superseded by Mingqing's implementation.
Week 2: LDAP Schannel cert tracing merged upstream via PR #21469 (2026-06-18), extending CertificateTrace to LDAP authentication over Schannel. CSR trace follow-up PR #21580 opened the same week (2026-06-18) and merged upstream in Week 4 (2026-07-08): adds to_s_csr_metadata / to_s_csr_full presenter methods, a certificate_csr_trace hook in CertRequest#with_adcs_certificate_request, and 73 green RSpec examples decoding requested template, SAN, and EKU OIDs from a real PKCS#10 CSR.
Weeks 3–4: SSL peer-cert tracing extended across 4 protocols in 3 PRs (opened Week 3, live-lab-tested Week 4). Phase 1 (HTTP) via PR #21599 (open): certificate_peer_cert_trace wired into HttpClient after send_recv, dedup via DB note, 47 RSpec examples green. Phase 2 (LDAP + RDP) via PR #21607 (open): wraps ldap_open and swap_sock_plain_to_ssl with peer-cert capture, with a respond_to?(:datastore) guard to prevent crashes in scanner contexts. Phase 3+4 (Postgres TLS + full cert chain) via PR #21608 (open): reads peer cert from postgres_conn.conn with respond_to?(:peer_cert) guard for plain-TCP connections; chain members printed with "Chain N/M" headers in full mode. All three peer-cert PRs are mergeable, CI-green, live-lab-tested (2026-07-09), and awaiting upstream review.
Total: ~2,000+ lines of new production code + specs across all branches by end of Week 4.
Timeline
The 12-week / 175-hour build plan, mapped onto the four project phases from the accepted proposal. GSoC milestones - Community Bonding, midterm, and final submission - are anchored inside the relevant phases.
Community Bonding · Phase 1 (Study) ✓
Weeks 1–2 · 25 hrs · CompleteDeep-dived into HttpTrace in Exploit::Remote::HttpClient, mapped the Kerberos client mixin, stood up the Windows Server 2022 + ADCS lab on TEST.LOCAL, and verified AS-REQ / TGS-REQ ticket capture in Wireshark.
Phase 2 - KerberosTicketTracePresenter ✓ Mingqing
Weeks 3–6 · Delivered by @eve0805Implemented and merged upstream by fellow GSoC contributor Mingqing (@eve0805). Core presenter merged via PR #21466; enum-modes follow-up merged via PR #21637 (superseding the closed #21568). My initial draft on kerberos-trace (PRs #21152 / #21190, closed) was superseded by her implementation.
Midterm Evaluation Today
Week 5 · 10 July 2026Mentor review of progress against proposal milestones. With three CertificateTrace PRs already merged upstream (#21198, #21469, #21580) and SSL peer-cert tracing live-lab-tested and under review, the midterm bar is already well exceeded. Focus after the checkpoint: landing the peer-cert PRs and starting PKINIT certificate tracing (Phase 4).
Phase 3 - CertificateTracePresenter ✓ · LDAP Schannel ✓ · CSR trace ✓ · SSL peer-cert ✓
Originally Weeks 7–10 · Core merged Week 1 · Schannel Week 2 · peer-cert opened Week 3 · CSR merged Week 4CertificateTracePresenter (343 lines) + shared CertificateTrace mixin merged upstream via PR #21198 (Week 1, 2026-06-05). Week 2: LDAP Schannel cert tracing merged via PR #21469 (2026-06-18) and CSR trace opened as PR #21580. Week 3: SSL peer-cert tracing opened across HTTP (#21599 open), LDAP+RDP (#21607 open), and Postgres+chain (#21608 open). Week 4: CSR trace #21580 merged (2026-07-08) and all three peer-cert PRs live-lab-tested (2026-07-09).
Phase 4 - Test & Docs
Weeks 11–12 · 50 hrsFull AD lab integration testing across both presenters, documentation and worked msfconsole usage examples, PR polish across PR 1 and PR 2, plus a feedback-driven changes buffer for mentor review cycles.
Final Submission
Late August / early September 2026Final code submission, deliverables write-up, blog wrap-up, and final mentor evaluation.
Results Announcement
November 2026GSoC 2026 final results made public by Google. Contribution continues outside the program (LDAP-over-Kerberos, SMB-with-Kerberos modules, and the rest of the Rex::Proto::Kerberos consumers).
Weekly Updates Live blog
Weekly notes from the coding period - what I shipped, what blocked me, and what I learned. Updates will be published here every Sunday during GSoC.
Onboarding & env setup ✓
Completed HttpTrace deep-dive, mapped Kerberos client mixin, stood up Windows Server 2022 + ADCS lab on TEST.LOCAL, and validated AS-REQ / TGS-REQ flows in Wireshark. Groundwork for both presenters laid.
Both presenter cores merged upstream · #21198 + #21466
CertificateTracePresenter (Phase 3 work, done 6–9 weeks early): 343-line presenter + 88-line shared CertificateTrace mixin. Wired into 10+ modules: icpr_cert, web_enrollment_cert, certifried, esc_update_ldap_object, bad_successor, rbcd, shadow_credentials, ldap_esc_vulnerable_cert_finder, relay modules, and more. RSpec: 403-line presenter suite + 184-line mixin suite. Merged via PR #21198 (2026-06-05) after multiple review cycles: X.509 version display, SAN parsing, non-ASCII sanitisation, MS Application Policies OID decoding. Featured in the Rapid7 Metasploit Wrap-Up (June 13, 2026).
KerberosTicketTracePresenter (Phase 2, Mingqing/@eve0805): initial draft on kerberos-trace (PRs #21152 / #21190, closed) was superseded by Mingqing's implementation, which merged upstream as PR #21466 (2026-06-04).
LDAP Schannel merged · CSR trace PR opened
LDAP Schannel cert tracing merged upstream via PR #21469 (2026-06-18), extending CertificateTrace to cover LDAP authentication over Schannel TLS.
CSR tracing opened as a focused follow-up to the merged CertificateTracePresenter: to_s_csr_metadata / to_s_csr_full + coerce_csr, hook in CertRequest#with_adcs_certificate_request, 73 RSpec examples green, decoding requested template, SAN, and EKU OIDs from a real PKCS#10 CSR. PR #21580 opened (2026-06-18).
SSL peer-cert tracing built · 4 protocols · 3 PRs opened
Phase 1 (HTTP): PR #21599 opened (2026-06-23): certificate_peer_cert_trace wired into HttpClient after send_recv, DB dedup, 47 RSpec examples green. Live-tested against WEBrick HTTPS using auxiliary/scanner/http/http_version.
Phase 2 (LDAP + RDP): PR #21607 opened (2026-06-25): wraps ldap_open and swap_sock_plain_to_ssl; respond_to?(:datastore) guard prevents crashes in LoginScanner contexts. Phase 3+4 (Postgres TLS + full cert chain): PR #21608 opened (2026-06-25): reads peer cert from postgres_conn.conn, chain members printed with "Chain N/M" headers in full mode.
CSR + Kerberos enum-modes merged · peer-cert live-lab-tested
CSR trace PR #21580 merged upstream (2026-07-08), all test-plan checkboxes ticked. Kerberos enum-modes follow-up (Mingqing) PR #21637 merged the same day.
All three SSL peer-cert PRs (#21599, #21607, #21608) live-lab-tested against the Windows Server 2022 AD CS lab (2026-07-09) - mergeable, CI-green, and awaiting upstream review.
Midterm evaluation (10 Jul 2026) · peer-cert under review
Midterm evaluation checkpoint with mentors today. The three peer-cert PRs (#21599, #21607, #21608) are under upstream review; next up is the PKINIT certificate tracing (Phase 4) kickoff.
PKINIT tracing kickoff
Begin PKINIT certificate tracing (Phase 4): surfacing the client cert used in the PKINIT AS-REQ / shadow-credentials flow through CertificateTrace.
PKINIT tracing + SMB TLS research
Wire PKINIT cert tracing through CertificateTrace; scope SMB-over-TLS peer-cert tracing (blocked on Rex SMB TLS support) and further AD lab validation.
ADCS ESC lab validation
End-to-end ADCS ESC1 lab run against the certificate presenter; verify all 10+ integrated modules produce correct trace output.
Integration hardening
Wider module integration coverage; edge-case testing across the CertificateTrace presenter and peer-cert paths.
Documentation pass
Worked msfconsole usage examples, wiki/docs for CertificateTrace modes (Phase 6), and any remaining upstream review comments.
Full lab integration tests
End-to-end runs across CertificateTrace, CSR trace, peer-cert, and PKINIT paths.
Final wrap-up
Docs, PR polish, blog wrap-up, and deliverables write-up for final evaluation.
Resources & Links
Rapid7 Metasploit Blog
Every Rapid7 Metasploit wrap-up post, auto-synced daily. Posts marked Featured mention my GSoC work directly.
Operator Console Restricted
Authenticated channel · operator-only ledger. Access key required. Only legends know the key.