Google Summer of Code 2026

Kerberos & Certificate Trace Presenters for Metasploit

GSoC 2026 · mentored by @jheysel-r7 & @zeroSteiner

Welcome to my Google Summer of Code 2026 build log. This page tracks my work on two new inline tracing capabilities for the Metasploit Framework - KerberosTicketTracePresenter and CertificateTracePresenter - that bring HttpTrace-style transparency to Kerberos tickets and X.509 certificates inside msfconsole, so operators no longer need to export .ccache or .pfx artefacts to disk to inspect them.

Organization Metasploit · Rapid7
Project Size 175 hrs · Medium
Mentors @jheysel-r7 · @zeroSteiner
Timeline 12 weeks · Jun – Aug 2026

About the Program

Google Summer of Code

GSoC is a global, online program focused on bringing new contributors into open-source software development. Contributors work with a mentor organisation on a 12+ week programming project, gain real-world experience, and ship production-grade code that lands in tools used by millions.

Metasploit Framework

Metasploit is the leading open-source penetration testing platform, written primarily in Ruby and maintained by Rapid7 alongside hundreds of community contributors. It powers exploit development, post-exploitation, payload generation, and red-team operations worldwide.

My Goal

To contribute meaningful, well-tested code to a framework I use daily, deepen my Ruby and offensive-security skills, and build long-term relationships with the Rapid7 maintainers and the wider open-source security community.

The Project

Two new inline tracing presenters for the Metasploit Framework that bring HttpTrace-style transparency to Kerberos and X.509 authentication artefacts. Backward-compatible by default and modelled directly on the existing krb5_ccache_presenter.rb precedent.

Proposal Abstract

This project introduces two new inline tracing capabilities to the Metasploit Framework: CertificateTracePresenter and KerberosTicketTracePresenter. These features let penetration-testing operators inspect every Kerberos ticket and X.509 certificate artefact produced during module execution - principal names, encryption types, validity windows, serial numbers, SHA-256 fingerprints, ticket flags, and session keys - all without leaving the msfconsole session.

The work is modelled directly on Metasploit's existing HttpTrace capability in Exploit::Remote::HttpClient. Just as HttpTrace brought transparent HTTP request/response debugging inline, these two presenters extend the same design philosophy to the authentication layer. The implementation follows the established presenter pattern exemplified by krb5_ccache_presenter.rb - instantiating a presenter, calling to_s_* instance methods that return formatted strings, and letting the module call print_line().

Modern red-team engagements are increasingly centred on Active Directory abuse and certificate-based authentication (ADCS ESC1–ESC16). This project eliminates the need to export artefacts to disk or switch to auxiliary modules mid-exploitation - a workflow break that degrades both operator efficiency and OPSEC. The implementation is fully backward-compatible: when options are set to off (the default), no behaviour changes occur in any existing module.

Project Title

KerberosTicketTracePresenter & CertificateTracePresenter Support for the Metasploit Framework

Mentors

@jheysel-r7 (primary) · @zeroSteiner (co-mentor)

Size & Difficulty

175 hours · Medium

Tech Stack

Ruby Metasploit Framework RSpec OpenSSL Kerberos / ASN.1 OpenStruct adapter Active Directory · ADCS Wireshark validation Impacket · Rubeus

Current Status: Week 5 · Midterm Evaluation today (10 Jul 2026) - significantly ahead of schedule

Both presenter cores merged in Week 1 (originally scoped for Weeks 3–10). Three CertificateTrace PRs are now merged upstream (#21198, #21469, #21580), and SSL peer-cert tracing across four protocols is live-lab-tested and under upstream review. Today is the midterm evaluation checkpoint; focus is now shifting to PKINIT certificate tracing (Phase 4) and documentation.

CertificateTracePresenter (Phase 3 work, done early): fully implemented with a 343-line presenter + 88-line shared CertificateTrace mixin. Integrated into 10+ Metasploit modules: icpr_cert, web_enrollment_cert, certifried, esc_update_ldap_object, bad_successor, rbcd, shadow_credentials, ldap_esc_vulnerable_cert_finder, relay modules, and more. RSpec: 403-line presenter suite + 184-line mixin suite. PR #21198 merged, with multiple review cycles addressed including MS Application Policies OID decoding, X.509 version display, SAN parsing, and non-ASCII sanitisation. Featured in the Rapid7 Metasploit Wrap-Up (June 13, 2026).

KerberosTicketTracePresenter (Phase 2, Mingqing/@eve0805): core presenter merged upstream via PR #21466; enum-modes follow-up merged via PR #21637 (superseding the closed #21568). My initial draft on kerberos-trace was superseded by Mingqing's implementation.

Week 2: LDAP Schannel cert tracing merged upstream via PR #21469 (2026-06-18), extending CertificateTrace to LDAP authentication over Schannel. CSR trace follow-up PR #21580 opened the same week (2026-06-18) and merged upstream in Week 4 (2026-07-08): adds to_s_csr_metadata / to_s_csr_full presenter methods, a certificate_csr_trace hook in CertRequest#with_adcs_certificate_request, and 73 green RSpec examples decoding requested template, SAN, and EKU OIDs from a real PKCS#10 CSR.

Weeks 3–4: SSL peer-cert tracing extended across 4 protocols in 3 PRs (opened Week 3, live-lab-tested Week 4). Phase 1 (HTTP) via PR #21599 (open): certificate_peer_cert_trace wired into HttpClient after send_recv, dedup via DB note, 47 RSpec examples green. Phase 2 (LDAP + RDP) via PR #21607 (open): wraps ldap_open and swap_sock_plain_to_ssl with peer-cert capture, with a respond_to?(:datastore) guard to prevent crashes in scanner contexts. Phase 3+4 (Postgres TLS + full cert chain) via PR #21608 (open): reads peer cert from postgres_conn.conn with respond_to?(:peer_cert) guard for plain-TCP connections; chain members printed with "Chain N/M" headers in full mode. All three peer-cert PRs are mergeable, CI-green, live-lab-tested (2026-07-09), and awaiting upstream review.

Total: ~2,000+ lines of new production code + specs across all branches by end of Week 4.

Timeline

The 12-week / 175-hour build plan, mapped onto the four project phases from the accepted proposal. GSoC milestones - Community Bonding, midterm, and final submission - are anchored inside the relevant phases.

Community Bonding · Phase 1 (Study) ✓

Weeks 1–2 · 25 hrs · Complete

Deep-dived into HttpTrace in Exploit::Remote::HttpClient, mapped the Kerberos client mixin, stood up the Windows Server 2022 + ADCS lab on TEST.LOCAL, and verified AS-REQ / TGS-REQ ticket capture in Wireshark.

Phase 2 - KerberosTicketTracePresenter ✓ Mingqing

Weeks 3–6 · Delivered by @eve0805

Implemented and merged upstream by fellow GSoC contributor Mingqing (@eve0805). Core presenter merged via PR #21466; enum-modes follow-up merged via PR #21637 (superseding the closed #21568). My initial draft on kerberos-trace (PRs #21152 / #21190, closed) was superseded by her implementation.

Midterm Evaluation Today

Week 5 · 10 July 2026

Mentor review of progress against proposal milestones. With three CertificateTrace PRs already merged upstream (#21198, #21469, #21580) and SSL peer-cert tracing live-lab-tested and under review, the midterm bar is already well exceeded. Focus after the checkpoint: landing the peer-cert PRs and starting PKINIT certificate tracing (Phase 4).

Phase 3 - CertificateTracePresenter ✓ · LDAP Schannel ✓ · CSR trace ✓ · SSL peer-cert ✓

Originally Weeks 7–10 · Core merged Week 1 · Schannel Week 2 · peer-cert opened Week 3 · CSR merged Week 4

CertificateTracePresenter (343 lines) + shared CertificateTrace mixin merged upstream via PR #21198 (Week 1, 2026-06-05). Week 2: LDAP Schannel cert tracing merged via PR #21469 (2026-06-18) and CSR trace opened as PR #21580. Week 3: SSL peer-cert tracing opened across HTTP (#21599 open), LDAP+RDP (#21607 open), and Postgres+chain (#21608 open). Week 4: CSR trace #21580 merged (2026-07-08) and all three peer-cert PRs live-lab-tested (2026-07-09).

Phase 4 - Test & Docs

Weeks 11–12 · 50 hrs

Full AD lab integration testing across both presenters, documentation and worked msfconsole usage examples, PR polish across PR 1 and PR 2, plus a feedback-driven changes buffer for mentor review cycles.

Final Submission

Late August / early September 2026

Final code submission, deliverables write-up, blog wrap-up, and final mentor evaluation.

Results Announcement

November 2026

GSoC 2026 final results made public by Google. Contribution continues outside the program (LDAP-over-Kerberos, SMB-with-Kerberos modules, and the rest of the Rex::Proto::Kerberos consumers).

Weekly Updates Live blog

Weekly notes from the coding period - what I shipped, what blocked me, and what I learned. Updates will be published here every Sunday during GSoC.

Community Bonding

Onboarding & env setup ✓

Completed HttpTrace deep-dive, mapped Kerberos client mixin, stood up Windows Server 2022 + ADCS lab on TEST.LOCAL, and validated AS-REQ / TGS-REQ flows in Wireshark. Groundwork for both presenters laid.

Week 01

Both presenter cores merged upstream · #21198 + #21466

CertificateTracePresenter (Phase 3 work, done 6–9 weeks early): 343-line presenter + 88-line shared CertificateTrace mixin. Wired into 10+ modules: icpr_cert, web_enrollment_cert, certifried, esc_update_ldap_object, bad_successor, rbcd, shadow_credentials, ldap_esc_vulnerable_cert_finder, relay modules, and more. RSpec: 403-line presenter suite + 184-line mixin suite. Merged via PR #21198 (2026-06-05) after multiple review cycles: X.509 version display, SAN parsing, non-ASCII sanitisation, MS Application Policies OID decoding. Featured in the Rapid7 Metasploit Wrap-Up (June 13, 2026).

KerberosTicketTracePresenter (Phase 2, Mingqing/@eve0805): initial draft on kerberos-trace (PRs #21152 / #21190, closed) was superseded by Mingqing's implementation, which merged upstream as PR #21466 (2026-06-04).

Week 02

LDAP Schannel merged · CSR trace PR opened

LDAP Schannel cert tracing merged upstream via PR #21469 (2026-06-18), extending CertificateTrace to cover LDAP authentication over Schannel TLS.

CSR tracing opened as a focused follow-up to the merged CertificateTracePresenter: to_s_csr_metadata / to_s_csr_full + coerce_csr, hook in CertRequest#with_adcs_certificate_request, 73 RSpec examples green, decoding requested template, SAN, and EKU OIDs from a real PKCS#10 CSR. PR #21580 opened (2026-06-18).

Week 03

SSL peer-cert tracing built · 4 protocols · 3 PRs opened

Phase 1 (HTTP): PR #21599 opened (2026-06-23): certificate_peer_cert_trace wired into HttpClient after send_recv, DB dedup, 47 RSpec examples green. Live-tested against WEBrick HTTPS using auxiliary/scanner/http/http_version.

Phase 2 (LDAP + RDP): PR #21607 opened (2026-06-25): wraps ldap_open and swap_sock_plain_to_ssl; respond_to?(:datastore) guard prevents crashes in LoginScanner contexts. Phase 3+4 (Postgres TLS + full cert chain): PR #21608 opened (2026-06-25): reads peer cert from postgres_conn.conn, chain members printed with "Chain N/M" headers in full mode.

Week 04

CSR + Kerberos enum-modes merged · peer-cert live-lab-tested

CSR trace PR #21580 merged upstream (2026-07-08), all test-plan checkboxes ticked. Kerberos enum-modes follow-up (Mingqing) PR #21637 merged the same day.

All three SSL peer-cert PRs (#21599, #21607, #21608) live-lab-tested against the Windows Server 2022 AD CS lab (2026-07-09) - mergeable, CI-green, and awaiting upstream review.

Week 05 Now

Midterm evaluation (10 Jul 2026) · peer-cert under review

Midterm evaluation checkpoint with mentors today. The three peer-cert PRs (#21599, #21607, #21608) are under upstream review; next up is the PKINIT certificate tracing (Phase 4) kickoff.

Week 06

PKINIT tracing kickoff

Begin PKINIT certificate tracing (Phase 4): surfacing the client cert used in the PKINIT AS-REQ / shadow-credentials flow through CertificateTrace.

Week 07

PKINIT tracing + SMB TLS research

Wire PKINIT cert tracing through CertificateTrace; scope SMB-over-TLS peer-cert tracing (blocked on Rex SMB TLS support) and further AD lab validation.

Week 08

ADCS ESC lab validation

End-to-end ADCS ESC1 lab run against the certificate presenter; verify all 10+ integrated modules produce correct trace output.

Week 09

Integration hardening

Wider module integration coverage; edge-case testing across the CertificateTrace presenter and peer-cert paths.

Week 10

Documentation pass

Worked msfconsole usage examples, wiki/docs for CertificateTrace modes (Phase 6), and any remaining upstream review comments.

Week 11

Full lab integration tests

End-to-end runs across CertificateTrace, CSR trace, peer-cert, and PKINIT paths.

Week 12

Final wrap-up

Docs, PR polish, blog wrap-up, and deliverables write-up for final evaluation.

Rapid7 Metasploit Blog

Every Rapid7 Metasploit wrap-up post, auto-synced daily. Posts marked Featured mention my GSoC work directly.

Loading posts…

Operator Console Restricted

Authenticated channel · operator-only ledger. Access key required. Only legends know the key.

solitude_coder@rapid7:~/gsoc26$ auth --request stipend-ledger
awaiting access key · "only legends know the key"
access@gsoc26 $

Get In Touch

Email

bluedevil5177@gmail.com

Send Email

Phone

+91 7300301634

Call Now

Location

Bahal, Haryana for college

View on Map

WhatsApp

+91 7300301634

Send Message