Added: Option to adjust kerberos clock #20755
- Added KrbClockSkew advanced option and parser to offset Kerberos timestamps
- Propagate skew through Kerberos client/authenticators (LDAP/SMB/HTTP/WinRM/MSSQL) and scanners
- Updated docs for new option and extended kerberos client specs for clock skew handling
- Clean up kerberos client error handling/style per rubocop
fail_with(Msf::Exploit::Failure::BadConfig, 'The HTTP::Rhostname option is required when using Kerberos authentication.') if datastore['HTTP::Rhostname'].blank?
fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes'])
kerberos_authenticator = nil
Was this indentation intentional?
These indents were not intentional; there would have been some mistakes while writing the code. I will fix this.
Thanks for the great enhancement @rudraditya21, I can definitely see myself using this new feature.
One question: do you think it would be worth updating this error message:
to let the operator know that they can either set KrbClockSkew to fix the skew, and/or that KrbClockSkew is not taken into account when calculating the skew printed in the error message?
I noticed in the testing below when setting KrbClockSkew = -24h, I was expecting a failure but the failure message was slightly confusing as it said the module failed due to a skew of 0 seconds. Let me know what you think. Other than that, everything looks great.
Testing
Spec
Run options:
include {:focus=>true}
exclude {:acceptance=>true}
All examples were filtered out; ignoring {:focus=>true}
Randomized with seed 1979
Msf::Exploit::Remote::Kerberos::Client .............
Top 10 slowest examples (0.14907 seconds, 25.2% of total time):
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt_pkinit when the authentication succeeds returns the ticket
0.0702 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:480
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when kerberos preauth is required when the authentication fails returns the ticket
0.01133 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:651
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when kerberos preauth is not required decrypts the ticket when the key is correct
0.01077 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:565
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when kerberos preauth is required when the authentication succeeds returns the ticket
0.0096 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:627
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when the account is unknown raises an erorr
0.00933 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:515
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when kerberos preauth is not required decrypts the ticket when the password is correct
0.00904 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:549
Msf::Exploit::Remote::Kerberos::Client#send_request_tgt when kerberos preauth is not required returns the ticket when the key is incorrect
0.0088 seconds ./spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb:600
Authenticated successfully with kerberos
msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.16.199.200
[+] 172.16.199.200:88 - Received a valid TGT-Response
[*] 172.16.199.200:389 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20260106112347_default_172.16.199.200_mit.kerberos.cca_648171.bin
[+] 172.16.199.200:88 - Received a valid TGS-Response
[*] 172.16.199.200:389 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20260106112347_default_172.16.199.200_mit.kerberos.cca_936292.bin
[+] 172.16.199.200:88 - Received a valid delegation TGS-Response
[+] 172.16.199.200:88 - Received AP-REQ. Extracting session key...
[*] Discovering base DN automatically
[*] user: Administrator, domain: kerberos.issue
[*] Detected target Windows version: 10.0.17763.5206
[+] Detected Windows Server 2019 version 10.0.17763.5206 — appears vulnerable (below Sept 2025 threshold 10.0.17763.7792). Module will continue.
[!] Could not find any details on the LDAP server for SID S-1-5-21-2324486357-3075865580-3606784161-1603!
^C[-] Stopping running against current target...
[*] Control-C again to force quit all targets.
[*] Auxiliary module execution completed
Authenticated unsuccessfully with kerberos due to clock skew set via the new datastore options
msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set KrbClockSkew -24h
KrbClockSkew => -24h
msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.16.199.200
[-] Auxiliary aborted due to failure: no-access: KRB_AP_ERR_SKEW (37) - Clock skew too great. Local time: 2026-01-06 11:24:00 -0800, Server time: 2026-01-06 19:24:00 UTC, off by 0 seconds
[*] Auxiliary module execution completed
Yes, this is a good idea. Improving the error messages would help improve clarity. Do you have any suggestions for crafting better error messages?
@rudraditya21 I think updating it to say the following would suffice:
Release Notes
This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.
Closes #20587
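To make the KrbClockSkew behaviour described above concrete, and to show the kind of diagnostic the reviewer asked for (one that reports the configured skew alongside the raw local/server difference), here is an added Ruby example. It is not the framework's own parser or error path: the `KrbClockSkewExample` module, its duration syntax (`-24h`, `+90m`, `45s`) and the 5-minute tolerance are assumptions for illustration.

```ruby
require 'time'

# Constructed example, not Metasploit's implementation of KrbClockSkew.
module KrbClockSkewExample
  UNIT_SECONDS = { 's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400 }.freeze
  # Conventional Kerberos clock-skew tolerance (RFC 4120 suggests 5 minutes).
  MAX_SKEW = 300

  # Parse an operator-supplied offset such as "-24h" into seconds.
  # Raises ArgumentError on anything that is not <sign><integer><s|m|h|d>.
  def self.parse_skew(value)
    m = /\A([+-]?)(\d+)([smhd])\z/.match(value.to_s.strip)
    raise ArgumentError, "invalid KrbClockSkew value: #{value.inspect}" unless m
    sign = m[1] == '-' ? -1 : 1
    sign * m[2].to_i * UNIT_SECONDS[m[3]]
  end

  # Authenticators carry the client's notion of "now"; the configured skew is
  # added to the local clock before the timestamp goes on the wire.
  def self.adjusted_time(local_time, skew_seconds)
    local_time + skew_seconds
  end

  # Build a KRB_AP_ERR_SKEW diagnostic that distinguishes the raw clock
  # difference from the offset the operator configured, so that a rejection
  # caused by KrbClockSkew itself no longer reads as "off by 0 seconds".
  def self.skew_report(local_time, server_time, skew_seconds)
    raw_diff = (local_time - server_time).round
    effective = raw_diff + skew_seconds
    {
      raw_offset: raw_diff,
      configured_skew: skew_seconds,
      effective_offset: effective,
      rejected: effective.abs > MAX_SKEW,
      message: format(
        'KRB_AP_ERR_SKEW (37) - Clock skew too great. Local time: %s, Server time: %s, ' \
        'off by %d seconds before KrbClockSkew (%+d seconds) was applied; ' \
        'effective offset %d seconds. Adjust KrbClockSkew so the effective offset ' \
        'is within %d seconds.',
        local_time.getutc.iso8601, server_time.getutc.iso8601,
        raw_diff, skew_seconds, effective, MAX_SKEW
      )
    }
  end
end
```

With the times from the failing run above (11:24:00 -0800 against 19:24:00 UTC, the same instant) and a configured skew of -24h, the report shows a raw offset of 0 and an effective offset of -86400 seconds, which is why the request was rejected.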