
@stfnw
Contributor

@stfnw stfnw commented Nov 1, 2025

Include domain and username in the default/catch-all error message, so that this information is not lost.

Verification

  • Start msfconsole
  • use auxiliary/scanner/http/azure_ad_login
  • set appropriate options (user/pass/domain)
  • Verify the thing does what it should: it prints an error message with context showing the corresponding username.
  • Verify the thing does not do what it should not: it doesn't omit the username information from the message.
  • Document the thing and how it works (Example): This is not necessary for a change this small.

Include domain and username in the default/catch-all error message,
so that this information is not lost.
@stfnw
Contributor Author

stfnw commented Nov 1, 2025

Motivation behind this is to be able to map the error message back to the affected user.
More specifically, I had the case where I got AADSTS81016: Invalid STS request. as an error message (also see https://github.com/nyxgeek/AzureAD_Autologon_Brute/blob/main/README.md#update---20240221 which mentions that return code).

All in all, this change turns the following error message:

Received unknown response with error code: AADSTS81016: Invalid STS request.

Into this one:

Received unknown response for <domain>\<user>:<password> with error code: AADSTS81016: Invalid STS request.

@jheysel-r7 jheysel-r7 self-assigned this Nov 12, 2025
Contributor

@jheysel-r7 jheysel-r7 left a comment


Hey @stfnw, thanks for the PR. Makes sense to me, we should be printing username / password info when erroring. Could see how this would be frustrating when running with multiple users and not knowing which one is throwing the error.

Simulated test environment for small change:

msf auxiliary(scanner/http/azure_ad_login) >  rexploit
[*] Reloading module...
[-] Received unknown response for kerberos.issue\msfuser:N0tpassword! with error code: AADSTS81016: Invalid STS request.
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 merged commit 90ff800 into rapid7:master Nov 12, 2025
18 checks passed
@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Nov 13, 2025
@smcintyre-r7
Contributor

Release Notes

This updates the auxiliary/scanner/http/azure_ad_login module to print the domain and username in error messages. This enables users to understand what user caused the error.
