rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Fix PASSWORD_SPRAY being ignored for LDAP (and potentially other modules) #19079

Closed nrathaus closed 1 month ago

nrathaus commented 2 months ago

Fixes #18994, which will fix the PASSWORD_SPRAY (unhandled) issue whenever the code is still using each for credentials rather than the newer functions.

I am unable to test it for all modules that use this; I did test it for LDAP.

nrathaus commented 2 months ago

Setup of LDAP server:

docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.5.0

Setup the $LDAP_CID value based on the container that is created

docker exec $LDAP_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/new-user.ldif -H ldap://ldap.example.org -ZZ

Add another user:

ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -H ldap://127.0.0.1:389

Give it this text:

dn: uid=test,dc=example,dc=org
uid: test
cn: test
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/test
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: test@example.org
gecos: Test User

Metasploit test:

use scanner/ldap/ldap_login
set PASSWORD_SPRAY true
set USER_FILE /tmp/users.txt
set PASS_FILE /tmp/passwords.txt
set RHOSTS 127.0.0.1
run

adfoster-r7 commented 2 months ago

Thanks for the PR; I don't quite have the cycles to review this fully, but if this is building an in-memory array of permutations before executing things - then that pattern won't scale well for large user/password lists unfortunately

That's something I ran into with the older brute force mixin - https://github.com/rapid7/metasploit-framework/pull/15115 - that I believe the credential_collection doesn't suffer from in its current state of yielding values

nrathaus commented 2 months ago

@adfoster-r7 I agree that on large arrays (user count * password count) it can become very big and probably consume a lot of memory, so I reverted the patch and made a "duplicate" of the function with _password_first focus on it, and a yield picking between the two options

I don't have enough Ruby understanding to make sure it works (my Ruby skills aren't that great at the moment)

Also I don't see any unit-tests I can use to verify it works as expected on all scenarios

I did check it on FTP and LDAP with username/password files - seems to work as expected
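
The two traversal orders discussed in this thread (username-first brute force versus password-first spray), yielding one pair at a time instead of building the full user x password array in memory, as an added Ruby example that is not Metasploit's own CredentialCollection code; SAMPLE_USERS, SAMPLE_PASSWORDS and the Credential struct are constructed stand-ins for USER_FILE, PASS_FILE and Metasploit::Framework::Credential.

```ruby
require 'stringio'

# Constructed sample word lists standing in for USER_FILE / PASS_FILE contents.
SAMPLE_USERS = "user1\nuser2\nuser3\n".freeze
SAMPLE_PASSWORDS = "password1\npassword2\n".freeze

# Minimal stand-in for Metasploit::Framework::Credential (assumption: only the
# username/password pair matters for ordering, so nothing else is modelled).
Credential = Struct.new(:username, :password) do
  def to_s
    "#{username}:#{password}"
  end
end

# Stream non-empty words from an IO one line at a time; nothing is kept in an Array.
def each_word(io)
  io.rewind
  io.each_line do |line|
    word = line.chomp
    yield word unless word.empty?
  end
end

# Username-first order (classic brute force): every password for user1, then user2, ...
def each_user_first(user_io, pass_io)
  return enum_for(__method__, user_io, pass_io) unless block_given?
  each_word(user_io) do |user|
    each_word(pass_io) { |pass| yield Credential.new(user, pass) }
  end
end

# Password-first order (password spray): password1 against every user, then password2, ...
# This is the order the spec in the thread expects (user1:password1, user2:password1, ...).
def each_password_first(user_io, pass_io)
  return enum_for(__method__, user_io, pass_io) unless block_given?
  each_word(pass_io) do |pass|
    each_word(user_io) { |user| yield Credential.new(user, pass) }
  end
end

# Pick the traversal based on the PASSWORD_SPRAY option; both paths yield lazily,
# so memory does not grow with (user count * password count).
def each_credential(user_io, pass_io, password_spray: false, &block)
  if password_spray
    each_password_first(user_io, pass_io, &block)
  else
    each_user_first(user_io, pass_io, &block)
  end
end

# Helper: the "user:pass" order produced for the given lists and option.
# `limit` stops after that many pairs, showing that the enumeration is lazy.
def credential_order(users, passwords, password_spray:, limit: nil)
  enum = each_credential(StringIO.new(users), StringIO.new(passwords),
                         password_spray: password_spray)
  creds = limit ? enum.first(limit) : enum.to_a
  creds.map(&:to_s)
end

if $PROGRAM_NAME == __FILE__
  puts credential_order(SAMPLE_USERS, SAMPLE_PASSWORDS, password_spray: true)
end
```

Swapping StringIO for a File opened in block form keeps the same streaming behaviour on real word lists.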

adfoster-r7 commented 2 months ago

Also I don't see any unit-tests I can use to verify it works as expected on all scenarios

Hmm - do these work? Or do we need to add more 👀

https://github.com/rapid7/metasploit-framework/blob/9f22d67210334c3f0ef99b522aa3df4999ccaaa9/spec/lib/metasploit/framework/credential_collection_spec.rb

nrathaus commented 2 months ago

@adfoster-r7 oops, I have no idea how to use these as unit tests - any guidance in Metasploit guides or elsewhere on how to run these as standalone?

VS doesn't show them as tests

adfoster-r7 commented 1 month ago

Sorry for the delay; Do these steps work?

https://github.com/rapid7/metasploit-framework/pull/19088

nrathaus commented 1 month ago

Looks like it will help, I will give it a try

nrathaus commented 1 month ago

@adfoster-r7 bundle rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb

Should be: bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb

nrathaus commented 1 month ago

Is the DB error I am getting for rspec related to this step:

cd ~/metasploit-framework/config &&
cp database.yml.example database.yml

nrathaus commented 1 month ago

My bad, I misinterpreted the outcome; on main I see no errors:

$ bundle exec rspec spec/lib/metasploit/framework/credential_collection_spec.rb
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
Run options:
  include {:focus=>true}
  exclude {:acceptance=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 29966
Metasploit::Framework::CredentialCollection ...................

Top 10 slowest examples (0.0159 seconds, 56.5% of total time):
  Metasploit::Framework::CredentialCollection#empty? when :username is set and :password is not set is expected to eq true
    0.00427 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:205
  Metasploit::Framework::CredentialCollection#each is expected to yield with args(Metasploit::Framework::Credential)
    0.00242 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:35
  Metasploit::Framework::CredentialCollection#each when given a userspass_file is expected to yield successive args(#<Metasploit::Framework::Credential "asdf:jkl" >, #<Metasploit::Framework::Credential "foo:bar" >)
    0.00149 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:87
  Metasploit::Framework::CredentialCollection#each when given a username, user_file and pass_file is expected to yield successive args(#<Metasploit::Framework::Credential "my_username:asdf" >, #<Metasploit::Framework::Credential "my_username:jkl" >, #<Metasploit::Framework::Credential "asdf:asdf" >, #<Metasploit::Framework::Credential "asdf:jkl" >, #<Metasploit::Framework::Credential "jkl:asdf" >, #<Metasploit::Framework::Credential "jkl:jkl" >)
    0.00121 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:142
  Metasploit::Framework::CredentialCollection#each when given a pass_file and user_file is expected to yield successive args(#<Metasploit::Framework::Credential "asdf:asdf" >, #<Metasploit::Framework::Credential "asdf:jkl" >, #<Metasploit::Framework::Credential "jkl:asdf" >, #<Metasploit::Framework::Credential "jkl:jkl" >)
    0.00121 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:113
  Metasploit::Framework::CredentialCollection#each when given a pass_file and username is expected to yield successive args(#<Metasploit::Framework::Credential "user:asdf" >, #<Metasploit::Framework::Credential "user:jkl" >)
    0.00116 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:67
  Metasploit::Framework::CredentialCollection#each when :blank_passwords is true is expected to yield successive args(#<Metasploit::Framework::Credential "user:pass" >, #<Metasploit::Framework::Credential "user:" >)
    0.00115 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:176
  Metasploit::Framework::CredentialCollection#each when given a user_file and password is expected to yield successive args(#<Metasploit::Framework::Credential "asdf:pass" >, #<Metasploit::Framework::Credential "jkl:pass" >)
    0.00104 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:49
  Metasploit::Framework::CredentialCollection#each when :user_as_pass is true is expected to yield successive args(#<Metasploit::Framework::Credential "user:pass" >, #<Metasploit::Framework::Credential "user:user" >)
    0.00101 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:156
  Metasploit::Framework::CredentialCollection#empty? when :username is set and :password is not set and :nil_passwords is true is expected to eq false
    0.00094 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:211

Finished in 0.02814 seconds (files took 3.13 seconds to load)
19 examples, 0 failures

Randomized with seed 29966
Coverage report generated for RSpec to /home/noam/src/metasploit-framework/coverage. 2150 / 11805 LOC (18.21%) covered.

nrathaus commented 1 month ago

On branch fix_password_spray I see the same outcome:

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
Run options:
  include {:focus=>true}
  exclude {:acceptance=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 47938
Metasploit::Framework::CredentialCollection ...................

Top 10 slowest examples (0.02078 seconds, 59.7% of total time):
  Metasploit::Framework::CredentialCollection#empty? when :username is not set and :password is not set is expected to eq true
    0.00513 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:229
  Metasploit::Framework::CredentialCollection#each when given a username, user_file and pass_file is expected to yield successive args(#<Metasploit::Framework::Credential "my_username:asdf" >, #<Metasploit::Framework::Credential "my_username:jkl" >, #<Metasploit::Framework::Credential "asdf:asdf" >, #<Metasploit::Framework::Credential "asdf:jkl" >, #<Metasploit::Framework::Credential "jkl:asdf" >, #<Metasploit::Framework::Credential "jkl:jkl" >)
    0.0035 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:142
  Metasploit::Framework::CredentialCollection#prepend_cred is expected to yield successive args(#<Metasploit::Framework::Credential "foo:bar" >, #<Metasploit::Framework::Credential "user:pass" >)
    0.00249 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:258
  Metasploit::Framework::CredentialCollection#each when :user_as_pass is true is expected to yield successive args(#<Metasploit::Framework::Credential "user:pass" >, #<Metasploit::Framework::Credential "user:user" >)
    0.00194 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:156
  Metasploit::Framework::CredentialCollection#empty? when :username is set and :password is not set is expected to eq true
    0.00148 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:205
  Metasploit::Framework::CredentialCollection#empty? when :username is not set and :password is not set and :additional_publics is not empty is expected to eq true
    0.00132 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:249
  Metasploit::Framework::CredentialCollection#empty? when :username is set and :password is set is expected to eq false
    0.00132 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:198
  Metasploit::Framework::CredentialCollection#each when given a pass_file and user_file is expected to yield successive args(#<Metasploit::Framework::Credential "asdf:asdf" >, #<Metasploit::Framework::Credential "asdf:jkl" >, #<Metasploit::Framework::Credential "jkl:asdf" >, #<Metasploit::Framework::Credential "jkl:jkl" >)
    0.00125 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:113
  Metasploit::Framework::CredentialCollection#each when :nil_passwords is true is expected to yield successive args(#<Metasploit::Framework::Credential "user" >, #<Metasploit::Framework::Credential "user:pass" >)
    0.00121 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:166
  Metasploit::Framework::CredentialCollection#each when given a user_file and password is expected to yield successive args(#<Metasploit::Framework::Credential "asdf:pass" >, #<Metasploit::Framework::Credential "jkl:pass" >)
    0.00115 seconds ./spec/lib/metasploit/framework/credential_collection_spec.rb:49

Finished in 0.03484 seconds (files took 3.6 seconds to load)
19 examples, 0 failures

Randomized with seed 47938
Coverage report generated for RSpec to /home/noam/src/metasploit-framework/coverage. 2152 / 11864 LOC (18.14%) covered.

nrathaus commented 1 month ago

Should I add a test for the password_spray part to verify it works as expected?

adfoster-r7 commented 1 month ago

That sounds good to me - thanks! 💯

nrathaus commented 1 month ago

I added a spec, but for some reason I get an error whose root cause I don't quite understand.

It seems to be related to the inability to open the user_file; I don't see why it works when password_spray is false (the file is openable).

Randomized with seed 1002
Metasploit::Framework::CredentialCollection F

  1) Metasploit::Framework::CredentialCollection#each when given a pass_file and user_file and password spray is expected to yield successive args(#<Metasploit::Framework::Credential "user1:password1" >, #<Metasploit::Framework::Credential "user2:password1" >, #<Metasploit::Framework::Credential "user3:password1" >, #<Metasploit::Framework::Credential "user1:password2" >, #<Metasploit::Framework::Credential "user2:password2" >, #<Metasploit::Framework::Credential "user3:password2" >)
     Failure/Error: user_fd = File.open(user_file, 'r:binary')
       #<File (class)> asked to yield |[#<StringIO:0x000056262f2d9730>]| but no block was passed
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-support-3.13.0/lib/rspec/support.rb:110:in `block in <module:Support>'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-support-3.13.0/lib/rspec/support.rb:119:in `notify_failure'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/error_generator.rb:348:in `notify'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/error_generator.rb:332:in `__raise'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/error_generator.rb:143:in `raise_missing_block_error'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:704:in `call'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:761:in `block in call'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:760:in `map'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:760:in `call'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:621:in `invoke_incrementing_actual_calls_by'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/message_expectation.rb:474:in `invoke'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/proxy.rb:209:in `message_received'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/proxy.rb:361:in `message_received'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/method_double.rb:98:in `proxy_method_invoked'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/verifying_proxy.rb:161:in `proxy_method_invoked'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-mocks-3.13.0/lib/rspec/mocks/method_double.rb:74:in `block (2 levels) in define_proxy_method'
     # ./lib/metasploit/framework/credential_collection.rb:248:in `each_unfiltered_password_first'
     # ./lib/metasploit/framework/credential_collection.rb:92:in `each_filtered'
     # ./spec/lib/metasploit/framework/credential_collection_spec.rb:144:in `block (5 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/matchers/built_in/yield.rb:35:in `probe'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/matchers/built_in/yield.rb:16:in `probe'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/matchers/built_in/yield.rb:308:in `matches?'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/expectations/handler.rb:51:in `block in handle_matcher'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/expectations/handler.rb:27:in `with_matcher'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/expectations/handler.rb:48:in `handle_matcher'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/expectations/expectation_target.rb:65:in `to'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-expectations-3.13.0/lib/rspec/expectations/expectation_target.rb:139:in `to'
     # ./spec/lib/metasploit/framework/credential_collection_spec.rb:144:in `block (4 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:263:in `instance_exec'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:263:in `block in run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:486:in `block in run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:626:in `block in run_around_example_hooks_for'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:352:in `call'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-rails-6.0.3/lib/rspec/rails/adapters.rb:75:in `block (2 levels) in <module:MinitestLifecycleAdapter>'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:457:in `instance_exec'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:457:in `instance_exec'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:390:in `execute_with'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:628:in `block (2 levels) in run_around_example_hooks_for'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:352:in `call'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:629:in `run_around_example_hooks_for'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/hooks.rb:486:in `run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example.rb:259:in `run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:642:in `map'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:642:in `run_examples'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:607:in `run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `block in run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `map'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `block in run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `map'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/example_group.rb:608:in `run'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'
     # ./vendor/bundle/ruby/3.0.0/gems/rspec-core-3.13.0/lib/rspec/core/runner.rb:121:in `map'

nrathaus commented 1 month ago

I have committed the changes as well as the rspec; I think we are ok with integration.

cgranleese-r7 commented 1 month ago

Tested against SMB, with the change I suggested above added locally.

password_spray=true

msf6 auxiliary(scanner/smb/smb_login) > rerun rhost=xxx.xxx.xxx.xxx user_file=username.txt pass_file=password.txt CreateSession=true verbose=true use_windows_authent=true tdsencryption=false password_spray=true
[*] Reloading module...
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session

[*] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Starting SMB login bruteforce
[+] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Success: '.\foo:password' Administrator
[*] SMB session 1 opened (xxx.xxx.xxx.xxx:60830 -> xxx.xxx.xxx.xxx:445) at 2024-04-19 12:58:45 +0100
[-] xxx.xxx.xxx.xxx:445   - 192.168.175.221:445 - Failed: '.\Administrator:password',
[+] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Success: '.\foobar:password' Administrator
[*] SMB session 2 opened (xxx.xxx.xxx.xxx:60833 -> xxx.xxx.xxx.xxx:445) at 2024-04-19 12:58:46 +0100
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password2',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password2',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password3',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password3',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:Password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:Password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:pass',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:pass',
[*] xxx.xxx.xxx.xxx:445   - Scanned 1 of 1 hosts (100% complete)
[*] xxx.xxx.xxx.xxx:445   - Bruteforce completed, 2 credentials were successful.
[*] xxx.xxx.xxx.xxx:445   - 2 SMB sessions were opened successfully.
[*] Auxiliary module execution completed

password_spray=false

msf6 auxiliary(scanner/smb/smb_login) > rerun rhost=xxx.xxx.xxx.xxx user_file=username.txt pass_file=password.txt CreateSession=true verbose=true use_windows_authent=true tdsencryption=false password_spray=false
[*] Reloading module...
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session

[*] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Starting SMB login bruteforce
[+] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Success: '.\foo:password' Administrator
[*] SMB session 3 opened (xxx.xxx.xxx.xxx:60849 -> xxx.xxx.xxx.xxx:445) at 2024-04-19 12:59:00 +0100
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password2',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:password3',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:Password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\Administrator:pass',
[+] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Success: '.\foobar:password' Administrator
[*] SMB session 4 opened (xxx.xxx.xxx.xxx:60856 -> xxx.xxx.xxx.xxx:445) at 2024-04-19 12:59:01 +0100
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password2',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:password3',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:Password1',
[-] xxx.xxx.xxx.xxx:445   - xxx.xxx.xxx.xxx:445 - Failed: '.\boo:pass',
[*] xxx.xxx.xxx.xxx:445   - Scanned 1 of 1 hosts (100% complete)
[*] xxx.xxx.xxx.xxx:445   - Bruteforce completed, 2 credentials were successful.
[*] xxx.xxx.xxx.xxx:445   - 2 SMB sessions were opened successfully.
[*] Auxiliary module execution completed

nrathaus commented 1 month ago

@cgranleese-r7 I added your suggestions - thank you for the review

cgranleese-r7 commented 1 month ago

Release Notes

Fixes an issue where the password_spray module option was being ignored.