search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
34.09k stars 13.96k forks source link

Unexpected PASSWORD_SPRAY and USER_AS_PASS Interaction #19525

Open jetbennett opened 1 month ago

jetbennett commented 1 month ago

Steps to reproduce

  1. use scanner/ssh/ssh_login
  2. set PASSWORD_SPRAY 1
  3. set USER_AS_PASS 1
  4. set USER_FILE ./usernames.txt
  5. set PASS_FILE ./passwords.txt
  6. set rhosts file:./targets.txt
  7. run

Expected behavior

If username.txt contains:

admin
root

And passwords.txt contains:

password

I expect the module to attempt the following credentials: admin:admin root:root admin:password root:password

Current behavior

Instead, makes the following attempts: password:password admin:password root:password

Metasploit version

6.4.20-dev

Additional Information

I believe the bug is related to the relatively recently implemented "PASSWORD_SPRAY" option.

Mathiou04 commented 3 weeks ago

I managed to reproduce the issue on my side, and created a PR that seem to fix it. I am not familiar with the different steps for issues here, looking at this basecode for the first time, so not sure what the next steps are. (maybe this bug needed more triaging? 😓 )