Add the DB_SKIP_EXISTING option to the AuthBrute mixin #15630
Note to self: the Creating Metasploit Framework LoginScanners and How to write a HTTP LoginScanner pages should be updated to call out that the new mixin method is the preferred way to initialize the
This updates existing modules that use the AuthBrute mixin to use the new build_credential_collection API to consistently handle the new option.
These modules should be using the `PrivateCredentialCollection`.
9f296a3 to e2beff1
Awesome job on this @smcintyre-r7. Great refactor, this cleans up a lot of copy and pasted code. I've tested the Auth Brute mixin against the three modules suggested in the description and they seem to be working as expected:
@smcintyre-r7 Gentle reminder about this comment:
I'll update the docs as described in that comment after the PR has been landed and everything's finalized. That way if there are any changes that need to be made I can just write the docs once 😄.
Release Notes: This adds the option `DB_SKIP_EXISTING` to the `AuthBrute` mixin to give users the option to skip credentials already in the database when performing brute force attacks.

This updates the `PrivateCredentialCollection` class to allow a filter callback to be defined on it. It needs to be a callback, because the `CredentialCollection` instance is often passed to another object that will blindly iterate over it. The other object (like a login scanner) should be unaware of the filter. The `AuthBrute` mixin is then updated to create the `CredentialCollection` using the new `build_credential_collection` method, which will check the datastore options and set the filter as appropriate.

Prior to this, all of the modules using the `AuthBrute` mixin were building their `CredentialCollection` instances themselves, which created a lot of redundant copy-pasta code. It also meant that it was up to the options to honor the `DB_ALL_*` datastore options that they had defined by including the `AuthBrute` mixin. This led to quite a few modules that appear to have been ignoring the options. All of the modules have been migrated to use the new mixin method. A few that were only brute-forcing passwords before the `PrivateCredentialCollection` was created were switched to using that. Modules that are using the `PrivateCredentialCollection` probably don't make sense to be filtered since there is no username field to filter on in the same way.

The new `DB_SKIP_EXISTING` option is an enum so it can be extended with other conditions in the future. Right now three are defined:

- `none` - Don't perform any filtering. This is the default value and retains the existing behavior.
- `user` - Filter out credentials when the username can be found in the database. This ignores the `realm` field.
- `user&realm` - Filter out credentials when the username and realm match a single object in the database.

Verification

`USERNAME`, `SMBUser` and `HttpUsername`. Need to make sure these didn't change.

- auxiliary/scanner/ssh/ssh_login
- auxiliary/scanner/smb/smb_login
- auxiliary/scanner/http/http_login

`creds -d`)

- `DB_SKIP_EXISTING` set to `user`

`VERBOSE` to `true` to see each individual attempt.

- `DB_SKIP_EXISTING` set to `user&realm`. See the expected results depending on the module. It will probably filter out the user, but it depends.

Example

In the following example, all three `DB_SKIP_EXISTING` cases are shown using the `auxiliary/scanner/ssh/ssh_login` module. The smcintyre user has a realm defined. The `ssh_login` module does not define a realm, so when the filtering is set to `user&realm` the smcintyre user is included because the realm the module is using is nil.
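The following is an added, self-contained Ruby model of the mechanism the PR describes; it is not Metasploit code and the class, method and datastore-handling names (`ToyCredentialCollection`, `ToyCredDb`, `build_toy_credential_collection`, `run_mode`) are assumptions chosen for illustration. It shows why the filter has to live on the collection as a callback (the consumer only calls `each`), maps the three `DB_SKIP_EXISTING` values to filters, and reproduces the nil-realm behaviour from the ssh_login example above: under `user&realm` a user stored with a realm is still attempted when the module's realm is nil.

```ruby
# Added example, not Metasploit Framework code. All names are illustrative.
# Models a credential collection whose filter is a callback, so a consumer
# that only iterates (like a login scanner) is unaware of the filtering.

require 'set'

Credential = Struct.new(:public, :private, :realm, keyword_init: true)

# Stand-in for the framework credential store. The two lookups mirror the
# two filtering conditions: username only, or username and realm together.
class ToyCredDb
  def initialize(rows)
    @rows = rows
  end

  def user_exists?(user)
    @rows.any? { |r| r[:user] == user }
  end

  def user_and_realm_exist?(user, realm)
    @rows.any? { |r| r[:user] == user && r[:realm] == realm }
  end
end

# Enumerates every user/password pair. The filter proc is applied inside
# `each`, so whoever iterates never sees skipped credentials.
class ToyCredentialCollection
  attr_accessor :filter

  def initialize(users:, passwords:, realm: nil)
    @users = users
    @passwords = passwords
    @realm = realm      # nil when the module defines no realm, as ssh_login
    @filter = nil
  end

  def each
    return enum_for(:each) unless block_given?
    @users.each do |u|
      @passwords.each do |p|
        cred = Credential.new(public: u, private: p, realm: @realm)
        next if @filter && !@filter.call(cred)
        yield cred
      end
    end
  end
end

# Shape of the mixin-style builder: read DB_SKIP_EXISTING from the datastore
# and attach the matching filter. Unknown values raise rather than silently
# disabling filtering.
def build_toy_credential_collection(datastore, db, users:, passwords:, realm: nil)
  coll = ToyCredentialCollection.new(users: users, passwords: passwords, realm: realm)
  case datastore.fetch('DB_SKIP_EXISTING', 'none')
  when 'none'
    # default: keep every credential
  when 'user'
    coll.filter = ->(c) { !db.user_exists?(c.public) }
  when 'user&realm'
    coll.filter = ->(c) { !db.user_and_realm_exist?(c.public, c.realm) }
  else
    raise ArgumentError, 'unsupported DB_SKIP_EXISTING value'
  end
  coll
end

# A consumer that only iterates, the way a login scanner would.
def attempted_users(coll)
  coll.each.map(&:public).uniq
end

# Constructed sample data: smcintyre is already stored with a realm,
# root is stored with no realm, admin is not in the database at all.
TOY_DB = ToyCredDb.new([
  { user: 'smcintyre', realm: 'EXAMPLE' },
  { user: 'root', realm: nil }
])
TOY_USERS = %w[root smcintyre admin]
TOY_PASSWORDS = %w[password toor]

# Returns the usernames a scanner would actually try for the given mode.
def run_mode(mode)
  coll = build_toy_credential_collection({ 'DB_SKIP_EXISTING' => mode }, TOY_DB,
                                         users: TOY_USERS, passwords: TOY_PASSWORDS)
  attempted_users(coll)
end

if __FILE__ == $PROGRAM_NAME
  %w[none user user&realm].each { |m| puts "#{m}: #{run_mode(m).inspect}" }
end
```

With `user`, both root and smcintyre are dropped because only the username is checked. With `user&realm`, the module's realm is nil: root (stored with a nil realm) is dropped, but smcintyre (stored under realm `EXAMPLE`) does not match and is still attempted, which is the behaviour the ssh_login example above describes.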