Release v2.6.2 · x90skysn3k/brutespray

What's New in v2.6.2

Embedded ssh-badkeys bundle — Vendored snapshot of Rapid7's ssh-badkeys corpus plus the HashiCorp Vagrant insecure key and per-vendor defaults (F5 BIG-IP, ExaGrid, Barracuda, Ceragon FibeAir, Array Networks, Loadbalancer.org, Quantum DXi, Monroe DASDEC). Compiled into the binary — no external files
CVE-tagged metadata — Each key paired with its known-default username and CVE identifier; successful matches emit a BADKEY line (text mode) or type:badkey JSONL record with vendor + CVE
Opt-out / opt-in only — --no-badkeys skips the pre-pass; --badkeys-only runs the pre-pass and skips password attempts entirely. Mutually exclusive flag validation

NLA fingerprint (brute.ScanRDPRecon) — TCP-only X.224 RDPneg probe classifies NLA enforcement (NLARequired, NLAHybridEx, NLANotEnforced) without authentication
Sticky-keys backdoor probe — When NLA is not enforced, connects to the GINA logon screen, sends 5× Shift, snapshots framebuffer before/after, and runs a cmd.exe-console heuristic to detect the sticky-keys backdoor (sethc.exe / utilman.exe replaced with cmd.exe)
--no-rdp-scan disables both probes
Findings flow through normal output channels — text, JSONL (type:finding), and the new TUI Findings tab

Auto-detect — When -f is unset, no -H is supplied, and stdin is a pipe, brutespray reads targets from stdin and classifies the format: naabu line (host:port), Nerva URI (scheme://host:port), Nerva JSON, fingerprintx JSON, or masscan JSON
Masscan -oJ ingestion — Decode masscan's JSON array, filter open ports, map ports → services via the canonical default-port table
Slots brutespray into modern recon chains: naabu | fingerprintx | brutespray or masscan -oJ - | brutespray --badkeys-only

CouchDB (port 5984) — HTTP _session form auth. Stable
Elasticsearch (port 9200) — HTTP basic auth on /_cluster/health. Stable
InfluxDB (port 8086) — v2 token by default; -m mode:v1 for InfluxDB 1.x basic auth. Stable
Neo4j (port 7687) — Bolt v5 protocol via neo4j-go-driver/v5. Beta
Cassandra (port 9042) — CQL native protocol with PasswordAuthenticator. Beta
Service count: 36 → 41

-m mode:default|extended|full — Replaces per-attempt community strings with a curated embedded tier list (20 / 55 / 92 entries). full adds SCADA controllers, IP camera defaults, and storage-array defaults
Default behavior unchanged when -m mode is omitted (legacy -u / -p as community pair)

-c, --creds 'user:pass,user2:pass2' — Pass credential pairs inline without a file; splits on the first colon per pair so colons in passwords survive

New Finding and KeyMatch fields on BruteResult propagate through the dispatcher, output layer (text + JSONL), and TUI event bus
New Findings TUI tab populated from pre-auth recon, color-coded by severity (INFO/WARN/HIGH/CRITICAL)

golang.org/x/crypto v0.50.0 → v0.52.0 — Fixes 5 CVEs in golang.org/x/crypto/ssh (server-deadlock and byte-arithmetic panics) reachable from the new bad-keys attemptBadKey path
govulncheck clean on all dependencies

github.com/x90skysn3k/grdp v1.0.2 → v1.0.3 (adds FingerprintNLA + CaptureLogonScreen)
golang.org/x/crypto v0.50.0 → v0.52.0
golang.org/x/net v0.53.0 → v0.55.0
github.com/go-sql-driver/mysql v1.9.3 → v1.10.0
goreleaser/goreleaser-action v7.2.1 → v7.2.2
docker/login-action v4.1.0 → v4.2.0
docker/setup-buildx-action v4.0.0 → v4.1.0
docker/build-push-action v7.1.0 → v7.2.0
actions/dependency-review-action v4.9.0 → v5.0.0
New direct dependencies: github.com/neo4j/neo4j-go-driver/v5, github.com/gocql/gocql, gopkg.in/yaml.v3, golang.org/x/term

Seed user/password lists added for each new DB module (couchdb, elasticsearch, influxdb)
Three new SNMP community-string tier files compiled into the binary

Full Changelog: v2.6.1...v2.6.2