
v2.6.3

Latest


Released by @github-actions on 28 Jun 20:40
733bd8e

What's New in v2.6.3

New Feature: RDP Sticky-Keys Detection Hardening

  • Terminal-window detection — Replaced the cmd-specific looksLikeCmdConsole heuristic with broader detectTerminalWindow logic that detects terminal-shaped windows by pixel brightness delta and bounding-box rectangle fill, including cmd.exe black, PowerShell blue, and custom shell colors
  • Brutus-aligned algorithm — Detection approach adapted from Praetorian Brutus analyzeBackdoorResponse behavior, with attribution in code
  • Extended Left-Win scancode fix — github.com/x90skysn3k/grdp v1.0.4 fixes CaptureLogonScreen / TriggerWinU by sending Left-Win (0x5B) with KBDFLAGS_EXTENDED, preventing servers from interpreting it as numpad 0
  • Expanded RDP tests — Sticky-keys tests now cover cmd-style and PowerShell-style positive cases plus sparse repaint, full-screen repaint, and scattered-change negative cases
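The brightness-delta and rectangle-fill heuristic described above, as an added example: this is not the project's detectTerminalWindow code, and the thresholds, the constructed 200x120 "desktop" captures and the function names are assumptions made here. It runs the same five scenario classes the release's tests are described as covering (cmd-style and PowerShell-style positives; sparse repaint, full-screen repaint and scattered-change negatives) and shows why colour-agnostic detection works: only the magnitude of the luma change and the shape of the changed region are inspected.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
	"math"
)

// Thresholds are constructed for this example; the release does not publish its values.
const (
	deltaThreshold = 24.0 // per-pixel luma change that counts as "changed"
	minBoxFrac     = 0.05 // changed region must cover at least 5% of the screen
	maxBoxFrac     = 0.90 // and not (nearly) all of it: that is a full-screen repaint
	minFill        = 0.85 // changed pixels must fill their bounding box like a solid window
)

// luma converts a pixel to 8-bit grayscale (BT.601 weights).
func luma(c color.Color) float64 {
	r, g, b, _ := c.RGBA()
	return 0.299*float64(r>>8) + 0.587*float64(g>>8) + 0.114*float64(b>>8)
}

// DetectTerminalWindow compares two same-size captures and reports whether the
// pixels that changed form a filled, window-sized rectangle. Only |delta| matters,
// so black cmd.exe, blue PowerShell and custom shell colours all pass the same test.
func DetectTerminalWindow(before, after image.Image) (bool, image.Rectangle) {
	bounds := before.Bounds()
	if bounds != after.Bounds() || bounds.Empty() {
		return false, image.Rectangle{}
	}
	changed := 0
	var box image.Rectangle // zero value is empty; Union with it yields the other side
	for y := bounds.Min.Y; y < bounds.Max.Y; y++ {
		for x := bounds.Min.X; x < bounds.Max.X; x++ {
			if math.Abs(luma(after.At(x, y))-luma(before.At(x, y))) < deltaThreshold {
				continue
			}
			changed++
			box = box.Union(image.Rect(x, y, x+1, y+1))
		}
	}
	if changed == 0 {
		return false, box
	}
	screen := float64(bounds.Dx() * bounds.Dy())
	area := float64(box.Dx() * box.Dy())
	boxFrac := area / screen        // rejects sparse repaints (too small) and full repaints (too big)
	fill := float64(changed) / area // rejects scattered changes (large box, mostly unchanged)
	return boxFrac >= minBoxFrac && boxFrac <= maxBoxFrac && fill >= minFill, box
}

func paint(img *image.RGBA, r image.Rectangle, c color.Color) {
	for y := r.Min.Y; y < r.Max.Y; y++ {
		for x := r.Min.X; x < r.Max.X; x++ {
			img.Set(x, y, c)
		}
	}
}

// Scenario returns a constructed before/after pair for one named test case.
func Scenario(name string) (before, after *image.RGBA) {
	desktop := color.RGBA{200, 200, 200, 255}
	before = image.NewRGBA(image.Rect(0, 0, 200, 120))
	after = image.NewRGBA(image.Rect(0, 0, 200, 120))
	paint(before, before.Bounds(), desktop)
	paint(after, after.Bounds(), desktop)
	black := color.RGBA{0, 0, 0, 255}
	psBlue := color.RGBA{1, 36, 86, 255}
	switch name {
	case "cmd": // positive: black 100x60 window
		paint(after, image.Rect(40, 20, 140, 80), black)
	case "powershell": // positive: same window, PowerShell blue
		paint(after, image.Rect(40, 20, 140, 80), psBlue)
	case "sparse": // negative: a 4x4 cursor blink
		paint(after, image.Rect(10, 10, 14, 14), black)
	case "fullscreen": // negative: whole screen repainted
		paint(after, after.Bounds(), black)
	case "scattered": // negative: 60 isolated pixels spread over the screen
		for i := 0; i < 60; i++ {
			paint(after, image.Rect(i*3, (i*7)%120, i*3+1, (i*7)%120+1), black)
		}
	}
	return before, after
}

// Classify runs the detector over a named scenario.
func Classify(name string) bool {
	before, after := Scenario(name)
	ok, _ := DetectTerminalWindow(before, after)
	return ok
}

func main() {
	for _, s := range []string{"cmd", "powershell", "sparse", "fullscreen", "scattered"} {
		fmt.Printf("%-11s terminal=%v\n", s, Classify(s))
	}
}
```

Real logon-screen captures carry text and window chrome, so the fill ratio is tuned below 1.0; the values above are a starting point to calibrate against captures from the RDP servers actually in scope, not a published constant.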

New Feature: Wordlist Research Provider + Quality Gates

  • OpenAI-compatible research provider — wordlist research now supports OpenAI-compatible endpoints such as vLLM through WORDLIST_RESEARCH_PROVIDER, WORDLIST_RESEARCH_MODEL, and WORDLIST_RESEARCH_URL, while preserving Ollama defaults/fallbacks
  • Monthly wordlist workflow hardening — The scheduled wordlist update workflow now has stricter merge/research quality gates and improved report artifacts
  • Manifest validation — Embedded wordlist manifests are now validated for generated metadata, seasonal range ordering, alias resolution, and all base/layer/service wordlist references
  • Packaging guidance — docs/wordlists.md now documents downstream packaging expectations for embedded wordlists and local manifest fallbacks

New Feature: Attempt Status Taxonomy

  • Stable status codes — Attempts now carry machine-readable statuses such as auth_success, auth_failure, connection_failure, unsupported_service, module_timeout, module_panic_recovered, and skipped_service
  • Backward compatible — Existing AuthSuccess and ConnectionSuccess behavior is preserved; statuses add a stable reason layer for output, retry, debug, and resume paths
  • Status propagation — Status codes flow through JSONL output, session logs, TUI attempt messages, and TUI session replay

New Feature: Module Boundary Protection

  • Panic recovery — A panicking protocol module no longer crashes the entire run; the attempt is recorded as module_panic_recovered
  • Timeout containment — Modules that ignore timeout no longer block host completion forever; the attempt is recorded as module_timeout
  • Nil result handling — Bad module returns are classified as connection failures instead of causing ambiguous behavior
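The status taxonomy and the module boundary together, as an added example written for this page rather than taken from the project: the status strings are the ones listed above, but the Module, Result and Attempt types, the legacy status wording and the hypothetical modules are assumptions. RunAttempt shows the three containment cases (a recovered panic, a module that ignores its context, a nil return) each landing on a distinct status_code while the legacy fields are still populated, and JSONL shows the additive encoding.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"time"
)

// Status codes from the release notes; the surrounding types are assumptions.
const (
	StatusAuthSuccess          = "auth_success"
	StatusAuthFailure          = "auth_failure"
	StatusConnectionFailure    = "connection_failure"
	StatusModuleTimeout        = "module_timeout"
	StatusModulePanicRecovered = "module_panic_recovered"
)

// Result is what a hypothetical protocol module returns for one credential.
type Result struct{ ConnectionSuccess, AuthSuccess bool }

// Module may panic, ignore ctx, or return nil; the boundary must survive all three.
type Module func(ctx context.Context, host, user, pass string) *Result

// Attempt is the JSONL record: the legacy fields stay, status_code is additive.
type Attempt struct {
	Host              string `json:"host"`
	User              string `json:"user"`
	ConnectionSuccess bool   `json:"connection_success"`
	AuthSuccess       bool   `json:"auth_success"`
	Status            string `json:"status"`      // legacy free-text status
	StatusCode        string `json:"status_code"` // stable machine-readable reason
	Error             string `json:"error,omitempty"`
}

type outcome struct {
	res      *Result
	panicked interface{}
}

// RunAttempt calls m inside a panic and timeout boundary and classifies the outcome.
func RunAttempt(m Module, timeout time.Duration, host, user, pass string) Attempt {
	a := Attempt{Host: host, User: user}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	done := make(chan outcome, 1) // buffered: a late result never blocks the module goroutine
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- outcome{panicked: r}
			}
		}()
		done <- outcome{res: m(ctx, host, user, pass)}
	}()
	select {
	case <-ctx.Done(): // module ignored ctx: abandon it so the host queue keeps moving
		a.Status, a.StatusCode, a.Error = "timeout", StatusModuleTimeout, ctx.Err().Error()
	case o := <-done:
		switch {
		case o.panicked != nil:
			a.Status, a.StatusCode = "error", StatusModulePanicRecovered
			a.Error = fmt.Sprintf("recovered panic: %v", o.panicked)
		case o.res == nil: // bad module return is a connection failure, not an unknown
			a.Status, a.StatusCode, a.Error = "failed", StatusConnectionFailure, "module returned nil result"
		case !o.res.ConnectionSuccess:
			a.Status, a.StatusCode = "failed", StatusConnectionFailure
		case o.res.AuthSuccess:
			a.ConnectionSuccess, a.AuthSuccess = true, true
			a.Status, a.StatusCode = "success", StatusAuthSuccess
		default:
			a.ConnectionSuccess = true
			a.Status, a.StatusCode = "failed", StatusAuthFailure
		}
	}
	return a
}

// JSONL encodes one attempt as a single JSON line.
func JSONL(a Attempt) string {
	b, _ := json.Marshal(a)
	return string(b)
}

// Constructed modules, one per boundary case.
var (
	goodModule Module = func(_ context.Context, _, _, pass string) *Result {
		return &Result{ConnectionSuccess: true, AuthSuccess: pass == "Winter2025!"}
	}
	panicModule Module = func(context.Context, string, string, string) *Result { panic("nil deref in handshake") }
	stuckModule Module = func(context.Context, string, string, string) *Result {
		time.Sleep(500 * time.Millisecond) // ignores ctx entirely
		return &Result{ConnectionSuccess: true}
	}
	nilModule Module = func(context.Context, string, string, string) *Result { return nil }
)

func main() {
	cases := []struct {
		m    Module
		pass string
	}{{goodModule, "Winter2025!"}, {goodModule, "wrong"}, {panicModule, "x"}, {stuckModule, "x"}, {nilModule, "x"}}
	for _, c := range cases {
		fmt.Println(JSONL(RunAttempt(c.m, 50*time.Millisecond, "10.0.0.5", "admin", c.pass)))
	}
}
```

The timeout branch does not kill the stuck goroutine (Go cannot), it only stops waiting for it; a module that really ignores cancellation still leaks a goroutine and a socket until it returns on its own, which is why the release pairs this with per-host completion rather than promising the module itself stops.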

New Feature: Scheduling, Skip Policy, and Resume Controls

  • Connection skip policy — New --skip-policy auto|off|conservative|aggressive and --max-conn-fails controls tune when repeated connection failures skip a host/service. auto preserves prior behavior: enabled in spray mode only
  • Deterministic queue modes — New --schedule auto|host-major|spray|pairwise selects credential queue order. Exact observed output order still requires single-worker execution (-t 1 -T 1) because attempts run concurrently
  • Granular resume cursor — Checkpoint resume now uses a count-based per-host cursor to skip already-attempted queue prefixes on partially completed hosts. Retry recovery attempts do not advance the base cursor
  • Retry progress accounting — Legacy and TUI progress now separate base combinations from retry attempts, avoiding misleading totals such as 2/1 combinations tested
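The queue ordering, the count-based per-host cursor and the base/retry split above, as an added example that is not the project's scheduler: host-major and spray are modelled as described, pairwise is left out because the notes do not define it, and the Cred, Job, Checkpoint and Progress types are assumptions. The cursor only advances over a contiguous attempted prefix, so completions arriving out of order under concurrency cannot cause a resumed run to skip an untried combination, and retry attempts never advance it.

```go
package main

import "fmt"

// Cred, Job, Checkpoint and Progress are assumptions for this example.
type Cred struct{ User, Pass string }

// Job is one host/credential combination; Index is its position in the host's
// credential order, which is what the resume cursor counts.
type Job struct {
	Host  string
	Cred  Cred
	Index int
}

// BuildQueue produces a deterministic attempt order. "host-major" finishes one
// host before the next; "spray" tries one credential against every host before
// moving to the next credential. ("pairwise" is not modelled here.)
func BuildQueue(mode string, hosts []string, creds []Cred) []Job {
	var q []Job
	switch mode {
	case "spray":
		for i, c := range creds {
			for _, h := range hosts {
				q = append(q, Job{h, c, i})
			}
		}
	default: // host-major
		for _, h := range hosts {
			for i, c := range creds {
				q = append(q, Job{h, c, i})
			}
		}
	}
	return q
}

// Checkpoint keeps a count-based cursor per host: the length of the contiguous
// prefix of that host's credential order that has already been attempted.
type Checkpoint struct {
	Cursor  map[string]int
	pending map[string]map[int]bool // completions that arrived out of order
}

func NewCheckpoint() *Checkpoint {
	return &Checkpoint{Cursor: map[string]int{}, pending: map[string]map[int]bool{}}
}

// Record notes a finished attempt. Retry recovery attempts never move the
// cursor, so a resumed run cannot skip a combination that only ever retried.
func (cp *Checkpoint) Record(j Job, retry bool) {
	if retry {
		return
	}
	if cp.pending[j.Host] == nil {
		cp.pending[j.Host] = map[int]bool{}
	}
	cp.pending[j.Host][j.Index] = true
	for cp.pending[j.Host][cp.Cursor[j.Host]] { // advance over the contiguous prefix only
		delete(cp.pending[j.Host], cp.Cursor[j.Host])
		cp.Cursor[j.Host]++
	}
}

// Resume drops every job that falls inside a host's already-attempted prefix.
func Resume(q []Job, cp *Checkpoint) []Job {
	var out []Job
	for _, j := range q {
		if j.Index >= cp.Cursor[j.Host] {
			out = append(out, j)
		}
	}
	return out
}

// Progress keeps base combinations and retries apart so the summary can never
// read "2/1 combinations tested".
type Progress struct{ Base, Total, Retries int }

func (p Progress) String() string {
	return fmt.Sprintf("%d/%d combinations tested (+%d retries)", p.Base, p.Total, p.Retries)
}

func main() {
	hosts := []string{"10.0.0.5", "10.0.0.6"}
	creds := []Cred{{"admin", "admin"}, {"admin", "Winter2025!"}, {"root", "toor"}}
	q := BuildQueue("spray", hosts, creds)
	cp := NewCheckpoint()
	cp.Record(q[0], false) // 10.0.0.5 credential 0 attempted
	cp.Record(q[2], false) // 10.0.0.5 credential 1 attempted: cursor becomes 2
	cp.Record(q[1], true)  // retry against 10.0.0.6: cursor stays 0
	fmt.Println(Progress{Base: 2, Total: len(q), Retries: 1})
	for _, j := range Resume(q, cp) {
		fmt.Printf("%s %s:%s\n", j.Host, j.Cred.User, j.Cred.Pass)
	}
}
```

With -t 1 -T 1 the recorded order equals the queue order and the pending map is never used; under concurrency it is what keeps the cursor honest.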

New Feature: Operator Diagnostics

  • Redacted debug audit log — --debug-audit and --debug-file write per-attempt JSONL diagnostics with passwords redacted and credential substrings scrubbed from error text
  • Route diagnostics — --route-diagnostics prints selected local/source route information per target, including interface, bound local IP, and proxy context when configured. This mode disables TUI so diagnostics remain visible
  • Module help introspection — --module-help <service|all> prints default port, credential mode, common module params, and wrapper gating information

Output

  • JSONL attempts now include additive status_code while retaining legacy status
  • Session log attempt entries now carry status for replay/resume visibility
  • TUI attempt events now carry status and retry progress separately
  • Final legacy progress output reports retry attempts as a suffix instead of adding them to base combinations

Security

  • Redaction by default for debug audit — Debug audit output never writes raw passwords and scrubs credential substrings from error messages before encoding
  • Wrapper remains gated — Module help explicitly calls out wrapper requiring --allow-wrapper
  • govulncheck clean on the release workflow for current dependencies
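The redaction rule behind the debug audit log (the Operator Diagnostics bullet above and the first Security bullet), as an added example that is not the project's own code: the AuditRecord schema, the [REDACTED] marker and the sample error text are assumptions constructed here. It goes one step beyond the notes by also scrubbing the URL-escaped and HTTP Basic base64 forms of the credentials, since libraries often echo those rather than the raw string, and it guards the empty-secret case, where a naive strings.ReplaceAll would insert the marker between every character.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"net/url"
	"sort"
	"strings"
)

// AuditRecord is a hypothetical per-attempt debug line; the field set is an
// assumption for this example, not the project's schema.
type AuditRecord struct {
	Host     string `json:"host"`
	Service  string `json:"service"`
	User     string `json:"user"`
	Password string `json:"password"`
	Error    string `json:"error,omitempty"`
}

const redacted = "[REDACTED]"

// variants lists the forms a credential commonly takes inside library error text.
func variants(s string) []string {
	return []string{s, url.QueryEscape(s), url.PathEscape(s)}
}

// Redact never lets the raw password reach the encoder and scrubs every
// credential substring from the error text before JSON encoding, so escaping
// cannot hide a match.
func Redact(r AuditRecord) AuditRecord {
	secrets := append(variants(r.Password), variants(r.User)...)
	if r.User != "" || r.Password != "" {
		// HTTP Basic form, as echoed by some clients in 401 errors.
		secrets = append(secrets, base64.StdEncoding.EncodeToString([]byte(r.User+":"+r.Password)))
	}
	// Longest first: if the username is a substring of the password, the
	// password is replaced whole instead of being split around a user token.
	sort.Slice(secrets, func(i, j int) bool { return len(secrets[i]) > len(secrets[j]) })
	for _, s := range secrets {
		if s == "" {
			continue // ReplaceAll("", ...) would insert the marker between every rune
		}
		r.Error = strings.ReplaceAll(r.Error, s, redacted)
	}
	r.Password = redacted // unconditional: the audit line never carries the raw value
	return r
}

// AuditLine is the JSONL record that would be appended to the --debug-file.
func AuditLine(r AuditRecord) (string, error) {
	b, err := json.Marshal(Redact(r))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Sample is a constructed record whose error text leaks the credential in three forms.
func Sample() AuditRecord {
	user, pass := "admin", "Winter2025!"
	basic := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
	return AuditRecord{
		Host: "10.0.0.5", Service: "ssh", User: user, Password: pass,
		Error: "handshake failed for ssh://" + user + ":" + url.PathEscape(pass) + "@10.0.0.5:22 " +
			"(fallback http 401, sent Authorization: Basic " + basic + ")",
	}
}

func main() {
	line, err := AuditLine(Sample())
	if err != nil {
		panic(err)
	}
	println(line)
}
```

Short usernames will over-scrub unrelated words in the error text; that is the safe direction for a file that may be attached to a ticket, and the user field itself is kept so the attempt stays attributable.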

Dependency Updates

  • github.com/x90skysn3k/grdp v1.0.3 → v1.0.4
  • github.com/jlaffaye/ftp v0.2.0 → v0.2.1
  • golang.org/x/crypto v0.52.0 → v0.53.0
  • golang.org/x/net v0.55.0 → v0.56.0
  • golang.org/x/term v0.43.0 → v0.44.0
  • actions/checkout v6 → v7
  • actions/setup-go v6.4.0 → v6.5.0
  • docker/metadata-action v6.0.0 → v6.1.0
  • docker/setup-qemu-action v4.0.0 → v4.1.0

CI / Tooling

  • GoReleaser workflow uses pinned actions/checkout and actions/setup-go major updates
  • govulncheck workflow uses a patched Go toolchain
  • Wordlist-update workflow adds safer defaults, report artifacts, and pull-request automation hardening
  • Local release validation passed go test ./... -count=1, golangci-lint, go build ./..., go vet ./..., and race tests before tagging

Documentation

  • docs/wordlists.md — downstream packaging guidance, vLLM/OpenAI-compatible research provider notes, and manifest validation expectations
  • PR/release notes now document deterministic queue scheduling, skip policy, debug audit, route diagnostics, and module-help behavior

Full Changelog: v2.6.2...v2.6.3