Skip to content

Auth_Brute mixin: Add report_host/report_service & remove dup IP:PORT#21396

Merged
jheysel-r7 merged 2 commits into
rapid7:masterfrom
g0tmi1k:auth_brute_mixin
Jun 22, 2026
Merged

Auth_Brute mixin: Add report_host/report_service & remove dup IP:PORT#21396
jheysel-r7 merged 2 commits into
rapid7:masterfrom
g0tmi1k:auth_brute_mixin

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

The idea of this PR to update the authbrute force mixin, so each module doesn't need to be udpated to support being able to detect if a host is up, but the service attacking isn't on the target.

Example:

  • 10.0.0.1 is attacker, without service.
  • 10.0.0.10 is target, with service.

Both now are in hosts, without having to update any modules. Doing it via mixin.

Before

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > git checkout
[*] exec: git checkout

Your branch is up to date with 'origin/master'.
msf > use exec_login

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/rservices/rexec_login  .                normal  No     rexec Authentication Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/rservices/rexec_login

[*] Using auxiliary/scanner/rservices/rexec_login
msf auxiliary(scanner/rservices/rexec_login) > options

Module options (auxiliary/scanner/rservices/rexec_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   CreateSession     true             no        Create a new session for every successful login
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   ENABLE_STDERR     false            yes       Enables connecting the stderr port
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS            10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             512              yes       The target port (TCP)
   STDERR_PORT                        no        The port to listen on for stderr
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/rservices/rexec_login) > set RHOST 10.0.0.1 10.0.0.10
RHOST => 10.0.0.1 10.0.0.10
msf auxiliary(scanner/rservices/rexec_login) > set USERNAME foo
USERNAME => foo
msf auxiliary(scanner/rservices/rexec_login) > set PASSWORD bar
PASSWORD => bar
msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.1:512          - 10.0.0.1:512 - Starting rexec sweep
[*] 10.0.0.1:512          - 10.0.0.1:512 - Attempting rexec with username:password 'foo':'bar'
[*] Scanned 1 of 2 hosts (50% complete)
[*] 10.0.0.10:512         - 10.0.0.10:512 - Starting rexec sweep
[*] 10.0.0.10:512         - 10.0.0.10:512 - Attempting rexec with username:password 'foo':'bar'
[-] 10.0.0.10:512         - 10.0.0.10:512         - [1/1] - Result: Where are you?
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/rservices/rexec_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/rservices/rexec_login) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  512   tcp    exec  open         {}

msf auxiliary(scanner/rservices/rexec_login) >

After

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > git checkout
[*] exec: git checkout

Your branch is up to date with 'origin/auth_brute_mixin'.
msf > use exec_login

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/rservices/rexec_login  .                normal  No     rexec Authentication Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/rservices/rexec_login

[*] Using auxiliary/scanner/rservices/rexec_login
msf auxiliary(scanner/rservices/rexec_login) > set RHOST 10.0.0.1 10.0.0.10
RHOST => 10.0.0.1 10.0.0.10
msf auxiliary(scanner/rservices/rexec_login) > set USERNAME foo
USERNAME => foo
msf auxiliary(scanner/rservices/rexec_login) > set PASSWORD bar
PASSWORD => bar
msf auxiliary(scanner/rservices/rexec_login) > options

Module options (auxiliary/scanner/rservices/rexec_login):

   Name              Current Setting     Required  Description
   ----              ---------------     --------  -----------
   ANONYMOUS_LOGIN   false               yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false               no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                   yes       How fast to bruteforce, from 0 to 5
   CreateSession     true                no        Create a new session for every successful login
   DB_ALL_CREDS      false               no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false               no        Add all passwords in the current database to the list
   DB_ALL_USERS      false               no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   ENABLE_STDERR     false               yes       Enables connecting the stderr port
   PASSWORD          bar                 no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   RHOSTS            10.0.0.1 10.0.0.10  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             512                 yes       The target port (TCP)
   STDERR_PORT                           no        The port to listen on for stderr
   STOP_ON_SUCCESS   false               yes       Stop guessing when a credential works for a host
   THREADS           1                   yes       The number of concurrent threads (max one per host)
   USERNAME          foo                 no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false               no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VERBOSE           true                yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf auxiliary(scanner/rservices/rexec_login) > run
[*] 10.0.0.1:512          - 10.0.0.1:512 - Starting rexec sweep
[*] 10.0.0.1:512          - 10.0.0.1:512 - Attempting rexec with username:password 'foo':'bar'
[-] 10.0.0.1:512          - 10.0.0.1:512          - [1/1] - Connection refused
[*] Scanned 1 of 2 hosts (50% complete)
[*] 10.0.0.10:512         - 10.0.0.10:512 - Starting rexec sweep
[*] 10.0.0.10:512         - 10.0.0.10:512 - Attempting rexec with username:password 'foo':'bar'
[-] 10.0.0.10:512         - 10.0.0.10:512         - [1/1] - Result: Where are you?
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/rservices/rexec_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  2      1         0      0      0      0

msf auxiliary(scanner/rservices/rexec_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.1
10.0.0.10             Unknown                    device

msf auxiliary(scanner/rservices/rexec_login) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  512   tcp    exec  open         {}

msf auxiliary(scanner/rservices/rexec_login) >

@g0tmi1k g0tmi1k changed the title auth_brute: Add report_host & report_service auth_brute fix mixin: Add report_host (if service down) & report_service (auto, if service up) May 4, 2026
@g0tmi1k g0tmi1k force-pushed the auth_brute_mixin branch 4 times, most recently from 7a66394 to a1ef429 Compare May 12, 2026 05:34
@g0tmi1k g0tmi1k force-pushed the auth_brute_mixin branch from a1ef429 to 12819d6 Compare May 19, 2026 15:14
@g0tmi1k g0tmi1k force-pushed the auth_brute_mixin branch from 12819d6 to 2efc17c Compare May 20, 2026 08:47
@g0tmi1k

g0tmi1k commented May 20, 2026

Copy link
Copy Markdown
Contributor Author

Before

$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
$
$ ./msfconsole -q -x 'workspace -D; set VERBOSE true;
use auxiliary/scanner/smb/smb_login;
set RHOSTS 10.0.0.10;
set ANONYMOUS_LOGIN true; set BLANK_PASSWORDS true; set USER_AS_PASS true;
set USERNAME msfadmin; set PASSWORD incorrect;
run'
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
RHOSTS => 10.0.0.10
ANONYMOUS_LOGIN => true
BLANK_PASSWORDS => true
USER_AS_PASS => true
USERNAME => msfadmin
PASSWORD => incorrect
[*] 10.0.0.10:445         - 10.0.0.10:445         - Starting SMB login bruteforce
[+] 10.0.0.10:445         - 10.0.0.10:445         - Success: '.\:' Guest
[-] 10.0.0.10:445         - 10.0.0.10:445         - Failed: '.\msfadmin:incorrect',
[-] 10.0.0.10:445         - 10.0.0.10:445         - Failed: '.\msfadmin:msfadmin',
[-] 10.0.0.10:445         - 10.0.0.10:445         - Failed: '.\msfadmin:',
[*] 10.0.0.10:445         - Scanned 1 of 1 hosts (100% complete)
[*] 10.0.0.10:445         - Bruteforce completed, 1 credential was successful.
[*] 10.0.0.10:445         - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) >

After

$ git status
On branch auth_brute_mixin
Your branch is up to date with 'origin/auth_brute_mixin'.

nothing to commit, working tree clean
$
$ ./msfconsole -q -x 'workspace -D; set VERBOSE true;
use auxiliary/scanner/smb/smb_login;
set RHOSTS 10.0.0.10;
set ANONYMOUS_LOGIN true; set BLANK_PASSWORDS true; set USER_AS_PASS true;
set USERNAME msfadmin; set PASSWORD incorrect;
run'
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
RHOSTS => 10.0.0.10
ANONYMOUS_LOGIN => true
BLANK_PASSWORDS => true
USER_AS_PASS => true
USERNAME => msfadmin
PASSWORD => incorrect
[*] 10.0.0.10:445         - Starting SMB login bruteforce
[+] 10.0.0.10:445         - Success: '.\:' Guest
[-] 10.0.0.10:445         - Failed: '.\msfadmin:incorrect',
[-] 10.0.0.10:445         - Failed: '.\msfadmin:msfadmin',
[-] 10.0.0.10:445         - Failed: '.\msfadmin:',
[*] 10.0.0.10:445         - Scanned 1 of 1 hosts (100% complete)
[*] 10.0.0.10:445         - Bruteforce completed, 1 credential was successful.
[*] 10.0.0.10:445         - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) >

@g0tmi1k

g0tmi1k commented May 20, 2026

Copy link
Copy Markdown
Contributor Author

Think I've finished tweaking with this PR!

@g0tmi1k g0tmi1k changed the title auth_brute fix mixin: Add report_host (if service down) & report_service (auto, if service up) auth_brute fix mixin: Add report_host/report_service & remove dup IP:PORT May 20, 2026
@g0tmi1k g0tmi1k changed the title auth_brute fix mixin: Add report_host/report_service & remove dup IP:PORT Auth_Brute mixin: Add report_host/report_service & remove dup IP:PORT May 20, 2026
@g0tmi1k

g0tmi1k commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

Think I've finished tweaking with this PR!

Comment thread lib/msf/core/auxiliary/auth_brute.rb
@jheysel-r7 jheysel-r7 self-assigned this Jun 9, 2026
@jheysel-r7 jheysel-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Jun 9, 2026
@g0tmi1k g0tmi1k requested a review from jheysel-r7 June 15, 2026 13:49
@adisetia0902-eng

Copy link
Copy Markdown

Metasploit

@jheysel-r7 jheysel-r7 moved this from Waiting on Contributor to Waiting on Review in Metasploit Kanban Jun 15, 2026
@github-project-automation github-project-automation Bot moved this from Waiting on Review to In Progress in Metasploit Kanban Jun 22, 2026
@jheysel-r7 jheysel-r7 merged commit 81648e6 into rapid7:master Jun 22, 2026
52 of 53 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Jun 22, 2026
@jheysel-r7

Copy link
Copy Markdown
Contributor

Release Notes

This makes improvements to the auth_brute mixin. It adds report_host and report_service calls to the mixin and removes duplicate printing of IP:PORT in the print_brute statements.

@jheysel-r7 jheysel-r7 added enhancement rn-enhancement release notes enhancement labels Jun 22, 2026
@g0tmi1k g0tmi1k deleted the auth_brute_mixin branch June 23, 2026 09:05
@g0tmi1k

g0tmi1k commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Wooo! Thanks @jheysel-r7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement rn-enhancement release notes enhancement

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

4 participants