ssh_brute module may generate false positives due to empty success regex

[berardifra]

While reviewing the SSH brute force module, I noticed a logic issue that may lead to false positive results.

In modules/brute/ssh.yaml, the successful_login condition is defined with an empty regex:

response:
  condition_type: or
  conditions:
    successful_login:
      regex: ''
      reverse: false

An empty regex matches any response, meaning failed authentication attempts, errors, or banners could be interpreted as successful logins.

Impact:
• False positives in SSH brute force scans
• Misleading output for users
• Unreliable detection of successful authentication

Suggestions:
• Define a proper success pattern (if exposed by the SSH library)
• Or remove/disable the success condition until a reliable indicator is available
• Or document the limitation explicitly

Environment:
• OS: macOS
• Module: modules/brute/ssh.yaml

Related issues:

• Nettacker ssh_brute module detects SSH port but no success output despite valid credentials #1165 (ssh_brute does not report successful login)
• ssh_brute module detects target but shows no success events despite valid credentials #1166 (ssh_brute detects SSH but no success events)

This issue focuses specifically on a logic/configuration problem in the module definition that may contribute to unreliable results.

Found during manual review of modules.

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and prompts that you can use with your favorite coding agent.

• Create Plan

Examples

• Example 1
• Example 2

🔗 Similar Issues

Related Issues

• ssh_brute module detects target but shows no success events despite valid credentials #1166
• Nettacker ssh_brute module detects SSH port but no success output despite valid credentials #1165
• Refactor: Mislabeled 'scan' tag on 5 'vuln' modules #1161

👤 Suggested Assignees

• 08062003
• prbhtkumr

---

🧪 Issue enrichment is currently in early access.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

[Aarush289]

@berardifra Please go through the closed issue #1166 , I have tested the ssh_module with all possible combinations , I have used username and password lists with wrong as well as right credentials and it worked perfectly fine and results were as expected without any false positives , so I would request you to test it rigorously and if you come across any such issue , please attach that .

[berardifra]

@berardifra Please go through the closed issue #1166 , I have tested the ssh_module with all possible combinations , I have used username and password lists with wrong as well as right credentials and it worked perfectly fine and results were as expected without any false positives , so I would request you to test it rigorously and if you come across any such issue , please attach that .

Thanks for checking and for the detailed feedback.

I agree that in many scenarios the module works as expected, and I’m not claiming that ssh_brute always produces false positives.

My concern was mainly about robustness and long-term reliability: the current success detection logic can rely on conditions that are too permissive, which may behave differently depending on SSH server behavior, library responses, or future changes.

That’s why my PR focuses on strengthening the success condition at the code level (transport validation, stricter return logic, better error handling), rather than changing the external behavior or interface of the module.

I’ve tested the module locally against OpenSSH on 127.0.0.1 with:

• valid single credentials
• invalid credentials
• mixed username/password attempts

Results matched expectations in both cases.

If you have specific test scenarios or environments where you think this change could be unnecessary or problematic, I’d be happy to test and adjust accordingly.