chore(deps): bump golang.org/x/net from 0.53.0 to 0.55.0#287
Closed
dependabot[bot] wants to merge 49 commits into
Conversation
Plan for borrowing four high-value capabilities from Praetorian's Brutus: embedded SSH bad-keys bundle, pre-auth RDP recon (NLA fingerprint + sticky-keys backdoor scan), stdin pipeline auto-detection (naabu / fingerprintx / masscan JSON / Nerva URI / bare host:port), and five new database modules (Neo4j, Cassandra, CouchDB, Elasticsearch, InfluxDB). Includes SNMP wordlist tiering, inline cred pairs, and a brutespray-vs-others positioning table for the README. Single combined release PR off dev.
Output value types belong in their own file, not alongside orchestration logic. Also tighten BruteResult field assertions in result_test.go: add inline comments explaining intent and assert KeyMatch.CVE round-trips.
Add KeyMatch *brute.KeyMatch to AttemptResultMsg so the TUI success view can render [+] BADKEY lines for SSH bad-key matches. Populate it from result.KeyMatch in processCredential. Add tui/messages_test.go to verify the field round-trips correctly through the struct.
Remove the 52 keys from Rapid7's host/ directory (SSH server identity keys extracted from device firmware). These keys authenticate servers to clients and cannot be used as client identities in authorized_keys — every attempt would guarantee auth failure and waste connection slots. Retain only the 9 keys from Rapid7's authorized/ directory (plus the Vagrant key which was already among them) — these are actual client private keys confirmed present in real-world authorized_keys deployments. Prune metadata.yaml to match. Add SOURCES.md attributing the upstream repositories and explaining the host/ exclusion rationale.
Add a guard in Load() that returns an error if a key file embeds as zero bytes, catching corrupted or accidentally truncated vendored keys at startup rather than silently passing an empty slice to SSH auth. Rename Entry.Fingerprint to Entry.PEMHash with a clarifying comment: the field holds SHA-256 of the raw PEM file bytes, which differs from the OpenSSH-format fingerprint produced by `ssh-keygen -l -E sha256`. The old name implied the standard format, which would mislead callers. Tighten registry_test.go: exact-count assertion (9), new TestPEMHashIsHexSHA256 validating format of every entry's hash, and TestLoadIsDeterministic confirming stable ordering across two calls.
Adds --no-badkeys (skip the pre-pass) and --badkeys-only (pre-pass only, skip password list) flags, wires them through Config and WorkerPool, and injects BuildBadKeyCreds into ProcessHost before the regular credential loop.
…d errors When -u is a file path, os.Stat detects it so the bad-keys pre-pass uses each entry's metadata-suggested username instead of the literal path string. Bundle load failures now emit a warning to stderr rather than silently skipping. Adds NOTE comment on early return bypassing jobQueue close for future cleanup.
Both flags together silently produce no SSH attempts. Validate() now returns an error when both are set. Adds TestValidateRejectsContradictoryBadKeyFlags. Also applies gofmt alignment normalization to the Config struct.
Add FingerprintNLA to grdp client, wire local sibling via replace directive, and implement nlaFinding/ScanRDPRecon in brute/rdp.go.
…stic ScanRDPRecon now calls CaptureLogonScreen when NLA is not enforced, captures before/after PNG framebuffer snapshots around 5x Shift presses, and emits a CRITICAL finding when the after-snapshot looks like a cmd.exe console (>65% black, 2-15% white pixels in top-left 400x200 region) or an INFO/inconclusive finding when the screen changed but the console heuristic did not fire. Adds looksLikeCmdConsole, framebuffersDiffer, stickyKeysVerdict helpers and a unit-test file covering all verdict paths plus edge cases.
Add ParseMasscanJSON to ingest masscan -oJ output, and defaultServiceForPort helper for port-only parsers to resolve brutespray canonical service names. Closed and unmapped ports are filtered at parse time.
Adds gocql-backed Cassandra brute module, unit tests, and seed wordlists for username and password.
Adds opt-in SNMP community-string tiering: pass -m mode:default|extended|full to replace the per-credential community list with a cached, embedded tier wordlist (~20/~55/~92 strings). Default behavior (user+md5(password)) is unchanged when no mode param is set.
Register -c (short) and --creds (long) flags for supplying comma-separated user:pass pairs directly on the command line without a wordlist file. Pairs are fired first across all services before the regular credential loop; passwords containing colons are handled correctly by splitting on the first colon only. Adds ParseInlineCreds helper and four unit tests.
Insert How-brutespray-compares section with competitor feature matrix and update all "30+ protocols" claims to "40+" to reflect the 41 services now supported.
Add table rows for couchdb, elasticsearch, influxdb (stable) and neo4j, cassandra (beta) with their default ports and key notes. Update "30+ protocols" header to "40+".
Document the embedded SSH bad-key bundle (9 keys, CVE-tagged) with flag table and key inventory. Document the pre-auth RDP recon flow: NLA fingerprint classification and sticky-keys backdoor probe with all output variants.
Document the new JSONL record types emitted by pre-auth RDP recon (type:finding with severity/code fields) and SSH bad-key hits (type:badkey with vendor/CVE fields).
Document the three embedded SNMP community-string tiers (default/extended/full) selectable via -m mode:, including sizes and content categories for each tier.
Add flag table rows for --no-badkeys, --badkeys-only, --no-rdp-scan, and -c/--creds. Add Reading-targets-from-stdin subsection covering naabu, masscan, and fingerprintx pipeline examples.
New file documenting stdin pipeline integration with naabu, fingerprintx, and masscan. Covers all five auto-detected input formats and includes four example pipelines: credential brute-forcing, SSH bad-keys-only scan, and RDP recon with JSONL output.
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.53.0 to 0.55.0.
- [Commits](golang/net@v0.53.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Owner: @dependabot rebase

Owner: Bump already applied to dev via b735383. Closing.

Contributor (Author): OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps golang.org/x/net from 0.53.0 to 0.55.0.
Commits
- 7770ec4 go.mod: update golang.org/x dependencies
- 4ece7b6 html: escape greater-than symbol in doctype identifiers
- 08be507 html: improve Noah's Ark clause performance
- a8fb2fe html: properly render fostered elements in foreign content
- 0dc5b7a html: properly check namespace in "in body" any other end tag
- a452f3c html: ignore duplicate attributes during tokenization
- f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
- 210ed3c quic: establish a "happened-before" relationship between stream write and read
- ad8140e quic: fix buffer slicing when handling overlapping stream data
- 23ee2ef http2: avoid API changes when built with go1.27