v2.6.1
What's New in v2.6.1
New Feature: -delay Flag
- Per-attempt delay — New -delay duration flag (e.g. -delay 10s) as an ergonomic alias for fractional -rate values. More intuitive for slow brute-force scenarios where you want seconds between attempts rather than calculating 1/n rates
- -rate help text updated to clarify that fractional values are supported (e.g. -rate 0.1 = one attempt every 10s)
- -delay and -rate are mutually exclusive; using both exits with a clear error
Security
- go-ntlmssp panic fix — Bumped to v0.1.1 which fixes a panic on malformed NTLM challenge payloads (dependabot alert #9)
- Deprecated API replaced — Removed usage of deprecated ntlmssp.ProcessChallenge in favor of current API
Supply Chain Hardening
- govulncheck workflow — Scans all Go dependencies against the Go vulnerability database on every push/PR to main/dev, plus a weekly cron schedule
- dependency-review action — Blocks PRs that introduce dependencies with known moderate-or-higher severity vulnerabilities; comments on the PR with details on failure
- SHA-pinned GitHub Actions — All third-party actions pinned to commit SHAs (with version comments) to prevent tag-based supply chain attacks. Dependabot keeps pins updated automatically
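The check behind the SHA-pinning item above, as an added example (not code from this project): a Go function that flags workflow `uses:` references not pinned to a full 40-character commit SHA. The workflow fragment and its SHA are constructed, and the function checks every remote action, including GitHub's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed workflow fragment; the 40-hex SHA is a placeholder, not a real commit.
const sampleWorkflow = `
  - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v4.1.0
  - uses: goreleaser/goreleaser-action@v7.2.1
  - uses: ./.github/actions/local
  - name: qemu
    uses: docker/setup-qemu-action@v4
`

// usesRe captures the reference of a step's "uses:" key; shaRe matches a full commit SHA.
var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)`)
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding is one remote action reference that is not pinned to a commit SHA.
type Finding struct {
	Line int
	Ref  string
}

// UnpinnedActions returns every remote "uses:" reference whose ref is not a full
// commit SHA (a tag, a branch, or no ref); ./path and docker:// references are skipped.
func UnpinnedActions(workflow string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		at := strings.LastIndex(m[1], "@")
		if at < 0 || !shaRe.MatchString(m[1][at+1:]) {
			out = append(out, Finding{Line: n, Ref: m[1]})
		}
	}
	return out
}

func main() {
	for _, f := range UnpinnedActions(sampleWorkflow) {
		fmt.Printf("line %d: %s is not pinned to a commit SHA\n", f.Line, f.Ref)
	}
}
```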
Code Quality
- Go 1.26.1 — Upgraded from 1.26.0
- Modernized min/max — Replaced manual if x > y patterns with Go 1.21+ min()/max() builtins
- Lint fixes — strings.CutSuffix, labeled breaks, unused parameter cleanup
Dependency Updates
- github.com/Azure/go-ntlmssp v0.1.0 → v0.1.1
- golang.org/x/crypto v0.49.0 → v0.50.0
- golang.org/x/net v0.52.0 → v0.53.0
- golang.org/x/term v0.41.0 → v0.42.0
- github.com/lib/pq v1.12.0 → v1.12.3
- github.com/x90skysn3k/grdp v1.0.1 → v1.0.2
- goreleaser/goreleaser-action v6.4.0 → v7.2.1
- docker/login-action v3.7.0 → v4.1.0
- docker/setup-qemu-action v3.7.0 → v4.0.0
Wordlists
- Monthly wordlist update with new SMTP overrides
Full Changelog: v2.6.0...v2.6.1