v2.6.1

What's New in v2.6.1

New Feature: -delay Flag

• Per-attempt delay — New -delay duration flag (e.g. -delay 10s) as an ergonomic alias for fractional -rate values. More intuitive for slow brute-force scenarios where you want seconds between attempts rather than calculating 1/n rates
• -rate help text updated to clarify that fractional values are supported (e.g. -rate 0.1 = one attempt every 10s)
• -delay and -rate are mutually exclusive; using both exits with a clear error

Security

• go-ntlmssp panic fix — Bumped to v0.1.1 which fixes a panic on malformed NTLM challenge payloads (dependabot alert #9)
• Deprecated API replaced — Removed usage of deprecated ntlmssp.ProcessChallenge in favor of current API

Supply Chain Hardening

• govulncheck workflow — Scans all Go dependencies against the Go vulnerability database on every push/PR to main/dev, plus a weekly cron schedule
• dependency-review action — Blocks PRs that introduce dependencies with known moderate-or-higher severity vulnerabilities; comments on the PR with details on failure
• SHA-pinned GitHub Actions — All third-party actions pinned to commit SHAs (with version comments) to prevent tag-based supply chain attacks. Dependabot keeps pins updated automatically

Code Quality

• Go 1.26.1 — Upgraded from 1.26.0
• Modernized min/max — Replaced manual if x > y patterns with Go 1.21+ min()/max() builtins
• Lint fixes — strings.CutSuffix, labeled breaks, unused parameter cleanup

Dependency Updates

• github.com/Azure/go-ntlmssp v0.1.0 → v0.1.1
• golang.org/x/crypto v0.49.0 → v0.50.0
• golang.org/x/net v0.52.0 → v0.53.0
• golang.org/x/term v0.41.0 → v0.42.0
• github.com/lib/pq v1.12.0 → v1.12.3
• github.com/x90skysn3k/grdp v1.0.1 → v1.0.2
• goreleaser/goreleaser-action v6.4.0 → v7.2.1
• docker/login-action v3.7.0 → v4.1.0
• docker/setup-qemu-action v3.7.0 → v4.0.0

Wordlists

• Monthly wordlist update with new SMTP overrides

Full Changelog: v2.6.0...v2.6.1