Land rapid7#7665, Add ABORT_ON_LOCKOUT option for smb_login

Author: wchen-r7

lib/metasploit/framework/login_scanner/smb.rb

@@ -203,6 +203,8 @@ def attempt_login(credential)
             status = case e.get_error(e.error_code)
                      when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
                        Metasploit::Model::Login::Status::DENIED_ACCESS
+                     when 'STATUS_ACCOUNT_LOCKED_OUT'
+                       Metasploit::Model::Login::Status::LOCKED_OUT
                      when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
                        Metasploit::Model::Login::Status::INCORRECT
                      else

modules/auxiliary/scanner/smb/smb_login.rb

@@ -55,6 +55,7 @@ def initialize
     register_options(
       [
         Opt::Proxies,
+        OptBool.new('ABORT_ON_LOCKOUT', [ true, "Abort the run when an account lockout is detected", true ]),
         OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true ]),
         OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false ]),
         OptBool.new('DETECT_ANY_AUTH', [false, 'Enable detection of systems accepting any authentication', true])
@@ -121,6 +122,9 @@ def run_host(ip)
 
     @scanner.scan! do |result|
       case result.status
+      when Metasploit::Model::Login::Status::LOCKED_OUT
+        print_error("Account lockout detected on '#{result.credential}'")
+        return if datastore['ABORT_ON_LOCKOUT']
       when Metasploit::Model::Login::Status::DENIED_ACCESS
         print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
         report_creds(ip, rport, result)