Fix reids_login scanner when auth is enabled

Author: adfoster-r7

documentation/modules/auxiliary/scanner/redis/redis_login.md

@@ -8,6 +8,36 @@ Note that Redis does not require a username to log in; login is done purely via
 
 A complete installation guide for Redis can be found [here](https://redis.io/topics/quickstart)
 
+## Setup
+
+Run redis in docker without auth:
+
+```
+docker run --rm -p 6379:6379 redis
+```
+
+Optionally setting the default password for the implicit `default` username account, connect to the running Redis instance and set a password:
+
+```
+$ nc 127.0.0.1 6379
+config set requirepass mypass
++OK
+```
+
+Optionally creating an enabled `test_user` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user allkeys on +@string +@set -SADD >mypass
+```
+
+Optionally creating a disabled `test_user_disabled` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user_disabled allkeys off +@string +@set -SADD >mypass
+```
+
 ## Verification Steps
 1. Do: `use auxiliary/scanner/redis/redis_login`
 2. Do: `set RHOSTS [ips]`

lib/metasploit/framework/credential_collection.rb

@@ -88,18 +88,10 @@ def prepend_cred(cred)
     # @yieldparam credential [Metasploit::Framework::Credential]
     # @return [void]
     def each_filtered
-      if password_spray
-        each_unfiltered_password_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
-
-          yield credential
-        end
-      else
-        each_unfiltered_username_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
+      each_unfiltered do |credential|
+        next unless self.filter.nil? || self.filter.call(credential)
 
-          yield credential
-        end
+        yield credential
       end
     end
 
@@ -121,6 +113,9 @@ def each_unfiltered
       if blank_passwords
         yield Metasploit::Framework::Credential.new(private: "", realm: realm, private_type: :password)
       end
+      if nil_passwords
+        yield Metasploit::Framework::Credential.new(private: nil, realm: realm, private_type: :password)
+      end
       if pass_fd
         pass_fd.each_line do |pass_from_file|
           pass_from_file.chomp!
@@ -177,6 +172,12 @@ def private_type(private)
   end
 
   class CredentialCollection < PrivateCredentialCollection
+    # @!attribute password_spray
+    #   Whether password spray is enabled. When true, each password is tried against each username first.
+    #   Otherwise the default bruteforce logic will attempt all passwords against the first user, before
+    #   continuing to the next user
+    #
+    #   @return [Boolean]
     attr_accessor :password_spray
 
     # @!attribute additional_publics
@@ -233,6 +234,29 @@ def add_public(public_str='')
       additional_publics << public_str
     end
 
+    # Combines all the provided credential sources into a stream of {Credential}
+    # objects, yielding them one at a time
+    #
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
+    def each_filtered
+      if password_spray
+        each_unfiltered_password_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      else
+        each_unfiltered_username_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      end
+    end
+
+    alias each each_filtered
+
     # When password spraying is enabled, do first passwords then usernames
     #  i.e.
     #   username1:password1
@@ -334,6 +358,9 @@ def each_unfiltered_password_first
         if blank_passwords
           yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
         end
+        if nil_passwords
+          yield Metasploit::Framework::Credential.new(public: add_public, private: nil, realm: realm, private_type: :password)
+        end
         if user_fd
           user_fd.each_line do |user_from_file|
             user_from_file.chomp!

spec/lib/metasploit/framework/private_credential_collection_spec.rb

@@ -0,0 +1,127 @@
+require 'spec_helper'
+require 'metasploit/framework/credential_collection'
+
+RSpec.describe Metasploit::Framework::PrivateCredentialCollection do
+
+  subject(:collection) do
+    described_class.new(
+      nil_passwords: nil_passwords,
+      blank_passwords: blank_passwords,
+      pass_file: pass_file,
+      password: password,
+      prepended_creds: prepended_creds,
+      additional_privates: additional_privates
+    )
+  end
+
+  before(:each) do
+    # The test suite overrides File.open(...) calls; fall back to the normal behavior for any File.open calls that aren't explicitly mocked
+    allow(File).to receive(:open).with(anything).and_call_original
+    allow(File).to receive(:open).with(anything, anything).and_call_original
+    allow(File).to receive(:open).with(anything, anything, anything).and_call_original
+  end
+
+  let(:nil_passwords) { nil }
+  let(:blank_passwords) { nil }
+  let(:password) { "pass" }
+  let(:pass_file) { nil }
+  # PrivateCredentialCollection yields `nil` as the username; unlike CredentialCollection
+  let(:username) { nil }
+  let(:prepended_creds) { [] }
+  let(:additional_privates) { [] }
+
+  describe "#each" do
+    specify do
+      expect { |b| collection.each(&b) }.to yield_with_args(Metasploit::Framework::Credential)
+    end
+
+    context "when given a pass_file" do
+      let(:password) { nil }
+      let(:pass_file) do
+        filename = "foo"
+        stub_file = StringIO.new("asdf\njkl\n")
+        allow(File).to receive(:open).with(filename,/^r/).and_return stub_file
+
+        filename
+      end
+
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: "asdf"),
+          Metasploit::Framework::Credential.new(public: username, private: "jkl"),
+        )
+      end
+    end
+
+    context "when :nil_passwords is true" do
+      let(:nil_passwords) { true }
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: password),
+          Metasploit::Framework::Credential.new(public: username, private: nil),
+        )
+      end
+    end
+
+    context "when :blank_passwords is true" do
+      let(:blank_passwords) { true }
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: password),
+          Metasploit::Framework::Credential.new(public: username, private: ""),
+        )
+      end
+    end
+
+  end
+
+  describe "#empty?" do
+    context "when :password is not set" do
+      let(:username) { nil }
+      let(:password) { nil }
+      specify do
+        expect(collection.empty?).to eq true
+      end
+
+      context "and :prepended_creds is not empty" do
+        let(:prepended_creds) { [ "test" ] }
+        specify do
+          expect(collection.empty?).to eq false
+        end
+      end
+
+      context "and :additional_privates is not empty" do
+        let(:additional_privates) { [ "test_private" ] }
+        specify do
+          expect(collection.empty?).to eq false
+        end
+      end
+
+      context "and :additional_publics is not empty" do
+        let(:additional_publics) { [ "test_public" ] }
+        specify do
+          expect(collection.empty?).to eq true
+        end
+      end
+    end
+
+    context "when :password is set" do
+      let(:password) { 'pass' }
+      specify do
+        expect(collection.empty?).to eq false
+      end
+    end
+  end
+
+  describe "#prepend_cred" do
+    specify do
+      prep = Metasploit::Framework::Credential.new(public: "foo", private: "bar")
+      collection.prepend_cred(prep)
+      expect { |b| collection.each(&b) }.to yield_successive_args(
+        prep,
+        Metasploit::Framework::Credential.new(public: username, private: password),
+      )
+    end
+  end
+
+end