From 4503a7af50a02832895892f87794869ea1352582 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Thu, 16 May 2013 10:25:32 -0500
Subject: [PATCH] Don't save creds of anyuser:anypass
If http accepts any user and any pass, it's not a real auth there is no reason to create cred objects for this. These creds have been confusing our users
---
 modules/auxiliary/scanner/http/http_login.rb | 24 +++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb
index 13a8f2a733..e7ad1a932e 100644
--- a/modules/auxiliary/scanner/http/http_login.rb
+++ b/modules/auxiliary/scanner/http/http_login.rb
@@ -149,18 +149,20 @@ class Metasploit3 < Msf::Auxiliary
 print_status("#{target_url} - Random passwords are not allowed.")
 end
- report_auth_info(
- :host => rhost,
- :port => rport,
- :sname => (ssl ? 'https' : 'http'),
- :user => user,
- :pass => pass,
- :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
- :source_type => "user_supplied",
- :active => true
- )
+ unless user == "anyuser" and pass == "anypass"
+ report_auth_info(
+ :host => rhost,
+ :port => rport,
+ :sname => (ssl ? 'https' : 'http'),
+ :user => user,
+ :pass => pass,
+ :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
+ :source_type => "user_supplied",
+ :active => true
+ )
+ end
- return :abort if ([any_user,any_pass].include? :success)
+ return :abort if ([any_user,any_pass].include? :success)
 return :next_user
 else
 vprint_error("#{target_url} - Failed to login as '#{user}'")
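Review bot: The new guard `unless user == "anyuser" and pass == "anypass"` keys on two literal strings rather than on the outcome of the accept-anything probe, so it only holds while the probe elsewhere in the file uses exactly those values, and a genuine anyuser:anypass pair from a wordlist would be dropped with no message. The `any_user`/`any_pass` results are already consulted by the `return :abort` line just below; if they are set by the time this branch runs (their assignment is outside the hunk), a guard such as `unless [any_user, any_pass].include?(:success)` would also stop the first wordlist pair from being stored against a server that accepts anything. A `vprint_status` in the skipped case would tell the operator why no credential was recorded, and `&&` is the safer operator than `and` in a condition. The enclosing method starts and ends outside the hunk.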