From 0110b97fa2d36983f188e83bd1006d388ee32a56 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Wed, 7 Dec 2016 16:49:16 -0600
Subject: [PATCH 1/2] Fix #7671, support LOCKED_OUT and DISABLED login status

This allows login scanner modules to skip a user if it is locked out, or
disabled.

Fix #7671
---
 lib/metasploit/framework/login_scanner/base.rb | 13 +++++++++++++
 modules/auxiliary/scanner/smb/smb_login.rb     |  9 +++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/base.rb b/lib/metasploit/framework/login_scanner/base.rb
index 4c50065fd8..445bfe4ed1 100644
--- a/lib/metasploit/framework/login_scanner/base.rb
+++ b/lib/metasploit/framework/login_scanner/base.rb
@@ -199,6 +199,7 @@ module Metasploit
         total_error_count = 0
         successful_users = Set.new
+        ignored_users = Set.new
         first_attempt = true
         each_credential do |credential|
@@ -213,6 +214,14 @@ module Metasploit
             next
           end
 
+          # Users that went into the lock-out list
+          if ignored_users.include?(credential.public)
+            if credential.parent.respond_to?(:skipped)
+              credential.parent.skipped = true
+            end
+            next
+          end
+
           if first_attempt
             first_attempt = false
           else
@@ -228,6 +237,10 @@ module Metasploit
             consecutive_error_count = 0
             successful_users << credential.public
             break if stop_on_success
+          elsif result.status == Metasploit::Model::Login::Status::LOCKED_OUT
+            ignored_users << credential.public
+          elsif result.status == Metasploit::Model::Login::Status::DISABLED
+            ignored_users << credential.public
           else
             if result.status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
               consecutive_error_count += 1
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 0ee650e433..2b76afa5f7 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
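Review bot: The skip list added in the second base.rb hunk is keyed on `credential.public` alone, so if the credential set contains the same username under more than one realm (SMB domains), a lock-out reported for one realm would also suppress attempts in the others; whether `credential.public` already embeds the domain is not visible here. If the realm is a separate attribute, keying on both, e.g. `ignored_users << [credential.realm, credential.public]` together with `ignored_users.include?([credential.realm, credential.public])`, keeps the skip scoped to the account that was actually reported. The `respond_to?(:skipped)` guard is reasonable but undocumented; a comment such as `# Mark the parent credential so callers can tell a skipped attempt from a failed one` would say why it exists. The enclosing scan method starts and ends outside these hunks.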
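Review bot: The two `elsif` branches added in the third base.rb hunk have identical bodies and can be one branch, `elsif [Metasploit::Model::Login::Status::LOCKED_OUT, Metasploit::Model::Login::Status::DISABLED].include?(result.status)` followed by the single `ignored_users << credential.public`. With DISABLED now feeding the same set, the comment at the skip check in the previous hunk, `# Users that went into the lock-out list`, no longer describes it fully; `# Skip users the target has reported as locked out or disabled` would. Note that these statuses bypass the `else` branch, so whatever error-count bookkeeping that branch does (only the UNABLE_TO_CONNECT increment is visible) is not applied to them; if that is intended it deserves a one-line comment.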
@@ -123,8 +123,13 @@ class MetasploitModule < Msf::Auxiliary
     @scanner.scan! do |result|
       case result.status
       when Metasploit::Model::Login::Status::LOCKED_OUT
-        print_error("Account lockout detected on '#{result.credential}'")
-        return if datastore['ABORT_ON_LOCKOUT']
+        if datastore['ABORT_ON_LOCKOUT']
+          print_error("Account lockout detected on '#{result.credential.public}', aborting.")
+          return
+        else
+          print_error("Account lockout detected on '#{result.credential.public}', skipping this user.")
+        end
+
       when Metasploit::Model::Login::Status::DENIED_ACCESS
         print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
         report_creds(ip, rport, result)

From 7e0b224eb27399cd4418f28dc6737446c0f76f83 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Thu, 8 Dec 2016 15:07:53 -0600
Subject: [PATCH 2/2] Make ABORT_ON_LOCKOUT non default

---
 modules/auxiliary/scanner/smb/smb_login.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 2b76afa5f7..88a7dbcacb 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -55,7 +55,7 @@ class MetasploitModule < Msf::Auxiliary
     register_options(
       [
         Opt::Proxies,
-        OptBool.new('ABORT_ON_LOCKOUT', [ true, "Abort the run when an account lockout is detected", true ]),
+        OptBool.new('ABORT_ON_LOCKOUT', [ true, "Abort the run when an account lockout is detected", false ]),
         OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true ]),
         OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false ]),
         OptBool.new('DETECT_ANY_AUTH', [false, 'Enable detection of systems accepting any authentication', true])
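Review bot: The LOCKED_OUT branch in the first smb_login.rb hunk now carries two near-identical messages and a `return` buried inside an `if`/`else`; the same behaviour reads more clearly as `reason = datastore['ABORT_ON_LOCKOUT'] ? 'aborting.' : 'skipping this user.'`, `print_error("Account lockout detected on '#{result.credential.public}', #{reason}")`, `return if datastore['ABORT_ON_LOCKOUT']`. The added trailing `+` blank line before `when DENIED_ACCESS` is a stray whitespace change. The base scanner now also treats DISABLED as a skip reason, but no `when ... DISABLED` arm is visible in this hunk; if the rest of the `case` (outside the hunk) has no such arm, the operator gets no message explaining why a disabled account's remaining credentials were not tried. The `return` exits the enclosing method, which starts and ends outside the hunk.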
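Review bot: With the default flipped to `false` in the second patch, the option description no longer tells the operator what happens instead of aborting; from the base.rb change in the first patch, only the locked-out user is skipped and every other account continues to be attempted, which under a domain-wide lockout policy can lock further accounts. A description such as `"Abort the run when an account lockout is detected (otherwise only the locked-out user is skipped)"` makes that trade-off explicit at the point where the option is chosen.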