rapid7 · gwillcox-r7 · Jul 16, 2020 · Jun 21, 2020 · Jun 21, 2020 · Jun 21, 2020
diff --git a/...auxiliary/admin/brocade/brocade_config.md → ...iliary/admin/networking/brocade_config.md b/...auxiliary/admin/brocade/brocade_config.md → ...iliary/admin/networking/brocade_config.md
@@ -1,40 +1,43 @@
-## General Notes
+## Vulnerable Application
+
+### General Notes
 
 This module imports a Brocade configuration file into the database.
-This is similar to `post/brocade/gather/enum_brocade` only access isn't required,
+This is similar to `post/networking/gather/enum_brocade` only access isn't required,
 and assumes you already have the file.
 
-Example files for import can be found on git, like [this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
+Example files for import can be found on git, like
+[this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
 
 ## Verification Steps
 
 1. Have a Brocade configuration file
 2. Start `msfconsole`
-3. `use auxiliary/admin/brocade/brocade_config`
+3. `use auxiliary/admin/networking/brocade_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.config`
 6. `run`
 
 ## Options
 
-  **RHOST**
+### RHOST
 
-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.
 
-  **CONFIG**
+### CONFIG
 
-  File path to the configuration file.
+File path to the configuration file.
 
 ## Scenarios
 
 ```
 msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
-msf5 > use auxiliary/admin/brocade/brocade_config
-msf5 auxiliary(admin/brocade/brocade_config) > set rhosts 127.0.0.1
+msf5 > use auxiliary/admin/networking/brocade_config
+msf5 auxiliary(admin/networking/brocade_config) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
-msf5 auxiliary(admin/brocade/brocade_config) > set config /tmp/brocade.conf
+msf5 auxiliary(admin/networking/brocade_config) > set config /tmp/brocade.conf
 config => /tmp/brocade.conf
-msf5 auxiliary(admin/brocade/brocade_config) > run
+msf5 auxiliary(admin/networking/brocade_config) > run
 [*] Running module against 127.0.0.1
 
 [*] Importing config

diff --git a/...liary/admin/cisco/cisco_asa_extrabacon.md → .../admin/networking/cisco_asa_extrabacon.md b/...liary/admin/cisco/cisco_asa_extrabacon.md → .../admin/networking/cisco_asa_extrabacon.md
@@ -1,4 +1,6 @@
-## General notes
+## Vulnerable Application
+
+### General notes
 
 This is using improved shellcode, has less stages than the Equation Group
 version making it more reliable. This makes the SNMP payload packet ~150 less
@@ -10,7 +12,7 @@ finder are available at:
 
 https://github.com/RiskSense-Ops/CVE-2016-6366
 
-## Partial list of supported versions
+### Partial list of supported versions
 ------------------------------------------------------------
 All of the leaked versions are available in the module
 
@@ -54,12 +56,14 @@ All of the leaked versions are available in the module
 
 `*` new version support not part of the original Shadow Brokers leak
 
-`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
+`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the
+NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future,
+we'd like to incorporate these versions. Perhaps as a bool option?
 
 ## Verification Steps
 
 - Start `msfconsole`
-- `use auxiliary/admin/cisco/cisco_asa_extrabacon`
+- `use auxiliary/admin/networking/cisco_asa_extrabacon`
 - `set RHOST x.x.x.x`
 - `check`
 - `run`
@@ -68,10 +72,14 @@ All of the leaked versions are available in the module
 - `run`
 - ssh admin@x.x.x.x, ensure fake password does not work
 
-## Checking for a vulnerable version
+## Options
+
+## Scenarios
+
+### Checking for a vulnerable version
 
 ```
-msf > use auxiliary/admin/cisco/cisco_asa_extrabacon
+msf > use auxiliary/admin/networking/cisco_asa_extrabacon
 msf auxiliary(cisco_asa_extrabacon) > set rhost 192.168.1.1
 rhost => 192.168.1.1
 msf auxiliary(cisco_asa_extrabacon) > check
@@ -80,7 +88,7 @@ msf auxiliary(cisco_asa_extrabacon) > check
 [*] 192.168.1.1:161 The target appears to be vulnerable.
 ```
 
-## Disabling administrative password
+### Disabling administrative password
 
 ```
   msf auxiliary(cisco_asa_extrabacon) > set
@@ -101,7 +109,7 @@ msf auxiliary(cisco_asa_extrabacon) > run
 [*] Auxiliary module execution completed
 ```
 
-## Re-enabling administrative password
+### Re-enabling administrative password
 
 ```
 msf auxiliary(cisco_asa_extrabacon) > set MODE pass-enable

diff --git a/...les/auxiliary/admin/cisco/cisco_config.md → ...uxiliary/admin/networking/cisco_config.md b/...les/auxiliary/admin/cisco/cisco_config.md → ...uxiliary/admin/networking/cisco_config.md
@@ -1,30 +1,33 @@
-## General Notes
+## Vulnerable Application
+
+### General Notes
 
 This module imports a Cisco configuration file into the database.
-This is similar to `post/cisco/gather/enum_cisco` only access isn't required,
+This is similar to `post/networking/gather/enum_cisco` only access isn't required,
 and assumes you already have the file.
 
-Example files for import can be found on git, like [this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
+Example files for import can be found on git, like
+[this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
 or from [Cisco](https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/sampconf.html).
 
 ## Verification Steps
 
 1. Have a Cisco configuration file
 2. Start `msfconsole`
-3. `use auxiliary/admin/cisco/cisco_config`
+3. `use auxiliary/admin/networking/cisco_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.config`
 6. `run`
 
 ## Options
 
-  **RHOST**
+### RHOST
 
-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.
 
-  **CONFIG**
+### CONFIG
 
-  File path to the configuration file.
+File path to the configuration file.
 
 ## Scenarios
 
@@ -34,12 +37,12 @@ root@metasploit-dev:~/metasploit-framework# wget https://raw.githubusercontent.c
 root@metasploit-dev:~/metasploit-framework# ./msfconsole 
 
 [*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/cisco/cisco_config 
-msf5 auxiliary(admin/cisco/cisco_config) > set config /tmp/LA_EDGE_D.txt
+msf5 > use auxiliary/admin/networking/cisco_config 
+msf5 auxiliary(admin/networking/cisco_config) > set config /tmp/LA_EDGE_D.txt
 config => /tmp/LA_EDGE_D.txt
-msf5 auxiliary(admin/cisco/cisco_config) > set rhost 127.0.0.1
+msf5 auxiliary(admin/networking/cisco_config) > set rhost 127.0.0.1
 rhost => 127.0.0.1
-msf5 auxiliary(admin/cisco/cisco_config) > run
+msf5 auxiliary(admin/networking/cisco_config) > run
 [*] Running module against 127.0.0.1
 
 [*] Importing config

diff --git a/...iliary/admin/cisco/cisco_dcnm_download.md → ...y/admin/networking/cisco_dcnm_download.md b/...iliary/admin/cisco/cisco_dcnm_download.md → ...y/admin/networking/cisco_dcnm_download.md
@@ -1,23 +1,31 @@
 ## Vulnerable Application
 
-Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
+Cisco Data Center Network Manager exposes a servlet to download files on `/fm/downloadServlet`.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
 the full path of the file (aka CVE-2019-1621).
 
 This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.
 
+## Verification Steps
+
+1. Do: ```use auxiliary/admin/networking/cisco_dcnm_download```
+2. Do: ```set rhosts [ip]```
+3. Do: ```run```
+
+## Options
+
 ## Scenarios
 
 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!
 
 ```
-msf5 exploit(multi/http/cisco_dcnm_upload_2019) > use auxiliary/admin/cisco/cisco_dcnm_download
+msf5 exploit > use auxiliary/admin/networking/cisco_dcnm_download
 
-msf5 auxiliary(admin/cisco/cisco_dcnm_download) > set rhost 10.75.1.40
+msf5 auxiliary(admin/networking/cisco_dcnm_download) > set rhost 10.75.1.40
 rhost => 10.75.1.40
-msf5 auxiliary(admin/cisco/cisco_dcnm_download) > run
+msf5 auxiliary(admin/networking/cisco_dcnm_download) > run
 
 [+] 10.75.1.40:443 - Detected DCNM 10.4(2)
 [*] 10.75.1.40:443 - No authentication required, ready to exploit!

diff --git a/...auxiliary/admin/juniper/juniper_config.md → ...iliary/admin/networking/juniper_config.md b/...auxiliary/admin/juniper/juniper_config.md → ...iliary/admin/networking/juniper_config.md
@@ -1,35 +1,39 @@
-## General Notes
+## Vulnerable Application
+
+### General Notes
 
 This module imports a Juniper configuration file into the database.
-This is similar to `post/juniper/gather/enum_juniper` only access isn't required,
+This is similar to `post/networking/gather/enum_juniper` only access isn't required,
 and assumes you already have the file.
 
-Example files for import can be found on git, like [this (junos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
-or [this (screenos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf).
+Example files for import can be found on git, like
+[this (junos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
+or
+[this (screenos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf).
 
 ## Verification Steps
 
 1. Have a Juniper configuration file
 2. Start `msfconsole`
-3. `use auxiliary/admin/juniper/juniper_config`
+3. `use auxiliary/admin/networking/juniper_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.config`
 6. `set action junos`
 7. `run`
 
 ## Options
 
-  **RHOST**
+### RHOST
 
-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.
 
-  **CONFIG**
+### CONFIG
 
-  File path to the configuration file.
+File path to the configuration file.
 
-  **Action**
+### Action
 
-  `JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
+`JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
 
 ## Scenarios
 
@@ -40,12 +44,12 @@ root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex
 root@metasploit-dev:~/metasploit-framework# ./msfconsole 
 
 [*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/juniper/gather/juniper_config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/juniper_ex2200.config
+msf5 > use auxiliary/admin/networking/gather/juniper_config
+msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/juniper_ex2200.config
 config => /tmp/juniper_ex2200.config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1
 rhost => 127.0.0.1
-msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+msf5 auxiliary(admin/networking/gather/juniper_config) > run
 [*] Running module against 127.0.0.1
 
 [*] Importing config
@@ -72,14 +76,14 @@ root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.c
 root@metasploit-dev:~/metasploit-framework# ./msfconsole 
 
 [*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/juniper/gather/juniper_config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/screenos.conf
+msf5 > use auxiliary/admin/networking/gather/juniper_config
+msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/screenos.conf
 config => /tmp/screenos.conf
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1
 rhost => 127.0.0.1
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set action SCREENOS
+msf5 auxiliary(admin/networking/gather/juniper_config) > set action SCREENOS
 action => SCREENOS
-msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+msf5 auxiliary(admin/networking/gather/juniper_config) > run
 [*] Running module against 127.0.0.1
 
 [*] Importing config
@@ -88,4 +92,3 @@ msf5 auxiliary(admin/juniper/gather/juniper_config) > run
 [+] Config import successful
 [*] Auxiliary module execution completed
 ```
-
diff --git a/...xiliary/admin/ubiquiti/ubiquiti_config.md → ...liary/admin/networking/ubiquiti_config.md b/...xiliary/admin/ubiquiti/ubiquiti_config.md → ...liary/admin/networking/ubiquiti_config.md
@@ -1,43 +1,45 @@
-## General Notes
+## Vulnerable Application
 
-  This module imports an Ubiquiti Unifi configuration file into the database.
-  This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
-  and assumes you already have the file.
+### General Notes
 
-  This module is able to take a unf file, from the controller and perform the following actions:
+This module imports an Ubiquiti Unifi configuration file into the database.
+This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
+and assumes you already have the file.
 
-  1. Decrypt the file
-  2. Fix the zip file if a `zip` utility is on the system
-  3. Extract db.gz
-  4. Unzip the db file
-  5. Import the db file
+This module is able to take a unf file, from the controller and perform the following actions:
 
-  Or simply pass the db file for import directly.
+1. Decrypt the file
+2. Fix the zip file if a `zip` utility is on the system
+3. Extract db.gz
+4. Unzip the db file
+5. Import the db file
+
+Or simply pass the db file for import directly.
 
 ## Verification Steps
 
 1. Have a Ubiquiti Unifi configuration file (db or unf)
 2. Start `msfconsole`
-3. `use auxiliary/admin/ubiquiti/ubiquiti_config`
+3. `use auxiliary/admin/networking/ubiquiti_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.unf`
 6. `run`
 
 ## Options
 
-  **RHOST**
+### RHOST
 
-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.
 
-  **CONFIG**
+### CONFIG
 
-  File path to the configuration unf or db file..
+File path to the configuration unf or db file..
 
 ## Scenarios
 
 ### Unf File
 ```
-resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> use auxiliary/admin/networking/ubiquiti_config
 resource (unifi_config.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
 resource (unifi_config.rb)> set config /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
@@ -59,12 +61,12 @@ resource (unifi_config.rb)> run
 ### db File
 
 ```
-resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> use auxiliary/admin/networking/ubiquiti_config
 resource (unifi_config.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
-msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > set config /root/.msf4/loot/db
+msf5 auxiliary(admin/networking/ubiquiti_config) > set config /root/.msf4/loot/db
 config => /root/.msf4/loot/db
-msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > run
+msf5 auxiliary(admin/networking/ubiquiti_config) > run
 [*] Running module against 127.0.0.1
 
 [*] Converting config BSON to JSON