finished up comments

h00die · h00die · commit 15a29a199423 · 2018-02-24T13:39:14.000-05:00
diff --git a/documentation/modules/auxiliary/scanner/http/cert.md b/documentation/modules/auxiliary/scanner/http/cert.md
@@ -13,8 +13,6 @@ Just set target RHOSTS and THREADS values and let it do its thing.
 
 ## Scenarios
 
-**Running the scanner**
-
 ```
 msf > use auxiliary/scanner/http/cert
 msf auxiliary(cert) > set RHOSTS 192.168.1.0/24
@@ -30,4 +28,51 @@ msf auxiliary(cert) > run
 [*] Scanned 256 of 256 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(cert) >
-```
+```
+
+## Confirming
+
+The following are other industry tools which can also be used.
+
+### [nmap](https://nmap.org/nsedoc/scripts/ssl-cert.html)
+
+```
+# nmap -p 443 192.168.2.137 -sV --script=ssl-cert
+
+Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-24 13:20 EST
+Nmap scan report for ubuntu (192.168.2.137)
+Host is up (0.0029s latency).
+
+PORT    STATE SERVICE  VERSION
+443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
+|_http-server-header: Apache/2.4.18 (Ubuntu)
+| ssl-cert: Subject: commonName=ubuntu
+| Issuer: commonName=ubuntu
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2018-01-26T21:38:21
+| Not valid after:  2028-01-24T21:38:21
+| MD5:   d2a7 364d 636a 6eee c3e1 7af9 05f7 8c5b
+|_SHA-1: a5bf f783 2514 90ee 365a 3ee4 9b6c 23f6 24af dbfa
+MAC Address: 00:0C:29:5B:CF:75 (VMware)
+```
+
+### [sslscan](https://github.com/rbsec/sslscan)
+```
+# sslscan 192.168.2.137
+Version: 1.11.11-static
+OpenSSL 1.0.2-chacha (1.0.2g-dev)
+
+Connected to 192.168.2.137
+
+Testing SSL server 192.168.2.137 on port 443 using SNI name 192.168.2.137
+```
+...snip...
+```
+Subject:  ubuntu
+Issuer:   ubuntu
+
+Not valid before: Jan 26 21:38:21 2018 GMT
+Not valid after:  Jan 24 21:38:21 2028 GMT
+```
diff --git a/documentation/modules/auxiliary/scanner/http/dir_scanner.md b/documentation/modules/auxiliary/scanner/http/dir_scanner.md
@@ -8,29 +8,10 @@ This module scans one or more web servers for interesting directories that can b
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```run```
 
-Let the default dictionary included in Metasploit set, set our target, and let the scanner run.
-
 ## Scenarios
 
-**Running the scanner**
-
 ```
 > use auxiliary/scanner/http/dir_scanner
-msf auxiliary(dir_scanner) > show options
-
-Module options (auxiliary/scanner/http/dir_scanner):
-
-   Name        Current Setting                                          Required  Description
-   ----        ---------------                                          --------  -----------
-   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
-   PATH        /                                                        yes       The path  to identify files
-   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS                                                               yes       The target address range or CIDR identifier
-   RPORT       80                                                       yes       The target port (TCP)
-   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
-   THREADS     1                                                        yes       The number of concurrent threads
-   VHOST                                                                no        HTTP server virtual host
-
 msf auxiliary(dir_scanner) > set RHOSTS 192.168.1.201
 RHOSTS => 192.168.1.201
 msf auxiliary(dir_scanner) > run
@@ -51,4 +32,37 @@ msf auxiliary(dir_scanner) > run
 msf auxiliary(dir_scanner) >
 ```
 
-A quick scan has turned up a number of directories on the target server that could be certainly investigated further.
+## Confirming
+
+The following are other industry tools which can also be used.
+
+### [dirb](http://dirb.sourceforge.net/)
+
+```
+# dirb http://192.168.2.137 /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt 
+
+-----------------
+DIRB v2.22    
+By The Dark Raver
+-----------------
+
+START_TIME: Sat Feb 24 12:56:40 2018
+URL_BASE: http://192.168.2.137/
+WORDLIST_FILES: /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt
+
+-----------------
+
+GENERATED WORDS: 2351
+
+---- Scanning URL: http://192.168.2.137/ ----
+==> DIRECTORY: http://192.168.2.137/.../
+==> DIRECTORY: http://192.168.2.137/Joomla/
+==> DIRECTORY: http://192.168.2.137/cgi-bin/
+==> DIRECTORY: http://192.168.2.137/error/
+==> DIRECTORY: http://192.168.2.137/icons/
+==> DIRECTORY: http://192.168.2.137/oscommerce/
+==> DIRECTORY: http://192.168.2.137/phpmyadmin/
+==> DIRECTORY: http://192.168.2.137/security/
+==> DIRECTORY: http://192.168.2.137/webalizer/
+==> DIRECTORY: http://192.168.2.137/webdav/
+```
diff --git a/documentation/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.md b/documentation/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.md
@@ -1,8 +1,6 @@
 ## Description
 
-The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found [here](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535).
-
-CVE: CVE-2009-1535
+The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a `/protected/` initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. More info about this vulnerability can be found in [cve-2009-1535](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535).
 
 ## Verification Steps
 
@@ -11,12 +9,8 @@ CVE: CVE-2009-1535
 3. Do: ```set THREADS [number of threads]```
 4. Do: ```run```
 
-You can keep the default DICTIONARY and HTTP404S dictionary settings, set our RHOSTS and THREADS values and let the module run.
-
 ## Scenarios
 
-**Running the scanner**
-
 ```
 msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
 msf auxiliary(dir_webdav_unicode_bypass) > show options
@@ -62,5 +56,3 @@ msf auxiliary(dir_webdav_unicode_bypass) > run
 [*] Auxiliary module execution completed
 msf auxiliary(dir_webdav_unicode_bypass) >
 ```
-
-The scan can find vulnerable servers. This vulnerability can potentially allow attacker to list, download, or even upload files to password protected folders.
diff --git a/documentation/modules/auxiliary/scanner/smb/smb2.md b/documentation/modules/auxiliary/scanner/smb/smb2.md
@@ -11,7 +11,6 @@ The SMB2 scanner module simply scans the remote hosts and determines if they sup
 
 ## Scenarios
 
-**Running the scanner**
 ```
 msf > use auxiliary/scanner/smb/smb2
 msf auxiliary(smb2) > set RHOSTS 192.168.1.150-165
@@ -27,4 +26,4 @@ msf auxiliary(smb2) > run
 [*] Scanned 16 of 16 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(smb2) >
-```
+```
diff --git a/documentation/modules/auxiliary/scanner/smb/smb_enumshares.md b/documentation/modules/auxiliary/scanner/smb/smb_enumshares.md
@@ -11,27 +11,10 @@ The smb_enumshares module, as would be expected, enumerates any SMB shares that
 
 ## Scenarios
 
-**Running the scanner**
+### Uncredentialed
+
 ```
 msf > use auxiliary/scanner/smb/smb_enumshares
-msf auxiliary(smb_enumshares) > show options
-
-Module options (auxiliary/scanner/smb/smb_enumshares):
-
-   Name             Current Setting  Required  Description
-   ----             ---------------  --------  -----------
-   LogSpider        3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
-   MaxDepth         999              yes       Max number of subdirectories to spider
-   RHOSTS                            yes       The target address range or CIDR identifier
-   SMBDomain        .                no        The Windows domain to use for authentication
-   SMBPass                           no        The password for the specified username
-   SMBUser                           no        The username to authenticate as
-   ShowFiles        false            yes       Show detailed information when spidering
-   SpiderProfiles   true             no        Spider only user profiles when share = C$
-   SpiderShares     false            no        Spider shares recursively
-   THREADS          1                yes       The number of concurrent threads
-   USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC
-
 msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
 RHOSTS => 192.168.1.150-165
 msf auxiliary(smb_enumshares) > set THREADS 16
@@ -55,7 +38,10 @@ Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded
 msf auxiliary(smb_enumshares) >
 ```
 
-As you can see, since this is an "###uncredentialed" scan, access is denied a most of the systems that are probed. Doing a "###credentialed" scan produces much different results.
+### Credentialed
+
+As you can see in the previous scan, access is denied a most of the systems that are probed.
+Doing a Credentialed scan produces much different results.
 
 ```
 msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
