nDepth Employee Contributions to Open Source Security Software, May 2026 Edition

ETHERJACK

EtherJack or “EJ” by nDepth Security, is a “plug-and-pray” leave behind device that can be used to establish different levels of persistence on a target network through a series of software and hardware configurations. EJ was developed by and for pentesters to help support and aid in physical pentesting engagements through the use of open/available RJ-45 Ethernet ports.

nDepth’s Mike ‘h00die’ Cyr and Lindsey Wizinsky have started making the first public updates to EtherJack in a while. Don’t worry, we have more coming soon as well.

MASS UPDATES

The first update was from the original EtherJack developer Ray Nutting, but submitted by h00die. This change catches EJ to the most recent updates we’ve been testing internally for the past few months.

CI/CD PIPELINE

Modern development usually happens in CI/CD Pipelines. What is that you ask? Continuous Integration and Development involves writing tests to ensure incoming changes don’t break current functionality, then automating that testing to publish new builds. At least, that’s the easy explanation for EtherJack purposes. Since EJ runs on dedicated hardware, building out a testing suite to ensure consistent and reliable product releases was non-trivial, but we were able to accomplish it. With this done, we’re able to start putting in new features, and other bigger changes to the product!

To view this month’s contributions, check the following links:

METASPLOIT PROJECT

The Metasploit Project, owned by Rapid 7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community.

nDepth’s own Lindsey Wizinsky became a FIRST TIME CONTRIBUTOR to Metasploit! Let’s take a look at Lindsey’s contribution:

WINDOWS POWERSHELL PROFILE PERSISTENCE

PowerShell is a very popular programing language built into all modern Windows systems. When PowerShell starts, it runs code from several different profiles. With this new Metasploit module, a penetration tester can establish persistence on a Windows computer by adding PowerShell code to the user’s profile. When the user opens PowerShell, the code will execute allowing the penetraiton tester to regain access.

nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

GENERAL FIXES, UPDATES, AND ENHANCEMENTS

Fixed a bug in the WSL Startup Folder persistence module where it could crash when run on unexpected operating systems.

Added 8 CVE references to modules previously missing them.

Fixed a bug in the SNMP Enumeration module where if a system didn’t have a system date set, the module would crash.

Added further documentation for AI agents to clarify expectations leveraged on them.

APACHE ACTIVEMQ JOLOKIA REMOTE CODE EXECUTION

Apache’s ActiveMQ product suffered a remote code execution vulnerability tracked as CVE-2026-34197. This vulnerability allows an authenticated user to connect to the Jolokia JMX-over-HTTP API, initiate a configuration change that then executes supplied code. This exploit is now included in Metasploit Framework to allow penetration testers to leverage the vulnerability.

VIM PLUGIN PERSISTENCE

VIM (short for Vi IMproved) is an extremely popular text editor on many non-Windows based operating systems. VIM, like most text editors, allows for plugins/extensions to be added to automate tasks and make the user experience better. However, these plugins can be abused to allow a penetration tester to establish persistence. In this case, every time the user opens their copy of VIM, the penetration tester’s code will execute allowing them to regain access to the system. Rapid7, owner of Metasploit, wrote up a pretty funny weekly blog post about the new module: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-05-15-2026/ .

OLLAMA ENUMERATOR

Ollama is a program that allows users to download, manage, and run AI/Large Language Models (LLMs) on their own computer. Think of using your own ChatGPT from your own computer and you’ve essentially captured the idea. As the use of AI expands, penetration testers need to be able to interact with Ollama to determine what models the user has, and which are running. This change to Metasploit adds that capability by connecting to the Ollama instance over the network and gathering information about it.

WINDOWS KERBEROS STYLE HASH CRACKING

Metasploit has been putting in a lot of effort towards the Kerberos authentication system. Amongst these changes were adding Kerberoasting, Timeroasting, and other ticket generating or stealing capabilities. However, Metasploit users didn’t have the ability to attempt to password crack these stolen hashes. However, after 4 months of effort to add the new hash cracking capabilities, it is now possible!

TENABLE SECURITY CENTER INFORMATION GATHERING CAPABILITY

Tenable Security Center is primarily used by large companies to manage their Nessus instances. Security Center can be a goldmine of information to a penetration tester since it contains credentials for Nessus, and likely highly privileged users on the network. While gaining command line access to Security Center isn’t always trivial, when a penetration does get there, it can be difficult to obtain further information. This change to Metasploit adds a capability to decrypt the stored credentials, and store hashed passwords by uploading custom PHP pages and running them locally to extract the information.

To view this month’s contributions, check the following links: