I searched through the Metasploit source code for User Agent Strings (starting with Mozilla/).
This is what I found:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N
Mozilla/4.0 (compatible; Metasploit RSPEC)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Are lines 5 and 7 truncated?
Comment by Drew Hunt — Monday 16 March 2015 @ 14:11
Here are my finds for comparison:
Mozilla/4.0 (compatible)
Mozilla/4.0 (compatible; BullsEye; Windows 95)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\
Mozilla/5.0
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1\
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0\
Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0\
Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8
Comment by Drew Hunt — Monday 16 March 2015 @ 14:30
@Drew No, these lines are not truncated. This is what I found in the source code:
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"}
Comment by Didier Stevens — Monday 16 March 2015 @ 14:43
@Drew There are many User Agent Strings found in the comments of the Metasploit source code. I did not include these, and that explains why you find so many.
I used the following regex: (["'])Mozilla/.+\1
Comment by Didier Stevens — Monday 16 March 2015 @ 14:45
Interesting. I’m not able to find the ‘SIMBAR’ UAS to validate. What module is it from? It looks to be a cut-off .NET string. That would be an interesting anomaly to search for.
WRT searching, I believe the bulk of the UAS I located were in the included Ruby libraries, not Metasploit itself.
root@host1:/opt/metasploit# cat /tmp/ua1 | awk -F: '{print $1}' | sort | uniq -c | sort -nr
8 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/spec/lib/secure_headers_spec.rb
5 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/spec/lib/secure_headers/headers/content_security_policy_spec.rb
4 apps/pro/ui/db/runners/se_reporting_seed_objects.rb
2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb
2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb
2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb
2 apps/pro/vendor/bundle/ruby/1.9.1/gems/secure_headers-1.1.1/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
2 apps/pro/vendor/bundle/ruby/1.9.1/gems/rack-1.4.5/test/spec_request.rb
1 apps/pro/vendor/bundle/ruby/1.9.1/gems/robots-0.10.1/test/fixtures/eventbrite.txt
1 apps/pro/ui/app/models/websploit_task.rb
1 apps/pro/ui/app/models/webscan_task.rb
1 apps/pro/ui/app/models/webaudit_task.rb
1 apps/pro/ui/app/models/social_engineering/web_page.rb
1 apps/pro/ui/app/models/scan_task.rb
1 apps/pro/ui/app/models/exploit_task.rb
1 apps/pro/engine/spec/modules/auxiliary/pro/social_engineering/web_phish_spec.rb
1 apps/pro/engine/lib/pro/dynamic_stagers/templates/reverse_http_svc.c.template
1 apps/pro/engine/lib/pro/dynamic_stagers/templates/reverse_http.c.template
Eliminating the Ruby spec strings, the list is reduced, but still not matched to yours. Then again, I’m searching the Kali packaged installation and not the source code.
root@host1:/opt/metasploit# fgrep -r Mozilla/ * | fgrep -v access.log | fgrep -v "vendor/bundle" | tee /tmp/ua1.1 | perl -pe 's/^(.*)\"(Mozilla\/[^\"]+)\"(.*)$/$2/;' | perl -pe "s/^(.*)\'(Mozilla\/[^\']+)\'(.*)$/$2/;" | perl -pe 's/^(.*)\s(Mozilla\/.*)$/$2/;' | perl -pe 's/^\s*$//'| sort | uniq | tee /tmp/ua2.1
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\
Mozilla/5.0
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1\
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0\
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0\
Interesting findings. Thanks for the post!
Comment by Drew Hunt — Monday 16 March 2015 @ 15:08
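To show what the two extraction approaches in this thread actually do (Didier's backreference regex and Drew's grep/perl pipeline), here is an added Python example; it is not code from the original post, from the commenters, or from Metasploit. It runs the posted regex over a few constructed Ruby lines written in the style of the snippets quoted above, beside a tightened non-greedy variant of my own, and skips Ruby comment lines, which is my assumption about how strings that only appear in comments were left out of the first list.

```python
import re

# Constructed Ruby lines in the style of the Metasploit snippets quoted in this
# thread (an assumption for the example, not copied from the repository).
SAMPLE_SOURCE = r"""
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"}
# 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'  <- only mentioned in a comment
headers = { 'User-Agent' => 'Mozilla/4.0 (compatible)', 'Host' => 'example.invalid' }
ua = 'Mozilla/5.0'
"""

# The regex as posted in the thread: a quote, Mozilla/, a greedy .+, then the
# same quote again via the backreference.
POSTED_RE = re.compile(r"""(["'])Mozilla/.+\1""")

# Tightened variant (my change): the body may not contain a quote character,
# so a line holding two quoted strings does not yield one merged match.
STRICT_RE = re.compile(r"""(["'])Mozilla/[^"']+\1""")


def extract_user_agents(source, pattern=STRICT_RE, skip_comments=True):
    """Return the quoted User-Agent strings in file order, quotes stripped.

    skip_comments drops Ruby comment lines; that is how this example leaves
    out strings that only appear in comments, which the thread names as the
    main reason the two posted lists differ.
    """
    found = []
    for line in source.splitlines():
        if skip_comments and line.lstrip().startswith("#"):
            continue
        for m in pattern.finditer(line):
            found.append(m.group(0)[1:-1])  # drop the surrounding quotes
    return found


def unique_sorted(uas):
    """Equivalent of the `sort | uniq` stage of the shell pipeline."""
    return sorted(set(uas))


if __name__ == "__main__":
    for ua in unique_sorted(extract_user_agents(SAMPLE_SOURCE)):
        print(ua)
```

Running the posted pattern instead (`pattern=POSTED_RE`) shows the greedy `.+` problem on the line with two quoted values: the match runs from the first `'Mozilla/` to the last `'` on the line, swallowing the Host value. The truncated SIMBAR string is still extracted cleanly by both patterns because its closing quote is present in the source; only the token inside the string is cut off.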
@Drew Indeed, it is a truncated .NET CLR string, and makes it easy to spot. I found it here: metasploit-framework-master\modules\exploits\windows\http\hp_nnm_ovas.rb line 90.
Comment by Didier Stevens — Monday 16 March 2015 @ 15:26
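As an added example (not from the original post, from the commenters, or from Metasploit, and not the Snort rules mentioned in the pingback), the following Python flags requests in a constructed Apache combined-format log whose User-Agent either exactly matches one of the strings collected in this thread or shows the defect Didier points out: a cut-off `.NET CLR` token, which also leaves the parenthesised comment unclosed. The log lines and the set of known strings are assumptions built from this page; extend the set with the rest of the posted lists for full exact matching.

```python
import re

# User-Agent strings collected in this thread (the ".N" one is the truncated
# string from hp_nnm_ovas.rb). Assumed subset; extend as needed.
KNOWN_METASPLOIT_UAS = {
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
    "Mozilla/4.0 (compatible; Metasploit RSPEC)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; "
    "SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 "
    "(KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13",
}

# A complete token looks like ".NET CLR 2.0.50727"; ".N" alone is cut off.
DOTNET_TOKEN = re.compile(r"^\.NET CLR \d+(\.\d+)*$")

# Apache combined log format; the User-Agent is the last quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def structural_anomalies(ua):
    """Return the defects a truncated or tool-generated User-Agent shows."""
    findings = []
    if ua.count("(") != ua.count(")"):
        findings.append("unbalanced parentheses")
    # Tokens of the first parenthesised comment; a truncated string has no
    # closing ')', so [^)]* simply runs to the end of the value.
    m = re.search(r"\(([^)]*)", ua)
    for tok in (t.strip() for t in (m.group(1).split(";") if m else [])):
        if tok.startswith(".N") and not DOTNET_TOKEN.match(tok):
            findings.append(f"truncated .NET token {tok!r}")
    if "Metasploit" in ua:
        findings.append("tool name in User-Agent")
    return findings


def parse_combined(line):
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return one record per request whose User-Agent looks like Metasploit."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        reasons = []
        if rec["ua"] in KNOWN_METASPLOIT_UAS:
            reasons.append("known Metasploit User-Agent")
        reasons += structural_anomalies(rec["ua"])
        if reasons:
            hits.append({"ip": rec["ip"], "ua": rec["ua"], "reasons": reasons})
    return hits


# Constructed log lines (not captured traffic): an ordinary browser, the
# truncated string, the RSPEC string and a complete, well-formed .NET string.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Mar/2015:14:11:00 +0100] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '192.0.2.10 - - [16/Mar/2015:14:12:00 +0100] "GET /index.html HTTP/1.1" 200 88 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; '
    'SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"',
    '192.0.2.11 - - [16/Mar/2015:14:13:00 +0100] "GET /login HTTP/1.1" 404 0 "-" '
    '"Mozilla/4.0 (compatible; Metasploit RSPEC)"',
    '198.51.100.8 - - [16/Mar/2015:14:14:00 +0100] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; '
    '.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], "->", "; ".join(hit["reasons"]))
```

The exact-match set catches only the strings you already know about; the structural check is what makes the SIMBAR string "easy to spot" even if the module's string changes slightly, because a real browser never emits an unclosed comment or a bare `.N`. The fourth log line carries the full MSIE 8 string from Drew's list and stays quiet under the structural check, so add it to the set if you want it matched.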
[…] on the Metasploit User Agent Strings I published a couple of months ago, I made these Snort […]
Pingback by Detecting Network Traffic from Metasploit’s Meterpreter Reverse HTTP Module | Didier Stevens — Monday 11 May 2015 @ 5:52