Exploiting Network infrastructure

Attacks on Network equipment: Routers, Switches, VPN

Mikrotik

• On port 8291 https://github.com/mrmtwoj/0day-mikrotik/blob/master/WinboxExploit.py

Juniper

Hardcoded credentials vulnerabilities:

• 2017: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791 (CVE-2017-2343)
• 2020: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10997&actp=METADATA (CVE-2020-1614)

Cisco

• CVE-2019-1821 https://github.com/k8gege/CiscoExploit

VPN Servers

Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure
CVSS 10.0 Metasploit exploit:
https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html

Citrix NetScaler

CVE-2019-19781

On Dec. 17, 2019, a directory traversal vulnerability was announced in the Citrix Application Discovery Controller and Citrix Gateway, which would allow a remote, unauthenticated user to write a file to a location on disk. Affected products include:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

References:

• https://support.citrix.com/supportkc/filedownload?uri=/filedownload/CTX269180/Check-CVE-2019-19781.zip
• https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/
• https://www.tenable.com/blog/cve-2019-19781-unauthenticated-remote-code-execution-vulnerability-in-citrix-adcs-and-gateways

Home routers

Scan for CVE-2015-3036 (NetUSB Kcodes):

nmap -p 20005 --open 192.168.1.*

Scan for CWMP Modem RCE / XXE:

nmap -p 7457 --open 192.168.1.*

Scan for faximum:

nmap -p 7437 --open 192.168.1.*

Scan for UPnP

nmap -p 37215 -sV --open 192.168.1.*
wget -O - http://192.168.1.1:37215/upnpdev.xml
wget -O - http://192.168.1.1:37215/tr064dev.xml

Physical access exploitation (LAN)

MAC flooding

macof -n 1000

MITM

arpspoof

ettercap

LLMNR poisoning

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

responder -I eth0 -rv

References:

• https://github.com/SpiderLabs/Responder