Exploiting Network infrastructure

Penetration Testing Wiki

Attacks on Network equipment: Routers, Switches, VPN

Mikrotik

Juniper

Hardcoded credentials vulnerabilities:

Cisco

VPN Servers

Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure
CVSS 10.0 Metasploit exploit:
https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html

Citrix NetScaler

CVE-2019-19781

On Dec. 17, 2019, a directory traversal vulnerability was announced in the Citrix Application Delivery Controller (ADC) and Citrix Gateway, which allows a remote, unauthenticated user to write a file to a location on disk. Affected products include:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

References:

Home routers

Scan for CVE-2015-3036 (NetUSB Kcodes):

nmap -p 20005 --open 192.168.1.*

Scan for CWMP Modem RCE / XXE:

nmap -p 7457 --open 192.168.1.*

Scan for faximum:

nmap -p 7437 --open 192.168.1.*

Scan for UPnP:

nmap -p 37215 -sV --open 192.168.1.*
wget -O - http://192.168.1.1:37215/upnpdev.xml
wget -O - http://192.168.1.1:37215/tr064dev.xml

Physical access exploitation (LAN)

MAC flooding

macof -n 1000

MITM

arpspoof
ettercap

LLMNR poisoning

Responder is an LLMNR, NBT-NS and mDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

responder -I eth0 -rv
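Defender-side check for the poisoning described above, added here as an example (not code from the page or from the Responder project): it multicasts an LLMNR query for a random canary name that no legitimate host owns, so any answer at all reveals a poisoner on the segment. It assumes the probing host sits on the same broadcast domain and that LLMNR (UDP 5355) is not blocked; the canary name, transaction id and sample packets are constructed.

```python
import os, random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR multicast group and port (RFC 4795)

def build_llmnr_query(name, txid):
    # DNS wire format: header (id, flags, QD, AN, NS, AR), then QNAME, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    while data[pos] and data[pos] & 0xC0 != 0xC0:  # walk labels until a 0 byte or a pointer
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, terminator 1

def parse_llmnr_answer(data, expected_txid):
    """Return IPv4 addresses from an LLMNR response to our query, or None if it is not one."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:  # QR bit marks a response
        return None
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Ask for a canary name no legitimate host owns; any answer comes from a poisoner."""
    canary, txid = "canary-" + os.urandom(4).hex(), random.randrange(65536)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = sock.recvfrom(1024)
                addrs = parse_llmnr_answer(data, txid)
                if addrs is not None:
                    hits.append((src, addrs))  # responder's IP and the address it claimed
        except socket.timeout:
            pass
    return hits

if __name__ == "__main__": print(probe_for_poisoner())  # non-empty list means a poisoner answered
```

Run it periodically from a monitoring host; a legitimately quiet segment returns an empty list, and each hit gives the source IP to investigate (the claimed address is usually the poisoner's own).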

References: