Attacks on Network equipment: Routers, Switches, VPN
Mikrotik
Juniper
Hardcoded credentials vulnerabilities:
- 2017: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791 (CVE-2017-2343)
- 2020: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10997&actp=METADATA (CVE-2020-1614)
Cisco
- CVE-2019-1821 https://github.com/k8gege/CiscoExploit
VPN Servers
Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure
CVSS 10.0 Metasploit exploit:
https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
Citrix NetScaler
CVE-2019-19781
On Dec. 17, 2019, a directory traversal vulnerability was announced in Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows a remote, unauthenticated user to write a file to an arbitrary location on disk. Affected products include:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
References:
- https://support.citrix.com/supportkc/filedownload?uri=/filedownload/CTX269180/Check-CVE-2019-19781.zip
- https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/
- https://www.tenable.com/blog/cve-2019-19781-unauthenticated-remote-code-execution-vulnerability-in-citrix-adcs-and-gateways
Home routers
Scan for CVE-2015-3036 (NetUSB Kcodes):
nmap -p 20005 --open 192.168.1.*
Scan for CWMP Modem RCE / XXE:
nmap -p 7457 --open 192.168.1.*
Scan for faximum:
nmap -p 7437 --open 192.168.1.*
Scan for UPnP:
nmap -p 37215 -sV --open 192.168.1.*
wget -O - http://192.168.1.1:37215/upnpdev.xml
wget -O - http://192.168.1.1:37215/tr064dev.xml
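The scans above are easier to act on when their output is turned into an inventory of which LAN hosts actually expose which of the four ports. This is an added example, not part of the original page: it parses nmap's grepable output (`-oG`), which the commands above can produce by adding `-oG -`, and reports only ports in the `open` state, since `filtered` means a firewall answered rather than the service. The sample output and the router/host addresses are constructed.

```python
"""Turn nmap -oG output for the ports scanned above into an exposure
inventory. Added example; the sample scan output below is constructed."""
import re
from collections import defaultdict

# Ports the section above scans for, with the exposure each one indicates.
WATCHED_PORTS = {
    20005: "NetUSB (CVE-2015-3036)",
    7457: "CWMP modem management interface",
    7437: "faximum",
    37215: "UPnP (upnpdev.xml / tr064dev.xml)",
}

# Constructed sample of `nmap -oG - -p 20005,7457,7437,37215 192.168.1.0/24`
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -oG - -p 20005,7457,7437,37215 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 7437/closed/tcp//faximum///, 7457/closed/tcp//unknown///, 20005/open/tcp//btx///, 37215/open/tcp//unknown///
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 7437/filtered/tcp//faximum///, 7457/filtered/tcp//unknown///, 20005/filtered/tcp//btx///, 37215/filtered/tcp//unknown///
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 7437/closed/tcp//faximum///, 7457/open/tcp//unknown///, 20005/closed/tcp//btx///, 37215/closed/tcp//unknown///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>"; a trailing "Ignored State:" field may follow
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: {port: state}} for every Ports: line in -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status: lines carry no port data
        ip, _hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, proto, owner, service, rpcinfo, version
            if len(fields) < 3:
                continue
            hosts[ip][int(fields[0])] = fields[1]
    return dict(hosts)


def exposed_services(text, watched=WATCHED_PORTS):
    """Return {ip: [(port, label), ...]} for hosts with a watched port open."""
    findings = {}
    for ip, ports in parse_grepable(text).items():
        hits = [(p, watched[p]) for p, state in sorted(ports.items())
                if state == "open" and p in watched]
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in exposed_services(SAMPLE_OG).items():
        for port, label in hits:
            print(f"{ip}\t{port}/tcp\t{label}")
```

Feed it a real file with `exposed_services(open("scan.gnmap").read())`; anything it lists is a management or UPnP service reachable from the LAN and should be disabled on the router or firewalled off.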
Physical access exploitation (LAN)
MAC flooding
macof -n 1000
MITM
arpspoof
ettercap
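Both LAN attacks above leave a simple signature: macof floods one switch port with thousands of never-before-seen source MACs, and arpspoof/ettercap make a second MAC claim the gateway's IP in ARP replies. The following is an added example, not part of the original page, showing the detection logic for each over constructed observations; the event tuples stand in for a switch's MAC-learning log and for ARP replies captured on the segment, and the ports, addresses and thresholds are made up.

```python
"""Detection for MAC flooding and ARP spoofing over constructed observations.
Added example, not part of the original page."""
from collections import defaultdict, deque

# Constructed: (timestamp_s, switch_port, src_mac) address-learning events.
# Gi0/1 and Gi0/2 behave normally; Gi0/7 sees a macof-style burst of
# 300 random source MACs within 0.3 s.
MAC_EVENTS = [(0.0, "Gi0/1", "aa:bb:cc:00:00:01"),
              (0.5, "Gi0/2", "aa:bb:cc:00:00:02")]
MAC_EVENTS += [(1.0 + i * 0.001, "Gi0/7",
                "02:00:00:{:02x}:{:02x}:{:02x}".format(i >> 16, (i >> 8) & 0xFF, i & 0xFF))
               for i in range(300)]

# Constructed: (timestamp_s, sender_ip, sender_mac) from ARP replies on the wire.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    (5.0, "192.168.1.30", "00:aa:bb:cc:dd:ee"),
    (9.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # same IP, different MAC
    (9.5, "192.168.1.1", "de:ad:be:ef:00:01"),
    (10.0, "192.168.1.1", "00:11:22:33:44:55"),  # real gateway again
]


def mac_flood_alerts(events, window_s=1.0, max_macs=100):
    """Flag switch ports that learn more than max_macs distinct source MACs
    inside any sliding window of window_s seconds. Returns {port: peak}."""
    recent = defaultdict(deque)   # port -> (ts, mac) events inside the window
    alerts = {}
    for ts, port, mac in sorted(events):
        q = recent[port]
        q.append((ts, mac))
        while ts - q[0][0] > window_s:
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > max_macs:
            alerts[port] = max(alerts.get(port, 0), distinct)
    return alerts


def arp_conflicts(replies, baseline=None):
    """Return {ip: sorted MAC list} for IPs claimed by more than one MAC.
    `baseline` ({ip: mac}) pins known-good entries such as the gateway so a
    conflict is flagged on the very first bogus reply, not only after both
    MACs have been seen on the wire."""
    claims = defaultdict(set)
    for ip, mac in (baseline or {}).items():
        claims[ip].add(mac.lower())
    for _ts, ip, mac in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    print("MAC flood:", mac_flood_alerts(MAC_EVENTS))
    print("ARP conflicts:", arp_conflicts(ARP_REPLIES))
```

On managed switches the same two conditions are what port security (a cap on learned MACs per port) and Dynamic ARP Inspection enforce in hardware; the script is the equivalent check for logs or captures from a segment where those features are not enabled.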
LLMNR poisoning
Responder is an LLMNR, NBT-NS and mDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
responder -I eth0 -rv
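A poisoner like Responder answers every LLMNR query it hears, so the standard detection is a canary: periodically query LLMNR (UDP 5355, multicast 224.0.0.252) for a hostname that no real machine has and alert on any response. The following is an added example, not part of the original page or of Responder, that builds and parses the DNS-format packets LLMNR uses (RFC 4795) and flags responses to a canary name; the canary name `canary-fs`, the capture and all addresses are constructed.

```python
"""LLMNR poisoning detection by canary name, over constructed packets.
Added example, not part of the original page."""
import struct

LLMNR_PORT = 5355                 # UDP port the probe and responses use
CANARY_NAMES = {"canary-fs"}      # constructed; nothing legitimate resolves them


def encode_name(name):
    """DNS label encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(txid, name):
    """Constructed LLMNR A query, as the defender's canary probe would send."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Constructed LLMNR response mapping `name` to `ip` (what a poisoner sends)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)      # QR bit set, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + rr


def decode_name(buf, off):
    """Decode a DNS name at `off`, following compression pointers. Returns (name, next_off)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:      # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(buf, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n


def parse_llmnr(payload):
    """Parse header, questions and answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(payload, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def find_poisoners(packets, canaries=CANARY_NAMES):
    """packets: iterable of (src_ip, udp_payload). Returns [(src_ip, name, answered_ip)]
    for every LLMNR response that resolves a canary name; queries are ignored."""
    hits = []
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if not msg["response"]:
            continue
        for name, rtype, _ttl, rdata in msg["answers"]:
            if rtype == 1 and name.lower() in canaries:
                hits.append((src, name, rdata))
    return hits


# Constructed capture: our canary probe, an unrelated query from a peer, and a poisoned reply.
CAPTURE = [
    ("192.168.1.10", build_query(0x1234, "canary-fs")),
    ("192.168.1.31", build_query(0x0042, "printer01")),
    ("192.168.1.66", build_response(0x1234, "canary-fs", "192.168.1.66")),
]

if __name__ == "__main__":
    for src, name, ip in find_poisoners(CAPTURE):
        print(f"LLMNR poisoner {src} answered {name} with {ip}")
```

Any source that appears in the result is answering for a name it cannot legitimately own. The mitigation that removes the attack surface altogether is disabling LLMNR and NBT-NS on the clients (the "Turn off multicast name resolution" policy under Computer Configuration > Administrative Templates > Network > DNS Client), after which the canary probe doubles as a compliance check.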
References: