http://[target]/dana-na/auth/url_default/welcome.cgi URL.
@infosecmafia and I mentioned in our DerbyCon talk how you can sometimes find extra or test URLs that are also valid URLs for the Juniper VPN. The example we used was where the url_default required secret questions but url_8 or whatever did not because it was a test URL the admins had set up.
Soooooooo, it's worth running a quick check if you come across one. I wrote a Metasploit auxiliary module to do this. Pretty simple, it just runs through url_0 through url_100 and prints out the 200 replies. Looks like so:
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_0/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_1/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_2/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_3/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_4/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_5/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_6/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_8/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_9/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_12/welcome.cgi
Random example:
url_default
url_3
url_8
url_10
Available on my github repo until I get around to doing a pull request.
-CG
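From the defender's side, a sweep like the one above shows up in web logs as one client asking for many different /dana-na/auth/url_N/welcome.cgi pages in a row. The sketch below is an added example, not the Metasploit module from this post or any Juniper tooling; the log format (Common Log Format style), the sample lines, the function names and the threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sign-in URL pattern from the post: /dana-na/auth/url_<name>/welcome.cgi
SIGNIN_RE = re.compile(r"/dana-na/auth/url_([A-Za-z0-9]+)/welcome\.cgi")
# Assumed log shape (Common Log Format style), not a documented appliance format:
#   ip - - [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')


def find_signin_sweeps(lines, min_distinct=5):
    """Flag clients that requested >= min_distinct different url_N sign-in pages.

    Returns {ip: {"probed": [...], "found": [...]}}; "found" lists the names that
    answered 200, i.e. the sign-in URLs an admin should review.
    """
    probed, found = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        s = SIGNIN_RE.search(m.group(2)) if m else None
        if not s:
            continue  # unparseable line or not a sign-in page request
        ip, name = m.group(1), s.group(1)
        probed[ip].add(name)
        if m.group(3) == "200":
            found[ip].add(name)
    order = lambda n: (len(n), n)  # url_2 before url_10, url_default last
    return {ip: {"probed": sorted(names, key=order),
                 "found": sorted(found[ip], key=order)}
            for ip, names in probed.items() if len(names) >= min_distinct}


def build_sample_log():
    """Constructed sample: one sweep of url_0..url_12 plus one ordinary user."""
    live = {0, 1, 3, 8, 12}  # constructed: which test URLs exist on this fake device
    log = ['203.0.113.7 - - [01/Jan/2024:10:00:%02d +0000] '
           '"HEAD /dana-na/auth/url_%d/welcome.cgi HTTP/1.1" %d 0'
           % (n, n, 200 if n in live else 404) for n in range(13)]
    log.append('198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] '
               '"GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 7000')
    return log


if __name__ == "__main__":
    for ip, hit in find_signin_sweeps(build_sample_log()).items():
        print(ip, "probed", len(hit["probed"]), "sign-in URLs; 200 for", hit["found"])
```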
This comment has been removed by a blog administrator.
ORIGINAL COMMENT
"HUNDREDTi has left a new comment on your post "Funky Juniper URLs":
Hi!!, You know?
VPN SCANNER
http://www.netprotect.ch/tools.html
This tool conducts a simple information gathering (find administrative logins, find multiple logins, read schema files, find access to extra modules etc.) and vulnerability testing (common juniper vulnerabilities according to CVE) on Juniper SSL VPN devices.
- Don't forget to try the other tools posted on the web
Best regards "
you going to provide the password?
Hi!, Download SWAT,
This application contains the "Juniper VPN Scanner" tool, which allows the following attacks:
Multiple sign-in pages (you can configure it to perform dictionary attacks)
admin access
web root
Setup files
Auth bypass
Meeting test
XSS test
http://www.netprotect.ch/Swat_Setup.msi
http://www.netprotect.ch/images/key.txt
(do not forget to try the tool fully)
don't forget
/dana-na/auth/url_admin/welcome.cgi
And
/dana/home/basicauth_userpass.cgi
/,dana-na/,IP=192.168.8.8,port=80
Also check for http://www.securityfocus.com/archive/1/archive/1/511775/100/0/threaded
for i in {1..100}; do echo -n "$i:"; curl -s -I https://example.com/dana-na/auth/url_$i/welcome.cgi | head -n 1; done | grep -v 404