Automation

Introduction

While automation should not be relied on too heavily, it can assist when scanning the external perimiter of an organization during a penetration test to quickly identify low-hanging fruits. In this specific instance, I am referring to Nuclei from Project Discovery, however, other tooling to automate your penetration tests exists such as leveraging a vulnerability scanner like Burp Suite's Active Scan or Nessus.

Nuclei

To further improve your penetration test workflow, creating custom templates with Nuclei is highly recommended for common findings. For example, during a penetration test I observed several devices leveraging the same default credentials - a check for this can be quickly automated using Nuclei's scanner:

id: yealink-default-login

info:
  name: Yealink CTP18 - Default Login
  author: parzival
  severity: high
  description: |
    Yealink CTP18 Default Administrator Credentials Discovered.
  reference:
    - https://support.yealink.com
  metadata:
    fofa-query: Yealink CTP18
    max-request: 1
    verified: true
  tags: default-login,yealink

http:
  - raw:
      - |
        POST /api/auth/login?p=Login&t=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: application/json, text/plain, */*

        username={{username}}&pwd={{password}}

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - '0000'

    host-redirects: true
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ret":"ok","data":"ok"}'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

PreviousFortress NextCisco

Last updated 1 year ago

Automation

Introduction

Nuclei

id: yealink-default-login

info:
  name: Yealink CTP18 - Default Login
  author: parzival
  severity: high
  description: |
    Yealink CTP18 Default Administrator Credentials Discovered.
  reference:
    - https://support.yealink.com
  metadata:
    fofa-query: Yealink CTP18
    max-request: 1
    verified: true
  tags: default-login,yealink

http:
  - raw:
      - |
        POST /api/auth/login?p=Login&t=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: application/json, text/plain, */*

        username={{username}}&pwd={{password}}

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - '0000'

    host-redirects: true
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ret":"ok","data":"ok"}'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

PreviousFortress NextCisco

Last updated 1 year ago