Automation
Introduction
Automation should not be relied on too heavily, but it can help when scanning an organisation's external perimeter during a penetration test, quickly surfacing low-hanging fruit. Here I am referring specifically to Nuclei from Project Discovery; other tooling exists to automate parts of a penetration test, such as a vulnerability scanner like Burp Suite's Active Scan or Nessus.
Nuclei
To further improve your penetration test workflow, writing custom Nuclei templates for findings you encounter repeatedly is highly recommended. For example, during a penetration test I observed several devices using the same default credentials; a check for this can be automated quickly with a Nuclei template such as the one below (note the blank line separating the headers from the form body in the raw request, which the HTTP request needs):
```yaml
id: yealink-default-login

info:
  name: Yealink CTP18 - Default Login
  author: parzival
  severity: high
  description: |
    Yealink CTP18 Default Administrator Credentials Discovered.
  reference:
    - https://support.yealink.com
  metadata:
    fofa-query: Yealink CTP18
    max-request: 1
    verified: true
  tags: default-login,yealink

http:
  - raw:
      - |
        POST /api/auth/login?p=Login&t=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: application/json, text/plain, */*

        username={{username}}&pwd={{password}}

    # pitchfork walks the username and password lists in lockstep,
    # so each request tries exactly one credential pair
    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - '0000'

    host-redirects: true
    cookie-reuse: true

    # all three matchers must hit before the finding is reported
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ret":"ok","data":"ok"}'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
```
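To see exactly what the template's matchers encode, and to compare pitchfork against clusterbomb pairing before choosing an attack mode for a larger credential list, here is an added Python example. It is not the template author's code and not part of Nuclei; it reproduces the same check (POST to the login endpoint, then require the JSON success marker in the body, `text/html` in the Content-Type header and a 200 status) against a constructed local stand-in for the device's login endpoint. The endpoint path, form fields, response marker and the admin/0000 pair are taken from the template; the mock server and everything else are assumptions for the sake of running offline.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from itertools import product

# Values lifted from the template above.
LOGIN_PATH = "/api/auth/login?p=Login&t=1"
SUCCESS_MARKER = '{"ret":"ok","data":"ok"}'

# Constructed stand-in for the device: accepts only the template's
# default pair. Hypothetical behaviour, not real Yealink firmware.
MOCK_VALID_PAIRS = {("admin", "0000")}


class MockLoginHandler(BaseHTTPRequestHandler):
    """Answers the login endpoint the way the template's matchers expect."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        pair = (form.get("username", [""])[0], form.get("pwd", [""])[0])
        ok = self.path.startswith("/api/auth/login") and pair in MOCK_VALID_PAIRS
        body = SUCCESS_MARKER if ok else '{"ret":"fail","data":"bad credentials"}'
        self.send_response(200)  # the mock answers 200 for success and failure alike
        self.send_header("Content-Type", "text/html")  # assumed, mirrors the header matcher
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def pitchfork(usernames, passwords):
    """Nuclei 'pitchfork': walk both lists in lockstep (admin/0000, root/root, ...)."""
    return list(zip(usernames, passwords))


def clusterbomb(usernames, passwords):
    """Nuclei 'clusterbomb': every username against every password."""
    return list(product(usernames, passwords))


def check_default_login(base_url, username, password, timeout=5):
    """Send one login attempt and apply the template's three matchers with AND."""
    data = urllib.parse.urlencode({"username": username, "pwd": password}).encode()
    req = urllib.request.Request(
        base_url + LOGIN_PATH, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json, text/plain, */*"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
            return (resp.status == 200
                    and "text/html" in resp.headers.get("Content-Type", "")
                    and SUCCESS_MARKER in body)
    except (urllib.error.URLError, OSError):
        return False  # unreachable host or timeout is a non-finding, not an error


def run_scan(base_url, pairs):
    """Return the credential pairs that log in successfully, in the order tried."""
    return [(u, p) for u, p in pairs if check_default_login(base_url, u, p)]


def start_mock_server():
    """Start the constructed device on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_mock_server()
    print("pitchfork hits:", run_scan(url, pitchfork(["admin", "root"], ["0000", "root"])))
    print("clusterbomb hits:", run_scan(url, clusterbomb(["admin", "root"], ["0000", "root"])))
    server.shutdown()
```

Against real targets, validate the template first with `nuclei -validate -t yealink-default-login.yaml`, then run it with `nuclei -t yealink-default-login.yaml -l targets.txt`. One caveat on the matchers: because of `matchers-condition: and`, the header matcher requires `text/html` in the response even though the body marker is JSON, so confirm against a real device which Content-Type it returns; if it answers `application/json`, the template silently never matches and the default credentials are missed.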