Cisco Adaptive Security Appliance
Last updated 2 years ago

Cisco Adaptive Security Appliance (ASA)

CVE-2020-3452

# Validate with Metasploit
use auxiliary/scanner/http/cisco_directory_traversal

List of files from some light reverse engineering of a Cisco ASA device:

+CSCOCA+/ca_inc.lua
+CSCOCA+/crl/asa_ca.crl
+CSCOCA+/enroll.html
+CSCOCA+/login.html
+CSCOE+/041235123432C2
+CSCOE+/041235123432U2
+CSCOE+/app_index.html
+CSCOE+/appstart.js
+CSCOE+/appstatus
+CSCOE+/ask.html
+CSCOE+/auth.html
+CSCOE+/autosignon_api.js
+CSCOE+/blank.html
+CSCOE+/cedf.html
+CSCOE+/cedhelp.html
+CSCOE+/ced.html
+CSCOE+/cedlogon.html
+CSCOE+/cedmain.html
+CSCOE+/cedportal.html
+CSCOE+/cedsave.html
+CSCOE+/cert.html
+CSCOE+/color_picker.html
+CSCOE+/color_picker.js
+CSCOE+/common.js
+CSCOE+/commonspawn.js
+CSCOE+/display_bookmarks.lua
+CSCOE+/files/browse.html
+CSCOE+/files/domains_retr
+CSCOE+/files/file_action.html
+CSCOE+/files/files.js
+CSCOE+/files/files_retr
+CSCOE+/files/webfolder
+CSCOE+/files/wfolder
+CSCOE+/gp-gip.html
+CSCOE+/handler
+CSCOE+/help/webvpn_help
+CSCOE+/home/index.html
+CSCOE+/http_auth.html
+CSCOE+/include/browser_inc.lua
+CSCOE+/include/common.lua
+CSCOE+/include/plugin.lua
+CSCOE+/lced.html
+CSCOE+/load_bookmarks.lua
+CSCOE+/localization_inc.lua
+CSCOE+/logo.gif
+CSCOE+/logon_custom.css
+CSCOE+/logon_forms.js
+CSCOE+/logon.html
+CSCOE+/logon_redirect.html
+CSCOE+/logout.html
+CSCOE+/message.html
+CSCOE+/noportal.html
+CSCOE+/nostcaccess.html
+CSCOE+/no_svc.html
+CSCOE+/ping.html
+CSCOE+/pluginlib.js
+CSCOE+/portal_ce.html
+CSCOE+/portal.css
+CSCOE+/portal_custom.css
+CSCOE+/portal_elements.html
+CSCOE+/portal_forms.js
+CSCOE+/portal.html
+CSCOE+/portal_inc.lua
+CSCOE+/portal.js
+CSCOE+/posturl.html
+CSCOE+/preview.html
+CSCOE+/relayjar.html
+CSCOE+/relaymonjar.html
+CSCOE+/relaymonocx.html
+CSCOE+/relayocx.html
+CSCOE+/running.conf
+CSCOE+/saml/sp/acs
+CSCOE+/saml/sp/login
+CSCOE+/saml/sp/metadata
+CSCOE+/save_capture.html
+CSCOE+/sdesktop/fail.html
+CSCOE+/sdesktop/logout.html
+CSCOE+/sdesktop/scan.xml
+CSCOE+/sdesktop/tokenrenew.xml
+CSCOE+/sdesktop/token.xml
+CSCOE+/sdesktop/wait.html
+CSCOE+/sdesktop/webstart.xml
+CSCOE+/session.js
+CSCOE+/session_password.html
+CSCOE+/sess_update.html
+CSCOE+/shshim
+CSCOE+/shshimdo_url
+CSCOE+/smart_tunnel_install.html
+CSCOE+/st_dl.json
+CSCOE+/svc.html
+CSCOE+/tlbr
+CSCOE+/tlbrportal_forms.js
+CSCOE+/tunnel_linux.jnlp
+CSCOE+/tunnel_mac.html
+CSCOE+/tunnel_mac.jnlp
+CSCOE+/useralert.html
+CSCOE+/user_dialog.html
+CSCOE+/win.js
+CSCOE+/wrong_url.html
+CSCOL+/cte_fallback.js
+CSCOL+/cte.js
+CSCOL+/relayparam.js
+CSCOL+/sw.js
+CSCOL+/xsl.js
CSCOSSLC/config-auth
+CSCOT+/oem-customization
+CSCOT+/translation
+CSCOT+/translation-table
+CSCOU+/anyconnect_unsupported_version.html
+CSCOU+/anyconnect_wrong_url.html
+CSCOU+/portal.css
+CSCOU+/sample.html
locale/manifest_data.lua
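
Added example (not part of these notes): a small Python log check that flags requests to the two +CSCOT+ endpoints from the list above whose decoded query string carries a traversal sequence or a reference into a +CSCOx+ web-filesystem tree, which is the shape that CVE-2020-3452 abuse leaves in the web access log. The sample log lines and the query parameter names in them are constructed for this example.

```python
import re
from urllib.parse import unquote

# The two +CSCOT+ endpoints from the file list above; both take a file name
# in their query string, so traversal attempts show up there (watch list
# chosen for this example).
WATCHED_ENDPOINTS = ("/+CSCOT+/translation-table", "/+CSCOT+/oem-customization")

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")          # "../" or a trailing ".."
WEBFS_RE = re.compile(r"\+CSCO[A-Z]\+/?[\w./-]*")      # e.g. +CSCOE+/portal_inc.lua

def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding; '%2b' hides '+', '%2e' hides '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(target):
    """Return a reason if the request target looks like traversal abuse, else None."""
    path, _, query = fully_decode(target).partition("?")
    if not path.startswith(WATCHED_ENDPOINTS):
        return None
    if TRAVERSAL_RE.search(query):
        return "traversal sequence in query"
    m = WEBFS_RE.search(query)
    if m:
        return "web-fs path referenced in query: " + m.group(0)
    return None

def scan_log(lines):
    """Yield (status, target, reason) for each suspicious access-log entry."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and (reason := classify(m.group("target"))):
            yield m.group("status"), m.group("target"), reason

# Constructed sample lines in combined log format; query parameter names are
# hypothetical and the source addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jul/2020:10:01:05 +0000] "GET /+CSCOT+/translation-table?type=mst&lang=../ HTTP/1.1" 200 890',
    '198.51.100.9 - - [22/Jul/2020:10:02:11 +0000] "GET /+CSCOT+/oem-customization?name=%252bCSCOE%252brunning.conf HTTP/1.1" 200 4100',
    '198.51.100.9 - - [22/Jul/2020:10:02:30 +0000] "GET /+CSCOT+/translation-table?type=mst&lang=en HTTP/1.1" 200 890',
]
```

Running `list(scan_log(SAMPLE_LOG))` returns the two suspicious entries; a 200 status on a flagged request is the signal that the file was actually served.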

CVE-2020-3580

If you have compromised a valid user's session on a Cisco ASA, you can recover plaintext credentials with the following exploit:

GitHub - cygenta/CVE-2020-3452
GitHub - catatonicprime/CVE-2020-3580: Additional exploits for XSS in Cisco ASA devices discovered by PTSwarm