diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index a128c17e554..0b45128bc4e 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md 
@@ -658,6 +658,46 @@ In Open Shortest Path First (OSPF) protocol **MD5 authentication is commonly emp - **Configuring Route Parameters:** This is done through the _Injection_ tab. - **Setting the Compromised Key:** The key is configured under the _Connection_ tab. +### Cisco SD-WAN Control-Plane Attacks + +Cisco Catalyst SD-WAN controllers expose a **DTLS control-plane service on UDP/12346** (`vdaemon`). Treat it like a routing-adjacency surface, not "just another management port": if you can become an authenticated peer, you can usually pivot into the whole overlay fabric. + +**Interesting protocol details:** +- `vdaemon` uses a **12-byte header** where the **high nibble** of `device_info` encodes the claimed device role (`1` vEdge, `2` vHub, `3` vSmart, `4` vBond, `5` vManage, `6` ZTP). +- The DTLS handshake itself is **not sufficient authentication**. Peer trust is finalized later during `CHALLENGE_ACK` processing. +- `CHALLENGE_ACK` (**message type `9`**) is reachable **before authentication**, because it is part of the control-plane bootstrap allowlist. + +**Practical attack pattern:** +- In CVE-2026-20182, Rapid7 showed that `vbond_proc_challenge_ack()` verified some roles (`vEdge`, `vSmart`, `vManage`) but had **no verification branch for claimed role `2` / vHub**. +- Because the function later fell through to `peer->authenticated = 1`, an attacker could complete DTLS with **any certificate**, send `CHALLENGE_ACK` with the **high nibble of `device_info` set to `2`**, then send `Hello` and transition to an **UP authenticated peer**. +- This is a good pattern to hunt in other proprietary control planes: **attacker-controlled role selection + missing default-deny branch + pre-auth handshake messages**. + +**Post-auth pivot worth checking:** +- Once treated as an authenticated peer, the controller accepted `MSG_VMANAGE_TO_PEER` (**message type `14`**) and appended attacker-controlled data to `/home/vmanage-admin/.ssh/authorized_keys`. 
+- That turns a control-plane foothold into **persistent NETCONF over SSH** access on **TCP/830** as `vmanage-admin`. +- Review similar appliances for post-auth messages that write **SSH keys, API tokens, trust bundles, or bootstrap secrets** for privileged internal service accounts. + +**Exposure triage / offensive workflow:** + +```bash +# Discover the control-plane and follow-on management ports +nmap -sU -p12346 +nmap -sT -p22,830 + +# Rapid7 module automating the vHub auth bypass + SSH key injection +msf6 > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass +msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > set RHOSTS +msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > run + +# If the target accepts the injected key, pivot to NETCONF over SSH +ssh -i vmanage-admin@ -p 830 +``` + +**Detection / validation ideas:** +- Audit Internet-facing or cross-trust-boundary exposure of **UDP/12346** and **TCP/830**. +- Inspect `/home/vmanage-admin/.ssh/authorized_keys` for unexpected appended keys after control-plane events. +- After gaining NETCONF, remember that configuration and state retrieval may be available even if a normal shell is not. + ### Other Generic Tools & Sources - [**Above**](https://github.com/c4s73r/Above): Tool to scan network traffic and find vulnerabilities 
@@ -992,6 +1032,8 @@ telecom-network-exploitation.md ## References +- [Rapid7: CVE-2026-20182 - Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/) +- [Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) - **Network Security Assessment: Know Your Network (3rd edition)** - **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood**
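Review bot: In the first hunk the `bash` block in the "Exposure triage / offensive workflow" subsection has lost its placeholders: `nmap -sU -p12346`, `nmap -sT -p22,830`, `set RHOSTS` and `ssh -i vmanage-admin@ -p 830` have no target, key path or host, so the commands do not run as written (angle-bracket tokens such as `<TARGET>` were most likely dropped when the markdown was rendered). Use placeholders that survive rendering, e.g. `nmap -sU -p12346 TARGET`, `set RHOSTS TARGET` and `ssh -i KEY_FILE vmanage-admin@TARGET -p 830`, and say in a comment that they are placeholders. Two smaller points in the same hunk: the last bullet under "Detection / validation ideas" ("After gaining NETCONF, remember that configuration and state retrieval may be available...") is an operator note, not a detection or validation check, and belongs in the workflow subsection above it; and since the section names CVE-2026-20182 and the Cisco advisory, the "Practical attack pattern" bullets should state the affected and fixed controller versions from the advisory so a reader can tell whether a given deployment is still exposed.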
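Review bot: In the References hunk, the Rapid7 URL slug begins with `ve-cve-2026-20182-...`, which looks like a truncated or mistyped path; please confirm it resolves before merging. The two new entries also use a "Title (link)" style while the neighbouring medium.com entry is a bare URL; pick one style for the list so the new advisory and blog entries match their neighbours.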