If you've ever tested any clients that have Juniper VPNs you've probably seen the ol' http://[target]/dana-na/auth/url_default/welcome.cgi URL.
@infosecmafia and I mentioned in our DerbyCon talk how you can sometimes find extra or test URLs that are also valid URLs for the Juniper VPN. The example we used was where the url_default required secret questions but url_8 or whatever did not because it was a test URL the admins had set up.
Soooooooo, it's worth running a quick check if you come across one. I wrote a Metasploit auxiliary module to do this. Pretty simple, it just runs thru url_0 through url_100 and prints out the 200 replies. Looks like so:
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_0/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_1/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_2/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_3/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_4/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_5/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_6/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_8/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_9/welcome.cgi
[+] 192.168.1.1:443 Received a HTTP 200 with bytes for /dana-na/auth/url_12/welcome.cgi
Seeing these doesn't ALWAYS mean you have a multi-factor bypass but it's worth checking out if the main site is multi-factor.
Random example:
url_default
url_3
url_8
url_10
Available on my GitHub repo until I get around to doing a pull request.
-CG
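
On the defensive side, a sweep like this stands out in web access logs. The following is an added example, not code from the original post or the Metasploit module: it flags clients that request many distinct url_N sign-in paths and lists the ones that answered 200, so those sign-in policies can be compared against url_default. The log lines are constructed and use a generic combined-log layout (an assumption, not the appliance's own log format); the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Sign-in path shape taken from the post: /dana-na/auth/url_<N|default>/welcome.cgi
SIGNIN_RE = re.compile(
    r'"(?:GET|HEAD|POST) /dana-na/auth/(url_\w+)/welcome\.cgi[^"]*" (\d{3})')

def _order(name):
    # Sort url_2 before url_12; non-numeric names (url_default) go last.
    suffix = name[len("url_"):]
    return (0, int(suffix)) if suffix.isdigit() else (1, suffix)

def find_signin_enumeration(log_lines, threshold=5):
    """Return {client_ip: [sign-in URLs that answered 200]} for clients that
    requested at least `threshold` distinct url_* sign-in paths."""
    requested = defaultdict(set)
    answered = defaultdict(set)
    for line in log_lines:
        match = SIGNIN_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]   # first field is the client IP (assumed layout)
        name, status = match.groups()
        requested[client].add(name)
        if status == "200":
            answered[client].add(name)
    return {client: sorted(answered[client], key=_order)
            for client, names in requested.items() if len(names) >= threshold}

# Constructed sample data: which url_N exist on an imaginary appliance.
LIVE = {0, 1, 2, 3, 8}
SAMPLE_LOG = [
    # One ordinary user hitting the default sign-in page.
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
] + [
    # One client walking url_0 .. url_12 in sequence.
    f'203.0.113.50 - - [01/Jan/2024:10:05:{n:02d} +0000] '
    f'"GET /dana-na/auth/url_{n}/welcome.cgi HTTP/1.1" '
    f'{200 if n in LIVE else 404} 512'
    for n in range(13)
]

if __name__ == "__main__":
    for client, urls in find_signin_enumeration(SAMPLE_LOG).items():
        print(f"{client} swept sign-in URLs; live ones to review: {', '.join(urls)}")
```

Every URL it reports is a sign-in policy reachable from outside, so each one should enforce the same factors as url_default or be removed.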