Description
First of all: thanks for the excellent tool. I just found it, so I haven't used it during a testing engagement yet, but it has the potential to save a huge amount of time during testing and to skip the most mundane activity during pen tests of large networks: walking through all the web consoles for yet another (and another, ...) device/appliance and trying out default creds manually.

That being said, during my pen test I've recently found an instance of Aruba ClearPass (https://www.arubanetworks.com/products/security/network-access-control/) and guess what, the default credentials admin:eTIPS123 worked perfectly :).

After finding changeme I've decided to add ClearPass to it. The authentication to ClearPass is straightforward and could be summed up with the following curl invocations:
Failed authn:

```
curl -x 127.0.0.1:8080 -v -k --url https://<ip>/tips/tipsLoginSubmit.action -d 'username=admin&password=badpass'
# Response:
< HTTP/1.1 200 OK
< Date: Thu, 23 May 2019 16:35:18 GMT
...
```

Successful authn:

```
curl -x 127.0.0.1:8080 -v -k --url https://<ip>/tips/tipsLoginSubmit.action -d 'username=admin&password=eTIPS123'
# Response:
< HTTP/1.1 302 Found
< Date: Thu, 23 May 2019 16:37:28 GMT
...
(empty body)
```

So the HTTP status code 200 vs 302 differentiates successful vs failed authn.

Fingerprinting:

```
curl -s -x 127.0.0.1:8080 -k --url https://<ip>/tips/tipsLogin.action | grep '<title>ClearPass Policy Manager - Aruba Networks</title>'
# Response:
<title>ClearPass Policy Manager - Aruba Networks</title>
```
So I've prepared (with --mkcred) the following yaml file for changeme:

```yaml
auth:
  credentials:
  - password: eTIPS123
    username: admin
  headers: []
  post:
    password: password
    username: username
  sessionid: JSESSIONID
  success:
    body:
    - ""
    status: 302
  type: post
  url:
  - /tips/tipsLoginSubmit.action
category: general
contributor: mzet
default_port: 443
fingerprint:
  body:
  - <title>ClearPass Policy Manager - Aruba Networks</title>
  status: 200
  url:
  - /tips/tipsLogin.action
name: ClearPass
protocol: http
ssl: true
```
Unfortunately the default creds aren't identified:

What have I missed? Or maybe the yaml file is wrong?
Best,
mzet
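As an added illustration (not part of the issue and not changeme's own code), the snippet below evaluates the two curl responses quoted in the post against the `success` and `fingerprint` rules of the yaml above, so the expected outcome of each rule can be checked offline before running the tool against a device. The matching semantics are an assumption made for this example: the status must be equal and every listed body string must occur in the response body. The response bodies are constructed, since the post only shows headers; the spec is transcribed into a dict so no yaml library is needed.

```python
"""Offline check of a changeme-style plugin spec against sample responses.

Added example, not changeme's code. The matching semantics (exact status,
every 'body' string must be a substring of the response) are assumed.
"""

# Transcription of the relevant parts of the post's yaml as a dict.
CLEARPASS_SPEC = {
    "auth": {
        "success": {"status": 302, "body": [""]},
        "url": ["/tips/tipsLoginSubmit.action"],
    },
    "fingerprint": {
        "status": 200,
        "body": ["<title>ClearPass Policy Manager - Aruba Networks</title>"],
        "url": ["/tips/tipsLogin.action"],
    },
}


def rule_matches(rule, status, body):
    """True when the response status equals rule['status'] and every string
    in rule['body'] occurs in the body.

    Note: an empty string in rule['body'] is satisfied by any body, including
    an empty one (Python's '' in s is always True), so it adds no constraint
    beyond the status check.
    """
    if status != rule["status"]:
        return False
    return all(needle in body for needle in rule.get("body", []))


def classify_login(status, body, spec=CLEARPASS_SPEC):
    """Label a login response as 'success' or 'failed' per the auth rule."""
    return "success" if rule_matches(spec["auth"]["success"], status, body) else "failed"


def fingerprint_matches(status, body, spec=CLEARPASS_SPEC):
    """True when the login page response satisfies the fingerprint rule."""
    return rule_matches(spec["fingerprint"], status, body)


# Constructed responses modelled on the curl output in the post
# (status codes from the post; bodies are made up for the example).
FAILED_LOGIN = (200, "<html><head><title>ClearPass Policy Manager - Aruba Networks"
                     "</title></head><body>Login failed</body></html>")
SUCCESS_LOGIN = (302, "")
LOGIN_PAGE = (200, "<html><head><title>ClearPass Policy Manager - Aruba Networks"
                   "</title></head><body>...</body></html>")
OTHER_PAGE = (200, "<html><head><title>Some other appliance</title></head></html>")


if __name__ == "__main__":
    print("bad password  ->", classify_login(*FAILED_LOGIN))     # failed
    print("default creds ->", classify_login(*SUCCESS_LOGIN))    # success
    print("login page    ->", fingerprint_matches(*LOGIN_PAGE))  # True
    print("other page    ->", fingerprint_matches(*OTHER_PAGE))  # False
```

Running it shows that, under these assumed semantics, both rules in the yaml do classify the post's responses as intended (302 with an empty body is a success, the 200 login page matches the fingerprint), which narrows the search for the problem to how the tool itself applies the spec rather than to the status/body values chosen.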