Exploit allowing for the recovery of cleartext credentials. This tool is provided for testing purposes only. Only run it against infrastructure for which you have recieved permission to test.
Headnod to those who discovered the exploit, more information by the researcher can be found here: https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
This exploit was developed to pull the interesting credentials straight out of the binary, rather than require someone to run strings and review the output.
Google Dork: inurl:remote/login?lang=
This vulnerability affects the following versions:
FortiOS 5.6.3 to 5.6.7
FortiOS 6.0.0 to 6.0.4
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled
Video of tool in action
This tool is now multithreaded it's been 14 months since this exploit was released to the world as single threaded and multiple tools now exist to look up this vulnerablity enmass. Recent media also reports mass credentials from this vulnerability being sold on the "Darknet".
Install Requirements: pip3 install -r requirements.txt
, then use as below.
python3 fortigate.py -h
___ ___ ___ _____ ___ ___ _ _____ ___
| __/ _ \| _ \_ _|_ _/ __| /_\_ _| __|
| _| (_) | / | | | | (_ |/ _ \| | | _|
|_| \___/|_|_\ |_| |___\___/_/ \_\_| |___|
Extract Useful info (credentials!) from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)
Tool originally developed by @x41x41x41 and @DavidStubley.
usage: fortigate.py [-h] [-i INPUT] [-o OUTPUT] [-t THREADS] [-c CREDSCAN]
optional arguments:
-h, --help show this help message and exit
-i INPUT, --input INPUT
Line seperated list of targets i.e google.com or 127.0.0.1
-o OUTPUT, --output OUTPUT
File to output discovered credentials too
-t THREADS, --threads THREADS
threads
-c CREDSCAN, --credscan CREDSCAN
Execute Credential Pull y/n With great power comes great
Note to pull credentials -c y
must be used.
It is often helpful to run this tool through a proxy. Burp being the most
obvious example. You can configure burp to use an upstream socks proxy which you
can create with the -D
flag in SSH.
For example, to make requests come from a jump box example.com, create the socks proxy
ssh -D 8081 user@example.com
Configure burp (Project or user settings) to use that proxy. Host: 127.0.0.1 port 8081.
This tool (or rather the requests library it uses) will honour the *_proxy environment variables. Set these to burp:
export http_proxy="http://127.0.0.1:8080" https_proxy="http://127.0.0.1:8080"
This software should only be used for authorised testing activity and not for malicious use.
By downloading and/or running this software you are accepting the terms of use and the licensing agreement.