After my previous adventures with FortiGate VMs I decided to check it again and finally finish some of the ideas I was talking about during The Hack Summit conference (PL, 2022). One of them was to bypass FortiGate's "anti-bruteforce protection". Below you'll find the details. Here we go...
This time we'll start here:
My goal was to:
- start a 'brute force attack' against FortiGate's web panel
- get banned and analyse the logs I've got on my FortiGate appliance
- bypass the protection to continue the brute force (without being banned/blocked).
I started my local mini-LAB with VMware and a FortiGate 7.0.x VM. As the "pentester's machine" I used a Kali (and an Ubuntu) VM.
At this stage, to continue you need to:
- grab the login request using Burp
- prepare your favorite top_passwords.txt file
- (to make it easier) use Copy-As-Python-Request if you want.
After a while we should be somewhere here:
As you can see (on FortiGate's log page), during our brute force test:
- if we're trying to log in to the web panel multiple times...
-- ...in a short period of time...
--- ...from the same IP...
...we'll get banned. As simple as that:
So I decided to extend the delay between one password-guess request and the next. So we're landing somewhere here:
Checking:
Quick results are presented on the screenshot below:
Next I added a print() call to the script to see whether there is any response (and what kind). For a 'wrong password' and/or 'already banned' response we get 0 or 2 in the response message:
Results? Banned again:
I moved on and adjusted the time range again. Now we can see a different response:
As you can see, this is a very simple attack scenario, but if you're using "dictionary passwords" you probably need to change them ASAP. ;)
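As an added defender-side example (my code, not from the post or from Fortinet), the Python script below runs over constructed FortiGate-style key=value log lines (the field names are an assumption) and shows why a per-IP lockout with a short window never trips on the slowed-down guessing described above, while counting failed admin logins over a longer window still surfaces the same source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a FortiGate-like key=value style (field names are
# an assumption, not copied from a real appliance). Five failures from 10.0.0.5
# are spaced about 6 minutes apart, so a short-window lockout never sees enough
# of them at once, while a one-hour window still shows a clear pattern.
SAMPLE_LOG = """\
date=2022-11-04 time=10:00:05 action="login" status="failed" srcip=10.0.0.5 user="admin"
date=2022-11-04 time=10:06:10 action="login" status="failed" srcip=10.0.0.5 user="admin"
date=2022-11-04 time=10:12:30 action="login" status="failed" srcip=10.0.0.5 user="admin"
date=2022-11-04 time=10:15:00 action="login" status="success" srcip=10.0.0.9 user="ops"
date=2022-11-04 time=10:18:45 action="login" status="failed" srcip=10.0.0.5 user="admin"
date=2022-11-04 time=10:25:00 action="login" status="failed" srcip=10.0.0.5 user="admin"
date=2022-11-04 time=10:26:00 action="login" status="failed" srcip=10.0.0.7 user="admin"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def failed_logins(log_text):
    """Return a list of (epoch_seconds, srcip) for every failed login event."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") == "login" and rec.get("status") == "failed":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            events.append((ts.timestamp(), rec["srcip"]))
    return events

def flag_sources(log_text, window_s=3600, threshold=5):
    """Return {srcip: peak_count} for sources with at least `threshold` failed
    logins inside any sliding window of `window_s` seconds. A small window
    models the appliance's own lockout; a long one catches slow guessing."""
    per_ip = defaultdict(list)
    for ts, ip in failed_logins(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:  # drop attempts outside the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged
```

With `window_s=300, threshold=3` (a lockout-like setting) nothing is flagged, while the default one-hour window reports 10.0.0.5 with five failures.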
BTW: a bit more and more ;)