diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e58cefc8771..a72637dd76f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -628,6 +628,7 @@ - [10000 - Pentesting Network Data Management Protocol (ndmp)](network-services-pentesting/10000-network-data-management-protocol-ndmp.md) - [11211 - Pentesting Memcache](network-services-pentesting/11211-memcache/README.md) - [Memcache Commands](network-services-pentesting/11211-memcache/memcache-commands.md) +- [12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane](network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md) - [15672 - Pentesting RabbitMQ Management](network-services-pentesting/15672-pentesting-rabbitmq-management.md) - [24007,24008,24009,49152 - Pentesting GlusterFS](network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md) - [27017,27018 - Pentesting MongoDB](network-services-pentesting/27017-27018-mongodb.md) diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index a128c17e554..ec22ad18bad 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md @@ -1003,4 +1003,3 @@ telecom-network-exploitation.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md b/src/network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md new file mode 100644 index 00000000000..e5250f122fa --- /dev/null +++ b/src/network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md 
@@ -0,0 +1,93 @@ +# 12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane + +{{#include ../banners/hacktricks-training.md}} + +## Basic Information + +Cisco Catalyst SD-WAN controllers expose a **DTLS control-plane service on UDP/12346** (`vdaemon`). This service should be treated like a routing-adjacency surface: if an attacker can become an authenticated peer, they may be able to pivot into the overlay fabric. + +`vdaemon` uses a **12-byte header** where the **high nibble** of `device_info` encodes the claimed device role: + +| Role value | Claimed role | +| --- | --- | +| `1` | vEdge | +| `2` | vHub | +| `3` | vSmart | +| `4` | vBond | +| `5` | vManage | +| `6` | ZTP | + +The DTLS handshake is not enough to authenticate a peer by itself. Peer trust is finalized later during control-plane bootstrap messages such as `CHALLENGE_ACK`. + +**Default port:** 12346/udp + +```text +PORT STATE SERVICE +12346/udp open unknown +``` + +## Enumeration + +Discover the control-plane service and follow-on management ports: + +```bash +nmap -sU -p12346 +nmap -sT -p22,830 +``` + +If the host exposes TCP/830, check whether NETCONF over SSH is reachable: + +```bash +ssh -p 830 @ +``` + +## Pentesting Cisco SD-WAN Control Plane + +### Pre-auth Role Confusion + +`CHALLENGE_ACK` (**message type `9`**) is reachable before authentication because it is part of the control-plane bootstrap allowlist. In CVE-2026-20182, Rapid7 showed that `vbond_proc_challenge_ack()` verified some roles (`vEdge`, `vSmart`, `vManage`) but had no verification branch for claimed role `2` / vHub. + +Because the function later fell through to `peer->authenticated = 1`, an attacker could: + +1. Complete DTLS with any certificate. +2. Send `CHALLENGE_ACK` with the high nibble of `device_info` set to `2`. +3. Send `Hello`. +4. Transition to an UP authenticated peer. 
+ +This is a useful bug pattern to hunt in proprietary control planes: attacker-controlled role selection, missing default-deny validation, and pre-auth handshake messages. + +### Post-auth Pivot + +Once treated as an authenticated peer, the controller accepted `MSG_VMANAGE_TO_PEER` (**message type `14`**) and appended attacker-controlled data to `/home/vmanage-admin/.ssh/authorized_keys`. + +This turns a control-plane foothold into persistent NETCONF over SSH access on TCP/830 as `vmanage-admin`. + +```bash +# Rapid7 module automating the vHub auth bypass and SSH key injection +msf6 > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass +msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > set RHOSTS +msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > run + +# If the target accepts the injected key, pivot to NETCONF over SSH +ssh -i vmanage-admin@ -p 830 +``` + +Review similar appliances for post-auth messages that write SSH keys, API tokens, trust bundles, or bootstrap secrets for privileged internal service accounts. + +## Detection + +- Audit Internet-facing or cross-trust-boundary exposure of UDP/12346 and TCP/830. +- Inspect `/home/vmanage-admin/.ssh/authorized_keys` for unexpected appended keys after control-plane events. +- After gaining NETCONF, remember that configuration and state retrieval may be available even if a normal shell is not. + +## Shodan + +- `port:12346` +- `port:830 "NETCONF"` + +## References + +- [Rapid7: CVE-2026-20182 - Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/) +- [Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) + +{{#include ../banners/hacktricks-training.md}}
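Review bot: the new SUMMARY.md entry is the only one in this list that carries a protocol suffix in its title (`12346/udp - ...`), while the neighbouring entries (`11211 - Pentesting Memcache`, `15672 - Pentesting RabbitMQ Management`) use the bare port number; consider `12346 - Pentesting Cisco Catalyst SD-WAN Control Plane` for consistency, and keep the page's own H1 in sync with whatever is chosen. The numeric ordering (between 11211 and 15672) is correct.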
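Review bot: the change to `src/generic-methodologies-and-resources/pentesting-network/README.md` only drops a trailing blank line after the `{{#include ../../banners/hacktricks-training.md}}` include and is unrelated to the new SD-WAN page; either leave that file untouched or mention the whitespace cleanup in the PR description so the diff is not mistaken for a content change.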
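Review bot: several command lines in the new page are missing their target or argument placeholders as shown, so they cannot be copied as-is: `nmap -sU -p12346` and `nmap -sT -p22,830` have no host, `ssh -p 830 @` has neither user nor host, `set RHOSTS` has no value, and `ssh -i vmanage-admin@ -p 830` would treat `vmanage-admin@` as the key file because `-i` expects a path; spell the placeholders out explicitly, e.g. `nmap -sU -p12346 <target-ip>`, `ssh -p 830 <user>@<target-ip>` and `ssh -i <injected-key> -p 830 vmanage-admin@<target-ip>`. Two smaller points: the third bullet under `## Detection` ("After gaining NETCONF, remember that configuration and state retrieval may be available...") is operator guidance rather than a detection or audit check and fits better at the end of `### Post-auth Pivot`, leaving the Detection list to the exposure audit and the `authorized_keys` review; and the first reference URL has a slug starting `ve-cve-2026-20182-...`, which looks like a stray `ve-` prefix and should be double-checked against the live Rapid7 post.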