- Introduction
- Features
- Requirements
- Installation
- Usage
- Options
- Examples
- Output
- Advanced Usage
- Contributing
- License
- Credits
The Advanced Pulse Connect Secure VPN Exploitation Script is a powerful tool designed for exploiting vulnerabilities in Pulse Connect Secure VPN, specifically targeting the CVE-2019-11510 vulnerability. It provides security researchers and professionals with the capability to extract critical information such as private keys, usernames, admin details, observed logins, and VPN session cookies from files downloaded via the exploit.
- Extracts private keys, usernames, admin details, observed logins, and VPN session cookies from vulnerable Pulse Connect Secure VPN instances.
- Supports downloading necessary files (configuration, cache, and session files) from the target VPN for offline analysis.
- Tests session cookies to identify active VPN sessions, facilitating further investigation and potential hijacking.
- Extracts SSH keys from downloaded files, providing additional avenues for exploitation and lateral movement.
- Generates detailed reports for each target, providing organized and actionable insights into the extracted information.
- Allows exploitation and extraction from multiple targets simultaneously, streamlining large-scale assessments.
To use this script, ensure you have the following dependencies installed:
- Bash: The script is written in Bash, the Bourne Again SHell.
- curl: Command-line tool for transferring data with URL syntax.
- unzip: Tool for extracting files from ZIP archives.
- dig: Tool for querying DNS name servers.
To install the script, simply clone the repository to your local machine:
```bash
git clone https://github.com/yourusername/advanced-pulse-vpn-exploit.git
cd advanced-pulse-vpn-exploit
```
Ensure that the script file (`exploit.sh`) has executable permissions:
```bash
chmod +x exploit.sh
```
To use the script, simply execute it with the appropriate options. See the Options section for details on available options.
```bash
./exploit.sh [options]
```
- `-h`: Display the help message.
- `-t <target>`: Set the target IP address or domain name. Multiple targets can be specified in a CSV file or as individual arguments.
- `-d`: Download configuration, cache, and session files from the target VPN.
- `-c`: Test cookies to identify active sessions. This option also requires downloading files.
- `-k`: Test cookies without downloading files. Assumes that files are already downloaded and extracted.
- `-s`: Extract SSH keys from downloaded files. Requires downloading files.
- `-a`: Perform all tests (download files, test cookies, and extract SSH keys).
```bash
./exploit.sh -t 192.168.1.100 -a
./exploit.sh -t targets.csv -c
./exploit.sh -t vpn.example.com -s
```
The script creates a directory named `DATA` in the current working directory to store extracted data and reports for each target. Detailed reports are generated for each target, including extracted information such as product version, SSH keys, admin details, and VPN session cookies.
For advanced usage, you can customize the script to add new features or integrate it into your existing security toolchain. Additionally, you can modify the script to target specific vulnerabilities or environments by adjusting the extraction logic or adding new modules.
Contributions to this project are welcome! Feel free to fork the repository, make improvements or bug fixes, and submit pull requests. Please ensure that your code adheres to the project's coding standards and practices.
This project is licensed under the MIT License. See the LICENSE file for details.
This script is based on research by Orange Tsai and Meh Chang as detailed in their blog post: Attacking SSL VPN Part 3: Golden Pulse Secure RCE Chain.
Special thanks to Alyssa Herrera and 0xDezzy for additional insights, and bl4ckh0l3z for fixing, cleaning, and refactoring the original code.