How to generate payloads for specific Cisco ASA versions with ExtraBacon?

Use the Lina offset finder script by running 'python2 ./lina-offsets.py asa_lina_XXX.elf' after extracting the Lina binary from ASA firmware. This automates offset calculation, and you can add new payloads to the 'extrabacon-2.0/improved/' folder.

Is ExtraBacon still effective against modern Cisco devices?

No, it primarily targets older x86 Cisco ASA devices (8.x and early 9.x). For modern networks with ASA 9.6+ or x64 systems, DEP and ASLR make it ineffective, as mentioned in the README regarding version limitations.

How do I integrate this exploit into Metasploit?

The Metasploit module is included and merged into the master branch. Use 'use auxiliary/admin/cisco/cisco_asa_extrabacon' in Metasploit, and follow standard procedures for deployment, as referenced in the pull request link.

What's the difference between ExtraBacon 2.0 and the original Shadow Brokers leak?

ExtraBacon 2.0 has improved shellcode with fewer stages for better reliability, extends support to 9.x versions, and includes tools like the Lina offset finder. The original leak was limited to 8.x and had less reliable payloads.

Can I use this legally for security research?

Yes, but only in authorized environments like penetration testing labs with proper consent. Using it on unauthorized systems is illegal. Always follow ethical guidelines and obtain permissions, as implied by the project's focus on research.

How to extract Lina from Cisco ASA firmware for offset finding?

Use binwalk with 'binwalk -e asaXXX-k8.bin' to extract, then 'cpio -idv < rootfs.img' in the extracted directory to unpack, and copy 'asa/bin/lina' to a temporary location, as detailed in the README's Lina offset finder section.

CVE-2016-6366

MITPython

An improved exploit implementation for CVE-2016-6366 (EXTRABACON) targeting Cisco ASA devices with extended version support.

Visit Website GitHub

What is CVE-2016-6366?

CVE-2016-6366 is an open-source repository containing improvements to the EXTRABACON exploit, which targets Cisco ASA devices via a remote code execution vulnerability. It enhances the original Equation Group exploit with more reliable shellcode, extended version support, and tools for security researchers. The project provides practical resources for understanding and testing this specific vulnerability in controlled environments.

Target Audience

Security researchers, penetration testers, and network security professionals who need to analyze or demonstrate the CVE-2016-6366 vulnerability in Cisco ASA devices.

Value Proposition

It offers a more reliable and version-compatible implementation than the original leaked exploit, along with automation tools like the Lina offset finder. Being open-source allows for community verification and extension of the research.

Overview

Public repository for improvements to the EXTRABACON exploit

Use Cases

Best For

Analyzing the EXTRABACON exploit mechanics in Cisco ASA

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

163 stars63 forks0 contributors

Penetration testing labs targeting legacy Cisco ASA versions

Security research on SNMP-based vulnerabilities

Studying Equation Group exploit techniques

Developing custom payloads for CVE-2016-6366

Teaching advanced exploit development concepts

Not Ideal For

Penetration testing targeting Cisco ASA 9.6+ devices with x64 architecture and DEP/ASLR enabled
Legal security assessments requiring vendor-certified or commercially supported exploit tools
Broad network vulnerability scans that need coverage beyond CVE-2016-6366 on Cisco ASA
Projects lacking access to physical or virtual Cisco ASA hardware for payload validation

Pros & Cons

Pros

More Reliable Shellcode

Reduces stages from the original exploit, increasing reliability and shrinking the SNMP payload by about 150 bytes, as stated in the README.

Extended Version Compatibility

Adds support for Cisco ASA 9.x series beyond the initial 8.x-only leak, with a detailed list of tested versions including 9.0(1) and 9.2(4)13.

Automated Offset Generation

The Lina offset finder Python script automates generating offsets for porting the exploit to other ASA firmware versions, saving manual effort for researchers.

Metasploit Framework Integration

Includes a Metasploit module that has been merged into the master branch, making it easy to integrate into standard penetration testing workflows.

Cons

No x64/DEP/ASLR Support

The exploit does not work on modern x64 Cisco ASA versions (9.6 and above) due to DEP and ASLR, limiting it to legacy x86 hardware.

Hardware-Dependent Testing

Requires access to real Cisco ASA devices for testing payloads, which can be a barrier for researchers without such resources, as noted in the contributing section.

Incomplete NPE Version Support

Currently lacks full support for No Payload Encryption (NPE) versions of ASA, as distinguishing them from normal versions is challenging without additional work.

Frequently Asked Questions

Home

Scapy

krackattacks-scripts

This project provides a suite of Python scripts to detect vulnerabilities related to the KRACK (Key Reinstallation Attack) against WPA2 Wi-Fi security. It allows security researchers and network administrators to test whether specific clients or access points are affected by critical CVEs like CVE-2017-13077 and CVE-2017-13080. ## Key Features - **Client Vulnerability Testing** — Seven distinct tests to check for key reinstallation vulnerabilities in Wi-Fi clients, including pairwise and group key handshake flaws. - **Access Point Testing** — Detects vulnerabilities in the FT (Fast Transition) handshake (802.11r) used by access points during roaming. - **Detailed Test Mapping** — Scripts correspond to official Wi-Fi Alliance test cases for standardized vulnerability assessment. - **Manual Verification Support** — Includes guidance for using additional monitoring interfaces to manually confirm script findings. - **Regulatory and Hardware Considerations** — Provides notes on hardware encryption, 5 GHz band limitations, and driver adjustments for accurate testing. ## Philosophy The project emphasizes responsible security testing by providing tools to verify patches and assess real-world vulnerability status, rather than functioning as attack scripts. It requires legitimate network credentials to operate.

Stars3,509

Forks769

Last commit1 year ago

PPPwn (CVE-2006-4304)

PPPwn - PlayStation 4 PPPoE RCE

Stars2,944

Forks416

Last commit2 years ago

fragattacks

FragAttacks is a security testing tool that identifies vulnerabilities in Wi-Fi implementations related to frame fragmentation and aggregation. It can test both clients and access points for a range of flaws that impact WPA2 and WPA3 networks, helping security researchers and network administrators assess the security of their Wi-Fi devices. ## Key Features - **Fragmentation Attack Testing** — Tests for vulnerabilities where Wi-Fi frames are split into fragments and reassembled incorrectly. - **Aggregation (A-MSDU) Attack Testing** — Checks for flaws in handling aggregated MAC service data units. - **Mixed Key Attack Detection** — Identifies issues where fragments encrypted under different keys are accepted. - **Cache Attack Verification** — Tests whether fragments remain in memory after disassociation or reconnection. - **Plaintext Injection Checks** — Detects acceptance of plaintext frames in encrypted networks. - **Broadcast Fragment Testing** — Assesses vulnerabilities related to broadcast frame handling. - **EAPOL Frame Attack Simulation** — Tests for cloaking attacks using EAPOL frames within A-MSDU aggregates. - **Multiple Interface Modes** — Supports mixed mode (single card), injection mode (two cards), and experimental hwsim mode. - **Comprehensive Test Suite** — Includes sanity checks, basic behavior tests, and extended vulnerability tests. - **Driver and Firmware Patching** — Provides patched Linux drivers and firmware for compatible network cards. ## Philosophy FragAttacks aims to provide a rigorous, open-source tool for uncovering fundamental Wi-Fi security flaws, emphasizing practical testing over theoretical analysis to help secure real-world networks.

Stars1,297

Forks185

Last commit1 year ago

isf

ISF(Industrial Control System Exploitation Framework)，a exploitation framework based on Python

Stars1,103

Forks301

Last commit2 years ago

#exploit-development

#penetration-testing

#vulnerability-research