enterprise-vpn-attack

When to use this skill

Trigger when recon surfaces:

• *.<client>.example/+CSCOE+/logon.html or similar +CSCOE+ paths → Cisco ASA / AnyConnect
• intranet.* / vpn.* / connect.* / webvpn.* / wc.* / remote.* subdomains
• Port 443 returning login pages with Server: Apache or banner like "AnyConnect", "FortiGate", "NetScaler", "GlobalProtect", "Pulse", "Ivanti"
• TCP 8443 / 4443 / 10443 / 8888 (common VPN web-mgmt ports)
• HTTP responses with Set-Cookie: webvpn= (Cisco) / SVPNCOOKIE= (Fortinet) / NSC_AAA= (Citrix) / DSAuthSession= (Pulse) / BIGipServer* (F5)

DO NOT use for:

• Internal lateral-movement post-foothold (out of scope per user's boundary)
• VPN client-side bugs (different attack class)
• IPsec / L2TP / OpenVPN (different protocols, not SSL VPN web stack)

Vendor identification (fingerprinting)