gilks / hostscan-bypass
Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements
The UI only asks me for my password when using AnyConnect via the bypass. My org also requires an RSA token. Any thoughts?
I think this might be related to issue #12.
I'm testing on a Mac OS and I looked into the OSX troubleshooting issue #4 but didn't find anyone mentioning this before.
That config.json wasn't working properly for me, I think AnyConnect expects more certificate information than the one on that example but I'm not sure. So what I ended up doing was to use Burp Suite as an invisible proxy and route the traffic to the hostscan-bypass listener.
Burp generates a proper (self-signed) certificate which seems to work fine with AnyConnect.
Tested with AnyConnect 4.9.04043 on MacOS 10.15.6.
Steps I did to prepare my test setup were the following:
Edit /etc/hosts to point targethost to localhost:
127.0.0.1 targethost
Redirect port 443 to 8443 with pf (this is because it's a bad idea to run Burp as root):
echo "rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443" | sudo pfctl -ef -
With this setup, Burp will intercept all the communications (useful for debugging) while forwarding all the traffic to hostscan-bypass:
Note: The certificate name must be manually set to the targethost, otherwise AnyConnect will reject the connection.
go run hostscan-bypass.go -l 127.0.0.1 -p 9443 -r targethost:443 -o anyconnect-mac.sh -s -c config.json
Finally, establish the connection on AnyConnect.
So this works fine and the connection is successfully established and hostscan-bypass manages to capture all the traffic. The problem is that it never finds the EOF when reading the data, so it never finishes. I noticed that the last received bytes were the following on the output:
00000200 2e 31 35 2e 36 22 3b 0a 65 6e 64 70 6f 69 6e 74 |.15.6";.endpoint|
00000210 2e 61 6d 5b 22 31 30 30 31 33 37 22 5d 2e 61 63 |.am["100137"].ac|
00000220 74 69 76 65 73 63 61 6e 3d 22 6f 6b 22 3b 0a 0a |tivescan="ok";..|
So, the fix for me was to add the following code to the script (not elegant but it does the job):
...
    // I added this check: treat a trailing blank line ("\n\n") in the
    // captured endpoint data as the end of the client's input
    if strings.HasSuffix(hostscan.Endpoint, "\x0a\x0a") {
        err = io.EOF
    }
    if err != nil && err == io.EOF {
        if hostscan.Endpoint != "" {
...
This checks if the HTTP request has finished sending all the data, and if so, forces the EOF to trigger.
This works for me and now the script is able to finish and create the output file successfully.
UPDATE: Looking closely at the generated script, I can see 2 problems with this approach: The user agent and the platform were not replaced, this means that the script ended prematurely and it needs another way of checking if all the fields were replaced correctly first. The second problem is that the <ENDPOINT> includes the HTTP request headers which is not meant to happen. I believe this has to do with using Burp as an invisible proxy and not related to hostscan-bypass. I can do more tests on this later if necessary.
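The EOF problem described above comes down to HTTP message framing: the client's POST declares a Content-Length, and that, not a trailing blank line, says when the body is complete. The Go program below is an added example, not code from the hostscan-bypass project; it parses a captured client stream with Content-Length framing, and the scan.xml request it builds is constructed sample data shaped like the one quoted in this thread (field names assumed for illustration).

```go
package main

import (
	"bytes"
	"errors"
	"strconv"
	"strings"
)

// Captured is one HTTP/1.1 request recovered from a client byte stream.
type Captured struct {
	Method, Target string
	Headers        map[string]string // header names lower-cased
	Body           []byte
	Complete       bool // true only when the whole Content-Length body is present
}

// parseOne consumes one request from buf and returns it with the bytes consumed.
// The body is framed by Content-Length alone: a body that happens to end in
// "\n\n" is still short if bytes are missing, so a suffix check is unreliable.
func parseOne(buf []byte) (Captured, int, error) {
	end := bytes.Index(buf, []byte("\r\n\r\n"))
	if end < 0 {
		return Captured{}, 0, errors.New("header block not terminated yet")
	}
	lines := strings.Split(string(buf[:end]), "\r\n")
	rl := strings.Fields(lines[0])
	if len(rl) != 3 {
		return Captured{}, 0, errors.New("malformed request line: " + lines[0])
	}
	c := Captured{Method: rl[0], Target: rl[1], Headers: map[string]string{}}
	for _, l := range lines[1:] {
		if kv := strings.SplitN(l, ":", 2); len(kv) == 2 {
			c.Headers[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	want := 0
	if cl, ok := c.Headers["content-length"]; ok {
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 {
			return Captured{}, 0, errors.New("bad Content-Length: " + cl)
		}
		want = n
	}
	start := end + 4
	if len(buf)-start >= want {
		c.Body, c.Complete = buf[start:start+want], true
		return c, start + want, nil
	}
	c.Body = buf[start:] // short body: the client has not finished sending
	return c, len(buf), nil
}

// ParseStream splits a captured stream into requests and stops at the first
// short one, separating "all data received" from "client still sending".
func ParseStream(stream []byte) ([]Captured, error) {
	var out []Captured
	for len(stream) > 0 {
		c, n, err := parseOne(stream)
		if err != nil {
			return out, err
		}
		out = append(out, c)
		if !c.Complete {
			break
		}
		stream = stream[n:]
	}
	return out, nil
}

// Constructed sample shaped like the scan.xml POST quoted in the thread (not
// real traffic); bodyHead ends in "\n\n" so a truncated capture looks finished.
const bodyHead = "endpoint.os.version=\"Windows 10\";\nendpoint.os.architecture=\"x64\";\n\n"
const bodyTail = "endpoint.am[\"100137\"].activescan=\"ok\";\n\n"

// sampleScanPost returns the constructed POST with `cut` trailing bytes dropped.
func sampleScanPost(cut int) []byte {
	body := bodyHead + bodyTail
	raw := []byte("POST /+CSCOE+/sdesktop/scan.xml HTTP/1.1\r\nConnection: Keep-Alive\r\n" +
		"User-Agent: AnyConnect Windows 4.8.0305\r\nContent-Type: text/xml\r\n" +
		"Content-Length: " + strconv.Itoa(len(body)) + "\r\n\r\n" + body)
	return raw[:len(raw)-cut]
}
```

ParseStream(sampleScanPost(len(bodyTail))) yields a request whose Body ends in a blank line yet has Complete == false, which is exactly the case the suffix check above gets wrong.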
AnyConnect client doesn't want to connect to Hostscan Bypass script.
Instead, I get an error message: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.
# /opt/cisco/anyconnect/bin/vpn
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .
Copyright (c) 2004 - 2020 Cisco Systems, Inc. All Rights Reserved.
>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
VPN> connect 192.168.1.68:2100
connect 192.168.1.68:2100
>> contacting host (192.168.1.68:2100) for login information...
>> notice: Contacting 192.168.1.68:2100.
>> warning: Connection attempt has failed.
>> error: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.
>> state: Disconnected
VPN> version
version
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .
Copyright (c) 2004 - 2020 Cisco Systems, Inc. All Rights Reserved.
VPN>
$ sudo go run hostscan-bypass.go -l 192.168.1.68 -p 2100 -r vpn.tensor.ru:501 -s
[sudo] password for mikhail:
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.67:51576
[*][0] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:53610->91.213.144.15:501: read: connection reset by peer
[*] Accepted from: 192.168.1.67:51800
[*][1] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:56554->91.213.144.15:501: read: connection reset by peer
Hello,
I'm running this script on Archlinux. When my Windows machine tries to connect to this host I get the following error. Any clues?
[unknown ~/go]$ sudo go run hostscan-bypass.go -l 192.168.1.100 -p 443 -r myvpnhost:443 -s
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.122.29:50235
remote error: tls: handshake failure
[*] Accepted from: 192.168.122.29:50236
remote error: tls: handshake failure
[*] Accepted from: 192.168.122.29:50237
remote error: tls: handshake failure
I am able to connect to the VPN through the mitm, but it never writes out the CSD script. Just continues to use the connection until I close it either through the client, or at the mitm.
Using AnyConnect 4.7 client.
I was originally getting an error about the client not being installed, but that was fixed by changing the --data-ascii to --data-binary as noted in another issue.
Hi,
I have successfully created the csd wrapper script in Windows. But when I run it on my Linux box and try to connect to the VPN with openconnect, I get the below error after giving my username and password.
The following issues have been found with your endpoint:
[CC] VPN Client not allowed
Any insights?
Hi @Gilks
Unfortunately I couldn't succeed with that script. Looks like something has changed in recent versions. Do you have any ideas?
go run hostscan-bypass.go -l 10.10.0.2 -p 443 -r vpn-QQQQQQ.com:443 -s
[*] Listening for AnyConnect client connection..
[*] Accepted from: QQQQQ:49653
[*][0] Connected to server: QQQQQ:443
[*] Accepted from: QQQQQ:49758
[*][1] Connected to server: QQQQQ:443
read tcp 10.10.0.2:35710->QQQQQ:443: read: connection reset by peer
read tcp 10.10.0.2:35716->QQQQQ:443: read: connection reset by peer
Great work man, this is interesting stuff. I just had a question, does this issue have an associated CVE? Or would this type of bypass even warrant a CVE from Cisco?
In my case, access to the VPN server requires the use of a smart card for certificate authentication first.
This proxy doesn't seem to forward this request, causing the VPN server to return a rejection.
go run hostscan-bypass.go -l 127.0.0.1 -p 8000 -r someserver.com:443 -s
I'm getting never-ending client requests (see below), the same as from the Docker container.
When I'm trying to run it in docker:
Dockerfile:
FROM golang:1.7.3 as builder
COPY . $GOPATH/src/github.com/gilks/hostscan-bypass/
WORKDIR $GOPATH/src/github.com/gilks/hostscan-bypass/
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/hostscan-bypass
FROM scratch
COPY --from=builder /go/bin/hostscan-bypass /go/bin/hostscan-bypass
ENTRYPOINT [ "/go/bin/hostscan-bypass" ]
Build command:
docker build . -t hostsscan
Run command:
docker run -it --rm -p 8000:8000 hostsscan -p 8000 -s -r someserver.com:443
I'm also getting never-ending client requests:
EOF
read tcp 172.17.0.2:48368->x.x.x.x:443: use of closed network connection
[*] Accepted from: 172.17.0.1:46236
[*][68] Connected to server: x.x.x.x:443
EOF
read tcp 172.17.0.2:48374->x.x.x.x:443: use of closed network connection
[*] Accepted from: 172.17.0.1:46242
[*][69] Connected to server: x.x.x.x:443
From Client [69]: .................
When I'm trying to run openconnect without --csd-wrapper=hostscan-bypass.cmd param I'm getting:
.\openconnect.exe --os=win someserver.com/group --token-mode=rsa [email protected]
.....
Error: Server asked us to run CSD hostscan.
And https://someserver.com/CACHE/sdesktop/data.xml contains non-empty hostscan section.
After using hostscan-bypass.go I am unable to connect using Cisco AnyConnect due to an unknown port error.
go run hostscan-bypass.go -l -p 443 -r https:///CACHE/sdesktop/install/start.htm -s
[*] Listening for AnyConnect client connection..
[*] Accepted from: :
dial tcp: address tcp///AttackingIP/CACHE/sdesktop/install/start.htm: unknown port
Not a bug, just an FYI for others.
Go dropped support for cipher TLS_RSA_WITH_AES_256_CBC_SHA256 here.
My anyconnect provider has locked their endpoint to only accept this cipher, and so I get a TLS negotiation failure when attempting to connect 😢
Hello.
I cannot make "hostscan-bypass.sh" work for some reason. Let me list here what I have found so far in case you can point me in the right direction:
This is all the data that "hostscan-bypass.go" captures in my case:
POST / HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: AnyConnect Windows 4.8.0305
X-Transcend-Version: 1
X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
X-Aggregate-Auth: 1
Content-Length: 838
Host: ...
DATA (computer name, mac address, auth method, ...)

GET /CACHE/sdesktop/install/binaries/update.txt HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: AnyConnect Windows 4.8.0305
X-Transcend-Version: 1
X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
X-Aggregate-Auth: 1
Host: ...

GET /CACHE/sdesktop/paths.txt HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: AnyConnect Windows 4.8.0305
X-Transcend-Version: 1
X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
X-Aggregate-Auth: 1
Host: ...

HEAD / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /+CSCOE+/sdesktop/token.xml?ticket=4AB...77&stub=0 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /CACHE/sdektop/hostscan/windows_i386/manifest HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /+CSCOT+/translation-table?type=mo&textdomain=csd&lang=en-us HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /+CSCOT+/translation-table?type=mo&textdomain=csd&lang=en-us HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

HEAD / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /+CSCOE+/sdesktop/token.xml?ticket=4AB...77&stub=0 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

HEAD /CACHE/sdesktop/data.xml HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /CACHE/sdesktop/data.xml HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /+CSCOL+/opswatlicense.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ...

GET /CACHE/sdesktop/hostscan/windows_i386/manifest HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Cookie: sdesktop=54...31
Host: ...

POST / HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: AnyConnect Windows 4.8...
X-Transcend-Version: 1
X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
X-Aggregate-Auth: 1
Content-Length: 916
Host: ...
DATA (computer name, mac address, auth method, ...)

POST /+CSCOE+/sdesktop/scan.xml ... HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml
Cookie: sdesktop=54...31
Content-Length=14205
Host: ...
DATA (all "juicy" information):
endpoint.os.version="Windows 10";
endpoint.os.architecture="x64";
...
endpoint.pfw[...].description="Windows Firewall";
endpoint.pfw[...].enabled="ok";
...
Anyway... I see that "hostscan-bypass.go" parses all these packets and does two things:
I already see an issue with (2), as none of the packets in my case contain those two headers at the same time. I had to manually edit the generated "hostscan-bypass.sh" script to change "<PLAT>" to "win" and "<USERAGENT>" to "AnyConnect Windows 4.8.0305". But it wouldn't work either.
Another option was to also include the "X-AnyConnect-STRAP-Pubkey" header. But again, no luck.
In particular, with this "hostscan-bypass.sh" script, when I executed this:
sudo openconnect -v -v -v --useragent="AnyConnect Windows 4.8.0305" --dump-http-traffic --csd-wrapper=/home/alexander/bin/hostscan/hostscan-bypass.sh vpn.mycompany.com --os=win
...this is what I get:
> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
<message> Please enter username and password </message>
<host-scan-ticket>67...</host-scan-ticket>
<host-scan-token>4A...</host-scan-token>
...
> GET .../sdesktop/wait.html
...
Got HTTP response: HTTP/1.1 302 Moved Temporarily
...
> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
<message> Please enter username and password </message>
<host-scan-ticket>7B...</host-scan-ticket>
<host-scan-token>55...</host-scan-token>
...
> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
message> Please enter username and password </message>
<host-scan-ticket>A9...</host-scan-ticket>
<host-scan-token>6C...</host-scan-token>
...
...and then I'm asked for my login/password.
Some extra issues I see here all have to do with the number of "host-scan-ticket" fields I receive (three in total) and the number of times "hostscan-bypass.sh" is called (which seems to be only one, with the first token).
Is it normal to receive three tokens? (Maybe it has to do with the 302 redirect?). Should "hostscan-bypass.sh" be executed three times (one for each token)? I have manually tried to execute it those two additional times (with tokens #2 and #3) before entering the login/password, but again no luck.
Any idea of what I could do next?
Thanks for your time.
Bypass command:
go run hostscan-bypass.go -l 192.168.1.13 -p 443 -r sslvpn.mycompany.com:443 -s
AnyConnect warns about an invalid certificate, click "Connect Anyway", login dialog appears on the screen.
Bypass output:
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.146:49967
[*][0] Connected to server: 68.115.198.2:443
EOF
read tcp 192.168.1.13:47456->68.115.198.2:443: use of closed network connection
[*] Accepted from: 192.168.1.146:49968
[*][1] Connected to server: 68.115.198.2:443
EOF
read tcp 192.168.1.13:47458->68.115.198.2:443: use of closed network connection
No further output in the console and no CSD file created.
I run hostscan-bypass in the Ubuntu VM:
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
$ go version
go version go1.10.4 linux/amd64
Cisco AnyConnect version 4.8.01090
Hi @Gilks !
I've been able to sniff a Windows machine with hostscan-bypass, but when I do the same with the Linux client I get the "Limited Access DNS Failure" line with the banner saying: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network. Connection attempt has failed.
The macOS user says they get the same.
The bypass script says:
[*] Listening for AnyConnect client connection..
[*] Accepted from: 87.228.186.66:58944
[*][0] Connected to server: 198.49.180.205:443
read tcp 10.10.0.2:33620->198.49.180.205:443: read: connection reset by peer
Thanks!
I am using my Mac Mini as the MITM machine and running this bypass one-liner:
sudo go hostscan-bypass.go -l 192.168.1.228 -p 443 -r $SECRET_COMPANY:443
I am running the AnyConnect on my corporate MacBook and connecting to the MITM IP. I had to get rid of the -s in the bypass one-liner to get AnyConnect to connect successfully and bring up the untrusted warning.
However, after it prints a bunch of stuff to the screen, I see the following:
EOF
read tcp 192.168.1.228:50081-> <SECRET_IP>:443: use of closed network connection
And there's no CSD file generated.
I tried the config.json + certificate solution in #4 but that also doesn't seem to help. It prints out the same EOF message a bunch of times but no CSD file still.
FWIW, I also tried running the MITM on the same machine using 0.0.0.0 as the local IP but the EOF error still plagues me.
Any help would be greatly appreciated.
Trying to connect my AnyConnect Linux client to the running hostscan-bypass causes tls: failed to parse private key in the hostscan stdout and then a timeout error on the AnyConnect client (obviously).
My hostscan run command is:
sudo go run hostscan-bypass.go -l <my-ip> -p 443 -r <redacted>:443 -s -client-cert cert.pem -client-key cert.key
cert.pem in the following format:
Bag Attributes
localKeyID: <40 symbols following...>
subject=/C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
issuer=/DC=<redacted>/DC=<redacted>/CN=<redacted>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
cert.key:
Bag Attributes
localKeyID: <same 40 symbols following...>
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
<redacted>
-----END ENCRYPTED PRIVATE KEY-----
Full hostscan-bypass stdout is just
[*] Listening for AnyConnect client connection..
[*] Accepted from: <redacted>:58404
tls: failed to parse private key
Much appreciated if you can help me with this.
And thanks for your hard work!