
hostscan-bypass's Issues

RSA token with hostscan bypass

The UI only asks me for my password when using AnyConnect via the bypass. My org also requires an RSA token. Any thoughts?

On MacOS EOF is never triggered - Potential fix

I think this might be related to issue #12.
I'm testing on a Mac OS and I looked into the OSX troubleshooting issue #4 but didn't find anyone mentioning this before.
That config.json wasn't working properly for me, I think AnyConnect expects more certificate information than the one on that example but I'm not sure. So what I ended up doing was to use Burp Suite as an invisible proxy and route the traffic to the hostscan-bypass listener.
Burp generates a proper (self-signed) certificate which seems to work fine with AnyConnect.

Tested with AnyConnect 4.9.04043 on MacOS 10.15.6.

Steps I did to prepare my test setup were the following:

Hardcode the DNS in /etc/hosts to point to localhost

127.0.0.1    targethost

PortForward port 443 to 8443

This is because it's a bad idea to run Burp as root

echo "rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443" | sudo pfctl -ef -

Setup Burp as an invisible proxy

With this setup, Burp will intercept all the communications (useful for debugging) while forwarding all the traffic to hostscan-bypass:
Note: The certificate name must be manually set to the targethost, otherwise AnyConnect will reject the connection.

Start hostscan-bypass

go run hostscan-bypass.go -l 127.0.0.1 -p 9443 -r targethost:443 -o anyconnect-mac.sh -s -c config.json 

Finally, establish the connection on AnyConnect.
So this works fine and the connection is successfully established and hostscan-bypass manages to capture all the traffic. The problem is that it never finds the EOF when reading the data, so it never finishes. I noticed that the last received bytes were the following on the output:

00000200  2e 31 35 2e 36 22 3b 0a  65 6e 64 70 6f 69 6e 74  |.15.6";.endpoint|
00000210  2e 61 6d 5b 22 31 30 30  31 33 37 22 5d 2e 61 63  |.am["100137"].ac|
00000220  74 69 76 65 73 63 61 6e  3d 22 6f 6b 22 3b 0a 0a  |tivescan="ok";..|

So, the fix for me was to add the following code to the script (not elegant but it does the job):

...
                // I added this check
                if strings.HasSuffix(hostscan.Endpoint,"\x0a\x0a") {
                        err = io.EOF
                }
                if err != nil && err == io.EOF {
                        if hostscan.Endpoint != "" {
...

This checks if the HTTP request has finished sending all the data, and if so, forces the EOF to trigger.
This works for me and now the script is able to finish and create the output file successfully.

UPDATE: Looking closely at the generated script, I can see 2 problems with this approach: The user agent and the platform were not replaced, this means that the script ended prematurely and it needs another way of checking if all the fields were replaced correctly first. The second problem is that the <ENDPOINT> includes the HTTP request headers which is not meant to happen. I believe this has to do with using Burp as an invisible proxy and not related to hostscan-bypass. I can do more tests on this later if necessary.
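The end-of-request question in this issue, as an added example (not hostscan-bypass's own code): HTTP/1.1 frames a POST by its Content-Length header, so a framer that honours it reports exactly when the client has finished sending, while the blank-line suffix check only fires on the scan.xml body because that body happens to end in "\n\n" and never fires on an XML body that ends in a single newline. The sample bodies, request paths and header set below are constructed assumptions, not captures.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Constructed sample bodies (not captured from a real gateway). The first ends
// in a blank line like the scan.xml POST in the issue; the second, modelled on
// the config-auth XML the client sends first, ends in a single newline.
const scanBody = "endpoint.os.version=\"10.15.6\";\nendpoint.am[\"100137\"].activescan=\"ok\";\n\n"
const xmlBody = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<config-auth client=\"vpn\" type=\"init\">\n</config-auth>\n"

// buildRequest assembles an HTTP/1.1 POST with a correct Content-Length header.
func buildRequest(path, body string) []byte {
	return []byte(fmt.Sprintf("POST %s HTTP/1.1\r\nHost: targethost\r\nContent-Type: text/xml\r\n"+
		"Content-Length: %d\r\n\r\n%s", path, len(body), body))
}

// Framed is the result of framing one request from a byte stream.
type Framed struct {
	Method, Path string
	Body         []byte
	Complete     bool // false when the stream ended before Content-Length bytes arrived
}

// frameRequest parses raw bytes the way HTTP/1.1 defines message boundaries:
// headers end at the first CRLF CRLF and the body is exactly Content-Length
// bytes. A short stream is reported as incomplete rather than guessed at.
func frameRequest(raw []byte) (*Framed, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	defer req.Body.Close()
	body, err := io.ReadAll(req.Body)
	f := &Framed{Method: req.Method, Path: req.URL.Path, Body: body}
	switch {
	case err == nil:
		f.Complete = true
	case errors.Is(err, io.ErrUnexpectedEOF):
		f.Complete = false // client has not finished sending; keep reading
	default:
		return nil, err
	}
	return f, nil
}

// blankLineHeuristic is the end-of-data check proposed in the issue: declare the
// request finished as soon as the data seen so far ends in "\n\n".
func blankLineHeuristic(seen []byte) bool {
	return bytes.HasSuffix(seen, []byte("\n\n"))
}

func main() {
	for _, c := range []struct{ path, body string }{
		{"/+CSCOE+/sdesktop/scan.xml", scanBody},
		{"/", xmlBody},
	} {
		raw := buildRequest(c.path, c.body)
		f, err := frameRequest(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s: Content-Length framing complete=%v, blank-line heuristic=%v\n",
			f.Method, f.Path, f.Complete, blankLineHeuristic(raw))
	}
	// A stream cut off mid-body is reported as incomplete by the framer.
	cut := buildRequest("/", xmlBody)
	cut = cut[:len(cut)-10]
	f, _ := frameRequest(cut)
	fmt.Printf("truncated stream complete=%v\n", f.Complete)
}
```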

AnyConnect client doesn't want to connect to Hostscan Bypass script

AnyConnect client doesn't want to connect to Hostscan Bypass script.
Instead, I get an error message: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

# /opt/cisco/anyconnect/bin/vpn
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
VPN> connect 192.168.1.68:2100
connect 192.168.1.68:2100
  >> contacting host (192.168.1.68:2100) for login information...
  >> notice: Contacting 192.168.1.68:2100.
  >> warning: Connection attempt has failed.
  >> error: AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
  >> state: Disconnected

VPN> version
version
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc.  All Rights Reserved.


VPN>

AnyConnectLocalPolicy.zip

$ sudo go run hostscan-bypass.go -l 192.168.1.68 -p 2100 -r vpn.tensor.ru:501 -s
[sudo] password for mikhail: 
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.67:51576
[*][0] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:53610->91.213.144.15:501: read: connection reset by peer
[*] Accepted from: 192.168.1.67:51800
[*][1] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:56554->91.213.144.15:501: read: connection reset by peer

tls: handshake failure issue

Hello,

I'm running this script on Archlinux. When my Windows machine tries to connect to this host I get the following error. Any clues?

[unknown ~/go]$ sudo go run hostscan-bypass.go -l 192.168.1.100 -p 443 -r myvpnhost:443 -s
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.122.29:50235
remote error: tls: handshake failure
[*] Accepted from: 192.168.122.29:50236
remote error: tls: handshake failure
[*] Accepted from: 192.168.122.29:50237
remote error: tls: handshake failure

Connection is good, but never stops to write the bypass

I am able to connect to the VPN through the mitm, but it never writes out the CSD script. Just continues to use the connection until I close it either through the client, or at the mitm.

Using AnyConnect 4.7 client.

I was originally getting an error about the client not being installed, but that was fixed by changing the --data-ascii to --data-binary as noted in another issue.

Getting the below error

Hi,
I have successfully created the csd wrapper script in windows. But when I run it in my linux box and try to connect to the vpn client with openconnect. I get the below error after giving user name and password.

The following issues have been found with your endpoint:

[CC] VPN Client not allowed

Any insights?

Possible protocol change

Hi @Gilks

Unfortunately I couldn't succeed with that script. Looks like something has changed in recent versions. Do you have any ideas?

  go run hostscan-bypass.go -l 10.10.0.2 -p 443 -r  vpn-QQQQQQ.com:443 -s

  [*] Listening for AnyConnect client connection..
  [*] Accepted from: QQQQQ:49653
  [*][0] Connected to server: QQQQQ:443
  [*] Accepted from: QQQQQ:49758
  [*][1] Connected to server: QQQQQ:443
  read tcp 10.10.0.2:35710->QQQQQ:443: read: connection reset by peer
  read tcp 10.10.0.2:35716->QQQQQ:443: read: connection reset by peer

Does this issue have a CVE?

Great work man, this is interesting stuff. I just had a question, does this issue have an associated CVE? Or would this type of bypass even warrant a CVE from Cisco?

How to forward the certificate validation request.

In my case, access to the VPN server requires the use of a smart card for certificate authentication first.
This proxy doesn't seem to forward this request, causing the VPN server to return a rejection.

How to run it on Windows 10 PC?

go run hostscan-bypass.go -l 127.0.0.1 -p 8000 -r someserver.com:443 -s

I'm getting never-ending client requests, see below - the same as from the docker container.

When I'm trying to run it in docker:

Dockerfile:

FROM golang:1.7.3 as builder

COPY . $GOPATH/src/github.com/gilks/hostscan-bypass/
WORKDIR $GOPATH/src/github.com/gilks/hostscan-bypass/

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/hostscan-bypass

FROM scratch
COPY --from=builder /go/bin/hostscan-bypass /go/bin/hostscan-bypass
ENTRYPOINT [ "/go/bin/hostscan-bypass" ]

Build command:

docker build . -t hostsscan

Run command:

docker run -it --rm -p 8000:8000 hostsscan -p 8000 -s -r someserver.com:443

I'm also getting never-ending client requests:
From Client [67]:

EOF
read tcp 172.17.0.2:48368->x.x.x.x:443: use of closed network connection
[*] Accepted from: 172.17.0.1:46236
[*][68] Connected to server: x.x.x.x:443
EOF
read tcp 172.17.0.2:48374->x.x.x.x:443: use of closed network connection
[*] Accepted from: 172.17.0.1:46242
[*][69] Connected to server: x.x.x.x:443
From Client [69]: .................

When I'm trying to run openconnect without --csd-wrapper=hostscan-bypass.cmd param I'm getting:

.\openconnect.exe --os=win someserver.com/group --token-mode=rsa [email protected]
.....
Error: Server asked us to run CSD hostscan.

And https://someserver.com/CACHE/sdesktop/data.xml contains non-empty hostscan section.

Unable to connect into my server using AnyConnect

After using hostscan-bypass.go I am unable to connect using Cisco AnyConnect due to an unknown port error.

go run hostscan-bypass.go -l -p 443 -r https:///CACHE/sdesktop/install/start.htm -s

[*] Listening for AnyConnect client connection..
[*] Accepted from: :
dial tcp: address tcp///AttackingIP/CACHE/sdesktop/install/start.htm: unknown port

Doesn't work with TLS_RSA_WITH_AES_256_CBC_SHA256 cipher

Not a bug, just an FYI for others.

Go dropped support for cipher TLS_RSA_WITH_AES_256_CBC_SHA256 here.

My anyconnect provider has locked their endpoint to only accept this cipher, and so I get a TLS negotiation failure when attempting to connect 😢

Login denied (multiple issues)

Hello.

I cannot make "hostscan-bypass.sh" work for some reason. Let me list here what I have found so far in case you can point me in the right direction:

This is all the data that "hostscan-bypass.go" captures in my case:

POST /
    HTTP/1.1
    Cache-Control: no-cache
    Connection: close
    Pragma: no-cache
    User-Agent: AnyConnect Windows 4.8.0305
    X-Transcend-Version: 1
    X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
    X-Aggregate-Auth: 1
    Content-Length: 838
    Host: ...
    
    DATA (computer name, mac address, auth method, ...)
    
    
GET /CACHE/sdesktop/install/binaries/update.txt
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Close
    Pragma: no-cache
    User-Agent: AnyConnect Windows 4.8.0305
    X-Transcend-Version: 1
    X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
    X-Aggregate-Auth: 1
    Host: ...


GET /CACHE/sdesktop/paths.txt
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Close
    Pragma: no-cache
    User-Agent: AnyConnect Windows 4.8.0305
    X-Transcend-Version: 1
    X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
    X-Aggregate-Auth: 1
    Host: ...
    

HEAD /
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...


GET /+CSCOE+/sdesktop/token.xml?ticket=4AB...77&stub=0
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    
    
GET /CACHE/sdektop/hostscan/windows_i386/manifest
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    

GET /+CSCOT+/translation-table?type=mo&textdomain=csd&lang=en-us
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    
    
GET /+CSCOT+/translation-table?type=mo&textdomain=csd&lang=en-us
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    
     
HEAD / 
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    

GET /+CSCOE+/sdesktop/token.xml?ticket=4AB...77&stub=0
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    
    
HEAD /CACHE/sdesktop/data.xml 
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...


GET /CACHE/sdesktop/data.xml 
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...

    
GET /+CSCOL+/opswatlicense.html 
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ...
    
       
GET /CACHE/sdesktop/hostscan/windows_i386/manifest
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Cookie: sdesktop=54...31
    Host: ...


POST /
    HTTP/1.1
    Cache-Control: no-cache
    Connection: close
    Pragma: no-cache
    User-Agent: AnyConnect Windows 4.8...
    X-Transcend-Version: 1
    X-AnyConnect-STRAP-Pubkey: KLe09...Cq==
    X-Aggregate-Auth: 1
    Content-Length: 916
    Host: ...
    
    DATA (computer name, mac address, auth method, ...)
    
    
POST /+CSCOE+/sdesktop/scan.xml ...
    HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml
    Cookie: sdesktop=54...31
    Content-Length=14205
    Host: ...

    DATA (all "juicy" information):
        endpoint.os.version="Windows 10";
        endpoint.os.architecture="x64";
        ...
        endpoint.pfw[...].description="Windows Firewall";
        endpoint.pfw[...].enabled="ok";
        ...

Anyway... I see that "hostscan-bypass.go" parses all these packets and does two things:

  1. If packet data contains the string "endpoint", saves this for later, to be sent inside the "hostscan-bypass.sh" POST to the server.
  2. If packet data contains the string "User-Agent" and "X-AnyConnect-Platform", it saves the values of these two headers to later use them when creating the forged "hostscan-bypass.sh" POST.

I already see an issue with (2), as none of the packets in my case contain those two headers at the same time. I had to manually edit the generated "hostscan-bypass.sh" script to change "<PLAT>" to "win" and "<USERAGENT>" to "AnyConnect Windows 4.8.0305". But it wouldn't work either.

Another option was to also include the "X-AnyConnect-STRAP-Pubkey" header. But again, no luck.

In particular, with this "hostscan-bypass.sh" script, when I executed this:

sudo openconnect -v -v -v --useragent="AnyConnect Windows 4.8.0305" --dump-http-traffic --csd-wrapper=/home/alexander/bin/hostscan/hostscan-bypass.sh vpn.mycompany.com --os=win

...this is what I get:

> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
<message> Please enter username and password </message>
<host-scan-ticket>67...</host-scan-ticket>
<host-scan-token>4A...</host-scan-token>
...
> GET .../sdesktop/wait.html
...
Got HTTP response: HTTP/1.1 302 Moved Temporarily
...

> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
<message> Please enter username and password </message>
<host-scan-ticket>7B...</host-scan-ticket>
<host-scan-token>55...</host-scan-token>
...

> POST /
...
Got HTTP response: HTTP/1.1 200 Ok
...
message> Please enter username and password </message>
<host-scan-ticket>A9...</host-scan-ticket>
<host-scan-token>6C...</host-scan-token>
...

...and then I'm asked for my login/password.

Some extra issues I see here all have to do with the number of "host-scan-ticket" fields I receive (three in total) and the number of times "hostscan-bypass.sh" is called (which seems to be only one, with the first token).

Is it normal to receive three tokens? (Maybe it has to do with the 302 redirect?). Should "hostscan-bypass.sh" be executed three times (one for each token)? I have manually tried to execute it those two additional times (with tokens #2 and #3) before entering the login/password, but again no luck.

Any idea of what I could do next?

Thanks for your time.

Unable to obtain CSD file

Bypass command:

go run hostscan-bypass.go -l 192.168.1.13 -p 443 -r sslvpn.mycompany.com:443 -s

AnyConnect warns about an invalid certificate, click "Connect Anyway", login dialog appears on the screen.

Bypass output:

[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.146:49967
[*][0] Connected to server: 68.115.198.2:443
EOF
read tcp 192.168.1.13:47456->68.115.198.2:443: use of closed network connection
[*] Accepted from: 192.168.1.146:49968
[*][1] Connected to server: 68.115.198.2:443
From Client [1]:
EOF
read tcp 192.168.1.13:47458->68.115.198.2:443: use of closed network connection

No further output in the console and no CSD file created.

I run hostscan-bypass in the Ubuntu VM:

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

$ go version
go version go1.10.4 linux/amd64

Cisco AnyConnect version 4.8.01090

OS X Troubleshooting

Hi @Gilks !

I've been able to sniff a Windows machine with hostscan-bypass, but when I do the same with the Linux client I get the "Limited Access DNS Failure" line with the banner saying AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network. Connection attempt has failed. The macOS user says they get the same.

The bypass script says:
[*] Listening for AnyConnect client connection..
[*] Accepted from: 87.228.186.66:58944
[*][0] Connected to server: 198.49.180.205:443
read tcp 10.10.0.2:33620->198.49.180.205:443: read: connection reset by peer
Thanks!

unexpected EOF when running hostscan-bypass

I am using my Mac Mini as the MITM machine and running this bypass one-liner:

sudo go hostscan-bypass.go -l 192.168.1.228 -p 443 -r $SECRET_COMPANY:443

I am running the AnyConnect on my corporate MacBook and connecting to the MITM IP. I had to get rid of the -s in the bypass one-liner to get AnyConnect to connect successfully and bring up the untrusted warning.

However, after it prints a bunch of stuff to the screen, I see the following:

EOF
read tcp 192.168.1.228:50081-> <SECRET_IP>:443: use of closed network connection

And there's no CSD file generated.

I tried the config.json + certificate solution in #4 but that also doesn't seem to help. It prints out the same EOF message a bunch of times but no CSD file still.

FWIW, I also tried running the MITM on the same machine using 0.0.0.0 as the local IP but the EOF error still plagues me.

Any help would be greatly appreciated.

tls: failed to parse private key

Trying to connect my AnyConnect Linux client to the running hostscan-bypass causes "tls: failed to parse private key" in the hostscan stdout and then a timeout error on the AnyConnect client (obviously).

My hostscan run command is:
sudo go run hostscan-bypass.go -l <my-ip> -p 443 -r <redacted>:443 -s -client-cert cert.pem -client-key cert.key

cert.pem in the following format:

Bag Attributes
    localKeyID: <40 symbols following...> 
subject=/C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
issuer=/DC=<redacted>/DC=<redacted>/CN=<redacted>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----

cert.key:

Bag Attributes
    localKeyID: <same 40 symbols following...> 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
<redacted>
-----END ENCRYPTED PRIVATE KEY-----

Full hostscan-bypass stdout is just

[*] Listening for AnyConnect client connection..
[*] Accepted from: <redacted>:58404
tls: failed to parse private key

Much appreciated if you can help me with this.
And thanks for your hard work!
