Possible protocol change (hostscan-bypass issue, closed)

gilks commented on August 24, 2024
Possible protocol change

Comments (6)

Gilks commented on August 24, 2024

Hey @megastallman! I appreciate you taking the time to try out the bypass! As a sanity check, I have just verified the bypass is still working.

It looks like a connection between your MITM machine and vpn-QQQQQQ.com:443 is not being made successfully. Are you able to verify that you can browse to vpn-QQQQQQ.com:443 manually?

megastallman commented on August 24, 2024

Hi @Gilks!

I've tried to connect to https://vpn-QQQQQQ.com, which is actually our gateway. It normally redirects to /CACHE/sdesktop/install/start.htm. That looks normal.

megastallman commented on August 24, 2024

I've also run like this:
go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r vpn-QQQQQ:443 -s
Is it a valid option for VMs with sticky external IPs?

But the result is still the same. The browser can access the Cisco gateway directly but cannot access it via the MITM host. The official Cisco anydisconnect just falls back to backup gateways.

If I add the /etc/hosts entry forcing it to connect directly to my MITM host, it says: "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

Gilks commented on August 24, 2024

Excellent! I think I understand your issue a bit better now. Take a look at this blog post. It provides a tutorial on how the tool works and how to configure the AnyConnect client to connect to the MITM machine.

You are on the right track making the Windows AnyConnect client connect directly to your MITM machine. The error message "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." means the AnyConnect client needs to be configured to connect to untrusted servers.

Imagine this scenario: you want to intercept the Windows AnyConnect client's connection from your Linux machine. Here are some fictitious IPs:
Windows AnyConnect Client (10.0.0.2) --> Linux MITM Machine (10.0.0.10) --> VPN URL (vpn-QQQQQQ.com)

On your Linux host, this would be your one-liner:
go run hostscan-bypass.go -l 10.0.0.10 -p 443 -r vpn-QQQQQQ.com:443 -s

On your Windows AnyConnect client (10.0.0.2) you would connect to 10.0.0.10 instead of vpn-QQQQQQ.com. As long as you have "Block connection to untrusted servers" unchecked in the client, you will make the connection successfully.

Does this explanation help?
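
An added example, not part of the thread or of the hostscan-bypass project: a Go check a defender could run over collected AnyConnect preferences files to flag the client state described in the comment above (untrusted-server blocking switched off, default host not an approved gateway). The XML is a constructed sample; the element names `BlockUntrustedServers` and `DefaultHostName` are assumed to match the client's user preferences file, and `auditPrefs` and the gateway name `vpn.example.test` are hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// prefs maps the two preference elements this audit reads (names assumed).
type prefs struct {
	DefaultHost string `xml:"DefaultHostName"`
	Block       string `xml:"ControllablePreferences>BlockUntrustedServers"`
}

// Constructed sample: client pointed at the thread's fictitious relay address.
const samplePrefs = `<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultHostName>10.0.0.10</DefaultHostName>
  <ControllablePreferences>
    <BlockUntrustedServers>false</BlockUntrustedServers>
  </ControllablePreferences>
</AnyConnectPreferences>`

// auditPrefs returns one finding per deviation; allowed lists approved gateways.
func auditPrefs(doc string, allowed []string) ([]string, error) {
	var p prefs
	if err := xml.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parse preferences: %w", err)
	}
	var findings []string
	if v := strings.TrimSpace(p.Block); !strings.EqualFold(v, "true") {
		findings = append(findings, fmt.Sprintf("BlockUntrustedServers=%q: untrusted gateway certificates are not rejected outright", v))
	}
	host, ok := strings.TrimSpace(p.DefaultHost), false
	for _, a := range allowed {
		ok = ok || strings.EqualFold(host, a)
	}
	if host != "" && !ok {
		findings = append(findings, fmt.Sprintf("DefaultHostName=%q is not an approved gateway", host))
	}
	return findings, nil
}

func main() {
	findings, err := auditPrefs(samplePrefs, []string{"vpn.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

A missing `BlockUntrustedServers` element is reported too, so that a reviewer confirms the effective default rather than assuming it.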

megastallman commented on August 24, 2024

Hi @Gilks!

Thanks! My problem was that I've used a GKE VM with a sticky IP address. Now I've got to think of a way to get data from the "right" target computer, but it is already my problem.

megastallman commented on August 24, 2024

This is the most universal scenario for me, one that works everywhere, both on physical machines and on cloud VMs with a floating IP:
go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r vpn-QQQQQQ.com:443 -s
Just listen on all interfaces.